Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP3123 Internet Security Richard Henson University of Worcester October 2011.

Published byMaurice Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "COMP3123 Internet Security Richard Henson University of Worcester October 2011."— Presentation transcript:

1

2 COMP3123 Internet Security Richard Henson University of Worcester October 2011

3 Week 2: Cryptography n Objectives:  Describe a simple mathematical operation that could encrypt a text message  Explain the differences between symmetric and asymmetric encryption  Apply public-private key encryption to the sending of Internet email  Explain why digital signatures are necessary in the real world, and how they can be implemented

4 Cryptography: an Answer to the problem of Data Breaches n Objective: make it impossible for the information to be read by “outsiders”… n Nothing new!  been happening for millennia…  many clever techniques devised n Technique of changing digital data in a mathematical reversible way known as ENCRYPTION  studies involving encryption - cryptography

5 What is Cryptography? n Cryptography is the science concerned with the protocols, practices, procedures to build components that make up a cryptosystem n The practical (intended) result… safely securing, storing, transmitting sensitive information  to conceal it from unauthorised persons  also applies to personal and financial data… n Associated concepts:  authenticity (proof of ownership)  integrity (ensuring that data is not tampered with)

6 OSI layers and the cryptosystem n All layers, and communications between them, are potential weaknesses n Hacking could occur:  at layer 1 »e.g. electronically, in communications equipment  or at layer 7… »Screen display n In both cases, encryption will be a good defence

7 How to focus security resources? n Depends on:  Circumstances – how much data has to be stored/processed in a given time  Risk – what is the likelihood of being hacked, losing business, and being fined…  Value of information – financial data obviously valuable, but so are e.g. commercial secrets

8 Message Authentication n Objective: ensuring that the message arrives:  intact & unmodified (integrity)  original authorship established (authenticity) n Authentication scheme:  inputs: secret key, message  output: message & authentication code

9 Encryption and Data Protection n Principle 7 of the 1984 (updated 1998) UK Data Protection Act:  “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” n No better technical measure to take than encrypting that data

10 Key Escrow and Key Recovery n Escrow: a system of checks and balances to ensure that privacy rights are not infringed where agencies need to get hold of encrypted information  separate agencies keep complementary components of the key system so no entity possesses a usable key  law enforcement agencies can only intervene to get all components: »under a court order in pursuit of criminal evidence or activity

11 What about HTML “Forms” type data n Anything from Facebook messages to personal details to get car insurance n As discussed last week…  Internet was designed to be an “open” system  IDs of devices based on IP address  Screen data converted via TCP/IP to signals and sent in packets - easily be intercepted by: »someone with a good knowledge of TCP/IP »any IT literate person with the appropriate software  this someone could be anywhere in the world!

12 What about email data? n As with HTML forms… n That email data at rest or moving round the Internet started on someone's computer (application layer)  once it has become TCP/IP packets on the Internet it is fair game for “man in the middle” attacks  at each end of the communication it is also vulnerable to copying

13 How does Encryption work? n Unencrypted data (or PLAIN text) sent over the Internet usually a sequence of ASCII codes  ASCII code generated at keyboard by converting a selected keyboard character into a particular binary number n This puts further coding onto each ASCII character in some reversible way before it is sent (as CIPHER text)

14 An Encryption system n Requirements…  a coding method (often a mathematical operation)  a numerical value used with the coding method n The ASCII codes can always be recovered by someone who knows the encryption method

15 Simple Encryption Example n Coding Method (or Algorithm) based on a mathematical operation  e.g. ADD n Key based on a numerical digit  e.g 5 n Data represented by an ASCII code…  not secure… very widely known n ASCII code -> via algorithm + key -> encrypted data

16 Example encryption in practice on ASCII codes… n Method of encryption – add 5 to each ASCII code (this would be the key)  e.g. plain text = HELLO (ASCII codes 48 45 4B 4B 4F)  e.g. cipher text = MJQQT (ASCII codes 4D 4A 50 50 54) n Getting the original data back would mean subtracting 5 from each ASCII character – very easy to anyone with access to the key

