Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School


Slide 1: Security on the Internet. Jan Damsgaard, Dept. of Informatics, Copenhagen Business School. http://www.cbs.dk/staff/damsgaard/

Slide 2 (EBUSS, Jan Damsgaard, 2004): Introduction
- Communications over the Internet are by default open and uncontrolled
- Data can be seen and changed on the way
- No means of knowing who exactly is doing what (the service knows only an IP address): anonymity and masquerade
- No means of ensuring that both parties know that a transaction has been completed and, if not, what its state is

Slide 3: Concerns
- Primary concerns for e-business:
  - Confidentiality: who gets to read data, and concealing it from everyone else
  - Integrity: data is changed only in a specified manner and is not deleted or altered during transfer
  - Availability: ensure continued access to information and resources
  - Non-repudiation: capability to identify legal persons and transactions in a trustworthy way
  - Legitimate use: data is not used for other or external purposes
  - Ease of use: the user should not be controlled, and use should not be too difficult

Slide 4: What we are looking for
- Confidentiality: an envelope to prevent snooping
- Integrity: a seal to ensure the message hasn't been changed
- Non-repudiation and authentication: the signature of the sender
- Authentication of the recipient: no one else can open it but the intended recipient

Slide 5: Private Key Encryption or Symmetric Key Encryption
- Both sender and receiver know the same key
  - A lock box to which people share keys
- Challenge
  - How to secretly share the key?

Slide 6: Public Key Encryption
- Two mathematically related keys
  - Publication of one key provides no information about the other
    - One is kept secret
    - One is widely publicized
  - Anything encrypted using the secret key can only be decrypted by using the public one, and vice versa

Slide 7: RSA (Rivest, Shamir, Adleman)
- Authentication
  - Encrypted with the secret key
  - Decrypted with the public key, so anyone can verify
- Integrity: virtual sealed envelope
  - Encrypted with the public key, which is widely broadcast
  - Unreadable to all but the holder(s) of the secret key

Slide 8 (figure): Sender - Professor, Receiver - Penelope. A clear text message from the Professor requesting a conference with Penelope is encrypted with the Professor's private key, transmitted as an encoded message, and decrypted by Penelope with the Professor's public key to recover the clear text. Because the professor encrypted the message with her private key, Penelope can be assured that the message really is from that professor by decrypting it with the professor's public key.

Slide 9 (figure): Sender - Professor, Receiver - Penelope. A message from the Professor requesting a conference with Penelope and disclosing her grade is encrypted first with the Professor's private key and then with Penelope's public key, transmitted as a double encoded message, and decrypted by Penelope with her private key and then with the Professor's public key. By encrypting the message with the professor's private key and Penelope's publicly available key, Penelope can be assured that the message really is from that professor and that no one else can read the message containing her grade.
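The two diagrams above worked through as an added example that is not part of the slides: a textbook RSA toy with constructed small primes (the Professor's and Penelope's keys are assumptions), showing the "secret key in, public key out, and vice versa" property of slide 6 and the double encoded message of slide 9.

```python
# Added example, not from the slides: textbook RSA with tiny constructed
# primes. Toy parameters only; real deployments use 2048-bit moduli plus
# padding (OAEP for encryption, PSS for signatures), never bare exponentiation.

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def apply_key(blocks, key):
    """Raise each block to the key's exponent mod n. The same operation
    encrypts, decrypts, signs or verifies, depending on which key is used."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]

def text_to_blocks(text):
    return list(text.encode())           # one block per byte, always < n

def blocks_to_text(blocks):
    """Recover text; None if the blocks are not valid bytes, which is what
    happens when the wrong key is applied or a block was altered in transit."""
    try:
        return bytes(blocks).decode()
    except (ValueError, UnicodeDecodeError):
        return None

# Constructed toy keys. Penelope's modulus is the larger one so that a block
# already transformed under the Professor's key still fits under hers.
PROF_PUB, PROF_PRIV = make_keypair(61, 53, 17)     # n = 3233
PEN_PUB, PEN_PRIV = make_keypair(101, 113, 3)      # n = 11413

def authenticate(text, sender_priv):
    """Slide 8: 'encrypt' with the sender's private key."""
    return apply_key(text_to_blocks(text), sender_priv)

def verify(blocks, sender_pub):
    """Anyone holding the sender's public key can check the origin."""
    return blocks_to_text(apply_key(blocks, sender_pub))

def double_encode(text, sender_priv, recipient_pub):
    """Slide 9: sender's private key first, then the recipient's public key."""
    return apply_key(apply_key(text_to_blocks(text), sender_priv), recipient_pub)

def double_decode(blocks, recipient_priv, sender_pub):
    """Undo in reverse order: recipient's private key, then sender's public key."""
    return blocks_to_text(apply_key(apply_key(blocks, recipient_priv), sender_pub))
```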

Slide 10: Encryption Strengths
- Weak
  - Password protected text documents. Can be broken with simple tools.
- Robust
  - Using symmetric encryption technologies one can create robust encryption, but the weakness lies in the transmission of the key
- Strong
  - Using a public key infrastructure you can transmit the key over networks
- Unbreakable
  - One-time pads. This system uses a key that is as long as the message itself and can only be decrypted with the pad it was encrypted with
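The "unbreakable" one-time pad bullet as an added example that is not from the slides: a byte-wise pad showing why a pad as long as the message gives no information about the message, and why the pad must be used only once. The sample messages are constructed.

```python
# Added example, not from the slides: a one-time pad over bytes. The pad
# comes from the OS random source; messages below are constructed samples.
import secrets

def new_pad(length):
    """A fresh, uniformly random pad, at least as long as the message."""
    return secrets.token_bytes(length)

def otp(data, pad):
    """XOR each byte with the pad. XOR is its own inverse, so the same call
    both encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: perfect secrecy is lost")
    return bytes(d ^ k for d, k in zip(data, pad))

def pad_that_yields(ciphertext, candidate):
    """For ANY candidate plaintext of the same length there is a pad under
    which the ciphertext decrypts to it. The ciphertext alone therefore says
    nothing about which message was sent; that is what 'unbreakable' means."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))

def reuse_leak(ct1, ct2):
    """Why it is ONE-time: two ciphertexts under the same pad XOR to the XOR
    of the two plaintexts, so the pad cancels out and the messages are related."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))
```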

Slide 11: Good Encryption Characteristics
- 128 bit key length
- Key management policies
  - Minimal transmission time
  - Compression, then encryption
  - Trade-off: more compression means more processing time, versus less data means faster encryption

Slide 12: Digital Signatures
- Digital signatures: the private key of the sender is used to compute a message digest, similar to a hash code
- Certification Authority: a trusted entity that issues and revokes public key certificates and certificate revocation lists

Slide 13 (figure): Public Certification Authority. The individual generates their own key pair and keeps the private key; the public CA provides the key generating software, verifies the individual against proof of identification, issues the certificate, and maintains the public key and certificate.

Slide 14 (figure): Certificate Authority, Internet merchant bearing a certificate, and customer.
1. The customer visits the merchant's storefront and decides to make a purchase
2. The customer contacts the certificate authority to verify the legitimacy of the storefront
3. The customer provides information for the purchase
4. The merchant contacts the certificate authority to verify the legitimacy of the customer

Slide 15: Use of SSL (https)
- Secure Socket Layer (SSL) was developed to provide security through encryption. Using SSL allows businesses to safely conduct e-commerce.
- The price for security is reduced server performance and increased infrastructure demands.
- Common SSL sessions:
  - Shopping cart check out (B2C, B2B, C2C)
  - Intranet (internal corporate network)
  - Extranet (corporate partners)

Slide 16 (figure): Network Usage with SSL. Standard transaction: the client sends a request to the server and the server returns the data transfer. Secure transaction: the client requests the server's public key, the client sends a session key, and the data transfer is then encrypted by the server and decrypted by the client. Network usage increases with SSL, and each transaction requires more processing power.

Slide 17: Concerns and technological solutions

Concern         | Technological solution
Confidentiality | Cryptography; strong authentication
Integrity       | Cryptography; strong authentication; firewalls
Availability    | Firewalls; trusted operating systems
Non-repudiation | Digital signatures; trusted third party verification; smart cards; event logs, time stamping
Legitimate use  | Authorization system; authentication
Ease of use     | System configuration; means to log and maintain passwords; integrated solutions (smartcards, telephones); biometric techniques

Slide 18: Conclusions
- All major concerns can be addressed with technologies: the issue is balancing cost and business impact against the required level of concern
- Conflicting and multiple goals, and goals of different stakeholders
- Problems of how to integrate the solutions and manage them across diverse platforms
- Obtaining the knowledge, skills and resources to do it
- How to make management aware: ignorance vs. overkill

