1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.


1 Supplement III: Security Controls
What security services should network systems provide?
- Confidentiality
- Access Control
- Integrity
- Non-repudiation
- Authentication
- Availability

2 1. Confidentiality (against eavesdropping)
Eavesdropping: packet sniffing on the network, in which attackers read transmitted information, including logon information and database contents.
Brute force attack:
- 1975, US National Bureau of Standards (NBS): Data Encryption Standard (DES). Its 56-bit key is no longer considered very secure.
- 2001, US National Bureau of Standards (NBS): Advanced Encryption Standard (AES), with a choice of key length of 128, 192, or 256 bits.

3 Single-Key (conventional) and Dual-Key (public-key) Encryption Algorithms
- Single-key encryption is faster, but key distribution is difficult.
- Dual-key encryption is slower, but key distribution is easy.
- One common solution is to use dual-key encryption for key distribution and authentication, while single-key encryption is used to encrypt the message.

4 What are the two major cryptographic methods?
Conventional encryption: the message sender and recipient share a single secret key for encryption and decryption. There are three basic operations:
- Substitution: replace bits with other bits.
- Transposition (permutation): arrange bits in a different order.
- XOR: combine message bits with key bits using exclusive-or.
Public-key encryption: the key owner generates a pair of keys. One key, called the public key (e), is made available for anyone to get. The other key, called the private key (d), is kept by the owner. A message encrypted with one key can be decrypted with the other. The RSA algorithm is one implementation of public-key cryptography.
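The three basic operations of a conventional cipher, shown as an added example (not code from the slides): a toy single-key block cipher that XORs the message with the key, substitutes each byte through a key-derived S-box, and transposes the bytes within each 8-byte block, together with the inverse operations that decryption applies in reverse order. The S-box, permutation and padding scheme are constructed for illustration; real ciphers such as AES repeat such operations over many rounds with a proper key schedule.

```python
import random

BLOCK = 8  # bytes per transposition block (constructed choice)


def key_schedule(key: bytes):
    """Derive the substitution table and the transposition order from the key.
    A seeded shuffle is used only so the toy is deterministic; it is not how real ciphers do this."""
    rng = random.Random(int.from_bytes(key, "big"))
    sbox = list(range(256))
    rng.shuffle(sbox)
    perm = list(range(BLOCK))
    rng.shuffle(perm)
    return sbox, perm


def xor_key(data: bytes, key: bytes) -> bytes:
    """XOR: combine every byte with a key byte; applying it twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def substitute(data: bytes, sbox: list) -> bytes:
    """Substitution: replace each byte by the byte the S-box maps it to."""
    return bytes(sbox[b] for b in data)


def unsubstitute(data: bytes, sbox: list) -> bytes:
    inverse = [0] * 256
    for i, v in enumerate(sbox):
        inverse[v] = i
    return bytes(inverse[b] for b in data)


def transpose(data: bytes, perm: list) -> bytes:
    """Transposition: within each block, output position j takes the input byte at perm[j]."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out += bytes(block[perm[j]] for j in range(BLOCK))
    return bytes(out)


def untranspose(data: bytes, perm: list) -> bytes:
    inverse = [0] * BLOCK
    for j, p in enumerate(perm):
        inverse[p] = j
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out += bytes(block[inverse[j]] for j in range(BLOCK))
    return bytes(out)


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    sbox, perm = key_schedule(key)
    return transpose(substitute(xor_key(pad(plaintext), key), sbox), perm)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Undo the three operations in the opposite order using the same (shared) key."""
    sbox, perm = key_schedule(key)
    return unpad(xor_key(unsubstitute(untranspose(ciphertext, perm), sbox), key))


if __name__ == "__main__":
    key = b"sixteen byte key"          # constructed sample key, shared by both parties
    ct = encrypt(key, b"attack at dawn")
    print(ct.hex())
    print(decrypt(key, ct))            # b'attack at dawn'
```

Both parties need the same key, which is the key-distribution problem the previous slide describes; the public-key example later on the page shows the other half of the usual solution.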

5 How do you choose an encryption algorithm?
- No inherent mathematical weakness: the algorithm has survived extensive public review, so that brute force is assumed to be the only efficient attack.
- Key length: a 128-bit key makes a brute force attack impractical with current technology.
- Key is easy to change and to manage: frequent key changes make encryption more secure.
- Cost: many algorithms are royalty-free.
- Permission for export: strong cryptography products may not have permission to be exported.

6 2. Access Control (Password; read, write, execute, and delete)
How does an attacker learn your password?
- Try default passwords.
- Exhaustively try all short passwords.
- Try words in the system's online dictionary or a list of likely passwords.
- Collect information about the user.
- Try the user's phone number.
- Try the user's license plate numbers.
- Use a Trojan horse.
- Tap the line between a remote user and the host system.
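From the defender's side, the first six items on this list are guesses that a password policy can refuse at the moment a password is set. The following check is an added example, not code from the slides; the default-password list, dictionary, minimum length and user record are constructed stand-ins for an organisation's own data. (The last two items, a Trojan horse and a tapped line, steal the password rather than guess it, and no choice of password defends against them.)

```python
import re

# Constructed stand-ins for the lists an attacker tries first.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "letmein"}
DICTIONARY = {"sunshine", "dragon", "monkey", "welcome", "football"}
MIN_LENGTH = 12  # short passwords can be tried exhaustively

# Constructed user record: the personal details an attacker would collect.
SAMPLE_USER = {"username": "jsmith", "phone": "555-0142", "license plate": "ABC 1234"}


def normalize(text: str) -> str:
    """Lower-case and drop punctuation so 'ABC 1234' and 'abc-1234' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def weak_password_reasons(password: str, user: dict) -> list:
    """Return every reason the password would be an easy guess; an empty list means it passes."""
    reasons = []
    if password.lower() in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    stem = norm.rstrip("0123456789")          # "dragon2024" is still the word "dragon"
    if norm in DICTIONARY or stem in DICTIONARY:
        reasons.append("dictionary word")
    for field, value in user.items():         # phone number, plate, username, ...
        fragment = normalize(value)
        if len(fragment) >= 4 and fragment in norm:
            reasons.append(f"contains user's {field}")
    return reasons


if __name__ == "__main__":
    for candidate in ["dragon2024!", "jsmith-ABC1234-xx", "correct-horse-battery-42"]:
        print(candidate, "->", weak_password_reasons(candidate, SAMPLE_USER) or "accepted")
```

A check like this belongs at password-set time; it does not replace rate limiting and lockout on the login path, which are what stop the exhaustive and dictionary attempts the slide lists.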

7 3. Integrity, Non-repudiation and Digital Signature
Integrity: prevent a user's data and messages from being modified.
Non-repudiation: prevent either the sender or the receiver from denying a transmitted message.
How can dual-key encryption be used to authenticate a message?
A digital signature is based on a public-key cryptographic algorithm. A one-way hash function takes a message and returns a small fixed-length string (the hash value). The hash value is encrypted with the sender's private key and can be verified by the recipient using the sender's public key. Therefore, the recipient is certain that the message is indeed from the sender. The hash value is also used to verify that the message was not altered in transit.

8 4. Authentication (Identity and Certificate)
If you buy books from Amazon.com, you want to know whether the Web site you are dealing with is really Amazon. You want the Amazon Web server to authenticate itself to you, and Amazon may want you to authenticate yourself to Amazon.
What is the secure socket layer (SSL) protocol?
The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. An SSL-enabled Web server can be linked with a URL starting with https (port 443) instead of http (port 80). Netscape patented SSL in 1997.

9 How does an SSL-enabled browser authenticate the server?
An SSL-enabled Web server should be certified by a trusted third party, a Certifying Authority (CA). An SSL-enabled browser maintains a list of trusted CAs along with the public keys of those CAs. When a client browser wants to communicate with an SSL-enabled Web server, the browser obtains the server's certificate. The certificate is issued by a CA and digitally signed with that CA's private key. If the CA is in the browser's list, the signature can be verified with that CA's public key. If not, the client's browser issues a security alert.
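The signature mechanism from the Integrity slide and the certificate check from this slide use the same primitive, so one added example (not code from the slides) covers both: a hash of the message is "encrypted" with the signer's private key and checked with the public key, and a browser applies exactly that check to a server certificate using the CA public key from its trusted-CA list. The code uses textbook RSA with four Mersenne primes as constructed factors and a hash truncated to 64 bits, which is enough to show the mechanism but far too small for real use; the certificate layout, the CA name "Example Root CA", the host names and the messages are all constructed.

```python
import hashlib

# Mersenne primes as constructed RSA factors; real keys use 2048-bit moduli or larger.
P31, P61, P89, P127 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**127 - 1


def make_keypair(p, q, e=65537):
    """Textbook RSA: (n, e) is the public key given to anyone, (n, d) the private key kept secret."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(message: bytes) -> int:
    """One-way hash of the message. Truncated to 64 bits so it lies below every modulus used
    here; real schemes such as RSA-PSS pad the full hash up to the modulus size instead."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def sign(private_key, message: bytes) -> int:
    """'Encrypt' the hash value with the signer's private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the hash with the signer's public key and compare it with a fresh hash of the message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


server_pub, server_priv = make_keypair(P31, P61)    # the Web server's (or any sender's) key pair
ca_pub, ca_priv = make_keypair(P89, P127)           # the Certifying Authority's key pair


def signed_message_demo():
    """Integrity slide: the signature verifies for the original message and fails once it is altered."""
    msg = b"Transfer 100 EUR to account 42"          # constructed sample message
    sig = sign(server_priv, msg)
    return verify(server_pub, msg, sig), verify(server_pub, b"Transfer 900 EUR to account 42", sig)


def certificate_bytes(cert: dict) -> bytes:
    """The fields the CA's signature covers: subject, issuer and the subject's public key."""
    n, e = cert["public_key"]
    return f"{cert['subject']}|{cert['issuer']}|{n}|{e}".encode()


def issue_certificate(ca_name: str, ca_private_key, subject: str, subject_pub) -> dict:
    cert = {"subject": subject, "issuer": ca_name, "public_key": subject_pub}
    cert["signature"] = sign(ca_private_key, certificate_bytes(cert))
    return cert


def browser_accepts(cert: dict, trusted_cas: dict, expected_host: str) -> str:
    """The browser's check: returns 'ok' or the reason for a security alert."""
    ca_public_key = trusted_cas.get(cert["issuer"])
    if ca_public_key is None:
        return "issuer not in trusted CA list"
    if not verify(ca_public_key, certificate_bytes(cert), cert["signature"]):
        return "signature does not verify"         # altered, or not signed with this CA's key
    if cert["subject"] != expected_host:
        return "certificate is for a different host"
    return "ok"


TRUSTED_CAS = {"Example Root CA": ca_pub}           # constructed stand-in for the browser's list


def certificate_demo():
    genuine = issue_certificate("Example Root CA", ca_priv, "shop.example", server_pub)
    altered = dict(genuine, subject="bank.example")  # edited after signing: hash no longer matches
    unknown = dict(genuine, issuer="Somebody's CA")  # issuer the browser has never heard of
    return (browser_accepts(genuine, TRUSTED_CAS, "shop.example"),
            browser_accepts(altered, TRUSTED_CAS, "bank.example"),
            browser_accepts(unknown, TRUSTED_CAS, "shop.example"),
            browser_accepts(genuine, TRUSTED_CAS, "bank.example"))


if __name__ == "__main__":
    print(signed_message_demo())   # (True, False)
    print(certificate_demo())
```

The last case in `certificate_demo` is the one the slide does not spell out: a certificate can carry a perfectly valid CA signature and still be the wrong certificate for the host the browser asked for, so the host-name comparison is part of the check, not an optional extra.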

10 What are the principal differences between SET and SSL?
Secure Electronic Transaction (SET) is a protocol specifically designed to secure payment-card transactions over the Internet. The principal differences are:
- SET is designed to encrypt specific kinds of payment-related messages. It cannot be used to encrypt arbitrary data, as SSL can.
- The SET protocol involves all three players on the Internet, namely the customer, the merchant, and the merchant's bank. All sensitive information sent between the three parties is encrypted.
- SET requires all three players to have certificates. The customer's and merchant's certificates must be issued by their bank, thereby assuring that these players are permitted to make and receive payment-card purchases.