Chapter 2
Toolbox: Authentication, Access Control
and Cryptography
Security in general: establish security policy, then enforce it - only means have changed
Definitions
Authentication - the process of ascertaining or confirming an identity
Access control - limiting who can access what in what ways
Encryption -
Identification -
Salt - user-specific component joined to an encrypted password to distinguish identical
passwords
Skimming - the use of a device to copy authentication data surreptitiously and relay it
to an attacker
Least privilige - access to the fewest resources necessary to complete some task
Capability - an unforgeable token that gives the possessor certain rights to an object
Authentication
Two steps:
1. Identification - identity usually public
2. Authentication - necessarily protected
Subject - the entity to be identified and authenticated
Based on 3 qualities:
1. Something the user knows - password, PIN, etc.
2. Something the user is - biometrics - fingerprint, voice, face
3. Something the user has - identity badge, physical key, uniform
Authentication based on knowledge
Passwords
Downsides:
Difficult usage
Disclosure - revealing it to unauthorized parties will give them direct access - deal with it
by changing passwords - must inform authorized parties!
Revocation
Loss
Upsides:
Strong authenticator if chosen carefully
Easy to create and administer
Inexpensive to use
Easy to understand
Type of attacks:
1. Dictionary attack - some network sites post dictionaries of common weak passwords
2. Inferring for a specific user
3. Guess probable passwords
4. Defeating concealment
use rainbow table (contains the password and its concealed version) and match it
to an intercepted password table
salting - defense mechanism to create different hashes for the same passwords -
prevents usage of rainbow table
5. Exhaustive attack/Brute force
Expected number of tries for hit is only half of the password range if evenly
distributed
Uneven distributions can be exploited
6. Social engineering
Security Questions
Problem: Some questions can be answered by the attacker as well
Authentication based on biometrics
Biometrics are biological properties, based on some physical characteristic of the human
body.
First step is registration - creates template
Only used for authentication, not for identification!
Upsides:
Cannot be lost, stolen, forgotten or shared
Always available
Difficult, if not impossible to forge
Downsides:
Intrusive
Expensive
Can become single point of failure
Threshold of acceptance - variation reduces accuracy
False positives/negatives - sensitivity and specificity are related
Speed limits accuracy - time constraint on recognition
Some biometrics might change over time
Authentication based on tokens
Types:
Passive - internally doesn't change, e.g. key, photo
Active - can have some variability or interaction with surroundings (communicate with a
sensor), e.g. cards with magnetic strip
Static - its value remains fixed, e.g. credit card
Dynamic - its value changes - have computing power to change their internal state
Vulnerable to skimming
Unifying authentication
Federated Identity Management - Unifies the identification and authentication process
for a group of systems → one profile, one authentication method
Single Sign-On → takes over sign-on and authentication to several independent
systems for a user
Multifactor authentication
Compensate for the disadvanteges of one method by combining it with a different one
With more factors security increases, but so does inconvenience
Access Control
We desire a system that is:
Flexible in its structure
Robust
Easy to use
Efficient
Access policies
Formal vs Informal
Guidelines for effective policy implementation:
Check every access
Enforce least privilige
Verify acceptable usage - is operation valid/does it make sense on the given data?
Tracking
Granularity - fineness/specificity of access control
Audit/Access log - Each access is noted by the system - here granularity must also be
taken into account
Limited privilige
Limited privilege is the act of restraining users and processes so that any harm they can do
is not catastrophic.
Implementing access control
Often performed by OS - limited by hardware in some cases
Reference monitor - access control that is always invoked (validates every access
attempt), tamperproof, and verifiable
Access Control Directory
Each user has a directory listing the files they have access to (with a pointer) and the
corresponding access rights to the file
Rights are
Read
Write
eXecute
Owner
Upsides:
Easy to implement - list all objects a user can access
Downsides:
Lists become too large if many resources are shared
Deletion must be reflected in all directories
Changing access rights of all users requires iterating through all user directories -
propagation of access rights original owner may not know that access rights
should be revoked from users it was propagated to
Pseudonyms - file name must only be unique inside of user folder - cause for
ambiguity
Access Control Matrix
Table with subjects as rows, objects as columns, each entry containing the set of
access rights corresponding to them
Usually sparse → thus can be represented as list of triples ⟨subject; object; rights⟩
Searching the list is inefficient, so matrix is used in most cases
Access Control List
Corresponds to columns of the access control matrix
Can include default rights
Unix (u;g;w) approach - (user;group;world)
Privilige List
also called directory
row of the access matrix
simple right revocation
Capability
Single- or multi-use ticket to access an object or service
Put some of the burden of access control onto the user
Unforgeable token, giving rights
Propagation - pass copies of capabilities to other subjects
Domain - the collection of objects to which the process has access (AKA collection of
capabilities)
Should be stored in user-inaccessible memory
Procedure-Oriented Access Control
Procedures can perform actions specific to a particular object in implementing access
control.
