Saad Haj Bakry, PhD, CEng, FIEE 1 Information Security for e -Business Saad Haj Bakry, PhD, CEng, FIEE P RESENTATIONS IN N ETWORK S ECURITY

Saad Haj Bakry, PhD, CEng, FIEE

1

Information Security for e-Business

Saad Haj Bakry, PhD, CEng, FIEE

PRESENTATIONS IN NETWORK SECURITYPRESENTATIONS IN NETWORK SECURITY

Saad Haj Bakry, PhD, CEng, FIEE 2

Secure Transactions Use of Symmetric Keys Use of Asymmetric Keys Public Key Infrastructure: PKI Security Protocols

Objectives / Contents



Secure Transactions RequirementsIssue FactPrivacy No Disclosure

Integrity No Alteration

Authentication Proof of Identity:Sender to Receiver / Receiver to Sender

Non-Repudiation Legal Proof of Transaction:

Message is Sent or Received

Availability System in Operation

“S-Business” Outcome: “Secure Business”



DES: Data Encryption Standard AES: Advanced Encryption Standard KDC: Key Distribution Centre

Use of Symmetric Keys



DES: Data Encryption StandardA Symmetric Encryption Algorithm: 1950s A Symmetric Encryption Algorithm: 1950s

Triple Use (3 Keys in a Row): For More SecurityTriple Use (3 Keys in a Row): For More Security

Being Replaced BY: AESBeing Replaced BY: AES

Key Length is “56 bits”: Short / Easy to CrackKey Length is “56 bits”: Short / Easy to Crack

By US NSA (National Security Agency) & IBMBy US NSA (National Security Agency) & IBM

DES (K-1)DES (K-1) DES (K-2)DES (K-2) DES (K-3)DES (K-3)



AES: Advanced Encryption Standard

A Symmetric Encryption AlgorithmA Symmetric Encryption Algorithm

Criteria of Choice:Strength

Efficiency

Speed

Other Factors

Criteria of Choice:Strength

Efficiency

Speed

Other Factors

Five Finalists Under

Consideration: 2001

Five Finalists Under

Consideration: 2001

By US NIST: Replacing DES (National Institute of Standards & Technology)

By US NIST: Replacing DES (National Institute of Standards & Technology)



KDC: Key Distribution CentreTo Solve “Key-Exchange” Problem To Solve “Key-Exchange” Problem

S-R Session Key: Generated by KDC per TransactionS-R Session Key: Generated by KDC per Transaction

Problem: Centralized Security “Challenges to KDC !”Problem: Centralized Security “Challenges to KDC !”

All Transactions: Exchanged Through KDCAll Transactions: Exchanged Through KDC

KDC Shares a “Secrete Key”: With “Every User”KDC Shares a “Secrete Key”: With “Every User”

Session Key Sent to S-R : Using their Shared Keys with KDCSession Key Sent to S-R : Using their Shared Keys with KDC



SenderSender

KDC OperationReceiverReceiver

Communication NetworkCommunication Network

Symmetric Key (S)Symmetric Key (S)

Plain Text

Cipher Text

KDCKDC

Symmetric Key (R)Symmetric Key (R)

Symmetric Key (R)Symmetric Key (R)Symmetric Key (S)Symmetric Key (S)

Session Key

Session Key

Session Key

Session Key

Session KeySession Key

Plain Text

11

22 22

3333

Initiation

Generation Generation

Assignment Assignment

Transaction



Key Agreement Protocol:

KAP / Digital Envelop Key Management: KM Digital Signature Time-Stamping: Non-Repudiation Notary Authentication

Use of Asymmetric Key.



KAP: Key Agreement Protocol

Subject of Agreement: Symmetric Secret Key Subject of Agreement: Symmetric Secret Key

Secret Key: Suitable for Volumes of DataSecret Key: Suitable for Volumes of Data

Agreement Security: Use of Public KeyAgreement Security: Use of Public Key

Protocol: Rules of Agreement ProcessProtocol: Rules of Agreement Process

Public Key: Suitable for Limited VolumesPublic Key: Suitable for Limited Volumes

Digital Envelop: Secret Key in Public KeyDigital Envelop: Secret Key in Public Key



KAP Example: The Digital Envelop

Decrypt Receiver’s

“Private Key”

Decrypt Receiver’s

“Private Key”

Message: “Plain Text”

Message: “Cipher Text” (S-K)

Message “Cipher Text”

(S-K) Plus “Cipher SK” (P-K)

“Digital

Signature”: Possible

“Secret

Key”

