©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 1
Security and Trust for E-Transactions
Alexander NTOKO, Head, E-Strategy Unit
Telecommunication Development Bureau (BDT)
[email protected] http://www.itu.int/ITU-D
Regional Seminar on E-Commerce for CEE, CIS and Baltic States
Bucharest, Romania, 14-17 May 2002
There is a Growing Need for Security…
…due to lack of confidence…
“On the Internet, nobody knows you’re a dog…”
Identification is the Challenge
…but in e-transactions, it is important to know if you are dealing with a dog.
But what are the Security Threats?
o Eavesdropping: where intermediaries “listen” in on private conversations
o Manipulation: where intermediaries intercept and change information in a private communication
o Impersonation: where a sender or receiver uses a false identity for communication
What are the Requirements?
Building confidence in e-transactions
o Confidentiality
  • Information accessed only by those authorized
o Integrity
  • No information added, changed, or taken out
o Authentication
  • Parties are who they claim to be
o Non-repudiation
  • Originator cannot deny origin
o Infrastructure of trust
  • Automating the checking of identities
How can we Enhance trust?
Need                                    Mechanism
Confidentiality                         Encryption
Who am I dealing with?                  Authentication
Message integrity                       Message Digest
Non-repudiation                         Digital Signature
Third party evidence of authenticity    Certificate
Trusted certificate                     Certification Authorities
Symmetric key encryption system
Same key is used to both encrypt and decrypt data
Examples of encryption systems: DES, 3DES, RC2, RC4, RC5
DES: Data Encryption Standard, US Gov 1977, developed at IBM
Symmetric key encryption system
o Advantages
  • Fast, secure, widely understood
o Disadvantages
  • Requires secret sharing
  • Requires large number of keys
  • No authentication
  • No non-repudiation
Public key encryption system
o Concept introduced in 1976 by Diffie and Hellman
o RSA, the most popular, was invented in 1977 by Rivest, Shamir, and Adleman
o RSA (www.rsa.com) was founded in 1982
o Everyone has a private key and a public key
o Sender uses the receiver’s public key to encrypt message
o Only receiver’s private key can decrypt message
o Discovering private key kept by one person is more difficult than discovering shared secret key
Public key encryption system
Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
Public key can be sent in the open.
Private key is never transmitted or shared.
[Diagram labels: Recipient’s Public Key, Recipient’s Private Key]
Public key encryption system
o Example: RSA
o Advantages
  • No secret sharing risk
  • Provides authentication, non-repudiation
  • Infeasible to determine one key from the other
o Disadvantages
  • Computationally intense (in software, DES is at least 100 times faster than RSA)
  • Requires authentication of public keys
Sender Authentication
Using Public Key Encryption “backwards” provides authentication of the sender
[Diagram labels: Sender’s Public Key, Sender’s Private Key]
Message Digest
[Diagram: Plaintext → Hash Algorithm → Digest]
- Used to determine if document has changed
- Usually 128-bit or 160-bit “digests”
- Infeasible to produce a document matching a digest
- A one bit change in the document affects about half the bits in the digest
Message Digest
o Common hash algorithms
  • MD2 (128-bit digest)
  • MD4 (128-bit digest)
  • MD5 (128-bit digest)
  • SHA-1 (160-bit digest)
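The claim that a one-bit change in the document affects about half the bits in the digest can be measured directly. This is an added example, not part of the original slides; the sample document is constructed, and SHA-256 is included alongside the slide's MD5 and SHA-1 because those two no longer resist collision attacks.

```python
import hashlib

# Constructed sample document (not from the original slides).
DOCUMENT = b"Pay 100 EUR to account 12345 on 2002-05-14"


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, document: bytes = DOCUMENT) -> float:
    """Flip each bit of the document in turn and return the mean
    fraction of digest bits that change as a result."""
    original = hashlib.new(algorithm, document).digest()
    digest_bits = len(original) * 8
    document_bits = len(document) * 8
    changed = 0
    for position in range(document_bits):
        modified = bytearray(document)
        modified[position // 8] ^= 1 << (position % 8)  # single-bit edit
        new_digest = hashlib.new(algorithm, bytes(modified)).digest()
        changed += bit_difference(original, new_digest)
    return changed / (document_bits * digest_bits)


def report() -> dict:
    """Mean changed-bit fraction for the digest sizes named on the slide."""
    return {name: round(avalanche(name), 3) for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    for name, fraction in report().items():
        print(f"{name:7s} digest bits changed per 1-bit edit: {fraction:.1%}")
```
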
Digital Signature
[Diagram: Hash Algorithm → Digest → (Signer’s Private Key) → Encrypted Digest → Signed Document]
Verifying the Digital Signature for Authentication and Integrity
[Diagram: Hash Algorithm → Digest; Signer’s Public Key → Digest; the two digests are compared (“Digest??”)]
Integrity: One bit change in the content changes the digest
Digital Signature
Guarantees:
o Integrity of document
  • One bit change in document changes the digest
o Authentication of sender
  • Signer’s public key decrypts digest sent and decrypted digest matches computed digest
o Non-repudiation
  • Only signer’s private key can encrypt digest that is decrypted by his/her public key and matches the computed digest. Non-repudiation prevents reneging on an agreement by denying a transaction.
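The sign and verify steps described above, as an added example that is not part of the original slides. It uses textbook RSA with no padding and a toy key built from two known Mersenne primes (the constants P, Q, N, E, D and the sample document are constructed for illustration), and SHA-256 in place of the slide's MD5 and SHA-1; production systems use a padded signature scheme from a vetted library.

```python
import hashlib

# Toy key pair built from two known Mersenne primes so the example needs no
# third-party library. Constructed for illustration; not usable as a real key.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest_int(document: bytes) -> int:
    """SHA-256 digest of the document as an integer (always below N here)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_exponent: int = D) -> int:
    """Signer: hash the document, then transform the digest with the private key."""
    return pow(digest_int(document), private_exponent, N)


def verify(document: bytes, signature: int, public_exponent: int = E) -> bool:
    """Verifier: recover the digest with the public key and compare it with a
    digest computed independently from the received document."""
    return pow(signature, public_exponent, N) == digest_int(document)


def demo() -> dict:
    document = b"I agree to buy 10 units at 50 EUR each."  # constructed sample
    signature = sign(document)
    tampered = bytearray(document)
    tampered[15] ^= 0x01               # one flipped bit: "10 units" -> "00 units"
    return {
        "genuine": verify(document, signature),
        "tampered_document": verify(bytes(tampered), signature),
        # A signature made with any other private exponent must be rejected.
        "wrong_private_key": verify(document, sign(document, D + 2)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```
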
Digital Certificate
o A digital certificate or Digital ID is a computer-based record that attests to the binding of a public key to an identified subscriber.
o Certificate issued by Certification Authority (CA).
o Certified digital signature attests to message content and to the identity of the signer.
o Combined with a digital time stamp, messages can be proved to have been sent at certain time.
Digital Envelope
Combines the high speed of DES (symmetric encryption) and the key management convenience of RSA (public key encryption)
[Diagram: “Digital Envelope”, with labels: One-time encryption key, Recipient’s Public Key]
ITU-T X.509 Certificate
o Standard certificate virtually everyone uses.
o Includes: serial number, name of individual or system (X.500 name - e.g., CN=John Smith, OU=Sales, O=XYZ, C=US), issuer (X.500 name of CA), validity period, public key, cryptographic algorithm used, CA digital signature, etc., plus flexible extensions in Version 3.
o Certificate is signed by the issuer to authenticate the binding between the subject name and the related public key.
ITU-T X.509 Certificate Version 3
o Version 3 standard extensions include subject and issuer attributes, certification policy information, key usage restrictions, e-mail address, DNS name, etc.
o Examples of special extensions: account number, postal address, telephone number, photograph (image data), birthday (to block users younger than a specified age from accessing certain contents of a Web server), preferred language, etc.
Security Technologies – Which One?
Components of PKI
Using tokens to secure B2B e-marketplace
Signing and encrypting Email
Securing Access to E-Mail using PSE
Thank you for your attention