Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy...
-
Upload
georgiana-lester -
Category
Documents
-
view
218 -
download
2
Transcript of Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy...
![Page 1: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/1.jpg)
Arab Academy for Science & Technology and Maritime Transport
eRepresented By :Ahmed EldemallawyAhmed Madani
![Page 2: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/2.jpg)
Agenda e-Mail e-Commerce• Email
• Email Security Enhancements• PGP (Pretty Good Privacy )• S/MIME (Secure/Multipurpose Internet
Mail Extensions)
![Page 3: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/3.jpg)
email is one of the most widely used and regarded network services
currently message contents are not secure
![Page 4: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/4.jpg)
Email Security Enhancements
confidentiality authentication message integrity non-repudiation of origin
![Page 5: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/5.jpg)
Pretty Good Privacy (PGP) widely used to secure emails developed by Phil Zimmermann selected best available crypto algs. to use integrated into a single program available on Unix, PC, Macintosh and Amiga
systems originally free, now have commercial versions
available also
![Page 6: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/6.jpg)
PGP Operation – Authentication
M HEP
KRa
|| Z Z-1
MDP
KUa
H
Compare
Source A Destination B
EKRa[H(M)]
![Page 7: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/7.jpg)
PGP Operation – Confidentiality
MZ EC
Ks
||
Source A Destination B
EP
KUb
DP
KRb
DC Z-1
M
EKUb[Ks]
![Page 8: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/8.jpg)
PGP Operation – Confidentiality & Authentication
M HEP
KRa
|| Z EC
Ks
||
EP
KUb
EKUb[Ks]
DP
KRb
DC Z-1
M
KUa
EKRa[H(M)]
Compare
DP
H
Source A Destination B
![Page 9: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/9.jpg)
PGP Operation – Compression
by default PGP compresses message after signing but before encrypting
uses ZIP compression algorithm
![Page 10: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/10.jpg)
PGP Operation – Email Compatibility when using PGP will have binary data to send
(encrypted message etc) however email was designed only for text hence PGP must encode raw binary data into
printable ASCII characters uses radix-64 algorithm
• maps 3 bytes to 4 printable chars• also appends a CRC
PGP also segments messages if too big
![Page 11: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/11.jpg)
PGP Operation – SummaryX file
Signaturerequired?
Yes Generate SignatureX signature || X
No
Confidentialityrequired?
Yes Encrypt key,XX EKUB
[Ks]||EKs[X]
No
Convert to radix 64X R64[X]
Generic Transmission Diagram (from A)
CompressX Z(X)
![Page 12: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/12.jpg)
Convert using radix 64X R64-1[X]
Confidentialityrequired?
Yes decrypt key,XX DKRb
[Ks]; XDKs[X]
No
PGP Operation – Summary
DecompressX Z-1(X)
Signaturerequired?
Yes Strip signature from XVerify signature
No
Generic Reception Diagram (to B)
![Page 13: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/13.jpg)
PGP Session Keys
need a session key for each message• of varying sizes: 56-bit DES, 128-bit CAST or IDEA,
168-bit Triple-DES
generated using ANSI X12.17 mode
![Page 14: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/14.jpg)
PGP Public & Private Keys
since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message• could send full public-key with every message• but this is inefficient
rather use a key identifier based on key• is least significant 64-bits of the key• will very likely be unique
also use key ID in signatures
![Page 15: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/15.jpg)
PGP Key Rings
each PGP user has a pair of keyrings:• public-key ring contains all the public-keys of other
PGP users known to this user, indexed by key ID• private-key ring contains the public/private key pair(s)
for this user, indexed by key ID & encrypted keyed from a hashed passphrase
![Page 16: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/16.jpg)
Private key Ring
SelectIDA
Encrypted Private key
DC
Passphrase H
RNG
Public key Ring
SelectIDB
Key ID
Key ID
M HEP
KRa
|| EC
Ks||EP
KUb
Output
PGP Message Generation
![Page 17: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/17.jpg)
DP
KRb
DC
KUa
Compare
DP
H
Receiver’sKey ID
EncryptedSession key
EncryptedMessage +Signature
Private key Ring
Select Encrypted Private key
DC
Passphrase H
Sender’sKey ID
Encrypteddigest
Message
Public key Ring
Select
PGP Message Reception
![Page 18: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/18.jpg)
S/MIME (Secure/Multipurpose Internet Mail Extensions) security enhancement to MIME email
• original Internet RFC822 email was text only• MIME provided support for varying content types and
multi-part messages• with encoding of binary data to textual form• S/MIME added security enhancements
have S/MIME support in various modern mail agents: MS Outlook, Netscape etc
![Page 19: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/19.jpg)
S/MIME Functions
enveloped data• encrypted content and associated keys
signed data• encoded message + signed digest
clear-signed data• cleartext message + encoded signed digest
signed & enveloped data• nesting of signed & encrypted entities
![Page 20: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/20.jpg)
S/MIME Cryptographic Algorithms
hash functions: SHA-1 & MD5 digital signatures: DSS & RSA session key encryption: ElGamal & RSA message encryption: Triple-DES, RC2/40 and
others have a procedure to decide which algorithms to
use
![Page 21: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/21.jpg)
S/MIME Certificate Processing
S/MIME uses X.509 v3 certificates managed using a hybrid of a strict X.509 CA
hierarchy & PGP’s web of trust each client has a list of trusted CA’s certs and own public/private key pairs & certs certificates must be signed by trusted CA’s
![Page 22: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/22.jpg)
Certificate Authorities
have several well-known CA’s Verisign one of most widely used Verisign issues several types of Digital IDs with increasing levels of checks & hence trust
