Sunday, 20 December 2020

OS: Authentication and Authorization

 

Authentication:

o   Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents or verifying the authenticity of a website with a digital certificate.

o   In computer science, verifying a user's identity is often required to allow access to confidential data or systems.

o   Authentication can be considered to be of three types:

o   The first type of authentication is accepting proof of identity given by a credible person who has first-hand evidence that the identity is genuine.

o   The second type of authentication is comparing the attributes of the object itself to what is known about objects of that origin.

o   In art and antiques, certificates are of great importance for authenticating an object of interest and value.

o   The third type of authentication relies on documentation or other external affirmations.

o   In computer science, a user can be given access to secure systems based on user credentials that imply authenticity. A network administrator can give a user a password, or provide the user with a key card or other access device to allow system access. In this case, authenticity is implied but not guaranteed.

 

Authentication factors:

The ways in which someone may be authenticated fall into three categories:

1.     Something the user knows,

2.     Something the user has, and

3.     Something the user is.

o   Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.

 

o   The three factors (classes) and some of the elements of each factor are:

 

1.    The knowledge factors:

Something the user knows (e.g., a password, partial password, pass phrase, personal identification number (PIN), challenge response (the user must answer a question, or pattern), or security question).

2.    The ownership factors:

Something the user has (e.g., wrist band, ID card, security token, implanted device, cell phone with built-in hardware token, software token, or cell phone holding a software token)


3.    The inherence factors:

Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifier).


o   Single-factor authentication:

As the weakest level of authentication, only a single component from one of the three categories of factors is used to authenticate an individual’s identity. This type of authentication is not recommended for financial or personally relevant transactions that warrant a higher level of security.


o   Multi-factor authentication:

Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are). Two-factor authentication is a special case of multi-factor authentication involving exactly two factors.

For example, using a bankcard (something the user has) along with a PIN (something the user knows) provides two-factor authentication.


o   Authentication types:

 

1.    Strong authentication: It is defined as a layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information.

2.    Continuous authentication: Authentication systems built on behavioral biometric traits are known as active or continuous authentication systems.

3.    Digital authentication: The term digital authentication, also known as electronic authentication, refers to a group of processes where the confidence for user identities is established and presented via electronic methods to an information system. It is also referred to as e-authentication.


Authentication vs. Authorization:


| BASIS FOR COMPARISON | AUTHENTICATION | AUTHORIZATION |
|---|---|---|
| Basic | Checks the person's identity to grant access to the system. | Checks the person's privileges or permissions to access the resources. |
| Includes process of | Verifying user credentials. | Validating the user permissions. |
| Order of the process | Authentication is performed at the very first step. | Authorization is usually performed after authentication. |
| Examples | In online banking applications, the identity of the person is first determined with the help of the user ID and password. | In a multi-user system, the administrator decides what privileges or access rights each user has. |
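
The two-factor case and the authentication-then-authorization order described above, as an added example that is not part of the original post. It checks a knowledge factor (salted PBKDF2 password hash) and an ownership factor (RFC 6238 time-based one-time code), and only then checks permissions. The user name, password, permission strings and function names are constructed for illustration; the TOTP secret is the published RFC 6238 test secret.

```python
import hashlib, hmac, struct, time

def hash_password(password: str, salt: bytes) -> bytes:
    # Knowledge factor: store only a salted, deliberately slow hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    # Ownership factor: RFC 6238 one-time code (HMAC-SHA1, dynamic truncation).
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample account store (hypothetical user and permissions).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
        "permissions": {"accounts:read"},
    }
}

def authenticate(user, password, code, now=None):
    """Return True only if BOTH factors verify (two-factor authentication)."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None:
        return False
    knows = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    # Accept the current and the previous time step to tolerate clock skew.
    has = any(
        hmac.compare_digest(totp(rec["totp_secret"], now - d).encode(), code.encode())
        for d in (0, 30)
    )
    return knows and has

def authorize(user, permission):
    """Authorization: runs after authentication and checks privileges only."""
    return permission in USERS.get(user, {}).get("permissions", set())

def access(user, password, code, permission, now=None):
    if not authenticate(user, password, code, now):
        return "denied: authentication failed"
    if not authorize(user, permission):
        return "denied: not authorized"
    return "granted"
```
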


OS: Digital Signatures

 

Digital Signature:

Encryption example


o   In this example the message is only signed and not encrypted.

1) Alice signs a message with her private key.

2) Bob can verify that Alice sent the message and that the message has not been modified.

o   A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents.

o   A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit.

o   Digital signatures are commonly used for software distribution, financial transactions, contract management software, and in other cases where it is important to detect forgery or tampering.

o   Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures.

o   Digital signatures employ asymmetric cryptography. In many instances they provide a layer of validation and security to messages sent through a non-secure channel.

o   Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly implemented digital signatures are more difficult to forge than the handwritten type.

o   Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret.

o   Further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid.

o   A digital signature scheme typically consists of three algorithms:

·         A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.

·         A signing algorithm that, given a message and a private key, produces a signature.

·         A signature verifying algorithm that, given the message, public key and signature, either accepts or rejects the message's claim to authenticity.


o    Two main properties are required. First, the authenticity of a signature generated from a fixed message and fixed private key can be verified by using the corresponding public key.

o    Secondly, it should be computationally infeasible to generate a valid signature for a party without knowing that party's private key.

o    A digital signature is an authentication mechanism that enables the creator of the message to attach a code that acts as a signature. The Digital Signature Algorithm (DSA), developed by the National Institute of Standards and Technology, is one of many examples of a signing algorithm.

Below are some common reasons for applying a digital signature to communications:

Authentication

Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user.

Integrity

In many scenarios, the sender and receiver of a message need confidence that the message has not been altered during transmission. If a message is digitally signed, any change to the message after signing invalidates the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because doing so is considered computationally infeasible for most cryptographic hash functions.

Non-repudiation

By this property, an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key alone does not enable a fraudulent party to fake a valid signature.

Cryptography in OS: Symmetric and Asymmetric Key

 

Cryptography:

·         Cryptography or cryptology is the practice and study of techniques for secure communication in the presence of third parties called adversaries.

·         More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages.

·         Various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography.

·         Applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

·         Until modern times, cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (called plaintext) into unintelligible form (called cipher text). Decryption is the reverse, in other words, moving from the unintelligible cipher text back to plaintext.

·         A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a "key".

·         The key is a secret (ideally known only to the communicants), usually a short string of characters, which is needed to decrypt the cipher text. Formally, a "cryptosystem" is the ordered list of elements of finite possible plaintexts, finite possible cipher texts, finite possible keys, and the encryption and decryption algorithms which correspond to each key.

·         There are two kinds of cryptosystems: symmetric and asymmetric. In symmetric systems the same key (the secret key) is used to encrypt and decrypt a message. Data manipulation in symmetric systems is faster than asymmetric systems as they generally use shorter key lengths.

·         Asymmetric systems use a public key to encrypt a message and a private key to decrypt it. Use of asymmetric systems enhances the security of communication.

·         Examples of asymmetric systems include RSA (Rivest–Shamir–Adleman), and ECC (Elliptic Curve Cryptography). Symmetric models include the commonly used AES (Advanced Encryption Standard) which replaced the older DES (Data Encryption Standard).

·         Cryptanalysis is the term used for the study of methods for obtaining the meaning of encrypted information without access to the key normally required to do so; i.e., it is the study of how to crack encryption algorithms or their implementations.


Symmetric Key Cryptography:


·         Symmetric cipher models are also called secret key cryptography or symmetric key cryptography.


·         In symmetric key cryptography, a single key is used for encryption as well as decryption.

·         As shown in the image, the sender encrypts the plain text using a shared secret key, and the resulting ciphertext is transmitted through a communication medium such as the Internet. At the receiver side, the ciphertext is decrypted using the same key to obtain the original plain text.

·         Note that the encryption and decryption process uses a well-known symmetric key algorithm called the Data Encryption Standard (DES).

Symmetric encryption


·         Mathematically, it is represented as P = D(K, E(P)), where E(P) is the encryption of the plain text and D(K, E(P)) is the decryption of the cipher text using the shared key K.

·         For example, stream and block ciphers, Data Encryption Standard (DES), Advanced Encryption Standard (AES) and BLOWFISH.

·         What if an attacker obtains the cipher text? He or she might apply different permutations and combinations to decrypt it and obtain the original plain text. This is where the main aim of cryptography comes into the picture: the sender must always apply an encoding technique that converts the plain text message into a cipher text message so that the attacker cannot easily read the actual plain text.


Advantages of Symmetric Key Cryptography:

·         Symmetric key cryptography is faster than asymmetric key cryptography.

·         Because a single shared key is required, the data cannot be decrypted easily even if it is intercepted by an attacker.

·         As the same key is used for encryption and decryption, a receiver must have the sender’s key; otherwise he cannot decrypt (without sender permission).

·         Symmetric key achieves the authentication principle because it checks the receiver’s identity.

·         DES and AES techniques are implemented using symmetric key cryptography.

·         System resources are less utilized in symmetric key cryptography.


Disadvantages of Symmetric Key Cryptography:

·         Once the key is stolen while data is being transmitted between sender and receiver, it is very easy to decrypt the message, as the same key is used for encryption and decryption.

·         In symmetric key cryptography, a key is transmitted first and then a message is transferred to the receiver. If the attacker intercepts the communication between sender and receiver, then he can decrypt the message before it reaches the intended recipients.


Asymmetric Key Cryptography:

·         Asymmetric key cryptography is also called public key cryptography.

·         In asymmetric key cryptography two keys are used, one for encryption and the other for decryption.

·         As mentioned, asymmetric key cryptography involves the use of two keys. One is a public key that may be known to everyone and can be used to encrypt messages and verify signatures. The other is a private key, known only to the receiver of the message or the signer, used to decrypt messages and sign (create) signatures.

·         It is called asymmetric key cryptography because when one key is used for encryption, only its corresponding key can be used for decryption. No other key can decrypt the message. A sender can encrypt messages or verify signatures using the encryption (public) key, but he cannot decrypt messages or create signatures, because that requires the decryption (private) key, which is known only to the receiver of the message. The public key cryptosystem (asymmetric key cryptography) is shown in the image.


Asymmetric encryption


·         Mathematically it is represented as P = D(Kd, E (Ke,P))

·         For example, if sender Ramesh wants to communicate with receiver Suresh, each of them must have a private key and a public key; only then will the communication be successful.

Advantages of Asymmetric Key Cryptography:

·         In asymmetric key cryptography, a secret key does not need to be distributed between sender and receiver, as both have their own key, so there is no key distribution problem when transmitting data over an insecure channel.

·         The main advantage of asymmetric key cryptography is that two separate keys are used for encryption and decryption; even if the encryption key is stolen by an attacker, he or she cannot decrypt the message, as the decryption key is available only to the receiver.

·         RSA algorithm and Diffie Hellman key exchange are implemented using asymmetric key cryptography.

·         Easy to use for user and scalable; does not require much administrative work.

Disadvantages of Asymmetric Key Cryptography:

·         Because different keys are used by sender and receiver, more time is required to complete the transmission as compared to symmetric key cryptography. (It is slower than symmetric key cryptography; very few asymmetric encryption methods achieve fast transmission of data.)

·         Asymmetric key cryptography utilizes more resources as compared to symmetric key cryptography.


Comparison Chart

| Symmetric Encryption | Asymmetric Encryption |
|---|---|
| Single or same key is used for encryption and decryption. | Two keys are used, one is for encryption and the other is for decryption. |
| Symmetric key cryptography is also called secret key cryptography or private key cryptography. | Asymmetric key cryptography is also called public key cryptography or conventional cryptographic system. |
| Mathematically it is represented as P = D(K, E(P)), where K is the encryption and decryption key, P = plain text, D = decryption, E(P) = encryption of plain text. | Mathematically it is represented as P = D(Kd, E(Ke, P)), where Ke and Kd are the encryption and decryption keys, D = decryption, E(Ke, P) = encryption of plain text using private key Ke. |
| Symmetric key cryptography is faster than asymmetric key cryptography. | Asymmetric key cryptography is slower than symmetric key cryptography because two different keys are used. |
| For encryption of large messages, asymmetric key cryptography still plays an important role. | In asymmetric key cryptography, plain text and cipher text are treated as integer numbers. |
| Symmetric key cryptography utilizes fewer resources as compared to asymmetric key cryptography. | Asymmetric key cryptography utilizes more resources as compared to symmetric key cryptography. |
| For example, AES, DES, and BLOWFISH. | For example, RSA and the Diffie Hellman key exchange algorithm. |