Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3....
-
Upload
brian-harvey -
Category
Documents
-
view
226 -
download
0
Transcript of Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3....
![Page 1: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/1.jpg)
Security
Content
1. Requirements of Security2. Private Key, Public Key, Digital Signature3. Security Protocols (SSL, SET)4. Security Attack, Network Security
![Page 2: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/2.jpg)
Introduction • Internet security
– Consumers entering highly confidential information
– Number of security attacks increasing
– Four requirements of a secure transaction• Privacy – information not read by third party
• Integrity – information not compromised or altered
• Authentication – sender and receiver prove identities
• Non-repudiation – legally prove message was sent and received
– Availability• Computer systems continually accessible
![Page 3: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/3.jpg)
• Cryptography– Used to secure information, by encrypting it
– Transforms data by using a key• Key is a string of digits that acts as a password and makes the
data incomprehensible to those without it
– Plaintext – unencrypted data
– Cipher-text – encrypted data
– Cipher of cryptosystem – technique for encrypting messages
• Ciphers– Substitution cipher
• Every occurrence of a given letter is replaced by a different letter
Ancient Ciphers to Modern Cryptosystems
![Page 4: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/4.jpg)
Ancient Ciphers to Modern Cryptosystems (cont.)
– Transposition cipher• Shifts the ordering of letters
– Modern cryptosystems• Digital, based on bits not the alphabet
• Key length – length of string used to encrypt and decrypt
![Page 5: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/5.jpg)
A Simple Example - Caesar Cipher
• Caesar Cipher - Each letter is circularly shifted for to the right by n positions
• There are 26 possible keys (the value of n)• For example, when n=1,
– HELLO becomes IFMMP
• To decrypt the message, just shift the letters to the left by n
![Page 6: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/6.jpg)
Conventional Encryption
![Page 7: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/7.jpg)
• Plain text• Encryption algorithm• Secret key• Cipher text• Decryption algorithm
Ingredients
![Page 8: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/8.jpg)
• Strong encryption algorithm– Even if known, should not be able to decrypt or work out
key
– Even if a number of cipher texts are available together with plain texts of them
• Sender and receiver must obtain secret key securely• Once key is known, all communication using this key
is readable
Requirements
![Page 9: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/9.jpg)
• Crypt analysis– Relay on nature of algorithm plus some knowledge of
general characteristics of plain text
– Attempt to deduce plain text or key
• Brute force– Try every possible key until plain text is achieved
Attacking Encryption
![Page 10: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/10.jpg)
• Secret-key cryptography– Same key to encrypt and decrypt message
– Sender sends message and key to receiver
• Problems with secret-key cryptography– Key must be transmitted to receiver
– Different key for every receiver
– Key distribution centers used to reduce these problems• Generates session key and sends it to sender and receiver
encrypted with the unique key
• Encryption algorithms– Data Encryption Standard (DES), Triple DES,
Advanced Encryption Standard (AES)
Secret-key Cryptography
![Page 11: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/11.jpg)
• Encrypting and decrypting a message using a symmetric key
Secret-key Cryptography (cont.)
![Page 12: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/12.jpg)
• Distributing a session key with a key distribution center
Secret-key Cryptography (cont.)
![Page 13: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/13.jpg)
• Public key cryptography– Asymmetric – two inversely related keys
• Private key
• Public key
– If public key encrypts only private can decrypt and vice versa
– Each party has both a public and a private key
– Either the public key or the private key can be used to encrypt a message
– Encrypted with public key and private key• Proves identity while maintaining security
• RSA public key algorithm www.rsasecurity.com
Public Key Cryptography
![Page 14: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/14.jpg)
Public Key Cryptography (cont.)
• Encrypting and decrypting a message using public-key cryptography
![Page 15: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/15.jpg)
• Authentication with a public-key algorithm
Public Key Cryptography (cont.)
![Page 16: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/16.jpg)
• Key agreement protocol– Process by which parties can exchange keys
– Use public-key cryptography to transmit symmetric keys
• Digital envelope– Encrypted message using symmetric key
– Symmetric key encrypted with the public key
– Digital signature
Key Agreement Protocols
![Page 17: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/17.jpg)
• Creating a digital envelope
Key Agreement Protocols (cont.)
![Page 18: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/18.jpg)
• Key management– Handling and security of private keys
– Key-generation is the process by which keys are created
• Must be truly random
Key Management
![Page 19: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/19.jpg)
• Digital signature– Authenticates sender’s identity
– Run plaintext through hash function• Gives message a mathematical value called hash value• Hash value also known as message digest
– Collision occurs when multiple messages have same hash value
– Encrypt message digest with private-key
– Send signature, encrypted message (with public-key) and hash function
• Timestamping– Binds a time and date to message, solves non-repudiation
– Third party, timestamping agency, timestamps message
Digital Signatures
![Page 20: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/20.jpg)
Using One Way Hash Function
![Page 21: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/21.jpg)
• Accepts variable size message and produces fixed size tag (message digest)
• Advantages of authentication without encryption– Encryption is slow
– Encryption hardware expensive
– Encryption hardware optimized to large data
– Algorithms covered by patents
– Algorithms subject to export controls (from USA)
Using One Way Hash Function (cont.)
