e-commerce 2014 - professor arun kumararunk.com/pdf/mcom/mcom2ndsem/presentation 5.pdf · 3...
TRANSCRIPT
![Page 1: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/1.jpg)
E-commerce 2014
Kenneth C. Laudon
Carol Guercio Traver
business. technology. society.
tenth edition
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
![Page 2: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/2.jpg)
Chapter 5E-commerce Security and Payment Systems
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
![Page 3: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/3.jpg)
3
International Organization for Standardization (ISO):
"The potential that a given threat willexploit vulnerabilities of an asset or group ofassets to cause loss or damage to the assets.The impact or relative severity of the risk isproportional to the business value of theloss/damage and to the estimated frequency ofthe threat."
![Page 4: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/4.jpg)
4
Terminate the Risk,
Minimize Probability of Occurrence,
Minimize Impact,
Transfer/Insurance
![Page 5: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/5.jpg)
What Is Good E-commerce Security?
To achieve highest degree of securityNew technologies
Organizational policies and procedures
Industry standards and government laws
Other factorsTime value of money
Cost of security vs. potential loss
Security often breaks at weakest link
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-5
![Page 6: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/6.jpg)
The E-commerce Security Environment
Figure 5.1, Page 252
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-6
![Page 7: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/7.jpg)
Table 5.3, Page 254
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-7
![Page 8: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/8.jpg)
The Tension Between Security andOther Values
Ease of useThe more security measures added, the more
difficult a site is to use, and the slower it becomes
Public safety and criminal uses of the InternetUse of technology by criminals to plan crimes or
threaten nation-state
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-8
![Page 9: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/9.jpg)
Security Threats in theE-commerce Environment
Three key points of vulnerability in e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-9
![Page 10: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/10.jpg)
Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits)Drive-by downloads
Viruses
Worms
Ransomware
Trojan horses
Backdoors
Bots, botnets
Threats at both client and server levels
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-10
![Page 11: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/11.jpg)
Most Common Security Threats (cont.)
Potentially unwanted programs (PUPs) Browser parasites
Adware
Spyware
Phishing Social engineering
E-mail scams
Spear-phishing
Identity fraud/theft
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-11
![Page 12: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/12.jpg)
Most Common Security Threats (cont.)
HackingHackers vs. crackers
Types of hackers: White, black, grey hats
Hacktivism
Cybervandalism:Disrupting, defacing, destroying Web site
Data breachLosing control over corporate information to
outsiders
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-12
![Page 13: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/13.jpg)
Most Common Security Threats (cont.)
Credit card fraud/theft
Spoofing and pharming
Spam (junk) Web sites (link farms)
Identity fraud/theft
Denial of service (DoS) attack Hackers flood site with useless traffic to overwhelm
network
Distributed denial of service (DDoS) attack
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-13
![Page 14: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/14.jpg)
Most Common Security Threats (cont.)
Sniffing Eavesdropping program that monitors information
traveling over a network
Insider attacks
Poorly designed server and client software
Social network security issues
Mobile platform security issues Vishing, smishing, madware
Cloud security issues
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-14
![Page 15: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/15.jpg)
Technology Solutions
Protecting Internet communicationsEncryption
Securing channels of communicationSSL (Secure Sockets Layer), VPNs
Protecting networksFirewalls
Protecting servers and clients
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-15
![Page 16: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/16.jpg)
Tools Available to Achieve Site Security
Figure 5.5, Page 276
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-16
![Page 17: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/17.jpg)
Limits to Encryption Solutions
Doesn’t protect storage of private keyPKI not effective against insiders, employees
Protection of private keys by individuals may be haphazard
No guarantee that verifying computer of merchant is secure
CAs are unregulated, self-selecting organizations
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-17
![Page 18: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/18.jpg)
Securing Channels of Communication
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Establishes secure, negotiated client–server
session
Virtual Private Network (VPN) Allows remote users to securely access internal
network via the Internet
Wireless (Wi-Fi) networksWPA2
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-18
![Page 19: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/19.jpg)
Protecting Networks
Firewall Hardware or software
Uses security policy to filter packets
Two main methods: Packet filters
Application gateways
Proxy servers (proxies) Software servers that handle all communications from
or sent to the Internet
