Enviar búsqueda
Cargar
E gov security_tut_session_5
•
1 recomendación
•
637 vistas
Mustafa Jarrar
Seguir
Educación
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 74
Descargar ahora
Descargar para leer sin conexión
Recomendados
Common Alerting Protocol
Common Alerting Protocol
TalkSahana
Nuance
Nuance
Droidcon Berlin
Building Context Aware P2P Systems with the Shark Framework
Building Context Aware P2P Systems with the Shark Framework
tmra
The MPEG-21 Multimedia Framework
The MPEG-21 Multimedia Framework
Alpen-Adria-Universität
Managing Innovation
Managing Innovation
ayushc
Key enabling technologies for media scenario experimentations
Key enabling technologies for media scenario experimentations
experimedia
AT&T 2012 DevLab Speech API Deep Dive
AT&T 2012 DevLab Speech API Deep Dive
Michael Owens
E gov security_tut_session_4_lab
E gov security_tut_session_4_lab
Mustafa Jarrar
Recomendados
Common Alerting Protocol
Common Alerting Protocol
TalkSahana
Nuance
Nuance
Droidcon Berlin
Building Context Aware P2P Systems with the Shark Framework
Building Context Aware P2P Systems with the Shark Framework
tmra
The MPEG-21 Multimedia Framework
The MPEG-21 Multimedia Framework
Alpen-Adria-Universität
Managing Innovation
Managing Innovation
ayushc
Key enabling technologies for media scenario experimentations
Key enabling technologies for media scenario experimentations
experimedia
AT&T 2012 DevLab Speech API Deep Dive
AT&T 2012 DevLab Speech API Deep Dive
Michael Owens
E gov security_tut_session_4_lab
E gov security_tut_session_4_lab
Mustafa Jarrar
E gov security_tut_session_3
E gov security_tut_session_3
Mustafa Jarrar
Pal gov.tutorial6.session9.cybercrime
Pal gov.tutorial6.session9.cybercrime
Mustafa Jarrar
E gov security_tut_session_9
E gov security_tut_session_9
Mustafa Jarrar
Pal gov.tutorial4.session10.zinnar
Pal gov.tutorial4.session10.zinnar
Mustafa Jarrar
Pal gov.tutorial3.session9.esb
Pal gov.tutorial3.session9.esb
Mustafa Jarrar
Jarrar.lecture notes.aai.2011s.ontology part5_egovernmentcasestudy
Jarrar.lecture notes.aai.2011s.ontology part5_egovernmentcasestudy
PalGov
Pal gov.tutorial4.session2.lab populationontology
Pal gov.tutorial4.session2.lab populationontology
Mustafa Jarrar
Business Process Modeling Notation Fundamentals
Business Process Modeling Notation Fundamentals
Mustafa Jarrar
Zinnar -The Palestinian e-Government Interoperability Framework
Zinnar -The Palestinian e-Government Interoperability Framework
Mustafa Jarrar
Pal gov.tutorial6.session6.digital signature & e evidence
Pal gov.tutorial6.session6.digital signature & e evidence
Mustafa Jarrar
E gov security_tut_session_1
E gov security_tut_session_1
Mustafa Jarrar
Securing broker less publish subscribe systems using identity-based encryption
Securing broker less publish subscribe systems using identity-based encryption
LeMeniz Infotech
GTB DLP Suite Presentation
GTB DLP Suite Presentation
gtbsalesindia
Gtb Dlp Suite Presentation
Gtb Dlp Suite Presentation
gtbsalesindia
CIS14: Identifying Things (and Things Identifying Us)
CIS14: Identifying Things (and Things Identifying Us)
CloudIDSummit
Public Vs. Private Keys
Public Vs. Private Keys
101 Blockchains
GatelessVPN technology pitch
GatelessVPN technology pitch
GVNetworks
IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015
Eurotech
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overview
Information Security Awareness Group
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
Olle E Johansson
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
Venkatesh Jambulingam
Public Digital Identity as a Service
Public Digital Identity as a Service
PT Datacomm Diangraha
Más contenido relacionado
Destacado
E gov security_tut_session_3
E gov security_tut_session_3
Mustafa Jarrar
Pal gov.tutorial6.session9.cybercrime
Pal gov.tutorial6.session9.cybercrime
Mustafa Jarrar
E gov security_tut_session_9
E gov security_tut_session_9
Mustafa Jarrar
Pal gov.tutorial4.session10.zinnar
Pal gov.tutorial4.session10.zinnar
Mustafa Jarrar
Pal gov.tutorial3.session9.esb
Pal gov.tutorial3.session9.esb
Mustafa Jarrar
Jarrar.lecture notes.aai.2011s.ontology part5_egovernmentcasestudy
Jarrar.lecture notes.aai.2011s.ontology part5_egovernmentcasestudy
PalGov
Pal gov.tutorial4.session2.lab populationontology
Pal gov.tutorial4.session2.lab populationontology
Mustafa Jarrar
Business Process Modeling Notation Fundamentals
Business Process Modeling Notation Fundamentals
Mustafa Jarrar
Zinnar -The Palestinian e-Government Interoperability Framework
Zinnar -The Palestinian e-Government Interoperability Framework
Mustafa Jarrar
Destacado
(9)
E gov security_tut_session_3
E gov security_tut_session_3
Pal gov.tutorial6.session9.cybercrime
Pal gov.tutorial6.session9.cybercrime
E gov security_tut_session_9
E gov security_tut_session_9
Pal gov.tutorial4.session10.zinnar
Pal gov.tutorial4.session10.zinnar
Pal gov.tutorial3.session9.esb
Pal gov.tutorial3.session9.esb
Jarrar.lecture notes.aai.2011s.ontology part5_egovernmentcasestudy
Jarrar.lecture notes.aai.2011s.ontology part5_egovernmentcasestudy
Pal gov.tutorial4.session2.lab populationontology
Pal gov.tutorial4.session2.lab populationontology
Business Process Modeling Notation Fundamentals
Business Process Modeling Notation Fundamentals
Zinnar -The Palestinian e-Government Interoperability Framework
Zinnar -The Palestinian e-Government Interoperability Framework
Similar a E gov security_tut_session_5
Pal gov.tutorial6.session6.digital signature & e evidence
Pal gov.tutorial6.session6.digital signature & e evidence
Mustafa Jarrar
E gov security_tut_session_1
E gov security_tut_session_1
Mustafa Jarrar
Securing broker less publish subscribe systems using identity-based encryption
Securing broker less publish subscribe systems using identity-based encryption
LeMeniz Infotech
GTB DLP Suite Presentation
GTB DLP Suite Presentation
gtbsalesindia
Gtb Dlp Suite Presentation
Gtb Dlp Suite Presentation
gtbsalesindia
CIS14: Identifying Things (and Things Identifying Us)
CIS14: Identifying Things (and Things Identifying Us)
CloudIDSummit
Public Vs. Private Keys
Public Vs. Private Keys
101 Blockchains
GatelessVPN technology pitch
GatelessVPN technology pitch
GVNetworks
IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015
Eurotech
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overview
Information Security Awareness Group
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
Olle E Johansson
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
Venkatesh Jambulingam
Public Digital Identity as a Service
Public Digital Identity as a Service
PT Datacomm Diangraha
Overall cryptography and pki introduction
Overall cryptography and pki introduction
Avirot Mitamura
Using Hard Disk Encryption and Novell SecureLogin
Using Hard Disk Encryption and Novell SecureLogin
