What is Cryptography? Science of writing secret code is an art of protecting information by transferring it (encrypting )into an unreadable format ,called cipher text
The first use of cryptography in 1900 B.C. Used by Egyptian scribe Some experts say it appeared right after writing was invented
Encryption/ Decryption
Encryption is the transformation of data into some unreadable form. Its purpose is to ensure privacy by keeping the information hidden from anyone for whom it is not intended ,even those who can see encrypted data . It is a procedure to convert a regular text into a coded or secret text .
Decryption: the reverse of encryption :it is the transformation of encrypted data back into some intelligible form. A basic task in cryptography is to enable users to communicate securely over an insecure channel in a way that guarantees their transmission privacy and authenticity .Providing privacy and authenticity remains a central goal for cryptographic protocols.
Encryption Decryption Plain Text Cipher Text Original Text Encryption Common Terms is Cryptography system Intruder :An intruder is any person who does not have the authorization to access the network or the information Plaintext: It is an intelligible message that needs to be converted into an intelligible message or encrypted message Cipher text :A message in encrypted form Encryption: is a method by which plaintext can be converted to cipher text Decryption: is a method by which cipher text can be converted into a plaintext Algorithm: A cryptography algorithm is a mathematical function . Key: It is a string of digits 5 Keys It is a variable value that is used by cryptographic algorithms to produce encrypted text, or decrypt encrypted text. The length of the key reflects the difficulty to decrypt from the encrypted message. Encryption Decryption Plaintext Plaintext Ciphertext Key Key Example Plain text Algorithm Cipher text Algorithm Plain text Item Next letter Jufn Previous Letter Item Message Previous 3 Letters Next 3 Letters Message Cryptography Broken Down!!!
Two kinds of cryptosystems: Symmetric Uses the same key (the secret key) to encrypt and decrypt a message. Asymmetric Uses one key (the public key) to encrypt a message and a different key (the private key) to decrypt the message.
Symmetric key encryption system Same key is used to both encrypt and decrypt data Examples of encryption systems: DES, 3DES, AES Symmetric Cryptosystem!
Secret Key (Symmetric) Symmetrical Key encryption is also known as private key encryption With secret key ,the same key is used to encrypt information and decrypt information. Hence the operation is known as symmetric. With secret key systems you dont know who sent the message or if it is for a specific recipient ,Because anyone with the secret key could create or read the message . Encryption with Keys Encryption Decryption Plain Text Cipher Text Original Text Key (Symmetric Cryptosystem)
The message: The sender and receiver know and use the same secret key. The sender uses the secret key to encrypt the message. The receiver uses the same secret key to decrypt the message Same key is used to both encrypt or decrypt the message . This means that the sender & receiver had to agree in advance of the key . There are a wide variety of symmetric encryption algorithms. The most widely used encryption algorithm was DES (Data Encryption standard ) which was sanctioned by the National Institute of standards & technology (NIST) DES was developed by IBM . It is a block cipher scheme which encrypts a 64-bit data block using a 56-bit key . The block is transformed in such a way that it involves sixteen iterations. This is done by using the security key
Main challenge
Agreeing on the key while maintaining secrecy. Trusting a phone system or some transmission medium. The interceptor can read, modify, and forge all messages
Limitations Both parties must agree upon a shared secret key If there are n correspondents ,you have to keep track of n different secret keys .if the same key is used by more than one correspondent ,the common key holders can read others mail Symmetric encryption schemes are also subject so authenticity problems .Since both the sender & the recipient cannot be proved .Both can encrypt decrypt the message Key Management!!!
Key management: The generation, transmission, and storage of a key. All cryptosystems must deal with key management issues Because all keys must remain secret there is often difficulty providing secure key management.
Key Pairs A key is a unique digital identifier Keys are produced using a random number generator A key pair consists of two mathematically related keys The private key is secret and under the sole control of the individual The public key is open and published
Introduction of the Public Key!!!
Created to solve key management problems.
Created by Whitfield Diffie and Martin Hellman in 1976.
Also called asymmetric system.
Encryption key: public key
Decryption key: private key
Public Key Cryptography Public Key encryption is also known as asymmetrical encryption It utilizes a pair of keys one public & one private (in pair) Public key is made available to anyone who wants to send an encrypted message to the holder of the private key . The only way to decrypt the message is the private key . In this way messages can be sent without agreeing on the keys in advance . The most widely used public key algorithm is RSA Public key encryption system Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt. Public key can be sent in the open. Private key is never transmitted or shared. Eg. RSA (Rivest, Shamir, and Adleman ) Recipients Public Key Recipients Private Key Public & Private Keys Public and Private Key pairs comprise of two uniquely related cryptographic keys.
