Download Security - The University of Texas at Dallas

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Cracking of wireless networks wikipedia , lookup

Cross-site scripting wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Wireless security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Unix security wikipedia , lookup

Security printing wikipedia , lookup

Mobile security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Authentication wikipedia , lookup

Computer security wikipedia , lookup

Cryptography wikipedia , lookup

Electronic authentication wikipedia , lookup

SHA-1 wikipedia , lookup

History of cryptography wikipedia , lookup

Web of trust wikipedia , lookup

Social engineering (security) wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Rainbow table wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

3-D Secure wikipedia , lookup

Certificate authority wikipedia , lookup

Cryptographic hash function wikipedia , lookup

Digital signature wikipedia , lookup

Transcript 
iSecuritas, Inc.
secure authenticated data exchange
Internet Security
UTD EMBA
March 30, 2001
iSecuritas, Inc. Confidential
1
Who were the first “hackers”?
• MIT's Tech Model Railroad Club
• PDP - 1
• 1961
iSecuritas, Inc. Confidential
2
You know your co-worker is a hacker when...
• Everyone who ticks him or her off gets a $26,000 phone
bill
• Has won the Publisher's Clearing House Sweepstakes
three years running
• Massive 401k contribution made in half-cent increments
• You hear them murmur, "Let's see you use that VISA
card now, Professor "I-Don't-Give-A's-To Any MBA
Candidate!"
iSecuritas, Inc. Confidential
3
How Secure is e-Business?
•Security attacks cost U.S. corporations $266 million last year. That's
more than double the average annual losses over the past three years.
•Cyber-crimes being investigated by the FBI have more than doubled in
the past year.
• In 1999, the number soared to over 8,300 according to reports filed
with the Computer Emergency Response Team, or CERT, at Carnegie
Mellon University in Pittsburgh.
•90 percent of survey respondents (primarily large corporations and
government agencies) detected some form of security breach last year.
•70 percent of respondents reported a serious security breach in the past
year (ie: financial fraud, denial of service attacks and data theft).
According to a report recently released by the Computer Security
Institute and the FBI Computer Intrusion Squad.
iSecuritas, Inc. Confidential
4
Categories of Internet Security
• Website Security
• Email Security
• Authentication
iSecuritas, Inc. Confidential
5
All Systems are Breakable!
iSecuritas, Inc. Confidential
6
Website Security
• Prevent Unauthorized Access to Website
– Manipulation of Website Information
– Protection of Proprietary Data
• Credit Card Numbers
• Confidential Customer Data
• Financial Information
iSecuritas, Inc. Confidential
7
Website Security
Website Security can be achieved by:
• Firewalls
• Software & System Architecture
• Security Procedures
iSecuritas, Inc. Confidential
8
In God We Trust….
All Others We Monitor
iSecuritas, Inc. Confidential
9
Email Security
Case Studies:
• International Satellite Company
• International Restaurant Company
• Your Company?
iSecuritas, Inc. Confidential
10
Email Security
Email Security can be achieved with:
• Encryption Software
– PGP, RSA, etc.
• ASP Based Secure Messaging
– iSecuritas
iSecuritas, Inc. Confidential
11
Authentication
iSecuritas, Inc. Confidential
12
Authentication
iSecuritas, Inc. Confidential
13
E-Sign Law
New Law for E-Signatures
• Electronic Signatures in Global and National
Commerce Act
• Effective October 1, 2000
• Nationwide Legality of Digital Signatures
• Agnostic about Implementation of e-Signatures
• Electronic Notarizations
• Opportunity to marry e-commerce with official,
regulated way for confirming identity
• Reduces Fraud possible with Paper Based Notaries
iSecuritas, Inc. Confidential
14
Authentication
Problem – Identity Theft
• Fastest Growing Financial Crime
» Industry Standard – August 21, 2000
• Theft of:
• Social Security Numbers
• Drivers License Numbers
• Mothers’ Maiden Names
• $1 Billion Problem?
iSecuritas, Inc. Confidential
15
Authentication
Problem – Identity Theft
Abraham Abdallah
“a pudgy, convicted swindler and high school dropout”,
NY Post March 20, 2001
Nyquist vs. E*Trade
[Buckman, "Heavy Losses: The Rise and Collapse of a Day
Trader," Wall Street Journal, Feb. 28, 2000]
iSecuritas, Inc. Confidential
16
Authentication
Solutions (?)
• Credit Card Transactions
• Digital Certificates
• Authentication Services
iSecuritas, Inc. Confidential
