Dissertation submitted in partial fulfillment of the requirements for the degree Master in Internet, Computer and System Security
I hereby declare that I have observed scholarly conventions for the attribution of the work of others and that all work not attributed to others is my own. I view plagiarism as a serious theft to not just ones writings but also to ones thoughts. I strictly adhere to the fact that it must be avoided at any cost.
The Word Count of this Project is approximately 15000 words.
Internet is an uncontrolled and untapped world which cannot be explored to its fullest and at the same time none can exercise control on its content, behavior, misuse and security aspects. The various vulnerabilities demand a secure technique to highlight the vulnerabilities which is essential for small, medium and large businesses to maintain, secure confidential data and information regarding their business and observe customer confidentiality at al times. The security techniques make sure that all the various security protocols and encryption techniques are discussed and handled well.
The public key infrastructure, encryption, public cryptographic system makes sure that all the security issues relating to the environment are taken care at its best so that one is able to fetch the right perspective towards its further research and development. Finally the security protocols and techniques are discussed with the perspective of personal and professional practices like emails, legal aspects of cryptography and digital signatures. The usefulness of the security aspects related to SSL PKI, and digital certificate are discussed at large for fetching a strong understanding of these security technologies and their applications in the internet world. Proper explanation in the context of the real business scenario would be quite fruitful for devising a strategy to prepare for the worst situation.
To God is the glory for the successful completion of my course of study, research work and above all for His love, protection and guidance. I wish to acknowledge my indebtedness to all those who have assisted me in the preparation of this project work. I am particularly indebted to my supervisor <mention> for his personal interest, advice, and suggestions, which have proved very useful in the removal of abuses of facts and misplaced interpretations.
I also wish to express my thanks and profound gratitude to my father and my mother for their love, encouragement and financial support that has made my education a reality. I cherish in a very special way the loving understanding, and care which my father showed to me during this period. I must not forget too the moral support rendered to me by my brothers and sisters. To them and other members of my family who in one way or the other contributed to the success of this study I say thanks.
Internet security norms are to introduce the secure ways to communicate data using cryptographic systems. The public system of cryptography becomes fast the beginning for the growth of electronic trade and other applications that require the safety and the certification of identity in an open network as is the Internet. The widespread use of the public system cryptography requires a basic infrastructure of public key in order to publish and manage the public keys of users, whom publication constitutes necessity in order to function the public cryptographic system (Speed, 2003). Without such an infrastructure we cannot take the advantages that the public system of cryptography offers in combination with the symmetric system if cryptography. This thesis presents a total of characteristics that are publics for all the systems of infrastructure of the public key. Objective is to comprehended that it can be created a system of infrastructure of public key and simultaneously to mention theirs characteristics that offer to us the essential safety in order to do with safety our transactions as well as any their restrictive weaknesses in order to be puzzled for any chance corrections that should become. Also we dealt with legal subjects of digital signatures so much in the abroad as in United Kingdom, since the institutional frame shapes substantially the development of this technology delimiting the frames in which this will be moved (Stallings, 2003). We hope to contribute in the comprehension of subject which becomes topical since of enactment of the use of digital signatures so much in the public as in the private sector, in order to function are required fundamentally a creation of an infrastructure of the public key which will support secure digital transaction.
A. CHAPTER 1: SECURE INTERNETWORKING TRAFFIC
There is no a unique, public acceptable answer in this question, because the Internet is something different for each one of us:
· It is total computers that they discuss via fibber optics, telephone lines, satellite connections and other media.
· It is a part where you can speak to your friends and to your family to the all world.
· It is a part where you can take samples of games.
· It is an ocean of resources, that they wait for you to collect them.
· It is a part in order to do the research for a thesis or presentation of your company.
· Is a part where various dark types waiting for you to make you villain.
· It is an unlimited commercial occasion.
· It is a world team of support for each problem or need.
· It is a professional meeting point from all the fields of activity that is shared information on their work (John, 2006).
· Are hundreds libraries and file saves that open in front you.
· It is complete messy of time.
All these answers are right but are not no complete. Today the Internet is much more from that it was in the ’80’s decade and in five years by now it will grow more, and the games that are used today will be grandfathers of tools that we will use then. A right way in order to speak for the Internet is to say that it is the network that created by the collaboration of interconnection of computer networks (Stallings, 2003).
Figure 1 : Internet (Source: http://www.irchelp.org/irchelp/security/ics_files/icshub.jfif)
The word Internet is constituted by the conjunction of words interconnection and network. This means that hundreds connected networks that are composed from different goods of computers and different technologies are placed together so much smoothly from various departments and they appear like a Network. These connected networks usually use the sequence of communication TCP/IP (Transmission Control Protocol). The Protocol TCP/IP is a reliable with connection protocol and allows in a sequence of bytes that begins from a machine it is delivered in any other machine in the Internet without errors. The requirement for flexible architecture created applications with two requirements that oscillated from the transport of files as the transmission of speech in real time. These requirements led to the choice of network of transfer of parcel based on a layer of internet that provides services without connection. This layer is said layer of internet (internet layer). The layer that is found above the layer of internet in model TCP/IP is called transport layer, which provides in peer entities that are found in host the source and the destination the possibility of carrying out a discussion (Baccala, 2000). In the top of transport layer is found the application layer that includes all protocols of superior layers.
1.2 Internetworking Traffic
With the term Internetworking Traffic we mean the information that is transported in the Internet. With the current form of Internet, it allocates a big quantity of information and as professional tool have a lot of uses. The internet becomes progressively an important mean of publicity and a distribution channel of software, files and information (Keith and Richard, 2005). The most usual use of Internet is the exchange of electronic post. The electronic post is a professional and economic way to send and to receive messages and documents from entire the world in few only thinly. Anyone has an e-mail account can send messages in other users of internet and to a lot of networks connected with this via pylon of expense. Most e-mail programs allow the users to attach files of data and programs in their messages.
The internet organized the scattered sources in a total that has meaning thus the user does not need to learn special addresses and commands. The pages of Internet are now used for the transmission of news, for the distribution of information and lists of various products on fast reports and live sound and picture assigned in the other. The networks of computers use a variety of means of transmission, in which are included the wires of copper, the optical fibres, the transmissions of radio waves and microwaves, the infra red beams, and the beams of light laser. Each mean and technology of transmission has advantages and disadvantages. As an example even if a system with infra red beams can provide connections of network for portable computers that are moved in a room for the wireless transmission above an ocean it can need a satellite in orbit (Raymond, 2004).
Before the networks the transport of the data became with the use of magnetic means as film or the disks. Now it becomes with base certain services of transport of files. The widespread transport of files of Internet uses the FTP protocol (File Transfer Protocol of transport of files). FTP allows the transport of any file and it includes a mechanism that allows having the files property and restrictions of access. Also it can be used for the carrier of a copy of file between any pair of computers. The protocols of Internet include also a second service of transport of files that is named TFTP (Trivial File Transfer Protocol) what is useful for the process of departure of appliance of material that does not have disk in order to is stored the software of system.
Another protocol is the HTTP (Hypertext Transfer protocol-Protocol of transport of hypertext), is used for the carrier of documents of Web.
1.3 Security in the Internet
The distribution of data via the internet offers important advantages in combination their classic methods of distribution. The data become available in minimal time for use and exploitation independent from their volume while the cost of mission in any distance is exceptionally small (Tanenbaum, 2003). The use of internet adds however moreover threats at the safety of information. Also the connected in the Internet computers it is possible they constitute objective of various attacks.
At the realization of any communication or transaction via the internet it will be supposed it is ensured for the data that are trafficked in that:
· It is not readable and recognizable only that from the legal sender and their recipient.
· They have not been degraded at their transport via the internet. That is to say the message that was received is the same with what sent.
· The sender and the recipient are in point of fact those that claim that they are.
· The sender it is not impossible to deny the make that it sent the message.
· The confidential information is protected from not permitted revelation.
· The computers allocate satisfactory protection from viruses that are transmitted via the internet.
· The sensitive information is protected sufficiently when they are trafficked in via the internet with sufficient encryption.
There are various techniques that can be applied so it can be achieved the desirable level of safety of information that are stored in an informative system and are transmitted in the Internet. Such are the applications of encryption for authentication of users.
1.4 General Requirements for a secure network
The protection of network which is also connected with Internet is a subject that modern enterprises and organisms are called to face it. The general requirements of safety of networks and systems of information can be formulated with the following four, interrelated characteristics:
With the term disposal we mean that the data are accessible and the services function, despite that by any chance disturbances, as interruption of catering, natural destructions, accidents or attacks.
b. Verification of identity:
Confirmation of declared identity of institutions or users (Bejtlich, 2006). For the verification of identity are required suitable methods for various applications and services, as are the electronic contracting of convention, the control of access in certain data and services (e.g. for the tale-workers) and the verification of web sites (e.g., for internet banks). It should also be included the possibility of anonymity, since a lot of services do not only need the identity of user but reliable confirmation of certain criteria of (called “anonymous credentials”), as the solvency.