Novell
E gov security_tut_session_8_lab
E gov security_tut_session_8_lab
Mustafa Jarrar
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Amazon Web Services
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSO
Sylvain Maret
Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)
Paul Yang
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Sylvain Maret
Similar a E gov security_tut_session_5
(20)
Pal gov.tutorial6.session6.digital signature & e evidence
Pal gov.tutorial6.session6.digital signature & e evidence
E gov security_tut_session_1
E gov security_tut_session_1
Securing broker less publish subscribe systems using identity-based encryption
Securing broker less publish subscribe systems using identity-based encryption
GTB DLP Suite Presentation
GTB DLP Suite Presentation
Gtb Dlp Suite Presentation
Gtb Dlp Suite Presentation
CIS14: Identifying Things (and Things Identifying Us)
CIS14: Identifying Things (and Things Identifying Us)
Public Vs. Private Keys
Public Vs. Private Keys
GatelessVPN technology pitch
GatelessVPN technology pitch
IoT Security in Action - Boston Sept 2015
IoT Security in Action - Boston Sept 2015
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overview
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
Public Digital Identity as a Service
Public Digital Identity as a Service
Overall cryptography and pki introduction
Overall cryptography and pki introduction
Using Hard Disk Encryption and Novell SecureLogin
Using Hard Disk Encryption and Novell SecureLogin
E gov security_tut_session_8_lab
E gov security_tut_session_8_lab
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSO
Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Más de Mustafa Jarrar
Clustering Arabic Tweets for Sentiment Analysis
Clustering Arabic Tweets for Sentiment Analysis
Mustafa Jarrar
Classifying Processes and Basic Formal Ontology
Classifying Processes and Basic Formal Ontology
Mustafa Jarrar
Discrete Mathematics Course Outline
Discrete Mathematics Course Outline
Mustafa Jarrar
Business Process Implementation
Business Process Implementation
Mustafa Jarrar
Business Process Design and Re-engineering
Business Process Design and Re-engineering
Mustafa Jarrar
BPMN 2.0 Analytical Constructs
BPMN 2.0 Analytical Constructs
Mustafa Jarrar
BPMN 2.0 Descriptive Constructs
BPMN 2.0 Descriptive Constructs
Mustafa Jarrar
Introduction to Business Process Management
Introduction to Business Process Management
Mustafa Jarrar
Customer Complaint Ontology
Customer Complaint Ontology
Mustafa Jarrar
Subset, Equality, and Exclusion Rules
Subset, Equality, and Exclusion Rules
Mustafa Jarrar
Schema Modularization in ORM
Schema Modularization in ORM
Mustafa Jarrar
On Computer Science Trends and Priorities in Palestine
On Computer Science Trends and Priorities in Palestine
Mustafa Jarrar
Lessons from Class Recording & Publishing of Eight Online Courses
Lessons from Class Recording & Publishing of Eight Online Courses
Mustafa Jarrar
Presentation curras paper-emnlp2014-final
Presentation curras paper-emnlp2014-final
Mustafa Jarrar
Jarrar: Future Internet in Horizon 2020 Calls
Jarrar: Future Internet in Horizon 2020 Calls
Mustafa Jarrar
Habash: Arabic Natural Language Processing
Habash: Arabic Natural Language Processing
Mustafa Jarrar
Adnan: Introduction to Natural Language Processing
Adnan: Introduction to Natural Language Processing
Mustafa Jarrar
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
Mustafa Jarrar
Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020
Mustafa Jarrar
Jarrar: Sparql Project
Jarrar: Sparql Project
Mustafa Jarrar
Más de Mustafa Jarrar
(20)
Clustering Arabic Tweets for Sentiment Analysis
Clustering Arabic Tweets for Sentiment Analysis
Classifying Processes and Basic Formal Ontology
Classifying Processes and Basic Formal Ontology
Discrete Mathematics Course Outline
Discrete Mathematics Course Outline
Business Process Implementation
Business Process Implementation
Business Process Design and Re-engineering
Business Process Design and Re-engineering
BPMN 2.0 Analytical Constructs
BPMN 2.0 Analytical Constructs
BPMN 2.0 Descriptive Constructs
BPMN 2.0 Descriptive Constructs
Introduction to Business Process Management
Introduction to Business Process Management
Customer Complaint Ontology
Customer Complaint Ontology
Subset, Equality, and Exclusion Rules
Subset, Equality, and Exclusion Rules
Schema Modularization in ORM
Schema Modularization in ORM
On Computer Science Trends and Priorities in Palestine
On Computer Science Trends and Priorities in Palestine
Lessons from Class Recording & Publishing of Eight Online Courses
Lessons from Class Recording & Publishing of Eight Online Courses
Presentation curras paper-emnlp2014-final
Presentation curras paper-emnlp2014-final
Jarrar: Future Internet in Horizon 2020 Calls
Jarrar: Future Internet in Horizon 2020 Calls
Habash: Arabic Natural Language Processing
Habash: Arabic Natural Language Processing
Adnan: Introduction to Natural Language Processing
Adnan: Introduction to Natural Language Processing
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020
Jarrar: Sparql Project
Jarrar: Sparql Project
Último
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
iammrhaywood
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
SoniaTolstoy
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
PsychoTech Services
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
Celine George
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
sanyamsingh5019
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Krashi Coaching
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
EduSkills OECD
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
microwave assisted reaction. General introduction
microwave assisted reaction. General introduction
Maksud Ahmed
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
fonyou31
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
nomboosow
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
eniolaolutunde
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
National Information Standards Organization (NISO)
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
chloefrazer622
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
National Information Standards Organization (NISO)
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
Thiyagu K
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
Janet Corral
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
Admir Softic
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
Último
(20)
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
microwave assisted reaction. General introduction
microwave assisted reaction. General introduction
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
E gov security_tut_session_5
1.
