Internet Security

1
Internet Security

• How secure is Internet browsing?
• Is private information really kept private?
• Who do we trust?

2
Security

• Looking at .
• Security Basics
• HTTP authentication
• Single-key encryption
• Public-key encryption
• Digital Signatures and Certificates
• SSL

3
Authentication

• What is Authentication?
• Verifying the identities of the parties involved
• Typical user name and password
• Authentication applies to both client and server
• Client wants to know it is talking to the true
  server, not an imposter
• Server wants to know the client is a true
  client, not an imposter
• Problems with user names and password method?

4
Confidentiality

• What is Confidentiality?
• Only the parties involved can understand the
  communication
• e.g. ensure no one else can intercept the
  transmission of credit-card numbers
• Relies heavily on cryptography (many forms)
• Using cryptography requires special keys to
  encrypt and decrypt data. How and where do users
  access these keys? Are the keys secure themselves?

5
Integrity

• What is Integrity?
• Content of communication is not altered during
  transmission
• The alteration can be intentional or
  unintentional
• Need a mechanism to check if any character has
  been changed
• This can be accomplished again through
  cryptography

6
HTTP Authentication

• Basic HTTP authentication involves a username and
  password to access a web site
• Most web servers support this (Apache, Tomcat,
  IIS, ..)
• The use of a HTML form is common on web pages to
  send authentication details to a server

ltForm Action/Servlet/LoginHandler
MethodPostgt ltpgt ltInput type text name user
value size 15gt ltpgt ltInput type password
name password value size 15gt lt/formgt
7
HTTP Authentication

• The servlet LoginHandler can access the
  user/password parameter and maintain session
  control for the current session
• First, it checks the user name and password
• Then, it sets a new session for the user
• Finally, it redirects the user to the target URL

8
Servlet Based Authentication
User accounts database
Loginform.html
Login_servlet
Yes, valid user go to applications
No! Invalid user Login fails
9
Potential Problems

• Access control via password is susceptible to
  eavesdropping ? confidentiality not guaranteed
• Wiretapping is especially easy in a LAN
  environment
• Potential Confidentiality and Integrity problems
  not solved
• Need encryption based methods for
• Confidentiality
• Integrity
• Advanced level of authenticity
• You are what you say you are

10
Single Key Encryption

• Background
• aka Private Key Encryption
• Only type of encryption prior to public-key
  encryption
• By far the most common type of encryption in
  general
• Converts text to cyphertext
• Also referred to as conventional or symmetric
  encryption

11
Single Key Encryption

• Encryption Algorithm and Key
• single key encryption consists of an encryption
  algorithm and a key
• the key is a very large number
• the key is independent of the algorithm
• encryption process and decryption process use the
  same key
• E encrypt(K, M)
• E Encrypted message, K Key, M plain message

12
Single Key Encryption

• Level of security depends on
• complexity of encryption algorithm
• Should not be able to decrypt from the text alone
• Assumes that it is impossible to decrypt a
  message from knowledge of the text and knowledge
  of the algorithm alone
• The secrecy of the key
• Does not depend on the secrecy of the algorithm
• NB The key must be kept secret by both parties
  to avoid compromising security
• e.g. DES (Data Encryption Standard) algorithm

13
Public Key Encryption

• Overview
• milestone in the history of encryption
• not based on substitution and permutation like
  traditional methods
• based on mathematical functions
• known as asymmetric key encryption
• Background
• first introduced in 1976
• NSA (National Security Agency) claimed they also
  discovered it earlier !!

14
Problems addressed by Public Key Encryption

• Key distribution
• traditional methods use a single key
• communicators use the same key
• public key encryption makes use of two keys, one
  private and one public, to address this problem
• Authentication
• How to verify (authenticate) who sent the message
• Public key encryption allows for use of digital
  signatures to address this problem
• We will look at digital signatures later

15
Public Key Encryption

• Public key encryption is a way of encrypting
  messages in which every user has a public key and
  a private key
• Messages are sent encrypted with the receivers
  public key
• The receiver decrypts the message with their
  private key
• This means the private key is kept private only
  to the receiver of a message

16
Public/Secret Keys

• Public key P is made public to all
• Secret key S is kept secret by user
• For matched keys Si and Pi
• M Pi (Si (M)) S (Pi (M))
• It is crucial that the secret key cannot be
  determined from the public key
• This is achieved by having the secret pair be
  large prime numbers and the public key be their
  product (or some variation)

