Lecture 6: Authentication

Upload: selly-imanda

Post on 08-Apr-2018


  • 8/6/2019 Lecture 6 Authentication

    1/40 Authentication Process

    2/40 What is Authentication?

    Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.html)

    3/40 Two Factor Authentication

    Two-Factor Authentication is based on the concept of combining what you have (credit card etc.) with what you know (shared secret).

    4/40 Two-Factor Authentication: Different Possible Processes Available

    One-time passwords
    Password-generating token (SecurID, Vasco)
    SMS tokens
    Scratch pads
    Client-side certificates
    Smart cards
    USB keys
    Biometrics

    5/40 Why do we need two factor authentication?

    1. Five hundred phishing and other online attacks per day.
    2. The number of online users is increasing by a huge percentage every year.
    3. Lack of awareness among online users about phishing attacks and MITM (Man in the Middle) attacks.
    4. Single-factor authentication is not sufficient for online authentication and financial transactions.

    6/40 Online Bank Fraud in the News

    A Miami man blames Bank of America for more than $90,000 stolen in an unauthorized wire transfer to Latvia. Joe Lopez filed a lawsuit on Feb. 7 claiming that Bank of America had not alerted him to malicious code that could -- and indeed had -- infected his computer. A forensic investigation by the U.S. Secret Service revealed that a Trojan called Coreflood, which acts as a keystroke logger, had compromised one of his PCs.

    http://searchnetworking.techtarget.com

    7/40 Generic Transaction Model

    [Diagram only in the original slide.]

    8/40 Secure Protocol + USER

    [Diagram labels: HTTPS Protocol, DATA Flow, USER.]

    9/40 Threat 1: Phishing

    10/40 Threat 2: Man in the Middle?

    11/40 Threat 3: Computer is fully compromised

    12/40 Two-Factor Authentication

    Protecting Against Phishing by Implementing Strong Two-Factor Authentication
    https://www.rsasecurity.com/products/securid/whitepapers

    For example:

    13/40 The Trouble With Current Two-Factor Authentication Products in the Market

    Designed for a small user base
    Has a usability cost
    No clear market leader
    Potentially large implementation costs
    Does not stop all attacks:
      Man-in-the-middle
      Intelligent Trojans

    14/40 The Weakness of SSL

    Relies on trust
    Tells you that you have a secure session with A website, not THE website
    Certificates can be faked
    Root certificates can be installed
    Market Score allows for man-in-the-middle and IDN (International Domain Names) attacks

    15/40 HTTPS Authentication

    For authentication purposes, the Handshake Protocol uses an X.509 certificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key.

    16/40 HTTPS Encryption

    SSL/TLS uses both symmetric key and asymmetric key encryption.

    Symmetric key - often used for encrypting large amounts of data because it is computationally faster than asymmetric cryptography. Typical algorithms include DES (Data Encryption Standard), 3-DES (Triple DES), RC2, RC4, and AES (Advanced Encryption Standard).

    Asymmetric encryption - the most common algorithm is RSA (Rivest, Shamir & Adleman).

    17/40 HTTPS Encryption

    SSL/TLS uses asymmetric encryption to authenticate the server to the client, and optionally the client to the server.

    Asymmetric cryptography is also used to establish a session key. The session key is used in symmetric algorithms to encrypt the bulk of the data. This combines the benefit of asymmetric encryption for authentication with the faster, less processor-intensive symmetric key encryption for the bulk data.

    18/40 Purchasing on the web

    The growth in web purchases makes this the most common use of cryptography, through digital signatures and encryption.
    Data transmitted over the web is insecure as it passes through many routers, links, computers etc.; encryption solves this.
    The web store uses SSL (secure sockets layer), which encrypts traffic between store and customer.
    This has high overhead, so only credit card details and delivery info are encrypted.
    Most risk comes from an attack on the merchant and their database of credit card details.

    19/40 E-Commerce authentication

    A thief poses as a legitimate company web site.
    Authentication solves this: trusted authorities (Verisign, Thawte) give public keys to your browser and sign the public keys of web stores.
    Each vendor has a public/private RSA key pair used in SSL/TLS; the signing authority signs these along with a digital certificate carrying the shop's name and address. Their key/certificate identifies them.
    Your key identifies you, with credit card numbers, from visit to visit.

    20/40

    The encryption will ensure secure transmission of credit card details and the authentication process.

    To authenticate, the shopper must set up an account with a username and password, hence future authentication can take place.

    21/40 Electronic transactions over the web

    Credit card purchases over the web are invariably performed using a protocol called SET.
    SET is a protocol designed for credit card transactions, used by Mastercard and Visa. Its features:
    Confidentiality
      Encryption of account and payment details across the network
      Cardholder's account and card number hidden from the shop

    22/40 SET (Secure Electronic Transactions)

    Integrity
      Based on digital signatures; details of the message cannot be changed in transit
    Shopper authentication
      The shop can verify that the client has a legitimate card; based on X.509 certificates
    Shop authentication
      The shopper can authenticate and verify that the shop is authorised to accept credit cards; based on X.509 certificates

    23/40 Digital Certificates

    An extension of an individual's public key
    Has extra info that reinforces the authenticity of the key
    Verified by a trusted third party
    X.509 v3 certificates are now the standard for device authentication and the cornerstone of PKI
    It is a system that binds together identity with a public key

    24/40

    The structure of an X.509 v3 digital certificate is as follows:

    Certificate
      Version
      Serial Number
      Algorithm ID
      Issuer
      Validity
        Not Before
        Not After
      Subject
      Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
      Issuer Unique Identifier (Optional)
      Subject Unique Identifier (Optional)
      Extensions (Optional)
        ...
    Certificate Signature Algorithm
    Certificate Signature

    Issuer and subject unique identifiers were introduced in Version 2, Extensions in Version 3.

    25/40 What is the PKI?

    PKI: Public Key Infrastructure
    A system of managing certificates
    Consists of certificate authorities that issue certificates
    There is a hierarchy somewhat like the DNS
    May be based on geography, or, because the system is flexible, may fit the company's business rules
    There is also a Certificate Revocation List (CRL) used to notify when a certificate may become invalid
      i.e. a subject's private key becomes compromised
      or some info in the certificate changes, i.e. the issuer's details change
    It is important that the user checks with the CRL to ensure a certificate they have is valid; there are lots of issues with this

    26/40 Exchanging Encrypted Data

    [Diagram labels: Budi, Public Key, Private Key, Ali.]

    27/40 Public Key Encryption

    [Diagram: the clear-text input "The quick brown fox jumps over the lazy dog" is encrypted with the recipient's public key into the cipher-text "Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMdrkvegMs", which is decrypted with the recipient's private key back to the clear-text output; the public and private keys are different but mathematically linked. SOURCE: ALBERTO PACE]

    28/40 Public Key Cryptography - Encryption

    [Diagram labels: Keypair, Retrieve Public Key, Message, Encrypt, Encrypted Message, Transmit, Decrypt, Message; parties JOKO and ROBERT.]

    29/40 Public Key Cryptography - Encryption

    [Diagram labels: Keypair, Retrieve Public Key, Message, Encrypt, Signed Message, Transmit, Decrypt, Message.]

    30/40 Public Key Cryptography - Digital Signature

    [Diagram labels: Message, Hash, Digest, Keypair, Encrypt, Signature, Assemble, Signed Message.]

    31/40 Public Key Cryptography - Digital Signature

    [Diagram labels: Signed Message, Retrieve Public Key, Signature, Decrypt, Digest, Message, Digest, Valid?]

    32/40 Digital Certificates

    A digital certificate contains:
    Identity details
      e.g. personal ID, email address, web site URL
    Public key of the identity
    Issuer (Certification Authority)
    Validity period
    Attributes
    The certificate is signed by the CA

    33/40 Digital Certificate - Lifecycle

    [Lifecycle diagram states: Key Pair Generated; Certificate Issued; Certificate valid and in use; Private Key compromised; Certificate Revoked; Certificate Expires; Recertify; Keypair Expired.]
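The hash-then-sign flow of slides 30 and 31, the certificate contents of slide 32, the lifecycle above and the CRL check of slide 25 can be exercised together. This is an added example, not code from the lecture: it uses a toy RSA CA keypair with tiny primes (p=61, q=53) so the arithmetic is visible, and a JSON certificate body and `validate_certificate` routine that are assumptions of this example rather than X.509.

```python
import hashlib
import json

# Toy RSA CA keypair from tiny primes p=61, q=53: n=3233, e=17, d=2753.
# Constructed for illustration only; real CAs use 2048-bit or larger keys.
CA_PUBLIC = (3233, 17)
CA_PRIVATE = (3233, 2753)

def digest(message: bytes, n: int) -> int:
    """'Hash' step: SHA-256 of the message, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key: tuple) -> int:
    """'Encrypt digest with private key' step: signature = digest^d mod n."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """'Decrypt with public key' step: recover the digest, compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def encode_body(body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(serial: int, subject: str, subject_key: list,
                      not_before: str, not_after: str) -> dict:
    """CA assembles identity, public key, validity period and issuer, then signs."""
    body = {"serial": serial, "subject": subject, "public_key": subject_key,
            "issuer": "Toy CA", "not_before": not_before, "not_after": not_after}
    return {"body": body, "signature": sign(encode_body(body), CA_PRIVATE)}

def validate_certificate(cert: dict, today: str, crl: set) -> str:
    """Relying-party check: CA signature first, then validity window, then the CRL."""
    body = cert["body"]
    if not verify(encode_body(body), cert["signature"], CA_PUBLIC):
        return "bad signature"  # body tampered with, or not signed by this CA
    if not body["not_before"] <= today <= body["not_after"]:
        return "outside validity period"  # ISO dates compare correctly as strings
    if body["serial"] in crl:
        return "revoked"  # private key compromised or certificate details changed
    return "valid"
```

A certificate whose subject field is altered after issuance fails the signature check, and one whose serial number is on the CRL is rejected even though its signature and dates are fine.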

    34/40 Verisign

    The concept of three classes of digital certificates:
    Class 1 for individuals, intended for email;
    Class 2 for organizations, for which proof of identity is required; and
    Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority (CA).

    35/40 How it works

    The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.
    The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes a public key with an expiration date. It has been digitally signed by the bank to ensure its validity.
    Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.
    The customer places an order over a Web page. The customer's browser receives and confirms from the merchant's certificate that the merchant is valid.

    36/40

    The browser sends the order information. This message is encrypted with the merchant's public key, along with the payment information, which is encrypted with the bank's public key (and so can't be read by the merchant), and information that ensures the payment can only be used with this particular order.
    The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.
    The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.

    37/40

    The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.
    The bank digitally signs and sends authorization to the merchant, who can then fill the order.

    38/40 Cryptography - Terms

    Public key cryptography: a cryptography technique using different keys for encoding and decoding messages
    Keypair: a private key and public key, generated together, used in public key cryptography
    Encryption/Decryption: to encode/decode a message using a public or private key

    39/40 PKI - Terminology

    Public Key Infrastructure (PKI): administrative structure for the support of public key cryptography
    Public Key Certificate (Digital Certificate): document linking a public key to an identity, signed by a CA, defined by X.509
    Certificate Authority (CA): trusted authority which issues digital certificates

    40/40 End