imply the existence of a procedure that controls access to objects
access made through a trusted interface
inefficient
Role-Based Access Control
Access control by role recognizes common needs of all members of a set of subjects
Cryptography (Overview)
See Chapter 12 for internals
Conceals data against unauthorized access
4 entities taking part:
sender
recipient
transmission medium
interceptor/intruder - tries to block, intercept, modify the message or fabricate an
authentic looking one
Encryption is a means of maintaining secure data in an insecure environment
Terminology
Encryption - encoding a message so that its meaning is not obvious - also encode,
encipher - (to be exact encoding is the process of translating entire words/phrases and
enciphering considers letters and symbols)
Decryption - reverse of encryption - also decode, decipher
Cryptosystem - system for en- and decryption
Plaintext - original form of message in unencrypted form
Ciphertext - encrypted form of message
Formally
C = E(P ) and P = D(C) → we seek E, D s.t. P = D(E(P ))
Cryptoalgorithm - set of rules how to en-/decrypt a message
Key - makes the algorithm depend on an extra value, formally: C = E(K, P )
Provides extra security and flexibility with an encryption scheme
Types:
1. Symmetric/Single-key/Secret-key encryption - en- and decryption keys are
the same; Formally: P = D(K, E(K, P ))
2. Asymmetric/Public-key encryption - keys come in pairs, one encrypts and
one decrypts, Formally: P = D(K , E(K , P ))
D E
Keyless cipher - Encryption scheme, that does not use keys
Cryptanalysis
wants to break an encryption
optimally also hopes to deduce the algorithm and the key, not just the message
No rules to achieving this - any action is fair play
Work factor
An encryption algorithm is breakable when, given enough time and data, an analyst
can determine the algorithm
An algorithm can be theoretically breakable, but practically infeasible (time constraints)
Work factor - amount of effort needed to break an encryption (or mount a successful
attack)
An encryption is adequate if the work factor outweighs the value of the encrypted data
Symmetric and asymmetric cryptosystems
Symmetric
As long as the key is secret, the system provides authenticity - proof that the message
originates from the declared sender
If multiple people want to communicate in pairs, number of required keys grows in
2
O(n )
Thus it requires a means of key distribution
Tools: openssl, gpg, age
Stream and block ciphers
Stream encryption - each bit/byte of data in the stream is encrypted separately
e.g. ChaCha20, Salsa20
Upsides:
Can be applied immediately - fast
Low error propagation - error only affects one character
Downsides:
Low diffusion
Susceptibility to malicious insertions/modifications
Block cipher - encrypts a group of plaintext symbols as a single block
mostly uses AES
Upsides:
High diffusion
Immunity to insertion of malicious symbol
Downsides:
Slow encryption
Padding - final block must be filled with irrelevant data
Error propagation - all characters in the same block are affected
DES: The Data Encryption Standard
Developed by IBM in the 1970s for U.S. NIST, later called National Bureau of Standards
(NBS)
Encrypts blocks of 64 bits using a 56 bit key (last 8 are check digits)
16 iterations of substitution, permutation and key transformation
Controversial upon release
In 1995 research begins for a stronger encryption algorithm (AES)
Double and triple DES
Required because of increasing computing power
Double DES
Takes two keys, and performs two encryptions: C = E(k 2 , E(k 1 , m))
However this is equivalent to the work factor of using a 57-bit key
Essentially doesn't increase security
Triple DES
Use 3 keys: C = E(k 3 , E(k 2 , E(k 1 , m)))
Strength roughly equivalent to a 112-bit key encryption
Minor variation (with the same name): C = E(k 1 , D(k 2 , E(k 1 , m)))
only requires two keys!
