Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4482, Fall 2009, D Chan Session 2 – Common Security Techniques.

Published byHarold Moore Modified over 8 years ago

Similar presentations

Presentation on theme: "CSE 4482, Fall 2009, D Chan Session 2 – Common Security Techniques."— Presentation transcript:

1 CSE 4482, Fall 2009, D Chan Session 2 – Common Security Techniques

2 CSE 4482, Fall 2009, D Chan Two-factor Authentication zUsed to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking. zUses what the user has and what the user knows. zExamples are to use a token with a dynamic password and ATM.

3 CSE 4482, Fall 2009, D Chan Biometrics zCan include fingerprint, hand geometry, voice etc. zHeld back by privacy concerns. zNot recognised legally in place of signature

4 CSE 4482, Fall 2009, D Chan Operating System Security zUse a standard checklist for configuration zImplement vendor updates zUse scanning software to detect vulnerabilities before implementation and periodically

5 CSE 4482, Fall 2009, D Chan Firewall zCan be hardware based only, e.g., a router. zCan be a server with sophisticated software, more granular and reliable than a router, provides better logs. zCan use artificial intelligence to check for patterns.

6 CSE 4482, Fall 2009, D Chan Firewall zEvery organization that hosts a web site should have a firewall to protect its internal network from hackers zThe firewall would block traffic that is definitely unacceptable.

7 CSE 4482, Fall 2009, D Chan Firewall zA typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations. zA data packet typically consists of a source Internet Protocol (IP) address, a port and a destination Internet Protocol address.

8 CSE 4482, Fall 2009, D Chan Firewall zA port is a logical connection point in a network device including a computer. zIt is used to standardize Internet traffic, e.g., web browsing uses port 80, e- commerce uses port 443.

9 CSE 4482, Fall 2009, D Chan Virus Protection zCompanies around the world spend about US $20 billion a year to clean up viruses zAll critical servers are protected zAll internet email is scanned zAutomated identification of workstations that do not have up-to-date signature files zOrganizations should block common virus file types to be proactive

10 CSE 4482, Fall 2009, D Chan Virtual Private Network zTo secure remote access to company systems by staff or contractors. zShould require two-factor authentication. zEncrypted traffic, bypasses firewall, secure tunnel should end at another firewall with traffic decrypted.

11 CSE 4482, Fall 2009, D Chan Intrusion Detection System zInstalled at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages. zAlerts systems administrators to take pre- emptive or corrective actions.

12 CSE 4482, Fall 2009, D Chan Intrusion Prevention System zCombines firewall and intrusion detection technologies. zRejects highly questionable or unacceptable traffic. zMore effective than firewalls but may have false positive.

13 CSE 4482, Fall 2009, D Chan Encryption zUses mathematics to scramble data. zUses a key and an algorithm. Commercial algorithms are public knowledge. zSymmetric key. zAsymmetric keys (private/public key pair).

14 CSE 4482, Fall 2009, D Chan Symmetric Key Encryption zThe same key is used to decrypt and encrypt zSimple to encrypt and decrypt zLarge number of keys required for one- on-one secret communication zNumber of keys for N people is N(N-1)/2 zNeed to secure the key

15 CSE 4482, Fall 2009, D Chan Asymmetric Encryption zA pair of key is generated by a user, a private key and a corresponding public key. zThe public key can be disclosed. The private key is secured. zPeople can use the public key to encrypt material.

16 CSE 4482, Fall 2009, D Chan Asymmetric Encryption zThe corresponding private key is needed to decrypt. zThe 2 keys cannot be reengineered, i.e., you cannot use the public key to derive the private key. zLonger keys than symmetric and therefore a longer process to encrypt and decrypt.

17 CSE 4482, Fall 2009, D Chan Asymmetric Encryption zNeeded for email encryption. zUsed for e-commerce, digital certificates and digital signatures. zNumber of keys for N users is 2N.

18 CSE 4482, Fall 2009, D Chan Digital Signature zA digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

19 CSE 4482, Fall 2009, D Chan Digital Signature zThe sender uses an algorithm to compute a hash (garbled digest) of the document zSender uses its private key to encrypt the hash. zRecipient uses same algorithm to hash the plain text document when received. zRecipient uses the public key to decrypt the digital signature and compare to the hash the recipient created, to confirm integrity.

20 CSE 4482, Fall 2009, D Chan Digital Certificate An electronic business card that establishes your credentials when doing business or other transactions on the Web. It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key. People can use the certificate authority’s public key to verify the signature.

21 CSE 4482, Fall 2009, D Chan Certificate Authority zAn organization that issues digital certificates to companies and individuals zAn organization can issue digital certificates to its own customers or employees to authenticate local transactions zThe certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.

22 CSE 4482, Fall 2009, D Chan E-commerce Encryption zUses both symmetric keys and asymmetric keys zEnforced by the merchant zMerchant sends its certificate and public key to the browser

23 CSE 4482, Fall 2009, D Chan E-commerce Encryption zBrowser generates a symmetric key zBrowser encrypts the symmetric key with the merchant’s public key zBrowser authenticates the digital certificate zEncrypted symmetric key is sent to merchant

24 CSE 4482, Fall 2009, D Chan E-commerce Encryption zMerchant decrypts the symmetric key with its private key zThe symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.

25 CSE 4482, Fall 2009, D Chan Email Encryption zSender uses the recipient’s public key to encrypt the message zSender signs the message with own private key zRecipient uses own private key to decrypt message zRecipient uses sender’s public key to authenticate the digital signature

26 CSE 4482, Fall 2009, D Chan Conclusion zSecurity is increasingly important because of e-commerce. zSecurity is the responsibility of every employee. z Organizations should designate a chief information security officer to coordinate.

Download ppt "CSE 4482, Fall 2009, D Chan Session 2 – Common Security Techniques."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
1 Chapter 8 Securing Information Systems. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized.

1 Chapter 8 Securing Information Systems. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized.
Copyright ©1997 NetDox, Inc. All Rights Reserved. CONFIDENTIAL 1 DATE HERE Julie Grace - NetDox, Inc. Emerging Internet Commerce.

Copyright ©1997 NetDox, Inc. All Rights Reserved. CONFIDENTIAL 1 DATE HERE Julie Grace - NetDox, Inc. Emerging Internet Commerce.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Similar presentations

Ads by Google