2/24/2018. Computer Security CS433 Luai E. Hasnawi, PhD

Transcription

1 Computer Security CS433 Luai E. Hasnawi, PhD Bits (or characters) in a file are independent from each other. These elements has no binding. If one element is changed, it can go undetected. In cryptography hash, checksum or message digest are used for the same purpose (Sealing). Hash is often used in communication where error occurs. Hashes are helpful to detect unintentional errors. If hackers know the hash function he/she might change the content and the has code. 1

2 The inverse of a function: The function is invertible if f x = y g y = x Example 1: What is the inverse of f x = 5x 7 Example 2: what is the inverse of f x = x 2 Note that f 1 (f x ) = id x Example 3 : what is the inverse of 7 in multiplication? Example 4 : what is the inverse of 5 in addition? The first step to protect the data from an unauthorized modification, is to prohibit him/her from working backward to reach the original message. One-way functions uses uninvertible mathematical theorems. They are unbreakable. One way hash are used to store passwords. Secure Hash algorithms (SHA) is widely used. SHA-256 and SHA 512 are 32 and 64 byte, respectively. Example: The has value of [CS433] using 256-bit is 50e0f96dc55b8069c49af8e68c34fc92c76ed6acc e0af189bf0ed1 Example: The has value of [welcome to CS433] using 256-bit is 79e c3d2c174f23b4f395f7ba25df2b0f0c01a ca2c6f8ade2c 2

3 It is used against malicious modification. A cryptographic checksum is a digest function using a cryptographic key that is known by the originator and proper recipient of the data. Checksum is used to determine wither an attacker changed the plaintext or not. If so, an attacker will not be able to recompute the checksum. Cryptographic checksum has 2 main use: Code-Tamper protection: Implemented to detect changes to files. Message integrity Protection: Implemented to be used in communication systems. Digital signature is a powerful tool to demonstrate authenticity. A person/company can affix a bit pattern to a file that implies confirmation to the file and can not be forged. Digital signature expires after certain amount of time. Digital signature must convenes all who access the files. Digital signature uses asymmetric cryptography (public key). Digital signature are used between parties who do not share trust. Key exchange vs signature: Bank example. 3

4 A digital signature is a protocol the produce the same effect as a real signature: it mark that only the sender can make but the other can recognize as belonging to the sender. A digital signature must meet 4 primary conditions: Unforgeable: If person S sings massage M with signature Sig(S,M), no one else can produce the pair [M,Sig(S,M)] Authentic: If a person R receives the pair [M,Sig(S,M)] purportedly from S, R can check that the signature is really from S. Not Alterable: After being transmitted, M can not be changed by R, S or interceptor. Not reusable: previous message presented again will be instantly detected by R. Assuming that a user U has the following keys : Encryption ( Public key ) is access through E(M,K U ) Decryption ( Private key ) is access through D(M,K U ) Note it is an asymmetric process, such as RSA. Encrypted E(M,K R ) Signed D(M,K S ) M Signature 4

5 A public Key + users identity = certificate. Certificates are signed by certificate authority (CA). To create Diana s certificate: To create Delwyn s certificate: Diana creates and delivers to Edward: Delwyn creates and delivers to Diana: Edward adds: Diana adds: 128C4 48CFA Edward signs with his private key: Diana signs with her private key: 128C4 48CFA Which is Diana s certificate. And appends her certificate: 48CFA 128C4 Which is Delwyn s certificate. From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: ). Copyright 2015 by Pearson Education, Inc. All rights reserved. 10 5

6 Domain validated or DV certificates are the most common type of SSL certificate. They are verified using only the domain name. Typically, the CA exchanges confirmation with an address listed in the domain s WHOIS record. Organization validated or OV certificates require more validation than DV certificates, but provide more trust. For this type, the CA will verify the actual business that is attempting to get the certificate (the information required for OV certificates). The organization s name is also listed in the certificate, giving added trust that both the website and the company are reputable. OVs are usually used by corporations, governments and other entities that want to provide an extra layer of confidence to their visitors. Extended validation or EV certificates provide the maximum amount of trust to visitors, and also require the most effort by the CA to validate. Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate (as described in EV SSL Requirements). 6

7 Reading assignment: Pfleegers Pages