Information Security for e

Download Report

Transcript Information Security for e

PRESENTATIONS IN NETWORK SECURITY
Information Security for e-Business
Saad Haj Bakry, PhD, CEng, FIEE
Saad Haj Bakry, PhD, CEng, FIEE
1
Information Security for e-Business
Objectives / Contents





Secure Transactions
Use of Symmetric Keys
Use of Asymmetric Keys
Public Key Infrastructure: PKI
Security Protocols
Saad Haj Bakry, PhD, CEng, FIEE
2
Information Security for e-Business
Secure Transactions Requirements
Issue
Fact
Privacy
Integrity
Authentication
No Disclosure
No Alteration
Proof of Identity:
Sender to Receiver / Receiver to Sender
Non-Repudiation
Legal Proof of Transaction:
Message is Sent or Received
Availability
System in Operation
“S-Business”
Outcome: “Secure Business”
Saad Haj Bakry, PhD, CEng, FIEE
3
Information Security for e-Business
Use of Symmetric Keys



DES: Data Encryption Standard
AES: Advanced Encryption Standard
KDC: Key Distribution Centre
Saad Haj Bakry, PhD, CEng, FIEE
4
Information Security for e-Business
DES: Data Encryption Standard
A Symmetric Encryption Algorithm: 1950s
By US NSA (National Security Agency) & IBM
Key Length is “56 bits”: Short / Easy to Crack
Triple Use (3 Keys in a Row): For More Security
DES (K-1)
DES (K-2)
DES (K-3)
Being Replaced BY: AES
Saad Haj Bakry, PhD, CEng, FIEE
5
Information Security for e-Business
AES: Advanced Encryption Standard
A Symmetric Encryption Algorithm
By US NIST: Replacing DES
(National Institute of Standards & Technology)
Five Finalists
Under
Consideration:
2001
Saad Haj Bakry, PhD, CEng, FIEE
Criteria of Choice:
Strength
Efficiency
Speed
Other Factors
6
Information Security for e-Business
KDC: Key Distribution Centre
To Solve “Key-Exchange” Problem
KDC Shares a “Secrete Key”: With “Every User”
All Transactions: Exchanged Through KDC
S-R Session Key: Generated by KDC per Transaction
Session Key Sent to S-R : Using their Shared Keys with KDC
Problem: Centralized Security “Challenges to KDC !”
Saad Haj Bakry, PhD, CEng, FIEE
7
Information Security for e-Business
KDC Operation
Transaction
Plain
Text
Sender
Initiation
1
Symmetric Key (S)
Plain
Text
Session
Key
Cipher
Text
Receiver
Symmetric Key (R)
Communication Network
Assignment
3
Symmetric Key (S)
Assignment
Symmetric Key (R)
Generation
Generation
2
Session Key
Saad Haj Bakry, PhD, CEng, FIEE
3
KDC
Session
Key
2
8
Information Security for e-Business
Use of Asymmetric Key.





