Software Engineering 4C03: Web Encryption Software And It s Purpose

Transcription

1 Software Engineering 4C03: Web Encryption Software And It s Purpose Gordon Burtch Apr. 04, 2005 Dr. Kartik Krishman

2 Introduction This report details the methods and purposes of encryption software currently employed on the World Wide Web as well as current research in the field. The purpose of this document is to inform the reader of hazards which arise with communication via the internet. This is especially relevant to transmission of sensitive data. Following an explanation of the topic, a case study is provided which serves to convey the importance of web security. Background Encryption may be defined as follows: the encoding of information in such a manner that only a person with the proper knowledge may decode it. This knowledge can is analogous to a key for a lock. There are multiple methods of performing the encryption, all relying on the science of cryptography. Modern cryptography relies on the application of computers to the process, as humanbased code would be much too difficult to crack using a computer. There are two main groups of encryption methods in use today: Symmetric Key Encryption and Public Key Encryption. Symmetric Key encryption occurs when each computer has a secret key that it can use to encrypt a piece of information before it is sent over the network to another system. This requires that you know which computers will be talking to each other so that the key can be present on each one. It is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. A simple example of this might be to take the ASCII value of any given character. The transmitted data will appear to be random numbers. When the data is received, it is decrypted by converting from ASCII values, back into the standard alphabet. In this case, all that is necessary is knowledge of the encrypting function. To decrypt, the inverse function is applied to the encrypted data. Public Key encryption uses a combination of a private key and a public key. The private key is known only to your computer. The public key is advertised to the rest of the world. Any computer wishing to communicate with yours must encrypt the data using the public key. Large scale Public Key encryption requires additional factors to be feasible; digital certificates. Digital certificates are bits of information that indicate whether a Web server is trusted by a third party called a certificate authority. The certificate authority acts as a middleman that both computers trust. First confirming that each computer involved in the communication is who it says it is, it then provides the public keys of each computer to the other. Standard secure transactions via web browser now typically implement a combination of Private and Symmetric encryption. A symmetric key is

3 transmitted via Public Key encryption. Following this, all communication is then performed via Symmetric Key encryption. Indications of 128-bit or 512-bit encryption simply refer to the number of bits required to represent the hash value result of the employed encryption algorithm. A hash value is most easily described as a summary of the input value. It is calculated via a hash algorithm. A hash algorithm is not a 1-to-1 relation, but is rather a many-to-1 relation; the function is not invertible without a second piece of data. Case Studies E-Brokerage, a European based online brokerage, offers World Wide Web based securities trading for corporations and individuals on every major American and European stock exchange. A large proportion of the company s customer info is exchanged electronically via with third party companies. The broker needed to secure these data transfers for multiple reasons: 1. In order to comply with regulations governing the secure exchange of electronic information. 2. To secure confidential customer information, in keeping with customer privacy rights. 3. To protect against malicious activity founded on potentially stolen data. E-brokerage provides trades on Euronext, the Swedish and Luxembourg stock exchanges, the New York Stock Exchange (NYSE) and the NASDAQ. Any companies within the European Union exchanging information electronically are legally required to comply with the EU privacy directive, as well as multiple country specific regulations pertaining to the same subject. This particular company exchanges thousands of s a day with third-parties many containing confidential data. It becomes obvious, quite quickly, that encryption is necessary for the business to function internally, as well as in communication with its client base. Zurich Capital Markets (ZCM) is a leading asset management firm, providing financial services worldwide to a vast number of clients, having offices all over the world. The company has made use of various pieces of web restriction software for several years with an understanding of the importance of managed Internet use when it comes to their internal network. This understanding was based on the fact that malicious mobile code has been propagating itself across the internet quite rapidly, now being found on many websites. According to industry data, nearly half of all malicious mobile code is found on websites that most companies would not think to take a second look at; travel sites and search engines. Once the malicious code enters the network,

4 a large portion of it was found to spread viral worms by writing or reading to the registry and other activities. The remaining, larger, portion was found to be adding bookmarks, changing search pages or adding shortcuts onto the desktop. ZCM employs internet monitoring software to block employee access to high risk sites to minimize the risk of MMC attacks, such as web-borne viruses, Trojan horses, worms and script attacks. The software operates by identifying malicious code and entering the sites containing it into a database on a daily basis. This database is then automatically downloaded to employee systems each day. The database adds an additional layer of security to networks by preventing employees from unknowingly accessing sites that are infected with malicious code and spyware distributing sites. E-brokerage and ZCM are both examples of high risk situations relating to data transfer and corporate network security. The cases can become even more extreme, however, when it comes to things like national security; government, and government contracted corporations, networks and their fallibilities. As computers advance, it becomes increasingly more difficult to maintain the level of security one would like. In keeping with this concept, cryptography is a constant area of continuing research. Future Developments Current research into computer cryptography ranges from the highly theoretical down to the practical. Quantum cryptography, for example, is a branch of computer security which is based entirely upon the assumption of the availability of a quantum computer and is therefore highly theoretical. While quantum cryptography protocols have been developed and tested over relatively short distances (kilometers), they are by no means a practical method of encryption over the much larger distances required when communicating intercontinentally. Active networking is a fairly recent development in the world of computers. Its potential for greater functionality means it will likely enter into very high usage in the near future. In an active network, packets are not simply forwarded by a router. A router, on an active network, has the capability of processing the data contained in a packet in an application-specific way. Active networks will allow service providers, or even users, to mold the functionality of a network to their needs, by placing function-specific code into the network. Active networking is a technology that can be used to implement programmable networks - networks providing a basic hardware and software infrastructure, which can be dynamically adapted to the needs of the service provider or the user. They will allow dynamic service creation and deployment, i.e. a just in time approach to providing services in a future Internet. The concept of active networks presents a whole new facet in the study of cryptography and, as such, many corporations and a large portion of academia are researching this subject as well.

5 References 1. Alden W. Jackson and James P.G. Sterbenz. Active Networks: Introduction to a novel approach in computer networking. Dec. 4 th, Retrieved Apr. 1 st, _Networking.html 2. Tyson, Jeff. How Encryption Works. Retrieved March 28 th, PGP Corporate Publication. PGP Universal Case Study Retrieved March 28 th, Brokerage_040510_FL.pdf 4. CSO Online Custom Publication Vol. 1 No. 1. Case Study: Zurich Capital Markets. Oct. 15 th, Retrieved March 29 th,