أكاديمية الحكومة اإللكترونية
الفلسطينية The Palestinian eGovernment Academy www.egovacademy.ps Tutorial 5: Information Security Session 5 Certificates and Biometric Authentication Dr. Mohammad Jubran University of Birzeit mjubran@birzeit.edu PalGov © 2011 1
2.
About This tutorial is
part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1- 2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps Project Consortium: Birzeit University, Palestine University of Trento, Italy (Coordinator ) Palestine Polytechnic University, Palestine Vrije Universiteit Brussel, Belgium Palestine Technical University, Palestine Université de Savoie, France Ministry of Telecom and IT, Palestine University of Namur, Belgium Ministry of Interior, Palestine TrueTrust, UK Ministry of Local Government, Palestine Coordinator: Dr. Mustafa Jarrar Birzeit University, P.O.Box 14- Birzeit, Palestine Telfax:+972 2 2982935 mjarrar@birzeit.eduPalGov © 2011 2
3.
© Copyright Notes Everyone
is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material. Attribution-NonCommercial-ShareAlike CC-BY-NC-SA This license lets others remix, tweak, and build upon your work non- commercially, as long as they credit you and license their new creations under the identical terms. PalGov © 2011 3
4.
Tutorial 5: Information
Security Session 5: Certificates and Biometric Authentication Session 5 Outline: • Session 5 ILO’s. • PKI, X.509, and PGP • SSL/TLS and IPSEC • Biometric authentication and smart cards. PalGov © 2011 4
5.
Tutorial 5: Session
5 ILOs After completing this session you will be able to: • B: Intellectual Skills • b3: Design end-to-end secure and available systems. • b4: Design integrity and confidentiality services. • b5: Design user authentication and authorization services. • D: Intellectual Skills • d2: Systems configurations. • d3: Analysis and identification skills. PalGov © 2011 5
6.
Tutorial 5: Information
Security Session 5: Certificates and Biometric Authentication Session 5 Outline: • Session 5 ILO’s. • PKI, X.509, and PGP • SSL/TLS • IPSEC • Biometric authentication. PalGov © 2011 6
7.
Public Key Infrastructure •
What is Public Key Infrastructure (PKI) 1) Set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates[1] 2) Simply a system in which public keys are binded to user identities by means of Certification Authority. [1]: "LPKI - A Lightweight Public Key Infrastructure for the Mobile Environments", Proceedings of the 11th IEEE International Conference on Communication Systems (IEEE ICCS'08), pp.162-166, Guangzhou, China, Nov. 2008. PalGov © 2011 7
8.
Digital Certificate What is
a digital certificate • an electronic Id. • allows a unique identification of an entity (using private key) • Must be provided by a trusted authority • It is immune to being altered (data within can’t be changed without detection), and so can be trusted. • Binds the owners info. with its public key. • Means of distributing public keys PalGov © 2011 8
9.
Digital Certificate continue •
What is the general layout of the digital certificate – Owner’s distinguished name – Owner’s public key – Issuer’s distinguished name – Issuer’s digital signature • In a PKI, the CA is the issuer of digital certificates • Different formats are being standardized (X.509, PGP) with different digital certification contents. • Digital certificates are being handled openly, and so anyone can claim your identity. Wrong – this is true only if he has my private key (the pair of the public key within the certificate). PalGov © 2011 9
10.
Storage of Private
Keys • Private key proves the digital identity of the sender and so must be kept secret, how? – Saved in an encrypted file, protected by a password or PIN – Encrypted and stored in hardware (smart card, or USB stick) protected by a password or PIN PalGov © 2011 10
11.
Digital Signature
Compare Message ed Hash ge a ed mess De cr yp t Hash ir hash Hash Fixed length output Key pa Fixed length output Cipher Decipher using private key using public key l l l l Digita Ori g i n a Digita Ori g i n a re Text re Text S ignatu S ignatu Transfer Combine Separate PalGov © 2011 11
12.
TRUST in the
Signature • Valid digital signature guarantee: – Message integrity: message wasn’t changed – Non-repudiation: the owner of the private key is the sender. • However, the identity of the sender can be trusted if – The private key is kept secret and only the owner of the key can use it “private key storage”. if anyone has access to the private key, he/she/it can replace the owner – The receiver is using the correct public key “public key distribution”. • if the receiver is using a wrong public key, the message integrity might be assumed wrongly broken • How to make sure of using the right public key? [ digital certificates] PalGov © 2011 12
13.
