E-business Infrastructure and Security

E-business Infrastructure and Security Ron Cenfetelli Web Server Browser TCP/IP

History of the Internet Telegraph, the Victorian “Internet” Telephone “Internet” T-Carrier Systems (e.g. “T1”) for voice and data Teletypes Compuserve, Prodigy in the late 80’s Member ID: 70314.2261 Bulletin board systems (BBS) BITNET (non-IP based among universities)

History of the Internet The Development of the Internet In 1969, the U.S. Department of Defense’s Advanced Research Projects Agency (ARPA) established ARPANET The network had no central point and a message could be sent from one point to another through any number of routes. Computers exchanged information according to standards agreed upon by all participants, with no one person, institution, or organization “in charge.” Dr. J.C.R. Licklider A message can be thought of as a short sequence of “bits” flowing through the network from one multiaccess computer to another. It consists of two types of information: control and data. Control information guides the transmission of data from source to destination. ... In short, the message processors function in the system as traffic directors, controllers, and correctors. -Licklider & Taylor 1968

History of the Internet In 1986, the US National Science Foundation created a national network for university communications, which developed into NSFNET (based on TCP/IP) with a dazzling fast 56 kbps backbone. The linking of NSFNET and ARPANET (and other growing parallel networks) became the modern Internet

History of the Internet In the late 1980’s, the Internet was opened up beyond defense and academia to include business uses. 1993: Tim Berners-Lee invents the World Wide Web. First user-friendly WWW browser (Mosaic/Netscape) was invented by Marc Andreessen. This greatly simplified communication and use by the masses 0 to 65 million users in 1.5 years “ Business Killed the Internet Dead” Feb 1996

Growth in the Internet Population (% of Americans who go online) – source Pew Internet and American Life Foundation

January 16, 2008 “ Internet penetration continues to show signs of hitting a plateau. The percentage of former users who say they have no intention of going back online continues to increase, and less than half of those who have never used the Internet plan to log on in the coming year. “

Digital Divide? Age , Education , Income and Location appear to be highly predictive of broadband access

Internet Infrastructure Intranet T1 line Phone line T3 line Backbone Internet ISP Company A Person 2 POP NAP

Inside the Public Internet: Underlying Technology and Basic Capabilities of the Infrastructure Internet: A Network of Networks Interconnected Packet-Switching Networks IP: Software to Create a Virtual Network TCP: Software for Reliable Communication Clients + Servers Names for Computers Services

Internet: A Network of Networks Although claimed to be a network of equals, there is in fact a hierarchy of communication networks Internet Service Providers (ISPs) - Points of Presence (POP) on the Internet. They have a permanent IP address and necessary hardware to access the net. (Ex: Shaw, UUNET/Verizon) Regional/National Networks Example: BCNET http://www.bc.net/about_bcnet/what_is_bcnet.htm

Metropolitan Area Exchange – where the major networks “peer” and exchange traffic either mutually or fee-based vBNS - Very High Speed Backbone network. Ex: www. canarie .ca (10Gbps) So while the Internet was originally envisioned and designed to be a “mesh” of nodes, in reality, there exist major “superhighways” where heavy traffic flows between networks. Internet: A Network of Networks

http://www.caida.org/tools/visualization/walrus/gallery1/ries-t2.png

Jan 2000 Cooperative Association for Internet Data Analysis http://www.caida.org/analysis/topology/as_core_network/historical.xml

May 2003 http://www.caida.org/analysis/topology/as_core_network/historical.xml

April 2005 http://www.caida.org/analysis/topology/as_core_network/historical.xml

IP Addresses and the Domain Name System (DNS) From ARPANET days: The idea that humans can better remember a name (sauder.ubc.ca) than some random set of digits (137.82.66.178) A good thing for e-business! Internet Protocol (IP) address: Unique logical address for each device (e.g. your laptop) on the network Used by routers to direct messages Example: 137.82.66.178 Host server name Human readable address Example: www.sauder.ubc.ca Every device on the Internet must have a unique IP address (kinda/sorta)

IP Addresses and DNS Domain name service (DNS) Dynamically translates IP addresses to named host server, and back and maintains a current table of such translations Builds on hierarchical domain name space (e.g., www.sauder.ubc.ca) Top level: .com, .edu, .ca, .gov, .org, etc. Generic (gTLD) for organizations and functions (.com) Country code (ccTLD) for nations (.ca, .us, .it…) Overall managed by ICANN. Country codes are managed as determined by each country.

