HUMAN NEURONS

Human brains contain around 100,000,000,000 neurons, each with an average 7,000 synaptic connections
to other neurons. Estimates for the number of synapses range from 1015 for a three-year-old child down to
1014 for an adult.

A deep neural network is one multiple hidden layers. Neural networks can take many shape and sizes and vary
in the number and configuration of conncetions.

7/11/18
LESSON 12

SECURITY

WHAT IS NETWORK SECURITY?

• CONFIDENTIALITY: only sender and intended receiver should understand message contents:
Ø sender encrypts message
Ø receiver decrypts message

• AUTHENTICATION: sender and receiver want to confirm identity to each other

• MESSAGE INTEGRITY: sender and receiver want to ensure message not altered without detection
• ACCESS AND AVAILABILITY: services must be accessible and available to users

Data are sensible and might be violated by intruders.

An intruder can:

• EAVESDROP: intercept messages

• INSERT MESSAGES
• IMPERSONATION: can fake (spoof) source address in packet
• HIJACKING: take over on going connection by removing sender or receiver and inserting himself
instead
• DENIAL OF SERVICE: prevent service from being used by others

52
THE LANGUAGE OF CRYPTOGRAPHY

Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a
particular form so that only those whom it is intended can read and process it. Encryption is a key concept in
cryptography: it is a process whereby a message is encoded in a format that cannot be read or understood by
an eavesdropper. The technique is old and was first used by Caesar to encrypt his messages using Caesar
cipher. A plain text from a user can be encrypted to a ciphertext, then send through a communication
channel and no eavesdropper can interfere with the plain text. When it reaches the receiver end, the
ciphertext is decrypted to the original plain text.

m = plaintext message
KA (m) = ciphertext, encrypted with key KA
m = KB(KA(m))

How is it possible to break an encryption scheme?

• CIPHER-TEXT ONLY ATTACK: the intruder has the ciphertext3 that can analyze;
• KNOWN-PLAINTEXT ATTACK: the intruder has the plaintext corresponding to ciphertext;
• TWO APPROACHES:
1) brute force à search through all keys
2) statistical analysis
• CHOSEN-PLAINTEXT ATTACKS: the intruder can get ciphertext for chosen plaintext.

SYMMETRIC KEY CRYPTOGRAPHY

This is the simplest kind of encryption that involves only one secret key to cipher and decipher information.
Symmetrical encryption is an old and best-known technique. It uses a secret key that can either be a
number, a word or a string of random letters. It is a blended with the plain text of a message to change the
content in a particular way. The sender and the recipient should know the secret key that is used to encrypt
and decrypt all the messages. Blowfish, AES, RC4, DES, RC5, and RC6 are examples of symmetric
encryption. The most widely used symmetric algorithm is AES-128, AES-192, and AES-256.

3
ciphertext is the encrypted text; plaintext is the text before the encryption.

53
The main disadvantage of the symmetric key encryption is that all parties involved have to exchange the key
used to encrypt the data before they can decrypt it.

Bob and Alice share the same (symmetric) key4: KS. The problem is that the users need to agree on the key.

SUBSTITUTION CIPHER: substituting one thing for another. It is a method of encrypting by which units
of plaintext are replaced with ciphertext, according to a fixed system; the “units” may be single letters (the
most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers
the text by performing the inverse substitution.

Monoalphabetic cipher: substitute one letter for another à uses fixed substitution over the entire message.

N SUBSTITUTION CIPHERS, M1, M2, M3, …, Mn

Cycling pattern à for each new plaintext symbol, use subsequent substitution pattern in cyclic pattern.

dog: d from M1, o from M2, g from M3.

DATA ENCRYPTION STANDARD (DES)

In 1973 the National Bureau of Standards (NBS) requested a cipher-algorithm. IBM proposed a first version
of DES. The National Security Agency (NSA) certified the model, but with some alterations:

v The key was reduced from 128 bit to 56 bit;

v Modification of the functions in the S-box.

In 1977 DES was available. In 2000 its successor (AES) debuted.

DES is the archetypal block cipher - an algorithm that takes a fixed-length string of plaintext bits and
transforms it through a series of complicated operations into another ciphertext-bit-string of the same length.
In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that
decryption can supposedly only be performed by those who know the particular key used to encrypt. The
key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are
used solely for checking parity, and are thereafter discarded à hence the effective key length is 56 bits. The
key is nominally stored or transmitted as 8 bytes, each with odd parity.

