
Added last two Computer Security lessons

Federico Amedeo Izzo, 9 years ago
parent commit 3aa451b53e
2 changed files with 86 additions and 0 deletions
  1. +40 -0 Computer Security/lesson_04.md
  2. +46 -0 Computer Security/lesson_05.md

+ 40 - 0
Computer Security/lesson_04.md

@@ -0,0 +1,40 @@
+# Computer Security - lesson 4
+#### Federico Maggi
+###### 31 March 2016
+## Digital Signature
+Collision itself is not very interesting for an attacker, in fact a random email 
+that matches the hash is not useful, an attacker would like to forge a specific
+document and pass an integrity check
+
+### Identity issue
+For real life use we need to associate a name with a key, otherwise we would
+need a secure channel for exchange public keys, otherwise everyone would be 
+able to forge a public key and pretend to be the sender.
+Another instance of the problem is the ability of verifying that the website
+we are connecting to is the real one.
+
+### PKI
+An authority (CA) digitally signs files called __digital certificates__ to bind
+an identity to a public key. es: X.509 is a format for pk certificates.
+A certificate contains informations in the identity and the public key and is 
+signed (hashed and encrypted) by the CA.
+This introduces a problem of __trust__, who trusts the CA?
+We need a __Top-level CA__ (root CA, source CA), that uses a self-signed certificate
+to say "I am myself"
+Then we can make a chain, or rather a tree of CA trust, where the trusted element is the root CA
+
+#### How to distribute the trusted element?
+A way of *decentralizing trust* is the __web of trust__
+There is a whole research field about "What you see is what you sign"
+
+### Identification vs Authentication
+- Humans mutually authenticates implicitly, eg: by recognize the face, ecc...
+- Human to computer authentication is not easy
+- Computer to computer authentication is easy
+
+#### Three factors of authentication
+- Something that you know: password, pin, secret handshake
+- Something that you have: Door key, smart card, token
+- Something that you are: Face, voice, fingerprints.
+
+Usually some of the three measures are combined, example: two factor authentication
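Review bot: the PKI paragraph describes a certificate as "signed (hashed and encrypted) by the CA", which conflates signing with encryption; suggest "signed by the CA (the certificate contents are hashed and the CA produces a signature over that hash with its private key), and anyone holding the CA's public key can verify it". In the "Identity issue" paragraph the two "otherwise" clauses contradict each other; the second should be "and without such a channel anyone could publish a public key and pretend to be the sender". The "Digital Signature" paragraph opens mid-argument ("Collision itself is not very interesting") with no statement of what collision is being discussed; a lead sentence naming hash collisions and second-preimage forgery would make the point self-contained. Minor language fixes: "es:" and "ecc..." are Italian and should be "e.g." and "etc.", "informations in the identity" should be "information on the identity", "pk certificates" should be "public-key certificates", and "Humans mutually authenticates implicitly, eg: by recognize the face" should read "Humans authenticate each other implicitly, e.g. by recognising a face".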

+ 46 - 0
Computer Security/lesson_05.md

@@ -0,0 +1,46 @@
+# Computer Security - lesson 5
+#### Federico Maggi
+###### 1 April 2016
+## Authentication
+__Authentication__ solve the problem of *validating* and identity.
+Can be
+- unidirectional
+- bidirectional (mutual): both entities authenticates
+Authentication is necessary for authorization: enforcing of certain permits or not.
+
+## The "to know" factor authentication
+Passwords or secrets
+can be stolen or guessed, or spied, or even bruteforced.
+We can mitigate these problems with enforcing change of password or lenght constraints.
+Website with hints on strong passwords.
+`passfault.appspot.com`
+
+### Problem of sending a secret over untrusted channel
+for example over the internet it is not safe to send the secret in plaintext for authentication
+A more safe system is the __challenge response__ one, for example the server asks you
+to send him to compute the hash of *some random data + your secret*
+This consists in a cryptographic proof that the user owns the password.
+A typical response is Hash(random data + secret + other random data) + other random data.
+Usually in this case *mutual authentication* is needed to avoid __Man in the middle__ attacks.
+__Replay attacks__ consists in intercepting the password and using it again.
+
+### Secret storage
+The passwords must be never stored in *cleartext*, instead the *password hash* can be stored.
+Sites that emails back you your password in cleartext, it is an implicit proof that
+they store your password in cleartext.
+
+Also __password recovery__ procedures must be implemented carefully otherwise they can be
+a way of circumventing the main security measures.
+
+## The "to have" factor
+There is a difference between *telling* a colleague a secret and *giving* a physical
+object that contains a secret (e.g. a smart card with your photo on it)
+Up to now they are cheap and offer a good level of security for the reason above.
+
+`Financial Crypto 2016 - How google killed 2factor authentication`
+
+## The "to be" factor
+Financial Crypto 2016 - How google killed 2factor authentication
+
+## Single Sign On
+Google, Yahoo, Facebook can be used as identity providers.
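Review bot: the replay-attack sentence in "Problem of sending a secret over untrusted channel" is detached from the challenge-response explanation above it; the note should state that the server's fresh random challenge is exactly what defeats replay (a captured Hash(random data + secret + ...) is useless once the random data changes), and that "intercepting the password" should be "intercepting the response". The "to be" factor section only repeats the "Financial Crypto 2016 - How google killed 2factor authentication" reference already given under the "to have" factor and contains no notes on biometrics; either fill it in or drop the duplicate line. In "Secret storage", "the *password hash* can be stored" would be more accurate as "a salted password hash should be stored", since an unsalted hash is still attackable with precomputed tables. Wording fixes: "__Authentication__ solve the problem of *validating* and identity" should be "solves the problem of *validating* an identity"; "both entities authenticates" should be "both entities authenticate"; "lenght" should be "length"; "A more safe system" should be "A safer system"; "This consists in a cryptographic proof" should be "This constitutes a cryptographic proof"; "Sites that emails back you your password" should be "Sites that email your password back to you".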