This is the slide I used to train people about the security concepts, such as digital signature and digital fingerprint.
I tried to use friendly way to explain the topic with animation and many example in real life.
Hope it helps for you.
2. Course Objectives:
• Bring up your awareness of security
• Give you an idea to secure your electronic
life
3. Agenda
• Security Everywhere
• How to secure our E-life
• Digital Fingerprint (Hash, Digest, Measure)
• Digital Signature
• Digital Certificate with PKI
5. 4 Factors of Security
Authentication
Integrity
Non-
repudiation
Privacy Nobody Can Know
Who I Am
It’s Unmodifiable
It’s Undeniable
6. Security Everywhere
Real life: Sealing wax in Middle Ages
Q1. How to prevent someone from tamperingQ1. How to prevent someone from tampering
your letteryour letter ??
Q1. How to prevent someone from tamperingQ1. How to prevent someone from tampering
your letteryour letter ??
10. Security Everywhere
Challenges
• How to prove the card is forged or not?
How does bank authenticate your identity?
How to protect my data won’t be intercepted by bad
guy during data transmission?
How can merchant prevent customer from denying
his/her order?
How can I trust the merchant is not bad guy?
11. Are They Still the Original Data ?
• When you receive files from your friend
– Picture files
– MP3 files
– Video files
– Many others type of files….
• When you download Files from Web
– Utility
– Driver
– Patch
– Picture/music/video.. filesHow Do you Know They Are Original
- No lost, Not Been Hacked, No Virus…..
12. Fingerprint for Any Digital Data
• What is Human Fingerprint ?
– a unique identification to a
person
– Small but can represent a
person, like a digest
• Is it a way for any digital data?
• a program, a letter, or…
• one byte…. one gigabyte, or …..
Is It Possible ?
Digital Data Just Like Human ?
13. Yes, We Can !
Message Digest
Variable-length input message to aVariable-length input message to a
fixed-lengthfixed-length
Human Fingerprint
Virtual uniqueness
Measurement
Detection ofDetection of genuinenessgenuineness
Digital fingerprint
a logic process which will
result in a fixed length
unique data value
If there is any single bit
change in the original
data, the result will
change dramatically, so
you’ll notice the change
easily
For example: using MD5
Hash algorithm will always
result in xxx bit data value
15. Fingerprint HOWTOInput Fingerprint
I love you
Fingerprint
MD5
e4f58a805a6e1fd0f6bef58c86f9ceb3
Demo: PsPad editor
MD5
I love yoU
Fingerprint
MD5
8bbe24876210671597572bf075412311
Photo1.jpg
Fingerprint
MD5
8cd5c5a2ab5eea7c649fa0994885fb44
Modified Photo1.jpg
Fingerprint
MD5
dfaa08438c77f924717f6dcac756530f
17. Hash Function
Ex: Downloading the file (Integrity)
Demo – 1 , 2
Problem: The SW I download can’t be opened! Any way to know
if the file is not modified during network transmission?
Problem: The SW I download can’t be opened! Any way to know
if the file is not modified during network transmission?
18. Hash Function
Ex: User authentication in OS or ATM
machineProblem:
can I protect my password during user authentication?
can I shadow my password in OS to prevent someone from stealing it
Problem:
can I protect my password during user authentication?
can I shadow my password in OS to prevent someone from stealing it
Client
Server
Fingerprint Function
ID: PaulID: Paul
Password: ILoveYouPassword: ILoveYou
Login requestLogin request
Account: PaulAccount: Paul
Password:Password: +!3420$
User DB
ID Password
Paul +!3420$
Stephen ss-3&6#
Jack l*^$23w
Account: PaulAccount: Paul
Password:Password: +!3420$
User
Authentication
User
Authentication
Login
successful
Login
successful
Login
successful
Login
successful
19. Are you sure where they come
from?• When you receive files from your friend
– Picture files
– MP3 files
– Video files
– Many others type of files….
• When you download Files from Web
– Utility
– Driver
– Patch
– Picture/music/video.. files
How can you know where they come
from?