4
Key is knowing substitution pattern in mono alphabetic substitution pattern.

54
The DES respects Shannon’s desirable properties of cipher algorithm:
• DIFFUSION: the text’s structure is altered and and spread all over the ciphertext.
• CONFUSION: the message and the key are combined in a complex way.

ADVANCED ENCRYPTION STANDARD (EAS)

AES is a subset of the Rijndael block cipher developed by two Belgian cryptographers, Vincent
Rijmen and Joan Daemen, who submitted a proposal to NIST during the AES selection process. Rijndael
is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the
Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
AES became effective as a federal government standard on May 26, 2002, after approval by the Secretary of
Commerce.
AES is based on a design principle known as a substitution - permutation network - and is efficient in both
software and hardware. Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant
of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast,
Rijndael per se is specified with block and key sizes that may be any multiple of 32 bits, with a minimum of
128 and a maximum of 256 bits.
AES operates on a 4 × 4 column-major order array of bytes, termed the state. Most AES calculations are
done in a particular finite field.

PUBLIC KEY CRYPTOGRAPHY

The public key cryptography is a completely new approach. Also known as asymmetrical encryption, which
is a relatively new method, compared to symmetric encryption. Asymmetric encryption uses two keys to
encrypt a plain text. Secret keys are exchanged over the Internet or a large network. It ensures that
malicious persons do not misuse the keys. It is important to note that anyone with a secret key can decrypt
the message and this is why asymmetrical encryption uses two related keys to boosting security. A public
key is made freely available to anyone who might want to send you a message. The second private key is kept a
secret so that you can only know.
A message that is encrypted using a public key can only be decrypted using a private key, while also, a
message encrypted using a private key can be decrypted using a public key. Security of the public key is not
required because it is publicly available and can be passed over the internet. Asymmetric key has a far better
power in ensuring the security of information transmitted during communication.

55
Asymmetric encryption is mostly used in day-to-day communication channels, especially over the Internet.
Popular asymmetric key encryption algorithm includes EIGamal, RSA, DSA, Elliptic curve techniques,
PKCS.
The sender and the receiver do not share the same secret key. Substantially it works that I encrypt with the
public Bob’s public key and he will decrypt with his private key:

• PUBLIC KEY: public encryption key known to all;

• PRIVATE KEY: private decryption key known only to the receiver.

SIMMETRYC VS ASYMMETRIC

• Symmetric encryption uses a single key that needs to be shared among the people who need to receive
the message, while asymmetrical encryption uses a pair of public key and a private key to encrypt
and decrypt messages when communicating.
• Symmetric encryption is an old technique while asymmetric encryption is relatively new.
• Asymmetric encryption was introduced to complement the inherent problem of the need to share the
key in symmetrical encryption model, eliminating the need to share the key by using a pair of
public-private keys.
• Asymmetric encryption takes relatively more time than the symmetric encryption.

When it comes to encryption, the latest schemes may necessarily the best fit. You should always use the
encryption algorithm that is right for the task at hand. In fact, as cryptography takes a new shift, new
algorithms are being developed in a bid to catch up with the eavesdroppers and secure information to
enhance confidentiality.

HOW THE ASYMMETRIC ENCRYPTION FUNCTIONS

56
Requirements:

1) need K+B (.) and K-B (.) such that:

K-B (K+B (m)) = m

2) given public key K+B, it should be impossible to compute the private key K-B.

Prerequisite:

x mod n = remainder of x when divide by n

Facts:

[(a mod n) + (b mod n)] mod n = (a + b) mod n

[(a mod n) - (b mod n)] mod n = (a - b) mod n (a mod n) d mod n = ad mod n
[(a mod n) x (b mod n)] mod n = (a x b) mod n

Example.

x = 14
n = 10
d=2
(x mod n)d mod n = 42 mod 10 = 6
xd = 142 = 196
xd mod 10 = 6

RSA (Rivest, Shamir, Adelson algorithm)5: creating public/private key pair.

The message is just a bit pattern, that can be uniquely represented by an integer number à encrypting a
message is equivalent to encrypting a number.

Example.

m = 10010001 à this message is uniquely represented by the decimal number 145. To encrypt m, it’s
encrypted the corresponding number, which gives a new number.

