Module IV
Disadvantage:
• It is time-consuming.
• Dynamic questions involve a dynamic approach to challenge selection and authentication. The
challenges are selected randomly, on the presumption that the user, if genuine, will know the valid
answer to the challenge.
• CAPTCHA:
The Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHA is
used to prevent spam and automated registration of new accounts for email or websites.
• Password:
The password is validated by the server by matching it against the stored correct password.
In a challenge-response scheme the server first sends a random challenge; the client combines
(salts) the password with that challenge and hashes the result, so the response is valid for one
use only. It is this hash that is sent to the server, which compares it with the hash computed from
the correct password; the plaintext password itself is never compared or transmitted. The password
is therefore not revealed, which defends against Man-in-the-Middle and replay attacks, because each
response can be used only once.
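The exchange described above, as an added worked example that is not part of the original notes: the server issues a random challenge, the client answers with an HMAC of its password hash over that challenge, and the server accepts each challenge at most once, so a captured response cannot be replayed. The user name, password and message strings are constructed for the demo; the function and class names are this example's own.

```python
import hashlib
import hmac
import secrets


def derive_verifier(password: str) -> bytes:
    """What the server stores instead of the plaintext password: SHA-256 of the password.
    (A deployment would use a salted, slow password hash; plain SHA-256 keeps the example short.)"""
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: hash the password and bind it to the one-time challenge with HMAC.
    Only this value crosses the wire, never the password itself."""
    return hmac.new(derive_verifier(password), challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Server side of the exchange: issues random challenges and accepts each one at most once."""

    def __init__(self, verifiers: dict):
        self._verifiers = verifiers   # username -> stored verifier (constructed demo table)
        self._outstanding = {}        # challenge -> username; an entry is removed on first use

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(16)   # fresh 128-bit random nonce per login attempt
        self._outstanding[challenge] = username
        return challenge

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        # A challenge that was never issued, was issued to another user, or was already
        # consumed is rejected: this is what makes a captured response useless for replay.
        if self._outstanding.get(challenge) != username:
            return False
        del self._outstanding[challenge]
        verifier = self._verifiers.get(username)
        if verifier is None:
            return False
        expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    server = ChallengeServer({"alice": derive_verifier("correct horse battery")})
    c = server.issue_challenge("alice")
    r = client_response("correct horse battery", c)
    print("first use:", server.verify("alice", c, r))   # True
    print("replay:   ", server.verify("alice", c, r))   # False: challenge already consumed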
• Biometrics:
The biometric details (retina scan, fingerprint scan), which are unique, are recorded, and every
time a user wants to authenticate, he has to present his biometric credentials to the
authenticating system for validation.
Common attacks on CRAMs –
• Eavesdropping
• Phishing Attacks
• Pharming Attacks
• Man-In-The-Middle Attacks
• DNS Cache Poisoning Attacks: fake information in the DNS cache
• Trojan Attacks:
• Man-In-The-Phone Attacks: targets mobile devices
• Browser Poisoning Attacks:
• Brute-Force Attacks
• Zero-knowledge password proof
• Reusable password attacks
Limitations –
A fundamental problem with passwords is that they are used repeatedly. When a password is
received by the server, the server cannot determine whether it is the real user who entered it.
Newer CRAMs also employ cryptography so that the hash of the password is matched rather than
the plain password.
Digital signature
A digital signature is an electronic, encrypted stamp of authentication on digital information
such as email messages, macros, or electronic documents.
A signature confirms that the information originated from the signer and has not been
altered.
Signing certificate: To create a digital signature, we need a signing certificate, which proves
identity. When we send a digitally signed macro or document, we also send the certificate and
public key. Certificates are issued by a certification authority and, like a driver’s license, can be
revoked. A certificate is usually valid for a year, after which the signer must renew it or get a
new signing certificate to establish identity.
Certificate authority (CA): A certificate authority is an entity similar to a notary public. It
issues digital certificates, signs certificates to verify their validity, and tracks which certificates
have been revoked or have expired.
Digital signature assurances
• Authenticity: The signer is confirmed as the signer.
• Integrity: The content has not been changed or tampered with since it was digitally
signed.
• Non-repudiation: Proves to all parties the origin of the signed content. Repudiation
refers to the act of a signer denying any association with the signed content.
• Notarization: Signatures in Microsoft Word, Microsoft Excel, or Microsoft PowerPoint
files, which are time stamped by a secure time-stamp server, under certain
circumstances have the validity of a notarization.
Steps in Digital Signature
• The message digest is computed by applying a hash function to the message; the digest is
then encrypted using the sender’s private key to form the digital signature (digital
signature = encryption(private key of sender, message digest), where message digest =
message digest algorithm(message)).
• The digital signature is then transmitted together with the message (message + digital
signature is transmitted).
• The receiver decrypts the digital signature using the sender’s public key. (This assures
authenticity: only the sender holds his private key, so only the sender can encrypt with it,
and the result can be decrypted with the sender’s public key.)
• The receiver now has the message digest.
• The receiver also computes the message digest from the message itself (the actual message
is sent with the digital signature).
• The message digest computed by the receiver and the message digest obtained by
decrypting the digital signature must be the same to ensure integrity.
Attacks on Digital Signature
1. Chosen-message Attack
2. Known-message Attack
3. Key-only Attack
Chosen-message Attack
• Generic chosen-message attack – In this method C tricks A into digitally signing messages
that A does not intend to sign, without any knowledge of A’s public key.
• Directed chosen-message attack – In this method C knows A’s public key, obtains A’s
signature on messages, and replaces the original message with the message C wants A to
have signed, leaving A’s signature on it unchanged.
Known-message Attack
In the known-message attack, C has a few previous messages and signatures of A. C then tries
to forge A’s signature on documents that A does not intend to sign, using brute force and
analysing the previous data to recreate A’s signature. This attack is similar to the known-plaintext
attack in encryption.
Key-only Attack
In the key-only attack, A’s public key is available to everyone; C makes use of this fact and
tries to recreate A’s signature and digitally sign documents or messages that A does not intend
to sign.
This would be a great threat to the authentication of the message, which is non-repudiable,
as A cannot deny signing it.
RSA Digital Signature Scheme
A now encrypts the message digest with its private key. The output of this process is called the
Digital Signature (DS) of A.
Step-3:
Now sender A sends the digital signature (DS) along with the original message (M) to B.
Step-4:
When B receives the original message (M) and the digital signature (DS) from A, it first uses the same
message-digest algorithm as was used by A and calculates its own message digest (MD2) for M.
Step-5:
Now B uses A’s public key to decrypt the digital signature, because it was encrypted by A’s private
key. The result of this process is the original message digest (MD1) which was calculated by A.
Step-6:
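The hash-then-sign procedure from "Steps in Digital Signature" and the MD1/MD2 exchange of the RSA scheme above, carried through as an added worked example (not code from the original notes). It is textbook RSA, written from scratch so that the "encrypt the digest with the private key / decrypt with the public key" steps are visible as modular exponentiations: A computes DS = MD1^d mod n, and B recovers MD1 = DS^e mod n and compares it with its own MD2. The prime generator, the fixed RNG seed, the sample message and all function names are this example's own assumptions.

```python
import hashlib
import math
import random

# Seeded RNG so the demo key pair is reproducible. Real key generation must draw
# from a cryptographically secure source (secrets / os.urandom); this is for illustration.
_rng = random.Random(2024)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test, as used in RSA key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):   # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:           # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False        # a is a witness that n is composite
    return True


def generate_prime(bits: int) -> int:
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, exact bit length
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Returns (public_key, private_key) as ((n, e), (n, d)); n is larger than any SHA-256 digest."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (p * q, e), (p * q, d)


def message_digest(message: bytes) -> int:
    """MD = message digest algorithm(message): SHA-256, read as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """A's side: DS = MD1^d mod n, i.e. the digest 'encrypted' with A's private key."""
    n, d = private_key
    md1 = message_digest(message)
    return pow(md1, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """B's side: recover MD1 = DS^e mod n with A's public key, recompute MD2, compare."""
    n, e = public_key
    if not 0 < signature < n:    # reject out-of-range values before doing any arithmetic
        return False
    md1 = pow(signature, e, n)
    md2 = message_digest(message)
    return md1 == md2


PUBLIC_KEY, PRIVATE_KEY = generate_keypair()
MESSAGE = b"Transfer 100 to account 42"       # constructed sample message
SIGNATURE = sign(MESSAGE, PRIVATE_KEY)

if __name__ == "__main__":
    print("valid signature :", verify(MESSAGE, SIGNATURE, PUBLIC_KEY))
    print("tampered message:", verify(b"Transfer 900 to account 42", SIGNATURE, PUBLIC_KEY))
```

The raw digest is exponentiated directly here so that the arithmetic matches the notes' description; production signatures wrap the digest in a padding scheme (PSS or PKCS#1 v1.5) from a vetted library, which is what stops the algebraic forgeries that unpadded RSA permits.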