![Page 22: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/22.jpg)
• Public Key Infrastructure (PKI)– Integrates public key cryptography with digital
certificates and certification authorities
– Digital certificate• Digital document issued by certification authority
• Includes name of subject, subject’s public key, serial number, expiration date and signature of trusted third party
– Verisign (www.verisign.com)• Leading certificate authority
– Periodically changing key pairs helps security
Public Key Infrastructure, Certificates and Certificate Authorities
![Page 23: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/23.jpg)
• Cryptanalysis– Trying to decrypt ciphertext without knowledge of the
decryption key
– Try to determine the key from ciphertext
Cryptanalysis
![Page 24: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/24.jpg)
• Transaction security protocols– Secure Sockets Layer (SSL)
– Secure Electronic Transaction™ (SET™)
Security Protocols
![Page 25: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/25.jpg)
• SSL– Uses public-key technology and digital certificates to
authenticate the server in a transaction
– Protects information as it travels over Internet• Does not protect once stored on receivers server
– Peripheral component interconnect (PCI) cards• Installed on servers to secure data for an SSL transaction
Secure Sockets Layer (SSL)
![Page 26: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/26.jpg)
• SET protocol– Designed to protect e-commerce payments– Certifies customer, merchant and merchant’s bank– Requirements
• Merchants must have a digital certificate and SET software• Customers must have a digital certificate and digital wallet
– Digital wallet• Stores credit card information and identification
– Merchant never sees the customer’s personal information
• Sent straight to banks
• Microsoft Authenticode– Authenticates file downloads– Informs users of the download’s author
Secure Electronic Transaction (SET)
![Page 27: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/27.jpg)
Passive Attacks
• Eavesdropping on transmissions• To obtain information• Release of message contents
– Outsider learns content of transmission
• Traffic analysis– By monitoring frequency and length of messages, even
encrypted, nature of communication may be guessed
• Difficult to detect• Can be prevented
![Page 28: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/28.jpg)
Active Attacks
• Masquerade– Pretending to be a different entity
• Replay• Modification of messages• Denial of service• Easy to detect
– Detection may lead to deterrent
• Hard to prevent
![Page 29: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/29.jpg)
Security Threats
![Page 30: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/30.jpg)
• Types of security attacks– Denial of service attacks
• Use a network of computers to overload servers and cause them to crash or become unavailable to legitimate users
• Flood servers with data packets
• Alter routing tables which direct data from one computer to another
• Distributed denial of service attack comes from multiple computers
– Viruses• Computer programs that corrupt or delete files
• Sent as attachments or embedded in other files
– Worm• Can spread itself over a network, doesn’t need to be sent
Security Attacks
![Page 31: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/31.jpg)
• Types of viruses– Transient virus
• Attaches itself to specific program
• Is run every time the program is run
– Resident virus• Once loaded operates for duration of computer’s use
– Logic bomb• Triggers when a given condition is met, such as clock on
computer matching a specified time
– Trojan horse• Malicious program that hides within a friendly program
• Web defacing– Hackers illegally change the content of a Web site
Security Attacks (cont.)
![Page 32: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/32.jpg)
• Anti-virus software– Reactive – goes after already known viruses
– www.mcafee.com• VirusScan scans to search computer for viruses
• ActiveShield checks all downloads
– www.symantec.com• Another virus software distributor
• Computer Emergency Response Team (CERT®)– Responds to reports of viruses and denial of service
attacks
– Provides CERT Security Improvement Modules
– www.cert.org
Security Attacks (cont.)
![Page 33: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/33.jpg)
• Network security– Allow authorized users access
– Prevent unauthorized users from obtaining access
– Trade-off between security and performance
Network Security
![Page 34: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/34.jpg)
• Firewall– Protects local area network (LAN) from outside
intruders
– Safey barrier for data flowing in and out
– Prohibit all data not allowed or permit all data not prohibited
• Types of firewalls– Packet-filtering firewalls
• Rejects all data with local addresses from outside
• Examine only source not content
– Application level firewalls• Attempt to scan data
Firewalls
![Page 35: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/35.jpg)
• Kerberos– Uses symmetric secret-key cryptography to
authenticate users in a network
– Authenticates who a client computer is and if he has the right’s to access specific parts of the network
Kerberos
![Page 36: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/36.jpg)
• Biometrics– Uses unique personal information to identify
• Examples are fingerprints, eyeball iris scans or face scans
Biometrics
![Page 37: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/37.jpg)
• Steganography– Practice of hiding information within other information
• Digital watermarks– Hidden within documents and can be shown to prove
ownership
Steganography
![Page 38: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/38.jpg)
• Example of a conventional watermark
Courtesy of Blue Spike, Inc.
Steganography (cont.)
![Page 39: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/39.jpg)
• An example of steganography: Blue Spike’s Giovanni digital watermarking process
Courtesy of Blue Spike, Inc.
Steganography (cont.)
![Page 40: Security Content 1. Requirements of Security 2. Private Key, Public Key, Digital Signature 3. Security Protocols (SSL, SET) 4. Security Attack, Network.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649e9e5503460f94ba036d/html5/thumbnails/40.jpg)
Main References
• e-Business & e-Commerce: How to Program, 1/e, by H.M. Deitel, P.J. Deitel and T.R, Nieto, Prentice Hall
• Data and Computer Communications, 6/e, by William Stallings, Prentice Hall.