Advanced Internet Technology - PowerPoint PPT Presentation

Slides: 49
Provided by: philipp76
Transcript and Presenter's Notes

1
Advanced Internet Technology Application
Internet Security Security for e-Commerce
  • Incheon Paik

2
Internet /WWW Security
  • Fundamental Security Weakness of TCP/IP and WWW
    Protocol
  • Designed for Information Open/Sharing/Distribution
  • Openness of Unix System and Communication Utility
    Source
  • Extension of Usage Broadly such as e-mail, BBS,
    Intranet, e-Commerce, etc
  • Computer Network Hackers
  • 40,000,000 Users in the World
  • Not Trustable System
  • Defect of Internet Related Software, Problem in
    System Management

3
Security in Internet
  • Security of System
  • Prevent the leakage of information in Internet
    information server, destruction or errors of
    application in server by the third party
  • Solution: Firewall
  • Security of Network
  • Prevent the leakage/modification of information
    running on Internet, usage of secret information
    by the third party
  • Solution: Cryptography, Web Security Protocol

4
Concept of Firewall System
  • Active Defense System to Prevent the Security
    Problem or Threats on Internet
  • Hardware or Software System to Prevent Illegal
    Traffic from Outside, and Allow the allowed or
    authenticated traffic only
  • Give Transparency to Legal Users, and Make the
    Network Secure

[Figure: a Firewall between the Outside Network and the Internal Network; the Legal User passes through, the Illegal User is blocked (X)]
5
Main Functions of Firewall System
  • Access Control
  • User Authentication
  • Logging
  • Encryption
  • Protect Privacy
  • Policy

6
Types of Firewall System
  • Packet filtering
  • Dual-homed
  • Screen host
  • Screen subnet

7
Packet Filtering
[Figure: Internet - Screening Router - Internal Network]
8
Principle of Filtering
  • Action
  • Protocol
  • Source IP address
  • Source port number(for TCP)
  • Destination IP address
  • Destination port number(for TCP)

Action  Protocol  Src Addr  Src Port  Dest Addr  Dest Port
allow  tcp  198.41.0.0  43
block  tcp  gt5999
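The six fields above are enough to build a first-match filter with a default-deny fallback. The sketch below is an added example, not part of the original slides; the names Rule, addr_ok, port_ok and decide, the column placement of the slide's values, the /16 mask and the third rule are all assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

PortTest = Optional[Tuple[str, int]]     # ("eq", 43), ("gt", 5999); None matches any port

class Rule(NamedTuple):
    action: str                          # "allow" or "block"
    protocol: str                        # "tcp", "udp", ...
    src_addr: Optional[str] = None       # CIDR network; None matches any address
    src_port: PortTest = None
    dst_addr: Optional[str] = None
    dst_port: PortTest = None

def addr_ok(net, addr):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def port_ok(test, port):
    if test is None:
        return True
    op, value = test
    if op == "eq":
        return port == value
    if op == "gt":                       # the slide's "gt5999" style of comparison
        return port > value
    raise ValueError(f"unknown port operator: {op}")

def decide(rules, packet, default="block"):
    """First matching rule wins; a packet no rule matches gets the default (deny)."""
    proto, src, sport, dst, dport = packet
    for r in rules:
        if (r.protocol == proto
                and addr_ok(r.src_addr, src) and port_ok(r.src_port, sport)
                and addr_ok(r.dst_addr, dst) and port_ok(r.dst_port, dport)):
            return r.action
    return default

# Constructed rule set. 198.41.0.0, 43 and gt5999 are the slide's values; the column
# each one sits in, the /16 mask and the third rule are assumptions of this example.
RULES = [
    Rule("allow", "tcp", dst_addr="198.41.0.0/16", dst_port=("eq", 43)),
    Rule("block", "tcp", dst_port=("gt", 5999)),
    Rule("allow", "tcp", src_addr="10.0.0.0/8"),
]

if __name__ == "__main__":
    # Constructed packets: (protocol, src addr, src port, dst addr, dst port)
    for pkt in [("tcp", "203.0.113.9", 40000, "198.41.0.5", 43),
                ("tcp", "10.1.2.3", 1025, "192.0.2.1", 6000),
                ("udp", "10.1.2.3", 5353, "192.0.2.1", 53)]:
        print(pkt, "->", decide(RULES, pkt))
```

Rule order matters: the second packet comes from the 10.0.0.0/8 network that the third rule allows, but the earlier block rule on high destination ports matches first.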
9
Dual-Homed
[Figure: Internet - Dual-homed Host with proxy (two Network Interfaces) - Internal Network]
10
Screen Host
[Figure: Internet - Screening Router - Internal Network with Bastion Host]
11
Screen Sub-Net
[Figure: Internet - External Router - Perimeter Network (DMZ) with Bastion Host - Internal Router - Internal Network]
12
Comparison of Each Type
Function / Type         Packet Filtering   Dual-Homed   Screen Host   Screen Sub-Net
Security                Bad                Very Good    Good          Good
Performance (Network)   Very Good          Bad          Good          Good
Performance (Cost)      Low                High         High          Very High
Log Manage.             Very Bad           Good         Good          Good
13
Limitation of Firewall System
  • No Measure to Internal Illegal Users
  • No Measure to New Threats
  • No Measure to the Access not through Firewall
  • No Measure to Computer Virus
  • Measure for Communication Security to Unspecified
    Multiples

14
Security Function of Network
  • Confidentiality
  • Disallowing eavesdropping of transmitting
    contents by third party
  • Authentication
  • Verification of Identification of Information
    Sender
  • Integrity
  • Damage of Information Transmitted
  • Non-repudiation
  • Prevent the Repudiation of Information Sender

15
Cryptography Algorithms
  • Symmetric Algorithm (Secret Key Algorithm)
  • Public Key Algorithm
  • Message Digest

16
Symmetric Algorithm
[Figure: PlainText -> Encryption (key K) -> CipherText -> Decryption (key K) -> Original PlainText]
  • Sender and Receiver Use Same Secret Key
  • Fast Encryption and Decryption; Used in Data
    Encryption
  • Problems in Sharing the Keys; Falls Short in
    Authentication
  • Algorithms: RC4, DES, IDEA, etc.

17
Public Key Algorithm
[Figure: PlainText -> Encryption (Kpublic) -> CipherText -> Decryption (Kprivate) -> Original PlainText]
  • Encryption Key (Public Key) and Decryption
    Key (Private Key) are different.
  • No security weakness when sending the key to the
    receiver; used in key distribution or electronic
    signatures
  • Low Speed in Encryption/Decryption
  • Algorithms: RSA, DSA, etc.

18
Message Digest
[Figure: message digest flow. Labels: PlainText, Digest, Encryption (K), Decryption (K), Digest, Compare]
  • Convert Given Information into a Large Number (Hash
    Value) of Fixed Length Using a One-way
    Function (Hash)
  • Check for Modification of the Original Text by Getting
    the Hash Value from the Received Information, then
    Comparing It with the Hash Value Received with the Information
  • Hash Functions: MD4, MD5, SHA (Secure Hash
    Algorithm)

19
Application of Cryptography (1)
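  • Confidentiality

Digital Envelope
[Figure: Step 1: the session key KS is encrypted with Kpublic to give Kpublic(KS), which is decrypted with Kprivate to recover KS. Step 2: PlainText is encrypted with KS to CipherText, which is decrypted with KS to the Original PlainText.]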
20
Application of Cryptography (2)
  • Authentication/Integrity/Non-Repudiation

Digital Signature
[Figure: digital signature flow. Labels: PlainText, Digest, Encryption (Kprivate), Decryption (Kpublic), Digest, Compare]
21
DES
  • DES divides the message into 64-bit blocks; the key
    has a fixed size.
  • DES Operation
  • Transposition of bits
  • Substitution of Bit Groups
  • Exclusive-Or Operation
  • Etc. Operation


22
DES


http://www.itl.nist.gov/fipspubs/fip46-2.htm
23
Some Basics for Crypto Algorithms

Euler Totient Function: $\phi(n)$ is the number of
elements in the reduced set of residues modulo
$n$.
Theorem: For $n = pq$ and $p, q$ prime, $\phi(n) = \phi(p)\,\phi(q) = (p-1)(q-1)$.
Example: Let $p = 3$ and $q = 5$.
Then $\phi(15) = (3-1)(5-1) = 2 \cdot 4 = 8$, and there
are 8 elements in the reduced set of residues
modulo 15: $\{1, 2, 4, 7, 8, 11, 13, 14\}$.

24
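Some Basics for Crypto Algorithms

Fermat's Theorem: Let $p$ be prime. Then for
every $a$ such that $\gcd(a, p) = 1$, $a^{p-1} \bmod p = 1$.
Euler's Generalization: $a^{\phi(n)} \bmod n = 1$.
Example: Let $a = 3$ and $n = 7$. Then $x = 3^{5} \bmod 7$
(that is, $a^{\phi(n)-1} \bmod n$, the inverse of $a$ modulo $n$),
which we saw earlier is 5. This checks,
because $3 \cdot 5 \bmod 7 = 1$.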

25
Some Basics for Crypto Algorithms

Exponentiation Ciphers (Pohlig-Hellman and RSA
Schemes)
$C = M^e \bmod n$ --- (1)
$M = C^d \bmod n$ --- (2)
$C = \mathrm{fastexp}(M, e, n)$, $M = \mathrm{fastexp}(C, d, n)$
$M^{\phi(n)} \bmod n = 1$ (Fermat's Theorem)
If $e$ and $d$ satisfy the
relation $ed \bmod \phi(n) = 1$, then Eq. (1) is the
inverse of Eq. (2).

26
Some Basics for Crypto Algorithms

Exponentiation Ciphers (Pohlig-Hellman and RSA
Schemes)
Theorem: Given $e$ and $d$ satisfying Eq.
(2.4) and a message $M \in [0, n-1]$ such that
$\gcd(M, n) = 1$, $(M^e \bmod n)^d \bmod n = M$.
Proof: Refer to Denning's Book.
Pohlig-Hellman Scheme
Example: Let $p = 11$, whence $\phi(p) = p - 1 = 10$.
Choose $d = 7$ and compute $e = \mathrm{inv}(7, 10) = 3$. Suppose
$M = 5$. Then $M$ is enciphered as $C = M^e \bmod p = 5^3 \bmod 11 = 4$.
Similarly, $C$ is deciphered as $M = C^d \bmod p = 4^7 \bmod 11 = 5$.

27
Some Basics for Crypto Algorithms

Rivest-Shamir-Adleman (RSA) Scheme
$n = pq$. Thus $\phi(n) = (p-1)(q-1)$.
Example: Let $p = 5$ and $q = 7$, whence $n = pq = 35$ and $\phi(n) = (5-1)(7-1) = 24$.
Pick $d = 11$. Then $e = \mathrm{inv}(11, 24) = 11$ (in
fact, $e$ and $d$ will always be the same for $p = 5$ and
$q = 7$). Suppose $M = 2$. Then $C = M^e \bmod n = 2^{11} \bmod 35 = 2048 \bmod 35 = 18$,
and $C^d \bmod n = 18^{11} \bmod 35 = 2 = M$.
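The worked numbers on the last five slides can be reproduced with a few lines of code. This is an added example, not part of the original slides: fastexp and inv follow the names used on the slides, while reduced_residues, phi, keypair and self_inverse_exponents are names chosen here, and the brute-force totient only suits primes as small as the slides'.

```python
from math import gcd

def fastexp(a, z, n):
    """a**z mod n by square-and-multiply (O(log z) modular multiplications)."""
    x, a = 1, a % n
    while z > 0:
        if z & 1:               # low bit set: fold the current square into the result
            x = (x * a) % n
        a = (a * a) % n
        z >>= 1
    return x

def inv(a, n):
    """x with a*x mod n = 1, by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = n, a % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:                 # gcd(a, n) != 1: no inverse, so no usable key pair
        raise ValueError(f"gcd({a}, {n}) = {r0}; no inverse exists")
    return t0 % n

def reduced_residues(n):
    """Reduced set of residues modulo n; its size is phi(n). Brute force, small n only."""
    return [k for k in range(1, n) if gcd(k, n) == 1]

def phi(n):
    return len(reduced_residues(n))

def keypair(d, phi_n):
    """Given decipher exponent d, return (e, d) with e*d mod phi(n) = 1."""
    return inv(d, phi_n), d

def self_inverse_exponents(phi_n):
    """Exponents d for which e = inv(d, phi(n)) equals d itself."""
    return [d for d in reduced_residues(phi_n) if inv(d, phi_n) == d]

if __name__ == "__main__":
    e, d = keypair(7, phi(11))                       # Pohlig-Hellman, p = 11
    print(e, fastexp(5, e, 11), fastexp(4, d, 11))   # 3 4 5
    n = 5 * 7
    e, d = keypair(11, phi(n))                       # RSA, p = 5, q = 7
    c = fastexp(2, e, n)
    print(e, c, fastexp(c, d, n))                    # 11 18 2
    print(self_inverse_exponents(phi(n)) == reduced_residues(phi(n)))  # True
```

The last line confirms the slide's remark that e and d always coincide for p = 5 and q = 7: every exponent coprime to 24 is its own inverse modulo 24, so enciphering and deciphering use the same key.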

28
Certificate Authority and Digital Certificate
  • Certificate Authority (CA)
  • Certifies that somebody's public key is
    certainly his own.
  • The Certificate Authority certifies somebody's public
    key by encrypting it with its own private key.
  • Digital Certificate
  • Public key encrypted by the CA's private key
  • In CA, after making the digital certificate, encrypt
    the original plain text (1), digital signature
    (2), and his own digital certificate (3) with a
    random private key (4), and then encrypt this
    private key with the receiver's public key. Finally,
    send these two encrypted data to the receiver.

29
WWW Security Protocol
  • Communication Security to Unspecified Multiples

[Figure: Content Security (PGP, PEM); Message Security at the HTTP Layer (S-HTTP, SEA); Channel Security (SSL, SSH, PCT)]
30
SSL(Secure Socket Layer) (1)
  • Developed by Netscape Co.
  • Provide Secure Service among Internet
    Applications Through Secure Channel
  • Layer Model of SSL
  • https://www.whitehouse.gov/first-lady-wardrobe.html
  • HTTPS uses TCP port 443

31
SSL(Secure Socket Layer) (2)
  • Operation Model of SSL
  • Certify Client/Server and Exchange Session Key
    Using Public Key Cryptography (Handshake
    Protocol)
  • Carry out Symmetric Key based Secure
    Communication between Application Reality using
    Shared Session Key (Record Protocol)

[Figure: Web Client (Client System) and Web Server (Server System) exchange general HTTP messages over HTTP; each side has a Crypto Module and a Transport Layer, joined by a Secure Channel]
32
S-HTTP(Secure HTTP) (1)
  • S-HTTP Add Secure Functions to HTTP at EIT
  • Communicate in the unit of transaction based on
    client/server model, provide secure services at
    end point.
  • Support Transaction Confidentiality, Message
    Integrity, Sender Certification, and
    Non-Repudiate using various crypto algorithm
  • Developed Secure Mosaic and Secure httpd products
    to support S-HTTP1.1 Spec. by NCSA
  • shttp://www.whitehouse.gov/presidential-desserts.html

33
S-HTTP(Secure HTTP) (2)
  • Operation Model of S-HTTP

  • The encryption algorithm and signature mechanism
    corresponding to the request are applied to the
    HTTP message, which is encapsulated into S-HTTP
  • S-HTTP messages are transmitted with an S-HTTP
    header to describe message type and encryption
    method

[Figure: Web Client (Client System) and Web Server (Server System) exchange encrypted or signed messages using S-HTTP; each side has a Crypto Module and a Transport Layer, joined by a Normal Channel]
34
Electronic Payment System
35
Classification of E-Payment System
36
Secure Electronic Transaction (SET) Protocol
SET Encryption Overview
Suggested By VISA and MasterCard Co. Credit Card
Based
37
Secure Electronic Transaction (SET) Protocol
Hierarchy of Trust
38
Secure Electronic Transaction (SET) Protocol
Card Holder Registration
39
Secure Electronic Transaction (SET) Protocol
Cardholder receives response and requests
registration form
40
Secure Electronic Transaction (SET) Protocol
Merchant Registration
41
Secure Electronic Transaction (SET) Protocol
Merchant receives registration form and requests
certificates
42
Secure Electronic Transaction (SET) Protocol
Purchase Request
43
Secure Electronic Transaction (SET) Protocol
Cardholder receives response and sends request
44
Secure Electronic Transaction (SET) Protocol
Merchant processes request message
45
Secure Electronic Transaction (SET) Protocol
Payment Authorization
46
Secure Electronic Transaction (SET) Protocol
Payment Gateway processes authorization request
47
Secure Electronic Transaction (SET) Protocol
Payment Capture
48
Secure Electronic Transaction (SET) Protocol
Payment Gateway processes capture request