Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs."— Presentation transcript:

1 Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

2 2 Objectives  To introduce the basics E-Commerce security issues and web entity authentication

3 3 Outline Why is security such an issue? Why is security such an issue? Physical security Physical security IT Security Basics – Firewalls IT Security Basics – Firewalls Public Key Cryptography Public Key Cryptography SSL – Secure Socket Layer SSL – Secure Socket Layer SET – Secure Electronic Transactions SET – Secure Electronic Transactions

4 4 Why is Security an Issue? The Internet lets you travel outside of your network and others travel in – Those travelers are not all friendly! The Internet lets you travel outside of your network and others travel in – Those travelers are not all friendly! Critical and private information can be snooped — sniffed Critical and private information can be snooped — sniffed Information can be deleted or destroyed Information can be deleted or destroyed The Internet provides an opportunity for anonymous and rapid theft of lots of money The Internet provides an opportunity for anonymous and rapid theft of lots of money

5 5 How many categories/classes of security invasions/breaches can you find? User/password – shoulder surfing User/password – shoulder surfing Trojan horses Trojan horses Password breaking (various strategies) Password breaking (various strategies) Denial of service attacks – flood the server with requests Denial of service attacks – flood the server with requests Packet sniffing on net (wire tap, wireless recon.) Packet sniffing on net (wire tap, wireless recon.) Spoofing websites Spoofing websites Dumpster diving – garbage search Dumpster diving – garbage search

6 6 How many categories/classes of security invasions/breaches can you find? Hacking user IDs and passwords Hacking user IDs and passwords Denial of service/access Denial of service/access Physical invasion of a data centre Physical invasion of a data centre Social Engineering – exploit human good nature to get info you should not have Social Engineering – exploit human good nature to get info you should not have Internet Packet Sniffing Internet Packet Sniffing Taking advantage of known frailties in systems Taking advantage of known frailties in systems –Domain Hijacking – impersonating another legitimate domain –Buffer Overflows –Viruses Attacks by employees Attacks by employees

7 7 Components of Security Diagram by Konstantin Beznosov

8 8 Five Major Requirements of a Secure Transaction Privacy – how to ensure information has not been captured by a third party Privacy – how to ensure information has not been captured by a third party Integrity – how to ensure the information has not been altered in transit Integrity – how to ensure the information has not been altered in transit Authentication – how to ensure the identity of the sender and receiver Authentication – how to ensure the identity of the sender and receiver Authorization – how to ensure a user has the authority to access / update information Authorization – how to ensure a user has the authority to access / update information Non-repudiation – how do you legally prove that a message was sent or received Non-repudiation – how do you legally prove that a message was sent or received

9 9 Physical Security Large mainframe systems have always had adequate physical security Large mainframe systems have always had adequate physical security The transition from LAN to WAN to Internet has caused new interest in these methods The transition from LAN to WAN to Internet has caused new interest in these methods Physical security means locked doors and security personnel Physical security means locked doors and security personnel Options are to host on a secure ISP/ASP (InternetHosting.com) Options are to host on a secure ISP/ASP (InternetHosting.com)InternetHosting.com

10 10 IT Security Basics Avoidance – preventing a security breach Avoidance – preventing a security breach –Using a firewall system to frontend your intranet (or LAN) to the Internet Minimization – early warning signals and action plans so as to reduce exposure Minimization – early warning signals and action plans so as to reduce exposure –Attempted to access secure directories Recovery - regular backups should be made and recovery periodically tested Recovery - regular backups should be made and recovery periodically tested

11 11 Using a Firewall –A firewall server or router acts as an electronic security cop –No machine other than firewall is directly accessible from Internet –May also function as a “proxy” server allowing intranet systems to access only portions of the Internet –Internet security methods are focused at the firewall reducing cost and admin overhead

12 12 Security through HTTPS Browser Client 1 Server A HTTP TCP/IP HTTP Server App. Server Fire Wall Server Server C Server B

13 13 IT Security Basics Passwords (and potentially User Ids) should be forced to change periodically Passwords (and potentially User Ids) should be forced to change periodically Passwords should be difficult to guess Passwords should be difficult to guess –Try to create passwords such as: To Be or Not To Be  2bon2b Databases should be secured in terms of access rights to data (usually by individual or group) Databases should be secured in terms of access rights to data (usually by individual or group)

14 14 IT Security Basics Software, particularly low layer components such as the operating system and DBMS, should be kept to recent patch levels Software, particularly low layer components such as the operating system and DBMS, should be kept to recent patch levels Access from dial-in lines should be limited and if possible call-back systems can be used Access from dial-in lines should be limited and if possible call-back systems can be used

15 15 Cryptography Cryptography or ciphering is an ancient method of encoding a message — only a receiver with a key can decipher the content Cryptography or ciphering is an ancient method of encoding a message — only a receiver with a key can decipher the content A single (symmetric) secret key is used to encrypt and decrypt A single (symmetric) secret key is used to encrypt and decrypt Requires the communication of the key between sender and receiver! Requires the communication of the key between sender and receiver! Basis of nuclear war-head command and control security Basis of nuclear war-head command and control security

16 16 14-15-17-12 14-15-17-12 12-14-1-14-9-25-9-2-14 12-14-1-14-9-25-9-2-14 17-12 17-12 11-1-23-12-9 11-1-23-12-9

