Unit 5 Cyptography

8/11/2019 Unit 5 Cyptography

1/131

DSZQSPHSBQIZ


2/131

Brief History of Cryptography!!!!

What is Cryptography? Science of writing secret code

is an art of protecting information by transferring

it (encrypting )into an unreadable format ,calledcipher text

The first use of cryptography in 1900 B.C.

Used by Egyptian scribe

Some experts say it appeared right after writing wasinvented


3/131

Encryption/ Decryption

Encryptionis the transformation of data into some unreadable form. Its purpose is to ensure privacy by keeping the information hidden from

anyone for whom it is not intended ,even those who can see encrypted data .

It is a procedure to convert a regular text into a coded or secret text .

Decryption: the reverse of encryption :it is the transformation of encrypteddata back into some intelligible form.

A basic task in cryptography is to enable users to communicate securely overan insecure channel in a way that guarantees their transmission privacy andauthenticity

.Providing privacy and authenticity remains a central goal for cryptographic

protocols.

Encryption DecryptionPlain Text Cipher Text Original Text

Encryption


4/131

Common Terms is Cryptography

system Intruder :An intruder is any person who does not have the authorization to access the

network or the information

Plaintext: It is an intelligible message that needs to be converted into an intelligible

message or encrypted message

Cipher text :A message in encrypted form

Encryption: is a method by which plaintext can be converted to cipher text

Decryption: is a method by which cipher text can be converted into a plaintext

Algorithm: A cryptography algorithm is a mathematical function .

Key: It is a string of digits


5/131

5

Keys

It is a variable value that is used bycryptographic algorithms to produce encryptedtext, or decrypt encrypted text.

The length of the key reflects the difficulty todecrypt from the encrypted message.

Encryption DecryptionPlaintext PlaintextCiphertext

Key Key


6/131

Example

Plain text Algorithm Cipher text Algorithm Plain text

Item Next letter Jufn Previous Letter Item

Message Previous 3

Letters

Next 3 Letters Message


7/131

Cryptography Broken Down!!!

Two kinds of cryptosystems:

Symmetric

Uses the same key (the secret key) to encrypt and

decrypt a message. Asymmetric

Uses one key (the public key) to encrypt a message and

a different key (the private key) to decrypt the message.


8/131

Symmetric key encryption system

Same key is used to both encrypt and decrypt data

Examples of encryption systems: DES, 3DES, AES


9/131

Symmetric Cryptosystem!

Secret Key (Symmetric)

Symmetrical Key encryption is also known as private key encryption

With secret key ,the same key is used to encrypt information and

decrypt information. Hence the operation is known as symmetric.

With secret key systems you dont know who sent the message or if it

is for a specific recipient ,Because anyone with the secret key could

create or read the message .

Encryption with Keys


Key

(Symmetric Cryptosystem)


10/131

The message:The sender and receiver know and use the same secret key.

The sender uses the secret key to encrypt the message.

The receiver uses the same secret key to decrypt the message


11/131

Same key is used to both encrypt or decrypt themessage .

This means that the sender & receiver had to agree in

advance of the key .

There are a wide variety of symmetric encryptionalgorithms.

The most widely used encryption algorithm was DES(Data Encryption standard ) which was sanctioned bythe National Institute of standards & technology (NIST)

DES was developed by IBM .

It is a block cipher scheme which encrypts a 64-bit datablock using a 56-bit key .

The block is transformed in such a way that it involvessixteen iterations. This is done by using the security key


12/131

Main challenge

Agreeing on the key while maintaining secrecy.

Trusting a phone system or some transmission medium.

The interceptor can read, modify, and forge allmessages


13/131

Limitations

Both parties must agree upon a shared secret key

If there are n correspondents ,you have to keep

track of n different secret keys .if the same key is

used by more than one correspondent ,thecommon key holders can read others mail

Symmetric encryption schemes are also subject

so authenticity problems .Since both the sender& the recipient cannot be proved .Both can

encrypt decrypt the message


14/131

Key Management!!!

Key management:

The generation, transmission, and storage of a key.

All cryptosystems must deal with key

management issues

Because all keys must remain secret there is

often difficulty providing secure key

management.


15/131

Key Pairs

A key is a unique digital identifier

Keys are produced using a random number generator

A key pair consists of two mathematically

related keys The privatekey is secret and under the sole

control of the individual

The publickey is open and published


16/131

Introduction of the Public Key!!!

Created to solve key management problems.

Created by Whitfield Diffie and Martin Hellman

in 1976.

Also called asymmetric system.

Encryption key: public key

Decryption key: private key


17/131

Public Key Cryptography

Public Key encryption is also known as asymmetricalencryption

It utilizes a pair of keysone public & one private (inpair)

Public key is made available to anyone who wants tosend an encrypted message to the holder of theprivate key .

The only way to decrypt the message is the private key.

In this way messages can be sent without agreeing onthe keys in advance .

