Professional Documents
Culture Documents
Dr. Khalid Al-Tawil
College of Computer Sciences & Engineering
Cryptography
Firewalls
E-Commerce Challenges
E-Commerce Security
Active Attacks:
]nterruption (availability)
Modification (integrity)
Fabrication (integrity)
Unauthorized access
Loss of message confidentiality or integrity
User ]dentification
Access Control
Players:
User community
Network Administration
]ntroducers/Haclers
The bigger the system, the safer it is
MVS mainframe users (5%)
UN] users (25%)
Desktop users (50%)
]
#
!
"
$
Data being stolen
Electronic mail can be intercepted and read
Customer¶s credit card numbers may be read
Login/password and other access information
stolen
Operating system shutdown
Filesystem corruption
User login information can be captured
^
Unauthorized software being run
Games
Freeware
Distributed software
#
Passwords
Transmitted in plain text
Could be temporarily stored in unsafe files
Could be easy to guess
Directory structure
Access to system directories could be a threat
]n the operating system software
Some operating system software is not designed
for secure operation
Security system manager should subscribe to
comp.security.unix
comp.security.misc
alt.security
Use a separate host
Permanently connected to the ]nternet, not to your
network.
Users dial in to a separate host and get onto the
]nternet through it.
Passwords
Most important protection
Should be at least eight characters long
Use a mixture of alpha and numeric
Should not be able to be found in dictionary
should not be associated with you!
Change regularly
Ê
Every transaction generates record in a
security log file
Might slow traffic and host computer
Keeps a permanent record on how your machine
is accessed
Tracks
Generates alarms when someone attempts to
access secure area
Separate the directories that anonymous users
can access
Enforce user account logon for internal users
Read web server logs regularly
The Science of Secret writing.
Encryption: Data is transformed into
unreadable form.
Decryption: Transforming the encrypted data
back into its original form.
Y
& &
%
Types of Cipher
Transposition
Substitution
Conventional Cryptosystems
Secret key Cryptosystems.
One secret key for Encryption and Decryption.
Example: DES
Public key cryptosystems
Two Keys for each user
Public key (encryptions)
Private key (decryptions)
Example: RSA
' (
)
üoth the encryption and decryption keys are
kept secret.
Example:
To encrypt, map each letter into the third letter
forward in the alphabet order;
To decrypt, map each letter into the third letter
back.
Problems with Secret Key Cryptosystems:
Key transfer
Too many keys
(
'%Y )
Data Encryption Standard (1977)
Started with an ]üM Project called LUC]FER
(1971)
DES key length: 56-bits
Uses 16 iterations with
Transportation
Substitution
OR operations
DES Criticism
Key length
Design of S-üoxes in hidden
Future
Multiple DES
]DEA ( ]nternational Data Encryption Algorithm)
'
(
)
Only the decryption key is kept secret. The
encryption key is made public.
Each user has two keys, one secret and one
public.
Public keys are maintained in a public
directory.
To send a message M to user ü, encrypt
using the public key of ü.
ü decrypts using his secret key.
Signing Messages
For a user Y to send a signed message M to
user .
Y encrypts M using his secret key.
decrypts the message using Y¶s public key.
(
,
*
*
$ "
(
*
&
]
+
$
]
, $
*
°
A firewall is a barrier placed between the
private network and the outside world.
All incoming and outgoing traffic must pass
through it.
Can be used to separate address domains.
Control network traffic.
Cost: ranges from no-cost (available on the
]nternet) to $ 100,000 hardware/software
system.
Types:
Router-üased
Host üased
Circuit Gateways
°
° °
] -
') þ
Y&
#
] "
]
.
°
'# *)
Use a computer instead of router.
More flexible (ability to log all activities)
Works at application level
Use specialized software applications and
service proxies.
Need specialized programs, only important
services will be supported.
Ê
Example: Proxies and Host-üased Firewalls
&
#
&
# * "°/
° +
]
.
°
] 'þ)
Y$
E-mail is the most widely used application in
the ]nternet.
Who wants to read your mail ?
üusiness competitors
Reporters,Criminals
Friends and Family
Two approaches are used:
PGP: Pretty Good Privacy
PEM: Privacy-Enhanced Mail
Y
'-)
Available free worldwide in versions running
on:
DOS/Windows
Unix
Macintosh
üased on:
RSA
]DEA
MD5
Ê
Where to get PGP
Free from FTP site on the ]nternet
Licensed version from ViaCrypt in USA
Example:
pgp -kg ]D-A Signature
pgp esa m.txt ]D-ü Encryption
pgp message Decryption
Y
'Y$)
A draft ]nternet Standard (1993).
Used with SMTP.
]mplemented at application layer.
Provides:
Disclosure protection
Originator authenticity
Message integrity
- "
Function Algorithms used Description
Message ]DEA, RSA A message is encrypted
encryption using ]DEA . The session
key is encrypted using RSA
recipient¶s public key.
Privacy problems
Hacking and similar attacks
]ntegrity problems
Repudiation problems
Others «
0
' 0)
Platform and Application ]ndependent
Operates between application and
transport layers
ëë ë ë ë
ë
0
' 0)
Mutual Authentication
Data Encryption
Data ]ntegrity
Record Layer
Alert Layer
Spoofing attacks
Negotiation attacks
Snooping attacks
#
Secured HTTP (S-HTTP)
Security on application layer
Protection mechanism:
Digital Signature
Message authentication
Message encryption
Network Network
Layer
þ
þ
Y
Y
#//°/ Ä
'#)
-/+
, ,
certificates
$ / 0
]
Ú
Ú
1
3
7
+
5+
6
2
4
/$°
Too much network traffic without designed
policies
Scanners understand the network
configurations
Monitors provide intrusion detection based on
preset patterns
Filters prevent unwanted traffic ± based of
³type´, for example virus detection
Ä
Secure web servers ± SSL enabled
Application servers ± generally lacking any
security support
A number of toolkits to enable applications to
utilize security functions
]ntegration into existing (legacy) infrastructure
is difficult
Ä$77
business implementations
Y ,
of an application
Y&Y
Electronic Cash
]mitates Paper Cash
Examples: CyberCash, CyberCoin, DigiCash and
Virtual Smart Cards
Electronic Checking
Same as Paper Checks
Use Automated Clearing House (ACH)
Examples: CheckFree, NetCheque and NetChex
Not well developed as E-Cash or Credit Card
Credit Cards
Not used in ]nternet until SET become ]nternet
Standard
Y ,Ä
7
]nfrastructure?
Security?
Arabic content?
Y °