Understanding Digital Signatures

Cyber Security Tip ST04-018
Understanding Digital Signatures

Digital signatures are a way to verify that an email message is really from the person who supposedly sent it and that it hasn’t been changed.

What is a digital signature?
You may have received emails that have a block of letters and numbers at the bottom of the message. Although it may look like useless text or some kind of error, this information is actually a digital signature. To generate a signature, a mathematical algorithm is used to combine the information in a key with the information in the message. The result is a random-looking string of letters and numbers.

Why would you use one?
Because it is so easy for attackers and viruses to “spoof” email addresses (see Using Caution with Email Attachments for more information), it is sometimes difficult to identify legitimate messages. Authenticity may be especially important for business correspondence—if you are relying on someone to provide or verify information, you want to be sure that the information is coming from the correct source. A signed message also indicates that changes have not been made to the content since it was sent; any changes would cause the signature to break.

How does it work?
Before you can understand how a digital signature works, there are some terms you should know:

• Keys – Keys are used to create digital signatures. For every signature, there is a public key and a private key.
• Private key – The private key is the portion of the key you use to actually sign an email message. The private key is protected by a password, and you should never give your private key to anyone.
• Public key – The public key is the portion of the key that is available to other people. Whether you upload it to a public key ring or send it to someone, this is the key other people can use to check your signature. A list of other people who have signed your key is also included with your public key. You will only be able to see their identities if you already have their public keys on your key ring.

• Key ring – A key ring contains public keys. You have a key ring that contains the keys of people who have sent you their keys or whose keys you have gotten from a public key server. A public key server contains keys of people who have chosen to upload their keys.

• Fingerprint – When confirming a key, you will actually be confirming the unique series of letters and numbers that comprise the fingerprint of the key. The fingerprint is a different series of letters and numbers than the chunk of information that appears at the bottom of a signed email message.

• Key certificates – When you select a key on a key ring, you will usually see the key certificate, which contains information about the key, such as the key owner, the date the key was created, and the date the key will expire.

• “Web of trust” – When someone signs your key, they are confirming that the key actually belongs to you. The more signatures you collect, the stronger your key becomes. If someone sees that your key has been signed by other people that he or she trusts, he or she is more inclined to trust your key. Note: Just because someone else has trusted a key or you find it on a public key ring does not mean you should automatically trust it. You should always verify the fingerprint yourself.
The process for creating, obtaining, and using keys is fairly straightforward:

• Generate a key using software such as PGP, which stands for Pretty Good Privacy, or GnuPG, which stands for GNU Privacy Guard.

• Increase the authenticity of your key by having your key signed by co-workers or other associates who also have keys. In the process of signing your key, they will confirm that the fingerprint on the key you sent them belongs to you. By doing this, they verify your identity and indicate trust in your key.

• Upload your signed key to a public key ring so that if someone gets a message with your signature, they can verify the digital signature.

• Digitally sign your outgoing email messages. Most email clients have a feature to easily add your digital signature to your message.

Authors: Mindi McDowell, Allen Householder Copyright 2004 Carnegie Mellon University. Terms of use

Supplementing Passwords

Cyber Security Tip ST05-012
Supplementing Passwords

Passwords are a common form of protecting information, but passwords alone may not provide adequate security. For the best protection, look for sites that have additional ways to verify your identity.

Why aren’t passwords sufficient?
Passwords are beneficial as a first layer of protection, but they are susceptible to being guessed or intercepted by attackers. You can increase the effectiveness of your passwords by using tactics such as avoiding passwords that are based on personal information or words found in the dictionary; using a combination of numbers, special characters, and lowercase and capital letters; and not sharing your passwords with anyone else (see Choosing and Protecting Passwords for more information). However, despite your best attempts, an attacker may be able to obtain your password. If there are no additional security measures in place, the attacker may be able to access your personal, financial, or medical information.

