E-business Infrastructure and Security


Published on

My IT Management course in UBC MBA
Prof: Ron Cenfetelli
Web 2.0 – Moving beyond HTML
Ability to verify the identity of people/organizations
Data/Message Integrity
Ensuring communications were not modified in transit/storage
Parties cannot deny a communication
Proof that the sender sent and proof that the receiver received

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • E-business Infrastructure and Security

    1. 1. E-business Infrastructure and Security Ron Cenfetelli Web Server Browser TCP/IP
    2. 2. History of the Internet <ul><li>Telegraph, the Victorian “Internet” </li></ul><ul><li>Telephone “Internet” </li></ul><ul><ul><li>T-Carrier Systems (e.g. “T1”) for voice and data </li></ul></ul><ul><ul><li>Teletypes </li></ul></ul><ul><ul><li>Compuserve, Prodigy in the late 80’s </li></ul></ul><ul><ul><ul><li>Member ID: 70314.2261 </li></ul></ul></ul><ul><ul><li>Bulletin board systems (BBS) </li></ul></ul><ul><ul><li>BITNET (non-IP based among universities) </li></ul></ul>
    3. 3. History of the Internet <ul><li>The Development of the Internet </li></ul><ul><ul><li>In 1969, the U.S. Department of Defense’s Advanced Research Projects Agency (ARPA) established ARPANET </li></ul></ul><ul><ul><li>The network had no central point and a message could be sent from one point to another through any number of routes. Computers exchanged information according to standards agreed upon by all participants, with no one person, institution, or organization “in charge.” </li></ul></ul>Dr. J.C.R. Licklider A message can be thought of as a short sequence of “bits” flowing through the network from one multiaccess computer to another. It consists of two types of information: control and data. Control information guides the transmission of data from source to destination. ... In short, the message processors function in the system as traffic directors, controllers, and correctors. -Licklider & Taylor 1968
    4. 4. History of the Internet <ul><ul><li>In 1986, the US National Science Foundation created a national network for university communications, which developed into NSFNET (based on TCP/IP) with a dazzling fast 56 kbps backbone. </li></ul></ul><ul><ul><li>The linking of NSFNET and ARPANET (and other growing parallel networks) became the modern Internet </li></ul></ul>
    5. 5. History of the Internet <ul><ul><li>In the late 1980’s, the Internet was opened up beyond defense and academia to include business uses. </li></ul></ul><ul><ul><li>1993: Tim Berners-Lee invents the World Wide Web. </li></ul></ul><ul><ul><ul><li>First user-friendly WWW browser (Mosaic/Netscape) was invented by Marc Andreessen. </li></ul></ul></ul><ul><ul><ul><li>This greatly simplified communication and use by the masses </li></ul></ul></ul><ul><ul><ul><ul><li>0 to 65 million users in 1.5 years </li></ul></ul></ul></ul><ul><ul><ul><li>“ Business Killed the Internet Dead” </li></ul></ul></ul>Feb 1996
    6. 6. Growth in the Internet Population (% of Americans who go online) – source Pew Internet and American Life Foundation
    7. 7. Growth in the Internet Population (% of Americans who go online) – source Pew Internet and American Life Foundation
    8. 8. Internet usage, Canada & US
    9. 9. January 16, 2008 “ Internet penetration continues to show signs of hitting a plateau. The percentage of former users who say they have no intention of going back online continues to increase, and less than half of those who have never used the Internet plan to log on in the coming year. “
    10. 10. Digital Divide? Age , Education , Income and Location appear to be highly predictive of broadband access
    11. 11. Internet Infrastructure Intranet T1 line Phone line T3 line Backbone Internet ISP Company A Person 2 POP NAP