Confirmation that the data have been dispatched, it is received is stored is complete and they have not suffered alteration
d. Observation of secrecy:
Protection of communications or stored given opposite interception and reading by not permitted individuals (Greene, 2004). It is particularly required for the transmission of sensitive data and she is one from the requirements that correspond in the concern of protection of private life of virtuous networks of communications.
It is a device which permits, restricts computer traffic in accordance to the security policies enforced in the business rules. Firewalls are either implemented through hardware, software, or both. They work best in detecting attacks that could enter or leave your system through an open port, such as worms and some Trojan horses. They do not scan the fragmented packets so in that way male wares attached to e-mails are still threats inside your network.
Figure 2 : Firewalls (Source:http://webhelp.esri.com/arcgisserver/9.2/dotNet/manager/graphics/firewall.PNG)
It is a device which functions as a networking component for storing and forwarding of packets to another network from that of senders.
Figure 3 : Routers (Source: http://www.smallnetbuilder.com/images_old/myimages/howto/two_routers.jpg)
It is an excellent network device which functions for communication with various types of networks with a different architecture and protocol usage.
Figure 4 : Gateways (Source:http://www.2n.cz/images2/obrazek_click/528/thumbnail.jpg)
1.5 Types of attacks at secured networks
a) Interceptions of communications.
The electronic communications can intercept and the data can be copied or modified. Interception it can be realized with various ways. Potential damage: The outlaw interception can cause damage, so as much violation of private life of individuals, what via the exploitation of data that they have been intercepted (Panko, 2004). Likely solutions: Defense against interception can emanate with the encryption of data that is transmitted via the network.
b) Not permitted access in computers and networks of computers (hacking, cracking)
The not permitted access in computer or in a network of computers is usually realized malicious with the intention of copy, modification or destruction of data.
Potential damage: The not permitted access has occasionally as motive mental challenge and no speculation. The protection at the not permitted access in personal information, included economic information, banking accounts and data of health, constitutes right of individuals (Thomas, 2004).
Likely solutions: The most common method of protection against not permitted access is the installation of a firewall. However, with this is provided limited only protection and also it should be supplemented by other controls of safety, as the recognition of attacks, the detection of access and the controls in the level of application (included “intelligent cards “).
c) Perturbation of networks (denial of service)
That is to say challenge of network collapse because of overloading. The networks are to a large extent digitized and are checked by computers.
The most common reason of perturbation of network existed at the past the damage in the system of computer that checks the network, while the attacks against network were directed mainly to their in question computers. Today, most attacks exploit weaknesses and liabilities of constitutive elements of network (functional systems, routers, switches, DNS etc). The attacks can receive various forms: a) Attacks against DNS, b) Attacks of routing, c) Attacks of refusal of benefit of service.
d) Potential damage:
The interruptions are detrimental for certain web pages, since the enterprises are based continuously more on the unhindered disposal of their network places for their commercial transactions.
Likely solutions: The attacks in DNS servers are faced firstly easily with the extension of protocols DNS, e.g. using secure extensions DNS that is based in public keys’ cryptography. Much difficult is the defense against attacks at the system of routing. Internet has been drawn for maximization of flexibility in the routing, while with this way is limited the probability of loss of service in the event that collapses a part of infrastructure of network. There are not effective means for sure protocols of routing, same in routers.
The volume of transmitted data does not allow in detail infiltration, since the verification would cause immobilization of networks. For this reason, the networks execute only basic infiltration and operations of control of access, while the most specialized operations of safety (e.g. control of identity, integrity, encryption) are placed in the limits of networks, that is to say in the terminals and in the servers of the networks that function as terminal points.
e) Implementation of malicious software that modifies or destroys data (viruses, worms and Trojan horses)
The computers function with software. Computational however can also be used and in order to it places except operation of computer, in order to it eliminates or modifies data. If such a computer is part of network of management, its dysfunction has extensive repercussions (Fazekas, 2004). The virus is type of malicious software. It is a program that repeats the code attached in other programs, with way in order that the code of virus is executed at the implementation of program of computer that has been offended. There are a lot of other types of malicious software: certain they only harm the computer where they have been copied, while other are transmitted in other found connections programs. But programs are presented as non-malignant, when however they open they express malicious attack for this reason they are called “Trojan Horses”. Other programs named “worms” do not offend other programs as the viruses, but create their copies, which with their line are repeated, submerging finally entire the system.
Potential damage: The viruses can be particularly devastating, as they appear also from the high cost of certain recent attacks.
Figure 5 : Trojan horse (Source:http://www.securitysoftwarezone.com/modules/news/files/trojan-horse.gif)
Likely solutions: The main way of defense is the software at the viruses (antivirus) that are sold in various forms, as example scanners for viruses and cleaners that locate and make useless known viruses (Nyman, 2006). Their main fault is that they do not even locate easily new viruses, with regular briefing. Other example of defense at the viruses is the controller of integrity. In order a virus can offend a computer; it will be supposed to change something in this system. The control of integrity could locate the changes, even if they have been caused by unknown viruses.
Figure 6: Worns (Source:http://d-extreme.blogspot.com/2006_12_01_archive.html&h=200&w=200&sz=)
f) Manipulation/false statement
With the re-establishment of network connection or the receipt of data, the user gathers the identity of its interlocutor with base circumjacent (context) the communication. The network provides certain clues as for this. However, the bigger danger of attacks emanates from individuals that know circumjacent “from in”, that is to say from initiating. When a user selects a number or a type of electronic address in the computer, it expects that he will reach in the desirable destination. This is enough for a lot of applications, no however for important professional transactions or for medical, economic or official communications, where is required higher degree of control of identity, integrity and observation of secrecy.
Potential damage: The manipulation of individuals or institutions is detrimental at different ways. The customers’ tale-charge probably malicious software from network place that uses a source as safe. Probably is given confidential information in error individuals. The manipulation it is possible to lead to refusal of recognition of online conventions.
Likely solutions: The attempts of import of verification of identity in the networks, in combination with the import of protocol SSL, it constitutes already useful step for the guarantee of certain level of observation of secrecy. Virtual Private Networks (VPN) use SSL and Insect for communications via precarious internet based and open channels, safeguarding given level of safety. These solutions of are however limited usefulness, since they are based on electronic certificates, without exists guarantee that this certificates do not have forged. This guarantee can be provided from third part that is often reported as “Beginning of Certification” or in the directive on the electronic signatures “Provider of Service of Certification”. The problem that concerns in the wider acceptance of this solution resembles with the problem of encryption – it is the need of interoperability and management of key. This does not constitute problem for the VPN, since they can be developed privately-owned solutions – it is however more major obstacle in public networks.
a. Apart from the attacks what other can affect the safety of network?
Apart from the malicious attacks at the networks, they can also be affected from unanticipated and involuntary makes, that can be owed in: a) natural destructions (e.g. storms, floods, fires, earthquakes), b) third parts that do not have conventional relation with the institution of exploitation or the user (e.g. interruption of benefit of service due to building work), c) third parts that have conventional relation with the institution of exploitation or the user (e.g. damage of equipment or software in constitutive parts or programs that has been delivered), d) human fault or bad management on behalf of the institution of exploitation of (included supplier of services) or the user (e.g. problems in the management of network, been mistaken installation of software).
B. CHAPTER 2: CRYPTOGRAPHY
2.1 Historical retrospection
The necessity of precaution of important information and professional secrets was already perceptible from very old. The first cryptographic text is dated by the season of 1500 B.C. in Babylon. It is coded current directives on the greasing of earthen vessels. In the most recent years, in the 2° world war cryptography it was the faculty to transmit, in coded form, drawings of also directive attacks in pincers of communication so cannot anybody “foreigner” can recognize the initial message. Today cryptography abstains a lot other the aim is the same: falsification of information so as to she becomes perceptible only from the one in which it is addressed (Mann, 2006).
Figure 7 : Cryptography (Source:http://img.zdnet.com/techDirectory/ENCRYPT.GIF)
2.2 What is cryptography?
In the past few year cryptography is one from the most popular subjects of discussions into the Internet and this because their users occupies the safety of information in the Internet.
Cryptography is the science of writing and transmission messages with methods that prohibit the access of third in the recorded or transmitted information with the utilization of powerful coding system.
2.3 Basic significances
Cryptography is a science that is based on the mathematics for the encoding and the decoding of data. The methods of encryption render sensitive personal given accessible only from those who they are suitable permitted. They ensure the secrecy in the digital communications but also the storage of sensitive information of the initial message it is named simple text (plaintext), while the inapprehensible message that results from the encryption of simple text is named cipher (cipher text).
