
c08c845b1e870ff6f81a164c65f3a793.ppt
- Number of slides: 27
i.Securitas, Inc.
secure authenticated data exchange
Internet Security
UTD EMBA, March 30, 2001
i.Securitas, Inc. Confidential 1

Who were the first “hackers”?
• MIT's Tech Model Railroad Club
• PDP-1
• 1961

You know your co-worker is a hacker when...
• Everyone who ticks him or her off gets a $26,000 phone bill
• Has won the Publisher's Clearing House Sweepstakes three years running
• Massive 401k contribution made in half-cent increments
• You hear them murmur, "Let's see you use that VISA card now, Professor "I-Don't-Give-A's-To Any MBA Candidate!"

How Secure is e-Business?
• Security attacks cost U.S. corporations $266 million last year. That's more than double the average annual losses over the past three years.
• Cyber-crimes being investigated by the FBI have more than doubled in the past year.
• In 1999, the number soared to over 8,300 according to reports filed with the Computer Emergency Response Team, or CERT, at Carnegie Mellon University in Pittsburgh.
• 90 percent of survey respondents (primarily large corporations and government agencies) detected some form of security breach last year.
• 70 percent of respondents reported a serious security breach in the past year (i.e. financial fraud, denial of service attacks and data theft).
According to a report recently released by the Computer Security Institute and the FBI Computer Intrusion Squad.

Categories of Internet Security
• Website Security
• Email Security
• Authentication

All Systems are Breakable!

Website Security
• Prevent Unauthorized Access to Website
  – Manipulation of Website Information
  – Protection of Proprietary Data
    • Credit Card Numbers
    • Confidential Customer Data
    • Financial Information

Website Security can be achieved by:
• Firewalls
• Software & System Architecture
• Security Procedures

In God We Trust... All Others We Monitor

Email Security Case Studies:
• International Satellite Company
• International Restaurant Company
• Your Company?

Email Security can be achieved with:
• Encryption Software
  – PGP, RSA, etc.
• ASP Based Secure Messaging

Authentication

E-Sign Law: New Law for E-Signatures
• Electronic Signatures in Global and National Commerce Act
• Effective October 1, 2000
• Nationwide Legality of Digital Signatures
• Agnostic about Implementation of e-Signatures
• Electronic Notarizations
• Opportunity to marry e-commerce with official, regulated way for confirming identity
• Reduces Fraud possible with Paper Based Notaries

Authentication Problem – Identity Theft
• Fastest Growing Financial Crime
  » Industry Standard, August 21, 2000
• Theft of:
  • Social Security Numbers
  • Drivers License Numbers
  • Mothers’ Maiden Names
• $1 Billion Problem?

Authentication Problem – Identity Theft
Abraham Abdallah, “a pudgy, convicted swindler and high school dropout”, NY Post, March 20, 2001
Nyquist vs. E*Trade [Buckman, "Heavy Losses: The Rise and Collapse of a Day Trader," Wall Street Journal, Feb. 28, 2000]

Authentication Solutions (?)
• Credit Card Transactions
• Digital Certificates
• Authentication Services

i.Securitas & MBE

Example 1: A CA Needs to Issue a Legally Binding Certificate
1) User requests certificate from CA’s web site.
2) CA web site submits request to IS.
3) IS sends e-mail to signer.
4) Signer visits notary.
5) Notary IDs signer, fetches documents from IS, witnesses signing act.
6) Notary D-signs documents and statements, then forwards to IS.
7) IS applies 3rd party timestamp.
8) IS notifies CA.
9) CA fetches signed document(s) from IS.
10) CA releases certificate and notifies user.

Example 2: A Corporate Banker Needs a Notarized Signature
1) Banker submits a signature request to his company’s mainframe.
2) Mainframe submits request to IS.
3) IS sends e-mail to signer.
4) Signer visits notary.
5) Notary IDs signer, and fetches documents from IS.
6) Notary D-signs documents and statements, then forwards to IS.
7) IS applies 3rd party timestamp.
8) IS notifies banker.
9) Banker fetches signed document(s) from IS.

Example 3: A Distributor Needs a Digital Signature on a PO
1) User requests PO on distributor’s web site.
2) Web site submits request to IS.
3) IS sends e-mail to signer.
4) User fetches PO.
5) User fills out and D-signs PO with notarized certificate, sends signed PO to IS.
6) IS applies 3rd party timestamp.
7) IS notifies Distributor.
8) Distributor fetches signed PO from IS.
9) Signed PO sent to account rep, billing, shipping, etc.

Encrypting with X.509
Bank wants to send Lawyer a secret message, but must do so on the public internet.
Lawyer gives Bank their certificate. Bank verifies the certificate with the CA.
Bank uses the public key from Lawyer’s certificate and a secret message to Lawyer as input to an encryption engine, to produce what looks like gibberish.
But Lawyer uses the gibberish and their private key as input to a decryption engine to find out what Bank had to say.

Signing with X.509
Lawyer wants proof that Bank wrote the message.
Bank uses their gibberish as input to a hash engine to produce a hash, and uses this hash and their private key as input to an encryption engine to produce a signature (the encrypted hash), and adds the encrypted hash to their gibberish.
Lawyer uses the gibberish (not the hash) as input to a hash engine to produce a hash. Then Lawyer takes Bank’s encrypted hash and Bank’s public key as input to a decryption engine to produce a hash.
If both hashes match, then Lawyer knows that Bank signed the message.

X.509 Receipt
Bank wants proof that Lawyer saw the message on the Internet; Lawyer must prove it.
Lawyer uses Bank’s message as input to a hash engine to produce a hash, and uses this hash and their private key as input to an encryption engine to produce an encrypted hash (signature).
Bank uses the signature and Lawyer’s public key as input to a decryption engine to produce a hash.
Bank uses his original message as input to a hash engine to produce a hash. If the hashes match, we have a valid signature.

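The three X.509 slides above (encrypting, signing, receipt) carried through as one runnable Go program. This is an added example, not code from the presentation or from i.Securitas: Go's standard crypto/rsa stands in for the slides' encryption, decryption and hash engines (RSA-OAEP for the message, SHA-256 with a PKCS#1 v1.5 signature for the encrypted hash), two freshly generated key pairs stand in for the certificates Bank and Lawyer would exchange, and the sample message and the RunExchange function are constructed for the example. It goes one step past the slides by also checking that gibberish altered in transit fails Lawyer's verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypt is the slide's "encryption engine": recipient public key plus a
// secret message in, gibberish out. RSA-OAEP with SHA-256 under a 2048-bit
// key accepts at most 190 bytes, so real systems encrypt only a symmetric key
// this way and the message itself under that key.
func Encrypt(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Decrypt is the "decryption engine": gibberish plus the owner's private key.
func Decrypt(owner *rsa.PrivateKey, gibberish []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, owner, gibberish, nil)
}

// Sign runs the data through the "hash engine" and transforms the hash with
// the signer's private key; the result is the encrypted hash, the signature.
func Sign(signer *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
}

// Verify recomputes the hash from the data, recovers the signed hash with the
// signer's public key, and reports whether the two agree.
func Verify(signer *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(signer, crypto.SHA256, digest[:], sig) == nil
}

// ExchangeResult records what each side could establish.
type ExchangeResult struct {
	Recovered   string // what Lawyer read after decrypting
	SignatureOK bool   // Lawyer's check that Bank signed the gibberish
	TamperedOK  bool   // the same check on altered gibberish; must be false
	ReceiptOK   bool   // Bank's check of Lawyer's receipt
}

// RunExchange walks the three slides with two freshly generated key pairs
// standing in for the certificates Bank and Lawyer would exchange.
func RunExchange(secret string) (ExchangeResult, error) {
	var r ExchangeResult
	bank, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	lawyer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	// Encrypting with X.509: Bank uses Lawyer's public key; only Lawyer's
	// private key turns the gibberish back into the message.
	gibberish, err := Encrypt(&lawyer.PublicKey, []byte(secret))
	if err != nil {
		return r, err
	}
	plain, err := Decrypt(lawyer, gibberish)
	if err != nil {
		return r, err
	}
	r.Recovered = string(plain)
	// Signing with X.509: Bank signs the gibberish (not the hash); Lawyer
	// checks it with Bank's public key. One flipped bit must break the check.
	sig, err := Sign(bank, gibberish)
	if err != nil {
		return r, err
	}
	r.SignatureOK = Verify(&bank.PublicKey, gibberish, sig)
	tampered := append([]byte(nil), gibberish...)
	tampered[0] ^= 0x01
	r.TamperedOK = Verify(&bank.PublicKey, tampered, sig)
	// X.509 Receipt: Lawyer signs the message it read; Bank verifies that
	// signature against its own original with Lawyer's public key.
	receipt, err := Sign(lawyer, plain)
	if err != nil {
		return r, err
	}
	r.ReceiptOK = Verify(&lawyer.PublicKey, []byte(secret), receipt)
	return r, nil
}

func main() {
	// Constructed sample message; anything under 190 bytes works here.
	r, err := RunExchange("Settle the escrow account on Friday.")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run with `go run`; the printed result shows Recovered equal to the message, SignatureOK and ReceiptOK true, and TamperedOK false. Verify never compares against a hash Bank sent in the clear, only against one Lawyer recomputes itself from the received bytes, which is why a single altered bit of gibberish is caught.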
Obtaining an X.509 Certificate
Use a random number to generate HUGE prime numbers and then create a key pair.
Encrypt the private key with a GOOD password that you have memorized, and then store it away some place safe.
Use the public key and various bits of identifying data (Name, E-Mail Address, Etc.) to construct a certificate request, and send it to the Certificate Authority.
They will investigate your identity to varying degrees, create a certificate that includes a hash encrypted with their private key, and then send you a copy as well as making it a public record.

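The enrollment flow on this slide (key pair, certificate request with identifying data, CA vetting and signing, public record) as an added Go example using the standard crypto/x509 package; it is not code from the presentation or from i.Securitas. The subject name, the e-mail address and the "Example Notary CA" root are constructed, the root is self-signed inside the program rather than obtained from a real CA, and the Enroll and TrustedBy function names are the example's own. TrustedBy is the relying party's "verifies the certificate with the CA" step from the earlier Encrypting with X.509 slide.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Enroll follows the slide: key pair, certificate request carrying the public
// key and identifying data, CA checks the request and signs a certificate.
// It returns the issued certificate and the CA certificate it chains to; the
// subject's private key stays inside this function, as it would stay with the
// subject (encrypted at rest) in a real enrollment.
// The CA is a constructed self-signed root; a real CA's root comes from a key ceremony.
func Enroll(commonName, email string) (leaf, ca *x509.Certificate, err error) {
	// Key pair from the system CSPRNG; rsa.GenerateKey draws the large primes.
	subjectKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	// Certificate request: public key plus identifying data, signed with the
	// subject's private key to prove possession of it.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: commonName},
		EmailAddresses: []string{email},
	}, subjectKey)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	// The CA's first check: the request must verify under the public key it
	// carries. Investigating the claimed identity happens out of band.
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, err
	}
	// Self-signed CA root (constructed for the example).
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Notary CA"},
		NotBefore:    now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	// Issue: the certificate body is hashed and the hash is signed with the
	// CA's private key. A real CA assigns a unique random serial per certificate.
	leafTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        csr.Subject,
		EmailAddresses: csr.EmailAddresses,
		NotBefore:      now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return leaf, ca, nil
}

// TrustedBy is the relying party's "verify the certificate with the CA" step:
// chain cert to root and check validity period and permitted key usage.
func TrustedBy(cert, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil
}

func main() {
	leaf, ca, err := Enroll("Alice Example", "alice@example.com") // constructed identity
	if err != nil {
		panic(err)
	}
	fmt.Println(leaf.Subject.CommonName, "issued by", leaf.Issuer.CommonName, "trusted:", TrustedBy(leaf, ca))
}
```

The private key never appears in the request; csr.CheckSignature only establishes that whoever built the request holds the key matching the enclosed public key, which is why the slide's "investigate your identity" step is separate. The slide's advice to keep the stored private key encrypted under a good password is outside this snippet: Go's legacy PEM encryption (x509.EncryptPEMBlock) is deprecated as insecure, so an operating-system key store or a modern wrapped-key format is the right place for it.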