The Internet and Network Security

Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi 11

The Internet and The Internet and Network SecurityNetwork Security

Dr. Tb. Maulana KusumaDr. Tb. Maulana [email protected]@staff.gunadarma.ac.id

http://staffsite.gunadarma.ac.id/mkusumahttp://staffsite.gunadarma.ac.id/mkusuma

Internet dan Jaringan KomputerInternet dan Jaringan Komputer

22Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi

An Overview of Telecommunications An Overview of Telecommunications and Networksand Networks

Telecommunications: Telecommunications: the electronic the electronic transmission of signals for transmission of signals for communicationscommunications

Telecommunications medium: Telecommunications medium: anything anything that carries an electronic signal and that carries an electronic signal and interfaces between a sending device and a interfaces between a sending device and a receiving devicereceiving device


An Overview of Telecommunications An Overview of Telecommunications and Networks (continued)and Networks (continued)


Use and Functioning of the InternetUse and Functioning of the Internet

Internet: Internet: a collection of interconnected a collection of interconnected networks, all freely exchanging informationnetworks, all freely exchanging information

ARPANETARPANET The ancestor of the InternetThe ancestor of the Internet A project started by the U.S. Department of A project started by the U.S. Department of

Defense (DoD) in 1969Defense (DoD) in 1969

Internet Protocol (IP): Internet Protocol (IP): communication communication standard that enables traffic to be routed standard that enables traffic to be routed from one network to another as neededfrom one network to another as needed


How the Internet WorksHow the Internet Works

The Internet transmits data from one computer The Internet transmits data from one computer (called a (called a hosthost) to another) to another

If the receiving computer is on a network to If the receiving computer is on a network to which the first computer is directly connected, it which the first computer is directly connected, it can send the message directlycan send the message directly

If the receiving computer is not on a network to If the receiving computer is not on a network to which the sending computer is connected, the which the sending computer is connected, the sending computer relays the message to sending computer relays the message to another computer that can forward itanother computer that can forward it


How the Internet Works (continued)How the Internet Works (continued)


How the Internet Works (continued)How the Internet Works (continued)

Data is passed in chunks called packetsData is passed in chunks called packets

Internet Protocol (IP): Internet Protocol (IP): communications communications standard that enables traffic to be routed from standard that enables traffic to be routed from one network to another as neededone network to another as needed

Transmission Control Protocol (TCP): Transmission Control Protocol (TCP): widely widely used transport-layer protocol that is used in used transport-layer protocol that is used in combination with IP by most Internet combination with IP by most Internet applicationsapplications

Uniform Resource Locator (URL): Uniform Resource Locator (URL): an assigned an assigned address on the Internet for each computeraddress on the Internet for each computer


Accessing the InternetAccessing the Internet

Connect via a LAN serverConnect via a LAN server

Connect via Serial Line Internet Protocol Connect via Serial Line Internet Protocol (SLIP)/Point-to-Point Protocol (PPP)(SLIP)/Point-to-Point Protocol (PPP)

Connect via an online serviceConnect via an online service

Other ways to connectOther ways to connect


Accessing the Internet Accessing the Internet (continued)(continued)


Internet and Telecommunications Internet and Telecommunications ServicesServices

E-mail and instant messagingE-mail and instant messaging Instant messaging:Instant messaging: a method that allows two a method that allows two

or more individuals to communicate online, or more individuals to communicate online, using the Internetusing the Internet

Internet cell phones and handheld computersInternet cell phones and handheld computers

Career information and job searchingCareer information and job searching

Web log (blog):Web log (blog): a Web site that people can a Web site that people can create and use to write about their observations, create and use to write about their observations, experiences, and feelings on a wide range of experiences, and feelings on a wide range of topicstopics


Internet and Telecommunications Internet and Telecommunications Services (continued)Services (continued)

Chat rooms:Chat rooms: enable two or more people to enable two or more people to engage in interactive “conversations” over the engage in interactive “conversations” over the InternetInternet

Internet phone and videoconferencing servicesInternet phone and videoconferencing services

