NOTE: Free essay sample provided on this page should be used for references or sample purposes only. The sample essay is available to anyone, so any direct quoting without mentioning the source will be considered plagiarism by schools, colleges and universities that use plagiarism detection software. To get a completely brand-new, plagiarism-free essay, please use our essay writing service.
One click instant price quote
The recent acceleration in the uptake of electronic commerce (e-commerce) over the Internet has focused the need for methods to be developed by which to securely transfer data over what amounts to a worldwide public network. The most commonly cited example of this requirement is the ability of customers to make electronic purchases from company Web sites using debit cards such as VISA cards. Public confidence in e-commerce has to be high for it to succeed and to continue to grow, whether via existing debit card transactions or more tightly integrated electronic cash systems. In the academic world, the need for security in data exchanges is not intuitively seen to be so high. Whereas e-commerce relies on secure channels between sites that may often lie on opposite sides of the globe, the nature of "sensitive" academic transactions is more likely to be localised within individual campuses. However, the requirement is still there.
For example exam marks may need to be entered by university departments into centrally maintained databases, centralised purchasing may lead to financial information being exchanged, and of course remote computing access (or Web-based booking systems for such access) may result in password information being transmitted. This report looks at the potential for widespread deployment of Secure Internet Protocols within UK HEIs, offering an overview of what are likely to be the important issues involved. We review past JISC reports on security, on existing and future technology, and we comment on the current stances of UKERNA and, as far as can be deduced, the UK Government. The report concludes with some key observations. 2 Overview of Secure Protocol Technology The case for adoption of Secure Internet Protocol technology is one made very strongly by Phil Zimmermann, author of the public domain PGP (Pretty Good Privacy) system (1991): "Today, if the Government wants to violate the privacy of ordinary citizens, it has to expend a certain amount of expense and labor to intercept and steam open and read paper mail, and listen to and possibly transcribe spoken telephone conversation.
This kind of labor-intensive monitoring is not practical on a large scale. This is only done in important cases when it seems worthwhile. More and more of our private communications are being routed through electronic channels. Electronic mail is gradually replacing conventional paper mail.
E-mail messages are just too easy to intercept and scan for interesting keywords. This can be done easily, routinely, automatically, and undetectable on a grand scale. " He adds: "If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. So do defense contractors, oil companies, and other corporate giants. But ordinary people and grassroots political organizations mostly have not had access to affordable military grade public-key cryptographic technology.
Until now, PGP empowers people to take their privacy into their own hands. There's a growing social need for it. That's why I wrote it. " PGP is just one means to obtain privacy when communicating (e. g.
by e-mail) on a LAN or over the worldwide Internet. The scope for adoption of secure protocols is broad. It is important to understand that the issue of authentification (proving who sent the message) is different to the issue of secure transmission (preventing the message being "snooped" and read in transit, or being altered in transit). There may be many cases where confirming identity is all that is required, the most common instance probably being a password system for a user login.
The danger for users entering passwords over the Internet (e. g. a lecturer on sabbatical in the USA accessing their home university account on JANET) is of course that the password may be snooped. Current technology to avoid this problem tends to focus on one-time passwords, passwords which if compromised could not be used again successfully, as the password changes with each use. One instance is S/Key, by which a user has a list of passwords supplied, and each password is discarded once used. This causes a need for risk assessment between the danger of having a password list (which could be printed, or photocopied) and having the password snooped in transit.
Security Dynamics's option to this problem is a product known as SecurID. Here, a user has a small card or key fob (a token) on which is displayed a 6 -digit number which changes each 60 seconds. Each token has a unique serial number which is registered with the authenticating software, which, if the authenticating server and token maintain synchronised time, allows that server to know the code on display to the user. This is a one-time password system with the benefit of no "written down" component. A PIN code is also required for authentication, should the token fall into the wrong hands (the old security maxim of "something you know, plus something you have"). Drawbacks are that SecurID requires replacement of service software on hosts using it, the token can be lost, and the PIN can still be snooped (leaving only the six digit protection).
SecurID is being evaluated at Southampton as part of JTAP Project 631, which is investigating methods by which secure access can be given to remote and transient users on a (campus) network. SecurID is supported by CheckPoint in their Firewall- 1 product, allowing users to authenticate through a firewall (which may then initiate a secure channel). The "next generation" of SecurID promises to be BOKS, a system that does not rely on a physical token. This technology is also under investigation under JTAP Project 631. While a number of US Universities have bought into SecurID, it is not clear that widespread adoption of such a technology would be practical for the UK. The cost per token is certainly one deterrent.
