ACG 5458 Encryption, Digital Signatures, and Message Digests
Cryptography and Authentication • Security Issues • Encryption Techniques, Key Infrastructures and Key Management • Digital Signature Technology • Role of Certificate Authorities in Key Management
Five Security Services that Ensure Reliable, Trustworthy Transmission of Business Messages • Confidentiality • Integrity • Nonrepudiation • Authentication • Authorization (Access Control)
Overview of Primary Security Issues • Confidentiality: objective is privacy of message; technique is encryption • Message Integrity: objective is detecting message tampering; techniques are message hashing (digest) and digital signatures • Authentication: objective is origin verification; techniques are something you are, something you have, something you know • Non-repudiation: objective is proof of origin, time, and exact contents; techniques are digital signatures, time stamps, and bi-directional hashing • Access Controls: objective is limiting entry to authorized users; techniques are firewalls and authentication controls
Confidentiality • Confidentiality refers to the unavailability of a message to non-authorized readers • On the Internet, that involves making the message uninterpretable by others, usually through encryption
Integrity Integrity refers to the confidence that the contents of the message received are exactly the same as the contents of the message sent by the sender. Verification of integrity involves both the sender and the receiver calculating a hash total of the message and the receiver verifying that the two match, similar to a check-sum digit. SHA-1 (Secure Hash Algorithm 1) is a standard hashing algorithm.
Authentication Authentication refers to the confidence that the message received really came from the party the sender claims to be. For Internet messages, authentication involves showing one, two or three of the following factors: • Something only you have (token) • Something only you know (PIN) • Something only you are (fingerprints or signature) Common authentication measures include: tokens, digital signatures, biometric devices, challenge-response systems, bi-directional digests, one-time passwords, and smart cards
Nonrepudiation Nonrepudiation eliminates the ability of the sender to deny that a communication or transaction has occurred. Nonrepudiation involves • Proof of origin (sender authentication) • Proof of time (time message was created or sent) • Proof of content (message integrity) It can also include proof of receipt by the recipient
Access Controls Access controls refer to restricting unauthorized parties from entry to data sharing. Common access controls include firewalls and authentication controls
Encryption Techniques • Encryption is the transformation of data via a one-way mathematical function, into a form that is unreadable by anyone who does not possess the appropriate key. • Key: binary code used to transform the data • Cleartext: message in readable form • Ciphertext: encrypted message
What Determines Cryptography Strength? • The cryptographic algorithm • The length of the key (direct relationship to strength of security: longer is better) • The protocol used to generate/manage/store the keys
Symmetric Encryption • Secret key: so how do you share it? • Fast speed and difficult to crack if key is large • Single DES: developed by IBM in 1977; 56 bits • Can be cracked in less than a day • Triple DES: encrypts-decrypts-encrypts with 2 keys • New standard: AES – 128, 192, 256 bit keys • “Rijndael” winner of the international competition
[Figure: Single Symmetric Encryption Method. The sender encrypts the cleartext message with an AES key; the receiver decrypts the encoded message back to cleartext with an identical AES key.]
PKE - Public-Private Key Pairs • Uses a one-way function to develop a public and private key • Private key will encrypt, but not decrypt and vice versa • RSA is the primary key pair technology • Can be used in a variety of ways – Get the basics and then consider how it is applied in practice
[Figure: PKE Used to Provide Confidentiality. The student encrypts a message about Penelope's medical condition with the professor's public key; the professor decrypts the encoded message with the professor's private key. Confidentiality without origin authentication.]
[Figure: PKE Used to Authenticate Sender. The professor encrypts a meeting request with the professor's private key; the student (Penelope) decrypts the encoded message with the professor's public key. Origin authentication because only the professor has the professor's private key.]
[Figure: PKE Used to Provide Confidentiality and Authentication of Sender. The professor, sending Penny her grade, encrypts with the professor's private key and with Penelope's public key; Penny decrypts the double encoded message with Penelope's private key and the professor's public key. Origin authentication and confidentiality, but way too slow.]
[Figure: Symmetric and PKE Combination. The sender encrypts the clear text with a random AES key and encrypts that AES key with the recipient's public key; the receiver decrypts the AES key with the recipient's private key and uses it to decrypt the AES encoded message.]
Message Hashing A message hash (or digest) is a mathematical representation of the message that has the following characteristics: • Uses a “one way” mathematical function • The full data set cannot be reproduced from the hash • No two data sets will result in the same hash • Used to determine if a message has been altered • Can be used with encrypted and nonencrypted data • Similar to an accounting check-sum control
Message Hash and Digital Signatures Digital signatures are message digests (hashes) that are encrypted with the sender’s private key. The encrypted hash is sent with the message as the signature. Digital signatures • Bind the message origin to the exact contents of the message • Establish sender authentication and message integrity (nonrepudiation)
[Figure: Digital Signature and Encryption for Confidentiality. The sender encrypts the clear text with a random DES key, encrypts that DES key with the recipient's public key, calculates a digest of the clear text and encrypts the digest with the sender's private key. The receiver decrypts the DES key with the recipient's private key, decrypts the DES encoded message, decrypts the encoded digest with the sender's public key, then recalculates and verifies the digest.]
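The combined scheme on the slide above, as an added example that is not part of the original slides: the message is encrypted under a random session key, the session key is wrapped with the recipient's public key, and a SHA-256 digest of the message is signed with the sender's private key. Assumptions: textbook RSA without padding on small fixed primes, SHA-256 in place of SHA-1, and a SHA-256 keystream standing in for the AES/DES cipher, so the code shows the data flow only and all names are hypothetical.

```python
import hashlib
import secrets

# Toy RSA keys from known Mersenne primes (constructed for this demo only;
# real keys use large random primes and a padding scheme such as OAEP/PSS).
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return (n, e), (n, d)              # (public key, private key)

SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def digest_int(message, n):
    # Message digest as an integer, reduced so it fits the toy modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, priv):
    n, d = priv
    return pow(digest_int(message, n), d, n)  # digest "encrypted" with private key

def verify(message, signature, pub):
    n, e = pub
    return pow(signature, e, n) == digest_int(message, n)

def keystream_xor(key, data):
    # Stand-in for the symmetric cipher: XOR with a SHA-256 counter keystream.
    # The same call encrypts and decrypts.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def send(message, sender_priv, recip_pub):
    session_key = secrets.token_bytes(16)          # random symmetric key
    n, e = recip_pub
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    ciphertext = keystream_xor(session_key, message)
    return wrapped_key, ciphertext, sign(message, sender_priv)

def receive(packet, recip_priv, sender_pub):
    wrapped_key, ciphertext, signature = packet
    n, d = recip_priv
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    message = keystream_xor(session_key, ciphertext)
    # Returns the recovered text and whether the signature checks out
    return message, verify(message, signature, sender_pub)
```

Flipping a single bit of the ciphertext makes `receive` return `False` for the signature check, which is the tamper detection the digest provides.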
Certificate Authorities Certificate authorities manage key pairs, verify key holders/users and issue digital certificates • VeriSign is the largest CA • Issues/Revokes key certificates • Publishes certificate revocation lists (CRLs) • May issue various grades of certificates • Industry standard for a digital certificate is ITU-T X.509
[Figure: X.509 version 3 Certificate Format. The To Be Signed Certificate contains: Version; Serial Number (counter of certificates issued by this CA); Signature Algorithm Identifier (algorithm object ID, optional parameters); Issuer (CA's DN); Validity Time Period; Subject (user's DN); Subject Public Key Info (algorithm object ID, optional parameters, public key); and optional Extensions (extension object ID, criticality flag, extension value). The certificate also carries the Signature Algorithm Identifier and the Signature. DN = Distinguished Name.]
[Figure: General Certification Authority, Scenario A. The public certificate authority provides key generating software, verifies the individual, issues the certificate, and maintains the public key and certificate. The individual provides proof of identification, generates their own key pair, and keeps the private key.]
Key Management • Key generation • Key registration • Key escrow and recovery • Key updates and replacement • Key revocation and destruction
Implications for the Accounting Profession Accountants need skills to understand • Confidentiality • Message Integrity • Authentication • Nonrepudiation • Access Controls • Internal Control and Risk Analysis