Digital Security, Lukito Edi Nugroho

DESCRIPTION

Lecture material for the Electronic Services course

1. Digital Security, Lukito Edi Nugroho

2. Electronic Transactions
  • Transaction: "an action or activity involving two parties or things that reciprocally affect or influence each other" [Merriam-Webster's Dictionary of Law]
  • Usually involves the exchange or transfer of goods, services, or money
  • An electronic transaction is a transaction that uses electronic media
      - Computers as the processing tool
      - The exchange or transfer takes place over computer networks and the Internet

3. Electronic Transactions
  • Electronic transactions are generally:
      - Indirect: the exchange or transfer passes through one or more external parties
      - The two parties involved do not meet physically
  • Electronic transactions are potential targets of security disruptions/threats because:
      - The data/information involved has value
      - The virtual distance between the parties involved makes intervention by external parties possible

4. Types of Threats/Attacks
  • Access attacks
      - Attempt to gain access to various computer resources or to data/information
  • Modification attacks
      - Preceded by an attempt to gain access, followed by unauthorized alteration of data/information
  • Denial of service attacks
      - Hinder the provision of a service by disrupting the computer network

5. Access Attacks
  • Dumpster diving: searching for information in piles of discarded paper/documents
  • Eavesdropping: listening to a conversation/communication between two parties
  • Snooping: peeking at the contents of other people's files (physically or electronically)
  • Interception: monitoring data traffic on a computer network

6. Ways of Carrying Out Access Attacks: Sniffing
  • Exploits the broadcasting method used in LANs
  • "Bends" the Ethernet rules by making the network interface work in promiscuous mode
  • Examples of sniffers: Sniffit, TCP Dump, Linsniffer
  • Preventing the negative effects of sniffing
      - Sniffer detection (local & remote)
      - Use of cryptography (e.g. ssh as a replacement for telnet)

7. Ways of Carrying Out Access Attacks: Spoofing
  • Gaining access by pretending to be someone or something that has valid access rights
  • The spoofer tries to obtain data from a legitimate user in order to get into the system (e.g. username & password)
  • [Diagram, two steps. Labels of the first: Client, Attacker, Server, "Logon", "Invalid logon". Labels of the second: Client, Server, "Logon", "Logon succeeds".]
  • At this point, the attacker has obtained a valid username & password for getting into the server

8. Ways of Carrying Out Access Attacks: Man-in-the-middle
  • Makes the client and the server both believe that they are communicating with the intended party (the client thinks it is talking to the server, and vice versa)
  • [Diagram labels: Client, Man-in-the-middle, Server]

9. Ways of Carrying Out Access Attacks: Password Guessing
  • Done systematically, using the brute-force or the dictionary technique
  • Brute-force technique: try every possible password
  • Dictionary technique: try a collection of commonly used words, or words related to the user being targeted (date of birth, child's name, etc.)

10. Modification Attacks
  • Usually preceded by an access attack to gain access
  • Carried out to profit from the changed information
  • Examples:
      - Changing course grades
      - Deleting debt records at a bank
      - Changing the appearance of a web site

11. Denial of Service Attacks
  • Try to prevent legitimate users from accessing a resource or information
  • Usually aimed at parties with broad and strong influence (e.g. large companies, political figures, etc.)
  • DoS techniques
      - Disrupting an application (e.g. bringing a web server down)
      - Disrupting a system (e.g. bringing an operating system down)
      - Disrupting a network (e.g. with a TCP SYN flood)

12. Cryptography
  • A technique for increasing the security of data/information by disguising it in a form that cannot be understood easily
  • Processes: encryption and decryption
  • Components of cryptography
      - Encryption (and decryption) function
      - Key
  • The strength of a cryptographic method lies in the strength of its algorithm and in how secret the key is kept

13. Types of Cryptography
  • Symmetric cryptography
      - Encryption key = decryption key
      - Strength: fast (because it is simple)
      - Weakness: how can the key be distributed secretly?
  • Asymmetric cryptography (a.k.a. public-key cryptography)
      - The encryption key is public, the decryption key is private
      - Strength: allows data exchange between parties who do not know each other
      - Weakness: slower than symmetric cryptography (because the algorithm is more complex)

14. Types of Cryptography
  • Hybrid cryptography
      - A session key that is unique and used only once
      - Symmetric technique: encryption & decryption of the data/message
      - Asymmetric technique: encryption & decryption of the session key
  • The hybrid technique combines the strengths of the other two
      - The symmetric technique handles the data/message: fast
      - The asymmetric technique allows data to be exchanged securely in a public environment

15. Digital Certificates
  • Authentic proof of the right to carry out transactions for the services provided
  • Important for on-line services, to assure users that they are accessing the service they intended
      - Example: the KlikBCA case several years ago
  • Digital certificates are issued by a trusted third-party institution called a Certificate Authority

16. Secure Protocols
  • Secure Socket Layer (SSL)
      - Developed by Netscape: security at the transport layer
      - Used to secure communication between client and browser: https (http over ssl)
  • Secure HTTP (shttp)
  • Secure shell (SSH) as a replacement for telnet

17. The Vision of Korean E-Government
  • World's Foremost Open E-Government
      - Network based Government: innovate service delivery mechanisms
      - Knowledge based Government: enhance efficiency and transparency of the public sector
      - Participatory Government: realize sovereignty of the people
  • Provide various information and integrated services
  • [Diagram; recoverable labels: Knowledge sharing, Collective opinion/resolution, Internet petition, Portal, Mobile platform, Public/local office, Integrated civil petition processing center (petition through fax, e-mail, Internet, etc.), Fax, mail, telephone, Visiting, Information and service, Agency web sites, Government agencies, Link between agencies]
  • Source: Tai M. Chung, Internet Management Technology Lab., Sungkyunkwan University

18. Requirements for good e-Gov services
  • Readiness: service that everyone can use (whoever)
  • Convenience: easy services to use (whenever, wherever)
  • Reliability: service that is always usable (whenever)
  • Security: service that is secured; make private information secure

19. A case of Phishing
  • Phishing = Private data + fishing
  • The email comes with various attributes of the legitimate bank
  • The phish site indeed looks like a simple legitimate survey, except for the demand for a user ID or a debit card number
  • [Screenshot labels: Fabricated e-mail, Fabricated URL, Card number, Fabricated web site]

20. Attacking Objects are Generalized
  • From special targets like Internet banking to everything
  • Information systems are all related to the offline systems in life
  • [Diagram labels: Attacking special target (homepage fabrication, Internet banking, service denial); Every system networked to information systems]

21. Need for e-Gov Security
  • [Diagram; recoverable labels: G2B (Gov & Industry, Gov. Support, Outsourcing), G2G (Information Sharing, Networking), G2C (Public Opinion, E-Petition Service, Public welfare); Attacking Privacy, Attacking Multiple Targets, Attacking Enterprise Information, Targets networked, Attacking Critical Infrastructure, Threats to Shared Information]

22. Security Measures for e-Government
  • [Diagram; recoverable labels: Management, Technology, Physical Security, Ubiquitous Government, Access Control, Authentication, Encryption, Task Balance, Access Control, Human Resource, Non-repudiation, Integrity, Education, Laws & Regulations, National Collaboration, Research & Development, Escort Service, Backup & ER, Gate Control]

23. Solutions for Content Security - DRM
  • [Diagram; recoverable labels: User A, User B, DRM Client, Original Doc, Encrypted (Packaged) Doc, Encrypted Doc, Enterprise Applications (EDMS, KMS, E-mail), DRM Module, DRM Server (Packaging Server, Licensing Manager, Usage Tracing, Usage Data, Directory Interface, Policy Manager Server), Directory Server, Control Flow, Doc Flow]

24. How it works
  • Administrator: manages security policy and users' authority, and monitors a robust audit trail using a web-based management tool
  • All documents are automatically encrypted according to the user's authority when the user requests a document from the DMS Server
  • User B is blocked from approaching the DMS System
  • Unauthorized internal user B has no authority to open any documents
  • Illegal external user can't open the document
  • [Diagram labels: Document Management System with DocumentSafer Server, Authorized Internal User A, Unauthorized Internal User B, Outflow, External User]

25. Services to be Protected
  • e-national defense, e-finance, e-gov, e-commerce, e-community, e-education
  • Secure World
      - Circulation & Management of Secure Document
      - Development of Social atmosphere
      - Secure e-petition & e-commerce
      - Implementation of Encryption System

26. A Standards-Based Framework for a Single European Electronic Market (SEEM)
  • Open, global standards, protocols & interfaces
  • Interoperable applications and platforms
  • Trusted and sustainable infrastructure
  • Compatibility between business practices
  • Catalog information exchange
  • Payment methods
  • Security

27. e-Gov Procurement (e-GP) Example
  • Standards:
      - Prevent failures
      - Increase efficiency of complex operations
      - Introduce order and predictability in electronic exchanges
      - Reduce risk
      - Increase trust
      - Enhance B2G/G2G connectivity and interoperability
      - Generate trust in electronic experience
      - Enhance competition and inclusion
      - Enhance efficiency and flexibility of public procurement function
      - Enhance cooperation and transparency
      - Facilitate evolution and innovation
      - Increase return, reliability of investments
      - Avoid vendor lock-in

28. SOME STANDARDS FOR eGP DATA CENTER
  • IT Service Management (ISO/IEC 20000)
  • Site security (RFC 2196)
  • Network security (ISO/IEC 18028-1)
  • Computer security (ISO/IEC 15408)
  • Directory Service (LDAP, DSML)
  • Reliability (HTTP-R)
  • [Diagram center label: eGP Data Processing Center]

29. SOME STANDARDS FOR eGP TRANSACTION SYSTEMS
  • Information security management (ISO/IEC 27001)
  • Information Security Controls (ISO 17999)
  • Reliability (HTTP-R)
  • Information Security Testing (OSSTMM)
  • [Diagram labels: eGP System, System integration/Collaboration Facilities, E-Catalog Purchasing, E-Reverse Auctions, E-Tendering]
  • (Slide footer date: … 27, 2009)

30. KEY STANDARDS FOR eGP eTENDERING SYSTEM
  • Authentication (X509, XML DSig, XKMS)
  • Traceability (ISO 13335)
  • Encryption (SSL, XML Encryp)
  • [Diagram; recoverable labels: Questions & Answers, Q&As, Supplier Roster, Supplier Profiles, Suppliers, Buyers, Document Store, Bid Documents, Bid Vault, Encrypted Bids, Decrypted Bids, Encrypted Receipts, Processing Timetable]

31. Estonian ID card and PKI
  • The purpose of the Estonian ID-card project was to use a nation-wide electronic identity and to develop a new personal identification card that would be a generally acceptable identification document and contain both visually and electronically accessible information.
  • The Estonian ID-card facilities:
      - The certificate inserted in the ID-card includes the personal identification code, which makes it possible to identify the individual at once.
      - A certificate that enables signing documents according to the Digital Signatures Act is inserted in the ID-card chip.
  • There are many similar projects in other countries (Belgium, Finland, Italy etc.), but large-scale use of ID-card services is found in Estonia, as a pilot country.

32. eServices
  • The set of facilities for the IS:
      - Authentication (ID-card + 5 Internet bank services);
      - Authorization;
      - MISP (Mini Info System Portal) portal services;
      - Simple queries to Estonian national databases;
      - The facilities for developing complex business model queries (queries to different databases and registers);
      - The writing operation into databases;
      - The facility to send large amounts of data (over 10Mb) from database to database over the Internet;
      - Secure data exchange, log storing;
      - Query surveillance possibility;
      - The integration with the citizen portal for adding new services;
      - The integration with the entrepreneurs' portal for adding new services;
      - Central and local monitoring;
      - The special database for storing the services' WSDL descriptions.

33. Functional scheme
  • [Diagram; recoverable labels: Authentication, CA of servers, CA of citizens, Users, Citizen, Civil servant, Portal, Central server, Internet, Security server, SSL channels, digitally signed encrypted messages, Adapter server, MISP server, Central monitoring, Local monitoring, Database, IS of an organization, Database processors]

34. Germany's e-Gov
  • Security as a key requirement for eGovernment Web Services
      - Paperless processes
      - Electronic forms with electronic signatures
      - Encryption for confidentiality, PKI for authentication
  • Development of OSCI-Transport 1.2 in 2002
      - Secure message exchange based on XML technologies
      - Implementing a registry for OSCI-Transport based Web Services
  • Interconnecting the Registries of Residents as killer application
      - Standardization at the application level (OSCI-XMeld)
      - Nation-wide in use since Jan. 1, 2007
      - Other applications followed (e.g. Interior, Justice, Finance)
  • Next steps
      - Adopting international web service security in OSCI-Transport 2
      - New projects at the European level
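
For the password-guessing slide (slide 9), an added example that is not part of the original lecture material: a check run when a user sets a password, rejecting candidates that the dictionary technique would find (common words, or words derived from the user's own name, child's name and date of birth) and estimating the brute-force search space. The word list, the user record, the function names and the 60-bit threshold are assumptions made for illustration.

```python
import math
import string
from datetime import date

# Constructed sample; a real check would load a large list of leaked passwords.
COMMON_WORDS = {"password", "qwerty", "welcome", "admin", "letmein", "123456"}
# Undo the usual character substitutions before matching dictionary words.
LEET = str.maketrans("013457@$", "oleastas")

def user_tokens(names, birth):
    """Words a dictionary attack would derive from facts about the user."""
    tokens = {part.lower() for n in names for part in n.split() if len(part) >= 3}
    dd, mm, yyyy = f"{birth.day:02d}", f"{birth.month:02d}", str(birth.year)
    tokens |= {dd + mm + yyyy, yyyy + mm + dd, dd + mm + yyyy[2:], yyyy}
    return tokens

def brute_force_bits(password):
    """Upper bound, in bits, on the work to try every password of this shape."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def assess(password, tokens, min_bits=60):
    """Return the reasons to reject a candidate password (empty list = accept)."""
    raw = password.lower()
    plain = raw.translate(LEET)
    hits = sorted(t for t in tokens | COMMON_WORDS if t in raw or t in plain)
    reasons = [f"dictionary: contains '{t}'" for t in hits]
    bits = brute_force_bits(password)
    if bits < min_bits:
        reasons.append(f"brute force: only {bits:.0f} bits of search space")
    return reasons

if __name__ == "__main__":
    # Constructed user record: name, child's name, date of birth.
    tokens = user_tokens(["Budi Santoso", "Sari"], date(1990, 8, 17))
    for candidate in ("S4ri17081990", "P@ssw0rd!", "tq9#Lm2&vX7p"):
        print(candidate, "->", assess(candidate, tokens) or "accepted")
```

The first candidate passes the length-based estimate yet is rejected, because it is built from the child's name and the birth date; this is the case the dictionary technique covers and a pure brute-force estimate misses.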
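
The hybrid scheme from slide 14, as an added example that is not part of the original lecture material: a fresh session key encrypts the message with a symmetric cipher, and only that session key is encrypted with the recipient's public key. Assumptions: textbook RSA over two small primes and a SHA-256 keystream stand in for RSA-OAEP and AES so that the block runs on the Python standard library alone, the function names are hypothetical, and the integrity tag goes beyond what the slide lists.

```python
import hashlib
import hmac
import secrets

# Toy recipient key pair (constructed): textbook RSA over two Mersenne primes.
# It stands in for RSA-OAEP with a key of 2048 bits or more.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent

def _subkeys(session):
    """Derive separate encryption and MAC keys from the session secret."""
    raw = session.to_bytes(19, "big")      # 19 bytes holds any value below N
    return (hashlib.sha256(b"enc" + raw).digest(),
            hashlib.sha256(b"mac" + raw).digest())

def _keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def hybrid_encrypt(message, public=(N, E)):
    n, e = public
    session = secrets.randbits(128)                # unique, single-use session key
    enc_key, mac_key = _subkeys(session)
    body = _keystream_xor(enc_key, message)        # symmetric: the bulk data
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    wrapped = pow(session, e, n)                   # asymmetric: the session key only
    return {"wrapped_key": wrapped, "body": body, "tag": tag}

def hybrid_decrypt(bundle, private=(N, D)):
    n, d = private
    session = pow(bundle["wrapped_key"], d, n)     # unwrap with the private key
    enc_key, mac_key = _subkeys(session)
    expected = hmac.new(mac_key, bundle["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        raise ValueError("bundle was modified or wrapped for another key")
    return _keystream_xor(enc_key, bundle["body"])

if __name__ == "__main__":
    sent = hybrid_encrypt(b"constructed sample message for the recipient")
    print(hybrid_decrypt(sent))
```

The public-key operation touches only the 128-bit session key, however long the message is, which is where the speed advantage described on the slide comes from.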