    12. 12. Inside the Public Internet: <ul><li>Underlying Technology and Basic Capabilities of the Infrastructure </li></ul><ul><ul><li>Internet: A Network of Networks </li></ul></ul><ul><ul><li>Interconnected Packet-Switching Networks </li></ul></ul><ul><ul><li>IP: Software to Create a Virtual Network </li></ul></ul><ul><ul><li>TCP: Software for Reliable Communication </li></ul></ul><ul><ul><li>Clients + Servers </li></ul></ul><ul><ul><li>Names for Computers </li></ul></ul><ul><ul><li>Services </li></ul></ul>
    13. 13. Internet: A Network of Networks <ul><li>Although claimed to be a network of equals, there is in fact a hierarchy of communication networks </li></ul><ul><li>Internet Service Providers (ISPs) - Points of Presence (POP) on the Internet. They have a permanent IP address and necessary hardware to access the net. (Ex: Shaw, UUNET/Verizon) </li></ul><ul><li>Regional/National Networks </li></ul><ul><ul><li>Example: BCNET </li></ul></ul><ul><ul><ul><li>http://www.bc.net/about_bcnet/what_is_bcnet.htm </li></ul></ul></ul>
    14. 14. <ul><li>Metropolitan Area Exchange – where the major networks “peer” and exchange traffic either mutually or fee-based </li></ul><ul><li>vBNS - Very High Speed Backbone network. Ex: www. canarie .ca (10Gbps) </li></ul><ul><li>So while the Internet was originally envisioned and designed to be a “mesh” of nodes, in reality, there exist major “superhighways” where heavy traffic flows between networks. </li></ul>Internet: A Network of Networks
    15. 15. Source: Fitzgerald & Dennis
    16. 16. http://www.caida.org/tools/visualization/walrus/gallery1/ries-t2.png
    17. 17. BusinessWeek: 15 Jan 2007
    18. 18. Jan 2000 Cooperative Association for Internet Data Analysis http://www.caida.org/analysis/topology/as_core_network/historical.xml
    19. 19. May 2003 http://www.caida.org/analysis/topology/as_core_network/historical.xml
    20. 20. April 2005 http://www.caida.org/analysis/topology/as_core_network/historical.xml
    21. 21. IP Addresses and the Domain Name System (DNS) <ul><li>From ARPANET days: The idea that humans can better remember a name (sauder.ubc.ca) than some random set of digits ( </li></ul><ul><ul><li>A good thing for e-business! </li></ul></ul><ul><li>Internet Protocol (IP) address: </li></ul><ul><ul><li>Unique logical address for each device (e.g. your laptop) on the network </li></ul></ul><ul><ul><li>Used by routers to direct messages </li></ul></ul><ul><ul><li>Example: </li></ul></ul><ul><li>Host server name </li></ul><ul><ul><li>Human readable address </li></ul></ul><ul><ul><li>Example: www.sauder.ubc.ca </li></ul></ul><ul><li>Every device on the Internet must have a unique IP address (kinda/sorta) </li></ul>
    22. 22. IP Addresses and DNS <ul><li>Domain name service (DNS) </li></ul><ul><ul><li>Dynamically translates IP addresses to named host server, and back and maintains a current table of such translations </li></ul></ul><ul><ul><li>Builds on hierarchical domain name space (e.g., www.sauder.ubc.ca) </li></ul></ul><ul><ul><li>Top level: .com, .edu, .ca, .gov, .org, etc. </li></ul></ul><ul><ul><ul><li>Generic (gTLD) for organizations and functions (.com) </li></ul></ul></ul><ul><ul><ul><li>Country code (ccTLD) for nations (.ca, .us, .it…) </li></ul></ul></ul><ul><ul><ul><li>Overall managed by ICANN. Country codes are managed as determined by each country. </li></ul></ul></ul>
    23. 23. Uniform Resource Locator (URL) http://www.sauder.ubc.ca/bcom/ PROTOCOL FOR THE WEB DIRECTORY Domain Name Uniform Resource Locater (URL) Host Computer Top Level Domain (TLD)