The most widely used public key algorithm is RSA


18/131

Public key encryption system

Each user has 2 keys: what one key encrypts,

only the other key in the pair can decrypt.

Public key can be sent in the open.

Private key is never transmitted or shared.

Eg. RSA (Rivest, Shamir, andAdleman)

RecipientsPublicKey Recipients PrivateKey


19/131

Public & Private Keys

Public and Private Key pairs comprise of twouniquely related cryptographic keys.

Public key is made accessible to everyone, whereasPrivate key remains confidential to its respectiveowner.

Since both keys are mathematically related only thecorresponding private key can decrypt theircorresponding public key.


20/131

How its works!!!!



Encryption Key (Ke)

(Asymmetric Cryptosystem)

Decryption Key (Kd)


21/131


22/131


23/131

Advantages

Message confidentiality Can be proved :thesender uses the recipients public key to encrypt amessage ,so that only the private key holder can

decrypt the message ,no one else . Authenticity of the message originator can beproved : The receiver uses his private key toencrypt a message ,to which only the sender has

access . Easy to distribute public key : The public key of

the pair can be easily distributed .


24/131


Complimentary Algorithms are used to encryptand decryptdocuments

@#@#@$$56455908283923

542#$@$#%$%$^&

Encryption key

Decryption key Unreadable Format


25/131

Public Key Infrastructure in Action

Public Key Private Key

Secure Transmission

Signatures

Decrypting

Encrypting

Encrypting

Decrypting

M Di


26/131

Message Digest

Used to determine if document has changedUsually 128-bit or 160-bit digests

Infeasible to produce a document matching a digest

A one bit change in the document affects about half the

bits in the digestEg. SHA-1 (160-bit digest), Secure Hash Algorithm

Hash Algorithm

Digest

Plaintext


27/131

Hash function

Hash function is a formula that converts amessage of a given length into a string or digitscalled a message digest .

A mathematical transformation is used by thehash function to encrypt information such that itis irreversible .

The encrypted cipher text message cannot bedecrypted back to plain text .


28/131

How it works X sends message to Y

Sender Receiver

The sender generates a message

A Message Digest of the message is created using the hash function

The sender attaches is digital signature to the end of the message

The sender encrypts both message and signature with receivers public

keys Using a private key ,the entire message is encrypted by the receiver

The receiver calculates the message digest using the hash function

The receiver uses the same hash function that the sender uses ,and whichhas been agreed upon in advance .

The main advantage is that even if an unauthorized person access Xspublic key ,he will not be able to get to the hash function generated keythis making the digital signature authentic and secure

X Y


29/131

Trusted Electronic

Transactions


30/131

ELECTRONIC TRANSACTIONS

Streamline Reporting ProcessReduce burden on regulated community

Efficient Record Retention

Timely and Accurate Data Retrieval and Access

Emergency Response (24/7 access)

Community-Right-to-Know


31/131

CAN ELECTRONIC DATA BE TRUSTED?

Accuracy andAuthenticity

Decisions regarding Environmental Health and ImpactSecurity

Protection from unauthorized access

Tamper-resistantAccidentalhuman errors

Intentional - Fraud Credibility in Judicial Proceedings

Effective Enforcement

Plaintiff/Defendant Subpoena


32/131

Evidence must be unambiguous to be admissiblein court

Once admitted into Court, evidence must bepersuasiveto a jury

JUDICIAL CREDIBILITY is the Highest Standard

for Trusted Data **


33/131

1. AUTHENTICATION: the ability to prove the senders identity

2. REPORT INTEGRITY: the ability to prove that there has been no change during

transmission, storage, or retrieval

3. NON-REPUDIATION: the ability to prove that the originator of a report intended to bebound by the information contained in the report

WHAT DETERMINES A LEGALLY BINDING

REPORT ?

NON-REPUDIATION

AUTHENTICATION

REPORT INTEGRITY


34/131

TRUST IN PAPER-BASED REPORTS


35/131

ELECTRONIC REPORTING


36/131

FROM PAPER TO ELECTRONIC: Repudiation

Risks in Basic Electronic Transactions

I did not send that report !

That report is not the one I sent !

I did not mean that !


37/131

I did not send that report !

Identity of user is unknown

Possible Solutions:

Telephone call follow-upTerms and Conditions Agreement (TCA) / Mailed Certification

Agreement

Mail a Diskette Containing Electronic Data

That report is not the one I sent ! Identity of user is unknown Possible Solutions:

Telephone call follow-up

Terms and Conditions Agreement (TCA) / Mailed Certification

Agreement

Mail a Diskette Containing Electronic Data

Ensuring Authenticity and Report Integrity in

Electronic Transactions Digital Signatures

Public Key Infrastructure


38/131

Public Key Infrastructure (PKI)

PKI is a combination of software, encryption

technologies and facilities that can facilitate trusted

electronic transactions.

