# Computer Security - lesson 4
#### Federico Maggi
###### 31 March 2016
## Digital Signature
Collision itself is not very interesting for an attacker, in fact a random email 
that matches the hash is not useful, an attacker would like to forge a specific
document and pass an integrity check

### Identity issue
For real life use we need to associate a name with a key, otherwise we would
need a secure channel for exchange public keys, otherwise everyone would be 
able to forge a public key and pretend to be the sender.
Another instance of the problem is the ability of verifying that the website
we are connecting to is the real one.

### PKI
An authority (CA) digitally signs files called __digital certificates__ to bind
an identity to a public key. es: X.509 is a format for pk certificates.
A certificate contains informations in the identity and the public key and is 
signed (hashed and encrypted) by the CA.
This introduces a problem of __trust__, who trusts the CA?
We need a __Top-level CA__ (root CA, source CA), that uses a self-signed certificate
to say "I am myself"
Then we can make a chain, or rather a tree of CA trust, where the trusted element is the root CA

#### How to distribute the trusted element?
A way of *decentralizing trust* is the __web of trust__
There is a whole research field about "What you see is what you sign"

### Identification vs Authentication
- Humans mutually authenticates implicitly, eg: by recognize the face, ecc...
- Human to computer authentication is not easy
- Computer to computer authentication is easy

#### Three factors of authentication
- Something that you know: password, pin, secret handshake
- Something that you have: Door key, smart card, token
- Something that you are: Face, voice, fingerprints.

Usually some of the three measures are combined, example: two factor authentication