Content streaming:Content streaming: a method for transferring a method for transferring multimedia files over the Internet so that the data multimedia files over the Internet so that the data stream of voice and pictures plays more or less stream of voice and pictures plays more or less continuously without a break, or very few of continuously without a break, or very few of themthem

Shopping on the WebShopping on the Web


Internet and Telecommunications Internet and Telecommunications Services (continued)Services (continued)

Web auctionsWeb auctions

Music, radio, and video on the InternetMusic, radio, and video on the Internet

Other Internet services and applicationsOther Internet services and applications


Intranets and ExtranetsIntranets and Extranets

IntranetIntranet Internal corporate network built using Internet Internal corporate network built using Internet

and World Wide Web standards and productsand World Wide Web standards and products Used by employees to gain access to Used by employees to gain access to

corporate informationcorporate information Slashes the need for paperSlashes the need for paper


Intranets and Extranets (continued)Intranets and Extranets (continued)

ExtranetExtranet A network based on Web technologies that links A network based on Web technologies that links

selected resources of a company’s intranet with its selected resources of a company’s intranet with its customers, suppliers, or other business partnerscustomers, suppliers, or other business partners

Virtual private network (VPN): Virtual private network (VPN): a secure connection a secure connection between two points across the Internetbetween two points across the Internet

Tunneling: Tunneling: the process by which VPNs transfer the process by which VPNs transfer information by encapsulating traffic in IP packets over information by encapsulating traffic in IP packets over the Internetthe Internet


Intranets and Extranets (continued)Intranets and Extranets (continued)


Net IssuesNet Issues

Management issuesManagement issues No centralized governing body controls the No centralized governing body controls the

InternetInternet

Service and speed issuesService and speed issues Web server computers can be overwhelmed by Web server computers can be overwhelmed by

the amount of “hits” (requests for pages) the amount of “hits” (requests for pages) More and more Web sites have video, audio clips, More and more Web sites have video, audio clips,

or other features that require faster Internet or other features that require faster Internet speedsspeeds


Net Issues (continued)Net Issues (continued)

PrivacyPrivacy Spyware:Spyware: hidden files and information trackers that hidden files and information trackers that

install themselves secretly when you visit some install themselves secretly when you visit some Internet sitesInternet sites

Cookie:Cookie: a text file that an Internet company can place a text file that an Internet company can place on the hard disk of a computer systemon the hard disk of a computer system

FraudFraud PhishingPhishing


Security ThreatsSecurity Threats


Passive AttacksPassive Attacks

Eavesdropping on transmissionsEavesdropping on transmissions

To obtain informationTo obtain information

Release of message contentsRelease of message contents Outsider learns content of transmissionOutsider learns content of transmission

Traffic analysisTraffic analysis By monitoring frequency and length of messages, By monitoring frequency and length of messages,

even encrypted, nature of communication may be even encrypted, nature of communication may be guessedguessed

Difficult to detectDifficult to detect

Can be preventedCan be prevented


Active AttacksActive Attacks

MasqueradeMasquerade Pretending to be a different entityPretending to be a different entity

ReplayReplay

Modification of messagesModification of messages

Denial of serviceDenial of service

Easy to detectEasy to detect Detection may lead to deterrentDetection may lead to deterrent

Hard to preventHard to prevent



Security with encryption and firewallsSecurity with encryption and firewalls Cryptography:Cryptography: converting a message into a secret converting a message into a secret

code and changing the encoded message back to code and changing the encoded message back to regular textregular text

Digital signature:Digital signature: encryption technique used to verify encryption technique used to verify the identity of a message sender for processing online the identity of a message sender for processing online financial transactionsfinancial transactions

Firewall:Firewall: a device that sits between an internal a device that sits between an internal network and the Internet, limiting access into and out network and the Internet, limiting access into and out of a network based on access policiesof a network based on access policies



Cryptography is the process of converting a message Cryptography is the process of converting a message into a secret code and changing the encoded message into a secret code and changing the encoded message back into regular text.back into regular text.

Magister Manajemen Sistem Informasi 23

An Introduction ToAn Introduction To

PUBLIC PUBLIC

KEYKEY

INFRASTRUCTUREINFRASTRUCTURE

Tb. Maulana KusumaTb. Maulana Kusuma

[email protected]


OutlineOutline

Introduction

How to build the trust ?