PKI provides an electronic framework i.e.software & a set of rules & practices for secure

communication & transaction between organizations

& individuals

PKI ComponentsKey Pairs

Certificate Authority



39/131

39

PKI Structure

Certification Authority Directory services

User

Services,

Banks,

Webservers

Public/Private Keys


40/131

Certification Authorities(CAs)

A trusted authority

Responsible for creating the key pair, distributing theprivate key, publishing the public key and revoking the

keys as necessary The Passport Office of the Digital World

An organization that issues public key certificates(DigitalSignature).

Signed by certification authoritys own private keys, containsname of the person, persons public key, a serial number, andother info.,

Example: verisign corp.


41/131

A Certifying Authority is a trusted agency whose centralresponsibility is to issue, revoke, renew and provide directories forDigital Certificates.

The certificate authority issues a digital certificate to companiesand organizations that are accessible via the internet .

They are issued for a certain period of time and are used as aguarantee of the security of a website .

It is also referred to as a reliable third party

Certificate Authority


42/131

CSC1720Introduction toInternet

All copyrights reserved by C.C. Cheung 2003. 42

CA model (Trust model)

Root Certificate

CA Certificate

Browser Cert.

CA Certificate

Server Cert.


43/131

Different kinds of certificates

Certification authorities Certificates contain public key of CAs and name of service

this can in turn be signed by other certification authorities.

Server Certificates contain public key of SSL server,

name of the organization running the server, Internet hostname, serverspublic key.

Personal Certificates

contains individuals name and public key.

other information is also allowed.

Software Publisher Certificates certificates used to sign the distributed software.

Digital Signature


44/131

Digital Signature


45/131

Digital Signature

A Digital Signature is a method of verifying the

authenticity of an electronic document. A digital signature is a personalized thumb print. It is theencryption of an electronic document by a key

Characteristics

a protocol that produces the same effect as realsignature.

Only the sender can mark it.

Easily identifiable by others as one from the sender.

Used to confirm agreement to a message.


46/131

Digital signature can be used in all electronic

communications Web, e-mail, e-commerce, electronic banking and

general security & authentication of documents

It is an electronic stamp or seal that append tothe document.

It Ensures that the document is being

unchanged during transmission.


47/131

The IT Act has given legal recognition to digital

signature meaning, thereby, that legally it has thesame value as handwritten or signed signatures

affixed to a document for its verification

The Information Technology Act, 2000 provides

the required legal sanctity to the digital signatures

based on asymmetric cryptosystems.

The digital signatures are now accepted at par

with handwritten signatures and the electronicdocuments that have been digitally signed are

treated


48/131

Physical Signature / Digital Signature

Physical Signature Digital Signature

Physical Signature is just a writing

on paper

Digital Signature encompasses

crucial parameters of identification

Physical Signature can be copied It is IMPOSSIBLE to copy a Digital

signature

Physical Signature does not give

privacy to content

Digital Signature also enables

encryption and thus privacy

Physical Signature cannot protect

the content

Digital Signature protects the

content


49/131

How digital Signature works?

User A

User B

Use As private key to sign the document

Transmit via the Internet

User B received

the document with

signature attached

Verify the signature

by As public key stored

at the directory


50/131

Report Encryption Algorithm Digitally Signed

An individual digitally signs a document using the private key component of his certificate.

Digital Signatures

Private key


51/131

Authentication and Verification

The individuals public key, published by the CA decrypts and verifies the digitalsignature.

Digitally Signed

Public Key

Decryption Algorithm


52/131

Advantages

Signer authentication: The signer of the document is theowner of the private key for creating the signature andunless that is lost ,the digital signature cannot be altered byany other means

Message authentication: Today digital signature areprobably more authenticated than the paper signatureitself .Any alteration can be detected at the receiving endusing the public key

Efficient: The creation and use of digital signature andexchange digitally signed content is more efficient than

paper signatures .Digital signature can be automaticallycreated using programs these days and hence the creationtime is also quite less


53/131

Limitations

If the private key is lost the content signed

using that key is fully compromised and can be

tampered with

The issuer of the digital signature could givecompromise security by giving your private

key to someone else .


54/131

A digital signature is an electronic method

of signing an electronic document

Digital Certificate is a computer based

record that

Identifies the Certifying Authority issuing

it

Has the name or the identity of its

subscriber

Contains the subscriber's public key

Is digitally signed by the CertifyingAuthority issuing it

digital signatures are used to verify the

trustworthiness of information

Digital certificates are used to verify the

trustworthiness of a website

. However, in the case of digitalsignatures, the recipient must have a

relationship with the sender or hosting

site.

Organizations using digital certificatesdon't require a relationship with the

remote site; they just need the ability to

identify which digital certificate authority

was used by the site to validate it


55/131

Digital Certificates

Digital Certificate is a data with digital

signature from one trusted Certification

Authority (CA).

