Internet Security Protocols.ppt

Internet Security Protocols

HTTP Protocol
  • Hyper Text Transfer Protocol
  • Used on the Internet
  • Based on Request-Response Model

Static Web Page
  (Fig 6.1)

Example

Sample HTTP Interaction
  (Fig 6.2)

Dynamic Web Page
  • Client sends HTTP Request
  • Server executes a program
  • Server sends back an HTTP Response
  (Fig 6.3)

Active Web Page
  • Client sends HTTP Request
  • Server sends back HTML Page and a Client-side Program
  • Examples: Applet, ActiveX Control
  (Fig 6.4)

TCP/IP
  • Transmission Control Protocol/Internet Protocol
  • Convention for communication on the Internet
  • Consists of five layers of software

TCP/IP Layers
  (Fig 6.5)
  (Fig 6.6)

TCP/IP Concept
  • All layers except the physical layer communicate with adjacent layers on the same computer
  • The physical layer is the only layer where actual transmission between two computers happens

TCP/IP Communication
  (Fig 6.7)

Data Exchange using TCP/IP Layers

Secure Socket Layer (SSL)
  • World's most widely used security mechanism on the Internet
  • Secures communication between a client and a server
  • Located between the Application and Transport Layers of the TCP/IP protocol suite
  • Originally developed by Netscape
  • SSL has two layers of protocols

SSL Architecture

Position of SSL in TCP/IP
  (Fig 6.9)

Data Exchange including SSL
  (Fig 6.10)

SSL Sub-Protocols
  • Handshake Protocol
  • Record Protocol
  • Alert Protocol

SSL Handshake Message Format
  (Fig 6.11)

SSL Handshake Messages
  (Fig 6.12)

SSL Handshake Protocol
  Comprises a series of messages in phases:
  • Establish Security Capabilities
  • Server Authentication and Key Exchange
  • Client Authentication and Key Exchange
  • Finish

SSL Handshake Process
  (Fig 6.13)

SSL Handshake Phase 1
  (Fig 6.14)

SSL Handshake Phase 2
  (Fig 6.15)

SSL Handshake Phase 3
  (Fig 6.16: Web Browser, Web Server; Step 1: Certificate; Step 2: Client key exchange; Step 3: Certificate request)

SSL Handshake Phase 4
  (Fig 6.17)

SSL Handshake
  • Finished

SSL Record Protocol
  • Confidentiality
      - using symmetric encryption with a shared secret key defined by the Handshake Protocol
      - message is compressed before encryption
  • Message integrity
      - using a MAC with a shared secret key

SSL Record Format

SSL Alert Protocol
  • Conveys SSL-related alerts to the peer entity
  • Severity: warning or fatal
  • Specific alerts:
      - unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
      - close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

SHTTP (Secure Hypertext Transfer Protocol)
  • Not as popular as SSL
  • Encrypts individual messages
  • Almost obsolete

SHTTP and SSL Positions
  (Fig 6.24)

Time Stamping Protocol (TSP)
  • Digital version of a notary service
  • A secure time stamp (TS) is a trusted time authority
  • A TS is represented by a piece of authenticatable, complete data
  • Proves that a document existed at a specific date and time
  • A Time Stamping Authority (TSA) uses the time stamping protocol to produce a relatively uniform time representation; this time is the secure time

Time Stamping Protocol Step 1
  (Fig 6.25)

Time Stamping Protocol Step 2
  (Fig 6.26: Client, TSA; Step 2: Time Stamping Request, Message Digest)

Time Stamping Protocol Step 3
  (Fig 6.27)

Application of security time stamping
  With the rapid development of computer networks, tendering and bidding have gradually moved from manual handling to the Internet. Online tendering and bidding is a procurement method in which a dedicated e-commerce platform connects the roles in the process (suppliers, tendering agencies, bid evaluation experts, government supervisory bodies and so on); enterprises, government bodies and individuals transmit bid data over the network, bid evaluation and bid opening are carried out electronically, and the winning bid is published over the network.

  In a tendering and bidding system, the time and the digital signature are both important evidence of a document's validity. A digital time stamp (DTS) is used to prove when electronic data was sent and received. The user encrypts the file that needs a time stamp to form a document, then sends the digest to the time stamping center; the center adds the time to the original, digitally signs it (encrypting with its private key) and sends it back to the user. A digital time stamp therefore provides good evidence of when a document was published.

Secure Electronic Transaction (SET)
  • Open encryption & security specification
  • Protects Internet credit card transactions
  • Developed in 1996 by Mastercard, Visa etc.
  • Not a payment system
  • Rather a set of security protocols & formats
      - secure communications amongst parties
      - trust from use of X.509v3 certificates
      - privacy by restricting information to those who need it
  • Merchant does not get to know the credit card details of the cardholder
  • Requires software set up on the client as well as the server

SET Participants

SET Transaction Process
  • customer opens account
  • customer receives a certificate
  • merchants have their own certificates
  • customer places an order
  • merchant is verified
  • order and payment are sent
  • merchant requests payment authorization
  • payment gateway authorizes payment
  • merchant confirms order
  • merchant provides goods or service
  • merchant requests payment

SET Dual Signature Concept
  • Customer creates dual messages
      - order information (OI) for the merchant
      - payment information (PI) for the bank
  • Neither party needs details of the other
  • But both must know they are linked
  • Use a dual signature for this
      - signed concatenated hashes of OI & PI

  1. Purchase-related information (sent to the payment gateway)
     (a) PI (payment information), DS(PI+OI) (digital signature computed over PI and OI), OIMD (OI message digest)
     (b) All of the above are encrypted with K
     (c) A digital envelope is created by encrypting K with the payment gateway's public key
  2. Order-related information (sent to the merchant)
     OI (order information), DS(PI+OI) (digital signature computed over PI and OI), PIMD (PI message digest)
  3. Cardholder certificate (sent to the merchant and the payment gateway)
  (Fig 6.31)

SET Model

SSL versus SET

Electronic Money
  • Digital version of money
  • Takes the form of computer disk files
  • Can be identified/anonymous, online/offline

Model of Electronic Money

Electronic Money Security Step 1
  (Fig 6.43)

Electronic Money Security Step 2
  (Fig 6.44)

Identified Electronic Money
  • Bank can track the customer's spending
  • Can lead to privacy concerns
  • Very simple to implement
  (Fig 6.45)

Anonymous Electronic Money
  • Bank cannot track the customer's spending
  • Safe from privacy concerns
  • Slightly complex to implement

Double Spending Problem
  • Customer can spend the same piece of electronic money more than once
  • Who is liable in such a fraud?
  • The danger can be avoided in the case of online electronic money

Email concept
  • Consists of two main parts
      - Header
      - Body
  • Securing emails
      - PEM
      - PGP
      - S/MIME

Email Header and Body
  (Fig 6.48)

Simple Mail Transport Protocol (SMTP)
  • Protocol in the TCP/IP Application Layer
  • Used for email communication between the email servers of the sender and the receiver
  • Simple to understand

Email Transmission using SMTP
  (Fig 6.49)

Email Example
  (Fig 6.50)
  S: 220 hotmail.com Simple Mail Transfer Service Ready
  C: HELO yahoo.com
  S: 250 hotmail.com
  C: MAIL FROM:
  S: 250 OK
  C: RCPT TO:
  S: 250 OK
  C: RCPT TO:
  S: 250 OK
  C: DATA
  S: 354 Start mail input; end with
  C: actual contents of the message
  C:
  C:
  C:
  S: 250 OK
  C: QUIT
  S: 221 hotmail.com Service closing transmission channel

PEM (Privacy Enhanced Mail) Security Features
  (Fig 6.51)

PEM Operations
  (Fig 6.52)
  • Canonical conversion
  • Digital signature
  • Encryption
  • Base-64 encoding

Base-64 Encoding Concept
  (Fig 6.56)

Pretty Good Privacy (PGP)
  • Widely used de facto secure email
  • Developed by Phil Zimmermann
  • Selected best available crypto algorithms to use
  • Integrated into a single program
  • Available on Unix, PC, Macintosh and Amiga systems
  • Free; commercial versions are now also available
  • http://www.pgp.com/downloads/index.html

PGP Security Features
  (Fig 6.59)

PGP Operations
  • Digital signature
  • Compression
  • Encryption
  • Digital enveloping
  • Base-64 encoding

Lempel-Ziv Algorithm (Zip)
  (Fig 6.61)

Multipurpose Internet Mail Extensions (MIME)
  • Traditional email communication is text-only
  • Modern email communication demands multimedia (sound, video, pictures, etc.)
  • Enhancements are provided in the form of MIME

MIME Extensions to Email
  (Fig 6.63)
  From: Atul Kahate
  To: Amit Joshi
  Subject: Cover image for the book
  MIME-Version: 1.0
  Content-Type: image/gif

S/MIME Content Types

S/MIME Functionalities
  (Fig 6.65)
  • Enveloped data: encrypted content and associated keys
  • Signed data: encoded message + signed digest
  • Clear-signed data: cleartext message + encoded signed digest
  • Signed & enveloped data: nesting of signed & encrypted entities

Wireless Security
  • Wireless communication protocols are becoming popular
  • Concerns regarding wireless security are being raised
  • How to secure the Wireless Application Protocol (WAP)?

Mobile Phone and Internet
  (Fig 6.68)

WAP Security
  • Wireless Transport Layer Security (WTLS)
  • Similar to SSL in concept
  • Conversions between WTLS and SSL lead to security concerns

WAP Stack
  (Fig 6.69)

WTLS Security
  (Fig 6.69)
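
The SET dual signature described in the slides above, worked through as an added example (not part of the original deck): the cardholder signs the hash of the concatenated hashes of PI and OI, the merchant checks it with OI and PIMD only, and the payment gateway checks it with PI and OIMD only. SHA-256, the toy RSA key and all function names and sample values are assumptions made for this illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example,
# NOT secure). It stands in for the key pair bound to the cardholder's
# X.509 certificate.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def md(data: bytes) -> bytes:
    """Message digest; SHA-256 is an assumption, the slides name no hash."""
    return hashlib.sha256(data).digest()

def _as_int(digest: bytes) -> int:
    # Reduce the digest into the range of the toy modulus.
    return int.from_bytes(digest, "big") % N

def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: sign the hash of the concatenated hashes of PI and OI."""
    return pow(_as_int(md(md(pi) + md(oi))), D, N)

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and PIMD only; PI itself is never disclosed to it."""
    return pow(ds, E, N) == _as_int(md(pimd + md(oi)))

def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI and OIMD only; OI is never disclosed to it."""
    return pow(ds, E, N) == _as_int(md(md(pi) + oimd))

# Constructed sample data (not from the slides).
PI = b"card=0000-0000-0000-0000;amount=42.00"
OI = b"order=1001;item=book;amount=42.00"
DS = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, md(PI), DS))
    print("gateway accepts: ", gateway_verify(PI, md(OI), DS))
    # Pairing the signed payment with a different order breaks the link.
    other_oi = b"order=1001;item=book x10;amount=42.00"
    print("gateway, other OIMD:", gateway_verify(PI, md(other_oi), DS))
```

Because each verifier recomputes the combined digest from one plaintext half and one digest, a changed OI or PI fails verification at both parties without either seeing the other's data.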
