
Friday, July 22, 2011

Certificate authority

Comment:

What if the certificate authority discloses private information of users? Safe?

Follow-up:

Yes, it is definitely possible that a CA could inadvertently disclose some private information. For example, a CA’s database could be compromised by some hackers, just like credit-card numbers are disclosed in some hacking of e-business Web sites.

So in a sense, one could argue that our Internet security is quite fragile.

Comment:

Who will certify the public key of the certificate authority?

Follow-up:

A CA’s public key is not “certified” but just published in a widely accessible site so that everyone can verify it.

Are malware and computer viruses related to Internet security?

Comment:

Does it mean that we should not use some not-so-famous browsers to surf the net because those will lead to risky results?

Follow-up:

Yes, definitely. In fact, we should all be very careful in using any software in today’s computing environment because of the Internet. Specifically, malicious software (called malware) can extract useful information (e.g., bank statements, etc.) from your computer and then send it off to some remote computers (e.g., the hackers’ computers) for launching further attacks.

We should not trust certificates from unknown sources/companies. We should not trust the “judgment” made by the browsers, which might have been altered by some malware.

Comment:

How about computer virus? (Is computer virus related to Internet security?)

Follow-up:

A computer virus, like the “malware” I mentioned above, is highly related to Internet security in the sense that nowadays a computer virus is not about making fun of an innocent user (as in the past). Instead, a virus will be used for getting sensitive information and/or using your computer to launch further attacks on others (e.g., Distributed Denial-of-Service attacks, like attacking popular Web sites such as Amazon.com).

Most importantly, a computer virus spreads by using emails or some bogus links in a Web page.

So we have to be careful in opening email attachments and clicking on some Web links.

Sunday, July 17, 2011

Internet Key: Key generation

Comment:

(I am) Still confused about public key cryptography.

Follow-up:

Simply put, in a public key cryptosystem, each user owns a pair of keys, one made public and the other kept secret. To send a message securely, the public key of the intended recipient is used for the encryption so that only the recipient can decrypt it. On the other hand, for digital signature, the signer uses his/her own private key to encrypt the message (or actually the digest of the message) so that everyone can decrypt it using the signer’s public key to verify it.

For those of you who are interested in the mathematical details, please study the attached lecture notes on public key cryptography (file: module3-PublicKeyCrypto.pdf).
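To make the two uses in the follow-up concrete, here is a toy textbook-RSA sketch added for this page (it is not code from the lecture notes): constructed small primes, no padding, and a SHA-256 digest reduced into the RSA group. It shows only the asymmetry described above: encryption with the recipient's public key, and a signature as the digest "encrypted" with the signer's own private key and "decrypted" by anyone with the public key.

```python
import hashlib

# Constructed toy parameters. Real deployments use 2048-bit (or larger)
# moduli and padding schemes (OAEP for encryption, PSS for signatures);
# textbook RSA as below is for illustration only.
P, Q = 104729, 1299709          # two primes (constructed)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                       # public exponent
D = pow(E, -1, PHI)             # private exponent (Python 3.8+ modular inverse)

PUBLIC_KEY = (N, E)             # published for everyone
PRIVATE_KEY = (N, D)            # kept secret by the key owner


def encrypt(plaintext: int, public_key) -> int:
    """Sender encrypts with the RECIPIENT's public key."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(plaintext, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Only the holder of the matching private key can recover the message."""
    n, d = private_key
    return pow(ciphertext, d, n)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce the hash into the RSA group (toy step)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signer 'encrypts' the digest of the message with his/her OWN private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone 'decrypts' the signature with the signer's public key and
    compares it with a freshly computed digest of the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    c = encrypt(42, PUBLIC_KEY)
    print("decrypted:", decrypt(c, PRIVATE_KEY))
    s = sign(b"pay 100 dollars", PRIVATE_KEY)
    print("verified:", verify(b"pay 100 dollars", s, PUBLIC_KEY))
    print("tampered verifies:", verify(b"pay 1000 dollars", s, PUBLIC_KEY))
```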

Comment:

How does KDC work?

Follow-up:

The KDC shares a secret key (or symmetric key) with every registered user. Thus, by using this key, the KDC can send a newly generated key (denoted as R1 in Presentation #5) to a user requesting a new key to be shared with another registered user of the KDC. Once they get this R1, the two users can then transform it further using some agreed-upon protocol to generate the actual shared key, which is unknown to the KDC.

Comment:

I want to know if it is possible to combine the use of public and private keys as follows.



Follow-up:

Yes, of course your suggestion would work. In fact, it provides not only “confidentiality” but “non-repudiation” as well.