Security Threats - Hype or Reality?

The Concerns about security

Fraud
by posing as legitimate customer/Personnel

Theft/Misuse of credit cards numbers on large scale Disclosure of or tampering with

proprietary or secret data

Damage to me
someone posing as me

manipulation of my site or by

Loss of Business owing to downtime from attacks Costs of resolving disputes given limited
evidence

Public relation Night mares

E-commerce Principles
Electronic Commerce transactions should be similar to traditional paper based- transactions
if not , we will have to reinvent our entire system of contract law...

Issues are:
* How to create an enforceable digital contract for the sale of goods and services? * How to ensure a digital transaction is as valid as paper? * Meet all legal rules for contracts, agreements, evidences...

Legal controls include:

* * * * Signature as evidence Tamper-proof paper e.g.., cheques Time or date stamping: proof of dispatch , receipt etc. Trusted Third parties: notaries, witnesses, ID documents issued by trusted third parties

House of E-commerce

Reliable E-Commerce

Non-Repudiation

Authorization

Authentication

Integrity of Data

Privacy

Technology

Management

Security Infrastructure Security Polices

Security Principles for E-Commerce APAIN

Authentication: Be sure you know who you are communicating

with!

Privacy(Confidentiality): keep secrets secret Authorization: ensure users do not exceed their allowed authority. Integrity(of the Data): be sure nothing is changed behind your
back

Non-Repudiation:have the evidence in the event of a dispute.

Motivation for Digital Signatures and Public Key Infrastructure

Privacy & Encryption

Solution is to make the data unintelligible,except to the intended recipient(s).

Digital Authentication
Capability to identify a party to an electronic transaction

Digital Authorization
Authorization is the process of determining the actual capabilities of an authenticated user

Data Integrity
Necessity to ensure that data cannot be modified in transit except in response to authorized transactions by authorized parties

Non-Repudiation
Implies * * * the need for a third party who will vouch for the users identity Some level of physical reference checking Monitoring on use of the ID Capability to revoke or rescind a digital ID

Digital Certificate=Digital ID

*Issue a standard electronic ID to all potential parties to electronic transactions *May be individuals,corporations,Web servers *Should be universally acceptable

An Electronic document whose validity is guaranteed by a trusted third party

Owner : Bill Gates Title: Supreme Ruler Company: Microsoft Authority: Infinite Digital ID: 123456 Valid Until 31/12/2001 Attested by US Dept Of Justice

The Legal and Procedural Environment

The transition to E-commerce Implies appropriate environment

Legal Issues of electronic transactions accounted for(Validity, terms of reference, evidence accountability etc) Procedures, in place to operate the CA
Liability , risk and insurance cover Conditions of accepting certificates This Environment is called a Public Key Infrastructure (PKI)

Secure Applications Community VPN, EDI, Binding signed documents Extranet home banking online trading Intranet (Sharing of resources and files)

E-com Trusted CA Digital Certificates

Digital Signatures
Cryptography

Computer Security

Basic Cryptography
Cryptography=Hidden writing The science of scrambling a message so that only authorized parties can see it. Process must be reversible Hiding is called encryption Retrieving the hidden message is called decryption

Cryptography

Symmetric Cryptography

Asymmetric Cryptography

Symmetric Key Cryptography

Symmetric Key (Shared secret A & B)

Hi bob Alice Hi bob Alice

Encrypt

Encrypted Message

Decrypt

C=E(M,K)
C= Cipher Text E=Encryption Function M=Message(Plain Text) K=Secret Key

Eaves Dropper

M=D(C,K)
C= Cipher Text E=Decryption Function M=Message(Plain Text) K=Secret Key

Strength of Symmetric Key Encryption

Strength of Symmetric Key Encryption
300 250 200 150 100 50 0 1 2 3 4 5 6 Key Size # of possible keys Crack Time

Key Size 40 Bits 56 Bits 64 Bits 112 128 256

# of possible keys 1 x 10 12 (1 trillion) 7 x 10 12 2 x 10 19 5 x 10 33 3 x 10 36 1 x 10 77

Crack Time 2 hours 20 hrs 9 years 1015 years 1019 years 1056 years

Time required for abrute force attack using a hypothetical special-purpose cracking computer

Digital Signatures Signing an Electronic Message

From Alice? Plain Text Plain Text

Hi Bob Alice

Hi Bob Alice

Ciphertext
Encrypt Decrypt

We need a method for Alice to sign the message Must be unquestionably from her Therefore, we must tie her an identity to the message Let`s look at the traditional way of doing it

Public Key : Authentication Mode

From Alice? Plain Text

A`s private key

A`s public key

Plain Text Bob, take the day off

Bob, take the day off

Ciphertext
Encrypt Decrypt

Alice now encrypts the entire message with her private key Anyone can decrypt the message, so it`s not confidential However, recipient Bob can be assured that the message was definitely by Alice- only her public key will decrypt the message.