20. Context (Plaint Text)
Digital signature
Sign
Yes, We Can ! Digital Signatures
A Electronic document to provide Authentication, Integrity
and Non-repudiation but NOT Privacy
Verify
Sender ReceiverSender
21. How Signature Works?
You must understand “What is key?” first
Encryption DecryptionPlaintext Plaintext
Cipher text
Key Key
Variable value used by cryptographic to produce
encrypted text, or decrypt encrypted text
Variable value used by cryptographic to produce
encrypted text, or decrypt encrypted text
22. Quiz?
Problem:
I’ve got to remember many passwords for
•My Computer Login
•My ATM PIN
•My Internet Bank
•My Mobile Phone SIM
•My mailbox and MSN
•More…….
Question:
Do you know someplace or someway in which you can secure your
passwords and can check them out easily?
23. Let’s Practice!Answer:
• Assuming they are four digit numbers (xxxx)
• Write them down in a paper
• Pick up a set of 4 digital number and keep it in your mind, ex. 1234
• Make simple mathematics (Addition +)
Ex. Computer Login: 7622 + 1234 = 8856
ATM PIN: 1285 + 1234 = 2519
Internet Bank: 2247 + 1234 = 3481
• Put them in somewhere you like, (laptop or wallet)
• When you need them, just make simple subtraction (-)
Ex. Computer Login: 8856 - 1234 = 7622
ATM PIN: 2519 - 1234 = 1285
• Even if someone steals your wallet, no one can use those number to
unlock your account.
• Which is the plaint text?
• Which is the cipher text?
• Which is the encryption?
• Which is the decryption?
• Which is the KEY?
• Which is the plaint text?
• Which is the cipher text?
• Which is the encryption?
• Which is the decryption?
• Which is the KEY?
Encryption DecryptionPlaintext Plaintext
Cipher text
Key Key
Encryption is still difficult?
7622 (Login)
8856
(+) addition
(-) Subtraction
1234
24. Public-Private Key Encryption
• Involves 2 distinct keys – Public, Private.
• The private key is kept secret and never be divulged
• The public key is not secret and can be freely distributed,
shared with anyone.
• It is also called “asymmetric cryptography”.
• Two keys are mathematically related, it is infeasible to derive
the private key from the public key.
Encryption DecryptionPlaintext Plaintext
Ciphertext
Public Key Private Key
Use Public key to encrypt and Private
Key to decrypt!
25. Hello, Mary
Wanna go out for dinner?
PaulPaul MaryMary
encrypt using Mpublic decrypt using Mprivate
OK, Paul
Fridays or Ruby Tuesday ?
PaulPaul MaryMary
decrypt using Pprivate encrypt using Ppublic
26. Each individual generates his own key pair
[Public key known to everyone & Private key only to the owner]
Private Key – Used for Signing the document
Public Key – Used for Verifying the signed document
Digital Signatures HOWTO
Use Private key to encrypt (sign) Public
Key to decrypt (verify) !!!
28. Agenda
• Security Everywhere
• How to secure our E-life
• Hash function (Digest, Figure print)
• Digital Signature
• Digital Certificate with PKI
• VPro Security World
29. Digital Certificates
• Why we use driver license and ID card?
• Digital Certificate much likes a physical
passport
• A data with digital signature from one trusted
Certification Authority (CA).
• This data contains:
– Who owns this certificate
– Who signed this certificate
– The expired date
– User name & email address
CERTIFICATE
IssuerIssuer
SubjectSubject
IssuerIssuer
DigitalDigital
SignatureSignature
Subject Public KeySubject Public Key
30. Elements of Digital Cert.• A Digital ID typically contains the following information:
– Your public key, Your name and email address
– Expiration date of the public key, Name of the CA who issued
your Digital ID
31. Public Key Infrastructure (PKI)
• A Public Key Infrastructure is an
Infrastructure to support and manage Public
Key-based Digital Certificates
• There are 4 major parts in PKI.
– Certification Authority (CA)
– A directory Service
– Services, Banks, Web servers
– Business Users
32. Certification Authority (CA)
• A trusted agent who certifies public keys (certificate) for
general use (Corporation or Bank).
– User has to decide which CAs can be trusted.
