Security in communications and
networks, the issue of (electronic)
identity
PA018
Vašek Matyáš
Major security enablers – critical
(infrastructure) applications
• Kerberos
• Public-key crypto based – certificates,
typically X.509 – SSH, SSL/TLS
• Shared-key crypto based – symmetric key
ciphers, hash functions
Key distribution (with indirect
authentication)
• Direct distribution
• Key distribution center (also generates the
key – following slide)
• Key transport center
A BEKAB(KS,…)
TTP - C
A B
EKBC(KS)
EKAC(KS)
Indirect authentication – key
distribution topologies.
TTP-managed
TTP - C
A B
Direct (pull/push)
TTP - C
A B
EKAC(KS)
EKBC(KS)
EKAC(KS, EKBC(KS))
EKBC(KS)
Kerberos
• Greek mythology – guardian to the entrance of
Hades (master of the Underground)
• MIT project Athena – MIT's UNIX-based campuswide
academic computing facility
Kerberos – threat model
• Users reading messages of other users
• Users replaying messages of other users
• Users altering a workstation network address
• Users impersonating themselves
Kerberos – approach
• Centralised authentication server
authenticating both users and machines
• Using symmetric-key techniques, no
public-key techniques
Kerberos
• Trusted third-party authentication service
• Key Distribution Center (KDC) grants
authentication tokens (“tickets”) to users
– Trusted, dedicated machine
• Applications can use Kerberos for:
– Data authentication
– Data integrity
– Data confidentiality
Kerberos used for applications
• telnet, rlogin, rcp, FTP, etc.
• Use Kerberos Protocol to exchange
authentication information
• Client application uses Ticket-GrantingTicket
to obtain service tickets from KDC
• May use session key to encrypt data
checksums (data integrity) or encrypt data
(data confidentiality)
Kerberos – important terms
– C = Client
– AS = authentication server
– V = server
– IDC = identifier of user on C
– IDV = identifier of V
– PC = password of user on C
– ADC = network address of C
– KV = secret encryption key shared by AS an V
– TS = timestamp
– || = concatenation
Kerberos – simple authentication
• C  AS: IDC || PC || IDV
• AS  C: Ticket
• C  V: IDC || Ticket
Ticket = EKv (IDC || PC || IDV)
Kerberos Tickets
• Ticket-Granting-Ticket
– Used to obtain further tickets
– Requires password or additional authentication from
user
– Lifetime in hours
• Service Tickets
– Issued to user from KDC
– User can not decrypt ticket
– User passes ticket to authenticate to server
Kerberos
• Simplified version of the protocol
– L – ticket lifetime
– Def.: ticketB = EKBT(k, “A”, L), auth = Ek(“A”, TA)
– (1) A → T: “A”, “B”, nA
– (2) A ← T: ticketB, EKAT(k, nA, L, “B”)
– (3) A → B: ticketB, auth
– (4) A ← B: Ek(TA)
(1)
(2)
(3)
A B
¨T
(4)
Kerberos Tickets (Credentials)
• Partly encrypted data structures
– client ID
– server ID
– timestamp
– session key
– encrypted part (session key, client info, timestamp)
• Passed the way KDC  client  server
• Encrypted with the key of intended recipient
Kerberos – time vs. replay issue
• The threat: an opponent steals a ticket and
uses it before its expiry time
• Lifetime of the ticket-granting ticket
– Too short  frequent ticket requests
– Too long  greater risk of replay attack
Tickets
• Ticket-Granting Ticket – get once per logon
• Service-Granting Ticket – get then once
before first use of a service (usually in a
given logon session)
• Authenticated Service Request – once per
(service) session
Kerberos(v4) Authentication Process
Authentication Service Exhange – To obtain the Ticket-Granting Ticket
1) C  AS: IDC || IDTGS || TS1
2) AS  C: EKc (KC,TGS|| IDTGS || TS2 || Lifetime2 || TicketTGS)
Ticket-Granting Service Echange – To obtain the Service-Granting Ticket
3) C  TGS: IDV || TicketTGS || AuthenticatorC
4) TGS  C: EKc (KC,V|| IDV || TS4 || TicketV)
Client/Server Authentication Exhange: To Obtain Service
5) C  V: TicketV || AuthenticatorC
6) V  C: EKc,v (TS5 +1)
Kerberos today
• Currently two broadly used versions:
• 4 - restricted to a single realm (domain)
• 5 - allows inter-realm authentication
• Kerberos v5 is an Internet standard (RFC4120, partly
updated by RFCs 4537, 5021)
• MSFT implementation (since Windows 2000)
Secure Sockets Layer / Transport Layer Security
What is SSL/TLS?