    24. 24. More on IP Addresses <ul><li>Four 8 bit addresses = 32 bits = 2^32 = 4.3 Billion possible unique addresses (IPv4) </li></ul><ul><ul><li>Not completely true. Inefficiencies due to “block” assignments of first IP “octet” (e.g. UBC’s 137). Actually 3.7 billion. </li></ul></ul><ul><li>A looming shortage of addresses! </li></ul><ul><ul><li>The number of available IPv4 addresses ( http://www.bgpexpert.com/addrspace2007.php) : </li></ul></ul><ul><ul><ul><li>2007: 1.3 billion, 64.9% utilization </li></ul></ul></ul><ul><ul><ul><li>2008: 1.1 billion, 69.7% utilization </li></ul></ul></ul><ul><ul><li>See “ A coming real estate crunch on the Net ” on WebCT </li></ul></ul><ul><ul><li>Thus IPv6 – 128 bits </li></ul></ul><ul><ul><ul><li>Billions and billions of addresses (a trillion trillion trillion to be exact) </li></ul></ul></ul>
    25. 25. Internet: Client/Server Paradigm <ul><li>It is service -oriented, and employs a request-response protocol </li></ul><ul><li>One type of server is the Domain Name Server. These are used to translate domain names to IP addresses </li></ul><ul><ul><li>A computer only needs to know the location of one DNS </li></ul></ul><ul><ul><li>A dozen or so “Root” servers maintain worldwide consistency of Domain to IP address </li></ul></ul>
    26. 26. The Client-Server Paradigm <ul><li>A server process, running on a server host, provides access to a service. </li></ul><ul><li>A client process, running on a client host, accesses the service via the server process. </li></ul><ul><li>The interaction of the process proceeds according to a protocol . </li></ul>
    27. 27. Protocols <ul><li>The language the nodes on a network use to communicate with each other. </li></ul><ul><ul><li>Analogy: We may agree to speak in English with certain grammatical rules. </li></ul></ul>
    28. 28. Protocol Examples <ul><li>TCP - Transport Control Protocol </li></ul><ul><li>IP - Internet Protocol </li></ul><ul><li>e-mail (Simple Mail Transfer Protocol, SMTP) </li></ul><ul><li>file transfer (File Transfer Protocol, FTP) </li></ul><ul><li>All are packet based </li></ul>
    29. 29. Putting Client/Server and Protocols Together <ul><li>A protocol/service session within the Client/Server model </li></ul><ul><ul><li>Session: the interaction between the server and one client. </li></ul></ul><ul><ul><li>The service managed by a server may be accessed by multiple clients who desire the service, sometimes concurrently . </li></ul></ul><ul><ul><li>Each client, when serviced by the server, engages in a separate session with the server, during which it conducts a dialog with the server until the client has obtained the service it required </li></ul></ul>
    30. 30. Example <ul><li>The dialog in each session follows a pattern prescribed in the protocol specified for the service. </li></ul><ul><li>World Wide Web session : </li></ul><ul><ul><li>Client : Hello, <client address> here. </li></ul></ul><ul><ul><li>Server : Okay. I am a web server and speak protocol HTTP4.0. </li></ul></ul><ul><ul><li>Client : Great, please get me the web page index.html at the root of your document tree. </li></ul></ul><ul><ul><li>Server : Okay, here’s what’s in the page: (contents follows). </li></ul></ul><ul><li>  </li></ul>
    31. 31. Internet Protocol – TCP/IP <ul><li>The TCP/IP protocol defines the interface between the physical infrastructure (streets, intersections) and the data flow (cars) </li></ul><ul><li>TCP = Transport Control Protocol </li></ul><ul><ul><li>Asking another device on the network if it is willing to accept information from the local device, receipt confirmation </li></ul></ul><ul><ul><li>Splits messages in PACKETS and assembles them back in proper sequence </li></ul></ul><ul><li>IP = Internet Protocol </li></ul><ul><ul><li>Approximately two hundred byte packets. IP labels the packet with source/destination address and contents. </li></ul></ul><ul><ul><li>Has rules for routing message packets </li></ul></ul><ul><ul><li>Handles the correct addressing </li></ul></ul>
    32. 32. TCP: Reliable Communication <ul><li>Problem: Packet-switched networks can be overrun, bottlenecks, routers go down, etc. </li></ul>