This data contains:

Who owns this certificate

Who signed this certificate

The expired date

User name & email address

What is a Digital Signature


56/131

What is a Digital SignatureCertificate?

Digital signature certificates (DSC) are the digitalequivalent (that is electronic format) of physical orpaper certificates.

Examples of physical certificates are drivers' licenses,passports or membership cards.

Certificates serve as a proof of identity of an individualfor a certain purpose; for example a driver's licenseidentifies someone who can legally drive in aparticular country.

Likewise, a digital certificate can be presentedelectronically to prove your identity, to accessinformation or services on the Internet or to signcertain documents digitally.


57/131

Why is Digital Signature Certificate (DSC) required?Like physical documents are signed manually,

electronic documents, for example e-forms arerequired to be signed digitally through Digital SignatureCertificate.

Who issues the Digital Signature Certificate?

A licensed Certifying Authority (CA) issues the digitalsignature.

Certifying Authority (CA) means a person who hasbeen granted a license to issue a digital signaturecertificate under Section 24 of the Indian IT-Act 2000.

The list of licensed CAs along with their contactinformation is available on www.mca.gov.in . You canobtain your DSC from Veracity IT & Legal Services.


58/131

Advantages of Digital Certificates

Decrease the number of passwords a user has

to remember to gain access to different

network domains.

They create an electronic audit trail thatallows companies to track down who executed

a transaction or accessed an area.

Security Standards For electronic


59/131


Payment System

A secured payment transaction system is of

critical importance to e-commerce

Without security standard ,one cannot

assume the success of e-commerce

There are two common standards used for

a secure electronic payment system

SSL

SET


60/131

Secure Socket layer (SSL) SSL is a protocol for giving data security layers between high-

level

It is a key protocol for securing web transactions ,data packets

in the internet

It provides sever & client authentication and an encrypted

SSL connection

It uses public key cryptography and system for validating

public key & digital certificates over the server .

SSL Provides 3 basic services :Sever authentication ,client

authentication & encrypted SSL connection .

SSL sever authentication uses public Key cryptography to

validate server's digital certificate and public key on the client

;s machine


61/131

What Happens When a Web Browser Connects

to a Secure Web Site


62/131


63/131

SSL Working

An SSL certificate allows sensitive information

to be encrypted during online transactions

Authenticated information about the owner of

the certificate is also contained in it.

The identity of the owner of the certificate is

verified by the certificate Authority at the

time of its issue


64/131

What Can SSL Do?

It provides the following

Data Encryption ,Server Authentication ,Message integrity

,Optional Client authentication .

SSL provides a security handshake protocol to start theTCP/IP connection. The consequence of this handshake is that

the client and server agree on the level of security they would

use & completes any verification necessities for the

connection .After that ,it is only used to decrypt and encrypt

the message stream .


65/131

SSL includes two sub-protocols: the SSL

Record Protocol and the SSL HandshakeProtocol.

Record Protocol -- defines the format used to

transmit data. Handshake Protocol -- using the Record

protocol to exchange messages b/t an SSL-

enable server and an SSL-enable client.


66/131

SSL usage Any online store

Anyone who accepts online orders & payments throughcredit cards

A site that offers a login or sign in

Anyone processing sensitive data such as the address

,birth date ,license or ID Numbers Anyone who is required to comply with privacy &

Security requirements

Anyone who values privacy & security requirements

Anyone who values privacy & expects others to trustthem

Challenge-Response e-mail system


67/131

Challenge-Response e-mail system It is an anti-spam system which is designed to shift the filtering

workload from the recipient to the spammer (or the legitimate

sender). The fundamental idea is that spammers will not take the time to

confirm that they want to send you email, but a legitimate senderwill.

The system maintains two lists of addresses: a "blacklist" of senders

that will always be blocked, and a "whitelist" of senders that willnever be blocked.

If someone sends you email from an address not listed in eitherlist, they will get an "challenge" (and their message will be queuedtemporarily).

If they give the correct "response" to the challenge, they get addedto your white list and their queued message(s) get forwarded toyou.

Regulations of the Internet encryption


68/131

Regulations of the Internet encryption

technologies

Encryption technology is being widely used today by enterprise aswell as individuals consumer to protect the proprietary data andconfidentiality of communication via e-mail or chat .

For Example we use our credit cards for booking movies ,air or railtickets over the internet on encrypted channels and feel safe thatour personal or credit card information is not compromised when intransit .

Similar technology can be also used by criminals to sendinformation via the internet and escape without being interceptedby the government bodies; hence regulations need to be in place bythe security organizations of different nations governing the use of

encryption technology and the purpose for which it can be used . Such regulations need to be in force for protecting the lives ofmillions of people which might be compromised by negativeelement of the society .

But there has to be regulations related to what information can beaccess and decrypted by the government bodies


69/131

Government regulation on encryption

Encryption systems across the world are controlled byregulation imposed by various governments.