Uniform Resource Locator (URL) http://www.sauder.ubc.ca/bcom/ PROTOCOL FOR THE WEB DIRECTORY Domain Name Uniform Resource Locater (URL) Host Computer Top Level Domain (TLD)

More on IP Addresses Four 8 bit addresses = 32 bits = 2^32 = 4.3 Billion possible unique addresses (IPv4) Not completely true. Inefficiencies due to “block” assignments of first IP “octet” (e.g. UBC’s 137). Actually 3.7 billion. A looming shortage of addresses! The number of available IPv4 addresses ( http://www.bgpexpert.com/addrspace2007.php) : 2007: 1.3 billion, 64.9% utilization 2008: 1.1 billion, 69.7% utilization See “ A coming real estate crunch on the Net ” on WebCT Thus IPv6 – 128 bits Billions and billions of addresses (a trillion trillion trillion to be exact)

Internet: Client/Server Paradigm It is service -oriented, and employs a request-response protocol One type of server is the Domain Name Server. These are used to translate domain names to IP addresses A computer only needs to know the location of one DNS A dozen or so “Root” servers maintain worldwide consistency of Domain to IP address

The Client-Server Paradigm A server process, running on a server host, provides access to a service. A client process, running on a client host, accesses the service via the server process. The interaction of the process proceeds according to a protocol .

Protocols The language the nodes on a network use to communicate with each other. Analogy: We may agree to speak in English with certain grammatical rules.

Protocol Examples TCP - Transport Control Protocol IP - Internet Protocol e-mail (Simple Mail Transfer Protocol, SMTP) file transfer (File Transfer Protocol, FTP) All are packet based

Putting Client/Server and Protocols Together A protocol/service session within the Client/Server model Session: the interaction between the server and one client. The service managed by a server may be accessed by multiple clients who desire the service, sometimes concurrently . Each client, when serviced by the server, engages in a separate session with the server, during which it conducts a dialog with the server until the client has obtained the service it required

Example The dialog in each session follows a pattern prescribed in the protocol specified for the service. World Wide Web session : Client : Hello, <client address> here. Server : Okay. I am a web server and speak protocol HTTP4.0. Client : Great, please get me the web page index.html at the root of your document tree. Server : Okay, here’s what’s in the page: (contents follows).

Internet Protocol – TCP/IP The TCP/IP protocol defines the interface between the physical infrastructure (streets, intersections) and the data flow (cars) TCP = Transport Control Protocol Asking another device on the network if it is willing to accept information from the local device, receipt confirmation Splits messages in PACKETS and assembles them back in proper sequence IP = Internet Protocol Approximately two hundred byte packets. IP labels the packet with source/destination address and contents. Has rules for routing message packets Handles the correct addressing

TCP: Reliable Communication Problem: Packet-switched networks can be overrun, bottlenecks, routers go down, etc.

TCP Helps IP Guarantee Delivery Transmission Control Protocol : Whereas IP manages addressing and routing, TCP manages successful delivery between hosts “ Catches” all of the packets sent by IP. Reassembles the packets in the proper sequential order Makes sure all of the data has arrived. If not, TCP sends a request to the server requesting the missing packet be resent. Upon completion of reorganizing the data, TCP allows the data stream to viewed.

More on TCP/IP TCP/IP is TCP and IP working together TCP takes care of the communication between your application software (i.e. your browser) and your network software . IP takes care of the communication with other computers . TCP is responsible for breaking data down into IP packets before they are sent, and for assembling the packets when they arrive. Also reliable delivery. IP is responsible for sending the packets to the receiver. Analogy: TCP is like a Taxicab Dispatcher, IP is like a Taxicab

Routers Internet Routers POP NAP

Routers Routers are what truly make the Internet what it is They route IP message traffic between other routers They can connect separate networks even those with different network protocols (Ethernet, Token-ring). They allow for multiple paths /router chooses the “best” path or route (“Dynamic” instead of static). Routers use a routing table of possible paths. Dynamic refers to the changing nature of this table. Analogous to getting updated traffic reports. If a relied-upon router goes down, an alternative path is found With TCP/IP, routers can send a single message around multiple paths and the packets that make up that message can arrive out of sequence . TCP/IP puts everything back in order. Packets can travel independently of one another to the destination. This might help to explain why VOIP sounds like it does

TCP/IP – Organized Chaos Brad sends “HELLO” to Al Al H E L Internet L O Packet Router

Internet  World Wide Web Internet = A “network of networks” encompassing millions of computers linked via a variety of means (fiber, wireless, etc.) using various protocols WWW = A method of accessing information that uses a specific protocol (e.g. HTTP) for sharing “pages”, graphics and other multimedia using browsers and “hyperlinks” Internet WWW

HTML H yper T ext M arkup L anguage (HTML) specifies how to author web pages on the WWW. Consists of predefined < tags> <b> start bold font; </b> stop bold font <table> start a new table; </table> end table Cascading style sheets (CSS) Specify classes with style attributes. More advanced than HTML

