The importance of computer identity in network communications: how to protect it and prevent threat actors from spying or stealing on online communications
When you fill out a registration form to take advantage of a web service, a virtual personal profile is generated, creating your own IT identity characterized by specific attributes.
Even those who must manage and provide this service must have their own digital identity. In this way, an interaction between the virtual identities of the customer and the supplier is established.
The service management system, before granting the interlocutor access to the resources, will have to start an identification process to verify the correspondence of the specific identity attributes in compliance with the fundamental protection parameters for IT security: confidentiality and integrity of information, interlocutors authentication and authorization of access to relevant resources.
The confidentiality of information in internet communications
Internet communications use the protocol called TCP/IP (Transmission Control Protocol/Internet Protocol), which allows information to be transmitted from one computer to another through a series of intermediate computers and networks.
Without measures of prevention, a stranger to computer communications could interfere through “man in the middle” type interceptions.
In this regard, the HTTPS protocol has been implemented from the very beginning in an attempt to avert this threat, not completely eradicated, through public key cryptography techniques.
The most common algorithms are those patented by RSA Data Security: This algorithm, also called asymmetric key cryptography, provides a pair of keys (a public and private key) associated with an entity that authenticates the identity of the key itself.
Cryptography alone, while solving the problem of confidentiality violation, cannot solve the problem of integrity and false authentication.
The hash function
Hash encryption is used to ensure integrity and authentication. The hash functions are implemented according to the following features:
- the value returned by the function is unique for each input data and represents a summary of the data itself;
- each variation of the data results in a different hash value;
- the returned hash value cannot be deducted from the function itself.
The digital signature is basically based on the use of a hash algorithm.
In a tipical network correspondence, the elements sent to the recipient are the original document in clear text and the hash value of the original document, encrypted with the private key of the signatory (digital signature). To verify the integrity of the information, the receiving software, decrypts the digital signature with the signatory’s public key, obtains the hash value of the signatory and generates with the same algorithm a new hash from the original document received. Two different hash values indicate that the information has been altered or the digital signature has been created with a private key that does not match the signer’s public key.
Mutual authentication of interlocutors
When perform authentication in a network communication where a client (e.g. a browser) dialogues with the various remote servers providing services, it is very important the mutual authentication between the user and the service provider. There are several ways to do this:
- use of simple credentials. The classic method for authentication is based on the use of a pair of username and password credentials. In this case, the communication protocol will verify their correspondence with those present in its database and if so, it will authorize access;
- use of public-key digital certificates. Another authentication method is the one with the digital certificate, used by the secure protocol HTTPS. In the recognition process the server will require authentication of the client according to a communication protocol based on an exchange of public and private keys that, if they attest to the identity of the client, ends with the access authorization to the requested resource;
- use multi-factor authentication. An authentication with two or more factors is therefore opposed to a simple authentication based on a password only (one-factor authentication). The forms of multi-factor authentication use a combination of methodologies defined in this way:
- one thing you know: a password;
- something you have: a physical object (e.g. a smart card, token USB);
- something you are: a biometric feature (e.g. a fingerprint, facial features).
Critical issues about different authentication modes
By comparing these authentication modes you can see that:
- the classic approach using a pair of credentials is vulnerable especially because data could be accessed using techniques such as SQL injection, phishing and social engineering;
- The certificate approach is vulnerable because the certificate may not be verified and reliable. Also, because data protection before and after encryption cannot be guaranteed, if clients and communication servers have already been compromised with malware, integrity and confidentiality may still be at risk;
- the multi-factor authentication system, while strengthening the degree of security, with greater economic effort and increased complexity for the service provider only makes life more difficult for criminal hackers, but not impossible. They will only have to overcome multiple levels of protection.
The final step
The next step in verifying the identity and computer authentication of a user is the authorization through which the computer system specifies the access privileges to resources, deciding whether to approve or reject requests.
Conclusions
Defending and protecting your information assets and your digital reputation must therefore be a key point to better manage every business activity, taking all necessary actions:
- train and educate companies to know the risks and techniques used to steal information and violate the IT identity;
- use secure and proven payment methods with customers;
- adopt digital signature and encryption systems for communications;
- protect the hardware, software and human components of the information system;
- provide a strategy for the safekeeping and backup of information capital.
About the author: Salvatore Lombardo
IT officer, ICT expert, Clusit member
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, computer identity)
[adrotate banner=”5″]
[adrotate banner=”13″]
Share On
