Encryption
1. Translation Table
2. Word/byte rotation - XOR bit masking
3. Symmetric Key Encryption
Cryptography is used to implement privacy
Two steps involved:
Secure Socket Layer (SSL)
Many websites collect personal information but do not provide details about their information practices or their use of information.
Organizations to regulate privacy practices by developing standard technologies and procedures
Digital Certificates (unique digital ID) can be used to verify the identity of a person, website or JavaScript/ Java applet.
Email and Internet Security
1. Secure Sockets Layer (SSL).
Encryption Export Policy
Secure Electronic Transaction (SET) Protocol
Receiver’s Computer
Electronic Wallet
Financial EDI
Smart Cards
Smart card-based e-cash
Contactless IC Cards
Amplified Remote Sensing Card
Electronic Check Systems
Security First Network Bank (SFNB)
www.echecksecure.com
Encryption
is the conversion of plain text or data into a unintelligible form by means of
a reversible translation.
Decryption
: The inverse operation to encryption.1. Translation Table
- Simplest method.
- Easy to program
- Easy to break
- Refinements : Table rotation; Using several tables
2. Word/byte rotation - XOR bit masking
- If the words or bytes within a data stream are rotated, using multiple and variable direction and duration of rotation in an easily reproducible pattern, a stream of data can be quickly encoded with a method that is nearly impossible to break.
- If the code uses an XOR mask in combination with Word/byte rotation, code breaking becomes more difficult. (bits in certain positions are flipped from 1 to 0 or 0 to 1.)
- Other combinations: Pseudo-random effect.
- Sender and receiver share the same key.
- Highly efficient implementation.
- Only the key decrypts the message,
this assures authentication.
4. Asymmetric Key Encryption
- Most common Based on RSA Data Security Algorithm.
- Based on public keys.
- The public key is published.
- Private key encrypts the information.
- Public key decrypts the information.
- Requires more computation than symmetric method.
- High Security for short messages
Confidentiality
Confidentiality has two aims:- To use the digital signature or encrypted hash function to authenticate the identity of the sender.
- To protect the content of the message from eyes other than those of the intended recipient.
Cryptography is used to implement privacy
- Encoded message has no apparent meaning.
Two steps involved:
- In the first step, a clear message is
encrypted.
- The reverse aspect is the deciphering by the recipient.
Secure Socket Layer (SSL)
- Developed by Netscape for
transmitting private documents via theInternet
- Both supported by Netscape Navigator
and Internet Explorer
- Many websites use SSL to obtain confidential user information, such as credit card number.
Many websites collect personal information but do not provide details about their information practices or their use of information.
- Very few have disclosure notice to inform children to obtain parental permission before divulging personal information about themselves or their families.
Organizations to regulate privacy practices by developing standard technologies and procedures
- Government
- Industry Self-Regulation : Platform for Privacy Preferences Project (P3P), http://www.w3c.org/P3P/; TRUSTe, http://www.truste.org/; Better Business Bureau Online
Authentication
Authentication
is the process of identifying an individual or a message usually based on
username and password or a file signature.
Authentication
is distinct from authorization
- Log-in Passwords
- Weak method with short passwords
- Features commonly used to identify and
authenticate an user:: Something the user knows (e.g.
password).; Something the user has (e.g. token,
smartcard).; Something that is part of the user
(e.g. fingerprint).
Digital
Signature
A
digital signature is a code attached to an electronically transmitted message
to identify the sender. - The sender composes the document.
- The sender uses a hash algorithm to
create a “one-way”hash.
- The user uses his or her private part of
a public key system to encrypt the one-way hash to create the digital
signature.
- The sender then combines the original
document with the digital signature to create a new signed document and send it
to the receiver
- The receiver separates the document from its signature.
- The receiver decrypts the digital signature using the sender public key.
- The receiver applies the hashing algorithm to the original electronic document to produce a new one-way-hash.
Authorization
Gives
someone permission to do or have something.- Role or privileges based system.
- Access lists to hardware, programs,
data
Integrity
Integrity of data during transmission
and storage
- Content of transaction is not altered
by unauthorized users
In traditional network environment,
integrity is presented in
- Control Redundancy Check (CRC) : Addresses the tampering or loss of
information during a transfer; File is submitted to an algorithm that
generates a unique numberfor the message; On the receiving end, the file is processed
again with the same algorithm, the number generated is compared with the
original
- Secure Hash Algorithm (SHA-1) : Developed by National Institute of Standards
and Technology as afederal information processing standard.; Takes a message as input with a maximum
length of < 264bits.; Produces a 160-bit message digest output.; Every bit in the hash code is a function of
every bit of the input message
- RSA’sMessage Digest (MD5) : Developed by Ron Rivestand supported by RSA security (the most trusted names in e-security).; Netscape Navigator supports RSA’salgorithm and Microsoft Internet Explorer contains RSA’slicensed security software.; MD5 is most widely used secure hash algorithm.; Generates 128-bit message digest (however, not enough to resist brute force hacking)
- RIPEMD-160 :Developed in Europe.; Originally 128-bit algorithm, extended
160-bit
Auditing
As
no system will ever be completely secure, policies need to be devised where
unauthorized usage will not occur.
