it-e-57 Internet Security
In recent years, Internet changes our life a lot. We use e-mail and Internet phone to talk with
our friends, we get up-to-date information through web and we do shopping in the cyber-market.
Internet has many advantages over traditional communication channels, e.g. it's cost effective, it
delivers information fast and it is not restricted by time and place. [1]The more people use Internet,
the more concerns about Internet security.
In person-to-person community, security is based on physical cues. To name but a few, we
use our signature to authenticate ourselves; we seal letters to prevent others inspection and
modification; we receive receipt with the shop's chop to make sure we paid; we get information
from a reliable source. But in the Internet society, no such physical cue is available. There are
two areas that we concern about in Internet communication. The first one is secrecyhow do we
ensure no one reads the data during its transmission? The second one is authenticationhow do
we be sure that the identity of someone claiming "who it is". Imagine one day you receive an
e-mail, which the e-mail sender is "Bill Gates". How do you confirm the e-mail is actually sent
by Bill Gates?
Encryption is the way to solve the data security problem. In real life, if Tom wants to talk with
Mary secretly, he can choose a room with nobody there and talk with Mary quietly, or he can talk
with Mary using codes understandable by Tom and Mary only. We take the second approach
encryptionto transmit data through Internet. There are two kinds of encryption techniques
symmetric key encryption and asymmetric key encryption.
For symmetric key encryption, both parties should have a consensus about a secret encryption key.
When A wants to send a message to B, A uses the secret key to encrypt the message. After receiving the
encrypted message ,B uses the same (or derived)secret key to encrypt the message.The advantage of
using symmetric key encryption lies in its fast encryption and decryption processes(when compared
with asymmetric key encryption at the same security level). The disadvantages are , first, the encryption
key must be exchanged between two parties in a secure way before sending secret messages. Secondly,
we must use different keys with different parties. For example, if A communicates with B, C, D and E,
A should use 4 different keys. Otherwise, B will know what A and C as well as A and D has been
talking about. The drawbacks of symmetric key encryption make it unsuitable to be used in the Internet,
because it's difficult to find a secure way to exchange the encryption key.
For asymmetric key encryption, there is a pair of keys for each party: a public key and a
private key. The public key is freely available to the public, but only the key owner gets hold of
the private key. Messages encrypted by a public key can only be decrypted by its corresponding
private key, and vice versa. When A sends message to B, A first gets B's public key to encrypt
the message and sends it to A. After receiving the message, B uses his private key to decrypt the
message. The advantage comes in the public key freely available to the public, hence free from
any key exchange problem. The disadvantage is the slow encryption and decryption process.
[2]Almost all encryption schemes used in the Internet uses asymmetric key encryption for
exchanging the symmetric encryption key, and symmetric encryption for better performance.
Asymmetric key cryptography seems to attain secrecy in data transmission, but the authentication
problem still exists. Consider the following scenario: when A sends a message to B, A gets B's
public key from the Internetbut how can A know the public key obtained actually belongs to B?
Digital certificate emerges to solve this problem.
Digital certificate is an identity card counterpart in the computer society. When a person
wants to get a digital certificate, he generates his own key pair, gives the public key as well as
some proof of his identification to the Certificate Authority (CA). CA will check the person's
identification to assure the identity of the applicant.[3] If the applicant is really the one "who
claims to be", CA will issue a digital certificate, with the applicant's name, e-mail address and the
applicant's public key, which is also signed digitally with the CA's private key. When A wants to
send B a message, instead of getting B's public key, A now has to get B's digital certificate. A
first checks the certificate authority's signature with the CA's public key to make sure it's a
trustworthy certificate. Then A obtain B's public key from the certificate, and uses it to encrypt
message and sends to B.
Authentication is an important part everyday life. The lack of strong authentication has
inhibited the development of electronic commerce. It is still necessary for contracts, legal
documents and official letters to be produced on paper. Strong authentication is then, a key
requirement if the Internet is to be used for electronic commerce. Strong authentication is
generally based on modern equivalents of the one time pad. For example tokens are used in place
of one-time pads and are stored on smart cards or disks.
[4] Many people pay great amounts of lip service to security, but do not want to be bothered
with it when it gets in their way. It's important to build systems and networks in such a way that
the user is not constantly reminded of the security system around him. Users who find security
policies and systems too restrictive will find ways around them. Security is everybody's business,
and only with everyone's cooperation, an intelligent policy, and consistent practices, will it be
achievable.
1, cue [kju:]
n. 提示,暗示;线索
vt. 给…暗示
2, chop [tʃɔp]
n. 厚肉片,排骨
v. 剁碎,砍,切
3, secrecy ['si:krəsi]
n. 保密;秘密;隐蔽
4, symmetric [si'metrik]
a. 对称的
5, asymmetric [,eisi'metrik]
a. 不对称的
6, consensus [kən'sensəs]
n. 一致,合意,交感
7, cryptography [krip'tɔɡrəfi]
n. 密码学;密码使用法