• CA provider:
• Comodo
• DigiCert
• Trustwave
• TURKTRUST
• VeriSign
More ….
34. Demonstration…
• Digital Signature & Certificate
– Generate Message Digest [SHA1] OpenSSL [Option]
– Encrypting Digest using Private Key [Signatures] OpenSSL [Option]
– Verification of Signatures OpenSSL [Option]
– Apply your email certificate
– Outlook 2003 case [Multipurpose Internet Mail Extensions MIME]
35. Security Everywhere
Recap: Challenges
• How to prove the card is forged or not?
How Server authenticate your identity?How Server authenticate your identity?
How you transmit your sensitive data ?How you transmit your sensitive data ?
How to protect my data won’t be intercepted byHow to protect my data won’t be intercepted by
bad guy?bad guy?
How can merchant avoid customer repudiateHow can merchant avoid customer repudiate
his/her order?his/her order?
How can I trust the merchant is not bad guy?How can I trust the merchant is not bad guy?
What’s SSL 128? Is it able to protect my data?What’s SSL 128? Is it able to protect my data?
Digital Fingerprint (Digest, Hash, & Measure)Digital Fingerprint (Digest, Hash, & Measure)
Digital signature (SignDigital signature (Signinging))
Encryption (Public Key, Secret Key)Encryption (Public Key, Secret Key)
Digital Certificate (PKI)Digital Certificate (PKI)
HOWTO Solve ?HOWTO Solve ?
39. Security Everywhere
E-life: E-commerce
Q1. How to protect my data won’t be interceptedQ1. How to protect my data won’t be intercepted
by Bad guy?by Bad guy?
Q1. How to protect my data won’t be interceptedQ1. How to protect my data won’t be intercepted
by Bad guy?by Bad guy?
Q2. How can I trust merchant is not bad guy?Q2. How can I trust merchant is not bad guy?Q2. How can I trust merchant is not bad guy?Q2. How can I trust merchant is not bad guy?
Q3. How can merchant avoid customer repudiateQ3. How can merchant avoid customer repudiate
his/her order?his/her order?
Q3. How can merchant avoid customer repudiateQ3. How can merchant avoid customer repudiate
his/her order?his/her order?
40. Security Everywhere
E-life: E-commerce
httpshttps
SSL 128SSL 128
Credit card infoCredit card info
Q1. What’s SSL 128bit ?Q1. What’s SSL 128bit ?
Q2. Why / How can it protect my credit info?Q2. Why / How can it protect my credit info?
Q1. What’s SSL 128bit ?Q1. What’s SSL 128bit ?
Q2. Why / How can it protect my credit info?Q2. Why / How can it protect my credit info?
41. Security Everywhere
Storing the password in OS, ATM machine
Problem:
can I shadow my password in OS to prevent someone from stealing it
can I protect my password during user authentication?
roblem:
can I shadow my password in OS to prevent someone from stealing it
can I protect my password during user authentication?
Plaintext
42. Key length
• It is the number of bits (bytes) in the key.
• A 2-bit key has four values
– 00, 01, 10, 11 in its key space
• A key of length “n” has a key space of 2^n distinct values.
• E.g. the key is 128 bits
– 101010101010….10010101111111
– There are 2^128 combinations
– 340 282 366 920 938 463 463 374 607 431 768 211 456
43. How difficult to crack a key?
Key
Length
Individual
Attacker
Small
Group
Academic
Network
Large Company Military Inteligence
Agency
40 Weeks Days Hours Milliseconds Microseconds
56 Centuries Decades Years Hours Seconds
64 Millennia Centuries Decades Days Minutes
80 Infeasible Infeasible Infeasible Centuries Centuries
128 Infeasible Infeasible Infeasible Infeasible Millennia
Attacker Computer Resources Keys /
Second
Individual attacker One high-performance desktop machine & Software 2^17 – 2^24
Small group 16 high-end machines & Software 2^21 – 2^24
Academic Network 256 high-end machines & Software 2^25 – 2^28
Large company $1,000,000 hardware budget 2^43
Military Intelligence
agency
$1,000,000 hardware budget + advanced technology 2^55
44. Secret-key Encryption
• Use a secret key to encrypt a message into
ciphertext.
