Chapter 2

Toolbox: Authentication, Access Control

and Cryptography
Security in general: establish security policy, then enforce it - only means have changed

Definitions
Authentication - the process of ascertaining or confirming an identity
Access control - limiting who can access what in what ways
Encryption -
Identification -
Salt - user-specific component joined to an encrypted password to distinguish identical
passwords
Skimming - the use of a device to copy authentication data surreptitiously and relay it
to an attacker
Least privilige - access to the fewest resources necessary to complete some task
Capability - an unforgeable token that gives the possessor certain rights to an object

Authentication
Two steps:

1. Identification - identity usually public

2. Authentication - necessarily protected

Subject - the entity to be identified and authenticated

Based on 3 qualities:

1. Something the user knows - password, PIN, etc.

2. Something the user is - biometrics - fingerprint, voice, face
3. Something the user has - identity badge, physical key, uniform

Authentication based on knowledge

Passwords

Downsides:

Difficult usage
 Disclosure - revealing it to unauthorized parties will give them direct access - deal with it
by changing passwords - must inform authorized parties!
Revocation
Loss

Upsides:

Strong authenticator if chosen carefully

Easy to create and administer
Inexpensive to use
Easy to understand

Type of attacks:

1. Dictionary attack - some network sites post dictionaries of common weak passwords
2. Inferring for a specific user
3. Guess probable passwords
4. Defeating concealment
use rainbow table (contains the password and its concealed version) and match it
to an intercepted password table
salting - defense mechanism to create different hashes for the same passwords -
prevents usage of rainbow table
5. Exhaustive attack/Brute force
Expected number of tries for hit is only half of the password range if evenly
distributed
Uneven distributions can be exploited
6. Social engineering

Security Questions

Problem: Some questions can be answered by the attacker as well

Authentication based on biometrics

Biometrics are biological properties, based on some physical characteristic of the human
body.

First step is registration - creates template

Only used for authentication, not for identification!

Upsides:

Cannot be lost, stolen, forgotten or shared

Always available
Difficult, if not impossible to forge
Downsides:

Intrusive
Expensive
Can become single point of failure
Threshold of acceptance - variation reduces accuracy
False positives/negatives - sensitivity and specificity are related
Speed limits accuracy - time constraint on recognition
Some biometrics might change over time

Authentication based on tokens

Types:

Passive - internally doesn't change, e.g. key, photo

Active - can have some variability or interaction with surroundings (communicate with a
sensor), e.g. cards with magnetic strip
Static - its value remains fixed, e.g. credit card
Dynamic - its value changes - have computing power to change their internal state

Vulnerable to skimming

Unifying authentication
Federated Identity Management - Unifies the identification and authentication process
for a group of systems → one profile, one authentication method
Single Sign-On → takes over sign-on and authentication to several independent
systems for a user

Multifactor authentication
Compensate for the disadvanteges of one method by combining it with a different one
With more factors security increases, but so does inconvenience

Access Control
We desire a system that is:

Flexible in its structure

Robust
Easy to use
Efficient

Access policies
Formal vs Informal

Guidelines for effective policy implementation:

Check every access

Enforce least privilige
Verify acceptable usage - is operation valid/does it make sense on the given data?

Tracking

Granularity - fineness/specificity of access control

Audit/Access log - Each access is noted by the system - here granularity must also be
taken into account

Limited privilige

Limited privilege is the act of restraining users and processes so that any harm they can do
is not catastrophic.

Implementing access control

Often performed by OS - limited by hardware in some cases

Reference monitor - access control that is always invoked (validates every access
attempt), tamperproof, and verifiable

Access Control Directory

Each user has a directory listing the files they have access to (with a pointer) and the
corresponding access rights to the file
Rights are
Read
Write
eXecute
Owner
Upsides:
Easy to implement - list all objects a user can access
Downsides:
Lists become too large if many resources are shared
Deletion must be reflected in all directories
Changing access rights of all users requires iterating through all user directories -
propagation of access rights original owner may not know that access rights
should be revoked from users it was propagated to
Pseudonyms - file name must only be unique inside of user folder - cause for
ambiguity
Access Control Matrix

Table with subjects as rows, objects as columns, each entry containing the set of
access rights corresponding to them
Usually sparse → thus can be represented as list of triples ⟨subject; object; rights⟩
Searching the list is inefficient, so matrix is used in most cases

Access Control List

Corresponds to columns of the access control matrix

Can include default rights
Unix (u;g;w) approach - (user;group;world)

Privilige List

also called directory

row of the access matrix
simple right revocation

Capability

Single- or multi-use ticket to access an object or service

Put some of the burden of access control onto the user
Unforgeable token, giving rights
Propagation - pass copies of capabilities to other subjects
Domain - the collection of objects to which the process has access (AKA collection of
capabilities)
Should be stored in user-inaccessible memory