Decipherment is the recuperation of simple text from the cipher with the application of reverse algorithm. The cipher text communication is effective, when only the individuals that participate in this can recover the content of initial message Cryptography it should not it is confused with the cryptanalysis, which is fixed as the science for the analysis and decoding of coded information without the use of reverse algorithm of encryption. The algorithm of encryption is a mathematic function that is used for the encryption and decipherment of information. As long as it increases the degree of complexity of algorithm, so much is decreased the probability to vilified by somebody. The algorithm of encryption functions in combination with a key (key), for the encryption of simple text. The same simple text is coded in different ciphers when are used different keys.
2.4.1 Asymmetric cryptography
Asymmetric cryptography uses two different keys for the encryption and decipherment. Each user has in his possession a pair of keys, the one is called public key and the other is called private key, the public key is publicized, while the private key is kept secret. The private key is not transmitted never in the network and the all communications is based on the public key. The need the sender and the recipient to be shared the same key disappears and together and a lot of problems that we will see below. The only requirement of asymmetrical cryptography is the trusted and cross-correlation confirmed of public keys with their holders so that is not possible deliberate or not impersonation. The asymmetrical encryption can be used not only for encryption, but also for production of digital signatures.
The private key is mathematically connected with the public key. Formally, therefore, it is possible is overcome such cryptosystem recovering the private key from state. The resolution of this problem is very difficult and usually requires the factorization of big number.
2.4.2 Symmetric Cryptography or Secret-Key Cryptography
In usual cryptography, the sender and the recipient of message know and use the same secret key. The sender uses the secret key in order to encrypt the message and the recipient uses the same key in order to decrypt the message. This method is called symmetric cryptography or cryptography secret key. Symmetric cryptography it is used not only for encryption, but also for certification of identity. Such a technique is Message Authentication Code (MAC).
The main problem of symmetric cryptography is the agreement of sender and recipient in the common secret key that encodes and decodes the all trafficked in information, without some other is informed of this. Advantage her is that she is more rapid than asymmetric cryptography.
2.4.3 Advantages and Disadvantages of Symmetrical and Asymmetrical Cryptography
The bigger problem of symmetric cryptography, as we reported briefly previously, is the agreement and the exchange of key, without some third person learns for this, the transmission through the Internet is not sure because anyone knows for the transaction and has the suitable means can record the all communication between sender and recipient and acquire the key. Then, it can be read, modify and forge the all messages that they exchange the two unsuspicious users. Of course, they can be based on other means of communication for the transmission of key (e.g. telephony), but even thus cannot be ensured that no one is not interfered between the line of communication of users. Asymmetrical cryptography gives solution in this problem because the sensitive information does not travel in the network.
Another one still advantage of asymmetrical cryptosystems is that they can provide digital signatures that cannot be recanted from their source. The certification of identity via symmetric encryption requires the common use of same key and many times over the keys is stored in computers that are in danger from exterior attacks. As result, the sender can recant earlier signed message, supporting that the secret key that had at some way is revealed. In asymmetrical cryptography it is not allowed such something after each user has exclusive knowledge of private key and is his own responsibility his keep.
Disadvantage of asymmetrical cryptography is the speed. As a rule, the process of encryption and certification of identity with symmetric key is considerably more rapid than the encryption and digital signature with pair of asymmetrical keys. This attribute is called guarantee of non-repudiation of the source. Also, enormous disadvantage of asymmetrical cryptography is the need for certification and verification of public keys from organisms (Certificate Authority) so that is ensured the possession the legal users.
When some fraud achieves and belies the organism, it can connect its name with the public key of legal user and pretend the identity of this legal user. In certain cases, asymmetrical cryptography is not essential and symmetrical cryptography from itself is enough. Such cases are surrounded closed, that does not have connection with the Internet. A computer can keep the secret keys of users that they wish to be served by this, since there is no fear for occupation of machine from exterior factors. Also, in the cases that the users can meet it and exchange the keys or when the encryption is used for local storage of certain files, asymmetrical cryptography is not essential.
The two cryptosystems can be applied together, combining good characteristics and eliminating their disadvantages.
2.4.4 Operations in cryptography
The professionals that deal with the safety have identified four words in order to they describe the all operations that he carries out cryptography in the simultaneously informative systems. The different operations are:
Cryptography is used in order to transform the information that is sent via Internet and is stored in their Servers so the content of data cannot be from those that spy. Certain calls this attribute secrecy but most use this word in order to they are reported in the protection of individual information.
There are methods that check if a message has been altered the moment of transport. Often this becomes with the codes of decomposition of messages digital signed. Authentication-ratification of genuineness. The digital Signatures are used in order to they ascertain the identity of sender of message. The recipients of message can check the identity of sender which signed digital the message. They can be used in combination with password or even replace them.
18.104.22.168 Non repudiation
The cryptographic proofs are created so the sender cannot disavow the make of mission of his message.
22.214.171.124 Cryptographic systems that are used today
In the past few years have been developed and used enough cryptographic systems for Internet. We can separate in two categories: First category is programs and protocols that are used for the encryption of messages of electronic post (e-mail). The most popular are:
2.5 PGP and S/MIME
The second category is protocols of network that is used in order to they provide confidentiality, integrity, recognition of identity in environment of network. Such systems need interaction of real time between t o n client and server in order to they work rightly.
2.5.1 PGP (pretty good privacy)
Cryptography of type PGP makes use of key for the encryption and a key for the decipherment. Traditional cryptography uses one only key which will be supposed it is acquaintance in both two parts so that becomes secured transport of data. In order to becomes secured exchange of key of encryption the key it is separated in two parts: public key and encryption key. Each public key of participating in the PGP encryption is free for each one while with private key becomes the decipherment of each message that has right public key.
2.6 S/MIME (multipurpose internet mail extensions)
The MIME is a standard for mission of files with binary attachments via Internet. The Secure/ [MIME] are its extension MIMIC standard for the recognition encoded e-mail. Contrary to the PGP the S/MIME was not applied as autonomous-program but as a tool that was drawn in order to it is added in various parcels of electronic post. Because this tool emanates from the RSA data security and includes authorizations for the all required algorithms and because the bigger companies that sell systems e-mail have already relation with the RSA data security, it is likely S/MIME to be used more from the salesmen of e-mail programs in relation with the PGP.
Figure 8 : S/MIME (Source:http://www.ibm.com/developerworks/lotus/library/securemessaging/speed1.jpg)
The S/MIME offers confidentiality because the cryptographic algorithm is determined by the user. It offers its integrity due to the interrelation of decomposition is determined by the user. In order to we send cryptographic message in somebody with the S/MIME it should we have a copy of his public key.
2.7 SSL (secure socket layer)
The SSL has been drawn for the sure transport of information through networks TCP/IP. Because it has not been drawn for certain concrete application it can be incorporated in many of them after become suitable adaptations in their source code. In order to it ensures the communication (from problems of interception, impersonation, it uses symmetric algorithms of encryption, digital certificates, interrelations of synopsis. For every of the technologies that it incorporates it provides the possibility of choice between their alternative forms of concretization. Thus each available combination of solutions for the technologies that it incorporates is named cryptographic packet SSL. For example a cryptographic parcel of SSL is RC4-MD5 that means that it uses algorithm RC4 it makes synopsis with algorithm MD5 and the key session it is length of 128 binary digits.
The S-HTTP it is a system for signature and encryption of information that is sent via the HTTP of protocol. The S-HTTP includes certain characteristics as is the faculty to have pre-signed texts that are found in web server.
Figure 9 : SHTTP (Source:http://www.windowsnetworking.com/img/gifbasic/inetrout.gif)
2.9 IPsec @ IPv6
The IPsec is a cryptographic protocol that works with the IPv4 the publication of IP standard that uses today Internet. The IPv6, the “next generation” IP, includes the IPsec. To IPsec is not offered for the integrity, the recognition of identity or the prohibition of disavowing but leaves these characteristically for the rest protocols. The IPsec has the faculty to provide recognition of identity, integrity and optionally the confidence of data on the all communications that take part on t o internet.
The SSH is the secure sell. It provides cryptographic protected virtual terminals and operations of transport of files.
Kerberos is a system of safety of network that contrary to but does not use technology of public key. It is based on symmetric ciphers that are shared between Kerberos server and each separate user. Each user has his password in order to encrypt messages that are sent in this user so as to they cannot be read from no other.
C. CHAPTER 3: SSL (SECURE SOCKET LAYER)
The SSL (Secure Socket Layer) is a general aim protocol on the mission of encrypted information via Internet. It was developed by Netscape and became accessible from the wide public from web browser and server Netscape. The idea was they imitate the sales of company with cryptographic activated web servers distributing free client who applied the same cryptographic protocols.
From then SSL it has been incorporated in a lot of other web servers so the support of SSL is not a competitive advantage but a necessity. To SSL is also used for no web applications as it is secure telnet. To SSL is now one from the most popular protocols of encryption in Internet.
3.1 What is SSL?
The SSL is a level (layer) between the line of TCP/IP of protocol and in the level of application. While the regular TCP/IP protocol simply sends an anonymous free error current of information between two computers, SSL adds many operations in this current, including:
· Proof genuineness and prohibition disavowal its server, using digital signatures.