• Protocols providing security and reliability
• Protecting communication of two applications
• Running over standard protocols like TCP
• SSL – developed by Netscape, supported also
by Microsoft…
• TLS – IETF standard (sometimes called SSL
v3.1)
• Transparent for higher-level protocols like
HTTP
• Using PKI and X.509 certificates
What security SSL/TLS provide?
Three basic security services:
 Entity authentication – the entities are authenticated
using server and client certificates.
 Integrity – message authentication code (MAC) which
ensures the data received is same as the data sent.
 Confidentiality – after the initial "handshake", a symmetric
key is defined and used to encrypt all subsequent
communication (even checked passwords, etc.).
Concepts of SSL/TLS
• Record Protocol
–The basic layer of the protocol.
–Works over TCP/IP (or other transport protocol).
–Allows for encapsulation of different higher level
protocols (HTTP, FTP, telnet, etc.) which run unmodified.
• Handshake Protocol
–Allows the server and client to authenticate each other.
–By default, server authentication is mandatory, client
authentication optional.
–Authentication through presentation of digital certificates.
• And verification of the ability to use the related private key!
… more detail
• Establish Session
– Send random challenge value, accept public key.
– Verify signed challenge.
– Deliver session key protected by recipient’s public key.
• Communicate Protected Data
– Encrypt data using agreed cipher and the session key.
– Produce hash regularly to protect integrity.
– Data packed into sequenced records.
• (Change Cipher - optional)
• Finish Session
• http://tools.ietf.org/html/rfc5246 (partial update by
RFC5746 in Feb 2010)
Intrusion Detection Systems
• Intrusion – activity aimed at disrupting or
circumventing a service within an
organization’s system
– Not Intrusion Prevention(?) Systems 
• Also penetration, breach (, attack)
• Technical methods
– Not social engineering
IDS Principles
• Anomaly detection
– Unusual pattern (as
compared to typical
user/system behavior).
– False positives!
• Misuse detection
– Pattern of intrusion(like)
behavior
– False negatives!
Combine these two approaches!
IDS Topologies
Network-based
• Checking network traffic
• Use raw network packets.
• Typically a network
adapter running in
promiscuous - monitoring
and analyzing all traffic.
• Responses like admin
notification, connection
termination, session
recording (for forensic
analysis), other detailed
evidence collection.
Host-based
• Checking machines (log files,
etc.).
• Started in 80s – log file
review.
• Typically monitor system,
event, and security logs on
WinNT and syslog on Unix.
• Also critical file checksum
control, response time, port
activities.
• Responses analogous…
Combine these two approaches!
