Published by Emory Clarke. Modified over 8 years ago.

COMP2113 E-business
Richard Henson
University of Worcester
April 2008

Week 8: Encryption
- Objectives:
  - Explain the legal position as regards reading other people’s email
  - Describe a simple mathematical operation that could encrypt a text message
  - Explain the differences between symmetric and asymmetric encryption
  - Apply public-private key encryption to the sending of Internet email
  - Explain why digital signatures are necessary in the real world, and how they can be implemented
- Definition: “The translation of data into a secret code”

Why is it necessary to change email data into Secret Codes?
- The Internet is an “open” system
- Data on the Internet could be intercepted by:
  - someone with a good knowledge of TCP/IP
  - any IT literate person with the appropriate software
- This person could be anywhere in the world!

Privacy of Electronic Mail – The Law
- When people send mail (Her Majesty’s mail), it is assumed that no-one will look at it “en route”
- It is a criminal offence to do so
- Like “snail mail”, email communications should be treated as private or confidential
- It is a criminal act to look at a person’s private email without permission (Computer Misuse Act, 1990)
- Email messages at work are more of a grey area, but considered to be the property of the employer… and therefore NOT so private…

Privacy of Electronic Mail – Crime Prevention
- Just because something is illegal, doesn’t mean that people will not try to do it!
- Especially if they don’t think they will get caught!
- If the email data is “scrambled” in some way before sending, it doesn’t matter who gets hold of it – they will not be able to understand the message unless they can “unscramble” it
- Scrambling the data is encryption
- Recovering the scrambled data is decryption

How does Encryption work?
- Data sent over the Internet is generally a sequence of ASCII codes
  - An ASCII code is simply a way of converting a keyboard character into a binary number
- Encryption works by further coding each ASCII character in some reversible way before it is sent
- Encryption normally uses:
  - a coding method (often a mathematical operation)
  - a numerical value used with the coding method
- The ASCII codes can always be recovered by someone who knows the encryption method

Simple Encryption Example
- algorithm based on a mathematical operation such as ADD operating
- key based on a numerical digit (e.g. 5)
- Data represented by an ASCII code
- Algorithm + key produce encrypted data

Encryption Keys
- The key must be kept secret – anyone with access to the key and the algorithm can decrypt any encrypted data produced with that combination
- The coding method and the key used to produce cipher text must be known in order to get back the plain text

Simple example of an Encryption Method
- Method of encryption – add 5 to each ASCII code (this would be the key)
- e.g. if plain text = HELLO (ASCII codes 48 45 4B 4B 4F)
- Cipher text would be MJQQT (ASCII codes 4D 4A 50 50 54)
- Getting the original data back would mean subtracting 5 from each ASCII character – very easy for anyone with access to the key
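
The "add 5" method above as a short Python sketch, followed by a search over every possible key to show how little protection a small key gives once the method is known. This is an added example, not part of the original slides; the function names, the wrap-around at 128 and the constructed message "MEET AT NOON" are assumptions made for illustration.

```python
# Added example: the slide's "add 5" cipher and an exhaustive key search.
# Function names and the sample message are constructed for illustration.

def shift_encrypt(plaintext, key):
    """Add `key` to each ASCII code, wrapping inside the 7-bit ASCII range."""
    data = plaintext.encode("ascii")
    return bytes((b + key) % 128 for b in data).decode("ascii")

def shift_decrypt(ciphertext, key):
    """Subtract `key` from each ASCII code (the reverse operation)."""
    data = ciphertext.encode("ascii")
    return bytes((b - key) % 128 for b in data).decode("ascii")

def try_all_keys(ciphertext, expected_word):
    """Decrypt with every key 0..127 and keep results containing a word the
    analyst expects to see. With only 128 keys this finishes instantly."""
    hits = []
    for key in range(128):
        candidate = shift_decrypt(ciphertext, key)
        if expected_word in candidate:
            hits.append((key, candidate))
    return hits

if __name__ == "__main__":
    print(shift_encrypt("HELLO", 5))           # the slide's example
    intercepted = shift_encrypt("MEET AT NOON", 5)
    print(try_all_keys(intercepted, "NOON"))   # key recovered without being told
```

The search succeeds because the whole key space is 128 values, which is why the later slides on key length matter.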

[Diagram – single key encryption. Labels: User sends message via server; key; Message is coded; Data is transmitted to another server; key; Message is decoded; Message is received]

Effectiveness of Encryption
- During WWII, most countries communicated with their armed forces by radio.
  - To avoid being intercepted, they used single key encryption
  - However… encryption can only be effective if:
    - either the key remains secret
    - or the algorithm remains secret
- The Germans thought they had an encryption method that had a key so complex it was impossible to decipher

Alan Turing and Bletchley Park
- Alan Turing was a tragic genius who did more than most to win the war
- With the efforts of fellow mathematicians, Colossus, the world’s first computer, and 10000 support staff at Bletchley Park, now Milton Keynes…
  - the key and algorithm were deciphered
  - all of the German messages were decrypted
  - so all their troop movements were known

Encryption Techniques
- Many techniques have been developed since the 1960s to enable digital data to be efficiently encrypted and decrypted
- Examples:
  - DES (Data Encryption Standard)
  - IDEA
  - RSA
  - Diffie-Hellman
- Encryption techniques can be classified into two types:
  - Symmetric Key
  - Asymmetric Key

Symmetric Encryption
- Sender and receiver share a single, common key – known as a symmetric key
- Used both to encrypt and decrypt the message
- Advantages:
  - simpler and faster than other systems
- Disadvantages:
  - the two parties need to exchange the key in a secure way
  - the sender cannot easily be authenticated

DES – an example of symmetric encryption
- The most popular symmetric key system is the Data Encryption Standard – US gov, 1977
- DES uses 56-bit encryption working on 64-bit blocks of data
- In view of recent research, this is clearly inadequate for really secure encryption
- Until relatively recently, however, it served a useful purpose

Making Encryption as Effective as Possible
- The more complex the key, the more difficult the encryption method is to decipher
  - A single 40-digit key can be mathematically deduced very quickly using a computer
  - An equivalent 128-digit key would take much longer to “crack”
- It therefore makes sense to use 128-digit key encryption….

Breaking an Encryption Technique
- Usually achieved with the aid of very powerful computers
- The more powerful the computer, the more likely that the key can be mathematically deduced
- Until fairly recently, a 128-bit encryption key would have been considered to be secure
- However, a research team have now succeeded in breaking 128 bit encryption in seconds, using a supercomputer…

Secure Keys for Today and Tomorrow…
- 256-bit encryption is probably now a minimum for single key encryption
  - but only a matter of time…
- 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet
  - again, only a matter of time before even this can be cracked…
- Solution - 1024 bit keys?

Asymmetric Encryption
- This technique uses TWO keys, one of which remains private, and a digital certificate to authenticate the sender
- The other key is public – hence the term Public Key Encryption (PKE)
- This system was actually first invented by some British scientists working at GCHQ
  - but it was top secret
  - and wasn’t published… and in 1976 someone else got the fame…

What is Public Key Encryption (PKE)
- Announced to the world in 1976 by two Americans: Diffie and Hellman…
- Uses two keys:
  - public key - known to everyone
  - private or secret key - known only to the recipient of the message
- Example: John wants to send a secure message to Jane…
  - He uses Jane's public key to encrypt the message
  - Jane then uses her private key to decrypt it

Public Key Encryption
- can work in two ways:
  - private key encryption, public key decryption
  - public key encryption, private key decryption
[Diagram labels: Unencrypted data; Private key on sender’s computer; Encrypted data; Data sent through the Internet; Received by recipient’s computer; Public key on recipient computer; Decrypted data]

Public Key Encryption
- The public and private keys must be related in such a way that
  - only the public key can be used to encrypt messages
  - only the corresponding private key can be used to decrypt them.
- In theory it is virtually impossible to deduce the private key if you know the public key
- PKE is also called asymmetric encryption because of the two quite different keys that need to be used
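
The two directions listed on the slides above (public key encryption with private key decryption, and private key encryption with public key decryption) can be seen with textbook RSA on very small numbers. This is an added example, not part of the original slides; the primes, exponents, function names and the key pairs given to John and Jane are constructed for illustration and are far too small to be secure.

```python
# Added example: textbook RSA with tiny, constructed primes. It shows the two
# directions named on the slide. Not secure: toy key size and no padding.

def make_keypair(p, q, e):
    """Return (public, private) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, so that e*d = 1 (mod phi)
    return (e, n), (d, n)

def apply_key(value, key):
    """The single RSA operation: value ** exponent mod n."""
    exponent, n = key
    return pow(value, exponent, n)

def transform(text, key):
    """Apply a key to each ASCII code of text (one small number per block)."""
    return [apply_key(b, key) for b in text.encode("ascii")]

def recover(blocks, key):
    """Undo transform() using the other key of the pair."""
    return bytes(apply_key(c, key) for c in blocks).decode("ascii")

def verify(text, signature, public_key):
    """A signature is valid if the public key turns it back into the text."""
    try:
        return recover(signature, public_key) == text
    except ValueError:  # also covers UnicodeDecodeError
        return False    # blocks that do not map back to ASCII were not signed

# Constructed key pairs for the slide's John and Jane (hypothetical values).
JANE_PUBLIC, JANE_PRIVATE = make_keypair(61, 53, 17)
JOHN_PUBLIC, JOHN_PRIVATE = make_keypair(89, 97, 5)

if __name__ == "__main__":
    # Direction 1: public key encryption, private key decryption (secrecy).
    secret = transform("HELLO", JANE_PUBLIC)
    print(secret, "->", recover(secret, JANE_PRIVATE))
    # Direction 2: private key encryption, public key decryption (signature).
    signature = transform("HELLO", JOHN_PRIVATE)
    print(verify("HELLO", signature, JOHN_PUBLIC))
    print(verify("HELLP", signature, JOHN_PUBLIC))  # altered message
```

Real systems sign a hash of the message and add padding rather than processing one character at a time; the per-character form is used here only to keep the arithmetic visible.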

PGP (Pretty Good Privacy)
- System of PKE developed by Philip Zimmermann
  - official repository held at the Massachusetts Institute of Technology
- PGP became one of the most common ways to protect messages on the Internet:
  - effective
  - easy to use
  - free…
- To encrypt a message using PGP, a software encryption package was required
  - Zimmermann made it available for free download from a number of Internet sources…

PGP and US Govt
- PGP was so effective as an encryption tool that the U.S. government actually brought a lawsuit against Zimmermann!
  - Case: he had made PGP public and hence made it available to enemies of the U.S.
- After a public outcry, U.S. lawsuit was dropped
  - still illegal to use PGP in many countries

Public Key Infrastructure (PKI)
- Developed for the Internet as a series of RFCs
  - response to concern about security of data on the Internet
- Concerned with authentication as well as security
  - intended to be simple to use…
- Provided a system for storage and display of message recipient's public key
  - this was essential to decrypt a message sent and received using PKE

The Public Key Repository
- What was needed:
  - central registry of public keys and digital signatures
  - must be readily accessible via the Internet
  - must provide authentication, otherwise ANYONE could have sent that message…
- Achieved through LDAP (Lightweight Directory Access Protocol)
  - enables public key lookup to occur completely transparently (without any intervention from any user…)

Lightweight Directory Access Protocol (X509 standard)
- Based on International X500 communications standard
- Supports TCP/IP
- Allows almost any application running on any computer platform to obtain on-line or downloaded directory information:
  - e-mail addresses
  - public keys

Authentication
- About verifying that the person sending a message or web form really is who he or she claims to be
- It may also provide the receiver with the means to encode a reply
- In paper correspondence, authentication is provided by a signature
  - In digital correspondence it needs to be a series of 000’s and 111’s (abbreviated to hexadecimal)

Digital Certificates
- Attachments to electronic messages used for security purposes
  - The “digital signature” authenticates the sender
- Anyone wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA)
  - e.g. Verisign

Good/Bad things about Digital Signatures/Digital-Ids…
- The digital certificate that provides the identification information must be kept very safe…
  - usually kept carefully hidden as a unique ‘security code’
  - appended to an electronic document for the purpose of establishing the authenticity of that document
  - can even be used for tax returns & legal documents…
- BUT…. once someone has acquired another person’s digital identity, they can masquerade as that person all over the Internet…

Certificate Authorities
- Trusted third-party organizations that issue the digital certificates used to create public-private key pairs
- The role of the CA is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

Certificate Authorities (cont…)
- Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company
- The finance company provides it with information to confirm an individual's claimed identity
- CAs are a critical component in data security and e-commerce because they guarantee that the two parties exchanging information really are who they claim to be

SOME Certificate Authorities in the UK
- BT Trustwise (Verisign International Affiliate)
- The Global Trust Register
- Inter Clear
- TrueTrust (Salford University)
- Globalsign UK (Globalsign Network)
- Viacode (Royal Mail CA)
- Mondex International

Supplying Digital Certificates
- On request, a CA can produce an encrypted digital certificate for any applicant
- Digital certificates contain:
  - the applicant's private key
  - a digital signature
- The CA makes its own public key readily available on the Internet
- The recipient of the encrypted message can use the CA's public key to decode the digital certificate attached to the message

Digital Certificate (continued)
- The recipient:
  - verifies the digital signature as issued by the CA
  - obtains the sender's public key and digital signature held within the certificate
- With this information, the recipient can send an encrypted reply
- This procedure relies on the integrity of the CA, and the user must be able to trust them

Digital Signatures – the future?
- Digital signatures already have a legal definition: “an electronic rather than a written signature that can be used by someone to authenticate the identity of the sender of a message or of the signer of a document”
- Online delivery of traditionally paper based correspondence has been a reality for some time…
  - the Electronic Signatures Regulations 2002
  - http://www.opsi.gov.uk/SI/si2002/20020318.htm

Encryption in Client-Server Systems
- Much more about this in COMP3123
- Depend on the use of
  - SSL (Secure Sockets Layer)
    - invented by Netscape
    - became part of the PKI
  - https (secure http)
    - also specified to become part of the PKI
- Together, SSL and https make Server Certificates possible

Why Server Certificates?
- Anyone can set up a web server and put it on the Internet
  - an Internet user on the other side of the world doesn’t have a clue whether they are crooked!!!
  - not good for on-line selling & buying!
- Server certificates can give an Internet vendor respectability
  - Certificates only supplied to “honest” organisations
  - But… how can the certificate authorities tell???