Upload
jonathanhindi
View
220
Download
0
Embed Size (px)
Citation preview
7/31/2019 Chapter 5 Data Security (Dr.Atef)
1/40
Digital Signature
7/31/2019 Chapter 5 Data Security (Dr.Atef)
2/40
Digital Signature
Not a digital signature
7/31/2019 Chapter 5 Data Security (Dr.Atef)
3/40
Digital Signature
Digital Signature
1-Smart Card2-Digital Certificate3-.Security
.
Private Key
Public Key
Digital
Certificate
7/31/2019 Chapter 5 Data Security (Dr.Atef)
4/40
Algorithms and Keys
Encryption and decryption with a key
Encryption and decryption with two different keys
7/31/2019 Chapter 5 Data Security (Dr.Atef)
5/40
A cryptosystem is an algorithm,plus all possible plaintexts,
ciphertexts, and keys.
Algorithms and Keys
7/31/2019 Chapter 5 Data Security (Dr.Atef)
6/40
More Definitions
Unconditional security
No matter how much computer power isavailable, the cipher cannot be broken since theciphertext provides insufficient information touniquely determine the corresponding plaintext
Computational security
Given limited computing resources (e.g timeneeded for calculations is greater than age ofuniverse), the cipher cannot be broken
7/31/2019 Chapter 5 Data Security (Dr.Atef)
7/40
2.7 Cryptographic Hash Functionand its requirements
Cryptographic hash functions areimportant tools in cryptography forapplications such as digital
fingerprinting of messages, messageauthentication, and key derivation.
Hash functions can map bit-strings ofarbitrary finite length into strings offixed length.
7/31/2019 Chapter 5 Data Security (Dr.Atef)
8/40
2.7 Cryptographic Hash Functionand its requirements
A hash value is generated by afunction H of the form h=H(M) where
M is a variable-length message andH(M) is the fixed-length hash value.
The purpose of a hash function is toproduce a fingerprint of a file,message, or other block of data.
7/31/2019 Chapter 5 Data Security (Dr.Atef)
9/40
2.7 Cryptographic Hash Functionand its requirements
The hash value is intended for digitalsignature applications, where a largefile must be compressed in a secure
manner before being signed(encrypted) with a private secret keyunder a public-key cryptosystem.
The purpose of a hash function is toproduce a fingerprint of a file,message, or other block of data.
7/31/2019 Chapter 5 Data Security (Dr.Atef)
10/40
2.7 Cryptographic Hash Functionand its requirements
A hash function H must have thefollowing properties:
H can be applied to a block of dataof any size.
H produces a fixed-length output.
H(x) is relatively easy to compute
for any x, making both hardwareand software implementationspractical.
7/31/2019 Chapter 5 Data Security (Dr.Atef)
11/40
2.7 Cryptographic Hash Functionand its requirements
A hash function H must have thefollowing properties:
For any given code m, it is
computationally infeasible to find xsuch that H(x) = m.
For any given block x, it iscomputationally infeasible to find y
x with H(y) = H(x). It is computationally infeasible to find
any pair(x, y) such that H(x) = H(y).
7/31/2019 Chapter 5 Data Security (Dr.Atef)
12/40
2.8 Steganography
Steganography serves to hide secretmessages in other messages, suchthat the secrets very existence is
concealed.Generally the sender writes an
innocuous message and thenconceals a secret message on thesame piece of paper.
7/31/2019 Chapter 5 Data Security (Dr.Atef)
13/40
2.8 Steganography
More recently, people are hidingsecret messages in graphic images.Replace the least significant bit of
each byte of the image with the bits ofthe message.
The graphical image wont changeappreciablymost graphicsstandards specify more gradations ofcolor than the human eye cannoticeand the message can be
stripped out at the receiving end.
7/31/2019 Chapter 5 Data Security (Dr.Atef)
14/40
2.9 Simple XOR
XOR is exclusive-or operation: ^ in Cor in mathematical notation. Its astandard operation on bits:
0 ^ 0 = 0
0 ^ 1 = 1
1 ^ 0 = 11 ^ 1 = 0
7/31/2019 Chapter 5 Data Security (Dr.Atef)
15/40
2.9 Simple XOR
Also note that:
a ^ a = 0
a ^ b ^ b = a
The plaintext is being XORed with akeyword to generate the ciphertext.
P^ K= C
C^ K= P
7/31/2019 Chapter 5 Data Security (Dr.Atef)
16/40
Ongoing Communication
Message-by-Message Authentication
Message-by-Message IntegrityMessage-by-Message Confidentiality
7/31/2019 Chapter 5 Data Security (Dr.Atef)
17/40
Figure 9.17: Digital Signature
SenderReceiver
DS Plaintext
Add Digital Signature to Each MessageProvides Message-by-Message Authentication
Encrypted for Confidentiality
7/31/2019 Chapter 5 Data Security (Dr.Atef)
18/40
Figure 9.17: Digital Signature:
Sender
DS
Plaintext
MD
Hash
Sign (Encrypt) MD with
Senders Private Key
To Create the Digital Signature:
1. Hash the plaintext to create
a brief message digest; This is
NOT the digital signature
2. Sign (encrypt) the message
digest with the senders private
key to create the digitalSignature
7/31/2019 Chapter 5 Data Security (Dr.Atef)
19/40
Figure 9.17: Digital Signature
Sender
Encrypts
Receiver
Decrypts
Send Plaintext plus Digital Signature
Encrypted with Symmetric Session Key
DS Plaintext
Transmission
7/31/2019 Chapter 5 Data Security (Dr.Atef)
20/40
Figure 9.17: Digital Signature:
Receiver
DSReceived Plaintext
MDMD
1.Hash
2.