Certification Authorities Certification authority
(CA) • generates a signed certificate using CA’s private key which binds a particular entity to its public key. • An entity responsible to issue, revoke and manage digital certificates – Verify the identity and information provided by the entity asking for certificate – may generate private and public keys for entities. – binds the identity and associated info. of an entity with its public key using the CA’s private key public key certificate – Public key certificates are authentic as they can’t be altered without detection. PalGov © 2011 13
14.
Certification Authorities
continue • Procedure to obtain a CA signed digital certificate: – Submit a proof of identity and any other information to be included in the certificate to CA (usually done offline) – CA uses its private key to bind the provided information by the entity to its public key – Again, the asymmetric key pair might be generated by the CA, or the public key is provided by the entity itself. – Again, Certificate contains • Owner’s distinguished name • Owners public key • Issuer’s distinguished name • Issuer’s digital signature PalGov © 2011 14
15.
Certification Authorities
continue • How to validate a public key within a certificate: – Get the CA signed certificate (from the entity itself or elsewhere) – The CA public key must be known for you. – Use the CA public key to verify the signature within the certificate. “notice: entity info and public key are binded by the CA private key” – If the signature is valid then accept the public key. Digital Certificate of Jubran Use KCA to verify · Some info. the binding If Kj is truly binded · Public key; Kj between Sj and Kj to Sj then use it · Siganture; Sj CA public key KCA PalGov © 2011 15
16.
Certification Authority
continue • Important: you must TRUST the CA in order to TRUST the digital certificate including the public key signed by it, and so any digitally signed messages validated using this public key PalGov © 2011 16
17.
Public Key Distribution In
PKI, Public keys must be available • Package them into a digital certificate – Digitally sign the key and owner’s identity into a public key certificate • Three ways to distribute certificates and hence public keys – Exchanging certificates personally (could be electronically) – Receive it from a trusted person (trusted introducer) – Get a certified key from a public repository PalGov © 2011 17
18.
Digital Certificate Formats
Lecture Notes of David Chadwick • X.509 format – widely accepted international standard format used by Microsoft, Verisign etc. – Used by S/MIME email – Signed by a single Certification Authority that has a globally unique name – A CA issues certificates to its users and to subordinate CAs – trust can be built up for whole domains of people – flexible and allow scalability PalGov © 2011 18
19.
Digital Certificate Formats
Lecture Notes of David Chadwick • PGP format – allows multiple owner identities for a key – allows multiple certifiers (CAs) for a key – user certifies his own key – anyone else can also be a certifier • a user or a CA – user issues his own self signed certificate, and anyone else may choose to certify it. – people build up trust networks between themselves, in a 1-to-1 fashion – less scalable than X.509 PalGov © 2011 19
20.
X.509 Certificate Contents X.509
Digital certificates contents • Serial Number: uniquely identify the certificate. • Subject: The person, or entity identified. • Signature Algorithm: The algorithm used to create the signature. • Signature: The actual signature to verify that it came from the issuer. • Issuer: The entity that verified the information and issued the certificate. • Valid-From: The date the certificate is first valid from. • Valid-To: The expiration date. • Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...). • Public Key: The public key. • Thumbprint Algorithm: The algorithm used to hash the public key. • Thumbprint: The hash itself, used as an abbreviated form of the public key. PalGov © 2011 20
21.
X.509 Certificate X.509 Digital
certificates displayed in Microsoft explorer for the management educational system (ritaj) at Birzeit University PalGov © 2011 21
22.
X.509 Digital certificates
displayed in Microsoft X.509 Certificate continue explorer for the management educational system (ritaj) at Birzeit University PalGov © 2011 22
23.
PGP Certificate Contents PGP
Digital certificates contents (but is not limited to) • The PGP version number • The certificate holder's public key — the public portion of your key pair, together with the algorithm of the key • The certificate holder's information — this consists of "identity" information about the user, such as his or her name, user ID, photograph, and so on. • The digital signature of the certificate owner — also called a self- signature, this is the signature using the corresponding private key of the public key associated with the certificate. • The certificate's validity period — the certificate's start date/ time and expiration date/ time; indicates when the certificate will expire. • The preferred symmetric encryption algorithmfor the key — indicates the encryption algorithm to which the certificate owner prefers to have information encrypted. The supported algorithms are CAST, IDEA or Triple-DES. PalGov © 2011 23
24.
Self signed public
key certificates • In a self signed certificate the owner signs his own public key using his private key. – the certificate will be resistive to change – but the info within is not evaluated and unsigned by other than the owner himself – doesn’t help in building trusts – is necessary to start the trust hierarchy – root CA – Can’t be revoked, by other than the owner – must be obtained in a trustworthy manner and be kept securely – used for distributing X.509 root CA keys – used for distributing user’s PGP keys PalGov © 2011 24
25.
Self signed public
key certificates Certificate from http://en.wikipedia.org/wiki/X.509 Is this X.509 certificate a self signed certificate? Certificate: Data: Version: 1 (0x0) Serial Number: 7829 (0x1e95) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server- certs@thawte.com Validity Not Before: Jul 9 16:04:02 1998 GMT Not After : Jul 9 16:04:02 1999 GMT Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: ……. shortened Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d: ……. shortened PalGov © 2011 25
26.
Self signed public
key certificates Certificate from http://en.wikipedia.org/wiki/X.509 Is this X.509 certificate a self signed certificate? Certificate: Data: Version: 1 (0x0) Serial Number: 7829 (0x1e95) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server- certs@thawte.com Validity No, because these are not Not Before: Jul 9 16:04:02 1998 GMT the same Not After : Jul 9 16:04:02 1999 GMT Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: ……. shortened Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d: ……. shortened PalGov © 2011 26
27.
