Академический Документы
Профессиональный Документы
Культура Документы
• Mathematical functions
• Algorithms can be evaluated on inherent
strength, key length, etc.
• Examples: DES, RSA, MD5
Concepts - Protocols
• How algorithms are used
• “Series of steps, involving two or more parties,
designed to accomplish a task”
• Examples: SSL, TLS, PGP-DES-MD5
• Strong algorithms + weak protocols = low
security
• Protocols are often easier to attack than
algorithms
Definition Source: Bruce Schneier, Applied Cryptography
Concepts - Design Criteria
• When possible, don’t be original
– Massive peer review is best the assurance of security
– Choosing cross-industry standards means availability
of 3rd party toolkits, fewer errors
• Design by layers
– Firms can choose and selectively implement their
level of security
• Cost of breaking security vs. data value
Concepts - Transport Level
• Simple to implement via
3rd Party tools F IX
A p p lic a t io n
F IX
A p p lic a t io n
individually signed;
F IX T r a ile r F IX T r a ile r
S e c u r it y S tre a m S e c u r it y
F IX H e a d e r F IX H e a d e r
trivial to repudiate a
O p t io n a l F I X S e c u r it y
M essage M essage
F IX T r a ile r F IX T r a ile r
transaction
E n c ry p te d ,
A u th e n t ic a te d ,
V e r ifia b le In te g r ity
D a ta
• Individually signed E n c ry p te d E n c ry p te d
A p p lic a t io n A p p lic a t io n
repudiation harder F IX H e a d e r F IX S e s s io n
N o rm a l F IX
S e s s io n
F IX S e s s io n F IX H e a d e r
• Vulnerable to Traffic
E n c ry p te d E n c ry p te d
A p p lic a t io n A p p lic a t io n
M essage M essage
M essage M essage
Analysis
S ig n a tu r e S ig n a t u r e
F I X T r a ile r F IX T r a ile r
• Example: PGP-DES-
MD5
Concepts - Point to Point
• Difficulty: Low
• Can work at Transport B u y S id e
A
level
Authentication
Confidentiality
Integrity
• Key management is
easier
Hub C
• If a 3rd party is n
t
en at
lity
ia ion
fid ntic ity
r
Au onfi
th de
In enti ntia
te ca lity
Co uthe teg gr tio
involved, trust /
ity n
S e ll S id e A In S e ll S id e
B C
level
Data Flow
• Key management is
Co thent rity
Au Integ
rity n
a
tio
nfi
the nti
de catio
Au nfide
nti
eg
i
harder
alit n
Co
y
Hub
• Better accountability ta
Fl
o w Da
ta
Fl
o
Da w
through long-lasting S e ll S id e
B
S e ll S id e
C
signatures
Concepts - Combining Point to
Point, End to End
• Difficulty: Medium
• Confidentiality, B u y S id e
A
(Authentication,
Authentication
Confidentiality
Integrity) Point to Point
Integrity
r i t y io n
Au Integ
the rit
t
via Transport
Int ntica
nti y
eg
ca
the
tio
Au
n
• Additional lity
Hub C
Au onfi
t ia ion
Authentication / Integrity
th de
en at In enti ntia
n fid ntic ity te ca lity
r
Co uthe teg gr tio
ity n
A In
provided End to End via S e ll S id e
B
S e ll S id e
C
F IX E n g in e
contracts
N O TC l o uSd i g n e d ( S ig n e d F I X S e s s io n
H e re )
R e c ip ie n t
U ser A u t h e n t ic a t e s
ed F ir m n o t U s e r s
gn
Si
T
NO
U ser
Concepts - Per User
• More difficult to
implement
• Generally requires PKI Si
U ser gn
ed
• Provides accountability
at the individual level S ig n e d F I X E n g in e F IX S e s s io n
R e c ip ie n t
U ser
• Can be problematic as
A u t h e n t ic a t e s
U s e rs
ed
i gn
S
positions, account
balances, margin
How FIX is Generally Not Used
• Generally not Person
to Person
• Overhead of T ra d e r FIX B ro k e r
of a burden T ra d e r FIX B ro k e r
B U Y S ID E S E L L S ID E
How FIX is Used
• Business to Business B ro k e r
written on a firm to T ra d e r
FI
X
B ro k e r
FI
control T ra d e r
B U Y S ID E
X B ro k e r
B ro k e r
O M S
B ro k e r
B ro k e r
S E L L S ID E
How FIX is Used
• Firm to Hub
• Hub might introduce T ra d e r B ro k e r
liability issues
T ra d e r B ro k e r
O M S O M S
FIX
FIX
T ra d e r B ro k e r
• Rewriting, if done at T ra d e r
B U Y S ID E F IX N E T W O R K
B ro k e r
S E L L S ID E
FIX
FIX
T ra d e r B ro k e r
message signatures T ra d e r
O M S O M S
B ro k e r
difficult
T ra d e r B ro k e r
T ra d e r B ro k e r
B U Y S ID E S E L L S ID E
Past FIX Security - PGP-DES-
MD5
• Point to Point
F IX L o g o n
P G P E n c ry p te d
a n d S ig n e d
F IX L o g o n
exchange /
S e s s io n K e y
H eader
F I X T r a ile r
P G P E n c ry p te d
a n d S ig n e d
authentication in logon A u t e h t ic a t io n
S e s s io n K e y
F I X T r a ile r
O K
• DES data encryption C o m p u te
a n d V e r ify
F IX H e a d e r F IX H e a d e r " S ig n a tu r e "
checking “signature” D a ta
M essage
I n t e g r it y
" S ig n a t u r e "
session key
Strengths of PGP-DES-MD5