17 17 Public Key Cryptography In 1976 Diffie & Hellman at Stanford U. developed public-key cryptography In 1976 Diffie & Hellman at Stanford U. developed public-key cryptography Asymmetric: Asymmetric: –Private key – kept secret by owner –Public key – distributed freely to all who wish to send –Generated by computer algorithm, so a mathematical relation exists between them... however... –It is computationally difficult to determine the private key from the public key, even with knowledge of the encryption algorithm

18 18 Public Key Cryptography The keys come in the form of tightly coupled pairs which anyone can generate using methods such as RSA, SHA-1, DSA (RSA is most common) The keys come in the form of tightly coupled pairs which anyone can generate using methods such as RSA, SHA-1, DSA (RSA is most common) –Javascript demo: http://shop-js.sourceforge.net/crypto2.htm http://shop-js.sourceforge.net/crypto2.htm There is only one public key corresponding to any one private key and vice versa There is only one public key corresponding to any one private key and vice versa Sender encodes data using public key of receiver Sender encodes data using public key of receiver Receiver decodes data using unique private key, no one else can do the same Receiver decodes data using unique private key, no one else can do the same This ensures integrity of the data This ensures integrity of the data

19 19 Authentication How can you be sure that the person sending the encrypted data is who they say they are How can you be sure that the person sending the encrypted data is who they say they are This requires some method of authenticating the identity of the sender This requires some method of authenticating the identity of the sender The solution is for the sender to “sign” the data using his/her private key – the data is encrypted using the sender’s private key The solution is for the sender to “sign” the data using his/her private key – the data is encrypted using the sender’s private key The receiver validates (decrypts the data) the “signature” using the sender’s public key The receiver validates (decrypts the data) the “signature” using the sender’s public key This will work as long as receiver can be sure the sender’s public key belongs to the sender and not an imposter … enter PKI This will work as long as receiver can be sure the sender’s public key belongs to the sender and not an imposter … enter PKI

20 20 Integrity and Authentication Example: Consider a merchant wants to send a secure message to a customer: Example: Consider a merchant wants to send a secure message to a customer: –Merchant encrypts message using customer’s public key –Merchant then signs message by encrypting with their private key –Customer decrypts using the merchants public key to prove authenticity of sender –Customer decrypts using their private key to ensure integrity of message

21 21 PKI – Public Key Infrastructure Integrates PK cryptography with digital certificates and certificate authorities (CA) Integrates PK cryptography with digital certificates and certificate authorities (CA) Digital certificate = issued by a CA, includes user name, public key, serial number, expiration date, signature of trusted CA (message encrypted by CA’s private key) Digital certificate = issued by a CA, includes user name, public key, serial number, expiration date, signature of trusted CA (message encrypted by CA’s private key) Receipt of a valid certificate is proof of identity – can be checked at CAs sight Receipt of a valid certificate is proof of identity – can be checked at CAs sight www.verisign.com is major player www.verisign.com is major player www.verisign.com

22 22 Model for Network Security Information Channel Message Secret Information Message Secret Information SenderReceiver Trusted Third Party Authentication or Certificate Authority Opponent

23 23 Security and HTTPS Certificate is an entity’s public key plus other identification (name, CA signature) Certificate is an entity’s public key plus other identification (name, CA signature) SSL – Secure Socket Layer SSL – Secure Socket Layer –Lies between TCP/IP and HTTP and performs encryption HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443) HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443)

24 24 Security through HTTPS Browser Database Server Client 1 Server A URL HTTP TCP/IP HTTP Server App. Server index.html Bank Server Dedicated prog.jsp HTTPS port = 80 port = 443

25 25 SSL – Secure Socket Layer 1. Client makes HTTPS connection to server 2. Server sends back SSL version and certificate 3. Client checks if certificate from CA 4. Client creates session “premaster secret”, encrypts it and sends it to server and creates “master secret” 5. Server uses its private key to decrypt “premaster secret” and create the same “master secret” 6. The master secret is used by both to create session keys for encryption and decryption

26 26 SET – Secure Electronic Transfer Developed by Visa & Mastercard Developed by Visa & Mastercard Designed to protect E-Comm transactions Designed to protect E-Comm transactions SET uses digital certificates to authenticate customer, merchant and financial institution SET uses digital certificates to authenticate customer, merchant and financial institution Merchants must have digital certificate and special SET software Merchants must have digital certificate and special SET software Customers must have digital certificate and SET e-Wallet software Customers must have digital certificate and SET e-Wallet software

27 27 Major Architectural Components of the Web Internet Browser Database Server Client 1 Server A Server B Bank Server URL HTTP TCP/IP Browser Client 2 HTTP Server App. Server index.html Bank Server prog.jsp

28 28 Resources / References RSA demos: http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/ RSA demos: http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/ http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/ http://islab.oregonstate.edu/koc/ece575/02Project/Mor/

29 THE END danny.silver@acadiau.ca

Download ppt "Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
CP3397 ECommerce.

CP3397 ECommerce.
Cryptography and Network Security

Cryptography and Network Security
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security & Privacy on the WWW Briefing for CS3172.

Security & Privacy on the WWW Briefing for CS3172.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.

Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

Similar presentations

Ads by Google