COMP2113 E-business Richard Henson University of Worcester April 2008.


Week 8: Encryption
- Objectives:
  - Explain the legal position as regards reading other people's e-mail
  - Describe a simple mathematical operation that could encrypt a text message
  - Explain the differences between symmetric and asymmetric encryption
  - Apply public-private key encryption to the sending of Internet e-mail
  - Explain why digital signatures are necessary in the real world, and how they can be implemented
- Definition: "The translation of data into a secret code"

Why is it necessary to change data into Secret Codes?
- The Internet is an "open" system
- Data on the Internet could be intercepted by:
  - someone with a good knowledge of TCP/IP
  - any IT literate person with the appropriate software
- This person could be anywhere in the world!

Privacy of Electronic Mail – The Law
- When people send mail (Her Majesty's mail), it is assumed that no-one will look at it "en route"
- It is a criminal offence to do so
- Like "snail mail", e-mail communications should be treated as private or confidential
- It is a criminal act to look at a person's private e-mail without permission (Computer Misuse Act, 1990)
- E-mail messages at work are more of a grey area, but considered to be the property of the employer… and therefore NOT so private…

Privacy of Electronic Mail – Crime Prevention
- Just because something is illegal, doesn't mean that people will not try to do it!
- Especially if they don't think they will get caught!
- If the data is "scrambled" in some way before sending, it doesn't matter who gets hold of it – they will not be able to understand the message unless they can "unscramble" it
- Scrambling the data is encryption
- Recovering the scrambled data is decryption

How does Encryption work?
- Data sent over the Internet is generally a sequence of ASCII codes
  - An ASCII code is simply a way of converting a keyboard character into a binary number
- Encryption works by further coding each ASCII character in some reversible way before it is sent
- Encryption normally uses:
  - a coding method (often a mathematical operation)
  - a numerical value used with the coding method
- The ASCII codes can always be recovered by someone who knows the encryption method

Simple Encryption Example
- Algorithm based on a mathematical operation such as ADD
- Key based on a numerical digit (e.g. 5)
- Data represented by an ASCII code
- Algorithm + key produce encrypted data

Encryption Keys
- The key must be kept secret – anyone with access to the key and the algorithm can decrypt any encrypted data produced with that combination
- The coding method and the key used to produce cipher text must be known in order to get back the plain text

Simple example of an Encryption Method
- Method of encryption – add 5 to each ASCII code (this would be the key)
- e.g. if plain text = HELLO (ASCII codes in hex: 48 45 4C 4C 4F)
- Cipher text would be MJQQT (ASCII codes in hex: 4D 4A 51 51 54)
- Getting the original data back would mean subtracting 5 from each ASCII character – very easy for anyone with access to the key
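The add-5 scheme above, worked through as an added Python example (not part of the original slides); the function names and the three-word `WORDS` list are assumptions constructed for illustration. It also tries every possible key, which shows why a single small number gives no protection once the method is known.

```python
KEY = 5  # the key used on the slide

# Constructed sample vocabulary used to recognise a sensible decryption.
WORDS = {"HELLO", "WORLD", "EMAIL"}


def encrypt(plain, key):
    """Add the key to each ASCII code (mod 128 keeps the result 7-bit ASCII)."""
    return "".join(chr((ord(ch) + key) % 128) for ch in plain)


def decrypt(cipher, key):
    """Subtract the key from each ASCII code to recover the plain text."""
    return "".join(chr((ord(ch) - key) % 128) for ch in cipher)


def hex_codes(text):
    """Show the ASCII codes the way the slide lists them."""
    return " ".join(f"{ord(ch):02X}" for ch in text)


def recover_keys(cipher, words=WORDS):
    """Try all 128 possible keys and keep those that yield a known word."""
    return [k for k in range(128) if decrypt(cipher, k) in words]


if __name__ == "__main__":
    cipher = encrypt("HELLO", KEY)
    print("plain :", "HELLO", hex_codes("HELLO"))
    print("cipher:", cipher, hex_codes(cipher))
    print("back  :", decrypt(cipher, KEY))
    # Only 128 keys exist, so checking all of them takes no time at all.
    print("keys that produce a known word:", recover_keys(cipher))
```

With only 128 possible keys, keeping the key secret does not help; the key space has to be far too large to search.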

[Diagram – single key encryption. Labels: User sends message via server; server key; Message is coded; Data is transmitted to another server; key; Message is decoded; Message is received]

Effectiveness of Encryption
- During WWII, most countries communicated with their armed forces by radio.
  - To avoid being intercepted, they used single key encryption
  - However… encryption can only be effective if:
    - either the key remains secret
    - or the algorithm remains secret
- The Germans thought they had an encryption method that had a key so complex it was impossible to decipher

Alan Turing and Bletchley Park
- Alan Turing was a tragic genius who did more than most to win the war
- With the efforts of fellow mathematicians, Colossus, the world's first computer, and support staff at Bletchley Park, now Milton Keynes…
  - the key and algorithm were deciphered
  - all of the German messages were decrypted so all their troop movements were known

Encryption Techniques
- Many techniques have been developed since the 1960s to enable digital data to be efficiently encrypted and decrypted
- Examples:
  - DES (Data Encryption Standard)
  - IDEA
  - RSA
  - Diffie-Hellman
- Encryption techniques can be classified into two types:
  - Symmetric Key
  - Asymmetric Key

Symmetric Encryption
- Sender and receiver share a single, common key – known as a symmetric key
- Used both to encrypt and decrypt the message
- Advantages: simpler and faster than other systems
- Disadvantages:
  - the two parties need to exchange the key in a secure way
  - the sender cannot easily be authenticated

DES – an example of symmetric encryption
- The most popular symmetric key system is the Data Encryption Standard – US gov, 1977
- DES uses 56-bit encryption working on 64-bit blocks of data
- In view of recent research, this is clearly inadequate for really secure encryption
- Until relatively recently, however, it served a useful purpose

Making Encryption as Effective as Possible
- The more complex the key, the more difficult the encryption method is to decipher
  - A single 40-digit key can be mathematically deduced very quickly using a computer
  - An equivalent 128-digit key would take much longer to "crack"
- It therefore makes sense to use 128-digit key encryption…

Breaking an Encryption Technique
- Usually achieved with the aid of very powerful computers
- The more powerful the computer, the more likely that the key can be mathematically deduced
- Until fairly recently, a 128-bit encryption key would have been considered to be secure
- However, a research team have now succeeded in breaking 128-bit encryption in seconds, using a supercomputer…

Secure Keys for Today and Tomorrow…
- 256-bit encryption is probably now a minimum for single key encryption
  - but only a matter of time…
- 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet
  - again, only a matter of time before even this can be cracked…
  - Solution bit keys?

Asymmetric Encryption
- This technique uses TWO keys, one of which remains private, and a digital certificate to authenticate the sender
- The other key is public – hence the term Public Key (PKE)
- This system was actually first invented by some British scientists working at GCHQ
  - but it was top secret
  - and wasn't published…
  - and in 1976 someone else got the fame…

What is Public Key Encryption (PKE)
- Announced to the world in 1976 by two Americans: Diffie and Hellman…
- Uses two keys:
  - public key - known to everyone
  - private or secret key - known only to the recipient of the message
- Example: John wants to send a secure message to Jane…
  - He uses Jane's public key to encrypt the message
  - Jane then uses her private key to decrypt it

Public Key Encryption
[Diagram. Labels: Unencrypted data; Private key on sender's computer; Encrypted data; Data sent through the Internet; Received by recipient's computer; Public key on recipient computer; Decrypted data]
- Can work in two ways:
  - private key encryption, public key decryption
  - public key encryption, private key decryption

Public Key Encryption
- The public and private keys must be related in such a way that
  - only the public key can be used to encrypt messages
  - only the corresponding private key can be used to decrypt them.
- In theory it is virtually impossible to deduce the private key if you know the public key
- PKE is also called asymmetric encryption because of the two quite different keys that need to be used
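The two directions described on the preceding slides, as an added Python sketch that is not from the original slides: textbook RSA with deliberately tiny primes, applied to each ASCII code separately. The key values and function names are assumptions for illustration; real systems use keys of thousands of bits together with padding and hashing.

```python
# Toy key pair for Jane (constructed values, trivially breakable).
P, Q = 61, 53
N = P * Q                    # 3233: modulus shared by both keys
PHI = (P - 1) * (Q - 1)      # 3120
E = 17                       # public exponent
D = pow(E, -1, PHI)          # private exponent, 2753 (needs Python 3.8+)

JANE_PUBLIC = (E, N)         # published to everyone
JANE_PRIVATE = (D, N)        # known only to Jane


def apply_key(codes, key):
    """Raise every number to the key's exponent, modulo N."""
    exponent, modulus = key
    return [pow(c, exponent, modulus) for c in codes]


def encrypt(message, public_key):
    """Public key encryption: anyone can do this for Jane."""
    return apply_key([ord(ch) for ch in message], public_key)


def decrypt(cipher, private_key):
    """Private key decryption: only Jane can reverse encrypt()."""
    return "".join(chr(c) for c in apply_key(cipher, private_key))


def sign(message, private_key):
    """Private key 'encryption': only Jane can produce this value."""
    return apply_key([ord(ch) for ch in message], private_key)


def verify(message, signature, public_key):
    """Public key 'decryption': anyone can check that Jane signed it."""
    return apply_key(signature, public_key) == [ord(ch) for ch in message]


if __name__ == "__main__":
    # Direction 1: John sends Jane a confidential message.
    cipher = encrypt("HELLO", JANE_PUBLIC)
    print("cipher numbers:", cipher)
    print("Jane reads    :", decrypt(cipher, JANE_PRIVATE))

    # Direction 2: Jane signs, and an altered message fails the check.
    signature = sign("Pay Jane 100", JANE_PRIVATE)
    print("genuine :", verify("Pay Jane 100", signature, JANE_PUBLIC))
    print("altered :", verify("Pay Jane 900", signature, JANE_PUBLIC))
```

The first direction gives confidentiality and the second gives authentication, which is the basis of the digital signatures discussed later in the lecture.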

PGP (Pretty Good Privacy)
- System of PKE developed by Philip Zimmermann
  - official repository held at the Massachusetts Institute of Technology
- PGP became one of the most common ways to protect messages on the Internet:
  - effective
  - easy to use
  - free…
- To encrypt a message using PGP, a software encryption package was required
  - Zimmermann made it available for free download from a number of Internet sources…

PGP and US Govt
- PGP was so effective as an encryption tool that the U.S. government actually brought a lawsuit against Zimmermann!
- Case: he had made PGP public and hence made it available to enemies of the U.S.
- After a public outcry, the U.S. lawsuit was dropped
  - still illegal to use PGP in many countries

Public Key Infrastructure (PKI)
- Developed for the Internet as a series of RFCs
  - response to concern about security of data on the Internet
- Concerned with authentication as well as security
  - intended to be simple to use…
- Provided a system for storage and display of message recipient's public key
  - this was essential to decrypt a message sent and received using PKE

The Public Key Repository
- What was needed:
  - central registry of public keys and digital signatures
  - must be readily accessible via the Internet
  - must provide authentication, otherwise ANYONE could have sent that message…
- Achieved through LDAP (Lightweight Directory Access Protocol)
  - enables public key lookup to occur completely transparently (without any intervention from any user…)

Lightweight Directory Access Protocol (X509 standard)
- Based on International X500 communications standard
- Supports TCP/IP
- Allows almost any application running on any computer platform to obtain on-line or downloaded directory information:
  - addresses
  - public keys

Authentication
- About verifying that the person sending a message or web form really is who he or she claims to be
- It may also provide the receiver with the means to encode a reply
- In paper correspondence, authentication is provided by a signature
  - In digital correspondence it needs to be a series of 000's and 111's (abbreviated to hexadecimal)

Digital Certificates
- Attachments to electronic messages used for security purposes
  - The "digital signature" authenticates the sender
- Anyone wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA)
  - e.g. Verisign

Good/Bad things about Digital Signatures/Digital-Ids…
- The digital certificate that provides the identification information must be kept very safe…
  - usually kept carefully hidden as a unique 'security code'
  - appended to an electronic document for the purpose of establishing the authenticity of that document
  - can even be used for tax returns & legal documents…
- BUT… once someone has acquired another person's digital identity, they can masquerade as that person all over the Internet…

Certificate Authorities
- Trusted third-party organizations that issue the digital certificates used to create public-private key pairs
- The role of the CA is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

Certificate Authorities (cont…)
- Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company
- The finance company provides it with information to confirm an individual's claimed identity
- CAs are a critical component in data security and e-commerce because they guarantee that the two parties exchanging information really are who they claim to be

SOME Certificate Authorities in the UK
- BT Trustwise (Verisign International Affiliate)
- The Global Trust Register
- Inter Clear
- TrueTrust (Salford University)
- Globalsign UK (Globalsign Network)
- Viacode (Royal Mail CA)
- Mondex International

Supplying Digital Certificates
- On request, a CA can produce an encrypted digital certificate for any applicant
- Digital certificates contain:
  - the applicant's private key
  - a digital signature
- The CA makes its own public key readily available on the Internet
- The recipient of the encrypted message can use the CA's public key to decode the digital certificate attached to the message

Digital Certificate (continued)
- The recipient:
  - verifies the digital signature as issued by the CA
  - obtains the sender's public key and digital signature held within the certificate
- With this information, the recipient can send an encrypted reply
- This procedure relies on the integrity of the CA, and the user must be able to trust them

Digital Signatures – the future?
- Digital signatures already have a legal definition:
  - "an electronic rather than a written signature that can be used by someone to authenticate the identity of the sender of a message or of the signer of a document"
- Online delivery of traditionally paper based correspondence has been a reality for some time…
  - the Electronic Signatures Regulations

Encryption in Client-Server Systems
- Much more about this in COMP3123
- Depend on the use of
  - SSL (Secure Sockets Layer)
    - invented by Netscape
    - became part of the PKI
  - https (secure http)
    - also specified to become part of the PKI
- Together, SSL and https make Server Certificates possible

Why Server Certificates?
- Anyone can set up a web server and put it on the Internet
  - an Internet user on the other side of the world doesn't have a clue whether they are crooked!!!
  - not good for on-line selling & buying!
- Server certificates can give an Internet vendor respectability
  - Certificates only supplied to "honest" organisations
  - But… how can the certificate authorities tell???