Public key is made accessible to everyone, whereas Private key remains confidential to its respective owner.
Since both keys are mathematically related only the corresponding private key can decrypt their corresponding public key.
How its works!!!!
Encryption with Keys Encryption Decryption Plain Text Cipher Text Original Text Encryption Key (K e )
(Asymmetric Cryptosystem) Decryption Key (K d )
In order to solve the key management problem, Whitfield Diffie and Martin Hellman introduced the concept of public- key cryptography in 1976 . Public-key cryptosystems have two primary uses, encryption and digital signatures. In their system, each person gets a pair of keys, one called the public key and the other called the private key. The public key is published, while the private key is kept secret. The need for the sender and receiver to share secret information is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. In this system, it is no longer necessary to trust the security of some means of communications. The only requirement is that public keys be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by just using public information, but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient.
Advantages Message confidentiality Can be proved :the sender uses the recipients public key to encrypt a message ,so that only the private key holder can decrypt the message ,no one else . Authenticity of the message originator can be proved : The receiver uses his private key to encrypt a message ,to which only the sender has access . Easy to distribute public key : The public key of the pair can be easily distributed . Public Key Cryptography Complimentary Algorithms are used to encrypt and decrypt documents @#@#@$$56455908283923 542#$@$#%$%$^& Encryption key Decryption key Unreadable Format Public Key Infrastructure in Action Public Key Private Key Secure Transmission Signatures Decrypting Encrypting Encrypting Decrypting Message Digest Used to determine if document has changed Usually 128-bit or 160-bit digests Infeasible to produce a document matching a digest A one bit change in the document affects about half the bits in the digest Eg. SHA-1 (160-bit digest), Secure Hash Algorithm
Hash Algorithm Digest Plaintext Hash function Hash function is a formula that converts a message of a given length into a string or digits called a message digest . A mathematical transformation is used by the hash function to encrypt information such that it is irreversible . The encrypted cipher text message cannot be decrypted back to plain text .
How it works X sends message to Y
Sender Receiver The sender generates a message A Message Digest of the message is created using the hash function The sender attaches is digital signature to the end of the message The sender encrypts both message and signature with receivers public keys Using a private key ,the entire message is encrypted by the receiver The receiver calculates the message digest using the hash function The receiver uses the same hash function that the sender uses ,and which has been agreed upon in advance . The main advantage is that even if an unauthorized person access Xs public key ,he will not be able to get to the hash function generated key this making the digital signature authentic and secure X Y Trusted Electronic Transactions ELECTRONIC TRANSACTIONS Streamline Reporting Process Reduce burden on regulated community Efficient Record Retention Timely and Accurate Data Retrieval and Access Emergency Response (24/7 access) Community-Right-to-Know CAN ELECTRONIC DATA BE TRUSTED? Accuracy and Authenticity Decisions regarding Environmental Health and Impact Security Protection from unauthorized access Tamper-resistant Accidental human errors Intentional - Fraud Credibility in Judicial Proceedings Effective Enforcement Plaintiff/Defendant Subpoena Evidence must be unambiguous to be admissible in court
Once admitted into Court, evidence must be persuasive to a jury JUDICIAL CREDIBILITY is the Highest Standard for Trusted Data ** 1. AUTHENTICATION: the ability to prove the senders identity 2. REPORT INTEGRITY: the ability to prove that there has been no change during transmission, storage, or retrieval 3. NON-REPUDIATION: the ability to prove that the originator of a report intended to be bound by the information contained in the report
WHAT DETERMINES A LEGALLY BINDING REPORT ?
NON-REPUDIATION AUTHENTICATION REPORT INTEGRITY TRUST IN PAPER-BASED REPORTS ELECTRONIC REPORTING FROM PAPER TO ELECTRONIC: Repudiation Risks in Basic Electronic Transactions
I did not send that report ! That report is not the one I sent ! I did not mean that !