1) Choose two larges prime numbers p, q (1024 bit each);

2) Compute n = pq, z = (p-1)(q-1);

5
RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data
transmission. In such a cryptosystem, the encryption key is public and it is different from the decryption key which
is kept secret (private). In RSA, this asymmetry is based on the practical difficulty of the factorization of the
product of two large prime numbers, the "factoring problem". The acronym RSA is made of the initial letters of
the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in
1978. A user of RSA creates and then publishes a public key based on two large prime numbers, along with an
auxiliary value. The prime numbers must be kept secret. Anyone can use the public key to encrypt a message,
but with currently published methods, and if the public key is large enough, only someone with knowledge of
the prime numbers can decode the message feasibly. Breaking RSA encryption is known as the RSA problem.
Whether it is as difficult as the factoring problem remains an open question. RSA is a relatively slow algorithm,
and because of this, it is less commonly used to directly encrypt user data. More often, RSA passes encrypted
shared keys for symmetric key cryptography which in turn can perform bulk encryption-decryption operations
at much higher speed.

57
 3) Choose e (e<n) that has no common factors with z (e,z are relatively prime);
4) Choose d such that (ed – 1) is exactly divisible by z (ed mod z = 1)
5) Public key is (n,e). Private key is (n,d).

6) To encrypt message m (<n), compute c = me mod n

7) To decrypt received bit pattern, c, compute: m = cd mod n

m = (me mod n) d mod n

Example.

Bob choose:
p=5 n = 35 e = 5 (e, z are relatively prime)
à
q=7 z = 24 d = 29

Encrypting 8-bit messages:

ENCRYPT: bit pattern m me c = me mod n

00001000 12 24832 17

DECRYPT: c c m = cd mod n
17 48483497459685384037732304… 12

K-B (K+B (m)) =m= K+B (K-B (m))

use public key use private key
first, followed first, followed
by private key by public key

The result is the same.

AUTHENTICATION

The objective is for Alice to prove to Bob he identity. She can’t simply tell “Bob it’s me, Alice”, because Bob
can’t see her.

• SCENARIO 1: Alice could prove her identity in an IP packet, containing her source IP address, but
Trudy could create a packet spoofing Alice’s address.
• SCENARIO 2: Alice sends her secret password to guarantee who she is, but Trudy could record
Alice’s packet and later play it back to Bob (playback attack).
• SCENARIO 2.1: Alice says, “I’m Alice” and sends her encrypted secret password to prove it, but the
record and playback still works.
• SCENARIO 3: nonce is number (R) used once-in-a-lifetime à to prove that Alice exists, Bob sends
Alice nonce, R. Alice must return R, encrypted with shared secret key à nonce: public key
cryptography.

58
 But Trudy could pose as Alice (to Bob) and as Bob to Alice:

Bob receives everything that Alice sends, and vice versa: the problem is that Trudy as well.

DIGITAL SIGNATURES

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents.
A valid digital signature gives a recipient reason to believe that the message was created by a known sender
(authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message
was not altered in transit (integrity).

Digital signatures are like electronic “fingerprints.” In the form of a coded message, the digital signature
securely associates a signer with a document in a recorded transaction. Digital signatures use a standard,
accepted format, called Public Key Infrastructure (PKI), to provide the highest levels of security and universal
acceptance. Digital signatures employ asymmetric cryptography. In many instances they provide a layer of
validation and security to messages sent through a non-secure channel: properly implemented, a digital
signature gives the receiver reason to believe the message was sent by the claimed sender.

The sender (Bob) digitally sign documents, establishing he is the document’s creator/owner. The digital
signature is verifiable and no-forgeable: the recipient (Alice) can prove to someone that Bob, and no one else
(including Alice herself), must have sign the document.
The digital signature can be considered as a numerical value that is represented as a sequence of characters.
The creation of a digital signature is a complex mathematical process that can only be created by a
computer.

Consider a scenario where Alice has to digitally sign a file or an email and send it to Bob.

