8/11/2019 Authentication & Encryption TechnologyEDIT BAI
1/38
Lecture by Pn. Hanis Basira Abu Hasan
Jabatan Teknologi Maklumat Dan Komunikasi
CHAPTER 5
Authentication & EncryptionTechnology
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
2/38
Authentication and EncryptionTechnology
2
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
3/38
Authentication
3
Authentication is the process of proving ones identity to someone else.
The purpose of authentication:
a) To restrict access to network device.
b) To identifies the individual who attempting to perform a function.
c) To proves that individual is who he claims to be.
Identification- tell the system who you are.
Authentication - prove to the system that you are who you say you are.
Importances of authentication:
a) To identify user and system on the network.b) To builds consumers 'trust in electronic agreements and transactions.
c) Inhibits identity theft.
d) To avoid fraud.
e) To allow the right person, the right resources that he/she could have.
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
4/38
Authentication Application Technology
Authentication application technology can be accomplished using one of the following three
(3) things or a combination of these three (3) things :
a) What you have: login name, security token
b) What you know: password, PIN.
c) What you are: biometrics such as fingerprints and voice
Identification is accomplished by asking the question, who are you.
Eg : login name
Authentication occurs when a user is asked to prove that they are who they claim to be.
Eg : password that is tied to the identifying login name
4
Identification Authentication
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
5/38
Authentication Application Technology
5
e.g.: password
~ you know the
password, you the ownerIDENTIFICATION
&
AUTHENTICATION
SOMETHING YOU
HAVESOMETHING YOU
KNOW
SOMETHING YOU
ARE
e.g.: tokens, keys & smart
cards
~ you have the key, you must
be the owner of it
e.g.: fingerprints, retina pattern, handprint etc.
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
6/38
Types of Authentications Attack
6
Attack Description
Man-in-the-middle attack
Where an attacker inserts himself between the customer and the verifier in an
authentication exchange. The attacker attempts to authenticate by posing as the
customer to the verifier and the verifier to the customer.
Replay attackWhere the attacker records the data of a successful authentication and replays
this information to attempt to falsely authenticate to the verifier.
Phishing attack
Social engineering attacks that use forged web pages, emails, or other electronic
communications to convince the customer to reveal their password or other
sensitive information to the attacker.
Insider attackIndividual who have legitimate access to the system, deliberately compromise
the authentication system or steal authentication keys or related data.
Eavesdropper attack Where an attacker obtains information from an authentication exchange and
recovers data, such as authentication key values, which then may be used toauthenticate.
Password discovery attack
This covers a variety of attacks, such as brute force, common password and
dictionary attacks, which aim to determine a password. The attacker may try to
guess a specific customers password, try a few commonly used passwords
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
7/38
Cryptographic
Cryptography is the art of protecting information by encrypting it into an unreadable format
called cipher text.
Only those who possess a secret key can decipher (or decrypt) the message into plain text.
Cryptographic terminologies:
a) Encryptionprocess of encoding a message so its meaning is not obvious.b) Cipher textencrypted form of message
c) Decryptionreverse process which means try to bring encrypted message back to
normal form.
d) Cryptanalysisbreaking the secret codes.
7
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
8/38
Encryption
Encryption can be used to protect data from snooping and also protect data from being
altered.
It can be used to protect data at rest and data in transit for example data being transferred
via networks.
Snooping is an unauthorized access to another person's or company's data.
8
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
9/38
Encryption
An encryption scheme has five (5) main components:
a) Plaintext
b) Encryption algorithm
c) Secret Key
d) Cipher text
e) Decryption algorithm
Security depends on the secrecy of the key, not the secrecy of the algorithm.
9
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
10/38
Encryption
Encodingthe process of translating entire words or phrases to other words or phrases.
10
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
11/38
Key-Based Encryption Algorithm
There are two (2) classes of key-based encryption algorithm
a) Symmetric algorithms
b) Asymmetric algorithms
A. Symmetric algorithms
Both parties share the same key for encryption and decryption.
To provide privacy, this key needs to be kept secret. Once somebody else gets to know the key, it is not safe any more.
Symmetric algorithms have the advantage of not consuming too much computing power.
11
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
12/38
Key-Based Encryption Algorithm
B. Asymmetric algorithms
Use two (2) pairs of keys.
One is used for encryption and the other one for decryption.
The decryption key is typically kept secretly, therefore called private key or secret key.
The encryption key is spread to all who might want to send encrypted messages, thereforecalled public key
Everybody having the public key is able to send encrypted messages to the owner of thesecret key.
Example of asymmetric key; ElGamal, Diffie-Hellman,RSA,DSA
12
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
13/38
Key-Based Encryption Algorithm
Differences between symmetric key and asymmetric key
13
Symmetric key Asymmetric key
Both parties share the same key for
encryption and decryption.
Use pairs of keys. One is used for encryption
and the other one for decryption.
Key needs to be kept secret. Decryption key is typically kept secret,
therefore called private key or secret key,while the encryption key is spread to all who
might want to send encrypted messages,
therefore called public key.
