1 / 29

Security

Security. Critical for e-commerce. Security concerns. confidentiality – preventing unauthorised people from seeing your data; authentication – making sure the people you are dealing with are who they say they are;

mahlah
Télécharger la présentation

Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Critical for e-commerce

  2. Security concerns • confidentiality – preventing unauthorised people from seeing your data; • authentication – making sure the people you are dealing with are who they say they are; • non-repudiation – if you’ve sent a message you cannot subsequently claim that you didn’t; • integrity – preventing data being changed by unauthorised people; • authorisation.

  3. Encryption • Encryption means converting messages into a secret code. • Encryption solves the problem of confidentiality in principle. • It also provides the basic techniques that are used to solve the problems of authentication and integrity.

  4. Encryption

  5. The Caesar Cipher

  6. “I owe you five pounds” encrypts to “L rzh crx ilyh srxqgv” It is usual to use lower case only and to arrange the letters in fixed length groups, thus: “lrzhc rxily hsrxq gv”

  7. Transformation & Transposition • Caesar cipher is a transforming cipher • Possible to transpose text

  8. Transposition • “THIS IS A SECRET” • Key = 4213 • First letter moves to fourth • Second letter moves to second • Third letter moves to first etc, etc • Transposes to ???

  9. Answer • “IHST ASSI RCEE T”

  10. Playfair Cipher

  11. Breaking a cipher • The Caesar cipher can be attacked and broken in two ways: • by key search: there are only 25 possible keys so we can try them all; • by analysis of letter frequencies. • The Playfair cipher can be broken by analysis of frequencies. None of these attacks needs a knowledge of the plain text.

  12. Symmetric (or private key) encryption algorithms The Caesar cipher and the Playfair cipher are examples of symmetric encryption algorithms, in which the same key is used for encryption as for decryption.

  13. Data Encryption Standard (DES) • the most widely used symmetric encryption algorithm; • developed largely by IBM • first published by the US National Security Agency in 1975. • uses a 56-bit key but, for greater security, often used in a form that takes two 56-bit keys and applied the algorithm three times (triple DES).

  14. International Data Encryption Algorithm (IDEA) • similar in principle to DES; • uses a 128-bit key for greater resilience; • developed in Switzerland by ETH Zurich and Ascom AG. • patented but free from US government attempts to prevent export!

  15. Key management • If N individuals are exchanging encrypted messages with each other, using a symmetric cipher, Nx(N-1)/2 distinct keys are required. • From time to time it is desirable to change the keys. • Requires a secure method by which two people can agree on a key. • The result is a serious management problem.

  16. The Life Cycle of a Key • Key is created. • Key is distributed. • Key is activated. • Key is deactivated and replaced. • Key is terminated, either by destruction or archiving (escrow).

  17. Prime numbers A prime number is a (positive, whole) number, such as 23, that is not divisible by any other (positive, whole) number except itself or 1. To factor a number is to express it as a product of prime numbers, e.g., 391=1723 or 25=55. Factoring the product of two very large primes (say 100 digits each) will take even the fastest computer hundreds of years.

  18. Diffie-Hellman key exchange • Published in 1976. • Allows two people to agree on key with no danger of someone else discovering it.

  19. Public Keys • Using large prime numbers two keys can be created. • Public and private keys. • Public Key • Like open box • Put in message • Send to receiver • Private key opens it

  20. public key This is Plaintext 123@8(@0kfl30kfl Encryption Ciphertext private key 123@8(@0kfl30kfl This is Plaintext Decryption Ciphertext Plaintext Public Keys Plaintext

  21. In these algorithms, the key used to encrypt a message (the public key) is different from the key used to decrypt it (the private key). Although the public key and the private key are related, it is computationally impracticable to compute the private key from the public key. Asymmetric (or public key) encryption algorithms (1)

  22. Asymmetric (or public key) encryption algorithms (2) • Normal use allows lots of people to send messages to a server that only the server can read.

  23. RSA: a typical public key algorithm (simplified) • Public key is a large (200 digit) number, with the property that it is the product of two large primes. • To decrypt a message, you need to know these two primes, that is, they constitute the private key. • To find the private key from the public key, would take the fastest available computer a few million years. • A small example has public key 7081 and the private key 73, 97.

  24. Key management with a public key cipher • Using a public key cipher, N individuals can safely exchange encrypted messages using only N distinct keys. • An individual distributes his or her public key freely but always keeps the private key secret. • Public keys are registered with a certification authority.

  25. Practical policies • Asymmetric (public key) ciphers are comparatively slow. • Symmetric (private key) ciphers are much faster.

  26. Identification and Authentication Standard ways of identifying and authenticating oneself: • UID identifies and password authenticates; • bank card identifies and PIN authenticates; • credit card identifies and signature authenticates.

  27. Digital Certificates • A statement issued by one person stating that the public key of another person has a certain value. • Bodies that are trusted to issue digital certificates are called certification authorities. • Two standards for the content of a certificate, defined by ITU-T X509 standard and by IETF in RFC 1422.

  28. Content of digital certificates • Serial number • Issuer’s name • Issuer’s uid • Validity period • Subject’s name • Subject’s uid • Subject’s public key • CA’s digital signature

  29. Certification Authorities • Internet Policy Registration Authority signs certificates for • policy creation authorities who sign certificates for • certification authorities who sign certificates for • indiviuals and organisations.

More Related