One of the primary methods of regulating encryptionby the government is by the use of export restrictions

If anyone needs to export encrypted data ,they need alicense from a licensing authority which might be thegovernment agency or a third party governmentcertified authority .

Some of these regulations are continually challenged in

the courts ,but the government are bound by securityconcerns that would arise if such regulations are not inplace

Digital Signatures Controls on


70/131

Digital Signatures Controls on

Encryption

The most commonly found internet security mechanism today isSSL encryption .

A well designed security solution should have the following attributes

Data transfer from browser to server ,server to browser ,should beencrypted

Any file attachments should be encrypted and digitally singed toensure security of the consumer who downloads or uploads theseattachments

All digital signatures should have some accountability mechanism tobe validated in the receiving end

Authentication mechanism should be foolproof ,smart cards can beused to store certificates to ascertain consumer authenticity

Not only the fillable fields in the form ,but the whole content of theweb page should be encryptable and digitally sign able

Specific Issues in US Encryption


71/131

Specific Issues in US Encryption

Controls

Three problems deter widespread acceptance of encryption

Successful encryption requires that all participating parties use the sameencryption scheme .Within an organization ,or a group expected tocooperate (such as banks) ,standards have to be establishes that makeencryption feasible

The distribution keys has been a second barrier to wider use ofencryption ,as there is no easy way to distribute the secret key to a personnot known The only safe way to distribute the secret key is in person ,andthen the distributor must provide a different secret key for each person.Even public key schemes require method for key distribution

The final deterrent to widespread acceptance of encryption is its

difficulty to use .The user interface to encryption must be simplified .ForEncryption to flourish average consumer must find the software easy touse for commercial applications .


72/131

?

Do Digital Certificates Have


73/131


Vulnerabilities?

One problem with a digital certificate is where itresides once it is obtained.

The owner's certificate sits on his computer, andit is the sole responsibility of the owner toprotect it.

If the owner walks away from his computer,others can gain access to it and use his digital

certificate to execute unauthorized business.



74/131

The best way to address the vulnerabilities ofdigital certificates is by combining them with

biometric technology, as that confirms the

actual identity of the sender, rather than thecomputer.


Vulnerabilities?



75/131


Payment System

A secured payment transaction system is ofcritical importance to e-commerce .

Without security standard ,one cannot

assume the success of e-commerce

There are two common standards used for a

secure electronic payment system .

SSL

SET


76/131

What is SSL?

A protocol developed by Netscape.

It is a whole new layer of protocol which

operates above the Internet TCP protocol and

below high-level application protocols.


77/131

SSL

SSL is a communications protocol layer which can

be placed between TCP/IP and HTTP

It intercepts web traffic and provides security

between browser and server

Encryption is used to guarantee securecommunication in an insecure environment

SSL uses public-key cryptography


78/131

What is SSL?

h ?


79/131

What Can SSL Do?

SSL uses TCP/IP on behalf of the higher-levelprotocols.

Allows an SSL-enabled server to authenticate

itself to an SSL-enabled client;

Allows the client to authenticate itself to the

server;

Allows both machines to establish anencrypted connection.

h ?


80/131

What Does SSL Concern?

SSL server authentication.

SSL client authentication. (optional)

An encrypted SSL connection or

Confidentiality. This protects against electronic

eavesdropper.

Integrity. This protects against hackers.

SS ki


81/131

SSL Working

An SSL certificate allows sensitive informationto be encrypted during online transactions

Authenticated information about the owner of

the certificate is also contained in it.

The identity of the owner of the certificate is

verified by the certificate Authority at the

time of its issue

SSL components


82/131

SSL components

SSL Handshake Protocol

negotiation of security algorithms and parameters

key exchange

server authentication and optionally client authentication

SSL Record Protocol

fragmentation

compression

message authentication and integrity protection

encryption

SSL Alert Protocol

error messages (fatal alerts and warnings)

SSL Change Cipher Spec Protocola single message that indicates the end of the SSL handshake

SSL A hi


83/131

Henric Johnson 83

SSL Architecture


84/131

SSL includes two sub-protocols: the SSL

Record Protocol and the SSL HandshakeProtocol.

Record Protocol -- defines the format used to

transmit data. Handshake Protocol -- using the Record

protocol to exchange messages b/t an SSL-

enable server and an SSL-enable client.


85/131

The exchange of messages facilitates thefollowing actions:

Authenticate the server to the client; Allows

the client and server to select a cipher thatthey both support; Optionally authenticate

the client to the server; Use public-key

encryption techniques to generate sharesecrets; Establish an encrypted SSL conn.

SSL


86/131

SSL usage Any online store

Anyone who accepts online orders & payments throughcredit cards

A site that offers a login or sign in

Anyone processing sensitive data such as the address

,birth date ,license or ID Numbers Anyone who is required to comply with privacy &

Security requirements

Anyone who values privacy & security requirements

Anyone who values privacy & expects others to trustthem

SSL S i ti


87/131

SSL Summarization

Exists between raw TCP/IP and Application Layer. Features added to streams by SSL

Authentication and Nonrepudiation of Server, using Digital Signatures.

