Internet Security

Upload: julianna-nichols

Post on 03-Jan-2016



PGP – Pretty Good Privacy

PGP is a security technology which allows us to send email that is authenticated and/or encrypted.

Authentication confirms the identity of the sender of a message.

Encryption scrambles the contents of a message so that only the intended recipients can read it.

Each user of PGP has a public and a private key. They are generated in matched pairs: a public key only ever works with its twin private key.

A user's public key is not a secret and can be distributed widely.

A user's private key, however, must be kept secret, and is protected by a pass phrase (like a password but longer).


PGP – Pretty Good Privacy

A public key is used in two ways:

Alice can authenticate a signed message from Bob using his public key. If the message matches Bob's public key then Alice can be sure that the message came from Bob.

Alice can send a secure message to Bob by encrypting the message using Bob's public key. The only person who can decrypt the message is Bob.

A private key also has two uses:

Bob can send an authenticated message to Alice by signing it with his private key. Since Bob is the only person who has his private key (and the pass phrase that protects it), Alice knows that if the message matches Bob's public key, then it must have been sent by Bob.

Bob can read a secure message sent by Alice by decrypting it with his private key.
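The four key uses described above, as an added Python example that is not part of the original slides. It uses unpadded textbook RSA rather than the real PGP message format; the key pairs (built from known Mersenne primes), the function names and the sample messages are all constructed assumptions.

```python
import hashlib

# Constructed demo keys (assumption, not from the slides): built from
# well-known Mersenne primes, so they offer no real security.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # (N, E) is Bob's public key
D = pow(E, -1, (P - 1) * (Q - 1))        # D is Bob's private key
MP, MQ = 2**127 - 1, 2**89 - 1           # Mallory: an unrelated key pair
MN = MP * MQ
MD = pow(E, -1, (MP - 1) * (MQ - 1))

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Private-key use 1: Bob signs the hash of his message."""
    return pow(_digest(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Public-key use 1: Alice checks the signature with Bob's public key."""
    return pow(signature, e, n) == _digest(message)

def encrypt(plaintext: bytes, e: int = E, n: int = N) -> int:
    """Public-key use 2: Alice encrypts to Bob with his public key."""
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, d: int = D, n: int = N) -> bytes:
    """Private-key use 2: Bob's private key recovers the plaintext."""
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo() -> dict:
    msg = b"Pay Alice 10"                # constructed sample message
    sig = sign(msg)
    return {
        "genuine": verify(msg, sig),                    # matches Bob's key
        "tampered": verify(b"Pay Alice 1000", sig),     # altered message
        "wrong_key": verify(msg, sign(msg, MD, MN)),    # signed by Mallory
        "roundtrip": decrypt(encrypt(b"Meet at noon")),
    }

if __name__ == "__main__":
    print(demo())
```

Only the signature made with Bob's private key over the unaltered message verifies against his public key, which is the "matched pair" property the slides describe.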


SSL (Secure Sockets Layer)

The SSL (Secure Sockets Layer) Handshake Protocol was developed to provide security and privacy over the Internet.

The SSL protocol runs in a "layer" above TCP/IP and below higher-level protocols such as HTTP or IMAP.

The SSL protocol is able to negotiate encryption keys as well as authenticate the server before data is exchanged by the higher-level application.

The SSL protocol maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes.


HTTPS

HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL.

HTTPS encrypts and decrypts the page requests and page information between the client browser and the web server using a Secure Socket Layer (SSL).

SSL transactions are negotiated by means of a key-based encryption algorithm between the client and the server.


IPsec

Short for IP Security, IPsec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.

IPsec supports two encryption modes: Transport and Tunnel.

Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched.

The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
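The difference between the two modes on the wire, as an added Python example that is not part of the original slides. It builds a simplified ESP packet in each mode and reports which addresses an on-path observer can still read. The addresses, key, SPI value and function names are constructed assumptions, and the cipher is a labelled placeholder, not a real ESP transform.

```python
import hashlib, socket, struct

ESP, IPIP = 50, 4                        # IP protocol numbers

def ipv4_header(src: str, dst: str, proto: int, body_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left as 0 in this sketch."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def placeholder_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated cipher (SHA-256 keystream XOR)."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_body(key: bytes, protected: bytes, next_header: int) -> bytes:
    """SPI and sequence number in clear, then the encrypted part.
    Padding and the integrity check value are omitted in this sketch."""
    trailer = bytes([0, next_header])    # pad length, next header
    return struct.pack("!II", 0x1001, 1) + placeholder_cipher(key, protected + trailer)

def transport_mode(packet: bytes, key: bytes) -> bytes:
    """Original addresses stay in the header; only the payload is encrypted."""
    header, payload = packet[:20], packet[20:]
    body = esp_body(key, payload, header[9])
    src, dst = socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20])
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(packet: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Whole original packet is encrypted behind a new gateway header."""
    body = esp_body(key, packet, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def visible_addresses(packet: bytes) -> tuple:
    """Source and destination an on-path observer reads from the outer header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

# Constructed sample: host 10.0.0.5 sends a TCP payload to 10.0.1.9.
PAYLOAD = b"example application data"
ORIGINAL = ipv4_header("10.0.0.5", "10.0.1.9", 6, len(PAYLOAD)) + PAYLOAD
KEY = b"demo key, constructed"

if __name__ == "__main__":
    print(visible_addresses(transport_mode(ORIGINAL, KEY)))
    print(visible_addresses(tunnel_mode(ORIGINAL, KEY, "192.0.2.1", "198.51.100.1")))
```

In transport mode the observer still sees the two end hosts; in tunnel mode only the gateway addresses are visible, and the packet grows by the 20 bytes of the encapsulated original header.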


SET – Secure Electronic Transactions

Short for Secure Electronic Transaction, a standard that will enable secure credit card transactions on the Internet.

SET has been endorsed by virtually all the major players in the electronic commerce arena, including Microsoft, Netscape, Visa, and Mastercard.

By employing digital signatures, SET will enable merchants to verify that buyers are who they claim to be.

It will protect buyers by providing a mechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing without the merchant being able to see the number.