Anda di halaman 1dari 131

DSZQSPHSBQIZ

Brief History of Cryptography!!!!



What is Cryptography?
Science of writing secret code
is an art of protecting information by transferring
it (encrypting )into an unreadable format ,called
cipher text

The first use of cryptography in 1900 B.C.
Used by Egyptian scribe
Some experts say it appeared right after writing was
invented


Encryption/ Decryption

Encryption is the transformation of data into some unreadable form.
Its purpose is to ensure privacy by keeping the information hidden from
anyone for whom it is not intended ,even those who can see encrypted data .
It is a procedure to convert a regular text into a coded or secret text .







Decryption: the reverse of encryption :it is the transformation of encrypted
data back into some intelligible form.
A basic task in cryptography is to enable users to communicate securely over
an insecure channel in a way that guarantees their transmission privacy and
authenticity
.Providing privacy and authenticity remains a central goal for cryptographic
protocols.


Encryption Decryption
Plain Text Cipher Text
Original Text
Encryption
Common Terms is Cryptography
system
Intruder :An intruder is any person who does not have the authorization to access the
network or the information
Plaintext: It is an intelligible message that needs to be converted into an intelligible
message or encrypted message
Cipher text :A message in encrypted form
Encryption: is a method by which plaintext can be converted to cipher text
Decryption: is a method by which cipher text can be converted into a plaintext
Algorithm: A cryptography algorithm is a mathematical function .
Key: It is a string of digits
5
Keys
It is a variable value that is used by
cryptographic algorithms to produce encrypted
text, or decrypt encrypted text.
The length of the key reflects the difficulty to
decrypt from the encrypted message.
Encryption Decryption Plaintext
Plaintext
Ciphertext
Key Key
Example
Plain text Algorithm Cipher text Algorithm Plain text
Item Next letter Jufn Previous Letter Item
Message Previous 3
Letters
Next 3 Letters Message
Cryptography Broken Down!!!

Two kinds of cryptosystems:
Symmetric
Uses the same key (the secret key) to encrypt and
decrypt a message.
Asymmetric
Uses one key (the public key) to encrypt a message and
a different key (the private key) to decrypt the message.



Symmetric key encryption system
Same key is used to both encrypt and decrypt data
Examples of encryption systems: DES, 3DES, AES
Symmetric Cryptosystem!

Secret Key (Symmetric)
Symmetrical Key encryption is also known as private key encryption
With secret key ,the same key is used to encrypt information and
decrypt information. Hence the operation is known as symmetric.
With secret key systems you dont know who sent the message or if it
is for a specific recipient ,Because anyone with the secret key could
create or read the message .
Encryption with Keys
Encryption Decryption
Plain Text Cipher Text
Original Text
Key
(Symmetric Cryptosystem)

The message:
The sender and receiver know and use the same secret key.
The sender uses the secret key to encrypt the message.
The receiver uses the same secret key to decrypt the message
Same key is used to both encrypt or decrypt the
message .
This means that the sender & receiver had to agree in
advance of the key .
There are a wide variety of symmetric encryption
algorithms.
The most widely used encryption algorithm was DES
(Data Encryption standard ) which was sanctioned by
the National Institute of standards & technology (NIST)
DES was developed by IBM .
It is a block cipher scheme which encrypts a 64-bit data
block using a 56-bit key .
The block is transformed in such a way that it involves
sixteen iterations. This is done by using the security key

Main challenge

Agreeing on the key while maintaining secrecy.
Trusting a phone system or some transmission medium.
The interceptor can read, modify, and forge all
messages

Limitations
Both parties must agree upon a shared secret key
If there are n correspondents ,you have to keep
track of n different secret keys .if the same key is
used by more than one correspondent ,the
common key holders can read others mail
Symmetric encryption schemes are also subject
so authenticity problems .Since both the sender
& the recipient cannot be proved .Both can
encrypt decrypt the message
Key Management!!!

Key management:
The generation, transmission, and storage of a key.
All cryptosystems must deal with key
management issues
Because all keys must remain secret there is
often difficulty providing secure key
management.

Key Pairs
A key is a unique digital identifier
Keys are produced using a random number generator
A key pair consists of two mathematically
related keys
The private key is secret and under the sole
control of the individual
The public key is open and published


Introduction of the Public Key!!!

Created to solve key management problems.

Created by Whitfield Diffie and Martin Hellman
in 1976.

Also called asymmetric system.

Encryption key: public key

Decryption key: private key

Public Key Cryptography
Public Key encryption is also known as asymmetrical
encryption
It utilizes a pair of keys one public & one private (in
pair)
Public key is made available to anyone who wants to
send an encrypted message to the holder of the
private key .
The only way to decrypt the message is the private key
.
In this way messages can be sent without agreeing on
the keys in advance .
The most widely used public key algorithm is RSA
Public key encryption system
Each user has 2 keys: what one key encrypts,
only the other key in the pair can decrypt.
Public key can be sent in the open.
Private key is never transmitted or shared.
Eg. RSA (Rivest, Shamir, and Adleman )
Recipients Public Key Recipients Private Key
Public & Private Keys
Public and Private Key pairs comprise of two
uniquely related cryptographic keys.