Authentication and Nonrepudiation of Client, using Digital Signatures.

Data confidentiality through Encryption.

Data Integrity through the use of message authentication codes.

Functions Separation of duties.

Efficiency.

Certification - based authentication

Protocol Agnostic.

Transport Layer Security is being tried out.

S S k t l (SSL)


88/131

Secure Socket layer (SSL) SSL is a protocol for giving data security layers between high-level application

protocol & TCP/IP , it is a security protocol .

It provides the following

Data Encryption ,Server Authentication ,Message integrity ,Optional Clientauthentication .

SSL provides a security handshake protocol to start the TCP/IP connection. Theconsequence of this handshake is that the client and server agree on the level of

security they would use & completes any verification necessities for theconnection .After that ,it is only used to decrypt and encrypt the message stream .

It is a key protocol for securing web transactions ,data packets in the internet

.It provides sever & client authentication and an encrypted SSL connection

.It uses public key cryptography and system for validating public key & digitalcertificates over the server .

SSL Provides 3 basic services :Sever authentication ,client authentication &encrypted SSL connection .

SSL sever authentication uses public Key cryptography to validate server's digitalcertificate and public key on t he client ;s machine

Secure Electronic Transaction (SET)


89/131

Secure Electronic Transaction (SET)

Developed by Visa and MasterCard

Designed to protect credit card transactions

on the Internet

SET is a system for ensuring the security of

financial transactions on the Internet

Set of security protocols and formats

Not a payment system

Ensures privacy.


90/131

Henric Johnson 90

Secure Electronic Transactions

Key Features of SET: Confidentiality of information- all messages

encrypted

Integrity of data Cardholder account authentication

Merchant authentication

Trust: all parties must have digital certificates Privacy: information made available only when and

where necessary

SET B i R i t


91/131

SET Business Requirements

Provide confidentiality of payment andordering information

Ensure the integrity of all transmitted data

Provide authentication that a cardholder is alegitimate user of a credit card account

Provide authentication that a merchant canaccept credit card transactions through itsrelationship with a financial institution

SET B i R i t ( td)


92/131

SET Business Requirements (contd)

Ensure the use of the best securitypractices and system design techniques toprotect all legitimate parties in anelectronic commerce transaction

Create a protocol that neither depends ontransport security mechanisms norprevents their use

Facilitate and encourage interoperabilityamong software and network providers

Participants in the SET System


93/131

SET Transactions


94/131

SET Transactions


95/131

The customer opens an account with a card issuer. MasterCard, Visa, etc.

The customer receives a X.509 V3 certificate signed by a bank. X.509 V3

A merchant who accepts a certain brand of card must possess two X.509 V3 certificates. One for signing & one for key exchange

The customer places an order for a product or service with a merchant.

The merchant sends a copy of its certificate for verification.

Sequence of events for transactions


96/131

Henric Johnson 96

Sequence of events for transactions

1. The customer opens an account.2. The customer receives a certificate.

3. Merchants have their own certificates.

4. The customer places an order.

5. The merchant is verified.6. The order and payment are sent.

7. The merchant request payment authorization.

8. The merchant confirm the order.

9. The merchant provides the goods or service.10. The merchant requests payments.

Components to build Trust


97/131

Data Confidentiality

EncryptionWho am I dealing with? Authentication

Message integrity Message Digest

Non-repudiation Digital SignatureAccess Control Certificate Attributes

Conclusion


98/131

With the help of the above discussions, the SET protocol appearsto be complete, sound, robust and reasonably secure for the

purpose of credit-card transactions.

However, it is important that the encryption algorithms and key-

sizes used, will be robust enough to prevent observation by hostile

entities.

The secure electronic transactions protocol (SET) is important for

the success of electronic commerce.

Secure electronic transactions will be an important part of

electronic commerce in the future.Without such security, the interests of the merchant, the

consumer, and the credit or economic institution cannot be served.

Contd


99/131

Contd



Encryption Key (Ke)(Asymmetric Cryptosystem)

Decryption Key (Kd)



Key

(Symmetric Cryptosystem)

Encryption DecryptionPlain Text Cipher Text Original TextEncryption

Secure Email Protocols


100/131

Secure Email Protocols

PEM (Privacy Enhanced Mail) Is a standards that provides security-related services foe

electronic mail application

Commonly used with SMTP (simple mail transport protocol)

PEM Features

Includes encryption ,authentication & key management

It allows use of both public & Private key cryptography

It uses the data encryption standard(DES) algorithm forencryption & RSA algorithm for sender authentication &

key management . It verifies the identity of the message originator & verifies

whether any of the original text has been altered .

PGP (Pretty Good Privacy )


101/131

PGP (Pretty Good Privacy )

PGP is a file based product developed by software engineer Phil Zimmerman in1991

It is a free software that encrypts email .