Secure SHell
• SSH
• http://www.ssh.com/
• Non-commercial
downloads
• WinSCP
• http://winscp.sou
rceforge.net/eng/
• WinSCP
Email Security
• Postcard-like service
• (X.400)
• PGP (Pretty Good Privacy)
• S/MIME (Secure Multipurpose Internet
Mail Extension)
S/MIME messages
 Combinations of two separately defined formats
– (1) MIME entities
– (2) Cryptographic Message Syntax (CMS) objects
 S/MIME entity formats
– one for enveloped (i.e., encrypted) – provides confidentiality
and key distribution services
– two for signed – each provides integrity and data origin
authentication services
– nested combinations of signed and encrypted formats
– may nest in any order to any “reasonable” depth
– multiple nesting is used to construct S/MIME Enhanced
Security Services
Firewalls
• Protect against attacks from the outside
(across the firewall)
• Attacks against internal data
• Denial-of-service attacks
• Communication options:
1. Allow
2. Deny
3. Translate (Proxy)
Basic options – firewalls
TCP/UDP Allow/Deny Packet filtering
(routers)
TCP A/D/Translate Circuit-gateway
(trust inside)
HTTP, FTP… A/D/T Applic.-gateway
Closely related topics – to be
discussed later.
• Firewalls and network security
– Guest lecture next week – Josef Pojsl,
Technical Director, Trusted Network Solutions
Identity
in computer and communication systems
M.C. Escher,
also later in the talk
Agenda
• Learning from mistakes
• Authentication in computer systems
• Identity – personal, in computer systems
• Information privacy
• Case 1 – Passwords
• Case 2 – User control
• Conclusions
• Reading
Diffie-Hellman(-Merkle) protocol,
man-in-the-middle attack
Alice
x
Bobαx mod p
y
αy mod p
αxy’ mod p αx’y mod p
Eve
x’
αx’ mod p
y’
αy’ mod p
αx’y mod p
αxy’ mod p
Alice believes that she communicates with Bob, and vice versa; Eve reads and
possibly can modify passing messages.
To avoid this attack – ensure that they are indeed using each other's public keys.
Needham-Schroeder public-key
protocol, man-in-the-middle attack
1. A  E : PE(NA , A)
2. E  B : PB(NA , A)
3. E  B : PA(NA , NB )
4. A  E : PA(NA , NB )
5. A  E : PE(NB )
6. E  B : PB(NB )
B believes that
– He communicates with A
– NA and NB are known only to A and B.
To avoid this attack, B has to be more explicit in step 3(2), i.e.
PA(NA , NB , B). Attack due to G. Lowe, 1995.
“Attacks” on SSL
• Man-in-the-middle is an evergreen
– Most recent 2009, due to Moxie Marlinspike
– Build often on poor check of public-key certificates by users
– …or problems with inconsistent public-key certificate check
by browsers or servers
– …or favorite icon display in the URL bar
– …or abusing layers of indirection (HTTP to HTTPS)
• Public-key certificates overloaded – attribute certificates
• Issues beyond technology – adequate precautions, from
both a legal and a personal view
Recent attacks on Chip & PIN
Problem of untrustworthy terminal – authentication failure
• either with unauthorized wireless broadcast
• or with unauthorized device between the card and reader
– device  PINpad : card authentication check OK
– card  device  PINpad : cryptogram indicating PIN check failure
– PINpad  bank : card auth. check OK, cryptogram with PIN check failure
– bank  PINpad : sale is OK (signature authorization assumed)
Agenda
• Learning from mistakes
• Authentication in computer systems
• Identity – personal, in computer systems
• Information privacy
• Case 1 – Passwords
• Case 2 – User control
• Conclusions
• Reading
We grow…
• Every year we add
– Nearly 200 million new “standard” computers
– Over 50 million cars
– Average car has got about 50 CPUs built in
– About 1 billion new mobiles
– Over 5 billion chip cards (almost 90% with CPU)
– Add PDAs, e-passports and other RFIDs, sensor nodes,
trains, planes, home appliances, …
• Mobile phone subscribers – 4.5 billion (2009)
– 1 billion in 2002
– GSM networks operate in more countries and other
territories than the UN recognizes (192 cf. 219)
Entity authentication
• Differs from message/data authentication
– Timeliness guarantee for entity authentication
• Claim/verification of identity in real-time
• Importance of time-variant parameters
– Transferred data is of little value afterwards
• Unilateral / mutual
• Secret-based authentication
– Weak
– Challenge-response
– Zero-knowledge
Knowledge of secret key  identity
• For shared-key crypto based on
– trust in the party the key is shared with
– Authentication ~ Ability to en-/de-crypt or MAC
• For public-key crypto based on
– trust in the party possessing the private key and
– trust in link between the public key and other data
– Authentication ~ Ability to sign or decrypt messages
Entity authentication protocol
1. At least one of the honest parties is able to
successfully authenticate itself
2. The verifier cannot reuse the authentication
exchange to impersonate the claimant to 3rd party
3. Negligible probability of an attacker to play the
role of the claimant
4. Point 3 is true if is a (polynomially) large number
of past exchanges has been observed by the
attacker
Biometrics –
Identification vs. Authentication
Determination of a
person’s identity. (1:N)
“Positive authentication”
Hard to achieve
– Small user groups.
