Electronic Exchange of Information
[Diagram: Participant, Network, Participant]
What could go wrong in this setting?
Mngt 3862/99 James Clark

Three Scenarios
• Alice buys a book from Bob’s book store.
• Inter-corporate trading for Charlie’s Plastic Company.
• Daisy electronic market.

Alice Buys a Book
• Alice shops for a book on the internet using WWW.
• She finds the desired book from Bob’s book store and makes the order using a web form provided by Bob’s.
• Bob confirms that the order really comes from Alice.
• She sends her credit card number, suitably encrypted.
• The book is delivered through UPS.

Inter-Corporate Trading
• Charlie’s Plastic Makers is a medium-sized company in Canada with long-established requirements for high-quality plastic which it buys from Plasticorp.
• Plasticorp aims to reduce costs of customer transactions by using secure messaging with its regular customers.
• Origin and confidentiality of all correspondence must be ensured.

Daisy's Electronic Market
• Daisy is an entrepreneurial small businessperson who works from her home basement.
• She buys items from suppliers willing to do business wholly electronically, repackages them, and sells them through a WWW storefront.
• Effective marketing of the web page and very low overhead provide Daisy’s competitive edge.

What are the issues?
• Accountability -- Security-relevant activities on a system can be traced to individuals who may be held responsible for their actions
• Availability -- System resources are safeguarded from tampering and are available for authorized users at the time and in the format needed
• Access Control -- Access to the system resources is limited to authorized individuals, entities, or processes
• Confidentiality -- Information is not accessed by or disclosed to unauthorized individuals, entities, or processes
• Identification and Authentication -- Verification that the originator of a transaction is the originator
• Integrity -- Information is not undetectably altered or destroyed by an unauthorized person or process
• Non-repudiation -- Undeniable proof of participation by the sender and/or receiver in a transaction
• Privacy -- Individual rights to nondisclosure

Security Overview (Figure 5-1)
• Countermeasures are procedures, either physical or logical, that recognize, reduce, or eliminate a threat

What is Security?
• Dictionary Definition: protection or defense against attack, interference, espionage, etc.

E-comm Requirements
• Confidentiality: private exchange of information only from originator to intended recipient
• Integrity: no modification to the information exchanged without consent
• Authentication/Identification: ensuring that an individual is who she claims to be
[Diagram: Participant, Network, Participant]

Security – The Business Challenge
• Who’s the bad guy? Competitors, foreign governments, network hackers, disgruntled ex-employees, news and media, unauthorized customers, employees, etc.?
• How do I protect my information from the bad guys, without making employees and authorized users less productive?
• How can I administer security consistently, reliably, and cost effectively across all of my distributed information resources?
• Outsiders 20%, Insiders 80%: studies show 80% of real security problems are caused by authorized users

What Is Hacking?
Unauthorized or unintended use of information technology assets for…
• Personal gain
• Theft, fraud
• Prestige
• Revenge
• Terrorism

Why is hacking a problem?
Hacks mean business…and they hurt
• Corporate image
• Customer & Employee Privacy
• Real $$$$, often in millions

Hacked Web Site Before….
…And After

Security Threats
• Interruption
• Interception
• Modification
• Masquerade
Intranet has 3 separate components
• Secrecy
• Integrity
• Availability
[Diagram: Participant, Network, Participant]

Protecting Electronic Commerce Assets
• You cannot hope to produce secure commerce systems unless there is a written security policy
• What assets are to be protected
• What is needed to protect those assets
• Analysis of the likelihood of threats
• Rules to be enforced to protect those assets

Security Policy
• Affordability – How much does it cost?
• Functionality – Are the computers still easy to use?
• Cultural Compatibility – Does it conflict with normally accepted practices at the site?
• Legality – Does it meet the company’s legal requirements?

Security Mechanisms
• Isolated Intranet – simple & secure but no access to internet
• Firewall
• Proxy Servers – only IP address of proxy
• Access Control
  • Access control files
  • Restrictions by IP Address
• Data Security Mechanisms
  • Basic security in HTTP
  • Encryption

Firewall Capability
Firewall can
• Focus for security decisions
• Enforce security policy
• Log internet activity
• Limit exposure
• Keep one section of intranet separate from another
Firewall can not
• Protect against malicious insiders
• Protect against connections that do not go through it
• Protect against new threats
• Protect against viruses

On 8 February, 1587 Elizabeth I of England signed Mary's death warrant, and she was executed at Fotheringay Castle. The execution did not go well for Mary as the executioner was unable to sever her neck with one blow, and was forced to use a grinding motion on her to complete the task. All because of weak encryption.

Encryption
• Helps guarantee privacy & authentication
• Two types of encryption
  • Public-key encryption
  • Private key - symmetric-key cryptography

Private Key Encryption
1. Doug places document in strongbox
2. Doug locks box with key to the lock
3. Box is transported to Nola
4. Nola uses duplicate key and unlocks box
5. Nola retrieves document
Also referred to as symmetric key or secret key cryptography

Symmetric Key Encryption (Private Key)
• Plain-text input: “The quick brown fox jumps over the lazy dog”
• Encryption
• Cipher-text: “AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%”
• Decryption
• Plain-text output: “The quick brown fox jumps over the lazy dog”
Encryption and decryption use the same key (shared secret)

Examples & Problems
• If N people need to communicate pairwise, then N(N-1)/2 keys need to be distributed.
• How should the secret key be exchanged?
• Any symmetric key method that uses more than 40-bit keys is viewed as strong encryption. Export is limited by regulation.
Examples of Algorithms
• DES
• SkipJack
• IDEA
• RC2 & RC4

Public Key Encryption
1. Doug places document in strongbox
2. Doug locks box with righty key to the lock
3. Box is transported to Nola
4. Nola gets copy of Bob’s lefty key and unlocks box
5. Nola retrieves document

Public Key Encryption
• Clear-text input: “The quick brown fox jumps over the lazy dog”
• Encryption with the recipient’s public key
• Cipher-text: “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
• Decryption with the recipient’s private key
• Clear-text output: “The quick brown fox jumps over the lazy dog”
Encryption and decryption use different keys

Public Key Pairs
[Diagram: public key; private key held on a smart card]
• Public and private keys are always generated as a matched pair
• Keys are mathematically related but it is computationally infeasible to deduce a private key from its public key
• Private keys are kept secret - preferably by being stored in a tamper-resistant chip
• Public keys are just that - public!

Key Management
• Ideally, every person has two key pairs:
  • Key-exchange key pair
  • Signature key pair
• Key pairs are distinct
• Public and private keys are always generated as a pair at the user’s machine
• Public key can be openly shared
• Private key is always kept private (it never leaves the machine where it was generated)

Key Pair Use
• Key-exchange key pair
  • Recipient’s public key is used to send a randomly chosen communication key
• Signature key pair
  • Sender’s private signing key is used in digital signature operations
  • Recipient verifies signature using sender’s public signing key

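The Key Management and Key Pair Use slides, worked through as an added example that is not part of the original slides: Doug sends Nola a message, wrapping a random communication key with her key-exchange public key and signing with his own private signing key. The RSA here is the textbook form on small constructed primes with no padding, and the keystream cipher is a toy; both are assumptions chosen so the example runs with the standard library only, and neither is secure.

```python
# Added illustration: textbook RSA on fixed small primes, with no padding.
# NOT secure; it only shows which key of which pair performs each step.
import hashlib
import secrets

E = 65537  # public exponent used by both constructed key pairs

def make_pair(p, q):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def send(message, sender_sign_priv, recipient_kx_pub):
    """Sender: sign with own private signing key, wrap key for recipient."""
    (n_s, d_s), (n_k, e_k) = sender_sign_priv, recipient_kx_pub
    comm_key = secrets.token_bytes(16)  # randomly chosen communication key
    wrapped = pow(int.from_bytes(comm_key, "big"), e_k, n_k)
    signature = pow(digest_int(message, n_s), d_s, n_s)
    return wrapped, keystream_xor(comm_key, message), signature

def receive(envelope, recipient_kx_priv, sender_sign_pub):
    """Recipient: unwrap with own private key, verify with sender's public key."""
    wrapped, ciphertext, signature = envelope
    (n_k, d_k), (n_s, e_s) = recipient_kx_priv, sender_sign_pub
    comm_key = pow(wrapped, d_k, n_k).to_bytes(16, "big")
    message = keystream_xor(comm_key, ciphertext)
    return message, pow(signature, e_s, n_s) == digest_int(message, n_s)

# Constructed key pairs built from Mersenne primes (two distinct pairs).
DOUG_SIGN_PUB, DOUG_SIGN_PRIV = make_pair(2**61 - 1, 2**127 - 1)
NOLA_KX_PUB, NOLA_KX_PRIV = make_pair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    env = send(b"PO 1001: 500 kg resin", DOUG_SIGN_PRIV, NOLA_KX_PUB)
    print(receive(env, NOLA_KX_PRIV, DOUG_SIGN_PUB))
```

Only the slow public-key operations touch the 16-byte communication key and the message digest; the message body itself goes through the symmetric cipher, which is how the speed problem noted for public key systems is usually worked around.
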
Main Differences
• In private key systems, the same key is used to encrypt and decrypt. So a single key has to be shared between devices/individuals who need to communicate.
• In public key systems, two keys are generated. A message encrypted with one can be decrypted with the other. Concept of a private (secret) key and a public key.

Problems With Public Key Encryption
• Computationally very complex
  • 1000 times slower on average than private key systems
• Key management
  • How can an individual trust the public key?
  • How do they know that it really belongs to an individual?
  • The need for certification authorities
    • Verisign
    • USPS

Browser check
Ensure Your Browser Is Secure
The information, like credit card numbers, you share with Web sites is only as safe as your Web browser. Use the free Browser Check to ensure you've got the latest, most secure Web browser.
• With one click, Browser Check instantly tells you:
  • What browser and version you're using
  • Your browser's encryption strength: standard 40-bit SSL, or 128-bit SSL, the strongest encryption available
  • Upgrade recommendations

Encryption Options
• Secure HTTP (S-HTTP)
• Secure Sockets Layer (SSL), most popular
• Private Communication Technology (PCT)
• Secure Electronic Transfer (SET)

Secure Socket Layer (SSL)
• Netscape has designed a security protocol called Secure Sockets Layer (SSL), which provides, for a TCP/IP connection:
  • data encryption
  • server authentication
  • message integrity
  • optional client authentication
• Web pages that have an SSL connection start with https: instead of http:

Secure Site
Normally the padlock or key icon will change and become closed or unbroken when entering a secure site

Table Summary of Security Issues

Definitions
• access
• access code
• access control
• authentication
• authorization
• Certificate Authority
• crack
• data integrity
• digital certificate
• digital envelope
• digital signature
• firewall
• hack
• hacker
• IP spoofing
• password
• PKI
• Pretty Good Privacy
• S-HTTP
• S/MIME
• secure server
• security
• SET
• smart card
• SOCKS
• SSL
• token
• Trojan horse
• username
• virus