· Proof genuineness and prohibition disavowal client, using digital signatures.
· Confidence of data with the use of cryptography
· Integrity of data with the use of code proof of genuineness of messages
Figure 10 : SSL (Source:http://www.securityfocus.com/unix/images/ssl_02.jpg)
Cryptography it is a fast developing sector and the cryptographic protocols they do not work if the two parts of communication do not use the same algorithms. For the reason this SSL is expansion able and it can be adapted easily. When a program that it uses SSL tries to communicate with another, then the two programs electronic compare elements and determine who the more possible cryptographic algorithm that allocates joint is. This transaction is named SSL Hello.
The SSL was drawn for use in world level, but was developed in the United States and it is included in the programs that are sold by companies of United States for use in the abroad. For the reason this SSL contains a lot of operations drawn so as to it can arrange itself with the governmental restrictive policies on issues export of cryptographic systems of United States.
3.2 Publications of SSL
The SSL was drawn by Netscape for use with Netscape Navigator. The publication of 1.0 protocol was used in t o Netscape. Publication 2.0 was included with Netscape Navigator 1 and 2. Since SSL 2.0 was published, Microsoft created a similar secure link protocol, named PCT, which remedied certain weaknesses of SSL 2.0. The advantages of PCT was incorporated in the SSL 3.0.To SSL 3.0 protocol was used as the base for Transport layer security (TLS) protocol that was developed by the IETF.
The SSL 3.0 offers a lot of characteristics theoretical but also practical interest.
3.3.1 Segregation of duties
The SSL uses separate algorithms for the encryption, the proof of genuineness and the integrity of data with different keys that are named secretively, for each operation. The basic advantage of this segregation of duties is that the bigger keys they can be used for the proof of genuineness and for the integrity of data, while the smaller keys to be used for the secrecy.
The SSLv3 is provided for the connections that encrypted but is proved their genuineness and are protected against premeditated alterations from somebody attacker. This perhaps is useful in the event that the encryption is prohibited from the law as in France.
The choice of algorithms and the length of keys are determined by the SSL server, but are also limited by the two side’s server and client.
The encryption and decipherment of public key are a time-consuming process. How many when is rather repeated this treatment for each communication between the client and the server. The SSL applications can store conceitedly (cache) a secret “master secret”, that is maintained inalterable between the SSL of connections. This allows in the new SSL connections to begin immediately the sure communication, without it needs are executed more operations of public key.
3.3.3 Testimonial based on the proof of genuineness
The SSL provide for the proof of genuineness and the two, client and server, via the use of digital certificates and digital signed challenges of recognition. The SSLv3 uses X.509 v.3 certificates nevertheless the IETF standardization of SSL (TLS) perhaps uses different goods of certificates since they are standardized. The proof of genuineness is an optional part of protocol, nevertheless the certificates server are effective permitted from the current SSL applications.
3.3.4 Protocol Agnostic
Even if the SSL was drawn in order to it runs in the top of TCP/ΙΡ, this in reality can run in the each top reliable connection-oriented, protocol as is the X.25 or the OSI. The SSL protocol cannot run in the top of not reliable protocol as is the IP User Data gram Protocol (UDP).
The all SSL communication takes part on simple double direction current In the case of TCP/IP; the doors that are usually used are these in following:
keyword Decimal Port Purpose
https 443/tcp SSL-protected HTTP
ssmtp 465/tcp SSL-protected SMTP (mail sending)
snews 563/tcp SSL-protected Usenet News
ssl-ldap 636/tcp SSL-proteeted LDAP
spop3 995/tcp SSL-protected POP3 (mail retrieving)
3.3.5 Protection against the man-in-the-middle and replay attacks
The SSL protocol is specifically drawn in order to it protects against the man-in-the-middle and replay attacks. In a man-in-the-middle attack, attacking is interfered and intercepts the all communications between the two parts, making him each one believe that this communicates with the other.
The SSL gives protection against the man-in-the-middle attack making use of digital certificates in order to it allows in the web user to learn the ratified name web site. In a replay attack, attacking is copied the communications between the two parts and repeats the messages. As an example attacking perhaps it copies a message between user and an economic institution (bank) having it informs that an electronic payment possibly becomes. Repeating this message, it can cause a lot of other electronic payments.
3.3.6 Support for compaction
As the encrypted data, cannot compact the SSL ensures for the future the faculty compacts the data of user before these be encrypted. The SSL supports a lot of algorithms of compaction. However it does not exist today any SSL application that would incorporate the compaction. Note The encrypted data cannot compact because the good encryption moves drastically each repetition the resemblance that is moved at the duration of compaction. If our encrypted data can compact, then our encryption is not good.
3.4 Compatibility with SSL 2.0
The SSLv3.0 servers can accept connections from SSLv2.0 clients and handle the message automatically without exists need to reconnect client.
3.5 Digital certificates
The SSL makes extensive use of certificates of public skey on the proof of genuineness so much client what server in the SSL transactions. The SSL makes use of X.509 v.3 of certificates on the control of RSA pair of keys and a modified X.509 certificate on the control of public keys that is used by the U.S. Department of Defense Forteza/DMS protocol of exchange of keys. The SSL supports the following goods of certificates: – RSA certificates of public key with public keys of arbitrary length
-RSA certificates of public key that are limited in the 512 bits for use in the cryptographic software’s that are to be exported.
– RSA certificates only on signature, which contain RSA public keys that are used only for the signature of data and no for encryption
– DSS certificates
– Diffie-Hellman certificates
The use of certificates is optional. SSL requires testimonial server unless the SSL applications and client and server use Diffie-Hellman protocol of exchange of keys. 4.5 SSL Applications SSL was drawn initially in July 1994 and was one from the basic enterprising plans for Netscape. Netscape drew it creates browser that would allow in the user to execute encrypted communications with servers Netscape using a protocol of her own property.
3.6 Record of implementation
SSL obviously decreases the speed of transmission of information via Internet. The record of deceleration is mainly result of encryption and decipherment of public key that is required in order to be established the first SSL connection. Compared to this the additional encryptions and decipherments of data with their RC2, RC4 or the DES are practically insignificant.
Users of SSL report that the deceleration reaches the +50%, compared with the mission of information without use SSL.
Users with SPARC Station 10s have reported that the encryption and decipherment of public key require roughly three CPU seconds per user with a key 124-bit. This means that will exist a pause of three seconds between t o opening of connection in a SSL server and in the acquisition of HTML of page from server. Because the SSL can store silent (cache) a secret “master secret”, this delay affects only in the first SSL transaction between client and server.
If we have a fast computer and don’t relatively slow connection in the network the additional SSL it can be insignificant, specifically if we send big quantities of information above a simple SSL session or above multiple SSL sessions that use a public “master secret”.
On the other hand if we require “to serve” big size of SSL HTTP of applications in thin, we have to decide either in the market of exceptionally fast computer or in the hardware help for public key operations. In order to decrease the effect of SSL, a lot of organisms transmit the volume of their information “clearly” and they use the SSL only for encryption of sensitive data. Unfortunately this leaves virtuous open in an attack, because not encrypted HTML files can be modified at the transmission, since these are sent from client in server, with a specialized program infiltration of packets and import of new elements (injection). As an example it could be changed action tag in a HTML form, so instead of storing the number of credit card in the suitable system of treatment, this be placed in a piratical computer in southern America. If we suppose that the operator of piratical system can take signed digital ID from its own SSL server, then perhaps it is very difficult for user that was deceived with this subterfuge to discover that it was victim of attack.
3.7 SSL: From the side of user
Netscape Navigator but also Microsoft’s Internet Explorer contains extensive support for the SSL. This part describes the way of support for the transport of documents with the use of cryptography.
Netscape Navigator uses the term ‘secure document’ as an abbreviation on the phrase “documents that are transmitted using SSL”.
Actually the documents that are transported using SSL are sure or uncertain that the documents that are sent not encrypted. Simply they are cryptographic protected against the eavesdropping and in the modification of their content at the duration of transport.
3.8 Selecting operations in their Browsers
Netscape Navigator and Microsoft’s Internet Explorer check the SSL behavior via the use of various tables of control (panels). Netscape Navigator has in obvious point Security button.
D. CHAPTER 4: DIGITAL TECHNIQUES FOR RECOGNITION OF IDENTITY
The infrastructure of Public Key (Public Key Infrastructure – PKI) constitutes a combination of software, technologies of cryptography and services, who certifies the validity each individual that is involved in a transaction in the Internet, and at the same time protects the safety of transaction.
The PKI incorporates digital certificates, cryptography public key and beginnings of certification in a sure architectural form. A formal concretization of PKI includes the benefit of digital certificates in users, servers and software of users. At the same time it offers line of tools for the management, renewal and retraction of certificates.