17
Public Key Encryption Example
Bobs public and secret keys
Alices public and secret keys
PB
SB
PA
SA
18
Sending Securely

• M ? PA (M) ? ? SA (M) ? M

Bob encrypts with Alices public key
Alice decrypts with her secret key
Only Alice can read the message
19
Sending Securely
PA (M)
SA (PA (M))
PB
PA
SB
M
SA
M
Bob
Alice
20
Authentication of Sender

• However there is 1 problem with this method
• Previously, Alice does not know that the message
  is actually from Bob just because it claims to be
  from him. Anyone could have sent it since Alices
  public key is publicly available
• In order for Bob to prove he sent the message, he
  can send another digitally signed message to
  Alice using his secret key. Alice can then check
  if the two messages decrypt to the same message

21
Authentication of Sender

• M ? PA (M) ? ? SA (M) ? M
• M ? SB (M) ? ? PB (M) ? M

Bob encrypts with Alices public key
Alice decrypts with her secret key
Bob resends encrypted with HIS secret key
Alice decrypts with Bobs public key and compares
M to M
M M ?
22
Authentication of Sender
PA (M)
SA (PA (M))
M
PB
PA
SB
SA
M
M
Bob
Alice
SB (M)
PB (SB (M))
M M ?
23
Digitally-Signed Encryption

• The previous two methods can be combined so that
  the message is both encrypted and authenticated
• Bob encrypts with his secret key and Alices
  public key
• Alice decrypts with her secret key and Bobs
  public key

24
Digital Signatures

• A digital signature is basically a way to ensure
  that an electronic document is authentic, meaning
  that you know who created the document and you
  know that it has not been altered in any way
  since that person created it
• Authentication can be handled by
• Password
• Checksum
• Private Key Encryption
• Public Key Encryption
• Digital Certificates

25
Checksum Example
Byte 1 Byte 2 Byte 3 Byte 4 Byte 5 Byte 6 Byte 7 Byte 8 Total Checksum
212 232 54 135 244 15 179 80 1151 127
1151 / 256 4.496 (round to 4) 4 256
1024 1151 1024 127
26
Digital Signature Standard (DSS)

• A National Institute of Standards and Technology
  (NIST) standard for digital signatures, used to
  authenticate both a message and the signer.
• DSS is based on a type of public key encryption
  method that uses the Digital Signature Algorithm
  (DSA)
• DSA has a security level comparable to RSA
  (Rivest-Shamir-Aldeman) cryptography, having
  1024-bit keys

27
Digital Certificates

• To implement public key encryption on a large
  scale (e.g. a secure Web Server) requires digital
  certificates
• A digital certificate is basically a bit of info
  that says that the web server is trusted by an
  independent source known as a Certificate
  Authority (CA)
• e.g. Verisign.com

28
Digital Certificates

• The CA acts as a middle man that both computers
  trust
• It confirms that each computer is in fact who it
  says it is
• It then provides the public keys of each computer
  to each other

29
Digital Certificates
Excerpted from Verisign.com white paper
30
SSL

• Secure Socket Layer (SSL)
• Popular implementation of public-key encryption,
  developed by Netscape, which is designed to
  provide secure communications on the Internet.
• TCP/IP governs the transport and routing of data
  over the Internet, while other protocols (e.g.
  HTTP, IMAP) run on top of TCP/IP in the sense
  that they all use TCP/IP to support typical
  application tasks such as displaying web pages or
  running email servers

31
SSL

• SSL protocol runs above TCP/IP and below
  higher-level protocols. It allows an SSL-enabled
  server to authenticate itself to an SSL-enabled
  client
• This in turn allows the client to authenticate
  itself to the server
• Both machines can now establish an encrypted
  connection

32
SSL
HTTP
LDAP
IMAP
Application layer
Network layer
Secure Sockets Layer
TCP/IP Layer
33
SSL

• SSL is used to encrypt the data between browser
  and server
• De facto standard for secure communication on the
  Web
• SSL support built into both Netscape and IE
  browser
• Requires a web server to install a digital
  certificate
• Obtained through Verisign.com, Netscape, etc
• Data encryption and decryption is completely
  transparent to programmers
• No additional Java coding required
• Only requirement is for Web server to support SSL!

34
Security references

• Check out
• http//www.cookiecentral.com
• Contains many FAQ
• Examples
• Good web resource

35
Summary

• We have looked at
• Basics
• Authentication
• Confidentiality
• Integrity
• HTTP authentication
• Single-key encryption
• Public-key encryption
• Digital Signatures and Certificates
• SSL