Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lecture 5 Topics Digital Signature (Signed Hashed value) Digital Certificate User Authentication Mechanisms Secure Socket Layer (SSL) GSM Security.

Similar presentations


Presentation on theme: "1 Lecture 5 Topics Digital Signature (Signed Hashed value) Digital Certificate User Authentication Mechanisms Secure Socket Layer (SSL) GSM Security."— Presentation transcript:

1 1 Lecture 5 Topics Digital Signature (Signed Hashed value) Digital Certificate User Authentication Mechanisms Secure Socket Layer (SSL) GSM Security

2 2 Lecture 5 Digital Signature Speed and practice consideration Sign on Hashed value of the message

3 3 Lecture 5 How can public key been seen Store a list of trusted public keys in your storage. Public key signed by a authorized unit. (digital Certificate)

4 4 Lecture 5 Digital Certificate Digital version of a paper-based passport Identifies a person/organization uniquely on the Internet Binds a user with its public key

5 5 Lecture 5 Digital Certificate Concept Fig 5.1 Digital Certificate “I officially approve the relation between the holder of this certificate (the user) and this particular public key.

6 6 Lecture 5 Digital Certificate Contents Main contents are the subject name (user), validity and public key Signed by a Certification Authority (CA) Provides guarantees about a user’s identity

7 7 Lecture 5 Digital Certificate Example Fig 5.2 Digital Certificate Subject Name: Atul Kahate Public Key: Serial Number: Other data: - Valid From: 1 Jan 2001 Valid To: 31 Dec 2004 Issuer Name: VeriSign …

8 8 Lecture 5 Similarities between a Passport and a Digital Certificate Fig 5.3 Passport entryCorresponding digital certificate entry Full nameSubject name Passport numberSerial number Valid fromSame Valid toSame Issued byIssuer name Photograph and signaturePublic key

9 9 Lecture 5 Digital Certificate Contents Version Certificate Serial Number Signature Algorithm Identifier Issuer Name Validity (Not Before / Not After) Subject Name Subject Public Key Information Issuer Unique Identifier Subject Unique Identifier Extensions Certification Authority’s Digital Signature

10 10 Lecture 5 Digital Certificate Contents FieldDescription VersionIdentifies a particular version of the X.509 protocol, which is used for this digital certificate. Currently, this field can contain 1, 2 or 3. Certificate Serial NumberContains a unique integer number, which is generated by the CA. Signature Algorithm Identifier Identifies the algorithm used by the CA to sign this certificate. (We shall examine this later). Issuer NameIdentifies the Distinguished Name (DN) of the CA that created and signed this certificate. Validity (Not Before/Not After) Contains two date-time values (Not Before and Not After), which specify the timeframe within which the certificate should be considered as valid. These values generally specify the date and time up to seconds or milliseconds. Subject NameIdentifies the Distinguished Name (DN) of the end entity (i.e. the user or the organization) to whom this certificate refers. This field must contain an entry unless an alternative name is defined in Version 3 extensions. Subject Public Key Information Contains the subject’s public key and algorithms related to that key. This field can never be blank.

11 11 Lecture 5 CA Hierarchy There can be multiple level CAs Useful for delegation of work Each higher level CA vouches for its subordinate CA

12 12 Lecture 5 CA Hierarchy Fig 5.20 Root CA Second Level CA Third Level CA … … …

13 13 Lecture 5 Same Root CA Fig 5.21 Root CA Second Level CA (A1) Second Level CA (A2) Second Level CA (A3) Third Level CA (B1) Third Level CA (B2) Third Level CA (B11) Third Level CA (B10) … Alice … Bob …

14 14 Lecture 5 How to Verify Root CA? Fig 5.22 Digital Certificate … Issuer Name: B11 Subject Name: Bob … Digital Certificate … Issuer Name: A3 Subject Name: B11 … Digital Certificate … Issuer Name: Root Subject Name: A3 … Digital Certificate … Issuer Name: ??? Subject Name: Root …

15 15 Lecture 5 Self-signed Certificate Fig 5.23 Digital Certificate … Issuer Name: Root Subject Name: Root …

16 16 Lecture 5 Cross-Certification In some cases, even root CAs can be different In such cases, they certify each other Creates a cross level trust

17 17 Lecture 5 Cross-Certification of CAs Fig 5.25 Root CA of Japan Second Level CA (A1) Second Level CA (P1) Third Level CA (B1) Third Level CA (B2) Third Level CA (Q2) Third Level CA (Q1) Alice … Bob … Root CA of the US Cross-certified

18 18 Lecture 5 Validity of a Certificate It is necessary to check the validity of a certificate before it is used Two chief mechanisms: –Online Checks –Offline Checks

19 19 Lecture 5 Authentication Who is who? Identifies a user or a resource Establishes trust before communication can take place

20 20 Lecture 5 Authentication Mechanisms Passwords Message digests of passwords Authentication Tokens Certificate-based Authentication Biometrics

21 21 Lecture 5 Password Authentication Alice Bob ID: Alice, password: fiddle Problems: 1.Password is clear text 2. How server Bob store users’ password Id Password Alice fiddle Amay wang1123 Atul hor{9mn}

22 22 Lecture 5 Message Digests of Passwords Alice Bob ID: Alice, passwd:Hash( fiddle} Problems: 1.Replay attacks Id Hash(Pass) Alice pp*;; Amay werr[}; Atul fghppo{

23 23 Lecture 5 Solve the replay attack problem Create a secure channel when communicating. Challenge/response between User and Server Alice Bob ID: Alice, passwd:Hash( fiddle} Secure channel Alice Bob I’m Alice R signed with Alice’s private key R

24 24 Lecture 5 Message Digests of Passwords Original clear text password is never stored/transmitted Message digest of password is stored in the database, and the same is used for authentication Problems: replay attacks

