2.e Security Ppt(1)

Post on 27-Oct-2014


E-SECURITY

COMPUTER SECURITY

BY

DR. D. SAHU

UTKAL UNIVERSITY

INTRODUCTION

Security encompasses a set of measures and procedures to guard against theft, attack, crime, and sabotage. The goal of computer security is to maintain the integrity, availability, and privacy of information entrusted to the system.

Unauthorized access, revelation, or destruction of data can violate individual privacy. Corruption of business data can result in significant and potentially catastrophic losses to Companies.

In order to build a secure e-Commerce system, we need to employ cryptographic techniques. Cryptography is originally about keeping messages secret.

SECURITY THREATS AND GOALS

1. Unauthorized disclosure of information
2. Unauthorized alteration or destruction of information
3. Unauthorized use of service
4. Denial of service to legitimate users
5. Interruption and disruption of communications

A computer is secure if you can depend on it and its software to behave as you expect.

PENETRATION ATTEMPTS

Logged-on terminal

Passwords

Browsing

Trap doors (secret points of entry without access authorization)

Electronic eavesdropping (electromagnetic pickup of screen radiation)

Mutual trust

Trojan horse (a program may be written to steal user passwords)

Computer worms (programs that attack via a network and deny service)

Computer viruses

Trial and error

E-Security according to consumers means:

• Protection of Personal Information
• Protection of Assets

E-Security according to corporate, government and other institutions means:

• Protection of Information
• Protection of Systems

(* The type of information and systems for corporate, government and other institutions differ.)

E-SECURITY FOR DIFFERENT INSTITUTIONS

VICTIMIZED FIRMS

• Banks
• Financial Companies
• Insurance companies
• Brokerage Houses
• Consultants
• Network Service Providers
• Textile Business
• Wholesale/Retail Traders
• Government Contractors
• Government agencies
• Hospitals
• Medical Laboratories
• Utility Companies
• Universities, etc.

(The list goes on, as no firm is fully immune to e-threats.)

THREATS

• Uncover confidentiality

• Leak Authentication and Access Control

• Conduct ID theft

• Hacking

• Virus

• Client based security threats

• Server based security threats

• Other threats

Security Concerns

Worry 1: I transmit my credit card information over the internet. Can people other than the intended recipient read it?

Worry 2: I agree to pay Rs 10000/- for the goods. Will this payment information be captured and changed by someone on the internet?

Worry 3: This company claims to be company X. Is this the real company X?

The aforementioned worries can be summarized into three security requirements:

1. Confidentiality
2. Integrity
3. Authentication

SECURITY SERVICES

• MESSAGE:

1. CONFIDENTIALITY (SENDER AND RECEIVER EXPECT PRIVACY)
2. INTEGRITY (DATA MUST ARRIVE AT THE RECEIVER EXACTLY AS SENT)
3. AUTHENTICATION (THE RECEIVER NEEDS TO BE SURE OF THE SENDER'S IDENTITY)
4. NONREPUDIATION (A SENDER MUST NOT BE ABLE TO DENY SENDING A MESSAGE THAT HE SENT)

• ENTITY: AUTHENTICATION (USER IDENTIFICATION)

Privacy and Confidentiality: Information must be kept away from unauthorized parties.

Security and Integrity: Message must not be altered or tampered with.

Authenticity: Sender and recipient must prove their identities to each other.

Non-Repudiation: Proof is needed that the message was indeed received.

4 BASIC SECURITY PRINCIPLES
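The integrity and authentication requirements above (Worry 2 and Worry 3) can be checked concretely with a message authentication code. The following is an added example, not code from the original slides: it assumes sender and receiver already share a secret key, and the payment message `ORDER` is constructed for illustration.

```python
"""Integrity and authentication of a payment message with HMAC-SHA256.

Added example (not from the original slides). Both parties are assumed to
already share a secret key; the order string below is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample payment message (Worry 2: "I agree to pay Rs 10000").
ORDER = b"order_id=4711;amount=10000;currency=INR;payee=merchantX"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag that binds the message to the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Run the checks a receiver cares about and report each outcome."""
    key = secrets.token_bytes(32)          # shared secret, assumed pre-established
    tag = make_tag(key, ORDER)             # the sender attaches this to the order

    # Integrity: the untouched message verifies.
    genuine_ok = verify_tag(key, ORDER, tag)

    # Integrity: an in-transit change of the amount is detected (Worry 2).
    altered = ORDER.replace(b"amount=10000", b"amount=90000")
    tampering_detected = not verify_tag(key, altered, tag)

    # Authentication: a party without the key cannot produce a valid tag (Worry 3).
    forged_tag = make_tag(secrets.token_bytes(32), ORDER)
    forgery_detected = not verify_tag(key, ORDER, forged_tag)

    # Confidentiality is NOT provided: the order text stays readable. Worry 1
    # needs encryption, which the cryptography slides below cover.
    return {
        "genuine_ok": genuine_ok,
        "tampering_detected": tampering_detected,
        "forgery_detected": forgery_detected,
        "message_still_readable": b"amount=10000" in ORDER,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The tag gives the receiver integrity and (because only key holders can compute it) authentication, but not non-repudiation: either party could have produced it, which is why the digital signatures slide later turns to public-key methods.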

BASIC E-SECURITY TIPS

Use a firewall

Use virus protection software

Use strong passwords

Back up your files on a regular basis

Do not keep a computer online when not in use

Do not open e-mail attachments from strangers

Disable scripts
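Two of the tips above, "Use strong passwords" and resisting the "Trial & Error" penetration attempt listed earlier, can be enforced on the server side. The following is an added example, not code from the slides: `CredentialStore`, `is_strong` and the lockout threshold are this example's own choices, and the user record is constructed.

```python
"""Password policy, salted hashing and guess limiting.

Added example, not from the original slides. CredentialStore and its
lockout threshold are this example's own design; the credentials used at
the bottom are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
HASH_PREFIX = "pbkdf2_sha256"


def is_strong(password: str, min_len: int = 12) -> bool:
    """Minimum policy: length plus at least three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_len and sum(classes) >= 3


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HASH_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        prefix, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if prefix != HASH_PREFIX:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Hash checked for unknown usernames so a lookup miss costs the same time.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class CredentialStore:
    """In-memory user table with a failed-attempt lockout against guessing."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self._users = {}      # username -> stored hash string
        self._failures = {}   # username -> consecutive failed attempts

    def register(self, username: str, password: str) -> None:
        if not is_strong(password):
            raise ValueError("password does not meet the strength policy")
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        if self._failures.get(username, 0) >= self.max_failures:
            return "locked"
        stored = self._users.get(username, _DUMMY_HASH)
        valid = verify_password(password, stored) and username in self._users
        if valid:
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "bad_credentials"


if __name__ == "__main__":
    store = CredentialStore(max_failures=3)
    store.register("alice", "Correct-Horse-9")        # constructed credentials
    print(store.login("alice", "Correct-Horse-9"))    # ok
    for guess in ("password", "123456", "letmein", "Correct-Horse-9"):
        print(store.login("alice", guess))            # three bad, then locked
```

The stored string records its own iteration count, so the work factor can be raised later and old records re-hashed at next login; the lockout turns a trial-and-error attempt into a visible stream of `bad_credentials` results that monitoring can alert on.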

Firewall: A network node consisting of both hardware and software that isolates a private network from public networks.

Secure access (password authentication)

Secure interconnection

Secure personal connection

Secure networking (VPNs)

Secure managed services

Secure Hypertext Transfer Protocol (S-HTTP)

Secure/Multipurpose Internet mail Extensions (S/MIME)

Secure electronic transaction (SET)

Secure socket layer (SSL)

E-SECURITY STANDARDS

Secure socket layer (SSL) A special communication protocol used by Web browsers and servers to encrypt all communications online. This protocol makes secure Web transmissions transparent to end users.

Secure electronic transaction (SET): a set of cryptographic protocols jointly developed by Visa, MasterCard, Netscape, and Microsoft and designed to provide secure Web credit card transactions for both consumers and merchants.

SET is built on top of SSL, so understanding SSL is the foundation for understanding SET. The S-HTTP protocol applies SSL between Web servers and browsers, which otherwise communicate over HTTP. The SSL protocol performs the message exchanges.
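The transparency the text describes ("secure Web transmissions transparent to end users") only holds if the client side of the SSL/TLS connection actually verifies the server's certificate and refuses obsolete protocol versions. The following is an added example, not code from the slides or from any standard: it uses Python's `ssl` module, `audit_context` is this example's own checker, and the two builders show a hardened client configuration next to the weak one that silently accepts any server.

```python
"""Auditing a TLS client configuration (TLS is the successor of SSL).

Added example, not from the original slides. audit_context() is this
example's own checker; hardened_client_context() and weak_client_context()
build the configuration to use and the one to avoid.
"""
import ssl
from typing import List, Optional


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server certificate and hostname; allow TLS 1.2 and newer only."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration to avoid: any certificate is accepted, so a party on
    the network path can impersonate the server (Worry 3 above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of weaknesses found; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is not pinned to TLS 1.2 or newer")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

Without certificate verification the channel is still encrypted, but it is encrypted to whoever answered the connection, which satisfies Worry 1 while leaving Worry 3 open.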

CRYPTOGRAPHY

Cryptography is the science of using mathematics to encrypt and decrypt data.

It is of two categories:

• Symmetric encryption / secret key cryptography (uses the same key for encryption and decryption)
• Asymmetric encryption / public key cryptography (uses a public key and a private key)

• Data Encryption Standard (DES): a symmetric algorithm designed by IBM for the U.S. Government in 1977. It is based on a 56-bit key. It is reasonably secure, since breaking it requires exhaustively trying all possible keys, which takes a long time even with fast computers. It applies its transformation to 64-bit blocks of the binary-encoded data.

Data that can be read and understood without any special measures is called plaintext or cleartext. The method of disguising plaintext in such a way as to hide its substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption.

Plain Text → Encryption → Cipher Text → Decryption → Plain Text

The RSA algorithm, named for its creators Ron Rivest, Adi Shamir, and Leonard Adleman, is currently one of the favorite public key encryption methods.

The RSA Algorithm

Example of how an encrypted message may look after using RSA Algorithm:

Recipient: Bob
Key Encryption Algorithm: rsaEncryption
Encrypted Key: 3D2AB25B1EB667A40F504CC4D778EC399A899C8790EDECEF062CD739492C9CE5 8B92B9ECF32AF4AAC7A61EAEC346449891F49A722378E008EFF0B0A8DBC6E621 EDC90CEC64CF34C640F5B36C48EE9322808AF8F4A0212B28715C76F3CB99AC7E 609787ADCE055839829E0142C44B676D218111FFE69F9D41424E177CBA3A435B
Content Encryption Algorithm: aes128-cbc
IV: 5732164B3ABB6C4969ABA381C1CA75BA
Encrypted Content: 67290EF00818827C777929A56BC3305B

DIGITAL SIGNATURES

• A digital signature is a cryptographic mechanism that performs a function similar to that of a written signature; it is used to verify the origin and contents of a message.

• It may be implemented with RSA public key encryption in a way that provides both security and authentication of the message. To make a DS, a sender encrypts a message with his private key.

• Assuming that B receives a message M signed by A, the digital signature must satisfy the following requirements:

1. It must be possible for B to validate A's signature on M
2. It must be impossible for anyone to forge A's signature
3. It must be impossible for A to repudiate the message M

• Secure transport stacks

• Kerberos

• Secure transactions over the internet

• UNIX security

• Password security systems - one time passwords - smart cards

• Electronic mail

• Server security

• Network security

SECURITY TOOLS

CASE STUDY

Australian Government Initiative

ICICI PRUDENTIAL

CONCLUSION

E-security can never be perfect, because a better system will be broken into by a better cracker.

Solutions?

Better education of people using the system

Better system usage and monitoring

Better enforcement and legislation without infringing on privacy

“The price of freedom is eternal vigilance”

Reference Books

Operating Systems by Milan Milenkovic

Data Communications & Networking by B. A. Forouzan

Electronic Commerce by Turban, Lee, King & Chung

Electronic Commerce by Chan, Lee, Dillon & Chang