Introduction to Computer and Network Security: User Authentication and Data Integrity - Pr, Study notes of Computer Science

An introduction to computer and network security, focusing on user authentication and data integrity. It covers various methods for user authentication, such as hash authentication, challenge/response authentication, and kerberos. It also discusses data integrity techniques, including simple data integrity, hmac integrity, and signature integrity. The importance of user authentication and data integrity in ensuring secure communication and data protection.

Typology: Study notes

Pre 2010

Uploaded on 09/24/2009

koofers-user-kbv
koofers-user-kbv 🇺🇸

8 documents

1 / 49

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
3YSTEMSAND)NTERNET
)NFRASTRUCTURE3ECURITY
I
I
.ETWORKAND3ECURITY2ESEARCH#ENTER
$EPARTMENTOF#OMPUTER3CIENCEAND%NGINEERING
0ENNSYLVANIA3TATE5NIVERSITY5NIVERSITY0ARK0!
CSE543 - Introduction to Computer and Network Security Page
CSE543 - Introduction to
Computer and Network Security
Module:
Authentication
Professor Patrick McDaniel
Fall 2008
1
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31

Partial preview of the text

Download Introduction to Computer and Network Security: User Authentication and Data Integrity - Pr and more Study notes Computer Science in PDF only on Docsity!

3YSTEMSAND)NTERNET

)NFRASTRUCTURE3ECURITY

I I .ETWORKAND3ECURITY2ESEARCH#ENTER $EPARTMENTOF#OMPUTER3CIENCEAND%NGINEERING 0ENNSYLVANIA3TATE5NIVERSITY 5NIVERSITY0ARK0! CSE543 - Introduction to Computer and Network Security Module:Authentication Professor Patrick McDaniel Fall 2008

Meet Alice and Bob ….

  • (^) Alice and Bob are the canonical players in the cryptographic world. ‣ They represent the end points of some interaction ‣ Used to illustrate/define a security protocol
  • (^) Other players occasionally join … ‣ Trent - trusted third party ‣ Mallory - malicious entity ‣ Eve - eavesdropper ‣ Ivan - an issuer (of some object)

Some interesting things

  • (^) … when communicating. ‣ (^) Ensure the authenticity of a user ‣ Ensure the integrity of the data - (^) Also called data authenticity ‣ (^) Keep data confidential ‣ Guarantee non-repudation

Basic (User) Authentication

Alice (^) Bob

  • (^) Bob wants to authenticate Alice’s identity ‣ (is who she says she is)

[pw

A

]

1

[Y/N]

2

Challenge/Response User Authentication Alice (^) Bob

  • (^) Bob wants to authenticate Alice’s identity ‣ (is who she says she is) [h(c+pw A )] 2 1 [c] [Y/N] 3

User Authentication vs. Data Integrity

  • (^) User authentication proves a property about the communicating parties

‣ E.g., I know a password

  • (^) Data integrity ensures that the data transmitted...

‣ Can be verified to be from an authenticated user

‣ Can be verified to determine whether it has been modified

  • (^) Now, lets talk about the latter, data integrity

HMAC Integrity

Alice (^) Bob

  • (^) Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity)

[d,hmac(k,d)]

1

Signature Integrity

Alice (^) Bob

  • (^) Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity)

[d, Sig(KA

1 , d)]

Confidentiality

Alice (^) Bob

  • Alice wants to ensure that the data is not exposed to

anyone except the intended recipient (confidentiality)

[E(kAB,d), hmac(kAB, d)]

1

Question

  • (^) If I already have an authenticated channel (e.g., the remote party’s public key), why don’t I simply make up a key and send it to them?

Real Systems Security

  • (^) The reality of the security is that 90% of the frequently used protocols use some variant of these constructs. ‣ So, get to know them … they are your friends ‣ We will see them (and a few more) over the semester
  • (^) They also apply to systems construction ‣ Protocols need not necessarily be online ‣ Think about how you would use these constructs to secure files on a disk drive (integrity, authenticity, confidentiality) ‣ (^) We will add some other tools, but these are the basics

Kerberos

  • (^) History: from UNIX to Networks (late 80s) ‣ Solves: password eavesdropping ‣ Online authentication - (^) Variant of Needham-Schroeder protocol ‣ Easy application integration API ‣ First single sign-on system (SSO) ‣ Genesis: rsh, rcp - (^) authentication via assertion
  • (^) Most widely used (non-web) centralized password system in

existence (and lately only ..)

  • (^) Now: part of Windows 2K/XP/Vista network authentication ‣ Old Windows authentication was a cruel joke.

The setup …

  • (^) The players ‣ Principal - person being authenticated ‣ Service (verifier) - entity requiring authentication (e.g, AFS) ‣ Key Distribution Center (KDC) - (^) Trusted third party for key distribution - (^) Each principal and service has a Kerberos password known to KDC, which is munged to make a password ke, e.g., k A ‣ (^) Ticket granting server - Server granting transient authentication
  • (^) The objectives

The protocol

  • (^) A two-phase process
    1. User authentication/obtain session key (and ticket granting ticket) key from Key Distribution Center
    2. Authenticate Service/obtain session key for communication with service
  • (^) Setup ‣ Every user and service get certified and assigns password