I did not send that report ! Identity of user is unknown Possible Solutions: Telephone call follow-up Terms and Conditions Agreement (TCA) / Mailed Certification Agreement Mail a Diskette Containing Electronic Data
That report is not the one I sent ! Identity of user is unknown Possible Solutions: Telephone call follow-up Terms and Conditions Agreement (TCA) / Mailed Certification Agreement Mail a Diskette Containing Electronic Data Ensuring Authenticity and Report Integrity in Electronic Transactions Digital Signatures Public Key Infrastructure
Public Key Infrastructure (PKI) PKI is a combination of software, encryption technologies and facilities that can facilitate trusted electronic transactions. PKI provides an electronic framework i.e. software & a set of rules & practices for secure communication & transaction between organizations & individuals PKI Components Key Pairs Certificate Authority Public Key Cryptography 39 PKI Structure Certification Authority Directory services User Services, Banks, Webservers Public/Private Keys Certification Authorities(CAs) A trusted authority Responsible for creating the key pair, distributing the private key, publishing the public key and revoking the keys as necessary The Passport Office of the Digital World
An organization that issues public key certificates(Digital Signature). Signed by certification authoritys own private keys, contains name of the person, persons public key, a serial number, and other info., Example: verisign corp.
A Certifying Authority is a trusted agency whose central responsibility is to issue, revoke, renew and provide directories for Digital Certificates.
The certificate authority issues a digital certificate to companies and organizations that are accessible via the internet .
They are issued for a certain period of time and are used as a guarantee of the security of a website .
It is also referred to as a reliable third party
Certificate Authority CSC1720 Introduction to Internet All copyrights reserved by C.C. Cheung 2003. 42 CA model (Trust model) Root Certificate CA Certificate Browser Cert. CA Certificate Server Cert. Different kinds of certificates Certification authorities Certificates contain public key of CAs and name of service this can in turn be signed by other certification authorities. Server Certificates contain public key of SSL server, name of the organization running the server, Internet hostname, servers public key. Personal Certificates contains individuals name and public key. other information is also allowed. Software Publisher Certificates certificates used to sign the distributed software.
Digital Signature Digital Signature A Digital Signature is a method of verifying the authenticity of an electronic document. A digital signature is a personalized thumb print. It is the encryption of an electronic document by a key Characteristics a protocol that produces the same effect as real signature. Only the sender can mark it. Easily identifiable by others as one from the sender. Used to confirm agreement to a message.
Digital signature can be used in all electronic communications Web, e-mail, e-commerce, electronic banking and general security & authentication of documents It is an electronic stamp or seal that append to the document. It Ensures that the document is being unchanged during transmission.
The IT Act has given legal recognition to digital signature meaning, thereby, that legally it has the same value as handwritten or signed signatures affixed to a document for its verification The Information Technology Act, 2000 provides the required legal sanctity to the digital signatures based on asymmetric cryptosystems. The digital signatures are now accepted at par with handwritten signatures and the electronic documents that have been digitally signed are treated Physical Signature / Digital Signature Physical Signature Digital Signature Physical Signature is just a writing on paper Digital Signature encompasses crucial parameters of identification Physical Signature can be copied It is IMPOSSIBLE to copy a Digital signature Physical Signature does not give privacy to content Digital Signature also enables encryption and thus privacy Physical Signature cannot protect the content Digital Signature protects the content
How digital Signature works? User A User B Use As private key to sign the document Transmit via the Internet User B received the document with signature attached Verify the signature by As public key stored at the directory
Report Encryption Algorithm Digitally Signed
An individual digitally signs a document using the private key component of his certificate. Digital Signatures Private key Authentication and Verification The individuals public key, published by the CA decrypts and verifies the digital signature. Digitally Signed Public Key Decryption Algorithm Advantages Signer authentication: The signer of the document is the owner of the private key for creating the signature and unless that is lost ,the digital signature cannot be altered by any other means Message authentication: Today digital signature are probably more authenticated than the paper signature itself .Any alteration can be detected at the receiving end using the public key Efficient: The creation and use of digital signature and exchange digitally signed content is more efficient than paper signatures .Digital signature can be automatically created using programs these days and hence the creation time is also quite less Limitations If the private key is lost the content signed using that key is fully compromised and can be tampered with The issuer of the digital signature could give compromise security by giving your private key to someone else . A digital signature is an electronic method of signing an electronic document
Digital Certificate is a computer based record that Identifies the Certifying Authority issuing it
Has the name or the identity of its subscriber Contains the subscriber's public key Is digitally signed by the Certifying Authority issuing it
digital signatures are used to verify the trustworthiness of information Digital certificates are used to verify the trustworthiness of a website . However, in the case of digital signatures, the recipient must have a relationship with the sender or hosting site. Organizations using digital certificates don't require a relationship with the remote site; they just need the ability to identify which digital certificate authority was used by the site to validate it Digital Certificates Digital Certificate is a data with digital signature from one trusted Certification Authority (CA). This data contains: Who owns this certificate Who signed this certificate The expired date User name & email address
What is a Digital Signature Certificate?
