elc 200 day 11 introduction to e-commerce 1 copyright, tony gauvin, umfk, 2011
TRANSCRIPT
Agenda Questions? Assignment 2 corrected
10 A’s, 1 B, 1 C, 1 D and 2 non-submits
Assignment 3 PAST Due Will be graded by next class
Assignment 4 Posted Due March 14 Assignment4.pdf
Quiz 1 will be March 11 (next Class) Chap 1-5, Open Book, Open Notes, On Blackboard, 85 Min 20 M/C @ 4 points each 4 short essays @ 5 points each 1 extra credit question on Web Browswers worth 5 points
Finish Chap 5, Ecommerce Security and Payment systems
e-commerce
Kenneth C. LaudonCarol Guercio Traver
business. technology. society.
eighth edition
Copyright © 2012 Pearson Education, Inc.
Learning Objectives. Describe how technology helps protect the security of messages sent
over the Internet. Identify the tools used to establish secure Internet communications
channels and protect networks, servers, and clients. Discuss the importance of policies, procedures, and laws in creating
security. Describe the features of traditional payment systems. Explain the major e-commerce payment mechanisms. Describe the features and functionality of electronic billing presentment
and payment systems.
Insight on Technology: Class Discussion
Think Your Smartphone Is Secure? What types of threats do smartphones face? Are there any particular vulnerabilities to this
type of device? What did Nicolas Seriot’s “Spyphone” prove?
http://www.spyphone.com/ Are apps more or less likely to be subject to
threats than traditional PC software programs?
Copyright © 2012 Pearson Education, Inc. Slide 5-6
Copyright © 2011 Pearson Education, Inc.
Technology Solutions
Protecting Internet communications (encryption)
Securing channels of communication (SSL, S-HTTP, VPNs)
Protecting networks (firewalls)
Protecting servers and clients
Slide 5-7
Copyright © 2011 Pearson Education, Inc.
Tools Available to Achieve Site Security
Figure 5.7, Page 287
Slide 5-8
Copyright © 2011 Pearson Education, Inc.
Encryption
EncryptionTransforms data into cipher text readable only
by sender and receiverSecures stored information and information
transmissionProvides 4 of 6 key dimensions of e-commerce
security: 1. Message integrity2. Nonrepudiation3. Authentication4. Confidentiality
Slide 5-9
12-10© 2007 Prentice-Hall, Inc
What Is Encryption? A way to transform a message so that only the sender and recipient can
read, see, or understand it
Plaintext (cleartext): the message that is being protected
Encrypt (encipher): transform a plaintext into ciphertext
Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message
Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines
Plaintext + key = Ciphertext
Ciphertext – key = Plaintext
12-11© 2007 Prentice-Hall, Inc
Symmetric Key Encryption
Message“Hello”
EncryptionMethod &
Key
SymmetricKey
Party A
Party B
InterceptorNetwork
Encrypted Message
Encryption uses anon-secret encryption method and
a secret key
12-12© 2007 Prentice-Hall, Inc
Simple example (encrypt) Every letter is converted to a two digit number
A=1, Z = 26 ANTHONY 01 14 20 08 15 14 25 Produce any 4 digit key 3654 (10N-1 choices = 9,999) Add together in blocks of 4 digits 0114 + 3654 = 3768 2008 + 3654 = 5662 1514 + 3654 = 5168 2500 + 3654 = 6154 (pad with 00 to make even)
Send 3768566251686154 to fellow Spy
12-13© 2007 Prentice-Hall, Inc
Simple example (Decrypt) Received 3768566251686154 from fellow Spy
Break down in 4 digits blocks 3768 /5662 /5168 /6154
Get right Key 3654 Subtract key from blocks of 4 digits 3768 - 3654 = 114 5662 - 3654 = 2008 5168 - 3654 = 1514 6154 - 3654 = 2500 If result is negative add 10000
Break down to 2 digits and decode 01 = A, 14 =N, 20 = T, 08 = H
Copyright © 2011 Pearson Education, Inc.
Symmetric Key Encryption
Sender and receiver use same digital key to encrypt and decrypt message
Requires different set of keys for each transaction
Strength of encryption Length of binary key used to encrypt data
2N-1 possible keys to guess
Advanced Encryption Standard (AES) Most widely used symmetric key encryption
Uses 128-, 192-, and 256-bit encryption keys
Other standards use keys with up to 2,048 bits
Slide 5-14
Copyright © 2011 Pearson Education, Inc.
Public Key Encryption
Uses two mathematically related digital keys Public key (widely disseminated)
Private key (kept secret by owner)
Both keys used to encrypt and decrypt message
Once key used to encrypt message, same key cannot be used to decrypt message
Sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it
Slide 5-15
Copyright © 2011 Pearson Education, Inc.
Public Key Cryptography – A Simple Case
Figure 5.8, Page 289
Slide 5-17
12-18© 2007 Prentice-Hall, Inc
Public Key EncryptionPublic Key Encryption for Confidentiality
EncryptedMessage
EncryptedMessage
Party A Party B
Encrypt withParty B’s Public Key
Decrypt withParty B’s Private Key
Decrypt withParty A’s Private Key
Encrypt withParty A’s Public Key
Note:Four keys are used to encryptand decrypt in both directions
Copyright © 2010 Pearson Education, Inc.
