SlideShare a Scribd company logo

Information Security (Digital Signatures)

Download as PPTX, PDF
Z
Zara Nawaz

Digital Signature in Information Security

Education
1 of 39
Information Security Week 9
Digital signature • A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic. Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it. • Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures.
Digital signature • A digital signature is a mathematical technique which validates the authenticity and integrity of a message, software or digital documents. It allows us to verify the author name, date and time of signatures, and authenticate the message contents. The digital signature offers far more inherent security and intended to solve the problem of tampering and impersonation (Intentionally copy another person's characteristics) in digital communications.
Application of Digital Signature • The important reason to implement digital signature to communication is: • Authentication • Non-repudiation • Integrity
Application of Digital Signature • Authentication • Authentication is a process which verifies the identity of a user who wants to access the system. In the digital signature, authentication helps to authenticate the sources of messages. • Non-repudiation • Non-repudiation means assurance of something that cannot be denied. It ensures that someone to a contract or communication cannot later deny the authenticity of their signature on a document or in a file or the sending of a message that they originated. • Integrity • Integrity ensures that the message is real, accurate and safeguards from unauthorized user modification during the transmission.
Algorithms in Digital Signature • Key Generation Algorithms : Digital signature are electronic signatures, which assures that the message was sent by a particular sender. While performing digital transactions authenticity and integrity should be assured, otherwise the data can be altered or someone can also act as if he was the sender and expect a reply. • Signing Algorithms: To create a digital signature, signing algorithms like email programs create a one-way hash of the electronic data which is to be signed. The signing algorithm then encrypts the hash value using the private key (signature key). This encrypted hash along with other information like the hashing algorithm is the digital signature. This digital signature is appended with the data and sent to the verifier. The reason for encrypting the hash instead of the entire message or document is that a hash function converts any arbitrary input into a much shorter fixed length value. This saves time as now instead of signing a long message a shorter hash value has to be signed and moreover hashing is much faster than signing.
Algorithms in Digital Signature • Signature Verification Algorithms : Verifier receives Digital Signature along with the data. It then uses Verification algorithm to process on the digital signature and the public key (verification key) and generates some value. It also applies the same hash function on the received data and generates a hash value. Then the hash value and the output of the verification algorithm are compared. If they both are equal, then the digital signature is valid else it is invalid.
How Digital Signature Works… • The steps followed in creating digital signature are : • Message digest is computed by applying hash function on the message and then message digest is encrypted using private key of sender to form the digital signature. (digital signature = encryption (private key of sender, message digest) and message digest = message digest algorithm(message)). • Digital signature is then transmitted with the message.(message + digital signature is transmitted) • Receiver decrypts the digital signature using the public key of sender.(This assures authenticity,as only sender has his private key so only sender can encrypt using his private key which can thus be decrypted by sender’s public key). • The receiver now has the message digest. • The receiver can compute the message digest from the message (actual message is sent with the digital signature). • The message digest computed by receiver and the message digest (got by decryption on digital signature) need to be same for ensuring integrity.
Types of Digital Signature
Types of Digital Signature • Certified Signatures • The certified digital signature documents display a unique blue ribbon across the top of the document. The certified signature contains the name of the document signer and the certificate issuer which indicate the authorship and authenticity of the document. • Approval Signatures • The approval digital signatures on a document can be used in the organization's business workflow. They help to optimize the organization's approval procedure. The procedure involves capturing approvals made by us and other individuals and embedding them within the PDF document. The approval signatures to include details such as an image of our physical signature, location, date, and official seal.
Types of Digital Signature • Visible Digital Signature • The visible digital signature allows a user to sign a single document digitally. This signature appears on a document in the same way as signatures are signed on a physical document. • Invisible Digital Signature • The invisible digital signatures carry a visual indication of a blue ribbon within a document in the taskbar. We can use invisible digital signatures when we do not have or do not want to display our signature but need to provide the authenticity of the document, its integrity, and its origin.
Digital Certificate • Digital certificate is issued by a trusted third party which proves sender's identity to the receiver and receiver’s identity to the sender. A digital certificate is a certificate issued by a Certificate Authority (CA) to verify the identity of the certificate holder. The CA issues an encrypted digital certificate containing the applicant’s public key and a variety of other identification information. Digital certificate is used to attach public key with a particular individual or an entity.
Digital certificate contains:- • Name of certificate holder. • Serial number which is used to uniquely identify a certificate, the individual or the entity identified by the certificate • Expiration dates. • Copy of certificate holder's public key.(used for decrypting messages and digital signatures) • Digital Signature of the certificate issuing authority. • Digital ceritifcate is also sent with the digital signature and the message.
Digital certificate vs digital signature : Digital signature is used to verify authenticity, integrity, non- repudiation ,i.e. it is assuring that the message is sent by the known user and not modified, while digital certificate is used to verify the identity of the user, maybe sender or receiver. Thus, digital signature and certificate are different kind of things but both are used for security. Most websites use digital certificate to enhance trust of their users.
Digital certificate vs digital signature : FEATURE DIGITAL SIGNATURE DIGITAL CERTIFICATE Basics / Definition Digital signature is like a fingerprint or an attachment to a digital document that ensures its authenticity and integrity. Digital certificate is a file that ensures holder’s identity and provides security. Process / Steps Hashed value of original message is encrypted with sender’s secret key to generate the digital signature. It is generated by CA (Certifying Authority) that involves four steps: Key Generation, Registration, Verification, Creation. Security Services Authenticity of Sender, integrity of the document and non- repudiation. It provides security and authenticity of certificate holder. Standard It follows Digital Signature Standard (DSS). It follows X.509 Standard Format