Smart card technology, covered later in this report, would seem to offer a more flexible and (probably) less vendor-specific solution. An alternative to one-time passwords, The Kerberos Authentication System uses a series of DES-encrypted messages to prove to a server that a client is running on behalf of a particular user. A simplified description of the Kerberos protocol is as follows: When a client wishes to contact a particular server, it first contacts an authentication server (AS). Both the user and the server are required to have keys registered with the AS; the user's key is derived from a password that they choose, and the server key is randomly generated. The AS creates a new random key, called the session key. It encrypts one copy of the session key with the server's key, along with the name of the user and an expiration time.
This is known as the ticket. The AS then creates a new copy of the session key, encrypts it with the user's key, and passes both it and the ticket to the client. The client can then decode the session key and create an authenticator, which contains (among other things) the current time. The authenticator is encrypted using the session key. The ticket and the authenticator are then passed to the server by the client, which decrypts the ticket and uses the resultant session key to decrypt the authenticator.
If the time that is extracted from the authenticator is the current time (in practice a leeway of around 5 minutes is allowed), then the user is authenticated. Kerberos requires that client and server software are modified in order for it to be used; however, an increasing quantity of software now has Kerberos built in, and support is promised in Windows 2000 Server. Public key cryptography offers another authentication (and encryption) solution. It works on the basis that two keys can be generated, each of which decodes data encrypted by the other. A public key system such as PGP allows users to generate private / public key pairs.
One key is retained by the user as a private key, the other is released as a public key. Authentication can then be achieved by the sender signing a message with their private key - the recipient with the public key then knows when decrypting that only the sender holds the unique private key with which the message was originally encrypted. For privacy, the sender encrypts with the recipient's public key, so that only the recipient can decode the data. Because the encryption method can be computationally expensive, authentication typically (e. g.
in PGP) involves just encrypting an MD 5 hash of the message (which in itself further protects against tampering) and privacy involves encrypting an IDEA key which in turn is used to encode the message text. This system is believed to be robust, and PGP has been in service for some eight years using it. The main use of PGP is for secure e-mail. Its main weakness remains in the trust placed on the public key. If a user signs (encrypts) a message with an imposter's public key, thinking it to be the intended recipient's real public key, the imposter can decode the message with their own private key which matches the fake public key. For this reason, "trusted" public key servers have been set up for PGP, and many conferences and meetings feature "key signing" events.
In recent years Certificate Authorities (CAs) have blossomed on the Internet. The market leaders are currently Verisign and Thawte. A company which wants to offer a "secure" Web site can obtain a certificate from a CA which contains the company's public key and which is also encrypted by Verisign using their private key. When a customer wants to access the company Web site to (for example) buy a product online, their browser inspects the company's certificate. Because Verisign have their public key built in to all common browsers (e. g.
Netscape Communicator and Microsoft Internet Explorer) the customer's browser can verify the certificate (to identify the company) and then use the company's authenticated public key when exchanging data with the Web site. The one leap of faith here is that the customer trusts the built-in certificate (which they may not even be aware of). Since they " re running the browser code anyway, that leap of faith is not so big. The hot issue at present is the building of a tractable Public Key Infrastructure (PKI). One method to circulate public keys is by building them into the browser. PGP users often trust public keys displayed on Web pages, or even received in e-mails from the (supposed) sender.
If Web page keys are to be trusted, one might argue that it is better to abstract public key distribution to the DNS (Domain Name Service), and work is ongoing in that area. One emerging standard for PKI appears to be X. 509 v 3 certificates, with LDAP as the directory service to serve them. A digital certificate is an electronic statement signed by an independent trusted third party, typically a Certification Authority. The X 509 standard defines the format for these certificates, incorporating information about the subject being certified, including: Subject Identification: data about the object being certified (a person's name, e-mail address, organisation) Public Key Information: the public key of the subject being certified (usually an RSA public key, in a similar vein to PGP signatures) Certifying Authority signature: the trusted third party digital signa...
Free research essays on topics related to: e commerce, private key, e g, public key, third party
Research essay sample on Public Key Private Key