Intrusion detection systems Intrusion prevention systems
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-19
![Page 20: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/20.jpg)
Firewalls and Proxy Servers
Figure 5.11, Page 289
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-20
![Page 21: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/21.jpg)
Protecting Servers and Clients
Operating system security enhancementsUpgrades, patches
Anti-virus software Easiest and least expensive way to prevent
threats to system integrity
Requires daily updates
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-21
![Page 22: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/22.jpg)
Management Policies, Business Procedures, and Public Laws
Worldwide, companies spend more than $65 billion on security hardware, software, services
Managing risk includes:Technology
Effective management policies
Public laws and active enforcement
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-22
![Page 23: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/23.jpg)
A Security Plan: Management Policies
Risk assessment
Security policy
Implementation plan Security organization
Access controls
Authentication procedures, including biometrics
Authorization policies, authorization management systems
Security audit
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-23
![Page 24: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/24.jpg)
Developing an E-commerce Security Plan
Figure 5.12, Page 291
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-24
![Page 25: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/25.jpg)
The Role of Laws and Public Policy Laws that give authorities tools for identifying,
tracing, prosecuting cybercriminals: National Information Infrastructure Protection Act of 1996
USA Patriot Act
Homeland Security Act
Private and private-public cooperation CERT Coordination Center
US-CERT
Government policies and controls on encryption software OECD, G7/G8, Council of Europe, Wassener Arrangement
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-25
![Page 26: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/26.jpg)
Types of Payment Systems
Cash Most common form of payment
Instantly convertible into other forms of value
No float
Checking transfer Second most common payment form in United States
Credit card Credit card associations
Issuing banks
Processing centers
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-26
![Page 27: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/27.jpg)
Types of Payment Systems (cont.)
Stored valueFunds deposited into account, from which funds
are paid out or withdrawn as needed
Debit cards, gift certificates
Peer-to-peer payment systems
Accumulating balanceAccounts that accumulate expenditures and to
which consumers make period payments
Utility, phone, American Express accounts
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-27
![Page 28: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/28.jpg)
Payment System StakeholdersConsumers
Low-risk, low-cost, refutable, convenience, reliability
Merchants Low-risk, low-cost, irrefutable, secure, reliable
Financial intermediaries Secure, low-risk, maximizing profit
Government regulators Security, trust, protecting participants and enforcing
reporting
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-28
![Page 29: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/29.jpg)
E-commerce Payment Systems
Credit cards42% of online payments in 2013 (United States)
Debit cards29% online payments in 2013 (United States)
Limitations of online credit card paymentSecurity, merchant risk
Cost
Social equity
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-29
![Page 30: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/30.jpg)
How an Online Credit Transaction Works
Figure 5.15, Page 302
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-30
![Page 31: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/31.jpg)
Alternative Online Payment SystemsOnline stored value systems:
Based on value stored in a consumer’s bank, checking, or credit card account
Example: PayPal
Other alternatives: Amazon Payments
Google Checkout
Bill Me Later
WUPay, Dwolla, Stripe
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-31
![Page 32: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/32.jpg)
Mobile Payment Systems
Use of mobile phones as payment devices established in Europe, Japan, South Korea
Near field communication (NFC) Short-range (2”) wireless for sharing data between
devices
Expanding in United States Google Wallet
Mobile app designed to work with NFC chips
PayPal
Square
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-32
![Page 33: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/33.jpg)
Digital Cash and Virtual Currencies
Digital cashBased on algorithm that generates unique
tokens that can be used in “real” world
Example: Bitcoin
Virtual currenciesCirculate within internal virtual world
Example: Linden Dollars in Second Life, Facebook Credits
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-33
![Page 34: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/34.jpg)
Electronic Billing Presentment and Payment (EBPP)
Online payment systems for monthly bills
50% of all bill payments
Two competing EBPP business models: Biller-direct (dominant model)
Consolidator
Both models are supported by EBPP infrastructure providers
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-34
![Page 35: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/35.jpg)
Cryptography
• I AM SPARTA
• 42 11 23 34 53 11 24 44 11
![Page 36: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/36.jpg)
Do you agree that trust is the
basis of all business / commercial
transactions?
What are the elements of trust
which you would look for in a
business relationship?
