Week 4 Flashcards
List and briefly explain the requirements for message transmission security
(a) Confidentiality – means that during the transmission no observer can access the contents of the message and no observer can identify the sender and receiver. It thus protects information from disclosure to unauthorized persons.
(b) Integrity - requires that the recipient can be sure, whether accidentally, or because of an action by any party, the message has not been changed on the way thus maintaining consistency and accuracy of data.
(c) Authentication - the sender can be sure that the message reaches the intended recipient and only the intended recipient; similarly the recipient can be sure that the message came from the authentic the sender. This provides assurance to each participant about identity of the other.
(d) Non-Repudiation – None of the parties can later deny receiving or sending the message.
(e) Availability – guarantees availability to the legitimate users.
List and discuss some of the threats to e-commerce over the Internet.
a) Vandalism and sabotage - damages that hackers can do to a server, websites, hardware and software of a computer.
b) Breach of privacy or confidentiality - a third party intercepts a message between communicating parties to listen to or see what they are communicating.
c) Theft and fraud - This can be incidents like stealing credit card number of one party and make use of it without authorization and authentication from the owner. There are many reports of compromised credit card numbers used over the Internet.
d) Violations of data integrity – Instances where the message (e.g., order information or payment information) is changed, so the received message becomes different from the original message.
e) Denial of service – This is one of the most serious threat. Hackers use half open TCP connections, send millions of spurious requests and eventually eat up all the resources of the server. Once the server is crippled, legitimate users can not be served. Banks and financial institution are usually the victim of such attacks.
What is meant by a cipher? Give three examples of modern ciphers used in e-commerce and briefly
outline their main characteristics.
A cipher is an encryption algorithm which produces cipher text using a key.
The 3 examples of modern ciphers:
1. DES (Data Encryption Standard). A 64-bit block cipher with a 56-bit key organized with 16 rounds of operations.
2. Triple DES - With the increased processing power now-a-days, DES is considered unsecured. 3DES where the key length is 168 bits are used by many business organizations.
3. AES – Advanced Encryption Standard is intended to replace DES but the process may take few years. The principle drawback of DES that the algorithm is relatively sluggish in software and it is not flexible (key length is fixed). AES uses 128 bit block length and key length can be 128, 192 or 256 bits.
Explain what are meant by symmetric and asymmetric keys.
Symmetric key mean the sender and the receiver use the same key to encrypt or decrypt the message. The advantage
is that encryption/decryption process is fast. The disadvantage is that, we have to use different key every time we want to communicate a different person. Another problem is how to share secret key between parties.
Asymmetric keys means the sender will use one key to encrypt the message and the receiver must use the matching key to decrypt it. Every person can generate a pair of matching keys using asymmetric encryption algorithm: one is kept secret (private key) and the other is distributed, hence called public key. While sending a message, one is used to encrypt by the sender and the other is used to decrypt by the receiver(s). This solves the problem of key distribution.
But asymmetric encryption is slower than symmetric encryption.
Explain what is meant by hashing and why hashing is useful.
Hash function is a fixed length message digest or “fingerprint” which is generated from a digital document using a mathematical rule or algorithm, so that message can not be deduced from its hash. We can create a hash from a document, but we cannot recreate the document from a hash. Hashing is useful in checking the integrity of files and documents, and is also often used in digital signature algorithms. This is because a small change in the document would produce a completely different hash.
Outline a procedure for the design of secure systems.
a. Establish a security policy - decide what needs to be protected, what kinds of protection/level of protection is
needed, what are the responsibilities of different IT personnel, what are the auditing policy.
b. Design the security environment – ensure physical security, use the operating system and software that
suits the security requirement of the organization, look for bug and security breaches report and fix those
problems, use firewall appropriately configured.
c. Design / Decide Security Mechanisms – decide on cryptographic technologies, authentication methods and
security protocols.
d. Monitoring and auditing procedures- monitor access, audit trails, detect security breaches, prepare
contingency and recovery plans.
e. Evaluate, refine and maintain.
What is meant by a security protocol?
A protocol is an orderly sequence of steps that two or more parties follow in order to accomplish some joint task.
Security protocols generally mean a set of rules to ensure the security of messages being sent. Security protocol consists of authentication of parties in an exchange of messages, data integrity checks including replay of previous message, non-repudiation and key exchange.
Discuss what is meant by authentication.
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a way of identifying a user, typically by having the user enter a valid user name and password
before access can be granted. The process of authentication is based on each user having a unique set of criteria for gaining access. There is a set of username and password on the server that the user wishes to log on to. In Internet environment, a user or server can have digital certificate.
Describe a protocol for the mutual authentication of two participants communicating over an
insecure channel.
A simple protocol for mutual authentication between ‘A’ and ‘B’ via public keys
• ‘A’ wishes to undertake a secure transaction with ‘B’ via an insecure communication channel but want to be
assured of each other’s identity first.
• If A and B know each other’s public keys:
– A can generate a random message (M)
– A encrypts it with B’s public key and signs it with A’s private key
– A then sends the encrypted message to B
• B uses A’s public key and then B’s private key to obtain the message. Since the message can be decrypted
only with A’s public key, B can be assured of the identity of A.
• B sends the same message (M) back to A in the similar method, i.e., by encrypting it with A’s public key and
sign it with B’s private key.
• If A can retrieve the same message by using B’s public key only, A can be assured of the identity of B.
What is meant by a session key? How can public key encryption be used to securely exchange a
symmetric session key? Why would a symmetric session key be preferred to the use of the participants’
public/private key pairs for the messages that are exchanged?
A session key is an encryption key that is used to encrypt and decrypt messages that are exchanged during a
particular transaction or communication session. A session key is valid only for that particular session.
Assume that A and B wish to communicate securely over an open channel. If A knows B’s public key and B knows
A’s public key, then they can establish a secret shared session key as follows:
• A can generate a random session key K, encrypt it with B’s public key and then sign it with A’s private key. A then
sends this to B.
• B uses A’s public key and then B’s private K to obtain the session key K.
• Both A and B can be confident that K is a secret shared only by them.
From then on, message exchange between A and B is encrypted by the session key, K. Since only one key is used, the communication is much faster.