Public key is made accessible to everyone, whereas
Private key remains confidential to its respective
owner.

Since both keys are mathematically related only the
corresponding private key can decrypt their
corresponding public key.

How its works!!!!

Encryption with Keys
Encryption Decryption
Plain Text Cipher Text
Original Text
Encryption Key (K
e
)

(Asymmetric Cryptosystem)
Decryption Key (K
d
)

In order to solve the key management problem, Whitfield
Diffie and Martin Hellman introduced the concept of public-
key cryptography in 1976
. Public-key cryptosystems have two primary uses, encryption
and digital signatures.
In their system, each person gets a pair of keys, one called
the public key and the other called the private key.
The public key is published, while the private key is kept
secret.
The need for the sender and receiver to share secret
information is eliminated; all communications involve only
public keys, and no private key is ever transmitted or shared.
In this system, it is no longer necessary to trust the security
of some means of communications.
The only requirement is that public keys be associated with
their users in a trusted (authenticated) manner (for instance,
in a trusted directory).
Anyone can send a confidential message by just using
public information, but the message can only be decrypted
with a private key, which is in the sole possession of the
intended recipient.


Advantages
Message confidentiality Can be proved :the
sender uses the recipients public key to encrypt a
message ,so that only the private key holder can
decrypt the message ,no one else .
Authenticity of the message originator can be
proved : The receiver uses his private key to
encrypt a message ,to which only the sender has
access .
Easy to distribute public key : The public key of
the pair can be easily distributed .
Public Key Cryptography
Complimentary Algorithms are used to encrypt and decrypt documents
@#@#@$$56455908283923
542#$@$#%$%$^&
Encryption key
Decryption key
Unreadable Format
Public Key Infrastructure in Action
Public Key Private Key
Secure Transmission
Signatures
Decrypting
Encrypting
Encrypting
Decrypting
Message Digest
Used to determine if document has changed
Usually 128-bit or 160-bit digests
Infeasible to produce a document matching a digest
A one bit change in the document affects about half the
bits in the digest
Eg. SHA-1 (160-bit digest), Secure Hash Algorithm

Hash Algorithm
Digest
Plaintext
Hash function
Hash function is a formula that converts a
message of a given length into a string or digits
called a message digest .
A mathematical transformation is used by the
hash function to encrypt information such that it
is irreversible .
The encrypted cipher text message cannot be
decrypted back to plain text .



How it works
X sends message to Y


Sender Receiver
The sender generates a message
A Message Digest of the message is created using the hash function
The sender attaches is digital signature to the end of the message
The sender encrypts both message and signature with receivers public
keys
Using a private key ,the entire message is encrypted by the receiver
The receiver calculates the message digest using the hash function
The receiver uses the same hash function that the sender uses ,and which
has been agreed upon in advance .
The main advantage is that even if an unauthorized person access Xs
public key ,he will not be able to get to the hash function generated key
this making the digital signature authentic and secure
X
Y
Trusted Electronic
Transactions
ELECTRONIC TRANSACTIONS
Streamline Reporting Process
Reduce burden on regulated community
Efficient Record Retention
Timely and Accurate Data Retrieval and Access
Emergency Response (24/7 access)
Community-Right-to-Know
CAN ELECTRONIC DATA BE TRUSTED?
Accuracy and Authenticity
Decisions regarding Environmental Health and Impact
Security
Protection from unauthorized access
Tamper-resistant
Accidental human errors
Intentional - Fraud
Credibility in Judicial Proceedings
Effective Enforcement
Plaintiff/Defendant Subpoena
Evidence must be unambiguous to be admissible in court

Once admitted into Court, evidence must be persuasive to a jury
JUDICIAL CREDIBILITY is the Highest Standard
for Trusted Data **
1. AUTHENTICATION: the ability to prove the senders identity
2. REPORT INTEGRITY: the ability to prove that there has been no change during
transmission, storage, or retrieval
3. NON-REPUDIATION: the ability to prove that the originator of a report intended to be
bound by the information contained in the report

WHAT DETERMINES A LEGALLY BINDING
REPORT ?

NON-REPUDIATION
AUTHENTICATION
REPORT INTEGRITY
TRUST IN PAPER-BASED REPORTS
ELECTRONIC REPORTING
FROM PAPER TO ELECTRONIC: Repudiation
Risks in Basic Electronic Transactions

I did not send that report !
That report is not the one I sent !
I did not mean that !



