Post on 13-Nov-2014
description
E-business Infrastructure and Security
Ron Cenfetelli
History of the Internet
Telegraph, the Victorian “Internet”
Telephone “Internet”– T-Carrier Systems (e.g. “T1”) for voice
and data– Teletypes– Compuserve, Prodigy in the late 80’s
• Member ID: 70314.2261
– Bulletin board systems (BBS)– BITNET (non-IP based among universities)
History of the InternetThe Development of the Internet– In 1969, the U.S. Department of Defense’s
Advanced Research Projects Agency (ARPA) established ARPANET
– The network had no central point and a message could be sent from one point to another through any number of routes. Computers exchanged
information according to standards agreed upon by all participants, with no one person, institution, or organization
“in charge.”
Dr. J.C.R. Licklider
A message can be thought of as a short sequence of “bits” flowing through the network from one multiaccess computer to another. It consists of two types of information: control and data. Control information guides the transmission of data from source to destination. ... In short, the message processors function in the system as traffic directors, controllers, and correctors.
-Licklider & Taylor 1968
History of the Internet– In 1986, the US National Science Foundation
created a national network for university communications, which developed into NSFNET (based on TCP/IP) with a dazzling fast 56 kbps backbone.
– The linking of NSFNET and ARPANET (and other growing parallel networks) became the modern Internet
History of the Internet– In the late 1980’s, the Internet was opened up beyond defense
and academia to include business uses.
– 1993: Tim Berners-Lee invents the World Wide Web.
• First user-friendly WWW browser (Mosaic/Netscape) was invented by Marc Andreessen.
• This greatly simplified communication and use by the masses
– 0 to 65 million users in 1.5 years
• “Business Killed the Internet Dead”
Feb 1996
Growth in the Internet Population(% of Americans who go online) – source Pew Internet and American Life Foundation
Internet usage, Canada & US
January 16, 2008“Internet penetration continues to show signs of hitting a plateau. The percentage of former users who say they have no intention of going back online continues to increase, and less than half of those who have never used the Internet plan to log on in the coming year. “
Digital Divide?
Age, Education, Income and Location appear to be highly predictive of broadband access
Internet Infrastructure
Company A
Intranet
Person 2
POPT1 line
Phone line
NAP
T3 line
Backbone
Internet
ISP
Inside the Public Internet:
• Underlying Technology and Basic Capabilities of the Infrastructure o Internet: A Network of Networkso Interconnected Packet-Switching Networkso IP: Software to Create a Virtual Networko TCP: Software for Reliable Communicationo Clients + Serverso Names for Computerso Services
Internet: A Network of Networks
Although claimed to be a network of equals, there is in fact a hierarchy of communication networksInternet Service Providers (ISPs) - Points of Presence (POP) on the Internet. They have a permanent IP address and necessary hardware to access the net. (Ex: Shaw, UUNET/Verizon)
Regional/National Networks– Example: BCNET
• http://www.bc.net/about_bcnet/what_is_bcnet.htm
Metropolitan Area Exchange – where the major networks “peer” and exchange traffic either mutually or fee-based
vBNS - Very High Speed Backbone network. Ex: www.canarie.ca (10Gbps)
So while the Internet was originally envisioned and designed to be a “mesh” of nodes, in reality, there exist major “superhighways” where heavy traffic flows between networks.
Internet: A Network of Networks
Source: Fitzgerald & Dennis
http
://w
ww
.cai
da.o
rg/t
ools
/vis
uali
zati
on/w
alru
s/ga
ller
y1/r
ies-
t2.p
ng
Bus
ines
sWee
k: 1
5 Ja
n 20
07
IP Addresses and the Domain Name System (DNS)
From ARPANET days: The idea that humans can better remember a name (sauder.ubc.ca) than some random set of digits (137.82.66.178)– A good thing for e-business!
