E-business Infrastructure and Security

E-business Infrastructure and Security

Ron Cenfetelli

History of the Internet

Telegraph, the Victorian “Internet”

Telephone “Internet”– T-Carrier Systems (e.g. “T1”) for voice

and data– Teletypes– Compuserve, Prodigy in the late 80’s

• Member ID: 70314.2261

– Bulletin board systems (BBS)– BITNET (non-IP based among universities)

History of the InternetThe Development of the Internet– In 1969, the U.S. Department of Defense’s

Advanced Research Projects Agency (ARPA) established ARPANET

– The network had no central point and a message could be sent from one point to another through any number of routes. Computers exchanged

information according to standards agreed upon by all participants, with no one person, institution, or organization

“in charge.”

Dr. J.C.R. Licklider

A message can be thought of as a short sequence of “bits” flowing through the network from one multiaccess computer to another. It consists of two types of information: control and data. Control information guides the transmission of data from source to destination. ... In short, the message processors function in the system as traffic directors, controllers, and correctors.

-Licklider & Taylor 1968

History of the Internet– In 1986, the US National Science Foundation

created a national network for university communications, which developed into NSFNET (based on TCP/IP) with a dazzling fast 56 kbps backbone.

– The linking of NSFNET and ARPANET (and other growing parallel networks) became the modern Internet

History of the Internet– In the late 1980’s, the Internet was opened up beyond defense

and academia to include business uses.

– 1993: Tim Berners-Lee invents the World Wide Web.

• First user-friendly WWW browser (Mosaic/Netscape) was invented by Marc Andreessen.

• This greatly simplified communication and use by the masses

– 0 to 65 million users in 1.5 years

• “Business Killed the Internet Dead”

Feb 1996

http://www.time.com/time/magazine/list/0,11627,1101960219,00.html

Growth in the Internet Population(% of Americans who go online) – source Pew Internet and American Life Foundation

Internet usage, Canada & US

January 16, 2008“Internet penetration continues to show signs of hitting a plateau. The percentage of former users who say they have no intention of going back online continues to increase, and less than half of those who have never used the Internet plan to log on in the coming year. “

Digital Divide?

Age, Education, Income and Location appear to be highly predictive of broadband access

Internet Infrastructure

Company A

Intranet

Person 2

POPT1 line

Phone line

NAP

T3 line

Backbone

Internet

ISP

Inside the Public Internet:

• Underlying Technology and Basic Capabilities of the Infrastructure o Internet: A Network of Networkso Interconnected Packet-Switching Networkso IP: Software to Create a Virtual Networko TCP: Software for Reliable Communicationo Clients + Serverso Names for Computerso Services

Internet: A Network of Networks

Although claimed to be a network of equals, there is in fact a hierarchy of communication networksInternet Service Providers (ISPs) - Points of Presence (POP) on the Internet. They have a permanent IP address and necessary hardware to access the net. (Ex: Shaw, UUNET/Verizon)

Regional/National Networks– Example: BCNET

• http://www.bc.net/about_bcnet/what_is_bcnet.htm

Metropolitan Area Exchange – where the major networks “peer” and exchange traffic either mutually or fee-based

vBNS - Very High Speed Backbone network. Ex: www.canarie.ca (10Gbps)

So while the Internet was originally envisioned and designed to be a “mesh” of nodes, in reality, there exist major “superhighways” where heavy traffic flows between networks.

Internet: A Network of Networks

Source: Fitzgerald & Dennis

http

://w

ww

.cai

da.o

rg/t

ools

/vis

uali

zati

on/w

alru

s/ga

ller

y1/r

ies-

t2.p

ng

Bus

ines

sWee

k: 1

5 Ja

n 20

07

IP Addresses and the Domain Name System (DNS)

From ARPANET days: The idea that humans can better remember a name (sauder.ubc.ca) than some random set of digits (137.82.66.178)– A good thing for e-business!