Key Agreement Protocol:
KAP / Digital Envelop
Key Management: KM
Digital Signature
Time-Stamping: Non-Repudiation
Notary Authentication
Saad Haj Bakry, PhD, CEng, FIEE
9
Information Security for e-Business
KAP: Key Agreement Protocol
Subject of Agreement: Symmetric Secret Key
Secret Key: Suitable for Volumes of Data
Agreement Security: Use of Public Key
Public Key: Suitable for Limited Volumes
Protocol: Rules of Agreement Process
Digital Envelop: Secret Key in Public Key
Saad Haj Bakry, PhD, CEng, FIEE
10
Information Security for e-Business
KAP Example: The Digital Envelop
Sender
Encrypt (Message)
Using
Message:
“Plain Text”
“Secret Key”
Message: “Cipher Text” (S-K)
Encrypt
(Secret Key)
Using
Receiver’s
“Public Key”
Envelop
“Digital
Signature”:
Possible
Message
“Cipher Text”
(S-K) Plus
“Cipher SK” (P-K)
Message:
“Plain Text”
Receiver
Decrypt
Decrypt
(Message)
(Message)Using
Using
“Secret
“Secret Key”
Key”
Saad Haj Bakry, PhD, CEng, FIEE
““Secret
Secret
Key”
Key”
Decrypt
Receiver’s
“Private Key”
11
Information Security for e-Business
Key Management
Theft (mishandling) & Attack (cryptanalysis)
Key Generation: Secure “Long Keys”
Key Generation
Problem:
Sometimes choice is
from a small set
Saad Haj Bakry, PhD, CEng, FIEE
Recommendation:
Key generation
should be truly
“random”
12
Information Security for e-Business
Digital Signature (1/2)
Objective: (P-K) Authentication / Integrity
S
E
N
D
E
R
Hash
Function
Message
Digest
Encrypt
Message:
(Receiver
Public Key)
Cipher Text
Message:
Plain Text
Receiver
“Message Integrity”
Hash
Function
Saad Haj Bakry, PhD, CEng, FIEE
Encrypt
(Sender
Private Key)
“Sender
Authenticated”
Electronic
Signature
Message:
Message:
Plain Text
Cipher Text
Decrypt
Message (Receiver
Digest
Private Key)
Message
Digest
+
Decrypt
(Sender
Public Key)
13
Information Security for e-Business
Digital Signature (2/2)
Digital Signature:


Document Dependent
(based on message
contents)
Authentication &
Integration
Handwritten Signature:


Document Independent
(same for all documents)
Authentication Only
Use: US DSA:
“Digital Signature Algorithm”
Problem (Digital Signature): Non-repudiation
(proof that the message has been sent)
Saad Haj Bakry, PhD, CEng, FIEE
14
Information Security for e-Business
Time-stamping / Non-Repudiation (1/2)
Objective:


Binding “time and date”
to digital documents
Important for electronic
contracts
Sender /
Receiver
Saad Haj Bakry, PhD, CEng, FIEE
Time-Stamping
Agency
Third Party:
Time-stamping
Agency /
Legal Witness
Sender /
Receiver
15
Information Security for e-Business
Time-stamping / Non-Repudiation (2/2)
S
E
N
D
E
R
1
Message:
Cipher Text
2
Sender
Electronic
Signature
Time-stamping Agency:
• Input:
Ciphered & Signed Message
• Output:
Time & Date Stamp
Agency Stamp (Signature)
(Using the Agency’s
Private Key)
Proof of receipt may be required “same
route back” from the “receiver”
Saad Haj Bakry, PhD, CEng, FIEE
1
2
3
Time & Date
Stamp
4
Agency Stamp
(Signature)
16
Information Security for e-Business
Notary Authentication
MESSAGE
TRANSMITTER
NETWORK SERVICES
NOTARY
Message with
Guarantee of
Sender’s Identity
RECEIVER
NOTARY MAY USE:
Encryption (DES) / Digital Signature / Other Methods
Saad Haj Bakry, PhD, CEng, FIEE
17
Information Security for e-Business
Public Key Infrastructure: PKI


