Presentation on theme: "Security for Internet and Web Based Application Richard N. Zobel Department of Computer Science University of Manchester Oxford Road Manchester, M13 9PL,"— Presentation transcript:
Security for Internet and Web Based Application Richard N. Zobel Department of Computer Science University of Manchester Oxford Road Manchester, M13 9PL, UK For The 4th International Conference on Information Integration and Web-based Applications and Services September 10-12, 2002
Outline zIntroduction. zProvision of Secure Access to Services. zEncryption and Decryption of Messages. zCurrent System Technical Problems. zSecurity Issues. zDigital Signatures. zDigital Watermarks. zNetwork Attacks. zCase Studies.
Introduction z WWW Provides Easy Access and Communication z Requires Responsibility z Mischief and Criminal Activities z Opportunities and Problems of Provision of Security z Compromise between Privacy and (Inter)National Interests z Private Security and National Security Conflicts z Human Rights Issues, Data Protection z E-Business z Emphasis on Communicating Users - Initially for Simulators
zInitial Login and Password yOnly Allows Access to the Registration Process yFurther Security Required for Various Activities Related to Required Services z 3 - Tiered Process yGUI - the Interface yServlets for User Choices ySecurity DataBase Access Provision of Secure Access to Services
zThe following figures illustrate the Authentication Process: yThe Secure Federate Architecture yThe Software Implementation of the Architecture zThe Principle Concerns the Provision and Acceptance of Personal Details: yE.g. Those used by Current Banking Systems or their Equivalent zShort Cuts, Through PIN Codes are Allowed unless Compromised zAuthentication May also be through Digital Signatures, Authentication and Digital Certificates Provision of Secure Access to Services
Encryption and Decryption of Messages zSymmetric Keys yProblems - Use Fast Computers to Crack Codes zAsymmetric Keys yPublic and Private Keys zRSA (Rivest-Shamir-Adleman) - Uses Integer Factorisation zGiven Public (Encryption) Key - Difficult to Determine Private (Decryption) Key zDegree of Difficulty relates to Number of Bits y1024 bits gives a Reasonable Degree of Security
zTwo distinct primes p i and q i are selected then φ(p i )= p i -1, and φ(q i )= q i -1 if gcd(p i, q i )=1 then φ(p i q i )=φ(p i )φ(q i ) where φ(n) is called the Euler phi function, gcd is the greatest common divisor If p i and q i are each 1024 bit long, it is almost impossible, given present technology, to factor the modulus into p i and q i. zThe sender chooses: y Public key e i such that e i ≤ p i q i where e i and φ(p i q i ) are relatively prime. y Private key d i is computed such that e i ∙d i =1(mod(p i -1)(q i -1)). y The encryption function is e(pt)=pt^d i mod p i q i where pt is the plaintext and pt< p i q i. yThe decryption function d(ct)=ct ^ e i mod p i q i where ct is the cipher text. zThe sender has public key pair (p i q i, e i ) and private key d i zThe receiver has access to the public key of the sender RSA Algorithm
z An elliptic curve is defined by an equation of the form: Elliptic Curves
Current System Technical Problems zSecurity Level and Cost Balance yNo guarantee yClever Mathematics zPrivacy and the Security Services yCriminal and Law Enforcement yConflict between private individuals/organisations and security services yHuman rights, data protection, computer firewalls, private protection yExpect criminals to be detected and punished zSecurity, Secrecy and Confidentiality zNational and Cultural Differences
Digital Signatures zEquivalent to hand written signature ( but more repeatable !) zMore secure and useful: yNon-repudiation yGuarantees of Authenticity and Integrity of data zSignature yDerived from both the data and the signer, who has the public key yDoes not guarantee the signer is the owner of the public key yThis can be guaranteed by the use of Digital Certificates xIdentity Certificates (eg X.509) - public key and sufficient data to identify the key holder xAccreditation - Identifies key holder as a group holder eg Doctor xAuthorisation – Used for delegation of authority
Digital Signatures zCertification Authority (CA) – An agent of trust in a Public Key Infrastructure (PKI) yVerifies user’s identities yIssues keys to users yCertifies users public keys yPublishes users Certificates yIssues Certificates revocation lists
Digital Watermarks zNew area - ~ 7 years old zOriginal watermark use – prevention of copying of bank notes and legal documents zDigital watermarks now have wider applications yCopyright protection images, text, multimedia data yIdentification of data ownership yIdentification of those who handle or receive it yTracing and proof of ownership yGuaranteeing that images and data have not been tampered with zProliferation of the use of “invisible” watermarking zIdentification and protection against attack
Digital Watermarks zInitial Applications in imaging zSystematically modifying and image in minor ways imperceptible to the eye yGeometric modifications yStochastic modifications ySpatial or frequency domain modifications yExample of bank notes zLimitations yCapacity to discretely contain the watermark yOpen to attack by use of image processing techniques yIdentify presence of watermark yAttempt to remove watermark
Digital Watermarks zApplications yImages ySequence of images (subliminal !) yAny data, including text and figures (.ps,.pdf.doc,.rtf, etc) zMap Errors yDeliberate yIdentification for Copyright yO.S. (Ordnance Survey) Maps yEuro currency notes - map of Europe
Network Attacks zDisclosure of data, mis-use of data yIntruder attack yMore common - credit card details, use of private yAny data, including text and figures (.ps,.pdf.doc,.rtf, etc) zCorruption of data - Virus attack yDestruction yModification yInterception zDenial of Service Attack
Forensic Profiling zInvolves identifying, preserving and analysing digital evidence y In a way which could lead to the profiling and conviction of offenders zProfiling gives a general biographical description of the most likely type of unknown offender zTwo types of profiling yInductive - scientific approach using experimental, statistical, correlation analysis yDeductive - based on forensic evidence pointing to a particular crime- scene and the behavioral reconstruction of the possible offender zProblems y Lack of standards, poor analysis techniques, lack of specialists and inadequate training.
Case Studies z1. Mobile Phones yAnalog phones had little or no security yDigital phones offer much better prospects yCurrent GSM phones offer some relatively unsophisticated protocol and encryption standards yAs shown in the following figures yK i is the subscriber’s authentication key yA 3 Algorithm is the signal response calculation (SRES) yA 5 Algorithm is the keystream generation calculation yA 8 Algorithm is the cyphering key calculation (Kc)
z2. Distributed Interactive Simulation yInvolves real-time interconnection of simulations and simulators on the network yInitially developed for military systems - use ATM private networks yMany civil applications - use Internet, lack security yUse Internet Protocol Security (IPSEC) end-to-end mechanism for protecting data using tunneling yAlternatively use a virtual private network (simulates a private network over a public network such as the Internet) VPN, which can be enhanced through use of encryption and firewall and tunneling mechanisms
Case Studies z3. Distance Learning yNew research at Manchester (Computer Science) yEmploys a remote and powerful simulation tool, which acts as a server, spawning simulations for use by course developers and students yLocal use of an animator, which provides for interactive use of simulations running elsewhere in the network yCan be used for diverse dynamic systems simulation for continuous, discrete event or mixed systems in fields as diverse as mechanical engineering, finance and scheduling.
Conclusions zSecurity for Internet and Web based systems and users is now a major priority issue yTwo Central Issues yAchieving Secure Access to Systems yAchieving Secure Access to Data yFour Central Facilities yAuthentication yCertification yDigital Certificates yTrusted Certification Authority
Conclusions zAll of these are needed for support of secure e-business and e- commerce. zDigital watermarks are of increasing importance yAttack problems yStandards are needed zSome widely differing case studies have been presented. These illustrate the importance of networking and associated security issues.