Self signed public
key certificates Certificate from http://en.wikipedia.org/wiki/X.509 Is this X.509 certificate a self signed certificate? Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server- certs@thawte.com Sure Validity Not Before: Aug 1 00:00:00 1996 GMT Not After : Dec 31 23:59:59 2020 GMT Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server- certs@thawte.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c: ….. Shortened Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE, Signature Algorithm: md5WithRSAEncryption …. Shortened PalGov © 2011 27
28.
Moving X.509 Certificates
and key pairs between applications • X.509 Digital certificates export wizard as being displayed moving public key certificates in Microsoft (and certificate chains to the root CA) between applications explorer for the management educational system (ritaj) at Birzeit University encrypted and protected by a user provided Pass Word PalGov © 2011 28
29.
Trust in a
single CA’s PKI CA’s domain of trust: certificates of all users in this domain were signed by this CA (MTIT) – hence users trust each other based on their trust of the CA Certificates and Trust • Ahmad private key and certificate • MTIT self signed certificate (used to MTIT sign Ahmad’s certificate) Ahmad CA Certificates and Trust • Remma private key and certificate Reema • MTIT self signed certificate (used to sign Reema’s certificate) In a personal security environment (by yourself using PC), both Ahmad and Reema should trust (trust the info in the digital certificates and any digitally signed document) each other depending on the digital certificates exchanged between them, (private keys will be used during the communication) because they belong to the same CA domain (MTIT) PalGov © 2011 29
30.
Cross Certification CA’s domain
of trust: certificates CA’s domain of trust: certificates of all users in this domain were of all users in this domain were signed by this CA (MoI) signed by this CA (MTIT) Cross MoI root CA Certification MTIT root CA Ahmad Reema Certificates and Trust Certificates and Trust • Ahmad private key and certificate • Remma private key and certificate • MoI self signed certificate (used to • MTIT self signed certificate (used sign Ahmad’s certificate) to sign Reema’s certificate) Cross certification is when relation of trust is built between the CAs, achieved when one signs the public key of the other (one-way or mutual) PalGov © 2011 30
31.
Trust in a
single CA’s PKI Bridge CA MoI BZU Root CA MTIT Root CA Ahmad Root CA User 1 Reema The problem with cross certification is that every (root) CA has to have a pair wise trust relationship with every other (root) CA that it trusts. The solution is to have a Bridge CA. Now a (root) CA only needs to have a trust relationship with the Bridge CA and then certification paths can be constructed with every other (root) CA that is also cross certified by the Bride. PalGov © 2011 31
32.
Certification Path • Hierarchy
of trust starts by the root CA and ends with the sender certificate. – The root CA self sign its certificate – Next certificate is signed by the private key of the root CA – List continue to the sender, its certificate is signed by the private key of the one step higher CA. • Each certificate in the path contains the public key of the next CA PalGov © 2011 32
33.
X.509 Digital certificates
displayed in Microsoft Certification Path explorer for the educational management system (ritaj) at Birzeit University PalGov © 2011 33
34.
X.509 Digital certificates
displayed in Microsoft Certification Path explorer for the educational management system (ritaj) at Birzeit University Root CA (VeriSign), self signed certificate PalGov © 2011 34
35.
X.509 Digital certificates
displayed in Microsoft Certification Path explorer for the web mail system at Birzeit University Root CA (Mail CA), self signed certificate PalGov © 2011 35
36.
Certificate Issuance within
a CA Hierarchy CA’s domain of trust: certificates of all users and CAs in this domain were signed by this CA (MTIT) – hence users trust each other based on their trust of the CA MTIT CA MoI CA BZU CA Reema Ahmad Ahmad and Reema trust each other because their certificates path meet somewhere, not necessarily at root PalGov © 2011 36
37.
Different trust scenarios
CA’s domain of trust: certificates of all users and CAs in this domain were signed by this CA (MTIT) – hence users trust each other based on their trust of the CA User 1 MTIT CA MoI CA CA1 BZU CA Reema User 2 Ahmad • User 1 won’t be trusted by Ahmad and Reema as he has only a self signed certificate • User 2 won’t be trusted by Ahmad and Reema as CA1 is not trusted by any CA in the certification path of Ahamad and Reema (assuming not cross certification) PalGov © 2011 37
38.
View certificates stored
in my browser (CAs I trust) • Open Internet Explorer • Click on the Tools menu • From the drop down list select Internet Options • Click the Content tab • Click the Certificates button PalGov © 2011 38
39.
Which CA deserves
my trust? Some text is obtained from rfc2527 • To which CA should I register? • Should I trust a certificate signed by this CA? • Certificate Policies (CP) – set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. – it may be used by a certificate user to help in deciding whether a certificate, and the binding therein, is sufficiently trustworthy for a particular application. • Certification Practise Statements (CPS) – is a statement of the practices which a certification authority employs in issuing. – detailed description of the practices followed by a CA in issuing and otherwise managing certificates may be contained in it. • The better its practices and procedures, the more trustworthy the CA PalGov © 2011 39
40.
Which CA deserves
my trust? continue • VeriSign® Trust Network Certificate Policy http://www.digitalsign.pt/ECDIGITALSIGN/cps/VRSN_2.8.3.pdf • Symantec Trust Network Certification Practice Statement (CPS) http://www.verisign.com/repository/CPS/ PalGov © 2011 40
41.
Certificate Revocation • Why
need to revoke certificates? – Certificates associated with stolen private key. – You forgot the phrase used to generate your private key. – You need to use new private key. – User’s privilege is no more valid. – Left the company – ... Many other reasons • Don’t trust a signed message from a revoked certificate. • If trust to a root CA fails, it must be removed from the trust store (depends on the application) • Any certificate of a CA in the hierarchical certification path can be revoked by the certifying CA, similar to a user’s certificate. The same apply in any model of CA certify another CA including the case of cross certification. PalGov © 2011 41
42.