ExamplesDES, Triple-DES (3DES), IDEA,
CAST5, BLOWFISH, TWOFISH.
ExamplesRSA, DSA, ELGAMAL
Not consuming too much computing power. Are much slower than symmetric keyencryption
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
14/38
Cryptographic Protocols and Standards
Among the well-known cryptographic protocols and standards as below:
a) Domain Name Server Security (DNSSEC)
b) Generic Security Services API (GSSAPI)
c) Secure Sockets Layer (SSL)
d) Secure Hypertext Transfer Protocol (SHTTP)
e) Security Token
f) BlackDuckg) OpenLogic
A. Domain Name Server Security (DNSSEC)
Specifications for securing certain kinds of information provided by the Domain Name System
(DNS) as used in Internet Protocol (IP) networks.
DNS is hierarchical naming system for computers, services, or any resource connected to the
Internet or a private network.
For example, www.example.comis translated to 208.77.188.166.
14
http://en.wikipedia.org/wiki/Example.comhttp://en.wikipedia.org/wiki/Example.com8/11/2019 Authentication & Encryption TechnologyEDIT BAI
15/38
Cryptographic Protocols and Standards
DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) :
a) Origin authentication of DNS data
b) Data integrity (but not availability or confidentiality)
c) Authenticated denial of existence
15
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
16/38
Cryptographic Protocols and Standards
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data such as
connection that created by DNS cache poisoning.
All answers in DNSSEC are digitally signed.
DNSSEC works by digitally signing answers to DNS lookups using public-key cryptography.
By checking the digital signature, a DNS resolver is able to check if the information is correct
and complete to the information on the authoritative DNS server.
All DNSSEC responses are authenticated but not encrypted.
Disadvantages of DNSSEC
a) Does not protect against DoS attacks directly.
b) Does not provide confidentiality of data.
c) Cannot cure false assumptions - it can only authenticate that the data is truly from or
not available from the domain owner.
16
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
17/38
Cryptographic Protocols and Standards
B. Generic Security Services API (GSSAPI)
An application programming interface for programs to access security services.
It is a template for many kinds of security services that a routine could provide.
Security service vendors provide GSSAPI implementations usually in the form of libraries installed
with their security software.
These libraries present a GSSAPI-compatible interface to application writers who can write their
application to use only the vendor-independent GSSAPI.
It is based on the notion that callers have credentials denoting their identities or authorizations to
view and manipulate data.
With the credentials, caller establish contexts or environments with security permissions.
A caller with credentials operating in a particular context can invoke security services to implement
confidentiality or integrity.
It defines calls to manage credentials, establish and destroy contexts and obtain security services. 17
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
18/38
Cryptographic Protocols and Standards
C. Secure Sockets Layer (SSL)
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions
between web servers and browsers.
Protects Web site and makes it easy for your Web site visitors to trust you in three (3)
essential ways :
a) An SSL Certificate enables encryption of sensitive information during online
transactions.
b) Each SSL Certificate contains unique, authenticated information about the certificate
owner.
c) A Certificate Authority verifies the identity of the certificate owner when it is issued.
The protocol uses a third party, a Certificate Authority (CA), to identify one end or both endof the transactions.
18
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
19/38
Cryptographic Protocols and Standards
SSL CA workflows as below.
19
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
20/38
Cryptographic Protocols and Standards
D. Secure Hypertext Transfer Protocol (SHTTP)
Secure HTTP provides secure communication mechanisms between an HTTP client-server
pair in order to enable spontaneous commercial transactions for a wide range of applications.
Web browsers typically use HTTP to communicate with web servers by sending and receiving
information without encrypting it.
For sensitive transactions, such as Internet e-commerce or online access to financial
accounts, the browser and server must encrypt this information.
Benefits of Secure HTTP:
a) Supports end-to-end secure transactions.b) Provides full flexibility of cryptographic algorithms, modes and parameters.
c) Attempts to avoid presuming a particular trust model.
20
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
21/38
Cryptographic Protocols and Standards
E. Security Token
Security tokens are used to prove one's identity electronically (as in the case of a customer
trying to access their bank account).
Sometimes a hardware token, hard token, authentication token, USB token, cryptographic
token.
The token is used in addition to or in place of a password to prove that the customer is who
they claim to be.
The token acts like an electronic key to access something.
21
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
22/38
Virtual Private Network(VPN)
22
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
23/38
VPN
A virtual private network (VPN) is a private network that uses public network (Internet) to
connect remote sites or users together.
Require remote access to be authenticated and make use of encryption techniques and
tunneling protocols to prevent disclosure of private information.
Tunneling between endpoints must be authenticate before secure VPN tunnels can be
establish.
23
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
24/38
HOW VPN WORKS
24
1.Authorization ensures that only trusted hosts can gain network access.If a computer has not logged in
with the VPN gateway (GTA firewall), the connection is denied (1a). if a computer provides authorizationcredentials such as a password and pre-shared secret, the VPN gateway adds the computer to its list of
computers allowed to connect (1b).
