
HCI711s Week 3

This document provides an overview of machine identities and how trust is established in digital interactions. It discusses how keys and certificates serve as the foundation of cybersecurity by enabling encryption and verifying identities online. Public key infrastructure (PKI) is described as the ecosystem that controls the issuance and distribution of digital certificates between certification authorities, registration authorities, and relying entities. Common applications of keys and certificates include identity verification, document signing, code signing, encryption of data at rest and in motion, and network access. Cryptographic protocols like SSL and TLS utilize public key cryptography to authenticate parties and encrypt data transmitted over networks.

Faculty Computing and Informatics

Department: Computer Science

HUMAN COMPUTER INTERACTION SECURITY (HCI711S)

Chapter 3: Machine identities


Foundational to cybersecurity
Learning Objectives

a. Trust
b. Human and machine identities
c. Keys and certificates: foundation of cybersecurity
d. Encryption fundamentals
e. The Future
Introduction
“firm belief in the reliability, truth, ability, or strength of someone or something.”
Oxford Dictionary

Trust means making an exchange with someone when you do not have full
knowledge about them, their intent and the things they are offering to you.
(Trust—changingminds 2017)

In the physical world, trust is established based on identity or context, built on familiarity
(the frequency of our interactions), and ultimately dependent on experience. Just as
importantly, trust is nuanced: We do not trust everyone equally.
Introduction
We also trust people we don’t truly know, such as doctors, accountants, pilots, and
mechanics.

Why?

Example: A doctor being accredited or affiliated with a well-known hospital certainly helps, as
do physical attributes such as the doctor’s office, location, and the notion of reviews by
other people.
How do we establish trust in the digital world?
Let’s look at a scenario:

“I connect to my bank, my e-mail provider, and a variety of e-commerce sites—each of
which requires me to provide personally identifiable information (PII) and, in some cases,
credit card data. I can identify the websites I frequently visit based on the logo, colours,
and layout, but attacks such as phishing have long since rendered my ability to recognize
the “look and feel” of an (online) entity practically useless. Without a tangible identity,
there is no way I can build familiarity and, hence, trust.”
How do we establish trust in the digital world?
Digital keys and certificates.

A certificate, much like a credit card or a passport, is issued by a “trusted” authority.

However…
A digital key is short-lived: it is valid only for a short period of time and then needs to be replaced.
The more a key is used, the greater the chance it will be compromised.

“the mechanism designed to verify identity and establish trust—are frequently updated, rendering
familiarity impractical. Trust must be established every time and cannot be based on frequent
interactions.”
Human and machine identities

The lines between the physical and the digital world blur …
Yes or No?
Increasing dependence on smart “things” to enable us in our
functions and responsibilities—phones, cars, homes, utilities, health,
finance, and education

Blurred lines between the physical and digital worlds include self-driving cars,
nanobots used in medical technology, and passwords that are created by humans
but stored on apps and devices.
HW: Read an article about a Tesla self-driving car accident.
https://theintercept.com/2023/01/10/tesla-crash-footage-autopilot/
Keys and certificates: Foundations of cybersecurity
Organizations rely on cryptographic keys and digital certificates to secure their business.

These software devices were designed to solve the original Internet security problem: accurately identifying
servers and browsers so that they could safely communicate back and forth independently.

Machines rely exclusively on keys and certificates to know what to trust and what not to trust in our digital
world.

Any time data are being transferred, whether it be your business or personal information, there is a key or
certificate that is being used to protect it. If the communication channel is not trusted, your data are not
secure.
Keys and certificates: Foundations of cybersecurity
Secure sockets layer (SSL) was first introduced in the 1990s by Netscape to protect digital
communication just as the Internet, and e-commerce:

Primary benefits that keys and certificates afford in the context of digital interactions:

1. They identify (and potentially authenticate) the participants in a transaction (depending
on the nature of the transaction, the participants may be referred to as clients, servers, or
peers).
2. They protect the data that get transferred between the participants.
Common applications of keys and certificates
Identity—This enables users to authenticate themselves to access sensitive content, using smart card initiatives such
as the common access card or the personal identity verification program.
E-government applications: Estonia has been issuing e-business registration.
Countries around the world (mostly countries in Europe) have implemented “national identification” initiatives to
enable access to electronic voting, utility, transportation, and medical programs.

Document signing—European entities, both government and business, have adopted standards such as XML DSig,
XAdES, PAdES, and CAdES to standardize the document signing process and allow for interoperability within and
between organizations. https://focus.namirial.global/pades-cades-xades/

Code signing—The notion of signing an application code to prove its integrity and trustworthiness.
Common applications of keys and certificates
Encryption—In addition to guaranteeing the “integrity” of the data, cryptographic keys and certificates can also be used
to protect data from being accessed by malicious entities.

This is true for data at rest (data being stored on user, server, and cloud systems) and data in motion (data being
transferred from one location to another).

Network/Wi-Fi access—Accessing the Internet, whether over wired or wireless networks, within and outside the
enterprise, is another critical application of digital keys and certificates, independent of whether the access happens at
work, at home, or in public spots.
Encryption fundamentals
Public key cryptography uses pairs of keys, which are derived from two random long prime numbers.

The private key is, as the name indicates, meant to be kept secret and is only known to the owner of the key.

The public key, on the other hand, is meant to be shared with relying entities in digital transactions.

Typically, the public key is shared in a standard format—a digital certificate—that provides data about the key owner
and the intended usage for the key pair (which includes the private key).

The private and public keys are cryptographically related by the fact that operations performed by one of the keys can
be verified by, and only by, the other key. Which key is used depends on the function being performed.
Key and certificate properties
Keys are used to encrypt data, and there are different types of algorithms that are used to generate these keys.
A commonly used algorithm is RSA.
Properties that can be used to identify the owner of the key pair and its intended usage:

• Validity: governs when a certificate was issued and when it expires, so that keys are periodically regenerated
(much like passwords) and do not become susceptible to cracking attempts
• Subject distinguished name: who the certificate was issued to—this could be a human or a machine identity
• Issuer distinguished name: who issued the certificate—depending on whether the issuer is a known or unknown
entity; this can be used to determine the level of trust placed in the owner of the certificate
• Key usage and extended key usage: controls what the certificate can be used for (to authenticate digital identities, to
encrypt messages, for smart card authentication, etc.)
• Public key: records the public key part of the entity’s key pair that can be used to send encrypted messages to the
entity
Public key infrastructure
Public key infrastructure (PKI) is used to refer to the ecosystem that controls the issuance, storage, and distribution of digital
certificates and includes the following components:

• Certification authority (CA)—This issues digital certificates. CAs can be public (trusted by anyone on the Internet) or private
[trusted only by specific organization(s) for the purposes of internal transactions] and are the root of trust.
• Registration authority (RA)—This is responsible for the verification of identities prior to the issuance of certificates.
• Certificate database—This maintains a record of certificates that have been issued or revoked for audit purposes.
• Key escrow/archival server—This is used to store copies of private keys corresponding to entities to audit/inspect
communications between human and machine entities or for disaster recovery purposes.
• Certificate management system—This uses centrally defined policies that govern the issuance, distribution, and life cycle
management of certificates.
• Certificate revocation lists (CRLs)—Certificates that have been issued but do not need to be trusted any longer (for a variety
of reasons such as key compromise and entities that have left the organization) are revoked by the issuing authority
(CA) and put on a “blacklist” called a CRL that can be used by relying entities to check on the status of
known/unknown parties in a transaction.
Cryptographic protocols (Secure Socket Layer - SSL and Transport Layer Security - TLS)
Public key cryptography provides two distinct benefits—authentication and encryption. Cryptographic
protocols utilize both of these benefits to secure communications over computer networks.

In any such interaction, there is a “client” (for example, a browser) that initiates the transaction to a
“server” (say, a website).

To secure the data that are being transmitted (say, credit card information in an e-commerce transaction),
and to ensure that the data are being sent to the right server (for example, a retail website).
Symmetric keys
Symmetric keys are preferred over asymmetric keys as they offer better encryption
performance, yet have the requirement of both parties in a transaction needing access to
the (same) symmetric key.

To secure data in motion, symmetric key encryption is used (to encrypt the data) in
conjunction with asymmetric key pairs (to authenticate the participants and encrypt the
symmetric key used for a session).
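
An added example (not from the original slides) covering the key-pair description under Encryption fundamentals and the session-key scheme described above: it derives an RSA key pair from two random primes, then encrypts data with a fresh symmetric key that is itself encrypted to the public key. Textbook RSA without padding and the SHA-256 keystream cipher are assumptions chosen so the sketch runs on the Python standard library alone; all function names are hypothetical.

```python
import hashlib, math, secrets

def is_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test for odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base proves n is composite
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_prime(candidate):
            return candidate

def generate_keypair(bits=1024, e=65537):
    """Textbook RSA (no padding): (public, private) = ((n, e), (n, d)) from two random primes."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def keystream_xor(key, data):
    """Toy symmetric cipher (assumption, stands in for AES): XOR with a SHA-256 counter keystream."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def hybrid_encrypt(public, plaintext):
    n, e = public
    session_key = secrets.token_bytes(16)  # fresh symmetric key for this session
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # encrypted to the public key
    return wrapped, keystream_xor(session_key, plaintext)

def hybrid_decrypt(private, wrapped, ciphertext):
    n, d = private
    key_bytes = pow(wrapped, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return keystream_xor(key_bytes[-16:], ciphertext)  # last 16 bytes = session key
```

Only the holder of the matching private key recovers the session key; any other private key yields a different key and unreadable output.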
Trust models
Direct trust model—The public key certificate of the entity is directly trusted by the relying party. Any changes to the
certificate (upon renewal, reissuance, etc.) will require that trust be re-established, manually.
SSH is an example of a direct trust model, where every SSH (public) key needs to be explicitly trusted in order to gain access
with the private key.

Derived or delegated trust model—The issuing authority (CA) is what is trusted by the relying party—in essence, any
(server or client) certificate that chains up under the trusted CA is considered trustworthy. This allows for certificate
reissuance or new identities to be established without having to redefine the trust relationship (as long as the issuing
CA continues to operate within its defined parameters).
Trust is established at the CA level and inherited by any entity that chains up under that CA. This is why digital
certificates are so essential to managing trust within and outside the enterprise. Assuming the list of trusted CAs is
secured and controlled, new certificates or identities can be established seamlessly allowing the system to scale,
effectively infinitely.
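
An added example (not from the original slides) contrasting the two trust models, using the certificate properties and CRL described earlier. Certificates are modelled as plain dictionaries rather than X.509, the CA key is a constructed toy RSA key, dates are ISO-8601 strings, and every name in the code is hypothetical.

```python
import hashlib

# Constructed toy CA key: textbook RSA over two known Mersenne primes.
# Far too small for real use; it only keeps the sketch self-contained.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_NAME = "CN=Example Root CA"  # hypothetical issuer distinguished name
CA_PUBLIC = (P * Q, E)
CA_PRIVATE = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))
FIELDS = ("serial", "subject", "issuer", "not_before", "not_after", "key_usage", "public_key")

def tbs_digest(cert):
    """Hash the fields covered by the CA signature."""
    data = "|".join(str(cert[f]) for f in FIELDS).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(serial, subject, public_key, not_before, not_after, key_usage="serverAuth"):
    """CA side: bind the subject to its public key by signing with the CA private key."""
    cert = dict(serial=serial, subject=subject, issuer=CA_NAME, not_before=not_before,
                not_after=not_after, key_usage=key_usage, public_key=public_key)
    n, d = CA_PRIVATE
    cert["signature"] = pow(tbs_digest(cert) % n, d, n)
    return cert

def fingerprint(cert):
    return hashlib.sha256(str(cert["public_key"]).encode()).hexdigest()

def direct_trust(cert, pinned_fingerprints):
    """SSH-style: only keys the relying party pinned explicitly are trusted."""
    return fingerprint(cert) in pinned_fingerprints

def derived_trust(cert, trusted_cas, crl, today, usage="serverAuth"):
    """PKI-style: accept any certificate that chains to a trusted CA and passes policy."""
    ca_key = trusted_cas.get(cert["issuer"])
    if ca_key is None:
        return False  # unknown issuer
    n, e = ca_key
    if pow(cert["signature"], e, n) != tbs_digest(cert) % n:
        return False  # fields changed after issuance, or signed by another key
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False  # outside the validity period (ISO dates sort chronologically)
    if cert["serial"] in crl:
        return False  # revoked by the issuing CA
    return cert["key_usage"] == usage
```

A reissued certificate with a new key fails `direct_trust` until its fingerprint is pinned again, while `derived_trust` accepts it as long as the CA signature, validity dates, CRL and key usage all check out.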
What does the future look like?
Virtualisation & cloud
Certificate transparency
Encryption
IoT
Blockchain
Non-fungible token
AI
Hybrid Work