I did not send that report !
Identity of user is unknown
Possible Solutions:
Telephone call follow-up
Terms and Conditions Agreement (TCA) / Mailed Certification
Agreement
Mail a Diskette Containing Electronic Data

That report is not the one I sent !
Identity of user is unknown
Possible Solutions:
Telephone call follow-up
Terms and Conditions Agreement (TCA) / Mailed Certification
Agreement
Mail a Diskette Containing Electronic Data
Ensuring Authenticity and Report Integrity in
Electronic Transactions
Digital Signatures
Public Key Infrastructure





Public Key Infrastructure (PKI)
PKI is a combination of software, encryption
technologies and facilities that can facilitate trusted
electronic transactions.
PKI provides an electronic framework i.e.
software & a set of rules & practices for secure
communication & transaction between organizations
& individuals
PKI Components
Key Pairs
Certificate Authority
Public Key Cryptography
39
PKI Structure
Certification Authority
Directory services
User
Services,
Banks,
Webservers
Public/Private Keys
Certification Authorities(CAs)
A trusted authority
Responsible for creating the key pair, distributing the
private key, publishing the public key and revoking the
keys as necessary
The Passport Office of the Digital World

An organization that issues public key certificates(Digital
Signature).
Signed by certification authoritys own private keys, contains
name of the person, persons public key, a serial number, and
other info.,
Example: verisign corp.

A Certifying Authority is a trusted agency whose central
responsibility is to issue, revoke, renew and provide directories for
Digital Certificates.


The certificate authority issues a digital certificate to companies
and organizations that are accessible via the internet .

They are issued for a certain period of time and are used as a
guarantee of the security of a website .

It is also referred to as a reliable third party











Certificate Authority
CSC1720 Introduction to
Internet
All copyrights reserved by C.C. Cheung 2003. 42
CA model (Trust model)
Root Certificate
CA Certificate
Browser Cert.
CA Certificate
Server Cert.
Different kinds of certificates
Certification authorities Certificates
contain public key of CAs and name of service
this can in turn be signed by other certification authorities.
Server Certificates
contain public key of SSL server,
name of the organization running the server, Internet hostname, servers
public key.
Personal Certificates
contains individuals name and public key.
other information is also allowed.
Software Publisher Certificates
certificates used to sign the distributed software.

Digital Signature
Digital Signature
A Digital Signature is a method of verifying the
authenticity of an electronic document.
A digital signature is a personalized thumb print. It is the
encryption of an electronic document by a key
Characteristics
a protocol that produces the same effect as real
signature.
Only the sender can mark it.
Easily identifiable by others as one from the sender.
Used to confirm agreement to a message.


Digital signature can be used in all electronic
communications
Web, e-mail, e-commerce, electronic banking and
general security & authentication of documents
It is an electronic stamp or seal that append to
the document.
It Ensures that the document is being
unchanged during transmission.

The IT Act has given legal recognition to digital
signature meaning, thereby, that legally it has the
same value as handwritten or signed signatures
affixed to a document for its verification
The Information Technology Act, 2000 provides
the required legal sanctity to the digital signatures
based on asymmetric cryptosystems.
The digital signatures are now accepted at par
with handwritten signatures and the electronic
documents that have been digitally signed are
treated
Physical Signature / Digital Signature
Physical Signature Digital Signature
Physical Signature is just a writing
on paper
Digital Signature encompasses
crucial parameters of identification
Physical Signature can be copied It is IMPOSSIBLE to copy a Digital
signature
Physical Signature does not give
privacy to content
Digital Signature also enables
encryption and thus privacy
Physical Signature cannot protect
the content
Digital Signature protects the
content

How digital Signature works?
User A
User B
Use As private key to sign the document
Transmit via the Internet
User B received
the document with
signature attached
Verify the signature
by As public key stored
at the directory

Report Encryption Algorithm Digitally Signed

An individual digitally signs a document using the private key component of his certificate.
Digital Signatures
Private key
Authentication and Verification
The individuals public key, published by the CA decrypts and verifies the digital
signature.
Digitally Signed
Public Key
Decryption Algorithm
Advantages
Signer authentication: The signer of the document is the
owner of the private key for creating the signature and
unless that is lost ,the digital signature cannot be altered by
any other means
Message authentication: Today digital signature are
probably more authenticated than the paper signature
itself .Any alteration can be detected at the receiving end
using the public key
Efficient: The creation and use of digital signature and
exchange digitally signed content is more efficient than
paper signatures .Digital signature can be automatically
created using programs these days and hence the creation
time is also quite less
Limitations
If the private key is lost the content signed
using that key is fully compromised and can be
tampered with
The issuer of the digital signature could give
compromise security by giving your private
key to someone else .
A digital signature is an electronic method
of signing an electronic document

Digital Certificate is a computer based
record that
Identifies the Certifying Authority issuing
it

Has the name or the identity of its
subscriber
Contains the subscriber's public key
Is digitally signed by the Certifying
Authority issuing it

digital signatures are used to verify the
trustworthiness of information
Digital certificates are used to verify the
trustworthiness of a website
. However, in the case of digital
signatures, the recipient must have a
relationship with the sender or hosting
site.
Organizations using digital certificates
don't require a relationship with the
remote site; they just need the ability to
identify which digital certificate authority
was used by the site to validate it
Digital Certificates
Digital Certificate is a data with digital
signature from one trusted Certification
Authority (CA).
This data contains:
Who owns this certificate
Who signed this certificate
The expired date
User name & email address

What is a Digital Signature
Certificate?

