Download presentation
Presentation is loading. Please wait.
Published byDwight Peters Modified over 8 years ago
1
April 20023CSG11 Electronic Commerce Authentication John Wordsworth Department of Computer Science The University of Reading J.B.Wordsworth@rdg.ac.uk Room 129, Ext 6544
2
April 20023CSG12 Lecture objectives Explain the meaning of authentication and non- repudiation, and how they complement encryption. Describe the use of digital signatures in message authentication. Describe the use of digital certificates. Explain the role of certification authorities.
3
April 20023CSG13 What is authentication? Authentication means determining that that the parties to a transaction are who they claim to be. Non-repudiation means not allowing a party to a transaction to say afterwards that they were being impersonated by an impostor. Transactional security needs encryption and authentication.
4
April 20023CSG14 Message digest A message digest allows us to check if a message has been tampered with in transmission. A message digest is a (large) number created from a message by a hash function: MD2, MD4, MD5, SHA-1 If asymmetric encryption is available, message digests are usually transmitted as digital signatures.
5
April 20023CSG15 Alice sends a message Alice’s message in plaintext digital signature hash function message digest RSA Alice’s private key
6
April 20023CSG16 Bob receives Alice’s message Alice’s message in plaintext digital signature hash function message digest RSA Alice’s public key message digest ?
7
April 20023CSG17 Digital certificate Guarantees that a public key belongs to a certain entity. Format governed by international standard: ITU- X.509. Certification authorities issue the certificates; they are trusted third parties. It has the form of a message from the certificate authority signed with its digital signature.
8
April 20023CSG18 Contents of a digital certificate Hierarchical identification (distinguished name) of the entity to which the certificate belongs Hierarchical identification (distinguished name) of the certificate authority Date of issue and expiry of certificate Encryption details Public key of the entity
9
April 20023CSG19 Certification authority Issue certificates to applicants after sufficient enquiry. Applicants need to provide their public key, and proof of identity. Examples: Verisign, RSA Security, Interclear
10
April 20023CSG110 Certificate server Used to provide certificates to users within an organisation that they can use outside. The certificate server is certified by a certification authority. The certificate server issues certificates without further reference to the certification authority.
11
April 20023CSG111 Certificate revocation lists Lists of unexpired certificates that have been compromised Maintained by the certificate authorities Consulted (?) by browsers when a certificate is received from a server
12
April 20023CSG112 Key points Authentication is a necessary complement to encryption for transactional security. Digital signatures can be used to verify that messages have arrived unaltered from their senders. Public keys are verified by certification authorities, who act as trusted third parties, and maintain certificate revocation lists.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.