Decrypt

(Message) Using

“Secret Key”

Message: “Plain Text”

Envelop

Encrypt

(Secret Key)

Using

Receiver’s

“Public Key”

Encrypt

(Secret Key)

Using

Receiver’s

“Public Key”

SenderSender

ReceiverReceiver

Encrypt (Message)

Using “Secret Key”

Encrypt (Message)

Using “Secret Key”

“Secret

Key” “Secret

Key”

Decrypt

(Message) Using

“Secret Key”

Decrypt

(Message) Using

“Secret Key”



Key Management

Theft (mishandling) & Attack (cryptanalysis)Theft (mishandling) & Attack (cryptanalysis)

Key Generation: Secure “Long Keys”Key Generation: Secure “Long Keys”

Key Generation Problem:

Sometimes choice is from a small set

Key Generation Problem:

Sometimes choice is from a small set

Recommendation:

Key generation

should be truly

“random”

Recommendation:

Key generation

should be truly

“random”



Digital Signature (1/2)

Objective: (P-K) Authentication / IntegrityObjective: (P-K) Authentication / Integrity

Hash FunctionHash

FunctionMessage:Plain Text

SENDER

SENDER

Message Digest

Encrypt(Sender

Private Key)

Encrypt(Sender

Private Key)

“Sender Authenticated”

Encrypt(Receiver

Public Key)

Encrypt(Receiver

Public Key)

Message: Cipher Text

Electronic Signature

++

ReceiverReceiverDecrypt (Sender

Public Key)

Decrypt (Sender

Public Key)

Message:Plain Text

Message Digest

Message Digest

Decrypt (Receiver

Private Key)

Decrypt (Receiver

Private Key)

Message Digest

Message Digest


Hash FunctionHash

Function“Message Integrity”



Handwritten Signature: Document Independent

(same for all documents) Authentication Only

Handwritten Signature: Document Independent

(same for all documents) Authentication Only

Digital Signature: Document Dependent

(based on message contents)

Authentication & Integration

Digital Signature: Document Dependent

(based on message contents)

Authentication & Integration

Problem (Digital Signature): Non-repudiation (proof that the message has been sent)

Problem (Digital Signature): Non-repudiation (proof that the message has been sent)

Digital Signature (2/2)

Use: US DSA: “Digital Signature Algorithm”

Use: US DSA: “Digital Signature Algorithm”



Time-stamping / Non-Repudiation (1/2)

Objective: Binding “time and date”

to digital documents Important for electronic

contracts

Objective: Binding “time and date”

to digital documents Important for electronic

contracts

Third Party: Time-stamping

Agency /

Legal Witness

Third Party: Time-stamping

Agency /

Legal Witness

Time-Stamping Agency

Time-Stamping Agency

Sender / ReceiverSender / Receiver

Sender / ReceiverSender / Receiver



11SENDER

SENDER

Time-stamping Agency: • Input: Ciphered & Signed Message• Output: Time & Date Stamp Agency Stamp (Signature)

(Using the Agency’s Private Key)

Time-stamping Agency: • Input: Ciphered & Signed Message• Output: Time & Date Stamp Agency Stamp (Signature)

(Using the Agency’s Private Key)


Sender Electronic Signature

Time-stamping / Non-Repudiation (2/2)

22

11

22

33

Time & Date Stamp

44

Agency Stamp (Signature)

Proof of receipt may be required “same route back” from the “receiver”



TRANSMITTER

NOTARYNOTARY

RECEIVER

MESSAGE

NETWORK SERVICES Message with Guarantee of

Sender’s Identity

NOTARY MAY USE:

Encryption (DES) / Digital Signature / Other Methods

Notary Authentication



PKI: Objectives / Organizations Digital Certificates:

Structure / Trust / Validity

Public Key Infrastructure: PKI



PKI: Public Key Infrastructure (1/2)

Objective: Authentication of Parties

in a Transaction

Objective: Authentication of Parties

in a Transaction

IPRA:Internet Policy Registration

Authority (The Root Certification Authority)

IPRA:Internet Policy Registration

Authority (The Root Certification Authority)

Hierarchy Hierarchy

IPAIPA

Policy Creation Authorities

Policy Creation Authorities

CA: Certification Authorities




PKI: Public Key Infrastructure (2/2)

CA take the

responsibility of

authentication

CA take the

responsibility of

authentication

DC are publicly

available and are

issued / held by CA

in “CR: Certificate

Repository”

DC are publicly

available and are

issued / held by CA

in “CR: Certificate

Repository”



DC: Digital CertificatesDC: Digital Certificates

Using Public Key Cryptography

Using Public Key Cryptography

DS: Digital SignaturesDS: Digital Signatures



Digital Certificate: Structure

Field ExplanationName (Subject) Individual / company being certified

Serial Number For management / organization

Public Key Public key of the individual / company

Expiration Date Certification need to be renewed

Signature of Trusted CA For confirmation

Other Information Relevant / needed data.