Digital signature certificates (DSC) are the digital
equivalent (that is electronic format) of physical or
paper certificates.
Examples of physical certificates are drivers' licenses,
passports or membership cards.
Certificates serve as a proof of identity of an individual
for a certain purpose; for example a driver's license
identifies someone who can legally drive in a
particular country.
Likewise, a digital certificate can be presented
electronically to prove your identity, to access
information or services on the Internet or to sign
certain documents digitally.

Why is Digital Signature Certificate (DSC) required?
Like physical documents are signed manually,
electronic documents, for example e-forms are
required to be signed digitally through Digital Signature
Certificate.

Who issues the Digital Signature Certificate?
A licensed Certifying Authority (CA) issues the digital
signature.
Certifying Authority (CA) means a person who has
been granted a license to issue a digital signature
certificate under Section 24 of the Indian IT-Act 2000.
The list of licensed CAs along with their contact
information is available on www.mca.gov.in . You can
obtain your DSC from Veracity IT & Legal Services.
Advantages of Digital Certificates
Decrease the number of passwords a user has
to remember to gain access to different
network domains.
They create an electronic audit trail that
allows companies to track down who executed
a transaction or accessed an area.




Security Standards For electronic
Payment System
A secured payment transaction system is of
critical importance to e-commerce
Without security standard ,one cannot
assume the success of e-commerce
There are two common standards used for
a secure electronic payment system
SSL
SET
Secure Socket layer (SSL)
SSL is a protocol for giving data security layers between high-
level
It is a key protocol for securing web transactions ,data packets
in the internet
It provides sever & client authentication and an encrypted
SSL connection
It uses public key cryptography and system for validating
public key & digital certificates over the server .
SSL Provides 3 basic services :Sever authentication ,client
authentication & encrypted SSL connection .
SSL sever authentication uses public Key cryptography to
validate server's digital certificate and public key on the client
;s machine
What Happens When a Web Browser Connects
to a Secure Web Site
What is SSL?

A protocol developed by Netscape.
It is a whole new layer of protocol which operates above
the Internet TCP protocol and below high-level application
protocols.
SSL is a communications protocol layer which can be
placed between TCP/IP and HTTP
It intercepts web traffic and provides security between
browser and server
Encryption is used to guarantee secure communication in
an insecure environment
SSL uses public-key cryptography

SSL Working
An SSL certificate allows sensitive information
to be encrypted during online transactions
Authenticated information about the owner of
the certificate is also contained in it.
The identity of the owner of the certificate is
verified by the certificate Authority at the
time of its issue
What Can SSL Do?
It provides the following
Data Encryption ,Server Authentication ,Message integrity
,Optional Client authentication .
SSL provides a security handshake protocol to start the
TCP/IP connection. The consequence of this handshake is that
the client and server agree on the level of security they would
use & completes any verification necessities for the
connection .After that ,it is only used to decrypt and encrypt
the message stream .

SSL includes two sub-protocols: the SSL
Record Protocol and the SSL Handshake
Protocol.
Record Protocol -- defines the format used to
transmit data.
Handshake Protocol -- using the Record
protocol to exchange messages b/t an SSL-
enable server and an SSL-enable client.
SSL usage
Any online store
Anyone who accepts online orders & payments through
credit cards
A site that offers a login or sign in
Anyone processing sensitive data such as the address
,birth date ,license or ID Numbers
Anyone who is required to comply with privacy &
Security requirements
Anyone who values privacy & security requirements
Anyone who values privacy & expects others to trust
them

Challenge-Response e-mail system

It is an anti-spam system which is designed to shift the filtering
workload from the recipient to the spammer (or the legitimate
sender).
The fundamental idea is that spammers will not take the time to
confirm that they want to send you email, but a legitimate sender
will.
The system maintains two lists of addresses: a "blacklist" of senders
that will always be blocked, and a "whitelist" of senders that will
never be blocked.
If someone sends you email from an address not listed in either
list, they will get an "challenge" (and their message will be queued
temporarily).
If they give the correct "response" to the challenge, they get added
to your white list and their queued message(s) get forwarded to
you.