one-way hash function • A one-way hash function, also known as a message digest, fingerprint or compression function, is a mathematical function which takes a variable- length input string and converts it into a fixed-length binary sequence. • Hash functions are extremely useful and appear in almost all information security applications. • A hash function is a mathematical function that converts a numerical input value into another compressed numerical value. The input to the hash function is of arbitrary length but output is always of fixed length. • Values returned by a hash function are called message digest or simply hash values. The following picture illustrated hash function −
one-way hash function
Features of Hash Functions • The typical features of hash functions are − • Fixed Length Output (Hash Value) • Hash function coverts data of arbitrary length to a fixed length. This process is often referred to as hashing the data. • In general, the hash is much smaller than the input data, hence hash functions are sometimes called compression functions. • Since a hash is a smaller representation of a larger data, it is also referred to as a digest. • Hash function with n bit output is referred to as an n-bit hash function. Popular hash functions generate values between 160 and 512 bits. • Efficiency of Operation • Generally for any hash function h with input x, computation of h(x) is a fast operation. • Computationally hash functions are much faster than a symmetric encryption.
Properties of Hash Functions • In order to be an effective cryptographic tool, the hash function is desired to possess following properties − • Pre-Image Resistance • This property means that it should be computationally hard to reverse a hash function. • In other words, if a hash function h produced a hash value z, then it should be a difficult process to find any input value x that hashes to z. • This property protects against an attacker who only has a hash value and is trying to find the input. • Second Pre-Image Resistance • This property means given an input and its hash, it should be hard to find a different input with the same hash. • In other words, if a hash function h for an input x produces hash value h(x), then it should be difficult to find any other input value y such that h(y) = h(x). • This property of hash function protects against an attacker who has an input value and its hash, and wants to substitute different value as legitimate value in place of original input value.
Properties of Hash Functions • Collision Resistance • This property means it should be hard to find two different inputs of any length that result in the same hash. This property is also referred to as collision free hash function. • In other words, for a hash function h, it is hard to find any two different inputs x and y such that h(x) = h(y). • Since, hash function is compressing function with fixed hash length, it is impossible for a hash function not to have collisions. This property of collision free only confirms that these collisions should be hard to find. • This property makes it very difficult for an attacker to find two input values with the same hash. • Also, if a hash function is collision-resistant then it is second pre-image resistant.
Design of Hashing Algorithms • At the heart of a hashing is a mathematical function that operates on two fixed-size blocks of data to create a hash code. This hash function forms the part of the hashing algorithm. • The size of each data block varies depending on the algorithm. Typically the block sizes are from 128 bits to 512 bits. The following illustration demonstrates hash function −
• Hashing algorithm involves rounds of above hash function like a block cipher. Each round takes an input of a fixed size, typically a combination of the most recent message block and the output of the last round. • This process is repeated for as many rounds as are required to hash the entire message. Schematic of hashing algorithm is depicted in the following illustration −
Message Authentication Code (MAC) • threat that exist for data is the lack of message authentication. In this threat, the user is not sure about the originator of the message. Message authentication can be provided using the cryptographic techniques that use secret keys as done in case of encryption. • MAC algorithm is a symmetric key cryptographic technique to provide message authentication. For establishing MAC process, the sender and receiver share a symmetric key K. • Essentially, a MAC is an encrypted checksum generated on the underlying message that is sent along with a message to ensure message authentication.
Message Authentication Code (MAC) • The process of using MAC for authentication is depicted in the following illustration −
Message Authentication Code (MAC) • Let us now try to understand the entire process in detail − • The sender uses some publicly known MAC algorithm, inputs the message and the secret key K and produces a MAC value. • Similar to hash, MAC function also compresses an arbitrary long input into a fixed length output. The major difference between hash and MAC is that MAC uses secret key during the compression. • The sender forwards the message along with the MAC. Here, we assume that the message is sent in the clear, as we are concerned of providing message origin authentication, not confidentiality. If confidentiality is required then the message needs encryption.
Message Authentication Code (MAC) • On receipt of the message and the MAC, the receiver feeds the received message and the shared secret key K into the MAC algorithm and re-computes the MAC value. • The receiver now checks equality of freshly computed MAC with the MAC received from the sender. If they match, then the receiver accepts the message and assures himself that the message has been sent by the intended sender. • If the computed MAC does not match the MAC sent by the sender, the receiver cannot determine whether it is the message that has been altered or it is the origin that has been falsified. As a bottom- line, a receiver safely assumes that the message is not the genuine.
Limitations of MAC • There are two major limitations of MAC, both due to its symmetric nature of operation − • Establishment of Shared Secret. • It can provide message authentication among pre-decided legitimate users who have shared key. • This requires establishment of shared secret prior to use of MAC. • Inability to Provide Non-Repudiation • Non-repudiation is the assurance that a message originator cannot deny any previously sent messages and commitments or actions. • MAC technique does not provide a non-repudiation service. If the sender and receiver get involved in a dispute over message origination, MACs cannot provide a proof that a message was indeed sent by the sender. • Though no third party can compute the MAC, still sender could deny having sent the message and claim that the receiver forged it, as it is impossible to determine which of the two parties computed the MAC.
Birthday attack in Cryptography Birthday attack is a type of cryptographic attack that belongs to a class of brute force attacks. It exploits the mathematics behind the birthday problem in probability theory. The success of this attack largely depends upon the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations, as described in the birthday paradox problem.