Public Key Encryption Using Digital Signatures and Hash Digests
Hash function: Mathematical algorithm that produces fixed-length number called
message or hash digest
Hash digest of message sent to recipient along with message to verify integrity
Hash digest and message encrypted with recipient’s public key
Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
Slide 5-19
12-20© 2007 Prentice-Hall, Inc
Digital Signature: Sender
DS
Plaintext
MD
Hash
Sign (Encrypt) MD withSender’s Private Key
To Create the Digital Signature:
1. Hash the plaintext to createa brief message digest; This isNOT the digital signature
2. Sign (encrypt) the messagedigest with the sender’s privatekey to create the digitalSignature
12-21© 2007 Prentice-Hall, Inc
Digital Signature
SenderReceiver
DS Plaintext
Add Digital Signature to Each MessageProvides Message-by-Message Authentication
Encrypted for Confidentiality
12-22© 2007 Prentice-Hall, Inc
Digital Signature
SenderEncrypts Receiver
Decrypts
Send Plaintext plus Digital SignatureEncrypted with Public key of receiver
DS Plaintext
Transmission
12-23© 2007 Prentice-Hall, Inc
Digital Signature: Receiver
DSReceived Plaintext
MDMD
1.Hash
2.Decrypt withTrue Party’sPublic Key
3.Are they Equal?
1. Hash the receivedplaintext with the samehashing algorithm the
sender used. This givesthe message digest
2. Decrypt the digitalsignature with the sender’spublic key. This also shouldgive the message digest.
3. If the two match, the message is authenticated;The sender has the true
Party’s private key
Copyright © 2011 Pearson Education, Inc.
Public Key Cryptography with Digital
Signatures
Figure 5.9, Page 291
Slide 5-24
Copyright © 2011 Pearson Education, Inc.
Digital Envelopes
Address weaknesses of: Public key encryption
Computationally slow, decreased transmission speed, increased processing time
Symmetric key encryption Insecure transmission lines
Uses symmetric key encryption to encrypt document
Uses public key encryption to encrypt and send symmetric key
Slide 5-25
Copyright © 2011 Pearson Education, Inc.
Creating a Digital Envelope
Figure 5.10, Page 292
Slide 5-26
12-28© 2007 Prentice-Hall, Inc
Public Key Deception Impostor
“I am the True Person.”
“Here is TP’s public key.” (Sends Impostor’s public key)
“Here is authenticationbased on TP’s private key.”
(Really Impostor’s private key)
Decryption of message from Verifierencrypted with Impostor’s public key,
so Impostor can decrypt it
Verifier
Must authenticate True Person.
Believes now has TP’s public key
Believes True Personis authenticatedbased on Impostor’s public key
“True Person,here is a message encryptedwith your public key.”
CriticalDeceptio
n
Copyright © 2010 Pearson Education, Inc. Slide 5-29
http://swiki.fromdev.com/2009/11/ssl-is-not-secure-anymore-serious.html
12-30© 2007 Prentice-Hall, Inc
Digital Signatures and Digital Certificates
Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature
DS Plaintext
Applicant
Verifier
Certificate Authority
DigitalCertificate:True Party’sPublic Key
Copyright © 2011 Pearson Education, Inc.
Digital Certificates and Public Key Infrastructure (PKI)
Digital certificate includes: Name of subject/company Subject’s public key Digital certificate serial number Expiration date, issuance date Digital signature of CA
Public Key Infrastructure (PKI): CAs and digital certificate procedures PGP http://www.pgpi.org/
Slide 5-31
Copyright © 2011 Pearson Education, Inc.
Digital Certificates and Certification
Authorities
Figure 5.11, Page 294
Slide 5-32
Copyright © 2011 Pearson Education, Inc.
Limits to Encryption Solutions
Doesn’t protect storage of private keyPKI not effective against insiders, employeesProtection of private keys by individuals may be
haphazard
No guarantee that verifying computer of merchant is secure
CAs are unregulated, self-selecting organizations
Slide 5-33
Insight on Society: Class Discussion
Web Dogs and Anonymity
What are some of the benefits of continuing the anonymity of the Internet?
What are the disadvantages of an identity system?
Are there advantages to an identity system beyond security?
Who should control a central identity system?
Copyright © 2012 Pearson Education, Inc. Slide 5-35
Securing Channels of Communication Secure Sockets Layer (SSL):
Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encrypted
Virtual Private Network (VPN): Allows remote users to securely access internal
network via the Internet
Copyright © 2012 Pearson Education, Inc. Slide 5-36
Secure Negotiated Sessions Using SSL
Figure 5.12, Page 303
Copyright © 2012 Pearson Education, Inc. Slide 5-37
Protecting Networks Firewall (Guarded Gate)
Hardware or softwareUses security policy to filter packetsTwo main methods:
Packet filters Application gateways
Proxy servers (proxies)Software servers that handle all communications
originating from or being sent to the Internet
Copyright © 2012 Pearson Education, Inc. Slide 5-38
Firewalls and Proxy Servers
Figure 5.13, Page 306
Copyright © 2012 Pearson Education, Inc. Slide 5-39
Copyright © 2011 Pearson Education, Inc.