Internet Protocol (IP) address:– Unique logical address for each device (e.g. your laptop) on the network– Used by routers to direct messages– Example: 137.82.66.178
Host server name– Human readable address– Example: www.sauder.ubc.ca
Every device on the Internet must have a unique IP address (kinda/sorta)
IP Addresses and DNS
Domain name service (DNS) – Dynamically translates IP addresses to named host
server, and back and maintains a current table of such translations
– Builds on hierarchical domain name space (e.g., www.sauder.ubc.ca)
– Top level: .com, .edu, .ca, .gov, .org, etc.• Generic (gTLD) for organizations and functions (.com)• Country code (ccTLD) for nations (.ca, .us, .it…)• Overall managed by ICANN. Country codes are managed
as determined by each country.
More on IP AddressesFour 8 bit addresses = 32 bits = 2^32 = 4.3 Billion possible unique addresses (IPv4)– Not completely true. Inefficiencies due to “block” assignments of first IP
“octet” (e.g. UBC’s 137). Actually 3.7 billion.
A looming shortage of addresses! – The number of available IPv4 addresses (http://www.bgpexpert.com/addrspace2007.php):
• 2007: 1.3 billion, 64.9% utilization • 2008: 1.1 billion, 69.7% utilization
– See “A coming real estate crunch on the Net” on WebCT– Thus IPv6 – 128 bits
• Billions and billions of addresses (a trillion trillion trillion to be exact)
Internet: Client/Server Paradigm
It is service-oriented, and employs a request-response protocol
One type of server is the Domain Name Server. These are used to translate domain names to IP addresses– A computer only needs to know the location of one DNS– A dozen or so “Root” servers maintain worldwide consistency
of Domain to IP address
The Client-Server ParadigmA server process, running on a server host, provides access to a service.A client process, running on a client host, accesses the service via the server process.The interaction of the process proceeds according to a protocol.
...
s e rvic e re que s t
a s e rve r pro c e s s
a c l ie nt pro c e s s
a s e rvic e
The C l i e nt -Se r ve r P ar adi g m , c o nc e ptual
Se r ve r ho s t
C l i e nt ho s t
Protocols
The language the nodes on a network use to communicate with each other.– Analogy: We may agree to speak in English with
certain grammatical rules.
Protocol Examples
TCP - Transport Control ProtocolIP - Internet Protocol e-mail (Simple Mail Transfer Protocol, SMTP) file transfer (File Transfer Protocol, FTP) All are packet based
Putting Client/Server and Protocols Together
A protocol/service session within the Client/Server model– Session: the interaction between the server and one client. – The service managed by a server may be accessed by multiple
clients who desire the service, sometimes concurrently. – Each client, when serviced by the server, engages in a separate
session with the server, during which it conducts a dialog with the server until the client has obtained the service it required
Example
The dialog in each session follows a pattern prescribed in the protocol specified for the service.
World Wide Web session:
Client: Hello, <client address> here.
Server: Okay. I am a web server and speak protocol HTTP4.0.
Client: Great, please get me the web page index.html at the root of your document tree.
Server: Okay, here’s what’s in the page: (contents follows).
Internet Protocol – TCP/IPThe TCP/IP protocol defines the interface between the physical infrastructure (streets, intersections) and the data flow (cars)TCP = Transport Control Protocol– Asking another device on the network if it is willing to accept information
from the local device, receipt confirmation– Splits messages in PACKETS and assembles them back in proper
sequence
IP = Internet Protocol– Approximately two hundred byte packets. IP labels the packet with
source/destination address and contents.– Has rules for routing message packets – Handles the correct addressing
TCP: Reliable CommunicationProblem: Packet-switched networks can be overrun, bottlenecks, routers go down, etc.
Network DNetwork C
Network A
Network B
Router
Router
Router Router
TCP Helps IP Guarantee DeliveryTransmission Control Protocol: Whereas IP manages addressing and routing, TCP manages successful delivery between hosts
– “Catches” all of the packets sent by IP.
– Reassembles the packets in the proper sequential order
– Makes sure all of the data has arrived.
• If not, TCP sends a request to the server requesting the missing packet be resent.
– Upon completion of reorganizing the data, TCP allows the data stream to viewed.
More on TCP/IP
TCP/IP is TCP and IP working together– TCP takes care of the communication between your
application software (i.e. your browser) and your network software.
– IP takes care of the communication with other computers.– TCP is responsible for breaking data down into IP packets
before they are sent, and for assembling the packets when they arrive. Also reliable delivery.
