include "keyring.m"; include "security.m";
Inferno provides several levels of security:
One important method for authenticating users in Inferno is the use of digital signatures. Like signing a letter a digital signature testifies to the identity of the sender. Fortunately, it is much more difficult to forge a digital signature.
Even after users are authenticated to each other, it is possible for someone `listening' to their communication to read and possibly modify their messages without the users knowing it. So authentication solves one security requirement, but not all of them.
Inferno includes a counter in the digest to check that messages were received in the correct order and that no messages were inserted by a third party listening in on the line. A secret key is also included in the digest to verify the identity of the sender.
A message digest ensures that no one has tampered with a message. It does not prevent someone from reading it.
A mathematical algorithm is used to both encrypt and decrypt a message. Encryption algorithms depend on keys or bit strings of a specified length for encryption and decryption. The nature of an algorithm and the size of the key determine the degree of security.
Two basic types of algorithms are used in cryptography: private key (or symmetric key) and public key algorithms. With symmetric algorithms the same key is used to encrypt and decrypt a message. This key must be a secret, known only to the users who want to communicate. It is often called a private or secret key.
A public key algorithm may use a private or secret key to encrypt a message and a public key to decrypt it, or vice-versa. The private or secret key is known only to one user. The public key, however, does not have to be kept secret and may be distributed to anyone the user wishes to communicate with.
Inferno uses a public key algorithm for digital signatures and symmetric key algorithms for encryption.
A user can encrypt a message with or without appending a message digest.
RC4 is a symmetric or private key system that is about 10 times faster than DES.
There are many methods or strategies for attacking a confidential communication. One method is called a man-in-the-middle attack, where someone listening to a communication pretends to be one of the parties; another is a replay attack, where an interloper reuses messages that have already been exchanged in an attempt to discover a pattern.
In order to thwart such attacks and establish some level of trust between communicating parties, it is necessary to employ certain protocols. Inferno uses two well-established protocols to permit keys to be exchanged and to permit mutual authentication of the identities of two communicating parties.
A digital signature is one way to guarantee that a message sent by a user is indeed from that user and not someone else. A signature does not require that a message be encrypted. It can be appended to a message in order to guarantee the identity of the sender. With Elgamal, creating a signature requires that the user have a secret or private key. Uniquely associated with the private key is another key that can be distributed publicly. This public key is used along with the private key to create a signature, and is used by others to verify the signature.
To create a signature the Elgamal algorithm is applied to a combination of the private key, the public key, and the message to be signed. The output of the algorithm is the signature.
To verify the signature the receiver applies the Elgamal algorithm to the public key and the signature. If the output is the same message that was sent with the signature, then the signature is valid. This method ensures that the user receiving a message is indeed communicating with someone who owns the public key.
The next step is to determine who the owner of the public key is, and to ensure that it belongs to the user that the receiver wants to communicate with. This is accomplished by having a third party create a certificate testifying to the identity of the owner of the public key. This third party is called a certifying authority (CA). If a user trusts the certifying authority, a copy of a certificate is sufficient to determine the ownership of a public key, and therefore, the signature and identity of the user sending a message.
A certificate includes a variety of information: a user's public key, the identity of the user, Diffie-Hellman parameters, an expiration time for the certificate, and the signature of the CA. The CA's public key is sent to the user along with the certificate to verify the CA's signature.
Inferno provides two different methods for obtaining a certificate depending on whether a user has access to a keyboard or not. For users with a keyboard, Inferno offers a variation of the Encrypted-Key-Exchange (EKE) protocol, described in login(6). The protocol depends on establishing trust between a user and a CA using a shared secret (password). The secret must initially be established at the CA by some secure means: typing a password on a secure console at the CA, or transmitting the password securely off-line, perhaps by unintercepted letter or untapped phone call. To obtain a certificate, a user can subsequently enter the secret on the client machine's keyboard; the protocol obtains a certificate without revealing the secret.
For an application or user on a set-top box, which normally does not have a keyboard, entering a password would be difficult. Therefore, Inferno provides a different method to establish trust. When the set-top box is turned on, it creates a private/public key pair and dials the service provider's CA to get a certificate. The CA returns a certificate blinded or scrambled with a random bit string known only to the CA. A hashed version of the string is displayed on the user's screen. The user telephones the CA and compares what is displayed with what the CA has sent. If they match, and the user can prove his or her identity, the CA makes the random bit string known to the user, so the certificate can be unscrambled.
If a user can trust the public key, then the key can be used to check the signature sent by the other party. If the public key unlocks the signature, then whoever sent the signature must have the corresponding secret key, and therefore, must be the owner of the public key.
The default protocol provided by Inferno for mutual authentication is the station-to-station protocol described in auth(6). It has the property that both parties can derive the same key from exchanged and validated data but no eavesdropper can determine the key.
Although Inferno provides these routines to make it easy to establish secure communications, an application is not restricted to their use. Lower-level routines used by login and auth are also available to an application. These routines enable an application to create alternate methods for establishing security, or to perform specialized functions like signing files.
Inferno also provides security routines tailored for set-top boxes. For example, a set-top-box can use register(8) instead of login (see security-login(2)). Register obtains a certificate without requiring a user to enter a password.
There are also commands in section 8 that establish a server as a Certifying Authority or `signer'. For example, a CA needs a key and password to create a certificate. These can be created on the server using the commands changelogin(8) and createsignerkey(8).
SECURITY-INTRO(2 ) | Rev: Thu Feb 15 14:43:26 GMT 2007 |