Birthday paradox problem – Let us consider the example of a classroom of 30 students and a teacher. The teacher wishes to find pairs of students that have the same birthday. Hence the teacher asks for everyone’s birthday to find such pairs. Intuitively this value may seem small. For example, if the teacher fixes a particular date say October 10, then the probability that at least one student is born on that day is 1 – (364/365)30 which is about 7.9%. However, the probability that at least one student have same birthday as any other student is around 70% using the following formula: • 1 - 365!/((365 - n!) * (365n)) (substituting n = 70 here)
Birthday paradox problem – • Assumptions – 1. Assuming a non leap year(hence 365 days). 2. Assuming that a person has equally likely chance of being born on any day of the year. Let us consider n = 2. P(Two people have the same birthday) = 1 – P(Two people having different birthday) = 1 – (365*365)*(364*365) = 1 – 1*(364/365) = 1 – 364/365 = 1/365. So for n people the probability that all of them have different birthday is: P(N people having different birthdays) = (365/365)*(365-1/365)*(365- 2/365)*….(365-n+1)/365. = 365!/((365-n)! * 365n)
public key certificate • A public key certificate provides a safe way for an entity to pass on its public key to be used in asymmetric cryptography. The public key certificate avoids the following situation: if Charlie creates his own public key and private key, he can claim that he is Alice and send his public key to Bob. Bob will be able to communicate with Charlie, but Bob will think that he is sending his data to Alice. • A public key certificate can be thought of as the digital equivalent of a passport. It is issued by a trusted organization and provides identification for the bearer. A trusted organization that issues public key certificates is known as a certificate authority (CA). The CA can be likened to a notary public. To obtain a certificate from a CA, one must provide proof of identity. When the CA is confident that the applicant represents the organization it says it represents, the CA signs the certificate attesting to the validity of the information contained within the certificate.
public key certificate • A public key certificate contains several fields, including:Issuer - The issuer is the CA that issued the certificate. If a user trusts the CA that issues a certificate, and if the certificate is valid, the user can trust the certificate. • Period of validity - A certificate has an expiration date, and this date is one piece of information that should be checked when verifying the validity of a certificate. • Subject - The subject field includes information about the entity that the certificate represents. • Subject's public key - The primary piece of information that the certificate provides is the subject's public key. All the other fields are provided to ensure the validity of this key. • Signature - The certificate is digitally signed by the CA that issued the certificate. The signature is created using the CA's private key and ensures the validity of the certificate. Because only the certificate is signed, not the data sent in the SSL transaction, SSL does not provide for non-repudiation.
public key certificate • If Bob only accepts Alice's public key as valid when she sends it in a public key certificate, Bob will not be fooled into sending secret information to Charlie when Charlie masquerades as Alice. • Multiple certificates may be linked in a certificate chain. When a certificate chain is used, the first certificate is always that of the sender. The next is the certificate of the entity that issued the sender's certificate. If there are more certificates in the chain, each is that of the authority that issued the previous certificate. The final certificate in the chain is the certificate for a root CA. A root CA is a public certificate authority that is widely trusted. Information for several root CAs is typically stored in the client's Internet browser. This information includes the CA's public key. Well-known CAs include VeriSign, Entrust, and GTE CyberTrust. •
Man-in-the-Middle Attacks • A Man-in-the-Middle Attack (MITM) is a form of cyber eavesdropping in which malicious actors insert themselves into a conversation between two parties and intercept data through a compromised but trusted system. The targets are often intellectual property or fiduciary information. MITM aggressors will also use malware to open the communications channel with the hopes of creating zombie machines or building vast networks of comprised systems. Man-in-the-Middle Attacks can be used as way into systems in order to execute an advanced persistent threat (APT). • In many cases organizations are unaware their session and/or data has been tampered with until it is much too late. If a MITM attack is successful, organizations experience negative brand perception, reduced customers’ confidence and ultimately a damaged bottom line.
How Man-in-the- Middle Attacks work • MITM attacks can be executed in a number of different ways that exploit communications between other parties. Whether by passive or active means, an MITM attack finds a way between a user and an entity and attempts to conceal the breach and information theft. Below are common ways Man-in-the- Middle Attacks manipulate communication systems.
Types of Man-in-the-Middle Attacks • Email Hijacking – attackers gain access to a user’s email account and watch transactions to and from the account. When the time is right, for instance the user is exchanging funds with another party, the attacker takes advantage of the situation by attempting to intercept the funds by spoofing one or all members of the conversation. • Wi-Fi Eavesdropping – a passive way to deploy MITM attacks, Wi-Fi eavesdropping involves cyber hackers setting up public Wi-Fi connections, typically with an unsuspecting name, and gain access to their victims as soon as they connect to the malicious Wi-Fi. • Session Hijacking – session hijacking is when an attacker gains access to an online session via a stolen session key or stolen browser cookies. • DNS Spoofing – an attacker engages in DNS spoofing by altering a website’s address record within a DNS (domain name server) server. A victim unknowingly visits the fake site and the attacker will attempt to steal their information. • IP Spoofing – similar to DNS spoofing, IP Spoofing sees an attacker attempt to divert traffic to a fraudulent website with malicious intent. Instead of spoofing the website’s address record, the attacker disguises an IP (internet protocol) address.
How to Prevent Man-in-the-Middle Attacks • Implement a comprehensive Email Security Solution – an email security solution is a vital tool in an organizations security architecture that will help minimize the risks associated with MITM. It secures email activity pro-actively while staff focuses efforts elsewhere. • Implement a Web Security Solution – a strong web security tool provides visibility to web traffic generated by both the system and end user at protocol and port layers. Similar to an email security tool, this implementation protects your organization’s web traffic so the security team can cover more ground. • Educate Employees – Making training relevant to the employee is key to training effectiveness. Prepare your workforce for these advanced attacks by educating them on the dynamics, patterns, samples and frequency of attack methods attempted on other organizations. Case studies are a valuable resource when putting together educational materials and awareness programs. • Keep credentials secure - Check your user credentials often. Make sure your passwords are secure, complex and updated every three months at a minimum. This will aid in your company’s protection by keeping credentials fresh and more difficult to crack. • Forcepoint can help you prevent and guard against Man-in-the-Middle attacks. Both Forcepoint’s Email Security and Web Security tools offer best-in-class protection. For more, visit Forcepoint’s product overview.

