The secure internet application for business education on the website

The 85th SIEC/ISBE International Conference 2013 in Berlin, Germany, August 5-9, 2013

Sok Hwan Cho, Ph.D. (KAIM, South Korea)
Sok Pal Cho, Ph.D. (Sungkyul University, South Korea)

Index

1. Network Concept
1.1 Network Components
1.2 Network Interconnection
1.3 Internet
1.4 Paradigm Shifts of B.E

2. Threats on the Internet
2.1 Vulnerabilities of terminals on the Internet
2.2 Network Vulnerabilities
2.3 Protecting against external attackers

3. Secure Internet Application
3.1 Information Ambiguity (Ambiguousness)
3.2 Firewall or Demilitarized Zone
3.3 Secure Channels

4. Conclusion

1. Network Concept

1.1 Network Components

A network is the interconnection of a set of terminals capable of communication. In this definition, a terminal can be a host such as a large computer, desktop, laptop, workstation, cellular phone, or security system. A terminal can also be a connecting device such as a router, a switch, a modem that changes the form of data, and so on.

Figure: the five components of a network on the website

1.3 The Internet

An internet is two or more networks that can communicate with each other. The Internet is composed of thousands of interconnected networks.

Figure: the basic components of a network (understanding terminals)

1.4 Paradigm Shifts of education on the network

The network shifts education from the traditional model to the networked model:

– Teacher-oriented education → learner-oriented education
– Group education → distributed education
– Community education → individually ordered education
– Uniform education → lifelong education

Off-line education: physical classroom education. On-line education: website education; distance learning; e-, m- and u-learning.

2. Threats on the Internet

Kinds of threats that disrupt learning activities:

– Unauthorized access.
– Malicious software: virus, worm, Trojan code.
– Software failure.
– Denial of service.
– Modification by an unauthorized person.
– Calamity.
– Interception by an unauthorized person.
– Etc.

2.1 Vulnerabilities of Terminals on the Internet

Hardware: interception (theft), interruption (denial of service), modification, fabrication (substitution)

Software: interruption (deletion), interception, modification, fabrication

Data: interruption (loss), interception, modification, fabrication

2.3 Network Vulnerabilities

Target: authentication failures
Vulnerabilities: impersonation, eavesdropping, spoofing, session hijacking

Target: programming flaws
Vulnerabilities: buffer overflow, addressing errors, parameter modification, time-of-check to time-of-use errors, malicious active code (Java, ActiveX), malicious code (virus, worm, Trojan horse)

2.3.2 Network Vulnerabilities (Uncertain Message Routing)

• If host A1 on network A sends a message to host B3 on network B (A1 → B3), it may be routed through host C or host D. Host C may provide acceptable security, but D may not.

Figure: uncertain message routing in a network (Host A1 on Network A, Host B3 on Network B, intermediate Hosts C and D)

2.3.4 Network Vulnerabilities (Impersonation)

In an impersonation (imitation), an attacker has several choices:

– Guess the identity and authentication details of the target.
– Pick up the identity and authentication details of the target from a previous communication or from wiretapping.
– Circumvent or disable the authentication mechanism at the target computer.
– Use a target that will not be authenticated.
– Use a target whose authentication data are known.

2.3.6 Network Vulnerabilities (Interception)

• A malicious middleman intercepts the response key and can then eavesdrop on, or even decrypt, modify, and re-encrypt, any subsequent communications between the two terminals.

Figure: key interception by a man-in-the-middle attack (User 1, Key Distributor, Malicious Interceptor, User 2)

2.3.7 Network Vulnerabilities (Website Vulnerabilities)

• Web site defacement (damage)
– One of the most widely known attacks is the web site defacement attack.
– Web sites are designed so that their code is downloaded, enabling an attacker to obtain the full hypertext document and all programs delivered to the user in the loading process.
– The download process essentially gives the attacker the blueprints to the web site.

2.3.8 Network Vulnerabilities (Denial of Service)

• Echo-Chargen (connection flooding)
– Chargen is a protocol that generates a stream of packets.
– The attacker sets up a Chargen process on host A; when host A sends a packet to destination host B, B replies to A with an echo packet.
– Host A therefore produces a continuous stream of packets to host B, and host B replies to A, so A and B are put into an endless loop.

Figure: echo-chargen loop (Host A, with "Chargen" set up, sends a stream of packets; Host B returns echo packets; endless loop)

2.3.10 Distributed Denial of Service (DDoS)

To perpetrate a distributed denial-of-service (DDoS) attack, an attacker does two things.

① The attacker plants a Trojan horse on a target machine. That Trojan horse does not cause any harm to the target machine. The Trojan horse file may be named for a popular editor or entered into the list of processes (daemons) activated at startup.

② The attacker repeats this process with many targets. Each of these target systems becomes what is known as a zombie. The target systems carry out their normal work, unaware of the resident zombie.

Ref) Explanation of the origin of the term "Trojan horse"

3.1.2 Cryptosystem

• A cryptosystem is a system for encryption and decryption.

Figure: plaintext → encryption → ciphertext → decryption → original plaintext

3.2.1 Introduction of I&A (Individual I&A)

• Individual I&A determines the individual learner or user interacting with a process. An example is logging on to a computer, as shown in the figure.

Figure: individual identification and authentication representation (the I&A system asks the learner: "Which of the learners that I know are you?")

3.2.2 I&A Procedure

• The I&A service is requested by a using function, which has the responsibility of passing information to the I&A service to determine an identifier and authenticators.

Figure: generic interaction model of the I&A service. The learner/user contacts the using function; the using function requests the I&A service; the I&A service requests an ID and authenticator, and the learner/user supplies a claimed ID and authenticator; the I&A service returns the I&A result to the using function, which then permits access.

3.2.3 Type of I&A

• Three general strategies exist to satisfy I&A requirements: automated I&A, physical I&A and procedural I&A.

- Physical and procedural I&A include measures such as a human guard reviewing ID badges, or a sign-in procedure.

- Automated I&A design encompasses computer-based measures such as user IDs and passwords.
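The I&A procedure of 3.2.2 (using function, I&A service, claimed ID plus authenticator, I&A result, permit) and the automated user-ID-and-password I&A of 3.2.3, as an added example that is not part of the original slides. All names, user IDs and passwords are constructed; the service stores only salted PBKDF2 hashes, so a stolen table does not yield reusable authenticators.

```python
import hashlib
import hmac
import os
from typing import Dict, NamedTuple, Optional, Tuple

class IAResult(NamedTuple):
    permitted: bool
    identifier: Optional[str]   # the verified learner ID, or None
    reason: str

class IAService:
    """Automated I&A: checks a claimed ID against its stored authenticator.

    Constructed example: the authenticator (password) is never stored in
    clear, only as (salt, PBKDF2-HMAC-SHA256 digest)."""
    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def enroll(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._records[user_id] = (salt, digest)

    def identify_and_authenticate(self, claimed_id: str, authenticator: str) -> IAResult:
        record = self._records.get(claimed_id)
        # Unknown ID: still run the hash, so response time does not reveal
        # which learner IDs exist.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        digest = hashlib.pbkdf2_hmac("sha256", authenticator.encode(), salt, self.ITERATIONS)
        if record is None or not hmac.compare_digest(digest, expected):
            return IAResult(False, None, "identification or authentication failed")
        return IAResult(True, claimed_id, "ok")

def using_function(service: IAService, claimed_id: str, authenticator: str) -> str:
    """The page's 'using function': requests I&A and acts on the I&A result."""
    result = service.identify_and_authenticate(claimed_id, authenticator)
    if not result.permitted:
        return "denied"      # same answer whether the ID or the password was wrong
    return f"permit: learning contents for {result.identifier}"

if __name__ == "__main__":
    svc = IAService()
    svc.enroll("learner01", "correct horse")          # constructed learner account
    print(using_function(svc, "learner01", "correct horse"))
    print(using_function(svc, "learner01", "wrong password"))
```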

3.3 Protecting using a firewall or DMZ

Figure: firewall or DMZ placed between the attacker and the B.E (business education) application server, B.E state server, B.E DB server, B.E web server, cache and memory

3.3.1 Packet filter firewall

A packet filter firewall intercepts all traffic coming to and going from a port P and inspects its packets.

- Data coming from, or going to, a mistrusted address are rejected.

Figure: packet filter firewall at port P between an external host on the Internet and the local host; requests in both directions pass through the filter
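The packet filter just described, as an added example that is not part of the original slides: every packet crossing port P is inspected, traffic to or from a mistrusted address is rejected, and (serving the echo-chargen loop of 2.3.8) anything touching the echo or chargen ports is dropped. The networks, addresses and the set of public services are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rule set: the local education site and its one trusted partner.
LOCAL_NET = ip_network("192.0.2.0/24")
TRUSTED_NETS = [ip_network("198.51.100.0/24")]
ECHO_PORT, CHARGEN_PORT = 7, 19   # the two services that form the endless loop
PUBLIC_SERVICES = {80, 443}       # what the B.E web server exposes (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

def filter_packet(pkt: Packet) -> tuple:
    """Decide ("accept"|"reject", reason) for one packet crossing port P."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    inbound = dst in LOCAL_NET and src not in LOCAL_NET
    outbound = src in LOCAL_NET and dst not in LOCAL_NET
    # 1. Echo/chargen in either direction is dropped: one packet between
    #    these ports is enough to start the A <-> B loop of 2.3.8.
    if {pkt.sport, pkt.dport} & {ECHO_PORT, CHARGEN_PORT}:
        return "reject", "echo/chargen port"
    # 2. Inbound: only known partners, only to the services the site exposes.
    if inbound:
        if not any(src in net for net in TRUSTED_NETS):
            return "reject", "mistrusted source address"
        if pkt.dport not in PUBLIC_SERVICES:
            return "reject", "service not exposed"
        return "accept", "trusted partner to public service"
    # 3. Outbound: data going to a mistrusted address are rejected too.
    if outbound:
        if not any(dst in net for net in TRUSTED_NETS):
            return "reject", "mistrusted destination address"
        return "accept", "local host to trusted partner"
    # 4. Anything else does not legitimately cross the filtered port.
    return "reject", "does not cross port P"

if __name__ == "__main__":
    sample = [  # constructed packets
        Packet("198.51.100.5", "192.0.2.10", "tcp", 40000, 443),
        Packet("203.0.113.9", "192.0.2.10", "tcp", 40000, 443),
        Packet("198.51.100.5", "192.0.2.10", "udp", CHARGEN_PORT, ECHO_PORT),
    ]
    for p in sample:
        print(p.src, "->", p.dst, filter_packet(p))
```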

3.4 Secure Internet Application for business education

• Secure channels: for sensitive communication across a public network, create encrypted secure channels to ensure that data remain confidential in transit.

• Demilitarized zone: separates the business functionality and information from the Web servers.

• Protection reverse proxy: protects the server software at the level of the application protocol.

• Known partners: identify each partner by identification and authentication.

3.4.1 Secure Internet

Figure: users (learners, teachers, etc.) reach the learning contents through I&A with E/D. The steps, in order, are E/D (encryption/decryption), a firewall (packet filter, proxy, stateful) and I&A (identification and authentication), with E/D applied at each hop; ISP: Information Service Provider.

4. Conclusion

▣ A secure internet channel provides:

– Protection of users from attackers in cyberspace
– Better security for the e-, m- and u-learning systems that store, process, or transmit learning contents
– More learning opportunities
– Improved interaction
– Higher quality
– Enabling a well-informed LMS (Learning Management System)