Regulations of the Internet encryption
technologies
Encryption technology is being widely used today by enterprise as
well as individuals consumer to protect the proprietary data and
confidentiality of communication via e-mail or chat .
For Example we use our credit cards for booking movies ,air or rail
tickets over the internet on encrypted channels and feel safe that
our personal or credit card information is not compromised when in
transit .
Similar technology can be also used by criminals to send
information via the internet and escape without being intercepted
by the government bodies; hence regulations need to be in place by
the security organizations of different nations governing the use of
encryption technology and the purpose for which it can be used .
Such regulations need to be in force for protecting the lives of
millions of people which might be compromised by negative
element of the society .
But there has to be regulations related to what information can be
access and decrypted by the government bodies

Government regulation on encryption
Encryption systems across the world are controlled by
regulation imposed by various governments.
One of the primary methods of regulating encryption
by the government is by the use of export restrictions
If anyone needs to export encrypted data ,they need a
license from a licensing authority which might be the
government agency or a third party government
certified authority .
Some of these regulations are continually challenged in
the courts ,but the government are bound by security
concerns that would arise if such regulations are not in
place

Digital Signatures Controls on
Encryption
The most commonly found internet security mechanism today is
SSL encryption .
A well designed security solution should have the following attributes
Data transfer from browser to server ,server to browser ,should be
encrypted
Any file attachments should be encrypted and digitally singed to
ensure security of the consumer who downloads or uploads these
attachments
All digital signatures should have some accountability mechanism to
be validated in the receiving end
Authentication mechanism should be foolproof ,smart cards can be
used to store certificates to ascertain consumer authenticity
Not only the fillable fields in the form ,but the whole content of the
web page should be encryptable and digitally sign able


Specific Issues in US Encryption
Controls
Three problems deter widespread acceptance of encryption

Successful encryption requires that all participating parties use the same
encryption scheme .Within an organization ,or a group expected to
cooperate (such as banks) ,standards have to be establishes that make
encryption feasible
The distribution keys has been a second barrier to wider use of
encryption ,as there is no easy way to distribute the secret key to a person
not known The only safe way to distribute the secret key is in person ,and
then the distributor must provide a different secret key for each person.
Even public key schemes require method for key distribution
The final deterrent to widespread acceptance of encryption is its
difficulty to use .The user interface to encryption must be simplified .For
Encryption to flourish average consumer must find the software easy to
use for commercial applications .
?
Do Digital Certificates Have
Vulnerabilities?
One problem with a digital certificate is where it
resides once it is obtained.
The owner's certificate sits on his computer, and
it is the sole responsibility of the owner to
protect it.
If the owner walks away from his computer,
others can gain access to it and use his digital
certificate to execute unauthorized business.



The best way to address the vulnerabilities of
digital certificates is by combining them with
biometric technology, as that confirms the
actual identity of the sender, rather than the
computer.

Do Digital Certificates Have
Vulnerabilities?
Security Standards For electronic
Payment System
A secured payment transaction system is of
critical importance to e-commerce .
Without security standard ,one cannot
assume the success of e-commerce
There are two common standards used for a
secure electronic payment system .
SSL
SET
What is SSL?

A protocol developed by Netscape.
It is a whole new layer of protocol which
operates above the Internet TCP protocol and
below high-level application protocols.
SSL
SSL is a communications protocol layer which can
be placed between TCP/IP and HTTP
It intercepts web traffic and provides security
between browser and server
Encryption is used to guarantee secure
communication in an insecure environment
SSL uses public-key cryptography
What is SSL?
What Can SSL Do?
SSL uses TCP/IP on behalf of the higher-level
protocols.
Allows an SSL-enabled server to authenticate
itself to an SSL-enabled client;
Allows the client to authenticate itself to the
server;
Allows both machines to establish an
encrypted connection.
What Does SSL Concern?

SSL server authentication.
SSL client authentication. (optional)
An encrypted SSL connection or
Confidentiality. This protects against electronic
eavesdropper.
Integrity. This protects against hackers.

SSL Working
An SSL certificate allows sensitive information
to be encrypted during online transactions
Authenticated information about the owner of
the certificate is also contained in it.
The identity of the owner of the certificate is
verified by the certificate Authority at the
time of its issue
SSL components

SSL Handshake Protocol
negotiation of security algorithms and parameters
key exchange
server authentication and optionally client authentication
SSL Record Protocol
fragmentation
compression
message authentication and integrity protection
encryption
SSL Alert Protocol
error messages (fatal alerts and warnings)
SSL Change Cipher Spec Protocol
a single message that indicates the end of the SSL handshake
Henric Johnson 83
SSL Architecture
SSL includes two sub-protocols: the SSL
Record Protocol and the SSL Handshake
Protocol.
Record Protocol -- defines the format used to
transmit data.
Handshake Protocol -- using the Record
protocol to exchange messages b/t an SSL-
enable server and an SSL-enable client.
The exchange of messages facilitates the
following actions:
Authenticate the server to the client; Allows
the client and server to select a cipher that
they both support; Optionally authenticate
the client to the server; Use public-key
encryption techniques to generate share
secrets; Establish an encrypted SSL conn.
SSL usage
Any online store
Anyone who accepts online orders & payments through
credit cards
A site that offers a login or sign in
Anyone processing sensitive data such as the address
,birth date ,license or ID Numbers
Anyone who is required to comply with privacy &
Security requirements
Anyone who values privacy & security requirements
Anyone who values privacy & expects others to trust
them

