Cryptography & Internet Security

CRYPTOGRAPHY & INTERNET SECURITY Cryptography & Secure Transactions

Cryptography

Encrypt before sending, decrypt on receiving (plain text and cipher text) Cryptography & Secure Transactions

Cryptography All cryptosystems are based only on three Cryptographic Algorithms:

Message Digest (MD2-4-5, SHA, SHA-1, …) Maps variable length plaintext into fixed length ciphertext No key usage, computationally infeasible to recover the plaintext Private KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …) Encrypt and decrypt messages by using the same Secret Key

Public KEY (DSA, RSA, …) Encrypt and decrypt messages by using two different Keys: Public Key, Private Key (coupled together) Cryptography & Secure Transactions

Cryptography Two components: key, and the algorithm Algorithms are publicly known and Secrecy is in the Key Key distribution must be secure

Plaintext Encryption Ciphertext Decryption Plaintext Hello World &$*£(“!273 Hello World Key Key Cryptography & Secure Transactions

Cryptography Symmetric Key Cryptography (DES, Triple DES, RC4): KE = KD Asymmetric Key Cryptography (RSA): KE ¹ KD Cryptography & Secure Transactions

Private Key Cryptography The Sender and Receiver share the same Key which is private

Plaintext Encryption Ciphertext Decryption Plaintext

Sender/Receiver’s Sender/Receiver’s Private Key Private Key Diffie-Hellman Key Exchange Algorithm Cryptography & Secure Transactions

Public Key Cryptography Both the Sender and Receiver have their Private Key and Public Key Messages are encrypted using receiver’s Public Key and the receiver decrypts it using his/her Private Key

Plaintext Encryption Ciphertext Decryption Plaintext

Receiver’s Public Key Receiver’s Private Key Cryptography & Secure Transactions

Digital Signature

Message Message

Digest Digest Hash Function Hash Function Algorithm Algorithm

Digest Public Key

Private Key Encryption Decryption

Signature Expected Actual Digest Digest Cryptography & Secure Transactions

Digital Certificate HTTPS communication is done using Public Key Cryptography The public Keys are distributed using Digital Certificates Digital Certificates contain the Public Key and is digitally signed by a trusted Certificate Authority (CA) like Verisign or Thawte Cryptography & Secure Transactions

Digital Certificate CERTIFICATE

Issuer

Subject

Subject Public Key

Issuer Digital Signature Cryptography & Secure Transactions

SSL Transport Layer Security (TLS) and Secure Socket Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. SSL encrypts the segments of network connections at the Transport Layer end-to-end. SSL authentication is unilateral: only the server is authenticated (the client knows the server's identity), but not vice versa (the client remains unauthenticated or anonymous). In applications design, SSL is usually implemented on top of any of the Transport Layer protocols, encapsulating the application-specific protocols; such as HTTP to form HTTPS Cryptography & Secure Transactions

SSL: How it Works A SSL client (browser) and server (web server) negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security. The handshake begins when a client connects to a SSL-enabled server requesting a secure connection, and presents a list of supported CipherSuites (ciphers and hash functions). From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision. The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server's public encryption key. Cryptography & Secure Transactions

SSL: How it Works In order to generate the session keys used for the secure connection, the client encrypts a random number (RN) with the server's public key (PbK), and sends the result to the server. Only the server should be able to decrypt it (with its private key (PvK)): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data. The client knows PbK and RN, and the server knows PvK and (after decryption of the client's message) RN. A third party may only know RN if PvK has been compromised. From the random number, both parties generate key material for encryption and decryption. This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes. If any one of the above steps fails, the SSL handshake fails, and the connection is not created. Cryptography & Secure Transactions

SET Architecture

End Web Site User

Payment Credit Gateway Card Company