Recommended

Security services and mechanisms
Security services and mechanismsSecurity services and mechanisms
Security services and mechanisms
Rajapriya82
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniques
Dr.Florence Dayana
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
patisa
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
Hashing
HashingHashing
Hashing
Hossain Md Shakhawat
 
Hash Function
Hash FunctionHash Function
Hash Function
Siddharth Srivastava
 
Message authentication
Message authenticationMessage authentication
Message authentication
CAS
 

Recommended

Security services and mechanisms
Security services and mechanismsSecurity services and mechanisms
Security services and mechanisms
Rajapriya82
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniques
Dr.Florence Dayana
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
patisa
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
Hashing
HashingHashing
Hashing
Hossain Md Shakhawat
 
Hash Function
Hash FunctionHash Function
Hash Function
Siddharth Srivastava
 
Message authentication
Message authenticationMessage authentication
Message authentication
CAS
 
Web Security
Web SecurityWeb Security
Web Security
Dr.Florence Dayana
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
Mijanur Rahman Milon
 
Email security
Email securityEmail security
Email security
Indrajit Sreemany
 
Elgamal & schnorr digital signature scheme copy
Elgamal & schnorr digital signature scheme copyElgamal & schnorr digital signature scheme copy
Elgamal & schnorr digital signature scheme copy
North Cap University (NCU) Formely ITM University
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
Mohamed Talaat
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
Adarsh Patel
 
Kerberos
KerberosKerberos
Kerberos
Sutanu Paul
 
remote procedure calls
remote procedure calls remote procedure calls
remote procedure calls
Ashish Kumar
 
Classical Encryption Techniques in Network Security
Classical Encryption Techniques in Network SecurityClassical Encryption Techniques in Network Security
Classical Encryption Techniques in Network Security
babak danyal
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipher
daniyalqureshi712
 
12 symmetric key cryptography
12 symmetric key cryptography12 symmetric key cryptography
12 symmetric key cryptography
drewz lin
 
PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIME
Sou Jana
 
Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...
Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...
Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...
Gyanmanjari Institute Of Technology
 
DES
DESDES
DES
Naga Srimanyu Timmaraju
 
MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : Algorithm
Sahil Kureel
 
Concurrency control
Concurrency controlConcurrency control
Concurrency control
Subhasish Pati
 
Ipsec
IpsecIpsec
Ipsec
Rupesh Mishra
 
Cryptography ppt
Cryptography pptCryptography ppt
Cryptography ppt
OECLIB Odisha Electronics Control Library
 
Multiversion Concurrency Control Techniques
Multiversion Concurrency Control TechniquesMultiversion Concurrency Control Techniques
Multiversion Concurrency Control Techniques
Raj vardhan
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
Triad Square InfoSec
 
Digital signature
Digital signatureDigital signature
Digital signature
AJAL A J
 
Unit v
Unit vUnit v
Unit v
Bathshebaparimala
 

More Related Content

What's hot

remote procedure calls
remote procedure calls remote procedure calls
remote procedure calls
Ashish Kumar
 
12 symmetric key cryptography
12 symmetric key cryptography12 symmetric key cryptography
12 symmetric key cryptography
drewz lin
 

What's hot (20)

Web Security
Web SecurityWeb Security
Web Security
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
 
Email security
Email securityEmail security
Email security
 
Elgamal & schnorr digital signature scheme copy
Elgamal & schnorr digital signature scheme copyElgamal & schnorr digital signature scheme copy
Elgamal & schnorr digital signature scheme copy
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
 
Kerberos
KerberosKerberos
Kerberos
 
remote procedure calls
remote procedure calls remote procedure calls
remote procedure calls
 
Classical Encryption Techniques in Network Security
Classical Encryption Techniques in Network SecurityClassical Encryption Techniques in Network Security
Classical Encryption Techniques in Network Security
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipher
 
12 symmetric key cryptography
12 symmetric key cryptography12 symmetric key cryptography
12 symmetric key cryptography
 
PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIME
 
Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...
Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...
Distributed DBMS - Unit 8 - Distributed Transaction Management & Concurrency ...
 