Figure 11 : PKI (Source:http://www.va.gov/proj/vapki/PKIinstall/VA_PKI_Partner_External_Cert_Guide_R5_clip_image010.jpg)
4.2 Basic characteristics of PKI
The Public Key Infrastructure in its simpler form is a system for the publication of public keys that is used in cryptography public key. There are two basic operations that are common in all PKIs:
The certification is the process of correspondence and engagement of public key in an individual, organism or other entity, or in a part of information as some right (permission) or characteristic (attribute).
The validation is the process of verification of force certificate.
Certification:— The certification is the basic operation of all PKIs. It is the way with which are published the values of public keys and the information that corresponds in these values. A certificate is the way with which the PKI transmits the prices of public keys, or information that is related with them or even the two.
As generally speaking a certificate is a collection of information that has been signed digital by the entity that publishes them. These certificates are characterized by the type of information that contains.
An identity certificate simply identifies an entity, called the subject the certificate and brings the prices of public keys of this entity. An attribute certificate describes not-entity as some right or characteristic.
The user of a certificate is the entity that is based on the information which it contains the certificate, entrusting the issuer on the “genuineness of” certificates. The issuer of certificates is called Certificate Authority – CA.
The existence of PKI allows the sure communication with alone condition the knowledge of public key from the CA. The sender acquires his testimonial recipient from the CA, which contains the public keys of recipient, while its genuineness is ensured by the digital signature of certificate from himself the CA.
The information that is contained in a certificate, the relation of CA and certificate user as well as subject certificate constitutes basic characteristics of various PKIs. The relation of confidence (trust relationship) between the CA, certificate user and certificate subject constitutes also basic characteristic of PKIs.
In order to help and explain these significances, we present an example using the certificates of identity. Imagine that Alice wishes to communicate certainly with Bob using a public cryptographic system. Alice should know the price of public key of Bob. Without a system of infrastructure of public key Alice should have direct knowledge of price of key of Bob and consequently Bob it should communicate with Alice via a sure channel so that it makes her known the price of his public key. If Alice wishes now communicate and with Doug, it should also it has direct knowledge of public key of Doug. With a PKI, Alice should only know the price of public key of CAs that signs the key. The beginning of Certification would publish a certificate of identity for each one from the public keys of Bob and Doug which it would sign with its own private key. Then if Alice wishes to communicate with Bob or Doug, she can use the suitable certificate in order to it receives the right price of public key of each one. In this case, Alice is the user of certificates while Bob and Doug constitute also two subjects of different certificates.
The information that is included in a certificate is a basic characteristic of different PKIs. Also, the relation between the CA, the user of certificates and the subject of Certificates shapes an other basic characteristic PKI. All these three can be distinct entities, as in the above example, or even the three it can be the same entity. The relations of confidence between the three also shape a third basic characteristic of PKIs. In the above example, Alice should entrust the certificates of CA’s. If Alice and the CA are distinct entities, the way with which Alice will entrust the CA it will determine how much confidence shows using the certificates of CA’s on secure communications.
Regulations of CA:——– Most PKIs allow in CAs to certify other CAs. The certificates that are used for this operation are called certificates CA (CA – certificates) contrary to the certificates of users (user certificates). As generally speaking, is possible the existence of arbitrary number from CAs in a way from user in some other. Thus, sender that wishes to send a secure message in somebody that is certified by a other CA it will be supposed it verifies the identity of all CA that intervenes until it acquires his certificate recipient. This process is called verification of way of certification (certification path validation). The length of way of certification is the number of CA that intervenes from the sender in the recipient, or the number of certificates that it should verifies the sender until he acquires the public key of recipient. The way of form 2 is constituted by three certificates:
The Certificate 1 is CA-certificate that has been published by CA X for CA Y, CA Y has published Certificate 2 for CA Z, who end has published a end-user certificate for recipient. When the sender verifies the way of certification, he begins with the public key of CA X which uses him in order to verifies the certificate 1. Afterwards it uses the public key of CA Y, which acquired from the certificate 1 in order to it verifies the certificate 2, acquiring thus the public key of CA Z, which can end use in order to it verifies the certificate 3 and it recovers the public key of recipient.
4.3 What are the basic operations of PKI
The basic operations/services of Infrastructures of Public Key are the following: Confidentiality: It is the protection of data against not permitted access or their notification. This service materializes itself via mechanisms of control of access in the case of storage of data and via coding at their mission. The infrastructure of Public Key provides coding, after the mechanisms of control of access are materialized primarily by the combination of methods of authentication and authorization. Integrity: It is the protection of data against not permitted modification or their replacement. It is provided by mechanisms cryptography as electronic signatures. Non-Repudiation: The Non-Repudiation combines the services of Certification and Integrity. The sender of data cannot deny that he created and dispatched the message. Asymmetrical cryptography provides electronic signatures, in consequence only the sender of message could possess the particular signature. In this way, anyone, and naturally the recipient of message, can confirm the electronic signature of sender.
4.4 Recognition of identity
The recognition of identity is a essential element of current life, but also future also. Big organisms use special discreet signals (budges) recognition of identity for the workers, in order to they help the guardians in to decide who they will leave to enter in the buildings and who will remain outside. Governments use documents of identity in order to they check their borders. The computers use different types of systems in order to they determine the identity of their users, and in order to they check the access of their information and their services.
4.5 Systems for recognition of identity based on certificates Authentication: is the confirmation of identity of individual or source of mission of information. Each user that wishes it confirms the identity of other person or server with which it communicates, is based on the certification. The traditional methods of certification are the following:
· With certain code that we know, as the PIN of banking card or password account
· With some object that we have in our property, reason charm the key of door or a banking card
· With fingerprints, voice recognition etc.
The certificate is the way with which the Infrastructure of Public Key transmits the prices of public keys or information that is related with them, or even the two. The issue of certificates is named Certificate Authority – CA. The issuers of Certification ensure the publication and the distribution of public keys and receive the public key of interested user. If the user acts in the particular case as private individual, will be supposed to grant the all essential elements that prove his identity. In opposite case, the user is considered that he acts on behalf of some enterprise, therefore owes to grant the all legal information that is required for the reliability and its legal operation.
Substantially a digital certificate constitutes a digital signed statement from a beginning of certification, which:
1. It determines the beginning of certification that published it
2. It contains the name and certain other information of registered
3. It contains the public key of registered, which is digital signed from the start certification that published him
For the certification of identity dealing are used the certificates of safety, that moreover guarantee also the safety of network place. There two types of certificates:
· The personal certificates, which constitute a type of guarantee that the user he is the one that it declares that it is. In them is registered personal information, as name of user and code access. Afterwards, this information is stored in a certificate, which is used when is sent personal information in transporters of control of identity that requires certificate. Also, a personnel certificate it allows in user it receives encrypted messages from the remainder users.
· The certificates of network places, which contain information that certifies that the particular web page is genuine and sure. This ensures that no other site cannot present itself with the identity genuine, sure locality. Also, the certificates of network places are dated at their publication. When you try to be connected with website a organism, the program of reading verifies the address Internet that is stored in the certificate and checks his date of expiry. If this information is not valid or if it has expired, then a warning message is presented (Warning).
They have been developed or are found under manufacture various protocols of safety that make use of above techniques, as the SSL (Secure Sockets Layer), Netscape, and the SET (Secure Electronic Transactions), that was developed by Visa and MasterCard. By them is today used the SSL. Enough web pages are equipped with programs that use this protocol, deterring thus the not permitted persons from their access in data that are dispatched by and to these web pages. Such sites they are named sure. The most known web browsers support protocol SSL and the encryption that it offers, while they inform the user that it is found in sure locality and can send information secure. With this protocol the communications are realized in coded form and moreover become control of authenticity of web page. The process of sure communication has as follows:
· Browser is connected with the sure network place.
· The network place declares its identity, which is checked with the certificates that are published by services of certification.
· The sure web page and browser they agree in the use of concrete key of/algorithm where it is used for encryption the remainder communication.
· The data where they are trafficked in it are encrypted with the key/algorithm that was agreed in the previous step.
4.6 Using the digital signatures for recognition of identity
The digital signatures use the cryptography of the public key. The user allocates two keys (the public and the private) which have a certain mathematic correlation. The relation of keys is such where if somebody knows a key it is practically impossible to calculate the other. A key is used for the creation of signature and the other for its verification. The differentiation by the encryption, lies in that for the creation of electronic signature the sender uses his private key and for the verification its the recipient uses the public key of sender.
In the process of creation and verification of signature is involved also the significance of interrelation of breaking to pieces (or fragmented – one way hash). With the application of interrelation of breaking to pieces, by a message of its independent size, is produced the “synopsis”, which is a line from bits concrete size (e.g. 128 or 160 bits). The synopsis of message (fingerprint or message digest) is a digital representation of message, is unique for the message and represents him. The interrelation of breaking to pieces is one-way because from the synopsis that creates, he is calculatingly impossible somebody it exports the initial message. The probability two messages they have the same synopsis is exceptionally small. This means that if the message of sender has certain concrete synopsis and the message that it receives the recipient (using its same interrelation of breaking to pieces) produces different synopsis, then the message at his transmission has been degraded (not integrity). Any change in a message involves also the creation of different synopsis.