Nonrepudiation
“Nonrepudiationis
a proof that a message has been sent or received.”
“Nonrepudiationis
specially important for the secure completion of online transactions.”
Digital Certificates (unique digital ID) can be used to verify the identity of a person, website or JavaScript/ Java applet.
- Individual or business applies for a digital certificate from a certificate authority (CA)
- A verifies the identity of the requester and issues an encrypted digital certificate
- CA makes its own public key readily available through print publicity or on the Internet.
- Use X.509 standard, approved by International Telecommunication Union (ITU)
The certificate always include:
- Public key.
- The name of the entity.
- Expiration date.
- The name of the certification authority (CA).
- The digital signature of the CA.
- A serial number
Email and Internet Security
- Secure Sockets Layer (SSL).
- Secure Electronic Transactions (SET).
- Password Authentication Protocol/ Challenge Handshake Authentication Protocol(PAP/CHAP).
- Private Communications Technology (PCT).
- S/MIME
- Pretty Good Privacy (PGP).
1. Secure Sockets Layer (SSL).
- Created by Netscape
- Widely used
- Messages are contained in a program layer between an application and the Internet’s TCP/IP layers
- Uses RSA’sencryption system
- Uses temporary shared keys
- Implement Certificate Authorities (CA)
- Client and server certificates
2. Secure Electronic Transactions (SET)
- Enables the use of electronic payment methods and provides assurance about the identification of customers, merchants and banks.
- Industry protocol.
3. PAP/CHAP (password authentication protocol / challenge handshake authentication protocol.
- Commonly used with PPP (point-to-point protocol) connections. : The router (peer)at one end of the link transmits a user name and password pair.; The router (authenticator) at the other end determines whether it will accept this as identifying a valid user.
- With PAP the password is sent as open text, with CHAP is encrypted.
- With CHAP the authentication is repeated every 10 minutes, with PAP only at connection time.
4. Private Communications Technology (PCT).
- Microsoft Initiative.
- Symmetric encryption.
- Authenticates of server to client via
certificate or CA.
- Verifies message integrity with hash
function message digests
- Can be implemented with HTTP and FTP.
- Similar to Netscape’s SSL : Allows a stronger encryption
5. Secure multipurpose Internet mail
extensions (S/MIME).
- Secure method of sending e-mails.
- Based on MIME : Authentication, message integrity and non-repudiation of origin (digital signature), privacy and data security (encryption).;
- An IETF (Internet Engineering Task Force) standard –RFC 1521
6. Pretty Good Privacy (PGP)
- World’s de facto standard.
- Freeware (There is also a commercial
version).
Virtual
Private Network
A
virtual private network (VPN) is a network available when the user needs it.
- The node can join the network for any
desired function at any time, for any length of time (on-demand networking)
- Common approach: tunnel IP within IP,
with some layer in betweento provide the on-demand management.
- Two technologies: IP Security Protocol (IPSec).; Layer Two Tunneling Protocol (L2TP)
- Transport Layer Security (TLS) is used
for encapsulation of various higher-level protocols.
Encryption Export Policy
- Regulations affect the global use of
encryption techniques.
- Companies are allowed to export
encryption items (but with weak encryption)
- Encryption classified as a weapon
Electronic
Credit Card System on the Internet
The Players
The Players
- Cardholder
- Merchant (seller)
- Issuer (your bank)
- Acquirer (merchant’s financial institution, acquires the sales slips)
- Brand (VISA, Master Card)
Secure Electronic Transaction (SET) Protocol
- The message is hashed to a prefixed length of message digest.
- The message digest is encrypted with the sender’s private signature key, and a digital signature is created.
- The composition of message, digital signature, and Sender’s certificate is encrypted with the symmetric key which is generated at sender’s computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
- The Symmetric key itself is encrypted with the receiver’s public key which was sent to the sender in advance. The result is a digital envelope.
Receiver’s Computer
- The encrypted message and digital envelope are transmitted to receiver’s computer via the Internet.
- The digital envelope is decrypted with receiver’s private exchange key.
- Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender’s certificate.
- To confirm the integrity, the digital signature is decrypted by sender’s public key, obtaining the message digest.
- The delivered message is hashed to generate message digest.
- The message digests obtained by steps 8 and 9 respectively, are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
Electronic Wallet
- Keep customer’s certificate in his or her PC or IC card
- A consortium of companies including Visa, MaterCard, JCB, and American Express : established a company called SETCo.; performs the interoperability test and issues a SET Mark as a confirmation of interoperability
- IC card allows customers to use the
embedded certificate on any computer with reader attached: contact IC card or contactlessIC card
Secure Electronic Transaction (SET)
- Complex
- SET is tailored to the credit card
payment to the merchants.
