Security 101 @ JAX 2014

Our introductory talk on (IT-) security, together with Tobias Hahn (security guru from Fraunhofer SIT)

@gernotstarke, @FraunhoferSIT

Dr. Gernot Starke

May 15, 2014

Transcript

  1. Disclaimer
     - Topic too large – needed to unduly shorten
     - Too many dimensions – needed to unduly focus
  2. WEDNTKASOTS*
     - NEVER build it yourself!
     - ...people smarter than you will surely find bugs and exploit them!
     * What Every Developer Needs To Know About Security On Two Slides!
  3. WEDNTKASOTS*
     - Always assume others are smarter than you!
     * What Every Developer Needs To Know About Security On Two Slides!
  4. Security...
     - Covers assets, values, risks...
       - ...and their protection
     - Assets (data, things, people)
       - ...get damaged, are stolen
       - ...are illegally modified
  5. (IT-) Security?
     1. Confidentiality (Vertraulichkeit)
     2. Integrity (Unverfälschtheit, Echtheit)
     3. Availability (Verfügbarkeit)
     4. Non-Repudiation (Nicht-Abstreitbarkeit)
  6. The road less traveled by
     - Attackers can use different paths (vectors)
     - Each vector has individual risks and costs for attacker and victim
  7. Real-World vs IT Attacks
     - In RW, attacker needs to visit target.
     - In IT, attacks happen from everywhere.
  8. Authentication
     - Process of confirming a given identity
       - "you are who you say you are"
     - Most widely used: username + password
     - Different factors can be used:
       - Knowledge factors: Password, PIN
       - Ownership factors: Security token, SmartCard, CellPhone
       - Inherence factors: Biometric identifiers
     - Multi-factor authentication: Combination of factors
       - E.g. online banking with username + password and SMS-TAN
  9. Authorization
     - After user has been authenticated
     - Grants a set of permissions
     - Different mechanisms available:
       - Access-control lists, attached to resource objects
       - Capabilities: uses unforgeable tokens of authority
     - Assignment of permissions should follow the "principle of least privilege"
  10. Encryption!

      Awgb Dimouszt Hlzbus wly o Szbauss sokpxtmttiwrv, evsinooe, kkfbtltocgla, mno icdxnaqr diwvvmpet. Sk kra apshwe wenebqneooc qg ate okjvthwyeyz cw khtbuekf jkblzcp, vffdbkunr g tfzfhxidghzwg vr tsk qfvvlbtd ut "rtzvdiena" rvw "jamaahrbbvz" wtzv kpx Agrttu divounp. Ziiqgn us horvtr jandorvzxk fo mk hym yhfhpx cw khtbuekf jkblzcp gbu ikauftiwrt bufewrwxmgjq. Dfxweo Pvdlo Coi QB, Agrttu nwkrqd quf kpx Navpxbdmga Oook oel Vfbhpx Gtphvx (GNIG) rb Usqtnnzvg Ihdk, Mxwkibu'e czjsszxhwiym qvvmyq. Fzx o kqfl te hgg ymtk af Sah 8, kpx zqceoce zxzboyywstx mar Rkfdig umvlr qigiamnlrmjql. Oq dpbwjmw h zuxhsi wy aqcstwhcxz roc hfvidpzg Rkfdig jupskfj, qgjxuoobx bal yeencu wy ate muasm, tu qlpihiwflohltwtie tmcsobv bahf czazu nbup spzhzvzz roc zvv Mgpsml sotpbuq. Aqzsi bal iac ns ...

      Alan Mathison Turing was a British mathematician, logician, cryptanalyst, and computer scientist. He was highly influential in the development of computer science, providing a formalisation of the concepts of "algorithm" and "computation" with the Turing machine. Turing is widely considered to be the father of computer science and artificial intelligence. During World War II, Turing worked for the Government Code and Cypher School (GCCS) at Bletchley Park, Britain's codebreaking centre. For a time he was head of Hut 8, the section responsible for German naval cryptanalysis. He devised a number of techniques for breaking German ciphers, including the method of the bombe, an electromechanical machine that could find settings for the Enigma machine. After the war he worked at the...
  11. Symmetric Crypto
      - SAME key for encryption and decryption
      - Key needs to be exchanged between sender and receiver!
      - Diagram: Sender, plaintext "I am not an encrypted message" → Encryption → ciphertext "z&7we ?kncx quopa eo9tn r$+9s %cupn" → Decryption → Receiver, plaintext "I am not an encrypted message"
  12. Vigenere-Cipher!

      Awgb Dimouszt Hlzbus wly o Szbauss sokpxtmttiwrv, evsinooe, kkfbtltocgla, mno icdxnaqr diwvvmpet. Sk kra apshwe wenebqneooc qg ate okjvthwyeyz cw khtbuekf jkblzcp, vffdbkunr g tfzfhxidghzwg vr tsk qfvvlbtd ut "rtzvdiena" rvw "jamaahrbbvz" wtzv kpx Agrttu divounp. Ziiqgn us horvtr jandorvzxk fo mk hym yhfhpx cw khtbuekf jkblzcp gbu ikauftiwrt bufewrwxmgjq. Dfxweo Pvdlo Coi QB, Agrttu nwkrqd quf kpx Navpxbdmga Oook oel Vfbhpx Gtphvx (GNIG) ...

      Alan Mathison Turing was a British mathematician, logician, cryptanalyst, and computer scientist. He was highly influential in the development of computer science, providing a formalisation of the concepts of "algorithm" and "computation" with the Turing machine. Turing is widely considered to be the father of computer science and artificial intelligence. During World War II, Turing worked for the Government Code and Cypher School (GCCS)...
  13. Breaking Secret Ciphers (2)
      - Ciphertext-only attack: know nothing, just guess key
      - Known-plaintext attack: know part of plaintext
      - Chosen-plaintext attack
      - Always assume the opponent knows the crypto algorithm.
  14. Breaking a Cipher (3a)
      - Flowchart: Choose next decryption key → Try to decrypt → Match result against dictionary → Many hits?
        - YES: done
        - No: back to choosing the next decryption key
  15. Breaking a Cipher (3b)
      - Flowchart: Choose next decryption key → Try to decrypt → Match result against dictionary → Many hits?
        - YES: done
        - No: back to choosing the next decryption key
      - Annotation: With specific algorithm
  16. Ingenious! Asymmetric Crypto (1)!
      - Plaintext: "A message that needs to be sent from ALICE to BOB and kept secret"
      - Encrypted with Bob's public key
      - Ciphertext: aarkwuv78 plv8yr40l1t ejjfurlolkhu ekcjm9808 3nm
      - Decrypted with Bob's private key
      - Plaintext: "A message that needs to be sent from ALICE to BOB and kept secret"
  17. Ingenious! Asymmetric Crypto (2)!
      - "A message that needs to be sent from ALICE to BOB and kept secret"
      - Signed with Alice's private key
      - aarkwuv78 plv8yr40l1t ejjfurlolkhu ekcjm9808 3nm
      - Verify signature with Alice's public key
      - "A message that needs to be sent from ALICE to BOB and kept secret"
  18. Ingenious! Asymmetric Crypto (7)!
      - Problem: How can you verify that the public key from the server is the actual key of the recipient?
      - Solutions: Web of trust (PGP), digital certificates (PKI), verification of fingerprint over other trusted channels (phone)
      - Want to try encrypted email right now?
        - https://encrypt.to/0x50610A4A (TH)
        - https://encrypt.to/0x8C5CC3AE (GS)
  19. Hybrid Cryptosystems
      - Combine public-key and symmetric-key crypto
        - public-key to encrypt symmetric key
        - symmetric key to encrypt data
      - Used e.g. by PGP and SSL/TLS
  20. Math background (1)
      - RSA: Factoring large integers
      - Best publicly known factorization of general number form: RSA-768 in 2009 (768 Bits, 232 decimal digits)
        - Using the NFS-Algorithm
        - Equivalent of 2000 years of computing on 2.2GHz single core
  21. Math background (2)
      - DH: Finding discrete logarithms in groups
      - Current record over integers mod p: 530-bit using NFS (2007)
      - Current record over EC: 112-bit using Pollard-rho algorithm (2009)
        - 200 PS3 over 6 months
  22. Random values and entropy
      - Keys used in crypto MUST be random
        - Without sufficient entropy, key could be predictable
        - Would reduce effort needed to break the key
      - Random vs. Pseudorandom
        - "True" random numbers based on physical phenomena
        - Pseudorandom: Computation of apparently random results, starting from initial value (seed)
  23. The story of Dual_EC_DRBG (1)
      - Supposed to be a Cryptographically Secure Pseudo Random Number Generator
      - Published as Draft in 2004, allegedly influenced by NSA
      - Included by RSA as default in the BSAFE crypto lib in 2004
      - Allegedly, NSA paid $10 million to RSA in 2004 for this
      - Weakness found in 2007, might have been inserted by the NSA
      - Removed from NIST recommendations 2014
  24. The story of Dual_EC_DRBG (2)
      - By knowing a set of "secret numbers", the internal state of the PRNG could be calculated
      - Requires the attacker to be able to access the output of a single round
      - SSL/TLS vulnerable → Cryptographic nonce sent in clear text during connection setup (in SSL Client Hello)
      - "To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol." Bruce Schneier
  25. Passwords
      - Used for authentication for a very long time
        - Watchwords in the Roman military
      - Should be easy to remember, yet hard to guess, and should not be reused for different accounts
      - Easy, right?
      - Top three passwords 2013: "123456", "password", "12345678"
      - Entered by user, sent to and verified by server
  26. Passwords and hashing
      - Passwords should never be stored in clear text on the server
      - Solution: Server stores the password hash. Login verified by hashing password entered by user and comparing to database
  27. Attacks on password-based systems
      - Online: using website authentication field
        - Made harder by lockout / slow connections
      - Offline: using previously stolen/leaked password database
        - Made harder by using slow hashes and salts
      - Brute force
      - Dictionaries
      - Hash tables, rainbow tables
  28. Hash functions
      - Hash functions map input of arbitrary length to output of fixed length
      - "Easy" to compute, infeasible to revert, resistant to collision and preimage attacks
        - Collision: two inputs with the same hash value
        - Preimage attack: find a message with a certain hash value
      - Countermeasures to the attacks mentioned earlier:
        - Salt: random nonce, appended to password hash
        - Slow hash functions (e.g. bcrypt)
  29. Perfect Forward Secrecy
      - Property of key exchange algorithms
      - Compromise of long-term keys in the future will not allow access to session keys from the past
      - Without PFS, if an attacker stores encrypted communications, and manages to somehow get access to the server key, he will be able to decrypt all stored communications
      - Compromise of server keys can occur in many different situations (hackers, judicial authorities)
      - Provided by DHE or ECDHE, not provided by RSA
  30. The Heartbleed bug
      - Bug in the OpenSSL implementation of the TLS HeartBeat mechanism, resulting from simple coding error
      - An attacker can request that a running TLS server hand over a relatively large slice (up to 64KB per request) of its private memory space
      - Attack leaves no traces on the vulnerable system
      - Code committed in Dec 2011, released in Mar 2012, bug made public and fixed in April 2014
      - CloudFlare Challenge: private key leaked after 100k requests
  31. Trust No One - Principle
      - Or at least be careful about whom you trust
      - Confidentiality not automatically provided by "military-grade-encryption"
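
Added example (not part of the original deck) for slides 12 to 15: a known-plaintext attack on the Vigenère ciphertext shown on the slides, followed by the "match result against dictionary" check from the flowchart. The ciphertext and crib are copied from slides 10 and 12; the small dictionary and all function names are constructed for this example.

```python
import string

# Copied from slides 10 and 12: ciphertext and the start of its plaintext.
CIPHERTEXT = "Awgb Dimouszt Hlzbus wly o Szbauss sokpxtmttiwrv, evsinooe, kkfbtltocgla"
KNOWN_PLAINTEXT = "Alan Mathison Turing was a British"  # the known part ("crib")

# Constructed mini dictionary for the "many hits?" decision of slides 14/15.
DICTIONARY = {"alan", "turing", "was", "a", "british",
              "mathematician", "logician", "cryptanalyst"}

def letters(text):
    """Upper-cased A-Z letters only; spaces and punctuation do not consume key."""
    return [c for c in text.upper() if c in string.ascii_uppercase]

def recover_key(ciphertext, crib):
    """Key letter = ciphertext letter - plaintext letter (mod 26)."""
    stream = "".join(chr((ord(c) - ord(p)) % 26 + 65)
                     for c, p in zip(letters(ciphertext), letters(crib)))
    # The key is the shortest prefix whose repetition reproduces the stream.
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]

def decrypt(ciphertext, key):
    """Vigenère decryption that preserves case, spaces and punctuation."""
    out, i = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = 65 if ch.isupper() else 97
            shift = ord(key[i % len(key)]) - 65
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def dictionary_hits(text):
    """Count words of the candidate plaintext that appear in the dictionary."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(w in DICTIONARY for w in words)

if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, KNOWN_PLAINTEXT)
    candidate = decrypt(CIPHERTEXT, key)
    print(key, "|", candidate, "| hits:", dictionary_hits(candidate))
```

Six known words are enough to expose the whole repeating key, which is why such ciphers offer no protection once any plaintext is predictable.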
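
Added example (not part of the original deck) for slides 26 to 28: storing and verifying password hashes, with a fast unsalted hash beside a salted slow one. PBKDF2 from the Python standard library stands in for the bcrypt named on slide 28; the iteration count, user names and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: work factor chosen for this example

def weak_hash(password):
    """Fast, unsalted hash: equal passwords give equal hashes (table lookups work)."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Salted slow hash; the salt is random per user and stored next to the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Login check from slide 26: hash the entered password, compare to the database."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

def shared_hashes(stored):
    """Number of stored hash values used by more than one account."""
    values = list(stored.values())
    return sum(1 for v in set(values) if values.count(v) > 1)

# Constructed user table; two users picked the top password from slide 25.
USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse"}

def build_weak_db():
    return {user: weak_hash(pw) for user, pw in USERS.items()}

def build_salted_db():
    return {user: hash_password(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("shared hashes, unsalted:", shared_hashes(build_weak_db()))
    db = build_salted_db()
    print("shared hashes, salted:  ", shared_hashes(db))
    salt, digest = db["alice"]
    print("alice login ok:", verify_password("123456", salt, digest))
```

In the unsalted table one precomputed entry for "123456" exposes both accounts; with per-user salts each record has to be attacked separately, at the cost of the slow hash per guess.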