Internet Protocol (IP) address:– Unique logical address for each device (e.g. your laptop) on the network– Used by routers to direct messages– Example: 137.82.66.178

Host server name– Human readable address– Example: www.sauder.ubc.ca

Every device on the Internet must have a unique IP address (kinda/sorta)

IP Addresses and DNS

Domain name service (DNS) – Dynamically translates IP addresses to named host

server, and back and maintains a current table of such translations

– Builds on hierarchical domain name space (e.g., www.sauder.ubc.ca)

– Top level: .com, .edu, .ca, .gov, .org, etc.• Generic (gTLD) for organizations and functions (.com)• Country code (ccTLD) for nations (.ca, .us, .it…)• Overall managed by ICANN. Country codes are managed

as determined by each country.

More on IP AddressesFour 8 bit addresses = 32 bits = 2^32 = 4.3 Billion possible unique addresses (IPv4)– Not completely true. Inefficiencies due to “block” assignments of first IP

“octet” (e.g. UBC’s 137). Actually 3.7 billion.

A looming shortage of addresses! – The number of available IPv4 addresses (http://www.bgpexpert.com/addrspace2007.php):

• 2007: 1.3 billion, 64.9% utilization • 2008: 1.1 billion, 69.7% utilization

– See “A coming real estate crunch on the Net” on WebCT– Thus IPv6 – 128 bits

• Billions and billions of addresses (a trillion trillion trillion to be exact)

Internet: Client/Server Paradigm

It is service-oriented, and employs a request-response protocol

One type of server is the Domain Name Server. These are used to translate domain names to IP addresses– A computer only needs to know the location of one DNS– A dozen or so “Root” servers maintain worldwide consistency

of Domain to IP address

The Client-Server ParadigmA server process, running on a server host, provides access to a service.A client process, running on a client host, accesses the service via the server process.The interaction of the process proceeds according to a protocol.

...

s e rvic e re que s t

a s e rve r pro c e s s

a c l ie nt pro c e s s

a s e rvic e

The C l i e nt -Se r ve r P ar adi g m , c o nc e ptual

Se r ve r ho s t

C l i e nt ho s t

Protocols

The language the nodes on a network use to communicate with each other.– Analogy: We may agree to speak in English with

certain grammatical rules.

Protocol Examples

TCP - Transport Control ProtocolIP - Internet Protocol e-mail (Simple Mail Transfer Protocol, SMTP) file transfer (File Transfer Protocol, FTP) All are packet based

Putting Client/Server and Protocols Together

A protocol/service session within the Client/Server model– Session: the interaction between the server and one client. – The service managed by a server may be accessed by multiple

clients who desire the service, sometimes concurrently. – Each client, when serviced by the server, engages in a separate

session with the server, during which it conducts a dialog with the server until the client has obtained the service it required

Example

The dialog in each session follows a pattern prescribed in the protocol specified for the service.

World Wide Web session:

Client: Hello, <client address> here.

Server: Okay. I am a web server and speak protocol HTTP4.0.

Client: Great, please get me the web page index.html at the root of your document tree.

Server: Okay, here’s what’s in the page: (contents follows).

Internet Protocol – TCP/IPThe TCP/IP protocol defines the interface between the physical infrastructure (streets, intersections) and the data flow (cars)TCP = Transport Control Protocol– Asking another device on the network if it is willing to accept information

from the local device, receipt confirmation– Splits messages in PACKETS and assembles them back in proper

sequence

IP = Internet Protocol– Approximately two hundred byte packets. IP labels the packet with

source/destination address and contents.– Has rules for routing message packets – Handles the correct addressing

TCP: Reliable CommunicationProblem: Packet-switched networks can be overrun, bottlenecks, routers go down, etc.

Network DNetwork C

Network A

Network B

Router

Router

Router Router

TCP Helps IP Guarantee DeliveryTransmission Control Protocol: Whereas IP manages addressing and routing, TCP manages successful delivery between hosts

– “Catches” all of the packets sent by IP.

– Reassembles the packets in the proper sequential order

– Makes sure all of the data has arrived.

• If not, TCP sends a request to the server requesting the missing packet be resent.

– Upon completion of reorganizing the data, TCP allows the data stream to viewed.

More on TCP/IP

TCP/IP is TCP and IP working together– TCP takes care of the communication between your

application software (i.e. your browser) and your network software.

