Security Fundamentals for E-Commerce
For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce (e-commerce). Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW by the following URL:

Also, if you'd like to contribute to the series and write a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Computer Security Series
Rolf Oppliger, Series Editor

Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas
Security Fundamentals for E-Commerce, Vesna Hassler
Security Technologies for the World Wide Web, Rolf Oppliger

For a complete listing of the Artech House Computing Library, turn to the back of this book.
Security Fundamentals for E-Commerce
Vesna Hassler
Pedrick Moore, Technical Editor
Artech House, Boston • London
Library of Congress Cataloging-in-Publication Data
Hassler, Vesna.
Security fundamentals for E-commerce / Vesna Hassler; Pedrick Moore, technical editor.
p. cm. — (Artech House computer security series)
Includes bibliographical references and index.
ISBN 1-58053-108-3 (alk. paper)
1. Electronic commerce—Security measures. 2. Broadband communication systems. I. Moore, Pedrick. II. Title. III. Series.
HF5548.32 .H375 2000
658.8'4—dc21 00-064278 CIP

British Library Cataloguing in Publication Data
Hassler, Vesna
Security fundamentals for e-commerce. — (Artech House computer security series)
1. Business enterprises—Computer networks—Security measures 2. Electronic commerce—Security measures 3. Broadband communication systems
I. Title II. Moore, Pedrick
005.8
ISBN 1-58053-406-6

Cover design by Wayne McCaul

© 2001 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-108-3
Library of Congress Catalog Card Number: 00-064278

10 9 8 7 6 5 4 3 2 1
To my families, Ristić and Hassler

Contents

Preface xix
What is covered in this book xix
Is security an obstacle to e-commerce development? xx
Why I wrote this book xxi
Some disclaimers xxi
How to read this book xxi
Acknowledgements xxii

Part 1 Information Security 1

1 Introduction to Security 3
1.1 Security Threats 3
1.2 Risk Management 4
1.3 Security Services 5
1.4 Security Mechanisms 6

2 Security Mechanisms 11
2.1 Data Integrity Mechanisms 11
2.1.1 Cryptographic Hash Functions 12
2.1.2 Message Authentication Code 14
2.2 Encryption Mechanisms 15
2.2.1 Symmetric Mechanisms 15
2.2.2 Public Key Mechanisms 24
2.3 Digital Signature Mechanisms 36
2.3.1 RSA Digital Signature 37
2.3.2 Digital Signature Algorithm 38
2.3.3 Elliptic Curve Analog of DSA 40
2.3.4 Public Key Management 41
2.4 Access Control Mechanisms 41
2.4.1 Identity-Based Access Control 42
2.4.2 Rule-Based Access Control 43
2.5 Authentication Exchange Mechanisms 43
2.5.1 Zero-Knowledge Protocols 44
2.5.2 Guillou-Quisquater 44
2.6 Traffic Padding Mechanisms 45
2.7 Message Freshness 46
2.8 Random Numbers 47

3 Key Management and Certificates 51
3.1 Key Exchange Protocols 51
3.1.1 Diffie-Hellman 52
3.1.2 Elliptic Curve Analog of Diffie-Hellman 53
3.2 Public Key Infrastructure 53
3.2.1 X.509 Certificate Format 54
3.2.2 Internet X.509 Public Key Infrastructure 59
3.3 Encoding Methods 61

Part 2 Electronic Payment Security 65

4 Electronic Payment Systems 67
4.1 Electronic Commerce 67
4.2 Electronic Payment Systems 68
4.2.1 Off-line Versus Online 69
4.2.2 Debit Versus Credit 70
4.2.3 Macro Versus Micro 70
4.2.4 Payment Instruments 70
4.2.5 Electronic Wallet 75
4.2.6 Smart Cards 75
4.3 Electronic Payment Security 76

5 Payment Security Services 79
5.1 Payment Security Services 79
5.1.1 Payment Transaction Security 81
5.1.2 Digital Money Security 83
5.1.3 Electronic Check Security 83
5.2 Availability and Reliability 84

6 Payment Transaction Security 85
6.1 User Anonymity and Location Untraceability 85
6.1.1 Chain of Mixes 86
6.2 Payer Anonymity 88
6.2.1 Pseudonyms 88
6.3 Payment Transaction Untraceability 90
6.3.1 Randomized Hashsum in iKP 90
6.3.2 Randomized Hashsum in SET 90
6.4 Confidentiality of Payment Transaction Data 91
6.4.1 Pseudorandom Function 91
6.4.2 Dual Signature 93
6.5 Nonrepudiation of Payment Transaction Messages 95
6.5.1 Digital Signature 96
6.6 Freshness of Payment Transaction Messages 98
6.6.1 Nonces and Time Stamps 98

7 Digital Money Security 101
7.1 Payment Transaction Untraceability 101
7.1.1 Blind Signature 102
7.1.2 Exchanging Coins 102
7.2 Protection Against Double Spending 103
7.2.1 Conditional Anonymity by Cut-and-Choose 103
7.2.2 Blind Signature 104
7.2.3 Exchanging Coins 104
7.2.4 Guardian 105
7.3 Protection Against Forging of Coins 110
7.3.1 Expensive-to-Produce Coins 110
7.4 Protection Against Stealing of Coins 111
7.4.1 Customized Coins 111

8 Electronic Check Security 119
8.1 Payment Authorization Transfer 119
8.1.1 Proxies 120

9 An Electronic Payment Framework 125
9.1 Internet Open Trading Protocol (IOTP) 125
9.2 Security Issues 127
9.3 An Example With Digital Signatures 128

Part 3 Communication Security 133

10 Communication Network 135
10.1 Introduction 135
10.2 The OSI Reference Model 136
10.3 The Internet Model 138
10.4 Networking Technologies 141
10.5 Security at Different Layers 143
10.5.1 Protocol Selection Criteria 145
10.6 Malicious Programs 146
10.6.1 The Internet Worm 147
10.6.2 Macros and Executable Content 149
10.7 Communication Security Issues 149
10.7.1 Security Threats 150
10.7.2 Security Negotiation 153
10.7.3 TCP/IP Support Protocols 154
10.7.4 Vulnerabilities and Flaws 154
10.8 Firewalls 157
10.9 Virtual Private Networks (VPN) 158

11 Network Access Layer Security 161
11.1 Introduction 161
11.2 Asynchronous Transfer Mode (ATM) 162
11.2.1 ATM Security Services 164
11.2.2 Multicast Security 169
11.2.3 ATM Security Message Exchange 169
11.2.4 ATM VPN 169
11.3 Point-to-Point Protocol (PPP) 170
11.3.1 Password Authentication Protocol (PAP) 173
11.3.2 Challenge-Handshake Authentication Protocol (CHAP) 174
11.3.3 Extensible Authentication Protocol (EAP) 176
11.3.4 Encryption Control Protocol (ECP) 179
11.4 Layer Two Tunneling Protocol (L2TP) 179

12 Internet Layer Security 185
12.1 Introduction 185
12.2 Packet Filters 186
12.2.1 Filtering Based on IP Addresses 186
12.2.2 Filtering Based on IP Addresses and Port Numbers 188
12.2.3 Problems With TCP 191
12.2.4 Network Address Translation (NAT) 195
12.3 IP Security (IPsec) 196
12.3.1 Security Association 197
12.3.2 The Internet Key Exchange (IKE) 199
12.3.3 IP Security Mechanisms 204
12.4 Domain Name Service (DNS) Security 210
12.5 Network-Based Intrusion Detection 210
12.5.1 Network Intrusion Detection Model 212
12.5.2 Intrusion Detection Methods 213
12.5.3 Attack Signatures 215

13 Transport Layer Security 221
13.1 Introduction 221
13.2 TCP Wrapper 222
13.3 Circuit Gateways 223
13.3.1 SOCKS Version 5 223
13.4 Transport Layer Security (TLS) 225
13.4.1 TLS Record Protocol 226
13.4.2 TLS Handshake Protocol 227
13.5 Simple Authentication and Security Layer (SASL) 232
13.5.1 An Example: LDAPv3 With SASL 233
13.6 Internet Security Association and Key Management Protocol (ISAKMP) 235
13.6.1 Domain of Interpretation (DOI) 235
13.6.2 ISAKMP Negotiations 236

14 Application Layer Security 243
14.1 Introduction 243
14.2 Application Gateways and Content Filters 244
14.3 Access Control and Authorization 245
14.4 Operating System Security 246
14.5 Host-Based Intrusion Detection 249
14.5.1 Audit Records 249
14.5.2 Types of Intruders 249
14.5.3 Statistical Intrusion Detection 250
14.6 Security-Enhanced Internet Applications 251
14.7 Security Testing 251

Part 4 Web Security 255

15 The Hypertext Transfer Protocol 257
15.1 Introduction 257
15.2 Hypertext Transfer Protocol (HTTP) 258
15.2.1 HTTP Messages 260
15.2.2 Headers Leaking Sensitive Information 262
15.2.3 HTTP Cache Security Issues 263
15.2.4 HTTP Client Authentication 264
15.2.5 SSL Tunneling 267
15.3 Web Transaction Security 268
15.3.1 S-HTTP 270

16 Web Server Security 273
16.1 Common Gateway Interface 274
16.2 Servlets 276
16.3 Anonymous Web Publishing: Rewebber 277
16.4 Database Security 277
16.5 Copyright Protection 280

17 Web Client Security 285
17.1 Web Spoofing 286
17.2 Privacy Violations 287
17.3 Anonymizing Techniques 288
17.3.1 Anonymous Remailers 289
17.3.2 Anonymous Routing: Onion Routing 290
17.3.3 Anonymous Routing: Crowds 291
17.3.4 Web Anonymizer 295
17.3.5 Lucent Personalized Web Assistant (LPWA) 295

18 Mobile Code Security 299
18.1 Introduction 299
18.2 Helper Applications and Plug-Ins 302
18.3 Java 302
18.3.1 Java Safety 304
18.3.2 Java Type Safety 305
18.3.3 Java Threads and Timing Attacks 307
18.3.4 Java Applets 308
18.3.5 Malicious and Hostile Applets 309
18.3.6 Stack Inspection 310
18.3.7 Protection Domains in JDK 1.2.x 312
18.3.8 Writing Secure Applications in Java 314
18.4 ActiveX Controls and Authenticode 315
18.5 JavaScript 316

19 Web-Based E-Commerce Concepts 321
19.1 Introduction 321
19.2 XML-Based Concepts 322
19.3 Micropayment Markup 324
19.4 Joint Electronic Payments Initiative (JEPI) 324
19.5 Java Commerce 325

Part 5 Mobile Security 329

20 Mobile Agent Security 331
20.1 Introduction 331
20.2 Mobile Agents 333
20.3 Security Issues 334
20.4 Protecting Platforms From Hostile Agents 336
20.5 Protecting Platforms From Agents Tampered With by Hostile Platforms 337
20.5.1 Path Histories 337
20.5.2 State Appraisal 338
20.5.3 Signing of Mutable Agent Information 338
20.6 Protecting Agents From Hostile Platforms 339
20.6.1 Cryptographic Traces 340
20.6.2 Partial Result Chaining 341
20.6.3 Environmental Key Generation 343
20.6.4 Computing With Encrypted Functions 344
20.6.5 Code Obfuscation 344
20.6.6 Tamper-Resistant Hardware 345
20.6.7 Cooperating Agents 345
20.6.8 Replicated Agents 346
20.7 Standardization Efforts 348

21 Mobile Commerce Security 353
21.1 Introduction 353
21.2 Technology Overview 354
21.3 GSM Security 356
21.3.1 Subscriber Identity Confidentiality 359
21.3.2 Subscriber Identity Authentication 359
21.3.3 Data and Connection Confidentiality 360
21.4 Wireless Application Protocol 361
21.4.1 Wireless Transport Layer Security (WTLS) 363
21.4.2 WAP Identity Module 364
21.4.3 WML Security Issues 364
21.5 SIM Application Toolkit 364
21.6 Mobile Station Application Execution Environment (MExE) 365
21.7 Outlook 366

22 Smart Card Security 369
22.1 Introduction 369
22.2 Hardware Security 371
22.3 Card Operating System Security 373
22.4 Card Application Security 374
22.5 Java Card 376
22.6 SIM Card 377
22.7 Biometrics 377
22.7.1 Physiological Characteristics 381
22.7.2 Behavioral Characteristics 382

Afterword 385
About the Authors 389
Index 391
Preface

During the last year there has hardly been an issue of a computer or business magazine not flooded with buzzwords like "e-commerce," "Internet," "Web," or "security." E-commerce (electronic commerce) is a result of moving the economy to a new medium, namely the computer network. For the most part, interconnected networks all over the world use a common set of protocols (i.e., TCP/IP), thus making up the Internet. The World Wide Web (WWW, or simply the Web), which started as a client-server application, has turned into a new platform providing virtual information centers, shopping malls, marketplaces, stock markets, and the like. Recently, the Internet has started to spread "over the air," or merge with the mobile communication network, thus opening up new vistas for a ubiquitous "e-conomy."

What is covered in this book

E-commerce can take place between companies and customers (business-to-customer), between companies (business-to-business), or between customers/companies and public administration (e-government). A typical e-commerce transaction involves information about goods or services, offers, ordering, delivery, and payment. Obviously, since these processes take place in a public and therefore untrusted network, there are many security issues involved, such as verification of the identities of the participants, or protection of data in transfer. Security issues in e-commerce applications can mostly be found in many other network applications as well. Some security requirements are, however, specific to e-commerce and demand specially tailored security concepts (e.g., electronic payment). The purpose of this book is to give an in-depth overview of all the basic security problems and solutions that can be relevant for an e-commerce application.

Is security an obstacle to e-commerce development?

I do not consider IT (Information Technology) security to be the main obstacle to widespread use of e-commerce. Many people do take that view, however, mainly because of the frequent reports on security incidents¹ and denial-of-service attacks.² One "positive" consequence of such attacks is that certain governments have now recognized the importance of a common network security infrastructure, because vulnerabilities at one place on the network can create risks for all.³ Security technologies are, for the most part, sufficiently mature for e-commerce. To some extent they are also standardized to ensure at least minimal interoperability (e.g., X.509 certificate format), although more work on profiling has to be done to ensure true interoperability. Basic security technologies are, however, not yet backed by appropriate international legislation. For example, there is no international legal framework for the acceptance of digital signatures. This is unfortunately not restricted to security, because other aspects of e-commerce transactions, such as taxation, liability, and ownership, are also not regulated in many countries. Another problem is that some countries control or even prohibit the use and the export of cryptography. Many governments now seem to have realized that this is an obstacle to economic development. The U.S. government, for example, finally relaxed export regulations significantly in January 2000 (e.g., Netscape 4.7 can now be exported with 128-bit encryption keys). Furthermore, IT products with security functionality supporting critical tasks should be carefully evaluated and certified by trusted third parties, as is common for products such as elevators or trains, i.e., for safety-critical systems in general. Finally, security is an area requiring constant supervision and upgrading, in view of the steady increase in computing power and improvement in crackers' skills.⁴

Why I wrote this book

My main motivation for writing this book was to support my lecture on network and e-commerce security at the Technical University of Vienna. There are many useful works on individual aspects of e-commerce security such as cryptography, network or Web security, or electronic payment systems. Nevertheless, I wanted a book I could recommend to my students that would cover (and update) all topics that I considered relevant. It can be said that this book is the result of my eight years of experience teaching computer and network security at the graduate level. The book is also intended for all IT professionals and others with some technical background who are interested in e-commerce security.

Some disclaimers

This book does not cover all aspects of e-commerce, nor does it discuss specific e-commerce models and their particular security requirements. As its name says, the book deals with the fundamental security issues that one must consider when developing an e-commerce application. It does not always provide a detailed discussion of the security topics mentioned, but gives references instead. Whenever possible, I also provide URLs, but unfortunately I cannot guarantee that they will still be valid at the time of reading. In addition, draft documents representing work in progress (e.g., by IETF, W3C, and other standardization bodies) may also be expired or no longer available. Throughout the book I have mentioned certain company or product names: their sole purpose is to provide examples, not to give preference over other companies or products.

How to read this book

The book has five parts. Each part can be read individually, but each builds upon the previous parts. For example, the basic security mechanisms are explained in Part 1, so they are not explained again when mentioned elsewhere. It is not necessary to study all of the math in Part 1 to understand other parts of the book. It is sufficient, for example, to read the beginning of a section explaining a specific security mechanism to get an idea of the mechanism's purpose. Part 2 concentrates on the specific security requirements of electronic payment systems. Part 3 addresses communication security, i.e., security issues in transferring data over an insecure network. Part 4 gives an overview of Web-related security issues and solutions. Finally, Part 5 deals with mobility aspects of both the code (mobile agents) and the customer (mobile devices and smart cards) from the security point of view.

Acknowledgements

I am deeply grateful to all those who supported me, directly and indirectly, in writing this book. Here I mention only some of them. Special thanks to Rolf Oppliger for introducing me to Artech House, encouraging me to write the book, and supporting my proposal until it was accepted. He was a great reviewer and helped me enormously to improve the quality of the content by his expert advice and many useful and important references. Special thanks to Peddie Moore for her friendship and the great moral support from the very beginning of the project. She not only improved the language and the style of the text, but also helped me correct many ambiguous or imperfect explanations. Thanks to Matthew Quirk for supporting Peddie and reviewing our work. Many thanks to Viki Williams, Susanna Taggart, and Ruth Young of Artech for their very professional and kind support. Thanks to my colleagues, Oliver Fodor and Herbert Leitold, for helping me find several important references. Many thanks to Prof. Mehdi Jazayeri, my department head, and my colleagues from the Distributed Systems Group for their support and understanding. Thanks to my students who attended the e-commerce security lecture for their interesting classroom discussions. Finally, very special thanks to my husband Hannes for his support, love, understanding, the many good technical books he bought for our home library, and excellent cooking during the numerous weekends I spent working at home.

I hope that you will enjoy reading the book, and that you will learn something from it. I am grateful for any feedback. You can reach me

Vesna Hassler
Vienna, October 2000

1. http://www.cert.org
4. In technical circles, a "hacker" refers to someone who tries to break into a computer system purely for the challenge, to prove that it can be done. A "cracker," on the other hand, breaks into a system with malicious intent.
Part 1
Information Security

The Internet is a large and convenient network for transferring data and therefore seems to provide an ideal infrastructure for electronic commerce. Unfortunately, it is also a public and very insecure infrastructure, so data in transfer used for e-commerce must be protected by some form of information security. Part 1 explains basic information security services and cryptographic techniques to implement them.
1
Introduction to Security

This chapter presents a brief introduction to information security and explains the fundamental terms. It gives an overview of the basic information security services and security mechanisms that can be used to support a specific security policy.

1.1 Security Threats

Why would someone need a special security functionality? What can happen if he doesn't have it? Systems can be exposed to many different types of threats or attacks. The term system here means a service available in a communication network, such as the Internet. It may be a logon service offered by a computer running a specific operating system, or a virtual shopping mall on a merchant's Web site. The users and providers of such services, including human users, computers (hosts), and computer processes, are known as principals. Attacks on a system can be classified as several types:

Eavesdropping—intercepting and reading messages intended for other principals;
Masquerading—sending/receiving messages using another principal's identity;
Message tampering—intercepting and altering messages intended for other principals;
Replaying—using previously sent messages to gain another principal's privileges;
Infiltration—abusing a principal's authority in order to run hostile or malicious programs;
Traffic analysis—observing the traffic to/from a principal;
Denial-of-service—preventing authorized principals from accessing various resources.

1.2 Risk Management

The process of enhancing a system with security functionality always begins with a thorough analysis of the most probable threats and the system's vulnerabilities to them. Risk analysis [1] evaluates the relationship between the seriousness of a threat, its frequency of occurrence (probability), and the cost of implementing a suitable protection mechanism. Seriousness can be measured by the cost of repairing any damage caused by a successful attack. Table 1.1 shows a simplified analysis of the total cost (1 means lowest total cost, 9 means highest) that could be caused by a particular attack. This measure is sometimes referred to as the risk level, and the whole process is called risk management. Obviously, if an attack is likely to occur often and is very serious, it will be expensive to recover from. Consequently, it will pay off to implement suitable protection.

Risk analysis should be done in the planning phase, before a specific security solution is implemented. However, since most systems that need protection are quite complex, it is impossible to be completely sure that the security measures implemented are sufficient. The Internet is a constantly changing environment, also from the security perspective; new vulnerabilities and new, more efficient, attacks are being discovered all the time. It is the role of compliance management to analyze whether the security functionality in place offers the kind of protection it is expected to.

Table 1.1 Risk Levels 1-9

                       Threat probability
Seriousness      Seldom    Not often    Often
Not serious        1           2          3
Serious            4           5          6
Very serious       7           8          9

1.3 Security Services

On the basis of the results of risk analysis, one can define a security policy that clearly specifies what must be secured [2]. A security policy usually cannot cover all possible risks to the system, but it represents a reasonable trade-off between risks and available resources. The functions that enforce the security policy are referred to as security services. The services are implemented by security mechanisms that are in turn realized by cryptographic algorithms and secure protocols. The International Organization for Standardization¹ defines the following basic security services [3]:

Authentication—ensures that a principal's identity or data origin is genuine;
Access control—ensures that only authorized principals can gain access to protected resources;
Data confidentiality—ensures that only authorized principals can understand the protected data (also called privacy);
Data integrity—ensures that no modification of data has been performed by unauthorized principals;
Nonrepudiation—ensures that a principal cannot deny having performed some action on the data (e.g., authoring, sending, receiving).

An authentication service can ensure that a communication party is really what it claims to be. This type of authentication is called peer entity authentication. If an authentication service delivers proof that a piece of information originates from a certain source, it is called data origin authentication.

Data confidentiality services may also be of different types.
To ensure confidentiality between two communication parties that establish a communication channel, a connection confidentiality service is employed. If the communication channel is only logical, the service is referred to as connectionless confidentiality. If only certain parts of messages to be exchanged must be protected, a selective field confidentiality service is needed. For example, when HTTP messages are SSL-protected, there is connection confidentiality; if only some parts of HTTP messages are encrypted (e.g., by S-HTTP), there is selective field confidentiality. Traffic flow confidentiality protects against traffic analysis.

Similar to data confidentiality services, data integrity services are different for connection-oriented and connectionless protocols. For connection-oriented protocols they may even provide message recovery. Data integrity services can also protect selected fields of messages only.

According to the ISO, nonrepudiation services can prevent denial of the origin of data or the delivery of data. There are two additional possibilities: nonrepudiation of submission and nonrepudiation of receipt. However, they require a very complex infrastructure and are not discussed in this book.

1. ISO,

1.4 Security Mechanisms

Security mechanisms can be specific or pervasive. The following specific security mechanisms can be used to implement security services:

Encryption mechanisms;
Digital signature mechanisms;
Access control mechanisms;
Data integrity mechanisms;
Authentication exchange mechanisms;
Traffic padding mechanisms;
Routing control mechanisms;
Notarization mechanisms.

Encryption mechanisms protect the confidentiality (or privacy) of data. An encryption mechanism always uses a key available only to a defined group of people. Such a group can consist of one person (the receiver of the encrypted data) or several people (e.g., all parties involved in a communication session).

As will be explained later, a digital signature is even more powerful than a hand-written signature. It can be generated by a special digital signature mechanism as well as by some encryption mechanisms.
Authentication can be based on an encryption mechanism, but for political reasons this is not always legal or desirable. Therefore several mechanisms have been developed whose only purpose is authentication exchange.

Access control mechanisms are closely connected with authentication. Each principal is assigned a set of access permissions or rights (e.g., read, write, execute). Each access to a protected resource is mediated by a central computing facility called a reference monitor. In order to be able to use its access permissions, a principal has to be successfully authenticated first. If access control is implemented correctly, most infiltration attacks pose no danger.

Data integrity mechanisms protect data from unauthorized modification. They can, for example, use digital signatures of message digests computed by a cryptographic hash function.

Traffic padding mechanisms offer protection against traffic analysis. Sometimes an adversary can draw conclusions from observing, for example, a change in the amount of data exchanged between two principals. Therefore it may be advisable to generate "dummy" traffic to keep the level approximately constant, so that the adversary cannot gain any information.

A routing control mechanism makes it possible to choose a specific path for sending data through a network. In this way, trusted network nodes can be selected so that the data is not exposed to security attacks. Moreover, if data entering a private network has no appropriate security label, the network administrator can decide to reject it.

Notarization mechanisms are provided by a third-party notary that must be trusted by all participants. The notary can assure integrity, origin, time or destination of data. For example, a message that has to be submitted by a specific deadline may be required to bear a time stamp from a trusted time service proving the time of submission. The time service could affix a time stamp and, if necessary, also digitally sign the message.

The following sections of this chapter describe most of the specific security mechanisms and explain some of the most frequently used cryptographic techniques for their implementation. Routing control mechanisms are not described in detail since they use a combination of authentication and access control mechanisms as well as certain other mechanisms that are outside the scope of this book. Nor are notarization mechanisms considered further, since they are based on authentication and nonrepudiation mechanisms.

The ISO standard [3] defines the placement of security services and mechanisms in the OSI (Open Systems Interconnection) seven-layer reference model. Some services may be provided at more than one layer if the effect on security is different (Table 1.2 [4]).
  28. 28. 8 Security Fundamentals for E-Commerce Table 1.2 Placement of Security Services in the OSI 7-Layer Reference Model Application Presentation Session Transport Nonrepudiation of Delivery Network Nonrepudiation of Origin Data Link Selective Field ConfidentialityPhysical Selective Field Connection Y Integrity Selective Field FL Connection Connectionless Integrity Connection AM Integrity with Integrity with Recovery Recovery Peer Entity Peer Entity Peer Entity Authentication Authentication Authentication TE Data Origin Data Origin Data Origin Authentication Authentication Authentication Access Control Access Control Access Control Service Service Service Connection Integrity Connection Integrity Connection without Recovery without Recovery Integrity without Recovery Connectionless Connectionless Connectionless Integrity Integrity Integrity Connectionless Connectionless Connectionless Connectionless Confidentiality Confidentiality Confidentiality ConfidentialityConnection Connection Connection Connection ConnectionConfidentiality Confidentiality Confidentiality Confidentiality ConfidentialityTraffic Flow Traffic Flow Traffic FlowConfidentiality Confidentiality Confidentiality Pervasive security mechanisms are not specific to any particular securityservice. Trusted functionality mechanisms provide a trusted computing basefor performing security-critical operations. Security labels indicate the sensi-tivity level of data (e.g., top secret). Security recovery includes measures suchas blacklisting of hosts or users, or disconnection from a public network. Asecurity audit provides constant supervision of the security-critical activitiesin a system under protection. Its task is also to test for adequacy of systemcontrols and compliance with the established security policy (compliancemanagement). The results of auditing are referred to as the security audit trail Team-Fly®
(e.g., log files). Finally, the role of event detection or intrusion detection is to observe specific security violations or potentially dangerous events, or the number of occurrences of a specific event. For example, if the security policy of a LAN does not permit users to log in from outside the network, it is possible to detect any such attempts by automatically searching the log files for login attempts where the user domain is different from the local one.

Security mechanism management, as specified in the ISO standard, is concerned with the management of individual mechanisms. One of its most important functions is key management, which involves the generation and secure distribution of cryptographic keys.

References

[1] Ekenberg, L., and M. Danielson, "Handling Imprecise Information in Risk Management," in Information Security – the Next Decade, Eloff, J. H. P., and S. H. von Solms (eds.), London: Chapman & Hall, 1995.
[2] Muftić, S., Security Mechanisms for Computer Networks, Chichester: Ellis Horwood Ltd., 1989.
[3] International Organization for Standardization, Information Technology – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture, ISO IS 7498-2, 1989.
[4] Hassler, V., Aspects of Group Communications Security, Ph.D. dissertation, Graz University of Technology, Graz, Austria, 1995.
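The LAN login policy used as the event det​ection example above is easy to turn into an automated audit-trail check. The following Python code is an added example, not from the book: it assumes a constructed log-line format and a constructed local domain name, parses a small sample audit trail and flags every login attempt whose user domain is not the local one, also counting occurrences per offending user.

```python
import re
from collections import Counter
from typing import List, Tuple

LOCAL_DOMAIN = "corp.example"   # constructed: the LAN's own user domain

# Constructed sample of an audit trail (log file) of login attempts.
SAMPLE_LOG = """\
1999-09-10T08:01:12 login user=alice@corp.example src=10.0.0.5 result=success
1999-09-10T08:03:40 login user=bob@corp.example src=10.0.0.9 result=failure
1999-09-10T08:05:02 login user=mallory@evil.example src=192.0.2.77 result=failure
1999-09-10T08:05:09 login user=mallory@evil.example src=192.0.2.77 result=failure
1999-09-10T08:07:55 login user=carol@partner.example src=198.51.100.3 result=success
"""

# Constructed line format: timestamp, "login", user@domain, source address, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>[^@\s]+)@(?P<domain>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn each audit-trail line into a dict; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def external_logins(entries: List[dict], local_domain: str = LOCAL_DOMAIN) -> List[dict]:
    """The policy violation described in the text: a login attempt whose user
    domain differs from the local one (compared case-insensitively)."""
    return [e for e in entries if e["domain"].lower() != local_domain.lower()]


def violation_counts(entries: List[dict], local_domain: str = LOCAL_DOMAIN) -> List[Tuple[str, int]]:
    """Number of occurrences of the event per offending user, most frequent first."""
    counter = Counter(f'{e["user"]}@{e["domain"]}'
                      for e in external_logins(entries, local_domain))
    return counter.most_common()


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in external_logins(log):
        print(f'{e["ts"]} external login attempt: {e["user"]}@{e["domain"]} from {e["src"]} ({e["result"]})')
    print(violation_counts(log))
```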
2 Security Mechanisms

This chapter deals with security mechanisms that can be used to realize information security services. It first explains which cryptographic systems or cryptosystems are suitable for implementation and then describes the most widely used ones in detail.

2.1 Data Integrity Mechanisms

One way to protect data integrity is to use an encryption mechanism (e.g., DES in CBC mode, see Section 2.2). In this way both data integrity and data confidentiality are ensured. Unfortunately, encryption alone is not secure enough because of the possibility of bit flipping attacks [1]. If no authentication is provided, an attacker can flip bits in the ciphertext (i.e., exchange "0" for "1" or vice versa) without being detected. If the encrypted plaintext is not a human-readable message but a string automatically processed by a running program, the result from decryption of the altered ciphertext can potentially be interpreted in such a way as to cause serious damage to the program or the receiving host. The protection is either to add some authentication information to the plaintext before encryption or, if only integrity protection is required, to send the original message together with the ciphertext.

Another way to ensure integrity is to use a digital signature mechanism (see Section 2.3). Digital signatures provide not only data integrity but also
nonrepudiation. If only data integrity is desired, without confidentiality or nonrepudiation, it can be achieved by applying a message authentication code (MAC) based on a cryptographic hash function to the data to be protected (see Section 2.1.2). In general, cryptographic hash functions are very fast—far faster than encryption mechanisms.

2.1.1 Cryptographic Hash Functions

If a cryptographic hash function is applied to an input value of any length (up to a maximum possible length, for example $2^{64}$ for SHA-1), the resulting output value will always be of a constant length (for example, 160 bit for SHA-1). This fixed-length output is referred to as the message digest or checksum, or hashsum. Since the set of all possible inputs is much larger than the set of all possible outputs, many different input values will be mapped to the same output value. However, it should be rendered computationally expensive to find different inputs that are mapped to the same output. In other words, the function must be made easy to compute in one direction (i.e., $h: \text{input} \to \text{output}$), but not in the opposite direction. For this reason, cryptographic hash functions are often referred to as one-way (hash) functions. Strictly speaking, a cryptographic hash function $y = h(x)$ must satisfy the following conditions. It is computationally infeasible to find

(a) $x$ such that $h(x) = y$, for any given $y$;
(b) $y \neq x$ such that $h(x) = h(y)$, for any given $x$;
(c) $(x, y)$ such that $h(x) = h(y)$.

In general, there are two serious types of attacks against cryptographic hash functions. The first consists in finding a message $M'$ yielding the same hashsum as the original message $M$. Such an attack can be very dangerous where a digital signature is generated from the shorter hashsum instead of from the longer message. This is usually done as a matter of convenience, for generating a signature is a time- and resource-consuming task.
As an example, suppose that A edited a message $M$ and signed the hashsum $h(M)$, $M$ being a bank order to transfer 100 euros to B's account. If condition (b) were not satisfied, B could easily find another message $M'$ so that $h(M) = h(M')$, in which 10,000 euros instead of 100 euros would be transferred. If condition (a) were satisfied, however, this type of attack would be extremely time consuming even for short hashsums.
The second type of attack is much more serious. This is when B tries to find two messages, $M$ and $M'$, that yield the same hashsum but have completely different meanings. Suppose B wants A to transfer 10,000 euros to B's account. B knows that A would never agree to transfer more than 100 euros, so it is necessary somehow for B to obtain A's signature on the home-banking order. Note that in this case B has much more freedom, since there are many different ways to say that A wants to give B 100 euros, or 10,000 euros. Therefore the probability of finding two suitable messages is significantly higher than in the first attack, in which one of the messages is given. Actually, the probability is quite surprisingly higher, which is often referred to as the birthday paradox.

Birthday Paradox

The birthday paradox can be explained in terms of a hash function with people as inputs and birthdays as outputs—thus, h(person) = birthday. There are over five billion people on our planet, and only 366 different birthdays. The first type of attack goes as follows: Given a particular person A, how many randomly chosen people must be asked for their birthdays until there is a probability higher than 50% that one of them has the same birthday as A? The answer is 183. The second type of attack (birthday attack) needs the smallest group of randomly chosen people for which there is a probability higher than 50% that at least two people in the group have the same birthday. This group needs only 23 people.

In terms of cryptographic hash functions, the first attack would require hundreds of thousands of years of computing time, while the second attack would be a matter of hours, at least for short (less than 100-bit) hashsums. For this reason it is of crucial importance to use a cryptographic hash function that not only satisfies the conditions (a)–(b), but also produces outputs that are long enough to make the birthday attack infeasible with current technology.
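The gap between the two attack types can be checked empirically on a deliberately shortened hashsum. The following Python program is an added example, not from the book: it runs the birthday search (second attack) and the second-preimage search (first attack) against SHA-1 outputs truncated to a few bits; the bit lengths, message format and random seed are constructed for the demonstration, and the truncation is what makes the searches finish at all.

```python
import hashlib
import random
from typing import Optional, Tuple

# Constructed demonstration values: SHA-1 truncated to a few bits so that
# the searches finish in seconds. Real hashsums are 128 bits and more.
COLLISION_BITS = 24
PREIMAGE_BITS = 16


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int = COLLISION_BITS, seed: int = 1) -> Tuple[bytes, bytes, int]:
    """Second type of attack (birthday attack): hash random messages until two
    distinct ones share a truncated hashsum. Expected work is about
    sqrt(pi/2 * 2**bits) trials, i.e. on the order of 2**(bits/2)."""
    rng = random.Random(seed)
    seen = {}  # truncated hashsum -> first message that produced it
    trials = 0
    while True:
        msg = b"bank order %d" % rng.getrandbits(64)   # constructed message format
        trials += 1
        h = truncated_sha1(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, trials
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = PREIMAGE_BITS, seed: int = 1,
                         limit: int = 1 << 20) -> Optional[Tuple[bytes, int]]:
    """First type of attack: one message M is fixed; look for a different M'
    with the same truncated hashsum. Expected work is about 2**bits trials,
    so the full-length search would never finish (hence the trial limit)."""
    rng = random.Random(seed)
    want = truncated_sha1(target, bits)
    for trials in range(1, limit + 1):
        candidate = b"bank order %d" % rng.getrandbits(64)
        if candidate != target and truncated_sha1(candidate, bits) == want:
            return candidate, trials
    return None


if __name__ == "__main__":
    m1, m2, t = find_collision()
    print(f"{COLLISION_BITS}-bit collision after {t} trials: {m1!r} / {m2!r}")
    hit = find_second_preimage(b"transfer 100 euros to B")
    print(f"{PREIMAGE_BITS}-bit second preimage after {hit[1]} trials: {hit[0]!r}")
```

With these settings the 24-bit collision turns up after a few thousand trials while the 16-bit second preimage needs tens of thousands: each added output bit doubles the preimage work, but only every two added bits double the birthday work.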
The most popular cryptographic hash function family is the MD (message digest) family developed by R. Rivest. MD5, which is specified in a Request for Comments (RFC) document issued by the Internet Engineering Task Force [2], is the latest member of the family. Since it has a 128-bit output, it is potentially vulnerable to a birthday attack and therefore not considered secure enough for the latest technology (it also has some structural problems).
SHA-1 (Secure Hash Standard) is a much better choice since it produces a 160-bit output [3]. It is based on principles similar to those used by R. Rivest when designing MD4 and MD5. The input message can be up to $2^{64}$ bits long. It is divided into 512-bit blocks that are sequentially processed in such a way that the hashsum depends on all input blocks. A block consists of 16 words. Words are basic processing units on which the following operations are performed:

• Bitwise logical "and," "inclusive-or," "exclusive-or," and "complement";
• Addition modulo $2^{32}$;
• Circular left shift.

SHA-1 additionally uses some carefully chosen constants. The computation requires two buffers with five 32-bit words each, and a sequence of eighty 32-bit words. The standard describes two methods of computation, one of which requires less memory than the other, but longer execution time. Implementers can make use of these possibilities to trade off memory against execution time.

2.1.2 Message Authentication Code

Cryptographic hash functions can be used to implement a data authentication mechanism. Data authentication is a combination of authentication and data integrity. The so-called MAC is computed in the following way:

MAC(message) = f(Secret Key, message)

in which f() is a function based on a specific combination of the cryptographic hash functions. If a sender and a receiver both know the secret key, the receiver can check the sender authenticity and the message integrity by applying the combination of known cryptographic hash functions to the secret key and the message. The first proposal for MAC computation was simply to apply a cryptographic hash function h() to the concatenation of the secret key and the message, that is, to compute h(Secret Key, message) or h(message, Secret Key). Unfortunately, that approach proved to be insecure [4].² A combined approach was to prefix and suffix two different secret keys and compute h(Secret Key 1, message, Secret Key 2). This approach is much more secure, but there is an attack, although impractical, that makes it possible to find the secret keys. The best approach so far is to apply an iterated hash function [4], for example h[secret key, h(secret key, message)], and use some padding. This approach was chosen as mandatory to implement for many Internet security protocols [5], such as IPsec and SSL/TLS.

2. See CRYPTO/EUROCRYPT papers at index.htm

2.2 Encryption Mechanisms

A data confidentiality service can be implemented with encryption mechanisms. A cryptographic system, or cryptosystem, is a single parameter family $\{E_K\}_{K \in \mathcal{K}}$ of invertible transformations

$E_K : M \to C$

from a space $M$ of plaintext (or unencrypted) messages to a space $C$ of ciphertext (or encrypted) messages. The cryptographic key $K$ is selected from a finite set $\mathcal{K}$ called the keyspace. Basically, there are two types of cryptosystems, namely symmetric or secret key systems, and asymmetric or public key systems. The inverse transformation $(E_K)^{-1}$ is denoted by $D_K$. $E_K$ is referred to as encryption and $D_K$ as decryption.

2.2.1 Symmetric Mechanisms

In a symmetric cryptosystem, the encryption and decryption transformations are identical or easily derived from each other. If the message to be encrypted (plaintext) is denoted by $M$, the encrypted message (ciphertext) by $C$, and the cryptographic key by $K$, the symmetric encryption $E$ and decryption $D$ can be defined as follows:

$E_K(M) = C$
$D_K(C) = M$

In a symmetric cryptosystem the same key is used for both encryption and decryption. This key is called the secret key since it must remain secret to everybody except the message sender(s) and the message receiver(s). Obviously, it is necessary that the receiver obtain not only the encrypted message, but also the corresponding key. The encrypted message may be sent over an
insecure communication channel—after all, that is why it needs to be encrypted. The key, however, must not be sent over the same channel, and this leads to a serious problem of symmetric cryptosystems: key management. The secret key must either be sent over a separate, secure channel (e.g., a sealed envelope), or it must be sent encrypted. For the encryption of symmetric keys in transfer, a public key mechanism can be used (see Section 2.2.2).

One-Time Pad

Encryption techniques are much older than computers. In fact, one of the earliest known encryption techniques was used by the Roman dictator Julius Caesar (100–44 B.C.). In the Caesar Cipher, each plaintext character of the Latin alphabet is replaced by the character three positions to the right of it ("A" is replaced by "D," "B" by "E," etc.). The one-time pad is also a classic technique. Invented by Gilbert Vernam in 1917 and improved by Major Joseph Mauborgne, it was originally used for spy messages.

The one-time pad is very important for cryptography because it is the only perfect encryption scheme known. In other words, the ciphertext yields absolutely no information about the plaintext except its length [6]. The definition of perfect secrecy given by C. E. Shannon in 1943 is actually younger than the one-time pad. It turns out that perfect secrecy requires that

• The encryption key be at least as long as the message to be encrypted;
• Each key be used only once.

This is exactly the case with the one-time pad. Unfortunately, it makes key management extremely difficult, since new keys must be exchanged each time. The one-time pad key is a large, nonrepeating set of truly random key letters. The encryption is the addition modulo 26 of one plaintext character and one one-time pad key character. Plaintext characters are mapped to numbers corresponding to their positions in the English alphabet.
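The following Python code is an added example, not from the book: it implements the one-time pad arithmetic just described (letter positions A = 1 to Z = 26, addition modulo 26) on the MESSAGE/TBFRGFA pair that this section works through, and then, because the pad alone gives confidentiality but no integrity (Section 2.1), protects the ciphertext with the iterated-hash MAC of Section 2.1.2, the HMAC construction built here from SHA-1 and cross-checked against Python's hmac module. The MAC key is a constructed value.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
BLOCK_SIZE = 64  # SHA-1 processes 512-bit (64-byte) blocks


def _pos(letter: str) -> int:
    """Letter position as used in the text: A = 1, ..., Z = 26."""
    return ALPHABET.index(letter) + 1


def _letter(value: int) -> str:
    """Inverse of _pos; a residue of 0 stands for 26 = Z."""
    return ALPHABET[(value - 1) % 26]


def otp_encrypt(plaintext: str, key: str) -> str:
    """One-time pad: add plaintext and key letters modulo 26."""
    if len(key) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return "".join(_letter((_pos(p) + _pos(k)) % 26) for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: str, key: str) -> str:
    """Decryption subtracts the key letters modulo 26."""
    return "".join(_letter((_pos(c) - _pos(k)) % 26) for c, k in zip(ciphertext, key))


def fresh_pad(length: int) -> str:
    """A truly random pad; every pad must be used exactly once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """The iterated construction h[K2, h(K1, message)] with padding (HMAC):
    K1 and K2 are the block-padded key XORed with the ipad/opad constants."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner_key = bytes(b ^ 0x36 for b in key)
    outer_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(inner_key + message).digest()
    return hashlib.sha1(outer_key + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built MAC against Python's hmac module."""
    return hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()


def protect(plaintext: str, pad: str, mac_key: bytes) -> Tuple[str, bytes]:
    """Encrypt with the pad, then MAC the ciphertext so tampering is detectable."""
    ciphertext = otp_encrypt(plaintext, pad)
    return ciphertext, hmac_sha1(mac_key, ciphertext.encode())


def unprotect(ciphertext: str, tag: bytes, pad: str, mac_key: bytes) -> Optional[str]:
    """Verify the MAC in constant time before decrypting; None means tampered."""
    if not hmac.compare_digest(hmac_sha1(mac_key, ciphertext.encode()), tag):
        return None
    return otp_decrypt(ciphertext, pad)


if __name__ == "__main__":
    print(otp_encrypt("MESSAGE", "TBFRGFA"))          # GGYKHMF, as in the text
    mac_key = b"constructed mac key"
    c, tag = protect("MESSAGE", "TBFRGFA", mac_key)
    # A changed ciphertext letter still decrypts to something (NESSAGE) ...
    print(otp_decrypt("H" + c[1:], "TBFRGFA"))
    # ... but the MAC check rejects it.
    print(unprotect("H" + c[1:], tag, "TBFRGFA", mac_key))   # None
```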
The one-time pad is a symmetric mechanism, since the same key is used for both encryption and decryption. For example,

Plaintext:  M E S S A G E
Key:        T B F R G F A
Ciphertext: G G Y K H M F
because

M+T mod 26 = 13+20 mod 26 = 7 = G
E+B mod 26 = 5+2 mod 26 = 7 = G
S+F mod 26 = 19+6 mod 26 = 25 = Y

and so on. Decryption works the other way around, that is by subtracting the letters of the ciphertext and the letters of the key modulo 26:

G–T mod 26 = 7–20 mod 26 = −13 mod 26 = 13 = M
G–B mod 26 = 7–2 mod 26 = 5 = E
Y–F mod 26 = 25–6 mod 26 = 19 = S

and so on.

Data Encryption Standard

The Data Encryption Standard (DES) was developed in the United States by IBM and NIST (the National Institute of Standards and Technology³) in 1976. DES is standardized as the Data Encryption Algorithm (DEA) by ANSI (the American National Standards Institute⁴) [7], and as DEA-1 by ISO [8]. Its main advantage, apart from not yet being broken by cryptoanalysts despite its age, is that it can be easily and efficiently implemented in hardware. More information on the background of DES can be found in [6].

DES is a block cipher since it encrypts data in 64-bit blocks. If data is longer, it must be divided into 64-bit blocks. It may happen that the last part of some data is shorter than 64 bits. In such a case it is usual to fill the remaining part of the block with zeros (padding). The result of DES encryption is also a 64-bit block. The key has 56 bits and 8 parity bits. The same algorithm is used for both encryption and decryption, but with reverse key ordering.

DES Techniques

The main cryptographic techniques applied in DES are confusion and diffusion. Both techniques were known long before DES, but in DES they were

3. http://www.csrc.nist.gov
4. http://www.ansi.org
combined for the first time in such a way as to result in an encryption algorithm that has withstood all cryptoanalysts' attacks for twenty-four years now.

The purpose of confusion is to obscure the relationship between the plaintext and the ciphertext. Substitution is an example of a confusion technique. However, if one encrypts an English text simply by substituting, for example, letter K for letter A, then someone analyzing the ciphertext can easily conclude that K stands for A by comparing the relative frequency of K in the ciphertext with the well-known relative letter frequencies for English. There are better substitution techniques that can change the probabilities to some extent, but in general, substitution alone is not sufficiently secure.

In DES, substitution is done not with letters, but with bit strings. DES has eight different substitution tables called S-boxes. Each S-box uses a 6-bit input and a 4-bit output. An S-box is a table with 4 rows (0–3) and 16 (0–15) columns. Each entry in the table is a 4-bit binary number. For example, the S-box No. 1 is shown in Table 2.1.

The substitution is defined as follows: To determine the row in an S-box, take the first and the last bit of the input. The middle four bits yield the column. The output (substitution result) is the entry at the intersection of the row and the column. For example:

S-box No. 1
Input: 110011;
The first and the last bit are 11 ⇒ row 3;
The middle four bits are 1001 ⇒ column 9;
Output: the number in row 3, column 9 is $11_{10} = 1011_2$.

Table 2.1 DES S-Box No. 1

Row | Column  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0 |        14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  1 |         0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  2 |         4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  3 |        15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
S-boxes are crucial for DES security, although substitution is generally a weak technique. The S-boxes are nonlinear and therefore very difficult to analyze. It was not until 1992 that the design criteria for the S-boxes were even published. Actually, it is possible to find better S-boxes than the DES S-boxes, but it is not an easy task.

Diffusion dissipates the redundancy of the plaintext by spreading it out over the ciphertext. An example of a diffusion technique is permutation. A very simple permutation of the word MESSAGE is SMEEGAS. In this example, the key is 2317654, meaning: Move the first letter to the second position, move the second letter to the third position, etc. In DES there are several permutations. The initial permutation, for example, begins as follows:

58, 50, 42, 34, 26, 18, 10, 2, 60, 52…,

meaning: move bit 58 of the plaintext to bit position 1, move bit 50 of the plaintext to bit position 2, and so on.

Another type of permutation used in DES is the expansion permutation, which, as the name says, yields a longer output than the input. In this way the dependency of the output bits on the input bits can occur at an earlier stage in the DES computation. A small change in either the plaintext or the key produces a significant change in the ciphertext, which is referred to as the avalanche effect. Without this effect it would be easy to observe the propagation of changes from the plaintext to the ciphertext, which would make cryptoanalysis easier.

DES Rounds

DES has sixteen rounds. A simplified DES computation is shown in Figure 2.1. In each round, a 48-bit subkey computed by the compression permutation is XORed (i.e., added modulo 2) to the right half of the data expanded to 48 bits by the expansion permutation. The result is fed into the S-boxes. The result of the S-box substitution is permuted once more (P-box permutation). Before the first round the data is permuted with the initial permutation.
After the last round, the intermediate result is permuted for the last time. This final permutation is the inverse of the initial permutation. These two permutations do not affect DES's security, however.
Figure 2.1 DES (block diagram: plaintext, initial permutation into L0 and R0, rounds 1 to 16 each with expansion permutation, ⊕ with subkey Ki, S-boxes and P-box permutation, Li = Ri−1, then final permutation and ciphertext).

Like many other symmetric block ciphers, DES is also a Feistel network [6]. The name comes from Horst Feistel, who first proposed such a network in the early 1970s. In a Feistel network the plaintext is divided into two halves for the first round of computation, which is repeated a number of times (i.e., in the subsequent rounds). Generally, the output of the ith round is determined from the output of the previous round in the following way:

$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$

where $f()$ represents the round function, and $K_i$ the key for the ith round.

Triple DES

Since DES is, in contrast to the one-time pad, not perfectly secure and thus vulnerable to a brute-force attack (the trying of all possible keys), key length
plays a significant security role. Nowadays it is not recommended to use DES with a 56-bit key. The algorithm itself does not allow varying key lengths, but it can be applied more than once with different keys, which effectively means using a longer key. This is possible because DES is not an algebraic group, as was proven by Campbell and Wiener in 1992. If one takes a 64-bit input and applies all possible DES keys to encrypt it, there will be $2^{56} < 10^{17}$ different 64-bit outputs. However, there are $2^{64}! > 10^{10^{20}}$ possible 64-bit outputs [9]. In other words, most of the outputs are "unused" by one DES key. This effectively means that for the given keys $K_1$ and $K_2$ there is usually no key $K_3$ such that $E_{K_2}(E_{K_1}(M)) = E_{K_3}(M)$. One can therefore conclude that multiple DES encryption is stronger than single DES encryption. Surprisingly, however, double DES is not much stronger than single DES because of the meet-in-the-middle attack [9]. Triple DES was finally adopted as a stronger variant of DES, even if only two different keys, $K_1$ and $K_2$, are used:

$C = E_{K_1}(D_{K_2}(E_{K_1}(M)))$

$D$ instead of $E$ in the middle of the expression is introduced for compatibility with single DES. In other words, if triple DES encryption is defined as a new function with two parameters $E3(K_1, K_2)$, then $E3(K_1, K_1)$ represents single DES encryption.

DES Modes

DES, like all other block ciphers, can be applied in several different modes, for example

• Electronic codebook (ECB) mode;
• Cipher-block chaining (CBC) mode;
• Cipher feedback (CFB) mode;
• Output feedback (OFB) mode;
• Counter mode.

ECB is the fastest and easiest mode. In this mode each plaintext block is encrypted independently from other blocks. It is, however, the least secure mode, since identical plaintext blocks result in identical ciphertext blocks such that block redundancies in the plaintext can easily be detected. CBC
solves this problem by introducing feedback. Each plaintext block $P_i$ is "chained" to the encryption result $C_{i-1}$ of the previous plaintext block $P_{i-1}$:

Encryption: $C_i = E_K(P_i \oplus C_{i-1})$
Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$

The first plaintext block is chained to an initialization vector (IV) known to both the sender and the receiver (i.e., $C_1 = E_K(P_1 \oplus IV)$). Sometimes it is necessary to encrypt data units smaller than the block size, for example, if there is no time to wait for enough data to fill a block. In such cases CFB is used, which also adds feedback and requires an IV. With OFB, most of the encryption process can occur off-line, before the plaintext message even exists. With both CFB and OFB, a block cipher is actually used as a stream cipher. Unlike block ciphers, stream ciphers convert plaintext to ciphertext one bit or byte at a time.

If it is necessary to encrypt data units smaller than the block size, block ciphers can also be applied in counter mode. In counter mode, sequence numbers or pseudorandom sequences are used as the input to the encryption algorithm.

DES Today

The fastest DES chips today achieve an encryption speed of approximately 1 Gbps with a 56-bit key. The fastest software solutions are much slower, about 10 Mbps.

The latest record in cracking DES (as of September 1999), set by the Electronic Frontier Foundation's "Deep Crack," is 22 hours and 15 minutes [10]. It involved about 100,000 PCs on the Internet. It was performed as a "known ciphertext attack" based on a challenge from the RSA Laboratories. The task was to find a 56-bit DES key for a given plaintext and a given ciphertext.

Other Symmetric Encryption Algorithms

IDEA (International Data Encryption Algorithm), proposed in 1992, was the "European answer to DES" and to the United States export restrictions on cryptographic algorithms. IDEA is a block cipher that encrypts a 64-bit plaintext block with a 128-bit key.
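The S-box lookup of Table 2.1, the Feistel round equations and the ECB/CBC formulas above can all be exercised on one toy cipher. The following Python code is an added example, not part of the book: an 8-bit, four-round Feistel network whose round function is DES S-box No. 1, run in ECB and in CBC mode over the word MESSAGE. The 4-to-6-bit expansion, the subkeys and the IV are constructed for the example and are not DES's.

```python
from typing import Sequence

# DES S-box No. 1 from Table 2.1: 4 rows (0-3) x 16 columns (0-15).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Constructed 6-bit subkeys K1..K4 and CBC initialization vector (not DES values).
SUBKEYS = [0b101011, 0b010110, 0b111000, 0b001101]
IV = 0x5A


def sbox1(six_bits: int) -> int:
    """DES substitution: the first and last input bit select the row,
    the middle four bits select the column; the entry is the 4-bit output."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row][col]


def expand(nibble: int) -> int:
    """Toy expansion permutation (assumption, not DES's E table):
    4 bits r3 r2 r1 r0 become the 6 bits r0 r3 r2 r1 r0 r3."""
    return ((nibble & 1) << 5) | (nibble << 1) | ((nibble >> 3) & 1)


def round_function(right: int, subkey: int) -> int:
    """f(R, K): expand the half block, XOR the subkey, substitute."""
    return sbox1(expand(right) ^ subkey)


def feistel(block: int, subkeys: Sequence[int]) -> int:
    """L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i) on an 8-bit block."""
    left, right = block >> 4, block & 0xF
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Undo the last swap, so the same algorithm with reversed key order decrypts.
    return (right << 4) | left


def encrypt_block(block: int) -> int:
    return feistel(block, SUBKEYS)


def decrypt_block(block: int) -> int:
    return feistel(block, list(reversed(SUBKEYS)))


def ecb_encrypt(data: bytes) -> bytes:
    """ECB: every block is encrypted independently of the others."""
    return bytes(encrypt_block(p) for p in data)


def ecb_decrypt(data: bytes) -> bytes:
    return bytes(decrypt_block(c) for c in data)


def cbc_encrypt(data: bytes, iv: int = IV) -> bytes:
    """CBC: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for p in data:
        prev = encrypt_block(p ^ prev)
        out.append(prev)
    return bytes(out)


def cbc_decrypt(data: bytes, iv: int = IV) -> bytes:
    """CBC: P_i = C_{i-1} XOR D_K(C_i)."""
    out, prev = [], iv
    for c in data:
        out.append(prev ^ decrypt_block(c))
        prev = c
    return bytes(out)


if __name__ == "__main__":
    print(f"S-box No. 1, input 110011 -> {sbox1(0b110011):04b}")   # 1011
    msg = b"MESSAGE"
    print("ECB:", ecb_encrypt(msg).hex())   # the two S blocks encrypt identically
    print("CBC:", cbc_encrypt(msg).hex())   # chaining hides the repetition
    assert ecb_decrypt(ecb_encrypt(msg)) == cbc_decrypt(cbc_encrypt(msg)) == msg
```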
It applies the same basic cryptographic techniques as DES (confusion and diffusion), but is twice as fast. Its "disadvantages" are that it has not been cryptoanalyzed as long as DES, and that it
is patented and must be licensed for commercial use. The patent holder is the Swiss company ASCOM.

RC (Rivest Cipher) is a family of symmetric algorithms. RC2 is a variable-key-size 64-bit block cipher that was designed as a possible replacement for DES. RC2 and RC4 with a 40-bit key were used in the Netscape implementation of SSL (Secure Sockets Layer) since they were the first cryptographic algorithms allowed for export from the United States. However, in 1995 Doligez successfully cracked RC4 (a stream cipher) with a 40-bit key in less than 32 hours by a brute-force attack. RC5 is a block cipher with a variable block size, key size, and number of rounds. The latest algorithm in the series is RC6, an improved version of RC5, which was submitted by RSA Laboratories, Inc. as a candidate for the Advanced Encryption Standard in April 1998.

Advanced Encryption Standard

The designation Advanced Encryption Standard (AES) will replace DES. RC6, MARS, Rijndael, Serpent, and Twofish are the five finalist AES candidate algorithms that are currently (as of November 1999) being analyzed by the global cryptographic community.

RC6 by Rivest et al. is a parameterized family of encryption algorithms. As DES, it is based on a Feistel network. The parameters are word size, number of rounds, and key length. The version submitted as an AES candidate operates with 32-bit words and has 20 rounds. Software implementations in ANSI C on a 200 MHz Pentium achieve a rate of about 45 Mbps. Hardware implementation estimates are about 1.3 Gbps.

MARS is a block cipher supporting 128-bit blocks and variable key size developed at IBM Research. It is also a Feistel network, but offers better security than triple DES. Hardware implementations are approximately 10 times faster than software implementations in C, which achieve about 65 Mbps on a 200 MHz Pentium-Pro.
Rijndael, a block cipher by Joan Daemen and Vincent Rijmen, has a variable block length and key length. Currently (as of November 1999) it is specified how to use keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192 or 256 bits. Rijndael is not a Feistel network, but defines a round as a composition of three distinct invertible uniform transformations, called "layers." A C implementation with a 128-bit key and 128-bit block has a rate of about 30 to 70 Mbps on a 200 MHz Pentium. In dedicated hardware, rates of 1 Gbps and higher could be achieved.

Serpent is a 128-bit block cipher designed by Ross Anderson, Eli Biham, and Lars Knudsen. The currently fastest C version runs at about 26 Mbps on a 200 MHz Pentium, which is comparable to DES, but the designers believe it to be more secure than triple DES. Serpent's structure is very similar to DES. It has 32 rounds and uses stronger S-boxes.

Twofish is a 128-bit block cipher (a 16-round Feistel network) proposed by Schneier that accepts a variable-length key up to 256 bits. For a 256-bit key, the throughput achieved on a 200 MHz Pentium is about 45 Mbps for C implementations. The hardware performance is up to about 1.2 Gbps with a 150 MHz clock.

2.2.2 Public Key Mechanisms

The problem of key management in symmetric cryptosystems was successfully solved by the introduction of public key cryptosystems. These are often explained with the mailbox analogy as illustrated in Figure 2.2. The mailbox represents the public key, since anyone can throw a letter into it. However, only the mailbox owner has the mailbox key—the private key—with which she can open the mailbox and take out the letter.

In a public key cryptosystem, the encryption and decryption keys differ in such a way that it is not computationally feasible to derive one key from the other.
One key is referred to as the private key and must be kept secret. Another key is referred to as the public key and should be made public, which eliminates the necessity of transmitting it in a secure way. The public key encryption transformation $E_{PuK}$ and decryption transformation $D_{PrK}$ are denoted as
Figure 2.2 Mailbox as an analogy to a public key cryptosystem (labels: Public key, Private key).

$E_{PuK}(M) = C$
$D_{PrK}(C) = D_{PrK}(E_{PuK}(M)) = M$

The encryption transformation $E$ is uniquely determined through the public key $PuK$, so it is usual to write $E_{OwnerID}$ (ID stands for "identity"). The same applies to the decryption transformation, which is usually written $D_{OwnerID}$.

The pioneers of public key cryptography are W. Diffie and M. E. Hellman [11], who invented one of the first two public key cryptosystems (the second, by Merkle and Hellman, was based on the knapsack problem, but it was cracked a long time ago).

RSA

RSA is the most famous and widely used public key system. It was invented in 1978 by R. Rivest, A. Shamir, and L. Adleman [12], whose family names' initials form the name of the algorithm. The difficulty of breaking RSA is based on the factoring problem. However, it has never been mathematically proven that it is equally difficult to factor a large composite number as to break RSA.

In RSA, the large composite number is referred to as the modulus $n = pq$, $p$ and $q$ being large primes. Public key or public exponent $e$ can be chosen as a prime number relatively prime to $(p-1)(q-1)$. Private key or private exponent $d$ is then chosen to satisfy the following congruence:

$ed \equiv 1 \bmod \varphi(n)$ (Eq. 2.1)
To understand the congruence, we must first review some simple rules from modular arithmetic and number theory in general. Modular arithmetic operates with residues (represented by $r$):

$a \bmod n = r \;\Rightarrow\; a = qn + r, \quad 0 \le r < n$ (Eq. 2.2)

For example, 35 mod 4 = 3 since 35 = 8∗4 + 3. All possible residues modulo 4 are {0,1,2,3}.

Like the nonmodular arithmetic everyone is familiar with, modular arithmetic is commutative, associative, and distributive with respect to addition and multiplication, that is,

$(a + b) \bmod n = (a \bmod n) + (b \bmod n) = (b + a) \bmod n$;
$(ab) \bmod n = (a \bmod n)(b \bmod n) = (ba) \bmod n$;
$[(a + b) + c] \bmod n = (a \bmod n) + (b \bmod n) + (c \bmod n) = [a + (b + c)] \bmod n$;
$[(ab)c] \bmod n = (a \bmod n)(b \bmod n)(c \bmod n) = [a(bc)] \bmod n$;
$[(a + b)c] \bmod n = [(a \bmod n) + (b \bmod n)](c \bmod n) = (ac) \bmod n + (bc) \bmod n$

Two integers $a$ and $b$ can be congruent ("≡") modulo $n$, that is,

$a \equiv b \bmod n \;\Rightarrow\; n \mid (a - b)$

"$a \mid b$" means "$a$ divides $b$," or "$b$ is a multiple of $a$" (for example, 2 divides 8). In other words, if two integers $a$ and $b$ have equal residues modulo $n$, they are also congruent modulo $n$:

$(a \bmod n) = (b \bmod n) \;\Rightarrow\; a \equiv b \bmod n$ (Eq. 2.3)

For example, 35 and 59 are congruent modulo 4 since 35 mod 4 = 59 mod 4 = 3.

To determine the private RSA exponent $d$, one must compute the modular inverse of the public exponent $e$. To find the modular inverse means finding $x$ such that

$ax \bmod n = 1$
However, if $a$ and $n$ are not relatively prime, there is no solution (gcd stands for "greatest common divisor"):

$2x \bmod 14 = 1$: no solution for $x$ since $\gcd(2, 14) \ne 1$

To compute the modular inverse, the number of positive integers less than the modulus and relatively prime to the modulus is needed. This number is usually referred to as Euler's Totient Function $\varphi(n)$. For $p$ prime, $\varphi(p) = p - 1$. For the RSA modulus $n = pq$,

$\varphi(n) = (p - 1)(q - 1)$

Given $\varphi(n)$, the inverse modulo $n$ of any number relatively prime to $n$ can be computed in the following way:

$ax \bmod n = 1 \;\Rightarrow\; x = a^{\varphi(n) - 1} \bmod n$, in which $\gcd(a, n) = 1$
$a^{\varphi(n)} \bmod n = 1$, if $\gcd(a, n) = 1$ (Eq. 2.4)

For example, one can compute $x$ from $5x \bmod 6 = 1$ in the following way:

$\varphi(n = 6 = 2 \times 3) = (2 - 1)(3 - 1) = 2$
$x = 5^{2 - 1} \bmod 6 = 5$ $(5 \times 5 \bmod 6 = 1)$

This result comes from Euler's generalization of Fermat's Little Theorem (FLT). FLT gives the formula for computing inverses modulo a prime:

$ax \bmod p = 1 \;\Rightarrow\; x = a^{p - 2} \bmod p$, in which $p$ prime and $\gcd(a, p) = 1$
$a^{p - 1} \bmod p = 1$, if $p$ prime and $\gcd(a, p) = 1$

To compute $d$ in RSA, one must first find the inverse modulo $\varphi(n)$. RSA encryption and decryption are defined as

Encryption: $C = M^e \bmod n$
Decryption:

$$M = C^d \bmod n = M^{ed} \bmod n$$

M is the message to be encrypted (plaintext) and C is the ciphertext. For decryption to work, M^{ed} ≡ M (mod n) must hold for every message M. If gcd(M, n) = 1, M has an inverse modulo n, and the decryption equation can be multiplied by that inverse (informally, "divided by M"):

$$M^{ed} \bmod n = M \quad / \text{ divide by } M$$

$$M^{ed - 1} \bmod n = 1$$

Comparing this equation with the formula for computing the modular inverse from Euler's generalization of FLT (2.4) shows that it suffices that (ed − 1) be a multiple of φ(n), or, in other words, that φ(n) | (ed − 1). By the definition of congruence given after (2.2), this condition can be expressed as

$$ed \equiv 1 \pmod{\varphi(n)}$$

which is the RSA congruence from the beginning of this section (2.1).

There is one more confusing aspect to examine. That is, (2.4) requires that M and n be relatively prime. How can that be guaranteed? It can happen that a message does not satisfy this condition (i.e., that either gcd(M, n) = p or gcd(M, n) = q; the case M = 0 is trivially fine). Luckily, the RSA formula holds even in such cases. The proof for gcd(M, n) = p is as follows. Let M = cp. Since 0 < M < n = pq, M cannot also be a multiple of q, so gcd(M, q) = 1 and by FLT

$$M^{\varphi(q)} \bmod q = 1$$

Raising both sides to the power φ(p) gives

$$\big[M^{\varphi(q)}\big]^{\varphi(p)} \bmod q = M^{\varphi(n)} \bmod q = 1 \;\Rightarrow\; M^{\varphi(n)} = 1 + kq$$

Multiply by M = cp:

$$M^{\varphi(n) + 1} = M + kcpq = M + kcn$$

$$M^{\varphi(n) + 1} \equiv M \pmod n$$

Note that M^{φ(n)} ≡ 1 (mod n) does not follow here (M has no inverse modulo n, and in fact M^{φ(n)} ≡ 0 (mod p)); only the statement with the extra factor M holds, and that is all RSA needs. The same argument with M^{φ(n)} ≡ 1 (mod q) raised to the power j gives M^{jφ(n) + 1} ≡ M (mod n) for every j ≥ 0. Since φ(n) | (ed − 1), that is, ed − 1 = jφ(n) for some j, the following holds true:
$$M^{ed} = M^{j\varphi(n) + 1} \equiv M \pmod n$$

and this is the RSA decryption.

Primality Test

For RSA it is of crucial importance that p and q, the factors of the modulus n, be large primes. How can one find a large prime? It is not just a random number, although when generating an RSA modulus one should try to pick two large primes as randomly as possible. A simple primality test is based on the following theorem: If p > 2 is prime, then the congruence

$$x^2 \equiv 1 \pmod p$$

has only two solutions, x ≡ 1 (mod p) and x ≡ −1 (mod p). Used the other way round: if there exists a solution to x^2 ≡ 1 (mod p) other than ±1, then p is not a prime.

The proof of the theorem is very simple. It is necessary to find solutions for

$$x^2 - 1 \equiv 0 \pmod p$$

$$(x + 1)(x - 1) \equiv 0 \pmod p$$

Since p is prime, p must divide (x + 1) or (x − 1) or both. If p divides both, then it holds that

$$x + 1 = kp$$

$$x - 1 = jp$$

If these two equations are subtracted, it can be concluded that p equals 2:

$$2 = (k - j)p \;\Rightarrow\; p = 2$$

This is a contradiction, since p must be greater than 2. Now assume that p divides (x − 1). In this case it holds that

$$x - 1 = kp \;\Rightarrow\; x \equiv 1 \pmod p$$

which is the first possible solution if p is a prime. Similarly, if p divides (x + 1), it holds that

$$x + 1 = jp \;\Rightarrow\; x \equiv -1 \pmod p$$

which is the second possible solution for p prime.

This theorem is used in Lehmann's primality test and, more directly, in the Rabin-Miller test, which declares a number composite as soon as it finds a square root of 1 modulo that number other than ±1. Because a composite number survives one pass of Lehmann's test with probability as high as 50% (for Rabin-Miller it is at most 25% per pass), the Rabin-Miller test is usually preferred in practice (see [6]).

RSA Today

In hardware, RSA is about a thousand times slower than DES: the RSA hardware encryption speed with a 512-bit key is about 1 Mbps. In software, DES is about a hundred times faster than RSA: the RSA software encryption speed is about 10 Kbps. (These are figures from the time of writing, 1999.) According to Moore's law, computing power doubles approximately every 18 months, and computing costs fall to one tenth after five years. Since RSA and DES are, unlike the one-time pad, not perfectly secure, it is necessary to use longer keys as computing technology improves. This poses a major problem if RSA or any other nonperfect cryptosystem is used for digital signatures (see Section 2.3) of legal documents. Let us suppose somebody digitally signs a will today with a 512-bit RSA key and dies in 2020. In twenty years it will probably be quite cheap to break a 512-bit RSA key, and that might prove an irresistible temptation for less preferred heirs.

The security of RSA depends on the difficulty of factoring the modulus n. In August 1999, a team of scientists of the National Research Institute for Mathematics and Computer Science (CWI) in the Netherlands, led by Herman te Riele, succeeded in factoring a 512-bit number [13]. About 300 fast workstations and PCs had spent about 35 years of computing time to find the prime factors. They were running in parallel, mostly overnight and on weekends, so the whole task was accomplished in about seven months. In practical terms, this means that a key size of 512 bits is no longer safe against even a moderately powerful attacker.
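The number theory of the preceding pages (modular inverses via Euler's theorem and via the extended Euclidean algorithm, the square-root-of-1 theorem behind the Rabin-Miller test, and the RSA congruence including the gcd(M, n) = p case) in runnable form. This is an added example written for this edition, not code from the book; the primes 61 and 53, the public exponent 17, the sample messages and the function names are constructed choices for illustration, and Python 3 is assumed.

```python
# Added example, not from the book: the number theory of this section in
# runnable form. Inverses are computed both by the extended Euclidean algorithm
# (needs only gcd(a, n) = 1) and by Eq. 2.4 (needs phi(n)); one Rabin-Miller
# round applies the square-root theorem from "Primality Test"; the RSA key pair
# is the textbook construction n = pq, ed = 1 (mod phi(n)). The primes 61, 53
# and the sample messages are constructed values chosen for illustration.
import random
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, n):
    """Solve a*x = 1 (mod n). Raises ValueError when gcd(a, n) != 1: then
    a*x mod n is always a multiple of gcd(a, n) and can never be 1."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return x % n


def inverse_by_euler(a, phi_n, n):
    """Eq. 2.4: x = a^(phi(n) - 1) mod n, valid only when gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be relatively prime")
    return pow(a, phi_n - 1, n)


def nontrivial_sqrt_of_one(n):
    """Some x with x^2 = 1 (mod n) and x != +-1 (mod n), or None. By the
    theorem in "Primality Test" such an x exists only if n is composite.
    Brute force, for small n only."""
    for x in range(2, n - 1):
        if x * x % n == 1:
            return x
    return None


def is_probable_prime(n, rounds=20, rng=random):
    """Rabin-Miller. Write n - 1 = 2^s * d with d odd. For a random base a the
    sequence a^d, a^(2d), ..., a^(2^s d) mod n must end in 1 if n is prime
    (FLT), and the term before the first 1 must then be -1, because modulo a
    prime no other square root of 1 exists. A base violating this is a witness
    that n is composite."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a^(n-1) != 1, or a nontrivial square root of 1 found
    return True


def rsa_keygen(p, q, e=65537):
    """Textbook RSA from two distinct primes: returns (e, d, n) with
    e*d = 1 (mod phi(n)), the congruence (2.1) derived in the text."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    d = mod_inverse(e, phi)  # ValueError unless gcd(e, phi(n)) == 1
    return e, d, n


def rsa_encrypt(m, e, n):
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


def roundtrip_holds_for_all(p, q, e=17):
    """Check M^(ed) = M (mod n) for every 0 <= M < n, including the messages
    with gcd(M, n) = p or q that Eq. 2.4 alone does not cover."""
    e, d, n = rsa_keygen(p, q, e)
    return all(rsa_decrypt(rsa_encrypt(m, e, n), d, n) == m for m in range(n))


if __name__ == "__main__":
    print(mod_inverse(5, 6), inverse_by_euler(5, 2, 6))  # 5 5
    print(nontrivial_sqrt_of_one(15))                     # 4, since 16 mod 15 = 1
    print(rsa_keygen(61, 53, 17))                         # (17, 2753, 3233)
    print(roundtrip_holds_for_all(61, 53))                # True
```

The exhaustive check in `roundtrip_holds_for_all` is what the proof on the previous page promises: with n = 3233 = 61 · 53 the messages 61, 122, ..., and 53, 106, ... are not relatively prime to n, yet decryption still recovers them. Real key generation uses primes of hundreds of digits, where `nontrivial_sqrt_of_one` is hopeless but `is_probable_prime` still runs in milliseconds.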
Some 25 years ago it was estimated that 50 billionyears of computing time would be needed to factor a 512-bit number, so theDutch result is a major scientific breakthrough. The latest news about breaking RSA (as of September 1999) is that thefamous Israeli cryptographer Adi Shamir has designed a factoring devicenamed “TWINKLE” (The Weizmann INstitute Key Locating Engine) thatcan be used to break a 512-bit RSA key within a few days [14]. For this,
about 300 to 400 devices would be necessary, each costing about $5,000. Although the use of TWINKLE would be quite expensive (approximately $2 million), it is a very good reason to abandon the use of 512-bit RSA encryption in all existing applications immediately.

Elliptic Curves

Elliptic curves have been studied extensively for the past 150 years, but their application to cryptography was first proposed in 1985 by Neal Koblitz and Victor Miller, independently. Elliptic curves can be used to define public key cryptosystems that are close analogs of the existing schemes. However, only those elliptic curve cryptosystems whose security depends on the elliptic curve discrete logarithm problem are of special interest today, since the only available algorithms for solving this problem need exponential time. In other words, as the key grows these methods become infeasible much faster than the methods for solving the integer factorization problem that RSA is based upon (such methods need subexponential time) [15]. This means that an elliptic curve cryptosystem requires much shorter keys than RSA to achieve the same level of security. For example, a 160-bit elliptic curve key is roughly as secure as a 1024-bit RSA key. This advantage is of crucial importance for devices with limited storage and processing capacity, such as smart cards.

Elliptic curve cryptosystems are far more complicated to explain than RSA. An excellent interactive Web tutorial on elliptic curves, which was used as one of the sources for the following explanation, is published by Certicom.15

Elliptic curve groups are additive groups; that is, their basic operation is addition: the sum of two points on an elliptic curve must also be a point on the elliptic curve. The addition is defined geometrically. To illustrate how it works, we will consider here elliptic curves over real numbers.

The negative of a point P = (x_P, y_P) is its reflection on the x-axis:

$$-P = (x_P, -y_P)$$
To double a point P, that is, to add it to itself, one draws a tangent line to the curve at point P. If y_P ≠ 0, then the tangent line intersects the elliptic curve at exactly one other point, −2P, which is reflected on the x-axis to 2P (see Figure 2.3). If y_P = 0 the tangent is vertical, and then 2P = O, the point at infinity, which serves as the identity element of the group. Likewise P + (−P) = O, since the line through P and −P is vertical. By the same principle one can compute 2P, 3P, etc. In general, to add two distinct points P and Q (P ≠ −Q), one draws a line through them. The line intersects the elliptic curve at one further point, −R, which is reflected on the x-axis to the point R = P + Q.

15.
[Figure 2.3 Elliptic curve y^2 = x^3 − 3x + 3, showing P = (1, 1), the tangent line at P (y = 1), its second intersection −2P = (−2, 1), and the reflected point 2P = (−2, −1).]

Now the elliptic curve discrete logarithm problem can be defined: Given points P and Q in the group, find a number k such that kP = Q. The best available algorithms for solving this problem take exponential time, whereas those for the standard discrete logarithm problem (see Section 2.3.2) take only subexponential time.

The slope s of the tangent line for an elliptic curve F(x, y) = −y^2 + x^3 + ax + b = 0 is computed by implicit differentiation (∂ means partial derivative):

$$s = -\frac{\partial F / \partial x}{\partial F / \partial y} = \frac{3x^2 + a}{2y}$$

For the point P = (1, 1) from Figure 2.3 (where a = −3) the slope s is

$$s = \frac{3x_P^2 - 3}{2y_P} = \frac{3 - 3}{2} = 0$$

It means that the tangent line at P is defined as y = 1. To find the coordinates of Q = −2P one determines the point of intersection of the tangent line and the elliptic curve. We already know that y_Q = 1, so x_Q can be computed from the elliptic curve equation:

$$1 = x_Q^3 - 3x_Q + 3$$
$$x_Q^3 - 3x_Q + 2 = 0 = (x_Q + 2)(x_Q - 1)^2 \;\Rightarrow\; x_Q = -2$$

(the double root x = 1 is the tangent point P itself, so the remaining intersection is at x_Q = −2). Thus −2P = (−2, 1) and 2P = (−2, −1). In general, the coordinates of Q = 2P for an elliptic curve y^2 = x^3 + ax + b can be computed as follows:

$$s = \frac{3x_P^2 + a}{2y_P}$$

$$x_Q = s^2 - 2x_P$$

$$y_Q = -y_P + s(x_P - x_Q)$$

For this type of elliptic curve it must hold that the discriminant of the cubic x^3 + ax + b is not zero, that is, 4a^3 + 27b^2 ≠ 0. In other words, the cubic must not have multiple roots [16].

Galois Fields

Elliptic curves over real numbers are not suitable for cryptographic purposes. To define an elliptic curve cryptosystem, elliptic curves over finite fields are used. In particular, the characteristic two finite fields are of special interest since they lead to the most efficient implementations of elliptic curve arithmetic. Such a finite field is the Galois Field (GF) of a polynomial, GF(2^m).

GF is called finite because it has a finite number of elements (2^m elements). GF(2^m) can be defined by either polynomial representation or optimal normal basis representation. Here the polynomial representation is preferred for purposes of explanation. An element of GF(2^m) is a polynomial of the form

$$a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \cdots + a_2x^2 + a_1x + a_0, \quad \text{in which } a_i = 0 \text{ or } 1$$

The coefficients a_i of the polynomial are integers modulo 2 (i.e., they are always reduced modulo 2). The elements of GF(2^m) can be expressed as vectors of the form

$$(a_{m-1}, a_{m-2}, \ldots, a_2, a_1, a_0)$$
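Returning to the elliptic curve addition worked through above (Figure 2.3 and the doubling formulas), the following is an added example, not code from the book or from Certicom's tutorial: point negation, doubling, chord addition and scalar multiplication on y^2 = x^3 + ax + b over the rational numbers, run on the book's curve y^2 = x^3 − 3x + 3 with P = (1, 1). Fractions replace floating point so every coordinate is exact; the class and function names, and the representation of the point at infinity as `None`, are my own choices.

```python
# Added example, not from the book: point negation, doubling and addition on an
# elliptic curve y^2 = x^3 + ax + b over the rational numbers, using the book's
# curve y^2 = x^3 - 3x + 3 and P = (1, 1) from Figure 2.3. Fractions replace
# floats so every result is exact; the point at infinity O is represented by
# None. The class and function names are my own.
from fractions import Fraction

O = None  # the point at infinity, identity element of the group


class Curve:
    def __init__(self, a, b):
        self.a, self.b = Fraction(a), Fraction(b)
        # the cubic x^3 + ax + b must not have multiple roots
        if 4 * self.a ** 3 + 27 * self.b ** 2 == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 == 0")

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return y * y == x ** 3 + self.a * x + self.b

    def neg(self, P):
        """-P is the reflection of P on the x-axis."""
        return O if P is O else (P[0], -P[1])

    def add(self, P, Q):
        """P + Q: draw the line through P and Q (the tangent if P == Q), take
        its remaining intersection with the curve and reflect it on the x-axis."""
        if P is O:
            return Q
        if Q is O:
            return P
        xp, yp = P
        xq, yq = Q
        if xp == xq and yp == -yq:
            return O  # vertical line: P + (-P) = O, and 2P = O when y_P = 0
        if P == Q:
            s = (3 * xp * xp + self.a) / (2 * yp)  # tangent slope (3x^2 + a) / 2y
        else:
            s = (yq - yp) / (xq - xp)              # chord slope
        xr = s * s - xp - xq                       # for doubling: s^2 - 2x_P
        yr = s * (xp - xr) - yp                    # = -y_P + s(x_P - x_R)
        return (xr, yr)

    def mul(self, k, P):
        """kP by double-and-add. Recovering k from P and Q = kP is the
        elliptic curve discrete logarithm problem."""
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def ecdlp_bruteforce(curve, P, Q, limit):
    """Smallest k in 1..limit with kP == Q, or None. Feasible only for tiny
    instances; over a large finite field this search is exponential."""
    R = O
    for k in range(1, limit + 1):
        R = curve.add(R, P)
        if R == Q:
            return k
    return None


BOOK_CURVE = Curve(-3, 3)                   # y^2 = x^3 - 3x + 3 (Figure 2.3)
BOOK_P = (Fraction(1), Fraction(1))         # the point P of Figure 2.3

if __name__ == "__main__":
    E, P = BOOK_CURVE, BOOK_P
    print(E.add(P, P))                                # 2P = (-2, -1)
    print(E.mul(3, P), E.contains(E.mul(3, P)))       # 3P = (13/9, -35/27) True
    print(ecdlp_bruteforce(E, P, E.mul(5, P), 20))    # 5
```

Over the rationals the "discrete logarithm" is trivial and the coordinates of kP grow quickly, which is one reason the next subsection moves to finite fields; the addition law itself is the same there, with the divisions replaced by field inverses.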
Table 2.2 Elements of GF(2^4)

  Polynomial             Vector
  0                      0000
  1                      0001
  x                      0010
  x + 1                  0011
  x^2                    0100
  x^2 + 1                0101
  x^2 + x                0110
  ...                    ...
  x^3 + x^2 + x          1110
  x^3 + x^2 + x + 1      1111

To define GF(2^m) completely, one should reduce the polynomials as well. For this purpose, an irreducible polynomial f(x) is needed, whose role is similar to that of a prime modulus in the standard discrete logarithm problem. Its degree is m, and it must not be factorable into polynomials of degree less than m with coefficients 0 or 1. The leading coefficient must always equal 1:

$$f(x) = x^m + f_{m-1}x^{m-1} + f_{m-2}x^{m-2} + \cdots + f_2x^2 + f_1x + f_0, \quad \text{in which } f_i = 0 \text{ or } 1$$

As an example, the elements of GF(2^4) are shown in Table 2.2. Let the irreducible polynomial be f(x) = x^4 + x + 1. When two elements from GF(2^4) are added, the coefficients of the corresponding powers are added modulo 2:

$$(x^2 + 1) + (x^3 + x^2 + x) = (1 \bmod 2)x^3 + (2 \bmod 2)x^2 + (1 \bmod 2)x + (1 \bmod 2) = x^3 + x + 1$$

The same holds for subtraction (in GF(2^m) subtraction is the same operation as addition, since −1 ≡ 1 mod 2). When two elements from GF(2^4) are multiplied, the result of the multiplication must also be an element of GF
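An added example, not code from the book: arithmetic in GF(2^m) in the polynomial representation just described, with elements stored as m-bit integers so that the vector (a_{m−1}, ..., a_0) of Table 2.2 is simply the binary representation. Addition is the coefficient-wise mod-2 sum (XOR), and multiplication is polynomial multiplication followed by reduction modulo the irreducible polynomial f(x). The field used is GF(2^4) with f(x) = x^4 + x + 1 as in the text; the class and function names are my own, and the check that a reducible modulus does not yield a field is included as a caveat.

```python
# Added example, not from the book: arithmetic in GF(2^m) in polynomial
# representation. An element is stored as an m-bit integer whose bit i is the
# coefficient a_i, so the vector (a_{m-1}, ..., a_0) of Table 2.2 is just the
# binary representation. Addition is coefficient-wise mod 2 (XOR); multiplication
# is polynomial multiplication followed by reduction modulo the irreducible f(x).
# The field below is GF(2^4) with f(x) = x^4 + x + 1 as in the text; the class
# and function names are my own.


class GF2m:
    def __init__(self, m, modulus):
        # modulus encodes f(x) including the x^m term, e.g. x^4 + x + 1 -> 0b10011
        if modulus >> m != 1:
            raise ValueError("f(x) must have degree m and leading coefficient 1")
        self.m, self.modulus, self.order = m, modulus, 1 << m

    def add(self, a, b):
        """(a_i + b_i) mod 2 for every power of x; subtraction is identical."""
        return a ^ b

    def mul(self, a, b):
        """Shift-and-add multiplication. Whenever the running multiple of a
        reaches degree m it is reduced by f(x): x^m = f(x) - x^m, an XOR."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m:
                a ^= self.modulus
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def inverse(self, a):
        """Every nonzero a satisfies a^(2^m - 1) = 1, so a^(2^m - 2) is 1/a."""
        if a == 0:
            raise ZeroDivisionError("0 has no inverse")
        return self.pow(a, self.order - 2)

    def is_field(self):
        """True iff every nonzero element has an inverse. With a reducible
        modulus the same arithmetic gives only a ring with zero divisors."""
        return all(self.mul(a, self.pow(a, self.order - 2)) == 1
                   for a in range(1, self.order))


def poly_str(a):
    """Render an element as a polynomial over GF(2), as in Table 2.2."""
    if a == 0:
        return "0"
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if a >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def vector_str(field, a):
    """The coefficient vector (a_{m-1}, ..., a_0) as an m-bit string."""
    return format(a, f"0{field.m}b")


if __name__ == "__main__":
    F16 = GF2m(4, 0b10011)                       # f(x) = x^4 + x + 1
    s = F16.add(0b0101, 0b1110)                  # (x^2 + 1) + (x^3 + x^2 + x)
    print(poly_str(s), vector_str(F16, s))       # x^3 + x + 1  1011
    print(poly_str(F16.mul(0b0010, 0b1000)))     # x * x^3 = x^4 = x + 1 mod f
    print(poly_str(F16.inverse(0b0010)))         # x^3 + 1, since x(x^3 + 1) = 1
    print(GF2m(4, 0b10001).is_field())           # False: x^4 + 1 = (x + 1)^4
```

The last line is the practical check behind the requirement that f(x) be irreducible: with x^4 + 1, which factors as (x + 1)^4 over GF(2), the element x + 1 satisfies (x + 1)^4 = 0, so it has no inverse and the structure is not a field.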