Information Technology - PowerPoint PPT Presentation

About This Presentation
Title:

Information Technology

Slides: 32
Provided by: uqE

Transcript and Presenter's Notes


1
Electronic Signatures and Security
2
Introduction
  • Introduction - the need for security
  • Elementary cryptography and code breaking
  • Private/public key encryption
  • Electronic signatures
  • Digitised signatures
  • Digital signatures
  • Other security measures
  • Legal issues

3
Introduction
  • the internet is an open network
  • unprotected transactions are insecure
  • need to be sure that the information is:
    • safe from eavesdropping - needs privacy
    • not tampered with - manipulation - needs
      integrity
    • from the right person - impersonation - needs
      authentication

4
Elementary cryptography
  • one-way functions
  • easy to do, difficult to undo
  • eg apply a key to a lock, but difficult to open
    without the key
  • note: difficult, not impossible

5
Elementary cryptography
  • simple cryptography - applying a key to keep
    writing a secret
  • eg Caesar cipher - shifting letters of the
    alphabet 2 to the right so dear john becomes
    fgct lqjp

plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: c d e f g h i j k l m n o p q r s t u v w x y z a b
6
Breaking codes
  • Brute force method
  • try each combination until it works - we might
    need 25 tries to break previous code
  • random matching of letters (substitution
    cipher) avoids brute force
  • Pattern matching methods
  • looks at frequency of letters, average word
    length, letter combinations, etc
  • randomly changing key avoids patterns
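
The two code-breaking methods from slide 6, applied to the Caesar example from slide 5. This is an added example, not part of the original presentation; the function names and the rounded letter-frequency table are assumptions made for the illustration.

```python
import string

ALPHABET = string.ascii_lowercase
# Approximate English letter frequencies in percent, a..z (rounded reference values).
FREQ = dict(zip(ALPHABET, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))


def shift(text, key):
    """Shift each letter `key` places to the right; leave other characters alone."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext):
    """Brute force: all 25 non-trivial keys and the plaintext each would give."""
    return {key: shift(ciphertext, -key) for key in range(1, 26)}


def english_score(text):
    """Pattern matching: sum of letter frequencies; higher looks more like English."""
    return sum(FREQ.get(ch, 0) for ch in text)


def crack(ciphertext):
    """Pick the key whose candidate plaintext scores highest, with no human reading."""
    candidates = brute_force(ciphertext)
    key = max(candidates, key=lambda k: english_score(candidates[k]))
    return key, candidates[key]


if __name__ == "__main__":
    secret = shift("dear john", 2)      # the slide's example
    print(secret)
    print(crack(secret))
```
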

7
Private keys
  • these single code systems are symmetric - same
    key used to encrypt and decrypt
  • they use a private key - security depends on
    keeping the key secret
  • problem: how do you transmit the key securely?

8
Public/private key systems
  • 1976 solution - use two different but related
    keys
  • one locks and the other unlocks anything sent by
    its pair (asymmetric)
  • one key is kept secret and the other made public
  • requires a trusted keeper of the public key

9
(No Transcript)
10
Public/private key systems
  • Step 1: receiver places public key with trusted
    public authority, and keeps the related secret
    private key
  • Step 2: to send a message, sender looks up
    receiver's public key and uses it to encrypt
    (lock) message
  • Step 3: receiver (and only receiver) can use the
    secret key that decrypts (unlocks) that message

11
Example RSA algorithm
  • RSA implementation based on prime numbers
  • 5 x 7 = 35
  • 11,927 x 20,903 = 249,310,081
  • RSA 129 - challenge to crack the code of a 129
    digit prime number (estimated to take millions of
    years)

12
What is encryption?
  • Encryption is the process of "scrambling"
    information into an unreadable form for security
    purposes

13
What is encryption?
  • It was originally used as a tool in military
    communications

14
What is encryption?
  • Computers have revolutionised cryptography in
    terms of levels of encryption and ability to
    decrypt

15
Common applications
  • Protection of information transmitted during
    electronic banking transactions, such as ATM
    transactions, EFTPOS purchases and Internet
    transactions
  • Encryption of email
  • Encryption of files stored on computers
  • Digital signatures

16
Why the controversy?
  • Argument: Free access to cryptography by the
    general public enables them to fulfil their right
    to protect the privacy of their communications,
    including commercially valuable data

17
Why the controversy?
  • Argument: The government needs to control the use
    of cryptography to enable eavesdropping on phone
    calls, email etc as part of its law enforcement
    activities

18
Encryption regulation
  • Two ways governments can control encryption are:
  • export controls (the Wassenaar Arrangement)
  • key escrow / recovery
  • www.pgpi.org

19
Export controls
http://www.wassenaar.org/
  • The Wassenaar Arrangement on Export Controls for
    Conventional Arms and Dual-Use Goods and
    Technologies - agreement between certain
    countries regarding weapons regulation

20
Export controls
  • Objective - Wassenaar Arrangement - prevent
    acquisition of conventional arms and sensitive
    dual-use technologies for military purposes by
    States whose behaviour is, or becomes, a cause
    for serious international concern
  • Encryption software is controlled under Category
    5 (Part 2) on the List of Dual-Use Goods and
    Technologies

21
Key escrow / recovery
  • Key escrow: mandatory for users of encryption
    products to provide a copy of the key to the
    government for law enforcement access
  • Key recovery: the key is kept by a third party,
    generally a commercial service provider

22
Key escrow / recovery
  • Under both systems keys and/or plaintext would
    only be available to law enforcement with a court
    warrant
  • There are significant privacy concerns and
    security risks with this approach

23
Encryption regulation
  • No direct controls limiting the domestic use of
    encryption
  • The Telecommunications Legislation Amendment Act
    1997 requires carriage service providers to
    provide access to any data or communications
    which they transmit for their customers

24
Australian encryption regulation
  • Australian export laws are based on the Wassenaar
    Arrangement and impose strict controls over the
    export of all cryptographic products, both
    hardware and software
  • These controls are administered by the Director,
    Strategic Trade Policy and Operations (STPO), a
    division of the Defence Acquisition Organisation

25
Circumvention of Encryption
  • Electronic
  • Non-electronic

26
PGP
  • http://www.pgpi.org/

27
Electronic Signatures
  • What is a signature?
  • Digital signatures use public key cryptography

28
Electronic Signatures
  • Electronic
  • Digitalised
  • Digital

29
Digital signatures
  • can get benefit of all 3 objects by double
    encryption
  • first use your secret key (integrity and
    authenticity)
  • then receiver's public key (privacy)
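
The double encryption above, together with the public/private key steps on slide 10 and the primes on slide 11, as an added example that is not part of the original presentation. It is textbook RSA with no padding or hashing; the exponent 65537, the sender's primes, the sample message and all function names are assumptions made for the illustration.

```python
E = 65537  # public exponent (assumption; the slides do not give one)


def make_key(p, q, e=E):
    """Return (public, private) as ((n, e), (n, d)) built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)      # modular inverse; raises if e shares a factor with phi
    return (n, e), (n, d)


def apply_key(key, value):
    """Lock or unlock: raise value to the key's exponent modulo n."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value out of range for this key")
    return pow(value, exp, n)


def seal(message, sender_private, receiver_public):
    """Double encryption: sender's secret key first, then receiver's public key."""
    signed = apply_key(sender_private, message)     # integrity and authenticity
    return apply_key(receiver_public, signed)       # privacy


def unseal(ciphertext, receiver_private, sender_public):
    """Reverse order: decrypt, then undo the signature. None if it cannot be valid."""
    signed = apply_key(receiver_private, ciphertext)
    if signed >= sender_public[0]:
        return None
    return apply_key(sender_public, signed)


def factor(n):
    """Trial division on an odd n: instant at this size, so toy keys give no security."""
    f = 3
    while n % f:
        f += 2
    return f, n // f


# Receiver uses the primes from slide 11; the sender's primes are constructed,
# chosen smaller so the signed value fits under the receiver's modulus.
RECV_PUB, RECV_PRIV = make_key(11_927, 20_903)
SEND_PUB, SEND_PRIV = make_key(10_007, 10_009)
MESSAGE = int.from_bytes(b"ok!", "big")             # constructed sample message

if __name__ == "__main__":
    c = seal(MESSAGE, SEND_PRIV, RECV_PUB)
    print("recovered:", unseal(c, RECV_PRIV, SEND_PUB).to_bytes(3, "big"))
    print("tampered :", unseal((c + 1) % RECV_PUB[0], RECV_PRIV, SEND_PUB))
    print("factors  :", factor(RECV_PUB[0]))
```

Changing the ciphertext in transit makes `unseal` return a different value or `None`, and `factor` shows that anyone can rebuild the private key from a modulus this small.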

30
Digital signature
31
Electronic Signatures and Security