Authenticity

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00
>> Now, our next security service
00:00
that we're going to examine
00:00
>> through the eyes of asymmetric cryptography
00:00
>> is going to be authenticity.
00:00
>> If you remember with authenticity,
00:00
I am making a claim of my identity,
00:00
>> and you want to be able to verify that claim.
00:00
>> I claim to be an administrator,
00:00
I need to prove that before
00:00
>> I get administrative access.
00:00
>> Or maybe you see an email that
00:00
looks like it comes from Kelly Handerhan,
00:00
you want to be able to verify
00:00
that it comes from Kelly Handerhan.
00:00
That's what we're going to look at
00:00
in this section and we're going to use
00:00
>> asymmetric cryptography to do that.
00:00
>> Just quick reminder,
00:00
>> the relationship between the keys
00:00
>> is what makes all this work.
00:00
>> Anything encrypted with Kelly's public
00:00
can only be decrypted with Kelly's private.
00:00
Anything encrypted with Kelly's private,
00:00
>> can only be decrypted with Kelly's public.
00:00
>> Anything that can be decrypted by Kelly's public,
00:00
>> must have been encrypted by Kelly's private.
00:00
>> Now, think about that just for a second.
00:00
Let's say I'm going to send you a message.
00:00
I'm not trying to keep the message secret.
00:00
I'm not trying to protect the contents of the message.
00:00
The only thing that I want
00:00
>> is when you get this message,
00:00
>> I want you to know that it came from me.
00:00
I want authenticity,
00:00
that's the only security service
00:00
I'm worried about right now.
00:00
Let's say we've had issues with spoofing.
00:00
I just want you to know,
00:00
>> when you open up this message,
00:00
>> it really did come from Kelly.
00:00
I create my email message.
00:00
Then if I ask my email application,
00:00
>> or my email application could
00:00
>> for the purpose of authenticity
00:00
>> add maybe something like a timestamp to the message,
00:00
>> let me just tack on a little timestamp
00:00
>> with the message.
00:00
>> Now, that timestamp really isn't important.
00:00
I'm not trying to tell you what time it is,
00:00
>> and I really don't care if an attacker
00:00
>> knows what time it is.
00:00
>> Why am I putting that onto the message?
00:00
>> Here's why,
00:00
>> because what my application is going to do,
00:00
>> is it is going to encrypt the timestamp
00:00
>> with my private key before I send that message to you.
00:00
>> The timestamp gets encrypted
00:00
>> with the sender's private key, then
00:00
>> I send it to you.
00:00
>> On your end, you get this message.
00:00
Your email application says,
00:00
>> hey, this looks like it comes from Kelly Handerhan.
00:00
>> Let's see if we can decrypt that timestamp
00:00
>> with Kelly Handerhan's public key,
00:00
>> because if Kelly Handerhan's public key
00:00
can decrypt the timestamp,
00:00
it had to have been encrypted
00:00
>> with Kelly Handerhan's private key,
00:00
>> which only Kelly Handerhan has.
00:00
I am just putting, my application's
00:00
just putting that timestamp on the message
00:00
>> to have something that it can encrypt
00:00
>> with the sender's private key.
00:00
>> So that on the receiving end,
00:00
the application can try that sender's public key,
00:00
>> and try to decrypt with that sender's public key.
00:00
>> If that works, they know the timestamp
00:00
>> was encrypted with the sender's private,
00:00
>> which only that sender has.
00:00
We've just authenticated
00:00
>> and verified the origin of the message.
00:00
>> The timestamp doesn't have any real value.
00:00
For instance, if an attacker were to be able
00:00
>> to decrypt the timestamp, we don't care.
00:00
>> The attacker knows it's 2:13 PM,
00:00
>> that's fine.
00:00
>> Here's why that's important,
00:00
because before I send you that message
00:00
>> with that timestamp being encrypted
00:00
>> with my private key,
00:00
>> anybody can decrypt the timestamp,
00:00
because anybody can have my public key.
00:00
That timestamp can't be something sensitive.
00:00
I'm not ever going to encrypt
00:00
the message with my private key,
00:00
that doesn't make sense.
00:00
As a matter of fact,
00:00
>> what usually happens is,
00:00
>> the message is encrypted
00:00
>> with the receiver's public key
00:00
>> for confidentiality, for privacy.
00:00
Then the timestamp is encrypted
00:00
>> with the sender's private key.
00:00
>> I send you the message,
00:00
your application says, yep,
00:00
looks like it comes from Kelly.
00:00
Let's see if Kelly's public key
00:00
will decrypt the timestamp.
00:00
Yep, Kelly's public key will decrypt the timestamp,
00:00
it must come from Kelly.
00:00
Now, your application uses
00:00
your private key to decrypt the message.
00:00
In that case, I've got two security features
00:00
>> on this message.
00:00
>> The message is encrypted
00:00
>> with the receiver's public key for privacy
00:00
>> and the timestamp is encrypted
00:00
>> with the sender's private key for authenticity.
00:00
>> You want to make sure you review that,
00:00
>> and that it makes sense,
00:00
>> because almost all the time,
00:00
>> when we hear cryptography,
00:00
>> we think about encrypting for privacy.
00:00
This idea feels a little bit weird,
00:00
>> because we're not trying to keep
00:00
>> the timestamp private.
00:00
>> We're encrypting the timestamp,
00:00
but it's for the purpose of authenticity.
00:00
One more time with authenticity,
00:00
the sender's private key encrypts
00:00
something like a timestamp perhaps,
00:00
and then send that to the receiver,
00:00
the receiver uses the sender's public key to verify.
00:00
It's all about authenticity,
00:00
being able to verify the origin of a message.
00:00
With asymmetric cryptography,
00:00
>> again, it's the sender's private key
00:00
>> that is used to provide proof of authenticity,
00:00
>> and it's the sender's public key
00:00
>> that is used to verify that proof.