    33. 33. TCP Helps IP Guarantee Delivery <ul><li>Transmission Control Protocol : Whereas IP manages addressing and routing, TCP manages successful delivery between hosts </li></ul><ul><ul><li>“ Catches” all of the packets sent by IP. </li></ul></ul><ul><ul><li>Reassembles the packets in the proper sequential order </li></ul></ul><ul><ul><li>Makes sure all of the data has arrived. </li></ul></ul><ul><ul><ul><li>If not, TCP sends a request to the server requesting the missing packet be resent. </li></ul></ul></ul><ul><ul><li>Upon completion of reorganizing the data, TCP allows the data stream to viewed. </li></ul></ul>
    34. 34. More on TCP/IP <ul><li>TCP/IP is TCP and IP working together </li></ul><ul><ul><li>TCP takes care of the communication between your application software (i.e. your browser) and your network software . </li></ul></ul><ul><ul><li>IP takes care of the communication with other computers . </li></ul></ul><ul><ul><li>TCP is responsible for breaking data down into IP packets before they are sent, and for assembling the packets when they arrive. Also reliable delivery. </li></ul></ul><ul><ul><li>IP is responsible for sending the packets to the receiver. </li></ul></ul><ul><ul><li>Analogy: TCP is like a Taxicab Dispatcher, IP is like a Taxicab </li></ul></ul>
    35. 35. A “Packet”
    36. 36. Routers Internet Routers POP NAP
    37. 37. Routers <ul><li>Routers are what truly make the Internet what it is </li></ul><ul><ul><li>They route IP message traffic between other routers </li></ul></ul><ul><ul><li>They can connect separate networks even those with different network protocols (Ethernet, Token-ring). </li></ul></ul><ul><ul><li>They allow for multiple paths /router chooses the “best” path or route (“Dynamic” instead of static). Routers use a routing table of possible paths. Dynamic refers to the changing nature of this table. Analogous to getting updated traffic reports. </li></ul></ul><ul><ul><ul><li>If a relied-upon router goes down, an alternative path is found </li></ul></ul></ul><ul><ul><li>With TCP/IP, routers can send a single message around multiple paths and the packets that make up that message can arrive out of sequence . TCP/IP puts everything back in order. Packets can travel independently of one another to the destination. </li></ul></ul><ul><ul><li>This might help to explain why VOIP sounds like it does </li></ul></ul>
    38. 38. TCP/IP – Organized Chaos Brad sends “HELLO” to Al Al H E L Internet L O Packet Router
    39. 39. Internet in Action Internet 101.org © 1997-2004 Scott Cottingham
    40. 40. Internet  World Wide Web <ul><li>Internet = A “network of networks” encompassing millions of computers linked via a variety of means (fiber, wireless, etc.) using various protocols </li></ul><ul><li>WWW = A method of accessing information that uses a specific protocol (e.g. HTTP) for sharing “pages”, graphics and other multimedia using browsers and “hyperlinks” </li></ul>Internet WWW
    41. 41. HTML <ul><li>H yper T ext M arkup L anguage (HTML) specifies how to author web pages on the WWW. </li></ul><ul><li>Consists of predefined < tags> </li></ul><ul><ul><li><b> start bold font; </b> stop bold font </li></ul></ul><ul><ul><li><table> start a new table; </table> end table </li></ul></ul><ul><li>Cascading style sheets (CSS) </li></ul><ul><ul><li>Specify classes with style attributes. More advanced than HTML </li></ul></ul>
    42. 42. Web Protocol - HTTP <ul><li>H yper T ext T ransfer P rotocol </li></ul><ul><li>Defines how messages are formatted and transmitted on the WWW </li></ul><ul><li>Describes what actions Web servers and browsers should take in response to various commands </li></ul><ul><li>A request/response paradigm </li></ul><ul><li>HTTP is a connectionless and stateless protocol </li></ul>
