Advanced Internet Technology - PowerPoint PPT Presentation

Title:

Advanced Internet Technology

Description:

Extension of Usage Broadly such as e-mail, BBS, Intranet, e-Commerce, etc ... No Measure to Internal Illegal Users. No Measure to New Threats ... – PowerPoint PPT presentation

Slides: 41
Provided by: philipp76

Transcript and Presenter's Notes

Title: Advanced Internet Technology


1
Advanced Internet Technology Application
Internet Security Security for e-Commerce
  • Incheon Paik

2
Internet /WWW Security
  • Fundamental Security Weakness of TCP/IP and WWW
    Protocol
  • Designed for Information Open/Sharing/Distribution
  • Openness of Unix System and Communication Utility
    Source
  • Extension of Usage Broadly such as e-mail, BBS,
    Intranet, e-Commerce, etc
  • Computer Network Hackers
  • 40,000,000 Users in the World
  • Not Trustable System
  • Defect of Internet Related Software, Problem in
    System Management

3
Security in Internet
  • Security of System
  • Prevent the leakage of information in Internet
    information server, destruction or errors of
    application in server by the third party
  • Solution: Firewall
  • Security of Network
  • Prevent the leakage/modification of information
    running on Internet, usage of secret information
    by the third party
  • Solution: Cryptography, Web Security Protocol

4
Concept of Firewall System
  • Active Defense System to Prevent Security
    Problems or Threats on the Internet
  • Hardware or Software System to Prevent Illegal
    Traffic from Outside, and Allow the allowed or
    authenticated traffic only
  • Give Transparency to Legal Users, and Make the
    Network Secure

[Figure: a Firewall between the Outside Network and the Internal Network; the Legal User passes through, the Illegal User is blocked (X)]

5
Main Functions of Firewall System
  • Access Control
  • User Authentication
  • Logging
  • Encryption
  • Protect Privacy
  • Policy

6
Types of Firewall System
  • Packet filtering
  • Dual-homed
  • Screen host
  • Screen subnet

7
Packet Filtering
[Figure: Internet - Screening Router - Internal Network]

8
Dual-Homed
[Figure: Internet - Network Interface - Dual-homed Host with proxy - Network Interface - Internal Network]

9
Screen Host
[Figure: Internet - Screening Router - Internal Network, with a Bastion Host]

10
Limitation of Firewall System
  • No Measure to Internal Illegal Users
  • No Measure to New Threats
  • No Measure to the Access not through Firewall
  • No Measure to Computer Virus
  • Measure for Communication Security to Unspecified
    Multiples

11
SQL Injection
  • Example of Incorrectly filtered escape character
  • statement = "SELECT * FROM users WHERE name = '" + userName + "';"
  • userName variable as
  • a' or 't'='t
  • SELECT * FROM users WHERE name = 'a' OR 't'='t';
  • The evaluation of 't'='t' is always true
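
The slide's statement next to its parameterized form, as an added example (not part of the original slides). It uses Python's sqlite3 with a constructed in-memory users table; the function names and sample rows are assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data; the table and column names follow the slide.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test"),
                    ("o'brien", "obrien@example.test")])
    return db

def lookup_concatenated(db, user_name):
    # The slide's pattern: the input is pasted into the SQL text, so a quote
    # in user_name closes the string literal and the rest is parsed as SQL.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return statement, db.execute(statement).fetchall()

def lookup_parameterized(db, user_name):
    # Hardened form: the driver binds user_name as a value, so it is
    # compared as data and never parsed as SQL.
    return db.execute("SELECT * FROM users WHERE name = ?",
                      (user_name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    slide_input = "a' or 't'='t"
    stmt, rows = lookup_concatenated(db, slide_input)
    print(stmt)
    print("concatenated:", len(rows), "rows")          # every row matches
    print("parameterized:", lookup_parameterized(db, slide_input))
    # A legitimate name containing a quote breaks the concatenated form
    # but is handled correctly by the parameterized one.
    try:
        lookup_concatenated(db, "o'brien")
    except sqlite3.OperationalError as err:
        print("concatenated, o'brien:", err)
    print("parameterized, o'brien:", lookup_parameterized(db, "o'brien"))
```
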

12
Security Function of Network
  • Confidentiality
  • Disallowing eavesdropping of transmitting
    contents by third party
  • Authentication
  • Verification of Identification of Information
    Sender
  • Integrity
  • Detect Damage (Modification) of Information Transmitted
  • Non-repudiation
  • Prevent the Repudiation of Information Sender

13
Cryptography Algorithms
  • Symmetric Algorithm (Secret Key Algorithm)
  • Public Key Algorithm
  • Message Digest

14
Symmetric Algorithm
[Figure: PlainText → Encryption (K) → CipherText → Decryption (K) → Original PlainText]
  • Sender and Receiver Use Same Secret Key
  • Fast Encryption and Decryption Used in Data
    Encryption
  • Problems in sharing the Keys, Weak in
    authentication
  • Algorithms: RC4, DES, IDEA, etc

15
Public Key Algorithm
[Figure: PlainText → Encryption (Kpublic) → CipherText → Decryption (Kprivate) → Original PlainText]
  • Encryption Key(Public Key) and Decryption
    Key(Private Key) are different.
  • No defect in security when sending the key to
    the receiver; Used in Key distribution or electronic
    signature
  • Low Speed in Encryption/Decryption
  • Algorithms: RSA, DSA, etc

16
Message Digest
[Figure: message digest check; labels: PlainText, Digest, Encryption (K), Decryption (K), Digest, Compare]
  • Convert Given Information into Large Number(Hash
    Value) within Fixed Length Using One-way
    Function(Hash)
  • Check for Modification of the Original Text by Getting
    the Hash Value from the Received Information, then
    Comparing it with the Hash Value Received with the Information
  • Hash Functions: MD4, MD5, SHA (Secure Hash
    Algorithm)

17
Application of Cryptography (1)
  • Confidentiality

[Figure: Digital Envelope.
 Step 1: KS → Encryption (Kpublic) → Kpublic(KS) → Decryption (Kprivate) → KS.
 Step 2: PlainText → Encryption (KS) → CipherText → Decryption (KS) → Original PlainText]

18
Application of Cryptography (2)
  • Authentication/Integrity/Non-Repudiation

[Figure: Digital Signature; labels: PlainText, Digest, Encryption (Kprivate), Decryption (Kpublic), Digest, Compare]

19
DES
  • DES divides the message into 64-bit blocks; the key
    has a fixed size.
  • DES Operation
  • Transposition of bits
  • Substitution of Bit Groups
  • Exclusive-Or Operation
  • Etc. Operation


20
DES


http://www.itl.nist.gov/fipspubs/fip46-2.htm
21
Some Basics for Crypto Algorithms

Euler Totient Function: $\Phi(n)$ is the number of
elements in the reduced set of residues modulo $n$.
Theorem: For $n = pq$ and $p, q$ prime,
$\Phi(n) = \Phi(p)\,\Phi(q) = (p-1)(q-1)$.
Example: Let $p = 3$ and $q = 5$.
Then $\Phi(15) = (3-1)(5-1) = 2 \cdot 4 = 8$, and there
are 8 elements in the reduced set of residues
modulo 15: $\{1, 2, 4, 7, 8, 11, 13, 14\}$.

22
Some Basics for Crypto Algorithms

Fermat's Theorem: Let $p$ be prime. Then for
every $a$ such that $\gcd(a, p) = 1$,
$a^{p-1} \bmod p = 1$.
Euler's Generalization: $a^{\Phi(n)} \bmod n = 1$.
Where $ax \bmod n = 1$ and $\gcd(a, n) = 1$,
$x = a^{\Phi(n)-1} \bmod n$.
When $n$ is a prime number, $x = a^{n-2} \bmod n$.
Example ($n$ is a prime number): Let $a = 3$ and $n = 7$.
Then $x = 3^5 \bmod 7$, which we saw earlier is 5.
This checks, because $3 \cdot 5 \bmod 7 = 1$.

23
Some Basics for Crypto Algorithms

Exponentiation Ciphers (Pohlig-Hellman and RSA
Schemes)
$C = M^e \bmod n$ --- (1)
$M = C^d \bmod n$ --- (2)
C = fastexp(M, e, n), M = fastexp(C, d, n)
$M^{\Phi(n)} \bmod n = 1$ (Fermat's Theorem)
This property implies that if $e$ and $d$ satisfy the relation
$ed \bmod \Phi(n) = 1$ --- (3)
then Eq. (1) is the inverse of Eq. (2).

24
Some Basics for Crypto Algorithms

Exponentiation Ciphers (Pohlig-Hellman and RSA
Schemes)
Theorem: Given $e$ and $d$ satisfying Eq. (3) and a message
$M \in [0, n-1]$ such that $\gcd(M, n) = 1$,
$(M^e \bmod n)^d \bmod n = M$.
Proof: Refer to Denning's book.
Pohlig-Hellman Scheme
Example: Let $p = 11$, whence $\Phi(p) = p - 1 = 10$.
Choose $d = 7$ and compute $e = \mathrm{inv}(7, 10) = 3$.
Suppose $M = 5$. Then $M$ is enciphered as
$C = M^e \bmod p = 5^3 \bmod 11 = 4$.
Similarly, $C$ is deciphered as
$M = C^d \bmod p = 4^7 \bmod 11 = 5$.

25
Some Basics for Crypto Algorithms

Rivest-Shamir-Adleman (RSA) Scheme
$n = pq$. Thus $\Phi(n) = (p-1)(q-1)$.
Example: Let $p = 5$ and $q = 7$, whence $n = qp = 35$
and $\Phi(n) = (5-1)(7-1) = 24$.
Pick $d = 11$. Then $e = \mathrm{inv}(11, 24) = 11$ (in
fact, $e$ and $d$ will always be the same for $p = 5$ and
$q = 7$). Suppose $M = 2$. Then
$C = M^e \bmod n = 2^{11} \bmod 35 = 2048 \bmod 35 = 18$,
and $C^d \bmod n = 18^{11} \bmod 35 = 2 = M$.
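
The worked numbers on slides 21 to 25, reproduced in code as an added example (not part of the original slides). `fastexp` and `inv` are named on the slides but their bodies are written here (square-and-multiply and extended Euclid); `reduced_residues`, `roundtrip` and `self_inverse_exponents` are hypothetical helper names.

```python
from math import gcd

def fastexp(a, z, n):
    """a**z mod n by square-and-multiply, never forming a**z itself."""
    result, a = 1, a % n
    while z > 0:
        if z & 1:
            result = (result * a) % n
        a = (a * a) % n
        z >>= 1
    return result

def inv(a, n):
    """x with a*x mod n == 1, via the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, n, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return old_s % n

def reduced_residues(n):
    """The reduced set of residues modulo n; its size is the totient."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def roundtrip(M, d, modulus, totient):
    """Derive e from d (Eq. 3), encipher (Eq. 1), decipher (Eq. 2)."""
    e = inv(d, totient)
    C = fastexp(M, e, modulus)
    return e, C, fastexp(C, d, modulus)

def self_inverse_exponents(totient):
    """Exponents d with inv(d, totient) == d, i.e. e == d."""
    return [d for d in reduced_residues(totient) if inv(d, totient) == d]

if __name__ == "__main__":
    print(reduced_residues(15))          # slide 21: the 8 residues mod 15
    print(inv(3, 7), fastexp(3, 5, 7))   # slide 22: both routes to the inverse
    print(roundtrip(5, 7, 11, 10))       # Pohlig-Hellman: p = 11, d = 7
    print(roundtrip(2, 11, 35, 24))      # RSA: p = 5, q = 7, d = 11
    # Every valid d mod 24 is its own inverse, so with this toy modulus
    # the private exponent always equals the public one.
    print(self_inverse_exponents(24) == reduced_residues(24))
```
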

26
Certificate Authority and Digital Certificate
  • Certificate Authority (CA)
  • To Certify that somebody's public key is
    certainly his own.
  • Certificate Authority certifies somebody's public
    key by encrypting it with its own private key.
  • Digital Certificate
  • Public key encrypted by CA's private key
  • In CA, after making digital certificate, encrypt
    the original plain text (1), digital signature
    (2), and his own digital certificate (3) with
    random private key (4), and then encrypt this
    private key by receiver's public key. Finally
    send these two encrypted data to the receiver.

27
WWW Security Protocol
  • Communication Security to Unspecified Multiples

[Figure: Content Security: PGP, PEM; HTTP Layer / Message Security: S-HTTP, SEA; Channel Security: SSL, SSH, PCT]

28
SSL(Secure Socket Layer) (1)
  • Developed by Netscape Co.
  • Provide Secure Service among Internet
    Applications Through Secure Channel
  • Layer Model of SSL
  • https://www.whitehouse.gov/first-lady-wardrobe.html
  • HTTPS uses TCP port 443

29
SSL(Secure Socket Layer) (2)
  • Operation Model of SSL
  • Certify Client/Server and Exchange Session Key
    Using Public Key Cryptography (Handshake
    Protocol)
  • Carry out Symmetric Key based Secure
    Communication between Application Reality using
    Shared Session Key (Record Protocol)

[Figure: Client System (Web Client) and Server System (Web Server) exchange General HTTP Messages over HTTP; on each side a Crypto Module sits on the Transport Layer, and the two are joined by a Secure Channel]

30
S-HTTP(Secure HTTP) (1)
  • S-HTTP Add Secure Functions to HTTP at EIT
  • Communicate in the unit of transaction based on
    client/server model, provide secure services at
    end point.
  • Support Transaction Confidentiality, Message
    Integrity, Sender Certification, and
    Non-Repudiation using various crypto algorithms
  • Developed Secure Mosaic and Secure httpd products
    to support S-HTTP1.1 Spec. by NCSA
  • shttp://www.whitehouse.gov/presidential-desserts.html

31
S-HTTP(Secure HTTP) (2)
  • Operation Model of S-HTTP

  • Corresponding Encrypting Algorithm
    and Signature Mechanism according to
    the request is applied to HTTP message,
    Encapsulated into S-HTTP
  • S-HTTP messages are transmitted with S-HTTP
    header to describe message type and encryption
    method

[Figure: Client System (Web Client) and Server System (Web Server) speak S-HTTP; each side's Crypto Module produces an Encrypted or Signed Message, carried over a Normal Channel between the Transport Layers]

32
Electronic Payment System
33
Classification of E-Payment System
34
Electronic Cash System
35
Secure Electronic Transaction (SET) Protocol
36
Secure Electronic Transaction (SET) Protocol
SET Encryption Overview
37
Secure Electronic Transaction (SET) Protocol
Card Holder Registration
38
Secure Electronic Transaction (SET) Protocol
Cardholder receives response and requests
registration form
39
Secure Electronic Transaction (SET) Protocol
Merchant Registration
40
Secure Electronic Transaction (SET) Protocol
Merchant receives registration form and requests
certificates