Digital Certificate: Signature of Trust

Public Key (Name / Subject)Public Key (Name / Subject)

Private Key (CA)Private Key (CA)

Hash FunctionHash Function

Signature of Trusted CASignature of Trusted CA

OROR



Digital Certificate: Expiration

Need for Change of Key (Pairs)Need for Change of Key (Pairs)

Expiration Date: Long use of key

leads to vulnerability

Expiration Date: Long use of key

leads to vulnerability

Key Compromised: Cancellation / Renew

Key Compromised: Cancellation / Renew

CA has “CRL: Certificate Revocation List”CA has “CRL: Certificate Revocation List”



Internet “Secure Socket Layer”: SSL Visa / Master Card:

Secure Electronic Transaction: SET Microsoft Authenticode

Security Protocols



SSL: Secure Sockets Layer (1/2)

Sender Sender ReceiverReceiver

Application SoftwareApplication Software Application SoftwareApplication Software

by: Netscape Communications

also used by: MS Internet Explorer

SSLSSL SSLSSL

TCPTCP TCPTCP

IPIP IPIPTCP/IPTCP/IPData- -gram

Virtual Circuit

“Message Interpretation” (to protect Internet transactions)

Messages

“Browsers”



SSL: Secure Sockets Layer (2/2)

Functions: Protects “private information from source to destination”

Authenticates “receiver / server in a transaction”

Functions: Protects “private information from source to destination”

Authenticates “receiver / server in a transaction”

Tools: Public Key /

Digital Certificate Session (Secret) Keys

Tools: Public Key /

Digital Certificate Session (Secret) Keys

PCI: “Peripheral Component Interconnect” cards

Installed on “Web Servers” to secure data over an entire SSL transaction “from sender / client to receiver / server”

PCI: “Peripheral Component Interconnect” cards

Installed on “Web Servers” to secure data over an entire SSL transaction “from sender / client to receiver / server”



SET: Secure Electronic Transaction

Objective: protecting

e-commerce

payment

transactions

Objective: protecting

e-commerce

payment

transactions

by: Visa & Master-Card

Authenticating the

Parties Involved:

“Customer”

“Merchant”

“Bank”

Authenticating the

Parties Involved:

“Customer”

“Merchant”

“Bank”

Using “Public-Key Cryptography

Using “Public-Key Cryptography



Microsoft Authenticode

Objective: Safety of software ordered online Objective: Safety of software ordered online

Authenticode is built into MS Internet ExplorerAuthenticode is built into MS Internet Explorer

Authenticode interacts with Digital CertificatesAuthenticode interacts with Digital Certificates

Digital Certificates should be obtained by software publishersDigital Certificates should be obtained by software publishers

Digital Certificates can be obtained from CA “VeriSign”Digital Certificates can be obtained from CA “VeriSign”



e-Business Transactions: security measures

Use of Symmetric Keys: standards: DES, AES / key distribution: KDC

Use of Asymmetric Keys: symmetric key distribution: KAP, digital envelop / digital signature / time stamping: non-repudiation / notary

Public Key Infrastructure: digital certificate. Security Protocols: Internet: SSL / Banking: SET /

Microsoft: Authenticode.

RemarksInformation Security for e-Business


References B.R. Elbert, Private Telecommunication Networks, Artech House, US,

1989. Telecommunications Management: Network Security, The National

Computer Centre Limited, UK, 1992 K.H. Rosen, Elementary Number Theory and its Applications, 4th

Edition, Addison Wesley / Longman, 1999. ISO Dictionary of Computer Science: The Standardized Vocabulary

(23882), ISO, 1997. F. Botto, Dictionary of e-Business, Wiley (UK), 2000. H.M. Deitel, P.J. Deitel, K. Steinbuhler, e-Business and e-Commerce

for Managers, Prentice-Hall (USA), 2001


Documents

Saad Haj Bakry, PhD, CEng, FIEE 1 Information Security for e -Business Saad Haj Bakry, PhD, CEng, FIEE P RESENTATIONS IN N ETWORK S ECURITY