
Cryptography applied for Data Security in Mobile Devices and Web

May 22, 2015


Manish Sinha

ASU Spring 2013: Information Assurance and Security Final presentation
Transcript
Page 1: Cryptography applied for Data Security in Mobile Devices and Web

Cryptography applied for Data Security in Mobile Devices and Web

CSE 543: Information Assurance and Security

Group Members:

Ajey Achutha - 1204395980

Aniket Bharati - 1205379574

Mahesh Kumar Muniyappa - 1204379964

Manish Sinha - 1205138775

Siddartha Polisetty - 1205111371

Page 2

Background and Motivation

● Aiming for security: why use cryptography?

● We will talk about the kinds of cryptography and the technologies involved.

● The rapid adoption of mobile and web has forced us to think about how to transfer data with ease while still enforcing the security and integrity of that data.

● This talk is a comprehensive analysis of possible points of vulnerability, the technologies that can be used, and general use cases for actively securing computer systems.

Page 3

Cryptographic Standards

Page 4

Pretty Good Privacy

PGP is a publicly available software application for the secure storage and transmission of sensitive data.

It provides strong security by combining compression, symmetric-key cryptography and public/private-key cryptography.

For authentication it relies on hashing: a hash of the message is what gets signed.

Page 5

Pretty Good Privacy (cont.)

Significant feature: key management. There is no central authority that manages keys. PGP instead uses a web of trust: a user distributes his public key over his network, and all the users who trust him sign his key to vouch for him as a legitimate user.

In this way PGP creates an interconnected community of users who are free to decide whom they trust and whom they do not.

Page 6

X.509 certificates

Unlike PGP, X.509 certification follows strict standards for PKI (public key infrastructure) and PMI (privilege management infrastructure).

In X.509 it is the certificate authority (CA) that issues or validates the certificate of a public key.

The CA is therefore the critical point of dependence: if a CA issues a certificate without verification, it becomes difficult to keep track of and manage the certificate holder's account, whereas with proper verification the CA can easily track its activity.

Page 7

Issues with X.509

● Complex, over-functional, and lacking documentation for standardization.

● Very difficult to determine manually whether a certificate has expired.

● Difficult to keep track of the number of certificates that have been issued for an organization, which makes them hard to manage.

● CAs can use the expiration date to abuse their clients.

Page 8

PGP vs. X.509

Since PGP does not follow any particular certification standard, we may end up allowing multiple signatures and identities per certificate, whereas the X.509 standard permits only one signature and identity per certificate.

The hierarchical structure of X.509 thus makes management easy but rigid, because of the strict standards it follows. PGP, by comparison, follows the web of trust, which makes trust easy to calculate and far more flexible, but at the same time more vulnerable.

Page 9

Cryptography on Web

Page 10

OpenID

● Allows users to make use of an existing account to sign in to multiple websites over the internet without having to create new passwords.

● A user can choose to associate information with his/her OpenID that can be shared with the websites he/she visits, such as a name or personal e-mail address.

● The user controls how much of that information is shared with each website. The password is given only to the identity provider, which then confirms the user's identity to the websites he/she visits.

● Other than the identity provider, no website ever sees the user's password, so the user need not worry about the account's security at each site.

Page 11

Working Principle of OpenID

● It uses HTTP query-string or form POST elements to represent individual fields, thus minimizing complexity and eliminating the need to parse a document.

● The core OpenID specification covers discovery and authentication. Several extensions expand the specification, for example to simplify registration, to exchange attributes efficiently, and to express provider authentication policy.

● In addition, OpenID uses the Diffie-Hellman key exchange to share a secret between the OpenID provider and relying parties. Diffie-Hellman allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel; this key can then be used to encrypt subsequent communications with a symmetric-key cipher.
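As an added example (not from the slides), the Diffie-Hellman step above in Go using X25519 from the standard library's crypto/ecdh: each side keeps its private value, only public values cross the channel, and the agreed secret is hashed before use as a MAC key, as the OpenID association step does. The function names and the SHA-256 derivation are assumptions; the OpenID wire format itself is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newKey makes one side's ephemeral X25519 key pair; the private half never leaves the process.
func newKey() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy available: nothing sensible to do
	}
	return priv
}

// sharedKey combines our private key with the peer's public bytes (the only
// value that crosses the insecure channel) and hashes the raw DH output into
// the 32-byte MAC key; wrong-length or low-order peer values are rejected.
func sharedKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

// associate runs the exchange end to end: each side derives the key from its
// own private value and the other's public value, and no key is ever sent.
func associate() (bool, error) {
	op, rp := newKey(), newKey() // OpenID Provider and Relying Party
	kOP, err1 := sharedKey(op, rp.PublicKey().Bytes())
	kRP, err2 := sharedKey(rp, op.PublicKey().Bytes())
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("association failed: %v / %v", err1, err2)
	}
	return bytes.Equal(kOP, kRP), nil
}

func main() {
	ok, err := associate()
	fmt.Println("shared MAC key agreed:", ok, err)
}
```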

Page 12

Flow in OpenID

1. Resource Request
2. Request OpenID
3. Enter OpenID
4. User Discovery and Trust Establishment
5. Redirect to OpenID Provider
6. Request Authentication
7. Authentication
8. Release attributes to RP
9. Redirect to RP
10. Request for resource with OpenID
11. Personalized resource

Page 13

OAuth

● The main idea behind OAuth is to grant access to information without actually sharing the password.

● Consider the scenario where OAuth comes into the picture: a resource is owned by a user at a service provider, and the user grants consumers access to that resource via OAuth.

● Served over SSL to enhance security.

Page 14

Use Cases of Cryptography

● Web of Trust:

No central trusted third party. Trust is formed directly between two entities/people. If entities are nodes and trust is an edge, the web of trust corresponds to a directed graph.

Page 15

Use Cases of Cryptography (cont.)

● Establishing a Web of Trust:

Everyone creates a public-private key pair. Everyone puts their public key on a keyserver (which holds everyone's public keys). If a user A wants to trust user B: A gets B's public key, A signs B's public key with his own private key, and A publishes the signed copy of B's public key on the keyserver. If other people have also signed B's key, all of those signatures are visible on the keyserver.

A signing B's key implies that A trusts B. This is represented as the edge A -> B in the directed graph that the web of trust forms.
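An added example, not part of the slides, that models this in Go with ed25519: a keyserver record becomes an edge A -> B only if its signature verifies under A's published key, and a hop limit lets the check go beyond the slide's one-hop rule to transitive trust. The record layout, the name-keyed maps and the users A to D are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// record is one keyserver entry: signer's signature over subject's public key.
type record struct{ signer, subject string; sig []byte }

// graph keeps only records that verify under the signer's published key (signer -> subject edges).
func graph(keys map[string]ed25519.PublicKey, recs []record) map[string][]string {
	g := map[string][]string{}
	for _, r := range recs {
		if pk, ok := keys[r.signer]; ok && ed25519.Verify(pk, keys[r.subject], r.sig) {
			g[r.signer] = append(g[r.signer], r.subject)
		}
	}
	return g
}

// trusts: can from reach to within maxHops signatures? 1 = the slide's rule; more = transitive.
func trusts(g map[string][]string, from, to string, maxHops int) bool {
	if maxHops == 0 {
		return false
	}
	for _, v := range g[from] {
		if v == to || trusts(g, v, to, maxHops-1) {
			return true
		}
	}
	return false
}

// demo builds A -> B -> C plus a forged "D signed C" record made with A's key.
func demo() (aC1, aC2, dC bool) {
	keys, priv := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, n := range []string{"A", "B", "C", "D"} {
		keys[n], priv[n], _ = ed25519.GenerateKey(rand.Reader)
	}
	recs := []record{
		{"A", "B", ed25519.Sign(priv["A"], keys["B"])},
		{"B", "C", ed25519.Sign(priv["B"], keys["C"])},
		{"D", "C", ed25519.Sign(priv["A"], keys["C"])}, // forged: D's name, A's key
	}
	g := graph(keys, recs)
	return trusts(g, "A", "C", 1), trusts(g, "A", "C", 2), trusts(g, "D", "C", 1)
}
func main() { fmt.Println(demo()) }
```

Real PGP keeps two things apart that this model folds together: certifying that a key belongs to B, and trusting B as an introducer whose own signatures count. The hop limit here stands in for that second, separately assigned trust.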

Page 16

Use Cases of Cryptography (cont.)

● Preventing Email Identity Theft

The origin of a mail (the sender address) can be spoofed. Mails can be signed using X.509 certificates. Mails can also be signed with a private PGP key, and the receiver can validate the origin if the sender is in the web of trust. The email client needs support for encrypting and decrypting the contents of the mail (support for the multipart/signed content type). Privacy Enhanced Mail was created to solve this problem and supports both X.509 and PGP.

Page 17

Use Cases of Cryptography (cont.)

● Secure Software Distribution

Every piece of software in the software store or repository is signed with the store's private key.

Every user has the store's public key in their personal keyring. Every software store has, in its keyring, the list of public keys of the developers who are allowed to publish applications.

For a publisher to publish an app, they sign the app with their private key; the software store verifies that signature, then signs the app again with its own private key and makes it available.

A user can have many software stores installed, each source of applications having its own published public key.
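An added example, not from the slides, of the software-store flow in Go with ed25519, which is also the same sign-then-verify step an email client runs on a signed message (Page 16), only applied to app bytes: the store accepts a package only from an enrolled developer key with a valid signature, counter-signs it, and the user checks nothing but the store's signature. The struct layout, the keyring lookup by raw key bytes and the sample payload are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// pkg travels developer -> store -> user: code, publisher key and signature, then the store's signature.
type pkg struct{ code, devKey, devSig, storeSig []byte }

// store owns a key pair and a keyring of enrolled developer public keys, keyed by their raw bytes.
type store struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey; keyring map[string]bool }

var errNotEnrolled = errors.New("developer key not in store keyring")
var errBadDevSig = errors.New("developer signature does not verify")

// publish requires an enrolled key and a valid developer signature before the store signs the same bytes.
func (s *store) publish(p pkg) (pkg, error) {
	if !s.keyring[string(p.devKey)] {
		return p, errNotEnrolled // checked first, so Verify only ever sees 32-byte keys
	}
	if !ed25519.Verify(p.devKey, p.code, p.devSig) {
		return p, errBadDevSig
	}
	p.storeSig = ed25519.Sign(s.priv, p.code)
	return p, nil
}

// install is the user's check: only the store's public key from the user's keyring is needed.
func install(storePub ed25519.PublicKey, p pkg) bool {
	return ed25519.Verify(storePub, p.code, p.storeSig)
}

// demo covers an enrolled developer, a byte flipped in transit, and a never-enrolled publisher.
func demo() (ok, tamperCaught bool, rogueErr error) {
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader)
	xPub, xPriv, _ := ed25519.GenerateKey(rand.Reader)
	st := &store{sPub, sPriv, map[string]bool{string(dPub): true}}
	code := []byte("constructed app bytes v1") // constructed sample payload
	app, err := st.publish(pkg{code: code, devKey: dPub, devSig: ed25519.Sign(dPriv, code)})
	ok = err == nil && install(sPub, app)
	app.code = append([]byte("x"), code[1:]...) // first byte altered in transit
	tamperCaught = !install(sPub, app)
	_, rogueErr = st.publish(pkg{code: code, devKey: xPub, devSig: ed25519.Sign(xPriv, code)})
	return ok, tamperCaught, rogueErr
}
func main() { fmt.Println(demo()) }
```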