– IP takes care of the communication with other computers.– TCP is responsible for breaking data down into IP packets

before they are sent, and for assembling the packets when they arrive. Also reliable delivery.

– IP is responsible for sending the packets to the receiver.– Analogy: TCP is like a Taxicab Dispatcher, IP is like a Taxicab

A “Packet”

Routers

POP

NAPInternet

Routers

RoutersRouters are what truly make the Internet what it is

– They route IP message traffic between other routers

– They can connect separate networks even those with different network protocols (Ethernet, Token-ring).

– They allow for multiple paths /router chooses the “best” path or route (“Dynamic” instead of static). Routers use a routing table of possible paths. Dynamic refers to the changing nature of this table. Analogous to getting updated traffic reports.

• If a relied-upon router goes down, an alternative path is found

– With TCP/IP, routers can send a single message around multiple paths and the packets that make up that message can arrive out of sequence. TCP/IP puts everything back in order. Packets can travel independently of one another to the destination.

– This might help to explain why VOIP sounds like it does

TCP/IP – Organized Chaos

Brad sends “HELLO” to Al

Al

H

EL

L

O

PacketRouter

Internet World Wide Web

Internet = A “network of networks” encompassing millions of computers linked via a variety of means (fiber, wireless, etc.) using various protocolsWWW = A method of accessing information that uses a specific protocol (e.g. HTTP) for sharing “pages”, graphics and other multimedia using browsers and “hyperlinks”

Internet WWW

HTML

HyperText Markup Language (HTML) specifies how to author web pages on the WWW.Consists of predefined <tags>– <b> start bold font; </b> stop bold font– <table> start a new table; </table> end table

Cascading style sheets (CSS)– Specify classes with style attributes. More advanced than

HTML

http://images.google.com/imgres?imgurl=www.stars.com/Authoring/HTML/4/Tags/wdvlmap.gif&imgrefurl=http://www.stars.com/Authoring/&h=194&w=157&prev=/images%3Fq%3DHTML%26num%3D20%26hl%3Den

Web Protocol - HTTPHyperText Transfer ProtocolDefines how messages are formatted and transmitted on the WWWDescribes what actions Web servers and browsers should take in response to various commandsA request/response paradigmHTTP is a connectionless and stateless protocol

Dealing with a lack of Connection & StateHTTP is a connectionless and stateless protocol– No “knowledge” of prior transmissions/transactions

An IP address is an imperfect means of identifying a user and their current state.“Workarounds” have been developed – ActiveX, Java, JavaScript and cookies – Ex: Cookies

• a “message” stored on the user’s harddrive holding information about the user. Exchanged between the browser and a server.

• Purpose: to identify repeated users and prepare customized pages for them

Cookies

Example:

www.msblabs.org FALSE /tools/scratch-pad/ FALSE1227994064 data Ron%20is%20leaving%20a%20cookie

Try it out at http://www.msblabs.org/tools/scratch-pad/index.php

Search for “cookies.txt” file under Documents and Settings

Web 2.0 – Moving beyond HTML

As noted, a collective term for the enhancement of social aspectsBut also includes the technology and standards to facilitate interactivity and dealing with a lack of connection & state– Ex: Ajax for improved response to address “stateless” issues

• Asynchronous Javascript with XML • The “old fashioned” way: For every request made by a user, a new web

page has to be loaded• With Ajax, HTML is generated locally allowing exchange of just the

relevant information updates– Ex: Google Maps

A “Mashup” of Google Maps and Craigslist

A classic example of Web 2.0: www.housingmaps.comThe social platform of Craigslist

+ The AJAX interactivity of Google Maps

= A forum for finding relevant rentals nearby

A summary of Internet InfrastructureAlthough a remarkable phenomenon, the Internet is still operating on essentially the same technology as 40 years agoRenovations planned:– IPv6: more addresses– Continual use of “add-ons” such as AJAX

But still the same basic technology, just faster and more ubiquitous

Security

Why Security Matters to e-Business

Peter Steiner -p. 61, The New Yorker, (July 5, 1993)

Wednesday, 2 January 2008,

Malware marries Web 2.0

“Where human beings solve the puzzles the viruses cannot."

