9 ani în urmă · 3aa451b53e
--- a/Security/lesson_04.md
+++ b/Security/lesson_04.md
@@ -0,0 +1,40 @@
 
				+# Computer Security - lesson 4
			
 
				+#### Federico Maggi
			
 
				+###### 31 March 2016
			
 
				+## Digital Signature
			
 
				+Collision itself is not very interesting for an attacker, in fact a random email 
			
 
				+that matches the hash is not useful, an attacker would like to forge a specific
			
 
				+document and pass an integrity check
			
 
				+
			
 
				+### Identity issue
			
 
				+For real life use we need to associate a name with a key, otherwise we would
			
 
				+need a secure channel for exchange public keys, otherwise everyone would be 
			
 
				+able to forge a public key and pretend to be the sender.
			
 
				+Another instance of the problem is the ability of verifying that the website
			
 
				+we are connecting to is the real one.
			
 
				+
			
 
				+### PKI
			
 
				+An authority (CA) digitally signs files called __digital certificates__ to bind
			
 
				+an identity to a public key. es: X.509 is a format for pk certificates.
			
 
				+A certificate contains informations in the identity and the public key and is 
			
 
				+signed (hashed and encrypted) by the CA.
			
 
				+This introduces a problem of __trust__, who trusts the CA?
			
 
				+We need a __Top-level CA__ (root CA, source CA), that uses a self-signed certificate
			
 
				+to say "I am myself"
			
 
				+Then we can make a chain, or rather a tree of CA trust, where the trusted element is the root CA
			
 
				+
			
 
				+#### How to distribute the trusted element?
			
 
				+A way of *decentralizing trust* is the __web of trust__
			
 
				+There is a whole research field about "What you see is what you sign"
			
 
				+
			
 
				+### Identification vs Authentication
			
 
				+- Humans mutually authenticates implicitly, eg: by recognize the face, ecc...
			
 
				+- Human to computer authentication is not easy
			
 
				+- Computer to computer authentication is easy
			
 
				+
			
 
				+#### Three factors of authentication
			
 
				+- Something that you know: password, pin, secret handshake
			
 
				+- Something that you have: Door key, smart card, token
			
 
				+- Something that you are: Face, voice, fingerprints.
			
 
				+
			
 
				+Usually some of the three measures are combined, example: two factor authentication
			
--- a/Security/lesson_05.md
+++ b/Security/lesson_05.md
@@ -0,0 +1,46 @@
 
				+# Computer Security - lesson 5
			
 
				+#### Federico Maggi
			
 
				+###### 1 April 2016
			
 
				+## Authentication
			
 
				+__Authentication__ solve the problem of *validating* and identity.
			
 
				+Can be
			
 
				+- unidirectional
			
 
				+- bidirectional (mutual): both entities authenticates
			
 
				+Authentication is necessary for authorization: enforcing of certain permits or not.
			
 
				+
			
 
				+## The "to know" factor authentication
			
 
				+Passwords or secrets
			
 
				+can be stolen or guessed, or spied, or even bruteforced.
			
 
				+We can mitigate these problems with enforcing change of password or lenght constraints.
			
 
				+Website with hints on strong passwords.
			
 
				+`passfault.appspot.com`
			
 
				+
			
 
				+### Problem of sending a secret over untrusted channel
			
 
				+for example over the internet it is not safe to send the secret in plaintext for authentication
			
 
				+A more safe system is the __challenge response__ one, for example the server asks you
			
 
				+to send him to compute the hash of *some random data + your secret*
			
 
				+This consists in a cryptographic proof that the user owns the password.
			
 
				+A typical response is Hash(random data + secret + other random data) + other random data.
			
 
				+Usually in this case *mutual authentication* is needed to avoid __Man in the middle__ attacks.
			
 
				+__Replay attacks__ consists in intercepting the password and using it again.
			
 
				+
			
 
				+### Secret storage
			
 
				+The passwords must be never stored in *cleartext*, instead the *password hash* can be stored.
			
 
				+Sites that emails back you your password in cleartext, it is an implicit proof that
			
 
				+they store your password in cleartext.
			
 
				+
			
 
				+Also __password recovery__ procedures must be implemented carefully otherwise they can be
			
 
				+a way of circumventing the main security measures.
			
 
				+
			
 
				+## The "to have" factor
			
 
				+There is a difference between *telling* a colleague a secret and *giving* a physical
			
 
				+object that contains a secret (e.g. a smart card with your photo on it)
			
 
				+Up to now they are cheap and offer a good level of security for the reason above.
			
 
				+
			
 
				+`Financial Crypto 2016 - How google killed 2factor authentication`
			
 
				+
			
 
				+## The "to be" factor
			
 
				+Financial Crypto 2016 - How google killed 2factor authentication
			
 
				+
			
 
				+## Single Sign On
			
 
				+Google, Yahoo, Facebook can be used as identity providers.