In the previous part of Website Loading series, I explained about application layer, the protocols that operate in it. That article told the basic grunt of work done by HTTP and DNS system. This article is to dispel doubts about whether the website loaded is secure or not. How will the website authenticate you?, Is your password under threat?, etc. All these things come under the domain of encryption and authentication.
Once a communication line is established with server during website loading, its necessary to ensure that communication line is not tampered with midway. This tunneling is ensured by using encryption.
While building communication with server – the client needs to prove his legitimacy. This proving of legitimacy is job of authentication. [Read More: Here is various authentication techniques explained.]
The security of system has 2 sources of attack hence 2 techniques are used. One source is false individual acting on your behalf (its impersonation at end points). Other one is person on network snooping on your communication (its eavesdropping). Encryption prevents eavesdropping. Authentication prevents impersonation. Lets get on with authentication first.
Authentication: identifying correct user
In case of real word, we use names to identify a person. Yet we often hear cases where a person misusing name to get his work done. In case of banks they go one step ahead and use signatures to identify individuals. Incase of computers there are 4 things used to identify individuals. (Read More: Authentication Techniques for mortals for knowing computer authentication models).
The computers use unique user names to identify individuals. Similarly we have names in real life to identify individuals. But username alone is not sufficient to identify as it can be misused. To help in this aspect passphrases were introduced. The passphrase is set when you first approach an organization to become its client. When you sign up for a service like mail, you are asked to set password, its asked to set a reasonable difficult password because, org doesn’t want your password to be easily guessable. The user name combined with passphrase identify an individual. If some one wants to impersonate you, he needs to identify your username and passphrase.
The system merges username and passwords together and creates a string containing both. and this string is then hashed i.e.1- way encrypted and sent to server. The server then matches this encrypted string with its own credentials generated during sign up time to log you in. Due to one way encryption (aka hashing) the server doesn’t know your password, hence it is safe from misuse by server administrator too.
The passphrases is called by various names like passwords, PINs, OTP’s, etc. Even the passphrases can be generated on the fly by RFID Cards, Finger Prints, retina prints too. In short its the passphrase which identifies you uniquely. This pass phrase can be something you remember(password, PIN), or something sent to you(OTPs), or some thing you have(Key Gen App, RFID Card), or something you are (your fingerprint or retina print). All these things passwords, pins, OTPs, fingerprints, keygen codes at the end gets converted into an alpha numeric string hence the term passphrase. This passphrase is compared by computer to identify.
But as we know there are really idiotic/gullible users who share their passphrases, to overcome their idiocy/gullible nature another layer of passphrase was added. This system of username and 2 passphrases is called as 2 factor authentication. Often times this 2nd layer password is freshly generated and sent to user like OTP’s. This 2nd layer works on “what you have” principle than “what you know” principle used often for passwords. Also a device/app is given to user to generate these passphrases too like Keygen. OTP and RNG grids are what you have things as they are on your device and freshly generated. Even RFID can be used for this purpose but RF readers are not prevalent.
In case of bio-metrics, your finger print is used to generate a random alpha numeric string which is matched with server to identify you. Since bio-metrics are unique to individuals, a separate user name is not required. The encrypted alpha numeric string is used as credentials on server whereas the bio-metric aspect be it fingerprint or retina print becomes unique user and password combo. The process of converting this bio-metric info to alpha numeric sting is equivalent to encryption, and another one way encryption of this string prevents misuse at server side. To impersonate bio metrics, one is supposed to have same fingerprint or retina print which is impossible.
Encryption: Secured Website Loading
In real world, we use coded language to pass on the secrets(often used by 11th and 12th std. boys). All these coded language are essentially a form of encryption. The role of encryption is to prevent the unauthorized person in the middle snooping on you. In case of code words, the words are pre decided by friends at college, and they use it whenever possible. But the code words would not be decipherable by nosy neighbor of yours because, he will not be knowing the hidden meaning of them. Encryption also does the same. It converts your information into gibberish string, which can be decoded only by the intended recipient.
