1 / 24

Supporting Technologies III: Security

Supporting Technologies III: Security. 11/16 Lecture Notes. Outline. Internet Security encryption, digital signatures, digital certificates SSL, SET Firewalls Virtual Private Networks Electronic Payment Systems protocols electronic card systems (credit cards, elec. Wallet) ecash, echeck.

ping
Download Presentation

Supporting Technologies III: Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Supporting Technologies III: Security 11/16 Lecture Notes

  2. Outline • Internet Security • encryption, digital signatures, digital certificates • SSL, SET • Firewalls • Virtual Private Networks • Electronic Payment Systems • protocols • electronic card systems (credit cards, elec. Wallet) • ecash, echeck

  3. Internet Security • Major barrier to e-commerce • Requirements for secure e-commerce: • Authenticity: Is the sender of the message who they claim to be? • Privacy: Are the contents of a message secret? • Integrity: Have the contents of a message been modified during transmission? • Nonrepudiation: Can the sender of a message deny that they actually sent the message?

  4. Cryptography • 4 parts: • Plaintext - original message (readable form). • Ciphertext - encrypted plaintext message (unreadable form). • Encryption Algorithm - mathematical formula used to compute a ciphertext from a plaintext (and decrypt a ciphertext to recover the plaintext). • Key - secret key used to encrypt and decrypt a message.

  5. (Key) (Key) Original Plaintext Plaintext Ciphertext Encryption Decryption A (very) simple Symmetric Key Encryption example Plaintext: ecommerce Encryption Algorithm: substitute each letter with a letter that is Key many after it in the alphabet. Wrap around. Key: 3 (ex: a d ) Ciphertext: hfrpphufh Decryption: substitute each letter with a letter that is Key many before it in the alphabet.

  6. For encryption, a mathematical formula which involves the key is used. (usually) • Usually the algorithm is known. • The security of the system is dependent on the key. • Generally, the longer the key, the harder to break the message by trying all the possibilities: “Brute Force Attack” • ex: binary key of 4 bits long 24 =16 possibilities • ex: 56 bits long 256  72 quadrillion possibilities : will take some time to crack it • Life of the key is an important criterion to determine length of a key (credit card number vs. credit history of an individual).

  7. Public Key Encryption • Uses two different keys instead of one. • Private Key: known by owner only • Public Key: known publicly (published) • A message encrypted using the Private Key can only be decrypted using the Public Key, and vice versa. • RSA is a well known Public Key algorithm. Public Key of recipient Private Key or recipient Original Plaintext Plaintext Ciphertext Encryption Decryption

  8. Digital Signatures • Used for ensuring that a message is actually coming from the person you think sent it. • Based on public key encryption. • Sender creates a phrase and encrypts it with his/her private key. • The phrase is attached to the message and the combined message is encrypted with the recipient’s public key. • Recipient decrypts the message using its private key, then decrypts the signature with the sender’s public key.

  9. Message Text Message Text Signature Signature Digital Signatures (public key of recipient) (private key of recipient) encryption Ciphered Text decryption sender receiver (private key of sender) (public key of sender)

  10. Digital Certificates • Used to assure authenticity of the sender. • Issued by third parties: certificate authorities (CA). • Individuals and companies apply by sending CA their public key and identifying info. • CA verifies this info and creates a certificate containing public key and identifying info and encrypts this using its private key. • When someone wants to send the applicant a message, they request the certificate, decrypt it and obtain the public key. • Certificates to authenticate web sites, software companies, etc. CA companies include VeriSign.

  11. Secure Socket Layer (SSL) • Protocol to handle encryption between web browsers and web servers (transparently). • Operates at TCP/IP layer. Client contacts the server. ex: https://www.wellsfargo.com They agree on a protocol suite (the algorithm). All communications are encrypted.