• In AMT provision, we call it Pre-Shared Key (PSK)
• Use the same key to decrypt the ciphertext to the
original message.
• Also called “Symmetric cryptography”.
Encryption DecryptionPlaintext Plaintext
Ciphertext
Secret Key Secret Key
45. Secret-Key algorithms
Algorithm Name Key Length
(bits)
Blowfish Up to 448
DES 56
IDEA 128
RC2 Up to 2048
RC4 Up to 2048
RC5 Up to 2048
Triple DES 192
References:
Blowfish
DES
IDEA
RC2
RC4
RC5
DES-3
46. Digital CertificateDigital Certificate
• How are Digital Certificates Issued?How are Digital Certificates Issued?
• Who is issuing them?Who is issuing them?
• Why should I Trust the Certificate Issuer?Why should I Trust the Certificate Issuer?
• How can I check if a Certificate is valid?How can I check if a Certificate is valid?
• How can I revoke a Certificate?How can I revoke a Certificate?
• Who is revoking Certificates?Who is revoking Certificates?
ProblemsProblems
Moving towards PKI …Moving towards PKI …
47. Public Key Algorithms
Algorithm Name Key Length (bits)
DSA Up to 448
El Gamal 56
RSA 128
Diffie-Hellman Up to 2048
References:
DSA
El Gamal
RSA
Diffie-Hellman
50. OK, Paul
Fridays or Ruby Tuesday ?
PaulPaul MaryMary
decrypt using Pprivate encrypt using Ppublic
51. Security Everywhere
Our life: Passport
Q1. How to know it’s a official passport?Q1. How to know it’s a official passport?Q1. How to know it’s a official passport?Q1. How to know it’s a official passport?
Q2. How to prove the passport belongs to you?Q2. How to prove the passport belongs to you?Q2. How to prove the passport belongs to you?Q2. How to prove the passport belongs to you?
53. Hash Function
Ex: Storing the password in OS, ATM machine
Client
Server
Hash Function
ID: PaulID: Paul
Password: ILoveYouPassword: ILoveYou
Login requestLogin request
Account: PaulAccount: Paul
Password:Password: +!3420$
User DB
ID Password
Paul +!3420$
Stephen ss-3&6#
Wang l*^$23w
Account: PaulAccount: Paul
Password:Password: +!3420$
User
Authentication
User
Authentication
Login
successful
Login
successful
Login
successful
Login
successful
54. How Signature Works?
You must understand “What is key?” first
Encryption DecryptionPlaintext Plaintext
Cipher text
Key Key
The length of the key reflects the difficulty to
decrypt from the encrypted message
The length of the key reflects the difficulty to
decrypt from the encrypted message
Variable value used by cryptographic to produce
encrypted text, or decrypt encrypted text
Variable value used by cryptographic to produce
encrypted text, or decrypt encrypted text
Why I said Security is everywhere … . We firstly check our physical realm out …
講到 security , 必然一定要提到 其 4 大特性 還有程度的差異 The transmitted message must make sense to only the intended receiver -- Privacy Receiver needs to be sure of the sender’s identity – Authentication Data must arrive at the receiver exactly as they were sent – Integrity Receiver must prove that a received message came from a specific sender -- Non-repudiation
小組成員調查神秘與不尋常的死因,以判定是誰以及如何殺了他們。成員們也會解決一些其他的重罪,例如強姦罪的採證,但這個系列影集的主題仍以謀殺案件為主。 Criminalistics is the application of various sciences to answer questions relating to examination and comparison of biological evidence , trace evidence , impression evidence (such as fingerprints , footwear impressions, and tire tracks), controlled substances , ballistics , firearm and toolmark examination, and other evidence in criminal investigations. Typically, evidence is processed in a crime lab . Digital forensics is the application of proven scientific methods and techniques in order to recover data from electronic / digital media. DF specialists work in the field as well as in the lab. Forensic anthropology is the application of physical anthropology in a legal setting, usually for the recovery and identification of skeletonized human remains. Forensic archaeology is the application of a combination of archaeological techniques and forensic science, typically in law enforcement. Forensic DNA analysis takes advantage of the uniqueness of an individual's DNA to answer forensic questions such as determining paternity/maternity or placing a suspect at a crime scene. Forensic entomology deals with the examination of insects in, on, and around human remains to assist in determination of time or location of death. It is also possible to determine if the body was moved after death. Forensic geology deals with trace evidence in the form of soils, minerals and petroleums. Forensic interviewing is a method of communicating designed to elicit information and evidence. Forensic meteorology is a site specific analysis of past weather conditions for a point of loss. Forensic odontology is the study of the uniqueness of dentition better known as the study of teeth. Forensic pathology is a field in which