Digital signature certificates (DSC) are the digital equivalent (that is electronic format) of physical or paper certificates. Examples of physical certificates are drivers' licenses, passports or membership cards. Certificates serve as a proof of identity of an individual for a certain purpose; for example a driver's license identifies someone who can legally drive in a particular country. Likewise, a digital certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally.
Why is Digital Signature Certificate (DSC) required? Like physical documents are signed manually, electronic documents, for example e-forms are required to be signed digitally through Digital Signature Certificate.
Who issues the Digital Signature Certificate? A licensed Certifying Authority (CA) issues the digital signature. Certifying Authority (CA) means a person who has been granted a license to issue a digital signature certificate under Section 24 of the Indian IT-Act 2000. The list of licensed CAs along with their contact information is available on www.mca.gov.in . You can obtain your DSC from Veracity IT & Legal Services. Advantages of Digital Certificates Decrease the number of passwords a user has to remember to gain access to different network domains. They create an electronic audit trail that allows companies to track down who executed a transaction or accessed an area.
Security Standards For electronic Payment System A secured payment transaction system is of critical importance to e-commerce Without security standard ,one cannot assume the success of e-commerce There are two common standards used for a secure electronic payment system SSL SET Secure Socket layer (SSL) SSL is a protocol for giving data security layers between high- level It is a key protocol for securing web transactions ,data packets in the internet It provides sever & client authentication and an encrypted SSL connection It uses public key cryptography and system for validating public key & digital certificates over the server . SSL Provides 3 basic services :Sever authentication ,client authentication & encrypted SSL connection . SSL sever authentication uses public Key cryptography to validate server's digital certificate and public key on the client ;s machine What Happens When a Web Browser Connects to a Secure Web Site What is SSL?
A protocol developed by Netscape. It is a whole new layer of protocol which operates above the Internet TCP protocol and below high-level application protocols. SSL is a communications protocol layer which can be placed between TCP/IP and HTTP It intercepts web traffic and provides security between browser and server Encryption is used to guarantee secure communication in an insecure environment SSL uses public-key cryptography
SSL Working An SSL certificate allows sensitive information to be encrypted during online transactions Authenticated information about the owner of the certificate is also contained in it. The identity of the owner of the certificate is verified by the certificate Authority at the time of its issue What Can SSL Do? It provides the following Data Encryption ,Server Authentication ,Message integrity ,Optional Client authentication . SSL provides a security handshake protocol to start the TCP/IP connection. The consequence of this handshake is that the client and server agree on the level of security they would use & completes any verification necessities for the connection .After that ,it is only used to decrypt and encrypt the message stream .
SSL includes two sub-protocols: the SSL Record Protocol and the SSL Handshake Protocol. Record Protocol -- defines the format used to transmit data. Handshake Protocol -- using the Record protocol to exchange messages b/t an SSL- enable server and an SSL-enable client. SSL usage Any online store Anyone who accepts online orders & payments through credit cards A site that offers a login or sign in Anyone processing sensitive data such as the address ,birth date ,license or ID Numbers Anyone who is required to comply with privacy & Security requirements Anyone who values privacy & security requirements Anyone who values privacy & expects others to trust them
Challenge-Response e-mail system
It is an anti-spam system which is designed to shift the filtering workload from the recipient to the spammer (or the legitimate sender). The fundamental idea is that spammers will not take the time to confirm that they want to send you email, but a legitimate sender will. The system maintains two lists of addresses: a "blacklist" of senders that will always be blocked, and a "whitelist" of senders that will never be blocked. If someone sends you email from an address not listed in either list, they will get an "challenge" (and their message will be queued temporarily). If they give the correct "response" to the challenge, they get added to your white list and their queued message(s) get forwarded to you.
