Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
821
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
34
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.
  • 2. Objectives
    • To introduce the basics E-Commerce security issues and web entity authentication
  • 3. Outline
    • Why is security such an issue?
    • Physical security
    • IT Security Basics – Firewalls
    • Public Key Cryptography
    • SSL – Secure Socket Layer
    • SET – Secure Electronic Transactions
  • 4. Why is Security an Issue?
    • The Internet lets you travel outside of your network and others travel in – Those travelers are not all friendly!
    • Critical and private information can be snooped — sniffed
    • Information can be deleted or destroyed
    • The Internet provides an opportunity for anonymous and rapid theft of lots of money
  • 5. How many categories/classes of security invasions/breaches can you find?
    • User/password – shoulder surfing
    • Trojan horses
    • Password breaking (various strategies)
    • Denial of service attacks – flood the server with requests
    • Packet sniffing on net (wire tap, wireless recon.)
    • Spoofing websites
    • Dumpster diving – garbage search
  • 6. How many categories/classes of security invasions/breaches can you find?
    • Hacking user IDs and passwords
    • Denial of service/access
    • Physical invasion of a data centre
    • Social Engineering – exploit human good nature to get info you should not have
    • Internet Packet Sniffing
    • Taking advantage of known frailties in systems
      • Domain Hijacking – impersonating another legitimate domain
      • Buffer Overflows
      • Viruses
    • Attacks by employees
  • 7. Components of Security Diagram by Konstantin Beznosov
  • 8. Five Major Requirements of a Secure Transaction
    • Privacy – how to ensure information has not been captured by a third party
    • Integrity – how to ensure the information has not been altered in transit
    • Authentication – how to ensure the identity of the sender and receiver
    • Authorization – how to ensure a user has the authority to access / update information
    • Non-repudiation – how do you legally prove that a message was sent or received
  • 9. Physical Security
    • Large mainframe systems have always had adequate physical security
    • The transition from LAN to WAN to Internet has caused new interest in these methods
    • Physical security means locked doors and security personnel
    • Options are to host on a secure ISP/ASP ( InternetHosting .com )
  • 10. IT Security Basics
    • Avoidance – preventing a security breach
      • Using a firewall system to frontend your intranet (or LAN) to the Internet
    • Minimization – early warning signals and action plans so as to reduce exposure
      • Attempted to access secure directories
    • Recovery - regular backups should be made and recovery periodically tested
  • 11. Using a Firewall
      • A firewall server or router acts as an electronic security cop
      • No machine other than firewall is directly accessible from Internet
      • May also function as a “proxy” server allowing intranet systems to access only portions of the Internet
      • Internet security methods are focused at the firewall reducing cost and admin overhead
  • 12. Security through HTTPS Browser Client 1 Server A HTTP TCP/IP HTTP Server App. Server Fire Wall Server Server C Server B
  • 13. IT Security Basics
    • Passwords (and potentially User Ids) should be forced to change periodically
    • Passwords should be difficult to guess
      • Try to create passwords such as:
      • To Be or Not To Be  2bon2b
    • Databases should be secured in terms of access rights to data (usually by individual or group)
  • 14. IT Security Basics
    • Software, particularly low layer components such as the operating system and DBMS, should be kept to recent patch levels
    • Access from dial-in lines should be limited and if possible call-back systems can be used
  • 15. Cryptography
    • Cryptography or ciphering is an ancient method of encoding a message — only a receiver with a key can decipher the content
    • A single (symmetric) secret key is used to encrypt and decrypt
    • Requires the communication of the key between sender and receiver!
    • Basis of nuclear war-head command and control security
  • 16.
    • 14-15-17-12
    • 12-14-1-14-9-25-9-2-14
    • 17-12
    • 11-1-23-12-9
  • 17. Public Key Cryptography
    • In 1976 Diffie & Hellman at Stanford U. developed public-key cryptography
    • Asymmetric:
      • Private key – kept secret by owner
      • Public key – distributed freely to all who wish to send
      • Generated by computer algorithm, so a mathematical relation exists between them ... however ...
      • It is computationally difficult to determine the private key from the public key, even with knowledge of the encryption algorithm
  • 18. Public Key Cryptography
    • The keys come in the form of tightly coupled pairs which anyone can generate using methods such as RSA, SHA-1, DSA (RSA is most common)
      • Javascript demo: http://shop-js.sourceforge.net/crypto2.htm
    • There is only one public key corresponding to any one private key and vice versa
    • Sender encodes data using public key of receiver
    • Receiver decodes data using unique private key, no one else can do the same
    • This ensures integrity of the data
  • 19. Authentication
    • How can you be sure that the person sending the encrypted data is who they say they are
    • This requires some method of authenticating the identity of the sender
    • The solution is for the sender to “sign” the data using his/her private key – the data is encrypted using the sender’s private key
    • The receiver validates (decrypts the data) the “signature” using the sender’s public key
    • This will work as long as receiver can be sure the sender’s public key belongs to the sender and not an imposter … enter PKI
  • 20. Integrity and Authentication
    • Example: Consider a merchant wants to send a secure message to a customer:
      • Merchant encrypts message using customer’s public key
      • Merchant then signs message by encrypting with their private key
      • Customer decrypts using the merchants public key to prove authenticity of sender
      • Customer decrypts using their private key to ensure integrity of message
  • 21. PKI – Public Key Infrastructure
    • Integrates PK cryptography with digital certificates and certificate authorities (CA)
    • Digital certificate = issued by a CA, includes user name, public key, serial number, expiration date, signature of trusted CA (message encrypted by CA’s private key)
    • Receipt of a valid certificate is proof of identity – can be checked at CAs sight
    • www.verisign.com is major player
  • 22. Model for Network Security Information Channel Message Secret Information Message Secret Information Sender Receiver Trusted Third Party Authentication or Certificate Authority Opponent
  • 23. Security and HTTPS
    • Certificate is an entity’s public key plus other identification (name, CA signature)
    • SSL – Secure Socket Layer
      • Lies between TCP/IP and HTTP and performs encryption
    • HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443)
  • 24. Security through HTTPS Browser Database Server Client 1 Server A URL HTTP TCP/IP HTTP Server App. Server index.html Bank Server Dedicated prog.jsp HTTPS port = 80 port = 443
  • 25. SSL – Secure Socket Layer
    • Client makes HTTPS connection to server
    • Server sends back SSL version and certificate
    • Client checks if certificate from CA
    • Client creates session “premaster secret”, encrypts it and sends it to server and creates “master secret”
    • Server uses its private key to decrypt “premaster secret” and create the same “master secret”
    • The master secret is used by both to create session keys for encryption and decryption
  • 26. SET – Secure Electronic Transfer
    • Developed by Visa & Mastercard
    • Designed to protect E-Comm transactions
    • SET uses digital certificates to authenticate customer, merchant and financial institution
    • Merchants must have digital certificate and special SET software
    • Customers must have digital certificate and SET e-Wallet software
  • 27. Major Architectural Components of the Web Internet Browser Database Server Client 1 Server A Server B Bank Server URL HTTP TCP/IP Browser Client 2 HTTP Server App. Server index.html Bank Server prog.jsp
  • 28. Resources / References
    • RSA demos: http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/
    • http://islab.oregonstate.edu/koc/ece575/02Project/Mor/
  • 29. THE END [email_address]