How digital certificates work

Abstracts of Recent Articles and Literature

Online security is Swiss cheese, a survey finds, Michael Tarsala. Dan Farmer, the author of SATAN, has been finding holes in Web site security systems. He claims that many highly visible commercial Web sites can be easily broken into by hackers. Over the last couple of months, Farmer has been carrying out a non-scientific survey of the security measures on high profile commercial Web sites. He tested - without breaking into - about 2200 computer systems on the Internet using SATAN. Of the sites tested, 70-80% had what Farmer considered to be “serious security flaws”. About one third of the sites had no security at all. Of the 660 banks in the survey, 68% had sites considered to be highly vulnerable. However, Farmer said that there were many sites that had done a good job of security. He believes that securing Web sites effectively is very difficult for large organizations. Investor’s Business Daily, January 20, 1997.

Cryptography: a key to growth - and crime, Nicholas Bray. Once associated with spies and wartime code breakers, cryptography has been transformed through advanced encryption techniques that allow electronic messages to be transmitted in virtually unbreakable code. These techniques could turn the Internet into a secure place to do business, but they could also make it a place where terrorists and drug smugglers could collaborate and launder money without interference from law-enforcement agencies. The OECD must choose, crudely speaking, between curbing criminals and expanding the global economy by speeding the Internet’s development into an electronic marketplace. A draft text of the guidelines, which officials approved during an OECD meeting in December, leaves business representatives far from happy. The draft guidelines give governments, rather than businesses, the lead in determining how cryptography technology develops. Cryptography could add to the Internet’s momentum by allowing companies and individuals to negotiate contracts and conduct financial transactions over the Internet, free from fears of fraud or interception. The downside is that free availability of unbreakable cryptography would also give thieves and tax-evaders free run of the Internet, letting them send messages that even powerful government computers could not decipher. Wall Street Journal Europe, January 27, 1997.

How digital certificates work. Digital certificates may soon become the most reliable option for authenticating users on a network. Traditionally, authentication of a user on a network has been achieved by issuing a user ID that was some variant of the user’s name and a password chosen by the user. However, passwords are not airtight security measures. Passwords are made even less secure now that people dial in over phone lines and the Internet. A hacker could easily crack an eight-digit password and gain access to sensitive information. Advanced security technology such as token cards has been proposed to boost security for authenticating remote users; however, token cards can be stolen. Digital certificates could be the best solution. They provide cheap, easy and secure authentication. Certificates are a combination of public-key and private-key cryptography. Users apply to a certificate authority (CA) to obtain a digital certificate. The amount of information the CA requires depends on the type of certificate to be issued. To use the keys, the user must enter a password or a personal ID number - an obvious security weakness. There is talk of using token cards for this purpose and eventually even fingerprint readers. In a VeriSign transaction, for example, suppose a World Wide Web browser wanted to enter a page on a Web server that was secured and required a certificate. The server sends its certificate to the client. Specifically, it sends the client its VeriSign public key, encrypted and signed with the private key it was assigned by VeriSign. The browser already has a VeriSign private key embedded. It uses its public key to decrypt the message. The browser knows that the server is authenticated by VeriSign because the encryption was done using a VeriSign private key. The server then asks for the client’s certificate. The process then occurs in reverse and the keys have been exchanged. The client and server can exchange session keys which can encrypt all data transfers from then on.
LAN Times, January 6, 1997, p. 39.

Cyberclash over cybercash, Lisa Picarille. Electronic commerce on the Internet may be a reality, but users still don’t have a high level of trust and security in online transactions. CertCo has unveiled a plan to create an infrastructure that will let banks conduct secure online transactions that are fully insured and can be audited. The company also plans to release
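The certificate exchange summarised in the "How digital certificates work" abstract above, sketched as an added example that is not taken from the abstracted article: a CA signs each party's name and public key, each side verifies the other's certificate with the CA public key it already holds, and a session key is then wrapped under the server's certified key. It assumes toy textbook RSA from the Python standard library; the CA name, host name, user name and keys are constructed for the demonstration.

```python
import hashlib, json, secrets

# Toy textbook RSA (fixed Mersenne primes, no padding): for illustration only.
def make_keypair(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(obj, n):
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(obj, priv):
    return pow(digest(obj, priv["n"]), priv["d"], priv["n"])

def check_sig(obj, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(obj, pub["n"])

def issue_cert(subject, subject_pub, issuer, ca_priv):
    # The CA binds a name to a public key by signing both with its private key.
    fields = {"subject": subject, "issuer": issuer, "pub": subject_pub}
    return {"fields": fields, "sig": sign(fields, ca_priv)}

def verify_cert(cert, trusted_roots):
    # The verifier needs only the CA's public key, shipped with the software.
    ca_pub = trusted_roots.get(cert["fields"]["issuer"])
    return ca_pub is not None and check_sig(cert["fields"], cert["sig"], ca_pub)

def handshake(server_cert, server_priv, client_cert, client_priv, roots):
    # Browser checks the server's certificate, then the server checks the client's.
    if not (verify_cert(server_cert, roots) and verify_cert(client_cert, roots)):
        return None
    # A certificate is public, so the client also signs a fresh nonce to show
    # that it holds the private key matching its certificate.
    nonce = secrets.token_hex(16)
    if not check_sig(nonce, sign(nonce, client_priv), client_cert["fields"]["pub"]):
        return None
    # The client wraps a session key under the server's certified public key;
    # only the holder of the server's private key can unwrap it.
    spub = server_cert["fields"]["pub"]
    session_key = secrets.randbits(128)
    wrapped = pow(session_key, spub["e"], spub["n"])
    return session_key, pow(wrapped, server_priv["d"], server_priv["n"])

# Constructed demo keys and names (hypothetical CA "Example Root CA").
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
CLI_PUB, CLI_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
ROOTS = {"Example Root CA": CA_PUB}
SRV_CERT = issue_cert("www.example.test", SRV_PUB, "Example Root CA", CA_PRIV)
CLI_CERT = issue_cert("alice", CLI_PUB, "Example Root CA", CA_PRIV)
```

A certificate whose fields were altered after signing, or whose issuer is not among the trusted roots, fails `verify_cert`, and `handshake` then returns `None` without producing a session key.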