Bài giảng E-Business and e-Commerce - Chapter 7: Computer and Network Security

Chapter 7 – Computer and Network SecurityOutline7.1 Introduction7.2 Ancient Ciphers to Modern Cryptosystems7.3 Secret-key Cryptography7.4 Public Key Cryptography7.5 Key Agreement Protocols7.6 Key Management7.7 Digital Signatures7.8 Public Key Infrastructure, Certificates and Certification Authorities7.9 Cryptoanalysis7.10 Security Protocols 7.10.1 Secure Sockets Layer (SSL) 7.10.2 Secure Electronic Transaction™ (SET™)7.11 Security Attacks7.12 Network Security 7.12.1 Firewalls 7.12.2 Kerberos 7.12.3 BiometricsChapter 7 – Computer and Network SecurityOutline7.13 Steganography7.1 IntroductionInternet securityConsumers entering highly confidential informationNumber of security attacks increasingFour requirements of a secure transactionPrivacy – information not read by third partyIntegrity – information not compromised or alteredAuthentication – sender and receiver prove identitiesNon-repudiation – legally prove message was sent and receivedAvailabilityComputer systems continually accessible7.2 Ancient Ciphers to Modern CryptosystemsCryptographySecures information by encrypting itTransforms data by using a keyA string of digits that acts as a password and makes the data incomprehensible to those without itPlaintext – unencrypted dataCipher-text – encrypted dataCipher of cryptosystem – technique for encrypting messagesCiphersSubstitution cipherEvery occurrence of a given letter is replaced by a different letter7.2 Ancient Ciphers to Modern CryptosystemsTransposition cipherShifts the ordering of lettersModern cryptosystemsDigitalKey length – length of string used to encrypt and decrypt7.3 Secret-key CryptographySecret-key cryptographySame key to encrypt and decrypt messageSender sends message and key to receiverProblems with secret-key cryptographyKey must be transmitted to receiverDifferent key for every receiverKey distribution centers used to reduce these problemsGenerates session key and sends it to sender and receiver encrypted with the unique keyEncryption algorithmsDunn Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES)7.3 Secret-key CryptographyEncrypting and decrypting a message using a symmetric key7.3 Secret-key CryptographyDistributing a session key with a key distribution center7.4 Public Key CryptographyPublic key cryptographyAsymmetric – two inversely related keysPrivate keyPublic keyIf public key encrypts only private can decrypt and vice versaEach party has both a public and a private keyEither the public key or the private key can be used to encrypt a messageEncrypted with public key and private keyProves identity while maintaining securityRSA public key algorithm www.rsasecurity.com7.4 Public Key CryptographyEncrypting and decrypting a message using public-key cryptography7.4 Public Key CryptographyAuthentication with a public-key algorithm7.5 Key Agreement ProtocolsKey agreement protocolProcess by which parties can exchange keysUse public-key cryptography to transmit symmetric keysDigital envelopeEncrypted message using symmetric keySymmetric key encrypted with the public keyDigital signature7.5 Key Agreement ProtocolsCreating a digital envelope7.6 Key ManagementKey managementHandling and security of private keysKey generation The process by which keys are createdMust be truly random7.7 Digital SignaturesDigital signatureAuthenticates sender’s identityRun plaintext through hash functionGives message a mathematical value called hash valueHash value also known as message digestCollision Occurs when multiple messages have same hash valueEncrypt message digest with private-keySend signature, encrypted message (with public-key) and hash functionTimestampingBinds a time and date to message, solves non-repudiationThird party, timestamping agency, timestamps messags7.8 Public Key Infrastructure, Certificates and Certification AuthoritiesPublic Key Infrastructure (PKI)Integrates public key cryptography with digital certificates and certification authoritiesDigital certificateDigital document issued by certification authorityIncludes name of subject, subject’s public key, serial number, expiration date and signature of trusted third partyVerisign (www.verisign.com)Leading certificate authorityPeriodically changing key pairs helps security7.9 CryptoanalysisCryptoanalysisTrying to decrypt ciphertext without knowledge of the decryption keyTry to determine the key from ciphertext7.10 Security ProtocolsTransaction security protocolsSecure Sockets Layer (SSL)Secure Electronic Transaction™ (SET™)7.10.1 Secure Sockets layer (SSL)SSLUses public-key technology and digital certificates to authenticate the server in a transactionProtects information as it travels over InternetDoes not protect once stored on receivers serverPeripheral component interconnect (PCI) cardsInstalled on servers to secure data for an SSL transaction7.10.2 Secure ElectronicTransaction™ (SET™)SET protocolDesigned to protect e-commerce paymentsCertifies customer, merchant and merchant’s bankRequirementsMerchants must have a digital certificate and SET softwareCustomers must have a digital certificate and digital walletDigital walletStores credit card information and identificationMerchant never sees the customer’s personal informationSent straight to banksMicrosoft AuthenticodeAuthenticates file downloadsInforms users of the download’s author7.11 Security AttacksTypes of security attacksDenial of service attacksUse a network of computers to overload servers and cause them to crash or become unavailable to legitimate usersFlood servers with data packetsAlter routing tables which direct data from one computer to anotherDistributed denial of service attack comes from multiple computersVirusesComputer programs that corrupt or delete filesSent as attachments or embedded in other filesWormCan spread itself over a network, doesn’t need to be sent7.11 Security AttacksTypes of virusesTransient virusAttaches itself to specific programIs run every time the program is runResident virusOnce loaded operates for duration of computer’s useLogic bombTriggers when a given condition is met, such as clock on computer matching a specified timeTrojan horseMalicious program that hides within a friendly programWeb defacingHackers illegally change the content of a Web site7.11 Security AttacksAnti-virus softwareReactive – goes after already known viruseswww.mcafee.comVirusScan scans to search computer for virusesActiveShield checks all downloadswww.symantec.comAnother virus software distributorComputer Emergency Response Team (CERT®)Responds to reports of viruses and denial of service attacksProvides CERT Security Improvement Modules7.12 Network SecurityNetwork securityAllow authorized users accessPrevent unauthorized users from obtaining accessTrade-off between security and performance7.12.1 FirewallsFirewallProtects local area network (LAN) from outside intrudersSafey barrier for data flowing in and outProhibits all data not allowed or permits all data not prohibitedTypes of firewallsPacket-filtering firewallsRejects all data with local addresses from outsideExamine only the source of the contentApplication level firewallsAttempt to scan data7.12.2 KerberosKerberosUses symmetric secret-key cryptography to authenticate users in a networkAuthenticates a client computer and that computer’s authority to access specific parts of the network7.12.3 BiometricsBiometricsUses unique personal information to identifyExamples are fingerprints, eyeball iris scans or face scans7.13 SteganographySteganographyPractice of hiding information within other informationDigital watermarksHidden within documents and can be shown to prove ownership7.13 SteganographyExample of a conventional watermarkCourtesy of Blue Spike, Inc.7.13 SteganographyAn example of steganography: Blue Spike’s Giovanni digital watermarking processCourtesy of Blue Spike, Inc.