electronic commerce security. full implementation of electronic commerce security requires security...
DESCRIPTION
Security policyTRANSCRIPT
![Page 1: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/1.jpg)
Electronic Commerce Security
![Page 2: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/2.jpg)
Electronic Commerce Security
Full implementation of electronic commercesecurity requires• Security policy• Authentication• Assurance(Encryption)• Web site security• Secured payment methods
![Page 3: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/3.jpg)
Security policy
![Page 4: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/4.jpg)
Security Policies
• A security policy defines what is considered valuable and specifies what steps are to be taken to protect those assets.
• It makes clear what is being protected and why.
• It clearly states the responsibility for that protection.
![Page 5: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/5.jpg)
• It provides a ground on which to interpret and resolve conflicts that arise.
• It should be general and changes slowly over time.
Security Policies
![Page 6: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/6.jpg)
Security Policies
• Standards– Standards are intended to codify successful
practice of security in an organization.– They should change slowly over time.– They should be general.– They change more often than standards.– They may be violated, if necessary.
![Page 7: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/7.jpg)
• Guidelines– Guidelines interpret standards for a particular
environment.– They are specific to particular machines or
situations.
Security Policies
![Page 8: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/8.jpg)
Risk Assessment
• Before making security policies, we must determine the following:– What to protect– What to protect from– How to protect it
![Page 9: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/9.jpg)
• Basic goals of security:– Availability: Service not denied to rightful user– Confidentiality: Information not accessible to
unauthorized users– Integrity: Data not tempered with
• Elements of risk analysis:– Identifying assets– Identifying threats
Risk Assessment
![Page 10: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/10.jpg)
Risk Assessment
• Cost of loss– cost of repairing and replacements– cost of company reputation
• Cost of prevention– cost of buying/installing additional software– cost of additional employee training
Cost-Benefit Analysis
![Page 11: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/11.jpg)
• Adding up the numbers– Know the cost of predicted loss, cost of
prevention and the probability of event occurrence.
– Multiply each cost by its probability and determine the priority of their importance.
Risk Assessment
![Page 12: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/12.jpg)
Identifying Assets
Use the CISTM site as an example• Network
– In the Beckman Institute domain– Connected through Ethernet Fiber Optic
![Page 13: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/13.jpg)
• Hardware– Dell PowerEdge 6300 server– IBM RS/6000 server
• Software– Operating system: Windows NT 5.0 Server on
the Dell computer/AIX 4.3 on the IBM computer
Identifying Assets
![Page 14: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/14.jpg)
– Web server: Microsoft Internet Information Server/Lotus Domino server
• Data– Web content– Course material– Research material
Identifying Assets
![Page 15: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/15.jpg)
• People– Administrators– Privileged users: researchers from the center– Ordinary users: students from classes
Identifying Assets
![Page 16: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/16.jpg)
Identifying Threats
Typical threats include:• Unauthorized access• Disclosure of information• Denial of service
![Page 17: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/17.jpg)
Unauthorized Access
• Intruders gain access as administrators• They will be able to change content, delete
files/users, etc• It is the highest security breach
![Page 18: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/18.jpg)
Disclosure of Information
• Materials not published on the public WWW are disclosed. Achieved by breaking into the host machine
• Interception of network data sent from browser to server or vice versa. Achieved through network eavesdropping.
![Page 19: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/19.jpg)
• Eavesdroppers can operate from any point on the pathway between browser and server including: – The network on the browser's side of the
connection. – The network on the server's side of the
connection (including intranets).
Disclosure of Information
![Page 20: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/20.jpg)
– The end-user's Internet service provider (ISP). – The server's ISP. – Either ISPs' regional access provider.
Disclosure of Information
![Page 21: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/21.jpg)
Denial of service
• Attackers cripple the system by jamming or sending virus
• Users that reply on the system to perform their jobs are denied service
![Page 22: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/22.jpg)
Access Control• Access control refers to the regulation of
access to the system to prevent unauthorized or unwanted access.
• Software programs such as firewall provide an effective means to control access by setting up a filter through which incoming and outgoing packets must pass.
