Internet Security Basics

Symmetric Encryption

Symmetric key should NOT travel un-protected over a network. Following are two algorithms normally used to exchange the keys.

1. Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.

2. RSA as key exchange algorithm.

Alice Bob

Encryption Algorithms

1. RC4 (Rivest Cipher 4) was designed by Ron Rivest of RSA Security in 1987. RC4 5% performance degradation.

2. DES (Data Encryption Standard (IBM)) 24% performance degradation.

PKI Encryption

Important: These forms the basis for all the internet security protocols.

Alice Bob

PKI Digital Signatures

Third PKI-Rule Satisfied.

First & Third PKI Rule Satisfied.

Unique sequence number is used inside the Digital Signatures to prevent interception and replay of the messages.

Certificates and Certificate Authorities

Here’s a trust relationship between a customer, his bank and his credit card company.

When he drops a cheque at his bank to pay-off his credit card bill, he is assured that his credit card will be paid.

Some of the well known are: 1. Verisign, Inc.2. Entrust Technologies.3. Baltimore Technologies.4. Thawte.

You can be a CA on your own using free and open source OpenSSL.

Carries Bobs Distinguished Name (DN) and his Public Key with other details.

CA will do a lot of physical validations and issue a certificate to Bob. Normally Bob gets that either through email or CA requests him to download it from their web site.

You can store the certificate on your file system as a file (.cer), right click and check the properties.

You can check the CAs and trusted parties certificates installed on your browser.

Internet Explorer > Tools > Internet Options > Content > Certificates (button)

X.509 v3 Structure of a certificate

The structure of an X.509 v3 digital certificate is as follows:• Certificate

• Version • Serial Number • Algorithm ID • Issuer • Validity

– Not Before – Not After

• Subject • Subject Public Key Info

– Public Key Algorithm – Subject Public Key

• Issuer Unique Identifier (Optional) • Subject Unique Identifier (Optional) • Extensions (Optional)

• Certificate Signature Algorithm • Certificate Signature

Issuer and subject unique identifiers were introduced in Version 2, Extensions in Version 3.

Certificate filename extensions

Common filename extensions for X.509-certificates are:

• .DER - DER encoded certificate

• .PEM - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" (also sometimes represented as .CER)

• .P7B - See .p7c

• .P7C - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)

• .PFX - See .p12

• .P12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected)

• PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C-file is just a degenerated SignedData structure, without any data to sign.

• PKCS#12 evolved from the PFX (Personal inFormation eXchange) standard and is used to exchange public and private objects in a single file.

• A .PEM-file may contain certificate(s) or private key(s), enclosed between the appropriate BEGIN/END-lines (CERTIFICATE or RSA PRIVATE KEY).

PeopleSoft uses PEM

format.