Privacy versus Authentication

1
Privacy versus Authentication

• Confidentiality (Privacy)
• Interceptors cannot read messages
• Authentication proving the senders identity
• The Problem of Impostors
• Uses encryption
• So encryption is not only for privacy and
  confidentiality!

2
Authentication

• Authentication methods Passwords
• Most users pick short passwords that are easy to
  guess with exhaustive search
• Users often pick passwords that are common words
  or repetitive letter combinations Even easier to
  guess
• Automated password cracking is very effective

3
Authentication

• Authentication methods Passwords
• Often, weak passwords protect more important
  systems
• Users must be forced to pick long passwords
  containing case changes and numerals, such as
  Tri6Vial

4
Authentication

• Authentication methods
• Biometrics
• Fingerprint analysis, iris analysis, etc.
• New and not standardized
• Authentication Card
• Push into slot of a machine
• Also must give password usually
• Public Key Authentication
• Prove that sender holds their private key, which
  only they should know

5
Authentication

• Verifier is the party who wishes the other party
  to authenticate themselves
• Applicant is the other party, which wishes to
  prove its identity

Prove Your Identity
Applicant
Verifier
6
Challenge-Response Authentication

• Verifier sends the applicant a challenge message
• This challenge message is a string of bits

Challenge Message
Applicant
Verifier
7
Challenge-Response Authentication

• Applicant sends back a response message
• This is the challenge message encrypted with the
  applicants private key

Response Message
Applicant
Verifier
8
Challenge-Response Authentication

• Verifier decrypts the response message with the
  true partys public key
• If matches the challenge message, was encrypted
  with the true partys private key, which only the
  true party should know
• Applicant is authenticated

Challenge Message
Response Message
Applicant
Verifier
9
Frequency of Authentication

• Challenge-Response Authentication
• Only done initially
• Or done at most a few times during a session
• Digital Signature Authentication (next)
• Provides authentication for every message
• Called message-by-message authentication
• Also provides message integrityproof that the
  message has not been changed en route

10
Public Key Authentication

• Ultimate goal is to send an original plaintext
  message from the applicant to the verifier
• If security was not an issue, the applicant
  simply would send it

Original Plaintext
Applicant
Verifier
11
Public Key Authentication

• Ultimate goal is to send an original plaintext
  message from the applicant to the verifier
• If only confidentiality was an issue, would
  merely encrypt the original plaintext with a
  symmetric session key

Ciphertext Using Symmetric Key
Applicant
Verifier
12
Public Key Authentication

• For authentication, also send a digital signature
  with each packet
• First create a message digest (MD)
• A small binary string calculated on the basis of
  all of the bits in the message

Message
Message Digest
13
Public Key Authentication

• First create a message digest (MD)
• Normally, use a process called hashing
• For a message of arbitrary size, hashing produces
  a small number of predictable size
• MD5 128 bits
• SHA-1 160 bits

Message
Message Digest
Hash
14
Public Key Authentication

• First create a message digest (MD)
• Hashing is not reversible
• Cannot get back original message if you know its
  hash
• Just done to produce something small enough
  (message digest) to encrypt with public key
  encryption

Message
Message Digest
Hash
15
Public Key Authentication

• Next create a digital signature
• Encrypt the message digest with senders private
  key, which only the sender should be able to do
• Also called signing the message digest with the
  senders private key

Digital Signature
Message Digest
16
Public Key Authentication

• Next create a digital signature
• Encrypt message digest with senders private key,
  which only the sender should be able to do
  creates the digital signature
• Message digest is short, so public key encryption
  is not too burdensome

Digital Signature
Message Digest
17
Public Key Authentication

• Note
• Message digest is a hash of the original message
• MD is not encrypted
• Digital signature is what you get when you
  encrypt the MD with public key encryption
• Do not confuse the two

Digital Signature
Message Digest
18
Public Key Authentication

• Encrypt combined message and digital signature
  with the symmetric session key and send to the
  receiver
• This gives confidentiality (privacy) during
  transmission
• Easy to forget the encryption with the symmetric
  session key

Digital Signature
Message
Encrypt with symmetric session key
19
Public Key Authentication

• Receiver decrypts ciphertext with symmetric
  session key
• Then decrypts digital signature with senders
  public key to get the original message digest
• This is the transmitted message digest

Decrypt with Senders Public Key
Transmitted Message Digest
Digital Signature
20
Public Key Authentication

• Receiver then hashes the original plaintext, just
  as the sender did
• This is the computed message digest

Computed Message Digest
Hashed
Original Plaintext
21
Public Key Authentication

• If the transmitted and computed message digests
  match, the sender is authenticated as being the
  true party
• Because the digital signature was signed with the
  true party private key, as shown by decryption
  with the true partys public key

Message Digest Computed from Original Plaintext
Message Digest from Digital Signature
22
Public Key Authentication

• Digital Signature also Provides Message Integrity
• Proof that the message has not been altered en
  route
• If message has been changed by error or by an
  attacker, message digests will not match

Message Digest Computed from Original Plaintext
Message Digest from Digital Signature