– IP is responsible for sending the packets to the receiver.– Analogy: TCP is like a Taxicab Dispatcher, IP is like a Taxicab
A “Packet”
Routers
POP
NAPInternet
Routers
RoutersRouters are what truly make the Internet what it is
– They route IP message traffic between other routers
– They can connect separate networks even those with different network protocols (Ethernet, Token-ring).
– They allow for multiple paths /router chooses the “best” path or route (“Dynamic” instead of static). Routers use a routing table of possible paths. Dynamic refers to the changing nature of this table. Analogous to getting updated traffic reports.
• If a relied-upon router goes down, an alternative path is found
– With TCP/IP, routers can send a single message around multiple paths and the packets that make up that message can arrive out of sequence. TCP/IP puts everything back in order. Packets can travel independently of one another to the destination.
– This might help to explain why VOIP sounds like it does
TCP/IP – Organized Chaos
Brad sends “HELLO” to Al
Al
H
EL
L
O
PacketRouter
Internet World Wide Web
Internet = A “network of networks” encompassing millions of computers linked via a variety of means (fiber, wireless, etc.) using various protocolsWWW = A method of accessing information that uses a specific protocol (e.g. HTTP) for sharing “pages”, graphics and other multimedia using browsers and “hyperlinks”
Internet WWW
HTML
HyperText Markup Language (HTML) specifies how to author web pages on the WWW.Consists of predefined <tags>– <b> start bold font; </b> stop bold font– <table> start a new table; </table> end table
Cascading style sheets (CSS)– Specify classes with style attributes. More advanced than
HTML
Web Protocol - HTTPHyperText Transfer ProtocolDefines how messages are formatted and transmitted on the WWWDescribes what actions Web servers and browsers should take in response to various commandsA request/response paradigmHTTP is a connectionless and stateless protocol
Dealing with a lack of Connection & StateHTTP is a connectionless and stateless protocol– No “knowledge” of prior transmissions/transactions
An IP address is an imperfect means of identifying a user and their current state.“Workarounds” have been developed – ActiveX, Java, JavaScript and cookies – Ex: Cookies
• a “message” stored on the user’s harddrive holding information about the user. Exchanged between the browser and a server.
• Purpose: to identify repeated users and prepare customized pages for them
Cookies
Example:
www.msblabs.org FALSE /tools/scratch-pad/ FALSE1227994064 data Ron%20is%20leaving%20a%20cookie
Try it out at http://www.msblabs.org/tools/scratch-pad/index.php
Search for “cookies.txt” file under Documents and Settings
Web 2.0 – Moving beyond HTML
As noted, a collective term for the enhancement of social aspectsBut also includes the technology and standards to facilitate interactivity and dealing with a lack of connection & state– Ex: Ajax for improved response to address “stateless” issues
• Asynchronous Javascript with XML • The “old fashioned” way: For every request made by a user, a new web
page has to be loaded• With Ajax, HTML is generated locally allowing exchange of just the
relevant information updates– Ex: Google Maps
A “Mashup” of Google Maps and Craigslist
A classic example of Web 2.0: www.housingmaps.comThe social platform of Craigslist
+ The AJAX interactivity of Google Maps
= A forum for finding relevant rentals nearby
A summary of Internet InfrastructureAlthough a remarkable phenomenon, the Internet is still operating on essentially the same technology as 40 years agoRenovations planned:– IPv6: more addresses– Continual use of “add-ons” such as AJAX
But still the same basic technology, just faster and more ubiquitous
Security
Why Security Matters to e-Business
Peter Steiner -p. 61, The New Yorker, (July 5, 1993)
Wednesday, 2 January 2008,
Malware marries Web 2.0
“Where human beings solve the puzzles the viruses cannot."
See link On WebCT
Security in the Physical World
Lock
Security forces
Safe
Signature
Physical barriers
Fingerprint
Seal
Contract
E-business Security Needs
ConfidentialityAuthentication– Ability to verify the identity of people/organizations
Data/Message Integrity– Ensuring communications were not modified in transit/storage
Nonrepudiation – Parties cannot deny a communication
• Proof that the sender sent and proof that the receiver received
A Simulation…
Let’s pretend that each of us in the room is a node on the Internet. – Just like the real Internet, messages are sent from a sender
to a receiver via the intermediate nodes. Each intermediate node helps pass along a packet to its destination.
