where are we at - topic overview - eindhoven university of...
TRANSCRIPT
Where are we at - Topic overview
1
Lecture 6A: Security Protocols
Lecture 3A:Attacks onWeb servers,malware
Use
Try to achieve
Lecture 1A:Security requirements/features
Threatens
Lecture 1B,2A: Cryptography3B: Certificates and Trust
Lecture 2B: Network threats
Threatens
Lecture 5A&BAuthentication
Lecture 7APrivacy
Lecture 4A&BAccess Rights
Certificates & Trust
Hashes, Digital Signature, PKIs, Trust management
3
Error correction - Hash - MAC
CRC check or MD5 checksum Common for e.g. ftp sites Does this add security?
28997d14055f15db063eb92e1c8a7ebb gimp-2.8.0.tar.bz2
134396e4399b7e753ffca7ba366c418f gimp-2.8.0-RC1.tar.bz2
Excerpt; short `description’ of document Fixed size output for any size input
4
Error correction - Hash - MAC
28997d14055f15db063eb92e1c8a7ebb gimp-2.8.0.tar.bz2
134396e4399b7e753ffca7ba366c418f gimp-2.8.0-RC1.tar.bz2
Excerpt; short `description’ of document Fixed size output for any size input Goals
Integrity: message not altered Authentication: message from X Proof of possession without revealing content now Non-repudiation
5
Properties of Hash functions
Pre-image resistant
1-Way `random function’
m with H(m) = h
Collision resistant
m
m’
H(m)=
H(m’)
Practical
Efficiently computablem H(m)
m H(m)
Hard to find:
Second pre-image resistant
m
m’
H(m)=
H(m’)
m’ with H(m’) = H(m)m, m’ with H(m) = H(m’)
6
Applications of Hash functions
Message DigestCheck have correct message
Password storage No reverse; how verified? Password recovery?
Message SigningSigning large message is slowSign hash of message instead
7
An Example: MD5
message padding: 10..00 length
Message padded so total size is multiple of 512 bits
512 bits
HMD5IV128 128
512 bits
HMD5CVi
128 128
CVi+1
512 bits
HMD5128 128
outputY
Compression Function
64 bits
8
Compression functionHMD5
RF(F)
RF(G)
RF(H)
RF(I)
CV(in)
CV(out)128
128
P1
Y (block)
P2
P3
P4
512
X
PermutationsPermutationsPermutationsPermutations Round Function(next slide)
9
RF(F) For k=1 to 16 do
A B C D
A B C D
X[k]
T[k]
S[k]
FPermuted Text Block
Array of ConstantsArray of Constants
Chaining Value (CV)Chaining Value (CV)
Modular addition
10
Weakness MD5
http://www.win.tue.nl/hashclash/rogue-ca/ video at e.g.
http://dewy.fem.tu-ilmenau.de/CCC/25C3/video_h264_720x576/25c3-3023-en-making_the_theoretical_possible.mp4
11
Message Authentication Codes Unable to predict for unseen message Keyed; validation requires same key Authenticity and Integrity Example: Keyed-Hash; uses (symmetric) key
Hmac; masked key pre-pended before hash.
MAC
Key
Message(any length)
Generation&
Validation
12
Digital Signatures `Public key version of a MAC’ Signing with a private keyDecryption of Hash of Message
Verification with public key
Decrypt(=Sign)
Digital Signature
Private KeyMessage(any length)
Encrypt
Public Key
Hash
Message(any length)
Hash?=
Generation Validation
13
Digital signatures with RSA
Signing Message M:Compute hash h := H(M)Signature s := RSA_D(kA, h)
Private key Alice: kA
Public key Alice: KA
Checking Signature:Compute hash h := H(M)Check: RSA_E(KA, s) == h
Uses fact: RSA_E( KA, RSA_D(kA, x) ) = x
14
Key distribution
Alice Bob
Private key
Public key
Signature
15
(Wo)man-in-the-middle attack
Alice Bob
Eve
Private key
Public key
Signature
16
Certificate Bob’s public key is 1234Bob is a Baker ...
Statement (e.g. Identity, Attribute) signed by principal whom believes it to be true at time of signing
and/or: assumes responsibility, liability, …
Example: X.509 - Statement links a key to attributes
Note: Revocation; Validity period – revocation certificate
EXP DATE: 29-2-2013
Trust me I’m a doctor
Certificate based Trust Management
Trust based on formal relationships
PoFI 2010 Feb 5th 2010
Certificate Authority CA
18
validate,certify
Root CA
Intermediate CA Intermediate CA Intermediate CA
validate,certify
Intermediate CA Intermediate CA
pub key -attributes
validate,certify
pub key -attributes
pub key -attributes
Validates attributeIdentity, role, e-mail address, Web address, etc. Links them to pub key
E.g. VerisignVerification method?
(Demo Certificates and CA in browser)
Transitive and full trust Dec12/Jan 13: Turktrust fake certificate discovery
Fake intermediate CA certificates (issued august 11)
Aug11: Hack DigiNotar confirmed Dutch Certificate Authority First hack already in June 2011 Many rogue SSL certificates (Diginotar bankrupt in September 2011)
March11: Comodo partner incidient 9 fake certificates issued (e.g. live/google/yahoo/skype/mozilla) quickly discovered and disseminated.
CA can Issue any certificate.
19
20
Web of Trust Recall First Lab session
Validate key directly New keys signed by known keys
No centralized CAs Each user signs keys they trust User can choose degree of trust in other keys
For communication For signing other keys
Compare S/MIME – CA signed certificates
21
Rule based trust management Generalizes tree of CAs
Policy rules Alice:A.r ← B
A.r ← B.r
A.r ← A.cert.r
A.r ← B.r /\ C.r
Meaning:Alice trusts Bob in role r
(Bob is certified for r)Alice trust Bob certifying r
(Bob is a CA for r)Alice trusts anyone in A.cert to certify r
(Everybody in A.cert is CA for r)Alice trusts if both Bob and Charlie trust.
Can also use multiple different roles `r’.
Certificate, Rule Based Trust Policy: GMS.Dr may read Patient record
Rules to establish DoctorsGMS.Dr ← GMS.Department.DrGMS.Department ← RadiologyRadiology.Dr ← Alice
Alice may read the patient record
Trusted, Certified facts & Delegation
GreenMedicalService
22
You can trust me, ask anyone
Reputation based Trust Management
Trust based on opinions/experiences
1.000 satisfiedcustomers and
counting.
24
Reputation, Behaviour Based Trust
Policy Dr with good reputation may treat
Reputation based on Past PerformanceFeedback after interaction updates reputationE-bay, Eigentrust, pagerank, centrality measures
Estimate risk based on Reputation
Good reputation valuable Incentive for good behaviour
Fastand
QuiteGood
TRU
ST100%
Fastand
QuiteGood
Feedback &Recommendations
Certificates
User’s Requirementsdetermine how to mix
Other sources…
Combined Trust Scores
25