This page describes what security protocols provide from a functional level.
- Confidentiality - Being sure the message cannot be read and understood by intruders. Requires a cypher algorithm.
- Authentication - The receiver of the message should be able to be sure of the origin of the message. Requires a digital signature (One way hash, public key algorithm, and symmetric algorithm) or a public key algorithm.
- Integrity - The receiver of the message should be able to tell the message was not modified. Requires key exchange.
- Nonrepuditation - There is proof that the sender sent the message. Digital signatures may be used for nonrepuditation.
Secure Systems require:
- Authentication - In order to authenticate a user, most of the time a password is used. Several methods may be used to store and transmit the password depending on the security algorithm and system being used.
- Key exchange/management
- Cypher algorithms (Public key and symmetric)
Types of Security Functions
- One way hash - A fixed length output string is generated from a variable length input. The reverse of the function is almost impossible to perform. A one way hash is also called a message digest, cryptographic checksum, message integrity check (MIC), and manipulation detection code (MDC).
- Message Authentification Code (MAC) - One way hash with addition of a secret key. Only a person with the key can verify the hash.
- A digital signature is when a private key is used to encrypt a message. If the receiver can decrypt it with that person's public key, the signature is authentic. Signatures are done on a one way hash of the message. If a person performs a one way hash on a message and encrypts it with their public key, when the receiver gets the message, they can perform a one way hash on it and compare it to the decrypted one way hash sent to tell if it is authentic. The document cannot be changed without detection after being signed. (Cannot be repudiated). The hash of the document is usually signed.
- Key Certification Authority - Also called a key distribution center. It is a third party who signes distributed public keys with their own private key.
- Interlock Protocol - Used to foil the man in the middle attack
- Key exchange
- With symmetric cryptography.
- With Public-key cryptography.
- With Digital Signatures.
- Salting - The act of combining a user password with a random value as a countermeasure to a dictionary password attack. The combined values are encrypted and stored on the system along with the salt value.
- Secret sharing systems are algorithms that do not allow a single person or a certain number of persons to violate the secret.
- Time stamping services
- Blind signatures - Are similar to a notary who validates the fact that a document was signed without caring about the contents of the document.
Password Storage and Transmission
On some systems the actual user password is not stored on the system. The host may store a one way function (Hash) of the users' passwords rather than the actual password. Sometimes the system will add additional random characters (salt) to the password and perform the hash function on the salt value with the password. The salt value is also stored on the system. When the host receives the transmitted user password, it will run the one way hash function on it (with the salt value if appropriate) and if the results match, the user is authenticated. The password should be sent using some type of encryption so eavesdroppers cannot read the password.