~ 80-bit strength
AES: Advanced Encryption System
Originally named Rijndael
Adopted for use in the U.S. in 2001
Overview
Fast and can be easily implemented on simple processors
Primary operations: substitution, transposition, bit shift, XOR, addition
Uses repeated cycles (in AES called "rounds") like DES: 10, 12 or 14 cycles for 128,
192 and 256 bit keys respectively
Each round consists of 4 steps
1. Byte substitution
2. Row shifting
3. Column mixing
4. Adding round key
Strength
The number of cycles can easily be extended
U.S. government approved
Asymmetric
Excels at key management (storing, safeguarding and activating keys)
public keys can be revealed
less keys have to be remembered - only one public and one private per user
e.g. RSA, EdDSA, ElGamal, Diffie-Hellman, ECDH
Formally:
P = D(k P RI V , E(k P U B , P ))
And for some algorithms (like RSA) it also holds:
P = D(k P U B , E(k P RI V , P ))
The Rivest-Shamir-Adelman (RSA) Algorithm
Creators: Ronald Rivest, Adi Shamir, Leonard Adleman
Introduced in 1978
P = RSA(RSA(P , e), d) = RSA(RSA(P , d), e)
Long keys: at least 256 bits, but 1000-2000 bits preferred
Uses exponentiation - raise each plaintext block to a power (defined by e)
Encryption time O (e b
) , where b is the number of bits - slower than DES and AES
(x10,000)
Uses the factorization problem
Exchanging Secret Keys
Idea: Use public key cryptosystems to securely exhange symmetric keys
One way:
Alice Bob
Send pub_k_A
Send pub_k_B
Create sym_k and E(sym_k, pub_k_B)
Send half of E(sym_k, pub_k_B)
Confirm message
Send half of E(rand, pub_k_A)
Send other half of E(sym_k, pub_k_B)
Decrypt E(sym_k, pub_k_B)
Send other half of E(rand, pub_k_A)
Decrypt E(rand, pub_k_A)
Send E(rand, sym_k)
Decrypt E(rand, sym_k)
alt [D(E(rand, sym_k)) matches rand]
Let's start talking!
Someone's eavesdropping, let's try again!
Alice Bob
Random value here called a nonce
Different method: Alice sends Bob
E(k P U B−B , E(k P RI V −A , K))
Slowness of asymmetric encryption avoided - only has to be en/decrypted once during
the exchange
Error Detecting Codes
Want to: guard against modification of data
Digest functions
Infrequent collisions
unpredictable → given an input, it is infeasible to find another which results in the
same output
cyclic redundancy check - detect errors in recording and playback
error correction codes
can detect multiple-bit errors
may be able to pinpoint the changed bits
Parity
Simplest error detection code
Extra bit called fingerprint is 0 if sum of data bits is even, 1 if odd
Can only reveal the modification of a single bit
improved with more parity bits - but that increases the required storage size!
Hash Codes
Need a "seal" for a file → hash/checksum/message digest
Send checksum → if it doesn't match the computed one, request retransmission
Problem: malicious adversary can fix the detection value to match!
One-Way Hash Functions
Much easier to compute than their inverse
3 3
y = x vs. y = √x
File Change Detection
One-way hash functions can help → no simple way of finding malicious modifications
that leave checksum intact
Tripwire utility program - integrity checks
Cryptographic Checksum
Cryptographic function producing a checksum
Prevents the attacker from
changing the data block (plaintext)
changing the checksum (ciphertext) to match
Uses: code-tamper protection, message-integrity protection in transit
Secure Hash Standard/Algorithm (SHS/SHA)
Defined by U.S. government
Signatures
Demonstrates authenticity
Cannot be forged
Pertains to a single file
Must convince all who access the file and remain valid indefinitely
Components/Characteristics:
binary object associated with a file
Two primary conditions:
1. unforgeable - S signs message M with signature Sig(S, M ) and nobody else can
produce the pair [M , Sig(S, M )]
2. authentic - R receives the pair [M , Sig(S, M )] allegedly from S → R can check if
the signature is really from S and if the signature is firmly attached to M
Two additional desirable conditions:
3. unalterable - After transmission M cannot be changed by anyone
4. not reusable - Presenting the same message will be instantly detected
Public Keys for Signatures
E(M , K U ) - public key encryption for user U - privacy transformation
D(M , K U ) - private key transformation for user U - authenticity transformation
Under some asymmetric algorithms (e.g. RSA) it holds
D(E(M , K U ), K U ) = M = E(D(M , K U ), K U )
S wants to send M to R
1. Use authenticity transformation D(M , K S)
2. (optional) To add secrecy S can apply E(D(M , K S ), KR )
3. R decodes E(D(M , K S
), K S ) = M
4. Only S can create a message which makes sense under E(−, K S) → message is
authentic!
5. R saves D(M , K S
)
6. S alleges, that the message is a forgery
7. R publishes D(M , K S) and M
8. Anyone can verify E(D(M , K S
), K S ) = M (since E(−, K S
) is common knowledge)
→ unforgeable!
Certificates
We want to bind a public key to an identity
Kohnfelder: electronic certificate with a chain of authenticators
Merkle expands the concept
Public key and user identity bound together in a certificate
This is signed by a certificate authority
Hierarchical structure:
Hierarchy not necessary, but! - at least trusted entity required
Digital Signatures
Consists of:
a file
a demonstration that the file has not been altered
indication of who applied the signature
validation of authenticity
connection of the signature to the file
Process:
1. Use a secure hash code of the file → include message digest - the file has not been
changed
2. Apply the signer's private key E(M , K P RI V −S
)
3. Add the indentifier of the signer, so receiver knows which public key to use
Technically only the message digest needs to be encrypted asymmetrically
If confidentiality is wanted, one can symmetrically encrypt the actual message and
include that in the message digest