It is mostly used for personal e-Mail security

PGP supports public-key & symmetric key encryption as well as digital signatures

It operates by encrypting the data with one time algorithm & then encrypting thekey to the algorithm using public key cryptography

PGP also supports other standards such as SSL & lightweight Directory accessprotocol(LDAP)

LDAP is a standard for accessing specific information ,including stored public keycertificates

It is freely available for DOS ,Macintosh ,UNIX,& OS/2 systems

PGP provides secure encryption of documents & data files that even advanced

supercomputers are hard pressed to crack The process is so simple that anyone with a PC can do it with almost no effort .

S/MIME (Multipurpose Internet Mail Extension )


102/131

S/MIME (Multipurpose Internet Mail Extension )

Was developed by RSA in 1996 as a securityenhancement to old MIME standard for

internet email

It is built on public key cryptography standards S/MIME is considered powerful because it

provides security for different data types & for

email attachments

MSP(Message security protocol)


103/131

MSP is used by the US government & governmentagencies to provide security for e-mail

Its function is securing e-mail attachments acrossmultiple platforms

It operates at the application level of the internet& does not involve the intermediate messagetransfer system .

An MSP message includes the original message

content & specific security parameters requiredby the recipients to decrypt or validate themessage when received .

Creation of digital signature


104/131

Creation of digital signature

According to the Act ,Asymmetrical or public key cryptographyinvolving a pair of keys (private or public is used for creating adigital signature

Steps to create digital signature

Signer demarcates the message

Hash function is the signer's software computes a hash resultunique to the message

The signer software then transforms (encrypts) the hash result into adigital signature using a signers private key. the resulting digitalsignature are unique to both the message and the private key isused to create it .

The digital signature (a digitally signed message hash result of themessage ) is attached to both its message and stored or transmittedwith its message .digital signature is unique to its message .signersends both digital signature and message to recipient

Digital Signature Generation and


105/131

Verification

Message Sender Message Receiver

Message Message

Hash function

Digest

Encryption

Signature

Hash function

Digest

Decryption

Expected Digest

Private

Key

Public

Key

Verification


106/131

Verification

The recipient of a digitally signed message canverify both that the message originated from

the person who se signature is attached and

that the message has not been altered eitherintentionally or accidently since it was signed

.Furthermore ,secure digital signature cannot

be repudiated ,the signer of a document

cannot later disown it by claiming the

signature was forged .

Steps to verify digital signature


107/131

Steps to verify digital signature

For verifying the digital signature first of all ,the recipientreceives digital signature and the message

He applies signers public key on the digital signature &recovers the hash result from the digital signature .

After this ,he computes a new hash result of the original

message by applying the same hash function used by thesigner to create the digital signature

Lastly he compares the two hash results ,if they areidentical ,it indicates that the message has not beenmodified .If two hash results are not same ,it would mean

that the message either origated somewhere else wasaltered after it was signed and the recipet in such case canreject the message .

Applications


108/131

Applications

Digital certificate


109/131

Digital certificate

A digital certificate is called an electronic identity cardand is used for establishing the users credentials whenconducting transactions over the web. A digitalcertificate is defined as a method of verifyingauthencity electronically >the digital certificate is

equivalent to real identification, such as a driverslicense. diffrent certifying authorities provide it .Digitalcertificates are used to confirm a website ,or a visitorto a website ,is the entity or person they declare to be.they are like an electronic testimonial issued by a

certificate ion authority to ascertain the identity of anorganization when doing business dealings on theinternet .

Contents of digital certificate


110/131

Contents of digital certificate

Holders name ,organization ,address

Name of the certificate authority

Public key of the holders for cryptographic use

Time limit (these certificates are issued for a

period of six months to a year)

Digital certificate identification number

Security in Transmission


111/131

Security in Transmission

Secure Socket Layer (SSL)

https

Submission is encrypted by the sender with recipients public key

After receipt, submission is decrypted with recipientsprivate key

Wh t Sh ld B Si d ?


112/131

What Should Be Signed ?

Balance between capturing the entire content of

the transaction vs. ease of data integration

Data that is Machine readable but which separates

user entry content from context: database, commadelimited, spreadsheet, etc

Data that records content and context but which are

not easily integrated into databases: word, pdf, image,

html, etc

Ensuring Non repudiation in Electronic


113/131

Ensuring Non-repudiation in Electronic

Transactions

Capturing Complete Transactions in Archive

Signing the content and context of a transaction

Storing the signed transaction in a data warehouse without manual

intervention

Granting Public Access to paper reports


114/131

g p p p

Public comes into agency office

Public provides drivers license or other identification

Agency can monitor who is accessing data

Providing Trusted Electronic Access


115/131

to Data

Identity of user is unknown

Access cannot be monitored

Relying on the Certificate Authority

Applying PKI to Public Access


116/131

PublicDigital

Certificate

In order to obtain access to Community Right to Know Data, individuals firstobtain digital Certificates.