DES
DESDES
DES
 
MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : Algorithm
 
Concurrency control
Concurrency controlConcurrency control
Concurrency control
 
Ipsec
IpsecIpsec
Ipsec
 
Cryptography ppt
Cryptography pptCryptography ppt
Cryptography ppt
 
Multiversion Concurrency Control Techniques
Multiversion Concurrency Control TechniquesMultiversion Concurrency Control Techniques
Multiversion Concurrency Control Techniques
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
 

Similar to Information Security (Digital Signatures)

Digital certificates
Digital certificatesDigital certificates
Digital certificates
Simmi Kamra
 

Similar to Information Security (Digital Signatures) (20)

Digital signature
Digital signatureDigital signature
Digital signature
 
Unit v
Unit vUnit v
Unit v
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Sindhu priya .s
Sindhu priya .sSindhu priya .s
Sindhu priya .s
 
D.Silpa
D.SilpaD.Silpa
D.Silpa
 
Digital_signature_ppt.pptx
Digital_signature_ppt.pptxDigital_signature_ppt.pptx
Digital_signature_ppt.pptx
 
E business--dig sig
E business--dig sigE business--dig sig
E business--dig sig
 
Digital signature.pptx
Digital signature.pptxDigital signature.pptx
Digital signature.pptx
 
DIGITAL SIGNATURE PPT
DIGITAL SIGNATURE PPTDIGITAL SIGNATURE PPT
DIGITAL SIGNATURE PPT
 
Digital signatur
Digital signaturDigital signatur
Digital signatur
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
DIGITAL SIGNATURE PPT.pptx
DIGITAL SIGNATURE PPT.pptxDIGITAL SIGNATURE PPT.pptx
DIGITAL SIGNATURE PPT.pptx
 
Cryptography
CryptographyCryptography
Cryptography
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Dsc ppt
Dsc pptDsc ppt
Dsc ppt
 
Digital signatures - A mathematical scheme for demonstrating the authenticity...
Digital signatures - A mathematical scheme for demonstrating the authenticity...Digital signatures - A mathematical scheme for demonstrating the authenticity...
Digital signatures - A mathematical scheme for demonstrating the authenticity...
 
Creation & Verification of Digital Signature using Digisigner
Creation & Verification of Digital Signature using DigisignerCreation & Verification of Digital Signature using Digisigner
Creation & Verification of Digital Signature using Digisigner
 
Public Digital Identity as a Service
Public Digital Identity as a ServicePublic Digital Identity as a Service
Public Digital Identity as a Service
 

More from Zara Nawaz

More from Zara Nawaz (11)

Translation Look Aside buffer
Translation Look Aside buffer Translation Look Aside buffer
Translation Look Aside buffer
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
information security(Public key encryption its characteristics and weakness, ...
information security(Public key encryption its characteristics and weakness, ...information security(Public key encryption its characteristics and weakness, ...
information security(Public key encryption its characteristics and weakness, ...
 
information security(Feistal Cipher)
information security(Feistal Cipher)information security(Feistal Cipher)
information security(Feistal Cipher)
 
Information security (Symmetric encryption, cryptography, crypto-analysis)
Information security (Symmetric encryption, cryptography, crypto-analysis)Information security (Symmetric encryption, cryptography, crypto-analysis)
Information security (Symmetric encryption, cryptography, crypto-analysis)
 
information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
 
Information Security (Malicious Software)
Information Security (Malicious Software)Information Security (Malicious Software)
Information Security (Malicious Software)
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
Lecture01 algorithm analysis
Lecture01 algorithm analysisLecture01 algorithm analysis
Lecture01 algorithm analysis
 

Recently uploaded

Accounting and finance exit exam 2016 E.C.pdf
Accounting and finance exit exam 2016 E.C.pdfAccounting and finance exit exam 2016 E.C.pdf
Accounting and finance exit exam 2016 E.C.pdf
YibeltalNibretu
 
plant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated cropsplant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated crops
parmarsneha2
 
Industrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportIndustrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training Report
Avinash Rai
 

Recently uploaded (20)

Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
 
Accounting and finance exit exam 2016 E.C.pdf
Accounting and finance exit exam 2016 E.C.pdfAccounting and finance exit exam 2016 E.C.pdf
Accounting and finance exit exam 2016 E.C.pdf
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
Benefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational ResourcesBenefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational Resources
 
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxJose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
 
plant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated cropsplant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated crops
 
Industrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportIndustrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training Report
 
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdfINU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
 
How to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPHow to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERP
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS Module
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptx
 

Information Security (Digital Signatures)