Certificate Revocation
continue • In X.509, – list of revoked certificates is held in a Certificate Revocation List (CRL) – CA must revoke the certificates it has issued – Revocation can be requested by the user, the CA administrator, or other trusted entity • In PGP, – each public key or signature on a key can be revoked – key signers can revoke their individual signatures on a public key – In new versions of PGP you must generate a key revocation certificate while you know the private key, save it in a safe place, and then use it to revoke certificate if private key is lost. PalGov © 2011 42
43.
Distribution of Revocation
Information Lecture Notes of David Chadwick • X.509 - CRLs are published and distributed in the same way as the certificates, and by storing in LDAP directories and on Web pages but it is the responsibility of the relying party to fetch the CRL. • X.509 PKIX group has defined an Online Certificate Status Protocol so that a relying party can query an OCSP server to see if a certificate is valid. This is similar to how credit cards are checked by shopkeepers today. • PGP - key signers and key owners should send their revoked signatures to key servers and to their PGP friends PalGov © 2011 43
44.
Highly Secure Certificates
http://www.cabforum.org/certificates.html Extended Validation SSL Certificates • It is intended to provide an improved level of authentication of entities that request digital certificates for securing transactions on their Web sites. • The next generation of Internet browsers will display EV SSL- secured Web sites in a way that allows visitors to instantly ascertain that a given site is indeed secure and can be trusted. • A new vetting format, which all issuing Certification Authorities (CAs) must comply with, ensures a uniform standard for certificate issuance. This means that all CAs must adhere to the same high security standards when processing certificate requests. • Visitors to EV SSL-secured Web sites can trust that the organization that operates the site has undergone and passed the rigorous EV SSL authentication process as defined by the CA/Browser Forum. PalGov © 2011 44
45.
Tutorial 5: Information
Security Session 5: Certificates and Biometric Authentication Session 5 Outline: • Session 5 ILO’s. • PKI, X.509, and PGP • SSL/TLS • IPSEC • Biometric authentication. PalGov © 2011 45
46.
Secure Socket Layer/Transport
Layer Security (SSL/TLS) • Main purpose is to provide a secure (authentication, confidentiality, and data integrity) web traffic between client (web browser) and server (website server). • Achieved through, digital signatures, certificates, and cryptography. • Historical overview: – Earlier versions of SSL (SSLv1 and SSLv2) were invented by Netscape, both suffer from serious security weaknesses. – In 1996, SSLv3 was published, to make it available to all and get the help of others in finding bugs within the protocol, the publisher tried to make it an open source. However, protocol uses the RSA cryptography algorithm which had a patent, and so the SSLv3 can’t be open source. – Transport Layer Security (TLS), the Internet Standard variation of SSL was published in 1999, very similar to SSLv3 but incompatibility. PalGov © 2011 46
47.
SSL/TLS continue • SSL
sessions run over TCP/IP connections • SSL session can be used by multiple TCP/IP connections – In parallel (more than one connection use the same SSL session – Sequential, after one connection terminate, a new connection can use the same SSL session – All depends on the SSL session ID (will be discussed later) • A client and server can disconnect then reconnect and continue using the same SSL session. client server Application Application SSL SSL TCP TCP IP IP Internet PalGov © 2011 47
48.
How SSL works •
Birzeit wanted to secure their website, so they need to obtain a digital certificate from a trusted CA. – Birzeit admin will generate a Certificate Signing Request (CSR), exact procedure depends on the http server – in this process a private key and public key (within CSR) will be produced. – An application including the CSR will be submitted to a trusted CA to get a digitally signed certificate by the CA. – The CA will investigate the information provided by Birzeit (their domain, legal documents to prove the identity of birzeit, ... “this depends on the CA policies”). – If validation successfully completed, the CA will create a digital certificate signed using its private key for Birzeit web server. – Birzeit admin will install the certificate on its web server. – Now, connections to the web site will be though a secure connections. PalGov © 2011 48
49.
How SSL works
continue • A client wanted to access the secure Birzeit website through his web browser (SSL Handshake) – Client send a Client Hello message to server (Phase 1) • Session ID (set to zeros initially) • Supported SSL versions • Supported algorithms • Some data to avoid reusing this packet by others (replay), a time stamp and random number – Server replies with a Server Hello message to client(Phase 1) • Session ID (saved to be used incase the TCP/IP connection is broken) • The SSL version to be used (most secure, latest version) • The algorithms to be used • Some data to avoid reusing this packet by others (time stamp and a random number) – Server sends the following to the client (Phase 2) • Server certificate chain up to the root CA (hopefully obtained from a trusted CA) • Optional: Server Key Exchange • Optional: Server requests client’s certificate • Server Hello Done PalGov © 2011 49
50.
How SSL works
continue • A client wanted to access the secure Birzeit website through his web browser – Client send a Client Hello message to server (Phase 1) – Server replies with a Server Hello message to client (Phase 1) – Server sends the following to the client (Phase 2) – Client reply with the following to the server (Phase 3) • Client certificate (optional) • Client key exchange • Certificate verification (optional) • pre-master keys are now derived and exchanged – Client send the following to the server (Phase 4) • Change Cipher Specifications • Finished – Server reply with the following to the client (Phase 4) • Change Cipher Specifications • Finished – SSL Handshake is now complete and both will use the agreed crypto algorithm and key while exchanging data. PalGov © 2011 50
51.
How SSL works
continue Client Server Client Hello Server Hello Server Certificate Server Key Exchange Certificate Request Server Hello Done Client Certificate Client Key Exchange Certificate Verification Change Cipher Spec Finished Change Cipher Spec Finished Secure Data Transfer PalGov © 2011 51
52.
