1 / 27

Comp2513 Security and Authentication

Comp2513 Security and Authentication. Daniel L. Silver, Ph.D. Objectives. To introduce the basics E-Commerce security issues and web entity authentication Reference: Deital Ch. 7. Outline. Why is security such an issue? Physical security IT Security Basics – Firewalls

kory
Download Presentation

Comp2513 Security and Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Comp2513Security and Authentication Daniel L. Silver, Ph.D.

  2. Objectives • To introduce the basics E-Commerce security issues and web entity authentication • Reference: Deital Ch. 7 Daniel L. Silver

  3. Outline • Why is security such an issue? • Physical security • IT Security Basics – Firewalls • Public Key Cryptography • SSL – Secure Socket Layer • SET – Secure Electronic Transactions Daniel L. Silver

  4. Why is Security an Issue? • The Internet lets you travel outside of your network and others travel in – Those travelers are not all friendly!! • Critical and private information can be snooped - sniffed • Information can be deleted or destroyed • The Internet provides an opportunity for anonymous and rapid theft of large quantities of money Daniel L. Silver

  5. How many categories/classes of security invasions/breaches can you find? • User/password – shoulder surfing • Trojan horses • Password breaking (various strategies) • Denial of service attacks – flood the server with requests • Packet sniffing on net (wire tap, wireless recon.) • Spoofing websites • Dumpster diving – garbage search Daniel L. Silver

  6. Five Major Requirements of a Secure Transaction • Privacy – how to ensure information has not been captured by a third party • Integrity – how to ensure the information has not been altered in transit • Authentication – how to ensure the identity of the sender and receiver • Authorization – how to ensure a user has the authority to access / update information • Non-repudiation – how do you legally prove that a message was sent or received Daniel L. Silver

  7. Physical Security • Large mainframe systems have always had adequate physical security • The transition from LAN to WAN to Internet has caused new interest in these methods • Physical security means locked doors and security personnel • Options are to host on a secure ISP/ASP (InternetHosting.com) Daniel L. Silver

  8. IT Security Basics • Avoidance – preventing a security breach • Using a firewall system to frontend your intranet (or LAN) to the Internet • Minimization – early warning signals and action plans so as to reduce exposure • Attempted to access secure directories • Recovery - regular backups should be made and recovery periodically tested Daniel L. Silver

  9. Using a Firewall • A firewall server or router acts as an electronic security cop • No machine other than firewall is directly accessible from Internet • May also function as a “proxy” server allowing intranet systems to access only portions of the Internet • Internet security methods are focused at the firewall reducing cost and admin overhead Daniel L. Silver

  10. Security through HTTPS Server A Client 1 HTTP TCP/IP HTTP Server App. Server Browser Fire Wall Server Server B Server C Daniel L. Silver

  11. IT Security Basics • Passwords (and potentially User Ids) should be forced to change periodically • Passwords should be difficult to guess • Try to create passwords such as: To Be or Not To Be => 2bon2b • Databases should be secured in terms of access rights to data (usually by individual or group) Daniel L. Silver

  12. IT Security Basics • Software, particularly low layer components such as the operating system and DBMS, should be kept to recent patch levels • Access from dial-in lines should be limited and if possible call-back systems can be used Daniel L. Silver

  13. Cryptography • Cryptogrpahy or ciphering is an ancient method of encoding a message - only a receiver with a key can decipher the content • A single (symetric) secret key is used to encrypt and decrypt • Requires the communication of the key between sender and receiver ???? • Basis of nuclear war-head CAC security Daniel L. Silver

  14. 14-15-17-12 • 12-14-1-14-9-25-9-2-14 • 17-12 • 11-1-23-12-9 Daniel L. Silver

  15. Public Key Cryptography • In 1976 Diffie and Hellman at Standford U. developed public-key cryptography • Asymetric in nature: • Private key – kept secret by owner • Public key – distributed freely to all who wish to send • Generated by computer algorithm, so a mathematical relation exists between them ... however ... • It is computationally difficult to determine the private key from the public key, even with knowledge of the encryption algorithm Daniel L. Silver

  16. Public Key Cryptography • The keys come in the form of tightly coupled pairs which anyone can generate using methods such as RSA, SHA-1, DSA (RSA is most common) • Javascript demo: http://shop-js.sourceforge.net/crypto2.htm • There is only one public key corresponding to any one private key and vice versa • Sender encodes data using public key of receiver • Receiver decodes data using unique private key, no one else can do the same • This ensures integrity of the data Daniel L. Silver

  17. Authentication • How can you be sure that the person sending the encrypted data is who they say they are • This requires some method of authenticating the identity of the sender • The solution is for the sender to “sign” the data using his/her private key – the data is encrypted using the sender’s private key • The receiver validates (decrypts the data) the “signature” using the sender’s public key • This will work as long as receiver can be sure the sender’s public key belongs to the sender and not an imposter … enter PKI Daniel L. Silver

  18. Integrity and Authentication • Example: Consider a merchant wants to send a secure message to a customer: • Merchant encrypts message using customer’s public key • Merchant then signs message by encrypting with their private key • Customer decrypts using the merchants public key to prove authenticity of sender • Customer decrypts using their private key to ensure integrity of message Daniel L. Silver

  19. PKI – Public Key Infrastructure • Integrates PK cryptography with digital certificates and certificate authorities (CA) • Digital certificate = issued by a CA, includes user name, public key, serial number, expiration date, signature of trusted CA (message encrypted by CA’s private key) • Receipt of a valid certificate is proof of identity – can be checked at CAs sight • www.verisign.com is major player Daniel L. Silver

  20. Model for Network Security Trusted Third Party Authentication or Certificate Authority Sender Receiver Message Message Information Channel Secret Information Secret Information Opponent Daniel L. Silver

  21. Security and HTTPS • Certificate is an entity’s public key plus other identification (name, CA signature) • SSL – Secure Socket Layer • Lies between TCP/IP and HTTP and performs encryption • HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443) Daniel L. Silver

  22. Security through HTTPS Bank Server Client 1 Dedicated HTTP TCP/IP Browser Server A port = 80 HTTP Server App. Server Database Server HTTPS port = 443 prog.jsp URL index.html Daniel L. Silver

  23. SSL – Secure Socket Layer • Client makes HTTPS connection to server • Server sends back SSL version and certificate • Client checks if certificate from CA • Client creates session “premaster secret”, encrypts it and sends it to server and creates “master secret” • Server uses its private key to decrypt “premaster secret” and create the same “master secret” • The master secret is used by both to create session keys for encryption and decryption Daniel L. Silver

  24. SET – Secure Electronic Transfer • Developed by Visa & Mastercard • Designed to protect E-Comm transactions • SET uses digital certificates to authenticate customer, merchant and financial institution • Merchants must have digital certificate and special SET software • Customers must have digital certificate and SET e-Wallet software Daniel L. Silver

  25. Major Architectural Components of the Web Bank Server Client 1 Browser HTTP TCP/IP Server A HTTP Server App. Server Database Server Internet Client 2 Browser prog.jsp URL index.html Server B Bank Server Daniel L. Silver

  26. Resources / References • RSA demos: http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/ http://islab.oregonstate.edu/koc/ece575/02Project/Mor/ Daniel L. Silver

  27. THE ENDdanny.silver@acadiau.ca

More Related