SSL Summarization
Exists between raw TCP/IP and Application Layer.
Features added to streams by SSL
Authentication and Nonrepudiation of Server, using Digital Signatures.
Authentication and Nonrepudiation of Client, using Digital Signatures.
Data confidentiality through Encryption.
Data Integrity through the use of message authentication codes.
Functions
Separation of duties.
Efficiency.
Certification - based authentication
Protocol Agnostic.
Transport Layer Security is being tried out.
Secure Socket layer (SSL)
SSL is a protocol for giving data security layers between high-level application
protocol & TCP/IP , it is a security protocol .

It provides the following
Data Encryption ,Server Authentication ,Message integrity ,Optional Client
authentication .
SSL provides a security handshake protocol to start the TCP/IP connection. The
consequence of this handshake is that the client and server agree on the level of
security they would use & completes any verification necessities for the
connection .After that ,it is only used to decrypt and encrypt the message stream .

It is a key protocol for securing web transactions ,data packets in the internet
.It provides sever & client authentication and an encrypted SSL connection
.It uses public key cryptography and system for validating public key & digital
certificates over the server .
SSL Provides 3 basic services :Sever authentication ,client authentication &
encrypted SSL connection .
SSL sever authentication uses public Key cryptography to validate server's digital
certificate and public key on t he client ;s machine
Secure Electronic Transaction (SET)
Developed by Visa and MasterCard
Designed to protect credit card transactions
on the Internet
SET is a system for ensuring the security of
financial transactions on the Internet
Set of security protocols and formats
Not a payment system
Ensures privacy.


Henric Johnson 90
Secure Electronic Transactions
Key Features of SET:
Confidentiality of information- all messages
encrypted
Integrity of data
Cardholder account authentication
Merchant authentication
Trust: all parties must have digital certificates
Privacy: information made available only when and
where necessary





SET Business Requirements
Provide confidentiality of payment and
ordering information
Ensure the integrity of all transmitted data
Provide authentication that a cardholder is a
legitimate user of a credit card account
Provide authentication that a merchant can
accept credit card transactions through its
relationship with a financial institution
SET Business Requirements (contd)
Ensure the use of the best security
practices and system design techniques to
protect all legitimate parties in an
electronic commerce transaction
Create a protocol that neither depends on
transport security mechanisms nor
prevents their use
Facilitate and encourage interoperability
among software and network providers
Participants in the SET System
SET Transactions
SET Transactions
The customer opens an account with a card issuer.
MasterCard, Visa, etc.

The customer receives a X.509 V3 certificate signed by a bank.
X.509 V3

A merchant who accepts a certain brand of card must possess two X.509 V3 certificates.
One for signing & one for key exchange

The customer places an order for a product or service with a merchant.

The merchant sends a copy of its certificate for verification.
Henric Johnson 96
Sequence of events for transactions
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant request payment authorization.
8. The merchant confirm the order.
9. The merchant provides the goods or service.
10. The merchant requests payments.
Components to build Trust
Data Confidentiality Encryption
Who am I dealing with? Authentication
Message integrity Message Digest
Non-repudiation Digital Signature
Access Control Certificate Attributes
Conclusion
With the help of the above discussions, the SET protocol appears
to be complete, sound, robust and reasonably secure for the
purpose of credit-card transactions.
However, it is important that the encryption algorithms and key-
sizes used, will be robust enough to prevent observation by hostile
entities.
The secure electronic transactions protocol (SET) is important for
the success of electronic commerce.
Secure electronic transactions will be an important part of
electronic commerce in the future.
Without such security, the interests of the merchant, the
consumer, and the credit or economic institution cannot be served.



Contd
Encryption with Keys
Encryption Decryption
Plain Text Cipher Text
Original Text
Encryption Key (K
e
)

(Asymmetric Cryptosystem)
Decryption Key (K
d
)

Encryption with Keys
Encryption Decryption
Plain Text Cipher Text
Original Text
Key
(Symmetric Cryptosystem)
Encryption Decryption
Plain Text Cipher Text
Original Text
Encryption
Secure Email Protocols
PEM (Privacy Enhanced Mail)
Is a standards that provides security-related services foe
electronic mail application
Commonly used with SMTP (simple mail transport protocol)
PEM Features
Includes encryption ,authentication & key management
It allows use of both public & Private key cryptography
It uses the data encryption standard(DES) algorithm for
encryption & RSA algorithm for sender authentication &
key management .
It verifies the identity of the message originator & verifies
whether any of the original text has been altered .