    43. 43. Dealing with a lack of Connection & State <ul><li>HTTP is a connectionless and stateless protocol </li></ul><ul><ul><li>No “knowledge” of prior transmissions/transactions </li></ul></ul><ul><li>An IP address is an imperfect means of identifying a user and their current state. </li></ul><ul><li>“ Workarounds” have been developed </li></ul><ul><ul><li>ActiveX, Java, JavaScript and cookies </li></ul></ul><ul><ul><li>Ex: Cookies </li></ul></ul><ul><ul><ul><li>a “message” stored on the user’s harddrive holding information about the user. Exchanged between the browser and a server. </li></ul></ul></ul><ul><ul><ul><li>Purpose: to identify repeated users and prepare customized pages for them </li></ul></ul></ul>
    44. 44. Cookies <ul><li>Example: </li></ul>www.msblabs.org FALSE /tools/scratch-pad/ FALSE 1227994064 data Ron%20is%20leaving%20a%20cookie Try it out at http://www.msblabs.org/tools/scratch-pad/index.php Search for “cookies.txt” file under Documents and Settings
    45. 45. Web 2.0 – Moving beyond HTML <ul><li>As noted, a collective term for the enhancement of social aspects </li></ul><ul><li>But also includes the technology and standards to facilitate interactivity and dealing with a lack of connection & state </li></ul><ul><ul><li>Ex: Ajax for improved response to address “stateless” issues </li></ul></ul><ul><ul><ul><li>Asynchronous Javascript with XML </li></ul></ul></ul><ul><ul><ul><li>The “old fashioned” way: For every request made by a user, a new web page has to be loaded </li></ul></ul></ul><ul><ul><ul><li>With Ajax, HTML is generated locally allowing exchange of just the relevant information updates </li></ul></ul></ul><ul><ul><ul><ul><li>Ex: Google Maps </li></ul></ul></ul></ul>
    46. 46. A “Mashup” of Google Maps and Craigslist <ul><li>A classic example of Web 2.0: www.housingmaps.com </li></ul><ul><li>The social platform of Craigslist </li></ul><ul><li>+ The AJAX interactivity of Google Maps </li></ul><ul><li>= A forum for finding relevant rentals nearby </li></ul>
    47. 47. A summary of Internet Infrastructure <ul><li>Although a remarkable phenomenon, the Internet is still operating on essentially the same technology as 40 years ago </li></ul><ul><li>Renovations planned: </li></ul><ul><ul><li>IPv6: more addresses </li></ul></ul><ul><ul><li>Continual use of “add-ons” such as AJAX </li></ul></ul><ul><li>But still the same basic technology , just faster and more ubiquitous </li></ul>
    48. 48. Security
    49. 49. Why Security Matters to e-Business Peter Steiner -p. 61, The New Yorker, (July 5, 1993)
    50. 50. Wednesday, 2 January 2008,
    51. 53. Malware marries Web 2.0 “ Where human beings solve the puzzles the viruses cannot.&quot;
    52. 54. See link On WebCT
    53. 55. Security in the Physical World Lock Security forces Safe Signature Physical barriers Fingerprint Seal Contract
    54. 56. E-business Security Needs <ul><li>Confidentiality </li></ul><ul><li>Authentication </li></ul><ul><ul><li>Ability to verify the identity of people/organizations </li></ul></ul><ul><li>Data/Message Integrity </li></ul><ul><ul><li>Ensuring communications were not modified in transit/storage </li></ul></ul><ul><li>Nonrepudiation </li></ul><ul><ul><li>Parties cannot deny a communication </li></ul></ul><ul><ul><ul><li>Proof that the sender sent and proof that the receiver received </li></ul></ul></ul>
    55. 57. A Simulation… <ul><li>Let’s pretend that each of us in the room is a node on the Internet. </li></ul><ul><ul><li>Just like the real Internet, messages are sent from a sender to a receiver via the intermediate nodes. Each intermediate node helps pass along a packet to its destination. </li></ul></ul><ul><ul><li>All messages being transmitted must go through a physically adjacent node </li></ul></ul><ul><ul><li>As a result, each message is viewable by each node (as is the case in the real world Internet!) </li></ul></ul>