SSL Handshake for
Resumed Sessions • What will happen if the TCP connection is broken, shall I redo the SSL handshaking – Nope – In the initial client Hello message, set the session id equal to that of the broken session. – Server replies with a Server Hello message to client – Server send the following to the client • Change Cipher Specifications • Finished – Client reply the following to the server • Change Cipher Specifications • Finished – SSL Handshake is now complete and TCP will be over SSL. PalGov © 2011 52
53.
SSL Alert Protocol
Lecture Notes of David Chadwick The SSL Alert Protocol Message • Used to convey alerts and errors to the peer • The alert messages are protected according to the ciphers agreed for the SSL session • Each message consist of two bytes – The first byte indicates the severity of the message 1. Warning 2. fatal • If the level is fatal SSL terminates the connection – The second byte contains the code that indicates the specific type of alert PalGov © 2011 53
54.
Key derivation in
SSL Lecture Notes of David Chadwick The pre-master secret from Phase 3 is concatenated with the client and server random numbers to provide a master secret, which is then hashed to produce • A shared key for message MACs created by the client • A shared key for message MACs created by the server • A symmetric encryption key for messages sent by the client • A symmetric encryption key for messages sent by the server The reason the client and server use different keys is to make it more difficult to break the messages, and to know who the messages have come from PalGov © 2011 54
55.
SSL deficiencies
Lecture Notes of David Chadwick • User authentication is not available in v2 and is only optional in v3 – Web based CAs don’t always authenticate the user strongly e.g. Verisign Class 1, so the server can’t trust the user’s certificate anyway • Poor support for certificate revocation in SSL products – Most web clients would not know if a server’s certificate had been revoked • If you configure you system poorly, it is possible for SSL to negotiate a NULL cipher suite so that no protection is carried out at all • The cost of SSL certificates varies considerably, from under $100 to over $1000. The latest prices can be obtained from http://www.sslreview.com/content/pricing.html PalGov © 2011 55
56.
SSL Record The SSL
or TLS messages exchanged between the two parties are called records. Which have the following basic format • type field: indicates the record type as a handshake or data, • version field: indicated the SSL or TLS version used, • length field: indicated the length of the record • Data fields: contain the upper layer data • Mac field: contains the data MAC. • The data and MAC field contain encrypted data and encrypted MAC using the receiver’s data encryption key. • It’s worth mentioning that MACs are not always used “optional”. TYPE VERSION LENGTH DATA MAC PalGov © 2011 56
57.
Tutorial 5: Information
Security Session 5: Certificates and Biometric Authentication Session 5 Outline: • Session 5 ILO’s. • PKI, X.509, and PGP • SSL/TLS • IPSEC • Biometric authentication PalGov © 2011 57
58.
IP Security (IPSec) •
Virtual Private Networks (VPNs) provide a secure communication (path) through an untrusted network (Internet). • VPNs are usually used to connect separated INTRANETS through the Internet. MTIT Firewall Internet el Tunn Firewall BZU • VPNs allow a secure connection for remote users or offices to a central network • VPNs are usually achieved through: – Authentication – Encryption – Compression – Tunneling PalGov © 2011 58
59.
IPSec continue • Tunneling:
is achieved by encapsulating the packets header and the payload of a protocol inside the payload of another protocol. • Now if the payload of the new protocol is encrypted using a secret key (known only for sender and receiver), then the untrusted network can't figure out the original data and protocol, hence transmission is secure. • VPNs usually uses IPSec to create encrypted tunnels. • IPSec works in the network layer (OSI model) and provides – Encryption – Authentication – Compression “using the IP Payload Compression Protocol - used only if really compress the payload, otherwise the data is sent uncompressed.” PalGov © 2011 59
60.
IPSec continue • To
implement IPSec two protocols were introduced: – Authentication Header (AH) • Authenticate both header and payload • Besides authentication, provides anti-replay and integrity • Doesn’t encrypt payload (no confidentiality) • Not recommended – Encapsulating Security Payload (ESP) • Authenticate both header and payload (MAC) • Besides authentication, provides anti-replay, integrity, and confidentiality. • Preferred to establish VPN in an IPSec Tunnel Mode ESP Encrypted Orig IP Header and ESP IP “SPI, Payload “Transport and Application Layer Trailer MAC Header Seq #” Data and Protocol” padding … ” PalGov © 2011 60
61.
IPSec continue • Use
strong encryption for the original IP header and payload using a shared keys – Manually configured on firewalls. – Automatically shared using Internet Key Exchange Protocol (IKE Protocol) • Message Authentication Code (MAC) is used for packet authentication (original message hash concatenated with a shared secret – SHA-1 or MD5). • The packet will be routed through the internet using the outer IP header (IP of the firewall or external device to operate the ESP). • Since many device in the Intranet may utilize the IPSec Protocol, then a session identifier must be defined; which is set in the ESP field which includes – Security Parameter Index (SPI): uniqly determine the Security Association (SA, will be defined next) to which the datagram belongs. – Sequence number field: to protect against replay attacks. ESP Encrypted Orig IP Header and ESP IP “SPI, Payload “Transport and Application Layer Trailer MAC Header Seq #” Data and Protocol” padding … ” PalGov © 2011 61
62.
IPSec continue • Internet
Key Exchange Protocol (IKE Protocol) – Communicating devices must agree on a shared secrets (keys and protocols to be used) – IPSec is a key management tool used to negotiate, create, and manage Security Association (SA) – SA defines: • IPSec Encryption algorithms (DES, 3DES, CAST, RC5, IDEA, Blowfish, and AES) • IPSec Integrity algorithms (HMAC-SHA-1, HMAC-MD5) • IPSec Authentication (Digital Signatures with RSA, Public Key Encryption “encrypts using owns private key and decrypts using others private key” • IPSec shared session Keys (Diffe-Helman) PalGov © 2011 62
63.