Considering that the sender has a concrete pair of keys and his private key is in the complete possession his, then make that the sender uses his private key in order to encrypt the message, he certifies in the recipient where the decrypt with corresponding public key of (sender) the identity of sender (authenticity). The digital signature is a way authentication of sender of message. Creation and verification of digital signature: The use of electronic signature includes two processes: the creation of signature and its verification. Below, we will report step to step the energies of sender and recipient so that becomes comprehensible the mechanism of creation and verification of digital signature.
E. CHAPTER 5: LEGAL ASPECTS OF CRYPTOGRAPHY AND DIGITAL SIGNATURES
5.1 Cryptography and legislation of exports
In this part we will give a very concise description of cryptographic policies of export in twelve countries. We underline that the laws and the regulations change continuously, and the information that we will give here are indicative the present situation based on the existing legal frame. For example, the regulations of export in various countries it is likely they change in the close future according to the new American policy. Moreover, certain countries can have different policies for tangible and different for the immaterial products. The immaterial products are products that can download from the Internet. Australian government is accused for lack of co-ordination in the establishment of policy with regard to the export, the import, and the internal use of cryptographic products. The recent clarifications declare that does not exist any restriction in the import and the internal use, but that the export is checked by the department of defense according to the regulation Wassenaar. In Brazil while it does not exist any restriction of any type today, they exist proposals for a new law which will require from the users to register their products, Brazil it is not part of Wassenaar Arrangement.
In Canada does not exist any restriction in the import and the internal use of products of encryption today. The Canadian policy of export is conforming the policies of countries as the United States, the United Kingdom, and Australia with the significance that the establishment of safety communications of Canada (CSE) collaborates the corresponding beginnings in the reported countries. China is one from the countries with the more powerful restrictions in the cryptography system. Authorization is required for the export, the import, or the internal use of any product of cryptosystem. There are various restrictions in the regulations of export, and China does not participate in the regulation Wassenaar. The European Union supports intensely the legal use of cryptography systems and is in the first line of reaction of restrictions in the cryptosystems. While this policy is encouraged by Germany, there are various restrictive policies between the other member states.
France got used to have powerful restrictions in the import and the internal use of products of encryption, but the more essential restrictions they were suppressed the beginnings 1999. The regulations of export are conform the regulation Wassenaar and are checked by the service Central de la Securite (SCSSI). In Germany does not exist any restriction in the import or the use of any software or material of encryption. Moreover, the restrictions in the regulations of export were suppressed in June 1999. In Italy while the unhindered use of cryptography systems is supported by the Italian Authorities, have existed proposals for controls of cryptography systems, .there is not restriction of imports, but the export is checked according to the regulation Wassenaar from the ministry of foreigner trade. The policy of United Kingdom is similar with that of Italy, but with still more sincere proposals for the new internal controls of cryptography systems. The export is checked by the department of trade and industry. The internal use, the export, and the import of cryptographic products are checked closely in Israel. There are proposals for small relaxations of regulations, but only for the cryptographic products that are used for the aims of certification of identity. In Japan does not exist any restriction in the import or for the use of encryption products. The export is checked according to the regulation Wassenaar from the department of control of export of safety of ministry of international marketing and industry. In Russia the Russian policy is similar with the policies of China and Israel in combination the authorizations that are required for the import and the internal use of products of encryption. Contrary to those countries, nevertheless, Russia is participating in the regulation of Wassenaar. The export of cryptographic products from Russia requires as generally speaking an authorization. In the South Africa does not exist no restriction in the internal use of cryptography systems, but the import of cryptographic products requires a valid authorization from the department of control of equipment. The export is checked by the department of growth and protection of defensive equipment. The South Africa does not participate in the regulation Wassenaar. In following table 75 countries have been divided in five categories according to the policies of encryption that they apply as these were in effect also in 1999.
5.1 Digital Signatures and restrictions of export
The digital applications of signatures are one from the nine special categories of system cryptography that raise automatically in the frame of relaxed regulations of trade. The digital applications of signatures that use basic sizes of key of algorithm RSA more from 512 bit were exportable even before year 2000. Nevertheless, existed certain restrictions at the growth of digital application of signatures that uses a reversed algorithm (that is to say the operation of signature is a type of reverse operation for the encryption), as the RSA. In this case, the application should sign a part of the message, no itself the message, otherwise, the message should be transmitted with the signature attached. If the message is not transmitted with the signature, NSA considers this process almost-encryption and it considers that the government owned controls should be applied.
5.2 Institutional and legislative initiatives for Digital Signatures
Already from 1979, begin to be developed international initiatives, from the United Nations, the European Union and other international organisms of standardization, for the “standardization” and the “safety of” electronic communications between organisms and companies. Such programs are known with the names EDI, UNCITRAL, EDIFACT, TEDIS etc. and they had as their characteristic that they were addressed in “closed” – relatively teams, that should adopt conventionally the proposed models in the from of each other communication. However, with the growth of internet and the infiltration of big masses in this, it became at an early date perceptible that, the conventional relations for the acceptance of technical systems of safety in the electronic communication was not enough, and that existed need for more general legislative regulation.
In the USA has been observed a crowd of legislative regulations and other forms of rules that are related with the use, production and safety of electronic signatures. Even if a big part of this legislation has passed in the competences of state, exists also a part of relative federal laws, bills and regulating standards that fix this particular type of technology. However the USA participate in a revision of their legislation so that they guarantee legally the electronic signature is important to be marked that as one degree it was entirely possible is maintained the force of electronic signatures based on the existing American commercial right. As an example Universal Commercial Code (UCC), that it initially had as aim to harmonize the legislation of government owned commercial transactions constituted an important mean via which would be developed the legislation on the electronic signatures. There was a clause in the law that dictated that certain presses of conventions should be “written” and “signed” by the interested parts. The definitions that the UCC gives in these terms, and the interpretation that has been given by the American case law it shows that these terms cover enough wide spectrum so as to they include under their significance type scripted signatures, photocopied, as well as via fax. Thus is logically given birth the question, how much electronic signatures could include itself in the above frame. Such a version is related with a decision that is published by the General Accountancy Office (GAO) in December 1991. To GAO was asked by National Institute of Standards and Technologies (NIST) how much they could be created conventional obligations using the use of electronic methods of data exchange according to the model EDI of which the electronic signatures are a type. Giving its approval so as to they are used the electronic signatures in valid contracts (GAO) pointed out two important factors. Firstly the higher level of operational effectiveness of hence also the efficiency that would result from the use of its technology in enterprising sector. The second point that was stressed was the technological guarantees that existed so as to be ensured the safety and the integrity of message. Such guarantees were various technological standards that were proposed by the NIST and were adopted later by the American Ministry of Trade. Concretely FIPS PUB 180-1 that was published in April 1995 contains Secure Hash Algorithm standard (SHA) the sha-1, that it is required to use all federal departments and offices for the production and confirmation of digital signatures. Based on these two reasons to the improvement of enterprising competitiveness and guarantee of secrecy and integrity of messages via the adoption of various technological models that guarantees this, GAO led to the conclusion that it is reason to be interpreted the law with such a way to allow the application of these technological developments, unless the law from alone excludes from the provisions proportional interpretations if political reasons of state of interest impose differently. Consequently contracting can create legally conventional obligations using electronic means of exchange the data adopting the models of NIST with regard to the safety and the privacy. Apart from the legal and technical models that we reported above exist also other federal and electronic signatures. The first law that regulated subjects with regard to electronic signatures was voted by the State of Utah of USA in 1995 and then, immediately afterwards, in 1996, corresponding law from the State of Florida. Government Paperwork Elimination Act. that was placed in force in October 1998 aims at the promotion of electronic transactions between the federal governments owned offices. It aims to achieves this objective compelling the government to render the various documents available in electronic form at least of 18 months from this date of force of law. The law also fixed that the electronic files that are submitted are maintained according to the processes that are determined in this might not be disputed as for their legal force independent if they are in electronic format. Moreover the law fixes that Office Management And Budget (OMB) will be supposed to see that in time interval no bigger than five years afterwards the date of force of law, the federal offices provide the possibility of observation and dissimulation as well as the use and acceptance of electronic signatures in those who they select their electronic transactions together. The law of internal reconstruction of income that is established in July 1998, requires from the Ministry of Finance to develop the processes and that regulations in order to be allowed the use of electronic signatures. Another law is Electronic Communication Privacy Act which prohibits the use the alteration and as generally speaking that malicious intervention in anything which is transported electronic via telecommunications networks. Thus of course this law offers some protection against the illegal use from somebody of third party of the electronic communications and the digital signatures.
Apart from these laws there are pending this moment tens bills with regard to relevant subjects in the Congress. Between them is the law of Digital Signature and Electronic Authentication (SEAL) which approves the use of electronic certification and authenticity from some economic institution for the operation of its activities, of course from concrete conditions.