Protecting Servers and Clients
Operating system security enhancements Upgrades, patches
Zero Day attacks
Anti-virus software: Easiest and least expensive way to prevent threats to system
integrity
Requires daily updates
http://www.umfk.edu/it/downloads.cfm
Slide 5-40
Management Policies, Business Procedures, and Public Laws
U.S. firms and organizations spend 14% of IT budget on security hardware, software, services ($35 billion in 2010)
Managing risk includesTechnologyEffective management policiesPublic laws and active enforcement
Copyright © 2012 Pearson Education, Inc. Slide 5-41
A Security Plan: Management Policies Risk assessment Security policy Implementation plan
Security organization Access controls Authentication procedures, including biometrics Authorization policies, authorization management
systems
Security audit
Copyright © 2012 Pearson Education, Inc. Slide 5-42
Developing an E-commerce Security Plan
Figure 5.14, Page 308
Copyright © 2012 Pearson Education, Inc. Slide 5-43
Copyright © 2011 Pearson Education, Inc.
The Role of Laws and Public Policy
Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals: National Information Infrastructure Protection Act of 1996 USA Patriot Act Homeland Security Act
Private and private-public cooperation CERT Coordination Center http://www.cert.org/ US-CERT http://www.us-cert.gov/ncas/current-activity/
Government policies and controls on encryption software
OECD guidelines OECD_Cyber_Security.pdf
Slide 5-44
Types of Payment Systems Cash
Most common form of payment Instantly convertible into other forms of value
Checking transfer Second most common payment form in United States
Credit card Credit card associations Issuing banks Processing centers
Copyright © 2012 Pearson Education, Inc. Slide 5-47
Types of Payment Systems (cont.)
Stored valueFunds deposited into account, from which funds are
paid out or withdrawn as needed, e.g., debit cards, gift certificates
Peer-to-peer payment systems
Accumulating balanceAccounts that accumulate expenditures and to
which consumers make period paymentse.g., utility, phone, American Express accounts
Copyright © 2012 Pearson Education, Inc. Slide 5-48
Payment System Stakeholders’ Priorities Consumers
Low-risk, low-cost, refutable, convenience, reliability
Merchants Low-risk, low-cost, irrefutable, secure, reliable
Financial intermediaries Secure, low-risk, maximizing profit
Government regulators Security, trust, protecting participants and enforcing
reporting
Copyright © 2012 Pearson Education, Inc. Slide 5-51
E-commerce Payment Systems
Credit cards45% of online payments in 2011 (U.S.)
Debit cards28% online payments in 2011 (U.S.)
Limitations of online credit card paymentSecurity, merchant riskCostSocial equity
Copyright © 2012 Pearson Education, Inc. Slide 5-53
How an Online Credit Transaction Works
Figure 5.16, Page 319
Copyright © 2012 Pearson Education, Inc. Slide 5-54
E-commerce Payment Systems (cont.)
Digital wallets Emulates functionality of wallet by authenticating
consumer, storing and transferring value, and securing payment process from consumer to merchant
Early efforts to popularize failed Latest effort: Google Checkout
Digital cash (David Chaum) Value storage and exchange using tokens Most early examples have disappeared; protocols and
practices too complex
Copyright © 2012 Pearson Education, Inc. Slide 5-55
E-commerce Payment Systems (cont.)
Online stored value systemsBased on value stored in a consumer’s bank,
checking, or credit card accountPayPalSmart cards
Contact—use card reader Contactless
e.g., EZPass, Octopus card (Hong Kong) Radio Frequency ID (RFID) Near Field Communications (NFC)
Copyright © 2012 Pearson Education, Inc. Slide 5-56
E-commerce Payment Systems (cont.)
Digital accumulated balance payment:Users accumulate a debit balance for which they
are billed at the end of the monthPaymentsPlus, BillMeLater
Digital checking:Extends functionality of existing checking
accounts for use onlinePayByCheck, EBillMe
Copyright © 2012 Pearson Education, Inc. Slide 5-57
Mobile Payment Systems Use of mobile handsets as payment devices
well-established in Europe, Japan, South Korea Japanese mobile payment systems
E-money (stored value) Mobile debit cards Mobile credit cards
Not as well established yet in United States Infrastructure still developing Apple, Google, RIM developing separate NFC systems
Copyright © 2012 Pearson Education, Inc. Slide 5-58
Electronic Billing Presentment and Payment (EBPP)
Online payment systems for monthly bills 30% + of households in 2010 used some
EBPP; expected to continue to grow Two competing EBPP business models:
Biller-direct (dominant model) Consolidator
Both models are supported by EBPP infrastructure providers
Copyright © 2012 Pearson Education, Inc. Slide 5-59