Procedure-Oriented Access Control

Procedures can perform actions specific to a particular object in implementing access

control.

imply the existence of a procedure that controls access to objects

access made through a trusted interface
inefficient

Role-Based Access Control

Access control by role recognizes common needs of all members of a set of subjects

Cryptography (Overview)
See Chapter 12 for internals
 Conceals data against unauthorized access
4 entities taking part:
sender
recipient
transmission medium
interceptor/intruder - tries to block, intercept, modify the message or fabricate an
authentic looking one
Encryption is a means of maintaining secure data in an insecure environment

Terminology
Encryption - encoding a message so that its meaning is not obvious - also encode,
encipher - (to be exact encoding is the process of translating entire words/phrases and
enciphering considers letters and symbols)
Decryption - reverse of encryption - also decode, decipher
Cryptosystem - system for en- and decryption
Plaintext - original form of message in unencrypted form
Ciphertext - encrypted form of message

Formally

C = E(P )  and  P = D(C) → we seek E, D  s.t. P = D(E(P ))

Cryptoalgorithm - set of rules how to en-/decrypt a message

Key - makes the algorithm depend on an extra value, formally: C = E(K, P )

Provides extra security and flexibility with an encryption scheme

Types:
1. Symmetric/Single-key/Secret-key encryption - en- and decryption keys are
the same; Formally: P = D(K, E(K, P ))

2. Asymmetric/Public-key encryption - keys come in pairs, one encrypts and

one decrypts, Formally: P = D(K , E(K , P ))
D E

Keyless cipher - Encryption scheme, that does not use keys

Cryptanalysis

wants to break an encryption

optimally also hopes to deduce the algorithm and the key, not just the message
No rules to achieving this - any action is fair play

Work factor

An encryption algorithm is breakable when, given enough time and data, an analyst
can determine the algorithm
An algorithm can be theoretically breakable, but practically infeasible (time constraints)
 Work factor - amount of effort needed to break an encryption (or mount a successful
attack)
An encryption is adequate if the work factor outweighs the value of the encrypted data

Symmetric and asymmetric cryptosystems

Symmetric
As long as the key is secret, the system provides authenticity - proof that the message
originates from the declared sender
If multiple people want to communicate in pairs, number of required keys grows in
2
O(n )

Thus it requires a means of key distribution

Tools: openssl, gpg, age

Stream and block ciphers

Stream encryption - each bit/byte of data in the stream is encrypted separately

e.g. ChaCha20, Salsa20
Upsides:
Can be applied immediately - fast
Low error propagation - error only affects one character
Downsides:
Low diffusion
Susceptibility to malicious insertions/modifications
Block cipher - encrypts a group of plaintext symbols as a single block
mostly uses AES
Upsides:
High diffusion
Immunity to insertion of malicious symbol
Downsides:
Slow encryption
Padding - final block must be filled with irrelevant data
Error propagation - all characters in the same block are affected

DES: The Data Encryption Standard

Developed by IBM in the 1970s for U.S. NIST, later called National Bureau of Standards
(NBS)
Encrypts blocks of 64 bits using a 56 bit key (last 8 are check digits)
16 iterations of substitution, permutation and key transformation
Controversial upon release
 In 1995 research begins for a stronger encryption algorithm (AES)

Double and triple DES

Required because of increasing computing power

Double DES

Takes two keys, and performs two encryptions: C = E(k 2 , E(k 1 , m))

However this is equivalent to the work factor of using a 57-bit key

Essentially doesn't increase security

Triple DES

Use 3 keys: C = E(k 3 , E(k 2 , E(k 1 , m)))

Strength roughly equivalent to a 112-bit key encryption

Minor variation (with the same name): C = E(k 1 , D(k 2 , E(k 1 , m)))

only requires two keys!

~ 80-bit strength

AES: Advanced Encryption System

Originally named Rijndael

Adopted for use in the U.S. in 2001

Overview

Fast and can be easily implemented on simple processors

Primary operations: substitution, transposition, bit shift, XOR, addition
Uses repeated cycles (in AES called "rounds") like DES: 10, 12 or 14 cycles for 128,
192 and 256 bit keys respectively
Each round consists of 4 steps
1. Byte substitution
2. Row shifting
3. Column mixing
4. Adding round key

Strength

The number of cycles can easily be extended

U.S. government approved

Asymmetric
Excels at key management (storing, safeguarding and activating keys)
 public keys can be revealed
less keys have to be remembered - only one public and one private per user
e.g. RSA, EdDSA, ElGamal, Diffie-Hellman, ECDH

Formally:

P = D(k P RI V , E(k P U B , P ))

And for some algorithms (like RSA) it also holds:

P = D(k P U B , E(k P RI V , P ))

