Академический Документы
Профессиональный Документы
Культура Документы
The commercial version satisfies users who want a product that comes with
vendor support
It is based on algorithms that have survived extensive public review and are
considered extremely secure
Content-Type
• Describes the data contained in the body with sufficient detail that the receiving user agent
can pick an appropriate agent or mechanism to represent the data to the user or otherwise
deal with the data in an appropriate manner
Content-Transfer-Encoding
• Indicates the type of transformation that has been used to represent the body of the message
in a way that is acceptable for mail transport
Content-ID
Content-Description
• A text description of the object with the body; this is useful when the object is not readable
Table 19.2
MIME
Content
Types
Table 19.3
MIME Transfer Encodings
Table 19.4
Native and Canonical Form
S/MIME Functionality
Enveloped data Signed data
• Consists of encrypted content of any type and • A digital signature is formed by taking the message
encrypted content encryption keys for one or more digest of the content to be signed and then
recipients encrypting that with the private key of the signer
• The content plus signature are then encoded using
base64 encoding
• A signed data message can only be viewed by a
recipient with S/MIME capability
S/MIME
Algorithms
Used in
S/MIME
Table 19.6
S/MIME Content Types
Securing a MIME Entity
• S/MIME secures a MIME entity with a
signature, encryption, or both
• The MIME entity is prepared according to the
normal rules for MIME message preparation
– The MIME entity plus some security-related data,
such as algorithm identifiers and certificates, are
processed by S/MIME to produce what is known
as a PKCS object
– A PKCS object is then treated as message content
and wrapped in MIME
• In all cases the message to be sent is
converted to canonical form
EnvelopedData
• The steps for preparing an envelopedData MIME
are:
Generate a pseudorandom session key for a particular symmetric
encryption algorithm
For each recipient, encrypt the session key with the recipient’s
public RSA key
The user of some related A user’s public key must be A user requires access to a
administrative utility must be registered with a certification local list of certificates in
capable of generating separate authority in order to receive an order to verify incoming
Diffie-Hellman and DSS key pairs X.509 public-key certificate signatures and to encrypt
and should be capable of outgoing messages
generating RSA key pairs
• A system administrator
Automated
manually configures each
system with its own keys and • Enables the on-demand
with the keys of other creation of keys for SAs and
communicating systems facilitates the use of keys in a
• This is practical for small, large distributed system with
relatively static environments an evolving configuration
Manual
ISAKMP/Oakley
• The default automated key management protocol
of IPsec
• Consists of:
• Oakley Key Determination Protocol
• A key exchange protocol based on the Diffie-Hellman
algorithm but providing added security
• Generic in that it does not dictate specific formats
• Internet Security Association and Key Management
Protocol (ISAKMP)
• Provides a framework for Internet key management and
provides the specific protocol support, including formats, for
negotiation of security attributes
• Consists of a set of message types that enable the use of a
variety of key exchange algorithms
Features of IKE Key Determination
• Algorithm is characterized by five important
features:
• It employs a mechanism known as cookies to thwart clogging attacks
1.
56
Outline
• Web Security Considerations
• Secure Socket Layer (SSL) and Transport Layer
Security (TLS)
• Secure Electronic Transaction (SET)
57
Web Security Considerations
• The WEB is very visible.
• Complex software hide many security flaws.
• Web servers are easy to configure and
manage.
• Users are not aware of the risks.
58
Security facilities in the TCP/IP
protocol stack
59
SSL and TLS
• SSL was originated by Netscape
• TLS working group was formed within IETF
• First version of TLS can be viewed as an
SSLv3.1
60
SSL Architecture
61
SSL Record Protocol Operation
62
SSL Record Format
63
SSL Record Protocol Payload
64
Handshake Protocol
• The most complex part of SSL.
• Allows the server and client to authenticate
each other.
• Negotiate encryption, MAC algorithm and
cryptographic keys.
• Used before any application data are
transmitted.
65
Handshake Protocol Action
Henric Johnson 66
Transport Layer Security
• The same record format as the SSL record format.
• Defined in RFC 2246.
• Similar to SSLv3.
• Differences in the:
– version number
– message authentication code
– pseudorandom function
– alert codes
– cipher suites
– client certificate types
– certificate_verify and finished message
– cryptographic computations
– padding
67
Secure Electronic Transactions
• An open encryption and security specification.
• Protect credit card transaction on the Internet.
• Companies involved:
– MasterCard, Visa, IBM, Microsoft, Netscape, RSA,
Terisa and Verisign
• Not a payment system.
• Set of security protocols and formats.
68
SET Services
• Provides a secure communication channel in a
transaction.
• Provides tust by the use of X.509v3 digital
certificates.
• Ensures privacy.
69
SET Overview
• Key Features of SET:
– Confidentiality of information
– Integrity of data
– Cardholder account authentication
– Merchant authentication
70
SET Participants
Henric Johnson 71
Sequence of events for transactions
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant request payment authorization.
8. The merchant confirm the order.
9. The merchant provides the goods or service.
10. The merchant requests payments.
72
Dual Signature
DS EKRc [ H ( H ( PI ) || H(OI))]
73
Payment processing
75
Payment processing
• Payment Authorization:
– Authorization Request
– Authorization Response
• Payment Capture:
– Capture Request
– Capture Response
76