  • 2. Digital signature • A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic. Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it. • Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures.
  • 3. Digital signature • A digital signature is a mathematical technique which validates the authenticity and integrity of a message, software or digital documents. It allows us to verify the author name, date and time of signatures, and authenticate the message contents. The digital signature offers far more inherent security and intended to solve the problem of tampering and impersonation (Intentionally copy another person's characteristics) in digital communications.
  • 4. Application of Digital Signature • The important reason to implement digital signature to communication is: • Authentication • Non-repudiation • Integrity
  • 5. Application of Digital Signature • Authentication • Authentication is a process which verifies the identity of a user who wants to access the system. In the digital signature, authentication helps to authenticate the sources of messages. • Non-repudiation • Non-repudiation means assurance of something that cannot be denied. It ensures that someone to a contract or communication cannot later deny the authenticity of their signature on a document or in a file or the sending of a message that they originated. • Integrity • Integrity ensures that the message is real, accurate and safeguards from unauthorized user modification during the transmission.
  • 6. Algorithms in Digital Signature • Key Generation Algorithms : Digital signature are electronic signatures, which assures that the message was sent by a particular sender. While performing digital transactions authenticity and integrity should be assured, otherwise the data can be altered or someone can also act as if he was the sender and expect a reply. • Signing Algorithms: To create a digital signature, signing algorithms like email programs create a one-way hash of the electronic data which is to be signed. The signing algorithm then encrypts the hash value using the private key (signature key). This encrypted hash along with other information like the hashing algorithm is the digital signature. This digital signature is appended with the data and sent to the verifier. The reason for encrypting the hash instead of the entire message or document is that a hash function converts any arbitrary input into a much shorter fixed length value. This saves time as now instead of signing a long message a shorter hash value has to be signed and moreover hashing is much faster than signing.
  • 7. Algorithms in Digital Signature • Signature Verification Algorithms : Verifier receives Digital Signature along with the data. It then uses Verification algorithm to process on the digital signature and the public key (verification key) and generates some value. It also applies the same hash function on the received data and generates a hash value. Then the hash value and the output of the verification algorithm are compared. If they both are equal, then the digital signature is valid else it is invalid.
  • 8. How Digital Signature Works… • The steps followed in creating digital signature are : • Message digest is computed by applying hash function on the message and then message digest is encrypted using private key of sender to form the digital signature. (digital signature = encryption (private key of sender, message digest) and message digest = message digest algorithm(message)). • Digital signature is then transmitted with the message.(message + digital signature is transmitted) • Receiver decrypts the digital signature using the public key of sender.(This assures authenticity,as only sender has his private key so only sender can encrypt using his private key which can thus be decrypted by sender’s public key). • The receiver now has the message digest. • The receiver can compute the message digest from the message (actual message is sent with the digital signature). • The message digest computed by receiver and the message digest (got by decryption on digital signature) need to be same for ensuring integrity.
  • 9.
  • 11. Types of Digital Signature • Certified Signatures • The certified digital signature documents display a unique blue ribbon across the top of the document. The certified signature contains the name of the document signer and the certificate issuer which indicate the authorship and authenticity of the document. • Approval Signatures • The approval digital signatures on a document can be used in the organization's business workflow. They help to optimize the organization's approval procedure. The procedure involves capturing approvals made by us and other individuals and embedding them within the PDF document. The approval signatures to include details such as an image of our physical signature, location, date, and official seal.
  • 12. Types of Digital Signature • Visible Digital Signature • The visible digital signature allows a user to sign a single document digitally. This signature appears on a document in the same way as signatures are signed on a physical document. • Invisible Digital Signature • The invisible digital signatures carry a visual indication of a blue ribbon within a document in the taskbar. We can use invisible digital signatures when we do not have or do not want to display our signature but need to provide the authenticity of the document, its integrity, and its origin.
  • 13. Digital Certificate • Digital certificate is issued by a trusted third party which proves sender's identity to the receiver and receiver’s identity to the sender. A digital certificate is a certificate issued by a Certificate Authority (CA) to verify the identity of the certificate holder. The CA issues an encrypted digital certificate containing the applicant’s public key and a variety of other identification information. Digital certificate is used to attach public key with a particular individual or an entity.
  • 14. Digital certificate contains:- • Name of certificate holder. • Serial number which is used to uniquely identify a certificate, the individual or the entity identified by the certificate • Expiration dates. • Copy of certificate holder's public key.(used for decrypting messages and digital signatures) • Digital Signature of the certificate issuing authority. • Digital ceritifcate is also sent with the digital signature and the message.
  • 15.
  • 16. Digital certificate vs digital signature : Digital signature is used to verify authenticity, integrity, non- repudiation ,i.e. it is assuring that the message is sent by the known user and not modified, while digital certificate is used to verify the identity of the user, maybe sender or receiver. Thus, digital signature and certificate are different kind of things but both are used for security. Most websites use digital certificate to enhance trust of their users.
  • 17. Digital certificate vs digital signature : FEATURE DIGITAL SIGNATURE DIGITAL CERTIFICATE Basics / Definition Digital signature is like a fingerprint or an attachment to a digital document that ensures its authenticity and integrity. Digital certificate is a file that ensures holder’s identity and provides security. Process / Steps Hashed value of original message is encrypted with sender’s secret key to generate the digital signature. It is generated by CA (Certifying Authority) that involves four steps: Key Generation, Registration, Verification, Creation. Security Services Authenticity of Sender, integrity of the document and non- repudiation. It provides security and authenticity of certificate holder. Standard It follows Digital Signature Standard (DSS). It follows X.509 Standard Format