– Low accuracy.
– Exception: iris scan.
Verification of a person’s
identity claim. (1:1)
Easier than identification.
User group size – accuracy!
Agenda
• Learning from mistakes
• Authentication in computer systems
• Identity – personal, in computer systems
• Information privacy
• Case 1 – Passwords
• Case 2 – User control
• Conclusions
• Reading
Identity
• Multidisciplinary challenge – Philosophy, Law,
Technologies, Social Sciences, Mathematics, Biology,
Informatics…
• Major evolutions
– Social changes (war, taxes and state, travel)
– Law (virtual persons came well ahead of IT – Nondum
Conceptus, Nascirtus)
– Technology (data processing, Internet, ambient intelligence)
• Idem – sameness asserted in difference to others –
similarity and continuity
• Ipse – selfhood – human subject, I/me
Personal identity
– Biological
– Psychological
– Social
• Criminology assumes that identity of a person does not
change with time
• Identification
– Internal
– External
• Need for better identification – surnames … ID #s
– Shanghai with 8 mil. people using 408 surnames, all China
registering 3,100 surnames and Chinese Top 5 (Zhang, Wang,
Li, Zhao, Chen) used by 350 million people
Wikipedia – Identity – Computer Sci.
• Identity – object-oriented programming – describes the property of
objects that distinguishes them from other objects
• Identity column – database field that uniquely identifies every row in
the table and is made up of values generated by the database
• Federated identity – assembled identity of a person's user information,
stored across multiple distinct identity management systems
• Digital identity – representation of a set of claims made by one
digital subject about itself or another digital subject
• Identity management – administrative area that deals with identifying
individuals in a system and controlling access to resources by
placing restrictions on them
• Online identity – social identity that an internet user establishes in
online communities and websites
Multiple facets of identity
Name
Address
Income
Birthday
Birthplace
Father name
Mother name
Phone # 1
Phone # 2
Phone # 3
Driving license info
Tax #
Bank account #
Credit rating
Car license #
School certificate info
Univ. degree cert. info
E-mail address 1
E-mail address 2Biometric info
Categorization of attributes
• Domain – work, education, health, government
• Functional – identification, location, social group,
biological, psychological-personal
• Temporal
– Permanent-given – sex, eye colour, parents, DoB,…
– Permanent-acquired – qualification, behavioural,…
– Persistent-situations – address, marital status,…
– Transient – location, haircut, clothing,…
Problems of Personal Identity
(Stanford Encyclopedia of Philosophy)
• Who am I?
• Personhood - What is it to be a person?
• What am I?
• How could I have been?
• Persistence
• Evidence
• Population
• What matters in identity?
