Lecture 5. Digital Signature
Jongyoul Park
Dept. of Applied Artificial Intelligence
Security Applications
• Key concerns of security are confidentiality and timeliness
▪ To provide confidentiality, identification and session-key information must be encrypted
▪ This requires the use of previously shared private or public keys
▪ Timeliness is needed to prevent replay attacks
▪ Provided by using sequence numbers, timestamps, or challenge/response
KERBEROS
• Users wish to access services on servers.
• Provides a centralized authentication server
to authenticate users to servers and
servers to users.
• Relies on conventional encryption,
making no use of public-key encryption
Kerberos Version 4
• Terms:
▪ C = Client
▪ AS = authentication server
▪ V = server
▪ IDc = identifier of user on C
▪ IDv = identifier of V
▪ Pc = password of user on C
▪ ADc = network address of C
▪ Kv = secret encryption key shared by AS and V
▪ TS = timestamp
▪ || = concatenation
A Simple Authentication Dialogue
• New concepts : tickets for authentication
▪ Provides a privilege of access // be someone
Version 4 Authentication Dialogue
• Problems:
▪ Lifetime associated with the ticket-granting ticket
▪ If too short, the user is repeatedly asked for the password
▪ If too long, there is greater opportunity for replay
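
Added example (not from the original slides): a sketch of the checks a server V can apply to a ticket built from the terms above (IDc, ADc, IDv, TS, Kv) plus a lifetime, showing how the lifetime bounds reuse of a ticket. Assumptions: HMAC-SHA256 under Kv stands in for the conventional encryption E(Kv, ...), so the ticket here is sealed but not confidential; the function names, field layout and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def _seal(kv, body):
    # Stand-in for E(Kv, ...): integrity only, no confidentiality (assumption).
    return hmac.new(kv, body, hashlib.sha256).digest()

def issue_ticket(kv, id_c, ad_c, id_v, ts, lifetime):
    """AS side: bind IDc, ADc, IDv, TS and a lifetime (seconds) under Kv."""
    body = json.dumps([id_c, ad_c, id_v, ts, lifetime]).encode()
    return body + _seal(kv, body)

def check_ticket(kv, ticket, id_c, ad_c, id_v, now):
    """V side: return "ok" or the reason the ticket is rejected."""
    if len(ticket) <= TAG_LEN:
        return "malformed"
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(tag, _seal(kv, body)):
        return "bad-seal"        # not issued by a holder of Kv, or altered
    t_idc, t_adc, t_idv, ts, lifetime = json.loads(body)
    if t_idv != id_v:
        return "wrong-server"    # ticket was issued for a different V
    if t_idc != id_c:
        return "wrong-client"    # presenter claims a different IDc
    if t_adc != ad_c:
        return "wrong-address"   # presented from a host other than ADc
    if now < ts:
        return "not-yet-valid"
    if now > ts + lifetime:
        return "expired"
    return "ok"

def demo():
    kv = b"constructed-demo-key"  # constructed sample values throughout
    t0 = 1_000_000
    tkt = issue_ticket(kv, "alice", "192.0.2.10", "fileserver", t0, 3600)
    def chk(ad, now, t=tkt):
        return check_ticket(kv, t, "alice", ad, "fileserver", now)
    return {
        "fresh": chk("192.0.2.10", t0 + 10),
        "reuse_same_address": chk("192.0.2.10", t0 + 3000),
        "reuse_other_address": chk("192.0.2.99", t0 + 3000),
        "after_lifetime": chk("192.0.2.10", t0 + 3601),
        "altered": chk("192.0.2.10", t0 + 10, tkt[:-1] + bytes([tkt[-1] ^ 1])),
    }

if __name__ == "__main__":
    print(demo())
```

Within the lifetime the same ticket is accepted again from ADc, which is the replay window the lifetime problem refers to; shortening the lifetime narrows that window at the cost of more password prompts.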
Overview of Kerberos
Request for Service in Another Realm
Difference Between Version 4 and 5
• Encryption system dependence (V.4 DES)
• Ticket lifetime
• Authentication forwarding
• Inter-realm authentication
Kerberos Encryption Techniques
Kerberos - in practice
• Currently have two Kerberos versions:
▪ 4 : restricted to a single realm
▪ 5 : allows inter-realm authentication
▪ Kerberos v5 is an Internet standard
▪ specified in RFC 1510, and used by many utilities
• To use Kerberos:
▪ need to have a KDC on your network
▪ need to have Kerberised applications running on all participating systems
▪ major problem - US export restrictions
▪ Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption)
▪ else crypto libraries must be reimplemented locally
X.509 Authentication Service
• Distributed set of servers that maintains a database about users.
• Each certificate contains the public key of a user and is signed with the private key of a CA.
• Is used in S/MIME, IP Security, SSL/TLS and SET.
• The use of RSA is recommended.
X.509 Formats
Typical Digital Signature
Obtaining a User’s Certificate
• Characteristics of certificates generated by CA (Certificate Authority):
▪ Any user with access to the public key of the CA can recover the user public key that was certified.
▪ No party other than the CA can modify the certificate without this being detected.
X.509 CA Hierarchy
Revocation of Certificates
• Reasons for revocation:
▪ The user's secret key is assumed to be compromised.
▪ The user is no longer certified by this CA.
▪ The CA’s certificate is assumed to be compromised.
Authentication Procedures
• One-way authentication
▪ Identity of A and message generated by A
▪ Message is intended for B
▪ Integrity and originality of the message
• Two-way authentication
▪ Identity of B and that the reply message is generated by B (the target of the first message)
▪ Message is intended for A
▪ Integrity and originality of the reply
• Three-way authentication
▪ Eliminates the need to check timestamps
▪ Used when synchronized clocks are not available
Q&A ?
POP Assign. #2 Problems 2.1 and 2.4 – handwritten (no Word file!!)
AI and Security
Thanks for your attention.