the principles of medicine and pathology are applied to determine a cause of death or injury in the context of a legal inquiry. Forensic psychology is the study of the mind of an individual, using forensic methods. Usually it determines the circumstances behind a criminal's behavior. Forensic toxicology is the study of the effect of drugs and poisons on/in the human body. Forensic document examination or questioned document examination answers questions about a disputed document using a variety of scientific processes and methods. Many examinations involve a comparison of the questioned document, or components of the document, to a set of known standards. The most common type of examination involves handwriting wherein the examiner tries to address concerns about potential authorship. Veterinary Forensics is forensics applied to crimes involving animals. Association of Firearm and Tool Mark Examiners Ballistic fingerprinting Computer forensics Crime Diplomatics (Forensic paleography) Forensic accounting Forensic animation Forensic anthropology Forensic chemistry Forensic engineering Forensic facial reconstruction Forensic identification Forensic materials engineering Forensic polymer engineering Forensic profiling Forensic psychology Questioned document examination Retrospective diagnosis Skid mark Trace evidence Profiling practices Testimony · Documentary Physical / Real · Digital Exculpatory · Scientific Demonstrative Eyewitness identification Genetic (DNA) · Lies
Digital signing ensures that data originates from a specific party by creating a digital signature that is unique to that party. This process also uses hash functions. Put simply, digital signatures combine hashing (for the validation of the signature data) with asymmetric encryption for encoding that signature data. The following occurs when data is signed with a digital signature: A hash algorithm is applied to the data to create a hash value. The hash value is encrypted with User A’s private key, thereby creating the digital signature. The digital signature and the data are sent to User B. The following occurs when digitally signed data is decrypted: User B decrypts the signature by using User A’s public key and then recovers the hash value. If the signature can be decrypted, User B knows that the data came from User A (or the owner of the private key). The hash algorithm is applied to the data to create a second hash value. The two hash values are compared. If the hash values match, User B knows that the data has not been modified.
In a public key environment, it is vital that you are assured that the public key to which you are encrypting data is in fact the public key of the intended recipient and not a forgery. You could simply encrypt only to those keys which have been physically handed to you. But suppose you need to exchange information with people you have never met; how can you tell that you have the correct key? Digital certificates, or certs, simplify the task of establishing whether a public key truly belongs to the purported owner. A certificate is a form of credential. Examples might be your driver's license, your social security card, or your birth certificate. Each of these has some information on it identifying you and some authorization stating that someone else has confirmed your identity. Some certificates, such as your passport, are important enough confirmation of your identity that you would not want to lose them, lest someone use them to impersonate you. A digital certificate is data that functions much like a physical certificate. A digital certificate is information included with a person's public key that helps others verify that a key is genuine or valid. Digital certificates are used to thwart attempts to substitute one person's key for another. A digital certificate consists of three things: A public key. Certificate information. ("Identity" information about the user, such as name, user ID, and so on.) One or more digital signatures. The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity. The digital signature does not attest to the authenticity of the certificate as a whole; it vouches only that the signed identity information goes along with, or is bound to, the public key. Thus, a certificate is basically a public key with one or two forms of ID attached, plus a hearty stamp of approval from some other trusted individual.
VeriSign introduced the concept of classes of digital certificates: Class 1 for individuals, intended for email Class 2 for organizations, for which proof of identity is required Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority Class 4 for online business transactions between companies Class 5 for private organizations or governmental security