See link On WebCT

Security in the Physical World

Lock

Security forces

Safe

Signature

Physical barriers

Fingerprint

Seal

Contract

E-business Security Needs

ConfidentialityAuthentication– Ability to verify the identity of people/organizations

Data/Message Integrity– Ensuring communications were not modified in transit/storage

Nonrepudiation – Parties cannot deny a communication

• Proof that the sender sent and proof that the receiver received

A Simulation…

Let’s pretend that each of us in the room is a node on the Internet. – Just like the real Internet, messages are sent from a sender

to a receiver via the intermediate nodes. Each intermediate node helps pass along a packet to its destination.

– All messages being transmitted must go through a physically adjacent node

– As a result, each message is viewable by each node (as is the case in the real world Internet!)

TCP/IP –Organized Chaos

Brad sends “HELLO” to Al

Al

H

EL

L

O

PacketRouter

A Simulation…I’ll post these slides after 30JAN

e-Business Security Needs

ConfidentialityAuthentication– Ability to verify the identity of people/orgs.



• Proof that the sender sent and proof that the receiver received• Non-repudiation is a property achieved through cryptographic methods

which prevents an individual or entity from denying having performed a particular action related to data

Asymmetric Keys and PKIAsymmetric Keys and PKI

Asymmetric

Keys

and PKI

Asy

mm

etric

Key

s an

d P

KI

Message Integrity – Threats & Solutions

Old world solutions– Seal

Digital world solutions– Hashing

Internet solutions– Hashing– Digital signatures (also addresses the problem of

authentication!)

PKI Components: Digital Signature

Encrypted with a private key and attached like a signature to a hashed message, to ensure authentication, message integrity and non-repudiation.

Hashing

Another use of “one way” functions!You can start from the same data and get the same result, but it is nearly impossible to work backwardsA hash forms a “message digest” of the data. A smaller versionHowever, the values for the one way hash function are not secret

Hash Example

We could choose an algorithm “Sum (mod 12)”123 222 143 212 (four 8 bit characters)Sum = 700, mod 12 4“4” is the hash (or checksum)

Hashingmessage Hashing

algorithmA valuesay X

message

X=Hash Value

message

X

Hashing algorithm

Y

Sender

Receiver If X = Y, message sent and received are the same.

message

X

PKI Components:Digital Signature (cont.)

Note how the private/public key process is reversed!Cleartext message

Computedigest from

hashingalgorithm

Sender encryptswith his private key

EncryptDigest

Cleartextmessage

Transmission

Receiver decrypts w/ Sender’s

public key

DecryptDigest

Computeexpecteddigest fromhashing

algorithm

Confirm or deny integrity

of message

DigitalSignature

Digest Digest

Expected Digest







Asymmetric

Keys

and PKI

Asy

mm

etric

Key

s an

d P

KI

Hierarchies of Trust

Certificates -- Endorsements– Digital ids issued by Certificate Authorities (CA)

• Public Organizations: Versign, IBM• Private Organizations: Federal Express

Public/Private Keys– Two mathematically related strings of numbers

Encryption– The process of using digital keys to scramble digital

communications

PKI Components: Digital certificate

A digital file issued to an individual or company by a certifying authority that contains the individual’s or company’s public key and verifies the individual’s or company’s identity.– Identification information– Public key– Expiration date– The CA– All encrypted with the CA’s private key

PKI Components:Certification Authority

Certification authority (CA)– A trusted entity (e.g., VeriSign.com) that issues and

revokes public key certificates and certificate revocation lists (CRLs)

Certificate repository (CR)– A publicly accessible electronic database that holds

information such as certificates and CRLs.

http://www.verisign.com/index.html







Asymmetric

Keys

and PKI

Asy

mm

etric

Key

s an

d P

KI

Putting it all together…

Customer Internet merchant

Certificate authority

Customer’s info requests and Merchant’s info are exchanged.

