Internet Security
In our day-to-day life, security is the most important thing for us. But what is this security? On the Internet or in computers, security means preventing unauthorised people from accessing important files. This can be maintained by using usernames and passwords. These usernames and passwords can be managed by using protocols like TCP/IP.
TCP -- Transmission Control Protocol.
IP -- Internet Protocol.
These contain addresses, hostnames and subnets to manage the security. These can be maintained by using IP sniffing and spoofing.
Spoofing and sniffing are security threats that target the layers of networking infrastructure supporting applications that use the Internet. Users do not interact directly with these lower layers and are typically completely unaware that they exist. Without a deliberate consideration of these threats, it is impossible to build effective security into higher levels.
Sniffing is a passive security attack in which a machine separated from the intended destination reads data on a network. Passive security attacks are those that do not alter the normal flow of data on a communication link or inject data into the link. This leads to leakage of different kinds of information:
Passwords.
Financial account numbers.
Confidential or sensitive data.
Low-level protocol information.
To prevent a sniffing attack, we have to understand network segments and trust between computer systems.
Methods to provide Internet Security
Firewalls
Because global networking has increased the information flow and our dependence upon computing technology, information system managers have realized the need to protect their computing systems and networks from damage and theft. A firewall gateway is one tool that can help enforce an organisation's network security policy.
A firewall, per se, consists of a machine or machines that are separated from both the external network, such as the Internet, and the internal network by a collection of software that forms the bricks within the wall. It has the following properties:
All traffic in either direction must pass through the firewall.
Only traffic authorized by the local security policy will be allowed to pass.
The firewall is immune to penetration.
S-HTTP
The S-HTTP protocol was designed to add security at the application level. The objective was to add support for a wide range of security mechanisms on top of the interactions between Web browser and Web server. In S-HTTP the data sent between the client and server is encrypted using SSL. Protection mechanisms include the following:
Digital signature
Message authentication
Message encryption
Secure Sockets Layer (SSL)
Another approach to security is to add a layer on top of the existing network transport protocol and beneath the application. The Secure Sockets Layer (SSL) protocol takes this approach by adding an intermediate step, requiring negotiation of secure transmission options, to the establishment of a network connection. Data flowing between the client and the server on that connection is encrypted before transmission and decrypted before it can be used by the receiving system.
Encryption: Outbound encrypted data is encapsulated and forwarded to the Internet by the Transmission Control Protocol.
Decryption: Inbound encrypted data is received and sent on to the SSL layer for decryption.
Advantages:
The advantage of SSL is that it can be applied to any Internet application, not just the World Wide Web. Once the SSL connection has been negotiated between a server and a client, the resulting data communication channel is private, authenticated, and reliable.
SSL client and server exchange information
The SSL client and server exchange information in a connection-opening handshake sequence before opening the secure channel:
Client hello - Challenge data and cipher specification.
Server hello - Connection ID, public key certificate, cipher specifications.
Client master key - encrypted master key
Client finish - Connection ID, encrypted
Server Verify - Encrypted challenge data
Server finish - Session ID a
This process starts with the client sending a client-hello message that refers to a previous session identifier. Both client and server maintain a cache of session identifiers which include encryption options received from the other system. If the server recognizes the client and the specified session ID, the SSL channel can be initiated without the need to resend any keys.
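The handshake and session-ID reuse described above, modelled as an added example (not part of the original page, and not real SSL wire format). The `Client`, `Server`, `handshake` and `proof` names are hypothetical, and a keyed MAC stands in for "encrypted under the session key".

```python
import hashlib
import hmac
import os

def proof(key, data):
    # Stand-in for "encrypted under the session key": a keyed MAC over the data.
    return hmac.new(key, data, hashlib.sha256).digest()

class Client:
    def __init__(self):
        self.session = None        # (session ID, master key) kept from an earlier handshake

class Server:
    def __init__(self):
        self.cache = {}            # session ID -> master key

def handshake(client, server):
    """Run one toy handshake; return (message names in order, session ID or None)."""
    challenge, conn_id = os.urandom(16), os.urandom(16)
    sid, client_key = client.session or (None, None)
    log = ["client-hello"]         # challenge, cipher specs, optional session ID
    hit = sid in server.cache
    log.append("server-hello")     # connection ID; certificate only when there is no hit
    if hit:
        server_key = server.cache[sid]            # cached key, nothing is resent
    else:
        client_key = server_key = os.urandom(16)  # models the encrypted master key
        log.append("client-master-key")
    log.append("client-finish")    # client protects the connection ID with its key
    if not hmac.compare_digest(proof(client_key, conn_id), proof(server_key, conn_id)):
        del server.cache[sid]      # wrong key for a known ID: drop the session
        return log + ["error"], None
    log.append("server-verify")    # server returns the protected challenge
    if not hmac.compare_digest(proof(server_key, challenge), proof(client_key, challenge)):
        return log + ["error"], None
    if not hit:
        sid = os.urandom(16)
        server.cache[sid] = server_key
    client.session = (sid, client_key)
    log.append("server-finish")    # carries the session ID for later reuse
    return log, sid
```

A second call with the same `Client` and `Server` skips `client-master-key`, while a session ID presented without the matching key stops at `client-finish` and is evicted from the server cache.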
The connections described so far will authenticate the server to the client, but client authentication is also possible with SSL. The server can request authentication information with a "request-certificate" message after the server-verify message, which includes a different bit private key, which the server will be able to decrypt using the client's declared public key, thus authenticating the client.
SET (Secure Electronic Transaction)
Secure Electronic Transaction (SET) is an open specification for protecting payment card purchases on any type of network. The SET specification incorporates the use of public key cryptography to protect the privacy of personal and financial information over any open network. The following definitions explain the basics of the credit card business.
Basics of Credit Card business
Cardholder: The consumer, customer, you!
Issuer: The bank which has issued you a credit card.
Merchant: The party from whom you are buying goods and services.
Acquirer: The financial institution/bank which establishes an account with the merchant and processes payment authorizations and transactions for the merchant.
Payment Gateway: A device operated by an acquirer (financial institution) that processes the merchant payment message.
Brand: Visa, MasterCard, Discover, etc.
SET Requirements
Provide confidentiality of payment information and enable confidentiality of order information that is transmitted along with the payment information.
Ensure the integrity of all transmitted data.
Provide authentication that a cardholder is a legitimate user of a branded payment card account.
Provide authentication that a merchant can accept branded payment card transactions through its relationship with an acquiring financial institution.
Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.
Create a protocol that neither depends on transport security mechanisms nor prevents their use.
Facilitate and encourage interoperability among software and network providers.
Encryption
Everybody knows that if you want to keep something private, you have got to hide it. To send a private message to a friend, you put it in a sealed cover. You will want to make sure that others can't read the message. The current solution to that problem is encryption.
Cryptography has been used for centuries to protect sensitive information as it is transmitted from one location to another. In a cryptographic system, a message is encrypted using a key. The resulting ciphertext is then transmitted to the recipient, where it is decrypted using a key to produce the original message. There are two primary encryption methods:
Secret-key cryptography
Public-key cryptography
Secret-Key Cryptography
Secret-key cryptography, also known as symmetric cryptography, uses the same key to encrypt and decrypt the message. Therefore, the sender and the recipient of a message must share a secret, namely the key.
Public-key Cryptography
Public-key cryptography, also known as asymmetric cryptography, uses two keys: one key to encrypt the message and the other key to decrypt the message. The two keys are mathematically related so that data encrypted with either key can only be decrypted using the other.
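The two-key relationship can be seen with textbook RSA. This is an added illustration, not from the original page; it uses toy primes and no padding, so it is for study only, and the function names are hypothetical.

```python
from math import gcd

def make_keypair(p, q, e=17):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # modular inverse of e: the mathematical link between the keys
    return (e, n), (d, n)      # (public key, private key)

def apply_key(key, value):
    """Raise value to the key's exponent modulo n; used for both directions."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def demo():
    public, private = make_keypair(61, 53)       # constructed toy primes
    message = 65                                 # constructed sample message
    ciphertext = apply_key(public, message)      # anyone can encrypt with the public key
    recovered = apply_key(private, ciphertext)   # only the private key decrypts it
    signature = apply_key(private, message)      # only the key owner can produce this
    verified = apply_key(public, signature)      # anyone can check it with the public key
    same_key = apply_key(public, ciphertext)     # the encrypting key does not undo itself
    return public, private, ciphertext, recovered, verified, same_key

if __name__ == "__main__":
    print(demo())
```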
Goals of Cryptography
The goal of cryptographic systems is to provide a high level of confidentiality, integrity, non-repudiation and authenticity to information that is exchanged over the Internet, where people and businesses are involved in e-commerce.
Authentication
It provides two services. The first is to identify the origin of a message and provide some assurance that it is authentic. The second is to verify the identity of a person logging on to a system and, after doing so, to continue to verify their identity in case someone tries to break into the connection as that user. Cryptography can be used in a number of ways to keep information private and provide a framework for secure message exchange and transactions. All the following are enabled through cryptographic technologies.
Pretty Good Privacy (PGP)
It is a software encryption program that enables users to create secure messages and communicate securely over insecure communication links such as e-mail and netnews. PGP uses various forms of encryption and combines messages with a simple packet format to provide a simple and efficient security mechanism for the transmission of messages over the Internet and other networks.
Why Use PGP?
Most people use PGP because they want to protect their electronic files and communications. The reasons are:
If you do not want your messages to fall into the hands of other companies.
If you want to keep your files private from hackers.
If you believe you have a right to private conversations.
If you want a simple method to authenticate messages.