– All messages being transmitted must go through a physically adjacent node
– As a result, each message is viewable by each node (as is the case in the real world Internet!)
TCP/IP –Organized Chaos
Brad sends “HELLO” to Al
Al
H
EL
L
O
PacketRouter
A Simulation…I’ll post these slides after 30JAN
e-Business Security Needs
ConfidentialityAuthentication– Ability to verify the identity of people/orgs.
Data/Message Integrity– Ensuring communications were not modified in transit/storage
Nonrepudiation – Parties cannot deny a communication
• Proof that the sender sent and proof that the receiver received• Non-repudiation is a property achieved through cryptographic methods
which prevents an individual or entity from denying having performed a particular action related to data
Asymmetric Keys and PKIAsymmetric Keys and PKI
Asymmetric
Keys
and PKI
Asy
mm
etric
Key
s an
d P
KI
Message Integrity – Threats & Solutions
Old world solutions– Seal
Digital world solutions– Hashing
Internet solutions– Hashing– Digital signatures (also addresses the problem of
authentication!)
PKI Components: Digital Signature
Encrypted with a private key and attached like a signature to a hashed message, to ensure authentication, message integrity and non-repudiation.
Hashing
Another use of “one way” functions!You can start from the same data and get the same result, but it is nearly impossible to work backwardsA hash forms a “message digest” of the data. A smaller versionHowever, the values for the one way hash function are not secret
Hash Example
We could choose an algorithm “Sum (mod 12)”123 222 143 212 (four 8 bit characters)Sum = 700, mod 12 4“4” is the hash (or checksum)
Hashingmessage Hashing
algorithmA valuesay X
message
X=Hash Value
message
X
Hashing algorithm
Y
Sender
Receiver If X = Y, message sent and received are the same.
message
X
PKI Components:Digital Signature (cont.)
Note how the private/public key process is reversed!Cleartext message
Computedigest from
hashingalgorithm
Sender encryptswith his private key
EncryptDigest
Cleartextmessage
Transmission
Receiver decrypts w/ Sender’s
public key
DecryptDigest
Computeexpecteddigest fromhashing
algorithm
Confirm or deny integrity
of message
DigitalSignature
Digest Digest
Expected Digest
e-Business Security Needs
ConfidentialityAuthentication– Ability to verify the identity of people/orgs.
Data/Message Integrity– Ensuring communications were not modified in transit/storage
Nonrepudiation – Parties cannot deny a communication
• Proof that the sender sent and proof that the receiver received
Asymmetric Keys and PKIAsymmetric Keys and PKI
Asymmetric
Keys
and PKI
Asy
mm
etric
Key
s an
d P
KI
Hierarchies of Trust
Certificates -- Endorsements– Digital ids issued by Certificate Authorities (CA)
• Public Organizations: Versign, IBM• Private Organizations: Federal Express
Public/Private Keys– Two mathematically related strings of numbers
Encryption– The process of using digital keys to scramble digital
communications
PKI Components: Digital certificate
A digital file issued to an individual or company by a certifying authority that contains the individual’s or company’s public key and verifies the individual’s or company’s identity.– Identification information– Public key– Expiration date– The CA– All encrypted with the CA’s private key
PKI Components:Certification Authority
Certification authority (CA)– A trusted entity (e.g., VeriSign.com) that issues and
revokes public key certificates and certificate revocation lists (CRLs)
Certificate repository (CR)– A publicly accessible electronic database that holds
information such as certificates and CRLs.
e-Business Security Needs
ConfidentialityAuthentication– Ability to verify the identity of people/orgs.
Data/Message Integrity– Ensuring communications were not modified in transit/storage
Nonrepudiation – Parties cannot deny a communication
• Proof that the sender sent and proof that the receiver received
Asymmetric Keys and PKIAsymmetric Keys and PKI
Asymmetric
Keys
and PKI
Asy
mm
etric
Key
s an
d P
KI
Putting it all together…
Customer Internet merchant
Certificate authority
Customer’s info requests and Merchant’s info are exchanged.
