Internet Security: an overall view

1
Internet Security an overall view
2
Why Internet Needs Security

• In recent years, organizations have become
  increasingly dependent on the data communication
  networks for their daily business communications,
  database retrieval, distributed data processing,
  and the internetworking of LANs.
• The losses associated with security failures can
  be huge.

3
Loss from Cyberattacks

• The cost of cyberattacks to U.S. businesses
  doubled to 10 billion in 1999, according to
  estimates from the Computer Security Institute
  (CSI) www.gocsi.com. The research group today is
  releasing the results of its survey of 643 large
  organizations, showing estimated losses of 266
  million in 1999 from cybercrime, which is more
  than twice the amount lost in 1998.
• - Los Angeles Times (03/22/00) P. C1 Piller,
  Charles
• (www.extremetech.com)

4
Introduction

• Internet security
• Consumers entering highly confidential
  information
• Number of security attacks increasing
• Four requirements of a secure transaction
• Privacy information not read by third party
• Integrity information not compromised or altered

5
Introduction(Cont)

• Authentication sender and receiver prove
  identities
• Non-repudiation legally prove message was sent
  and received
• Availability
• Computer systems continually accessible

6
The Evolution of Cryptosystems

• Cryptography
• Secures information by encrypting it
• Transforms data by using a key
• A string of digits that acts as a password and
  makes the data incomprehensible to those without
  it

7
The Evolution of Cryptosystems(Cont)

• Cipher of cryptosystem technique for encrypting
  messages
• Cipher-text encrypted data
• Plaintext unencrypted data
• Ciphers
• Substitution cipher
• Every occurrence of a given letter is replaced by
  a different letter

8
The Evolution of Cryptosystems(Cont)

• Transposition cipher
• Shifts the ordering of letters
• Modern cryptosystems
• Digital
• Key length length of string used to encrypt and
  decrypt

9
Outline of Encryption

• Secret-key encryption
• Public-key encryption
• Digital signature
• Digital certificate
• Certificate authority
• Key Agreement Protocols
• Key Management

10
Encryption Methods

• The essential technology underlying virtually all
  automated network and computer security
  applications is cryptography
• Two fundamental approaches are in use
• conventional encryption, also known as symmetric
  encryption
• public-key encryption, also known as asymmetric
  encryption

11
Secret-key Encryption

• Secret-key cryptography
• Same key to encrypt and decrypt message
• Sender sends message and key to receiver
• Problems with secret-key cryptography
• Key must be transmitted to receiver
• Different key for every receiver
• Key distribution centers used to reduce these
  problems
• Generates session key and sends it to sender and
  receiver encrypted with the unique key
• Encryption algorithms
• Dunn Encryption Standard (DES), Triple DES,
  Advanced Encryption Standard (AES)

12
Secret-key Encrytion(Cont)

• Encrypting and decrypting a message using a
  symmetric key

13
Secret-key Encryption(Cont)

• Distributing a session key with a key
  distribution center

14
Public Key Encryption

• Asymmetric, involving the use of two separate
  keys
• Based on mathematical functions rather than on
  simple operations on bit patterns
• Misconceptions about public key encryption
• it is more secure from cryptanalysis
• it is a general-purpose technique that has made
  conventional encryption obsolete

15
Public Key Encryption Operation
16
Public Key Signature Operation
17
Characteristics of Public-Key

• Infeasible to determine the decryption key given
  knowledge of the cryptographic algorithm and the
  encryption key.
• Either of the two related keys can be used for
  encryption, with the other used for decryption.
• Slow, but provides tremendous flexibility to
  perform a number of security-related functions
• Most widely used algorithm is RSA
  http//www.rsasecurity.com/, invented by Ron
  Rivest, Adi Shamir and Len Adleman at MIT in
  1977.

18
Conventional EncryptionKey Distribution

• Both parties must have the secret key
• Key is changed frequently
• Requires either manual delivery of keys, or a
  third-party encrypted channel
• Most effective method is a Key Distribution
  Center (e.g. Kerberos)

19
Public-Key EncryptionKey Distribution

• Parties create a pair of keys public key is
  broadly distributed, private key is not
• To reduce computational overhead, the following
  process is then used
• 1. Prepare a message.
• 2. Encrypt that message using conventional
  encryption with a one-time conventional session
  key.
• 3. Encrypt the session key using public-key
  encryption with recipients public key.
• 4. Attach the encrypted session key to the
  message and send it.

