Upload
annice
View
40
Download
2
Tags:
Embed Size (px)
DESCRIPTION
Internet dan Jaringan Komputer. The Internet and Network Security. Dr. Tb. Maulana Kusuma [email protected] http://staffsite.gunadarma.ac.id/mkusuma. An Overview of Telecommunications and Networks. Telecommunications: the electronic transmission of signals for communications - PowerPoint PPT Presentation
Citation preview
Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi 11
The Internet and The Internet and Network SecurityNetwork Security
Dr. Tb. Maulana KusumaDr. Tb. Maulana [email protected]@staff.gunadarma.ac.id
http://staffsite.gunadarma.ac.id/mkusumahttp://staffsite.gunadarma.ac.id/mkusuma
Internet dan Jaringan KomputerInternet dan Jaringan Komputer
22Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
An Overview of Telecommunications An Overview of Telecommunications and Networksand Networks
Telecommunications: Telecommunications: the electronic the electronic transmission of signals for transmission of signals for communicationscommunications
Telecommunications medium: Telecommunications medium: anything anything that carries an electronic signal and that carries an electronic signal and interfaces between a sending device and a interfaces between a sending device and a receiving devicereceiving device
33Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
An Overview of Telecommunications An Overview of Telecommunications and Networks (continued)and Networks (continued)
44Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Use and Functioning of the InternetUse and Functioning of the Internet
Internet: Internet: a collection of interconnected a collection of interconnected networks, all freely exchanging informationnetworks, all freely exchanging information
ARPANETARPANET The ancestor of the InternetThe ancestor of the Internet A project started by the U.S. Department of A project started by the U.S. Department of
Defense (DoD) in 1969Defense (DoD) in 1969
Internet Protocol (IP): Internet Protocol (IP): communication communication standard that enables traffic to be routed standard that enables traffic to be routed from one network to another as neededfrom one network to another as needed
55Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
How the Internet WorksHow the Internet Works
The Internet transmits data from one computer The Internet transmits data from one computer (called a (called a hosthost) to another) to another
If the receiving computer is on a network to If the receiving computer is on a network to which the first computer is directly connected, it which the first computer is directly connected, it can send the message directlycan send the message directly
If the receiving computer is not on a network to If the receiving computer is not on a network to which the sending computer is connected, the which the sending computer is connected, the sending computer relays the message to sending computer relays the message to another computer that can forward itanother computer that can forward it
66Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
How the Internet Works (continued)How the Internet Works (continued)
77Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
How the Internet Works (continued)How the Internet Works (continued)
Data is passed in chunks called packetsData is passed in chunks called packets
Internet Protocol (IP): Internet Protocol (IP): communications communications standard that enables traffic to be routed from standard that enables traffic to be routed from one network to another as neededone network to another as needed
Transmission Control Protocol (TCP): Transmission Control Protocol (TCP): widely widely used transport-layer protocol that is used in used transport-layer protocol that is used in combination with IP by most Internet combination with IP by most Internet applicationsapplications
Uniform Resource Locator (URL): Uniform Resource Locator (URL): an assigned an assigned address on the Internet for each computeraddress on the Internet for each computer
88Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Accessing the InternetAccessing the Internet
Connect via a LAN serverConnect via a LAN server
Connect via Serial Line Internet Protocol Connect via Serial Line Internet Protocol (SLIP)/Point-to-Point Protocol (PPP)(SLIP)/Point-to-Point Protocol (PPP)
Connect via an online serviceConnect via an online service
Other ways to connectOther ways to connect
99Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Accessing the Internet Accessing the Internet (continued)(continued)
1010Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Internet and Telecommunications Internet and Telecommunications ServicesServices
E-mail and instant messagingE-mail and instant messaging Instant messaging:Instant messaging: a method that allows two a method that allows two
or more individuals to communicate online, or more individuals to communicate online, using the Internetusing the Internet
Internet cell phones and handheld computersInternet cell phones and handheld computers
Career information and job searchingCareer information and job searching
Web log (blog):Web log (blog): a Web site that people can a Web site that people can create and use to write about their observations, create and use to write about their observations, experiences, and feelings on a wide range of experiences, and feelings on a wide range of topicstopics
1111Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Internet and Telecommunications Internet and Telecommunications Services (continued)Services (continued)
Chat rooms:Chat rooms: enable two or more people to enable two or more people to engage in interactive “conversations” over the engage in interactive “conversations” over the InternetInternet
Internet phone and videoconferencing servicesInternet phone and videoconferencing services
