Unit 5 Cryptography
Transcript of Unit 5 Cryptography
-
8/11/2019 Unit 5 Cryptography
1/131
DSZQSPHSBQIZ
-
Brief History of Cryptography!!!!
What is cryptography? The science of writing secret code.
It is the art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text.
The first use of cryptography was in 1900 B.C.
It was used by an Egyptian scribe.
Some experts say it appeared right after writing was invented.
-
Encryption / Decryption
Encryption is the transformation of data into some unreadable form. Its purpose is to ensure privacy by keeping the information hidden from anyone for whom it is not intended, even those who can see the encrypted data.
It is a procedure to convert a regular text into a coded or secret text.
Decryption is the reverse of encryption: it is the transformation of encrypted data back into some intelligible form.
A basic task in cryptography is to enable users to communicate securely over an insecure channel in a way that guarantees their transmission's privacy and authenticity.
Providing privacy and authenticity remains a central goal for cryptographic protocols.
Diagram: Plain Text -> Encryption -> Cipher Text -> Decryption -> Original Text
-
Common Terms in Cryptography
Intruder: An intruder is any person who does not have the authorization to access the network or the information system.
Plaintext: It is an intelligible message that needs to be converted into an unintelligible message or encrypted message.
Cipher text: A message in encrypted form.
Encryption: A method by which plaintext can be converted to cipher text.
Decryption: A method by which cipher text can be converted into plaintext.
Algorithm: A cryptography algorithm is a mathematical function.
Key: It is a string of digits.
-
Keys
A key is a variable value that is used by cryptographic algorithms to produce encrypted text, or to decrypt encrypted text.
The length of the key reflects the difficulty of decrypting the encrypted message.
Diagram: Plaintext -> Encryption (Key) -> Ciphertext -> Decryption (Key) -> Plaintext
-
Example
Plain text | Algorithm          | Cipher text | Algorithm       | Plain text
Item       | Next letter        | Jufn        | Previous letter | Item
Message    | Previous 3 letters |             | Next 3 letters  | Message
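The two rows of the table are the same shift cipher with keys +1 and -3. The following added example (not part of the original slides) implements that cipher and then tries all 26 keys against the string printed on the title slide, which shows why so small a key space gives no protection; the function names and the "graphy" crib are assumptions made for the illustration.

```python
import string

ALPHABET_SIZE = len(string.ascii_lowercase)  # only 26 possible keys exist


def shift_text(text: str, key: int) -> str:
    """Move every ASCII letter `key` places along the alphabet (negative = back)."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % ALPHABET_SIZE + base))
        else:
            out.append(ch)  # digits, spaces and punctuation pass through
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return shift_text(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return shift_text(ciphertext, -key)


def brute_force(ciphertext: str, crib: str):
    """Try every key and keep the candidates that contain the expected word."""
    hits = []
    for key in range(ALPHABET_SIZE):
        candidate = decrypt(ciphertext, key)
        if crib.lower() in candidate.lower():
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    # Rows of the table: "next letter" is key +1, "previous 3 letters" is key -3.
    print(encrypt("Item", 1))
    print(encrypt("Message", -3))
    # Title-slide string from this deck. The attacker knows neither the key nor
    # the text, only guesses that the plaintext contains "graphy" (assumed crib).
    print(brute_force("DSZQSPHSBQIZ", "graphy"))
```

As printed, the title-slide string decodes under key 1 to CRYPROGRAPHY, one letter off from CRYPTOGRAPHY.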
-
Cryptography Broken Down!!!
Two kinds of cryptosystems:
Symmetric
Uses the same key (the secret key) to encrypt and decrypt a message.
Asymmetric
Uses one key (the public key) to encrypt a message and a different key (the private key) to decrypt the message.
-
Symmetric key encryption system
Same key is used to both encrypt and decrypt data
Examples of encryption systems: DES, 3DES, AES
-
Symmetric Cryptosystem!
Secret Key (Symmetric)
Symmetric key encryption is also known as private key encryption.
With a secret key, the same key is used to encrypt information and decrypt information. Hence the operation is known as symmetric.
With secret key systems you don't know who sent the message or whether it is for a specific recipient, because anyone with the secret key could create or read the message.
Encryption with Keys (Symmetric Cryptosystem)
Diagram: Plain Text -> Encryption (Key) -> Cipher Text -> Decryption (Key) -> Original Text
-
The message: The sender and receiver know and use the same secret key.
The sender uses the secret key to encrypt the message.
The receiver uses the same secret key to decrypt the message.
-
The same key is used to both encrypt and decrypt the message.
This means that the sender and receiver have to agree on the key in advance.
There is a wide variety of symmetric encryption algorithms.
The most widely used encryption algorithm was DES (Data Encryption Standard), which was sanctioned by the National Institute of Standards & Technology (NIST).
DES was developed by IBM.
It is a block cipher scheme which encrypts a 64-bit data block using a 56-bit key.
The block is transformed in a way that involves sixteen iterations. This is done using the security key.
-
Main challenge
Agreeing on the key while maintaining secrecy.
Trusting a phone system or some transmission medium.
The interceptor can read, modify, and forge all messages.
-
Limitations
Both parties must agree upon a shared secret key.
If there are n correspondents, you have to keep track of n different secret keys. If the same key is used by more than one correspondent, the common key holders can read each other's mail.
Symmetric encryption schemes are also subject to authenticity problems, since the identity of the sender and the recipient cannot be proved: both can encrypt and decrypt the message.
-
Key Management!!!
Key management: the generation, transmission, and storage of a key.
All cryptosystems must deal with key management issues.
Because all keys must remain secret, there is often difficulty providing secure key management.
-
Key Pairs
A key is a unique digital identifier.
Keys are produced using a random number generator.
A key pair consists of two mathematically related keys.
The private key is secret and under the sole control of the individual.
The public key is open and published.
-
Introduction of the Public Key!!!
Created to solve key management problems.
Created by Whitfield Diffie and Martin Hellman in 1976.
Also called an asymmetric system.
Encryption key: public key
Decryption key: private key
-
Public Key Cryptography
Public key encryption is also known as asymmetric encryption.
It utilizes a pair of keys, one public and one private.
The public key is made available to anyone who wants to send an encrypted message to the holder of the private key.
The only way to decrypt the message is with the private key.
In this way messages can be sent without agreeing on the keys in advance.
The most widely used public key algorithm is RSA.
-
Public key encryption system
Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
The public key can be sent in the open.
The private key is never transmitted or shared.
E.g. RSA (Rivest, Shamir, and Adleman)
Diagram: Recipient's Public Key, Recipient's Private Key
-
Public & Private Keys
Public and private key pairs comprise two uniquely related cryptographic keys.
The public key is made accessible to everyone, whereas the private key remains confidential to its respective owner.
Since both keys are mathematically related, only the corresponding private key can decrypt data encrypted with its corresponding public key.
-
How it works!!!!
Encryption with Keys (Asymmetric Cryptosystem)
Diagram: Plain Text -> Encryption, with Encryption Key (Ke) -> Cipher Text -> Decryption, with Decryption Key (Kd) -> Original Text
-
Advantages
Message confidentiality can be proved: the sender uses the recipient's public key to encrypt a message, so that only the private key holder can decrypt the message, no one else.
Authenticity of the message originator can be proved: the receiver uses his private key to encrypt a message, to which only the sender has access.
Easy to distribute public key: the public key of the pair can be easily distributed.
-
Public Key Cryptography
Complementary algorithms are used to encrypt and decrypt documents.
Diagram: Encryption key -> Unreadable Format (@#@#@$$56455908283923 542#$@$#%$%$^&) -> Decryption key
-
Public Key Infrastructure in Action
Diagram labels: Public Key; Private Key; Secure Transmission (Encrypting, Decrypting); Signatures (Encrypting, Decrypting)
-
Message Digest
Used to determine if a document has changed.
Usually 128-bit or 160-bit digests.
Infeasible to produce a document matching a digest.
A one-bit change in the document affects about half the bits in the digest.
E.g. SHA-1 (160-bit digest), Secure Hash Algorithm
Diagram: Plaintext -> Hash Algorithm -> Digest
-
Hash function
A hash function is a formula that converts a message of a given length into a string of digits called a message digest.
A mathematical transformation is used by the hash function to encrypt information such that it is irreversible.
The encrypted cipher text message cannot be decrypted back to plain text.
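The "about half the bits" property from the Message Digest slide can be measured directly. This added example (not from the original slides) flips each bit of a constructed sample document in turn and counts how many of SHA-1's 160 digest bits change; the document text and the function names are assumptions.

```python
import hashlib

DIGEST_BITS = 160  # SHA-1, the digest named on the slide; hashlib.sha256
                   # can be substituted the same way (256-bit digest)

# Constructed sample document
REPORT = b"Quarterly emissions report: 42 tonnes"


def digest_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def changed_digest_bits(original: bytes, modified: bytes) -> int:
    """Hamming distance between the two digests."""
    return bin(digest_int(original) ^ digest_int(modified)).count("1")


def avalanche_profile(document: bytes):
    """Flip every input bit in turn; list how many digest bits changed each time."""
    return [
        changed_digest_bits(document, flip_bit(document, i))
        for i in range(len(document) * 8)
    ]


def document_changed(document: bytes, recorded_digest_hex: str) -> bool:
    """The integrity check itself: recompute the digest and compare."""
    return digest_hex(document) != recorded_digest_hex


if __name__ == "__main__":
    profile = avalanche_profile(REPORT)
    mean = sum(profile) / len(profile)
    print(f"{len(profile)} single-bit changes tested")
    print(f"digest bits changed: min {min(profile)}, mean {mean:.1f}, "
          f"max {max(profile)} of {DIGEST_BITS}")
    recorded = digest_hex(REPORT)
    print("altered copy detected:", document_changed(flip_bit(REPORT, 0), recorded))
```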
-
How it works: X sends a message to Y
Sender (X), Receiver (Y)
The sender generates a message.
A message digest of the message is created using the hash function.
The sender attaches its digital signature to the end of the message.
The sender encrypts both message and signature with the receiver's public key.
Using a private key, the entire message is encrypted by the receiver.
The receiver calculates the message digest using the hash function.
The receiver uses the same hash function that the sender uses, and which has been agreed upon in advance.
The main advantage is that even if an unauthorized person accesses X's public key, he will not be able to get to the hash function generated key, thus making the digital signature authentic and secure.
-
Trusted Electronic Transactions
-
ELECTRONIC TRANSACTIONS
Streamline Reporting Process
Reduce burden on regulated community
Efficient Record Retention
Timely and Accurate Data Retrieval and Access
Emergency Response (24/7 access)
Community-Right-to-Know
-
CAN ELECTRONIC DATA BE TRUSTED?
Accuracy and Authenticity
Decisions regarding Environmental Health and Impact
Security
Protection from unauthorized access
Tamper-resistant
Accidental - human errors
Intentional - Fraud
Credibility in Judicial Proceedings
Effective Enforcement
Plaintiff/Defendant Subpoena
-
Evidence must be unambiguous to be admissible in court.
Once admitted into court, evidence must be persuasive to a jury.
JUDICIAL CREDIBILITY is the Highest Standard for Trusted Data **
-
WHAT DETERMINES A LEGALLY BINDING REPORT?
1. AUTHENTICATION: the ability to prove the sender's identity
2. REPORT INTEGRITY: the ability to prove that there has been no change during transmission, storage, or retrieval
3. NON-REPUDIATION: the ability to prove that the originator of a report intended to be bound by the information contained in the report
-
TRUST IN PAPER-BASED REPORTS
-
ELECTRONIC REPORTING
-
FROM PAPER TO ELECTRONIC: Repudiation Risks in Basic Electronic Transactions
I did not send that report!
That report is not the one I sent!
I did not mean that!
-
I did not send that report!
Identity of user is unknown
Possible Solutions:
  Telephone call follow-up
  Terms and Conditions Agreement (TCA) / Mailed Certification Agreement
  Mail a Diskette Containing Electronic Data
That report is not the one I sent!
Identity of user is unknown
Possible Solutions:
  Telephone call follow-up
  Terms and Conditions Agreement (TCA) / Mailed Certification Agreement
  Mail a Diskette Containing Electronic Data
Ensuring Authenticity and Report Integrity in Electronic Transactions
  Digital Signatures
  Public Key Infrastructure
-
Public Key Infrastructure (PKI)
PKI is a combination of software, encryption technologies and facilities that can facilitate trusted electronic transactions.
PKI provides an electronic framework, i.e. software and a set of rules and practices, for secure communication and transactions between organizations and individuals.
PKI Components
  Key Pairs
  Certificate Authority
  Public Key Cryptography
-
PKI Structure
Diagram labels: Certification Authority; Directory services; User; Services, Banks, Webservers; Public/Private Keys
-
Certification Authorities (CAs)
A trusted authority.
Responsible for creating the key pair, distributing the private key, publishing the public key and revoking the keys as necessary.
The Passport Office of the Digital World.
An organization that issues public key certificates (Digital Signature).
A certificate is signed by the certification authority's own private keys and contains the name of the person, the person's public key, a serial number, and other info.
Example: VeriSign Corp.
-
Certificate Authority
A Certifying Authority is a trusted agency whose central responsibility is to issue, revoke, renew and provide directories for Digital Certificates.
The certificate authority issues a digital certificate to companies and organizations that are accessible via the internet.
They are issued for a certain period of time and are used as a guarantee of the security of a website.
It is also referred to as a reliable third party.
-
CSC1720 Introduction to Internet
All copyrights reserved by C.C. Cheung 2003.
CA model (Trust model)
Diagram labels: Root Certificate; CA Certificate; Browser Cert.; CA Certificate; Server Cert.
-
Different kinds of certificates
Certification authorities' Certificates
  contain the public key of the CA and the name of the service
  these can in turn be signed by other certification authorities.
Server Certificates
  contain the public key of the SSL server, the name of the organization running the server, Internet hostname, server's public key.
Personal Certificates
  contain the individual's name and public key.
  other information is also allowed.
Software Publisher Certificates
  certificates used to sign the distributed software.
-
Digital Signature
-
Digital Signature
A digital signature is a method of verifying the authenticity of an electronic document.
A digital signature is a personalized thumb print. It is the encryption of an electronic document by a key.
Characteristics
  A protocol that produces the same effect as a real signature.
  Only the sender can mark it.
  Easily identifiable by others as one from the sender.
  Used to confirm agreement to a message.
-
Digital signatures can be used in all electronic communications: Web, e-mail, e-commerce, electronic banking and general security and authentication of documents.
It is an electronic stamp or seal that is appended to the document.
It ensures that the document is unchanged during transmission.
-
The IT Act has given legal recognition to digital signatures, meaning that legally they have the same value as handwritten or signed signatures affixed to a document for its verification.
The Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems.
Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated
-
Physical Signature / Digital Signature
Physical Signature | Digital Signature
Physical Signature is just a writing on paper | Digital Signature encompasses crucial parameters of identification
Physical Signature can be copied | It is IMPOSSIBLE to copy a Digital signature
Physical Signature does not give privacy to content | Digital Signature also enables encryption and thus privacy
Physical Signature cannot protect the content | Digital Signature protects the content
-
How does a digital signature work?
User A uses A's private key to sign the document.
The document is transmitted via the Internet.
User B receives the document with the signature attached.
User B verifies the signature with A's public key, stored at the directory.
-
Digital Signatures
An individual digitally signs a document using the private key component of his certificate.
Diagram: Report + Private key -> Encryption Algorithm -> Digitally Signed
-
Authentication and Verification
The individual's public key, published by the CA, decrypts and verifies the digital signature.
Diagram: Digitally Signed + Public Key -> Decryption Algorithm
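The sign-then-verify flow of the last three slides (User A signs with the private key, User B checks with the public key from the directory) is worked through below as an added example that is not part of the original slides. It uses textbook RSA without padding on toy keys built from known Mersenne primes so that it runs on the standard library alone; real deployments use a padded scheme such as RSA-PSS from a vetted library. The directory entry, the report text and all function names are assumptions.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Build a textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return (e, n), (d, n)


def digest_int(document: bytes) -> int:
    """Message digest of the document as an integer (SHA-1, as on the slides)."""
    return int.from_bytes(hashlib.sha1(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """User A: transform the digest with the private key."""
    d, n = private_key
    return pow(digest_int(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """User B: undo the transform with the public key and compare digests."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(document)


# Constructed toy keys. Mersenne primes are far too small and too structured
# for real use; they are chosen only because they are well known to be prime.
A_PUBLIC, A_PRIVATE = make_keypair(2**127 - 1, 2**89 - 1)
M_PUBLIC, M_PRIVATE = make_keypair(2**107 - 1, 2**61 - 1)  # someone else's pair

# The "directory" from the slide: where User B looks up A's published key.
DIRECTORY = {"user-a": A_PUBLIC}

# Constructed sample document
REPORT = b"Discharge report 2019-Q3: 12 mg/L"


def check_report(claimed_signer: str, document: bytes, signature: int) -> str:
    """What User B does on receipt: look up the key, then verify."""
    public_key = DIRECTORY.get(claimed_signer)
    if public_key is None:
        return "unknown signer"
    return "valid" if verify(document, signature, public_key) else "rejected"


if __name__ == "__main__":
    signature = sign(REPORT, A_PRIVATE)
    print("genuine report:      ", check_report("user-a", REPORT, signature))
    print("altered in transit:  ",
          check_report("user-a", REPORT.replace(b"12", b"92"), signature))
    print("signed with other key:",
          check_report("user-a", REPORT, sign(REPORT, M_PRIVATE)))
    print("signer not listed:   ", check_report("user-z", REPORT, signature))
```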
-
Advantages
Signer authentication: The signer of the document is the owner of the private key for creating the signature, and unless that is lost, the digital signature cannot be altered by any other means.
Message authentication: Today digital signatures are probably more authenticated than the paper signature itself. Any alteration can be detected at the receiving end using the public key.
Efficient: The creation and use of digital signatures and the exchange of digitally signed content is more efficient than paper signatures. Digital signatures can be created automatically using programs these days, and hence the creation time is also quite short.
-
Limitations
If the private key is lost, the content signed using that key is fully compromised and can be tampered with.
The issuer of the digital signature could compromise security by giving your private key to someone else.
-
A digital signature is an electronic method of signing an electronic document.
A Digital Certificate is a computer-based record that:
  Identifies the Certifying Authority issuing it
  Has the name or the identity of its subscriber
  Contains the subscriber's public key
  Is digitally signed by the Certifying Authority issuing it
Digital signatures are used to verify the trustworthiness of information.
Digital certificates are used to verify the trustworthiness of a website.
However, in the case of digital signatures, the recipient must have a relationship with the sender or hosting site.
Organizations using digital certificates don't require a relationship with the remote site; they just need the ability to identify which digital certificate authority was used by the site to validate it.
-
Digital Certificates
A Digital Certificate is data with a digital signature from one trusted Certification Authority (CA).
This data contains:
  Who owns this certificate
  Who signed this certificate
  The expiry date
  User name & email address
-
What is a Digital Signature Certificate?
Digital signature certificates (DSC) are the digital equivalent (that is, electronic format) of physical or paper certificates.
Examples of physical certificates are drivers' licenses, passports or membership cards.
Certificates serve as proof of identity of an individual for a certain purpose; for example, a driver's license identifies someone who can legally drive in a particular country.
Likewise, a digital certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally.
-
Why is a Digital Signature Certificate (DSC) required?
Just as physical documents are signed manually, electronic documents, for example e-forms, are required to be signed digitally through a Digital Signature Certificate.
Who issues the Digital Signature Certificate?
A licensed Certifying Authority (CA) issues the digital signature.
Certifying Authority (CA) means a person who has been granted a license to issue a digital signature certificate under Section 24 of the Indian IT-Act 2000.
The list of licensed CAs along with their contact information is available on www.mca.gov.in. You can obtain your DSC from Veracity IT & Legal Services.
-
Advantages of Digital Certificates
They decrease the number of passwords a user has to remember to gain access to different network domains.
They create an electronic audit trail that allows companies to track down who executed a transaction or accessed an area.
-
Security Standards For Electronic Payment System
A secured payment transaction system is of critical importance to e-commerce.
Without a security standard, one cannot assume the success of e-commerce.
There are two common standards used for a secure electronic payment system:
  SSL
  SET
-
Secure Socket Layer (SSL)
SSL is a protocol for giving data security layers between high-level application protocols and TCP/IP.
It is a key protocol for securing web transactions and data packets on the internet.
It provides server and client authentication and an encrypted SSL connection.
It uses public key cryptography and a system for validating public keys and digital certificates over the server.
SSL provides 3 basic services: server authentication, client authentication and an encrypted SSL connection.
SSL server authentication uses public key cryptography to validate the server's digital certificate and public key on the client's machine.
-
What Happens When a Web Browser Connects
to a Secure Web Site
-
SSL Working
An SSL certificate allows sensitive information to be encrypted during online transactions.
Authenticated information about the owner of the certificate is also contained in it.
The identity of the owner of the certificate is verified by the Certificate Authority at the time of its issue.
-
What Can SSL Do?
It provides the following:
Data encryption, server authentication, message integrity, optional client authentication.
SSL provides a security handshake protocol to start the TCP/IP connection. The consequence of this handshake is that the client and server agree on the level of security they will use and complete any verification necessary for the connection. After that, SSL is only used to decrypt and encrypt the message stream.
-
SSL includes two sub-protocols: the SSL Record Protocol and the SSL Handshake Protocol.
Record Protocol -- defines the format used to transmit data.
Handshake Protocol -- uses the Record Protocol to exchange messages between an SSL-enabled server and an SSL-enabled client.
-
SSL usage
Any online store
Anyone who accepts online orders & payments through credit cards
A site that offers a login or sign in
Anyone processing sensitive data such as the address, birth date, license or ID numbers
Anyone who is required to comply with privacy & security requirements
Anyone who values privacy & security requirements
Anyone who values privacy & expects others to trust them
-
Challenge-Response e-mail system
It is an anti-spam system which is designed to shift the filtering workload from the recipient to the spammer (or the legitimate sender).
The fundamental idea is that spammers will not take the time to confirm that they want to send you email, but a legitimate sender will.
The system maintains two lists of addresses: a "blacklist" of senders that will always be blocked, and a "whitelist" of senders that will never be blocked.
If someone sends you email from an address not listed in either list, they will get a "challenge" (and their message will be queued temporarily).
If they give the correct "response" to the challenge, they get added to your whitelist and their queued message(s) get forwarded to you.
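The list-and-queue logic described on this slide, as an added example that is not part of the original slides. The class and method names, the sample addresses, the random challenge token and the per-sender queue cap are assumptions; one challenge is issued per unknown sender rather than per message, so repeated mail does not trigger repeated challenges.

```python
import hmac
import secrets

MAX_QUEUED_PER_SENDER = 5  # assumed cap so an unknown sender cannot fill the queue


class ChallengeResponseFilter:
    def __init__(self, blacklist=(), whitelist=()):
        self.blacklist = {self._norm(a) for a in blacklist}
        self.whitelist = {self._norm(a) for a in whitelist}
        self.pending = {}     # sender -> (challenge token, queued messages)
        self.challenges = []  # (sender, token) pairs that would be mailed out
        self.inbox = []       # (sender, message) pairs delivered to the user

    @staticmethod
    def _norm(address: str) -> str:
        return address.strip().lower()

    def receive(self, sender: str, message: str) -> str:
        """Classify one incoming message and return what happened to it."""
        sender = self._norm(sender)
        if sender in self.blacklist:       # always blocked, checked first
            return "blocked"
        if sender in self.whitelist:       # never blocked
            self.inbox.append((sender, message))
            return "delivered"
        if sender not in self.pending:     # first contact: issue a challenge
            token = secrets.token_urlsafe(16)
            self.pending[sender] = (token, [])
            self.challenges.append((sender, token))
        queue = self.pending[sender][1]
        if len(queue) >= MAX_QUEUED_PER_SENDER:
            return "dropped"
        queue.append(message)              # held until the challenge is answered
        return "queued"

    def respond(self, sender: str, response: str) -> bool:
        """Handle a challenge response; release queued mail if it is correct."""
        sender = self._norm(sender)
        if sender not in self.pending:
            return False
        token, queued = self.pending[sender]
        # Constant-time comparison so the token cannot be guessed by timing.
        if not hmac.compare_digest(token.encode(), response.encode()):
            return False
        del self.pending[sender]
        self.whitelist.add(sender)
        self.inbox.extend((sender, m) for m in queued)
        return True


if __name__ == "__main__":
    # Constructed sample addresses
    mail = ChallengeResponseFilter(blacklist=["bulk@spam.example"],
                                   whitelist=["boss@corp.example"])
    print(mail.receive("bulk@spam.example", "Buy now"))
    print(mail.receive("new@peer.example", "Hello, is this the right address?"))
    sender, token = mail.challenges[0]
    print(mail.respond(sender, token), mail.inbox)
```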
-
Regulations of the Internet encryption technologies
Encryption technology is widely used today by enterprises as well as individual consumers to protect proprietary data and the confidentiality of communication via e-mail or chat.
For example, we use our credit cards for booking movie, air or rail tickets over the internet on encrypted channels and feel safe that our personal or credit card information is not compromised when in transit.
Similar technology can also be used by criminals to send information via the internet and escape without being intercepted by government bodies; hence regulations need to be put in place by the security organizations of different nations, governing the use of encryption technology and the purposes for which it can be used.
Such regulations need to be in force to protect the lives of millions of people, which might be compromised by negative elements of society.
But there have to be regulations on what information can be accessed and decrypted by government bodies.
-
Government regulation on encryption
Encryption systems across the world are controlled by regulations imposed by various governments.
One of the primary methods of regulating encryption by the government is the use of export restrictions.
If anyone needs to export encrypted data, they need a license from a licensing authority, which might be a government agency or a third-party government-certified authority.
Some of these regulations are continually challenged in the courts, but governments are bound by the security concerns that would arise if such regulations were not in place.
-
Digital Signatures Controls on Encryption
The most commonly found internet security mechanism today is SSL encryption.
A well designed security solution should have the following attributes:
Data transfer from browser to server, and from server to browser, should be encrypted.
Any file attachments should be encrypted and digitally signed to ensure the security of the consumer who downloads or uploads these attachments.
All digital signatures should have some accountability mechanism to be validated at the receiving end.
The authentication mechanism should be foolproof; smart cards can be used to store certificates to ascertain consumer authenticity.
Not only the fillable fields in the form, but the whole content of the web page should be encryptable and digitally signable.
-
Specific Issues in US Encryption Controls
Three problems deter widespread acceptance of encryption:
Successful encryption requires that all participating parties use the same encryption scheme. Within an organization, or a group expected to cooperate (such as banks), standards have to be established that make encryption feasible.
The distribution of keys has been a second barrier to wider use of encryption, as there is no easy way to distribute the secret key to a person not known. The only safe way to distribute the secret key is in person, and then the distributor must provide a different secret key for each person. Even public key schemes require a method for key distribution.
The final deterrent to widespread acceptance of encryption is its difficulty of use. The user interface to encryption must be simplified. For encryption to flourish, the average consumer must find the software easy to use for commercial applications.
-
Do Digital Certificates Have Vulnerabilities?
One problem with a digital certificate is where it resides once it is obtained.
The owner's certificate sits on his computer, and it is the sole responsibility of the owner to protect it.
If the owner walks away from his computer, others can gain access to it and use his digital certificate to execute unauthorized business.
-
Do Digital Certificates Have Vulnerabilities?
The best way to address the vulnerabilities of digital certificates is by combining them with biometric technology, as that confirms the actual identity of the sender, rather than the computer.
-
What is SSL?
A protocol developed by Netscape.
It is a whole new layer of protocol which
operates above the Internet TCP protocol and
below high-level application protocols.
-
SSL
SSL is a communications protocol layer which can be placed between TCP/IP and HTTP.
It intercepts web traffic and provides security between browser and server.
Encryption is used to guarantee secure communication in an insecure environment.
SSL uses public-key cryptography.
-
What is SSL?
-
What Can SSL Do?
SSL uses TCP/IP on behalf of the higher-level protocols.
Allows an SSL-enabled server to authenticate itself to an SSL-enabled client;
Allows the client to authenticate itself to the server;
Allows both machines to establish an encrypted connection.
-
What Does SSL Concern?
SSL server authentication.
SSL client authentication. (optional)
An encrypted SSL connection or Confidentiality. This protects against electronic eavesdroppers.
Integrity. This protects against hackers.
-
SSL components
SSL Handshake Protocol
  negotiation of security algorithms and parameters
  key exchange
  server authentication and optionally client authentication
SSL Record Protocol
  fragmentation
  compression
  message authentication and integrity protection
  encryption
SSL Alert Protocol
  error messages (fatal alerts and warnings)
SSL Change Cipher Spec Protocol
  a single message that indicates the end of the SSL handshake
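All four components listed on this slide travel inside Record Protocol records, each starting with a 5-byte header: content type, version, length. The following added example (not part of the original slides) parses that framing from constructed bytes and shows the change-cipher-spec message marking the point after which record bodies are no longer readable; the sample byte strings and function names are assumptions, and the parser follows one direction of a connection only.

```python
import struct

CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
HANDSHAKE_TYPES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 14: "server_hello_done",
    16: "client_key_exchange", 20: "finished",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
HEADER_LEN = 5
MAX_FRAGMENT = 2**14 + 2048  # largest record body a peer is allowed to send


def describe(content_type: int, body: bytes, encrypted: bool) -> str:
    """Summarise a record body; after change_cipher_spec it is opaque."""
    if encrypted:
        return f"{len(body)} protected bytes"
    if content_type == 22 and len(body) >= 4:
        name = HANDSHAKE_TYPES.get(body[0], f"type {body[0]}")
        return f"{name}, {int.from_bytes(body[1:4], 'big')}-byte message"
    if content_type == 21 and len(body) == 2:
        level = ALERT_LEVELS.get(body[0], f"level {body[0]}")
        return f"{level} alert, description {body[1]}"
    if content_type == 20:
        return "switch to negotiated cipher" if body == b"\x01" else "malformed"
    return f"{len(body)} bytes"


def parse_records(stream: bytes):
    """Split one direction of a connection into records; raise on bad framing."""
    records, offset, encrypted = [], 0, False
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} exceeds the limit")
        body = stream[offset + HEADER_LEN: offset + HEADER_LEN + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {offset}")
        records.append({
            "protocol": CONTENT_TYPES[ctype],
            "version": (major, minor),  # (3, 0) is SSL 3.0
            "length": length,
            "detail": describe(ctype, body, encrypted),
        })
        if ctype == 20:
            encrypted = True  # everything after this record is protected
        offset += HEADER_LEN + length
    return records


# Constructed sample bytes (not a capture); message bodies are placeholders.
SAMPLE = bytes.fromhex(
    "1603000005" "0100000100"  # handshake record carrying a client_hello header
    "1403000001" "01"          # change_cipher_spec
    "1603000004" "deadbeef"    # handshake record, now protected
    "1703000003" "aabbcc"      # application data
)
ALERT = bytes.fromhex("1503000002" "0228")  # fatal alert, description 40

if __name__ == "__main__":
    for record in parse_records(SAMPLE + ALERT):
        print(record)
```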
-
Henric Johnson
SSL Architecture
-
The exchange of messages facilitates the following actions:
Authenticate the server to the client;
Allow the client and server to select a cipher that they both support;
Optionally authenticate the client to the server;
Use public-key encryption techniques to generate shared secrets;
Establish an encrypted SSL connection.
-
SSL Summarization
Exists between raw TCP/IP and Application Layer.
Features added to streams by SSL
  Authentication and Nonrepudiation of Server, using Digital Signatures.
  Authentication and Nonrepudiation of Client, using Digital Signatures.
  Data confidentiality through Encryption.
  Data Integrity through the use of message authentication codes.
Functions
  Separation of duties.
  Efficiency.
  Certification-based authentication
  Protocol Agnostic.
Transport Layer Security is being tried out.
Secure Socket layer (SSL)
SSL is a protocol that provides a data security layer between high-level application protocols and TCP/IP; it is a security protocol.
It provides the following:
Data encryption, server authentication, message integrity, optional client authentication.
SSL provides a security handshake protocol to start the TCP/IP connection. The consequence of this handshake is that the client and server agree on the level of security they will use and complete any verification necessary for the connection. After that, it is only used to decrypt and encrypt the message stream.
It is a key protocol for securing web transactions and data packets on the internet.
It provides server and client authentication and an encrypted SSL connection.
It uses public key cryptography and a system for validating public keys and digital certificates over the server.
SSL provides 3 basic services: server authentication, client authentication and an encrypted SSL connection.
SSL server authentication uses public key cryptography to validate the server's digital certificate and public key on the client's machine.
Secure Electronic Transaction (SET)
Developed by Visa and MasterCard
Designed to protect credit card transactions
on the Internet
SET is a system for ensuring the security of
financial transactions on the Internet
Set of security protocols and formats
Not a payment system
Ensures privacy.
Secure Electronic Transactions
Key Features of SET:
Confidentiality of information - all messages encrypted
Integrity of data
Cardholder account authentication
Merchant authentication
Trust: all parties must have digital certificates
Privacy: information made available only when and where necessary
SET Business Requirements
Provide confidentiality of payment and ordering information
Ensure the integrity of all transmitted data
Provide authentication that a cardholder is a legitimate user of a credit card account
Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution
SET Business Requirements (contd)
Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction
Create a protocol that neither depends on transport security mechanisms nor prevents their use
Facilitate and encourage interoperability among software and network providers
Participants in the SET System
SET Transactions
The customer opens an account with a card issuer (MasterCard, Visa, etc.).
The customer receives an X.509 V3 certificate signed by a bank.
A merchant who accepts a certain brand of card must possess two X.509 V3 certificates: one for signing and one for key exchange.
The customer places an order for a product or service with a merchant.
The merchant sends a copy of its certificate for verification.
Sequence of events for transactions
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant provides the goods or service.
10. The merchant requests payment.
Components to build Trust
Data Confidentiality: Encryption
Who am I dealing with?: Authentication
Message integrity: Message Digest
Non-repudiation: Digital Signature
Access Control: Certificate Attributes
Conclusion
With the help of the above discussions, the SET protocol appears to be complete, sound, robust and reasonably secure for the purpose of credit-card transactions.
However, it is important that the encryption algorithms and key sizes used are robust enough to prevent observation by hostile entities.
The secure electronic transactions protocol (SET) is important for the success of electronic commerce.
Secure electronic transactions will be an important part of electronic commerce in the future.
Without such security, the interests of the merchant, the consumer, and the credit or economic institution cannot be served.
Contd
Encryption with Keys
[Figure: Plain Text -> Encryption -> Cipher Text -> Decryption -> Original Text. Asymmetric cryptosystem: Encryption Key (Ke) and Decryption Key (Kd). Symmetric cryptosystem: a single Key.]
Secure Email Protocols
PEM (Privacy Enhanced Mail)
Is a standard that provides security-related services for electronic mail applications
Commonly used with SMTP (Simple Mail Transport Protocol)
PEM Features
Includes encryption, authentication and key management
It allows use of both public and private key cryptography
It uses the Data Encryption Standard (DES) algorithm for encryption and the RSA algorithm for sender authentication and key management.
It verifies the identity of the message originator and verifies whether any of the original text has been altered.
PGP (Pretty Good Privacy )
PGP is a file-based product developed by software engineer Phil Zimmermann in 1991.
It is free software that encrypts email.
It is mostly used for personal e-mail security.
PGP supports public-key and symmetric-key encryption as well as digital signatures.
It operates by encrypting the data with a one-time algorithm and then encrypting the key to the algorithm using public key cryptography.
PGP also supports other standards such as SSL and Lightweight Directory Access Protocol (LDAP).
LDAP is a standard for accessing specific information, including stored public key certificates.
It is freely available for DOS, Macintosh, UNIX and OS/2 systems.
PGP provides secure encryption of documents and data files that even advanced supercomputers are hard pressed to crack.
The process is so simple that anyone with a PC can do it with almost no effort.
S/MIME (Multipurpose Internet Mail Extension )
Was developed by RSA in 1996 as a security enhancement to the old MIME standard for internet email
It is built on public key cryptography standards
S/MIME is considered powerful because it provides security for different data types and for email attachments
MSP(Message security protocol)
MSP is used by the US government and government agencies to provide security for e-mail.
Its function is securing e-mail attachments across multiple platforms.
It operates at the application level of the internet and does not involve the intermediate message transfer system.
An MSP message includes the original message content and specific security parameters required by the recipients to decrypt or validate the message when received.
Creation of digital signature
According to the Act, asymmetric or public key cryptography, involving a pair of keys (private and public), is used for creating a digital signature.
Steps to create digital signature
The signer demarcates the message.
A hash function in the signer's software computes a hash result unique to the message.
The signer's software then transforms (encrypts) the hash result into a digital signature using the signer's private key. The resulting digital signature is unique to both the message and the private key used to create it.
The digital signature (a digitally signed hash result of the message) is attached to its message and stored or transmitted with its message. The digital signature is unique to its message. The signer sends both the digital signature and the message to the recipient.
Digital Signature Generation and Verification
[Figure: Message Sender: Message -> Hash function -> Digest -> Encryption (Private Key) -> Signature. Message Receiver: Message -> Hash function -> Digest; Signature -> Decryption (Public Key) -> Expected Digest.]
Verification
The recipient of a digitally signed message can verify both that the message originated from the person whose signature is attached and that the message has not been altered, either intentionally or accidentally, since it was signed. Furthermore, a secure digital signature cannot be repudiated: the signer of a document cannot later disown it by claiming the signature was forged.
Steps to verify digital signature
To verify the digital signature, the recipient first receives the digital signature and the message.
He applies the signer's public key to the digital signature and recovers the hash result from the digital signature.
After this, he computes a new hash result of the original message by applying the same hash function used by the signer to create the digital signature.
Lastly, he compares the two hash results. If they are identical, it indicates that the message has not been modified. If the two hash results are not the same, it would mean that the message either originated somewhere else or was altered after it was signed, and the recipient in such a case can reject the message.
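The creation and verification steps above, carried through in code. This is an added example, not part of the original slides: it uses textbook RSA over a SHA-256 hash result with constructed toy keys, and all function and variable names are assumptions. Real systems apply a padding scheme such as RSA-PSS instead of signing the bare hash.

```python
import hashlib

E = 65537  # public exponent (assumed choice for this example)

def make_key(p: int, q: int):
    """Build a textbook RSA key pair from two primes: (n, e) public, d private."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, E, d

# Constructed toy keys from well-known Mersenne primes. They only make the
# example deterministic and offline; such primes are never used for real keys.
SIGNER_N, SIGNER_E, SIGNER_D = make_key(2**127 - 1, 2**521 - 1)
OTHER_N, OTHER_E, OTHER_D = make_key(2**89 - 1, 2**607 - 1)

def hash_result(message: bytes) -> int:
    """The 'hash result' of the slides: SHA-256 of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int, n: int) -> int:
    """Signer: transform the hash result with the private key."""
    return pow(hash_result(message), d, n)

def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Recipient: recover the hash result with the signer's public key,
    recompute it from the received message, and compare the two."""
    if not 0 <= signature < n:
        return False  # not a valid value for this key
    recovered = pow(signature, e, n)
    return recovered == hash_result(message)

def demo() -> dict:
    message = b"Transfer 100 to account 42"  # constructed sample message
    signature = sign(message, SIGNER_D, SIGNER_N)
    forged = sign(message, OTHER_D, OTHER_N)  # signed with someone else's key
    return {
        "genuine": verify(message, signature, SIGNER_E, SIGNER_N),
        "message_altered": verify(b"Transfer 900 to account 42", signature,
                                  SIGNER_E, SIGNER_N),
        "signature_altered": verify(message, signature ^ 1, SIGNER_E, SIGNER_N),
        "other_signer": verify(message, forged, SIGNER_E, SIGNER_N),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The three rejected cases correspond to the outcomes the last step names: the message was altered after signing, the signature itself was changed, or the message originated from someone other than the claimed signer.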
Applications
Digital certificate
A digital certificate is called an electronic identity card and is used for establishing the user's credentials when conducting transactions over the web. A digital certificate is defined as a method of verifying authenticity electronically. The digital certificate is equivalent to real identification, such as a driver's license. Different certifying authorities provide it. Digital certificates are used to confirm that a website, or a visitor to a website, is the entity or person they declare to be. They are like an electronic testimonial issued by a certification authority to ascertain the identity of an organization when doing business dealings on the internet.
Contents of digital certificate
Holder's name, organization, address
Name of the certificate authority
Public key of the holder for cryptographic use
Time limit (these certificates are issued for a period of six months to a year)
Digital certificate identification number
Security in Transmission
Secure Socket Layer (SSL)
https
Submission is encrypted by the sender with the recipient's public key
After receipt, submission is decrypted with the recipient's private key
What Should Be Signed?
Balance between capturing the entire content of the transaction vs. ease of data integration
Data that is machine readable but which separates user entry content from context: database, comma delimited, spreadsheet, etc.
Data that records content and context but which are not easily integrated into databases: Word, PDF, image, HTML, etc.
Ensuring Non-repudiation in Electronic Transactions
Capturing Complete Transactions in Archive
Signing the content and context of a transaction
Storing the signed transaction in a data warehouse without manual intervention
Granting Public Access to paper reports
Public comes into agency office
Public provides driver's license or other identification
Agency can monitor who is accessing data
Providing Trusted Electronic Access to Data
Identity of user is unknown
Access cannot be monitored
Relying on the Certificate Authority
Applying PKI to Public Access
In order to obtain access to Community Right to Know Data, individuals first obtain digital certificates.
After contributing a certificate to gain access, the individual's certificate can be cross-referenced with other security databases to monitor suspect individuals.
[Figure labels: Public, Digital Certificates, Agency]
California Digital Signature Regulations
Definitions
Digital Signatures Must Be Created By An Acceptable Technology - Criteria For Determining Acceptability
List of Acceptable Technologies
Provisions For Adding New Technologies to the List of Acceptable Technologies
Issues to Be Addressed By Public Entities When Using Digital Signatures
California Code of Regulations
Title 2. Administration DIVISION 7. CHAP 10. DIGITAL SIGNATURES
http://www.ss.ca.gov/digsig/regulations.htm
The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the provisions in Section 22003(a)1-5.
"Acceptable Certification Authorities" means a certification authority that meets the requirements of either Section 22003(a)6(C) or Section 22003(a)6(D).
"Approved List of Certification Authorities" means the list of Certification Authorities approved by the Secretary of State to issue certificates for digital signature transactions involving public entities in California.
Summary: Electronic Report Transactions are subject to fraud and easily repudiated:
Unsigned Web forms can be sent by anyone. They can be tampered with in transmission and the sender can't be legally verified.
Unsigned Data in a database can be altered and does not provide adequate evidence in a court of law.
Data on Diskette can be altered without visible evidence.
Summary, cont.
Digitally signed reports can also be repudiated, if the signed data is stored independently of the form question data.
Conclusion: Ensuring Trusted Electronic Transactions
1. PKI supports trusted electronic report transactions:
Authentication - authenticates the sender of a report
Report Integrity - invalidates a report if it has been tampered with.
Non-repudiation - sender and document are authenticated - the sender cannot deny having sent the report
Conclusion, cont.
2. PKI supports trusted access to Public Data:
Agencies require individuals to contribute digital certificates in order to gain access.
Agencies can track who gains access at what time
The names of individuals who seek access can be cross-referenced with additional security databases to protect public safety
Conclusion, cont.
3. Complete Archiving ensures that a legal record of a transaction can be trusted:
Non-repudiation - Storing a copy of the entire data (including questions on the form) with the digital signature.
What cryptography can't do?
Rely-On Solutions
Protect unencrypted documents.
Protect against stolen encryption keys.
Against denial-of-service attacks.
Against the record of a note that a message was sent.
Against a traitor or a mistake.
Working Encryption Systems
Programs
PGP (Pretty Good Privacy).
S/MIME.
Protocols
SSL (Secure Socket Layer).
PCT (Private Communications Technology).
S-HTTP (Secure HTTP).
Cybercash.
Contd
SET (used in web shopping).
Electronic Wallet with User.
Server that runs on Merchant's web site.
SET payment server runs in merchant's bank.
DNSSEC (Domain Name System Security).
IPSec and IPv6.
IPsec works with IPv4 and standard version used today
works for IPv6 and includes IPsec.
Kerberos.
Network Layer Security Protocol(IPsec)
IP Security protocol - a suite of protocols that provides security at the network layer.
Network layer must provide
Secrecy - hide the message from any third party that is "wire tapping" the network.
Source authentication - for an IP datagram with a particular IP source address, it might authenticate the source.
There are two principal protocols:
the Authentication Header (AH) protocol.
provides source authentication and data integrity but not secrecy.
the Encapsulation Security Payload (ESP) protocol.
provides data integrity and secrecy.
Security Agreement (SA) - the source and network hosts handshake and create a network layer logical connection
What is SSL ?
Exists between raw TCP/IP and Application Layer.
Features added to streams by SSL
Authentication and Nonrepudiation of Server, using Digital Signatures.
Authentication and Nonrepudiation of Client, using Digital Signatures.
Data confidentiality through Encryption.
Data Integrity through the use of message authentication codes.
Functions
Separation of duties.
Efficiency.
Certification-based authentication
Protocol Agnostic.
Transport Layer Security is being tried out.
Secure Web Server
Implements cryptographic protocols.
Safeguard any personal info received or collected.
Resistant to a determined attack over the Internet.
[Figure: SECURE WEB SERVER, labelled "SERVER ACTIVE AND PROVIDES", under ATTACK from "Bad Guys" on several sides]