1. Pertemuan #9 Security in Practice Kuliah Pengaman Jaringan

2. Secure Email email is one of the most widely used and regarded network services currently message contents are not secure  may be inspected either in transit  or by suitably priviledged users on destination system Email Privacy Enhancement Services  confidentiality (protection from disclosure)  authentication (of originator)  message integrity (protection from modification)  non-repudiation of origin  (protection from denial by sender) can't assume real-time access to a trusted key server often implement using Email Encapsulation

3. PEM Privacy Enhanced Mail Internet standard for security enhancements to Internet (RFC822) email  developed by a Working group of the IETF  specified in RFC1421, RFC1422, RFC1423, RFC1424 uses message encapsulation to add features confidentiality - DES encryption in CBC mode integrity - DES encrypted MIC (MD2/MD5) authentication - DES/RSA encrypted MIC non-repudiation - RSA encrypted MIC

4. PEM - Key Management central key server (private-key)  requires access to on-line server public-key certificates  uses X.509 Directory Service Strong Authentication to protect key certificates  signed by a Certification Authority (CA)  CAs form a hierarchy to permit cross-validation of certificates  CAs must be licenced by RSA Data Inc.  currently only licenced in US/Canada

5. User Authentication user authentication (identity verification)  convince system of your identity  before it can act on your behalf sometimes also require that the computer verify its identity with the user user authentication is based on three methods  what you know  what you have  what you are all then involve some validation of information supplied against a table of possible values based on users claimed identity

6. What you Know Passwords or Pass-phrases prompt user for a login name and password verify identity by checking that password is correct on some (older) systems, password was stored in the clear (this is now regarded as insecure, since breakin compromises all users of the system) more often use a one-way function, whose output cannot easily be used to find the input value  either takes a fixed sized input (eg 8 chars)  or based on a hash function to accept a variable sized input to create the value important that passwords are selected with care to reduce risk of exhaustive search

7. What you Know One-shot Passwords one problem with traditional passwords is caused by eavesdropping theit transfer over an insecure network one possible solution is to use one-shot (one-time) passwords these are passwords used once only future values cannot be predicted from older values either generate a printed list, and keep matching list on system to be accessed (cf home banking) or use an algorithm based on a one-way function f (eg MD5) to generate previous values in series (eg SKey) start with a secret password s, and number N  p_(0) = fN(s) next password in series is  p_(1) = fN-1(s) must reset password after N uses generally good only for infrequent access

8. What you Have here verify identity based on possession of some object, often also combined with a password Magnetic Card, Magnetic Key possess item with required code value encoded in it (eg access control cards) Smart Card or Calculator may interact with system may require information from user could be used to actively calculate:  a time dependent password  a one-shot password  a challenge-response verification  public-key based verification

9. What you Are here verify identity based on your physical characteristics or involuntary reponse patterns known as biometrics characteristics used include:  signature (usually dynamic)  fingerprint  hand geometry  face or body profile  speech  retina pattern always have tradeoff between  false rejection (type I error)  false acceptance (type II error)