Still the Electronic Financial Services Efficiency Act would recognize the validity of digital signatures and other forms of certification and authenticity in a lot of categories economic and commercial transactions. This law would allow the use of digital signatures from any institution in all kinds’ written communication with the federal government or any federal department the office or any federal court. In Europe, the first relative national laws on the legal recognition of electronic signatures were placed in force in 1997 in Italy and in the Federal Republic of Germany.
Today, all the developed world, has shaped a relative institutional frame, with which places conditions, under which it recognizes legally the Electronic Signatures.
5.3 Enactment of Electronic Signatures
Concretely in the USA, it is in effect from 30 June 2000, “Electronic Signature Law”, which, the chairman of America Bill Clinton, signed – characteristically with his electronic signature, using an intelligent card (“smart card”). This statute is constituted by 46 articles via which is attempted a analytic and explicit configuration of concrete institutional frame for the electronic signatures and for provider services of certification (the legal frame in which will move the obligations and their rights against their customers that use the services of certification that provide). The above law is intended to facilitate the use of electronic signatures in the inter-country or foreigner trade giving equal legal force in the electronic signed conventions, the files and in most commercial and consuming transactions. This law is placed in force for the above by 1 October, 2000.
“Electronic Signature Law” does not legislate the electronic signatures and the conventions that are signed with this way as automatically valid and binding, but it fixes that the signatures and the conventions with regard to the inter-country or foreigner transactions of trade cannot find itself invalid and unexcitable simply because they are with electronic form. In consequence, an electronic signature or a convention has the same effect with a traditional signature or a convention that is written with ink in paper, and the same rules of law and the elements of conventions is in effect. If a disagreement results with regard to the validity of contract the contracting part can require in order to it ratifies the signature, it checks the third authority, the CA in order to confirm the content of contract at the duration of its implementation process which can be difficult in the digital transactions rather that in the traditional operational transactions.
The main characteristics of law are the ratification of electronic signatures, conventions, and files. So expressly from the law that a signature, convention, or other file with regard to a transaction so much in inter-country or even in the foreigner trade cannot be disputed legally its force, or the possibility of imposition of sanctions that arises from this simply because they are in electronic form. In other words, an electronic signature, a convention, or a file can be used precisely as a traditional signature which is created with the use of ink in the paper of document, convention or file offering precisely the same degree of ratification in signing. The second main point that arises from the law is that of technological neutrality. No particular technology or methodology is required to be used in order to be created a valid electronic signature, in order to signs a file the one valid contract.
The European Union, with the No 93/99 Directive the (13-12-1999), called her states-member, harmonies their right with the beginnings that were determined in this till the 19th July 2001, and recognize thus – those who did not have it already makes the electronic signatures as “equivalent” with by one’s own hand, under of course from concrete conditions. Here we owe to stress, that, as in the subject of “protection of personal data”, the European Union, was yet again differentiated perceptibly by the United States of America, placing stricter specifications for the equivalent recognition of electronic signatures, to profit and protection of her citizens. Of course, because the globalization of market, the different technologies that were already applied, but also because the changeable technology, the European Directive tried to be, (and it accomplished it!), particularly neutral and general in her definitions, avoiding it adopts a concrete technology or it works out technically certain models. Instead of this, “it created” and “at the same time permitted” a “Committee”, that, in collaboration with the European Committee of Standardization CEN (Committee European de Normalization) and ETSI (European Telecommunication Standardization Institute) that they function for this aim under the guidance of EESSI (European Electronic Signature Standardization Initiative), will study, will determine technically and will enact, in future, the “more special specifications of” forecasts that are reported in the Directive. (Already have been worked out enough models by referring more special subjects of operation of electronic signatures from this two Organisms and which are found in the stage of their evaluation” by the “Committee” so that follow afterwards and their legislative “adoption”). But states that allocate already relative legislation are Japan, Canada, Australia, Singapore, Argentina, Malaysia, etc. Before examine the existing institutional frame that it conditions, the electronic signatures, it is essential to examine and analyze first, what is and how the electronic signatures are function. Firstly, we should see what the attributes that a signature should have are. A signature, electronic or handwritten, will be supposed, at least in satisfactory – if no absolute degree, produces the following results:
A. IDENTIFICATION SIGNING (that is to say “who signs” – “reading of” signature) B. AUTHENTICITY SIGNING (that is to say that ensures that “in point of fact of being this” – it cannot be placed by other)
C. DETERMINATION OF OBJECT OF SIGNATURE (that is to say “what covers the signature” – “is not degraded” his will of signing)
D. MAINTENANCE FOR NOT FUTURE RENUNCIATION (that is to say “engagement” of signing person- duration of above consequences).
These four conditions of identification, authenticity, the possibility of destination’s precise object that have been signed electronic, and the engagement signing so he or she cannot deny that the signature is his or her, are materialized with the methods asymmetric cryptography, which we analyzed in previous chapter. In this point appear Third Trusted Entities and offer as Providers of Services of Certification after concrete processes of verification, individual certificates of (limited usually force) on the cross-correlation of concrete person with a concrete public key. When therefore the holder of private key and the relative certificate of his public key, sign (activating his private key) and send a document in a third party, then apart from himself the document, reaches in the recipient (simultaneously) an encrypted “imprint” of the document (- electronic signature) and his testimonial sender. Thus, if third person decrypts (with the public key that is contained in the certificate) this “coded imprint”, the result should agrees precisely with the “imprint” (“algorithm of summary”) of the envoy document. Provided that, now, third person checks (in the published “list of recalled certificates” (CRL) the certificates of the provider) and that the certificate has not been recalled (e.g. because report of private key in third or its loss) and is in point of fact powerful, then third person can certainty be based (and with responsibility of editor of certificate) on that the document is inalterable and that it emanates from the sender that says the certificate! With corresponding way, e.g. coding (with our private key) a “application of access” in a removed system, this receives our certificate and, making proportional control, “identifies” and “authenticates” the applicant, therefore allows him proportionally or not the access. “Testimonial” that provider publishes of Services of Certification is not nothing other despite a standardized electronic file that contains somebody prototyped fields (as: Serial Number of Certificate, Date of Publication and Expiry, Elements of Editor, Elements of certify-Subject, the Public Key that is certified etc.) something that is to say as a “electronic identity” with information corresponding with those that has also our police identity (plus certain fields with regard to the algorithms that are used and other technical information). “Model” that has prevailed for such certificates of electronic signature is the “X.509” in deed the last publication of “Version 3”, which allocates enough “flexibility” and parameterization in the fields that it supports.
Operations – Services of a Provider of Services and Certification Provider of Services and Certification is imposed to offer to the certified-subscribers and to the third-users of the certificates a line from services that are grouped and are included under the following different “functional entities”:
Service of Registration (Registration Authority – RA), who has as mission receives applications and supporting documents from interested, checks and confirms their identity and the real possession of key that is certified, sends command and elements in the “Editor Testimonial” on the publication of relative certificate and files the supporting documents on the case juridical or extra judicial resolution of difference. Editor of Certificates (Certification Authority – CA), who publishes the certificates according to the technical specifications that is fixed in the “Regulation of Certification” and with the elements that have received from the Service of Registration, and informs for this publication the other entities, as always make at the renewal, pause or retraction of certificates.
In any case however, the T.S.A. should function (- if it has not been included under the form of other of T.S.A.) and as “Fundamental Editor Testimonial” (Root CA) creating an initial pair of keys with that signs its certificate and the certificates (or) ‘Editor Testimonial” (and perhaps and the “Services of Registration”) that will function under its monitoring for the benefit of services of certification to the public. With this way, each third person that entrusts particular “Third Trusted Entity” is enough only installs as reliable “Root CA-Certificate” in his computer, in order that each certificate that is published in the “chain (testimonial) confidence” that it probably begins from this testimonial [Root CA Editor of Certificates (and) Service of Registration certificates of subscribers becomes automatically acceptable from his computer. The existence of “this signed testimonial” Root CA, solves the problem: “and who certifies to me his testimonial “Editor of Certificates” that it signs your certificate” – question, that could – differently he is interminable! Having henceforth get `an idea’ for “how functions a PKI infrastructure and the “operations that made by the Provider of Services of Certification”, can see more specifically and the institutional frame that is in for the electronic signatures, after however we are first reported in the main points of directive of European Parliament and Council with regard to common frame for electronic signatures (98/C 325/04) (It was submitted by the Committee on 16 June 1998). Let’s see now briefly the main points of directive. In the second article it gives the legal definitions of electronic signature, which methods are recognized legally for the creation of electronic signatures, what considers recognized testimonial, and it fixes the significance of the provider of the digital certificates. In the third article which has title access in the market is left in the member state a flexibility with regard to in the processes of voluntary accreditation that aim in the achievement of improved level of benefit of services of certification. It is clarified however that the all conditions that are connected with their in question mechanisms should be objective, transparent, and proportional and lead to discriminations. In the fourth article it is reported that each member state applies the national provisions that established by the application of present directive for the providers of the services of certification installed in theirs territory, as well as for the services that these provide. And still that the member states cannot limit the benefit of services of certification that emanates from other member state in the field that is covered by the present directive. In the fifth article is ensured the legal consolidation of electronic signatures as equivalent with by one’s own hand and in the sixth article is described the obligations and the legal responsibility that it brings provider of testimonial against the users which entrust it for the publication of their digital certificates. In the seventh article is guaranteed legally the right of companies of benefit of services of certification that is in countries except European Union to be possible to provide under certain conditions services of certification in member states her, In the eighth article it is reported expressly the obligation of benefits of services of certification to ensure the personal data of their customers, from by any chance escapes and do not reveal these only that in cases where such something is essential for the juridical research. In the ninth and tenth article is reported the creation of advisory committee which the scientific opinion of on subjects of signatures and certification will take into consideration seriously the European Committee. Finally with the 13th article it is fixed as terminal date of conformity with the above directive 31 December 2000 according to which the member states will be supposed to harmonize their national legislation with the above directive and to announce in the European Union the total of legal provisions that has established so as to is realized their harmonization with the Community right.