- SET
protocol hides the customer’s credit card information from merchants, and also
hides the order information to banks, to protect privacy. This scheme is called
dual signature.
Secure Socket Layer (SSL)
- Simple
- SSL
is a protocol for general-purpose secure message exchanges (encryption).
- SSL
protocol may use a certificate, but there is no payment gateway. So, the
merchants need to receive both the ordering information and credit card
information, because the capturing process should be initiated by the
merchants.
Electronic
Fund Transfer
Electronic Fund Transfer on the
Internet
- transfer a money value from one bank
account to another in the same or different account
- has been used since 70s through automated clearinghouses (ACHs) : dedicated financial VAN links the banks through ACHs.; customer link to the bank’s server by a dial-up connection.; security of VAN is higher than the Internet
- Internet-based EFT today
- require connection between
cyber-banks and security protection : payment gateways are developed
Debit
Cards
- A delivery vehicle of cash in an
electronic form
- also known as check card : credit card -pay later.; debit card -pay now, immediately
deducted from you checking or saving account
- many ATM cards has the features of a
debit card
Financial EDI
- It is an EDI used for financial
transactions :EDI is a standardized way of
exchanging messages between businesses.;EFT can be implemented using a
Financial EDI system
- Safe Financial EDI needs to adopt a
security scheme used for the SSL protocol
- Extranet encrypts the packets
exchanged between senders and receivers using the public key cryptography
Electronic
Cash and Micropayments
Stored Value Cards and Electronic Cash
- small transaction.
- minimum chargeof credit cards
- The concept of e-cash is used in the non-Internet environment
- Plastic cards with magnetic stripes (old technology)
- Includes IC chips with programmable functions on them which makes cards “smart”
- One e-cash card for one application
- Recharge the card only at designated
locations, such as bank office or a kiosk. : Future: recharge at your PC.; e.g. Mondex& VisaCash
Mondex
Makes Shopping Easy
- Shopping with Mondex
- Adding money to the card
- Payments in a new era of electronic
shopping
- Paying on the Internet
- Shopping with Mondex
- Adding money to the card Payments in a
new era of electronic shopping
- Paying on the Internet
Electronic
Money
DigiCash
- The analogy of paper money or coin : electronic bills, each with a unique
identification.; prevent duplication of bills
- Expensive, as each payment transaction must be reported to the bank and recorded
- Conflict with the role of central bank’s bill issuance
- Legally, DigiCash is not supposed to
issue more than an electronic gift certificate even though it may be accepted
by a wide number of member stores
Stored Value Cards
- No issuance of money–Debit card a
delivering vehicle of cash in an electronic form
- Either anonymous or onymous
- Advantage of an anonymous card : the card may be given from one person to another
Smart card-based e-cash
- Can be recharged at home through the
Internet
- Can be used on the Internet as well
as in a non-Internet environment
Ceiling of Stored Values
- To prevent the abuse of stored values in money laundry
- S$500 in Singapore; HK$3,000 in Hong
Kong
Multiple Currencies
- Can be used for cross border payments
Contactless IC Cards
Proximity Card
- Used to access buildings and for
paying in buses and other transportation systems
- Bus, subway and toll card in many
cities
Amplified Remote Sensing Card
- Good for a range of up to 100 feet,
and can be used for tolling moving vehicles at gates
- Pay toll without stopping (e.g.
Highway 91 in California)
Electronic
Check Systems
Electronic Check Systems
- high processing cost for paper checks, which is the most popularpayment method for remote payees
- expect to becomemajor payment medium in B2B
- security features are basically the same as SET : encryption, digital signature, and certificates
- usage procedures are different from SET
Electronic Checkbook
- Counterpart of electronic wallet
- To be integrated with the accounting information system of business buyers and with the payment server of sellers
- To save the electronic invoice and receipt of payment in the buyers and sellers computers for future retrieval.
- Example : SafeCheck
- Used mainly in B2B
Integrating
Payment Methods
Two potential consolidations:
- The on-line electronic check is merging with EFT
- The electronic check with a
designated settlement date is merging with electronic credit cards
- First cyberbank
- Lower service charges to challenge the service fees of traditional banks
- VisaCash is a debit card
- ePay is an EFT service
Links
www.echeck.orgwww.echecksecure.com
www.safecheck.com
www.ecoin.com
www.mondex.com
www.paypal.comperson-to-person payments
www.c2it.comCitibank
www.ecoin.com
www.mondex.com
www.paypal.comperson-to-person payments
www.c2it.comCitibank
http://www.aect.cuhk.edu.hk/~ect7010/Materials/Lecture/Lec4.pdf
