Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

CP3397 ECommerce.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
VPNs  IETF developing IPsec security standards IP securityIP security At the internet layerAt the internet layer Protects all messages at the transport.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
PKIs  To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI) A PKI automates most aspects of using.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Electronic Transaction Security (E-Commerce)
Cryptography and Network Security Chapter 17
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.
Chapter 8 Web Security.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Lecture 24 Secure Communications CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Ian Goldberg.
1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Electronic Payments E-payment methods –Credit cards –Electronic funds transfer (EFT) –E-payments Smart cards Digital cash and script Digital checks E-billing.
Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.
Lecture 24 Secure Communications CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Ian Goldberg.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Web Security : Secure Socket Layer Secure Electronic Transaction.
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Encryption and Security Tools for IA Management Nick Hornick COSC 481 Spring 2007.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
SSL Certificates for Secure Websites
Cryptography and Network Security
Using SSL – Secure Socket Layer
Cryptography and Network Security
The Secure Sockets Layer (SSL) Protocol
Unit 8 Network Security.
Electronic Payment Security Technologies
Cryptography and Network Security
Integrated Security System
Presentation transcript:

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Public Key Deception Impostor Claims to be a True Party –True party has a public and private key –Impostor also has a public and private key Impostor sends impostor’s own public key to the verifier –Says, “This is the true party’s public key” –This is the critical step in the deception

Public Key Deception If verifier accepts the impostor’s public key as the true party’s public key, –Impostor will be authenticated through any public key authentication method, because their private key will work –Impostor can also decrypt messages sent by the verifier if these messages are encrypted with the impostor’s public key

Public Key Deception Moral: –Public key encryption for privacy, confidentiality, authentication, and message integrity only works if –The verifier gets the true party’s public key independently of the applicant, –From a trusted third party

Digital Certificates Created by a Certificate Authority –Certificate authority is the trusted third party Certificate Authority Certificate Authority Authenticated Party Authenticated Party Digital Certificate Digital Certificate

Certificate Authorities Unfortunately, certificate authorities are not regulated You must only use certificate authorities you trust Company can be its own certificate authority for internal authentication among its hardware and software systems

Digital Certificates Assert that a true party (named) has the public key contained in the digital certificate –Provides a name-public key pair –Therefore prevents public key deception –Fields and content are standardized by the ITU- T X.509 Standard

Digital Certificates Each digital certificate has its own digital signature, signed (encrypted) by the private key of the certificate authority –Provides message integrity so that an impostor cannot change the name field in the digital certificate to its own

Digital Certificates Certificate authorities may revoke digital certificates before the expiration date listed in the digital certificate –Revoked certificate ID numbers are placed in a certificate revocation list (CRL) –Verifier must check with the certificate authority to determine if a digital certificate is on the CRL Without the CRL check, digital certificates do not support authentication

Digital Certificates Recap –A digital signature gives the public key of a named party –This is needed for public key authentication, to prevent public key deception –However, a digital certificate alone does NOT provide authentication

Public Key Infrastructures (PKIs) Private key creation and distribution Digital certificate creation and distribution Certificate Revocation List checking

PKIs To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI) –A PKI automates most aspects of using public key encryption and authentication –Uses a PKI Server PKI Server

PKIs PKI Server Creates Public Key-Private Key Pairs –Distributes private keys to applicants securely –Often, private keys are embedded in delivered software PKI Server Private Key

PKIs PKI Server Provides CRL Checks –Distributes digital certificates to verifiers –Checks certificate revocation list before sending digital certificates PKI Server Digital Certificate

PKIs CRL Checks –If applicant gives verifier a digital certificate, –The verifier must check the certificate revocation list PKI Server OK? OK or Revoked CRL

Integrated Security System When two parties communicate … –Their software usually handles the details –First, negotiate security methods –Then, authenticate one another –Then, exchange symmetric session key –Then can communicate securely using symmetric session key and message-by-message authentication

SSL Integrated Security System SSL –Secure Sockets Layer –Developed by Netscape TLS (now) –Netscape gave IETF control over SSL –IETF renamed it TLS (Transport Layer Security) –Usually still called SSL

Location of SSL Below the Application Layer –IETF views it at the transport layer –Protects all application exchanges –Not limited to any single application WWW transactions, , etc. SSL WWW WWW

SSL Operation Browser & Webserver Software Implement SSL –User can be unaware

SSL Operation SSL ISS Process –Two sides negotiate security parameters –Webserver authenticates itself –Browser may authenticate itself but rarely does –Browser selects a symmetric session key, sends to webserver –Adds a digital signature and encrypts all messages with the symmetric key

Importance of SSL Supported by Almost All Browsers –De facto standard for Internet application security Problems –Relatively weak security –Does not involve security on merchant server –Does not validate credit card numbers –Viewed as an available but temporary approach to consumer security

Other ISSs SSL is merely an example integrated security system Many other ISSs exist –IPsec (Chapter 9 and Module F) –PPP and PPTP (Module F) –Etc.

Other ISSs All ISSs have the same general steps –Negotiate security parameters –Authenticate the partners –Exchange a session key –Communicate with message-by-message privacy, authentication, and message integrity

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.