Content streaming:Content streaming: a method for transferring a method for transferring multimedia files over the Internet so that the data multimedia files over the Internet so that the data stream of voice and pictures plays more or less stream of voice and pictures plays more or less continuously without a break, or very few of continuously without a break, or very few of themthem
Shopping on the WebShopping on the Web
1212Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Internet and Telecommunications Internet and Telecommunications Services (continued)Services (continued)
Web auctionsWeb auctions
Music, radio, and video on the InternetMusic, radio, and video on the Internet
Other Internet services and applicationsOther Internet services and applications
1313Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Intranets and ExtranetsIntranets and Extranets
IntranetIntranet Internal corporate network built using Internet Internal corporate network built using Internet
and World Wide Web standards and productsand World Wide Web standards and products Used by employees to gain access to Used by employees to gain access to
corporate informationcorporate information Slashes the need for paperSlashes the need for paper
1414Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Intranets and Extranets (continued)Intranets and Extranets (continued)
ExtranetExtranet A network based on Web technologies that links A network based on Web technologies that links
selected resources of a company’s intranet with its selected resources of a company’s intranet with its customers, suppliers, or other business partnerscustomers, suppliers, or other business partners
Virtual private network (VPN): Virtual private network (VPN): a secure connection a secure connection between two points across the Internetbetween two points across the Internet
Tunneling: Tunneling: the process by which VPNs transfer the process by which VPNs transfer information by encapsulating traffic in IP packets over information by encapsulating traffic in IP packets over the Internetthe Internet
1515Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Intranets and Extranets (continued)Intranets and Extranets (continued)
1616Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Net IssuesNet Issues
Management issuesManagement issues No centralized governing body controls the No centralized governing body controls the
InternetInternet
Service and speed issuesService and speed issues Web server computers can be overwhelmed by Web server computers can be overwhelmed by
the amount of “hits” (requests for pages) the amount of “hits” (requests for pages) More and more Web sites have video, audio clips, More and more Web sites have video, audio clips,
or other features that require faster Internet or other features that require faster Internet speedsspeeds
1717Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Net Issues (continued)Net Issues (continued)
PrivacyPrivacy Spyware:Spyware: hidden files and information trackers that hidden files and information trackers that
install themselves secretly when you visit some install themselves secretly when you visit some Internet sitesInternet sites
Cookie:Cookie: a text file that an Internet company can place a text file that an Internet company can place on the hard disk of a computer systemon the hard disk of a computer system
FraudFraud PhishingPhishing
1818Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Security ThreatsSecurity Threats
1919Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Passive AttacksPassive Attacks
Eavesdropping on transmissionsEavesdropping on transmissions
To obtain informationTo obtain information
Release of message contentsRelease of message contents Outsider learns content of transmissionOutsider learns content of transmission
Traffic analysisTraffic analysis By monitoring frequency and length of messages, By monitoring frequency and length of messages,
even encrypted, nature of communication may be even encrypted, nature of communication may be guessedguessed
Difficult to detectDifficult to detect
Can be preventedCan be prevented
2020Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Active AttacksActive Attacks
MasqueradeMasquerade Pretending to be a different entityPretending to be a different entity
ReplayReplay
Modification of messagesModification of messages
Denial of serviceDenial of service
Easy to detectEasy to detect Detection may lead to deterrentDetection may lead to deterrent
Hard to preventHard to prevent
2121Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Net Issues (continued)Net Issues (continued)
Security with encryption and firewallsSecurity with encryption and firewalls Cryptography:Cryptography: converting a message into a secret converting a message into a secret
code and changing the encoded message back to code and changing the encoded message back to regular textregular text
Digital signature:Digital signature: encryption technique used to verify encryption technique used to verify the identity of a message sender for processing online the identity of a message sender for processing online financial transactionsfinancial transactions
Firewall:Firewall: a device that sits between an internal a device that sits between an internal network and the Internet, limiting access into and out network and the Internet, limiting access into and out of a network based on access policiesof a network based on access policies
2222Magister Manajemen Sistem InformasiMagister Manajemen Sistem Informasi
Net Issues (continued)Net Issues (continued)
Cryptography is the process of converting a message Cryptography is the process of converting a message into a secret code and changing the encoded message into a secret code and changing the encoded message back into regular text.back into regular text.