Web Protocol - HTTP H yper T ext T ransfer P rotocol Defines how messages are formatted and transmitted on the WWW Describes what actions Web servers and browsers should take in response to various commands A request/response paradigm HTTP is a connectionless and stateless protocol

Dealing with a lack of Connection & State HTTP is a connectionless and stateless protocol No “knowledge” of prior transmissions/transactions An IP address is an imperfect means of identifying a user and their current state. “ Workarounds” have been developed ActiveX, Java, JavaScript and cookies Ex: Cookies a “message” stored on the user’s harddrive holding information about the user. Exchanged between the browser and a server. Purpose: to identify repeated users and prepare customized pages for them

Cookies Example: www.msblabs.org FALSE /tools/scratch-pad/ FALSE 1227994064 data Ron%20is%20leaving%20a%20cookie Try it out at http://www.msblabs.org/tools/scratch-pad/index.php Search for “cookies.txt” file under Documents and Settings

Web 2.0 – Moving beyond HTML As noted, a collective term for the enhancement of social aspects But also includes the technology and standards to facilitate interactivity and dealing with a lack of connection & state Ex: Ajax for improved response to address “stateless” issues Asynchronous Javascript with XML The “old fashioned” way: For every request made by a user, a new web page has to be loaded With Ajax, HTML is generated locally allowing exchange of just the relevant information updates Ex: Google Maps

A “Mashup” of Google Maps and Craigslist A classic example of Web 2.0: www.housingmaps.com The social platform of Craigslist + The AJAX interactivity of Google Maps = A forum for finding relevant rentals nearby

A summary of Internet Infrastructure Although a remarkable phenomenon, the Internet is still operating on essentially the same technology as 40 years ago Renovations planned: IPv6: more addresses Continual use of “add-ons” such as AJAX But still the same basic technology , just faster and more ubiquitous

Why Security Matters to e-Business Peter Steiner -p. 61, The New Yorker, (July 5, 1993)

Malware marries Web 2.0 “ Where human beings solve the puzzles the viruses cannot."

Security in the Physical World Lock Security forces Safe Signature Physical barriers Fingerprint Seal Contract

E-business Security Needs Confidentiality Authentication Ability to verify the identity of people/organizations Data/Message Integrity Ensuring communications were not modified in transit/storage Nonrepudiation Parties cannot deny a communication Proof that the sender sent and proof that the receiver received

A Simulation… Let’s pretend that each of us in the room is a node on the Internet. Just like the real Internet, messages are sent from a sender to a receiver via the intermediate nodes. Each intermediate node helps pass along a packet to its destination. All messages being transmitted must go through a physically adjacent node As a result, each message is viewable by each node (as is the case in the real world Internet!)

A Simulation… I’ll post these slides after 30JAN

e-Business Security Needs Confidentiality Authentication Ability to verify the identity of people/orgs. Data/Message Integrity Ensuring communications were not modified in transit/storage Nonrepudiation Parties cannot deny a communication Proof that the sender sent and proof that the receiver received Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI

Message Integrity – Threats & Solutions Old world solutions Seal Digital world solutions Hashing Internet solutions Hashing Digital signatures (also addresses the problem of authentication!)

PKI Components: Digital Signature Encrypted with a private key and attached like a signature to a hashed message, to ensure authentication, message integrity and non-repudiation.

Hashing Another use of “ one way ” functions! You can start from the same data and get the same result, but it is nearly impossible to work backwards A hash forms a “message digest” of the data. A smaller version However, the values for the one way hash function are not secret

Hash Example We could choose an algorithm “Sum (mod 12)” 123 222 143 212 (four 8 bit characters) Sum = 700, mod 12  4 “4” is the hash (or checksum)

Hashing Hashing algorithm A value say X Hashing algorithm Y Sender Receiver If X = Y, message sent and received are the same. X message message X=Hash Value message X message

PKI Components: Digital Signature (cont.) Note how the private/public key process is reversed! Compute digest from hashing algorithm Encrypt Digest Transmission Decrypt Digest Compute expecteddigest from hashing algorithm Confirm or deny integrity of message Cleartext message Sender encrypts with his private key Cleartext message Receiver decrypts w/ Sender’s public key Digital Signature Digest Digest Expected Digest

e-Business Security Needs Confidentiality Authentication Ability to verify the identity of people/orgs. Data/Message Integrity Ensuring communications were not modified in transit/storage Nonrepudiation Parties cannot deny a communication Proof that the sender sent and proof that the receiver received Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI Asymmetric Keys and PKI

Hierarchies of Trust Certificates -- Endorsements Digital ids issued by Certificate Authorities (CA) Public Organizations: Versign, IBM Private Organizations: Federal Express Public/Private Keys Two mathematically related strings of numbers Encryption The process of using digital keys to scramble digital communications

PKI Components: Digital certificate A digital file issued to an individual or company by a certifying authority that contains the individual’s or company’s public key and verifies the individual’s or company’s identity . Identification information Public key Expiration date The CA All encrypted with the CA’s private key

PKI Components: Certification Authority Certification authority (CA) A trusted entity (e.g., VeriSign.com) that issues and revokes public key certificates and certificate revocation lists (CRLs) Certificate repository (CR) A publicly accessible electronic database that holds information such as certificates and CRLs.

