Post on 08-Apr-2018
transcript
8/6/2019 Lecture 6: Authentication
1/40
Authentication Process
What is Authentication?
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.html)
Two-Factor Authentication
Two-factor authentication is based on combining two factors: something you have (a credit card, etc.) and something you know (a shared secret).
Two-Factor Authentication: Different Possible Processes Available
One-time passwords
Password-generating token (SecurID, Vasco)
SMS tokens
Scratch pads
Client-side certificates
Smart cards
USB keys
Biometrics
Why do we need two-factor authentication?
1. Five hundred phishing and other online attacks per day.
2. The number of online users is increasing by a huge percentage every year.
3. Lack of awareness among online users about phishing and MITM (man-in-the-middle) attacks.
4. Single-factor authentication is not sufficient for online authentication and financial transactions.
Online Bank Fraud in the News
A Miami man blames Bank of America for more than $90,000 stolen in an unauthorized wire transfer to Latvia. Joe Lopez filed a lawsuit on Feb. 7 claiming that Bank of America had not alerted him to malicious code that could -- and indeed had -- infected his computer. A forensic investigation by the U.S. Secret Service revealed that a Trojan called Coreflood, which acts as a keystroke logger, had compromised one of his PCs.
http://searchnetworking.techtarget.com
Generic Transaction Model
[Diagram: secure protocol + user. The user exchanges data over the HTTPS protocol; labels in the figure: "Secure Protocol + USER", "HTTPS Protocol", "DATA Flow", "USER".]
Threat 1: Phishing
Threat 2: Man in the Middle
Threat 3: Computer is fully compromised
Two-Factor Authentication
Protecting Against Phishing by Implementing Strong Two-Factor Authentication
https://www.rsasecurity.com/products/securid/whitepapers
For example:
The Trouble With Current Two-Factor Authentication Products in the Market
Designed for a small user base
Has a usability cost
No clear market leader
Potentially large implementation costs
Does not stop all attacks:
Man-in-the-middle
Intelligent Trojans
The Weakness of SSL
Relies on trust
Tells you that you have a secure session with A website, not THE website
Certificates can be faked
Root certificates can be installed
Marketscore allows for man-in-the-middle and IDN (Internationalized Domain Name) attacks
HTTPS Authentication
For authentication purposes, the Handshake Protocol uses an X.509 certificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key.
HTTPS Encryption
SSL/TLS uses both symmetric-key and asymmetric-key encryption.
Symmetric key - often used for encrypting large amounts of data because it is computationally faster than asymmetric cryptography. Typical algorithms include DES (Data Encryption Standard), 3DES (Triple DES), RC2, RC4 and AES (Advanced Encryption Standard). (Of these, only AES is still used in current TLS; DES, 3DES, RC2 and RC4 are deprecated.)
Asymmetric encryption - the most common algorithm is RSA (Rivest, Shamir & Adleman).
HTTPS Encryption
SSL/TLS uses asymmetric encryption to authenticate the server to the client, and optionally the client to the server.
Asymmetric cryptography is also used to establish a session key. The session key is used in symmetric algorithms to encrypt the bulk of the data. This combines the benefit of asymmetric encryption for authentication with the faster, less processor-intensive symmetric-key encryption for the bulk data.
Purchasing on the web
The growth in web purchases makes this the most common use of cryptography, through digital signatures and encryption
Data transmitted over the web is insecure as it passes through many routers, links, computers etc.; encryption solves this
The web store uses the SSL secure layer to encrypt traffic between store and customer
It has high overhead, so only credit card details and delivery info are encrypted
Most risk comes from an attack on the merchant and their database of credit card details
E-Commerce authentication
Thief poses as a legitimate company web site
Authentication solves this: trusted authorities (Verisign, Thawte) give public keys to your browser and sign the public keys of web stores
Each vendor has a public/private key pair (an RSA key in SSL/TLS); the signing authority signs these along with a digital certificate carrying the shop's name and address. Their key/certificate identifies them
Your key identifies you with credit numbers from visit to visit
The encryption will ensure secure transmission of credit card details and the authentication process.
To authenticate, the shopper must set up an account with a username and password, hence future authentication can take place.
Electronic transactions over the web
Credit card purchases over the web are invariably performed using a protocol called SET.
Protocol designed for credit card transactions, used by Mastercard and Visa. Features:
Confidentiality
Encryption of account and payment details across the network
Cardholder's account and card number hidden from the shop
SET (Secure Electronic Transactions)
Integrity
Based on digital signatures; details of the message cannot be changed in transit
Shopper authentication
Shop can verify that the client has a legitimate card; based on X.509 certificates
Shop authentication
Shopper can authenticate and verify that the shop is authorised to accept credit cards, based on X.509 certificates
Digital Certificates
Extension of an individual's public key; has extra info that reinforces the authenticity of the key
Verified by a trusted third party
X.509 v3 certificates are now the standard for device authentication and the cornerstone of PKI
It is a system that binds together an identity with a public key
The structure of an X.509 v3 digital certificate is as follows:
Certificate
  Version
  Serial Number
  Algorithm ID
  Issuer
  Validity
    Not Before
    Not After
  Subject
  Subject Public Key Info
    Public Key Algorithm
    Subject Public Key
  Issuer Unique Identifier (Optional)
  Subject Unique Identifier (Optional)
  Extensions (Optional)
  ...
Certificate Signature Algorithm
Certificate Signature
Issuer and subject unique identifiers were introduced in Version 2, Extensions in Version 3.
What is the PKI?
PKI: Public Key Infrastructure
A system for managing certificates
Consists of certificate authorities that issue certificates
There is a hierarchy, somewhat like DNS
May be based on geography or, because the system is flexible, may fit the company's business rules
There is also a Certificate Revocation List (CRL), used to notify when a certificate may have become invalid
i.e. a subject's private key has been compromised
or some info in the certificate has changed, i.e. the issuer's details change
It is important that the user checks with the CRL to ensure a certificate they have is valid; there are lots of issues with this
Exchanging Encrypted Data
[Diagram: Budi and Ali exchange encrypted data; labels in the figure: "Public Key", "Private Key".]
Public Key Encryption
[Diagram: the clear-text input "The quick brown fox jumps over the lazy dog" is encrypted with the recipient's public key into the cipher-text "Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMdrkvegMs", which is decrypted with the recipient's private key back into the same clear-text output. The public and private keys are different but mathematically linked.]
SOURCE: ALBERTO PACE
Public Key Cryptography - Encryption
[Diagram, Joko to Robert: retrieve the recipient's public key from the keypair; encrypt the message; transmit the encrypted message; decrypt the message.]
Public Key Cryptography - Encryption
[Diagram: retrieve public key from the keypair; encrypt the message; transmit the signed message; decrypt the message.]
Public Key Cryptography - Digital Signature
[Diagram (signing): hash the message into a digest; encrypt the digest with the private key from the keypair to produce the signature; assemble message and signature into the signed message.]
Public Key Cryptography - Digital Signature
[Diagram (verification): retrieve the signer's public key; split the signed message into message and signature; hash the message into a digest; decrypt the signature into a digest; compare the two digests: valid?]
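As an added example for this page (not the lecture's own code, and not a production design), the Python block below walks through the diagrams on this and the preceding slides and the earlier "HTTPS Encryption" slides: a toy RSA keypair built from two fixed Mersenne primes, encryption with the recipient's public key, a digital signature formed by hashing the message and applying the private key to the digest, verification by recovering the digest with the public key, and the hybrid pattern in which the public key protects only a random session key while a symmetric keystream encrypts the bulk data. Textbook RSA without padding and the SHA-256-derived keystream are teaching stand-ins for the real TLS primitives; the message is the sentence from the slide, and every function name is this example's own.

```python
import hashlib
import os


def make_keypair():
    """Toy RSA keypair from 2^61-1 and 2^89-1 (both prime), so n is about 150 bits.
    Constructed for illustration only: unpadded RSA with fixed primes is never used for real data."""
    p, q = (1 << 61) - 1, (1 << 89) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)                      # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)                    # (public key, private key): different but mathematically linked

def rsa_public(key, m):                      # apply the public key: encrypt, or recover a signed digest
    n, e = key
    assert 0 <= m < n
    return pow(m, e, n)

def rsa_private(key, c):                     # apply the private key: decrypt, or sign a digest
    n, d = key
    return pow(c, d, n)

def digest(message: bytes) -> int:
    """Hash step of the signature diagram; truncated to 128 bits so it fits below the toy n."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def sign(private_key, message: bytes) -> int:
    return rsa_private(private_key, digest(message))        # "encrypt the digest with the private key"

def verify(public_key, message: bytes, signature: int) -> bool:
    return rsa_public(public_key, signature) == digest(message)  # recover the digest, compare

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream built from SHA-256 (stand-in for AES in TLS).
    XOR makes one function serve for both encryption and decryption."""
    out = bytearray()
    for start in range(0, len(data), 32):
        block = hashlib.sha256(key + (start // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def client_send(server_public_key, plaintext: bytes):
    """Hybrid pattern: the public key wraps only a fresh session key; the session key encrypts the bulk data."""
    session_key = os.urandom(16)
    wrapped_key = rsa_public(server_public_key, int.from_bytes(session_key, "big"))
    return wrapped_key, keystream_xor(session_key, plaintext)

def server_receive(server_private_key, wrapped_key: int, ciphertext: bytes) -> bytes:
    session_key = rsa_private(server_private_key, wrapped_key).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

def demo():
    pub, priv = make_keypair()
    text = b"The quick brown fox jumps over the lazy dog"    # the slide's clear-text input
    wrapped, ciphertext = client_send(pub, text)
    recovered = server_receive(priv, wrapped, ciphertext)
    sig = sign(priv, text)
    tampered = text + b"."                                   # one changed byte breaks the digest
    return recovered == text, verify(pub, text, sig), verify(pub, tampered, sig)

if __name__ == "__main__":
    print(demo())    # (True, True, False)
```

Two things the diagrams leave implicit show up in the code: the signature is over the digest, not the message, so it stays one RSA block long, and only 16 bytes of session key ever go through the slow asymmetric operation while the bulk data goes through the fast symmetric one.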
Digital Certificates
A digital certificate contains:
Identity details
e.g. personal ID, email address, web site URL
Public key of the identity
Issuer (Certification Authority)
Validity period
Attributes
The certificate is signed by the CA
Digital Certificate - Lifecycle
[Diagram: key pair generated -> certificate issued -> certificate valid and in use; from there either private key compromised -> certificate revoked, or certificate expires -> recertify (back into use) or keypair expired.]
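Added example, not from the lecture: a Python status check that follows the lifecycle above and the CRL advice on the PKI slide. It walks a constructed chain (leaf, issuing CA, root) against per-issuer CRLs, checking each certificate's validity window, its serial against the issuer's CRL, and that the CRL itself is still within its nextUpdate. Signature verification is assumed to have been done by the TLS library before these policy checks run. All names, serials and dates are constructed, and the function name is this example's own.

```python
from datetime import datetime, timezone


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample PKI (no real CA): subject -> the certificate fields that matter here.
CERTS = {
    "Example Root CA":    dict(serial=1,      issuer="Example Root CA",    not_before=utc(2020, 1, 1), not_after=utc(2040, 1, 1)),
    "Example Issuing CA": dict(serial=2,      issuer="Example Root CA",    not_before=utc(2022, 1, 1), not_after=utc(2032, 1, 1)),
    "www.example.com":    dict(serial=0x1001, issuer="Example Issuing CA", not_before=utc(2024, 1, 1), not_after=utc(2025, 1, 1)),
    "old.example.com":    dict(serial=0x2002, issuer="Example Issuing CA", not_before=utc(2024, 1, 1), not_after=utc(2025, 1, 1)),
}
TRUST_ANCHORS = {"Example Root CA"}

# One CRL per issuer. nextUpdate bounds how long a downloaded CRL may be relied on.
CRLS = {
    "Example Root CA":    dict(this_update=utc(2024, 6, 1), next_update=utc(2024, 12, 1), revoked={}),
    "Example Issuing CA": dict(this_update=utc(2024, 6, 1), next_update=utc(2024, 6, 8),
                               revoked={0x2002: "keyCompromise"}),   # serial -> reason
}


def certificate_status(subject, now, certs=CERTS, crls=CRLS, anchors=TRUST_ANCHORS):
    """Walk from the named certificate up to a trust anchor.

    Returns "valid" or a string naming the first failed check. Signatures are
    assumed verified already; this covers the lifecycle and CRL checks only.
    """
    seen = set()
    while True:
        cert = certs.get(subject)
        if cert is None:
            return f"certificate not found: {subject}"
        if now < cert["not_before"]:
            return f"not yet valid: {subject}"
        if now > cert["not_after"]:
            return f"expired: {subject}"                 # expiry ends the lifecycle; recertify
        if subject in anchors:
            return "valid"                               # reached a root we trust explicitly
        crl = crls.get(cert["issuer"])
        if crl is None:
            return f"no CRL for {cert['issuer']}"
        if cert["serial"] in crl["revoked"]:             # revocation is final, even on a stale CRL
            return f"revoked: {subject} ({crl['revoked'][cert['serial']]})"
        if now > crl["next_update"]:                     # cannot prove the cert is unrevoked today
            return f"stale CRL for {cert['issuer']}"
        if subject in seen:
            return "loop in chain"
        seen.add(subject)
        subject = cert["issuer"]                         # continue with the issuer's own certificate
```

The ordering of the two CRL checks is deliberate: a serial listed on a stale CRL is still revoked, while an unlisted serial on a stale CRL proves nothing, which is the "lots of issues with this" the PKI slide alludes to.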
Verisign
The concept of three classes of digital certificates: Class 1 for individuals, intended for email; Class 2 for organizations, for which proof of identity is required; and Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority (CA).
How it works
The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.
The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes a public key with an expiration date. It has been digitally signed by the bank to ensure its validity.
Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.
The customer places an order over a Web page. The customer's browser receives and confirms from the merchant's certificate that the merchant is valid.
The browser sends the order information. This message is encrypted with the merchant's public key, the payment information, which is encrypted with the bank's public key (which can't be read by the merchant), and information that ensures the payment can only be used with this particular order.
The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.
The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.
The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.
The bank digitally signs and sends authorization to the merchant, who can then fill the order.
Cryptography - Terms
Public key cryptography: cryptography technique using different keys for encoding and decoding messages
Keypair: private key and public key, generated together, used in public key cryptography
Encryption/Decryption: to encode/decode a message using a public or private key
PKI - Terminology
Public Key Infrastructure (PKI): administrative structure for support of public key cryptography
Public Key Certificate (Digital Certificate): document linking a public key to an identity, signed by a CA, defined by X.509
Certificate Authority (CA): trusted authority which issues digital certificates
End