    56. 58. A Simulation… <ul><li>I’ll post these slides after 30JAN </li></ul>
    57. 59. e-Business Security Needs <ul><li>Confidentiality </li></ul><ul><li>Authentication </li></ul><ul><ul><li>Ability to verify the identity of people/orgs. </li></ul></ul><ul><li>Data/Message Integrity </li></ul><ul><ul><li>Ensuring communications were not modified in transit/storage </li></ul></ul><ul><li>Nonrepudiation </li></ul><ul><ul><li>Parties cannot deny a communication </li></ul></ul><ul><ul><ul><li>Proof that the sender sent and proof that the receiver received </li></ul></ul></ul><ul><ul><ul><li>Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data </li></ul></ul></ul>Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI
    58. 60. Message Integrity – Threats & Solutions <ul><li>Old world solutions </li></ul><ul><ul><li>Seal </li></ul></ul><ul><li>Digital world solutions </li></ul><ul><ul><li>Hashing </li></ul></ul><ul><li>Internet solutions </li></ul><ul><ul><li>Hashing </li></ul></ul><ul><ul><li>Digital signatures (also addresses the problem of authentication!) </li></ul></ul>
    59. 61. PKI Components: Digital Signature <ul><li>Encrypted with a private key and attached like a signature to a hashed message, to ensure authentication, message integrity and non-repudiation. </li></ul>
    60. 62. Hashing <ul><li>Another use of “ one way ” functions! </li></ul><ul><li>You can start from the same data and get the same result, but it is nearly impossible to work backwards </li></ul><ul><li>A hash forms a “message digest” of the data. A smaller version </li></ul><ul><li>However, the values for the one way hash function are not secret </li></ul>
    61. 63. Hash Example <ul><li>We could choose an algorithm “Sum (mod 12)” </li></ul><ul><li>123 222 143 212 (four 8 bit characters) </li></ul><ul><li>Sum = 700, mod 12  4 </li></ul><ul><li>“4” is the hash (or checksum) </li></ul>
    62. 64. Hashing Hashing algorithm A value say X Hashing algorithm Y Sender Receiver If X = Y, message sent and received are the same. X message message X=Hash Value message X message
    63. 65. PKI Components: Digital Signature (cont.) Note how the private/public key process is reversed! Compute digest from hashing algorithm Encrypt Digest Transmission Decrypt Digest Compute expecteddigest from hashing algorithm Confirm or deny integrity of message Cleartext message Sender encrypts with his private key Cleartext message Receiver decrypts w/ Sender’s public key Digital Signature Digest Digest Expected Digest
    64. 66. e-Business Security Needs <ul><li>Confidentiality </li></ul><ul><li>Authentication </li></ul><ul><ul><li>Ability to verify the identity of people/orgs. </li></ul></ul><ul><li>Data/Message Integrity </li></ul><ul><ul><li>Ensuring communications were not modified in transit/storage </li></ul></ul><ul><li>Nonrepudiation </li></ul><ul><ul><li>Parties cannot deny a communication </li></ul></ul><ul><ul><ul><li>Proof that the sender sent and proof that the receiver received </li></ul></ul></ul>Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI
    65. 67. Hierarchies of Trust <ul><li>Certificates -- Endorsements </li></ul><ul><ul><li>Digital ids issued by Certificate Authorities (CA) </li></ul></ul><ul><ul><ul><li>Public Organizations: Versign, IBM </li></ul></ul></ul><ul><ul><ul><li>Private Organizations: Federal Express </li></ul></ul></ul><ul><li>Public/Private Keys </li></ul><ul><ul><li>Two mathematically related strings of numbers </li></ul></ul><ul><li>Encryption </li></ul><ul><ul><li>The process of using digital keys to scramble digital communications </li></ul></ul>