Basic Cryptography

One way hashing

Digital Signature

Certification Authority

CA Component

Future Technology


Electronic CommerceElectronic Commerce

Traditional TradingTraditional Trading• Paper Based

• Based on Trust

EDI (Electronic Data Interchange)EDI (Electronic Data Interchange)• Secure

• Closed• Proprietary

InternetInternet• Not Secure

• Open• Open System


Electronic Commerce : The ProblemElectronic Commerce : The Problem

Paper Based Trading

EDI (Electronic Data Interchange)

Internet Based E-Commerce

How to build the TRUST ?How to build the TRUST ?


Information over the Internet is Free, Available, Unencrypted, and Untrusted. Not desirable for many Applications

Electronic Commerce Software Products Financial Services Corporate Data Healthcare Subscriptions Legal Information

The Problem (cont’d)The Problem (cont’d)


Another ProblemAnother Problem


PrivacyPrivacy

IntegrityIntegrity

AuthenticationAuthentication

NonrepudiationNonrepudiation

Interception Spoofing

Modification Proof of parties involved

Multiple Security Issues to be SolvedMultiple Security Issues to be Solved


Trust in conducting e-commerceTrust in conducting e-commerce

AUTHENTICATIONAUTHENTICATION

to identify the parties involved

CONFIDENTIALITYCONFIDENTIALITY

to keep the information private

INTEGRITYINTEGRITY

to prevent the manipulation of information

NON-REPUDIATIONNON-REPUDIATION

to prevent the denial of information by the owner


Trust in paper based commerceTrust in paper based commerce

AUTHENTICATIONAUTHENTICATION

wrote a letter and sign

CONFIDENTIALITYCONFIDENTIALITY

put the letter in envelope and seal it

INTEGRITYINTEGRITY

send it by certified mail, make a copy and send it twice

NON-REPUDIATIONNON-REPUDIATION

have a witness verified that our signature was authentic


Technology OutlineTechnology Outline

Basic CryptographyBasic Cryptography• Symmetric Cryptography• Asymmetric Cryptography

One Way HashingOne Way Hashing

Digital SignatureDigital Signature

C.A. & Digital CertificateC.A. & Digital Certificate


Cryptography Cryptography ConceptsConcepts

Encryption :Kepada Yth Bapak Asep

di Tempat

Dengan hormat ….

Kami ingin memberitahukan bahwa gaji

bapak naik 100 % terhitung dari sekarang

Terimakasih

Ksjdksjdkskjksd

jsdkjsk

ksjdksjdksj

ksdjksdjskjdskjd skdj ksjdk sjd ksdjsj

ksjdksjdksj dksjd

jskdj sk

jsdkjskdjskjd

Decryption :Kepada Yth Bapak Asep

di Tempat

Dengan hormat ….

Kami ingin memberitahukan bahwa gaji

bapak naik 100 % terhitung dari sekarang

Terimakasih

Ksjdksjdkskjksd

jsdkjsk

ksjdksjdksj

ksdjksdjskjdskjd skdj ksjdk sjd ksdjsj

ksjdksjdksj dksjd

jskdj sk

jsdkjskdjskjd

Requires : an ALGORITHM and a KEY

cipher text

Algorithm


Symmetric CryptographySymmetric Cryptography

EncryptionKepada Yth Bapak Asep

di Tempat

Dengan hormat ….

Kami ingin memberitahukan ak naik 100

Kepada Yth Bapak Asep

di Tempat

Dengan hormat ….

Kami ingin memberitahukan

Algorithm

DecryptionKepada Yth Bapak Asep

di Tempat

Dengan hormat ….



di Tempat

Dengan hormat ….


Algorithm

Requires : SHARED KEY

Example : DES,IDEA,Red Pike,RC2,RC4


Symmetric Cryptography (cont’d)Symmetric Cryptography (cont’d)

Characteristic :

• High Performance

• Useful for Fast Encryption / Decryption

• Key management is not practical


Asymmetric CryptographyAsymmetric Cryptography

EncryptionKepada Yth Bapak Asep

di Tempat

Dengan hormat ….



di Tempat

Dengan hormat ….