Personal identity – critical issues for IT
• Imperfection of the representation of the
external view
– we “reduce” a person to attributes and
– often then the attributes farther to their digital
representation
• Control of the attributes/information
– Some by the person/subject
– Some by institutions (government, insurance…)
Lessons from distributed systems
• Pure names (IDs)
– Of little use in distributed systems
– One must know where to look them up
– Directory services become critical
• Centralized systems had some idea of the name set size
• Distributed systems
– Good design assumes the opposite
– Assume indefinite # of machines, each with a
lookup/directory service of indefinite size
• Prominent feature – measures to avoid (=resolve)
confusion by accidental non-uniqueness of naming
• Uniqueness control – hierarchy (divide and conquer)
– Such hierarchy must reflect reality (mgmt. / communication)
Identity and attributes – issues/crime
• Identity collision – accidental wrong link
• Identity change – intentional wrong link
– Identity delegation – with consent
– Identity takeover – without consent
– Identity exchange
– Identity creation
• Identity obstruction – link is deleted
• Identity restoration – link is restored
• Identity “theft” = takeover, “fraud” = fraud
Personal data (European legal view)
• Any data concerning identified or identifiable
data subject
• Data subject is identified or identifiable if
his/her identity can be directly or indirectly
determined from one or more personal data
(items)
• This holds true only if the effort to determine
identity does not consume overly high time,
effort or material resources
Agenda
• Learning from mistakes
• Authentication in computer systems
• Identity – personal, in computer systems
• Information privacy
• Case 1 – Passwords
• Case 2 – User control
• Conclusions
• Reading
Pfitzmann, Hansen et al. approach
• A terminology for talking about privacy by data
minimization: Anonymity, Unlinkability, Undetectability,
Unobservability, Pseudonymity, and Identity Management
• Gradually (over 9 years) amalgamated document
• Usual message system (sender, network, message,
recipient) setting
• Attacker’s point-of-view
– Also with attacker’s active participation
– Yet disregarding the message content
• See Common Criteria (CC) for some comparisons
Identifiability, identity
• Possibility that an attacker can sufficiently
identify the subject within a set of subjects, the
identifiability set
• Identity is any subset of attributes of an individual
which uniquely characterizes this individual
within any set of individuals
– Usually there is no such thing as “the identity”, but
several of them
• Partial identity – a subset for specific role or
context or community
Identity and partial identities
Name
Address
Income
Birthday
Birthplace
Father name
Mother name
Phone # 1
Phone # 2
Phone # 3
Driving license info
Tax #
Bank account #
Credit rating
Car license #
School certificate info
Univ. degree cert. info
E-mail address 1
E-mail address 2Biometric info
Digital identity
• Attribution of values to an individual person,
with immediate operational access to the
values by technical means
• Identity management – managing partial
identities (pseudonyms) of an individual
person, i.e., administration of identity
attributes
Anonymity, anonymity set
• Anonymity – the state of being not
identifiable within a set of subjects, the
anonymity set
– Not identifiable = not uniquely characterized
within
• Anonymity set – subset of all subjects who might have
undertaken a certain action (e.g., sent a message)
• Larger anonymity set => stronger anonymity
Pseudonymity
1. Being pseudonymous is the state of using a
pseudonym as ID
2. Pseudonymity is the use of pseudonyms as IDs
• Greek “pseudonumon” = “falsely named”
(pseudo: false; onuma: name)
– Also a suggestion to consider this being a mapping from
“real name” into another name
– ... tricky(!) – is it the “another name” or the mapping?
• Pseudonymization – de-identification (label
change) of data for data protection
Digital pseudonym (accountability)
• A bit string which, to be meaningful in a certain
context, is
– unique as ID (at least with very high probability)
– suitable to be used – w.r.t. a particular community
(size) – to authenticate the holder and his/her
action(s), e.g., message(s) sent
• Using digital pseudonyms, accountability can be
realized with pseudonyms
Pseudonymity & linkability
• public pseudonym (link always publicly known)
• initially non-public pseudonym (link initially only known to
certain parties)
• initially unlinked pseudonym – only holder knows
Reputation & resolving problems:
– third parties (identity brokers) have a way to reveal the civil
identity of the holder in order to provide means for investigation
or prosecution
anonymity
pseudonymity
accountability
Linking evidence through pseudonyms
• Evidence (context information):
– Too little – limited trust level being achieved
– Too much – potential breach of privacy
• Users use a number of pseudonyms
(identities/aliases)
– And reveal links between them as it suits (for a gain
of some kind)
• Parties involved can combine their data and so
breach privacy of their clients
PATS proposal
• Goal: find the best link between two vertices
– e.g., event anonymity – user and event IDs
• The graph represents attacker’s knowledge (context
info) at a given time
• Introduce all context info as vertices
• Edges – probability weights of vertices’
connection/relation (linkability)
• Normalization of the graph
– User IDs don’t link directly (only through other context info)
– Same for service IDs
– Edge weights (introducing domains of vertices)
Use of pseudonyms
• More flexibility for both system designer and user than
with anonymity
• Can lead to different pseudonyms implied by different
sets of evidence
• Yet issue of mutual linking for distinct pseudonyms
– With temporary links possibly desirable in case of need to
achieve higher trust/reputation level. (Temporary in the sense
of user privacy protection interest.)