2.Encryption defeats interception of traffic by scrambling data.Once authorized, a computer can use
encryption to prevent digital eavesdropping (packet sniffing) by any in-between points on the Internet,
including unauthorized hosts.
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
25/38
TYPES OF VPN
There are three (3) types of VPN
a)Intranet-based VPNsb)Extranet-based VPNs
c)Remote Access VPNs
25
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
26/38
Intranet-based VPNs
A. Intranet-based VPNs
Links corporate headquarters, remote offices, and branch offices over a
shared infrastructure using dedicated connections.
Intranets are designed to permit users who have access privileges to the
internal LAN of the organization.
Within an intranet, Web servers are installed in the network. Browsertechnology is used as the common front end to access information on
servers such as financial, graphical, or text-based data.
26
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
27/38
Extranet-based VPNs
B. Extranet-based VPNs
Links customers, suppliers, partners, or communities of interest to a
corporate intranet over a shared infrastructure using dedicated
connections.
In this example, the VPN is often an alternative to fax, snail mail, or EDI.
Extranets refer to applications and services that are Intranet based, anduse extended, secure access to external users or enterprises.
27
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
28/38
Remote Access VPNs
The VPN entities consist of the two devices in the client-server system.
The combinations of VPN entities are a PC-client with a
firewall server, or a dial-up server, which substitutes for the
PC-client, with a firewall server.
Personal VPNs are often used for mobile clients.
28
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
29/38
VPN Tunneling Protocols
Three (3) types of popular VPN tunnelingprotocols are
a)Point-to-Point Tunneling Protocol (PPTP)b)Layer 2 Tunneling Protocol (L2PT)
c) Internet Protocol Security (IPSec)
29
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
30/38
Point-to-Point Tunneling Protocol (PPTP)
A method for implementing virtual private networks.
Uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
30
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
31/38
Layer 2 Tunneling Protocol (L2PT)
Tunneling protocol used to support VPNs or as part of the delivery of services by
ISPs.
It does not provide any encryption or confidentiality by itself, it relies on an
encryption protocol that it passes within the tunnel to provide privacy.
IPsec is often used to secure L2PT packets by providing confidentiality,
authentication and integrity.
31
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
32/38
Internet Protocol Security (IPSec)
Is a protocol suite for securing Internet Protocol (IP) communications by authenticating and
encrypting each IP packet of a communication session.
IPsec also includes protocols for establishing mutual authentication between agents at the
beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec network protocols support encryption and authentication.
IPsec is most commonly used in so-called "tunnel mode" with a Virtual Private Network.
However, IPsec also supports a "transport mode" for direct connection between two
computers.
32
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
33/38
Procedure to Setup VPN
Before establishing a VPN, several steps must be taken:
a) Setup a VPN-capable device (router, firewall and etc.) on the network perimeter.
b) Know the IP subnet addresses used by the other side.
c) Agree on a method of authentication and exchange digital certificates if required.
d) Agree on a method of encryption and exchange encryption keys as required.
A typical VPN includes the following components :a) Software installed (VPN client) on end users computer or a hardware VPN device.
b) A connection from the computer to the public Internet.
c) A connection from the Internet to corporate HQ.
d) VPN Hardware or Server at HQ to authenticate users and decrypt their data.
33
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
34/38
Devices for VPN Connection
Devices for VPN connection
a) firewall-based VPN
b) router-based VPN
c) dedicated software or hardware
A. Firewall-based VPN
Most popular VPN solution. This arrangement provide central point of management as well as direct cohesion
between your firewall security policy and the traffic through the tunnel
Drawbacksystem could not support multiple VPNs with strong encryption on all of
them.
Example : Microsoft Server ISA
B. Router-based VPN
Using router to decrypt the traffic stream before it reaches the firewall.
ASIC (hardware) allows the router to dedicate certain processors for specific task,
preventing any one activity from overloading the router.
Drawbackrouter cannot provide full perimeter security.
34
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
35/38
Features of Good VPN Products
Features consideration for a good VPN products are
a) Strong authentication
b) Adequate encryption
c) Adherence to standard
A. Strong authentication
Require more than a username and a reusable password to authenticate a user or device.
It is necessary for identity theft protection and data protection on computers, the Internet,
and corporate networks.
35
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
36/38
Features of Good VPN Products
B. Adequate encryption
Virtual private networks employ a combination of technologies that allows users to transmit
traffic over the Internet with the information privacy and security assurances equal to what
can be expected from facilities-based private networks.
Reliable method to identify and authenticate users seeking to gain intranet access.
Protects sensitive information content being revealed or compromised by intentional or
unintentional eavesdroppers.
Available to prevent malicious data tampering, and in particular undetected data
manipulation.
36
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
37/38
Features of Good VPN Products
C. Adherence to standard
Include programs, practices, policies, protocols, and awareness materials that have been
developed and implemented in specific settings.
Adherence to the service-level agreements is being measured and monitored, and problems,
if appropriate, are elevated for management action.
37
8/11/2019 Authentication & Encryption TechnologyEDIT BAI
38/38
END
38