IT Security Basic - CH.2.2 Authentication


Authentication

To prove you are who you say you are
  1. Password
  2. Certification authority (CA) - an organization / company that binds a public key to a particular entity
  3. Address
  4. Authentication Tokens
  5. Biometrics
  6. Fingerprints
  7. Voice Recognition
  8. Keystroke Timing
  9. Signatures
To register a public key with a CA
  1. Money
  2. Proof of identity - e.g. ID card, staff card
  3. The CA uses its private key to sign your key, as proof that "you are really you"
  4. Signed keys have an expiry time
What a digital certificate looks like
To verify a public key (Bob's) signed by a CA
  1. Take the certificate carrying the public key [from the owner (Bob) / others] = A
  2. Check the certificate's signature (the figure above) using the CA's public key = B
  3. If A = B, then "Bob is really Bob"
Sample certificate (you can get one from any https website)


The real structure of a certificate
Chain of trust
  1. A CA (named K) has certified your public key = A
  2. Your girlfriend Marry trusts you, and you share a private key = B with Marry
  3. As a result, if you sign A with B (A*B = C), Marry can use C, and she will then also trust the CA (K)
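The A = B check and the chain of trust described above, as an added example that is not part of the course notes: a toy certificate format signed with textbook RSA on tiny constructed primes, with an intermediate CA K between a trusted root and Bob, and the expiry time checked as in the registration steps. The names, primes, dict layout and the use of a year as the expiry are all assumptions made for this illustration, not real cryptography.

```python
# Added example, not from the course notes: toy certificates with textbook RSA on tiny constructed primes.
import hashlib
import json

def toy_keypair(p, q, e):
    """Textbook RSA key from two small constructed primes (no padding, no security)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}

def digest(body, n):
    """Hash the certificate body and reduce it into the signer's modulus."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_pub, issuer, issuer_priv, expires):
    """The issuer (a CA) signs the subject's public key with its own private key."""
    body = {"subject": subject, "pub": subject_pub, "issuer": issuer, "expires": expires}
    sig = pow(digest(body, issuer_priv["n"]), issuer_priv["d"], issuer_priv["n"])
    return {"body": body, "sig": sig}

def verify_one(cert, issuer_pub, now):
    """A = hash of the certificate body; B = signature opened with the CA's public key."""
    if now > cert["body"]["expires"]:  # signed keys have an expiry time
        return False
    a = digest(cert["body"], issuer_pub["n"])
    b = pow(cert["sig"], issuer_pub["e"], issuer_pub["n"])
    return a == b  # "if A = B, then Bob is really Bob"

def verify_chain(chain, trusted_roots, now):
    """chain[0] is the end entity, each later cert signed the one before it, and the
    last cert must be a self-signed root whose key is already in trusted_roots."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["body"]["issuer"] != issuer["body"]["subject"]:
            return False
        if not verify_one(cert, issuer["body"]["pub"], now):
            return False
    root = chain[-1]
    return (trusted_roots.get(root["body"]["subject"]) == root["body"]["pub"]
            and verify_one(root, root["body"]["pub"], now))

def build_demo_chain():
    """Constructed demo: trusted root CA -> intermediate CA 'K' -> Bob; expiry is a year."""
    root_pub, root_priv = toy_keypair(61, 53, 17)
    k_pub, k_priv = toy_keypair(101, 113, 3)
    bob_pub, _ = toy_keypair(131, 137, 7)
    root = issue("RootCA", root_pub, "RootCA", root_priv, expires=2030)
    k = issue("K", k_pub, "RootCA", root_priv, expires=2028)
    bob = issue("Bob", bob_pub, "K", k_priv, expires=2026)
    return [bob, k, root], {"RootCA": root_pub}
```

Swapping Bob's public key in the body, letting his certificate expire, or presenting a root that is not in the trusted set each make the chain fail, which is the behaviour a relying party needs from the "A = B" check.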

Trust Hierarchy
From the concept of chain of trust, the following hierarchy can be built


Attacks
Man-in-the-middle attack
  1. A sends its password to B, together with A's IP address
  2. The middle man (C) captures the password
  3. C drops A's messages
  4. C sends A's password to B, but changes the IP address to C's own
  5. B trusts A's password and believes C is A


Offline password attacks
Guess the correct password by testing billions of candidates

Replay with a fake address
Change the victim's address to the attacker's address

Key Management

KDC - Key Distribution Center, shares a different secret key with each registered user
  1. Each user shares a master key with the KDC
  2. The master key is used to obtain a session key from the KDC
  3. The master key may be distributed by post, face-to-face, pick-up at a bank, etc.
KDC vs CA
  1. A KDC stores the real symmetric keys
  2. A CA only identifies a person; it does not store many keys
  3. A CA certificate can be used offline
  4. A KDC must be used online
  5. The server used by the KDC is called Kerberos
Preventing man-in-the-middle attacks
Tickets
  1. Provide real-time authentication
  2. Use a non-internet channel for distribution
  3. Remember that HSBC gives you a black egg which generates a number?
  4. The session key is signed by the ticket, and the ticket expires every time after it is used
Global clock synchronization
  1. Sync the system time with NTP
  2. Detect delays caused by a man-in-the-middle attack
More: http://web.mit.edu/kerberos/www/dialogue.html
