310 likes | 325 Views
Explore the importance of security in e-transactions and the threats faced, requirements for building confidence, and techniques like encryption, authentication, and digital signatures to enhance trust.
E N D
Security and Trust for E-Transactions International Telecommunication Union (ITU) ITU-T Workshop on Multimedia Convergence ITU HQ, Geneva, Switzerland 12-15 March 2002 Alexander NTOKO, Head, E-Strategy Unit Telecommunication Development Bureau (BDT) ntoko@itu.int http://www.itu.int/ITU-D/e-strategy
…due to lack of confidence… …but in e-transactions, it is important to Know if you are dealing with a dog.
But what are the Security Threats? • Eavesdropping: where intermediaries “listen” in on private conversations • Manipulation: where intermediaries intercept and change information in a private communication • Impersonation: where a sender or receiver uses a false identity for communication
What are the Requirements?Building confidence in e-transactions • Confidentiality • Information accessed only by those authorized • Integrity • No information added, changed, or taken out • Authentication • Parties are who they pretend to be • Non-repudiation • Originator cannot deny origin • Infrastructure of trust • Automating the checking of identities
How can we Enhance trust? Confidentiality Encryption Who am I dealing with? Authentication Message integrity Message Digest Non-repudiation Digital Signature Third party evidence of authenticity Certificate Trusted certificate Certification Authorities
Symmetric key encryption system Same key is used to both encrypt and decrypt data Examples of encryption systems: DES, 3DES, RC2, RC4, RC5 DES: Data Encryption Standard, US Gov 1977, developed at IBM
Symmetric key encryption system • Advantages Fast, secure, widely understood • Disadvantages Requires secret sharing Requires large number of keys No authentication No non-repudiation
Public key encryption system • Concept introduced in 1976 by Diffie and Hellman • RSA, the most popular, was invented in 1977 by Rivest, Shamir, and Adleman • RSA (www.rsa.com) was founded in 1982 • Everyone has a private key and a public key • Sender uses the receiver’s public key to encrypt message • Only receiver’s private key can decrypt message • Discovering private key kept by one person is more difficult than discovering shared secret key
Public key encryption system Recipient’s Public Key Recipient’s Private Key Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt. Public key can be sent in the open. Private key is never transmitted or shared.
Public key encryption system • Example: RSA • Advantages No secret sharing risk Provides authentication, non-repudiation Infeasible to determine one key from the other • Disadvantages Computationally intense (in software, DES is at least 100 times faster than RSA) Requires authentication of public keys
Sender Authentication Sender’s Private Key Sender’s Public Key Using Public Key Encryption “backwards”provides authenticationof the sender
Message Digest Plaintext Digest Hash Algorithm - Used to determine if document has changed - Usually 128-bit or 160-bit “digests” - Infeasible to produce a document matching a digest - A one bit change in the document affects about half the bits in the digest
Message Digest • Common hash algorithms • MD2 (128-bit digest) • MD4 (128-bit digest) • MD5 (128-bit digest) • SHA-1 (160-bit digest)
Digital Signature Signer’s Private Key Encrypted Digest Digest Signed Document Hash Algorithm
Verifying the Digital Signaturefor Authentication and Integrity ? Digest Hash Algorithm Digest Signer’s Public Key Integrity: One bit change in the content changes the digest
Digital Signature Guarantees: • Integrity of documentOne bit change in document changes the digest • Authentication of senderSigner’s public key decrypts digest sent and decrypted digest matches computed digest • Non-repudiationOnly signer’s private key can encrypt digest that is decrypted by his/her public key and matches the computed digest. Non-repudiation prevents reneging on an agreement by denying a transaction.
Digital Certificate • A digital certificate or Digital IDis a computer-based record that attests to the binding of a public key to an identified subscriber. • Certificate issued by Certification Authority (CA). • Certified digital signature attests to message content and to the identity of the signer. • Combined with a digital time stamp, messages can be proved to have been sent at certain time.
Digital Envelope One time encryption Key Combines the high speed of DES (symmetric encryption) and the key management convenience of RSA (public key encryption) “Digital Envelope” Recipient’s Public Key
ITU-T X.509 Certificate • Standard certificate virtually everyone uses. • Includes: serial number, name of individual or system (X.500 name - e.g., CN=John Smith, OU=Sales, O=XYZ, C=US), issuer (X.500 name of CA), validity period, public key, cryptographic algorithm used, CA digital signature, etc., plus flexible extensions in Version 3. • Certificate is signed by the issuer to authenticate the binding between the subject name and the related public key.
ITU-T X.509 Certificate Version 3 • Version 3 standard extensions include subject and issuer attributes, certification policy information, key usage restrictions, e-mail address, DNS name, etc. • Example of special extensions: account number, postal address, telephone number, photograph (image data), birthday to block users younger than specified age to access certain contents of a Web server, preferred language, etc.
ITU E-Security – Brief Status of Activities But for it to make sense, it must be available to all… • Expanded from EC-DC to Secure e-transaction based on PKI as a result of partnership with WISeKey. • 20+ security companies worked for 16 months to develop infrastructure + Applications under ITU EC-DC • 100+ DCs interested in this project. Since deployment started in Q4 2001, 12 DCs countries from Africa, Asia Latin America scheduled to be operational in Q1 2002. • First ever deployment of digital certification technology and Apps (based on PKI) in the most of the DCs. • More thanUS$ 10 millionin in-kind contribution from industry partners. • Lauching multilateral framework (World e-Trust) to expand deployment to more developing countries.
ITU E-Security -Accomplishments …an enormous opportunity for the sub-Saharan African states. - World Bank.Without such initiatives, many countries would stay on the exit ramp. - OPTOROUTE OnlineEC-DC Does IT - Time MagazineThe conditions for safe e-business transactions ensured by the EC-DC …- UNIDO… essential in providing the infrastructure for global e-commerce. - International Law SectionEC-DC - Bridging the Digital Divide - International Security Review“… enabling one of the largest certified communities in the world…” - SmartCard Central
ITU E-Security– Solutions & Services Operational Certification Authority for DCs PKI-enabled Applications for Various Sectors Generic Cost-effective and Scalable Platform Strong Security - PSE (tokens, smart cards) Services and Solutions for Various Sectors
World e-Trust MoU–the way forward With more than 100 DCs and LDCs interested in E-Services infrastructure, how do we proceed? Objective: Technology neutral and technology independent framework for contributions towards a beneficial, non-exclusive, cost-effective and global deployment of secure e-transaction infrastructures, applications and services in DCs and LDCs worldwide. Framework: Self regulatory, self funding consisting of a Depository, a Steering Committee and Working Groups to undertake project activities. Signatories: ITU Member States, Sector Members, public or private sector willing to contribute to one or more activities to be undertaken within an established Working Group. Entry in Force: Signature of ITU, at least 5 Contributing entities and at least 10 Member States.