Chapter 5 Data Security (Dr.Atef)

7/31/2019 Chapter 5 Data Security (Dr.Atef)

1/40

Digital Signature


2/40

Digital Signature

Not a digital signature


3/40

Digital Signature

Digital Signature

1-Smart Card2-Digital Certificate3-.Security

.

Private Key

Public Key

Digital

Certificate


4/40

Algorithms and Keys

Encryption and decryption with a key

Encryption and decryption with two different keys


5/40

A cryptosystem is an algorithm,plus all possible plaintexts,

ciphertexts, and keys.

Algorithms and Keys


6/40

More Definitions

Unconditional security

No matter how much computer power isavailable, the cipher cannot be broken since theciphertext provides insufficient information touniquely determine the corresponding plaintext

Computational security

Given limited computing resources (e.g timeneeded for calculations is greater than age ofuniverse), the cipher cannot be broken


7/40

2.7 Cryptographic Hash Functionand its requirements

Cryptographic hash functions areimportant tools in cryptography forapplications such as digital

fingerprinting of messages, messageauthentication, and key derivation.

Hash functions can map bit-strings ofarbitrary finite length into strings offixed length.


8/40


A hash value is generated by afunction H of the form h=H(M) where

M is a variable-length message andH(M) is the fixed-length hash value.

The purpose of a hash function is toproduce a fingerprint of a file,message, or other block of data.


9/40


The hash value is intended for digitalsignature applications, where a largefile must be compressed in a secure

manner before being signed(encrypted) with a private secret keyunder a public-key cryptosystem.

The purpose of a hash function is toproduce a fingerprint of a file,message, or other block of data.


10/40


A hash function H must have thefollowing properties:

H can be applied to a block of dataof any size.

H produces a fixed-length output.

H(x) is relatively easy to compute

for any x, making both hardwareand software implementationspractical.


11/40


A hash function H must have thefollowing properties:

For any given code m, it is

computationally infeasible to find xsuch that H(x) = m.

For any given block x, it iscomputationally infeasible to find y

x with H(y) = H(x). It is computationally infeasible to find

any pair(x, y) such that H(x) = H(y).


12/40

2.8 Steganography

Steganography serves to hide secretmessages in other messages, suchthat the secrets very existence is

concealed.Generally the sender writes an

innocuous message and thenconceals a secret message on thesame piece of paper.


13/40

2.8 Steganography

More recently, people are hidingsecret messages in graphic images.Replace the least significant bit of

each byte of the image with the bits ofthe message.

The graphical image wont changeappreciablymost graphicsstandards specify more gradations ofcolor than the human eye cannoticeand the message can be

stripped out at the receiving end.


14/40

2.9 Simple XOR

XOR is exclusive-or operation: ^ in Cor in mathematical notation. Its astandard operation on bits:

0 ^ 0 = 0

0 ^ 1 = 1

1 ^ 0 = 11 ^ 1 = 0


15/40

2.9 Simple XOR

Also note that:

a ^ a = 0

a ^ b ^ b = a

The plaintext is being XORed with akeyword to generate the ciphertext.

P^ K= C

C^ K= P


16/40

Ongoing Communication

Message-by-Message Authentication

Message-by-Message IntegrityMessage-by-Message Confidentiality


17/40

Figure 9.17: Digital Signature

SenderReceiver

DS Plaintext

Add Digital Signature to Each MessageProvides Message-by-Message Authentication

Encrypted for Confidentiality


18/40

Figure 9.17: Digital Signature:

Sender

DS

Plaintext

MD

Hash

Sign (Encrypt) MD with

Senders Private Key

To Create the Digital Signature:

1. Hash the plaintext to create

a brief message digest; This is

NOT the digital signature

2. Sign (encrypt) the message

digest with the senders private

key to create the digitalSignature


19/40

Figure 9.17: Digital Signature

Sender

Encrypts

Receiver

Decrypts

Send Plaintext plus Digital Signature

Encrypted with Symmetric Session Key

DS Plaintext

Transmission


20/40

Figure 9.17: Digital Signature:

Receiver

DSReceived Plaintext

MDMD

1.Hash

2.

