Masking and data encryption

An important application area is that of mutual authentication protocols. Such protocols enable communicating parties to satisfy themselves mutually about each other’s identity and to exchange session keys. There, the focus was key distribution. Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness. To prevent masquerade and to prevent compromise of session keys, essential identification and session-key information must be communicated in encrypted form. This requires the prior existence of secret or public keys that can be used for this purpose. The second issue, timeliness, is important because of the threat of message replays. Such replays, at worst, could allow an opponent to compromise a session key or successfully impersonate another party. At minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not.

PDF, 223 pages | Shared by: nguyenlam99 | Views: 913 | Downloads: 0
Lê Nhật Duy, PhD.
Blog: https://Lnduy.wordpress.com
Email: Ln.duy@mail.ru

Course introduction: reference books, subject introduction, examination, rules.

Main textbook:
- Stallings W., Cryptography and Network Security: Principles and Practice, 5th edition, Prentice Hall, 2010

Further reading:
- Rick Lehtinen, Computer Security Basics, O'Reilly, 2006
- Emmett Dulaney, CompTIA Security+ Deluxe Study Guide, Wiley Publishing, 2009

Course outline:
1. OVERVIEW
2. SYMMETRIC CIPHERS
2.1. Classical Encryption Techniques
2.2. Block Ciphers and the Data Encryption Standard
2.3. Basic Concepts in Number Theory and Finite Fields
2.4. Advanced Encryption Standard
2.5. Block Cipher Operation
2.6. Pseudorandom Number Generation and Stream Ciphers
3. ASYMMETRIC CIPHERS
3.1. Introduction to Number Theory
3.2. Public-Key Cryptography and RSA
3.3. Other Public-Key Cryptosystems
4. CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
4.1. Cryptographic Hash Functions
4.2. Message Authentication Codes
4.3. Digital Signatures
5. MUTUAL TRUST
5.1. Key Management and Distribution
5.2. User Authentication

Assessment: mid-term, assignments, final test.

1. OVERVIEW
1. Computer Security Concepts
2. The OSI Security Architecture
3. Security Attacks
4. Security Services
5. Security Mechanisms
6. A Model for Network Security

- The Open Systems Interconnection (OSI) security architecture provides a systematic framework for defining security attacks, mechanisms, and services.
- Security attacks are classified as either passive attacks, which include unauthorized reading of a message or file and traffic analysis, or active attacks, such as modification of messages or files, and denial of service.
- A security mechanism is any process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. Examples of mechanisms are encryption algorithms, digital signatures, and authentication protocols.
- Security services include authentication, access control, data confidentiality, data integrity, nonrepudiation, and availability.

COMPUTER SECURITY: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

This definition introduces three key objectives that are at the heart of computer security:
- Confidentiality: data confidentiality, privacy
- Integrity: data integrity, system integrity
- Availability
Together these form the CIA triad (Figure 1.1).

Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are as follows:
- Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
- Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

Threats and Attacks (RFC 2828)
- Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
That is, a threat is a possible danger that might exploit a vulnerability.
- Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

- Security attack: Any action that compromises the security of information owned by an organization.
- Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
- Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis.

Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
- Masquerade (Figure 1.3a)
- Replay (Figure 1.3b)
- Modification of messages (Figure 1.3c)
- Denial of service (Figure 1.3d)

2. SYMMETRIC CIPHERS
1. Classical encryption techniques
2. Block ciphers and the Data Encryption Standard
3. Basic concepts in number theory and finite fields
4. Advanced Encryption Standard
5. Block cipher operation
6. Pseudorandom number generation and stream ciphers

2.1. Classical Encryption Techniques
- Symmetric Cipher Model
- Substitution Techniques
- Transposition Techniques
- Rotor Machines
- Steganography

Symmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the same key. It is also known as conventional encryption. Symmetric encryption transforms plaintext into ciphertext using a secret key and an encryption algorithm. Using the same key and a decryption algorithm, the plaintext is recovered from the ciphertext.

The two types of attack on an encryption algorithm are cryptanalysis, based on properties of the encryption algorithm, and brute force, which involves trying all possible keys.

Traditional (precomputer) symmetric ciphers use substitution and/or transposition techniques. Substitution techniques map plaintext elements (characters, bits) into ciphertext elements. Transposition techniques systematically transpose the positions of plaintext elements. Rotor machines are sophisticated precomputer hardware devices that use substitution techniques. Steganography is a technique for hiding a secret message within a larger one in such a way that others cannot discern the presence or contents of the hidden message.

Ingredients of the symmetric cipher model:
- Plaintext: The original intelligible message or data that is fed into the algorithm as input.
- Encryption algorithm: Performs various substitutions and transformations on the plaintext.
- Secret key: Also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm.
- Ciphertext: The scrambled message produced as output. It depends on the plaintext and the secret key.
- Decryption algorithm: Essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.

Cryptographic systems are characterized along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext (substitution, transposition).
2. The number of keys used (symmetric, public-key encryption).
3. The way in which the plaintext is processed (block cipher, stream cipher).

- Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
- Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.

Substitution techniques. A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

Caesar cipher. For example:
  plain:  meet me after the toga party
  cipher: PHHW PH DIWHU WKH WRJD SDUWB

Other substitution ciphers: Monoalphabetic Ciphers, Playfair Cipher, Hill Cipher, Polyalphabetic Ciphers.

One-time pad. An Army Signal Corps officer, Joseph Mauborgne, proposed an improvement to the Vernam cipher that yields the ultimate in security. Mauborgne suggested using a random key that is as long as the message, so that the key need not be repeated. In addition, the key is to be used to encrypt and decrypt a single message, and then is discarded. Each new message requires a new key of the same length as the new message. Such a scheme, known as a one-time pad, is unbreakable.
It produces random output that bears no statistical relationship to the plaintext. Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code.

Transposition techniques. The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. For example, to encipher the message "meet me after the toga party" with a rail fence of depth 2, we write the following:
  m e m a t r h t g p r y
   e t e f e t e o a a t
The encrypted message is MEMATRHTGPRYETEFETEOAAT.

Steganography. A plaintext message may be hidden in one of two ways. The methods of steganography conceal the existence of the message, whereas the methods of cryptography render the message unintelligible to outsiders by various transformations of the text.
- Character marking: Selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.
- Invisible ink: A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.
- Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
- Typewriter correction ribbon: Used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light.

The advantage of steganography is that it can be employed by parties who have something to lose should the fact of their secret communication (not necessarily the content) be discovered. Encryption flags traffic as important or secret or may identify the sender or receiver as someone with something to hide.
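As an added worked example (not part of the slides), the Caesar and rail fence examples above in Python, with the brute-force search over the 25 non-trivial Caesar keys that the slides describe, and a Vernam/one-time pad XOR whose key is drawn fresh per message from os.urandom. Input is taken in lower case and output produced in upper case, and the rail fence drops spaces, following the slides' convention.

```python
import os
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter by `key` positions (Caesar used key = 3).
    Non-letters (spaces) pass through unchanged; output is upper case."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Shifting by -key undoes the encryption; Python's % keeps the index positive."""
    return caesar_encrypt(ciphertext, -key).lower()


def caesar_brute_force(ciphertext: str) -> dict:
    """Try all 25 non-trivial keys. The key space is so small that the
    intelligible candidate can simply be read off the list."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def _zigzag(length: int, depth: int) -> list:
    """Rail index visited by each successive letter (0,1,0,1,... for depth 2)."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if depth > 1:
            if row == 0:
                step = 1
            elif row == depth - 1:
                step = -1
            row += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int = 2) -> str:
    """Write the letters along `depth` rails in a zig-zag, read the rails row by row."""
    letters = [c for c in plaintext.lower() if c in ALPHABET]
    rails = [[] for _ in range(depth)]
    for c, row in zip(letters, _zigzag(len(letters), depth)):
        rails[row].append(c)
    return "".join("".join(r) for r in rails).upper()


def rail_fence_decrypt(ciphertext: str, depth: int = 2) -> str:
    """Rebuild the zig-zag to learn how many letters each rail holds, slice the
    ciphertext into rails, then walk the zig-zag again to read the plaintext."""
    pattern = _zigzag(len(ciphertext), depth)
    counts = [pattern.count(r) for r in range(depth)]
    rails, pos = [], 0
    for cnt in counts:
        rails.append(list(ciphertext[pos:pos + cnt]))
        pos += cnt
    return "".join(rails[r].pop(0) for r in pattern).lower()


def one_time_pad(message: bytes, key: bytes) -> bytes:
    """Vernam / one-time pad: XOR with a random key exactly as long as the
    message. The same call decrypts. The key is used for one message only."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


if __name__ == "__main__":
    msg = "meet me after the toga party"
    c = caesar_encrypt(msg, 3)
    print(c)                                  # PHHW PH DIWHU WKH WRJD SDUWB
    for k, guess in caesar_brute_force(c).items():
        print(k, guess)                       # key 3 is the readable line
    print(rail_fence_encrypt(msg, 2))         # MEMATRHTGPRYETEFETEOAAT
    key = os.urandom(len(msg))                # fresh key for this one message
    ct = one_time_pad(msg.encode(), key)
    print(one_time_pad(ct, key).decode())
```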
2.2. Block Ciphers and the Data Encryption Standard
- Block Cipher Principles
- The Data Encryption Standard

A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Many block ciphers have a Feistel structure. Such a structure consists of a number of identical rounds of processing. In each round, a substitution is performed on one half of the data being processed, followed by a permutation that interchanges the two halves. The original key is expanded so that a different key is used for each round.

The Data Encryption Standard (DES) has been the most widely used encryption algorithm until recently. It exhibits the classic Feistel structure. DES uses a 64-bit block and a 56-bit key. Two important methods of cryptanalysis are differential cryptanalysis and linear cryptanalysis. DES has been shown to be highly resistant to these two types of attack.

Stream ciphers and block ciphers:
- A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
- A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.

In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of an algorithm with the designation LUCIFER [FEIS73], which was sold to Lloyd's of London for use in a cash-dispensing system, also developed by IBM. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the results of its Tuchman-Meyer project. This was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.

As with any encryption scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in length. (Actually, the function expects a 64-bit key as input. However, only 56 of these bits are ever used; the other 8 bits can be used as parity bits or simply set arbitrarily.)

2.3. Basic Concepts in Number Theory and Finite Fields
- Divisibility and the Division Algorithm
- The Euclidean Algorithm
- Modular Arithmetic
- Groups, Rings, and Fields
- Finite Fields of the Form GF(p)
- Polynomial Arithmetic
- Finite Fields of the Form GF(2^n)

Modular arithmetic is a kind of integer arithmetic that reduces all numbers to one of a fixed set [0, ..., n-1] for some number n. Any integer outside this range is reduced to one in this range by taking the remainder after division by n. The greatest common divisor of two integers is the largest positive integer that exactly divides both integers. A field is a set of elements on which two arithmetic operations (addition and multiplication) have been defined and which has the properties of ordinary arithmetic, such as closure, associativity, commutativity, distributivity, and having both additive and multiplicative inverses.

Finite fields are important in several areas of cryptography. A finite field is simply a field with a finite number of elements. It can be shown that the order of a finite field (number of elements in the field) must be a power of a prime, p^n, where n is a positive integer. Finite fields of order p can be defined using arithmetic mod p. Finite fields of order p^n, for n > 1, can be defined using arithmetic over polynomials.

Definition: Two integers are relatively prime if their only common positive integer factor is 1.

Finding the Greatest Common Divisor
Properties of Congruences

2.4. Advanced Encryption Standard
- Finite Field Arithmetic
- AES Structure
- AES Transformation Functions
- AES Key Expansion
- An AES Example
- AES Implementation

AES is a block cipher intended to replace DES for commercial applications. It uses a 128-bit block size and a key size of 128, 192, or 256 bits. AES does not use a Feistel structure. Instead, each full round consists of four separate functions: byte substitution, permutation, arithmetic operations over a finite field, and XOR with a key.

2.5. Block Cipher Operation
- Multiple Encryption and Triple DES
- Electronic Code Book
- Cipher Block Chaining Mode
- Cipher Feedback Mode
- Output Feedback Mode
- Counter Mode
- XTS-AES Mode for Block-Oriented Storage Devices

Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption algorithm. This ciphertext is then used as input and the algorithm is applied again. This process may be repeated through any number of stages. Triple DES makes use of three stages of the DES algorithm, using a total of two or three distinct keys.

A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream. Five modes of operation have been standardized by NIST for use with symmetric block ciphers such as DES and AES: electronic codebook mode, cipher block chaining mode, cipher feedback mode, output feedback mode, and counter mode. Another important mode, XTS-AES, has been standardized by the IEEE Security in Storage Working Group (P1619). The standard describes a method of encryption for data stored in sector-based devices where the threat model includes possible access to stored data by the adversary.
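Added example, not from the slides, for the number-theory section and for the finite-field arithmetic AES performs: the Euclidean algorithm, the extended Euclidean algorithm used to find modular inverses (which exist only when the two integers are relatively prime), and multiplication and inversion in GF(2^8), where addition is XOR and products are reduced modulo an irreducible polynomial. The reduction polynomial x^8 + x^4 + x^3 + x + 1 is the one AES specifies; the numeric test values are chosen here for illustration.

```python
def gcd(a: int, b: int) -> int:
    """Euclidean algorithm: gcd(a, b) = gcd(b, a mod b) until the remainder is 0."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b) (extended Euclid)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a: int, n: int) -> int:
    """Multiplicative inverse of a mod n; exists only if a and n are relatively prime."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {g}")
    return x % n


AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial AES uses


def gf2n_mul(a: int, b: int, poly: int = AES_POLY, n: int = 8) -> int:
    """Multiply two GF(2^n) elements held as bit strings (polynomial coefficients).

    Addition in GF(2^n) is XOR; multiplication is shift-and-add, reducing
    modulo `poly` (degree n) whenever the degree reaches n.
    """
    high_bit = 1 << n
    mask = high_bit - 1
    a &= mask
    b &= mask
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & high_bit:
            a ^= poly
        b >>= 1
    return result


def gf2n_inverse(a: int, poly: int = AES_POLY, n: int = 8) -> int:
    """Multiplicative inverse in GF(2^n) by exhaustive search (2^n - 1 trials,
    fine for n = 8). Zero has no inverse."""
    for x in range(1, 1 << n):
        if gf2n_mul(a, x, poly, n) == 1:
            return x
    raise ValueError("0 has no multiplicative inverse")


if __name__ == "__main__":
    print(gcd(1970, 1066))                   # 2
    print(mod_inverse(550, 1759))            # 355
    print(hex(gf2n_mul(0x57, 0x83)))         # 0xc1
    print(hex(gf2n_inverse(0x53)))           # 0xca
```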
Triple DES with two keys. Triple DES with three keys: a number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME.

2.6. Pseudorandom Number Generation and Stream Ciphers
- Principles of Pseudorandom Number Generation
- Pseudorandom Number Generators
- Pseudorandom Number Generation Using a Block Cipher
- Stream Ciphers
- RC4
- True Random Number Generators

A capability with application to a number of cryptographic functions is random or pseudorandom number generation. The principal requirement for this capability is that the generated number stream be unpredictable. A stream cipher is a symmetric encryption algorithm in which ciphertext output is produced bit-by-bit or byte-by-byte from a stream of plaintext input. The most widely used such cipher is RC4.

Traditionally, the concern in the generation of a sequence of allegedly random numbers has been that the sequence of numbers be random in some well-defined statistical sense. The following two criteria are used to validate that a sequence of numbers is random:
- Uniform distribution: The distribution of bits in the sequence should be uniform; that is, the frequency of occurrence of ones and zeros should be approximately equal.
- Independence: No one subsequence in the sequence can be inferred from the others.

RC4 is used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards that have been defined for communication between Web browsers and servers. It is also used in the Wired Equivalent Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standard. RC4 was kept as a trade secret by RSA Security.

3. ASYMMETRIC CIPHERS
1. Introduction to Number Theory
2. Public-Key Cryptography and RSA
3. Other Public-Key Cryptosystems

3.1. Introduction to Number Theory
- Prime Numbers
- Fermat's and Euler's Theorems
- Testing for Primality
- The Chinese Remainder Theorem
- Discrete Logarithms

A prime number is an integer that can only be divided without remainder by positive and negative values of itself and 1. Prime numbers play a critical role both in number theory and in cryptography. Two theorems that play important roles in public-key cryptography are Fermat's theorem and Euler's theorem.

An important requirement in a number of cryptographic algorithms is the ability to choose a large prime number. An area of ongoing research is the development of efficient algorithms for determining if a randomly chosen large integer is a prime number. Discrete logarithms are fundamental to a number of public-key algorithms. Discrete logarithms are analogous to ordinary logarithms but are defined using modular arithmetic.

3.2. Public-Key Cryptography and RSA
- Principles of Public-Key Cryptosystems
- The RSA Algorithm

Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys, one a public key and one a private key. It is also known as public-key encryption. Asymmetric encryption transforms plaintext into ciphertext using one of the two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the ciphertext. Asymmetric encryption can be used for confidentiality, authentication, or both. The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on the difficulty of finding the prime factors of a composite number.

Terminology:
- Asymmetric keys: Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
- Public key certificate: A digital document issued and digitally signed by the private key of a Certification Authority that binds the name of a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control and access to the corresponding private key.
- Public key (asymmetric) cryptographic algorithm: A cryptographic algorithm that uses two related keys, a public key and a private key. The two keys have the property that deriving the private key from the public key is computationally infeasible.
- Public key infrastructure (PKI): A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

Ingredients of a public-key encryption scheme: plaintext, encryption algorithm, public key, private key, ciphertext, decryption algorithm.

Attacks on public-key schemes: brute-force attack; computing the private key given the public key; probable-message attack.

Four possible approaches to attacking the RSA algorithm are:
- Brute force: This involves trying all possible private keys.
- Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes.
- Timing attacks: These depend on the running time of the decryption algorithm.
- Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm.

3.3. Other Public-Key Cryptosystems
- Diffie-Hellman Key Exchange
- ElGamal Cryptographic System
- Elliptic Curve Arithmetic
- Elliptic Curve Cryptography
- Pseudorandom Number Generation Based on an Asymmetric Cipher

A simple public-key algorithm is Diffie-Hellman key exchange. This protocol enables two users to establish a secret key using a public-key scheme based on discrete logarithms. The protocol is secure only if the authenticity of the two participants can be established.
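Added example (not from the slides) covering the RSA slides and the Diffie-Hellman paragraph above: textbook RSA key generation, encryption/decryption and the private-key operation used for authentication, then a complete Diffie-Hellman exchange in which both sides arrive at the same key. The primes p = 17, q = 11 with e = 7 and the group q = 353, alpha = 3 with private values 97 and 233 are toy parameters chosen here for illustration; pow(e, -1, phi) needs Python 3.8 or later.

```python
def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    Requires gcd(e, phi) = 1 (pow raises ValueError otherwise)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (e, n), (d, n)          # (public key, private key)


def rsa_encrypt(m: int, public_key) -> int:
    """Confidentiality: C = M^e mod n using the receiver's public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    """M = C^d mod n using the receiver's private key."""
    d, n = private_key
    return pow(c, d, n)


def rsa_sign(digest: int, private_key) -> int:
    """Authentication: the private-key operation applied to a message digest."""
    d, n = private_key
    return pow(digest, d, n)


def rsa_verify(digest: int, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the signature."""
    e, n = public_key
    return pow(signature, e, n) == digest


def dh_public_value(q: int, alpha: int, private: int) -> int:
    """Y = alpha^X mod q, sent in the clear; alpha is a primitive root of q."""
    return pow(alpha, private, q)


def dh_shared_secret(q: int, other_public: int, private: int) -> int:
    """K = Y_other^X mod q; both sides get the same K because
    (alpha^XA)^XB = (alpha^XB)^XA mod q."""
    return pow(other_public, private, q)


def dh_exchange(q: int, alpha: int, xa: int, xb: int):
    """Run a full exchange and return (YA, YB, KA, KB).

    An eavesdropper sees only q, alpha, YA and YB; recovering K from them is the
    discrete logarithm problem. Nothing here authenticates who sent YA or YB,
    which is the caveat on the slides: in a real protocol the public values
    must be authenticated (e.g., signed or carried in certificates).
    """
    ya = dh_public_value(q, alpha, xa)
    yb = dh_public_value(q, alpha, xb)
    return ya, yb, dh_shared_secret(q, yb, xa), dh_shared_secret(q, ya, xb)


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)        # toy primes, illustration only
    c = rsa_encrypt(88, pub)
    print(pub, priv, c, rsa_decrypt(c, priv))   # (7, 187) (23, 187) 11 88
    print(dh_exchange(353, 3, 97, 233))         # (40, 248, 160, 160)
```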
Elliptic curve arithmetic can be used to develop a variety of elliptic curve cryptography (ECC) schemes, including key exchange, encryption, and digital signature. For purposes of ECC, elliptic curve arithmetic involves the use of an elliptic curve equation defined over a finite field. The coefficients and variables in the equation are elements of a finite field. Schemes using Zp and GF(2^m) have been developed.

4. CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
1. Cryptographic Hash Functions
2. Message Authentication Codes
3. Digital Signatures

4.1. Cryptographic Hash Functions
- Applications of Cryptographic Hash Functions
- Two Simple Hash Functions
- Requirements and Security
- Hash Functions Based on Cipher Block Chaining
- Secure Hash Algorithm (SHA)
- SHA-3

A hash function maps a variable-length message into a fixed-length hash value, or message digest. Virtually all cryptographic hash functions involve the iterative use of a compression function. The compression function used in secure hash algorithms falls into one of two categories: a function specifically designed for the hash function or an algorithm based on a symmetric block cipher. SHA and Whirlpool are examples of these two approaches, respectively.

A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). A "good" hash function has the property that the results of applying the function to a large set of inputs will produce outputs that are evenly distributed and apparently random. A cryptographic hash function is an algorithm for which it is computationally infeasible (because no attack is significantly more efficient than brute force) to find either (a) a data object that maps to a pre-specified hash result (the one-way property) or (b) two data objects that map to the same hash result (the collision-free property).

Message authentication using a hash function:
- (a) The message plus concatenated hash code is encrypted using symmetric encryption. Because only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication. Because encryption is applied to the entire message plus hash code, confidentiality is also provided.
- (b) Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.
- (c) It is possible to use a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.
- (d) Confidentiality can be added to the approach of method (c) by encrypting the entire message plus the hash code.

4.2. Message Authentication Codes
- Message Authentication Requirements
- Message Authentication Functions
- Requirements for Message Authentication Codes
- Security of MACs
- MACs Based on Hash Functions: HMAC
- MACs Based on Block Ciphers: DAA and CMAC
- Authenticated Encryption: CCM and GCM
- Pseudorandom Number Generation Using Hash Functions and MACs

Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication assures that data received are exactly as sent (i.e., contain no modification, insertion, deletion, or replay) and that the purported identity of the sender is valid. Symmetric encryption provides authentication among those who share the secret key.

A message authentication code (MAC) is an algorithm that requires the use of a secret key. A MAC takes a variable-length message and a secret key as input and produces an authentication code.
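Added example, not from the slides: the keyed-hash method (c) above (authenticator = H(M || S)), HMAC written out from its definition and cross-checked against Python's hmac module, and a sender/receiver pair that binds a sequence number into the MAC so that modification, reordering, deletion and replay, the failures message authentication is meant to catch, are all rejected. The key, messages and frame layout (8-byte sequence number, payload, 32-byte tag) are constructed here for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

BLOCK_SIZE = 64   # SHA-256 block size in bytes; HMAC pads the key to this
TAG_LEN = 32      # SHA-256 output length
SEQ_LEN = 8       # big-endian 64-bit sequence number


def keyed_hash_tag(message: bytes, secret: bytes) -> bytes:
    """Method (c) on the slides: authenticator = H(M || S). S is shared by the
    two parties and never transmitted, so the receiver recomputes and compares."""
    return hashlib.sha256(message + secret).digest()


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC from its definition (RFC 2104):
    H((K xor opad) || H((K xor ipad) || M)), with K zero-padded to the block size."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def hmac_matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


class Sender:
    """Prefixes each message with a sequence number and appends an HMAC over
    number + payload, so the tag binds the message to its place in the stream."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        return header + payload + hmac_sha256(self.key, header + payload)


class Receiver:
    """Verifies the tag in constant time (hmac.compare_digest) and accepts only
    the next expected sequence number, so replayed, reordered, deleted and
    injected frames are all rejected."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def receive(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None                      # malformed frame
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(hmac_sha256(self.key, header + payload), tag):
            return None                      # content modified or wrong key
        seq = struct.unpack(">Q", header)[0]
        if seq != self.last_seq + 1:
            return None                      # replay, reordering or a missing frame
        self.last_seq = seq
        return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # fresh shared key for the demo
    alice, bob = Sender(key), Receiver(key)
    frame = alice.send(b"transfer 100 to account 42")   # constructed sample message
    print(bob.receive(frame))                # payload accepted
    print(bob.receive(frame))                # None: replay rejected
```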
A recipient in possession of the secret key can generate an authentication code to verify the integrity of the message.  One means of forming a MAC is to combine a cryptographic hash function in some fashion with a secret key.  Another approach to constructing a MAC is to use a symmetric block cipher in such a way that it produces a fixed-length output for a variable-length input. 15 1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key. 2. Traffic analysis: Discovery of the pattern of traffic between parties 3. Masquerade: Insertion of messages into the network from a fraudulent source 4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification. 16 5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering. 6. Timing modification: Delay or replay of messages. 7. Source repudiation: Denial of transmission of message by source. 8. Destination repudiation: Denial of receipt of message by destination. 17  Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.  Message encryption: The ciphertext of the entire message serves as its authenticator.  Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator. 18 19 20 21 22  Brute-Force Attacks  Cryptanalysis 23 24 25 26 27 28 29  Digital Signatures  ElGamal Digital Signature Scheme  Schnorr Digital Signature Scheme  Digital Signature Standard 30  A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. Typically the signature is formed by taking the hash of the message and encrypting the message with the creator’s private key. 
The signature guarantees the source and integrity of the message.  The digital signature standard (DSS) is an NIST standard that uses the secure hash algorithm (SHA). 31 32 33 34 35 36 37 38 39 40   1. KEYMANAGEMENTAND DISTRIBUTION 2. USERAUTHENTICATION 2  Symmetric Key Distribution Using Symmetric Encryption  Symmetric Key Distribution Using Asymmetric Encryption  Distribution Of Public Keys  X.509 Certificates  Public-Key Infrastructure 3  Key distribution is the function that delivers a key to two parties who wish to exchange secure encrypted data. Some sort of mechanism or protocol is needed to provide for the secure distribution of keys.  Key distribution often involves the use of master keys, which are infrequently used and are long lasting, and session keys, which are generated and distributed for temporary use between two parties.  Public-key encryption schemes are secure only if the authenticity of the public key is assured. A public-key certificate scheme provides the necessary security. 4  X.509 defines the format for public-key certificates. This format is widely used in a variety of applications.  A public-key infrastructure (PKI) is defined as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.  Typically, PKI implementations make use of X.509 certificates. 5 6 7 8 9 10 11 12  Several techniques have been proposed for the distribution of public keys. Virtually all these proposals can be grouped into the following general schemes: o Public announcement o Publicly available directory o Public-key authority o Public-key certificates 13 14 15 16 17  ITU-T recommendation X.509 is part of the X.500 series of recommendations that define a directory service. The directory is, in effect, a server or distributed set of servers that maintains a database of information about users. 
The information includes a mapping from user name to network address, as well as other attributes and information about the users.  X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates. 18  X.509 is an important standard because the certificate structure and authentication protocols defined in X.509 are used in a variety of contexts. For example, the X.509 certificate format is used in S/MIME, IP Security and SSL/TLS. X.509 was initially issued in 1988.  X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA. The dig-ital signature scheme is assumed to require the use of a hash function. Again, the standard does not dictate a specific hash algorithm. The 1988 recommendation included the description of a recommended hash algorithm; this algorithm has since been shown to be insecure and was dropped from the 1993 recommendation. 19 20 21  Version: Differentiates among successive versions of the certificate format; the default is version 1. If the issuer unique identifier or subject unique identifier are present, the value must be version 2. If one or more extensions are present, the version must be version 3.  Serial number: An integer value unique within the issuing CA that is unambiguously associated with this certificate.  Signature algorithm identifier: The algorithm used to sign the certificate together with any associated parameters. Because this information is repeated in the signature field at the end of the certificate, this field has little, if any, utility. 22  Issuer name: X.500 is the name of the CA that created and signed this certificate. 
- Period of validity: Consists of two dates: the first and last on which the certificate is valid.
- Subject name: The name of the user to whom this certificate refers. That is, this certificate certifies the public key of the subject who holds the corresponding private key.
- Subject's public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.
- Issuer unique identifier: An optional bit-string field used to uniquely identify the issuing CA in the event the X.500 name has been reused for different entities.
- Subject unique identifier: An optional bit-string field used to uniquely identify the subject in the event the X.500 name has been reused for different entities.
- Extensions: A set of one or more extension fields. Extensions were added in version 3 and are discussed later in this section.
- Signature: Covers all of the other fields of the certificate; it contains the hash code of the other fields encrypted with the CA's private key. This field includes the signature algorithm identifier.

RFC 2822 (Internet Security Glossary) defines public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography. The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition of public keys. The Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) working group has been the driving force behind setting up a formal (and generic) model based on X.509 that is suitable for deploying a certificate-based architecture on the Internet.

- End entity: A generic term used to denote end users, devices (e.g., servers, routers), or any other entity that can be identified in the subject field of a public-key certificate.
End entities typically consume and/or support PKI-related services.
- Certification authority (CA): The issuer of certificates and (usually) certificate revocation lists (CRLs). It may also support a variety of administrative functions, although these are often delegated to one or more registration authorities.
- Registration authority (RA): An optional component that can assume a number of administrative functions from the CA. The RA is often associated with the end-entity registration process but can assist in a number of other areas as well.
- CRL issuer: An optional component that a CA can delegate to publish CRLs.
- Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.

User Authentication

- Remote User-Authentication Principles
- Remote User-Authentication Using Symmetric Encryption
- Kerberos
- Remote User-Authentication Using Asymmetric Encryption
- Federated Identity Management

Mutual authentication protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys.

Kerberos is an authentication service designed for use in a distributed environment. Kerberos provides a trusted third-party authentication service that enables clients and servers to establish authenticated communication.

Identity management is a centralized, automated approach to provide enterprise-wide access to resources by employees and other authorized individuals. Identity federation is, in essence, an extension of identity management to multiple security domains.

Authentication is the process of verifying an identity claimed by or for a system entity. An authentication process consists of two steps:
- Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as the access control service.)
- Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.

- Something the individual knows: Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.
- Something the individual possesses: Examples include cryptographic keys, electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a token.
- Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face.
- Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.

An important application area is that of mutual authentication protocols. Such protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys. Earlier, in the key-distribution material, the focus was key distribution. Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness. To prevent masquerade and to prevent compromise of session keys, essential identification and session-key information must be communicated in encrypted form. This requires the prior existence of secret or public keys that can be used for this purpose. The second issue, timeliness, is important because of the threat of message replays. Such replays, at worst, could allow an opponent to compromise a session key or successfully impersonate another party. At minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not.

[GONG93] lists the following examples of replay attacks:
- Simple replay: The opponent simply copies a message and replays it later.
- Repetition that can be logged: An opponent can replay a timestamped message within the valid time window.
- Repetition that cannot be detected: This situation could arise because the original message could have been suppressed and thus did not arrive at its destination; only the replay message arrives.
- Backward replay without modification: This is a replay back to the message sender. This attack is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content.

Kerberos is an authentication service developed as part of Project Athena at MIT. The problem that Kerberos addresses is this: Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network.
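The replay cases listed above, as an added example that is not from the lecture or from [GONG93]: a receiver-side check in Python that binds sender, recipient, a timestamp and a nonce under an HMAC, so that a simple replay, a repetition inside the time window and a backward replay are each rejected for a distinct reason. The shared key, the identities A and B and the message layout are constructed for the demonstration; a replay of a suppressed original cannot be detected this way, only bounded by the window.

```python
# Added example (not from the lecture or [GONG93]): receiver-side replay check. The shared
# key, identities and message layout are constructed for the demonstration.
import hashlib, hmac, json, time

WINDOW = 30   # seconds a timestamp stays acceptable; a replay of a suppressed original can
              # only be bounded by this window, since the receiver never saw the nonce

def mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of src, dst, ts, nonce and body."""
    return hmac.new(key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def make_message(key: bytes, src: str, dst: str, body: str, nonce: str, ts: float) -> dict:
    fields = {"src": src, "dst": dst, "ts": ts, "nonce": nonce, "body": body}
    return {**fields, "tag": mac(key, fields)}

class Receiver:
    def __init__(self, me: str, key: bytes, now=time.time):
        self.me, self.key, self.now = me, key, now   # injectable clock keeps the demo deterministic
        self.seen = {}                                # nonce -> expiry, for replays inside the window

    def accept(self, msg: dict) -> tuple:
        """Return (accepted?, reason); checks run MAC, addressee, timestamp, then nonce."""
        fields = {k: msg[k] for k in ("src", "dst", "ts", "nonce", "body")}
        if not hmac.compare_digest(mac(self.key, fields), msg["tag"]):
            return False, "bad MAC"                   # modified or forged message
        if msg["dst"] != self.me:
            return False, "not addressed to me"       # backward replay to the original sender
        now = self.now()
        if abs(now - msg["ts"]) > WINDOW:
            return False, "stale timestamp"           # simple replay after the window closed
        self.seen = {n: e for n, e in self.seen.items() if e > now}   # forget expired nonces
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"            # repetition inside the valid time window
        self.seen[msg["nonce"]] = now + WINDOW
        return True, "ok"

def demo() -> list:
    """Deliver one message, then replay it three ways; returns the receiver verdicts."""
    key, clock = b"constructed-shared-key", [1_700_000_000.0]
    bob, alice = Receiver("B", key, lambda: clock[0]), Receiver("A", key, lambda: clock[0])
    m = make_message(key, "A", "B", "transfer 10", "nonce-1", clock[0])
    verdicts = [bob.accept(m)[1],                     # first delivery: "ok"
                bob.accept(m)[1],                     # simple replay inside the window: "replayed nonce"
                alice.accept(m)[1]]                   # backward replay to the sender: "not addressed to me"
    clock[0] += 60
    verdicts.append(bob.accept(m)[1])                 # replay after the window: "stale timestamp"
    return verdicts
```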
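Returning to the X.509 certificate fields listed earlier, an added example that is not from the lecture or from Stallings: a minimal DER walker in Python that locates the TBSCertificate fields in the order given and checks the version rule against the presence of the unique-identifier and extension fields. The certificate bytes are constructed here with a small encoder and placeholder key bits, not issued by any CA; the OIDs are the standard sha256WithRSAEncryption, rsaEncryption, commonName and basicConstraints values.

```python
# Added example (not from the lecture or Stallings): minimal DER walker over the X.509
# TBSCertificate field order; sample bytes are constructed below, not a real CA certificate.
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form length below 128, long-form up to 65535."""
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def parse_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(seq: bytes) -> list:
    out, pos = [], 0                               # (tag, value) members of a constructed type's contents
    while pos < len(seq):
        tag, val, pos = parse_tlv(seq, pos)
        out.append((tag, val))
    return out

def check_version(tbs: bytes) -> tuple:
    """(declared version, rule satisfied?): unique identifiers [1]/[2] need at least v2, extensions [3] need v3."""
    fields, version = children(parse_tlv(tbs)[1]), 1   # TBSCertificate members; no version field means v1
    if fields and fields[0][0] == 0xA0:                # [0] EXPLICIT Version INTEGER, v1 encoded as 0
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    tags = {tag for tag, _ in fields}
    required = 3 if 0xA3 in tags else 2 if tags & {0x81, 0x82} else 1
    return version, version >= required

OID_SHA256_RSA = der(0x06, bytes.fromhex("2A864886F70D01010B"))  # 1.2.840.113549.1.1.11
OID_RSA = der(0x06, bytes.fromhex("2A864886F70D010101"))         # 1.2.840.113549.1.1.1
OID_CN, OID_BASIC_CONSTRAINTS, NULL = der(0x06, b"\x55\x04\x03"), der(0x06, b"\x55\x1D\x13"), der(0x05, b"")
def x500_name(cn: str) -> bytes:
    return der(0x30, der(0x31, der(0x30, OID_CN + der(0x13, cn.encode()))))  # SEQUENCE OF SET OF (cn attr)

def build_tbs(version: int, with_extensions: bool) -> bytes:
    body = der(0xA0, der(0x02, bytes([version - 1]))) if version > 1 else b""   # version (omitted for v1)
    body += der(0x02, b"\x01")                                  # serial number
    body += der(0x30, OID_SHA256_RSA + NULL)                    # signature algorithm identifier
    body += x500_name("Example CA")                             # issuer name
    body += der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))  # period of validity
    body += x500_name("alice")                                  # subject name
    body += der(0x30, der(0x30, OID_RSA + NULL) + der(0x03, bytes(9)))  # subject public-key info, placeholder bits
    if with_extensions:                                         # [3] EXPLICIT Extensions: basicConstraints, CA:FALSE
        body += der(0xA3, der(0x30, der(0x30, OID_BASIC_CONSTRAINTS + der(0x04, der(0x30, b"")))))
    return der(0x30, body)
```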