Regulations of the Internet encryption technologies Encryption technology is being widely used today by enterprise as well as individuals consumer to protect the proprietary data and confidentiality of communication via e-mail or chat . For Example we use our credit cards for booking movies ,air or rail tickets over the internet on encrypted channels and feel safe that our personal or credit card information is not compromised when in transit . Similar technology can be also used by criminals to send information via the internet and escape without being intercepted by the government bodies; hence regulations need to be in place by the security organizations of different nations governing the use of encryption technology and the purpose for which it can be used . Such regulations need to be in force for protecting the lives of millions of people which might be compromised by negative element of the society . But there has to be regulations related to what information can be access and decrypted by the government bodies
Government regulation on encryption Encryption systems across the world are controlled by regulation imposed by various governments. One of the primary methods of regulating encryption by the government is by the use of export restrictions If anyone needs to export encrypted data ,they need a license from a licensing authority which might be the government agency or a third party government certified authority . Some of these regulations are continually challenged in the courts ,but the government are bound by security concerns that would arise if such regulations are not in place
Digital Signatures Controls on Encryption The most commonly found internet security mechanism today is SSL encryption . A well designed security solution should have the following attributes Data transfer from browser to server ,server to browser ,should be encrypted Any file attachments should be encrypted and digitally singed to ensure security of the consumer who downloads or uploads these attachments All digital signatures should have some accountability mechanism to be validated in the receiving end Authentication mechanism should be foolproof ,smart cards can be used to store certificates to ascertain consumer authenticity Not only the fillable fields in the form ,but the whole content of the web page should be encryptable and digitally sign able
Specific Issues in US Encryption Controls Three problems deter widespread acceptance of encryption
Successful encryption requires that all participating parties use the same encryption scheme .Within an organization ,or a group expected to cooperate (such as banks) ,standards have to be establishes that make encryption feasible The distribution keys has been a second barrier to wider use of encryption ,as there is no easy way to distribute the secret key to a person not known The only safe way to distribute the secret key is in person ,and then the distributor must provide a different secret key for each person. Even public key schemes require method for key distribution The final deterrent to widespread acceptance of encryption is its difficulty to use .The user interface to encryption must be simplified .For Encryption to flourish average consumer must find the software easy to use for commercial applications . ? Do Digital Certificates Have Vulnerabilities? One problem with a digital certificate is where it resides once it is obtained. The owner's certificate sits on his computer, and it is the sole responsibility of the owner to protect it. If the owner walks away from his computer, others can gain access to it and use his digital certificate to execute unauthorized business.
The best way to address the vulnerabilities of digital certificates is by combining them with biometric technology, as that confirms the actual identity of the sender, rather than the computer.
Do Digital Certificates Have Vulnerabilities? Security Standards For electronic Payment System A secured payment transaction system is of critical importance to e-commerce . Without security standard ,one cannot assume the success of e-commerce There are two common standards used for a secure electronic payment system . SSL SET What is SSL?
A protocol developed by Netscape. It is a whole new layer of protocol which operates above the Internet TCP protocol and below high-level application protocols. SSL SSL is a communications protocol layer which can be placed between TCP/IP and HTTP It intercepts web traffic and provides security between browser and server Encryption is used to guarantee secure communication in an insecure environment SSL uses public-key cryptography What is SSL? What Can SSL Do? SSL uses TCP/IP on behalf of the higher-level protocols. Allows an SSL-enabled server to authenticate itself to an SSL-enabled client; Allows the client to authenticate itself to the server; Allows both machines to establish an encrypted connection. What Does SSL Concern?
SSL server authentication. SSL client authentication. (optional) An encrypted SSL connection or Confidentiality. This protects against electronic eavesdropper. Integrity. This protects against hackers.
SSL Working An SSL certificate allows sensitive information to be encrypted during online transactions Authenticated information about the owner of the certificate is also contained in it. The identity of the owner of the certificate is verified by the certificate Authority at the time of its issue SSL components
SSL Handshake Protocol negotiation of security algorithms and parameters key exchange server authentication and optionally client authentication SSL Record Protocol fragmentation compression message authentication and integrity protection encryption SSL Alert Protocol error messages (fatal alerts and warnings) SSL Change Cipher Spec Protocol a single message that indicates the end of the SSL handshake Henric Johnson 83 SSL Architecture SSL includes two sub-protocols: the SSL Record Protocol and the SSL Handshake Protocol. Record Protocol -- defines the format used to transmit data. Handshake Protocol -- using the Record protocol to exchange messages b/t an SSL- enable server and an SSL-enable client. The exchange of messages facilitates the following actions: Authenticate the server to the client; Allows the client and server to select a cipher that they both support; Optionally authenticate the client to the server; Use public-key encryption techniques to generate share secrets; Establish an encrypted SSL conn. SSL usage Any online store Anyone who accepts online orders & payments through credit cards A site that offers a login or sign in Anyone processing sensitive data such as the address ,birth date ,license or ID Numbers Anyone who is required to comply with privacy & Security requirements Anyone who values privacy & security requirements Anyone who values privacy & expects others to trust them
SSL Summarization Exists between raw TCP/IP and Application Layer. Features added to streams by SSL Authentication and Nonrepudiation of Server, using Digital Signatures. Authentication and Nonrepudiation of Client, using Digital Signatures. Data confidentiality through Encryption. Data Integrity through the use of message authentication codes. Functions Separation of duties. Efficiency. Certification - based authentication Protocol Agnostic. Transport Layer Security is being tried out. Secure Socket layer (SSL) SSL is a protocol for giving data security layers between high-level application protocol & TCP/IP , it is a security protocol .
