1 / 36

A Review of Security Concerns, Techniques and Methodologies

Security for B2B Commerce. A Review of Security Concerns, Techniques and Methodologies. < Bills_Info > < Name > Bill Cafiero </ Name > < Phone > 972-231-2180</ Phone > < e-mail >jcaf@airmail.net </ e-mail > </ Bills_Info >.

dsonja
Download Presentation

A Review of Security Concerns, Techniques and Methodologies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security for B2B Commerce A Review of Security Concerns, Techniques and Methodologies <Bills_Info> <Name>Bill Cafiero</Name> <Phone>972-231-2180</Phone> <e-mail>jcaf@airmail.net</e-mail> </Bills_Info>

  2. Honeywell intends to use the Internet to cut costs by $500M-$1B no later than 2005. Chairman Lawrence Bossidy The Internet is going to be about a lot more than the ability to call up stock quotes. It will really explode for us when broadband arrives.Disney CEO Michael Eisner Évery dealer in this country has about 70 days of supply. In simple truth, there's tremendous waste in that.GM CEO Jack Smith As highlighted in the now-famous destroyyourbusiness.com speech, old-line companies have to think in radically new ways. GE Chief Jack Welch Dot-Com is fast becoming DOW-Com

  3. Access points become International Partners Can Now Collaborate You’ll have access to your partners (and they’ll have access to you) Employees can work from home, at night, over the weekends, and on holiday Application servers can support entire divisions Every internal modem is now a gateway into a network of networks Strengths Become Weaknesses

  4. A New Focus Is Needed Yesterday Today External focus Internal focus Suppliers, customers, and prospects all need some form of access Access is granted to employees only Distributed assets Centralized assets Applications and data are distributed across servers, locations, and business units Applications and data are centralized in fortified IT bunkers Generate revenue Prevent losses The goal of security is to protect against confidentiality breaches The goal of security is to enable eCommerce IT control Business control Security manager decides who gets access Business units want the authority to grant access Source: Forrester Research, Inc.

  5. Electronic Business Is a Priority “Time to market” will always win over security if you are not careful Dynamic Networks and Security Confusion Who owns security? Who knows about new projects, new networks, new connections? Limited Security Resources and Expertise Security administrators in California earn an unburdened average of $73,863 (SANS 2000 salary survey) Average turnover is 24 months. Security Management Is Too Complex But there are security challenges

  6. …and more security challenges

  7. Some Examples

  8. Credit Card Data We can only guess what this breach cost Egghead in terms of downtime, audit, negative PR, and lost business. Sources inside the credit-card industry told ZDNet News that Egghead may warn up to 3.7 million credit-cards holders that their card numbers had been stolen.

  9. New technology is cool, but hardly ever secure Clay Shirky, a well-known open source pundit and partner with New York investment firm Accelerator Group, is thrilled by all this network openness. "I'm not worried about security, because security and convenience are always a tradeoff," he explains. "We walked around the Financial District with a laptop and an antenna, and we could pick up about six networks per block," says Matt Peterson, a network engineer

  10. AirTran

  11. AirTran Hacked

  12. Nothing is Sacred

  13. Consequences • Lack of consumer confidence • Exposure to Legal Liability • Decreased Stockholder Equity • Damaged Image - 30 Seconds on CNN • Decreased Employee Productivity • Loss of Intellectual Property & Assets

  14. The Issues • The rest of this presentation deals with message security: • What are our security needs? • Just how do cryptographic security techniques work? • In other words - a primer on authentication, encryption, digital signatures and key management

  15. What are the Security Needs? Alice and Bob are planning a merger Now I have the details on the merger Confidentiality

  16. What are the Security Needs? I will convince Bob that I am Alice Authentication

  17. What are the Security Needs? I’ll just change this a bit. Bob will never notice Integrity

  18. What are the Security Needs? You can’t deny your role in this transaction Bob Neither can you Alice Non-repudiation

  19. Basics of Encryption qazws ed ty xedcr dcrfv ui rgbth thn olputui n loijg frt ugd iopyt nuytrbyi This is plain text. It can be read by anyone. Encrypt Decrypt This is plain text. It can be read by anyone. PlainText CipherText PlainText • Encryption satisfies two of our needs: • Confidentiality - Original data is completely private • Integrity - Data has not been altered • Plus encryption provides an additional feature: • Access Control - Only those who have the right keys can decrypt the CipherText

