Published on

Published in: Technology, News & Politics
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.
  2. 2. Objectives <ul><li>To introduce the basics E-Commerce security issues and web entity authentication </li></ul>
  3. 3. Outline <ul><li>Why is security such an issue? </li></ul><ul><li>Physical security </li></ul><ul><li>IT Security Basics – Firewalls </li></ul><ul><li>Public Key Cryptography </li></ul><ul><li>SSL – Secure Socket Layer </li></ul><ul><li>SET – Secure Electronic Transactions </li></ul>
  4. 4. Why is Security an Issue? <ul><li>The Internet lets you travel outside of your network and others travel in – Those travelers are not all friendly! </li></ul><ul><li>Critical and private information can be snooped — sniffed </li></ul><ul><li>Information can be deleted or destroyed </li></ul><ul><li>The Internet provides an opportunity for anonymous and rapid theft of lots of money </li></ul>
  5. 5. How many categories/classes of security invasions/breaches can you find? <ul><li>User/password – shoulder surfing </li></ul><ul><li>Trojan horses </li></ul><ul><li>Password breaking (various strategies) </li></ul><ul><li>Denial of service attacks – flood the server with requests </li></ul><ul><li>Packet sniffing on net (wire tap, wireless recon.) </li></ul><ul><li>Spoofing websites </li></ul><ul><li>Dumpster diving – garbage search </li></ul>
  6. 6. How many categories/classes of security invasions/breaches can you find? <ul><li>Hacking user IDs and passwords </li></ul><ul><li>Denial of service/access </li></ul><ul><li>Physical invasion of a data centre </li></ul><ul><li>Social Engineering – exploit human good nature to get info you should not have </li></ul><ul><li>Internet Packet Sniffing </li></ul><ul><li>Taking advantage of known frailties in systems </li></ul><ul><ul><li>Domain Hijacking – impersonating another legitimate domain </li></ul></ul><ul><ul><li>Buffer Overflows </li></ul></ul><ul><ul><li>Viruses </li></ul></ul><ul><li>Attacks by employees </li></ul>
  7. 7. Components of Security Diagram by Konstantin Beznosov
  8. 8. Five Major Requirements of a Secure Transaction <ul><li>Privacy – how to ensure information has not been captured by a third party </li></ul><ul><li>Integrity – how to ensure the information has not been altered in transit </li></ul><ul><li>Authentication – how to ensure the identity of the sender and receiver </li></ul><ul><li>Authorization – how to ensure a user has the authority to access / update information </li></ul><ul><li>Non-repudiation – how do you legally prove that a message was sent or received </li></ul>
  9. 9. Physical Security <ul><li>Large mainframe systems have always had adequate physical security </li></ul><ul><li>The transition from LAN to WAN to Internet has caused new interest in these methods </li></ul><ul><li>Physical security means locked doors and security personnel </li></ul><ul><li>Options are to host on a secure ISP/ASP ( InternetHosting .com ) </li></ul>
  10. 10. IT Security Basics <ul><li>Avoidance – preventing a security breach </li></ul><ul><ul><li>Using a firewall system to frontend your intranet (or LAN) to the Internet </li></ul></ul><ul><li>Minimization – early warning signals and action plans so as to reduce exposure </li></ul><ul><ul><li>Attempted to access secure directories </li></ul></ul><ul><li>Recovery - regular backups should be made and recovery periodically tested </li></ul>
  11. 11. Using a Firewall <ul><ul><li>A firewall server or router acts as an electronic security cop </li></ul></ul><ul><ul><li>No machine other than firewall is directly accessible from Internet </li></ul></ul><ul><ul><li>May also function as a “proxy” server allowing intranet systems to access only portions of the Internet </li></ul></ul><ul><ul><li>Internet security methods are focused at the firewall reducing cost and admin overhead </li></ul></ul>
  12. 12. Security through HTTPS Browser Client 1 Server A HTTP TCP/IP HTTP Server App. Server Fire Wall Server Server C Server B
  13. 13. IT Security Basics <ul><li>Passwords (and potentially User Ids) should be forced to change periodically </li></ul><ul><li>Passwords should be difficult to guess </li></ul><ul><ul><li>Try to create passwords such as: </li></ul></ul><ul><ul><li>To Be or Not To Be  2bon2b </li></ul></ul><ul><li>Databases should be secured in terms of access rights to data (usually by individual or group) </li></ul>
  14. 14. IT Security Basics <ul><li>Software, particularly low layer components such as the operating system and DBMS, should be kept to recent patch levels </li></ul><ul><li>Access from dial-in lines should be limited and if possible call-back systems can be used </li></ul>
  15. 15. Cryptography <ul><li>Cryptography or ciphering is an ancient method of encoding a message — only a receiver with a key can decipher the content </li></ul><ul><li>A single (symmetric) secret key is used to encrypt and decrypt </li></ul><ul><li>Requires the communication of the key between sender and receiver! </li></ul><ul><li>Basis of nuclear war-head command and control security </li></ul>