    66. 68. PKI Components: Digital certificate <ul><li>A digital file issued to an individual or company by a certifying authority that contains the individual’s or company’s public key and verifies the individual’s or company’s identity . </li></ul><ul><ul><li>Identification information </li></ul></ul><ul><ul><li>Public key </li></ul></ul><ul><ul><li>Expiration date </li></ul></ul><ul><ul><li>The CA </li></ul></ul><ul><ul><li>All encrypted with the CA’s private key </li></ul></ul>
    67. 69. PKI Components: Certification Authority <ul><li>Certification authority (CA) </li></ul><ul><ul><li>A trusted entity (e.g., VeriSign.com) that issues and revokes public key certificates and certificate revocation lists (CRLs) </li></ul></ul><ul><li>Certificate repository (CR) </li></ul><ul><ul><li>A publicly accessible electronic database that holds information such as certificates and CRLs. </li></ul></ul>
    68. 70. e-Business Security Needs <ul><li>Confidentiality </li></ul><ul><li>Authentication </li></ul><ul><ul><li>Ability to verify the identity of people/orgs. </li></ul></ul><ul><li>Data/Message Integrity </li></ul><ul><ul><li>Ensuring communications were not modified in transit/storage </li></ul></ul><ul><li>Nonrepudiation </li></ul><ul><ul><li>Parties cannot deny a communication </li></ul></ul><ul><ul><ul><li>Proof that the sender sent and proof that the receiver received </li></ul></ul></ul>Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI
    69. 71. Putting it all together… Customer Internet merchant Certificate authority Customer’s info requests and Merchant’s info are exchanged. Customer verifies Merchant (received msg’s are signed with a hash that can be decrypted with the merchant’s public keys held by CA) Provides encrypted information for purchases ( encrypted with merchant’s public key). Credit card and message digest is signed with customer’s private key. Merchant verifies Customer (received msg’s are signed with a hash that can be decrypted with the customer’s public keys held by CA) Customer’s Public Key Merchant’s Public Key
    70. 72. More Security and Identification We’ve discussed how to ID ourselves across the Internet, but how do we ID ourselves at our “point of presence”?
    71. 73. Physical Security Means <ul><li>Physical Media </li></ul><ul><ul><li>Smartcards </li></ul></ul><ul><ul><li>Tokens </li></ul></ul><ul><li>Biometrics </li></ul><ul><ul><li>Face recognition, Retina </li></ul></ul><ul><ul><li>Voice </li></ul></ul><ul><ul><li>Fingerprints, skin chemicals </li></ul></ul><ul><ul><li>Won’t work for 1% of the population </li></ul></ul>
    72. 74. You've got security (Wired News Sep. 21, 2004) <ul><li>“ Passwords alone won't be enough to get onto America Online under a new, optional log-on service that makes AOL the first major U.S. online business to offer customers a second layer of security. The so-called two-factor authentication scheme will cost $1.95 a month in addition to a one-time $9.95 fee. It is initially targeted at small businesses, victims of identity theft and individuals who pay a lot of bills and conduct other financial transactions through their AOL accounts. Subscribers get a matchbook-size device from RSA Security displaying a six-digit code that changes every minute. The code is necessary to log on, so a scammer who guesses or steals a password cannot access the account without the device in hand. </li></ul>
    73. 76. How the SmartCard (SecurID) Works <ul><li>Time based </li></ul><ul><ul><li>Client-side and server-side components are designed to be synchronized </li></ul></ul><ul><ul><li>The server is synched with a time server </li></ul></ul><ul><ul><li>The SecurID hardware token has a built-in clock and is guaranteed for three to five years </li></ul></ul><ul><li>Each client-side 6 digit token-code is valid for sixty-seconds and one authentication per sixty-second window </li></ul>
