Damage to me
someone posing as me
manipulation of my site or by
Loss of business owing to downtime from attacks
Costs of resolving disputes given limited evidence
E-commerce Principles
Electronic commerce transactions should be similar to traditional paper-based transactions.
If not, we will have to reinvent our entire system of contract law...
Issues are:
* How to create an enforceable digital contract for the sale of goods and services?
* How to ensure a digital transaction is as valid as paper?
* Meet all legal rules for contracts, agreements, evidences...
House of E-commerce
Reliable E-Commerce
Non-Repudiation
Authorization
Authentication
Integrity of Data
Privacy
Technology
Management
Privacy (Confidentiality): keep secrets secret
Authorization: ensure users do not exceed their allowed authority
Integrity (of the Data): be sure nothing is changed behind your back
Digital Authentication
Capability to identify a party to an electronic transaction
Digital Authorization
Authorization is the process of determining the actual capabilities of an authenticated user
Data Integrity
Necessity to ensure that data cannot be modified in transit except in response to authorized transactions by authorized parties
Non-Repudiation
Implies
* the need for a third party who will vouch for the user's identity
* Some level of physical reference checking
* Monitoring on use of the ID
* Capability to revoke or rescind a digital ID
Digital Certificate=Digital ID
* Issue a standard electronic ID to all potential parties to electronic transactions
* May be individuals, corporations, Web servers
* Should be universally acceptable
Owner: Bill Gates
Title: Supreme Ruler
Company: Microsoft
Authority: Infinite
Digital ID: 123456
Valid Until 31/12/2001
Attested by US Dept Of Justice
Legal issues of electronic transactions accounted for (validity, terms of reference, evidence accountability etc.)
Procedures in place to operate the CA
Liability, risk and insurance cover
Conditions of accepting certificates
This environment is called a Public Key Infrastructure (PKI)
Secure Applications
Community: VPN, EDI, binding signed documents
Extranet: home banking, online trading
Intranet: sharing of resources and files
Digital Signatures
Cryptography
Computer Security
Basic Cryptography
Cryptography = Hidden writing
The science of scrambling a message so that only authorized parties can see it.
Process must be reversible
Hiding is called encryption
Retrieving the hidden message is called decryption
Cryptography
Symmetric Cryptography
Asymmetric Cryptography
Encrypt
Encrypted Message
Decrypt
C=E(M,K)
C = Cipher Text
E = Encryption Function
M = Message (Plain Text)
K = Secret Key
Eaves Dropper
M=D(C,K)
C = Cipher Text
D = Decryption Function
M = Message (Plain Text)
K = Secret Key
Crack Time: 2 hours, 20 hrs, 9 years, 10^15 years, 10^19 years, 10^56 years
Time required for a brute-force attack using a hypothetical special-purpose cracking computer
Hi Bob Alice
Hi Bob Alice
Ciphertext
Encrypt Decrypt
We need a method for Alice to sign the message.
It must be unquestionably from her.
Therefore, we must tie her identity to the message.
Let's look at the traditional way of doing it.
Ciphertext
Encrypt Decrypt
Alice now encrypts the entire message with her private key.
Anyone can decrypt the message, so it's not confidential.
However, recipient Bob can be assured that the message was definitely from Alice: only her public key will decrypt the message.
B Public Key
B Private Key
Hi bob, Take a Day Off
Decrypt Message
Check signature
No
CIPHER TEXT
Digest
=?
1739393
1739393 24$#@@#
Signature
A's Private Key
A's Public Key
Bob
Hi Bob, Alice
CIPHER TEXT
Encrypt Message
Decrypt Message
4.
Session key
1.
Df243sdac2 @$#@
2.
Encrypt Session key
Session key
3.
B's Public Key
B's Private Key
Now, only the (short) session key is encrypted with a public key and the (long) message is encrypted with the random session key.
Centuries
strong
Time to crack
Symmetric Key
Public Key
Good Years
Weak Days
(1) Decrypt
I'll just substitute my public key for what Bob thinks is Alice's public key!
Mallory
Digital Certificate
CA signature
Public distribution
* Version (identifies certificate format)
* Serial Number
* Signature Algorithm (algorithm used to sign certificate)
* Issuer Name
* Validity Period
* Subject name
* Subject public key
* Issuer's signature
PKI is the
* architecture
* organization
* techniques
* practices, and
* procedures
that collectively support the implementation and operation of a certificate-based public key cryptographic system
PKI
consists of systems that collaborate to provide and implement the public certificate system and related services
PKI: The Pieces of the Puzzle Operating enterprise PKI requires more than just software
Policy & Practices Authentication Secure Infrastructure
Application Enablement
Service Availability
Application Consulting
Help Desk
Certificate Chain
Public key user (verifier)
Verisign
Alice
Bob
Bank's public key certified by Verisign
Alice's public key certified by Bank CA
Bank CA
Alice's private key
* Public key-user system is initialized with some CA's public key
* CAs certify the public keys of the other CAs
* Chain of trust between public key-user and key-pair-owner
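The chain of trust described above, as an added example that is not part of the original slides: a verifier initialized with only Verisign's public key accepts Alice's key through the Bank CA certificate and rejects the key Mallory tries to substitute. The toy RSA keys built from Mersenne primes, the certificate dictionary layout and all function names are assumptions for illustration and are not secure.

```python
import hashlib
E = 65537  # public exponent shared by every toy key

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (assumption: demo only, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private exponent d)

def digest(cert, n):  # hash of the signed fields, reduced below the issuer's modulus
    data = f"{cert['subject']}|{cert['key']}|{cert['issuer']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_n, issuer_d):
    cert = {"subject": subject, "key": subject_key, "issuer": issuer}
    cert["sig"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)  # issuer signs name-to-key binding
    return cert

def verify_chain(chain, trusted):
    """chain is leaf-first; trusted maps CA name -> public key. Returns the leaf key or raises."""
    for i, cert in enumerate(chain):
        anchored = cert["issuer"] in trusted
        if anchored:
            issuer_n = trusted[cert["issuer"]]
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == cert["issuer"]:
            issuer_n = chain[i + 1]["key"]  # only believed once the rest of the chain verifies
        else:
            raise ValueError("chain does not reach a trusted CA")
        if pow(cert["sig"], E, issuer_n) != digest(cert, issuer_n):
            raise ValueError("bad signature on certificate for " + cert["subject"])
        if anchored:
            return chain[0]["key"]
    raise ValueError("empty chain")

def rejection(chain, trusted):
    try:
        verify_chain(chain, trusted)
    except ValueError as err:
        return str(err)
    return None

# Constructed scenario using the names on the slides.
root_n, root_d = keypair(89, 107)        # Verisign
bank_n, bank_d = keypair(61, 127)        # Bank CA
alice_n, _ = keypair(31, 61)
mallory_n, mallory_d = keypair(31, 89)
TRUSTED = {"Verisign": root_n}           # the only key the verifier starts with
bank_cert = issue("Bank CA", bank_n, "Verisign", root_n, root_d)
alice_cert = issue("Alice", alice_n, "Bank CA", bank_n, bank_d)
swapped = dict(alice_cert, key=mallory_n)  # Mallory swaps her key into Alice's certificate
forged = issue("Alice", mallory_n, "Mallory CA", mallory_n, mallory_d)  # signed by her own CA
```

Swapping the key breaks the Bank CA signature, and a certificate signed by Mallory's own CA never links back to the key the verifier was initialized with.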
PCA3
Public CAs
CA1
User User
CA2
CA6
CA3
User
CA4
User User
CA5
Private CAs
User
User
User
User
Highly unlikely that this hierarchy will ever occur. Subsidiary commercial and national hierarchies are being formed