  16. 16. <ul><li>14-15-17-12 </li></ul><ul><li>12-14-1-14-9-25-9-2-14 </li></ul><ul><li>17-12 </li></ul><ul><li>11-1-23-12-9 </li></ul>
  17. 17. Public Key Cryptography <ul><li>In 1976 Diffie & Hellman at Stanford U. developed public-key cryptography </li></ul><ul><li>Asymmetric: </li></ul><ul><ul><li>Private key – kept secret by owner </li></ul></ul><ul><ul><li>Public key – distributed freely to all who wish to send </li></ul></ul><ul><ul><li>Generated by computer algorithm, so a mathematical relation exists between them ... however ... </li></ul></ul><ul><ul><li>It is computationally difficult to determine the private key from the public key, even with knowledge of the encryption algorithm </li></ul></ul>
  18. 18. Public Key Cryptography <ul><li>The keys come in the form of tightly coupled pairs which anyone can generate using methods such as RSA, SHA-1, DSA (RSA is most common) </li></ul><ul><ul><li>Javascript demo: </li></ul></ul><ul><li>There is only one public key corresponding to any one private key and vice versa </li></ul><ul><li>Sender encodes data using public key of receiver </li></ul><ul><li>Receiver decodes data using unique private key, no one else can do the same </li></ul><ul><li>This ensures integrity of the data </li></ul>
  19. 19. Authentication <ul><li>How can you be sure that the person sending the encrypted data is who they say they are </li></ul><ul><li>This requires some method of authenticating the identity of the sender </li></ul><ul><li>The solution is for the sender to “sign” the data using his/her private key – the data is encrypted using the sender’s private key </li></ul><ul><li>The receiver validates (decrypts the data) the “signature” using the sender’s public key </li></ul><ul><li>This will work as long as receiver can be sure the sender’s public key belongs to the sender and not an imposter … enter PKI </li></ul>
  20. 20. Integrity and Authentication <ul><li>Example: Consider a merchant wants to send a secure message to a customer: </li></ul><ul><ul><li>Merchant encrypts message using customer’s public key </li></ul></ul><ul><ul><li>Merchant then signs message by encrypting with their private key </li></ul></ul><ul><ul><li>Customer decrypts using the merchants public key to prove authenticity of sender </li></ul></ul><ul><ul><li>Customer decrypts using their private key to ensure integrity of message </li></ul></ul>
  21. 21. PKI – Public Key Infrastructure <ul><li>Integrates PK cryptography with digital certificates and certificate authorities (CA) </li></ul><ul><li>Digital certificate = issued by a CA, includes user name, public key, serial number, expiration date, signature of trusted CA (message encrypted by CA’s private key) </li></ul><ul><li>Receipt of a valid certificate is proof of identity – can be checked at CAs sight </li></ul><ul><li> is major player </li></ul>
  22. 22. Model for Network Security Information Channel Message Secret Information Message Secret Information Sender Receiver Trusted Third Party Authentication or Certificate Authority Opponent
  23. 23. Security and HTTPS <ul><li>Certificate is an entity’s public key plus other identification (name, CA signature) </li></ul><ul><li>SSL – Secure Socket Layer </li></ul><ul><ul><li>Lies between TCP/IP and HTTP and performs encryption </li></ul></ul><ul><li>HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443) </li></ul>
  24. 24. Security through HTTPS Browser Database Server Client 1 Server A URL HTTP TCP/IP HTTP Server App. Server index.html Bank Server Dedicated prog.jsp HTTPS port = 80 port = 443
  25. 25. SSL – Secure Socket Layer <ul><li>Client makes HTTPS connection to server </li></ul><ul><li>Server sends back SSL version and certificate </li></ul><ul><li>Client checks if certificate from CA </li></ul><ul><li>Client creates session “premaster secret”, encrypts it and sends it to server and creates “master secret” </li></ul><ul><li>Server uses its private key to decrypt “premaster secret” and create the same “master secret” </li></ul><ul><li>The master secret is used by both to create session keys for encryption and decryption </li></ul>
  26. 26. SET – Secure Electronic Transfer <ul><li>Developed by Visa & Mastercard </li></ul><ul><li>Designed to protect E-Comm transactions </li></ul><ul><li>SET uses digital certificates to authenticate customer, merchant and financial institution </li></ul><ul><li>Merchants must have digital certificate and special SET software </li></ul><ul><li>Customers must have digital certificate and SET e-Wallet software </li></ul>
  27. 27. Major Architectural Components of the Web Internet Browser Database Server Client 1 Server A Server B Bank Server URL HTTP TCP/IP Browser Client 2 HTTP Server App. Server index.html Bank Server prog.jsp
  28. 28. Resources / References <ul><li>RSA demos: </li></ul><ul><li> </li></ul>
  29. 29. THE END [email_address]