Algorithm

Private KeyPrivate Key

DecryptionKepada Yth Bapak Asep

di Tempat

Dengan hormat ….



di Tempat

Dengan hormat ….


Algorithm

Public KeyPublic Key


Also known as Public Key Cryptography

• Public Key is distributed to public

• Private Key is kept private

• IF Private Key is used to encrypt then ONLY Public Key can decrypt

• IF Public Key is used to encrypt then ONLY Private Key can decrypt

Asymmetric Cryptography (cont’d)Asymmetric Cryptography (cont’d)


Public Key & Private Key :

• Generated as a pair of keys• Derived from very large prime number• It’s impossible to determine one knowing each other• Strength of Key : 512 bit, 1024 bit, 2048 bit ……• Example : RSA, ECC, DSA

Asymmetric Cryptography (cont’d)Asymmetric Cryptography (cont’d)


One Way HashOne Way Hash


di Tempat

Dengan hormat ….


One way hashfunction

A0 B0 C0 E0 G0 D0F0 80 87 80 70 30

DIGEST / DIGEST / FINGERPRINTFINGERPRINT

• Produce unique fingerprint of data (128/160 bits)

• No Key is used

• Irreversible

• A one bit change in the message affects at least half the bits in the digest

• Used to determine if data has been changed


One Way Hash (cont’d)One Way Hash (cont’d)


di Tempat

Dengan hormat ….



A0 B0 C0 E0 30 70 80 A0

A0 B0 C0 E0 30 70 80 A0


A0 B0 C0 E0 30 70 80 A0


di Tempat

Dengan hormat ….


A0 B0 C0 E0 30 70 80 A0

equal ?

Example : MD5, SHA-1




di Tempat

Dengan hormat ….



A0 B0 C0 E0 G0 D0F0 80 87 80 70 30

Sender’sPrivate Key

ENCRYPT

XX B0 XX E0 XX D0F0 XX 87 XX 70 30

DIGITAL SIGNATURE


Whole MechanismWhole Mechanism


di Tempat

Dengan hormat ….


A0 B0 C0 E0 30 70 80 A0

A0 B0 C0 E0 30 70 80 A0


di Tempat

Dengan hormat ….


A0 B0 C0 E0 30 70 80 A0


di Tempat

Dengan hormat ….


A0 B0 C0 E0 30 70 80 A0

Budi AsepPrivate KeyPrivate Key


Private KeyPrivate Key



di Tempat

Dengan hormat ….


A0 B0 C0 E0 30 70 80 A0

A0 B0 C0 E0 30 70 80 A0

Equal ?

A0 B0 C0 E0 30 70 80 A0

A0 B0 C0 E0 30 70 80 A0


Achieving 4 Cornerstones of TrustAchieving 4 Cornerstones of Trust

AUTHENTICATIONAUTHENTICATIONthe use of private key to encrypt digest - only sender’s public key can decrypt

CONFIDENTIALITYCONFIDENTIALITYencrypt the message with recepient public key - only sender’s private key can decrypt

INTEGRITYINTEGRITYcomparing the digest from decrypting digital signature

NON-REPUDIATIONNON-REPUDIATIONdigital signature do the job


Services

Public Key Technology

Digital Certificates

Certification Authorities

Security Management

Technology

Infrastructure

PR

IVA

CY

AU

TH

EN

TIC

AT

ION

INT

EG

RIT

Y

NO

N-R

EP

UD

IAT

ION

• Public Key Technology Best Suited to Solve Business Needs• Infrastructure = Certification Authorities

Public Key SecurityPublic Key Security


About the KeyAbout the Key

• Pseudo Random Number• Key size is vital. The longest is the strongest.• Private Key must be kept private :

• File based storage (using PIN/ PassPhrase• SmartCard storage (using PIN as the protection


The Problem of Distributing Public KeyThe Problem of Distributing Public Key

MAN IN THE MIDDLE OF ATTACK


The Problem of Distributing Public KeyThe Problem of Distributing Public Key

How do I know who the public key belongs to ?