PGP (Pretty Good Privacy )
PGP is a file based product developed by software engineer Phil Zimmerman in
1991
It is a free software that encrypts email .
It is mostly used for personal e-Mail security
PGP supports public-key & symmetric key encryption as well as digital signatures
It operates by encrypting the data with one time algorithm & then encrypting the
key to the algorithm using public key cryptography
PGP also supports other standards such as SSL & lightweight Directory access
protocol(LDAP)
LDAP is a standard for accessing specific information ,including stored public key
certificates
It is freely available for DOS ,Macintosh ,UNIX,& OS/2 systems
PGP provides secure encryption of documents & data files that even advanced
supercomputers are hard pressed to crack
The process is so simple that anyone with a PC can do it with almost no effort .
S/MIME (Multipurpose Internet Mail Extension )
Was developed by RSA in 1996 as a security
enhancement to old MIME standard for
internet email
It is built on public key cryptography standards
S/MIME is considered powerful because it
provides security for different data types & for
email attachments


MSP(Message security protocol)

MSP is used by the US government & government
agencies to provide security for e-mail
Its function is securing e-mail attachments across
multiple platforms
It operates at the application level of the internet
& does not involve the intermediate message
transfer system .
An MSP message includes the original message
content & specific security parameters required
by the recipients to decrypt or validate the
message when received .
Creation of digital signature
According to the Act ,Asymmetrical or public key cryptography
involving a pair of keys (private or public is used for creating a
digital signature
Steps to create digital signature
Signer demarcates the message
Hash function is the signer's software computes a hash result
unique to the message
The signer software then transforms (encrypts) the hash result into a
digital signature using a signers private key. the resulting digital
signature are unique to both the message and the private key is
used to create it .
The digital signature (a digitally signed message hash result of the
message ) is attached to both its message and stored or transmitted
with its message .digital signature is unique to its message .signer
sends both digital signature and message to recipient
Digital Signature Generation and
Verification
Message Sender Message Receiver
Message Message
Hash function
Digest
Encryption
Signature
Hash function
Digest
Decryption
Expected Digest
Private
Key
Public
Key
Verification
The recipient of a digitally signed message can
verify both that the message originated from
the person who se signature is attached and
that the message has not been altered either
intentionally or accidently since it was signed
.Furthermore ,secure digital signature cannot
be repudiated ,the signer of a document
cannot later disown it by claiming the
signature was forged .
Steps to verify digital signature
For verifying the digital signature first of all ,the recipient
receives digital signature and the message
He applies signers public key on the digital signature &
recovers the hash result from the digital signature .
After this ,he computes a new hash result of the original
message by applying the same hash function used by the
signer to create the digital signature
Lastly he compares the two hash results ,if they are
identical ,it indicates that the message has not been
modified .If two hash results are not same ,it would mean
that the message either origated somewhere else was
altered after it was signed and the recipet in such case can
reject the message .
Applications

Digital certificate
A digital certificate is called an electronic identity card
and is used for establishing the users credentials when
conducting transactions over the web. A digital
certificate is defined as a method of verifying
authencity electronically >the digital certificate is
equivalent to real identification, such as a drivers
license. diffrent certifying authorities provide it .Digital
certificates are used to confirm a website ,or a visitor
to a website ,is the entity or person they declare to be
.they are like an electronic testimonial issued by a
certificate ion authority to ascertain the identity of an
organization when doing business dealings on the
internet .
Contents of digital certificate
Holders name ,organization ,address
Name of the certificate authority
Public key of the holders for cryptographic use
Time limit (these certificates are issued for a
period of six months to a year)
Digital certificate identification number
Security in Transmission
Secure Socket Layer (SSL)
https
Submission is encrypted by the sender with recipients public key
After receipt, submission is decrypted with recipients private key
What Should Be Signed ?
Balance between capturing the entire content of
the transaction vs. ease of data integration
Data that is Machine readable but which separates
user entry content from context: database, comma
delimited, spreadsheet, etc
Data that records content and context but which are
not easily integrated into databases: word, pdf, image,
html, etc

Ensuring Non-repudiation in Electronic
Transactions
Capturing Complete Transactions in Archive
Signing the content and context of a transaction
Storing the signed transaction in a data warehouse without manual
intervention


Granting Public Access to paper reports

Public comes into agency office
Public provides drivers license or other identification
Agency can monitor who is accessing data
Providing Trusted Electronic Access
to Data
Identity of user is unknown
Access cannot be monitored
Relying on the Certificate Authority
Public
Digital
Certificate

In order to obtain access to Community Right to Know Data, individuals first
obtain digital Certificates.
Applying PKI to Public Access
Public
After contributing a certificate to gain access, The individuals certificate can be
cross-referenced with other security databases to monitor suspect individuals.
Digital
Certificates

