Presentation is loading. Please wait.

Presentation is loading. Please wait.

Richard Henson University of Worcester October 2016

Published byReynold Nash Modified over 6 years ago

Similar presentations

Presentation on theme: "Richard Henson University of Worcester October 2016"— Presentation transcript:

1 Richard Henson University of Worcester October 2016
COMP3371 Cyber Security Richard Henson University of Worcester October 2016

2 Week 4: Public Key Encryption & PKI
Objectives Explain public-private key encryption (PKE) Explain need for the sender of data to identify themselves; why digital signatures are necessary in the real world; how they can be implemented Explain PGP and PKI as two reliable techniques for sending data securely from one place to another… including verification of the sender Apply PKE to the sending of secure

3 Symmetric v Asymmetric Key
one encryption/decryption key only Asymmetric (public key encryption, PKE) encryption: shared public key decryption: unshared private key each algorithm a one way function

4 Authentication of Transmitted Data
Two potential issues with data sending: is it intact & unmodified? (integrity) date/timestamp etc… can original authorship (authenticity) be established i.e. is the sender really is who he/she claims to be Requirements for Authentication: inputs (sender): secret key, message output: message authentication code

5 When is Encryption alone not enough?
On local network covered through username/password network system should verify authenticity BUT… when data is on the move to a computer or device from OUTSIDE the network… It could come from ANYONE…

6 Authentication Methods
Paper correspondence? by physical signature/wax, stamped seal Many available digital methods of providing a sender signature to data e.g. Windows SIGVER (file signing) method of checking incoming files to ensure that they are from a Microsoft approved source Linux uses a similar technique

7 Security & Wireless Data
Wireless media more prone to interception WAP (wireless access protocol) encryption only not enough open access, decryption too easy… Requires authentication as well for safe transmission (best WPA-2) use a known SSID to provide authentication of remote device other devices won’t get access…

8 Asymmetric (two key) encryption
Attributed to Diffie and Hellman (US, ‘76) However, British scientists were secretly working on it much earlier… Ellis, at GCHQ, made the first breakthrough in 1970 Based on two keys: public key - known to everyone private or secret key - known only to the recipient of the message

9 Mechanism of PKE Jane receives encrypted message
John wants to send a secure message to Jane… uses Jane's public key to encrypt the message Jane receives encrypted message then uses her private key to decrypt it Original public key method did not support either encryption or digital signatures… therefore vulnerable to third party in the middle eavesdroppers

10 Public Key Encryption (PKE)
Can work in two ways: private key encryption, public key decryption public key encryption, private key decryption Private key on sender’s computer Unencrypted data Encrypted data Data sent through the Internet Public key on recipient computer Encrypted data Decrypted data Received by recipient’s computer

11 Public Key Encryption (PKE)
The public and private keys must be related in such a way that only the public key can be used to encrypt messages only the corresponding private key can be used to decrypt them In theory it is virtually impossible to deduce the private key if you know the public key

12 Practical Public Key Encryption systems
Include public-private key and authentication of sender Variety of techniques developed: Pretty Good Privacy (PGP) Digital Certificates & Public Key Infrastructure (PKI)

13 PGP (Pretty Good Privacy)
Developed by Philip Zimmerman (early 1990s) official repository held at the Massachusetts Institute of Technology spec for v2.0 at RFC #1991 Based on public-key method… plus authentication using a “web of trust”. Quote from RFC… “As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.” Convenient way to protect messages on the Internet: effective easy to use free

14 Using PGP (or not..) To encrypt a message using PGP, the receiver needs the PGP encryption package Zimmerman made it available for free download from a number of Internet sources Such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmerman! Problem: PGP made public… therefore available to enemies of the U.S.

15 US gov v Zimmerman (PGP)
Actual Lawsuit: selling munitions overseas without a license (used >40 bit encryption) unpopular… after a public outcry, quietly dropped, law changed in 2000 Still illegal to download PGP from US to many other countries

16 Trust Ever seen the film “Meet the Parents?”
Web of trust (personal) not practicable for trust “in the business sense” Business Trust “you may not trust me, but you do trust my business enough to accept that you’ll get paid!” PGP web of trust wouldn’t be practicable! New model developed by business (embedded into PKI)

17 Verisign Trust System Web of Trust (PGP)
OK for academics (“good” people?) but bad” people can do business Need for a more practical alternative developed so that people could trust strangers in business transactions financial institutions provide the “trust”

18 LDAP and Public Key “lookup”
Public Key “lookup” developed - system that could be used with PKE Protocol: LDAP (Lightweight Directory Application Protocol) Netscape spec: “historic” involvement of Microsoft in Internet Infrastructure implemented in VB (!) Microsoft/Netscape/Internet Engineers put all together… Public Key Infrastructure (PKI)

19 The Public Key Repository
Store of public keys so they can only be used securely readily accessible via the Internet and LDAP enabled public key lookup to occur transparently i.e. without intervention from the user Infrastructure complete by 1999 Implemented through Windows 2000 architecture Active Directory many still never heard of it or how to implement it even in 2016!

