Internet Security Protocols

HTTP Protocol
- Hyper Text Transfer Protocol
- Used on the Internet
- Based on the request-response model

Static Web Page (Fig 6.1)

Example: Sample HTTP Interaction (Fig 6.2)

Dynamic Web Page
- Client sends an HTTP request
- Server executes a program
- Server sends back an HTTP response

Dynamic Web Page (Fig 6.3)

Active Web Page
- Client sends an HTTP request
- Server sends back an HTML page and a client-side program
- Examples: Applet, ActiveX Control

Active Web Page (Fig 6.4)

TCP/IP
- Transmission Control Protocol / Internet Protocol
- Convention for communication on the Internet
- Consists of five layers of software

TCP/IP Layers (Fig 6.5, Fig 6.6)

TCP/IP Concept
- All layers except the physical layer communicate with the adjacent layers on the same computer
- The physical layer is the only layer where actual transmission between two computers happens

TCP/IP Communication (Fig 6.7)

Data Exchange using TCP/IP Layers

Secure Sockets Layer (SSL)
- The world's most widely used security mechanism on the Internet
- Secures communication between a client and a server
- Located between the Application and Transport layers of the TCP/IP protocol suite
- Originally developed by Netscape
- SSL has two layers of protocols

SSL Architecture

Position of SSL in TCP/IP (Fig 6.9)

Data Exchange including SSL (Fig 6.10)

SSL Sub-Protocols
- Handshake Protocol
- Record Protocol
- Alert Protocol

SSL Handshake Message Format (Fig 6.11)

SSL Handshake Messages (Fig 6.12)

SSL Handshake Protocol
- Comprises a series of messages in phases:
- Establish Security Capabilities
- Server Authentication and Key Exchange
- Client Authentication and Key Exchange
- Finish

SSL Handshake Process (Fig 6.13)

SSL Handshake Phase 1 (Fig 6.14)

SSL Handshake Phase 2 (Fig 6.15)

SSL Handshake Phase 3 (Fig 6.16; figure labels: Web Browser, Web Server; Step 1: Certificate; Step 2: Client key exchange; Step 3: Certificate request)

SSL Handshake Phase 4 (Fig 6.17)

SSL Handshake: Finished

SSL Record Protocol
- Confidentiality: symmetric encryption with a shared secret key defined by the Handshake Protocol
- The message is compressed before encryption
- Message integrity: a MAC computed with a shared secret key

SSL Record Protocol: SSL Record Format

SSL Alert Protocol
- Conveys SSL-related alerts to the peer entity
- Severity: warning or fatal
- Specific alerts: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter, close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

SHTTP (Secure Hypertext Transfer Protocol)
- Not as popular as SSL
- Encrypts individual messages
- Almost obsolete

SHTTP and SSL Positions (Fig 6.24)

Time Stamping Protocol (TSP)
- Digital version of a notary service
- A secure time stamp is a trusted time authority
- The time stamp is denoted by a piece of authenticable, integrity-protected data
- Proves that a document existed at a specific date and time
- A Time Stamping Authority (TSA) is used and creates a relatively uniform time denotation; this time is the secure time

Time Stamping Protocol Step 1 (Fig 6.25)

Time Stamping Protocol Step 2 (Fig 6.26; figure labels: Client, TSA; Step 2: Time Stamping Request; Message Digest)

Time Stamping Protocol Step 3 (Fig 6.27)

Application of secure time stamping
With the rapid development of computer networks, tendering and bidding has gradually moved from manual procedures to the Internet. Online tendering connects the roles in the tendering process, such as suppliers, tendering agencies, bid evaluation experts and government supervisory bodies, through a dedicated e-commerce tendering platform; enterprises, agencies and individuals submit bid data over the network, bid evaluation and bid opening are done electronically, and the award result is published over the network.

In a tendering system, both the time and the digital signature are important for proving that a document is valid. A digital time stamp (DTS) is used to prove when electronic data was sent and received. The user encrypts the file that needs a time stamp to form a document, then sends its digest to the time stamp centre; the centre adds the time to the original, digitally signs it, encrypts it with its private key, and sends it back to the original user. The digital time stamp thus provides good evidence of the time at which a document was issued.

Secure Electronic Transaction (SET)
- An open encryption and security specification to protect Internet credit card transactions
- Developed in 1996 by Mastercard, Visa etc.
- Not a payment system; rather a set of security protocols and formats
- Secure communications amongst parties
- Trust from the use of X.509v3 certificates
- Privacy: information is restricted to those who need it

Secure Electronic Transaction (SET)
- The merchant does not get to know the cardholder's credit card details
- Requires software set up on the client as well as the server

SET Participants

SET Transaction Process
- Customer opens an account
- Customer receives a certificate
- Merchants have their own certificates
- Customer places an order
- Merchant is verified
- Order and payment are sent
- Merchant requests payment authorization
- Payment gateway authorizes payment
- Merchant confirms the order
- Merchant provides the goods or service
- Merchant requests payment

SET Dual Signature Concept
- The customer creates dual messages: order information (OI) for the merchant and payment information (PI) for the bank
- Neither party needs the details of the other, but each must know that they are linked
- A dual signature is used for this: the signed concatenated hashes of OI and PI

SET Dual Signature Concept
1. Purchase-related information (sent to the payment gateway)
   (a) PI (payment information), DS (the dual signature over PI and OI), OIMD (OI message digest)
   (b) All of the above are encrypted with K
   (c) A digital envelope is created by encrypting K with the payment gateway's public key
2. Order-related information (sent to the merchant): OI (order information), DS (the dual signature over PI and OI), PIMD (PI message digest)
3. Cardholder certificate (sent to the merchant and the payment gateway)

SET Dual Signature Concept (Fig 6.31)

SET Model

SSL versus SET

Electronic Money
- Digital version of money
- Takes the form of computer disk files
- Can be identified or anonymous, online or offline

Model of Electronic Money

Electronic Money Security Step 1 (Fig 6.43)

Electronic Money Security Step 2 (Fig 6.44)

Identified Electronic Money
- The bank can track the customer's spending
- Can lead to privacy concerns
- Very simple to implement

Identified Electronic Money (Fig 6.45)

Anonymous Electronic Money
- The bank cannot track the customer's spending
- Safe from privacy concerns
- Slightly complex to implement

Double Spending Problem
- A customer can spend the same piece of electronic money more than once
- Who is liable in such a fraud?
- The danger can be avoided in the case of online electronic money

Email Concept
- An email consists of two main parts: header and body
- Securing emails: PEM, PGP, S/MIME

Email Header and Body (Fig 6.48)

Simple Mail Transfer Protocol (SMTP)
- Protocol in the TCP/IP Application Layer
- Used for email communication between the email servers of the sender and the receiver
- Simple to understand

Email Transmission using SMTP (Fig 6.49)

Email Example (Fig 6.50)

S: 220 Simple Mail Transfer Service Ready
C: HELO
S: 250
C: MAIL FROM:
S: 250 OK
C: RCPT TO:
S: 250 OK
C: RCPT TO:
S: 250 OK
C: DATA
S: 354 Start mail input; end with
C: actual contents of the message
C:
C:
C:
S: 250 OK
C: QUIT
S: 221 Service closing transmission channel

PEM Security Features (Fig 6.51)

PEM Operations (Fig 6.52)
- Canonical conversion
- Digital signature
- Encryption
- Base-64 encoding

Base-64 Encoding Concept (Fig 6.56)
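The radix-64 (base-64) step that the PEM operations slide places last, as an added Python example that is not part of these slides: an encoder for the 3-octet-to-4-symbol mapping with '=' padding, and a strict decoder that rejects bad length, out-of-alphabet symbols and misplaced padding (function names are mine).

```python
# Added example (not from the slides): the radix-64 step that PEM applies last,
# so binary signature and ciphertext bytes survive 7-bit mail transport.
_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_REVERSE = {symbol: index for index, symbol in enumerate(_ALPHABET)}

def radix64_encode(data: bytes) -> bytes:
    """3 octets -> 4 six-bit symbols; a short final group gets '=' padding."""
    out = bytearray()
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        bits = int.from_bytes(group.ljust(3, b"\0"), "big")  # pad to 24 bits
        symbols = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        keep = len(group) + 1  # 1 octet -> 2 symbols, 2 -> 3, 3 -> 4
        out += bytes(_ALPHABET[s] for s in symbols[:keep]) + b"=" * (4 - keep)
    return bytes(out)

def radix64_decode(text: bytes) -> bytes:
    """Inverse of radix64_encode; rejects bad length, alphabet or padding."""
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = len(group) - len(group.rstrip(b"="))
        # '=' may only appear as 1 or 2 trailing symbols of the final group
        if pad and (pad > 2 or i + 4 != len(text)):
            raise ValueError("misplaced padding")
        bits = 0
        for symbol in group[:4 - pad]:
            if symbol not in _REVERSE:
                raise ValueError("symbol outside the radix-64 alphabet")
            bits = (bits << 6) | _REVERSE[symbol]
        bits <<= 6 * pad  # restore the 24-bit frame before slicing octets
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)
```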
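The SET dual signature from the SET Dual Signature Concept slides above, as an added Python example that is not from these slides: the cardholder signs H(H(PI) || H(OI)), and the merchant (holding OI and PIMD) and the payment gateway (holding PI and OIMD) each verify the link without seeing the other party's data. Textbook RSA with a toy 512-bit key and no padding stands in for the cardholder's certificate key, and the PI and OI strings in the checks are constructed.

```python
# Added example (not from the slides): SET dual signature DS = Sign(H(H(PI) || H(OI)))
# with a toy textbook-RSA signer standing in for the cardholder's certificate key.
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:  # force the top bit (size) and the low bit (odd)
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def toy_keypair(bits: int = 512, e: int = 65537):  # -> ((e, n), (d, n))
    while True:  # toy size and no padding: illustration only
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)
def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def dual_sign(priv, pi: bytes, oi: bytes):
    """Customer: PIMD = H(PI), OIMD = H(OI), DS = Sign(H(PIMD || OIMD))."""
    pimd, oimd = sha256(pi), sha256(oi)
    pomd = int.from_bytes(sha256(pimd + oimd), "big")  # 256 bits, so < n
    return pow(pomd, *priv), pimd, oimd
def _verify(pub, pimd: bytes, oimd: bytes, ds: int) -> bool:
    return pow(ds, *pub) == int.from_bytes(sha256(pimd + oimd), "big")
def merchant_verifies(pub, oi: bytes, pimd: bytes, ds: int) -> bool:
    return _verify(pub, pimd, sha256(oi), ds)  # holds OI and PIMD, never PI
def gateway_verifies(pub, pi: bytes, oimd: bytes, ds: int) -> bool:
    return _verify(pub, sha256(pi), oimd, ds)  # holds PI and OIMD, never OI
```

A modified OI at the merchant, or a PI presented with the digest of a different order at the gateway, fails verification even though neither party can see the other's data.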
Pretty Good Privacy (PGP)
- Widely used de facto secure email standard
- Developed by Phil Zimmermann
- Selected the best available crypto algorithms to use
- Integrated into a single program
- Available on Unix, PC, Macintosh and Amiga systems
- Free; commercial versions are now available also

PGP Security Features (Fig 6.59)

PGP Operations
- Digital signature
- Compression
- Encryption
- Digital enveloping
- Base-64 encoding

PGP Operations: Lempel-Ziv Algorithm (ZIP) (Fig 6.61)

Multipurpose Internet Mail Extensions (MIME)
- Traditional email communication is text-only
- Modern email communication demands multimedia (sound, video, pictures, etc.)
- Enhancements are provided in the form of MIME

MIME Extensions to Email (Fig 6.63)

From: Atul Kahate
To: Amit Joshi
Subject: Cover image for the book
MIME-Version: 1.0
Content-Type: image/gif

S/MIME Content Types

S/MIME Functionalities (Fig 6.65)
- Enveloped data: encrypted content and associated keys
- Signed data: encoded message + signed digest
- Clear-signed data: cleartext message + encoded signed digest
- Signed and enveloped data: nesting of signed and encrypted entities

Wireless Security
- Wireless communication protocols are becoming popular
- Concerns regarding wireless security are being raised
- How to secure the Wireless Application Protocol (WAP)?

Mobile Phone and Internet (Fig 6.68)

WAP Security
- Wireless Transport Layer Security (WTLS)
- Similar to SSL in concept
- Conversions between WTLS and SSL lead to security concerns

WAP Stack (Fig 6.69)

WTLS Security (Fig 6.69)