Agency
California Digital Signature Regulations



Definitions
Digital Signatures Must Be Created By An Acceptable
Technology- Criteria For Determining Acceptability
List of Acceptable Technologies
Provisions For Adding New Technologies to the List of
Acceptable Technologies
Issues to Be Addressed By Public Entities When Using
Digital Signatures
California Code of Regulations
Title 2. Administration DIVISION 7. CHAP 10. DIGITAL SIGNATURES
http://www.ss.ca.gov/digsig/regulations.htm
The technology known as Public Key Cryptography is an
acceptable technology for use by public entities in
California, provided that the digital signature is created
consistent with the provisions in Section 22003(a)1-5.
"Acceptable Certification Authorities" means a certification
authority that meets the requirements of either Section
22003(a)6(C) or Section 22003(a)6(D).
"Approved List of Certification Authorities" means the list
of Certification Authorities approved by the Secretary of
State to issue certificates for digital signature transactions
involving public entities in California.

California Digital Signature Regulations

Unsigned Web forms can be sent by anyone. They can be tampered in
transmission and the sender cant be legally verified
Unsigned Data in a database can be altered and does not provide
adequate evidence in a court of law
Data on Diskette can be altered without visible evidence

Summary: Electronic Report Transactions are
subject to fraud and easily repudiated:
Digitally signed reports can also be repudiated, if the signed data is stored
independently of the form question data.

Summary, cont.

Conclusion: Ensuring Trusted Electronic
Transactions
1. PKI supports trusted electronic report transactions:

Authentication- authenticates the
sender of a report
Report Integrity- invalidates a report if it has been tampered.
Non-repudiation- sender and document
are authenticated- the sender cannot
deny having sent the report



Conclusion, cont.
2. PKI supports trusted access to Public Data:
Agencies require individuals to contribute digital certificates in order to gain
access.
Agencies can track who gains access at what time
The names of individuals who seek access can be cross-referenced with
additional security databases to protect public safety
Conclusion, cont.
3. Complete Archiving ensures that a legal record of a transaction can be trusted :
Non-repudiation- Storing a copy of the entire data (including questions on
the form) with the digital signature.
Rely-On Solutions
Cryptography and Web
Security
Functions,
Confidentiality,
Encryption is used to scramble the message.
Authentication,
Digital Signatures are used for verification.
Integrity,
methods used to verify whether the message has been
modified on transit.
Digital Signed message codes are used.
Nonrepudiation
author of a message cant deny sending a message.
Rely-On Solutions
What cryptography cant do ?
Protect unencrypted documents.
Protect against stolen encryption keys.
Against denial-of-service attacks.
Against the record of a note that a message was
sent.
Against a traitor or a mistake.
Rely-On Solutions
Working Encryption Systems
Programs
PGP(Pretty Good Privacy).
S/MIME.
Protocols
SSL(Secure Socket Layer).
PCT(Private Communications Technology).
S-HTTP(Secure HTTP).
Cybercash.



Rely-On Solutions
Contd
SET(used in web shopping).
Electronic Wallet with User.
Server that runs on Merchants web site.
SET payment server runs in merchants bank.
DNSSEC(Domain Name System Security).
IPSec and IPv6.
IPsec works with IPv4 and standard version used today
works for IPv6 and includes IPsec.
Kerberos.
Rely-On Solutions
Network Layer Security Protocol
(IPsec)
IP Security protocol - a suite of protocols that provides security at the
network layer.
Network layer must provide
Secrecy - hide message from any third party that is "wire tapping" the
network.
Source authentication -IP datagram with a particular IP source
address, it might authenticate the source.
there are two principal protocols:
the Authentication Header (AH) protocol.
provides source authentication and data integrity but not secrecy.
the Encapsulation Security Payload (ESP) protocol.
provides data integrity and secrecy.
Security Agreement (SA) - the source and network hosts handshake and
create a network layer logical connection
Rely-On Solutions
What is SSL ?
Exists between raw TCP/IP and Application Layer.
Features added to streams by SSL
Authentication and Nonrepudiation of Server, using Digital Signatures.
Authentication and Nonrepudiation of Client, using Digital Signatures.
Data confidentiality through Encryption.
Data Integrity through the use of message authentication codes.
Functions
Separation of duties.
Efficiency.
Certification - based authentication
Protocol Agnostic.
Transport Layer Security is being tried out.
Rely-On Solutions
Secure Web Server
Implements cryptographic protocols.
Safeguard any personal info received or
collected.
Resistant to a determined attack over the I-net.
Bad Guys
Bad Guys
Bad Guys
SERVER ACTIVE
AND PROVIDES
SERVICES TO
AUTHORIZED
PERSONEL
SECURE WEB SERVER
ATTACK
ATTACK
ATTACK