Customer verifies Merchant (received msg’s are signed with a hash that can be decrypted with the merchant’s public keys held by CA)

Provides encrypted information for purchases (encrypted with merchant’s public key). Credit card and message digest is signed with customer’s private key.

Merchant verifies Customer (received msg’s are signed with a hash that can be decrypted with the customer’s public keys held by CA)

Customer’s Public Key

Merchant’s Public Key

More Security and Identification

We’ve discussed how to ID ourselves across the Internet, but how do we ID ourselves at our “point of presence”?

Physical Security Means

Physical Media– Smartcards– Tokens

Biometrics– Face recognition, Retina– Voice– Fingerprints, skin chemicals– Won’t work for 1% of the population

You've got security (Wired News Sep. 21, 2004)

“Passwords alone won't be enough to get onto America Online under a new, optional log-on service that makes AOL the first major U.S. online business to offer customers a second layer of security.

The so-called two-factor authentication scheme will cost $1.95 a month in addition to a one-time $9.95 fee. It is initially targeted at small businesses, victims of identity theft and individuals who pay a lot of bills and conduct other financial transactions through their AOL accounts.

Subscribers get a matchbook-size device from RSA Security displaying a six-digit code that changes every minute. The code is necessary to log on, so a scammer who guesses or steals a password cannot access the account without the device in hand.

How the SmartCard (SecurID) Works

Time based– Client-side and server-side

components are designed to be synchronized

– The server is synched with a time server

– The SecurID hardware token has a built-in clock and is guaranteed for three to five years

Each client-side 6 digit token-code is valid for sixty-seconds and one authentication per sixty-second window

How the SmartCard (SecurID) Works

Output token code is a function of time and a seed value unique to card– What function? A hash function!– Why? It’s “one way” and thus computationally infeasible to

“work backwards” based upon the token codes– The server carries out the same function based upon the

card’s seed and the current time– If a match, then access is authorized

• (Apparently the server can adjust for card time “drift”, e.g., can determine a set of values several minutes before or after current time and matches)

Biometrics: Face

Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html

Biometrics: Voice


Biometrics: Fingerprint


Security Limitations

True strength depends on:– Security protocol used to invoke the encryption

function– Trust in the platform executing the protocol– Cryptographic algorithm– Length of the key(s) used for encryption/decryption– Protocol used to manage/generate keys– Storage of secret keys

Limitations

Humans are the weakest link in the chain

In the end, everything is only ones and zeroes!

Combination is Best Security

Something you have…– Token (smartcard)– Biometric

PLUS something you know– Password

• Use mixture of uppercase and lowercase letters• Include numbers or symbols• Change your password every six months

Viruses,Worms, and Trojan horses…Virus: a program that propagates itself by infecting other programs on the same computer. – From erasing files to innocuous pop-ups

Code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to an otherwise innocent host program. It may damage hardware, software, or information. A true virus does not spread without human action to move it along, such as sharing a file or sending an e-mail (thus different from a worm)Now seeing viruses on cell phones and other “non-PC” devicesSony’s rootkit DRM fiasco

Worm: a program that propagates itself. Unlike a virus a worm can spread itself automatically over the network from one computer to the next. – Through automatic file sending and receiving features– Essentially a Virus that can spread itself

– Myspace Worm using Quicktime

Viruses, Worms and Trojan horses…

Trojan horse: programs that appear desirable but actually contain something harmful. – Example: you may download what looks like a free

game but when you run it, it erases every file in that directory.

Viruses, Worms and Trojan horses…

See link On WebCT

Another way of looking at it

+ +

“Symantec says the Trojan.Silentbanker has so far targeted over 400 banks around the world, but according to a blog posted by Symantec's Liam O’Murchu on January 14 [2008], the most worrying aspect is that the Trojan can perform man-in-the-middle attacks (where an attacker can read, insert and modify messages between two parties without either party knowing).” http://m-net.net.nz/2157/latest-news/latest-news/trojan.silentbanker-defeats-2-factor-authentication-attacks-400-b.php

Questions? Comments?

Date post:	13-Nov-2014
Category:	Technology
Upload:	kimmy-chen
View:	6,453 times
Download:	2 times