1. Alice selects the file to be digitally signed or clicks on “sign” in her email application

59
 2. The hash6 value of the file content or the message is calculated by Alice’s computer
3. This hash value is encrypted with Alice’s Signing Key (which is a Private Key) to create the Digital
Signature.
4. Now, the original file or email message along with its Digital Signature are sent to Bob.
5. After Bob receives the signed message, the associated application (such as email application)
identifies that the message has been signed. Bob’s computer then proceeds to:
Ø Decrypt the Digital Signature using Alice’s Public Key
Ø Calculate the hash of the original message
Ø Compare the (a) hash it has computed from the received message with the (b) decrypted hash
received with Alice's message.
6. Any difference in the hash values would reveal tampering of the message.

There are simple digital signatures: Bob signs the message (m) by encrypting it with its private key K-B,
creating a signed message, K-B (m).

Suppose that Alice receives the message (m), with the signature: m, K-B (m). Alice verifies m signed by Bob
by applying Bob’s public key K+B to K-B (m) then checks: K+B (K-B (m)) = m à whoever signed must have used
Bob’s private key. Alice can verify that:

• Bob signed the message;

• No one else signed the message;
• Bob signed m and not m’.

No-repudiation: the sender cannot deny having sent the message à Alice can take m and the signature,
K-B (m), to court and prove that Bob signed it.

MESSAGE DIGESTS

A message digest is a cryptographic hash function containing a string of digits created by a one-way hashing
formula. Message digests are designed to protect the integrity of a piece of data or media to detect changes
and alterations to any part of a message. They are a type of cryptography utilizing hash values that can warn
the copyright owner of any modifications applied to their work.

6
A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash
is substantially smaller than the text itself and is generated by a formula in such a way that it is extremely unlikely
that some other text will produce the same hash value.
Hashes play a role in security systems where they’re used to ensure that transmitted messages have not been
tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The
recipient then decrypts both the message and the hash, produces another hash from the received message, and
compares the two hashes. If they’re the same, there is a very high probability that the message was transmitted
intact.

60
Message digest hash numbers represent specific files containing the protected works. One message digest is
assigned to particular data content. It can reference a change made deliberately or accidentally, but it
prompts the owner to identify the modification as well as the individual(s) making the change. Message
digests are algorithmic numbers.
When the message is large à H: Hash function à H(m).

Hash function properties:

• many to one;
• produces fixed-size messages digest (fingerprints)
• given message digest x, computationally infeasible to find m such that: x = H(m).

The MD5 message-digest algorithm is a widely used hash function producing a 128-bithash value. Although
MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from
extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against
unintentional corruption. It remains suitable for other non-cryptographic purposes, for example for
determining the partition for a particular key in a partitioned database.
One basic requirement of any cryptographic hash function is that it should be computationally infeasible to
find two distinct messages which hash to the same value. MD5 fails this requirement catastrophically;
such collisions can be found in seconds on an ordinary home computer.
The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012.
The CMU Software Engineering Institute considers MD5 essentially “cryptographically broken and
unsuitable for further use”.
SHA-17 is also used:

• US standard [NIST, FIPS PUB 180-1];

• 160-bit message digest.

DIGITAL SIGNATURE - SIGNED MESSAGE DIGEST

A message digest is a fixed size numeric representation of the contents of a message, computed by a hash
function. A message digest can be encrypted, forming a digital signature.
Messages are inherently variable in size. A message digest is a fixed size numeric representation of the
contents of a message. A message digest is computed by a hash function, which is a transformation that
meets two criteria:

1) The hash function must be one way. It must not be possible to reverse the function to find the
message corresponding to a particular message digest, other than by testing all possible messages.
2) It must be computationally infeasible to find two messages that hash to the same digest.

The message digest is sent with the message itself. The receiver can generate a digest for the message and
compare it with the digest of the sender. The integrity of the message is verified when the two message digests
are the same. Any tampering with the message during transmission almost certainly results in a different
message digest.
A message digest created using a secret symmetric key is known as a Message Authentication Code (MAC),
because it can provide assurance that the message has not been modified.
The sender can also generate a message digest and then encrypt the digest using the private key of an
asymmetric key pair, forming a digital signature. The signature must then be decrypted by the receiver,
before comparing it with a locally generated digest.

7
It is part of the Secure Hash Algorithms, a family of cryptographic hash functions published by the National
Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS).

61
 Alice verifies signature,
Bob sends digitally
integrity of digitally
signed message:
signed message:

INTERNET CHECKSUM

The Internet checksum is a method to calculate the checksum used to verify the integrity of the data contained
in the packets transmitted on the network, for example the IP header8. The Internet checksum has some
properties of hash function:

• produces fixed length digest (16-bit sum) of message;

• is many-to-one.

