An important application area is that of mutual authentication
protocols. Such protocols enable communicating parties to satisfy
themselves mutually about each other’s identity and to exchange
session keys. In the preceding discussion the focus was key distribution. Central to the
problem of authenticated key exchange are two issues:
confidentiality and timeliness. To prevent masquerade and to
prevent compromise of session keys, essential identification and
session-key information must be communicated in encrypted form.
This requires the prior existence of secret or public keys that can be
used for this purpose. The second issue, timeliness, is important
because of the threat of message replays. Such replays, at worst,
could allow an opponent to compromise a session key or
successfully impersonate another party. At minimum, a successful
replay can disrupt operations by presenting parties with messages
that appear genuine but are not.
Document: Mặt nạ và mã hóa dữ liệu (Masking and Data Encryption), lecture slides, 223 pages.
Lê Nhật Duy, PhD.
Blog: https://Lnduy.wordpress.com
Email: Ln.duy@mail.ru
Reference books
Subject introduction
Examination
Rules
Main textbook:
Stallings W., Cryptography and Network Security:
Principles and Practice, 5th edition, Prentice Hall, 2010
Reference material:
Rick Lehtinen, Computer Security Basics, 2006,
O'Reilly Publishing
Emmett Dulaney, CompTIA Security+ Deluxe Study
Guide, Wiley Publishing, 2009
1. OVERVIEW
2. SYMMETRIC CIPHERS
2.1. Classical Encryption Techniques
2.2. Block Ciphers And The Data Encryption Standard
2.3. Basic Concepts In Number Theory And Finite Fields
2.4. Advanced Encryption Standard
2.5. Block Cipher Operation
2.6. Pseudorandom number generation and stream
ciphers
3. ASYMMETRIC CIPHERS
3.1. Introduction To Number Theory
3.2. Public-key Cryptography and RSA
3.3. Other Public-key Cryptosystems
4. CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
4.1. Cryptographic Hash Functions
4.2. Message Authentication Codes
4.3. Digital Signatures
5. MUTUAL TRUST
5.1. Key Management And Distribution
5.2. User Authentication
Mid-term
Assignments
Final test
1. Computer Security Concepts
2. The OSI Security Architecture
3. Security Attacks
4. Security Services
5. Security Mechanisms
6. A Model for Network Security
The Open Systems Interconnection (OSI) security architecture
provides a systematic framework for defining security attacks,
mechanisms, and services.
Security attacks are classified as either passive attacks, which
include unauthorized reading of a message or file and traffic
analysis, or active attacks, such as modification of messages or
files and denial of service.
A security mechanism is any process (or a device incorporating
such a process) that is designed to detect, prevent, or recover
from a security attack. Examples of mechanisms are encryption
algorithms, digital signatures, and authentication protocols.
Security services include authentication, access control, data
confidentiality, data integrity, nonrepudiation, and availability.
COMPUTER SECURITY: The protection afforded to an
automated information system in order to attain the
applicable objectives of preserving the integrity,
availability, and confidentiality of information system
resources (includes hardware, software, firmware,
information/data, and telecommunications).
This definition introduces three key objectives that are at
the heart of computer security:
Confidentiality
Integrity
Availability
Confidentiality: data confidentiality, privacy
Integrity: data integrity, system integrity
Availability
CIA triad (Figure 1.1)
Although the use of the CIA triad to define security
objectives is well established, some in the security field
feel that additional concepts are needed to present a
complete picture. Two of the most commonly mentioned
are as follows:
Authenticity: The property of being genuine and being
able to be verified and trusted; confidence in the validity
of a transmission, a message, or message originator. This
means verifying that users are who they say they are and
that each input arriving at the system came from a trusted
source.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely
to that entity. This supports nonrepudiation, deterrence,
fault isolation, intrusion detection and prevention, and
after-action recovery and legal action. Because truly
secure systems are not yet an achievable goal, we must be
able to trace a security breach to a responsible party.
Systems must keep records of their activities to permit
later forensic analysis to trace security breaches or to aid
in transaction disputes.
Threats and Attacks (RFC 2828)
Threat: A potential for violation of security, which exists
when there is a circumstance, capability, action, or event
that could breach security and cause harm. That is, a
threat is a possible danger that might exploit a
vulnerability.
Attack: An assault on system security that derives from
an intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the
security policy of a system.
Security attack: Any action that compromises the
security of information owned by an organization.
Security mechanism: A process (or a device
incorporating such a process) that is designed to detect,
prevent, or recover from a security attack.
Security service: A processing or communication service
that enhances the security of the data processing systems
and the information transfers of an organization. The
services are intended to counter security attacks, and they
make use of one or more security mechanisms to provide
the service.
Passive Attacks: Passive attacks are in the nature of
eavesdropping on, or monitoring of, transmissions. The
goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are the release
of message contents and traffic analysis.
Active attacks involve some modification of the data
stream or the creation of a false stream and can be
subdivided into four categories: masquerade, replay,
modification of messages, and denial of service.
Masquerade (Figure 1.3a)
Replay (Figure 1.3b)
Modification of messages (Figure 1.3c)
Denial of service (Figure 1.3d)
1. Classical encryption techniques
2. Block ciphers and the data encryption standard
3. Basic concepts in number theory and finite fields
4. Advanced encryption standard
5. Block cipher operation
6. Pseudorandom number generation and stream ciphers
Symmetric Cipher Model
Substitution Techniques
Transposition Techniques
Rotor Machines
Steganography
Symmetric encryption is a form of cryptosystem in
which encryption and decryption are performed using the
same key. It is also known as conventional encryption.
Symmetric encryption transforms plaintext into
ciphertext using a secret key and an encryption algorithm.
Using the same key and a decryption algorithm, the
plaintext is recovered from the ciphertext.
The two types of attack on an encryption algorithm are
cryptanalysis, based on properties of the encryption
algorithm, and brute-force, which involves trying all
possible keys.
Traditional (precomputer) symmetric ciphers use
substitution and/or transposition techniques. Substitution
techniques map plaintext elements (characters, bits) into
ciphertext elements. Transposition techniques
systematically transpose the positions of plaintext
elements.
Rotor machines are sophisticated precomputer hardware
devices that use substitution techniques.
Steganography is a technique for hiding a secret message
within a larger one in such a way that others cannot
discern the presence or contents of the hidden message.
Plaintext: This is the original intelligible message or data
that is fed into the algorithm as input.
Encryption algorithm: The encryption algorithm performs
various substitutions and transformations on the plaintext.
Secret key: The secret key is also input to the encryption
algorithm. The key is a value independent of the plaintext
and of the algorithm.
Ciphertext: This is the scrambled message produced as
output. It depends on the plaintext and the secret key.
Decryption algorithm: This is essentially the encryption
algorithm run in reverse. It takes the ciphertext and the
secret key and produces the original plaintext.
Cryptographic systems are characterized along three
independent dimensions:
1. The type of operations used for transforming
plaintext to ciphertext. (substitution, transposition).
2. The number of keys used (symmetric, public-key
encryption)
3. The way in which the plaintext is processed (block
cipher, stream cipher)
Cryptanalysis: Cryptanalytic attacks rely on the nature of
the algorithm plus perhaps some knowledge of the
general characteristics of the plaintext or even some
sample plaintext–ciphertext pairs. This type of attack
exploits the characteristics of the algorithm to attempt to
deduce a specific plaintext or to deduce the key being
used.
Brute-force attack: The attacker tries every possible key
on a piece of ciphertext until an intelligible translation
into plaintext is obtained. On average, half of all possible
keys must be tried to achieve success. The only defense is
a key space too large to search: the 2^56 keys of DES can
be exhausted with modest hardware, the 2^128 keys of AES
cannot.
A substitution technique is one in which the letters of
plaintext are replaced by other letters or by numbers or
symbols. If the plaintext is viewed as a sequence of bits,
then substitution involves replacing plaintext bit patterns
with ciphertext bit patterns.
Caesar Cipher
For example,
plain: meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB
Monoalphabetic Ciphers
Playfair Cipher
Hill Cipher
Polyalphabetic Ciphers
An Army Signal Corps officer, Joseph Mauborgne, proposed
an improvement to the Vernam cipher that yields the
ultimate in security. Mauborgne suggested using a random
key that is as long as the message, so that the key need not
be repeated. In addition, the key is to be used to encrypt and
decrypt a single message, and then is discarded. Each new
message requires a new key of the same length as the
new message. Such a scheme, known as a one-time pad, is
unbreakable. It produces random output that bears no
statistical relationship to the plaintext. Because the
ciphertext contains no information whatsoever about the
plaintext, there is simply no way to break the code. The
guarantee rests entirely on those three conditions (truly
random key, at least as long as the message, never reused):
if a pad is used twice, XORing the two ciphertexts cancels
the key and exposes the XOR of the two plaintexts.
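The one-time pad over bytes, and what an attacker gets when a pad is reused, as an added example that is not part of the lecture notes. The two messages are constructed for illustration:

```python
"""One-time pad over bytes, and what goes wrong when the pad is reused.

Added example, not code from the lecture notes. The plaintexts are constructed
for illustration."""
import secrets


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each plaintext byte with the corresponding pad byte.

    The pad must be uniformly random, at least as long as the message, and
    used exactly once; those three conditions are what make the scheme
    information-theoretically secure."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Given two ciphertexts made with the same pad, return p1 XOR p2.

    The pad cancels out: (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2. The attacker now holds
    a relation between the two plaintexts that contains no key material at all,
    and with a guess of part of one message can read the other ("crib dragging")."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(xored: bytes, crib: bytes, offset: int) -> bytes:
    """If `crib` is the content of one plaintext at `offset`, recover the other
    plaintext's bytes at the same position from p1 XOR p2."""
    segment = xored[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(segment, crib))


if __name__ == "__main__":
    p1 = b"attack at dawn"
    p2 = b"retreat at six"          # constructed second message of equal length
    pad = secrets.token_bytes(len(p1))

    c1 = otp_encrypt(p1, pad)
    assert otp_decrypt(c1, pad) == p1

    # Reuse the pad for a second message: the security argument collapses.
    c2 = otp_encrypt(p2, pad)
    relation = two_time_pad_leak(c1, c2)
    # Guess that message 1 ends with "dawn" and read message 2 at that position.
    print(crib_drag(relation, b"dawn", 10))   # b' six'
```

The same failure applies to any stream cipher: a keystream reused for two messages leaks their XOR exactly as a reused pad does.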
The simplest such cipher is the rail fence technique, in
which the plaintext is written down as a sequence of
diagonals and then read off as a sequence of rows. For
example, to encipher the message “meet me after the
toga party” with a rail fence of depth 2, we write the
following:
m e m a t r h t g p r y
e t e f e t e o a a t
The encrypted message is
MEMATRHTGPRYETEFETEOAAT
A plaintext message may be hidden in one of two ways.
The methods of steganography conceal the existence of
the message, whereas the methods of cryptography render
the message unintelligible to outsiders by various
transformations of the text.
Character marking: Selected letters of printed or
typewritten text are over-written in pencil. The marks are
ordinarily not visible unless the paper is held at an angle
to bright light.
Invisible ink: A number of substances can be used for
writing but leave no visible trace until heat or some
chemical is applied to the paper.
Pin punctures: Small pin punctures on selected letters
are ordinarily not visible unless the paper is held up in
front of a light.
Typewriter correction ribbon: Used between lines typed
with a black ribbon, the results of typing with the
correction tape are visible only under a strong light.
The advantage of steganography is that it can be employed
by parties who have something to lose should the fact of
their secret communication (not necessarily the content)
be discovered. Encryption flags traffic as important or
secret or may identify the sender or receiver as someone
with something to hide.
Block Cipher Principles
The Data Encryption Standard
A block cipher is an encryption/decryption scheme in
which a block of plaintext is treated as a whole and used
to produce a ciphertext block of equal length.
Many block ciphers have a Feistel structure. Such a
structure consists of a number of identical rounds of
processing. In each round, a substitution is performed on
one half of the data being processed, followed by a
permutation that interchanges the two halves. The original
key is expanded so that a different key is used for each
round.
The Data Encryption Standard (DES) was for decades the most
widely used encryption algorithm. It exhibits the classic
Feistel structure. DES uses a 64-bit block and a 56-bit key.
Two important methods of cryptanalysis are differential
cryptanalysis and linear cryptanalysis. DES has been
shown to be highly resistant to these two types of attack.
Its weakness is the 56-bit key: exhaustive key search has
been practical since the late 1990s, so single DES is
obsolete and has been superseded by AES.
Stream Ciphers and Block Ciphers
A stream cipher is one that encrypts a digital data stream
one bit or one byte at a time.
A block cipher is one in which a block of plaintext is
treated as a whole and used to produce a ciphertext block
of equal length. Typically, a block size of 64 or 128 bits is
used.
In the late 1960s, IBM set up a research project in
computer cryptography led by Horst Feistel. The project
concluded in 1971 with the development of an algorithm
with the designation LUCIFER [FEIS73], which was sold
to Lloyd’s of London for use in a cash-dispensing system,
also developed by IBM.
In 1973, the National Bureau of Standards (NBS) issued a
request for proposals for a national cipher standard. IBM
submitted the results of its Tuchman–Meyer project. This
was by far the best algorithm proposed and was adopted
in 1977 as the Data Encryption Standard.
As with any encryption scheme, there are two inputs to
the encryption function: the plaintext to be encrypted and
the key. In this case, the plaintext must be 64 bits in
length and the key is 56 bits in length (Actually, the
function expects a 64-bit key as input. However, only 56
of these bits are ever used; the other 8 bits can be used as
parity bits or simply set arbitrarily).
Divisibility and The Division Algorithm
The Euclidean Algorithm
Modular Arithmetic
Groups, Rings, and Fields
Finite Fields of the Form GF(p)
Polynomial Arithmetic
Finite Fields of the Form GF(2^n)
Modular arithmetic is a kind of integer arithmetic that
reduces all numbers to one of a fixed set [0,...,n-1] for
some number n. Any integer outside this range is reduced
to one in this range by taking the remainder after division
by n.
The greatest common divisor of two integers is the largest
positive integer that exactly divides both integers.
A field is a set of elements on which two arithmetic
operations (addition and multiplication) have been defined
and which has the properties of ordinary arithmetic, such
as closure, associativity, commutativity, distributivity, and
having both additive and multiplicative inverses.
Finite fields are important in several areas of
cryptography. A finite field is simply a field with a finite
number of elements. It can be shown that the order of a
finite field (number of elements in the field) must be a
power of a prime p^n, where n is a positive integer.
Finite fields of order p can be defined using arithmetic
mod p.
Finite fields of order p^n, for n>1, can be defined using
arithmetic over polynomials.
Definition: Two integers are relatively prime if their
only common positive integer factor is 1.
Finding the Greatest Common Divisor
Properties of Congruences
Finite Field Arithmetic
AES Structure
AES Transformation Functions
AES Key Expansion
An AES Example
AES Implementation
AES is a block cipher intended to replace DES for
commercial applications. It uses a 128-bit block size and
a key size of 128, 192, or 256 bits.
AES does not use a Feistel structure. Instead, each full
round consists of four separate functions: byte
substitution, permutation, arithmetic operations over a
finite field, and XOR with a key.
Multiple Encryption and Triple DES
Electronic Code Book
Cipher Block Chaining Mode
Cipher Feedback Mode
Output Feedback Mode
Counter Mode
XTS-AES Mode for Block-Oriented Storage Devices
Multiple encryption is a technique in which an encryption
algorithm is used multiple times. In the first instance,
plaintext is converted to ciphertext using the encryption
algorithm. This ciphertext is then used as input and the
algorithm is applied again. This process may be repeated
through any number of stages.
Triple DES makes use of three stages of the DES
algorithm, using a total of two or three distinct keys.
A mode of operation is a technique for enhancing the
effect of a cryptographic algorithm or adapting the
algorithm for an application, such as applying a block
cipher to a sequence of data blocks or a data stream.
Five modes of operation have been standardized by NIST
for use with symmetric block ciphers such as DES and
AES: electronic codebook mode, cipher block chaining
mode, cipher feedback mode, output feedback mode, and
counter mode. Electronic codebook mode encrypts every
block independently, so identical plaintext blocks yield
identical ciphertext blocks; it should not be used for
messages longer than one block.
Another important mode, XTS-AES, has been
standardized by the IEEE Security in Storage Working
Group (P1619). The standard describes a method of
encryption for data stored in sector-based devices where
the threat model includes possible access to stored data by
the adversary.
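An added example, not code from the lecture notes, that ties together the Feistel structure described in the block cipher section and the ECB and CBC modes listed above. The block cipher is a generic 16-round Feistel network over 64-bit blocks whose round function is a truncated SHA-256 of the round key and the right half; that round function and the key schedule are assumptions of this example, and the cipher is for illustration only, not a vetted design. The mode logic is exactly what is run over DES or AES:

```python
"""A toy Feistel block cipher and the ECB and CBC modes run over it.

Added example, not code from the lecture notes. The cipher is a generic
Feistel network whose round function is a truncated SHA-256 of the round key
and the right half (an assumption of this example; it is for illustration and
is not a vetted cipher). The modes are implemented as defined in the notes and
work the same way over DES or AES.
"""
import hashlib
import secrets

BLOCK = 8        # 64-bit block, two 32-bit halves, like DES
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> list[bytes]:
    """Key expansion: derive one distinct 16-byte subkey per round from the master key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:16] for i in range(ROUNDS)]


def _f(right: bytes, k: bytes) -> bytes:
    """Round function: a keyed, non-invertible mix of the right half."""
    return hashlib.sha256(k + right).digest()[:4]


def _feistel(block: bytes, keys: list[bytes]) -> bytes:
    """One pass through the network. Feistel's trick: F need not be invertible,
    because each round XORs F(R) into L and can be undone by XORing it again."""
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, _xor(left, _f(right, k))
    return right + left      # undo the final swap so decryption reuses this routine


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, round_keys(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Same network, subkeys applied in reverse order.
    return _feistel(block, round_keys(key)[::-1])


def _blocks(data: bytes) -> list[bytes]:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Electronic codebook: each block encrypted independently.
    Equal plaintext blocks give equal ciphertext blocks, which leaks structure."""
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Cipher block chaining: XOR each block with the previous ciphertext block first."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(data: bytes) -> int:
    """How many different ciphertext blocks appear; a low count reveals repetition."""
    return len(set(_blocks(data)))


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    iv = secrets.token_bytes(BLOCK)
    msg = b"ATTACK!!" * 4          # constructed: four identical plaintext blocks
    print(distinct_blocks(ecb_encrypt(key, msg)))      # 1: ECB leaks the repetition
    print(distinct_blocks(cbc_encrypt(key, iv, msg)))  # 4: CBC hides it
    assert cbc_decrypt(key, iv, cbc_encrypt(key, iv, msg)) == msg
```

Run stand-alone it prints 1 and then 4: the four identical plaintext blocks show up as one repeated ciphertext block under ECB and are hidden under CBC, because every block is XORed with the previous ciphertext block before encryption. Decryption reverses the Feistel rounds simply by feeding the subkeys in the opposite order.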
Triple DES with Two Keys
Triple DES with Three Keys: a number of Internet-based
applications have adopted three-key 3DES, including PGP and
S/MIME
Principles of Pseudorandom Number Generation
Pseudorandom Number Generators
Pseudorandom Number Generation Using a Block Cipher
Stream Ciphers
RC4
True Random Number Generators
A capability with application to a number of
cryptographic functions is random or pseudorandom
number generation. The principal requirement for this
capability is that the generated number stream be
unpredictable.
A stream cipher is a symmetric encryption algorithm in
which ciphertext output is produced bit-by-bit or byte-by-
byte from a stream of plaintext input. The most widely
used such cipher has been RC4, which is now considered
broken and is covered below for historical reasons.
Traditionally, the concern in the generation of a sequence
of allegedly random numbers has been that the sequence
of numbers be random in some well-defined statistical
sense. The following two criteria are used to validate that
a sequence of numbers is random:
Uniform distribution: The distribution of bits in the
sequence should be uniform; that is, the frequency of
occurrence of ones and zeros should be approximately
equal.
Independence: No one subsequence in the sequence can
be inferred from the others.
Passing statistical tests is necessary but not sufficient for
cryptographic use: a generator whose output is statistically
uniform may still be predictable from a few observed
outputs.
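The two criteria above as runnable checks, an added example that is not part of the lecture notes. It implements the frequency (monobit) test and the runs test in the form given in NIST SP 800-22 (sections 2.1 and 2.3); the 0.01 significance level is the one that document uses. The alternating and biased sequences are constructed to fail one criterion each:

```python
"""Two statistical checks for a bit sequence: the frequency (monobit) test for
uniform distribution and the runs test for independence between neighbouring
bits, following the formulas of NIST SP 800-22 sections 2.1 and 2.3.

Added example, not code from the lecture notes. The p-value threshold of 0.01
is the conventional one from SP 800-22 and an assumption of this example."""
import math
import secrets


def to_bits(data: bytes) -> list[int]:
    """Most-significant bit first, one int per bit."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_p_value(bits: list[int]) -> float:
    """Frequency test: are ones and zeros present in roughly equal numbers?"""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)            # +1 for each one, -1 for each zero
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(bits: list[int]) -> float:
    """Runs test: is the number of uninterrupted runs of equal bits what an
    independent sequence would produce? Too many runs means the bits alternate
    too regularly; too few means they clump. Returns 0.0 when the sequence is
    so unbalanced that the test does not apply (monobit already fails it)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for i in range(1, n) if bits[i] != bits[i - 1])
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def looks_random(bits: list[int], alpha: float = 0.01) -> dict:
    """Apply both tests; a sequence must pass both to satisfy the two criteria."""
    p_freq, p_runs = monobit_p_value(bits), runs_p_value(bits)
    return {"monobit_p": p_freq, "runs_p": p_runs,
            "uniform": p_freq >= alpha, "independent": p_runs >= alpha}


def biased_bits(n: int) -> list[int]:
    """Constructed generator with about 80% ones: fails the uniformity criterion."""
    return [1 if i % 5 else 0 for i in range(n)]


if __name__ == "__main__":
    good = to_bits(secrets.token_bytes(4096))
    print(looks_random(good))                       # both True with overwhelming probability
    print(looks_random([0, 1] * 2048))              # uniform but not independent
    print(looks_random(biased_bits(4096)))          # neither
```

The alternating sequence 0101... passes the frequency test with p = 1.0 and fails the runs test, which is exactly the distinction the notes draw between uniformity and independence. Passing both says nothing about unpredictability, which is the property a cryptographic generator actually needs.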
RC4 was used in the Secure Sockets Layer/Transport Layer
Security (SSL/TLS) standards that have been defined for
communication between Web browsers and servers. It was
also used in the Wired Equivalent Privacy (WEP)
protocol and the newer WiFi Protected Access (WPA)
protocol that are part of the IEEE 802.11 wireless LAN
standard. RC4 was kept as a trade secret by RSA Security
until the algorithm was posted anonymously in 1994.
Because of exploitable biases in its keystream, RC4 is now
prohibited in TLS (RFC 7465), and WEP and WPA (TKIP)
are deprecated.
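RC4's key-scheduling and pseudo-random generation algorithms, added here as an example that is not part of the lecture notes and for study only. The test vector it checks (key "Key", plaintext "Plaintext", ciphertext BBF316E8D940AF0AD3) is the widely published one:

```python
"""RC4 key scheduling (KSA) and keystream generation (PRGA), the stream cipher
named in the notes. Added example, not code from the lecture notes.

RC4 is included for study only: it has known keystream biases and is
prohibited in TLS (RFC 7465) and long gone from Wi-Fi. The test vector used
below (key "Key", plaintext "Plaintext") is the widely published one."""


def rc4_keystream(key: bytes):
    """Generator yielding the keystream bytes for `key`."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: start from the identity permutation of 0..255
    # and swap entries under control of the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: keep permuting S and output one byte
    # per step. The key never appears again; all state is in S, i and j.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same XOR operation) `data` under `key`.

    As with the one-time pad, the keystream must never be reused: two messages
    encrypted under the same key XOR to the XOR of their plaintexts. WEP
    prepended a 24-bit IV to a fixed key, so on a busy network keystream reuse
    was inevitable."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


if __name__ == "__main__":
    c = rc4_crypt(b"Key", b"Plaintext")
    print(c.hex().upper())                       # BBF316E8D940AF0AD3
    assert rc4_crypt(b"Key", c) == b"Plaintext"
```

Note how little state the cipher has: a 256-byte permutation and two indices. The keystream biases that broke RC4 in TLS come from statistical irregularities in the first bytes this generator emits, which is why later deployments discarded an initial prefix of keystream, and why the cipher was eventually withdrawn rather than patched.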
1. INTRODUCTION TO NUMBER THEORY
2. PUBLIC-KEY CRYPTOGRAPHY AND RSA
3. OTHER PUBLIC-KEY CRYPTOSYSTEMS
Prime Numbers
Fermat’s and Euler’s Theorems
Testing for Primality
The Chinese Remainder Theorem
Discrete Logarithms
A prime number is an integer that can only be divided
without remainder by positive and negative values of
itself and 1. Prime numbers play a critical role both in
number theory and in cryptography.
Two theorems that play important roles in public-key
cryptography are Fermat’s theorem and Euler’s
theorem.
An important requirement in a number of cryptographic
algorithms is the ability to choose a large prime number.
An area of ongoing research is the development of
efficient algorithms for determining if a randomly chosen
large integer is a prime number.
Discrete logarithms are fundamental to a number of
public-key algorithms. Discrete logarithms are analogous
to ordinary logarithms but are defined using modular
arithmetic.
Principles Of Public-Key Cryptosystems
The RSA Algorithm
Asymmetric encryption is a form of cryptosystem in
which encryption and decryption are performed using
different keys, one a public key and one a private key. It
is also known as public-key encryption.
Asymmetric encryption transforms plaintext into
ciphertext using one of the two keys and an encryption
algorithm. Using the paired key and a decryption
algorithm, the plaintext is recovered from the ciphertext.
Asymmetric encryption can be used for confidentiality,
authentication, or both.
The most widely used public-key cryptosystem is RSA.
The difficulty of attacking RSA is based on the difficulty
of finding the prime factors of a composite number.
Asymmetric Keys
Two related keys, a public key and a private key, that are
used to perform complementary operations, such as
encryption and decryption or signature generation and
signature verification.
Public Key Certificate
A digital document issued and digitally signed by the
private key of a Certification Authority that binds the
name of a subscriber to a public key. The certificate
indicates that the subscriber identified in the certificate has
sole control and access to the corresponding private key.
Public Key (Asymmetric) Cryptographic Algorithm
A cryptographic algorithm that uses two related keys, a
public key and a private key. The two keys have the
property that deriving the private key from the public key
is computationally infeasible.
Public Key Infrastructure (PKI)
A set of policies, processes, server platforms, software
and workstations used for the purpose of administering
certificates and public-private key pairs, including the
ability to issue, maintain, and revoke public key
certificates.
Plaintext
Encryption algorithm
Public key
Private key
Ciphertext
Decryption algorithm
Attacks on public-key schemes:
Brute-force attack on the key space
Computing the private key given the public key
Probable-message attack
Four possible approaches to attacking the RSA algorithm are
Brute force: This involves trying all possible private
keys.
Mathematical attacks: There are several approaches, all
equivalent in effort to factoring the product of two
primes.
Timing attacks: These depend on the running time of the
decryption algorithm.
Chosen ciphertext attacks: This type of attack exploits
properties of the RSA algorithm.
Diffie-Hellman Key Exchange
Elgamal Cryptographic System
Elliptic Curve Arithmetic
Elliptic Curve Cryptography
Pseudorandom Number Generation Based on an
Asymmetric Cipher
A simple public-key algorithm is Diffie-Hellman key exchange.
This protocol enables two users to establish a secret key using a
public-key scheme based on discrete logarithms. The protocol is
secure only if the authenticity of the two participants can be
established.
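The Diffie-Hellman exchange with both parties' messages, followed by the man-in-the-middle attack that the last sentence above refers to. This is an added example, not code from the lecture notes; it uses the Mersenne prime 2^61 - 1 with g = 3 as a toy group (an assumption of this example, chosen so the numbers stay small; the generator's order is not verified, and real deployments use the 2048-bit or larger groups of RFC 3526 and RFC 7919):

```python
"""Diffie-Hellman key exchange with both parties' messages, followed by the
man-in-the-middle attack that succeeds when neither party authenticates the
other. Added example, not code from the lecture notes.

The group below is a toy (an assumption of this example): p = 2^61 - 1 is
prime, but it is far too small and g's order is not checked. Real key
agreement uses the large standard groups of RFC 3526 / RFC 7919."""
import hashlib
import secrets

P = 2**61 - 1   # Mersenne prime; toy size, easily broken by discrete-log solvers
G = 3


class Party:
    """One DH participant: keeps a private exponent, publishes g^x mod p."""

    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1      # x in [1, p-2]
        self.public = pow(G, self.private, P)
        self.key = None

    def derive(self, peer_public: int) -> bytes:
        """Shared secret (peer_public)^x mod p, hashed into a session key."""
        if not 1 < peer_public < P - 1:
            # 0, 1 and p-1 force the shared secret into a tiny set; reject them.
            raise ValueError("rejecting degenerate public value")
        secret = pow(peer_public, self.private, P)
        self.key = hashlib.sha256(secret.to_bytes(8, "big")).digest()
        return self.key


def honest_exchange() -> tuple[bytes, bytes]:
    """Message 1: Alice -> Bob: Y_A = g^a. Message 2: Bob -> Alice: Y_B = g^b.
    Both compute g^(ab) and so the same key."""
    alice, bob = Party("Alice"), Party("Bob")
    k_bob = bob.derive(alice.public)
    k_alice = alice.derive(bob.public)
    return k_alice, k_bob


def mitm_exchange() -> dict:
    """Mallory sits in the path and replaces each public value with her own.
    Neither victim can tell, because nothing in the protocol ties Y_A or Y_B
    to Alice or Bob; that is the missing authentication the notes refer to."""
    alice, bob = Party("Alice"), Party("Bob")
    mallory_a = Party("Mallory, facing Alice")
    mallory_b = Party("Mallory, facing Bob")
    # Alice sends Y_A; Mallory keeps it and hands Alice her own value as "Y_B".
    k_alice = alice.derive(mallory_a.public)
    k_mal_a = mallory_a.derive(alice.public)
    # Mallory sends Bob her other value as "Y_A" and takes Bob's real Y_B.
    k_bob = bob.derive(mallory_b.public)
    k_mal_b = mallory_b.derive(bob.public)
    return {
        "alice_bob_agree": k_alice == k_bob,        # False: they hold different keys
        "mallory_reads_alice": k_alice == k_mal_a,  # True
        "mallory_reads_bob": k_bob == k_mal_b,      # True
    }


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange agrees:", a == b)
    print(mitm_exchange())
```

In the honest run both parties derive the same key. In the attacked run Alice and Bob each share a key with Mallory and not with each other, yet every value they received was a perfectly well-formed group element. The exchange itself cannot detect the substitution; the public values have to be authenticated by some other means (signatures, certificates, or a pre-shared key), which is what authenticated key exchange protocols add.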
Elliptic curve arithmetic can be used to develop a variety of
elliptic curve cryptography (ECC) schemes, including key
exchange, encryption, and digital signature.
For purposes of ECC, elliptic curve arithmetic involves the use
of an elliptic curve equation defined over a finite field. The
coefficients and variables in the equation are elements of a finite
field. Schemes using Z_p and GF(2^m) have been developed.
1. CRYPTOGRAPHIC HASH FUNCTIONS
2. MESSAGE AUTHENTICATION CODES
3. DIGITAL SIGNATURES
Applications of Cryptographic Hash Functions
Two Simple Hash Functions
Requirements and Security
Hash Functions Based on Cipher Block Chaining
Secure Hash Algorithm (SHA)
SHA-3
A hash function maps a variable-length message into a
fixed-length hash value, or message digest.
Virtually all cryptographic hash functions involve the
iterative use of a compression function.
The compression function used in secure hash algorithms
falls into one of two categories: a function specifically
designed for the hash function or an algorithm based on a
symmetric block cipher. SHA and Whirlpool are
examples of these two approaches, respectively.
A hash function H accepts a variable-length block of data
as input and produces a fixed-size hash value h=H(M). A
“good” hash function has the property that the results of
applying the function to a large set of inputs will produce
outputs that are evenly distributed and apparently random.
A cryptographic hash function is an algorithm for which it
is computationally infeasible (because no attack is
significantly more efficient than brute force) to find either
(a) a data object that maps to a pre-specified hash result
(the one-way property) or (b) two data objects that map to
the same hash result (the collision-free property).
Message Authentication
The message plus concatenated hash code is encrypted
using symmetric encryption. Because only A and B share
the secret key, the message must have come from A and
has not been altered. The hash code provides the structure
or redundancy required to achieve authentication. Because
encryption is applied to the entire message plus hash
code, confidentiality is also provided.
Only the hash code is encrypted, using symmetric
encryption. This reduces the processing burden for those
applications that do not require confidentiality.
It is possible to use a hash function but no encryption for
message authentication. The technique assumes that the two
communicating parties share a common secret value S. A
computes the hash value over the concatenation of M and S
and appends the resulting hash value to M. Because B
possesses S, it can recompute the hash value to verify. Because
the secret value itself is not sent, an opponent cannot modify an
intercepted message and cannot generate a false message.
In practice the secret should be combined with the hash through
a standardized construction such as HMAC rather than by ad hoc
concatenation, whose security depends on fine details of the
underlying hash function.
Confidentiality can be added to the approach of
method (c) by encrypting the entire message plus
the hash code.
Message Authentication Requirements
Message Authentication Functions
Requirements for Message Authentication Codes
Security of MACs
MACs Based on Hash Functions: HMAC
MACs Based on Block Ciphers: DAA and CMAC
Authenticated Encryption: CCM and GCM
Pseudorandom Number Generation Using Hash Functions
and Macs
Message authentication is a mechanism or service used to
verify the integrity of a message. Message authentication
assures that data received are exactly as sent by (i.e.,
contain no modification, insertion, deletion, or replay)
and that the purported identity of the sender is valid.
Symmetric encryption provides authentication among
those who share the secret key.
14
A message authentication code (MAC) is an algorithm
that requires the use of a secret key. A MAC takes a
variable-length message and a secret key as input and
produces an authentication code. A recipient in possession
of the secret key can generate an authentication code to
verify the integrity of the message.
One means of forming a MAC is to combine a
cryptographic hash function in some fashion with a secret
key.
Another approach to constructing a MAC is to use a
symmetric block cipher in such a way that it produces a
fixed-length output for a variable-length input.
1. Disclosure: Release of message contents to any person or
process not possessing the appropriate cryptographic
key.
2. Traffic analysis: Discovery of the pattern of traffic
between parties
3. Masquerade: Insertion of messages into the network
from a fraudulent source
4. Content modification: Changes to the contents of a
message, including insertion, deletion, transposition, and
modification.
5. Sequence modification: Any modification to a sequence
of messages between parties, including insertion,
deletion, and reordering.
6. Timing modification: Delay or replay of messages.
7. Source repudiation: Denial of transmission of message
by source.
8. Destination repudiation: Denial of receipt of message by
destination.
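A message authentication code that counters attacks 3 to 6 in the list above (masquerade, content modification, sequence modification and replay), as an added example that is not part of the lecture notes. It uses HMAC-SHA256 from the Python standard library, HMAC being the hash-based MAC named in the section outline, and also serves as the concrete form of the shared-secret hash scheme described earlier; the record framing (4-byte big-endian sequence number, message, 32-byte tag) is an assumption of this example:

```python
"""Message authentication with HMAC-SHA256 over a sequence number and the
message, with the receiver-side checks that defeat content modification,
sequence modification and replay.

Added example, not code from the lecture notes. The framing (4-byte big-endian
counter, then message, then 32-byte tag) is an assumption of this example."""
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32


def authenticate(key: bytes, seq: int, message: bytes) -> bytes:
    """Return seq || message || HMAC(key, seq || message).

    Binding the counter into the tag is what makes a replayed or reordered
    record detectable; a MAC over the message alone would not."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Verifies tags and accepts only strictly increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, record: bytes) -> Optional[bytes]:
        """Return the message if genuine and fresh, otherwise None."""
        if len(record) < 4 + TAG_LEN:
            return None
        header, body, tag = record[:4], record[4:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison: an early-exit == would leak, byte by byte,
        # how much of a guessed tag is correct.
        if not hmac.compare_digest(tag, expected):
            return None                           # content or tag modified, or wrong key
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None                           # replay or reordering
        self.last_seq = seq
        return body


def demo() -> dict:
    """Constructed traffic: a genuine record, a tampered copy, a second record,
    and a replay of the first."""
    key = secrets.token_bytes(32)       # shared out of band, as in the notes
    rx = Receiver(key)
    r1 = authenticate(key, 1, b"transfer 100 to bob")
    r2 = authenticate(key, 2, b"transfer 5 to carol")
    tampered = r1.replace(b"100", b"900")   # attacker edits the amount in transit
    return {
        "genuine": rx.accept(r1),
        "tampered": rx.accept(tampered),
        "second": rx.accept(r2),
        "replayed_first": rx.accept(r1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the sequence number is inside the authenticated data, a replayed or reordered record fails the freshness check instead of being accepted as genuine; a MAC computed over the message alone would have passed it. The tag comparison uses hmac.compare_digest so that the time taken does not depend on how many leading bytes of a forged tag happen to be right. The scheme says nothing about confidentiality; for that the record would additionally be encrypted, which is what the authenticated-encryption modes (CCM, GCM) in the outline do in one step.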
Hash function: A function that maps a message of any
length into a fixed-length hash value, which serves as the
authenticator.
Message encryption: The ciphertext of the entire
message serves as its authenticator.
Message authentication code (MAC): A function of the
message and a secret key that produces a fixed-length
value that serves as the authenticator.
Brute-Force Attacks
Cryptanalysis
Digital Signatures
ElGamal Digital Signature Scheme
Schnorr Digital Signature Scheme
Digital Signature Standard
A digital signature is an authentication mechanism that
enables the creator of a message to attach a code that acts
as a signature. Typically the signature is formed by taking
the hash of the message and encrypting that hash with the
creator's private key. The signature guarantees the
source and integrity of the message.
The digital signature standard (DSS) is an NIST standard
that uses the secure hash algorithm (SHA).
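Textbook RSA assembled from the number-theory tools introduced in the earlier chapter (the extended Euclidean algorithm, modular inverses, Miller-Rabin primality testing) and used both for encryption and for the hash-then-sign construction just described. This is an added example, not code from the lecture notes. It deliberately has no padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures), which makes it malleable and is what the chosen-ciphertext attacks listed in the RSA section exploit; the key size and the choice e = 65537 are assumptions of this example:

```python
"""Textbook RSA built from Euclid's algorithm, modular inverses and Miller-Rabin
primality testing, used for encryption and for hash-then-sign signatures.

Added example, not code from the lecture notes. No padding is applied (an
assumption of this example, made to keep the arithmetic visible): unpadded RSA
is malleable and must not be used as is. Key sizes here are chosen for speed;
use 2048 bits or more in practice."""
import hashlib
import secrets


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a mod m; exists only when gcd(a, m) == 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd != 1")
    return x % m


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin. Writes n-1 = 2^s * d and checks random bases; a composite
    passes one round with probability at most 1/4, so 32 rounds give error 2^-64."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2           # a in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a is a witness of compositeness
    return True


def random_prime(bits: int) -> int:
    """Random odd candidates of exactly `bits` bits until one passes Miller-Rabin."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) with e*d == 1 mod phi(n). e = 65537 is conventional."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and egcd(e, phi)[0] == 1:
            return (p * q, e), (p * q, modinv(e, phi))


def encrypt(pub: tuple[int, int], m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv: tuple[int, int], c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: tuple[int, int], message: bytes) -> int:
    """Hash-then-sign: the private operation is applied to H(M), not to M."""
    n, d = priv
    return pow(_digest_int(message, n), d, n)


def verify(pub: tuple[int, int], message: bytes, signature: int) -> bool:
    """Recompute H(M) and compare it with signature^e mod n."""
    n, e = pub
    return pow(signature, e, n) == _digest_int(message, n)


if __name__ == "__main__":
    pub, priv = generate_keypair(512)
    assert decrypt(priv, encrypt(pub, 42)) == 42
    s = sign(priv, b"pay 100")
    print(verify(pub, b"pay 100", s), verify(pub, b"pay 900", s))   # True False
```

Signing the hash rather than the message is not only a matter of speed. The hash is a single integer below n whereas the message may be arbitrarily long, and it also closes the trivial forgery of textbook RSA where an attacker picks any s and declares s^e mod n to be the "message" it signs: with a hash in the way, the attacker would need a preimage of that value.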
1. KEY MANAGEMENT AND DISTRIBUTION
2. USER AUTHENTICATION
Symmetric Key Distribution Using Symmetric
Encryption
Symmetric Key Distribution Using Asymmetric
Encryption
Distribution Of Public Keys
X.509 Certificates
Public-Key Infrastructure
Key distribution is the function that delivers a key to two
parties who wish to exchange secure encrypted data.
Some sort of mechanism or protocol is needed to provide
for the secure distribution of keys.
Key distribution often involves the use of master keys,
which are infrequently used and are long lasting, and
session keys, which are generated and distributed for
temporary use between two parties.
Public-key encryption schemes are secure only if the
authenticity of the public key is assured. A public-key
certificate scheme provides the necessary security.
X.509 defines the format for public-key certificates. This
format is widely used in a variety of applications.
A public-key infrastructure (PKI) is defined as the set of
hardware, software, people, policies, and procedures
needed to create, manage, store, distribute, and revoke
digital certificates based on asymmetric cryptography.
Typically, PKI implementations make use of X.509
certificates.
Several techniques have been proposed for the
distribution of public keys. Virtually all these proposals
can be grouped into the following general schemes:
o Public announcement
o Publicly available directory
o Public-key authority
o Public-key certificates
ITU-T recommendation X.509 is part of the X.500 series of
recommendations that define a directory service. The directory
is, in effect, a server or distributed set of servers that maintains
a database of information about users. The information
includes a mapping from user name to network address, as
well as other attributes and information about the users.
X.509 defines a framework for the provision of authentication
services by the X.500 directory to its users. Each certificate
contains the public key of a user and is signed with the private
key of a trusted certification authority. In addition, X.509
defines alternative authentication protocols based on the use of
public-key certificates.
X.509 is an important standard because the certificate structure
and authentication protocols defined in X.509 are used in a variety
of contexts. For example, the X.509 certificate format is used in
S/MIME, IP Security and SSL/TLS. X.509 was initially issued in
1988.
X.509 is based on the use of public-key cryptography and digital
signatures. The standard does not dictate the use of a specific
algorithm but recommends RSA. The digital signature scheme is
assumed to require the use of a hash function. Again, the standard
does not dictate a specific hash algorithm. The 1988
recommendation included the description of a recommended hash
algorithm; this algorithm has since been shown to be insecure and
was dropped from the 1993 recommendation.
Version: Differentiates among successive versions of the
certificate format; the default is version 1. If the issuer
unique identifier or subject unique identifier are present,
the value must be version 2. If one or more extensions are
present, the version must be version 3.
Serial number: An integer value unique within the issuing
CA that is unambiguously associated with this certificate.
Signature algorithm identifier: The algorithm used to
sign the certificate together with any associated
parameters. Because this information is repeated in the
signature field at the end of the certificate, this field has
little, if any, utility.
Issuer name: The X.500 name of the CA that created and signed
this certificate.
Period of validity: Consists of two dates: the first and
last on which the certificate is valid.
Subject name: The name of the user to whom this
certificate refers. That is, this certificate certifies the
public key of the subject who holds the corresponding
private key.
Subject’s public-key information: The public key of the
subject, plus an identifier of the algorithm for which this
key is to be used, together with any associated
parameters.
Issuer unique identifier: An optional bit string field used to
identify uniquely the issuing CA in the event the X.500 name
has been reused for different entities.
Subject unique identifier: An optional bit string field used to
identify uniquely the subject in the event the X.500 name has
been reused for different entities.
Extensions: A set of one or more extension fields. Extensions
were added in version 3 and are discussed later in this section.
Signature: Covers all of the other fields of the certificate; it
contains the hash code of the other fields encrypted with the
CA's private key. This field includes the signature algorithm
identifier.
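The field list above, exercised end to end as an added example (this code is not from the lecture, from Stallings, or from any library): it DER-encodes a TBSCertificate with exactly the fields described, applies the version rule (no tag for v1, v3 once extensions are present), signs it, parses it back, and verifies the signature over the signed bytes. Two assumptions keep it runnable offline: the CA key is a toy 150-bit RSA modulus built from two Mersenne primes, and the "signature" is a truncated SHA-256 digest raised to the private exponent with no PKCS#1 padding. Neither is acceptable in practice; the structure and the checks are the point.

```python
"""Added example: build, parse and verify a minimal X.509 certificate with the
standard library only.  Toy RSA key and unpadded signature are assumptions
made so the example runs offline; real CAs use neither."""
import hashlib

def der(tag, body):
    """One TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def der_int(v):  # non-negative INTEGER; a leading 0x00 keeps the top bit clear
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def seq(*parts):
    return der(0x30, b"".join(parts))

def tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        ln, hdr = first, 2
    else:
        k = first & 0x7F
        ln, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return tag, buf[pos + hdr:pos + hdr + ln], pos + hdr + ln

def children(body):
    """All (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

# Pre-encoded OIDs: sha256WithRSAEncryption, rsaEncryption, commonName, basicConstraints
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")
OID_RSA = bytes.fromhex("06092a864886f70d010101")
OID_CN = bytes.fromhex("0603550403")
OID_BASIC_CONSTRAINTS = bytes.fromhex("0603551d13")
SIG_ALG = seq(OID_SHA256_RSA, b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
END_ENTITY_EXTS = seq(seq(OID_BASIC_CONSTRAINTS, der(0x04, seq())))  # cA defaults to FALSE

def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, one CN only
    return seq(der(0x31, seq(OID_CN, der(0x13, cn.encode()))))

def rsa_spki(n, e):  # SubjectPublicKeyInfo carrying an RSAPublicKey bit string
    return seq(seq(OID_RSA, b"\x05\x00"), der(0x03, b"\x00" + seq(der_int(n), der_int(e))))

# Toy CA key (assumption: illustration only, trivially factorable in practice)
P, Q = 2**61 - 1, 2**89 - 1
CA_N, CA_E = P * Q, 65537
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))

def digest_int(tbs):  # truncated so the value is below the 150-bit toy modulus
    return int.from_bytes(hashlib.sha256(tbs).digest()[:16], "big")

def build_certificate(serial, issuer_cn, subject_cn, not_before, not_after, spki, extensions=b""):
    """Version rule from the field list: v1 is the default and its tag is
    omitted; any extension forces v3, which is encoded as the integer 2."""
    version = der(0xA0, der_int(2)) if extensions else b""
    tbs = seq(version, der_int(serial), SIG_ALG, name(issuer_cn),
              seq(der(0x17, not_before.encode()), der(0x17, not_after.encode())),
              name(subject_cn), spki, der(0xA3, extensions) if extensions else b"")
    signature = pow(digest_int(tbs), CA_D, CA_N).to_bytes(19, "big")
    return seq(tbs, SIG_ALG, der(0x03, b"\x00" + signature))

def parse_certificate(cert):
    _, body, _ = tlv(cert)
    (tbs_tag, tbs), (_, outer_alg), (_, sig_bits) = children(body)
    fields = children(tbs)
    version = 1
    if fields[0][0] == 0xA0:  # explicit [0] Version is present
        version = children(fields[0][1])[0][1][0] + 1
        fields = fields[1:]
    serial, inner_alg, issuer, validity, subject, _spki = fields[:6]
    cn = lambda n: children(children(children(n)[0][1])[0][1])[1][1].decode()
    return {
        "version": version,
        "serial": int.from_bytes(serial[1], "big"),
        "issuer": cn(issuer[1]),
        "subject": cn(subject[1]),
        "validity": tuple(v.decode() for _, v in children(validity[1])),
        "has_extensions": any(t == 0xA3 for t, _ in fields[6:]),
        "tbs": der(tbs_tag, tbs),  # the exact bytes the CA signed
        "inner_alg": inner_alg[1],
        "outer_alg": outer_alg,
        "signature": int.from_bytes(sig_bits[1:], "big"),  # skip the unused-bits octet
    }

def verify_certificate(cert, ca_n, ca_e):
    """Recompute the digest over the TBS bytes and compare with the signature.
    The unsigned outer AlgorithmIdentifier must equal the signed inner copy."""
    c = parse_certificate(cert)
    if c["inner_alg"] != c["outer_alg"]:
        return False
    return pow(c["signature"], ca_e, ca_n) == digest_int(c["tbs"])

def relabel_subject(cert, old_cn, new_cn):
    """Attacker move: rewrite the subject CN in place (same length keeps DER intact)."""
    assert len(old_cn) == len(new_cn)
    return cert.replace(old_cn.encode(), new_cn.encode())
```

Building a certificate for "server-a" with END_ENTITY_EXTS yields version 3; building it without extensions yields version 1. Rewriting the subject to "server-b" still parses cleanly, which is exactly why a relying party must verify the signature rather than trust the parsed fields. The comparison of the two AlgorithmIdentifier copies is the one use the "redundant" field has: the outer copy sits outside the signed region, so a verifier must take the algorithm from the signed inner copy (or insist both match) rather than let an attacker choose it.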
RFC 2828 (Internet Security Glossary) defines public-key
infrastructure (PKI) as the set of hardware, software,
people, policies, and procedures needed to create,
manage, store, distribute, and revoke digital certificates
based on asymmetric cryptography. The principal
objective for developing a PKI is to enable secure,
convenient, and efficient acquisition of public keys. The
Internet Engineering Task Force (IETF) Public Key
Infrastructure X.509 (PKIX) working group has been the
driving force behind setting up a formal (and generic)
model based on X.509 that is suitable for deploying a
certificate-based architecture on the Internet.
End entity: A generic term used to denote end users,
devices (e.g., servers, routers), or any other entity that can
be identified in the subject field of a public key
certificate. End entities typically consume and/or support
PKI-related services.
Certification authority (CA): The issuer of certificates
and (usually) certificate revocation lists (CRLs). It may
also support a variety of administrative functions,
although these are often delegated to one or more
Registration Authorities.
Registration authority (RA): An optional component
that can assume a number of administrative functions
from the CA. The RA is often associated with the end
entity registration process but can assist in a number of
other areas as well.
CRL issuer: An optional component that a CA can
delegate to publish CRLs.
Repository: A generic term used to denote any method
for storing certificates and CRLs so that they can be
retrieved by end entities.
Remote User-Authentication Principles
Remote User-Authentication Using Symmetric
Encryption
Kerberos
Remote User Authentication Using Asymmetric
Encryption
Federated Identity Management
Mutual authentication protocols enable communicating
parties to satisfy themselves mutually about each other’s
identity and to exchange session keys.
Kerberos is an authentication service designed for use in a
distributed environment.
Kerberos provides a trusted third-party authentication
service that enables clients and servers to establish
authenticated communication.
Identity management is a centralized, automated approach
to provide enterprise-wide access to resources by
employees and other authorized individuals.
Identity federation is, in essence, an extension of identity
management to multiple security domains.
User authentication is the process of verifying an identity
claimed by or for a system entity. An authentication process
consists of two steps:
Identification step: Presenting an identifier to the
security system. (Identifiers should be assigned carefully,
because authenticated identities are the basis for other
security services, such as the access control service.)
Verification step: Presenting or generating authentication
information that corroborates the binding between the
entity and the identifier.
Something the individual knows: Examples include a
password, a personal identification number (PIN), or
answers to a prearranged set of questions.
Something the individual possesses: Examples include
cryptographic keys, electronic keycards, smart cards, and
physical keys. This type of authenticator is referred to as a
token.
Something the individual is (static biometrics): Examples
include recognition by fingerprint, retina, and face.
Something the individual does (dynamic biometrics):
Examples include recognition by voice pattern, handwriting
characteristics, and typing rhythm.
An important application area is that of mutual authentication
protocols. Such protocols enable communicating parties to satisfy
themselves mutually about each other's identity and to exchange
session keys. In the earlier treatment of key management, the focus
was key distribution. Central to the problem of authenticated key
exchange are two issues: confidentiality and timeliness. To prevent
masquerade and to prevent compromise of session keys, essential
identification and session-key information must be communicated in
encrypted form. This requires the prior existence of secret or public
keys that can be used for this purpose. The second issue, timeliness,
is important because of the threat of message replays. Such replays,
at worst, could allow an opponent to compromise a session key or
successfully impersonate another party. At minimum, a successful
replay can disrupt operations by presenting parties with messages
that appear genuine but are not.
[GONG93] lists the following examples of replay attacks:
Simple replay: The opponent simply copies a message and replays it
later.
Repetition that can be logged: An opponent can replay a
timestamped message within the valid time window.
Repetition that cannot be detected: This situation could arise
because the original message could have been suppressed and thus
did not arrive at its destination; only the replay message arrives.
Backward replay without modification: This is a replay back to the
message sender. This attack is possible if symmetric encryption is
used and the sender cannot easily recognize the difference between
messages sent and messages received on the basis of content.
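The timeliness discussion and the replay list above, as an added example that is not part of the lecture or of [GONG93]: a receiver that combines a timestamp window with a cache of recently seen nonces, and a message format that binds sender, receiver, time and nonce under a MAC. Assumptions: a pre-shared symmetric key (the text only requires that keys already exist), HMAC-SHA256 as the integrity mechanism, and a 30-second window; the messages are constructed here.

```python
"""Added example: receiver-side replay checks for a symmetric-key protocol.
Key, window and messages are constructed; HMAC-SHA256 is an assumption."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # assumption: already distributed to both parties


def canonical(body):
    """Stable serialization so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key, sender, receiver, payload, nonce, now):
    """Bind identities, direction, time and a fresh nonce under the MAC.
    Without 'from'/'to' a symmetric-key message could be replayed back to
    its own sender (the backward-replay case)."""
    body = {"from": sender, "to": receiver, "ts": now, "nonce": nonce, "payload": payload}
    return {"body": body, "mac": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


class Receiver:
    def __init__(self, key, identity, window=30):
        self.key, self.identity, self.window = key, identity, window
        self.seen = {}  # nonce -> timestamp, kept only while still inside the window

    def _prune(self, now):
        self.seen = {n: ts for n, ts in self.seen.items() if now - ts <= self.window}

    def accept(self, msg, now):
        """Return 'accept' or a 'reject: ...' reason, in the order checks are applied."""
        body = msg["body"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "reject: bad MAC"              # modified or forged message
        if body["to"] != self.identity:
            return "reject: not addressed to me"  # backward replay to the sender
        if abs(now - body["ts"]) > self.window:
            return "reject: stale timestamp"      # simple replay, long after the fact
        self._prune(now)
        if body["nonce"] in self.seen:
            return "reject: nonce already seen"   # repetition inside the window
        self.seen[body["nonce"]] = body["ts"]
        return "accept"
```

With Bob as Receiver("bob"), a message from Alice at t=1000 is accepted at t=1001, rejected at t=1005 because the nonce is cached, rejected at t=2000 because the timestamp is stale, and rejected by Alice's own receiver because it is not addressed to her. The third case in the list, repetition that cannot be detected, is the one this receiver cannot catch: if the opponent suppressed the original, the replay is the first copy Bob sees and it is accepted as long as it arrives inside the window. The window only bounds how long the opponent can hold the message; defeating the attack requires a challenge/response in which the receiver supplies the nonce.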
Kerberos is an authentication service developed as part
of Project Athena at MIT. The problem that Kerberos
addresses is this: Assume an open distributed
environment in which users at workstations wish to
access services on servers distributed
throughout the network.
Files attached to this document:
- mat_ma_va_ma_hoa_dl_8211.pdf