  • 18. one-way hash function • A one-way hash function, also known as a message digest, fingerprint or compression function, is a mathematical function which takes a variable- length input string and converts it into a fixed-length binary sequence. • Hash functions are extremely useful and appear in almost all information security applications. • A hash function is a mathematical function that converts a numerical input value into another compressed numerical value. The input to the hash function is of arbitrary length but output is always of fixed length. • Values returned by a hash function are called message digest or simply hash values. The following picture illustrated hash function −
  • 20. Features of Hash Functions • The typical features of hash functions are − • Fixed Length Output (Hash Value) • Hash function coverts data of arbitrary length to a fixed length. This process is often referred to as hashing the data. • In general, the hash is much smaller than the input data, hence hash functions are sometimes called compression functions. • Since a hash is a smaller representation of a larger data, it is also referred to as a digest. • Hash function with n bit output is referred to as an n-bit hash function. Popular hash functions generate values between 160 and 512 bits. • Efficiency of Operation • Generally for any hash function h with input x, computation of h(x) is a fast operation. • Computationally hash functions are much faster than a symmetric encryption.
  • 21. Properties of Hash Functions • In order to be an effective cryptographic tool, the hash function is desired to possess following properties − • Pre-Image Resistance • This property means that it should be computationally hard to reverse a hash function. • In other words, if a hash function h produced a hash value z, then it should be a difficult process to find any input value x that hashes to z. • This property protects against an attacker who only has a hash value and is trying to find the input. • Second Pre-Image Resistance • This property means given an input and its hash, it should be hard to find a different input with the same hash. • In other words, if a hash function h for an input x produces hash value h(x), then it should be difficult to find any other input value y such that h(y) = h(x). • This property of hash function protects against an attacker who has an input value and its hash, and wants to substitute different value as legitimate value in place of original input value.
  • 22. Properties of Hash Functions • Collision Resistance • This property means it should be hard to find two different inputs of any length that result in the same hash. This property is also referred to as collision free hash function. • In other words, for a hash function h, it is hard to find any two different inputs x and y such that h(x) = h(y). • Since, hash function is compressing function with fixed hash length, it is impossible for a hash function not to have collisions. This property of collision free only confirms that these collisions should be hard to find. • This property makes it very difficult for an attacker to find two input values with the same hash. • Also, if a hash function is collision-resistant then it is second pre-image resistant.
  • 23. Design of Hashing Algorithms • At the heart of a hashing is a mathematical function that operates on two fixed-size blocks of data to create a hash code. This hash function forms the part of the hashing algorithm. • The size of each data block varies depending on the algorithm. Typically the block sizes are from 128 bits to 512 bits. The following illustration demonstrates hash function −
  • 24. • Hashing algorithm involves rounds of above hash function like a block cipher. Each round takes an input of a fixed size, typically a combination of the most recent message block and the output of the last round. • This process is repeated for as many rounds as are required to hash the entire message. Schematic of hashing algorithm is depicted in the following illustration −
  • 25. Message Authentication Code (MAC) • threat that exist for data is the lack of message authentication. In this threat, the user is not sure about the originator of the message. Message authentication can be provided using the cryptographic techniques that use secret keys as done in case of encryption. • MAC algorithm is a symmetric key cryptographic technique to provide message authentication. For establishing MAC process, the sender and receiver share a symmetric key K. • Essentially, a MAC is an encrypted checksum generated on the underlying message that is sent along with a message to ensure message authentication.
  • 26. Message Authentication Code (MAC) • The process of using MAC for authentication is depicted in the following illustration −
  • 27. Message Authentication Code (MAC) • Let us now try to understand the entire process in detail − • The sender uses some publicly known MAC algorithm, inputs the message and the secret key K and produces a MAC value. • Similar to hash, MAC function also compresses an arbitrary long input into a fixed length output. The major difference between hash and MAC is that MAC uses secret key during the compression. • The sender forwards the message along with the MAC. Here, we assume that the message is sent in the clear, as we are concerned of providing message origin authentication, not confidentiality. If confidentiality is required then the message needs encryption.
  • 28. Message Authentication Code (MAC) • On receipt of the message and the MAC, the receiver feeds the received message and the shared secret key K into the MAC algorithm and re-computes the MAC value. • The receiver now checks equality of freshly computed MAC with the MAC received from the sender. If they match, then the receiver accepts the message and assures himself that the message has been sent by the intended sender. • If the computed MAC does not match the MAC sent by the sender, the receiver cannot determine whether it is the message that has been altered or it is the origin that has been falsified. As a bottom- line, a receiver safely assumes that the message is not the genuine.
  • 29. Limitations of MAC • There are two major limitations of MAC, both due to its symmetric nature of operation − • Establishment of Shared Secret. • It can provide message authentication among pre-decided legitimate users who have shared key. • This requires establishment of shared secret prior to use of MAC. • Inability to Provide Non-Repudiation • Non-repudiation is the assurance that a message originator cannot deny any previously sent messages and commitments or actions. • MAC technique does not provide a non-repudiation service. If the sender and receiver get involved in a dispute over message origination, MACs cannot provide a proof that a message was indeed sent by the sender. • Though no third party can compute the MAC, still sender could deny having sent the message and claim that the receiver forged it, as it is impossible to determine which of the two parties computed the MAC.
  • 30. Birthday attack in Cryptography Birthday attack is a type of cryptographic attack that belongs to a class of brute force attacks. It exploits the mathematics behind the birthday problem in probability theory. The success of this attack largely depends upon the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations, as described in the birthday paradox problem.
  • 31. Birthday paradox problem – Let us consider the example of a classroom of 30 students and a teacher. The teacher wishes to find pairs of students that have the same birthday. Hence the teacher asks for everyone’s birthday to find such pairs. Intuitively this value may seem small. For example, if the teacher fixes a particular date say October 10, then the probability that at least one student is born on that day is 1 – (364/365)30 which is about 7.9%. However, the probability that at least one student have same birthday as any other student is around 70% using the following formula: • 1 - 365!/((365 - n!) * (365n)) (substituting n = 70 here)