• Digital Certificates Digital Certificates

• Certification AuthorityCertification Authority


Digital Digital CertificateCertificate

• A certificate binds a public key to an owner

• It is the envelope to distribute public key

• The trusted CA digitally sign the certificate to verify the ownership of the key itself


Contain :• Detail about Owner• Detail about certificate issuer (CA)• Public Key• Validity and Expiration dates• Digital Signature of the certificate by the CA• Time Stamp

Distributed through Directory Server / LDAP (Lightweight Directory Access Protocol)

Digital Certificate (cont’d)Digital Certificate (cont’d)


Before two parties exchange data using Public Key cryptography, each wants to be sure that the other party is authenticated.

Before B accepts a message with A’s Digital Signature, B wants to be sure that the public key belongs to A and not to someone masquerading as A on an open network.

One way to be sure, is to use a trusted third party to authenticate that the public key belongs to A. Such a party is known as a Certification Authority (CA).

Once A has provided proof of identity, the Certification Authority creates a message containing A’s name and public key. This message is known as a Digital Certificate.

~~~~~~~~~~~~

DigitalSignature



• A Digital Certificate is simply an X.509 defined data structure with a Digital Signature. The data represents who owns the certificate, who signed the certificate, and other relevant information.

Version #Serial #

Signature AlgorithmIssuer Name

Validity PeriodSubject Name

Subject Public KeyIssuer Unique ID

Subject Unique IDExtensions


X.509 Certificate• When the signature is

generated by a Certification Authority (CA), the signature can be viewed as trusted.

• Since the data is signed, it can not be altered without detection.

• Extensions can be used to tailor certificates to meet the needs of end applications.

CA Authorized



Certificate: Data: Version: 3 (0x2) Serial Number: 30:fa:e0:de:85:a3:72:a3:9e:07:03:23:05:77:8c:4b:3d:2b:49:70 Signature Algorithm: sha1WithRSAEncryption Issuer: CN=AVITrust DEMO Certification/[email protected], OU=DEMO Certification, O=AVITrust, C=ID Validity Not Before: Mar 23 04:36:01 2001 GMT Not After : May 22 04:36:01 2001 GMT Subject: O=PHPCA, C=ID, CN=Avinanta Tarigan/[email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b1:66:84:83:fa:7d:c4:c9:40:c3:af:b6:0b:79: c0:06:d0:8e:d8:96:2f:66:64:a3:8f:ef:7b:e0:3b: 4a:e7:27:d7:48:28:e6:99:ef:2f:2d:45:a0:45:c6: 89:de:35:71:10:52:9e:87:40:40:46:a0:be:cd:68: a6:8c:a9:75:81:19:81:f6:14:d1:8f:b7:b0:51:21: eb:d3:aa:38:58:ca:f5:24:52:0a:6e:aa:60:79:09: d7:2d:42:64:84:4e:b4:82:11:48:6d:2d:ea:fe:87: 56:05:49:e0:33:df:ad:82:60:2b:34:9a:fc:7d:46: de:97:b9:e8:ce:6c:4f:da:8d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection Netscape Cert Type: SSL Client, S/MIME Netscape Comment: AVITrust Demo Certificate, for Cheating Purposes ONLY X509v3 Subject Key Identifier: 1C:39:81:38:6D:E0:DE:49:D6:E9:A1:D3:BF:1A:87:CB:86:8F:95:12 X509v3 Authority Key Identifier: keyid:2B:81:22:E4:D4:D1:28:4E:7C:E5:86:32:BF:29:35:54:99:FB:AA:8B

Signature Algorithm: sha1WithRSAEncryption 46:65:b0:ad:33:d3:17:b6:5c:4a:9d:0b:fd:4b:d2:80:ee:3b: cb:b3:30:f7:5a:fd:b3:24:79:45:d7:0a:b3:66:60:d8:8a:a0: 40:db:ea:39:0b:9e:d4:a7:a5:59:75:50:11:03:6a:ed:96:3f: f3:16:a3:f5:eb:f9:10:1f:47:4d:7a:3d:c8:ac:af:fa:2f:3d: 4c:1f:55:9a:30:ce:fb:e7:0a:ab:79:ab:4a:b2:cb:da:21:d4: 59:9e:75:f2:b6:76:42:62:51:48:7f:5c:f0:e4:b4:8d:b8:a3: 45:3f:9c:5d:f7:c7:73:8e:7a:56:11:3f:f5:4b:eb:fc:21:0c: 54:0f:7c:a8:11:b9:fd:64:e7:b4:11:24:57:02:2e:00:87:8a: fa:56:bf:cf:9b:36:65:40:21:4a:51:8b:7f:49:ab:e5:77:a1: 51:67:c6:7c:ed:45:59:61:a2:11:52:21:d9:75:ff:bd:15:ea: eb:a4:fb:1c:0e:a6:89:86:98:67:12:15:34:41:d6:67:02:ce: b0:10:13:87:26:88:02:03:5e:b3:92:f2:f7:df:0d:16:9b:ed: dc:a1:11:a3:e3:34:c7:cb:1f:94:c2:b2:0c:f5:d0:89:a1:50: 27:89:f3:92:ce:49:d1:cd:3a:b8:d6:42:8f:2c:7f:4b:fe:7e: b2:fd:ef:28






Certification Authority

• Trusted (Third) Party

• Enrolls and Validates Subscribers

• Issues and Manages Certificates

• Manages Revocation and Renewal of Certificates

• Establishes Policies & Procedures

What’s Important

• Operational Experience

• High Assurance Security Architecture

• Scalability

• Flexibility / Tailorability

• Interoperability

• Outsource vs. Inhouse

• Trustworthiness

Certification Authority = Basis of Trust

What is a Certification Authority?What is a Certification Authority?


Certification Authority (cont’d)Certification Authority (cont’d)

• Authoring the Certificates

• Responsible in validating the owner of the public key

• Distribute the Certificates in CA’s Directory Server

• Create CRL (Certification Revocation List)

• Usually Government Institution or National Chamber of Commerce


• When someone receives a certificate, why should they trust the signature?

• Trusted CAs are required in order to verify a signature. If you Trust the CA that signed the certificate, you can trust the certificate.

• Many Companies are embedding Trusted CA Certificates in their Certificate Enabled products

– Netscape Navigator (Options, Security Preferences, Site Cert)

– Microsoft Internet Explorer (Tool, Internet Options, Content, Cert)

• Some products refer to Trusted CAs as Trusted Site Certificates.