25 25 Lecture 5 Message Digests of Passwords Fig 7.7 tiger newroad april … Message digest algorithm Message digests of passwords Passwords G%6$1 Vt^80+1 +{:>9mn Step 1: Calculate the message digests of the passwords on the server-side. Step 2: Store the user ids and message digests of the passwords in the user database. Id Password Jyoti G%6$1 Amar Vt^80+1 Atul +{:>9mn User database Server User creation program

26 26 Lecture 5 Authentication Tokens Token and server are synchronized initially Token generates fresh passwords periodically Same passwords are generated at the server

27 27 Lecture 5 Authentication Token Concept Id Seed Alice Amar Atul Id = atul passWd = Seed Seed: Alice Bob

28 28 Lecture 5 Certificate-based Authentication User’s certificate details need to be stored on the server-side CA distributes the certificates to the users also Validation between the two takes place at the time of authentication

29 29 Lecture 5 Digital Certificate Storage Certificate Server Id Public KeyValidity… Jyoti June 2003 Amar May 2002 Atul July 2003 User database Certification Authority (CA) Certificate To respective users

30 30 Lecture 5 Certificate-based Authentication Server Server Login request Id = atul Sign = Step 1: User’s computer encrypts the random challenge with the user’s private key to produce the digital signature. Step 2: User’s computer sends the digital signature to the server as a part of the login request Original random challenge User’s digital signature Private key file Encrypt

31 31 Lecture 5 Smart Card Issues and Solutions Problem/IssueEmerging solution Smart card readers are not yet a part of a desktop computer, unlike a hard disk drive or a floppy disk drive The new versions of computers and mobile devices are expected to come with smart card readers out of the box. Non-availability of smart card reader driver software Microsoft has made the PC/SC smart card framework an integral part of the Windows 2000 operating system. Most smart card reader manufacturers ship the PC/SC compliant reader drivers, making the process of adding a reader hardware to the computer a plug-and-play operation. Non availability of smart card aware cryptographic services software Smart-card aware software such as Microsoft Crypto API (MS-CAPI) comes free with Internet Explorer. Cost of smart cards and card readers is high This is reducing now. Smart cards are available for about $5, and the card readers for about $20.

32 32 Lecture 5 Authentication in Wireless Communication i GSM (Global System for Mobible Communications) DECT (Digital Eurpean Cordless Telephone)

33 33 Lecture 5 GSM Handset with SIM card, HLR(Home Location Register), VLR(Visitor Location Register) Handset  HLR has IMSI (International Mobile Subscriber Identity) and Ki (an Authentication Key) Three functions are used: A 3, A 5,A 8 : –A 3 and A 8 are one way function like hash but much simpler, –A 5 is the one key encrypted/decrypted function like RC4,

34 34 Lecture 5 Handset VLR HLR IMSI IMSI, RAND, Kc, SRES RAND SRES A5 Kc (TMSI) Kc=A8(Ki//RAND) SRES=A3(Ki//RAND) ACK

35 35 Lecture 5 Secure Socket Layer (SSL) World’s most widely used security mechanism on the Internet Secures communication between a client and a server Located between the Application and Transport Layers of TCP/IP protocol suite

36 36 Lecture 5 Position of SSL in TCP/IP Fig 6.9 Application Layer Transport Layer Internet Layer Data Link Layer Physical Layer SSL Layer

37 37 Lecture 5 Data Exchange including SSL Fig 6.10 X LA data Transmission medium H4 Performed LA data+SH H3 Performed LA data+SH+H4 Application Transport Internet Physical Performed LA data SSL SH H2 Performed LA data+SH+H4+H3 Data Link Y L5 data H4 Performed LA data+SH H3 Performed LA data+SH+H4 Performed LA data SH H2 Performed LA data+SH+H4+H3

38 38 Lecture 5 SSL Sub-Protocols Handshake Protocol Record Protocol Alert Protocol

39 39 Lecture 5 SSL Handshake Message Format Fig 6.11 TypeLengthContent 1 byte3 bytes1 or more bytes

40 40 Lecture 5 SSL Handshake Messages Message TypeParameters Hello requestNone Client helloVersion, Random number, Session id, Cipher suite, Compression method Server helloVersion, Random number, Session id, Cipher suite, Compression method CertificateChain of X.509V3 certificates Server key exchangeParameters, signature Certificate requestType, authorities Server hello doneNone Certificate verifySignature Client key exchangeParameters, signature FinishedHash value

41 41 Lecture 5 SSL Handshake Process Web Browse r Web Server 1.Establish security capabilities 2.Server authentication and key exchange 3.Client authentication and key exchange 4.Finish

42 42 Lecture 5 SSL Handshake – Phase 1 Web Brows er Web Server Step 1: Client hello Step 2: Server hello

43 43 Lecture 5 SSL Handshake – Phase 2 Web Brows er Web Server Step 1: Certificate Step 2: Server key exchange Step 3: Certificate request Step 4: Server hello done

44 44 Lecture 5 SSL Handshake – Phase 3 Web Browse r Web Server Step 1: Certificate Step 2: Client key exchange Step 3: Certificate verify

45 45 Lecture 5 SSL Handshake – Phase 4 Web Brows er Web Server Step 3: Change cipher specs Step 4: Finished 1. Change cipher specs 2. Finished

46 46 Lecture 5 SSL Record Protocol Application data Fragmentation Compression Addition of MAC Encryption Append header Performed Action on Application data


Download ppt "1 Lecture 5 Topics Digital Signature (Signed Hashed value) Digital Certificate User Authentication Mechanisms Secure Socket Layer (SSL) GSM Security."

Similar presentations


Ads by Google