• System parameter: How hard it is to create a new
pseudonym with good (enough) reputation?
Agenda
• Learning from mistakes
• Authentication in computer systems
• Identity – personal, in computer systems
• Information privacy
• Case 1 – Passwords
• Case 2 – User control
• Conclusions
• Reading
Passwords
Human memory vs. security
(short easy-to-guess string vs. long complicated string)
• Dictionary attacks
– Today combinations of up to 8 characters
– Common words and user-related values,
permutations, substitutions, etc.
– Usual success rate 20-40%
Password quality checker
• Critical question: How good is my password?
• PGP – meter with instant response (not
suitable – for passphrases)
• Securecode.net – online strength meter –
after the password is entered
• Lotus Notes (password policy setting, then
Y/N responds w.r.t. the setting)
Our design
• Users see how good (in 0-100%) their
password is – unlike typical Y/N response
– Password length (set starting value – 0 for 1,…
100 for 8) – then multiply
– Alphanum. types (0.1 for 1, 1.0 for 4)
– Distinct chars (0.01 for 1,… 1.0 for 5)
– Dictionary checks (with modifications,
substitutions, etc.) – 0.1 for each “hit”
• Improvement (20-person sample) from
17% to 75% after education & illustration
Agenda
• Learning from mistakes
• Authentication in computer systems
• Identity – personal, in computer systems
• Information privacy
• Case 1 – Passwords
• Case 2 – User control
• Conclusions
• Reading
Payment device interface
• Under customer control
• Enables verification of the transaction
independently of the PINpad
Project “supertoken”
• Requirements:
– Standard protection of authentication data
– Secure use in insecure devices (PC, PINpad)
• Architecture:
– two logical rings of protection:
• Crypto (smartcard) chip and data storage
• Independent access control (to the chip)
– Access control
• Direct user interaction
• Independent I/O unit integrated within the token
New token – “check&sign”
• Supertoken extends the smartcard by
– USB token
– External display (PDA, phone)
• USB token
– Controls the data flow between the smartcard and payment
device (computer, PINpad)
– Displays critical transaction info (amount, account #, etc.)
• Customer
– Checks and confirms the validity of displayed data before the
signature (cryptogram) is sent to the device
• Alternative – keyboard integrated “type&sign” version
Conclusions – minimize risks
0. For authentication protocol designers
– Be as explicit as possible (R Needham) & bind
exchanges well
– Have fallback procedures & resources
1. For system designers
– Assume that you don’t know the # of users
– Be ready for accidental non-uniqueness of naming
2. Privacy is not only about data confidentiality,
but namely about links between data items
3. Users should have (just) enough and reliable
information when authenticating & making
decisions
Thank you for your attention!
…and I should not forget the reading on the next slide…
Reading for the 3rd and 4th weeks
• A Pfitzmann, M Hansen et al., A terminology for talking
about privacy by data minimization: Anonymity,
Unlinkability, Undetectability, Unobservability,
Pseudonymity, and Identity Management.
– Online at TU Dresden:
– http://dud.inf.tu-dresden.de/Anon_Terminology.shtml