~~~~~~~~~~~~

DigitalSignature

?

Trusted Trusted CA’sCA’s


Public Key InfrastructurePublic Key Infrastructure

Typically consist of :

• Certification Authorities

• Registration Authorities

• Directories

• PKI-Enabled Applications

• Policies & Procedures

Usually :

• 20 % technology

• 80 % policy


Future EnhancementFuture Enhancement

Stronger Non-Repudiation :Stronger Non-Repudiation :• What do you have ?What do you have ?

The use of smartcard to store private key

• What do you know ?What do you know ?Protecting the smartcard with PIN

• WhenWhenThe use of global timestamp server

• Who you are ?Who you are ?Biometrics Validation to activate SmartCard :

• Fingerprint Scan

• Retina Scan, Voice Recognition

• DNA Validation, etc.


ConclusionConclusion

PKI brings 4 basic principle in building the trust from paper based

The CA is needed to verify public key by envelope it in Digital Certificate

PKI : 20% technology, 80% policy

Stronger Non-Repudiation is supported

PKI is an umbrella for E-Commerce


Symmetric Key vs. Public Key EncryptionSymmetric Key vs. Public Key Encryption - Public key is easier to manage than symmetric key. Easier to recover when compromised.

Digital SignatureDigital Signature - Provides a digital seal indicating who signed the data. Can be used in many applications.

Digital CertificateDigital Certificate - Identity data signed by a Certification Authority. Provides a Trusted source of identification.

Authentication/Access ControlAuthentication/Access Control - Digital Certificates can be used to identify users and limit access to information, systems, etc. on Open Networks.

Conclusion (cont’d)Conclusion (cont’d)

Documents

The Internet and Network Security