Magister Manajemen Sistem Informasi 23
An Introduction ToAn Introduction To
PUBLIC PUBLIC
KEYKEY
INFRASTRUCTUREINFRASTRUCTURE
Tb. Maulana KusumaTb. Maulana Kusuma
Magister Manajemen Sistem Informasi 24
OutlineOutline
Introduction
How to build the trust ?
Basic Cryptography
One way hashing
Digital Signature
Certification Authority
CA Component
Future Technology
Magister Manajemen Sistem Informasi 25
Electronic CommerceElectronic Commerce
Traditional TradingTraditional Trading• Paper Based
• Based on Trust
EDI (Electronic Data Interchange)EDI (Electronic Data Interchange)• Secure
• Closed• Proprietary
InternetInternet• Not Secure
• Open• Open System
Magister Manajemen Sistem Informasi 26
Electronic Commerce : The ProblemElectronic Commerce : The Problem
Paper Based Trading
EDI (Electronic Data Interchange)
Internet Based E-Commerce
How to build the TRUST ?How to build the TRUST ?
Magister Manajemen Sistem Informasi 27
Information over the Internet is Free, Available, Unencrypted, and Untrusted. Not desirable for many Applications
Electronic Commerce Software Products Financial Services Corporate Data Healthcare Subscriptions Legal Information
The Problem (cont’d)The Problem (cont’d)
Magister Manajemen Sistem Informasi 28
Another ProblemAnother Problem
Magister Manajemen Sistem Informasi 29
PrivacyPrivacy
IntegrityIntegrity
AuthenticationAuthentication
NonrepudiationNonrepudiation
Interception Spoofing
Modification Proof of parties involved
Multiple Security Issues to be SolvedMultiple Security Issues to be Solved
Magister Manajemen Sistem Informasi 30
Trust in conducting e-commerceTrust in conducting e-commerce
AUTHENTICATIONAUTHENTICATION
to identify the parties involved
CONFIDENTIALITYCONFIDENTIALITY
to keep the information private
INTEGRITYINTEGRITY
to prevent the manipulation of information
NON-REPUDIATIONNON-REPUDIATION
to prevent the denial of information by the owner
Magister Manajemen Sistem Informasi 31
Trust in paper based commerceTrust in paper based commerce
AUTHENTICATIONAUTHENTICATION
wrote a letter and sign
CONFIDENTIALITYCONFIDENTIALITY
put the letter in envelope and seal it
INTEGRITYINTEGRITY
send it by certified mail, make a copy and send it twice
NON-REPUDIATIONNON-REPUDIATION
have a witness verified that our signature was authentic
Magister Manajemen Sistem Informasi 32
Technology OutlineTechnology Outline
Basic CryptographyBasic Cryptography• Symmetric Cryptography• Asymmetric Cryptography
One Way HashingOne Way Hashing
Digital SignatureDigital Signature
C.A. & Digital CertificateC.A. & Digital Certificate
Magister Manajemen Sistem Informasi 33
Cryptography Cryptography ConceptsConcepts
Encryption :Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan bahwa gaji
bapak naik 100 % terhitung dari sekarang
Terimakasih
Ksjdksjdkskjksd
jsdkjsk
ksjdksjdksj
ksdjksdjskjdskjd skdj ksjdk sjd ksdjsj
ksjdksjdksj dksjd
jskdj sk
jsdkjskdjskjd
Decryption :Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan bahwa gaji
bapak naik 100 % terhitung dari sekarang
Terimakasih
Ksjdksjdkskjksd
jsdkjsk
ksjdksjdksj
ksdjksdjskjdskjd skdj ksjdk sjd ksdjsj
ksjdksjdksj dksjd
jskdj sk
jsdkjskdjskjd
Requires : an ALGORITHM and a KEY
cipher text
Algorithm
Magister Manajemen Sistem Informasi 34
Symmetric CryptographySymmetric Cryptography
EncryptionKepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan
Algorithm
DecryptionKepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan
Algorithm
Requires : SHARED KEY
Example : DES,IDEA,Red Pike,RC2,RC4
Magister Manajemen Sistem Informasi 35
Symmetric Cryptography (cont’d)Symmetric Cryptography (cont’d)
Characteristic :
• High Performance
• Useful for Fast Encryption / Decryption
• Key management is not practical
Magister Manajemen Sistem Informasi 36
Asymmetric CryptographyAsymmetric Cryptography
EncryptionKepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan
Algorithm
Private KeyPrivate Key
DecryptionKepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan
Algorithm
Public KeyPublic Key
Magister Manajemen Sistem Informasi 37
Also known as Public Key Cryptography
• Public Key is distributed to public
• Private Key is kept private
• IF Private Key is used to encrypt then ONLY Public Key can decrypt
• IF Public Key is used to encrypt then ONLY Private Key can decrypt
Asymmetric Cryptography (cont’d)Asymmetric Cryptography (cont’d)
Magister Manajemen Sistem Informasi 38
Public Key & Private Key :
• Generated as a pair of keys• Derived from very large prime number• It’s impossible to determine one knowing each other• Strength of Key : 512 bit, 1024 bit, 2048 bit ……• Example : RSA, ECC, DSA
Asymmetric Cryptography (cont’d)Asymmetric Cryptography (cont’d)
Magister Manajemen Sistem Informasi 39
One Way HashOne Way Hash
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
One way hashfunction
A0 B0 C0 E0 G0 D0F0 80 87 80 70 30
DIGEST / DIGEST / FINGERPRINTFINGERPRINT
• Produce unique fingerprint of data (128/160 bits)
• No Key is used
• Irreversible
• A one bit change in the message affects at least half the bits in the digest
• Used to determine if data has been changed
Magister Manajemen Sistem Informasi 40
One Way Hash (cont’d)One Way Hash (cont’d)
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
One way hashfunction
A0 B0 C0 E0 30 70 80 A0
A0 B0 C0 E0 30 70 80 A0
One way hashfunction
A0 B0 C0 E0 30 70 80 A0
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
A0 B0 C0 E0 30 70 80 A0
equal ?
Example : MD5, SHA-1
Magister Manajemen Sistem Informasi 41
Digital SignatureDigital Signature
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
One way hashfunction
A0 B0 C0 E0 G0 D0F0 80 87 80 70 30
Sender’sPrivate Key
ENCRYPT
XX B0 XX E0 XX D0F0 XX 87 XX 70 30
DIGITAL SIGNATURE
Magister Manajemen Sistem Informasi 42
Whole MechanismWhole Mechanism
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
A0 B0 C0 E0 30 70 80 A0
A0 B0 C0 E0 30 70 80 A0
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
A0 B0 C0 E0 30 70 80 A0
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
A0 B0 C0 E0 30 70 80 A0
Budi AsepPrivate KeyPrivate Key
Public KeyPublic Key
Private KeyPrivate Key
Public KeyPublic Key
Kepada Yth Bapak Asep
di Tempat
Dengan hormat ….
Kami ingin memberitahukan ak naik 100
A0 B0 C0 E0 30 70 80 A0
A0 B0 C0 E0 30 70 80 A0
Equal ?
A0 B0 C0 E0 30 70 80 A0
A0 B0 C0 E0 30 70 80 A0
Magister Manajemen Sistem Informasi 43
Achieving 4 Cornerstones of TrustAchieving 4 Cornerstones of Trust
AUTHENTICATIONAUTHENTICATIONthe use of private key to encrypt digest - only sender’s public key can decrypt
CONFIDENTIALITYCONFIDENTIALITYencrypt the message with recepient public key - only sender’s private key can decrypt
INTEGRITYINTEGRITYcomparing the digest from decrypting digital signature
NON-REPUDIATIONNON-REPUDIATIONdigital signature do the job
Magister Manajemen Sistem Informasi 44
Services
Public Key Technology
Digital Certificates
Certification Authorities
Security Management
Technology
Infrastructure
PR
IVA
CY
AU
TH
EN
TIC
AT
ION
INT
EG
RIT
Y
NO
N-R
EP
UD
IAT
ION
• Public Key Technology Best Suited to Solve Business Needs• Infrastructure = Certification Authorities
Public Key SecurityPublic Key Security
Magister Manajemen Sistem Informasi 45
About the KeyAbout the Key
• Pseudo Random Number• Key size is vital. The longest is the strongest.• Private Key must be kept private :
• File based storage (using PIN/ PassPhrase• SmartCard storage (using PIN as the protection
Magister Manajemen Sistem Informasi 46
The Problem of Distributing Public KeyThe Problem of Distributing Public Key
MAN IN THE MIDDLE OF ATTACK
Magister Manajemen Sistem Informasi 47
The Problem of Distributing Public KeyThe Problem of Distributing Public Key
How do I know who the public key belongs to ?