Public Key:Encryption + Authentication

Alice

B Public Key

B Private Key
Hi bob, Take a Day Off

Hi bob, Take a Day Off

Df243s dac2 @$#@ CIPHER TEXT

Decrypt Message

Check signatur e

Sign it (Encrypt it again)

Df243s dac2 @$#@ Signature

Decrypt the signatur e

Hi bob, Take a Day Off

As Private Key As public Key

Sign ature ok??

Yes

No

Digital Signature with a Message Digest

Alice B Public Key B Private Key
Hi bob, Take a Day Off Hi bob, Take a Day Off Df243s dac2 @$#@ Decrypt Message Generate MD 1739393

CIPHER TEXT

Digest

=?
1739393

1739393 24$#@@#

Sign it (Encrypt it again)

Signature

Decrypt the Alices MD

As Private Key

As public Key

Combining public key & Symmetric key encryption

Plain Text Alice Plain Text
Hi Bob, Alice

Bob

Hi Bob, Alice

CIPHER TEXT
Encrypt Message

Decrypt Message

4.

Session key

1.

Df243sdac2 @$#@

2.
Encrypt Session key

Session key

Decrypt Session key

3.

B`s Public Key Now, only the (short) session key is encrypted with a public key and the (long) message is encrypted with the random session key. Bs Private Key

Key strengths: symmetric & public keys

Centuries

strong

Time to crack

Symmetric Key

Public Key

Good Years

Weak Days

Hours 40 56 Key length 80 128 768 1024

The Role of Digital Certificates

An electronic document.
Identifies an individual or entity Contains relevant information (1) Name, address, company, title, phone number,... Contains the owners public key Is notarized or validated by a trusted third party (1) Issuing party (2) Certification Authority, CA The entire digital record is digitally signed by the CA The CA`s signature prevents tampering with any data in the certificate

Public Key Substitution Risk

This message is authenticated as coming from Alice

(1) Decrypt
Ill just substitute my public key for what Bob thinks is Alice`s public key!

(2) Encrypt & sign

Mallory

Impostor's public key

Public Key Distribution

Key pair generation Send Sign On the local computer Private Key Public Key

Digital Certificate

Subject name other details

Public keys are distributed in certificates, which are signed by a trusted Certification Authority (CA) Public key

CA signature

Publish Public Directory

Public distribution

Basic Certificate Contents

Identifies certificate format Algorithm used to sign certificate Version Serial Number Signature Algorithm Issuer Name Validity Period Subject name Subject public key Issuers signature

Identifies this certificate

Start date and end date

Name of certification authority

Public key value and indicator of its algorithm

Ensures cert. data cant be changed

Identifies the owner of the key pair

Example of a User Certificate

What is Public Key Infrastructure (PKI)?

PKI is the
* architecture * organization * techniques * practices, and * procedures that

collectively support the implementation and operation of a certificate-based public key cryptographic system
PKI

consists of systems that collaborate to provide and implement the public certificate system and related services

PKI: The Pieces of the Puzzle Operating enterprise PKI requires more than just software
Policy & Practices Authentication Secure Infrastructure

Application Enablement

PKI/CA Software & Hardware

Service Availability

Risk & Liability Management

Application Consulting

Help Desk

Certificate Chain
Public key user (verifier)
Verisign

Key-pair owner (signer)

Alice

Bob Banks public key certified by verisign Alices public key certified by Bank CA

Verisigns public key

Bank CA

Alices
private key

Public key-user system is initialized with some CAs public key CAs certify the public keys of the other CAs Chain of trust between public key-user and key-pair-owner

Certification Authority Hierarchy

IPRA PCA1 PCA2

International Public Registration Authority

PCA3

Public CAs

CA1
User User

CA2
CA6

CA3
User

CA4
User User

CA5

Private CAs

User

User

User

User

Highly unlikely that this hierarchy will ever occur. Subsidiary commercial and national hierarchies are being formed