Chapter 5: Authentication and Basic Cryptography
Post on 29-Apr-2022
12/06/56
Chapter 5 Authentication and Basic Cryptography
Dr.Sukchatri PRASOMSUK
School of Information Technology and Communication,
University of Phayao
Slide 1
IS and Network Security
Resource from: Chapter 8 & 11
Authentication
Security+ Guide to Network Security Fundamentals, Third Edition
Define authentication
Authentication credentials
Authentication models
Authentication servers
Extended authentication protocols
Virtual Private Network (VPN)
Slide 2
Slow guessing and botnets conceal the attacks
Countermeasures (responses)
Strong password policy, restricting access to server by source IP, two-factor authentication
Link Ch 8a
Slide 3
Definition of Authentication
Slide 4
Authentication can be defined in two contexts
The first is viewing authentication as it relates to access control
The second is to look at it as one of the three key elements of security:
Authentication (certification)
Authorization (permission)
Accounting (bookkeeping)
Slide 5
Access control is the process by which resources or services are granted or denied
Identification
The presentation of credentials or identification
Authentication
The verification of the credentials to ensure that they are genuine and not fabricated (invented)
Authorization
Granting permission for admittance
Access is the right to use specific resources
Slide 6
Authentication in AAA provides a way of identifying a user
Typically with a password
Authorization determines whether the user has the authority to carry out certain tasks
The process of enforcing policies
Accounting measures the resources a user “consumes” during each network session
Slide 7
To find evidence of problems
For billing
For planning
AAA servers
Servers dedicated to performing AAA functions
Can provide significant advantages in a network
Slide 8
Authentication Credentials (identity verification)
Slide 9
Credentials are something you have, something you are, or something you know
Types of authentication credentials
Passwords
One-time passwords
Standard biometrics
Behavioral biometrics
Cognitive biometrics
Slide 10
Standard passwords are typically static in nature
One-time passwords (OTP)
Dynamic passwords that change frequently
Systems using OTPs generate a unique password on demand that is not reusable
The most common type is a time-synchronized OTP
Used in conjunction with a token
The token and a corresponding authentication server share the same algorithm
Each algorithm is different for each user’s token
Slide 11
Slide 12
Slide 13
Authentication server displays a challenge (a random number) to the user
User then enters the challenge number into the token
Which then executes a special algorithm to generate a password
Because the authentication server has this same algorithm, it can also generate the password and compare it against that entered by the user
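Added example (not part of the original slides): both OTP styles described above, with the token and the server computing the same value and the server comparing. It assumes the per-token "algorithm" is the public HMAC construction from RFC 4226/6238 keyed with a secret seed unique to each token; the AuthServer class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits of the MAC, keep N decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_otp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized OTP (RFC 6238): the changing input is the clock."""
    counter = struct.pack(">Q", unix_time // step)
    return truncate(hmac.new(seed, counter, hashlib.sha1).digest(), digits)


def challenge_otp(seed: bytes, challenge: str, digits: int = 6) -> str:
    """Challenge-based OTP: the changing input is the server's random number."""
    return truncate(hmac.new(seed, challenge.encode(), hashlib.sha1).digest(), digits)


class AuthServer:
    """Hypothetical server holding the same per-token seed as each user's token."""

    def __init__(self):
        self.seeds = {}        # user -> seed shared with that user's token
        self.last_step = {}    # user -> last time step already accepted
        self.challenges = {}   # user -> outstanding challenge

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def verify_time_otp(self, user: str, code: str, now: int, step: int = 30) -> bool:
        current = now // step
        for candidate in (current - 1, current, current + 1):   # tolerate clock drift
            if candidate <= self.last_step.get(user, -1):
                continue                                        # already used: no replay
            expected = time_otp(self.seeds[user], candidate * step, step)
            if hmac.compare_digest(expected, code):
                self.last_step[user] = candidate
                return True
        return False

    def new_challenge(self, user: str) -> str:
        self.challenges[user] = f"{secrets.randbelow(10 ** 8):08d}"
        return self.challenges[user]

    def verify_challenge(self, user: str, code: str) -> bool:
        challenge = self.challenges.pop(user, None)             # single use
        if challenge is None:
            return False
        return hmac.compare_digest(challenge_otp(self.seeds[user], challenge), code)
```

The server rejects a code it has already accepted and discards each challenge after one attempt, which is what makes the password "not reusable".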
Slide 14
Uses a person’s unique characteristics for authentication (what he is)
Examples: fingerprints, faces, hands, irises, retinas
Types of fingerprint scanners
Static fingerprint scanner
Dynamic fingerprint scanner (more secure)
Disadvantages
Costs
Readers are not always foolproof
How can you change your password if it's your fingerprint?
Slide 15
Slide 16
Authenticates by normal actions that the user performs
Keystroke dynamics
Attempt to recognize a user’s unique typing rhythm
Keystroke dynamics uses two unique typing variables
Dwell time (residing time)
Flight time (time of flight)
Slide 17
Slide 18
Slide 19
Voice recognition
Uses unique characteristics of a person’s voice
Phonetic cadence
Speaking two words together in a way that one word “bleeds” into the next word
Becomes part of each user’s speech pattern
Computer footprint
When and from where a user normally accesses a system
Slide 20
A simple form of two-factor authentication
Required by the US now
Links Ch 8b, c, d
Slide 21
Related to the perception, thought process, and understanding of the user
Easier for the user to remember because it is based on the user’s life experiences
One example of cognitive biometrics is based on a life experience that the user remembers
Another example of cognitive biometrics requires the user to identify specific faces
Slide 22
Slide 23
Authentication Models
Slide 24
One-factor authentication
Using only one authentication credential, such as a password
Two-factor authentication
Enhances security, particularly if different types of authentication methods are used (password and token)
Three-factor authentication
Requires that a user present three different types of authentication credentials
Slide 25
Identity management
Using a single authenticated ID to be shared across multiple networks
Federated identity management (FIM)
When those networks are owned by different organizations
One application of FIM is called single sign-on (SSO)
Using one authentication to access multiple accounts or applications
Slide 26
Originally introduced in 1999 as .NET Passport
When the user wants to log into a Web site that supports Windows Live ID
The user will first be redirected to the nearest authentication server
Once authenticated, the user is given an encrypted time-limited “global” cookie
Never became widely used
Slide 27
New Windows feature
Users control digital identities with digital ID cards
Types of cards
Managed cards
Personal cards
Slide 28
A decentralized open source FIM
Does not require specific software to be installed on the desktop
An OpenID identity is only a URL backed up by a username and password
OpenID provides a means to prove that the user owns that specific URL
Not very secure--dependent on DNS
Slide 29
Authentication Servers
Slide 30
Authentication can be provided on a network by a dedicated AAA or authentication server
The most common types of authentication and AAA servers are
RADIUS
Kerberos
TACACS+
Generic servers built on the Lightweight Directory Access Protocol (LDAP)
Slide 31
Developed in 1992
The industry standard with widespread support
Suitable for what are called “high-volume service control applications”
With the development of IEEE 802.1x port security for both wired and wireless LANs
RADIUS has recently seen even greater usage
Slide 32
A RADIUS client is typically a device such as a dial-up server or wireless access point (AP)
Responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server
The RADIUS server authenticates and authorizes the RADIUS client request
Sends back a RADIUS message response
RADIUS clients also send RADIUS accounting messages to RADIUS servers
Slide 33
Slide 34
An authentication system developed by the Massachusetts Institute of Technology (MIT)
Used to verify the identity of networked users
Kerberos authentication server issues a ticket to the user
The user presents this ticket to the network for a service
The service then examines the ticket to verify the identity of the user
Slide 35
Developed by Cisco to replace RADIUS
More secure and reliable than RADIUS
The centralized server can either be a TACACS+ database
Or a database such as a Linux or UNIX password file with TACACS protocol support
Slide 36
Directory service
A database stored on the network itself that contains information about users and network devices
Can be used with RADIUS
X.500
A standard for directory services
Created by ISO
White-pages service
Capability to look up information by name
Yellow-pages service
Browse and search for information by category
Slide 37
The information is held in a directory information base (DIB)
Entries in the DIB are arranged in a tree structure called the directory information tree (DIT)
Directory Access Protocol (DAP)
Protocol for a client application to access an X.500 directory
DAP is too large to run on a personal computer
Slide 38
Lightweight Directory Access Protocol (LDAP)
Sometimes called X.500 Lite
A simpler subset of DAP
Primary differences
LDAP was designed to run over TCP/IP
LDAP has simpler functions
LDAP encodes its protocol elements in a less complex way than X.500
LDAP is an open protocol
Slide 39
Extended Authentication Protocols (EAP)
Slide 40
In IEEE 802.1x, EAP is the "envelope" that carries data used for authentication
Three EAP protocol categories:
Authentication legacy protocols
EAP weak protocols
EAP strong protocols
Slide 41
Slide 42
No longer extensively used for authentication
Password Authentication Protocol (PAP)
Sends passwords in the clear
Challenge-Handshake Authentication Protocol (CHAP)
Safer than PAP, but vulnerable (link Ch 8g)
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
Slide 43
Still used but have security vulnerabilities
Extended Authentication Protocol–MD5 (EAP-MD5)
Vulnerable to offline dictionary attacks
Lightweight EAP (LEAP)
Also vulnerable to offline dictionary attacks
Can be cracked faster than WEP
Link Ch 8h
Slide 44
EAP with Transport Layer Security (EAP-TLS)
Uses certificates for both client and server
Used in large Windows networks
EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)
No client-side certificate
Easier to implement than EAP-TLS
Slide 45
Remote Authentication and Security
Slide 46
Important to maintain strong security for remote communications
Transmissions are routed through networks or devices that the organization does not manage and secure
Managing remote authentication and security usually includes:
Using remote access services
Installing a virtual private network
Maintaining a consistent remote access policy
Slide 47
Any combination of hardware and software that enables remote users to access a local internal network
Provides remote users with the same access and functionality as local users
Slide 48
One of the most common types of RAS
Uses an unsecured public network, such as the Internet, as if it were a secure private network
Encrypts all data that is transmitted between the remote device and the network
Common types of VPNs
Remote-access VPN or virtual private dial-up network (VPDN)
Site-to-site VPN
Slide 49
Slide 50
VPN transmissions are achieved through communicating with endpoints
Endpoint
End of the tunnel between VPN devices
VPN concentrator
Aggregates hundreds or thousands of multiple connections
Depending upon the type of endpoint that is being used, client software may be required on the devices that are connecting to the VPN
Slide 51
VPNs can be software-based or hardware-based
Software-based VPNs offer the most flexibility in how network traffic is managed
Hardware-based VPNs generally tunnel all traffic they handle regardless of the protocol
Generally, software-based VPNs do not have as good performance or security as a hardware-based VPN
Slide 52
Cost savings (no long-distance phone call)
Scalability (easy to add more users)
Full protection (all traffic is encrypted)
Speed (faster than direct dial-up)
Transparency (invisible to the user)
Authentication (only authorized users can connect)
Industry standards
Slide 53
Management
Availability and performance
Interoperability
Additional protocols
Performance impact
Expense
Slide 54
Establishing strong remote access policies is important
Some recommendations for remote access policies:
Remote access policies should be consistent for all users
Remote access should be the responsibility of the IT department
Form a working group and create a standard that all departments will agree to
Slide 55
Basic Cryptography
Slide 56
Define cryptography
Describe hashing
List the basic symmetric cryptographic algorithms
Describe how asymmetric cryptography works
List types of file and file system cryptography
Explain how whole disk encryption works
Slide 57
Cryptography - scrambles data
The science of transforming information into an unintelligible form while it is being transmitted or stored so that unauthorized users cannot access it
Steganography - hides data
Hides the existence of the data
What appears to be a harmless image can contain hidden data embedded within the image
Can use image files, audio files, or even video files to contain hidden information
Slide 58
Slide 59
Used by Julius Caesar
Caesar shifted each letter of his messages to his generals three places down in the alphabet
So BURN THE BRIDGE becomes
EXUQ WKH EULGJH
A D
B E
C F
D G
E H
F I
G J
H K
Slide 60
Encryption
Changing the original text to a secret message using cryptography
Decryption
Changing the secret message back to its original form
Slide 61
Slide 62
Cryptography can provide:
Confidentiality of information
Integrity of the information
Availability of the data
To users with the key
Guarantee Authenticity of the sender
Enforce Non-repudiation
Sender cannot deny sending the message
Slide 63
Slide 64
Cryptographic Algorithms
Slide 65
There are three categories of cryptographic algorithms:
Hashing algorithms
Symmetric encryption algorithms
Asymmetric encryption algorithms
Slide 66
Hashing Algorithms
Slide 67
Hashing is a one-way process
Converting a hash back to the original data is difficult or impossible
A hash is a unique “signature” for a set of data
This signature, called a hash or digest, represents the contents
Hashing is used only for integrity to ensure that:
Information is in its original form
No unauthorized person or malicious software has altered the data
Common hash algorithms
MD5, SHA-1
Slide 68
Slide 69
Link Ch 11a
Slide 70
A hashing algorithm is considered secure if:
The ciphertext hash is a fixed size
Two different sets of data cannot produce the same hash, which is known as a collision
It should be impossible to produce a data set that has a desired or predefined hash
The resulting hash ciphertext cannot be reversed to find the original data
Slide 71
Slide 72
Hash values are often posted on Internet sites
In order to verify the file integrity of files that can be downloaded
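Added example (not part of the original slides): checking a downloaded file against a posted hash value, and showing that a one-bit change to the file produces a mismatch. The file name and its contents are constructed for the demonstration, and SHA-256 is chosen here as the algorithm.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large downloads never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a file's digest with the value posted by the publisher."""
    expected = published_hex.strip().lower()
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError(f"not a {algorithm} digest: wrong length")
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo() -> dict:
    """Constructed sample: publish a digest, then alter one bit of the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.bin")          # hypothetical download
        with open(path, "wb") as f:
            f.write(b"constructed installer contents\n" * 5000)
        published = file_digest(path)                      # what the site would post
        intact = verify_download(path, published)
        with open(path, "r+b") as f:                       # flip a single bit
            f.seek(1234)
            byte = f.read(1)
            f.seek(1234)
            f.write(bytes([byte[0] ^ 0x01]))
        altered = verify_download(path, published)
        return {"intact": intact, "altered": altered,
                "digest_hex_chars": len(published)}
```

The check is only as trustworthy as the channel over which the published value was obtained.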
Slide 73
Slide 74
Message Digest (MD) algorithm
One common hash algorithm
Three versions
Message Digest 2 (MD2)
Message Digest 4 (MD4)
Message Digest 5 (MD5)
Suffer from collisions
Not secure
See links Ch 11b, c, d
Slide 75
More secure than MD
A family of hashes
SHA-1
Patterned after MD4, but creates a hash that is 160 bits in length instead of 128 bits
SHA-2
Comprised of four variations, known as SHA-224, SHA-256, SHA-384, and SHA-512
Considered to be a secure hash
Slide 76
Link Ch 11d
Slide 77
A relatively recent cryptographic hash function
Has received international recognition and adoption by standards organizations
Creates a hash of 512 bits
Slide 78
Another use for hashes is in storing passwords
When a password for an account is created, the password is hashed and stored
The Microsoft NT family of Windows operating systems hashes passwords in two different forms
LM (LAN Manager) hash
NTLM (New Technology LAN Manager) hash
Most Linux systems use password-hashing algorithms such as MD5
Apple Mac OS X uses SHA-1 hashes
Slide 79
Symmetric Cryptographic Algorithms
Slide 80
Symmetric cryptographic algorithms
Use the same single key to encrypt and decrypt a message
Also called private key cryptography
Stream cipher
Takes one character and replaces it with one character
WEP (Wired Equivalent Protocol) is a stream cipher
Substitution cipher
The simplest type of stream cipher
Simply substitutes one letter or character for another
Slide 81
Slide 82
Slide 83
With most symmetric ciphers, the final step is to combine the cipher stream with the plaintext to create the ciphertext
The process is accomplished through the exclusive OR (XOR) binary logic operation
One-time pad (OTP)
Combines a truly random key with the plaintext
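Added example (not part of the original slides): the XOR combining step and a one-time pad, followed by what happens when the same pad is used for a second message. The two messages are constructed, and the operating system's CSPRNG stands in for the truly random key.

```python
import secrets


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """Combine data with a keystream, byte by byte, using XOR."""
    if len(keystream) < len(data):
        raise ValueError("keystream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def pad_encrypt(plaintext: bytes):
    """One-time pad: a fresh random key exactly as long as the message."""
    pad = secrets.token_bytes(len(plaintext))   # CSPRNG used as the random source
    return pad, xor_bytes(plaintext, pad)


def demo() -> dict:
    p1 = b"BURN THE BRIDGE"          # constructed messages of equal length
    p2 = b"HOLD THE BRIDGE"
    pad, c1 = pad_encrypt(p1)
    decrypted = xor_bytes(c1, pad)   # XOR with the same pad undoes the encryption

    c2 = xor_bytes(p2, pad)          # mistake: the pad is used a second time
    leak = xor_bytes(c1, c2)         # the pad cancels out: c1 ^ c2 == p1 ^ p2
    return {
        "decrypted": decrypted,
        "leak_equals_plaintext_xor": leak == xor_bytes(p1, p2),
        # zero bytes in the leak mark positions where both messages agree
        "identical_positions": [i for i, b in enumerate(leak) if b == 0],
        # anyone who knows one message can read the other without the pad
        "p2_from_known_p1": xor_bytes(leak, p1),
    }
```

This is why a pad, or any keystream, must be used for one message only.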
Slide 84
Slide 85
Manipulates an entire block of plaintext at one time
Plaintext message is divided into separate blocks of 8 to 16 bytes
And then each block is encrypted independently
Stream cipher advantages and disadvantages
Fast when the plaintext is short
More prone to attack because the engine that generates the stream does not vary
Block ciphers are more secure than stream ciphers
Slide 86
Slide 87
Data Encryption Standard (DES)
Declared as a standard by the U.S. Government
DES is a block cipher and encrypts data in 64-bit blocks
Uses 56-bit key, very insecure
Has been broken many times
Triple Data Encryption Standard (3DES)
Uses three rounds of DES encryption
Effective key length 112 bits
Considered secure
Slide 88
Slide 89
Approved by the NIST in late 2000 as a replacement for DES
Official standard for U.S. Government
Considered secure--has not been cracked
Slide 90
Link Ch 11e
Slide 91
Several other symmetric cryptographic algorithms are also used:
Rivest Cipher (RC) family from RC1 to RC6
International Data Encryption Algorithm (IDEA)
Blowfish
Twofish
Slide 92
Asymmetric Cryptographic Algorithms
Slide 93
Asymmetric cryptographic algorithms
Also known as public key cryptography
Uses two keys instead of one
The public key is known to everyone and can be freely distributed
The private key is known only to the recipient of the message
Asymmetric cryptography can also be used to create a digital signature
Slide 94
Slide 95
A digital signature can:
Verify the sender
Prove the integrity of the message
Prevent the sender from disowning the message (non-repudiation)
A digital signature does not encrypt the message, it only signs it
Slide 96
Slide 97
Slide 98
The most common asymmetric cryptography algorithm
RSA makes the public and private keys by multiplying two large prime numbers p and q
To compute their product (n=pq)
It is very difficult to factor the number n to find p and q
Finding the private key from the public key would require a factoring operation
RSA is complex and slow, but secure
100 times slower than DES
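Added example (not part of the original slides): textbook RSA with small primes, showing key generation from p and q, encryption, a digital signature, and how factoring n rebuilds the private key. The primes and exponents are illustrative choices, and the code omits the padding that real RSA requires.

```python
import hashlib
from math import gcd


def make_keys(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(m: int, public) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)


def decrypt(c: int, private) -> int:
    n, d = private
    return pow(c, d, n)


def digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Digital signature: the message digest raised to the private exponent."""
    n, d = private
    return pow(digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == digest_mod_n(message, n)


def factor(n: int):
    """Trial division: instant for toy moduli, infeasible at real key sizes."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no odd factor found")


def private_from_public(public):
    """Whoever can factor n can rebuild the private key from the public one."""
    n, e = public
    p, q = factor(n)
    return make_keys(p, q, e)[1]
```

With p = 61, q = 53 and e = 17 the public key is (3233, 17) and the private exponent is 2753; the security of a real key rests entirely on n being too large to factor.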
Slide 99
A key exchange algorithm, not an encryption algorithm
Allows two users to share a secret key securely over a public network
Once the key has been shared
Then both parties can use it to encrypt and decrypt messages using symmetric cryptography
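Added example (not part of the original slides): both sides of a Diffie-Hellman exchange, ending with the same symmetric key on each side while only p, g and the two public values cross the network. The group parameters are a toy choice for illustration, and the Party class and exchange function are hypothetical names.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): the Mersenne prime 2**127 - 1.
# Real deployments use standardized groups of 2048 bits or more.
TOY_P = 2 ** 127 - 1
TOY_G = 3


class Party:
    def __init__(self, p: int = TOY_P, g: int = TOY_G, private=None):
        self.p, self.g = p, g
        # Private exponent in [2, p-2]; it never leaves this object.
        self._x = private if private is not None else secrets.randbelow(p - 3) + 2
        self.public = pow(g, self._x, p)      # sent over the public network

    def shared_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: they would force a predictable shared secret.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("degenerate public value")
        secret = pow(peer_public, self._x, self.p)
        size = (self.p.bit_length() + 7) // 8
        # Hash the raw secret into a 256-bit key for a symmetric cipher.
        return hashlib.sha256(secret.to_bytes(size, "big")).digest()


def exchange(alice: Party, bob: Party) -> dict:
    """Run the exchange; 'wire' is everything an eavesdropper gets to see."""
    wire = {"p": alice.p, "g": alice.g, "A": alice.public, "B": bob.public}
    return {"wire": wire,
            "alice_key": alice.shared_key(wire["B"]),
            "bob_key": bob.shared_key(wire["A"])}
```

The exchange by itself does not authenticate either party, so in practice the public values are signed or otherwise tied to an identity.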
Slide 100
Secure Web Pages typically use RSA, Diffie-Hellman, and a symmetric algorithm like RC4
RSA is used to send the private key for the symmetric encryption
Slide 101
Slide 102
Slide 103
An elliptic curve is a function drawn on an X-Y axis as a gently curved line
By adding the values of two points on the curve, you can arrive at a third point on the curve
The public aspect of an elliptic curve cryptosystem is that users share an elliptic curve and one point on the curve
Not common, but may one day replace RSA
Slide 104
Using Cryptography on Files and Disks
Slide 105
Pretty Good Privacy (PGP)
One of the most widely used asymmetric cryptography systems for files and e-mail messages on Windows systems
GNU Privacy Guard (GPG)
A similar open-source program
PGP and GPG use both asymmetric and symmetric cryptography
Slide 106
Part of Windows
Uses the Windows NTFS file system
Because EFS is tightly integrated with the file system, file encryption and decryption are transparent to the user
EFS encrypts the data as it is written to disk
On Macs, FileVault encrypts a user's home folder
Slide 107
Windows BitLocker
A hardware-enabled data encryption feature
Can encrypt the entire Windows volume
Includes Windows system files as well as all user files
Encrypts the entire system volume, including the Windows Registry and any temporary files that might hold confidential information
TrueCrypt
Open-source, free, and can encrypt folders or files
Slide 108
A chip on the motherboard of the computer that provides cryptographic services
If the computer does not support hardware-based TPM then the encryption keys for securing the data on the hard drive can be stored by BitLocker on a USB flash drive
Slide 109
Can defeat all currently available whole disk encryption techniques (link Ch 11i)
Slide 110
Slide 111