Internet Security: an overall view - PowerPoint PPT Presentation

1 / 53
About This Presentation

Internet Security: an overall view


In recent years, organizations have become increasingly dependent ... Impersonation. Securing the Web site itself. install all operating system security patches ... – PowerPoint PPT presentation

Number of Views:60
Avg rating:3.0/5.0
Slides: 54
Provided by: jas5110


Transcript and Presenter's Notes

Title: Internet Security: an overall view

Internet Security an overall view
Why Internet Needs Security
  • In recent years, organizations have become
    increasingly dependent on the data communication
    networks for their daily business communications,
    database retrieval, distributed data processing,
    and the internetworking of LANs.
  • The losses associated with security failures can
    be huge.

Loss from Cyberattacks
  • The cost of cyberattacks to U.S. businesses
    doubled to 10 billion in 1999, according to
    estimates from the Computer Security Institute
    (CSI) The research group today is
    releasing the results of its survey of 643 large
    organizations, showing estimated losses of 266
    million in 1999 from cybercrime, which is more
    than twice the amount lost in 1998.
  • - Los Angeles Times (03/22/00) P. C1 Piller,
  • (

  • Internet security
  • Consumers entering highly confidential
  • Number of security attacks increasing
  • Four requirements of a secure transaction
  • Privacy information not read by third party
  • Integrity information not compromised or altered

  • Authentication sender and receiver prove
  • Non-repudiation legally prove message was sent
    and received
  • Availability
  • Computer systems continually accessible

The Evolution of Cryptosystems
  • Cryptography
  • Secures information by encrypting it
  • Transforms data by using a key
  • A string of digits that acts as a password and
    makes the data incomprehensible to those without

The Evolution of Cryptosystems(Cont)
  • Cipher of cryptosystem technique for encrypting
  • Cipher-text encrypted data
  • Plaintext unencrypted data
  • Ciphers
  • Substitution cipher
  • Every occurrence of a given letter is replaced by
    a different letter

The Evolution of Cryptosystems(Cont)
  • Transposition cipher
  • Shifts the ordering of letters
  • Modern cryptosystems
  • Digital
  • Key length length of string used to encrypt and

Outline of Encryption
  • Secret-key encryption
  • Public-key encryption
  • Digital signature
  • Digital certificate
  • Certificate authority
  • Key Agreement Protocols
  • Key Management

Encryption Methods
  • The essential technology underlying virtually all
    automated network and computer security
    applications is cryptography
  • Two fundamental approaches are in use
  • conventional encryption, also known as symmetric
  • public-key encryption, also known as asymmetric

Secret-key Encryption
  • Secret-key cryptography
  • Same key to encrypt and decrypt message
  • Sender sends message and key to receiver
  • Problems with secret-key cryptography
  • Key must be transmitted to receiver
  • Different key for every receiver
  • Key distribution centers used to reduce these
  • Generates session key and sends it to sender and
    receiver encrypted with the unique key
  • Encryption algorithms
  • Dunn Encryption Standard (DES), Triple DES,
    Advanced Encryption Standard (AES)

Secret-key Encrytion(Cont)
  • Encrypting and decrypting a message using a
    symmetric key

Secret-key Encryption(Cont)
  • Distributing a session key with a key
    distribution center

Public Key Encryption
  • Asymmetric, involving the use of two separate
  • Based on mathematical functions rather than on
    simple operations on bit patterns
  • Misconceptions about public key encryption
  • it is more secure from cryptanalysis
  • it is a general-purpose technique that has made
    conventional encryption obsolete

Public Key Encryption Operation
Public Key Signature Operation
Characteristics of Public-Key
  • Infeasible to determine the decryption key given
    knowledge of the cryptographic algorithm and the
    encryption key.
  • Either of the two related keys can be used for
    encryption, with the other used for decryption.
  • Slow, but provides tremendous flexibility to
    perform a number of security-related functions
  • Most widely used algorithm is RSA
    http//, invented by Ron
    Rivest, Adi Shamir and Len Adleman at MIT in

Conventional EncryptionKey Distribution
  • Both parties must have the secret key
  • Key is changed frequently
  • Requires either manual delivery of keys, or a
    third-party encrypted channel
  • Most effective method is a Key Distribution
    Center (e.g. Kerberos)

Public-Key EncryptionKey Distribution
  • Parties create a pair of keys public key is
    broadly distributed, private key is not
  • To reduce computational overhead, the following
    process is then used
  • 1. Prepare a message.
  • 2. Encrypt that message using conventional
    encryption with a one-time conventional session
  • 3. Encrypt the session key using public-key
    encryption with recipients public key.
  • 4. Attach the encrypted session key to the
    message and send it.

