Chapter 10: Encryption: A Matter of Trust
Mar 26, 2015
Awad – Electronic Commerce 1/e © 2002 Prentice Hall
OBJECTIVES
• What is Encryption?
• Basic Cryptographic Algorithm
• Digital Signatures
• Major Attacks on Cryptosystems
• Digital Certificates
• Key Management
• Internet Security Protocols & Standards
• Government Regulations
WHAT IS ENCRYPTION?
• Based on use of mathematical procedures to scramble data to make it extremely difficult to recover the original message
• Converts the data into an encoded message; a key is required to decode the message
WHAT DOES ENCRYPTION SATISFY?
• Authentication
• Integrity
• Non-repudiation
• Privacy
BASIC CRYPTOGRAPHIC ALGORITHM
• Secret Key
– The sender and recipient possess the same single key
• Public Key
– One public key that anyone may know, used to encrypt
– One private key that only the owner knows, used to decrypt
– Provides message confidentiality
– Proves the authenticity of the message's originator
COMMONLY USED CRYPTOSYSTEMS
• RSA Algorithm
– Most commonly used but vulnerable
• Data Encryption Standard (DES)
– Turns a message into a mess of unintelligible characters
• 3DES
• RC4
• International Data Encryption Algorithm (IDEA)
DIGITAL SIGNATURES
• Transform the signed message so that anyone who reads it can be sure who the real sender is
• A block of data representing a private key
• Serve the purpose of authentication
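An added example (not from the textbook) of the sign-and-verify cycle these bullets describe, using RSA-PSS over a SHA-256 digest from Go's standard library; the function names, the sample order message and the "impostor" key are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes msg with SHA-256 and signs the digest with the sender's
// private key (RSA-PSS). The signature is sent along with the message.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyMessage checks sig against msg with the sender's public key. It returns
// false if even one byte of the message changed or a different key signed it.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	order := []byte("Ship 10 units to account 4471") // constructed sample message
	sig, err := SignMessage(sender, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", VerifyMessage(&sender.PublicKey, order, sig))
	tampered := []byte("Ship 99 units to account 4471")
	fmt.Println("tampered message verifies:", VerifyMessage(&sender.PublicKey, tampered, sig))
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the real sender never used
	fmt.Println("impostor's key verifies:", VerifyMessage(&impostor.PublicKey, order, sig))
}
```

The verifier only ever holds the sender's public key; the private key that produced the signature never leaves the sender.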
MAJOR ATTACKS ON CRYPTOSYSTEMS
• Chosen-plaintext Attack
• Known-plaintext Attack
• Ciphertext-only Attack
• Third-party Attack
DIGITAL CERTIFICATES
• An electronic document issued by a certificate authority (CA) to establish a merchant’s identity by verifying its name and public key
• Includes holder’s name, name of CA, public key for cryptographic use, duration of certificate, the certificate’s class & ID
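An added example (not from the textbook) showing a CA issuing a certificate with the fields listed above and a relying party verifying it, using Go's crypto/x509; NewCert, VerifyAgainstCA, the serial counter and the names "Example Root CA" and "shop.example" are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 // certificate ID counter (constructed for this example)
// NewCert issues a certificate carrying the fields the slide lists: the holder's
// name, the issuing CA's name, the holder's public key, the validity period and an
// ID (serial number). With parent == nil the result is a self-signed CA root.
func NewCert(holder string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // holder's key pair
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: holder},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer := key // self-signed unless an issuing CA is supplied
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey // the CA's key signs the holder's name and public key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// VerifyAgainstCA reports whether leaf was issued by ca and is valid at time now.
func VerifyAgainstCA(leaf, ca *x509.Certificate, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err == nil
}
```

Verification fails once the certificate's duration has elapsed or when the relying party trusts a different CA, which is why the CA name and validity period are part of the certificate.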
CLASSES OF CERTIFICATES
• Class 1
– Contains minimum checks on the user's background
– Simplest & quickest
• Class 2
– Checks for information, e.g. names, SSN, date of birth
– Requires proof of physical address, etc.
CLASSES OF CERTIFICATES (Cont’d)
• Class 3
– You need to prove exactly who you are & that you are responsible
– Strongest
• Class 4
– Checks on things like the user's position in an organization, in addition to class 3 requirements
KEY MANAGEMENT
• Key Generation & Registration
• Key Distribution
• Key Backup / Recovery
• Key Revocation & Destruction
THIRD PARTY SERVICES
• Public Key Infrastructure
– Certification Authority
– Registration Authority
– Directory Services
• Notary Services
• Arbitration Services
INTERNET SECURITY PROTOCOLS & STANDARDS
• Web Application
– Secure Socket Layer (SSL)
– Secure Hypertext Transfer Protocol (S-HTTP)
• E-Commerce
– Secure Electronic Transaction (SET)
• E-Mail
– PGP
– S/MIME
SSL
• Operates between application & transport layers
• Most widely used standard for online data encryption
• Provides services:
– Server authentication
– Client authentication
– Encrypted SSL connection
S-HTTP
• Secures individual web transactions only
• Provides transaction confidentiality, integrity & non-repudiation of origin
• Able to integrate with HTTP applications
• Mainly used for intranet communications
• Does not require digital certificates / public keys
SET
• One protocol used for handling funds transferred from credit card issuers to a merchant’s bank account
• Provides confidentiality, authentication & integrity of payment card transmissions
• Requires customers to have digital certificate & digital wallet
PGP
• Encrypts the data with a one-time symmetric session key, then encrypts that key using public-key cryptography
• Supports public-key encryption, symmetric-key encryption & digital signatures
• Supports other standards, e.g. SSL
S/MIME
• Provides security for different data types & attachments to e-mails
• Two key attributes:
– Digital signature
– Digital envelope
• Performs authentication using X.509 digital certificates
GOVERNMENT REGULATIONS
• National Security Agency (NSA)
• National Computer Security Center (NCSC)
• National Institute of Standards & Technology (NIST)
• Office of Defense Trade Controls (DTC)