Decrypt with
True Partys
Public Key
3.
Are they Equal?
1. Hash the receivedplaintext with the same
hashing algorithm the
sender used. This gives
the message digest
2. Decrypt the digital
signature with the senders
public key. This also should
give the message digest.
3. If the two match, themessage is authenticated;
The sender has the true
Partys private key
7/31/2019 Chapter 5 Data Security (Dr.Atef)
21/40
Figure 9.18: Public Key Deception
Impostor
I am the True Person.
Here is TPs public key.
(Sends Impostors public key)
Here is authentication
based on TPs private key.
(Really Impostors private key)
Decryption of message from Verifierencrypted with Impostors public key,
so Impostor can decrypt it
Verifier
Must authenticate True Person.
Believes now has
TPs public key
Believes True Person
is authenticated
based on Impostors public key
True Person,here is a message encrypted
with your public key.
Critical
Deception
7/31/2019 Chapter 5 Data Security (Dr.Atef)
22/40
Digital Certificates
Digital certificates are electronic documentsthat give the true partys name and public key
Applicants claiming to be the true party have
their authentication methods tested by thispublic key
If they are not the true party, they cannot usethe true partys private key and so will not be
authenticated Digital certificates follow the X.509 Standard
7/31/2019 Chapter 5 Data Security (Dr.Atef)
23/40
Digital Signatures and Digital
Certificates Public key authentication requires both a
digital signature and a digital certificate to give
the public key needed to test the digital
signature
DS Plaintext
Applicant
Verifier
Certificate Authority
DigitalCertificate:
True Partys
Public Key
7/31/2019 Chapter 5 Data Security (Dr.Atef)
24/40
Figure 9.19: Public Key
Infrastructure (PKI)
Verifier
(Brown)
Certificate Authority
PKI Server
Create &
Distribute
(1) Private
Key and
(2) Digital
Certificate Applicant (Lee)
Verifier
(Cheng)
7/31/2019 Chapter 5 Data Security (Dr.Atef)
25/40
Figure 9.19: Public Key
Infrastructure (PKI)
Verifier
(Brown)
Certificate AuthorityPKI Server
4.
Certificate
for Brown
Applicant (Lee)
Verifier(Cheng)
3. Request
Certificate
for Brown
7/31/2019 Chapter 5 Data Security (Dr.Atef)
26/40
Figure 9.19: Public Key
Infrastructure (PKI)
Verifier
(Brown)
Certificate Authority
PKI Server6. Check Certificate
Revocation List (CRL)
For Lees Digital Certificate
Applicant (Lee)
5.Certificate
for Lee
Verifier
(Cheng)
7. Revoked or OK
7/31/2019 Chapter 5 Data Security (Dr.Atef)
27/40
Figure 9.20: Security at Multiple
Layers
Layer Example
ApplicationApplication-specific (for instance, passwords for a
database program); Application (Proxy) Firewalls
Transport SSL (TLS), Packet Filter Firewalls
Internet IPsec, Packet Filter Firewalls
Data LinkPoint-to-Point Tunneling Protocol (PPTP), Layer 2
Tunneling Protocol (L2TP)
Physical Physical locks on computers, Notebook Encryption
7/31/2019 Chapter 5 Data Security (Dr.Atef)
28/40
Figure 9.20: Security at Multiple
Layers
Having security at multiple layers provides
protection if one layers security fails
Having security at multiple layers also slows
processing on the device
So provide protection in at least two layers but
not in all layers
7/31/2019 Chapter 5 Data Security (Dr.Atef)
29/40
Figure 9.21: Creating Appropriate
Security Understanding Needs
Need to make security proportional to risks
Organizations face different risks
Policies and Enforcement Policies bring consistency
Must be enforced.
Training in the importance of security and inprotection techniques
Social engineering prevention training
7/31/2019 Chapter 5 Data Security (Dr.Atef)
30/40
Figure 9.21: Creating Appropriate
Security Policies and Enforcement
Security audits: attack your system proactively
You must really be able to trust your testers
Incident handling Stopping the attack
Restoring the system
Prosecution
Planning and practicing before the incident
Privacy
Need to protect employee & customer privacy
7/31/2019 Chapter 5 Data Security (Dr.Atef)
31/40
7/31/2019 Chapter 5 Data Security (Dr.Atef)
32/40
)(
www.trustcenter.de/products/express/en/en.htm
7/31/2019 Chapter 5 Data Security (Dr.Atef)
33/40
)(
7/31/2019 Chapter 5 Data Security (Dr.Atef)
34/40
7/31/2019 Chapter 5 Data Security (Dr.Atef)
35/40
)(
7/31/2019 Chapter 5 Data Security (Dr.Atef)
36/40
)(
7/31/2019 Chapter 5 Data Security (Dr.Atef)
37/40
)outlook Express(
)Tools()outlook express(
7/31/2019 Chapter 5 Data Security (Dr.Atef)
38/40
)Digitallysigned()Tools(
7/31/2019 Chapter 5 Data Security (Dr.Atef)
39/40
7/31/2019 Chapter 5 Data Security (Dr.Atef)
40/40
)Send(