• Digital Certificates Digital Certificates
• Certification AuthorityCertification Authority
Magister Manajemen Sistem Informasi 48
Digital Digital CertificateCertificate
• A certificate binds a public key to an owner
• It is the envelope to distribute public key
• The trusted CA digitally sign the certificate to verify the ownership of the key itself
Magister Manajemen Sistem Informasi 49
Contain :• Detail about Owner• Detail about certificate issuer (CA)• Public Key• Validity and Expiration dates• Digital Signature of the certificate by the CA• Time Stamp
Distributed through Directory Server / LDAP (Lightweight Directory Access Protocol)
Digital Certificate (cont’d)Digital Certificate (cont’d)
Magister Manajemen Sistem Informasi 50
Before two parties exchange data using Public Key cryptography, each wants to be sure that the other party is authenticated.
Before B accepts a message with A’s Digital Signature, B wants to be sure that the public key belongs to A and not to someone masquerading as A on an open network.
One way to be sure, is to use a trusted third party to authenticate that the public key belongs to A. Such a party is known as a Certification Authority (CA).
Once A has provided proof of identity, the Certification Authority creates a message containing A’s name and public key. This message is known as a Digital Certificate.
~~~~~~~~~~~~
DigitalSignature
Digital Certificate (cont’d)Digital Certificate (cont’d)
Magister Manajemen Sistem Informasi 51
• A Digital Certificate is simply an X.509 defined data structure with a Digital Signature. The data represents who owns the certificate, who signed the certificate, and other relevant information.
Version #Serial #
Signature AlgorithmIssuer Name
Validity PeriodSubject Name
Subject Public KeyIssuer Unique ID
Subject Unique IDExtensions
Digital SignatureDigital Signature
X.509 Certificate• When the signature is
generated by a Certification Authority (CA), the signature can be viewed as trusted.
• Since the data is signed, it can not be altered without detection.
• Extensions can be used to tailor certificates to meet the needs of end applications.
CA Authorized
Digital Certificate (cont’d)Digital Certificate (cont’d)
Magister Manajemen Sistem Informasi 52
Certificate: Data: Version: 3 (0x2) Serial Number: 30:fa:e0:de:85:a3:72:a3:9e:07:03:23:05:77:8c:4b:3d:2b:49:70 Signature Algorithm: sha1WithRSAEncryption Issuer: CN=AVITrust DEMO Certification/[email protected], OU=DEMO Certification, O=AVITrust, C=ID Validity Not Before: Mar 23 04:36:01 2001 GMT Not After : May 22 04:36:01 2001 GMT Subject: O=PHPCA, C=ID, CN=Avinanta Tarigan/[email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b1:66:84:83:fa:7d:c4:c9:40:c3:af:b6:0b:79: c0:06:d0:8e:d8:96:2f:66:64:a3:8f:ef:7b:e0:3b: 4a:e7:27:d7:48:28:e6:99:ef:2f:2d:45:a0:45:c6: 89:de:35:71:10:52:9e:87:40:40:46:a0:be:cd:68: a6:8c:a9:75:81:19:81:f6:14:d1:8f:b7:b0:51:21: eb:d3:aa:38:58:ca:f5:24:52:0a:6e:aa:60:79:09: d7:2d:42:64:84:4e:b4:82:11:48:6d:2d:ea:fe:87: 56:05:49:e0:33:df:ad:82:60:2b:34:9a:fc:7d:46: de:97:b9:e8:ce:6c:4f:da:8d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection Netscape Cert Type: SSL Client, S/MIME Netscape Comment: AVITrust Demo Certificate, for Cheating Purposes ONLY X509v3 Subject Key Identifier: 1C:39:81:38:6D:E0:DE:49:D6:E9:A1:D3:BF:1A:87:CB:86:8F:95:12 X509v3 Authority Key Identifier: keyid:2B:81:22:E4:D4:D1:28:4E:7C:E5:86:32:BF:29:35:54:99:FB:AA:8B