117/131

Public

After contributing a certificate to gain access, The individuals certificate can be

cross-referenced with other security databases to monitor suspect individuals.

Digital

Certificates Agency

California Digital Signature Regulations


118/131


Definitions

Digital Signatures Must Be Created By An Acceptable

Technology- Criteria For Determining AcceptabilityList of Acceptable Technologies

Provisions For Adding New Technologies to the List of

Acceptable Technologies

Issues to Be Addressed By Public Entities When Using

Digital Signatures

California Code of Regulations

Title 2. Administration DIVISION 7. CHAP 10. DIGITAL SIGNATUREShttp://www.ss.ca.gov/digsig/regulations.htm

http://www.ss.ca.gov/digsig/regulations.htmhttp://www.ss.ca.gov/digsig/regulations.htm


119/131

The technology known as Public Key Cryptography is an

acceptable technology for use by public entities inCalifornia, provided that the digital signature is created

consistent with the provisions in Section 22003(a)1-5.

"Acceptable Certification Authorities" means a certification

authority that meets the requirements of either Section

22003(a)6(C) or Section 22003(a)6(D).

"Approved List of Certification Authorities" means the list

of Certification Authorities approved by the Secretary of

State to issue certificates for digital signature transactions

involving public entities in California.

Summary: Electronic Report Transactions are


120/131

Unsigned Web formscan be sent by anyone. They can be tampered in

transmission and the sender cant be legally verified

Unsigned Data in a databasecan be altered and does not provide

adequate evidence in a court of law

Data on Diskettecan be altered without visible evidence

subject to fraud and easily repudiated:

Summary, cont.


121/131

Digitally signed reports can also be repudiated, if the signed data is storedindependently of the form question data.

Conclusion: Ensuring Trusted Electronic

Transactions


122/131

Transactions

1. PKI supports trusted electronic report transactions:

Authentication- authenticates the

sender of a report

Report Integrity- invalidates a report if it has been tampered.

Non-repudiation- sender and document

are authenticated- the sender cannot

deny having sent the report

Conclusion, cont.


123/131

2. PKI supports trusted access to Public Data:

Agencies require individuals to contribute digital certificates in order to gain

access.

Agencies can track who gains access at what time

The names of individuals who seek access can be cross-referenced with

additional security databases to protect public safety

Conclusion, cont.


124/131

3. Complete Archiving ensures that a legal record of a transaction can be trusted : Non-repudiation- Storing a copy of the entire data (including questions on

the form) with the digital signature.


125/131

What cryptography cant do ?


126/131

Rely-On Solutions

Protect unencrypted documents. Protect against stolen encryption keys.

Against denial-of-service attacks.

Against the record of a note that a message was

sent.

Against a traitor or a mistake.

Working Encryption Systems


127/131

Rely-On Solutions

Programs PGP(Pretty Good Privacy).

S/MIME.

Protocols

SSL(Secure Socket Layer). PCT(Private Communications Technology).

S-HTTP(Secure HTTP).

Cybercash.

Contd


128/131

Rely-On Solutions

SET(used in web shopping). Electronic Wallet with User.

Server that runs on Merchants web site.

SET payment server runs in merchants bank.

DNSSEC(Domain Name System Security).

IPSec and IPv6. IPsec works with IPv4 and standard version used today

works for IPv6 and includes IPsec.

Kerberos.

Network Layer Security Protocol(IPsec)


129/131

Rely-On Solutions

IP Security protocol - a suite of protocols that provides security at thenetwork layer.

Network layer must provide

Secrecy - hide message from any third party that is "wire tapping" thenetwork.

Source authentication -IP datagram with a particular IP sourceaddress, it might authenticate the source.

there are two principal protocols:

the Authentication Header (AH) protocol.

provides source authentication and data integrity but not secrecy.

the Encapsulation Security Payload (ESP) protocol.

provides data integrity and secrecy.Security Agreement (SA) - the source and network hosts handshake and

create a network layer logical connection

What is SSL ?


130/131

Rely-On Solutions

Exists between raw TCP/IP and Application Layer. Features added to streams by SSL

Authentication and Nonrepudiation of Server, using Digital Signatures.

Authentication and Nonrepudiation of Client, using Digital Signatures.

Data confidentiality through Encryption.

Data Integrity through the use of message authentication codes.

Functions Separation of duties.

Efficiency.

Certification - based authentication

Protocol Agnostic.

Transport Layer Security is being tried out.

Secure Web Server


131/131

Implements cryptographic protocols. Safeguard any personal info received or

collected.

Resistant to a determined attack over the I-net.

Bad Guys Bad Guys

SERVER ACTIVE

AND PROVIDES

SECURE WEB SERVER

ATTACK ATTACK

ATTACK

Documents

Unit 5 Cyptography