In encryption there are 3 types of it. Symmetric, Asymmetric and Hashing. The coded language in above example was of symmetric encryption.
Symmetric Key Encryption:
In symmetric key encryption, the encryption and decryption happen based on inputting a passphrase. In case of encrypting hard drives, a encryption algorithm asks for a password to be set while encrypting the drive. When the drive has been encrypted, same password is needed to decrypt the drive. Since the keys used for encryption and decryption are same, its called as symmetric key encryption.
Even case of coded language in above mentioned example, the code words are established by friends. Hence decoding of them is by friends only. Third party doesn’t know the code, hence unable to decode the meaning. This type of encryption is used to encrypt your mobile contents.
The main drawback with Symmetric Key encryption is, compromise of the passphrase, compromises you. Once passphrase is known, anybody can decrypt and view your content. For this reason, symmetric key encryption is not used for securing web communication, but used for securing your device. For web another tech was created to over come this problem, It was called public key encryption.
Asymmetric key / Public Key Encryption:
To overcome the problem of key getting compromised. This dual key encryption was created. Here the keys required for encrypting and decryption are different. The server will send the public key to client. Client encrypts the content via public key. Then sends the ciphertext (the security parlance name for encrypted content) to server. Then server uses its private key to decrypt the ciphertext and retrieve the decrypted plaintext message. Since 2 keys are used its called as public key encryption.
With public key encryption one may feel secure, but this method is vulnerable to man in the middle attacks. In this attack an attacker would keep the public key sent by server to himself and send you a fake public key to you. You will send the message to attacker, thinking him to be safe server. The attacker will now have your credentials data to compromise you. To over come the problem, a reverse version of the same public key encryption is used.
In the reverse version of public key encryption, the server sends its public key generated by it as well as certificate containing public key issued by certifying authority. You receive both together. Once it reaches you. The private key you already have (this key is given to you along with your operating system) is used to verify the certificate. Once the certificate is verified to be genuine, its validity period is matched with your computer’s date ( a warning is shown if your computers date is wrong as it fails the matching). After it only Website Loading works continue.
Many purists dont consider hashing as part of encryption. In hashing a variable length string is taken and mapped to a fixed length string. The specialty of this technique is, mapped string called as hash is totally different even if you change 1 character. So a thief cannot guess the username password combo by going through the hash.(PS: some have done so already with weaker hashes) As it was referenced earlier in password section, the hashes are stored on server to authenticate you. and hash is sent to server by using public key encryption. In case of online storage services like dropbox, its this kind of hash used to encrypt the contents you store on their service with symmetric key encryption.
Here are some myth busters:
- Entering ATM PIN in reverse alerts the police.
The Card Number and PIN are combined and its hash is matched by ATM before doing transaction, if the PIN entered is wrong then its hash will be totally different hence transaction fails. The server can only respond correct match or wrong match only.
- Why login failure says ‘either username or password wrong’?
While logging in servers take hash of both username and password combined. Even if there is 1 character defect in either, it causes hash of it to be different, hence server to be more user friendly flags it off as failure of either username or password as it doesn’t know the both.
- Why does newer card request need new PIN too?
When you change PIN on ATM machine, the machine already knows the card number. When PIN is changed, the ATM merges card number and new pin and its hash is stored on bank server. In case of newer cards the bank doesn’t know your pin, hence it replaces its old hash with new hash of new card number and freshly generated PIN.
- Can bank misuse my PIN and impersonate me?
No, the PIN mailer sent to you is generated by a RNG (a random number generator). The hash of composite key is stored on server. Hence no machine or humans know your PIN. It is also for that reason, a new PIN is generated when when lost instead of giving you old pin.
If this has aroused curiosity, dont hesitate to do a coursera course called “Internet History, Technology, Security” which digs deeper in this field.