Conclusion and Recommendations
With the possibility that have the electronic signatures of offering reliable solutions in the all the above applications, and to the extend they will be used rightly also with no doubts in the beginnings that condition it (real control of elements certified from the Services of Registration of T.S.A., protection of private key without its report in third, direct retraction when results relative reason etc), the electronic signatures offer the answer in most problems of safety in the Internet, giving thus prospect and safety in the development of electronic trade, that constitutes the future of developed economy.
The electronic signatures are today used:
a. For the valid – legally signature of electronic documents (It is required they are covered the conditions of article 3§1 of p. [d].)
b. For checked (personal) access in Telemetric Services (Removed recognition and authenticity of persons and computers in applications of electronic trade, internet banking, subscribing services
c. For encryption of data and documents (guarantee of secrecy)
d. For “signature” and other digital objects (software, electronic books, digital films) e. For reliable assurances third (e.g. Provider of Services of Certification for the use of Time Stamp in electronic documents, signature of certificates with certified attributes of subject (Attribute Authority of) but even his biometric elements, e.g. photograph, finger imprints, iris etc). At the same time, are found in development planning where in future:
i) They will allow the utilization of Electronic Signatures from each digital mean (mobile telephone, bi-directional television etc.)
ii) they will offer the possibility for selective projection of certified attributes of subject, at it will, in any his removed communication, maintaining thus where wishes itself – and it is not imposed by the circumstances opposite the anonymity (with the use of pseudonym).
With datum that with the existing today technology, the applications of commensurable cryptography (that is naturally uses and certain qualitative characteristics, for example size of keys over 512bits) are theoretically inviolable, in combination and with their legislative consolidation in world – almost level, are created evidences of transaction of (any nature and if they were this) that committed somebody using his electronic signature.
Thus, using graded Policies of Certificates and policies of signature in various applications, we have the possibility of creating the desirable level of ‘legal engagement’ of our “co-contractor”, from a simple level of internal clerical control of company (e.g. electronic signature of electronics of access/hour card of work by the employee and her use after the administration as probative means for simple constitution), until our connection with sure banking systems of transactions as well as the signature of big value of conventions from distance, with given the possibility of our juridical protection in the case of renunciation of signature from our co-contractor. Of course, each innovation and admission has also her report! Thus it should not is not reported the powerfully formulated reserve” enough thinkers for the big danger that it can hide the completion of ‘digitalization’ until our personal will!
Our likely absolute dependence from plastic (intelligent) card of – institution of our electronic signatures, in a season where only with the use of this card we might buy, we communicate, we execute all kinds transaction and we even acquire access, not only in removed networks, but in our car or in our house, and consequent – reasons-need for “her incorporation” in the body of subject (probably in the “hand or in the forehead”), creates unpleasant sentiments in the humanity and makes one big portion of persons feel uncomfortably with all these and they face it with religionist disposal.
Nevertheless the electronic signatures, offering a reliable solution in the need for safety in the Cyberspace, constitute, in point of fact, with the electronic trade, the future. Every country should immediately activate the existing institutional forecasts and, with right briefing and guidance of citizen, it promotes carefully every society in the Society of Information of 21st century.
Bejtlich, R (2006). Extrusion Detection: Security Monitoring for Internal Intrusions. Addison Wesley.
Baccala, B (2000). Internet Organization [online]. Connected: An Internet Encyclopedia 3rd ed. Available: http://www.freesoft.org/CIE/Topics/67.htm.
Cobion AG (2003). Internet Usage Study.Avalaible: http://www1.cobion.com/pdf/com/orangeboxweb/iuas_example_report_en.pdf.
C.P. Pfleeger & S. Pfleeger (2002). “Security in Computing 3rd ed.” (Prentice Hall International).
Data Encryption Standard Federal Information Processing Standards (1993). Publication 46-2. December.
Diffie, W. and Hellman, Μ. Ε (1976). “New directions in cryptography.” IEEE Transactions on Information Theory, 22, pp. 644-654.
Dreaming Tree Technology, Inc (2005). Top7 Steps to Internet Security. [online]. Available: http://www.dreamingtreetech.com/doc-seven-steps.asp.
ElGamal (1985). T. “A public key cryptosystem and a signature scheme Based on discrete logarithms.” IEEE Transactions on Information Theory, 31, pp. 469-472.
Fazekas, C.P (2004). 1984 is Still Fiction: Electronic Monitoring in the Workplace and U.S Privacy Law. Available from Duke Law and Technology Review. Available:
Gollmann, D (2004). Computer Security. John Wiley and Sons.
Greene T. C (2004). Computer Security: for Home and Small Office. Apress.
John Haggerty and Madjid Merabti (2006). Proc. First Conference on Advances in computer Security and Forensics, July. 13-14.
Keith J. Jones, Richard Bejtlich and Curtis W. Rose (2005). Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley.
M.E. Whitman & H.J. Mattord (2003). “Principles of Information Security” (Thomson Course Technology).
Mann I (2006). Risk Assessment Framework: Session 3. Available from ECSC e-commerce security consultants.
Nyman, N.J (2006). Risky Business: What Must Employers Do to Shield Against Liability for Employee Wrongdoings in the Internet Age?. Available: http://www.1ctjournal.washington.edu/Vol1/a007Nyman.html.
Panko, R.R (2004). Corporate Computer and Network Security. International Edition, Pearson Prentice Hall.
Processor (2006). Tech and Trends: Monitoring Employee Internet Usage, Vol 28, Issue 15, pp 29. Available:
Raymond R. Panko (2004). Corporate Computer and Network Security. Pearson Education International.
Rivest, R., Shamir, A. and Adleman, L (1978). “A method for obtaining Digital signatures and public key cryptosystems.” Communications Of the ACM, 21, pp. 120-126.
Speed, T. and Ellis, J (2003). Internet Security: A Jumpstart for Systems Administrators and IT Managers. Digital Press.
Stallings, William (2003).Network Security Essentials, 2nd Edition. Prentice Hall.
Simson Garfinkel with Gene Spafford (1997). Web Security & Commerce, First edition; June. OReilly & Associates, Inc.
Tanenbaum S. Andrew (2003). Computer Networks, 4th Edition. Pearson Education International.
Thomas, T (2004). Network Security First-Step. Cisco Press.
Figure 1 : Internet (Source: http://www.irchelp.org/irchelp/security/ics_files/icshub.jfif) 10
Figure 2 : Firewalls (Source:http://webhelp.esri.com/arcgisserver/9.2/dotNet/manager/graphics/firewall.PNG) 15
Figure 3 : Routers (Source: http://www.smallnetbuilder.com/images_old/myimages/howto/two_routers.jpg) 15
Figure 4 : Gateways (Source:http://www.2n.cz/images2/obrazek_click/528/thumbnail.jpg) 16
Figure 5 : Trojan horse (Source:http://www.securitysoftwarezone.com/modules/news/files/trojan-horse.gif) 19
Figure 6: Worns (Source:http://d-extreme.blogspot.com/2006_12_01_archive.html&h=200&w=200&sz=) 20
Figure 7 : Cryptography (Source:http://img.zdnet.com/techDirectory/ENCRYPT.GIF) 23
Figure 8 : S/MIME (Source:http://www.ibm.com/developerworks/lotus/library/securemessaging/speed1.jpg) 30
Figure 9 : SHTTP (Source:http://www.windowsnetworking.com/img/gifbasic/inetrout.gif) 31
Figure 10 : SSL (Source:http://www.securityfocus.com/unix/images/ssl_02.jpg) 34
Figure 11 : PKI (Source:http://www.va.gov/proj/vapki/PKIinstall/VA_PKI_Partner_External_Cert_Guide_R5_clip_image010.jpg) 42
Cite this Internet Security and Use
Internet Security and Use. (2016, Oct 24). Retrieved from https://graduateway.com/internet-security-and-use/