  20. Encryption • There are two types of algorithms • Symmetric (or Private Key) algorithms • Asymmetric (or Public Key) algorithms Both types of algorithms have advantages and disadvantages

  21. Private Key Encryption Shared Key Encrypt Decrypt PlainText PlainText CipherText • Symmetric Encryption • Ex: Data Encryption Standard (DES)

  22. Public Key Encryption Bob’s Public Key Bob’s Private Key Encrypt Decrypt PlainText PlainText CipherText • Asymmetric Key Encryption • Ex: Rivest Shamir Adleman (RSA)

  23. Public Key Encryption • Bob’s Private Key • Kept secret and secure by Bob • Used by Bob to decrypt messages from others; or… • Used by Bob to generate his digital signature • Bob’s Public Key • Made publicly available to others • Used by others to encrypt message for Bob; or… • Used by others to verify Bob’s digital signature Knowing the public key, it is not possible to deduce the private key

  24. Basics of Digital Signature This is plain text. It can be read by anyone. This is plain text. It can be read by anyone. Sign Verify tybs58bdn6 PlainText Signed PlainText • Digital Signatures satisfy the last two needs: • Authentication - The originator’s signature is on the file • Non-repudiation - The originator cannot deny signing the file

  25. How a Digital Signature Works Alice’s Signing Process Bob’s Verification Process Calculate fresh hash This is plain text. It can be read by anyone. This is plain text. It can be read by anyone. Calculate hash nh9ft4mjae tybs58bdn6 tybs58bdn6 nh9ft4mjae tybs58bdn6 Encrypt hash with Alice’s private key Decrypt original hash with Alice’s public key = ? This is plain text. It can be read by anyone. tybs58bdn6 tybs58bdn6 Compare decrypted hash with fresh hash Signed PlainText nh9ft4mjae

  26. Putting it All Together Decrypt and Verify Encrypt and Sign qazws ed ty xedcr dcrfv ui rgbth thn olputui n loijg frt ugd iopyt nuytrbyi This is plain text. It can be read by anyone. This is plain text. It can be read by anyone. tybs58bdn6 PlainText PlainText Signed CipherText Verify Hash • Confidentiality • Authentication • Integrity • Non-repudiation • and • Access control Are we done yet?

  27. Another Issue I’ll just substitute my public key for what Alice thinks is Bob’s public key Interloper’s Private Key Decrypt Alter Interloper uses Bob’s Public Key Interloper’s Public Key Masquerading as Bob’s Public Key Encrypt CipherText Bob’s Private Key Encrypt Decrypt PlainText PlainText It’s a valid message from Alice Public Key Substitution Risk

  28. Bob Certificate Issuance • Binds a key to its owner • Digitally signed by a “certification authority” • Guarantees integrity • Authenticates the owner • Prevents masquerading • Establishes trust • An electronic version of a “notary public”

  29. Key Expiry and Update • Public key expiry date defined in certificate • Set by security officer • Key update • Automatic • Transparent • Different rules for encryption and digital signature key pairs • Key histories • Easily decrypt data protected with “old” keys

  30. Third Party Trust Certification Authority Trust Trust Trust Bob Alice Third Party Trust

  31. Cross Certification Certification Authority Certification Authority Cross Certify Trust Trust Trust Trust Trust Trust Alice Bob Carol Ted

  32. The Real Issues • Cryptographic algorithms are not the problem • The problems are: • Large scale key management • Establishing and maintaining third party trust • Corporate control of information • Making cryptography accessible to everyone, across applications • Security has to be easy to use Key management issues...

  33. Key Management • The most difficult security problem • Generating keys • Keeping backup keys • Delivering keys • Dealing with compromised keys • Changing keys • Destroying old keys The Public Key advantage

  34. Bob Bob Key Management Lifecycle Key Generation Certificate Issuance Key Usage Key Expiry Key Update

  35. Summary • Five key security requirements • Confidentiality - Encryption • Integrity - Encryption • Authentication - Digital signature • Non-repudiation - Digital signature • Access Control - Encryption • Two types of algorithms • Private Key - Symmetric • Public Key - Asymmetric • Importance of key management • Certification of public keys Make security easy to use and implement it across all of your important applications

  36. Thank you

More Related