CSE 4482, Fall 2009, D Chan. Session 2: Common Security Techniques

Two-factor Authentication
- Used to compensate for the inherent weaknesses of passwords, i.e., guessing and cracking.
- Combines something the user has with something the user knows.
- Examples: a token that generates a dynamic (one-time) password, and an ATM (card plus PIN).

Biometrics
- Can include fingerprints, hand geometry, voice, etc.
- Adoption is held back by privacy concerns.
- Not legally recognised in place of a signature.

Operating System Security
- Use a standard checklist for configuration (hardening).
- Apply vendor updates (patches).
- Use scanning software to detect vulnerabilities before implementation and periodically thereafter.

Firewall
- Can be hardware based only, e.g., a router.
- Can be a server running sophisticated firewall software: more granular and reliable than a router, and provides better logs.
- Can use artificial intelligence to check for suspicious patterns.
- Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
- The firewall blocks traffic that is definitely unacceptable.
- A typical firewall uses rules to decide whether traffic is acceptable, e.g., some organizations do not allow port scanning.
- A data packet carries a source Internet Protocol (IP) address, a destination IP address and a port number, which is what the rules match on.
- A port is a logical connection point in a network device, including a computer.
- Ports standardize Internet traffic, e.g., web browsing uses port 80 and secure e-commerce (HTTPS) uses port 443.

Virus Protection
- Companies around the world spend about US $20 billion a year cleaning up viruses.
- All critical servers are protected.
- All Internet traffic is scanned.
- Workstations without up-to-date signature files are identified automatically.
- Organizations should proactively block common virus file types.

Virtual Private Network
- Secures remote access to company systems by staff or contractors.
- Should require two-factor authentication.
- Because VPN traffic is encrypted, the perimeter firewall cannot inspect it; the secure tunnel should therefore terminate at another firewall, where the traffic is decrypted and inspected.

Intrusion Detection System
- Installed at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages.
- Alerts system administrators so they can take pre-emptive or corrective action.

Intrusion Prevention System
- Combines firewall and intrusion detection technologies.
- Rejects highly questionable or unacceptable traffic.
- More effective than a firewall alone, but may produce false positives.

Encryption
- Uses mathematics to scramble data.
- Uses a key and an algorithm; commercial algorithms are public knowledge, so the secrecy rests on the key.
- Symmetric key: one shared key.
- Asymmetric keys: a private/public key pair.

Symmetric Key Encryption
- The same key is used to encrypt and decrypt.
- Simple and fast to encrypt and decrypt.
- One-to-one secret communication requires a large number of keys: N people need N(N-1)/2 keys.
- The key itself must be kept secret and distributed securely.

Asymmetric Encryption
- A user generates a pair of keys: a private key and a corresponding public key.
- The public key can be disclosed; the private key is kept secure.
- Anyone can use the public key to encrypt material.
- The corresponding private key is needed to decrypt it.
- The two keys cannot be reverse-engineered from each other, i.e., the public key cannot be used to derive the private key.
- Keys are longer than symmetric keys, so encryption and decryption take longer.
- Needed for encryption between parties that have not shared a secret key in advance.
- Used for e-commerce, digital certificates and digital signatures.
- N users need only 2N keys (one pair each).

Digital Signature
- An electronic signature that authenticates the identity of the sender of a message or the signer of a document, and ensures that the content of the message or document is unchanged since it was sent.
- The sender uses a hash algorithm to compute a hash (a fixed-length message digest) of the document.
- The sender encrypts the hash with its private key; the result is the digital signature.
- The recipient hashes the received plain-text document with the same algorithm.
- The recipient decrypts the signature with the sender's public key and compares the result with the hash it computed; a match confirms integrity, and because only the sender holds the private key, it also confirms the sender's identity.

Digital Certificate
- An electronic business card that establishes your credentials when doing business or other transactions on the Web.
- Issued and digitally signed by a certification authority.
- Contains your name, a serial number, expiration dates, the certificate authority's name and public key, and your public key.
- Anyone can use the certificate authority's public key to verify the signature.

Certificate Authority
- An organization that issues digital certificates to companies and individuals.
- An organization can also issue digital certificates to its own customers or employees to authenticate local transactions.
- The certificate authority performs due diligence to confirm the existence and authenticity of the party before issuing a certificate.

E-commerce Encryption
- Uses both symmetric and asymmetric keys.
- Enforced by the merchant.
- The merchant sends its certificate and public key to the browser.
- The browser generates a symmetric (session) key.
- The browser encrypts the symmetric key with the merchant's public key.
- The browser authenticates the merchant's digital certificate.
- The encrypted symmetric key is sent to the merchant.
- The merchant decrypts the symmetric key with its private key.
- The symmetric key is used for all subsequent transfer of information between the two parties until the user logs off.

Encryption
- The sender uses the recipient's public key to encrypt the message.
- The sender signs the message with its own private key.
- The recipient uses its own private key to decrypt the message.
- The recipient uses the sender's public key to authenticate the digital signature.

Conclusion
- Security is increasingly important because of e-commerce.
- Security is the responsibility of every employee.
- Organizations should designate a chief information security officer to coordinate it.