It provides the following Data Encryption ,Server Authentication ,Message integrity ,Optional Client authentication . SSL provides a security handshake protocol to start the TCP/IP connection. The consequence of this handshake is that the client and server agree on the level of security they would use & completes any verification necessities for the connection .After that ,it is only used to decrypt and encrypt the message stream .
It is a key protocol for securing web transactions ,data packets in the internet .It provides sever & client authentication and an encrypted SSL connection .It uses public key cryptography and system for validating public key & digital certificates over the server . SSL Provides 3 basic services :Sever authentication ,client authentication & encrypted SSL connection . SSL sever authentication uses public Key cryptography to validate server's digital certificate and public key on t he client ;s machine Secure Electronic Transaction (SET) Developed by Visa and MasterCard Designed to protect credit card transactions on the Internet SET is a system for ensuring the security of financial transactions on the Internet Set of security protocols and formats Not a payment system Ensures privacy.
Henric Johnson 90 Secure Electronic Transactions Key Features of SET: Confidentiality of information- all messages encrypted Integrity of data Cardholder account authentication Merchant authentication Trust: all parties must have digital certificates Privacy: information made available only when and where necessary
SET Business Requirements Provide confidentiality of payment and ordering information Ensure the integrity of all transmitted data Provide authentication that a cardholder is a legitimate user of a credit card account Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution SET Business Requirements (contd) Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction Create a protocol that neither depends on transport security mechanisms nor prevents their use Facilitate and encourage interoperability among software and network providers Participants in the SET System SET Transactions SET Transactions The customer opens an account with a card issuer. MasterCard, Visa, etc.
The customer receives a X.509 V3 certificate signed by a bank. X.509 V3
A merchant who accepts a certain brand of card must possess two X.509 V3 certificates. One for signing & one for key exchange
The customer places an order for a product or service with a merchant.
The merchant sends a copy of its certificate for verification. Henric Johnson 96 Sequence of events for transactions 1. The customer opens an account. 2. The customer receives a certificate. 3. Merchants have their own certificates. 4. The customer places an order. 5. The merchant is verified. 6. The order and payment are sent. 7. The merchant request payment authorization. 8. The merchant confirm the order. 9. The merchant provides the goods or service. 10. The merchant requests payments. Components to build Trust Data Confidentiality Encryption Who am I dealing with? Authentication Message integrity Message Digest Non-repudiation Digital Signature Access Control Certificate Attributes Conclusion With the help of the above discussions, the SET protocol appears to be complete, sound, robust and reasonably secure for the purpose of credit-card transactions. However, it is important that the encryption algorithms and key- sizes used, will be robust enough to prevent observation by hostile entities. The secure electronic transactions protocol (SET) is important for the success of electronic commerce. Secure electronic transactions will be an important part of electronic commerce in the future. Without such security, the interests of the merchant, the consumer, and the credit or economic institution cannot be served.
Contd Encryption with Keys Encryption Decryption Plain Text Cipher Text Original Text Encryption Key (K e )
(Asymmetric Cryptosystem) Decryption Key (K d )
Encryption with Keys Encryption Decryption Plain Text Cipher Text Original Text Key (Symmetric Cryptosystem) Encryption Decryption Plain Text Cipher Text Original Text Encryption Secure Email Protocols PEM (Privacy Enhanced Mail) Is a standards that provides security-related services foe electronic mail application Commonly used with SMTP (simple mail transport protocol) PEM Features Includes encryption ,authentication & key management It allows use of both public & Private key cryptography It uses the data encryption standard(DES) algorithm for encryption & RSA algorithm for sender authentication & key management . It verifies the identity of the message originator & verifies whether any of the original text has been altered .