Signature Algorithm: sha1WithRSAEncryption 46:65:b0:ad:33:d3:17:b6:5c:4a:9d:0b:fd:4b:d2:80:ee:3b: cb:b3:30:f7:5a:fd:b3:24:79:45:d7:0a:b3:66:60:d8:8a:a0: 40:db:ea:39:0b:9e:d4:a7:a5:59:75:50:11:03:6a:ed:96:3f: f3:16:a3:f5:eb:f9:10:1f:47:4d:7a:3d:c8:ac:af:fa:2f:3d: 4c:1f:55:9a:30:ce:fb:e7:0a:ab:79:ab:4a:b2:cb:da:21:d4: 59:9e:75:f2:b6:76:42:62:51:48:7f:5c:f0:e4:b4:8d:b8:a3: 45:3f:9c:5d:f7:c7:73:8e:7a:56:11:3f:f5:4b:eb:fc:21:0c: 54:0f:7c:a8:11:b9:fd:64:e7:b4:11:24:57:02:2e:00:87:8a: fa:56:bf:cf:9b:36:65:40:21:4a:51:8b:7f:49:ab:e5:77:a1: 51:67:c6:7c:ed:45:59:61:a2:11:52:21:d9:75:ff:bd:15:ea: eb:a4:fb:1c:0e:a6:89:86:98:67:12:15:34:41:d6:67:02:ce: b0:10:13:87:26:88:02:03:5e:b3:92:f2:f7:df:0d:16:9b:ed: dc:a1:11:a3:e3:34:c7:cb:1f:94:c2:b2:0c:f5:d0:89:a1:50: 27:89:f3:92:ce:49:d1:cd:3a:b8:d6:42:8f:2c:7f:4b:fe:7e: b2:fd:ef:28
Magister Manajemen Sistem Informasi 53
Magister Manajemen Sistem Informasi 54
Magister Manajemen Sistem Informasi 55
Magister Manajemen Sistem Informasi 56
Magister Manajemen Sistem Informasi 57
Certification Authority
• Trusted (Third) Party
• Enrolls and Validates Subscribers
• Issues and Manages Certificates
• Manages Revocation and Renewal of Certificates
• Establishes Policies & Procedures
What’s Important
• Operational Experience
• High Assurance Security Architecture
• Scalability
• Flexibility / Tailorability
• Interoperability
• Outsource vs. Inhouse
• Trustworthiness
Certification Authority = Basis of Trust
What is a Certification Authority?What is a Certification Authority?
Magister Manajemen Sistem Informasi 58
Certification Authority (cont’d)Certification Authority (cont’d)
• Authoring the Certificates
• Responsible in validating the owner of the public key
• Distribute the Certificates in CA’s Directory Server
• Create CRL (Certification Revocation List)
• Usually Government Institution or National Chamber of Commerce
Magister Manajemen Sistem Informasi 59
• When someone receives a certificate, why should they trust the signature?
• Trusted CAs are required in order to verify a signature. If you Trust the CA that signed the certificate, you can trust the certificate.
• Many Companies are embedding Trusted CA Certificates in their Certificate Enabled products
– Netscape Navigator (Options, Security Preferences, Site Cert)
– Microsoft Internet Explorer (Tool, Internet Options, Content, Cert)
• Some products refer to Trusted CAs as Trusted Site Certificates.
~~~~~~~~~~~~
DigitalSignature
?
Trusted Trusted CA’sCA’s
Magister Manajemen Sistem Informasi 60
Public Key InfrastructurePublic Key Infrastructure
Typically consist of :
• Certification Authorities
• Registration Authorities
• Directories
• PKI-Enabled Applications
• Policies & Procedures
Usually :
• 20 % technology
• 80 % policy
Magister Manajemen Sistem Informasi 61
Future EnhancementFuture Enhancement
Stronger Non-Repudiation :Stronger Non-Repudiation :• What do you have ?What do you have ?
The use of smartcard to store private key
• What do you know ?What do you know ?Protecting the smartcard with PIN
• WhenWhenThe use of global timestamp server
• Who you are ?Who you are ?Biometrics Validation to activate SmartCard :
• Fingerprint Scan
• Retina Scan, Voice Recognition
• DNA Validation, etc.
Magister Manajemen Sistem Informasi 62
ConclusionConclusion
PKI brings 4 basic principle in building the trust from paper based
The CA is needed to verify public key by envelope it in Digital Certificate
PKI : 20% technology, 80% policy
Stronger Non-Repudiation is supported
PKI is an umbrella for E-Commerce
Magister Manajemen Sistem Informasi 63
Symmetric Key vs. Public Key EncryptionSymmetric Key vs. Public Key Encryption - Public key is easier to manage than symmetric key. Easier to recover when compromised.
Digital SignatureDigital Signature - Provides a digital seal indicating who signed the data. Can be used in many applications.
Digital CertificateDigital Certificate - Identity data signed by a Certification Authority. Provides a Trusted source of identification.
Authentication/Access ControlAuthentication/Access Control - Digital Certificates can be used to identify users and limit access to information, systems, etc. on Open Networks.
Conclusion (cont’d)Conclusion (cont’d)