17
iSecuritas & MBE
iSecuritas, Inc. Confidential
18
iSecuritas, Inc. Confidential
Example 1: A CA Needs to Issue a Legally Binding Certificate
1)
User requests
certificate from CA’s
web site.
3)
10)
2)
8)
9)
CA releases
certificate and
notifies user.
IS sends
e-mail to
signer.
5)
CA web site submits
request to IS.
IS notifies CA.
6)
7)
Signer
visits
notary.
Notary ID’s signer,
fetches documents from
IS, witnesses signing
act.
CA fetches signed
document(s) from
IS.
iSecuritas, Inc. Confidential
4)
Notary D-signs
documents and
statements, then
forwards to IS.
IS applies 3rd party timestamp.
20
Example 2: A Corporate Banker Needs a Notarized Signature
3)
1)
Banker submits a
signature request
to his company’s
mainframe.
2)
8)
9)
Banker fetches
signed
document(s)
from IS.
iSecuritas, Inc. Confidential
4)
IS sends
e-mail to
signer
5)
Mainframe submits
request to IS
Notary ID’s signer,
and fetches
documents from IS
IS notifies banker.
7)
Signer
visits
notary
6)
IS applies 3rd party timestamp.
Notary D-signs
documents and
statements, then
forwards to IS.
21
Example 3: A Distributor Needs a Digital Signature on a PO
1)
9)
Signed
PO sent
to
account
rep ,
billing,
shipping,
etc..
2)
Distributor
fetches signed
PO from IS.
iSecuritas, Inc. Confidential
4)
3)
IS sends
e-mail to
signer.
User
fetches
PO.
5)
User fills out
and D-Signs
PO with
notarized
certificate,
sends signed
PO to IS.
Web site submits
request to IS.
7)
8)
User requests
PO on
distributor’s
web site.
IS notifies Distributor.
6)
IS applies 3rd party timestamp.
22
Encrypting with X.509
Bank wants to send Lawyer a secret message, but must do so
on the public internet.
Lawyer
gives
Bank their
certificate.
But
Lawyer
uses the
gibberish
iSecuritas, Inc. Confidential
Bank
verifies the
certificate
with the
CA.
And their
private
key
Bank uses
the public
key from and a secret
Lawyer’s message to
certificate, Lawyer,
As input to a
decryption
engine
as input
to an
encrypti
on
engine,
to produce
what looks
like
gibberish
To find out
what Bank
had to say
23
Signing with X.509
Lawyer wants proof that Bank wrote the message.
as input to a
Bank uses their hash engine
gibberish
to produce a
hash,(signature) and their
and uses this hash private key
as input to an
encryption
engine
and adds the
encrypted hash
to their
gibberish.
to produce a hash.
Lawyer uses the as input to a
hash engine
gibberish (not
the hash)
iSecuritas, Inc. Confidential
Then Lawyer takes
Bank’s encrypted
hash
and Bank’s
public key
as input to a
decryption
engine
to produce a hash. If
both hashes match, then
Lawyer knows that
Bank signed the
message.
24
X.509 Receipt
Bank wants proof that Lawyer saw the message on the Internet, Lawyer
must prove it.
Lawyer uses as input to
a hash
Bank’s
engine
message
Bank uses the
signature
and
Lawyer’s
public key
iSecuritas, Inc. Confidential
to produce a
hash, and uses and
this hash
private
key
to produce a hash.
as input to a
decryption
engine
as input to an
encryption
engine
Bank uses his
original
message
To produce an
encrypted
hash
(signature)
as input to
a hash
engine
to produce a
hash, if the
hashes match,
we have a valid
signature.
25
Obtaining an X.509 Certificate
Use a random
number to
generate
HUGE prime
numbers and
then create a
key pair.
Use the public
key and various
bits of
identifying data
to construct a
certificate
request,
iSecuritas, Inc. Confidential
Encrypt the private key with
a GOOD password that you
have memorized,
Name
E-Mail
Address
Etc.
and send it to the Certificate
Authority. They will investigate
your identity to varying degrees,
create a certificate that includes a
hash encrypted with their private
key,
and then store
it away some
place safe.
and then send
you a copy as
well as making it
a public record.
26
Related documents
Competitive Analysis - Green Technology Asia Pte Ltd
Competitive Analysis - Green Technology Asia Pte Ltd
User Defined Tag 1 - DA Document Manager
User Defined Tag 1 - DA Document Manager
What is the Patient Safety Communication System? It is a system
What is the Patient Safety Communication System? It is a system
Customer Spend Profile
Customer Spend Profile
GF-244: Cover Sheet for Confidential Records
GF-244: Cover Sheet for Confidential Records
RECEIVE AND TRANSMIT INFORMATION
RECEIVE AND TRANSMIT INFORMATION
Databases at Risk - ESG - Enterprise Strategy Group
Databases at Risk - ESG - Enterprise Strategy Group
Confidentiality Agreement – Management
Confidentiality Agreement – Management
Sales and Marketing Executive Why you`ll be so
Sales and Marketing Executive Why you`ll be so
best practice clinical note taking
best practice clinical note taking