Decrypt with

True Partys

Public Key

3.

Are they Equal?

1. Hash the receivedplaintext with the same

hashing algorithm the

sender used. This gives

the message digest

2. Decrypt the digital

signature with the senders

public key. This also should

give the message digest.

3. If the two match, themessage is authenticated;

The sender has the true

Partys private key


21/40

Figure 9.18: Public Key Deception

Impostor

I am the True Person.

Here is TPs public key.

(Sends Impostors public key)

Here is authentication

based on TPs private key.

(Really Impostors private key)

Decryption of message from Verifierencrypted with Impostors public key,

so Impostor can decrypt it

Verifier

Must authenticate True Person.

Believes now has

TPs public key

Believes True Person

is authenticated

based on Impostors public key

True Person,here is a message encrypted

with your public key.

Critical

Deception


22/40

Digital Certificates

Digital certificates are electronic documentsthat give the true partys name and public key

Applicants claiming to be the true party have

their authentication methods tested by thispublic key

If they are not the true party, they cannot usethe true partys private key and so will not be

authenticated Digital certificates follow the X.509 Standard


23/40

Digital Signatures and Digital

Certificates Public key authentication requires both a

digital signature and a digital certificate to give

the public key needed to test the digital

signature

DS Plaintext

Applicant

Verifier

Certificate Authority

DigitalCertificate:

True Partys

Public Key


24/40

Figure 9.19: Public Key

Infrastructure (PKI)

Verifier

(Brown)


PKI Server

Create &

Distribute

(1) Private

Key and

(2) Digital

Certificate Applicant (Lee)

Verifier

(Cheng)


25/40



Verifier

(Brown)

Certificate AuthorityPKI Server

4.

Certificate

for Brown

Applicant (Lee)

Verifier(Cheng)

3. Request

Certificate

for Brown


26/40



Verifier

(Brown)


PKI Server6. Check Certificate

Revocation List (CRL)

For Lees Digital Certificate

Applicant (Lee)

5.Certificate

for Lee

Verifier

(Cheng)

7. Revoked or OK


27/40

Figure 9.20: Security at Multiple

Layers

Layer Example

ApplicationApplication-specific (for instance, passwords for a

database program); Application (Proxy) Firewalls

Transport SSL (TLS), Packet Filter Firewalls

Internet IPsec, Packet Filter Firewalls

Data LinkPoint-to-Point Tunneling Protocol (PPTP), Layer 2

Tunneling Protocol (L2TP)

Physical Physical locks on computers, Notebook Encryption


28/40

Figure 9.20: Security at Multiple

Layers

Having security at multiple layers provides

protection if one layers security fails

Having security at multiple layers also slows

processing on the device

So provide protection in at least two layers but

not in all layers


29/40

Figure 9.21: Creating Appropriate

Security Understanding Needs

Need to make security proportional to risks

Organizations face different risks

Policies and Enforcement Policies bring consistency

Must be enforced.

Training in the importance of security and inprotection techniques

Social engineering prevention training


30/40

Figure 9.21: Creating Appropriate

Security Policies and Enforcement

Security audits: attack your system proactively

You must really be able to trust your testers

Incident handling Stopping the attack

Restoring the system

Prosecution

Planning and practicing before the incident

Privacy

Need to protect employee & customer privacy


31/40


32/40

)(

www.trustcenter.de/products/express/en/en.htm


33/40

)(


34/40


35/40

)(


36/40

)(


37/40

)outlook Express(

)Tools()outlook express(


38/40

)Digitallysigned()Tools(


39/40


40/40

)Send(

Documents

Chapter 5 Data Security (Dr.Atef)