But given message with given hash value, it is easy to find another message with the same hash value:

PUBLIC-KEY CERTIFICATION

8
In a data packet sent via the Internet, the data (payload) are preceded by header information such as the
sender’s and the recipient’s IP addresses, the protocol governing the format of the payload and several other
formats. The header’s format is specified in the Internet Protocol.

62
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic
document used to prove the ownership of a public key. The certificate includes information about the key,
information about the identity of its owner (called the subject), and the digital signature of an entity that has
verified the certificate’s contents (called the issuer). If the signature is valid, and the software examining the
certificate trusts the issuer, then it can use that key to communicate securely with the certificate’s subject.
In email encryption, code signing, and e-signature systems, a certificate’s subject is typically a person or
organization. However, in Transport Layer Security (TLS) a certificate’s subject is typically a computer or
other device, though TLS certificates may identify organizations or individuals in addition to their core role
in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for
being a part of HTTPS, a protocol for securely browsing the web.
In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA),
usually a company that charges customers to issue certificates for them. By contrast, in a web of trust scheme,
individuals sign each other’s keys directly, in a format that performs a similar function to a public key
certificate.

Example.

Trudy plays pizza prank on Bob:

• Trudy creates an e-mail order: «Dear Domino’s Pizza, please deliver to me four pepperoni pizzas. Thank
you, Bob»;
• Trudy signs order with her private key;
• Trudy sends order to Domino’s Pizza;
• Trudy sends to Domino’s her public key, but says it’s Bob’s;
• Domino’s verifies signature à delivers four pizzas to Bob;
• Bob doesn’t even like pepperoni.

CERTIFICATION AUTHORITIES

The certification authority (CA) binds the public key to a particular entity E. E (person, router) register its
public key with CA:

• E provides proof of identity to CA;

• CA creates certificate binding E to its public key;
• Certificate containing E’s pubic key digitally signed by CA à CA says “This is E’s public key”.

When Alice wants Bob’s public key:

• Gets Bob’s certificate;

• Applies CA’s public key to Bob’s certificate and gets Bob’s public key.

63
SECURE E-MAIL

Email encryption is encryption of email messages to protect the content from being read by other entities
than the intended recipients. Email encryption may also include authentication. Email is prone to disclosure
of information. Most emails are currently transmitted in the clear (not encrypted) form. By means of some
available tools, persons other than the designated recipients can read the email contents.
Email encryption can rely on public-key cryptography, in which users can each publish a public key that
others can use to encrypt messages to them, while keeping secret a private key they can use to decrypt such
messages or to digitally encrypt and sign messages they send.

Alice wants to send a confidential email (m) to Bob:

ALICE:
• generates random symmetric private keys (KS);
• encrypts message with KS (for efficiency);
• also encrypts KS with Bob’s public key;
• sends both KS(m) and KB(KS) to Bob.

BOB:
• uses his private key to decrypt and recover KS;
• uses KS to decrypt KS(m) to recover m.

Alice wants to provide sender authentication and message integrity:

• Alice digitally signs the message;

• sends both message (in the clear) and digital signature.

Alice wants to provide secrecy, sender authentication and message integrity:

• Alice uses three keys:

a) her private key,
b) Bob’s public key,
c) newly created symmetric key.

64
KEY ESCROW

Key escrow is a cryptographic key exchange process in which a key is held in escrow, or stored, by a third
party: under certain circumstances, an authorized third party may gain access to those keys. These third
parties may include businesses, who may want access to employees’ private communications, or
governments, who may wish to be able to view the contents of encrypted communications.
A key that is lost or compromised by its original user(s) may be used to decrypt encrypted material, allowing
restoration of the original material to its unencrypted state. Key escrow systems provide a backup source for
cryptographic keys. Escrow systems are somewhat risky because a third party is involved.