What additional levels of security are being used?
Many organizations are beginning to use other forms of verification in addition to passwords. The following practices are becoming more and more common:

• two-factor authentication – With two-factor authentication, you use your password in conjunction with an additional piece of information. An attacker who has managed to obtain your password can’t do anything without the second component. The theory is similar to requiring two forms of identification or two keys to open a safe deposit box. However, in this case, the second component is commonly a “one use” password that is voided as soon as you use it. Even if an attacker is able to intercept the exchange, he or she will still not be able to gain access because that specific combination will not be valid again.

• personal web certificates – Unlike the certificates used to identify web sites (see Understanding Web Site Certificates for more information), personal web certificates are used to identify individual users. A web site that uses personal web certificates relies on these certificates and the authentication process of the corresponding public/private keys to verify that you are who you claim to be (see Understanding Digital Signatures and Understanding Encryption for more information). Because information identifying you is embedded within the certificate, an additional password is unnecessary. However, you should have a password to protect your private key so that attackers can’t gain access to your key and represent themselves as you. This process is similar to two-factor authentication, but it differs because the password protecting your private key is used to decrypt the information on your computer and is never sent over the network.

What if you lose your password or certificate?
You may find yourself in a situation where you’ve forgotten your password or you’ve reformatted your computer and lost your personal web certificate. Most organizations have specific procedures for giving you access to your information in these situations. In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on “secret questions.”

When you open a new account (email, credit card, etc.), some organizations will prompt you to provide them with the answer to a question. They may ask you this question if you contact them about forgetting your password or you request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. While the theory behind the secret question has merit, the questions commonly used ask for personal information such as mother’s maiden name, social security number, date of birth, or pet’s name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions without much effort.

Realize that the secret question is really just an additional password—when setting it up, you don’t have to supply the actual information as your answer. In fact, when you are asked in advance to provide an answer to this type of question that will be used to confirm your identity, dishonesty may be the best policy. Choose your answer as you would choose any other good password, store it in a secure location, and don’t share it with other people (see Choosing and Protecting Passwords for more information).

While the additional security practices do offer you more protection than a password alone, there is no guarantee that they are completely effective. Attackers may still be able to access your information, but increasing the level of security does make it more difficult. Be aware of these practices when choosing a bank, credit card company, or other organization that will have access to your personal information. Don’t be afraid to ask what kind of security practices the organization uses.

Authors: Mindi McDowell, Chad Dougherty, Jason Rafail Copyright 2005 Carnegie Mellon University. Terms of use

Choosing and Protecting Passwords

Cyber Security Tip ST04-002
Choosing and Protecting Passwords

Passwords are a common form of authentication and are often the only barrier between a user and your personal information. There are several programs attackers can use to help guess or “crack” passwords, but by choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.

Why do you need a password?
Think about the number of personal identification numbers (PINs), passwords, or passphrases you use every day: getting money from the ATM or using your debit card in a store, logging on to your computer or email, signing in to an online bank account or shopping cart…the list seems to just keep getting longer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, and maybe you’ve wondered if all of the fuss is worth it. After all, what attacker cares about your personal email account, right? Or why would someone bother with your practically empty bank account when there are others with much more money? Often, an attack is not specifically about your account but about using the access to your information to launch a larger attack. And while having someone gain access to your personal email might not seem like much more than an inconvenience and threat to your privacy, think of the implications of an attacker gaining access to your social security number or your medical records.
One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that someone is the person they claim to be is the next step, and this authentication process is even more important, and more difficult, in the cyber world. Passwords are the most common means of authentication, but if you don’t choose good passwords or keep them confidential, they’re almost as ineffective as not having any password at all. Many systems and services have been successfully broken into due to the use of insecure and inadequate passwords, and some viruses and worms have exploited systems by guessing weak passwords.

How do you choose a good password?
Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or “crack” them. Consider a four-digit PIN number. Is yours a combination of the month, day, or year of your birthday? Or the last four digits of your social security number? Or your address or phone number? Think about how easily it is to find this information out about somebody. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to “dictionary” attacks, which attempt to guess passwords based on words in the dictionary.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters. Change the same example we used above to “Il!2pBb.” and see how much more complicated it has become just by adding numbers and special characters.

Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases when you can. For example, “This passwd is 4 my email!” would be a strong password because it has many characters and includes lowercase and capital letters, numbers, and special characters. You may need to try different variations of a passphrase—many applications limit the length of passwords, and some do not accept spaces. Avoid common phrases, famous quotations, and song lyrics.

Don’t assume that now that you’ve developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop unique passwords for each of your accounts.

Here is a review of tactics to use when choosing a password:

• Don’t use passwords that are based on personal information that can be easily accessed or guessed.
• Don’t use words that can be found in any dictionary of any language.
• Develop a mnemonic for remembering complex passwords.
• Use both lowercase and capital letters.
• Use a combination of letters, numbers, and special characters.
• Use passphrases when you can.
• Use different passwords on different systems.

How can you protect your password?
Now that you’ve chosen a password that’s difficult to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords (see Avoiding Social Engineering and Phishing Attacks for more information).

If your internet service provider (ISP) offers choices of authentication systems, look for ones that use Kerberos, challenge/response, or public key encryption rather than simple passwords (see Understanding ISPs and Supplementing Passwords for more information). Consider challenging service providers that only use passwords to adopt more secure methods.

Also, many programs offer the option of “remembering” your password, but these programs have varying degrees of security protecting that information. Some programs, such as email clients, store the information in clear text in a file on your computer. This means that anyone with access to your computer can discover all of your passwords and can gain access to your information. For this reason, always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Other programs, such as Apple’s Keychain and Palm’s Secure Desktop, use strong encryption to protect the information. These types of programs may be viable options for managing your passwords if you find you have too many to remember.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

Authors: Mindi McDowell, Jason Rafail, Shawn Hernan Copyright 2004, 2009 Carnegie Mellon University. Terms of use

How to recover & view passwords stored in your Keychain file

OS X (and well written applications) stores many of your various passwords for web sites, servers, and wireless networks in a Keychain file. These stored passwords are only viewable if you know the computer’s login password. This is true in most cases, as it is possible (and much more secure) to have more than one keychain, so your bank password doesn’t unlock itself just by logging into your computer. If you have you forgotten a password to a website, email account, or other password, chances are that your password can be easily retrieved

Open Keychain Access.app

You’ll find this program in your Utilities folder, which is inside of the Applications folder. From the Finder, use the Go menu for fast access.

Keychain Access main window

Once Keychain Access opens, scroll through the list of keys until you find the one that you’re looking for. Double click that entry.

Stored credentials screen

Once the details screen shows up, note the Show password section. Checking the box presents the next screen.

Login password entry

Once you are presented with this screen enter your login password and click Allow. The login password is the password you use to log into your account if you log out or reboot, or if the computer asks you for a password most any other time.

* As far as I can tell, there is no difference between the “Always Allow” and “Allow.” “Always Allow” doesn’t seem to do anything more than the regular “Allow” button.

Create stronger passwords

Create stronger passwords

Here’s how to make your personal data harder to hack

by Joe Kissell, Macworld.com

An attacker who wants to break into one of your accounts manually might first try likely passwords such as your pet’s name, your anniversary, or other terms that are significant to you. If that doesn’t produce results quickly, a hacker might turn to a program that rapidly tries each of the thousands or even millions of words in a big list—a procedure known as a dictionary attack. Some dictionary attacks are quite clever, checking not only common English terms but also foreign words, common misspellings, words in which letters have been replaced by numbers or symbols (such as @ppl3 for Apple), and easy-to-type sequences of characters, such as poiuytre.

If that doesn’t work, and if someone has the time and motivation, the next step would be a brute-force attack. In this type of attack, a computer program tries every possible combination of characters until the password is found, although current technology puts practical limits on the extent of such attacks.

When you create a new password, the trick is to come up with something that a dictionary attack could never discover, and to make the password long enough and complex enough that even a brute-force attack couldn’t succeed because it would require too much time and processing power. Here’s how:

via Create stronger passwords | Business Center | Working Mac | Macworld.