  • 32. Birthday paradox problem – • Assumptions – 1. Assuming a non leap year(hence 365 days). 2. Assuming that a person has equally likely chance of being born on any day of the year. Let us consider n = 2. P(Two people have the same birthday) = 1 – P(Two people having different birthday) = 1 – (365*365)*(364*365) = 1 – 1*(364/365) = 1 – 364/365 = 1/365. So for n people the probability that all of them have different birthday is: P(N people having different birthdays) = (365/365)*(365-1/365)*(365- 2/365)*….(365-n+1)/365. = 365!/((365-n)! * 365n)
  • 33. public key certificate • A public key certificate provides a safe way for an entity to pass on its public key to be used in asymmetric cryptography. The public key certificate avoids the following situation: if Charlie creates his own public key and private key, he can claim that he is Alice and send his public key to Bob. Bob will be able to communicate with Charlie, but Bob will think that he is sending his data to Alice. • A public key certificate can be thought of as the digital equivalent of a passport. It is issued by a trusted organization and provides identification for the bearer. A trusted organization that issues public key certificates is known as a certificate authority (CA). The CA can be likened to a notary public. To obtain a certificate from a CA, one must provide proof of identity. When the CA is confident that the applicant represents the organization it says it represents, the CA signs the certificate attesting to the validity of the information contained within the certificate.
  • 34. public key certificate • A public key certificate contains several fields, including:Issuer - The issuer is the CA that issued the certificate. If a user trusts the CA that issues a certificate, and if the certificate is valid, the user can trust the certificate. • Period of validity - A certificate has an expiration date, and this date is one piece of information that should be checked when verifying the validity of a certificate. • Subject - The subject field includes information about the entity that the certificate represents. • Subject's public key - The primary piece of information that the certificate provides is the subject's public key. All the other fields are provided to ensure the validity of this key. • Signature - The certificate is digitally signed by the CA that issued the certificate. The signature is created using the CA's private key and ensures the validity of the certificate. Because only the certificate is signed, not the data sent in the SSL transaction, SSL does not provide for non-repudiation.
  • 35. public key certificate • If Bob only accepts Alice's public key as valid when she sends it in a public key certificate, Bob will not be fooled into sending secret information to Charlie when Charlie masquerades as Alice. • Multiple certificates may be linked in a certificate chain. When a certificate chain is used, the first certificate is always that of the sender. The next is the certificate of the entity that issued the sender's certificate. If there are more certificates in the chain, each is that of the authority that issued the previous certificate. The final certificate in the chain is the certificate for a root CA. A root CA is a public certificate authority that is widely trusted. Information for several root CAs is typically stored in the client's Internet browser. This information includes the CA's public key. Well-known CAs include VeriSign, Entrust, and GTE CyberTrust. •
  • 36. Man-in-the-Middle Attacks • A Man-in-the-Middle Attack (MITM) is a form of cyber eavesdropping in which malicious actors insert themselves into a conversation between two parties and intercept data through a compromised but trusted system. The targets are often intellectual property or fiduciary information. MITM aggressors will also use malware to open the communications channel with the hopes of creating zombie machines or building vast networks of comprised systems. Man-in-the-Middle Attacks can be used as way into systems in order to execute an advanced persistent threat (APT). • In many cases organizations are unaware their session and/or data has been tampered with until it is much too late. If a MITM attack is successful, organizations experience negative brand perception, reduced customers’ confidence and ultimately a damaged bottom line.
  • 37. How Man-in-the- Middle Attacks work • MITM attacks can be executed in a number of different ways that exploit communications between other parties. Whether by passive or active means, an MITM attack finds a way between a user and an entity and attempts to conceal the breach and information theft. Below are common ways Man-in-the- Middle Attacks manipulate communication systems.
  • 38. Types of Man-in-the-Middle Attacks • Email Hijacking – attackers gain access to a user’s email account and watch transactions to and from the account. When the time is right, for instance the user is exchanging funds with another party, the attacker takes advantage of the situation by attempting to intercept the funds by spoofing one or all members of the conversation. • Wi-Fi Eavesdropping – a passive way to deploy MITM attacks, Wi-Fi eavesdropping involves cyber hackers setting up public Wi-Fi connections, typically with an unsuspecting name, and gain access to their victims as soon as they connect to the malicious Wi-Fi. • Session Hijacking – session hijacking is when an attacker gains access to an online session via a stolen session key or stolen browser cookies. • DNS Spoofing – an attacker engages in DNS spoofing by altering a website’s address record within a DNS (domain name server) server. A victim unknowingly visits the fake site and the attacker will attempt to steal their information. • IP Spoofing – similar to DNS spoofing, IP Spoofing sees an attacker attempt to divert traffic to a fraudulent website with malicious intent. Instead of spoofing the website’s address record, the attacker disguises an IP (internet protocol) address.
  • 39. How to Prevent Man-in-the-Middle Attacks • Implement a comprehensive Email Security Solution – an email security solution is a vital tool in an organizations security architecture that will help minimize the risks associated with MITM. It secures email activity pro-actively while staff focuses efforts elsewhere. • Implement a Web Security Solution – a strong web security tool provides visibility to web traffic generated by both the system and end user at protocol and port layers. Similar to an email security tool, this implementation protects your organization’s web traffic so the security team can cover more ground. • Educate Employees – Making training relevant to the employee is key to training effectiveness. Prepare your workforce for these advanced attacks by educating them on the dynamics, patterns, samples and frequency of attack methods attempted on other organizations. Case studies are a valuable resource when putting together educational materials and awareness programs. • Keep credentials secure - Check your user credentials often. Make sure your passwords are secure, complex and updated every three months at a minimum. This will aid in your company’s protection by keeping credentials fresh and more difficult to crack. • Forcepoint can help you prevent and guard against Man-in-the-Middle attacks. Both Forcepoint’s Email Security and Web Security tools offer best-in-class protection. For more, visit Forcepoint’s product overview.