Information Security for e-Business. Saad Haj Bakry, PhD, CEng, FIEE. Presentations in Network Security.
Presentation transcript:

Slide 1: Information Security for e-Business. Saad Haj Bakry, PhD, CEng, FIEE. Presentations in Network Security.

Slide 2: Objectives / Contents. Secure Transactions; Use of Symmetric Keys; Use of Asymmetric Keys; Public Key Infrastructure: PKI; Security Protocols.

Slide 3: Secure Transactions Requirements (Issue: Fact)
Privacy: No Disclosure
Integrity: No Alteration
Authentication: Proof of Identity (Sender to Receiver / Receiver to Sender)
Non-Repudiation: Legal Proof of Transaction (Message is Sent or Received)
Availability: System in Operation
"S-Business" Outcome: "Secure Business"

Slide 4: Use of Symmetric Keys. DES: Data Encryption Standard; AES: Advanced Encryption Standard; KDC: Key Distribution Centre.

Slide 5: DES: Data Encryption Standard. A Symmetric Encryption Algorithm: 1950s, by US NSA (National Security Agency) & IBM. Key Length is "56 bits": Short / Easy to Crack. Triple Use (3 Keys in a Row) for More Security: DES (K-1) -> DES (K-2) -> DES (K-3). Being Replaced by AES.

Slide 6: AES: Advanced Encryption Standard. A Symmetric Encryption Algorithm, by US NIST (National Institute of Standards & Technology): Replacing DES. Five Finalists Under Consideration: 2001. Criteria of Choice: Strength, Efficiency, Speed, Other Factors.

Slide 7: KDC: Key Distribution Centre. To Solve the "Key-Exchange" Problem. KDC Shares a "Secret Key" with "Every User". S-R Session Key: Generated by KDC per Transaction. Session Key Sent to S-R Using their Shared Keys with KDC. All Transactions: Exchanged Through KDC. Problem: Centralized Security ("Challenges to KDC!").

Slide 8: KDC Operation (diagram)
Parties: Sender, KDC, Receiver, connected over the Communication Network.
Keys: Symmetric Key (S) shared by Sender and KDC; Symmetric Key (R) shared by Receiver and KDC; Session Key.
Steps: Initiation; Generation (Session Key, by KDC); Assignment (Session Key to Sender and Receiver, under their Symmetric Keys); Transaction (Plain Text -> Cipher Text -> Plain Text under the Session Key).

Slide 9: Use of Asymmetric Keys. Key Agreement Protocol: KAP / Digital Envelope; Key Management: KM; Digital Signature; Time-Stamping: Non-Repudiation; Notary Authentication.

Slide 10: KAP: Key Agreement Protocol. Protocol: Rules of the Agreement Process. Subject of Agreement: Symmetric Secret Key. Agreement Security: Use of Public Key. Secret Key: Suitable for Volumes of Data. Public Key: Suitable for Limited Volumes. Digital Envelope: Secret Key in Public Key.

Slide 11: KAP Example: The Digital Envelope (diagram)
Sender: Encrypt (Message) Using "Secret Key" -> Message: "Cipher Text" (S-K); Encrypt (Secret Key) Using Receiver's "Public Key" -> "Cipher SK" (P-K).
Envelope sent to Receiver: Message "Cipher Text" (S-K) Plus "Cipher SK" (P-K); "Digital Signature": Possible.
Receiver: Decrypt ("Cipher SK") Using Receiver's "Private Key" -> "Secret Key"; Decrypt (Message) Using "Secret Key" -> Message: "Plain Text".
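The two ways of getting a secret key to both parties, the KDC of slides 7-8 and the digital envelope of slides 10-11, as an added Go example that is not part of the presentation. It assumes AES-256-GCM as the secret-key cipher and RSA-OAEP for wrapping the secret key under the receiver's public key; the names KDCIssue, Wrap and Unwrap and the 32-byte keys are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// newKey returns a fresh random 256-bit secret key (AES-256).
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// gcm builds AES-GCM for a 32-byte key; any other key length panics inside NewGCM.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// seal encrypts and authenticates pt under key; the random nonce is prepended to the output.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or a single tampered byte fails the GCM tag check.
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KDCIssue: one session key per transaction, wrapped once under S's and once under R's long-term KDC key.
func KDCIssue(kdcKeyS, kdcKeyR []byte) (forS, forR []byte) {
	session := newKey()
	return seal(kdcKeyS, session), seal(kdcKeyR, session)
}

// Wrap builds the digital envelope: message under a fresh secret key, secret key under R's public key (OAEP).
func Wrap(rPub *rsa.PublicKey, msg []byte) (wrappedKey, cipherText []byte, err error) {
	secret := newKey()
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, rPub, secret, nil)
	return wrappedKey, seal(secret, msg), err
}

// Unwrap: R recovers the secret key with its private key, then decrypts the message with it.
func Unwrap(rPriv *rsa.PrivateKey, wrappedKey, cipherText []byte) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, rPriv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return open(secret, cipherText)
}
```

Both routes end in the same seal/open under the session or secret key; what differs is who wraps that key and with what, and the envelope route removes the centralized KDC the slide lists as a problem.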

Slide 12: Key Management. Threats: Theft (mishandling) & Attack (cryptanalysis). Key Generation: Secure "Long Keys". Key Generation Problem: Sometimes the choice is from a small set. Recommendation: Key generation should be truly "random".

Slide 13: Digital Signature (1/2). Objective (P-K): Authentication / Integrity.
Sender: Message (Plain Text) -> Hash Function -> Message Digest -> Encrypt (Sender Private Key) -> Electronic Signature; Message (Plain Text) -> Encrypt (Receiver Public Key) -> Message (Cipher Text); sent: Message (Cipher Text) + Electronic Signature.
Receiver: Message (Cipher Text) -> Decrypt (Receiver Private Key) -> Message (Plain Text) -> Hash Function -> Message Digest; Electronic Signature -> Decrypt (Sender Public Key) -> Message Digest; the two digests match: "Sender Authenticated" / "Message Integrity".

Slide 14: Digital Signature (2/2). Handwritten Signature: Document Independent (same for all documents); Authentication Only. Digital Signature: Document Dependent (based on message contents); Authentication & Integrity. Problem (Digital Signature): Non-repudiation (proof that the message has been sent). Use: US DSA: "Digital Signature Algorithm".
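The sender and receiver sides of slide 13, with slide 14's point that the signature depends on the document, as an added Go example rather than code from the presentation. It assumes SHA-256 for the hash function, RSA PKCS#1 v1.5 for the signature (deterministic, so one document gives one signature) and RSA-OAEP for encrypting the plain text directly under the receiver's public key as the slide draws it; Send, Receive and Signed are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Signed is what crosses the network in the slide: the cipher text plus the electronic signature.
type Signed struct{ CipherText, Signature []byte }

// digest is the "Hash Function" box: a fixed-size message digest of the plain text.
func digest(msg []byte) []byte {
	d := sha256.Sum256(msg)
	return d[:]
}

// Send is the sender's side. The digest is "encrypted" with the sender's private key, giving the
// electronic signature, and the plain text with the receiver's public key. RSA-OAEP takes at most
// about 190 bytes with a 2048-bit key: the slide's "public key is suitable for limited volumes".
func Send(senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey, msg []byte) (Signed, error) {
	sig, err := rsa.SignPKCS1v15(nil, senderPriv, crypto.SHA256, digest(msg))
	if err != nil {
		return Signed{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	return Signed{CipherText: ct, Signature: sig}, err
}

// Receive is the receiver's side: decrypt with the receiver's private key, re-hash the plain text
// and check it against the digest recovered with the sender's public key. A wrong signer or a
// single altered byte yields an error and no plain text.
func Receive(receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, s Signed) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, s.CipherText, nil)
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest(msg), s.Signature); err != nil {
		return nil, errors.New("signature check failed: sender not authenticated or message altered")
	}
	return msg, nil // "Sender Authenticated" and "Message Integrity" both hold
}
```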

Slide 15: Time-stamping / Non-Repudiation (1/2). Objective: Binding "time and date" to digital documents; important for electronic contracts. Third Party: Time-stamping Agency / Legal Witness. (Diagram: Sender / Receiver <-> Time-Stamping Agency.)

Slide 16: Time-stamping / Non-Repudiation (2/2). Time-stamping Agency: Input: Ciphered & Signed Message (Message: Cipher Text + Sender Electronic Signature); Output: Time & Date Stamp + Agency Stamp (Signature) (Using the Agency's Private Key). Proof of receipt may be required: "same route back" from the "receiver".

Slide 17: Notary Authentication. Transmitter -> Message -> Notary -> Network Services -> Receiver: Message with Guarantee of Sender's Identity. Notary May Use: Encryption (DES) / Digital Signature / Other Methods.

Slide 18: Public Key Infrastructure: PKI. PKI: Objectives / Organizations. Digital Certificates: Structure / Trust / Validity.

Slide 19: PKI: Public Key Infrastructure (1/2). Objective: Authentication of Parties in a Transaction. Hierarchy: IPRA: Internet Policy Registration Authority (The Root Certification Authority) -> IPA: Policy Creation Authorities -> CA: Certification Authorities.

Slide 20: PKI: Public Key Infrastructure (2/2). CA: Certification Authorities take the responsibility of authentication. DC: Digital Certificates are publicly available and are issued / held by the CA in a "CR: Certificate Repository". DS: Digital Signatures, using Public Key Cryptography.

Slide 21: Digital Certificate: Structure (Field: Explanation)
Name (Subject): Individual / company being certified
Serial Number: For management / organization
Public Key: Public key of the individual / company
Expiration Date: Certification needs to be renewed
Signature of Trusted CA: For confirmation
Other Information: Relevant / needed data

Slide 22: Digital Certificate: Signature of Trust (diagram). Public Key (Name / Subject) -> Hash Function -> Private Key (CA) -> Signature of Trusted CA.

Slide 23: Digital Certificate: Expiration. Need for Change of Key (Pairs). Expiration Date: Long use of a key leads to vulnerability. Key Compromised: Cancellation / Renewal. CA has a "CRL: Certificate Revocation List".

Slide 24: Security Protocols. Internet "Secure Socket Layer": SSL. Visa / Master Card: Secure Electronic Transaction: SET. Microsoft Authenticode.

Slide 25: SSL: Secure Sockets Layer (1/2). Software by Netscape Communications; also used by MS Internet Explorer ("Browsers"). Layering between Sender and Receiver: Application -> SSL -> TCP -> IP, where SSL does "Message Interpretation" (to protect Internet transactions), TCP provides the Virtual Circuit and IP the Datagram service; Messages travel over TCP/IP.

Slide 26: SSL: Secure Sockets Layer (2/2). Functions: Protects "private information from source to destination"; Authenticates "receiver / server in a transaction". Tools: Public Key / Digital Certificate; Session (Secret) Keys. PCI ("Peripheral Component Interconnect") cards installed on "Web Servers" to secure data over an entire SSL transaction "from sender / client to receiver / server".

Slide 27: SET: Secure Electronic Transaction, by Visa & Master-Card. Objective: protecting e-commerce payment transactions. Authenticating the Parties Involved: "Customer", "Merchant", "Bank". Using "Public-Key Cryptography".

Slide 28: Microsoft Authenticode. Objective: Safety of software ordered online. Authenticode is built into MS Internet Explorer. Authenticode interacts with Digital Certificates. Digital Certificates should be obtained by software publishers. Digital Certificates can be obtained from the CA "VeriSign".

Slide 29: Remarks. e-Business Transactions: security measures. Use of Symmetric Keys: standards: DES, AES / key distribution: KDC. Use of Asymmetric Keys: symmetric key distribution: KAP, digital envelope / digital signature / time stamping: non-repudiation / notary. Public Key Infrastructure: digital certificate. Security Protocols: Internet: SSL / Banking: SET / Microsoft: Authenticode.