20
Digital Signature

• An electronic message that can be used by someone
  to authenticate the identity of the sender of a
  message or of the signer of a document.
• Can also be used to ensure that the original
  content of the message or document that has been
  conveyed is unchanged.
• Additional benefits
• Easy transportation, not easily repudiated, not
  imitated by someone else, and automatically
  time-stamped.

21
Digital Signature Process
22
Public Key Certificates

• 1. A public key is generated by the user and
  submitted to Agency X for certification.
• 2. X determines by some procedure, such as a
  face-to-face meeting, that this is authentically
  the users public key.
• 3. X appends a timestamp to the public key,
  generates the hash code of the result, and
  encrypts that result with Xs private key forming
  the signature.
• 4. The signature is attached to the public key.

23
Certificate Authority

• A certificate authority is a trusted organization
  that can vouch for the authenticity of the person
  or organization using authentication.
• A person wanting to use a CA registers with the
  CA and must provide some proof of identify.
• The CA issues a digital certificate that is the
  requestor's public key encrypted using the CA's
  private key as proof of identify.
• This certificate is then attached to the user's
  email or Web transactions in addition to the
  authentication information.
• The receiver then verifies the certificate by
  decrypting it with the CA's public key -- and
  must also contact the CA to ensure that the
  user's certificate has not been revoked by the
  CA.
• For higher level security certification, the CA
  requires that a unique fingerprint (key) be
  issued by the CA for each message sent by the
  user.

24
VeriSign, Inc

• Headquartered in Mountain View, California, a
  leading provider of Internet trust services
  authentication, validation and payment - needed
  by Web sites, enterprises, and e-commerce service
  providers to conduct trusted and secure
  electronic commerce and communications over IP
  networks.
• To date, VeriSign has issued over 215,000 Web
  site digital certificates and over 3.9 million
  digital certificates for individuals.

25
VeriSign, Inc

• Group Approves VeriSign's Control Over Web
  Addresses Wall Street Journal (04/03/01) P. B4
  Bridis, Ted
• In a 12-3 vote, ICANN's board approved its
  new deal with VeriSign, allowing the company to
  retain control of the .com domain without
  divesting portions of its business. By Dec. 2002,
  VeriSign will give up the .org domain, and the
  .net domain will be surrendered at a later date,
  although VeriSign will have a chance to bid for
  control of the .net domain. There were a few
  changes made to the agreement. The 10,000 fee
  that registrars pay to VeriSign was dropped and
  VeriSign now has to spend 200 million toward the
  research necessary to create a directory of all
  domain names. Further, VeriSign must keep the
  registrar and registry portions of its business
  separate or it will face fines. The U.S. Commerce
  Department still has to approve the deal, and
  four members of Congress have suggested that the
  Commerce Department "fully analyze" competitive
  concerns stemming from the new deal. These
  suggestions, which were made by Reps.
• (http//www.washingtonpost.com/wp-dyn/articles/A35
  085-2001Apr3.html)

26
Key Agreement Protocols

• Key agreement protocol
• Process by which parties can exchange keys
• Use public-key cryptography to transmit symmetric
  keys
• Digital envelope
• Encrypted message using symmetric key
• Symmetric key encrypted with the public key
• Digital signature

27
Key Agreement Protocols

• Creating a digital envelope

28
Key Management

• Key management
• Handling and security of private keys
• Key generation
• The process by which keys are created
• Must be truly random

29
Web Security

• Web Vulnerabilities
• Unauthorized alteration of data at the Web site
• Unauthorized access to the underlying operating
  system at the Web server
• Eavesdropping on messages passed between a Web
  server and a Web browser
• Impersonation
• Securing the Web site itself
• install all operating system security patches
• install the Web server software with minimal
  system privileges
• use a more secure platform
• Securing the Web application
• Secure HyperText Transfer Protocol (S-HTTP)
• Secure Sockets Layer (SSL)

30
Security Protocols

• Transaction security protocols
• Secure Sockets Layer (SSL)
• Secure Electronic Transaction (SET)

31
SSL

• Protocols that sit between the underlying
  transport protocol (TCP) and the application
• Uses public-key technology and digital
  certificates to authenticate the server in a
  transaction
• Protects information as it travels over Internet
• Does not protect once stored on receivers server
• Peripheral component interconnect (PCI) cards
• Installed on servers to secure data for an SSL
  transaction

32
SSL Implementation

• Focused on the initialization/handshaking to set
  up a secure channel
• Client specifies encryption method and provides
  challenge text
• Server authenticates with public key certificate
• Client send master key, encrypted with server key
• Server returns a message encrypted with the
  master key
• The message (key) is used to generate the key
  sending message from client to the server
• Digital signatures used in initialization are
  based on RSA after initialization, single key
  encryption systems like DES can be used

