Presentation is loading. Please wait.

Presentation is loading. Please wait.

Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.

Published byWinfred Day Modified over 9 years ago

Similar presentations

Presentation on theme: "Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication."— Presentation transcript:

1 csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication

2 csci5233 Computer Security2 Topics  Message digest (MD)  Password authentication for MD  Message Authentication Code (MAC)  Digital signatures & Identity authentication  Digital certificates, X.509, certificate chaining  Keystores  Public Key Infrastructure (PKI)

3 csci5233 Computer Security3 Dependencies Review example programs and discussions in Chapter 3.

4 csci5233 Computer Security4 Message Digests  message digest: a fingerprint of a piece of data  goal: data integrity (stored data, transmitted data, file copying, …)  message  hashing algorithm  digest  Java class: MessageDigest  Methods: getInstance ( ), update ( ), digest ( )  Algorithms: MD5, SHA, SHA-1

5 csci5233 Computer Security5 Message Digests in Java  java.security Class MessageDigest Message digests are secure one-way hash functions that take arbitrary- sized data and output a fixed-length hash value. A MessageDigest object starts out initialized. The data is processed through it using the update methods. update At any point reset can be called to reset the digest. reset Once all the data to be updated has been updated, one of the digest methods should be called to complete the hash computation. digest After digest has been called, the MessageDigest object is reset to its initialized state. digest

6 csci5233 Computer Security6 Message Digests in Java  byte[] digest () Completes the hash computation by performing final operations such as padding.digest  byte[] digest (byte[] input) Performs a final update on the digest using the specified array of bytes, then completes the digest computation.digest  int digest (byte[] buf, int offset, int len) Completes the hash computation by performing final operations such as padding.digest

7 csci5233 Computer Security7 Message Digests in Java  Computing a message digest on a file: DigestFile.java DigestFile.java  Size of the output digest SHA-1: 20 bytes MD5: 16 bytes  Exercise: Change the content of the input data file and compare the output digests.  Project: Write a program that gets a file, the MD algorithm, and the generated digest as the input, and then determine if the file has been corrupted.

8 csci5233 Computer Security8 Message Digests in Java  Alternative classes for computing a message digest on a file: DigestInputStream and DigestOutputStream  DigestInputStream A transparent stream that updates the associated message digest using the bits going through the stream. To complete the message digest computation, call one of the digest methods on the associated message digest after your calls to one of this digest input stream's read methods. read  Sample program: DigestStreamExample.java DigestStreamExample.java

9 csci5233 Computer Security9 Message Digests in Java  DigestOutputStream A transparent stream that updates the associated message digest using the bits going through the stream. To complete the message digest computation, call one of the digest methods on the associated message digest after your calls to one of this digest ouput stream's write methods. write  Any advantages over the MessageDigest class? yes, automatic generation of the digest  Exercise: Rewrite the DigestStreamExample.java program by using DigestOutputStream instead.

10 csci5233 Computer Security10 Message Digests in Java  Another application of MD: Using message digests to store and authenticate passwords  Sample program: PasswordAuthenticator.java PasswordAuthenticator.java  Usages: -c passwordCreate a password. -a passwordAuthenticate the password.

11 csci5233 Computer Security11 Message Digests in Java Storing the password

12 csci5233 Computer Security12 Message Digests in Java Authenticate a password using the stored password

13 csci5233 Computer Security13 Message Authentication Codes  A keyed message digest  Often used for authenticating data sent over an insecure network or stored in an insecure medium  To prevent man-in-the-middle attack against keyless message digest  message + key  MA algorithm  MAC  Verification: The same key is used to produce MAC’, which is compared to MAC to determine if the message has been tampered.