Class Identity Checks Usage
1 name/email check web browsing/email
2+ enroll/addr check email, subs, s/w validate
3+ ID documents e-banking/service access
![Page 23: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/23.jpg)
Agenda e-Mail e-Commerce
• Web security• SSL (Secure Socket Layer)• TLS (Transport Layer Security)• SET (Secure Electronic Transactions)
![Page 24: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/24.jpg)
Web Security
Web now widely used by business, government, individuals
but Internet & Web are not protected against attacks have a variety of threats
• integrity• confidentiality• denial of service• authentication
need added security mechanisms
![Page 25: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/25.jpg)
SSL (Secure Socket Layer)
transport layer security service originally developed by Netscape uses TCP to provide a reliable end-to-end service SSL has two layers of protocols
![Page 26: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/26.jpg)
SSL Architecture
IP
TCP
SSL Record Protocol
HTTPSSL Alert Protocol
SSL ChangeCipher Spec
Protocol
SSL ChangeCipher Spec
Protocol
![Page 27: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/27.jpg)
SSL Architecture
SSL session• an association between client & server• created by the Handshake Protocol• define a set of cryptographic parameters• may be shared by multiple SSL connections
SSL connection• a transient, peer-to-peer, communications link• associated with 1 SSL session
![Page 28: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/28.jpg)
SSL Record Protocol
confidentiality• using symmetric encryption with a shared secret key
defined by Handshake Protocol• IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-
40, RC4-128• message is compressed before encryption
message integrity• using a MAC with shared secret key
![Page 29: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/29.jpg)
SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the SSL Record protocol
single message 1 byte with value 1 causes pending state to become current updating the cipher suite in use
![Page 30: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/30.jpg)
SSL Alert Protocol conveys SSL-related alerts to peer entity severity
• warning or fatal specific alert
• unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
• close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data
![Page 31: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/31.jpg)
SSL Handshake Protocol
allows server & client to:• authenticate each other• to negotiate encryption & MAC algorithms• to negotiate cryptographic keys to be used
include a series of messages in phases• Establish Security Capabilities• Server Authentication and Key Exchange• Client Authentication and Key Exchange• Finish
![Page 32: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/32.jpg)
SSL Handshake ProtocolClient Server
Client_hello
Server_hello
Certificate
Server_key_exchange
Certificate_request
Server_hello_done
Phase 1Establish security capabilities, includingprotocol version, session ID, cipher suite,compression method, and initial randomnumbers.
Phase 2Server may send certificate, key exchange,and request certificate. Server signals endof hello message phase.
![Page 33: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/33.jpg)
SSL Handshake Protocol
Certificate
Change_cipher_spec
Client_key_exchangeCertificate_verify
Change_cipher_specFinished
Finished
Phase 3Client sends certificate if requested. Clientsends key exchange. Client may sendcertificate verification.
Phase 4Change cipher suite and finishhandshake protocol.
![Page 34: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/34.jpg)
TLS (Transport Layer Security)
IETF standard RFC 2246 similar to SSLv3 with minor differences
• in record format version number• uses HMAC for MAC• a pseudo-random function expands secrets• has additional alert codes• some changes in supported ciphers
![Page 35: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/35.jpg)
Secure Electronic Transactions (SET)
![Page 36: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/36.jpg)
Secure Electronic Transactions (SET) open encryption & security specification to protect Internet credit card transactions developed in 1996 by Mastercard, Visa etc not a payment system rather a set of security protocols & formats
• secure communications amongst parties• trust from use of X.509v3 certificates• privacy by restricted info to those who need it
![Page 37: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/37.jpg)
SET Components
![Page 38: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/38.jpg)
SET Transaction customer opens account customer receives a certificate merchants have their own certificates customer places an order merchant is verified order and payment are sent merchant requests payment authorization merchant confirms order merchant provides goods or service merchant requests payment
![Page 39: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/39.jpg)
Dual SignaturePI
OI
H
H
|| H
PIMD
OIMD
POMD
E
KRc
DualSignature
![Page 40: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/40.jpg)
PI
DualSignature
+
+OIMD
E
Ks
E
KUb
Purchase Request Customer
Digital Envelop
+
+PIMD
OI+
DualSignature
+
+CardholderCertificate
ReceivedBy merchant
Passed on byMerchant toPayment gateway
![Page 41: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/41.jpg)
Digital Envelop
+
+PIMD
OI+
DualSignature
+
+CardholderCertificate
Passed on byMerchant to
Payment gateway
H
||
OIMD
POMD
DPOMD
Compare
KUc
Purchase Request Merchant
![Page 42: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/42.jpg)
Payment Gateway Authorization
Digital Envelop
+
D
KRb
Ks
D
PI
DualSignature
+
+
OIMD
H
||
Compare
KUc
D
![Page 43: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/43.jpg)
Payment Capture
merchant sends payment gateway a payment
capture request gateway checks request then causes funds to be transferred to merchants
account notifies merchant using capture response
![Page 44: Arab Academy for Science & Technology and Maritime Transport e Represented By : Ahmed Eldemallawy Ahmed Madani.](https://reader035.fdocuments.net/reader035/viewer/2022070410/56649ec65503460f94bd1cdf/html5/thumbnails/44.jpg)
Questions