Authentication and Encryption Technology

Authentication

Authentication is the process of proving one's identity to someone else.
The purpose of authentication:
a) To restrict access to network devices.
b) To identify the individual who is attempting to perform a function.
c) To prove that the individual is who he claims to be.
Identification - tell the system who you are.
Authentication - prove to the system that you are who you say you are.
Importance of authentication:
a) To identify users and systems on the network.
b) To build consumers' trust in electronic agreements and transactions.
c) To inhibit identity theft.
d) To avoid fraud.
e) To allow the right person the right resources that he/she could have.

Authentication Application Technology

Authentication application technology can be accomplished using one of the following three (3) things or a combination of these three (3) things:
a) What you have: login name, security token.
b) What you know: password, PIN.
c) What you are: biometrics such as fingerprints and voice.
Identification is accomplished by asking the question "Who are you?" E.g.: login name.
Authentication occurs when a user is asked to prove that they are who they claim to be. E.g.: a password that is tied to the identifying login name.
Identification & Authentication:
a) Something you have - e.g.: tokens, keys & smart cards ~ you have the key, you must be the owner of it.
b) Something you know - e.g.: password ~ you know the password, you are the owner.
c) Something you are - e.g.: fingerprints, retina pattern, handprint etc.

Types of Authentication Attacks

Man-in-the-middle attack: Where an attacker inserts himself between the customer and the verifier in an authentication exchange. The attacker attempts to authenticate by posing as the customer to the verifier and the verifier to the customer.
Replay attack: Where the attacker records the data of a successful authentication and replays this information to attempt to falsely authenticate to the verifier.
Phishing attack: Social engineering attacks that use forged web pages, emails, or other electronic communications to convince the customer to reveal their password or other sensitive information to the attacker.
Insider attack: Individuals who have legitimate access to the system deliberately compromise the authentication system or steal authentication keys or related data.
Eavesdropper attack: Where an attacker obtains information from an authentication exchange and recovers data, such as authentication key values, which then may be used to authenticate.
Password discovery attack: This covers a variety of attacks, such as brute force, common password and dictionary attacks, which aim to determine a password. The attacker may try to guess a specific customer's password, try a few commonly used passwords

Cryptography

Cryptography is the art of protecting information by encrypting it into an unreadable format called cipher text.
Only those who possess a secret key can decipher (or decrypt) the message into plain text.
Cryptographic terminologies:
a) Encryption - the process of encoding a message so its meaning is not obvious.
b) Cipher text - the encrypted form of a message.
c) Decryption - the reverse process, which means trying to bring an encrypted message back to its normal form.
d) Cryptanalysis - breaking the secret codes.

Encryption

Encryption can be used to protect data from snooping and also to protect data from being altered.
It can be used to protect data at rest and data in transit, for example data being transferred via networks.
Snooping is unauthorized access to another person's or company's data.
An encryption scheme has five (5) main components:
a) Plaintext
b) Encryption algorithm
c) Secret key
d) Cipher text
e) Decryption algorithm
Security depends on the secrecy of the key, not the secrecy of the algorithm.
Encoding - the process of translating entire words or phrases to other words or phrases.

Key-Based Encryption Algorithm

There are two (2) classes of key-based encryption algorithm:
a) Symmetric algorithms
b) Asymmetric algorithms

A. Symmetric algorithms
Both parties share the same key for encryption and decryption. To provide privacy, this key needs to be kept secret. Once somebody else gets to know the key, it is not safe any more. Symmetric algorithms have the advantage of not consuming too much computing power.

B. Asymmetric algorithms
Use two (2) pairs of keys. One is used for encryption and the other one for decryption. The decryption key is typically kept secret, and is therefore called the private key or secret key. The encryption key is spread to all who might want to send encrypted messages, and is therefore called the public key. Everybody having the public key is able to send encrypted messages to the owner of the secret key. Examples of asymmetric key algorithms: ElGamal, Diffie-Hellman, RSA, DSA.

Differences between symmetric key and asymmetric key

Symmetric key:
a) Both parties share the same key for encryption and decryption.
b) Key needs to be kept secret.
c) Examples: DES, Triple-DES (3DES), IDEA, CAST5, BLOWFISH, TWOFISH.
d) Not consuming too much computing power.

Asymmetric key:
a) Use pairs of keys. One is used for encryption and the other one for decryption.
b) Decryption key is typically kept secret, therefore called private key or secret key, while the encryption key is spread to all who might want to send encrypted messages, therefore called public key.
c) Examples: RSA, DSA, ELGAMAL.
d) Are much slower than symmetric key encryption.

Cryptographic Protocols and Standards

Among the well-known cryptographic protocols and standards are the following:
a) Domain Name Server Security (DNSSEC)
b) Generic Security Services API (GSSAPI)
c) Secure Sockets Layer (SSL)
d) Secure Hypertext Transfer Protocol (SHTTP)
e) Security Token
f) BlackDuck
g) OpenLogic

A. Domain Name Server Security (DNSSEC)
Specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used in Internet Protocol (IP) networks.
DNS is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network.
For example, www.example.com is translated to 208.77.188.166.
DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers):
a) Origin authentication of DNS data
b) Data integrity (but not availability or confidentiality)
c) Authenticated denial of existence
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
All answers in DNSSEC are digitally signed.
DNSSEC works by digitally signing answers to DNS lookups using public-key cryptography.
By checking the digital signature, a DNS resolver is able to check whether the information is identical (correct and complete) to the information on the authoritative DNS server.
All DNSSEC responses are authenticated but not encrypted.
Disadvantages of DNSSEC:
a) Does not protect against DoS attacks directly.
b) Does not provide confidentiality of data.
c) Cannot cure false assumptions - it can only authenticate that the data is truly from or not available from the domain owner.
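
The sign-then-verify idea described above, as an added example that is not part of the original notes: an authoritative server signs an answer with its private key, and a resolver checks it with the public key. It assumes a toy textbook-RSA key built from two public Mersenne primes and a made-up `canonical` answer format; it is not the real DNSSEC record format or a secure key, and all function names are illustrative.

```python
import hashlib

# Toy RSA key built from two public Mersenne primes: illustration only, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, published by the zone
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, held by the zone owner


def canonical(name: str, rtype: str, addresses: list) -> bytes:
    """Constructed canonical form of an answer: lower-case name, sorted data."""
    return f"{name.lower()}|{rtype}|{','.join(sorted(addresses))}".encode()


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Authoritative server: sign the hash of the answer with the private key."""
    return pow(_digest(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Resolver: recover the hash with the public key and compare."""
    return pow(signature, E, N) == _digest(data)


def demo() -> dict:
    genuine = canonical("www.example.com", "A", ["208.77.188.166"])
    sig = sign(genuine)
    # Constructed forged answer, as a poisoned cache entry would carry.
    forged = canonical("www.example.com", "A", ["203.0.113.7"])
    return {
        "genuine_ok": verify(genuine, sig),
        "forged_ok": verify(forged, sig),
        # The answer is signed, not encrypted: the address is still readable.
        "readable_on_wire": b"208.77.188.166" in genuine,
    }


if __name__ == "__main__":
    print(demo())
```

The forged answer fails verification because its hash no longer matches the signed one, while the genuine answer stays readable to anyone on the path, which is the "authenticated but not encrypted" property.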

B. Generic Security Services API (GSSAPI)
An application programming interface for programs to access security services.
It is a template for many kinds of security services that a routine could provide.
Security service vendors provide GSSAPI implementations usually in the form of libraries installed with their security software.
These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only the vendor-independent GSSAPI.
It is based on the notion that callers have credentials denoting their identities or authorizations to view and manipulate data.
With the credentials, callers establish contexts or environments with security permissions.
A caller with credentials operating in a particular context can invoke security services to implement confidentiality or integrity.
It defines calls to manage credentials, establish and destroy contexts and obtain security services.

C. Secure Sockets Layer (SSL)
The Secure Sockets Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers.
It protects your Web site and makes it easy for your Web site visitors to trust you in three (3) essential ways:
a) An SSL Certificate enables encryption of sensitive information during online transactions.
b) Each SSL Certificate contains unique, authenticated information about the certificate owner.
c) A Certificate Authority verifies the identity of the certificate owner when it is issued.
The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction.
[Figure: SSL CA workflow]

D. Secure Hypertext Transfer Protocol (SHTTP)
Secure HTTP provides secure communication mechanisms between an HTTP client-server pair in order to enable spontaneous commercial transactions for a wide range of applications.
Web browsers typically use HTTP to communicate with web servers by sending and receiving information without encrypting it.
For sensitive transactions, such as Internet e-commerce or online access to financial accounts, the browser and server must encrypt this information.
Benefits of Secure HTTP:
a) Supports end-to-end secure transactions.
b) Provides full flexibility of cryptographic algorithms, modes and parameters.
c) Attempts to avoid presuming a particular trust model.

E. Security Token
Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account).
Sometimes called a hardware token, hard token, authentication token, USB token or cryptographic token.
The token is used in addition to or in place of a password to prove that the customer is who they claim to be.
The token acts like an electronic key to access something.

Virtual Private Network (VPN)

A virtual private network (VPN) is a private network that uses a public network (the Internet) to connect remote sites or users together.
VPNs require remote access to be authenticated and make use of encryption techniques and tunneling protocols to prevent disclosure of private information.
Tunneling between endpoints must be authenticated before secure VPN tunnels can be established.

HOW VPN WORKS

1. Authorization ensures that only trusted hosts can gain network access. If a computer has not logged in with the VPN gateway (GTA firewall), the connection is denied (1a). If a computer provides authorization credentials such as a password and pre-shared secret, the VPN gateway adds the computer to its list of computers allowed to connect (1b).
2. Encryption defeats interception of traffic by scrambling data. Once authorized, a computer can use encryption to prevent digital eavesdropping (packet sniffing) by any in-between points on the Internet, including unauthorized hosts.

TYPES OF VPN

There are three (3) types of VPN:

A. Intranet-based VPNs
Links corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Intranets are designed to permit users who have access privileges to the internal LAN of the organization. Within an intranet, Web servers are installed in the network. Browser technology is used as the common front end to access information on servers such as financial, graphical, or text-based data.

B. Extranet-based VPNs
Links customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. In this example, the VPN is often an alternative to fax, snail mail, or EDI. Extranets refer to applications and services that are Intranet based, and use extended, secure access to external users or enterprises.

C. Remote Access VPNs
The VPN entities consist of the two devices in the client-server system. The combinations of VPN entities are a PC-client with a firewall server, or a dial-up server, which substitutes for the PC-client, with a firewall server. Personal VPNs are often used for mobile clients.

VPN Tunneling Protocols

Three (3) popular types of VPN tunneling protocols are:
a) Point-to-Point Tunneling Protocol (PPTP)
b) Layer 2 Tunneling Protocol (L2TP)
c) Internet Protocol Security (IPSec)

Point-to-Point Tunneling Protocol (PPTP)
A method for implementing virtual private networks. Uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.

Layer 2 Tunneling Protocol (L2TP)
Tunneling protocol used to support VPNs or as part of the delivery of services by ISPs.
It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.
IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity.

Internet Protocol Security (IPSec)
IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec network protocols support encryption and authentication.
IPsec is most commonly used in so-called "tunnel mode" with a Virtual Private Network.
However, IPsec also supports a "transport mode" for direct connection between two computers.

Procedure to Setup VPN

Before establishing a VPN, several steps must be taken:
a) Set up a VPN-capable device (router, firewall, etc.) on the network perimeter.
b) Know the IP subnet addresses used by the other side.
c) Agree on a method of authentication and exchange digital certificates if required.
d) Agree on a method of encryption and exchange encryption keys as required.
A typical VPN includes the following components:
a) Software installed (VPN client) on the end user's computer or a hardware VPN device.
b) A connection from the computer to the public Internet.
c) A connection from the Internet to corporate HQ.
d) VPN hardware or server at HQ to authenticate users and decrypt their data.

Devices for VPN Connection

Devices for VPN connection:
a) Firewall-based VPN
b) Router-based VPN
c) Dedicated software or hardware

A. Firewall-based VPN
Most popular VPN solution. This arrangement provides a central point of management as well as direct cohesion between your firewall security policy and the traffic through the tunnel. Drawback: the system could not support multiple VPNs with strong encryption on all of them. Example: Microsoft Server ISA

B. Router-based VPN
Uses a router to decrypt the traffic stream before it reaches the firewall. ASIC (hardware) allows the router to dedicate certain processors for specific tasks, preventing any one activity from overloading the router. Drawback: the router cannot provide full perimeter security.

Features of Good VPN Products

Features to consider in a good VPN product are:
a) Strong authentication
b) Adequate encryption
c) Adherence to standard

A. Strong authentication
Requires more than a username and a reusable password to authenticate a user or device.
It is necessary for identity theft protection and data protection on computers, the Internet, and corporate networks.

B. Adequate encryption
Virtual private networks employ a combination of technologies that allows users to transmit traffic over the Internet with the information privacy and security assurances equal to what can be expected from facilities-based private networks.
Reliable method to identify and authenticate users seeking to gain intranet access.
Protects sensitive information content from being revealed or compromised by intentional or unintentional eavesdroppers.
Available to prevent malicious data tampering, and in particular undetected data manipulation.

C. Adherence to standard
Includes programs, practices, policies, protocols, and awareness materials that have been developed and implemented in specific settings.
Adherence to the service-level agreements is being measured and monitored, and problems, if appropriate, are elevated for management action.