20 Digital Signatures/Digital-IDs
Unique 'security code' appended to an electronic document the digital equivalent of a signature on a paper document authenticates the sender permits the authenticity of the document to be proven also used the ensure the integrity of the message sent Signature and public key supplied packaged within a digital certificate usually 30-day trial, then ~£100 for 2-year lease

21 Digital Certificate Randomly generated number that creates, via algorithm: the public-private key pair the attachment to an electronic message known as a digital signature Service for those wishing to send encrypted data (inc ) acquire digital certificate from Certificate Authority (CA)

22 Certificate Authorities
Trusted third-party organizations that issues the digital certificates used to create public-private key pairs Started with Verisign Many more followed Role of CA: guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

23 Certificate Authorities
Authentication.. CA has an arrangement with a financial institution, such as a credit card company finance company provides it with information to confirm an individual's claimed identity Soon became a critical component in security and e-commerce guarantee that the two parties exchanging information really are who they claim to be

24 Supplying Digital Certificates
Online via CA… Digital certificates contain: the applicant's private key a digital signature CA makes its own public key readily available via LDAP digital certificate attached to the message recipient of the encrypted message uses CA's public key to decode the digital certificate

25 Digital Certificate (continued)
The recipient: verifies the digital signature as issued by the CA obtains the sender's public key and digital signature held within the certificate With this information, the recipient can send an encrypted reply

26 Digital Signatures: an increasing role in society…
Increased online delivery of traditionally paper based correspondence & services… contracts government forms such as tax returns anything else that would require a hand-written signature for authentication… Information sent WITHOUT a digital signature… has NOT been authenticated! proof of identity of sender? Should still be FAXed

27 The trouble with HTTP General Internet principle of “anyone can go anywhere” On a Windows system with www access: TCP can link directly to HTTP session layer authentication not invoked HTML data transferred directly to the presentation and application layers for display Problem: the data is visible to anyone else on the Internet who may have access to that machine and the data path to it!

28 Secure HTTP and the user authentication problem
Makes use of the potential for requiring authentication at the session layer SSL protocol can require a username/password combination before data passes through the socket from transport layer to application layer application authentication required transport

29 Computer Authentication
SSL is able to use the PKI When a user first attempts to communicate with a web server over a secure connection: that server will present the web browser with authentication data presented as a server certificate (remember those?) verifies that the server is who and what it claims to be Works both ways… server may in return request client authentication

30 SSL and Encryption Authenticating the user & server only helps when the data is at its at its source or destination data also needs to be protected in transit… SSL working at level 5/6 also ensures that it is: encrypted before being sent decrypted upon receipt and prior to processing for display

31 Is an SSL Digital Certificate Really Necessary?
Yes: for sites involved in e-commerce and therefore involving digital payment any other business transaction in which authentication of identity is important No: if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection In such cases, a self-signed certificate is sufficient

32 Https & “Web of Trust” Based on individual trust networks built up between individuals Possible to “self sign” a digital certificate if someone trusts you, a self-signature may be all they need OpenPGP identiity certificates are designed to be self-signed

33 General Tips on Running SSL
Designed to be as efficient as securely possible but encryption/decryption is computationally expensive from a performance standpoint not strictly necessary to run an entire Web application over SSL customary for a developer to decide which pages require a secure connection and which do not

34 When to use SSL Whenever web pages require a secure connection e.g.:
login pages personal information pages shopping cart checkouts any pages where credit card information could possibly be transmitted

35 Running HTTPS Client-server service like http and ftp
runs on the Web server uniquely designed so it will not run on a server without a server certificate Once set up, https requires users to establish an encrypted channel with the server i.e. rather than Unless the user uses https… get an error, rather than the pop up that proceeds the secure web page

36 HTTPs and encryption Even if https channel set up with server certificate, still potential problems use of an encrypted channel running https between user's Web browser and Web server BOTH must support the encryption scheme used to secure the channel e.g. 128-bit RSA

37 Accessing a Web Page using HTTPS
Prefix the address with instead of and the system will do the rest Any pages which absolutely require a secure connection should have a facility to: check the protocol type associated with the page request take the appropriate action if https: is not specified

38 Proof that Web Page has been delivered securely using SSL
At one time.. a pop up would appear… informed the client that they are entering a secure client-server connection must be acknowledged to continue Default browser settings now bring up https page automatically if all is well

39 A Practical Limitation on the Use of SSL
SSL “handshake”, where the client browser accepts the server certificate, must occur before the HTTP request is accessed As a result: the request information containing the virtual host name cannot be determined prior to authentication it is therefore not possible to assign multiple certificates to a single IP address name-based virtual hosts on a secured connection can therefore be problematic

40 Next session will explore… Authentication and access control to websites, remote organisational servers It will also introduce Active Directory and Firewalls

Download ppt "Richard Henson University of Worcester October 2016"

Similar presentations

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security

Cryptography and Network Security
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.

INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.
Chapter 8 Web Security.

Chapter 8 Web Security.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.

1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
COMP3123 Internet Security Richard Henson University of Worcester October 2010.

COMP3123 Internet Security Richard Henson University of Worcester October 2010.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Masud Hasan 03-60-475 SecueEmail VS Hushmail Project 2.

Masud Hasan Secue VS Hushmail Project 2.
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘

Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Similar presentations

Ads by Google