    74. 77. How the SmartCard (SecurID) Works <ul><li>Output token code is a function of time and a seed value unique to card </li></ul><ul><ul><li>What function? A hash function! </li></ul></ul><ul><ul><li>Why? It’s “ one way ” and thus computationally infeasible to “work backwards” based upon the token codes </li></ul></ul><ul><ul><li>The server carries out the same function based upon the card’s seed and the current time </li></ul></ul><ul><ul><li>If a match, then access is authorized </li></ul></ul><ul><ul><ul><li>(Apparently the server can adjust for card time “drift”, e.g., can determine a set of values several minutes before or after current time and matches) </li></ul></ul></ul>
    75. 78. Biometrics: Face Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html
    76. 79. Biometrics: Voice Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html
    77. 80. Biometrics: Fingerprint Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html
    78. 81. Security Limitations <ul><li>True strength depends on: </li></ul><ul><ul><li>Security protocol used to invoke the encryption function </li></ul></ul><ul><ul><li>Trust in the platform executing the protocol </li></ul></ul><ul><ul><li>Cryptographic algorithm </li></ul></ul><ul><ul><li>Length of the key(s) used for encryption/decryption </li></ul></ul><ul><ul><li>Protocol used to manage/generate keys </li></ul></ul><ul><ul><li>Storage of secret keys </li></ul></ul>
    79. 82. Limitations <ul><li>Humans are the weakest link in the chain </li></ul><ul><li>In the end, everything is only ones and zeroes! </li></ul>
    80. 83. Combination is Best Security <ul><li>Something you have … </li></ul><ul><ul><li>Token (smartcard) </li></ul></ul><ul><ul><li>Biometric </li></ul></ul><ul><li>PLUS something you know </li></ul><ul><ul><li>Password </li></ul></ul><ul><ul><ul><li>Use mixture of uppercase and lowercase letters </li></ul></ul></ul><ul><ul><ul><li>Include numbers or symbols </li></ul></ul></ul><ul><ul><ul><li>Change your password every six months </li></ul></ul></ul>
    81. 84. Viruses ,Worms, and Trojan horses… <ul><li>Virus: a program that propagates itself by infecting other programs on the same computer . </li></ul><ul><ul><li>From erasing files to innocuous pop-ups </li></ul></ul><ul><li>Code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to an otherwise innocent host program. It may damage hardware, software, or information. </li></ul><ul><li>A true virus does not spread without human action to move it along, such as sharing a file or sending an e-mail (thus different from a worm) </li></ul><ul><li>Now seeing viruses on cell phones and other “non-PC” devices </li></ul><ul><li>Sony’s rootkit DRM fiasco </li></ul>
    82. 85. <ul><li>Worm: a program that propagates itself . Unlike a virus a worm can spread itself automatically over the network from one computer to the next. </li></ul><ul><ul><li>Through automatic file sending and receiving features </li></ul></ul><ul><ul><li>Essentially a Virus that can spread itself </li></ul></ul><ul><ul><li>Myspace Worm using Quicktime </li></ul></ul>Viruses, Worms and Trojan horses…
    83. 86. <ul><li>Trojan horse: programs that appear desirable but actually contain something harmful. </li></ul><ul><ul><li>Example: you may download what looks like a free game but when you run it, it erases every file in that directory. </li></ul></ul>Viruses, Worms and Trojan horses …
    84. 87. “ Symantec says the Trojan.Silentbanker has so far targeted over 400 banks around the world, but according to a blog posted by Symantec's Liam O’Murchu on January 14 [2008], the most worrying aspect is that the Trojan can perform man-in-the-middle attacks (where an attacker can read, insert and modify messages between two parties without either party knowing).” http://m-net.net.nz/2157/latest-news/latest-news/trojan.silentbanker-defeats-2-factor-authentication-attacks-400-b.php
    85. 88. A local Trojan Horse Vancouver Sun - October 6, p. A3
    86. 89. Questions? Comments?