Information Security for e-Business
Saad Haj Bakry, PhD, CEng, FIEE
PRESENTATIONS IN NETWORK SECURITY

Objectives / Contents
Secure Transactions
Use of Symmetric Keys
Use of Asymmetric Keys
Public Key Infrastructure: PKI
Security Protocols

Secure Transactions Requirements
Issue             Fact
Privacy           No Disclosure
Integrity         No Alteration
Authentication    Proof of Identity: Sender to Receiver / Receiver to Sender
Non-Repudiation   Legal Proof of Transaction: Message is Sent or Received
Availability      System in Operation
“S-Business” Outcome: “Secure Business”

Use of Symmetric Keys
DES: Data Encryption Standard
AES: Advanced Encryption Standard
KDC: Key Distribution Centre

DES: Data Encryption Standard
A Symmetric Encryption Algorithm: 1950s
By US NSA (National Security Agency) & IBM
Key Length is “56 bits”: Short / Easy to Crack
Triple Use (3 Keys in a Row): For More Security
DES (K-1) -> DES (K-2) -> DES (K-3)
Being Replaced By: AES

AES: Advanced Encryption Standard
A Symmetric Encryption Algorithm
By US NIST (National Institute of Standards & Technology): Replacing DES
Criteria of Choice: Strength, Efficiency, Speed, Other Factors
Five Finalists Under Consideration: 2001

KDC: Key Distribution Centre
To Solve “Key-Exchange” Problem
KDC Shares a “Secret Key”: With “Every User”
S-R Session Key: Generated by KDC per Transaction
Session Key Sent to S-R: Using their Shared Keys with KDC
All Transactions: Exchanged Through KDC
Problem: Centralized Security “Challenges to KDC!”

KDC Operation
[Diagram: Sender and Receiver linked through the Communication Network, with the KDC between them. Key labels: Symmetric Key (S) at the Sender, Symmetric Key (R) at the Receiver, Symmetric Key (S) and Symmetric Key (R) at the KDC, and the Session Key at Sender, KDC and Receiver. Steps: 1 Initiation, 2 Generation, 3 Assignment, then Transaction (Plain Text -> Cipher Text -> Plain Text).]

Use of Asymmetric Keys
Key Agreement Protocol: KAP / Digital Envelope
Key Management: KM
Digital Signature
Time-Stamping: Non-Repudiation
Notary Authentication

KAP: Key Agreement Protocol
Protocol: Rules of Agreement Process
Subject of Agreement: Symmetric Secret Key
Agreement Security: Use of Public Key
Secret Key: Suitable for Volumes of Data
Public Key: Suitable for Limited Volumes
Digital Envelope: Secret Key Encrypted with the Receiver’s Public Key

KAP Example: The Digital Envelope
Sender:
  Message: “Plain Text”
  Encrypt (Message) Using “Secret Key” -> Message: “Cipher Text” (S-K)
  Encrypt (Secret Key) Using Receiver’s “Public Key” -> Envelope
  Sent: Message “Cipher Text” (S-K) Plus “Cipher SK” (P-K)
  “Digital Signature”: Possible
Receiver:
  Decrypt Using Receiver’s “Private Key” -> “Secret Key”
  Decrypt (Message) Using “Secret Key” -> Message: “Plain Text”
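The two ways of delivering the secret key described so far, the KDC route and the digital envelope, as an added example that is not part of the original slides. Assumptions: the symmetric cipher is a SHA-256 keystream with an HMAC tag standing in for DES/AES, the receiver's key pair is textbook RSA over constructed primes, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in symmetric cipher (assumption): SHA-256 keystream, not DES or AES.
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plain: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Route 1: KDC. It shares one secret key with every user and generates the session key.
def kdc_assign(shared: dict, sender: str, receiver: str):
    session_key = secrets.token_bytes(16)             # generation, per transaction
    return (session_key,                              # the KDC itself knows this key
            seal(shared[sender], session_key),        # assignment to S under key (S)
            seal(shared[receiver], session_key))      # assignment to R under key (R)

# Route 2: digital envelope. Receiver key pair: textbook RSA over two Mersenne
# primes, constructed for this demo (unpadded and far too short for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))           # public modulus, private exponent

def envelope_seal(message: bytes, n: int = N, e: int = E):
    secret_key = secrets.token_bytes(16)
    cipher_sk = pow(int.from_bytes(secret_key, "big"), e, n)   # "Cipher SK" (P-K)
    return seal(secret_key, message), cipher_sk                # "Cipher Text" (S-K)

def envelope_open(cipher_text: bytes, cipher_sk: int, d: int = D, n: int = N) -> bytes:
    secret_key = pow(cipher_sk, d, n).to_bytes(16, "big")      # receiver's private key
    return unseal(secret_key, cipher_text)

if __name__ == "__main__":
    shared = {"S": secrets.token_bytes(16), "R": secrets.token_bytes(16)}
    sk, for_s, for_r = kdc_assign(shared, "S", "R")
    assert unseal(shared["S"], for_s) == unseal(shared["R"], for_r) == sk
    ct, csk = envelope_seal(b"order 1001: pay 100")    # constructed message
    print(envelope_open(ct, csk))
```

In the KDC route the centre holds every session key, which is the centralized-security problem the KDC slide names; in the envelope route only the holder of the receiver's private key can recover the secret key.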

Key Management
Theft (mishandling) & Attack (cryptanalysis)
Key Generation: Secure “Long Keys”
Key Generation Problem: Sometimes choice is from a small set
Recommendation: Key generation should be truly “random”
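The key generation problem above, as an added example that is not part of the original slides: a key can be 128 bits long and still come from a small set when the generator behind it is seeded from a small value. The 16-bit seed, the HMAC check value and all function names are assumptions made for illustration.

```python
import hashlib, hmac, random, secrets

SEED_BITS = 16   # constructed weakness: the generator is seeded from a 16-bit value

def weak_key(seed: int) -> bytes:
    """A 128-bit key that looks long but is one of only 2**16 possible values."""
    rng = random.Random(seed % (1 << SEED_BITS))   # predictable, non-cryptographic PRNG
    return rng.getrandbits(128).to_bytes(16, "big")

def strong_key() -> bytes:
    """A 128-bit key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(16)

def check_value(key: bytes, message: bytes) -> bytes:
    """Something an observer sees that depends on the key (here an HMAC tag)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def audit_small_set(message: bytes, observed: bytes):
    """Enumerate every key the weak generator can emit.

    Returns (key, tries) if the observed value came from that set,
    otherwise (None, tries) after the whole set has been tried.
    """
    total = 1 << SEED_BITS
    for tries, seed in enumerate(range(total), start=1):
        candidate = weak_key(seed)
        if hmac.compare_digest(check_value(candidate, message), observed):
            return candidate, tries
    return None, total

if __name__ == "__main__":
    msg = b"constructed test message"
    for label, key in (("weak", weak_key(40000)), ("strong", strong_key())):
        found, tries = audit_small_set(msg, check_value(key, msg))
        print(label, "key recovered" if found else "key not in the small set", tries)
```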

Digital Signature (1/2)
Objective: (P-K) Authentication / Integrity
Sender:
  Message: Plain Text -> Hash Function -> Message Digest
  Message Digest -> Encrypt (Sender Private Key) -> Electronic Signature
  Message: Plain Text -> Encrypt (Receiver Public Key) -> Message: Cipher Text
  Sent: Message: Cipher Text + Electronic Signature
Receiver:
  Electronic Signature -> Decrypt (Sender Public Key) -> Message Digest: “Sender Authenticated”
  Message: Cipher Text -> Decrypt (Receiver Private Key) -> Message: Plain Text
  Message: Plain Text -> Hash Function -> Message Digest
  Matching Message Digests: “Message Integrity”

Digital Signature (2/2)
Handwritten Signature: Document Independent (same for all documents); Authentication Only
Digital Signature: Document Dependent (based on message contents); Authentication & Integrity
Use: US DSA: “Digital Signature Algorithm”
Problem (Digital Signature): Non-repudiation (proof that the message has been sent)

Time-stamping / Non-Repudiation (1/2)
Objective: Binding “time and date” to digital documents
Important for electronic contracts
Third Party: Time-stamping Agency / Legal Witness
[Diagram: Sender / Receiver and Time-Stamping Agency]

Time-stamping / Non-Repudiation (2/2)
Sender: 1 Message: Cipher Text; 2 Sender Electronic Signature
Time-stamping Agency:
  Input: Ciphered & Signed Message
  Output: Time & Date Stamp; Agency Stamp (Signature) (Using the Agency’s Private Key)
Stamped message: 1 Message: Cipher Text; 2 Sender Electronic Signature; 3 Time & Date Stamp; 4 Agency Stamp (Signature)
Proof of receipt may be required “same route back” from the “receiver”

Notary Authentication
[Diagram: TRANSMITTER, NOTARY and RECEIVER connected through NETWORK SERVICES; the MESSAGE is delivered as a Message with Guarantee of Sender’s Identity]
NOTARY MAY USE: Encryption (DES) / Digital Signature / Other Methods

Public Key Infrastructure: PKI
PKI: Objectives / Organizations
Digital Certificates: Structure / Trust / Validity

PKI: Public Key Infrastructure (1/2)
Objective: Authentication of Parties in a Transaction
Hierarchy:
  IPRA: Internet Policy Registration Authority (The Root Certification Authority)
  IPA
  Policy Creation Authorities
  CA: Certification Authorities

PKI: Public Key Infrastructure (2/2)
CA: Certification Authorities
DC: Digital Certificates
DS: Digital Signatures
Using Public Key Cryptography
CA take the responsibility of authentication
DC are publicly available and are issued / held by CA in “CR: Certificate Repository”

Digital Certificate: Structure
Field                     Explanation
Name (Subject)            Individual / company being certified
Serial Number             For management / organization
Public Key                Public key of the individual / company
Expiration Date           Certification needs to be renewed
Signature of Trusted CA   For confirmation
Other Information         Relevant / needed data

Digital Certificate: Signature of Trust
[Diagram labels: Public Key (Name / Subject); Private Key (CA); Hash Function; Signature of Trusted CA; OR]

Digital Certificate: Expiration
Need for Change of Key (Pairs)
Expiration Date: Long use of key leads to vulnerability
Key Compromised: Cancellation / Renew
CA has “CRL: Certificate Revocation List”
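How a relying party combines the digital signature flow (hash, then the signer's private key; verify with the public key) with the certificate fields, expiration date and CRL described above, as an added example that is not part of the original slides. Assumptions: the CA key is textbook RSA over constructed primes, the certificate is a plain dictionary rather than a real certificate format, and all names are hypothetical.

```python
import hashlib, json
from datetime import date

# CA key pair, constructed for this example: textbook RSA over two Mersenne
# primes. Unpadded and far too short for real use; it only makes the flow runnable.
_P, _Q, CA_E = 2**107 - 1, 2**127 - 1, 65537
CA_N = _P * _Q
CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))        # the CA's private key

SIGNED_FIELDS = ("subject", "serial", "public_key", "expires")

def digest(cert: dict) -> int:
    """Hash function over the certified fields, reduced to fit the demo modulus."""
    data = json.dumps([cert[f] for f in SIGNED_FIELDS]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N

def ca_issue(subject: str, serial: int, public_key: str, expires: date) -> dict:
    cert = {"subject": subject, "serial": serial,
            "public_key": public_key, "expires": expires.isoformat()}
    cert["ca_signature"] = pow(digest(cert), CA_D, CA_N)   # sign with CA private key
    return cert

def validate(cert: dict, crl: set, today: date) -> str:
    # 1. Signature of trust: undo the signature with the CA *public* key and
    #    compare with a fresh hash, so any edited field is detected.
    if pow(cert["ca_signature"], CA_E, CA_N) != digest(cert):
        return "rejected: CA signature does not match contents"
    # 2. Expiration date (trustworthy only because step 1 covers it).
    if today > date.fromisoformat(cert["expires"]):
        return "rejected: expired"
    # 3. Revocation: a compromised key is cancelled before it expires.
    if cert["serial"] in crl:
        return "rejected: serial is on the CRL"
    return "valid"

if __name__ == "__main__":
    # Constructed sample certificate and dates.
    cert = ca_issue("shop.example", 1001, "constructed-public-key", date(2025, 12, 31))
    print(validate(cert, set(), date(2025, 6, 1)))
    print(validate(cert, {1001}, date(2025, 6, 1)))
    print(validate(dict(cert, expires="2030-12-31"), set(), date(2026, 1, 1)))
```

Checking the signature first matters: the expiration date is only meaningful once the signature has shown that nobody edited it.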

Security Protocols
Internet “Secure Sockets Layer”: SSL
Visa / Master Card: Secure Electronic Transaction: SET
Microsoft Authenticode

SSL: Secure Sockets Layer (1/2)
by: Netscape Communications
also used by: MS Internet Explorer
[Diagram: protocol stacks at Sender and Receiver: Application Software (“Browsers”) / SSL / TCP / IP. Labels: Messages; “Message Interpretation” (to protect Internet transactions); Virtual Circuit; Datagram; TCP/IP.]

SSL: Secure Sockets Layer (2/2)
Functions:
  Protects “private information from source to destination”
  Authenticates “receiver / server in a transaction”
Tools:
  Public Key / Digital Certificate
  Session (Secret) Keys
PCI: “Peripheral Component Interconnect” cards
  Installed on “Web Servers” to secure data over an entire SSL transaction “from sender / client to receiver / server”

SET: Secure Electronic Transaction
by: Visa & Master-Card
Objective: protecting e-commerce payment transactions
Authenticating the Parties Involved: “Customer”, “Merchant”, “Bank”
Using “Public-Key Cryptography”

Microsoft Authenticode
Objective: Safety of software ordered online
Authenticode is built into MS Internet Explorer
Authenticode interacts with Digital Certificates
Digital Certificates should be obtained by software publishers
Digital Certificates can be obtained from CA “VeriSign”

Remarks
e-Business Transactions: security measures
Use of Symmetric Keys: standards: DES, AES / key distribution: KDC
Use of Asymmetric Keys: symmetric key distribution: KAP, digital envelope / digital signature / time stamping: non-repudiation / notary
Public Key Infrastructure: digital certificate
Security Protocols: Internet: SSL / Banking: SET / Microsoft: Authenticode