Embed Size (px)
Citation preview
Lesson 12Cryptography
forE-Commerce
Approaches to Network Security
• Separate Security Protocol--SSL
• Application-Specific Security--SHTTP
• Security with Core Protocols--IPsec
• Parallel Security Protocol--Kerberos
Protocol and Security: SSL
HTTP
TCP
IP
NOT SECURE
SSL
TCP
IP
HTTP FTPSMTP
SECURE
The TCP connection(“3-way Handshake”)
client ServerSYN
Client sends connection request,Specifying a port to connect toOn the server.
client ServerSYN/ACK
Server responds with both anacknowledgement and a queuefor the connection.
client ServerACK
Client returns an acknowledgementand the circuit is opened.
SSL in ActionCLIENT SERVER
1ClientHello
2ServerHello
3ServerKey Exchange
4ServerHelloDone
5
ClientKey Exchange
6ChangeCiperSpec
7Finished
SSL in ActionCLIENT SERVER
4ServerHelloDone
5
ClientKey Exchange
6ChangeCiperSpec
7Finished
8ChangeCipherSpec
9 Finished
Protocol and Security: SHTTP
HTTP
TCP
IP
NOT SECURE SECURE
HTTP
TCP
IP
Security
Protocol and Security: IPSEC
HTTP
TCP
IP
NOT SECURE SECURE
HTTP
TCP
IPSEC
Protocol and Security: Parallel
HTTP
TCP
IP
NOT SECURE SECURE
HTTP
TCP
IP
Kerberos
PROTOCL COMPARISONS
• Separate Protocol
• Application Protocol
• Integrated with Core
• Parallel Protocol
A B C D E
A - Full securityB - Multiple ApplicationsC - Tailored Services
D - Transparent to ApplicationsE - Easy to Deploy
What is Cryptography
• Protecting information by transforming it into an unreadable format
• Encryption is the process that transforms the data into the unreadable format, Decryption restores it to its original format.
• Used to prevent information from “falling into the wrong hands”
• Data is only available to the people that are supposed to see it
Uses of Cryptography
Use
Keeping Secrets
Providing Identity
Verifying Info
Service
Confidentiality
Authentication
Message Integrity
Protects Against
Eavesdropping
Forgery & Masquerade
Alteration
Cryptography in Use Today
• SSL -- Secure Socket Layer• TLS -- Transport Layer Security protocol• IPsec -- Internet Protocol Security• SET -- Secure Electronic Transactions • Smart Cards• VPN -- Virtual Private Network• File or Disk Encryption Tools• Remote access: SSH -- Secure Shell • Digital Signature Algorithm -- DSA• EMAIL: PGP -- Pretty Good Privacy• PKI -- Public Key Infrastructure
Cryptographic Classifications
• Secret Key Cryptography– Symmetric Encryption– All Parties have same key
• Public Key Cryptography– Asymmetric Encryption– Different Keys: public and private
Secret Key CryptographySymmetric Encryption
Professor Student
Step 4- Decipher with secret key
Step 3 - Send Encrypted Message
Step 2-Encipher with secret key
Step 1- Secret Key Exchange occurs
Secret Key Cryptography
• PROs:– Very Secret– Key Size Determines how hard to break
• CONs:– Key Management is a Burden– Cryptography can be slow
Symmetirc Encrpytion Algorithms
• DES Data Encryption Standard• 3DES Triple-Strength DES• RC2 Rivest Cipher 2• RC4 Rivest Cipher 4
All commonly used with SSL
Public Key Cryptography
• Digital Signatures and Public Key Encryption– Message encrypted or signed with private key of
sender and public key of recipient– Recipient decrypts with own private key and
sender’s public key– Only sender has the right private key so if it
decrypts it must have come from the sender– NOTE: Assumes keys have not been compromised
Public Key CryptographyAsymmetric Encryption
Step 1- Create Public and Private Keys
Professor Student
Step 3- Encipher with public Key
Step 2 - Send Public Key to Student
Step 4 -Send Encrypted Message
Step 5- Decipher with private key
Public Key Cryptography
• PROs:– As Shown this Proves Identity– This Results in a Digital Signature
• Used to authenticate digital material• Prove identity and validity of action or material
• CONs:– Burdensome if you need widespread use
Combining the Best of Both
Professor StudentStep 1- Create Public and Private Keys
Step 1- Generatea Secret Key
Step 2 - Send Public Key to Student
Step 4 -Send Encrypted Message
Step 5- Decipher with private keyand retrieve secret key
Step 3- EncipherSecret Key with Public Key
Uses of Public Key Cryptography
• Digital Signatures– Used to authenticate digital material– Prove identity and validity of action or
material
• Transmission of symmetric key (public key encryption is generally slower)
Public Key Infrastructure
The Mainstream method (using public key cryptography ) by which to ensure key management and reliable authentication and encryption between two objects that are communicating over a single open network
Public Key Infrastructure
Purpose: provide an environment that addresses today’s business, legal, network, and security demands for trust and confidentiality
Environment: policies, protocols, services and standards that support public key cryptogrpahy
Public Key Infrastructure
Provides: – Strong user identification– Cryptographic Services– Evidence for non-repudiation among
strangers
Technology Components of PKI
• Keys: public and private• Certificate Authority (CA)
– Responsible trusted 3rd party that issues, revokes, and manages digital certificates
• Registration Authority (RA)– Optional entity implicity trusted by a CA to
validate another entity’s indentity prior to the CA issuing a digital certificate
– Usually needed in large PKI deployments
Technology Components of PKI
• Digital Certificates– Fundamental to PKI– Credentials issued to an entity that
uniquely identifies the entity for all others– The credentials act like a “passport”– Digital Certificates contain the entity’s
public key
Technology Components of PKI
• Repository– The workhorse of PKI– Stores certificates and entity information– Provides lookup and retrieval services to
an enterprise– Also handles certificate revocation list
(CRL) checking
Other Components of PKI
• Policy Management Authority (PMA) – Policy Approval Authority
• Develops governing policy for PKI
– Policy Creation Authority (PCA)• Implements PKI policy through CA
establishment
PKI Policy
• Primary PKI Policies– Certificate Policy (CP)
• What the PKI environment does• Publicly available document• Policy Approval Authority
– Certification of Practice Statement(CPS)• How the PKI environment does it• Details the functions of the PKI• Internal document
PKI in ActionCertificate Authority
Certificate Repository
ME YOU
Generate Keys
Generate Keys
Register with CA Register with CA
DigitalCertificatesReturned
PKI in ActionCertificate Authority
Certificate Repository
ME YOU
Encrypt With
Private Key
Decrypt With
Public Key
Send Encrypted Message
Request/GetDigitalCertificate
Summary
• Cryptography ensures CIA• Public Key Cryptography ensures
Authentication
• Public Key Cryptography ensures non-repudiation