17 Managing a single Encryption Key n The coding method and the key used to produce cipher text must be known in order to get back the plain text n However, these must be kept secret – anyone with access to the key and the algorithm can readily decrypt the encrypted data for themselves

18 Diagram – single key encryption User sends message via server server key Data is transmitted to another server key Message is coded Message is decoded Message is received

19 Effectiveness of Encryption n Only effective if:  either the key remains secret  or the algorithm remains secret n During WWII, the Germans thought they had an encryption method that was impossible to decipher n With the efforts of the Mathematicians at Bletchley Park, the key and algorithm were both deciphered

20 Encryption Techniques n Many techniques have been developed to enable digital data to be efficiently encrypted and decrypted n Examples:  DES (Data Encryption Standard)  IDEA (ID Encryption Algorithm)  RSA (Rivest, Shamir, Adleman)  Diffie-Hellmann n These can be classified into two types:  Symmetric Key  Asymmetric Key

21 Symmetric Encryption n The single, common key used by both sender and receiver is known as a symmetric key  encrypts and decrypts the message n Advantages: simple and fast n Disadvantages:  the two parties must need to exchange the key in a secure way  the sender cannot easily be authenticated

22 Asymmetric? n Asymmetric Key (two keys…)  Encryption: shared public key  Decryption: unshared private key  One way function

23 DES – an example of symmetric encryption n IBM/US gov, 1974-7; still popular  56-bit encryption working on 64-bit blocks of data n However, in view of recent research, clearly inadequate for really secure encryption   “Using P2P architecture and over 100,000 participants (using only idle CPU time), distributed.net was able to test 245 billion keys per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 minutes).”

24 What levels of single key encryption are available? n The more complex the key, the more difficult the encryption method is to decipher  a single 40-digit key can be mathematically deduced very quickly using a computer »known as WEAK encryption  an equivalent 128-digit key would take much longer to “crack” »known as STRONG encryption n It makes sense to use 128-digit key encryption if at all possible….

25 Making Encryption as Effective as Possible n Commercial products may offer trade offs… n Strong encryption may cost a little more  Is the extra expense going to be justified?  e.g. Verisign 40-bit SSL »actually 128-bit within US »40-bit for any communications that go outside US borders…  e.g. Verisign Global Server SSL »“the world’s strongest encryption” »standard for large-scale online merchants, banks, brokerages, health care organisations and insurance companies worldwide  Verisign product will run on servers from: »any non-U.S. software vendor »a U.S. software vendor properly classified by the U.S. Department of Commerce

26 Breaking an Encryption Technique n Usually achieved with the aid of very powerful computers n The more powerful the computer, the more likely that the key can be mathematically deduced n Until fairly recently, a 128-bit encryption key would have been considered to be secure n However, a research team have now succeeded in breaking 128 bit encryption in seconds, using a supercomputer…

27 Secure Keys for Today and Tomorrow… n 256-bit encryption is probably now a minimum for single key encryption  but only a matter of time… n 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet  again, only a matter of time before even this can be cracked…  Solution - 1024 bit keys?

28 Authentication – encryption alone may not be enough, or even helpful n When data is on the move to a computer or device OUTSIDE a particular domain, there must be a technique for verifying that the user really who he or she claims to be n In paper correspondence, authentication is provided by a signature n A number of digital methods of signature are now available n Windows 2000 provides SIGVER (file signing)  a method of checking incoming files to ensure that they are from a Microsoft approved source

29 Asymmetric (two key) encryption n Announced in 1976 by Diffie and Hellman (US), but British scientists were secretly working on it much earlier and Ellis, at GCHQ made the first breakthrough in 1970 n Uses two keys:  public key - known to everyone  private or secret key - known only to the recipient of the message n Example: John wants to send a secure message to Jane…  He uses Jane's public key to encrypt the message  Jane then uses her private key to decrypt it n Original method did not support either encryption or digital signatures, and therefore was vulnerable to third party in the middle eavesdroppers