The technical problem is a largely structural one since access to protected information must be
provided only to the intended recipient and at least one third party. The third party should be permitted
access only under carefully controlled conditions, as for instance, a court order. Thus far, no system design
has been shown to meet this requirement fully on a technical basis alone. All proposed systems also require
correct functioning of some social linkage, as for instance the process of request for access, examination of
request for legitimacy (as by a court), and granting of access by technical personnel charged with access
control. All such linkages / controls have serious problems from a system design security perspective. Systems
in which the key may not be changed easily are rendered especially vulnerable as the accidental release of
the key will result in many devices becoming totally compromised, necessitating an immediate key change
or replacement of the system.
On a national level, this is controversial in many countries due to technical mistrust of the security of the
escrow arrangement (due to a long history of less than adequate protection of others' information by
assorted organizations, public and private, even when the information is held only under an affirmative
legal obligation to protect it from unauthorized access), and to a mistrust of the entire system even if it
functions as designed. Thus far, no key escrow system has been designed which meets both objections and
nearly all have failed to meet even one.
Key escrow is proactive, anticipating the need for access to keys; a retroactive alternative is key disclosure law,
where users are required to surrender keys upon demand by law enforcement, or else face legal penalties.
Key disclosure law avoids some of the technical issues and risks of key escrow systems, but also introduces
new risks like loss of keys and legal issues such as involuntary self-incrimination. The ambiguous term key
recovery is applied to both types of systems.

SSL: SECURE SOCKETS LAYER

The SSL is a widely deployed security protocol: it is supported by almost all browsers and web servers. It
provides confidentiality, integrity and authentication and it is the standard security technology for
establishing an encrypted link between a web server and a browser or an email service or a client. This link
ensures that all data passed between the web server and browsers remain private and integral. SSL is an
industry standard and it is used by millions of websites in the protection of their online transactions with
their customers. SSL allows sensitive information such as credit card numbers, social security numbers, and
login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent
in plain text, leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent
between a browser and a web server, they can see and use that information.

65
More specifically, SSL is a security protocol. Protocols describe how algorithms should be used. In this case,
the SSL protocol determines variables of the encryption for both the link and the data being transmitted.
All browsers have the capability to interact with secured web servers using the SSL protocol. However, the
browser and the server need what is called an SSL Certificate to be able to establish a secure connection à
to be able to create an SSL connection a web server requires an SSL Certificate. When you choose to
activate SSL on your web server you will be prompted to complete a number of questions about the identity
of your website and your company. Your web server then creates two cryptographic keys: a Private Key and
a Public Key.
The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) - a data
file also containing your details. You should then submit the CSR. During the SSL Certificate application
process, the Certification Authority will validate your details and issue an SSL Certificate containing your
details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private
Key. Your web server will then be able to establish an encrypted link between the website and your
customer’s web browser. The most important part of an SSL certificate is that it is digitally signed by a
trusted CA, like DigiCert. Anyone can create a certificate, but browsers only trust certificates that come
from an organization on their list of trusted CAs. Browsers come with a pre-installed list of trusted CAs,
known as the Trusted Root CA store. In order to be added to the Trusted Root CA store and thus become a
Certificate Authority, a company must comply with and be audited against security and authentication
standards established by the browsers.
An SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third
party has authenticated that organization’s identity. Since the browser trusts the CA, the browser now
trusts that organization’s identity too. The browser lets the user know that the website is secure, and the
user can feel safe browsing the site and even entering their confidential information.

The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide
them with a key indicator to let them know they are currently protected by an SSL encrypted session - the
lock icon in the lower right-hand corner, clicking on the lock icon displays your SSL Certificate and the
details about it. All SSL Certificates are issued to either companies or legally accountable individuals.

Typically, an SSL Certificate will contain your domain name, your company name, your address, your city,
your state and your country. It will also contain the expiration date of the Certificate and details of the
Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure
site it will retrieve the site’s SSL Certificate and check that it has not expired, it has been issued by a
Certification Authority the browser trusts, and that it is being used by the website for which it has been
issued. If it fails on any one of these checks the browser will display a warning to the end user letting them
know that the site is not secured by SSL.

14/11/18
LESSON 14

INTERNET THREATS

Security is a complex issue. Most of the time it is threatened by some of the following risks:

• MALWARE: or “malicious software,” is an umbrella term that describes any malicious program or
code that is harmful to systems. Hostile, intrusive, and intentionally nasty, malware seeks to invade,
damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by
taking partial control over a device’s operations. It interferes with normal functioning. Malware is
all about making money off you illicitly. Although malware cannot damage the physical hardware
of systems or network equipment (with one known exception—see the Google Android section
below), it can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy
on your computer activity without your knowledge or permission. Here are the most common
offenders in the rogues’ gallery of malware:

66