Customer verifies Merchant (received msg’s are signed with a hash that can be decrypted with the merchant’s public keys held by CA)
Provides encrypted information for purchases (encrypted with merchant’s public key). Credit card and message digest is signed with customer’s private key.
Merchant verifies Customer (received msg’s are signed with a hash that can be decrypted with the customer’s public keys held by CA)
Customer’s Public Key
Merchant’s Public Key
More Security and Identification
We’ve discussed how to ID ourselves across the Internet, but how do we ID ourselves at our “point of presence”?
Physical Security Means
Physical Media– Smartcards– Tokens
Biometrics– Face recognition, Retina– Voice– Fingerprints, skin chemicals– Won’t work for 1% of the population
You've got security (Wired News Sep. 21, 2004)
“Passwords alone won't be enough to get onto America Online under a new, optional log-on service that makes AOL the first major U.S. online business to offer customers a second layer of security.
The so-called two-factor authentication scheme will cost $1.95 a month in addition to a one-time $9.95 fee. It is initially targeted at small businesses, victims of identity theft and individuals who pay a lot of bills and conduct other financial transactions through their AOL accounts.
Subscribers get a matchbook-size device from RSA Security displaying a six-digit code that changes every minute. The code is necessary to log on, so a scammer who guesses or steals a password cannot access the account without the device in hand.
How the SmartCard (SecurID) Works
Time based– Client-side and server-side
components are designed to be synchronized
– The server is synched with a time server
– The SecurID hardware token has a built-in clock and is guaranteed for three to five years
Each client-side 6 digit token-code is valid for sixty-seconds and one authentication per sixty-second window
How the SmartCard (SecurID) Works
Output token code is a function of time and a seed value unique to card– What function? A hash function!– Why? It’s “one way” and thus computationally infeasible to
“work backwards” based upon the token codes– The server carries out the same function based upon the
card’s seed and the current time– If a match, then access is authorized
• (Apparently the server can adjust for card time “drift”, e.g., can determine a set of values several minutes before or after current time and matches)
Biometrics: Face
Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html
Biometrics: Voice
Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html
Biometrics: Fingerprint
Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html
Security Limitations
True strength depends on:– Security protocol used to invoke the encryption
function– Trust in the platform executing the protocol– Cryptographic algorithm– Length of the key(s) used for encryption/decryption– Protocol used to manage/generate keys– Storage of secret keys
Limitations
Humans are the weakest link in the chain
In the end, everything is only ones and zeroes!
Combination is Best Security
Something you have…– Token (smartcard)– Biometric
PLUS something you know– Password
• Use mixture of uppercase and lowercase letters• Include numbers or symbols• Change your password every six months
Viruses,Worms, and Trojan horses…Virus: a program that propagates itself by infecting other programs on the same computer. – From erasing files to innocuous pop-ups
Code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to an otherwise innocent host program. It may damage hardware, software, or information. A true virus does not spread without human action to move it along, such as sharing a file or sending an e-mail (thus different from a worm)Now seeing viruses on cell phones and other “non-PC” devicesSony’s rootkit DRM fiasco
Worm: a program that propagates itself. Unlike a virus a worm can spread itself automatically over the network from one computer to the next. – Through automatic file sending and receiving features– Essentially a Virus that can spread itself
– Myspace Worm using Quicktime
Viruses, Worms and Trojan horses…
Trojan horse: programs that appear desirable but actually contain something harmful. – Example: you may download what looks like a free
game but when you run it, it erases every file in that directory.
Viruses, Worms and Trojan horses…
See link On WebCT
Another way of looking at it
+ +
“Symantec says the Trojan.Silentbanker has so far targeted over 400 banks around the world, but according to a blog posted by Symantec's Liam O’Murchu on January 14 [2008], the most worrying aspect is that the Trojan can perform man-in-the-middle attacks (where an attacker can read, insert and modify messages between two parties without either party knowing).” http://m-net.net.nz/2157/latest-news/latest-news/trojan.silentbanker-defeats-2-factor-authentication-attacks-400-b.php
Questions? Comments?