PGP (Pretty Good Privacy ) PGP is a file based product developed by software engineer Phil Zimmerman in 1991 It is a free software that encrypts email . It is mostly used for personal e-Mail security PGP supports public-key & symmetric key encryption as well as digital signatures It operates by encrypting the data with one time algorithm & then encrypting the key to the algorithm using public key cryptography PGP also supports other standards such as SSL & lightweight Directory access protocol(LDAP) LDAP is a standard for accessing specific information ,including stored public key certificates It is freely available for DOS ,Macintosh ,UNIX,& OS/2 systems PGP provides secure encryption of documents & data files that even advanced supercomputers are hard pressed to crack The process is so simple that anyone with a PC can do it with almost no effort . S/MIME (Multipurpose Internet Mail Extension ) Was developed by RSA in 1996 as a security enhancement to old MIME standard for internet email It is built on public key cryptography standards S/MIME is considered powerful because it provides security for different data types & for email attachments
MSP(Message security protocol)
MSP is used by the US government & government agencies to provide security for e-mail Its function is securing e-mail attachments across multiple platforms It operates at the application level of the internet & does not involve the intermediate message transfer system . An MSP message includes the original message content & specific security parameters required by the recipients to decrypt or validate the message when received . Creation of digital signature According to the Act ,Asymmetrical or public key cryptography involving a pair of keys (private or public is used for creating a digital signature Steps to create digital signature Signer demarcates the message Hash function is the signer's software computes a hash result unique to the message The signer software then transforms (encrypts) the hash result into a digital signature using a signers private key. the resulting digital signature are unique to both the message and the private key is used to create it . The digital signature (a digitally signed message hash result of the message ) is attached to both its message and stored or transmitted with its message .digital signature is unique to its message .signer sends both digital signature and message to recipient Digital Signature Generation and Verification Message Sender Message Receiver Message Message Hash function Digest Encryption Signature Hash function Digest Decryption Expected Digest Private Key Public Key Verification The recipient of a digitally signed message can verify both that the message originated from the person who se signature is attached and that the message has not been altered either intentionally or accidently since it was signed .Furthermore ,secure digital signature cannot be repudiated ,the signer of a document cannot later disown it by claiming the signature was forged . Steps to verify digital signature For verifying the digital signature first of all ,the recipient receives digital signature and the message He applies signers public key on the digital signature & recovers the hash result from the digital signature . After this ,he computes a new hash result of the original message by applying the same hash function used by the signer to create the digital signature Lastly he compares the two hash results ,if they are identical ,it indicates that the message has not been modified .If two hash results are not same ,it would mean that the message either origated somewhere else was altered after it was signed and the recipet in such case can reject the message . Applications
Digital certificate A digital certificate is called an electronic identity card and is used for establishing the users credentials when conducting transactions over the web. A digital certificate is defined as a method of verifying authencity electronically >the digital certificate is equivalent to real identification, such as a drivers license. diffrent certifying authorities provide it .Digital certificates are used to confirm a website ,or a visitor to a website ,is the entity or person they declare to be .they are like an electronic testimonial issued by a certificate ion authority to ascertain the identity of an organization when doing business dealings on the internet . Contents of digital certificate Holders name ,organization ,address Name of the certificate authority Public key of the holders for cryptographic use Time limit (these certificates are issued for a period of six months to a year) Digital certificate identification number Security in Transmission Secure Socket Layer (SSL) https Submission is encrypted by the sender with recipients public key After receipt, submission is decrypted with recipients private key What Should Be Signed ? Balance between capturing the entire content of the transaction vs. ease of data integration Data that is Machine readable but which separates user entry content from context: database, comma delimited, spreadsheet, etc Data that records content and context but which are not easily integrated into databases: word, pdf, image, html, etc
Ensuring Non-repudiation in Electronic Transactions Capturing Complete Transactions in Archive Signing the content and context of a transaction Storing the signed transaction in a data warehouse without manual intervention
Granting Public Access to paper reports
Public comes into agency office Public provides drivers license or other identification Agency can monitor who is accessing data Providing Trusted Electronic Access to Data Identity of user is unknown Access cannot be monitored Relying on the Certificate Authority Public Digital Certificate
In order to obtain access to Community Right to Know Data, individuals first obtain digital Certificates. Applying PKI to Public Access Public After contributing a certificate to gain access, The individuals certificate can be cross-referenced with other security databases to monitor suspect individuals. Digital Certificates
Agency California Digital Signature Regulations
Definitions Digital Signatures Must Be Created By An Acceptable Technology- Criteria For Determining Acceptability List of Acceptable Technologies Provisions For Adding New Technologies to the List of Acceptable Technologies Issues to Be Addressed By Public Entities When Using Digital Signatures California Code of Regulations Title 2. Administration DIVISION 7. CHAP 10. DIGITAL SIGNATURES http://www.ss.ca.gov/digsig/regulations.htm The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the provisions in Section 22003(a)1-5. "Acceptable Certification Authorities" means a certification authority that meets the requirements of either Section 22003(a)6(C) or Section 22003(a)6(D). "Approved List of Certification Authorities" means the list of Certification Authorities approved by the Secretary of State to issue certificates for digital signature transactions involving public entities in California.