IPSec continue • IPSec
Authentication Secret Message Value HMAC MAC: 128 bits – Secret value is used to provide data integrity and is only known for communicating devices. – Hash-based Message Authentication Code (HMAC): an algorithm used to calculate a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key. – C PalGov © 2011 63
64.
Tutorial 5: Information
Security Session 5: Certificates and Biometric Authentication Session 5 Outline: • Session 5 ILO’s. • PKI, X.509, and PGP • SSL/TLS • IPSEC • Biometric authentication PalGov © 2011 64
65.
Biometric Authentication
Extracted from [1],[2] • Biometrics: Any human physiological or behavioral which has the following desirable properties – Universality: which means that every person should have the characteristic – Uniqueness: which indicates that no two persons should be the same in terms of the characteristic. – Permanence: which means that the characteristic should be invariant with time. – Collectability: which indicates that the characteristic can be measured quantitatively. – Performance: which refers to • achievable identification accuracy • resource requirements to achieve an acceptable identification accuracy • working or environmental factors that affect the identification accuracy – Acceptability: which indicates to what extent people are willing to accept the biometric system – Circumvention: which refers to how easy it is to fool the system by fraudulent [1] R. Clarke, “Human identification in information systems: Management challenges and public policy issues,” Information Techn ology & People, Vol. 7, No. 4, pp. 6-37, 1994. [2] E. Newham, The Biometric Report. http://www.sjb.com/: SJB Services, New York, 1995 PalGov © 2011 65
66.
Biometric Authentication
continue Biometrics Universality Uniqueness Permanence Collectability Performance Acceptability Circumvention Face H L M H L H L Fingerprint M H H M H M H Hand Geometry M M M H M M M Keystrokes L L L M L M M Hand Vein M M M M M M H Iris H H H M H L H Retinal Scan H H M L H L H Signature L L L H L H L Voice Print M L L M L H L DNA H H H L H L L Ear M M H M M H M • H: High, M:Medium, L:Low • Tabulated values from INTRODUCTION TO BIOMETRICS,Anil Jain,Michigan State University PalGov © 2011 66
67.
Biometric Authentication
continue www.biometrics.gov • Biometrics are being tested for the following purposes: – Recognition is a generic term, and does not necessarily imply either verification or identification. All biometric systems perform “recognition” to “again know” a person who has been previously enrolled. – Verification is a task where the biometric system attempts to confirm an individual’s claimed identity by comparing a submitted sample to one or more previously enrolled templates. – Identification is a task where the biometric system attempts to determine the identity of an individual. A biometric is collected and compared to all the templates in a database. Identification is • closed-set: if the person is known to exist in the database. • open-set or watchlist: if the person is not guaranteed to exist in the database. The system must determine whether the person is in the database. PalGov © 2011 67
68.
Biometric System Operation
Enrollment Process Identification Verification User User User Sensor Sensor Sensor Biometrics Biometrics Biometrics extraction extraction extraction Processing Processing Processing Features extraction Features extraction Features extraction Identity Matching Search through Template is sore in Database Accept / Database Identity Reject Identified / Unidentified Database PalGov © 2011 68
69.
Biometric System Operation
continue • In Identification and Verification systems, some statistical parameters determine the quality of the biometrics systems quality: – True Accept Rate: the percentage of times a system (correctly) verifies a true claim of identity. – True Reject Rate: the percentage of times a system (correctly) rejects a false claim of identity. – False Accept Rate: the percentage of times a system produces a false accept, which occurs when an individual is incorrectly matched to another individual’s existing biometric – False Alarm Rate: the percentage of times an alarm is incorrectly sounded on an individual who is not in the biometric system’s database, or an alarm is sounded but the wrong person is identified (used in open-set identification) – Type I Error: An error that occurs in a statistical test when a true claim is (incorrectly) rejected. – Type II Error: An error that occurs in a statistical test when a false claim is (incorrectly) accepted. PalGov © 2011 69
70.
Biometric System Operation
continue Lecture slides by Lawrie Brown Choosing this is very critical in biometrics PalGov © 2011 70
71.
Attacks on Biometric
Systems Verification 1. Spoofing: a fake biometric is presented at the sensor. User 2. Sensor Bypass: illegally intercepted data is resubmitted (replay) Sensor 3. Overriding feature extraction: feature detector is Biometrics 1 replaced by a Trojan horse program to produces extraction 2 feature sets chosen by the attacker. Processing 3 4. Tampering with feature representation: legitimate Features extraction features are replaced with a synthetic feature set 4 5. Corrupting the matcher: matcher is replaced by a 5 Matching Trojan horse program to produce scores chosen 8 by the attacker Accept / Identity 6. Unauthorized access to stored templates Reject 7 7. Corruption of template fetching 8. Decision override 6 Database PalGov © 2011 71
72.
Attacks countermeasures for
Biometric Systems • Identify and prioritize threats: – RISK=OCCURANCE_LIKLIHOOD X CONSEQUECE_SEVERITY – Attack occurrence likelihood related to cost and complexity • Countermeasures: – Maturity, cost and effectiveness. – Prioritized implementation of countermeasures. • Methodology requires system level analysis. – Common needs. PalGov © 2011 72
73.
Biometrics and Cryptography •
In biometrics systems the integrity of data transmission must be secure all the way from the sensor to the application. This is typically achieved by cryptographic methods. • The enhancement of security level in biometrics- based systems can be done in two ways: – use of encryption keys to protect biometric information (for authentication purposes) – use of biometric mechanisms to secure the privacy of encryption keys and access to data PalGov © 2011 73
74.
Summary • In this
session we discussed the following: – PKI, X.509, and PGP – SSL/TLS – IPSec – Biometric authentication. – Biometric systems are vulnerable to a number of attacks – Solutions to these attacks exist, but there is still room for improvement. PalGov © 2011 74
Descargar ahora