Putting it all together… Customer Internet merchant Certificate authority Customer’s info requests and Merchant’s info are exchanged. Customer verifies Merchant (received msg’s are signed with a hash that can be decrypted with the merchant’s public keys held by CA) Provides encrypted information for purchases ( encrypted with merchant’s public key). Credit card and message digest is signed with customer’s private key. Merchant verifies Customer (received msg’s are signed with a hash that can be decrypted with the customer’s public keys held by CA) Customer’s Public Key Merchant’s Public Key

More Security and Identification We’ve discussed how to ID ourselves across the Internet, but how do we ID ourselves at our “point of presence”?

Physical Security Means Physical Media Smartcards Tokens Biometrics Face recognition, Retina Voice Fingerprints, skin chemicals Won’t work for 1% of the population

You've got security (Wired News Sep. 21, 2004) “ Passwords alone won't be enough to get onto America Online under a new, optional log-on service that makes AOL the first major U.S. online business to offer customers a second layer of security. The so-called two-factor authentication scheme will cost $1.95 a month in addition to a one-time $9.95 fee. It is initially targeted at small businesses, victims of identity theft and individuals who pay a lot of bills and conduct other financial transactions through their AOL accounts. Subscribers get a matchbook-size device from RSA Security displaying a six-digit code that changes every minute. The code is necessary to log on, so a scammer who guesses or steals a password cannot access the account without the device in hand.

How the SmartCard (SecurID) Works Time based Client-side and server-side components are designed to be synchronized The server is synched with a time server The SecurID hardware token has a built-in clock and is guaranteed for three to five years Each client-side 6 digit token-code is valid for sixty-seconds and one authentication per sixty-second window

How the SmartCard (SecurID) Works Output token code is a function of time and a seed value unique to card What function? A hash function! Why? It’s “ one way ” and thus computationally infeasible to “work backwards” based upon the token codes The server carries out the same function based upon the card’s seed and the current time If a match, then access is authorized (Apparently the server can adjust for card time “drift”, e.g., can determine a set of values several minutes before or after current time and matches)

Biometrics: Face Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html

Biometrics: Voice Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html

Biometrics: Fingerprint Source: http://www.zdnet.com/products/stories/reviews/0,4161,2204062,00.html

Security Limitations True strength depends on: Security protocol used to invoke the encryption function Trust in the platform executing the protocol Cryptographic algorithm Length of the key(s) used for encryption/decryption Protocol used to manage/generate keys Storage of secret keys

Limitations Humans are the weakest link in the chain In the end, everything is only ones and zeroes!

Combination is Best Security Something you have … Token (smartcard) Biometric PLUS something you know Password Use mixture of uppercase and lowercase letters Include numbers or symbols Change your password every six months

Viruses ,Worms, and Trojan horses… Virus: a program that propagates itself by infecting other programs on the same computer . From erasing files to innocuous pop-ups Code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to an otherwise innocent host program. It may damage hardware, software, or information. A true virus does not spread without human action to move it along, such as sharing a file or sending an e-mail (thus different from a worm) Now seeing viruses on cell phones and other “non-PC” devices Sony’s rootkit DRM fiasco

Worm: a program that propagates itself . Unlike a virus a worm can spread itself automatically over the network from one computer to the next. Through automatic file sending and receiving features Essentially a Virus that can spread itself Myspace Worm using Quicktime Viruses, Worms and Trojan horses…

Trojan horse: programs that appear desirable but actually contain something harmful. Example: you may download what looks like a free game but when you run it, it erases every file in that directory. Viruses, Worms and Trojan horses …

“ Symantec says the Trojan.Silentbanker has so far targeted over 400 banks around the world, but according to a blog posted by Symantec's Liam O’Murchu on January 14 [2008], the most worrying aspect is that the Trojan can perform man-in-the-middle attacks (where an attacker can read, insert and modify messages between two parties without either party knowing).” http://m-net.net.nz/2157/latest-news/latest-news/trojan.silentbanker-defeats-2-factor-authentication-attacks-400-b.php

A local Trojan Horse Vancouver Sun - October 6, p. A3

E-business Infrastructure and Security

More Related Content

E-business Infrastructure and Security