Secure E-Commerce: Understanding the Public Key Cryptography Jigsaw Puzzle
CRYPTOGRAPHY

Viswanathan Kodaganallur, Ph.D.

Today almost all organizations use the Internet extensively for both intra- and inter-organizational communications. The Internet is also the exclusive vehicle for E-commerce transactions involving customers and other business partners. This eliminates the significant infrastructure costs of private data communications networks and enables even small companies to participate in E-commerce. However, extensive use of public media for transferring sensitive data poses serious security challenges. One of the main weapons in overcoming these challenges is public key cryptography.

Although public key cryptography is extensively used today, relatively few people (managerial and technical) understand its essence, preferring to leave that to the specialists. Although the intricate technical details are best left to the specialists, a solid understanding of the broad picture is necessary and well within the reach of everyone. This article sets out to convey just such an understanding.

BASICS OF SECRET COMMUNICATIONS

Perfectly secure communication is impossible in theory. It is always a possibility for any message to fall into the wrong hands. The practical approach is to reduce the likelihood of this happening to acceptably small levels. Nowadays encryption is the main approach to keeping communications secret. A message being communicated (plaintext) is encrypted in such a way that the encrypted message (ciphertext) can be understood only if it is decrypted. Clearly, the message is secret only to the extent that decrypting the ciphertext is difficult.

A message can be encrypted in several ways. A procedure to encrypt a message is called a cipher. A trivial (and not very secure) example of a cipher is one that reverses the characters in a message.
The recipient of the message, if aware of how the message has been encrypted, can decrypt it by reversing the characters in the ciphertext to recreate the plaintext. Another example is a substitution cipher, which works by substituting each character of the message with some other character. This can be decrypted via reverse substitution by a recipient who is aware of what substitutions have been made. In this example, the cipher operates in conjunction with a secret key (the substitution scheme). The same cipher used on the same plaintext with a different key will yield different ciphertext.

Single-character substitution ciphers can be easily cracked by cryptanalysts (people who break ciphers) through techniques such as frequency analysis. For example, the most frequently occurring letters in English are e, t, and a. By counting the frequency of each letter in the ciphertext, a cryptanalyst can make a guess about which letters in the ciphertext probably map to these letters. Once these are established, other clues, such as which letters commonly precede and follow these letters, can be used to make further progress.

VISWANATHAN KODAGANALLUR, Ph.D., is an Associate Professor of Computing and Decision Sciences at Seton Hall University's Stillman School of Business. He earned his Ph.D. in operations management from the Indian Institute of Management. Dr. Kodaganallur started his working career in academia. He then switched to the software development industry where he spent a decade before returning to academia in . His research interests include information systems security, object-oriented software development, intelligent tutoring systems, and combinatorial optimization.

INFORMATION SYSTEMS SECURITY

FIGURE 1 Encryption and Decryption with Key-Based Symmetric Ciphers (the same shared key is used for symmetric encryption and symmetric decryption)

More powerful ciphers, called block ciphers, encode a block of text at a time rather than just a single character. Under these, a block of text (say, 128 bits) is replaced with a different block of the same, or different, size. The number of possible transformations increases rapidly with the block size, consequently making cryptanalysis more difficult.

Although people can come up with many different methods of encoding, the need for standardization makes it necessary to adopt one or a few methods universally. On the face of it this would seem to defeat the very purpose of encrypted communication. However, with something called key-based ciphers, the ciphertext depends not only on the encryption procedure but also on a secret key used during the encryption process. For example, suppose the plaintext is (perhaps a credit card number). Let us suppose that some specified method X is being used for encryption.
With the secret key , the plaintext might get encoded to 6bgs 8ys9 0ehw yhfk; whereas, using the same method X but a different secret key, the plaintext would be encoded to something completely different. To decrypt messages encrypted using key-based ciphers, one needs to know not only the encoding procedure but also the secret key value. Keeping the key hidden from all except the message recipient makes it very difficult for unauthorized parties to obtain the plaintext from the ciphertext, even if they know what kind of cipher has been used. This process is illustrated in Figure 1.

An example of a key-based block cipher is DES (Data Encryption Standard), which was adopted as a standard by the U.S. government in 1977 and the financial industry in . DES uses a 56-bit key. Today, DES is not considered safe enough primarily because of its small key size. Computing technology has become powerful enough for a cryptanalyst to exhaustively try all possible key combinations on a DES ciphertext within a reasonable amount of time and hence to decode DES ciphertext even without having the secret key.

CRYPTOGRAPHY, JANUARY/FEBRUARY
Prominent among the new approaches are AES (supports key sizes of 128, 192, and 256 bits), Triple DES (overcomes the limited key size by applying DES three times with two or three different keys), Rivest ciphers (RC2, RC4, RC5, and RC6), and others such as IDEA (International Data Encryption Algorithm) and CAST. All the ciphers mentioned above are called symmetric key ciphers because the same secret key is used for encryption and decryption.

Symmetric key ciphers that are almost impossible to break are but one part of secure E-commerce. Other issues must be addressed for secure communications in today's world, where many parties need to communicate over an insecure medium such as the Internet. Any scheme that is used must ideally meet all of the following requirements:

Confidentiality: It should be almost impossible for anyone but the intended recipient to decipher the message. This is the most obvious aspect of secure communications and is well addressed by the symmetric key ciphers already mentioned.

Scalability: The approach should be convenient to use when the number of communicants and messages is large. Secret communication with symmetric keys is not scalable when used in isolation. It runs into various problems when many unacquainted parties need to communicate secretly; as, for example, in E-commerce transactions. The biggest bottleneck with such systems is the distribution and management of the secret keys. Suppose there are n parties communicating with each other and all communications need to be secret; then each party has to keep track of one secret key for each of the n - 1 parties with whom it needs to communicate. An even bigger problem is that of safely distributing the keys in the first place so that the secret keys do not fall into the wrong hands. It should be possible to exchange keys safely over insecure media; after all, it is not practical to expect that all communicating parties will meet in person to exchange keys.
Furthermore, to break a cipher, a cryptanalyst needs a lot of ciphertext created using a single key. Thus, to minimize the risk of compromising secrecy, it would be necessary to periodically change the symmetric keys used. This requirement further complicates the task of secure key distribution.

Integrity: It should be possible for the recipient to verify that the message was not tampered with in transit. This is important because an attacker might intercept a message and insert a different one in its place. A contemporary example of this would be when a hacker intercepts a transmission from an E-commerce server to a client and inserts the hacker's own Web page in place of the server's page. An unsuspecting user might then enter sensitive information on the hacker's page and submit it to the hacker.

Authentication: It should be possible for a message recipient to verify the identity of the message originator in order to avoid dealing with an imposter. This is essential because an imposter on the Web could easily pose as a genuine E-commerce vendor and steal sensitive information.

Another related issue is that of nonrepudiation; a sender of a message (such as an important legal business document) should not be able to later claim to have never sent it. This goal is achieved once the identity of the sender of a message can be irrevocably established.

I will now discuss the pieces of the public key cryptography jigsaw puzzle that address each of these issues. Table 1 summarizes the issues and the techniques that address each issue. Detailed descriptions of the techniques follow.

TABLE 1 Issues in Public Key Cryptography

Issue | Technique
Confidentiality | Key-based ciphers (symmetric and asymmetric)
Scalability | Asymmetric key ciphers, digital certificates, and Secure Sockets Layer
Integrity | Message digests and digital signatures
Authentication | Digital certificates and certificate authorities

ASYMMETRIC KEY CIPHERS

We have already seen that key distribution and management is a problem with symmetric key ciphers. Whitfield Diffie and Martin Hellman of Stanford University made pathbreaking discoveries that gave birth to modern cryptography. They demonstrated for the first time that it is possible for communicating parties to exchange keys securely over insecure media. They also suggested the concept of asymmetric key ciphers, wherein the keys used for encryption and decryption are different. Although they suggested the concept of asymmetric key ciphers, they were unable to develop a concrete realization of the concept: an actual cipher that would work as they suggested. That was later done by the MIT team of Ron Rivest, Adi Shamir, and Leonard Adleman, who created RSA, the first asymmetric key cipher. Another well-known asymmetric key cipher is the ElGamal cipher.

The two keys of an asymmetric cipher form a key pair, with one of them being the private key and the other the public key. A key pair has the following properties:

- A message encrypted with a public key can be decoded only with the matching private key.
- In the case of reversible asymmetric key ciphers, the converse also works: a message encrypted with a private key can be decrypted only with the matching public key.
- Given a public key, it is almost impossible to figure out the matching private key. By almost impossible, we mean that, although it is theoretically possible to figure out the private key given only the public key, in practice it would take several years of computing.

As the names imply, a private key is kept completely private (no one but the owner knows this key), but the public key can be widely distributed because it does not matter who gets hold of it. Communication using asymmetric key ciphers is called public key cryptography.
For a concrete illustration of how secure communication would work under this system, suppose person A wants to send a secret message to person B, and A and B already have each other's public keys (they could have exchanged them via , for example). Further, suppose that a hacker (H) is eager to listen in on this communication. A would first encrypt her message using B's public key and send the ciphertext to B. On receiving the message, B can decrypt it using his private key. Even if H sees the ciphertext, not possessing B's private key, H can do nothing useful with the data. This process is illustrated in Figure 2. B can now reply to A by encrypting the message with A's public key, and the conversation can proceed securely even though H can potentially intercept each and every byte of the transmissions.

Although this seems to be a foolproof arrangement, this alone does not prevent H from being malicious. H might be able to intercept a message from A to B and replace it with his own message properly encrypted with B's public key (recall that B makes no effort to hide his public key). On receiving this message, B has no way of knowing that the integrity of the message has been compromised and that the message has really been sent by an imposter acting as A. Although confidentiality has not been compromised, there has been a security breach. How can B be sure of the authenticity of the sender of the message just by looking at the message?
FIGURE 2 Secret Communication with Public Keys and Ciphers (A's computer encrypts with B's public key; B's computer decrypts with B's private key)

FIGURE 3 Double Encryption Scheme with Public Key Cryptography (A applies B's public key, then A's private key; B's computer applies A's public key, then B's private key)

There is a way by which confidentiality, integrity, and authentication can all be achieved with asymmetric ciphers. Let us assume as before that A and B have exchanged public keys. Now, when A wants to send a message to B, A first encrypts the message using B's public key and then encrypts the resulting ciphertext once again using her own private key and sends the resultant doubly encrypted message to B. B first uses A's public key and, on the result, uses his own private key to get back the original message. Figure 3 illustrates this process.

This approach provides confidentiality. H can decrypt using A's public key and undo the effect of A's private key; but the result is still ciphertext created with B's public key that requires B's private key to decrypt. Not possessing B's private key, H can go no further.

This approach preserves integrity. The second step in the decryption process by B is to use A's public key. This can work only on a message encrypted with A's private key. Not having A's private key, H cannot insert anything that will decrypt properly with A's public key.
This approach provides authentication. When B uses A's public key followed by his own private key and gets anything meaningful, it is clear that the message was actually sent by A. No one other than A could have sent anything that could be decrypted meaningfully with A's public key.

Although this seems to be a complete solution, it leaves open two problems:

- Encryption and decryption with asymmetric key ciphers are extremely computing intensive. The operations are slower by a factor of 100 when compared with symmetric key ciphers. Thus, the above scenario is actually impractical from a computing-time perspective. Asymmetric key ciphers are therefore seldom used for entire communications unless the amount of data being encrypted is very small. We will see later in the article that they are generally used only to exchange public keys spontaneously when needed, and to use these keys to agree on a symmetric session key. The session key is then used for the rest of the session with a symmetric key cipher.
- Communicating parties would need to manage large numbers of public keys, and if two unacquainted parties needed to communicate they would have to go through the ritual of public key exchange first; but how do they trust each other in the first place? Digital certificates and certificate authorities, discussed later, address this issue.

Although the method of double encryption of the message does solve the integrity problem, we have seen that it is not practical. A practical approach is based on digital signatures.

DIGITAL SIGNATURES

To explain how digital signatures work, I first need to introduce the concept of message digests. A message digest is a simple number that can be quickly calculated from an input message. A good message digest has the property that if even a single bit of the input message is changed, the digest calculated will have a different value. Further, it is almost impossible to intentionally construct two messages that have the same digest value.
For the moment, assume that we are concerned only about integrity and that there is no requirement for confidentiality. (I will bring confidentiality back into the equation later.) In such a case, when A sends a message to B, A can send the message along with its calculated digest value. On receiving the message, B re-computes the digest value and compares it to the value sent by A. If the two match, B can be confident that the message was not changed in any way in transit; if the message was modified, the two message digest values would not match.

It is easy to see that message digests alone are insufficient to thwart a hacker. After all, the hacker can interpose and replace the message with a new one and also replace the digest with the digest corresponding to the new message. Thus, the recipient will find that the digests match even though the message has lost its integrity.

Digital signatures use the concept of message digests with an added twist based on asymmetric keys to completely thwart hackers from surreptitiously modifying a message in transit. Once again we assume that our only concern is integrity. Using digital signatures, when A sends a message to B, A first calculates the message digest. A then encrypts the message digest with her private key. The result is the digital signature of the message. A now sends the original message along with its digital signature to B. Because the message digest is only a simple number, using asymmetric key ciphers on it is not computationally intensive.

On receiving the message, B first uses A's public key to decrypt the digital signature. This provides B with the message digest value. B can then independently generate the message digest from the message and compare the two. If they match, then B is confident that no one has tampered with the message. This process is illustrated in Figure 4.

FIGURE 4 Creating and Verifying Digital Signatures (A's digest algorithm and private key produce the digital signature; B's computer applies A's public key to the signature and the digest algorithm to the message; if the two digests match, then B knows that the message is genuine)

Under this scenario, it is impossible for the hacker (H) to undetectably replace the transmission with a new message and a matching digital signature because H does not have A's private key. Suppose H does replace the message with a new message and replaces the digital signature with one generated using his own private key and then sends the message and the signature to B. B, assuming that the message is coming from A, will use A's public key on the digital signature. This will fail to produce the actual message digest that H calculated because H did not use A's private key. B will thus know that someone has tampered with the message.

Digital signatures do not address the confidentiality issue at all. They do solve the integrity problem completely. To a limited extent, they also solve the problem of authentication, if the message recipient has the public key of the sender. In real terms it is impractical to expect that any two communicants will have each other's public keys readily available at all times. We need a scalable way of exchanging public keys spontaneously with a guarantee of the identities of the parties involved. This is where digital certificates and certificate authorities come into the picture.

DIGITAL CERTIFICATES

As before, let us assume that A and B have already exchanged public keys and trust each other. Suppose C now wants to have a secure communication with A, but A and C are not mutually acquainted. Unless A knows or trusts C, A will refuse to have a secure conversation with C. Suppose B knows and trusts C.
Now, because A trusts B and B trusts C, there is a chain of trust potentially enabling A to trust C. How is this chain of trust established electronically? Because B trusts C, B can issue a digital certificate to C. A digital certificate consists of identifying information about an entity along with the signed public key of that entity. It essentially states that the issuer of the certificate believes that the public key in the certificate belongs to the person whose identifying information appears in the certificate.

To issue a digital certificate to C, B creates a structure that contains identifying information about C (e.g., the name and other important public information) and attaches C's public key encrypted with the private key of B. Because B is the only entity that can use B's private key, the certificate essentially represents that B vouches for C's identity, and anyone having B's public key can verify the fact. This process is illustrated in Figure 5.

FIGURE 5 B Creating a Digital Certificate for C (information about B, information about C, and C's public key pass through the digest algorithm; the message digest is signed with B's private key; the result is C's digital certificate)

The above arrangement works fine when there is an intermediary such as B who can establish a chain of trust between the communicating parties. In most business situations, especially in Web-based business-to-consumer E-commerce, this requirement would be cumbersome. This issue is addressed by certificate authorities.

CERTIFICATE AUTHORITIES

Certificate authorities (CAs) are organizations specifically created to issue digital certificates after properly verifying the identities of entities requesting them. Many CAs exist; some well-known ones are Verisign, Certisign, and Thawte. CAs are assumed to be trusted parties and hence the certificates issued by them serve to verify the identities of the parties presenting them. For example, in a Web-based E-commerce transaction, a buyer would want to ensure that she is really dealing with a genuine Web site and not that of an imposter before entering sensitive information such as a credit card number. The vendor can establish identity by presenting a digital certificate issued by a CA.

The public keys of CAs are widely distributed. All Web browsers typically come pre-installed with these public keys. Suppose two parties A and C are unacquainted and one of them, say C, wishes to initiate a secure conversation with the other. C first gets a digital certificate from a CA and presents it to A. A already has the public key of well-known CAs and hence can use the appropriate one to extract C's public key from the certificate. Similarly, A can present her certificate to C, from which C can get A's public key.
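The digest-only weakness, the digital signature, and the CA-issued certificate described above, run end to end as an added example (not code from the article). It uses textbook RSA over fixed Mersenne primes with SHA-256; the function names, the sample messages and the certificate layout are assumptions made for the illustration, and here the certificate carries the public key in the clear with the issuer's signature over it.

```python
# Added illustration: textbook RSA on fixed Mersenne primes. NOT secure (no padding,
# special-form primes); it only mirrors the article's digest/signature/certificate logic.
import hashlib

E = 65537  # public exponent shared by every toy key pair below

def make_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message: bytes, n: int) -> int:
    """SHA-256 digest as a number, reduced to fit under the toy modulus n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    """Transform the digest with the private key (the article's 'encrypt')."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Undo the signature with the public key and compare with a fresh digest."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def cert_body(issuer: str, subject: str, public) -> bytes:
    """The bytes the issuer signs: who vouches, for whom, and for which key."""
    return f"{issuer}|{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(issuer: str, issuer_private, subject: str, subject_public):
    """Build a certificate (hypothetical dict layout) signed by the issuer."""
    body = cert_body(issuer, subject, subject_public)
    return {"issuer": issuer, "subject": subject,
            "public_key": subject_public, "signature": sign(body, issuer_private)}

def check_certificate(cert, trusted_issuers):
    """Return the subject's public key if a trusted issuer signed it, else None."""
    issuer_public = trusted_issuers.get(cert["issuer"])
    if issuer_public is None:
        return None
    body = cert_body(cert["issuer"], cert["subject"], cert["public_key"])
    return cert["public_key"] if verify(body, cert["signature"], issuer_public) else None

def scenario():
    """Replay the article's cases with constructed messages; return each outcome."""
    a_pub, a_priv = make_keypair(2**89 - 1, 2**107 - 1)     # A, the sender
    h_pub, h_priv = make_keypair(2**61 - 1, 2**127 - 1)     # H, the interloper
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**127 - 1)  # a certificate authority
    genuine = b"Pay 100 to B"       # constructed sample messages
    forged = b"Pay 9000 to H"
    out = {}

    # Digest alone: H swaps the message and recomputes the digest, so B's check passes.
    sent = (forged, digest(forged, a_pub[0]))
    out["digest_only_detects_swap"] = digest(sent[0], a_pub[0]) != sent[1]

    # Digital signature: B verifies with A's public key.
    sig = sign(genuine, a_priv)
    out["genuine_accepted"] = verify(genuine, sig, a_pub)
    out["altered_message_accepted"] = verify(forged, sig, a_pub)
    out["h_signed_accepted"] = verify(forged, sign(forged, h_priv), a_pub)

    # Certificate: the CA vouches for A's key; B trusts only the CA's public key.
    trusted = {"CA": ca_pub}
    cert = issue_certificate("CA", ca_priv, "A", a_pub)
    out["cert_yields_a_key"] = check_certificate(cert, trusted) == a_pub
    swapped = dict(cert, public_key=h_pub)                   # H substitutes its own key
    out["swapped_key_accepted"] = check_certificate(swapped, trusted) is not None
    self_made = issue_certificate("CA", h_priv, "A", h_pub)  # H signs, claiming to be the CA
    out["self_made_accepted"] = check_certificate(self_made, trusted) is not None
    return out

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```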
The above mechanism can be employed to spontaneously exchange public keys with complete confidence about the identities of the communicating parties. However, as already mentioned, using public key encryption is computing intensive and impractical for complete conversations. This final hurdle is addressed by Secure Sockets Layer.

SECURE SOCKETS LAYER

Secure Sockets Layer (SSL) was created by Netscape Corporation to address the difficulty of using public key encryption for complete conversations. It provides a way to use a symmetric key cipher (much more efficient than asymmetric key ciphers) in a secure manner. It is specifically designed for Web-based E-commerce wherein a browser and server need to engage in a secure conversation. The following steps occur in an SSL-based exchange:
- The server presents a digital certificate issued by a CA.
- The browser verifies the certificate and extracts the server's public key.
- The browser then generates a symmetric key (called session key).
- The browser encrypts the session key with the server's public key and sends it to the server.
- The server extracts the session key.
- The browser and server conduct a secret conversation using the shared session key, but they can use a symmetric key cipher for much greater efficiency.
- Server and browser discard the session key at the end of the conversation.

In the above scenario, only the server is authenticated by means of a digital certificate; this is all that is typically needed for business-to-consumer E-commerce. A version of SSL includes client authentication as well, which can be used when both parties need to be authenticated. When we see in our browser's address line, it indicates that SSL, and therefore the full weight of public key cryptography, is in use.

CONCLUSIONS

This article has introduced the essential aspects of public key cryptography. We looked at the shortcomings of symmetric key ciphers used in isolation and showed how public key cryptography based on asymmetric key ciphers overcomes the problems by enabling confidentiality, message integrity, and authentication. Finally, we looked at the essentials of SSL, which combines the power of public key cryptography with the speed of symmetric key ciphers to provide security and efficiency.
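The session-key part of the SSL exchange listed above, from generating the session key to discarding it, as an added example; it is not code from the article and not the SSL protocol itself. It assumes the browser has already verified the server's certificate and holds the server's public key; the class names, the toy keystream cipher and the sample traffic are constructed for the illustration.

```python
# Added illustration, not real SSL/TLS: textbook RSA without padding on fixed Mersenne
# primes, and a SHA-256 counter keystream standing in for the symmetric cipher.
import hashlib
import secrets

E = 65537

def make_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def symmetric(key: bytes, nonce: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR with SHA-256(key, nonce, offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce.to_bytes(8, "big") + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

class Party:
    """Behaviour common to both sides once they hold the session key."""
    session_key = None

    def send(self, nonce: int, plaintext: bytes) -> bytes:
        return symmetric(self.session_key, nonce, plaintext)

    def receive(self, nonce: int, ciphertext: bytes) -> bytes:
        return symmetric(self.session_key, nonce, ciphertext)

    def close(self):
        self.session_key = None       # discard the session key when the conversation ends

class Server(Party):
    def __init__(self):
        self.public, self._private = make_keypair(2**89 - 1, 2**107 - 1)

    def accept_key(self, wrapped: int):
        n, d = self._private          # only the private key recovers the session key
        self.session_key = pow(wrapped, d, n).to_bytes(16, "big")

class Browser(Party):
    def start(self, server_public, session_key=None) -> int:
        # Fresh 128-bit session key (a fixed one can be passed in for repeatable runs).
        self.session_key = session_key or secrets.token_bytes(16)
        n, e = server_public          # wrap it with the server's public key
        return pow(int.from_bytes(self.session_key, "big"), e, n)

def run_session(request: bytes, reply: bytes, session_key=None):
    """Run the exchange; return what each side read and what crossed the wire."""
    server, browser = Server(), Browser()
    wrapped = browser.start(server.public, session_key)
    server.accept_key(wrapped)
    keys_match = server.session_key == browser.session_key
    c_request = browser.send(0, request)      # browser to server
    server_read = server.receive(0, c_request)
    c_reply = server.send(1, reply)           # distinct nonce: keystream is never reused
    browser_read = browser.receive(1, c_reply)
    browser.close()
    server.close()
    return {"wire": (wrapped, c_request, c_reply), "keys_match": keys_match,
            "server_read": server_read, "browser_read": browser_read,
            "keys_after": (browser.session_key, server.session_key)}

if __name__ == "__main__":
    # Constructed sample traffic; the card number is a placeholder.
    result = run_session(b"card=0000-0000-0000-0000", b"order accepted")
    print(result["server_read"], result["browser_read"], result["keys_match"])
```

Only the 16-byte session key goes through the public key operation; every byte of the conversation itself is handled by the symmetric routine, which is the division of labour the steps describe.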
Overview of CSS SSL. SSL Cryptography Overview CHAPTER
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers
More informationCRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
More informationIs your data safe out there? -A white Paper on Online Security
Is your data safe out there? -A white Paper on Online Security Introduction: People should be concerned of sending critical data over the internet, because the internet is a whole new world that connects
More informationSavitribai Phule Pune University
Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure
More information159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology
Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication
More informationWeb Security: Encryption & Authentication
Web Security: Encryption & Authentication Arnon Rungsawang fenganr@ku.ac.th Massive Information & Knowledge Engineering Department of Computer Engineering Faculty of Engineering Kasetsart University, Bangkok,
More informationProperties of Secure Network Communication
Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able to understand the contents of the transmitted message. Because eavesdroppers may intercept the message,
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationSecuring your Online Data Transfer with SSL
Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does
More informationDigital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University
Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate
More informationSecuring your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.
More informationSecure Socket Layer. Introduction Overview of SSL What SSL is Useful For
Secure Socket Layer Secure Socket Layer Introduction Overview of SSL What SSL is Useful For Introduction Secure Socket Layer (SSL) Industry-standard method for protecting web communications. - Data encryption
More informationThe science of encryption: prime numbers and mod n arithmetic
The science of encryption: prime numbers and mod n arithmetic Go check your e-mail. You ll notice that the webpage address starts with https://. The s at the end stands for secure meaning that a process
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationSecurity & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173
Security & Privacy on the WWW Briefing for CS4173 Topic Outline 1. Information Security Relationship to safety Definition of important terms Where breaches can occur Web techniques Components of security
More informationContent Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect
More informationHow To Encrypt Data With Encryption
USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars Alternate Title? Boy, am I surprised. The Entrust guy who has mentioned PKI during every Security
More information7! Cryptographic Techniques! A Brief Introduction
7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures
More informationGT 6.0 GSI C Security: Key Concepts
GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts Overview GSI uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality. Many of the
More informationData Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin. www.itmr.ac.in
01 0110 0001 01101 WHITE PAPER ON Data Encryption Prepared by Mohammed Samiuddin www.itmr.ac.in Contents INTRODUCTION... 2 NEED FOR DATA ENCRYPTION... 3 DUE CARE... 3 REPUTATIONAL RISK... 3 REGULATORY
More information1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies
1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?
More informationComputer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt
Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt 1 Lecture 11: Network Security Reference: Chapter 8 - Computer Networks, Andrew S. Tanenbaum, 4th Edition, Prentice
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationCommon security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon
1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly
More informationInformation Security
Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked
More informationSymmetric Key cryptosystem
SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single
More informationEncryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1
Encryption, Data Integrity, Digital Certificates, and SSL Developed by Jerry Scott 2002 SSL Primer-1-1 Ideas Behind Encryption When information is transmitted across intranets or the Internet, others can
More informationCryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.
Cryptography: Motivation Many areas have sensitive information, e.g. Data Structures and Algorithms Cryptography Goodrich & Tamassia Sections 3.1.3 & 3.1.4 Introduction Simple Methods Asymmetric methods:
More informationIntroduction to Cryptography
Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice's public-key Alice's private-key Authentication
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?
More informationChapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory
There are actually two distinct aspects to the use of public-key encryption in this regard: The distribution of public keys. The use of public-key encryption to distribute secret keys. 9.1 Distribution
More informationNetwork Security. HIT Shimrit Tzur-David
Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key
More informationE-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications
Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html
More informationINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHY AUTHOR: ANAS TAWILEH anas@tawileh.net Available online at: http://www.tawileh.net/courses/ia This work is released under a Creative Commons Attribution-ShareAlike 2.5 License
More informationWhat is network security?
Network security Network Security Srinidhi Varadarajan Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application
More informationAn Introduction to Cryptography as Applied to the Smart Grid
An Introduction to Cryptography as Applied to the Smart Grid Jacques Benoit, Cooper Power Systems Western Power Delivery Automation Conference Spokane, Washington March 2011 Agenda > Introduction > Symmetric
More informationWeb Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn
Web Payment Security A discussion of methods providing secure communication on the Internet Group Members: Peter Heighton Zhao Huang Shahid Kahn 1. Introduction Within this report the methods taken to
More informationAn Introduction to digital signatures
An Introduction to digital signatures This document is an extract from the book Ecommerce - Legal Issues authored by Rohas Nagpal. This book is available as courseware for the Diploma in Cyber Law and
More informationUsing etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
More informationAs enterprises conduct more and more
Efficiently handling SSL transactions is one cornerstone of your IT security infrastructure. Do you know how the protocol actually works? Wesley Chou Inside SSL: The Secure Sockets Layer Protocol Inside
More informationPrivyLink Internet Application Security Environment *
WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.
More informationNetwork Security. Security Attacks. Normal flow: Interruption: 孫宏民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 National Tsing Hua University, Department of Computer Science, Information Security Laboratory
Network Security 孫宏民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 National Tsing Hua University, Department of Computer Science, Information Security Laboratory Security Attacks Normal flow: sender receiver Interruption: Information source Information destination
More informationChapter 7: Network security
Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport
More informationBuilding Customer Confidence through SSL Certificates and SuperCerts
Building Customer Confidence through SSL Certificates and SuperCerts Contents 1. Overview 2. Why SSL? 3. Who needs an SSL certificate? 4. How to tell if a website is secure 5. Browser warnings 6. What
More informationChapter 10. Cloud Security Mechanisms
Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based
More informationNetwork Security (2) CPSC 441 Department of Computer Science University of Calgary
Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate
More informationCornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
More informationAN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES
HYBRID RSA-AES ENCRYPTION FOR WEB SERVICES AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES Kalyani Ganesh
More informationUnderstanding Digital Certificates and Secure Sockets Layer (SSL)
Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?
More informationCryptography and Network Security Chapter 9
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,
More informationLukasz Pater CMMS Administrator and Developer
Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign
More informationSSL/TLS: The Ugly Truth
SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography
More informationEmail: The Electronic Postcard. By Daniel Herren
Email: The Electronic Postcard By Daniel Herren 1 Table of Contents 1.0 Introduction.page 3 2.0 Internet Overview...page 3,4 3.0 Email vulnerabilities...page 5-7 3.1 Privacy..page 5 3.2 Authentication.page
More informationYou re FREE Guide SSL. (Secure Sockets Layer) webvisions www.webvisions.com +65 6868 1168 sales@webvisions.com
SSL You re FREE Guide to (Secure Sockets Layer) What is a Digital Certificate? SSL Certificates, also known as public key certificates or Digital Certificates, are essential to secure Internet browsing.
More informationThe Case For Secure Email
The Case For Secure Email By Erik Kangas, PhD, President, Lux Scientiae, Incorporated http://luxsci.com Contents Section 1: Introduction Section 2: How Email Works Section 3: Security Threats to Your Email
More informationmod_ssl Cryptographic Techniques
mod_ssl Overview Reference The nice thing about standards is that there are so many to choose from. And if you really don't like all the standards you just have to wait another year until the one arises
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS) Network Security Products S31213
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http://www.greatstuff.com Wants credit card number ^ Look at lock on browser Use https
More informationunderstanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES
understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES contents UNDERSTANDING SSL CERTIFICATES...1 What Is SSL and What Are SSL Certificates?...1 Features of SSL...1 Encryption...1
More informationSSL A discussion of the Secure Socket Layer
www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record
More informationUsing ASP-Based Message Encryption Project To Teach Information Security Concepts
Using ASP-Based Message Encryption Project To Teach Information Security Concepts Qidong Cao College of Business Administration, Winthrop University Rock Hill, SC 29733, USA caoq@winthrop.edu John S. Davis
More informationUnderstanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES
Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES Understanding SSL Certificates 2 Secure Socket Layer (SSL) certificates are widely used to help secure and authenticate
More informationSoftware Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald 0043306
Software Engineering 4C03 Research Project An Overview of Secure Transmission on the World Wide Web Sean MacDonald 0043306 Tuesday April 5, 2005 Introduction Software Engineering 4C03 Research Project
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure
More informationLecture G1 Privacy, Security, and Cryptography. Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007
Lecture G1 Privacy, Security, and Cryptography Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007 Functionalia Instructor Chipp Jansen, chipp@sci.brooklyn.cuny.edu Course Web Page http://www.sci.brooklyn.cuny.edu/~chipp/cc3.12/
More informationHow encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and
How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and non-repudiation. How to obtain a digital certificate. Installing
More informationIntroduction to Network Security Key Management and Distribution
Introduction to Network Security Key Management and Distribution Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of Science and Technology cetinkayae@mst.edu http://web.mst.edu/~cetinkayae/teaching/cpe5420fall2015
More information7 Key Management and PKIs
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Key Management and PKIs 7.1 Key Management Key Management For any use of cryptography, keys must be handled correctly. Symmetric keys must be kept secret.
More informationUnderstanding and Integrating KODAK Picture Authentication Cameras
Understanding and Integrating KODAK Picture Authentication Cameras Introduction Anyone familiar with imaging software such as ADOBE PHOTOSHOP can appreciate how easy it is to manipulate digital still images.
More informationConnected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)
Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.
More informationWhat is an SSL Certificate?
Security is of the utmost importance when doing business on the Web. Your customers want to know that their information is protected when crossing data lines. A Thawte SSL Web Server Certificate or SuperCert
More informationThree attacks in SSL protocol and their solutions
Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland zhon003@ec.auckland.ac.nz Abstract Secure Socket Layer (SSL) and Transport Layer
More informationAn Introduction to Cryptography and Digital Signatures
An Introduction to Cryptography and Digital Signatures Author: Ian Curry March 2001 Version 2.0 Copyright 2001-2003 Entrust. All rights reserved. Cryptography The concept of securing messages through
More informationWhy you need secure email
Why you need secure email WHITE PAPER CONTENTS 1. Executive summary 2. How email works 3. Security threats to your email communications 4. Symmetric and asymmetric encryption 5. Securing your email with
More informationSECURITY IN NETWORKS
SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,
More informationLecture 9: Application of Cryptography
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
More informationNotes on Network Security Prof. Hemant K. Soni
Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications
More informationCenter for Internet Security. INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Private and Public Key Cryptography and Ransomware December 2014 Authored by: Ted Fischer (CIS) Security Operations
More informationReview of methods for secret sharing in cloud computing
Review of methods for secret sharing in cloud computing Dnyaneshwar Supe Amit Srivastav Dr. Rajesh S. Prasad Abstract:- Cloud computing provides various IT services. Many companies especially those who
More informationPublic Key Cryptography of Digital Signatures
ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES Daniela Bojan and Sidonia Vultur Abstract. The new services available on the Internet have born the necessity of a permanent
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationWhat Are Certificates?
The Essentials Series: Code-Signing Certificates What Are Certificates? sponsored by by Don Jones What Are Certificates?... 1 Digital Certificates and Asymmetric Encryption... 1 Certificates as a Form
More informationChapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography
Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:
More informationAuthentication Application
Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be
More informationSSL. Secure Sockets Layer. - a short summary - By Christoph Gutmann and Khôi Tran
SSL Secure Sockets Layer - a short summary - By Christoph Gutmann and Khôi Tran Page 1 / 7 Table of contents 1. Brief historic outline of SSL 2. Why did SSL come to life? 3. How does SSL work? 4. Where
More informationKey Management (Distribution and Certification) (1)
Key Management (Distribution and Certification) (1) Remaining problem of the public key approach: How to ensure that the public key received is really the one of the sender? Illustration of the problem
More informationSSL Handshake Analysis
SSL Handshake Analysis Computer Measurement Group Webinar Nalini Elkins Inside Products, Inc. nalini.elkins@insidethestack.com Inside Products, Inc. (831) 659-8360 www.insidethestack.com www.ipproblemfinders.com
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More information12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust
Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or
More informationPHOENIX: SECURE FILE TRANSFER USING SSL
Phoenix: Secure File Transfer Using SSL 1 PHOENIX: SECURE FILE TRANSFER USING SSL ARJUN VENKATRAMAN arjun.dhanush@gmail.com Phoenix: Secure File Transfer Using SSL 2 1. INTRODUCTION TO SSL 1.1 SSL: The
More informationcipher: the algorithm or function used for encryption and decryption
More informationAC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014
Q.2a. Define Virus. What are the four phases of Viruses? In addition, list out the types of Viruses. A virus is a piece of software that can infect other programs by modifying them; the modification includes
More informationCHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS
70 CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS 4.1 INTRODUCTION In this research work, a new enhanced SGC-PKC has been proposed for improving the electronic commerce and
More informationSecure Network Communication Part II II Public Key Cryptography. Public Key Cryptography
Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem
More informationSecurity Digital Certificate Manager
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
More informationAssociate Prof. Dr. Victor Onomza Waziri
BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,
More informationWhat is a digital certificate, why do I need one, and how do I get it?
PKI FAQ's What is a digital signature and how do you get one? You can't buy a digital signature. It's not like a handwritten one. A digital signature is different every time it is made, and is related
More informationIT Networks & Security CERT Luncheon Series: Cryptography
IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI
More informationCryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.
Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public
More information