30 Public Key Encryption (PKE) Unencrypted data Decrypted data Encrypted data can work in two ways: private key encryption, public key decryption public key encryption, private key decryption Private key on sender’s computer Data sent through the Internet Received by recipient’s computer Public key on recipient computer

31 n The public and private keys must be related in such a way that  only the public key can be used to encrypt messages  only the corresponding private key can be used to decrypt them. n In theory it is virtually impossible to deduce the private key if you know the public key n PKE is also called asymmetric encryption because it uses two keys instead of one Public Key Encryption (PKE)

32 n Authentication of sender is ALSO needed for securely transmitting information via the Internet n A variety of techniques have been developed to achieve this:  Pretty Good Privacy (PGP)  Digital Certificates & Public Key Infrastructure (PKI) Practical Public Key Encryption

33 PGP (Pretty Good Privacy) n Developed by Philip Zimmerman  official repository held at the Massachusetts Institute of Technology n One of the most common ways to protect messages on the Internet:  Effective  easy to use  free n based on the public-key method  with authentication using a “web of trust” n To encrypt a message using PGP, the receiver needs the PGP encryption package  made available for free download from a number of Internet sources

34 PGP n Such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmerman n Case:  he made PGP public  hence made it available to enemies of the U.S. n After a public outcry, U.S. lawsuit was dropped n still illegal to use PGP in many other countries

35 Digital Signatures/Digital-IDs A unique 'security code' appended to an electronic document A unique 'security code' appended to an electronic document  the digital equivalent of a signature on a paper document »authenticates the sender »permits the authenticity of the document to be proven  also used the ensure the integrity of the message sent n Digital Signatures are supplied packaged within a digital certificate

36 Digital Certificate n A randomly generated number:  used to create the public-private key pair  Creates the attachment to an electronic message known as a digital signature n An individual wishing to send an encrypted email message applies for a digital certificate from a Certificate Authority (CA)

37 Certificate Authorities n Example: verisign  www.verisign.com www.verisign.com n Trusted third-party organizations that issues the digital certificates used to create public- private key pairs n The role of the CA is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

38 n Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company n The finance company provides it with information to confirm an individual's claimed identity n CAs are a critical component in data security and e-commerce because they guarantee that the two parties exchanging information really are who they claim to be Certificate Authorities

39 n On request, a CA can produce an encrypted digital certificate for any applicant n Digital certificates contain:  the applicant's private key  a digital signature n The CA makes its own public key readily available on the Internet n The recipient of the encrypted message can use the CA's public key to decode the digital certificate attached to the message Supplying Digital Certificates

40 n The recipient:  verifies the digital signature as issued by the CA  obtains the sender's public key and digital signature held within the certificate n With this information, the recipient can send an encrypted reply n This procedure relies on the integrity of the CA, and the user must be able to trust them Digital Certificate (continued)

41 Digital Signatures: an increasing role in society… n Digital signatures allow online delivery of traditionally paper based correspondence  Contracts  Government forms such as tax returns  anything else that would require a hand-written signature for authentication… n The flip side of this is that information submitted WITHOUT a digital signature has NOT been authenticated, and a further means of proof of identity of sender should be sought

42 Authentication, Identity, and Identity Theft n Authentication alone is not enough  username/password may be stolen (or even borrowed with permission!) n Need proof:  something only that person would know…  something unique to that person Biometric data) n More on this later…

Download ppt "COMP3123 Internet Security Richard Henson University of Worcester October 2011."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptographic Technologies

Cryptographic Technologies
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Encryption is a way to transform a message so that only the sender and recipient can read, see or understand it. The mechanism is based on the use of.

Encryption is a way to transform a message so that only the sender and recipient can read, see or understand it. The mechanism is based on the use of.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who.

Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who.
1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.

1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.

Similar presentations

Ads by Google