California Digital Signature Regulations
Unsigned Web forms can be sent by anyone. They can be tampered in transmission and the sender cant be legally verified Unsigned Data in a database can be altered and does not provide adequate evidence in a court of law Data on Diskette can be altered without visible evidence
Summary: Electronic Report Transactions are subject to fraud and easily repudiated: Digitally signed reports can also be repudiated, if the signed data is stored independently of the form question data.
Authentication- authenticates the sender of a report Report Integrity- invalidates a report if it has been tampered. Non-repudiation- sender and document are authenticated- the sender cannot deny having sent the report
Conclusion, cont. 2. PKI supports trusted access to Public Data: Agencies require individuals to contribute digital certificates in order to gain access. Agencies can track who gains access at what time The names of individuals who seek access can be cross-referenced with additional security databases to protect public safety Conclusion, cont. 3. Complete Archiving ensures that a legal record of a transaction can be trusted : Non-repudiation- Storing a copy of the entire data (including questions on the form) with the digital signature. Rely-On Solutions Cryptography and Web Security Functions, Confidentiality, Encryption is used to scramble the message. Authentication, Digital Signatures are used for verification. Integrity, methods used to verify whether the message has been modified on transit. Digital Signed message codes are used. Nonrepudiation author of a message cant deny sending a message. Rely-On Solutions What cryptography cant do ? Protect unencrypted documents. Protect against stolen encryption keys. Against denial-of-service attacks. Against the record of a note that a message was sent. Against a traitor or a mistake. Rely-On Solutions Working Encryption Systems Programs PGP(Pretty Good Privacy). S/MIME. Protocols SSL(Secure Socket Layer). PCT(Private Communications Technology). S-HTTP(Secure HTTP). Cybercash.
Rely-On Solutions Contd SET(used in web shopping). Electronic Wallet with User. Server that runs on Merchants web site. SET payment server runs in merchants bank. DNSSEC(Domain Name System Security). IPSec and IPv6. IPsec works with IPv4 and standard version used today works for IPv6 and includes IPsec. Kerberos. Rely-On Solutions Network Layer Security Protocol (IPsec) IP Security protocol - a suite of protocols that provides security at the network layer. Network layer must provide Secrecy - hide message from any third party that is "wire tapping" the network. Source authentication -IP datagram with a particular IP source address, it might authenticate the source. there are two principal protocols: the Authentication Header (AH) protocol. provides source authentication and data integrity but not secrecy. the Encapsulation Security Payload (ESP) protocol. provides data integrity and secrecy. Security Agreement (SA) - the source and network hosts handshake and create a network layer logical connection Rely-On Solutions What is SSL ? Exists between raw TCP/IP and Application Layer. Features added to streams by SSL Authentication and Nonrepudiation of Server, using Digital Signatures. Authentication and Nonrepudiation of Client, using Digital Signatures. Data confidentiality through Encryption. Data Integrity through the use of message authentication codes. Functions Separation of duties. Efficiency. Certification - based authentication Protocol Agnostic. Transport Layer Security is being tried out. Rely-On Solutions Secure Web Server Implements cryptographic protocols. Safeguard any personal info received or collected. Resistant to a determined attack over the I-net. Bad Guys Bad Guys Bad Guys SERVER ACTIVE AND PROVIDES SERVICES TO AUTHORIZED PERSONEL SECURE WEB SERVER ATTACK ATTACK ATTACK