33
Secure ElectronicTransaction (SET)

• SET protocol
• Designed to protect e-commerce payments
• Certifies customer, merchant and merchants bank
• Requirements
• Merchants must have a digital certificate and SET
  software
• Customers must have a digital certificate and
  digital wallet
• Digital wallet
• Stores credit card information and identification
• Merchant never sees the customers personal
  information
• Sent straight to banks
• Microsoft Authenticode
• Authenticates file downloads
• Informs users of the downloads author

34
SET Participants Interactions
35
Agents in SET

• Cardholder, workstation of the person holding the
  card
• Merchant, needs merchant CA (MCA)
• CAs
• Security services
• Certificates
• Financial institution

36
Ideal Components of Electronic Cash

• Independent of physical location
• Security
• Privacy
• Off-line payment
• No need for third-party vendor
• Transferability to other users
• Divisibility
• Making change

37
Digital Wallet (SET)

• In the physical world, your wallet stores your
  credit cards and cash. In the online world, your
  digital wallet is installed as a plug-in to your
  web browser. Like your real wallet, your digital
  wallet stores your credit card number and your
  shipping information. Unlike your real wallet,
  you need to the know the secret "password" to use
  what's inside. Your wallet implements the
  "encryption" that makes SET secure.
• See Digital Wallet Demo

38
Security Attacks

• Types of security attacks
• Denial of service attacks
• Use a network of computers to overload servers
  and cause them to crash or become unavailable to
  legitimate users
• Flood servers with data packets
• Alter routing tables which direct data from one
  computer to another
• Distributed denial of service attack comes from
  multiple computers

39
Security Attacks

• Viruses
• Computer programs that corrupt or delete files
• Sent as attachments or embedded in other files
• Worm
• Can spread itself over a network, doesnt need to
  be sent

40
Security Attacks( Passive vs. Active )

• Passive Attacks
• Eavesdropping
• Monitoring
• Active Attacks
• Modification
• Hacking
• Software bombing
• Disrupting

41
Security Attacks

• Anti-virus software
• Reactive goes after already known viruses
• http//www.mcafee.com/
• VirusScan scans to search computer for viruses
• ActiveShield checks all downloads
• www.symantec.com
• Another virus software distributor
• Computer Emergency Response Team (CERT)
• Responds to reports of viruses and denial of
  service attacks
• Provides CERT Security Improvement Modules

42
Network Security

• Main Purpose
• Allow authorized users access
• Prevent unauthorized users from obtaining access
• Trade-off between security and performance

43
Firewalls

• Firewall
• Protects local area network (LAN) from outside
  intruders
• Safey barrier for data flowing in and out
• Prohibits all data not allowed or permits all
  data not prohibited
• Types of firewalls
• Packet-filtering firewalls
• Rejects all data with local addresses from
  outside
• Examine only the source of the content
• Application level firewalls
• Attempt to scan data

44
Packet-level firewall

• Examines the source and destination address of
  every network packet that passes through it and
  only allows packets that have acceptable source
  and destination addresses to pass.
• Vulnerable to IP-level spoofing, accomplished by
  changing the source address on incoming packets
  from their real address to an address inside the
  organizations network.
• Many firewalls have had their security
  strengthened since the first documented case of
  IP spoofing in December 1994.

45
Application-level firewall

• Acts as an intermediate host computer or gateway
  between the Internet and the rest of the
  organizations network.
• In many cases, needs special programming codes to
  permit the use of application software unique to
  the organization.
• Difference
• packet-level firewalling - prohibits only
  disabled accesses
• application-level firewalling - permits only
  authorized accesses

46
Kerberos

• Kerberos
• Uses symmetric secret-key cryptography to
  authenticate users in a network
• Authenticates a client computer and that
  computers authority to access specific parts of
  the network

47
Biometrics

• Biometrics
• Uses unique personal information to identify
• Examples are fingerprints, eyeball iris scans or
  face scans

48
Steganography

• Steganography
• Practice of hiding information within other
  information
• Digital watermarks
• Hidden within documents and can be shown to prove
  ownership

49
Steganography (Example 1)

• Example of a conventional watermark

50
Steganography (Example 2)

• An example of steganography Blue Spikes
  Giovanni digital watermarking process

51
References

• 1. e-Business e-Commerce for Manageers,
• Deitel,Deitel and Steinbuhler, Prentice-Hall,2002
• 2. www.extremetech.com
• 3.www.pcmagzine.com.
• 4.www.rsasecurity.com
• 5.www.seruritysearch.net

52
Questions?
53
Thank you!