  12. message + + Digital envelop Digital envelop Bob’s private key Alice’s private key decrypt Symmetric key message encrypt Message digest Digital signature Encrypted message message Encrypted message + Message digest Encrypted message Digital envelop decrypt encrypt Symmetric key + Symmetric key Alice’s certificate Alice’s certificate compare Bob’s certificate decrypt encrypt Alice’s public key Digital signature Message digest Bob’s public key

  13. SSL Protocol 1. At Alice’s site, the message to be sent is hashed to a previous fixed length for message digest. 2. The message digest is encrypted with Alice’s private key and the output is a digital signature. 3. The digital signature and Alice’s certificate are attached to the original message. Alice generates a secret key using the symmetric (DES) algorithm and uses that key to encrypt this bundle. 4. Alice encrypts the symmetric key with Bob’s public key which resides in Bob’s certificate (received in advance). The result is a digital envelop. 5. The encrypted message and the digital envelop are transmitted to Bob’s computer over the Internet.

  14. SSL Protocol (cont’d) 6. The digital envelop is decrypted with Bob’s private key. 7. Using the restored secret key, Bob decrypts the message, obtaining the original message, digital signature, and Alice’s certificate. 8. To confirm the integrity, Bob decrypts the digital signature by Alice’s public key (that resides in Alice’s certificate), obtaining the message digest. 9. Bob hashes the delivered message to generate a message digest. 10. The message digest obtained by steps 8 and 9 are compared to confirm that they are correctly received. This step confirms the integrity.

  15. Payment on the Internet • Electronic Credit Cards • Electronic Fund Transfer and Debit Cards • Stored-Value Cards and E-Cash • Electronic Check Systems • Unified Systems

  16. Electronic Credit Cards • Players: Cardholder: consumer who uses credit cards. Merchant: offers goods/services, accepts credit cards. Card Issuer: financial institution (bank) that establishes accounts for cardholders and issues credit cards. Acquirer: financial institution (bank) that establishes accounts for merchants and acquires the vouchers of authorized sales slips. Card Brand: bank card associations (Visa, MasterCard) that provide networks to connect the involved financial institutions.

  17. Conventional Credit Card Procedure 4. Sells sales slip and pays a fee 2. Show credit card “capture” cardholder merchant 1. Issue plastic credit card 3. Authorization 5. Payment request 6. Amount Transfer Card Brand Issuer Bank Issuer Bank merchant account Cardholder account

  18. Secure Electronic Transaction (SET) Protocol • Designed to fully automate the credit card procedure and carry it out on the Internet. • Four entities: Cardholder: keeps a certificate in electronic wallet Merchant : keeps a certificate in electronic wallet Certificate Authority (CA): issues certificates Payment Gateway: connects networks of banks to the Internet (other entities are beyond the scope of SET)

  19. SET protocol Certificate authority Payment Gateway Customer with digital wallet .25 E-merchant Credit card brand and Banks

  20. Electronic Fund Transfer and Debit Cards on the Internet Conventional Electronic Fund Transfer: merchant customer VAN VAN bank bank Automated clearinghouse

  21. Electronic Fund Transfer on the Internet INTERNET merchant customer Cyber Bank Cyber Bank Payment Gateway Payment Gateway VAN VAN bank bank Automated clearinghouse

  22. Stored Value Cards and E-Cash • Avoids high fees for small payments (micropayments) • provides anonymity, convenience • eliminates multiple currency problem • smart card: introduced in 1970s (non-Internet). Ex: phone, transportation, copies. • Now has IC chips. Can recharge card. Use through your PC. Ex: Mondex, VisaCash.

  23. Electronic Check Systems • Similar security mechanism as in SET, but different use of procedures.(similar to electronic fund transfer). • For B2B transactions: • High security required • needs to be integrated to accounting system • a trusted third party must keep copy of records • ex: SafeCheck. • For more info www.echeck.org

  24. Unified Payment Systems • Online e-check merging with Electronic fund transfer and electronic credit cards. • Ex: Security First Network Bank (www.sfnb.com), Bank of America, VisaCash (stored-value money card), ePay (EFT), electronic bill payment, MasterCard.

More Related