PKI: Objectives / Organizations
Digital Certificates:
Structure / Trust / Validity
Saad Haj Bakry, PhD, CEng, FIEE
18
Information Security for e-Business
PKI: Public Key Infrastructure (1/2)
Objective:
Hierarchy
Authentication of Parties
in a Transaction
IPA
IPRA:
Policy Creation
Authorities
Internet Policy Registration
Authority
(The Root Certification Authority)
Saad Haj Bakry, PhD, CEng, FIEE
CA: Certification
Authorities
19
Information Security for e-Business
PKI: Public Key Infrastructure (2/2)
CA take the
responsibility of
authentication
DC are publicly
available and are
issued / held by CA
in “CR: Certificate
Repository”
Saad Haj Bakry, PhD, CEng, FIEE
CA:
Certification Authorities
Using
Public Key Cryptography
DC: Digital Certificates
DS: Digital Signatures
20
Information Security for e-Business
Digital Certificate: Structure
Field
Explanation
Name (Subject)
Serial Number
Individual / company being certified
Public Key
Public key of the individual / company
Expiration Date
Certification need to be renewed
Signature of Trusted CA
For confirmation
Other Information
Relevant / needed data.
Saad Haj Bakry, PhD, CEng, FIEE
For management / organization
21
Information Security for e-Business
Digital Certificate: Signature of Trust
Public Key (Name / Subject)
OR
Hash Function
Private Key (CA)
Signature of Trusted CA
Saad Haj Bakry, PhD, CEng, FIEE
22
Information Security for e-Business
Digital Certificate: Expiration
Need for Change of Key (Pairs)
Expiration Date:
Long use of key
leads to
vulnerability
Key Compromised:
Cancellation / Renew
CA has “CRL: Certificate Revocation List”
Saad Haj Bakry, PhD, CEng, FIEE
23
Information Security for e-Business
Security Protocols



Internet “Secure Socket Layer”: SSL
Visa / Master Card:
Secure Electronic Transaction: SET
Microsoft Authenticode
Saad Haj Bakry, PhD, CEng, FIEE
24
Information Security for e-Business
SSL: Secure Sockets Layer (1/2)
Sender
by: Netscape Communications
also used by: MS Internet Explorer
Application Software
“Browsers”
Receiver
Application Software
Messages
SSL
“Message Interpretation”
SSL
(to protect Internet transactions)
TCP
IP
Virtual
Data-
Saad Haj Bakry, PhD, CEng, FIEE
Circuit
TCP/IP
-gram
TCP
IP
25
Information Security for e-Business
SSL: Secure Sockets Layer (2/2)
Functions:


Protects “private information from source to destination”
Authenticates “receiver / server in a transaction”
Tools:


Public Key /
Digital Certificate
Session (Secret) Keys
PCI: “Peripheral Component
Interconnect” cards
Installed on “Web Servers” to
secure data over an entire
SSL transaction “from sender
/ client to receiver / server”
Saad Haj Bakry, PhD, CEng, FIEE
26
Information Security for e-Business
SET: Secure Electronic Transaction
by: Visa &
Master-Card
Objective:
protecting
e-commerce
payment
transactions
Saad Haj Bakry, PhD, CEng, FIEE
Authenticating the
Parties Involved:
“Customer”
“Merchant”
“Bank”
Using “Public-Key
Cryptography
27
Information Security for e-Business
Microsoft Authenticode
Objective: Safety of software ordered online
Authenticode is built into MS Internet Explorer
Authenticode interacts with Digital Certificates
Digital Certificates should be obtained by software publishers
Digital Certificates can be obtained from CA “VeriSign”
Saad Haj Bakry, PhD, CEng, FIEE
28
Information Security for e-Business
Remarks

e-Business Transactions: security measures

Use of Symmetric Keys: standards: DES, AES /
key distribution: KDC

Use of Asymmetric Keys: symmetric key
distribution: KAP, digital envelop / digital signature / time
stamping: non-repudiation / notary


Public Key Infrastructure: digital certificate.
Security Protocols: Internet: SSL / Banking: SET /
Microsoft: Authenticode.
Saad Haj Bakry, PhD, CEng, FIEE
29
Information Security for e-Business
References






B.R. Elbert, Private Telecommunication Networks, Artech House, US,
1989.
Telecommunications Management: Network Security, The National
Computer Centre Limited, UK, 1992
K.H. Rosen, Elementary Number Theory and its Applications, 4th
Edition, Addison Wesley / Longman, 1999.
ISO Dictionary of Computer Science: The Standardized Vocabulary
(23882), ISO, 1997.
F. Botto, Dictionary of e-Business, Wiley (UK), 2000.
H.M. Deitel, P.J. Deitel, K. Steinbuhler, e-Business and e-Commerce
for Managers, Prentice-Hall (USA), 2001
Saad Haj Bakry, PhD, CEng, FIEE
30