![Page 37: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/37.jpg)
A MATTER OF TRUST
• Building Trust: Direct trust relationship
![Page 38: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/38.jpg)
Some every day transactions:
Credit Card
Contract
Notarized
Notarized
Document
Medical
Records
Why do we place trust
in these transactions?• Authentication
• Access control
• Confidentiality
• Integrity
• Non-repudiation
![Page 39: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/39.jpg)
So, why PKI?
• PKI technology provides all of the
elements we expect from a secure
transaction• Authentication
• Access control
• Confidentiality
• Integrity
• Non-repudiation
![Page 40: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/40.jpg)
What is Public Key Infrastructure?
“...a system for establishing the identity of
people who hold cryptographic keys.”
---Web Security & Commerce
by Simson Garfinkel & Gene Spafford
But Why?
![Page 41: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/41.jpg)
What is a PKI? Another definition.
• A system that establishes and
maintains trustworthy e-business
environments through the
generation and distribution of keys
and certificates.
![Page 42: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/42.jpg)
What is a PKI? Yet, another
definition.
Public Key Infrastructure (abbr. PKI) a
comprehensive system that provides public-
key encryption and digital signature
services to ensure confidentiality, access
control, data integrity, authentication and
non-repudiation.
![Page 43: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/43.jpg)
Why the need for PKI?
• Internet-enabled E-Commerce -- identify users accessing sensitive information?
(Authentication)
– control who accesses information (Access Control)
– be sure communication is private but carried over the Internet? (Privacy)
– ensure data has not been tampered with? (Integrity)
– provide a digital method of signing information and transactions? (Non-repudiation)
![Page 44: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/44.jpg)
Transaction Value
Tru
st
an
d C
on
fid
en
tiali
ty
Web Presence
Shopping
Supply Chain Integration
Customer Integration
Contract Buying
Service/Support
Taking Orders
What Level of Trust (or Security)?
![Page 45: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/45.jpg)
• Building Trust: Third party trust relationship
Certificate Authority
Implied Trust
![Page 46: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/46.jpg)
PKI Components
• Public/private key pair
• Digital certificate
• Certificate authority
• LDAP directory
• Authentication device
LDAP: Lightweight Directory Access Protocol
![Page 47: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/47.jpg)
Cryptography
Message Digest
Symmetric Key Encryption
Public Key Encryption
![Page 48: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/48.jpg)
Symmetric Key Encryption
Cleartext Message Cipher Text Cleartext Message
DES | RC4 DES | RC4Four score and seven years
ago, our forefathers
brought forth the proposition
Four score and seven years
ago, our forefathers
brought forth the proposition
sdfklj98a475$56jhgv98456vjnf84576FGHH78lfkghj-506#6lkjg4#$5;lkn;t7;lsk%0
DEC: digital electronic control
![Page 49: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/49.jpg)
Public/Private KeyOne half of a key pair is used to encrypt,
the other half is used to decrypt.
Encryption
Recipient’s
PublicKey
Recipient’s
Private
Key
Decryption
![Page 50: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/50.jpg)
How does PKI work?
Original
Message
Encrypted
& Signed
Sender’s
Private KeyHash CodeDigital
Signature
Symmetric Key
Recipient’s
Public Key
Encrypted
Symmetric
KeySender
Original
Message
Apply Hash
Algorithm
![Page 51: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/51.jpg)
How does PKI work?
Symmetric Key
Encrypted
& Signed
Encrypted
Symmetric
Key
Recipient’s
Private Key
Original
Message
Hash
Algorithm
Digital
Signature
Hash CodeSender’s
Public Key
Messag
e
verified
Recipient
![Page 52: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/52.jpg)
Certification Authority
Certificate
Repository
Certificate
Revocation
Key Backup
& Recovery
Automatic
Key Update
Key Histories
General PKI Requirements
Support for
non-repudiation
Cross-certification
Timestamping
Application
software
![Page 53: E-commerce 2014 - Professor Arun Kumararunk.com/pdf/MCom/mcom2ndsem/Presentation 5.pdf · 3 International Organization for Standardization (ISO): "The potential that a given threat](https://reader031.vdocuments.us/reader031/viewer/2022030407/5a839c987f8b9aa24f8eecc6/html5/thumbnails/53.jpg)
Digital Signatures
Working of the Digital Signature by Using Hashing