14 csci5233 Computer Security14 Using MAC in Java  HMAC (Hashed MAC)  HMAC functions supported by JCE: HmacMD5 and HmacSHA1  javax.crypto Class Mac Methods: getInstance( ), init( ), update( ), doFinal( )  Sample program: MACExample.java MACExample.java  Drawback of MAC: The need to have a shared secret key  Solution: Digital signatures

15 csci5233 Computer Security15 Digital Signatures  Associates an individual with a particular piece of data, like a signed contract or an e-mail  is essentially a message digest signed by someone’s private key  achieves both data integrity and source integrity (i.e., authentication)  Review diagrams on p.48, as well as on pp.135-136

16 csci5233 Computer Security16 Digital Signature Algorithm (DSA)  works similarly to RSA signing, but lack an encryption capability  c.f., RSA DSA is faster at generating signatures; RSA is faster at validating signatures DSA was supported in older Java (v1.2); RSA is supported by JDK v1.3 and higher RSA is generally recommended if you have a choice.

17 csci5233 Computer Security17 DSA and RSA  The signature algorithm can be, among others, DSA and SHA-1. The DSA algorithm using the SHA-1 message digest algorithm can be specified as SHA1withDSA.  In the case of RSA, there are multiple choices for the message digest algorithm, so the signing algorithm could be specified as, for example, MD2withRSA, MD5withRSA, or SHA1withRSA.  The algorithm name must be specified, as there is no default.

18 csci5233 Computer Security18 Digital Signatures in Java  java.security Class Signature  refers to the object used to create and verify DS, but not the signatures, which are manipulated as byte arrays  Methods: getInstance( ), initSign( ), initVerify( ), update( ), sign( ), and verify( )

19 csci5233 Computer Security19 Digital Signatures in Java  There are three phases to the use of a Signature object: 1. Initialization, with either  a public key, which initializes the signature for verification (see initVerify( ) ), or initVerify( )  a private key, which initializes the signature for signing (see initSign(PrivateKey) and initSign(PrivateKey, SecureRandom) ). initSign(PrivateKey) initSign(PrivateKey, SecureRandom) 2. Updating  Depending on the type of initialization, this will update the bytes to be signed or verified. See the update( ) methods. update( ) 3. Signing or Verifying a signature on all updated bytes. See the sign( ) methods and the verify( ) method. sign( ) verify( )

20 csci5233 Computer Security20 Digital Signatures in Java  Sample program: SignatureExample.java SignatureExample.java

21 csci5233 Computer Security21 Authenticating Identity using DS  Authenticating a user’s identity by using his digital signature  Application: secure communication between a server and a client (e.g., online bank transaction)

22 csci5233 Computer Security22 Authenticating Identity using DS  Sample programs: SignatureAuthenticationClient.java SignatureAuthenticationClient.java SignatureAuthenticationServer.java  Advantage of this “nonce” approach: It allows the server to validate the client’s signature at the beginning of a communication session.  See pages 487-488 (Appendix A) for further discussion of using a nonce.  See http://en.wikipedia.org/wiki/Nonce for some discussion about the word ‘nonce’ (a ‘number used once’).http://en.wikipedia.org/wiki/Nonce  Drawback? requires secure communication, otherwise may suffer man-in-the- middle attack (e.g., The session id may be stolen, and used by the hacker to launch a ‘rogue server’ or ‘session hijacking’ attack.)  Solution? Encrypted communication (e.g., tunneling)

23 csci5233 Computer Security23 Authenticating Identity using DS  c.f., Server-initiated authentication The server encrypts some random data with the client’s public key and sends the result to the client. If the client can decrypt the ciphertext, his identity is authenticated. Trade-offs?  c.f., The “full-blown” DS approach, in which the client sign every message. Trade-offs?

24 csci5233 Computer Security24 Next  Digital certificates, X.509, certificate chaining  Keystores  Public Key Infrastructure (PKI)

Download ppt "Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication."

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Network Security: Lab#2 J. H. Wang Apr. 28, 2011.

Network Security: Lab#2 J. H. Wang Apr. 28, 2011.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Securing Network Communication. 2 Security Issues in Communication Privacy  Anyone can see content Integrity  Someone might alter content Authentication.

Securing Network Communication. 2 Security Issues in Communication Privacy  Anyone can see content Integrity  Someone might alter content Authentication.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Cryptography Basic (cont)

Cryptography Basic (cont)
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
Chapter 3 Encryption Algorithms & Systems (Part C)

Chapter 3 Encryption Algorithms & Systems (Part C)
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

Similar presentations

Ads by Google