Digital Signature
  • An electronic message that can be used by someone
    to authenticate the identity of the sender of a
    message or of the signer of a document.
  • Can also be used to ensure that the original
    content of the message or document that has been
    conveyed is unchanged.
  • Additional benefits
  • Easy transportation, not easily repudiated, not
    imitated by someone else, and automatically

Digital Signature Process
Public Key Certificates
  • 1. A public key is generated by the user and
    submitted to Agency X for certification.
  • 2. X determines by some procedure, such as a
    face-to-face meeting, that this is authentically
    the users public key.
  • 3. X appends a timestamp to the public key,
    generates the hash code of the result, and
    encrypts that result with Xs private key forming
    the signature.
  • 4. The signature is attached to the public key.

Certificate Authority
  • A certificate authority is a trusted organization
    that can vouch for the authenticity of the person
    or organization using authentication.
  • A person wanting to use a CA registers with the
    CA and must provide some proof of identify.
  • The CA issues a digital certificate that is the
    requestor's public key encrypted using the CA's
    private key as proof of identify.
  • This certificate is then attached to the user's
    email or Web transactions in addition to the
    authentication information.
  • The receiver then verifies the certificate by
    decrypting it with the CA's public key -- and
    must also contact the CA to ensure that the
    user's certificate has not been revoked by the
  • For higher level security certification, the CA
    requires that a unique fingerprint (key) be
    issued by the CA for each message sent by the

VeriSign, Inc
  • Headquartered in Mountain View, California, a
    leading provider of Internet trust services
    authentication, validation and payment - needed
    by Web sites, enterprises, and e-commerce service
    providers to conduct trusted and secure
    electronic commerce and communications over IP
  • To date, VeriSign has issued over 215,000 Web
    site digital certificates and over 3.9 million
    digital certificates for individuals.

VeriSign, Inc
  • Group Approves VeriSign's Control Over Web
    Addresses Wall Street Journal (04/03/01) P. B4
    Bridis, Ted
  • In a 12-3 vote, ICANN's board approved its
    new deal with VeriSign, allowing the company to
    retain control of the .com domain without
    divesting portions of its business. By Dec. 2002,
    VeriSign will give up the .org domain, and the
    .net domain will be surrendered at a later date,
    although VeriSign will have a chance to bid for
    control of the .net domain. There were a few
    changes made to the agreement. The 10,000 fee
    that registrars pay to VeriSign was dropped and
    VeriSign now has to spend 200 million toward the
    research necessary to create a directory of all
    domain names. Further, VeriSign must keep the
    registrar and registry portions of its business
    separate or it will face fines. The U.S. Commerce
    Department still has to approve the deal, and
    four members of Congress have suggested that the
    Commerce Department "fully analyze" competitive
    concerns stemming from the new deal. These
    suggestions, which were made by Reps.
  • (http//

Key Agreement Protocols
  • Key agreement protocol
  • Process by which parties can exchange keys
  • Use public-key cryptography to transmit symmetric
  • Digital envelope
  • Encrypted message using symmetric key
  • Symmetric key encrypted with the public key
  • Digital signature

Key Agreement Protocols
  • Creating a digital envelope

Key Management
  • Key management
  • Handling and security of private keys
  • Key generation
  • The process by which keys are created
  • Must be truly random

Web Security
  • Web Vulnerabilities
  • Unauthorized alteration of data at the Web site
  • Unauthorized access to the underlying operating
    system at the Web server
  • Eavesdropping on messages passed between a Web
    server and a Web browser
  • Impersonation
  • Securing the Web site itself
  • install all operating system security patches
  • install the Web server software with minimal
    system privileges
  • use a more secure platform
  • Securing the Web application
  • Secure HyperText Transfer Protocol (S-HTTP)
  • Secure Sockets Layer (SSL)

Security Protocols
  • Transaction security protocols
  • Secure Sockets Layer (SSL)
  • Secure Electronic Transaction (SET)

  • Protocols that sit between the underlying
    transport protocol (TCP) and the application
  • Uses public-key technology and digital
    certificates to authenticate the server in a
  • Protects information as it travels over Internet
  • Does not protect once stored on receivers server
  • Peripheral component interconnect (PCI) cards
  • Installed on servers to secure data for an SSL

SSL Implementation
  • Focused on the initialization/handshaking to set
    up a secure channel
  • Client specifies encryption method and provides
    challenge text
  • Server authenticates with public key certificate
  • Client send master key, encrypted with server key
  • Server returns a message encrypted with the
    master key
  • The message (key) is used to generate the key
    sending message from client to the server
  • Digital signatures used in initialization are
    based on RSA after initialization, single key
    encryption systems like DES can be used

