the web's security blanket

Verisign: The Web’s Security Blanket BIZBEE 

Upload: md-bilal

Post on 03-Apr-2018


7/28/2019 The Web's Security Blanket

http://slidepdf.com/reader/full/the-webs-security-blanket 1/31

Verisign: The Web’s Security Blanket

BIZBEE 


Case Overview

University of Pittsburgh’s e-Store an example of Internet trust (security) services offered by VeriSign

VeriSign has grown early expertise in public key encryption into related Internet security infrastructure businesses

Dominates the Web site encryption services market with over 75% market share

Provides secure payment services

Provides businesses and government agencies with managed security services

Provides domain name registration, and manages the .com and .net domains


VeriSign: Enable everyone, everywhere to use the Internet with confidence

• Through its acquisition of Network Solutions, VeriSign serves as the gateway to establishing an online identity and Web presence, with more than 24 million domain name registrations in .com, .net and .org.

• As the leader in the Web site security market, VeriSign provides Internet authentication, validation and payment services.

• Through VeriSign Global Registry Services, VeriSign maintains the definitive directory of over 24 million Web addresses and is responsible for the infrastructure that propagates this information throughout the Internet. VeriSign Global Registry Services responds to over 1.5 billion DNS look-ups daily.


List documents used as part of transaction and how they can be secured with digital certificate

credit card purchase

loan promissory note

contract

no-accountability notices


What are Digital Certificates?

A digital certificate (DC) is a digital file that certifies the identity of an individual or institution, or even a router seeking access to computer-based information. It is issued by a Certification Authority (CA), and serves the same purpose as a driver’s license or a passport.


What are Certification Authorities?

Certification Authorities are the digital world’s equivalent to passport offices. They issue digital certificates and validate holders’ identity and authority.

They embed an individual or institution’s public key along with other identifying information into each digital certificate and then cryptographically sign it as a tamper-proof seal verifying the integrity of the data within it, and validating its use.


What is the Process in obtaining a certificate?

[Diagram: Bob’s public key (KB+) and Bob’s identifying information → digital signature (encrypt) with the CA private key (KCA-) → certificate for Bob’s public key, signed by CA]


Example of a Certificate:

Serial number (unique to issuer)

info about certificate owner, including algorithm and key value itself (not shown)

info about certificate issuer

valid dates

digital signature by issuer


Public & Private Keys

A public and private key pair comprises two uniquely related cryptographic keys.

The public key is made accessible to everyone, whereas the private key remains confidential to its respective owner.

Since both keys are mathematically related, only the corresponding private key can decrypt data encrypted with its public key.


How do You Obtain An Individual’s Public Key?

When Alice wants Bob’s public key:

• Alice gets Bob’s certificate (from Bob or elsewhere).

• apply CA’s public key to Bob’s certificate, get Bob’s public key

[Diagram: Bob’s certificate → digital signature (decrypt) with the CA public key (KCA) → Bob’s public key (KB+)]
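The issuing and checking steps described on the slides above (the CA signs Bob's public key; Alice applies the CA's public key to Bob's certificate), as an added Go example that is not part of the original slides. The ECDSA P-256 keys, the names "Example CA" and "Bob", and the helper names `issue`, `signedBy` and `demo` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue is the CA's side: bind pub to name and sign with signerKey (nil parent = self-signed CA).
func issue(name string, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// signedBy is Alice's side: does the CA's public key verify the certificate's signature?
func signedBy(ca, cert *x509.Certificate) bool {
	return cert.CheckSignatureFrom(ca) == nil
}

// demo reports acceptance of: Bob's genuine certificate, one from an untrusted CA, an altered body.
func demo() (bool, bool, bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bobKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := issue("Example CA", 1, &caKey.PublicKey, nil, caKey) // constructed names and serials
	rogue := issue("Example CA", 1, &rogueKey.PublicKey, nil, rogueKey)
	bob := issue("Bob", 2, &bobKey.PublicKey, ca, caKey)
	forged := issue("Bob", 2, &rogueKey.PublicKey, rogue, rogueKey)
	body := append([]byte{}, bob.RawTBSCertificate...)
	body[len(body)-1] ^= 1 // flip one bit of the signed certificate body
	return signedBy(ca, bob), signedBy(ca, forged), ca.CheckSignature(bob.SignatureAlgorithm, body, bob.Signature) == nil
}

func main() { fmt.Println(demo()) } // true false false
```

`CheckSignatureFrom` checks only the signature; production validation would use `Certificate.Verify` against a pool of trusted roots, which also checks the validity dates.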


Where are Digital Certificates Used?

In a number of Internet applications that include:

1. Secure Socket Layer (SSL) developed by Netscape Communications Corporation

2. Secure Multipurpose Internet Mail Extensions (S/MIME) Standard for securing email and electronic data interchange (EDI).


Where are Digital Certificates Used?

3. Secure Electronic Transactions (SET) protocol for securing electronic payments

4. Internet Protocol Secure Standard (IPSec) for authenticating networking devices


How Digital Certificates are Used for Message Encryption


Do Digital Certificates Have Vulnerabilities?

One problem with a digital certificate is where it resides once it is obtained.

The owner's certificate sits on his computer, and it is the sole responsibility of the owner to protect it.

If the owner walks away from his computer, others can gain access to it and use his digital certificate to execute unauthorized business.


Do Digital Certificates Have Vulnerabilities?

The best way to address the vulnerabilities of digital certificates is by combining them with biometric technology, as that confirms the actual identity of the sender, rather than the computer.


Who oversees VeriSign?

There was no legal or political entity that oversees online security. However, since 9-11, there is a new national mandate for stronger security measures online.


Additional security technology for authentication

PKI / Encryption / SSL

Firewall

Digital Certificate

Password and PIN

Token

Smart Card

Biometrics


What is Biometrics?

Definition: Measurement of body’s unique characteristics or behavior

Types: Voice, Signature, Facial, Palm, Eye, Fingerprint

System components:

HW - sensor

SW - algorithm, API

Middleware and application


Privacy Concern: Minutiae Extraction

Fingerprints cannot be reproduced from minutiae template


Areas of Biometrics Application

Physical access control

Data access security

Time and attendance

ID theft prevention

Privacy protection

Fraud reduction

Cost-effective and high security


 Semiconductor Sensors 


Traditional Optical Sensor  


EyeD Mouse™

Award-winning world’s first biometric mouse

Most ergonomic & durable fingerprint sensor

State-of-the-art fingerprint matching algorithm

Matching software: SecuDesktop, SecuIBAS (Features: logon, File En/Decryption, Screen Saver)


Biometrics Applications

Biometrics Overview

Financial Sector 

Point of Sale

ATM

Online Banking

Passport Control

Border Control

Medical Records Mgt

HIPAA Compliance

Door Lock

Time-Attendance

Computer Security

Access Control

Network Security

e-Commerce

Mobile Phone

Call Center 

Internet Phone

Immigration

Telecommunication

Medical Facility and Attendance

National ID

Correctional Facility

AFIS

DMV

Social Security

Welfare Payment

Missing Child

Access Control

Ticket-less Travel

Anti-terrorist security

Public Sector

Social Service

Aviation & Travel


Thank You!