Emerging Topics Related to Enterprise Integration IST 421 Spring 2004 Lecture 12
Security • In 1996, Dan Farmer, a security consultant, used a tool known as SATAN to check the security of a number of Internet sites • 2200 sites examined • 65% were vulnerable to attack • Sites belonged to banks, insurance companies, credit card companies and government departments
Security • Reasons why the Internet is insecure compared with other, closed networks: • Internet protocols are public; intruders know more about the Internet than about a proprietary network • The Internet is pervasive • Web servers are extensible: they are connected to all types of technologies
Security • Speed of development of Internet has been huge; little thought given to security aspects • Browsers originally had very little functionality • Demand to increase functionality resulted in plug-ins which had serious security flaws
Security • Myth about computer security is that intrusions are carried out by software experts • Forms of attack: • Integrity threats: intruder modifies stored data or data in transit • Confidentiality threats: reading important stored data like credit card details • Denial of service threats: flooding a Web server with transactions
Security • Authentication threats: intruder impersonates a legitimate user, such as a B2B system user making large financial transactions
Examples of Attacks • Non-technical attacks • Guessing someone’s password • Stealing a password • Destructive devices • E-mail bomb • Viruses
Examples of Attacks • Scanners – programs which detect security weaknesses • Security Administrator’s Tool for Analyzing Networks (SATAN) • It detected a weakness and provided an authoritative tutorial on the weakness • Was developed for the UNIX operating system
Examples of Attacks • Password crackers – program that attempts to find out a user’s password or the identity of a number of passwords stored on a computer • Originally developed to help administer systems
Examples of Attacks • Sniffers – read the packets of data that travel around a network • Designed to determine the efficiencies and inefficiencies in a network, i.e., bottlenecks • Used to siphon off sensitive data • Trojan horses – code which looks legitimate but attempts to do something which the user does not expect it to do. • Very difficult to detect • Example, shareware program which allows several uses, but then destroys many of the files
Examples of Attacks • Spoofing – intruder uses a computer to masquerade as another trusted computer in order to carry out operations • IP-spoofing
Security • Security is often an afterthought in the implementation of a new technology • Security needs to be built in from the ground up • Whenever information is • sent or received from enterprise-wide systems, • when interfaces to systems are built, • or when middleware is being implemented • security must be considered
Security • In most cases B2B application integration security will be built on top of an existing security structure • Top Secret, RACF, or others • In addition to integrating applications, B2B application integration needs to integrate the security system
Security • Five fundamental requirements of a secure transaction: • Privacy: How do you ensure that the information you transmit over the Internet has not been captured without your knowledge? • Integrity: How do you ensure that the information you send or receive has not been compromised or altered?
Security • Authentication: How do the sender and receiver of a message prove their identities to each other? • Authorization: How do we ensure that users can access certain necessary resources, while valuable information is protected? • Nonrepudiation: How do you legally prove that a message was sent or received?
Cryptography • First recorded in ancient Egypt • Two main methods were: • substitution ciphers – every occurrence of a given letter is replaced by a different letter • Caesar Cipher • and transposition ciphers – ordering of the letters is shifted
Cryptography • Symmetric key cryptography • Sender encrypts the data using an algorithm which depends on a key • Encrypted data is sent over some insecure medium such as the Internet • Key is conveyed to the recipient by a secure method • Recipient receives the key and decrypts the message
Cryptography • Public key cryptography • Does not require the use of the same key to encrypt and decrypt • Uses two keys, a public key and a private key • One key is held securely, while the other is distributed • Keys must be generated in pairs and it must be computationally infeasible to obtain one key from the other key alone
Cryptography • Information encrypted by one key can be decrypted only by the other key of the key pair • Originally proposed in 1976 by Whitfield Diffie and Martin Hellman
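The key-pair property from the last two slides, demonstrated with a textbook RSA pair (RSA is the scheme in which the same operation works in both directions, so it shows the point cleanly). This is an added example, not the lecture's code; the primes 61 and 53 are constructed toy values, so the pair is trivially factorable and is for illustration only.

```python
"""Public key cryptography with a textbook RSA key pair.  Added example to
illustrate that keys come in pairs and that what one key encrypts only the
other key decrypts.  Toy primes; not usable as real encryption."""
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Build a pair from two primes.  The public key (n, e) is distributed;
    the private key (n, d) is held securely.  Recovering d from (n, e)
    requires factoring n, which is what makes real-sized pairs hard to invert."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(m: int, key) -> int:
    """One operation serves both directions: m ** k mod n."""
    n, k = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, k, n)


def demo(m: int = 42):
    public, private = make_keypair(61, 53)   # constructed small primes
    ciphertext = apply_key(m, public)        # encrypt with the public key
    decrypted = apply_key(ciphertext, private)   # only the private key undoes it
    signature = apply_key(m, private)        # encrypt with the private key = sign
    verified = apply_key(signature, public)  # anyone with the public key checks it
    return {
        "n": public[0],
        "ciphertext": ciphertext,
        "decrypted": decrypted,
        "signature": signature,
        "verified": verified,
        # applying the public key a second time does NOT recover the message
        "public_undoes_itself": apply_key(ciphertext, public) == m,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what this does not show: the slide's symmetric case needs the one shared key to travel by a secure channel, while here only (n, e) travels, and the holder of (n, d) never sends it. Both uses of the private key (decrypting and signing) map onto the "Authentication" and "Nonrepudiation" requirements listed earlier.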
Techniques and Tools • Logging tools – monitor the use of a computer and log events that occur to a secure file • User mistyping a password several times • Virus scanners • Network topology techniques • Firewall • Security checking software
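The first bullet above (a logging tool noticing a user mistyping a password several times) is the kind of check a defender writes over an authentication log. The following is an added example, not from the lecture: the syslog-style sshd lines are constructed, and the threshold (three failures within sixty seconds for the same user and source, reset by a successful login) is an assumption chosen for the demonstration.

```python
"""Flag bursts of failed logins in an authentication log.  Added example,
not from the lecture; the log lines and format are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-style sshd messages, one year assumed).
SAMPLE_LOG = """\
Mar 12 09:00:01 gw sshd[411]: Failed password for alice from 10.0.0.5 port 5011 ssh2
Mar 12 09:00:07 gw sshd[411]: Failed password for alice from 10.0.0.5 port 5012 ssh2
Mar 12 09:00:15 gw sshd[411]: Failed password for alice from 10.0.0.5 port 5013 ssh2
Mar 12 09:00:22 gw sshd[411]: Accepted password for alice from 10.0.0.5 port 5014 ssh2
Mar 12 09:30:00 gw sshd[412]: Failed password for bob from 10.0.0.9 port 6001 ssh2
Mar 12 11:00:00 gw sshd[413]: Failed password for bob from 10.0.0.9 port 6002 ssh2
Mar 12 11:00:03 gw sshd[413]: Failed password for invalid user admin from 10.0.0.9 port 6003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line: str, year: int = 2004):
    """Return (timestamp, result, user, source) or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def find_bursts(log_text: str, threshold: int = 3, window_seconds: int = 60):
    """Return (user, source, first_failure, last_failure) for each run of
    `threshold` failures inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (user, src)
        if result == "Accepted":
            recent[key].clear()   # a success ends the failure run
            continue
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append((user, src, q[0], ts))
            q.clear()             # report each burst once
    return alerts


if __name__ == "__main__":
    for user, src, first, last in find_bursts(SAMPLE_LOG):
        print(f"{user} from {src}: {threshold_note}" if False else
              f"{user} from {src}: failures from {first:%H:%M:%S} to {last:%H:%M:%S}")
```

Only alice trips the rule here: bob's two failures are ninety minutes apart and fall outside the window, and the single attempt against a non-existent account stays below the threshold. Whether such quiet, spread-out failures should also be reported is a tuning decision; lowering the threshold in the call shows what that trades off.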
Mobile Computing • Main driver behind evolution of the Internet is mobile computing • Cellular phones • Small, lightweight computers • Given rise to the term m-commerce • e-commerce activities which are carried out on the move
Mobile Computing • Problems with mobile computing: • Mobile devices are less powerful than computers found in offices; limits the amount of client code that can be embedded in these devices • Bandwidth can be a problem depending on location of use
Mobile Computing • Reliability is a concern; subject to interruptions in service which can cause problems for the application • Mobile applications have less interaction with a network
Mobile Computing • Non-system problems with mobile computing: • Survey conducted by International Data Corporation (2000): 9% of mobile phone users accessed the Internet with a cell phone • 6% of net users had access to a wireless device • In the U.S. the mobile phone pricing structure is different from that found in Europe • User pays for both outbound and inbound communication
Mobile Computing • U.S. wireless telecommunications industry lags behind that in Europe • Land-based telephony has been very reliable • U.S. wireless coverage is poor • Lack of development of wireless technology and standards • U.S. will lag behind Europe and Japan in development of ubiquitous computing
Applications of Mobile Computing • Active badges • Badge has microprocessor in it • Track staff within a building or campus • Badge emits a 48 bit code which is transmitted as an infrared signal to sensors in the building • Sensor information stored in a database of badge wearers • Can also be used to tag valuable equipment tripping an alarm if moved
Applications of Mobile Computing • Visiting Nurse Service of New York • Hand-held computer on patient home visits • Data is gathered and sent to a hospital server via mobile phone link • Problems have included poor battery performance and some interruptions in service in some locations
Applications of Mobile Computing • Tracking cows in Britain • BSE outbreak in 1990s, health offices now require farmers to report cow births, deaths, and import or export information • Normal procedure is to record information on a postcard • Using mobile phone, fill in a form with details and send it to a government database
Applications of Mobile Computing • Tracking stolen cars • Patrol cars can now be equipped with a computer which accesses law enforcement databases • Officer enters the car registration number and is presented with information on vehicle registration, driver’s license, and whether the car is stolen • Radio modems transmit messages using a high degree of security
Mobile System Aspects • Special Protocols • A protocol mediates between the protocols used by mobile phones and the IP protocol used on the Internet • Wireless Application Protocol (WAP) uses Wireless Markup Language (WML) • i-mode: a popular Japanese wireless Internet service using cHTML (compact HTML) • Sun J2ME (Java 2 Micro Edition) uses MIDP (Mobile Information Device Profile) as an API
Markup Languages • Wireless Markup Language (WML) is similar to HTML • Number of tags to display visual elements • Developed using XML • Defines the content of screens known as cards • Less sophisticated than HTML due to limited content delivered on device screens
Markup Languages • WML: • Facilities for defining a screen or card and a set of screens (a deck) • Facilities for defining actions to be taken when an event occurs • Facilities for carrying out tasks such as refreshing a screen • Facilities for displaying and processing user input
Markup Languages • WML: • Facilities for hyperlinking • Facilities for displaying images • Facilities for text formatting
<?xml version = "1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.2//EN"
    "http://www.wapforum.org/DTD/wml12.dtd">

<!-- Fig. 26.5 : index.wml -->
<!-- tip test start screen -->

<wml>
   <card id = "index" title = "Tip Test">
      <do type = "accept" label = "Enter">
         <go href = "WAP/info.wml"/>
      </do>
      <p>
         eLearning Programming Tips
      </p>
   </card>
</wml>
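To make the deck/card structure from the WML slides concrete, here is an added example (not from the lecture or the textbook figure) that reads a deck the way a WAP gateway or test harness might: it lists each card, the navigation targets of its `go` and `a` elements, and its input fields, and reports in-deck links that point at no card. The deck is constructed for the example; it extends index.wml with a second card that takes user input, posts it to info.wml, and deliberately contains one dangling link.

```python
"""Inspect a WML deck: cards, navigation targets, inputs, dangling links.
Added example, not lecture code; the deck below is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_DECK = """<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.2//EN"
  "http://www.wapforum.org/DTD/wml12.dtd">
<wml>
  <card id="index" title="Tip Test">
    <do type="accept" label="Enter">
      <go href="#name"/>
    </do>
    <p>eLearning Programming Tips</p>
  </card>
  <card id="name" title="Your name">
    <p>Name: <input name="user" type="text"/></p>
    <do type="accept" label="Go">
      <go href="WAP/info.wml" method="post">
        <postfield name="user" value="$(user)"/>
      </go>
    </do>
    <p><a href="#missing">Help</a></p>
  </card>
</wml>
"""


def load_deck(wml_text: str) -> dict:
    """Map card id -> {title, targets, inputs}.  A deck is one <wml> element
    whose children are <card> screens; navigation is via <go> and <a> hrefs."""
    root = ET.fromstring(wml_text)
    if root.tag != "wml":
        raise ValueError("not a WML deck")
    cards = {}
    for card in root.findall("card"):
        targets = [el.get("href") for el in card.iter()
                   if el.tag in ("go", "a") and el.get("href")]
        inputs = [el.get("name") for el in card.iter("input")]
        cards[card.get("id")] = {"title": card.get("title"),
                                 "targets": targets, "inputs": inputs}
    return cards


def dangling_links(cards: dict) -> list:
    """In-deck links ('#id') that name no card in this deck; on a handset
    these render as dead keys, so a harness should flag them before upload."""
    bad = []
    for cid, info in cards.items():
        for target in info["targets"]:
            if target.startswith("#") and target[1:] not in cards:
                bad.append((cid, target))
    return bad


if __name__ == "__main__":
    deck = load_deck(SAMPLE_DECK)
    for cid, info in deck.items():
        print(cid, info)
    print("dangling:", dangling_links(deck))
```

The parser relies on the standard library only; ElementTree reads the DOCTYPE line without fetching the DTD, so the check runs offline. Links that leave the deck (here `WAP/info.wml`) are reported as targets but not validated, since resolving them needs the gateway.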
Openwave UP simulator • Sun Mobility Systems