The Rivest-Shamir-Adelman (RSA) Algorithm

Creators: Ronald Rivest, Adi Shamir, Leonard Adleman

Introduced in 1978

P = RSA(RSA(P , e), d) = RSA(RSA(P , d), e)

Long keys: at least 256 bits, but 1000-2000 bits preferred

Uses exponentiation - raise each plaintext block to a power (defined by e)
Encryption time O (e b
) , where b is the number of bits - slower than DES and AES
(x10,000)
Uses the factorization problem

Exchanging Secret Keys

Idea: Use public key cryptosystems to securely exhange symmetric keys

One way:

Alice Bob
Send pub_k_A

Send pub_k_B

Create sym_k and E(sym_k, pub_k_B)

Send half of E(sym_k, pub_k_B)

Confirm message

Send half of E(rand, pub_k_A)

 Send other half of E(sym_k, pub_k_B)

Decrypt E(sym_k, pub_k_B)

Send other half of E(rand, pub_k_A)

Decrypt E(rand, pub_k_A)

Send E(rand, sym_k)

Decrypt E(rand, sym_k)

alt [D(E(rand, sym_k)) matches rand]

Let's start talking!

Someone's eavesdropping, let's try again!

Alice Bob

Random value here called a nonce

Different method: Alice sends Bob

E(k P U B−B , E(k P RI V −A , K))

Slowness of asymmetric encryption avoided - only has to be en/decrypted once during

the exchange

Error Detecting Codes

Want to: guard against modification of data
Digest functions
Infrequent collisions
unpredictable → given an input, it is infeasible to find another which results in the
same output
cyclic redundancy check - detect errors in recording and playback
 error correction codes
can detect multiple-bit errors
may be able to pinpoint the changed bits

Parity
Simplest error detection code
Extra bit called fingerprint is 0 if sum of data bits is even, 1 if odd
Can only reveal the modification of a single bit
improved with more parity bits - but that increases the required storage size!

Hash Codes
Need a "seal" for a file → hash/checksum/message digest
Send checksum → if it doesn't match the computed one, request retransmission
Problem: malicious adversary can fix the detection value to match!

One-Way Hash Functions

Much easier to compute than their inverse

3 3
y = x  vs. y = √x

File Change Detection

One-way hash functions can help → no simple way of finding malicious modifications
that leave checksum intact
Tripwire utility program - integrity checks

Cryptographic Checksum

Cryptographic function producing a checksum

Prevents the attacker from
changing the data block (plaintext)
changing the checksum (ciphertext) to match
Uses: code-tamper protection, message-integrity protection in transit
Secure Hash Standard/Algorithm (SHS/SHA)
Defined by U.S. government

Signatures
Demonstrates authenticity
Cannot be forged
Pertains to a single file
 Must convince all who access the file and remain valid indefinitely

Components/Characteristics:
binary object associated with a file
Two primary conditions:
1. unforgeable - S signs message M with signature Sig(S, M ) and nobody else can
produce the pair [M , Sig(S, M )]
2. authentic - R receives the pair [M , Sig(S, M )] allegedly from S → R can check if
the signature is really from S and if the signature is firmly attached to M
Two additional desirable conditions:

3. unalterable - After transmission M cannot be changed by anyone

4. not reusable - Presenting the same message will be instantly detected

Public Keys for Signatures

E(M , K U ) - public key encryption for user U - privacy transformation

D(M , K U ) - private key transformation for user U - authenticity transformation
Under some asymmetric algorithms (e.g. RSA) it holds

D(E(M , K U ), K U ) = M = E(D(M , K U ), K U )

S wants to send M to R
1. Use authenticity transformation D(M , K S)

2. (optional) To add secrecy S can apply E(D(M , K S ), KR )

3. R decodes E(D(M , K S
), K S ) = M

4. Only S can create a message which makes sense under E(−, K S) → message is
authentic!
5. R saves D(M , K S
)

6. S alleges, that the message is a forgery

7. R publishes D(M , K S) and M
8. Anyone can verify E(D(M , K S
), K S ) = M (since E(−, K S
) is common knowledge)
→ unforgeable!

Certificates
We want to bind a public key to an identity

Kohnfelder: electronic certificate with a chain of authenticators

Merkle expands the concept
Public key and user identity bound together in a certificate
This is signed by a certificate authority

Hierarchical structure:
 Hierarchy not necessary, but! - at least trusted entity required

Digital Signatures
Consists of:

a file
a demonstration that the file has not been altered
indication of who applied the signature
validation of authenticity
connection of the signature to the file

Process:

1. Use a secure hash code of the file → include message digest - the file has not been
changed
2. Apply the signer's private key E(M , K P RI V −S
)

3. Add the indentifier of the signer, so receiver knows which public key to use

Technically only the message digest needs to be encrypted asymmetrically

If confidentiality is wanted, one can symmetrically encrypt the actual message and
include that in the message digest