From ed758a48eae08f57de8c36fd32e11fa0c94244d7 Mon Sep 17 00:00:00 2001 From: Leonard Kugis Date: Wed, 4 Mar 2020 01:06:04 +0100 Subject: IntroSec Added Lecture 4 summary. --- .../introduction_to_information_security.md | 56 ++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'en_GB') diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md index 67dd769..0dbca95 100644 --- a/en_GB/Introduction to Information Security/introduction_to_information_security.md +++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md @@ -95,6 +95,22 @@ As a user, you can be authenticated on the basis of Makes dictionary attacks difficult. - Limit number of failed password attempts +### Challenge Response Authentication + +1. Authenticator knows the password. +2. User identifies himself and requests authentication. +3. Authenticator sends *nonce* (random, temporary number) to the user (challenge). +4. User computes the one-way-function result of the concatenation of password and nonce, sends the result to the authenticator. +5. Authenticator computes the same. +6. Authenticator compares his computed value with the users computed value. If they match, authentication is successful. + +### HTTP Digest Authentication + +Same as *Challenge Response Authentication*, but the compare value is computed as: +$$ +\text{digest} = \text{h}(\text{h}(\text{username}:\text{realm}:\text{password}):\text{nonce}:\text{h}(\text{method}:\text{digest-uri})) +$$, $\text{h}$ being a one-way-function, $\text{:}$ being the concatenation operator. + ### Biometrics #### Use cases @@ -174,6 +190,46 @@ $\text{FPIR} = (1 - \text{FTA}) \times (1 - (1 - \text{FMR})^{n})$ Using a biometric scheme with $\text{FMR} = 0.01\%$ and a database of size $\text{n} = 80000$ results in $\text{FPIR} = (1 - 0) \times (1 - (1 - 0.0001)^{80000}) = 99.97\%$. +## Encryption + +### Cipher + +#### Block Cipher + +*Block Cipher* encrypts long sequences of data with the same key. Single bit errors in ciphertext cause bit errors on half of the cleartext on average. + +#### Stream Cipher + +*Stream cipher* encrypts short sequences of data with a changing key per sequence, coming from a *key stream*, generated by a *key generator*. +Security of ciphertext depends on the security of the *key generator*. Single bit errors in ciphertext cause single bit errors in cleartext. +This is commonly used in noisy channels. + +### Public Key Encryption + +*A* encrypts message with public key of *B* (publicly available via *Public Key Infrastructure* (PKI)). +This message is only decryptable with the private key of *B* (only available to *B*). +Public keys need to be bound to the actual receiver! You have to make sure the public key you have is actually the key of the receiver +and not somebody you think is the receiver (receiving machine being used by many users, spoofing). + +### Message Authentication Codes (MAC) + +*Message Authentication Codes* are used to verify the integrity of a message (proof, that the message has not been modified between sender and receiver). + +1. Sender and receiver share a common secret key *k*. +2. Sender computes $\text{MAC}_\text{sent} = \text{h}(\text{k}, \text{x})$, *h* being a one-way-function, *x* being the message. +3. Sender sends message *x* with $\text{MAC}_\text{sent}$. +4. Receiver receives the message and $\text{MAC}_\text{sent}$ and $\text{MAC}_\text{received} = \text{h}(\text{k}, \text{x'})$ with *x'* being the received message. +5. Receiver compares $\text{MAC}_\text{sent}$ and $\text{MAC}_\text{received}$. If they match, the message is considered not modified. + +### Digital Signatures + +*Digital Signatures* are used to verify the integrity of a message, same as *MAC*. +Compared to *MAC*, it does not rely on shared secret keys. Instead, it uses *Private Key* for signing, and *Public Key* to verify. + +1. Sender computes $\text{sig} = \text{h}(\text{private}, \text{message})$. +2. Sender sends message and appends signature $\text{sig}$. +3. Receiver verifies signature $\text{sig}$ using *Public Key* of the sender. + ## Threat scenarios No security issues without threat models! E.g. a password is considered safe without any provided threat model. -- cgit v1.2.1