Secure ElectronicTransaction (SET)
  • SET protocol
  • Designed to protect e-commerce payments
  • Certifies customer, merchant and merchants bank
  • Requirements
  • Merchants must have a digital certificate and SET
  • Customers must have a digital certificate and
    digital wallet
  • Digital wallet
  • Stores credit card information and identification
  • Merchant never sees the customers personal
  • Sent straight to banks
  • Microsoft Authenticode
  • Authenticates file downloads
  • Informs users of the downloads author

SET Participants Interactions
Agents in SET
  • Cardholder, workstation of the person holding the
  • Merchant, needs merchant CA (MCA)
  • CAs
  • Security services
  • Certificates
  • Financial institution

Ideal Components of Electronic Cash
  • Independent of physical location
  • Security
  • Privacy
  • Off-line payment
  • No need for third-party vendor
  • Transferability to other users
  • Divisibility
  • Making change

Digital Wallet (SET)
  • In the physical world, your wallet stores your
    credit cards and cash. In the online world, your
    digital wallet is installed as a plug-in to your
    web browser. Like your real wallet, your digital
    wallet stores your credit card number and your
    shipping information. Unlike your real wallet,
    you need to the know the secret "password" to use
    what's inside. Your wallet implements the
    "encryption" that makes SET secure.
  • See Digital Wallet Demo

Security Attacks
  • Types of security attacks
  • Denial of service attacks
  • Use a network of computers to overload servers
    and cause them to crash or become unavailable to
    legitimate users
  • Flood servers with data packets
  • Alter routing tables which direct data from one
    computer to another
  • Distributed denial of service attack comes from
    multiple computers

Security Attacks
  • Viruses
  • Computer programs that corrupt or delete files
  • Sent as attachments or embedded in other files
  • Worm
  • Can spread itself over a network, doesnt need to
    be sent

Security Attacks( Passive vs. Active )
  • Passive Attacks
  • Eavesdropping
  • Monitoring
  • Active Attacks
  • Modification
  • Hacking
  • Software bombing
  • Disrupting

Security Attacks
  • Anti-virus software
  • Reactive goes after already known viruses
  • http//
  • VirusScan scans to search computer for viruses
  • ActiveShield checks all downloads
  • Another virus software distributor
  • Computer Emergency Response Team (CERT)
  • Responds to reports of viruses and denial of
    service attacks
  • Provides CERT Security Improvement Modules

Network Security
  • Main Purpose
  • Allow authorized users access
  • Prevent unauthorized users from obtaining access
  • Trade-off between security and performance

  • Firewall
  • Protects local area network (LAN) from outside
  • Safey barrier for data flowing in and out
  • Prohibits all data not allowed or permits all
    data not prohibited
  • Types of firewalls
  • Packet-filtering firewalls
  • Rejects all data with local addresses from
  • Examine only the source of the content
  • Application level firewalls
  • Attempt to scan data

Packet-level firewall
  • Examines the source and destination address of
    every network packet that passes through it and
    only allows packets that have acceptable source
    and destination addresses to pass.
  • Vulnerable to IP-level spoofing, accomplished by
    changing the source address on incoming packets
    from their real address to an address inside the
    organizations network.
  • Many firewalls have had their security
    strengthened since the first documented case of
    IP spoofing in December 1994.

Application-level firewall
  • Acts as an intermediate host computer or gateway
    between the Internet and the rest of the
    organizations network.
  • In many cases, needs special programming codes to
    permit the use of application software unique to
    the organization.
  • Difference
  • packet-level firewalling - prohibits only
    disabled accesses
  • application-level firewalling - permits only
    authorized accesses

  • Kerberos
  • Uses symmetric secret-key cryptography to
    authenticate users in a network
  • Authenticates a client computer and that
    computers authority to access specific parts of
    the network

  • Biometrics
  • Uses unique personal information to identify
  • Examples are fingerprints, eyeball iris scans or
    face scans

  • Steganography
  • Practice of hiding information within other
  • Digital watermarks
  • Hidden within documents and can be shown to prove

Steganography (Example 1)
  • Example of a conventional watermark

Steganography (Example 2)
  • An example of steganography Blue Spikes
    Giovanni digital watermarking process

  • 1. e-Business e-Commerce for Manageers,
  • Deitel,Deitel and Steinbuhler, Prentice-Hall,2002
  • 2.

Thank you!
Write a Comment
User Comments (0)