Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Date posted: 15-Jan-2016

Page 1: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Security and Authentication

Daniel L. Silver, Ph.D.

Acadia & Dalhousie Univs.

Page 2: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Objectives

To introduce the basics of E-Commerce security issues and web entity authentication

Page 3: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Outline

• Why is security such an issue?
• Physical security
• IT Security Basics – Firewalls
• Public Key Cryptography
• SSL – Secure Socket Layer
• SET – Secure Electronic Transactions

Page 4: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Why is Security an Issue?

• The Internet lets you travel outside of your network and others travel in – Those travelers are not all friendly!
• Critical and private information can be snooped — sniffed
• Information can be deleted or destroyed
• The Internet provides an opportunity for anonymous and rapid theft of lots of money

Page 5: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

How many categories/classes of security invasions/breaches can you find?

• User/password – shoulder surfing
• Trojan horses
• Password breaking (various strategies)
• Denial of service attacks – flood the server with requests
• Packet sniffing on net (wire tap, wireless recon.)
• Spoofing websites
• Dumpster diving – garbage search

Page 6: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Components of Security

[Diagram labels: Protection; Assurance; Authorization; Accountability; Availability; Design Assurance; Development Assurance; Operational Assurance; Authentication; Cryptography]

Diagram by Konstantin Beznosov

Page 7: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Five Major Requirements of a Secure Transaction

• Privacy – how to ensure information has not been captured by a third party
• Integrity – how to ensure the information has not been altered in transit
• Authentication – how to ensure the identity of the sender and receiver
• Authorization – how to ensure a user has the authority to access / update information
• Non-repudiation – how do you legally prove that a message was sent or received

Page 8: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Physical Security

• Large mainframe systems have always had adequate physical security
• The transition from LAN to WAN to Internet has caused new interest in these methods
• Physical security means locked doors and security personnel
• Options are to host on a secure ISP/ASP (InternetHosting.com)

Page 9: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

IT Security Basics

• Avoidance – preventing a security breach
  – Using a firewall system to front-end your intranet (or LAN) to the Internet
• Minimization – early warning signals and action plans so as to reduce exposure
  – Attempts to access secure directories
• Recovery – regular backups should be made and recovery periodically tested

Page 10: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Using a Firewall

– A firewall server or router acts as an electronic security cop
– No machine other than the firewall is directly accessible from the Internet
– May also function as a “proxy” server, allowing intranet systems to access only portions of the Internet
– Internet security methods are focused at the firewall, reducing cost and admin overhead

Page 11: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Security through HTTPS

[Diagram labels: Browser; Client 1; Server A; HTTP; TCP/IP; HTTP Server; App. Server; FireWall Server; Server B; Server C]

Page 12: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

IT Security Basics

• Passwords (and potentially User Ids) should be forced to change periodically
• Passwords should be difficult to guess
  – Try to create passwords such as: To Be or Not To Be → 2bon2b
• Databases should be secured in terms of access rights to data (usually by individual or group)

Page 13: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

IT Security Basics

• Software, particularly low layer components such as the operating system and DBMS, should be kept to recent patch levels
• Access from dial-in lines should be limited and if possible call-back systems can be used

Page 14: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Cryptography

• Cryptography or ciphering is an ancient method of encoding a message — only a receiver with a key can decipher the content
• A single (symmetric) secret key is used to encrypt and decrypt
• Requires the communication of the key between sender and receiver!
• Basis of nuclear war-head command and control security

Page 15: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Public Key Cryptography

• In 1976 Diffie & Hellman at Stanford U. developed public-key cryptography
• Asymmetric:
  – Private key – kept secret by owner
  – Public key – distributed freely to all who wish to send
  – Generated by computer algorithm, so a mathematical relation exists between them ... however ...
  – It is computationally difficult to determine the private key from the public key, even with knowledge of the encryption algorithm

Page 16: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Public Key Cryptography

• The keys come in the form of tightly coupled pairs which anyone can generate using methods such as RSA, SHA-1, DSA (RSA is most common)
  – Javascript demo: http://shop-js.sourceforge.net/crypto2.htm
• There is only one public key corresponding to any one private key and vice versa
• Sender encodes data using public key of receiver
• Receiver decodes data using unique private key, no one else can do the same
• This ensures integrity of the data

Page 17: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Authentication

• How can you be sure that the person sending the encrypted data is who they say they are?
• This requires some method of authenticating the identity of the sender
• The solution is for the sender to “sign” the data using his/her private key – the data is encrypted using the sender’s private key
• The receiver validates the “signature” (decrypts the data) using the sender’s public key
• This will work as long as the receiver can be sure the sender’s public key belongs to the sender and not an imposter … enter PKI

Page 18: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Integrity and Authentication

• Example: Consider a merchant who wants to send a secure message to a customer:
  – Merchant encrypts message using customer’s public key
  – Merchant then signs message by encrypting with their private key
  – Customer decrypts using the merchant’s public key to prove authenticity of sender
  – Customer decrypts using their private key to ensure integrity of message
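The merchant-to-customer exchange above, together with the key-pair properties from the two Public Key Cryptography slides, as an added example that is not part of the original slides. It uses textbook RSA with constructed Mersenne-prime keys and no padding or hashing, so it is for study only; it also shows what the customer recovers from a tampered message and from an imposter's key. All function and variable names are assumptions of this example.

```python
# Added illustration: textbook RSA with fixed, constructed primes. No padding,
# no hashing; for study only. Needs Python 3.8+ for pow(x, -1, n).
E = 65537  # public exponent shared by every toy key below

def make_keypair(p, q):
    """Return (public, private) as ((E, n), (d, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def rsa(value, key):
    """Textbook RSA: one operation encrypts, decrypts, signs and verifies."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exponent, n)

# Constructed key pairs (Mersenne primes, reproducible but insecure). The
# merchant modulus is the larger one so the ciphertext fits when it is signed.
CUST_PUB, CUST_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
MERCH_PUB, MERCH_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
FAKE_PUB, FAKE_PRIV = make_keypair(2**89 - 1, 2**127 - 1)  # imposter's pair

def merchant_send(message, signing_key=MERCH_PRIV):
    """Slide steps 1-2: encrypt to the customer, then sign with own private key."""
    ciphertext = rsa(int.from_bytes(message, "big"), CUST_PUB)
    return rsa(ciphertext, signing_key)

def customer_receive(wire):
    """Slide steps 3-4: returns the plaintext bytes, or None if a step fails."""
    try:
        ciphertext = rsa(wire, MERCH_PUB)    # undo the merchant's signature
        m = rsa(ciphertext, CUST_PRIV)       # only the customer can do this
    except ValueError:
        return None                          # value out of range: reject
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

MESSAGE = b"PAY $25 TO ACME"                 # constructed sample, 15 bytes
if __name__ == "__main__":
    wire = merchant_send(MESSAGE)
    print("genuine :", customer_receive(wire))
    print("tampered:", customer_receive(wire ^ 1))
    print("imposter:", customer_receive(merchant_send(MESSAGE, FAKE_PRIV)))
```

Anyone holding the merchant's public key can strip the signature layer, but what they obtain is still the ciphertext for the customer; deployed systems sign a hash of the message and use padded RSA rather than this nested raw form.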

Page 19: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

PKI – Public Key Infrastructure

• Integrates PK cryptography with digital certificates and certificate authorities (CA)
• Digital certificate = issued by a CA, includes user name, public key, serial number, expiration date, signature of trusted CA (message encrypted by CA’s private key)
• Receipt of a valid certificate is proof of identity – can be checked at CA’s site
• www.verisign.com is a major player

Page 20: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Model for Network Security

[Diagram labels: Sender; Receiver; Information Channel; Message; Secret Information; Trusted Third Party (Authentication or Certificate Authority); Opponent]

Page 21: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Security and HTTPS

• Certificate is an entity’s public key plus other identification (name, CA signature)
• SSL – Secure Socket Layer
  – Lies between TCP/IP and HTTP and performs encryption
• HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443)

Page 22: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Security through HTTPS

[Diagram labels: Browser; Client 1; URL; HTTP; TCP/IP; HTTPS; port = 80; port = 443; Server A; HTTP Server; App. Server; index.html; prog.jsp; Database Server; Bank Server; Dedicated]

Page 23: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

SSL – Secure Socket Layer

1. Client makes HTTPS connection to server
2. Server sends back SSL version and certificate
3. Client checks if certificate is from a CA
4. Client creates session “premaster secret”, encrypts it and sends it to server and creates “master secret”
5. Server uses its private key to decrypt “premaster secret” and create the same “master secret”
6. The master secret is used by both to create session keys for encryption and decryption
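Steps 4 to 6 of the handshake above as an added example (not code from the original slides): both sides arrive at the same session keys while only the encrypted premaster secret crosses the wire. The toy RSA key, the 24-byte premaster length, and the HMAC-SHA256 derivation (which omits the hello random values the real protocol mixes in) are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed toy server key (textbook RSA on Mersenne primes): not secure.
# In the real protocol the public half arrives inside the server certificate.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
SERVER_N = P * Q                              # public modulus
SERVER_D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
PREMASTER_LEN = 24                            # shortened to fit the toy modulus

def expand(secret, label, length):
    """Simplified stand-in for the SSL/TLS key-derivation function."""
    out, counter = b"", 0
    while len(out) < length:
        counter += 1
        out += hmac.new(secret, label + bytes([counter]), hashlib.sha256).digest()
    return out[:length]

def session_keys(premaster):
    """Step 6: premaster -> master secret -> one key per direction."""
    master = expand(premaster, b"master secret", 48)
    block = expand(master, b"key expansion", 64)
    return {"client_write": block[:32], "server_write": block[32:]}

def client_step4():
    """Client picks a premaster secret and encrypts it to the server's public key."""
    premaster = secrets.token_bytes(PREMASTER_LEN)
    encrypted = pow(int.from_bytes(premaster, "big"), E, SERVER_N)
    return encrypted, session_keys(premaster)

def server_step5(encrypted):
    """Server recovers the premaster secret with its private key."""
    premaster = pow(encrypted, SERVER_D, SERVER_N).to_bytes(PREMASTER_LEN, "big")
    return session_keys(premaster)

if __name__ == "__main__":
    on_wire, client_keys = client_step4()
    print("keys match:", server_step5(on_wire) == client_keys)
```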

Page 24: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

SET – Secure Electronic Transfer

• Developed by Visa & Mastercard
• Designed to protect E-Comm transactions
• SET uses digital certificates to authenticate customer, merchant and financial institution
• Merchants must have digital certificate and special SET software
• Customers must have digital certificate and SET e-Wallet software

Page 25: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Major Architectural Components of the Web

[Diagram labels: Internet; Browser (Client 1); Browser (Client 2); URL; HTTP; TCP/IP; Server A; Server B; HTTP Server; App. Server; index.html; prog.jsp; Database Server; Bank Server]

Page 26: Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Resources / References

RSA demos:
• http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/
• http://islab.oregonstate.edu/koc/ece575/02Project/Mor/