![Page 23: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/23.jpg)
• A policy must be made stating what resource is available to whom.
• Each user is assigned appropriate level of read/write/execute access..
Access Control
![Page 24: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/24.jpg)
• Physical aspects of network security must also be considered.– Computers should be physically secured.– Physical access to devices should be regulated
Access Control
![Page 25: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/25.jpg)
Data Integrity
• Protection of the information from being altered without the permission of the owner of the information.
• The word information may include items such as financial account records, passwords, private documents, and credit card numbers.
![Page 26: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/26.jpg)
Data Integrity
• Prevention: – read-only file systems
• Detection of changes: – comparison copies– checksum– message digest
![Page 27: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/27.jpg)
Data Integrity• Data can be protected by using read-only
file systems.• Benefits
– Only need to do backup once.– No need to run periodic scan on these files as
their contents will not change.– No need to set disk quota since the file size
grows in a monitored way.
Prevention
![Page 28: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/28.jpg)
• Drawbacks– User data is too volatile for read-only media.– The entire disk must be read-only which can
cause waste of space.– A machine will need two disks, one for user-
files and one for the read-only files.
Data Integrity
![Page 29: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/29.jpg)
Data Integrity
• Comparison Copies: Keep a copy of the unaltered data and check periodically.
• Benefit of comparison copies: – It is the most certain method.– An altered version can be recovered simply by
a replacement of the stored copy.
Detection of Changes
![Page 30: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/30.jpg)
• Drawback of comparison copies:– Requires twice as much storage as the original
file.– It might involve the violation of copyright or
license of certain files that allow only one copy.
Data Integrity
![Page 31: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/31.jpg)
Data Integrity
• Checksum– Store the checksum of the files and check
periodically for possible alterations. – However, files can sometimes be altered with
the preservation of its checksum. – A stronger mechanism such as message digests
should be used to generate a checksum that is not easily spoofed.
Detection of Changes
![Page 32: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/32.jpg)
• Message digest– a special number produced by a function that is
very difficult to reverse. – The function is designed so that a small change
in input may result in large change in output– It can be used to verify whether the content of
file has been changed.
Data Integrity
![Page 33: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/33.jpg)
Privacy/Confidentiality
• Protect the data from being read or copied by unauthorized users.
• Items to be protected include credit card numbers, personal information, etc.
![Page 34: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/34.jpg)
• Common types of data piracy:– packet sniffing– eavesdropping
• Data encryption is an effective way to protect data privacy.
Privacy/Confidentiality
![Page 35: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/35.jpg)
Policy Issues
Who is allowed to use the resource• Researchers (professor, grad students in the
center)
![Page 36: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/36.jpg)
Who may have system administrationprivileges• Grant only enough privilege to accomplish
the necessary task• On the other hand, people must be given
admin rights to get their jobs done
Policy Issues
![Page 37: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/37.jpg)
Handling an Incident
• All security-related sites should have a policy for handling an incident made in advance. Otherwise the activities taken might lose focus.
![Page 38: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/38.jpg)
• Steps to be taken when handling an incident:– Notification and exchange of information– Protecting evidence and activity logs– Containment - limit the extent of an attack– Eradication– Recovery– Follow-up
Handling an Incident
![Page 39: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/39.jpg)
Other Resources• CERT(TM) Advisory
– Send mail to: [email protected]– Message Body: subscribe cert <FIRST NAME>
<LAST NAME>• VIRUS-L List
– Send mail to: listserv%[email protected]
– Message Body: subscribe virus-L FIRSTNAME LASTNAME
![Page 40: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/40.jpg)
• Internet Firewalls– Send mail to: [email protected]– Message Body: subscribe firewalls user@host
Other Resources
![Page 41: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/41.jpg)
Authentication
![Page 42: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/42.jpg)
Authentication
• Definition: The process of identifying a user.
• Three classical ways of proving an identity:– user provides some information, such as
passwords– user shows something, such as card key– measure something about the user, such as
fingerprint
![Page 43: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/43.jpg)
• Effective ways to enforce authentication:– One-time passwords: passwords are used only
once– Kerberos
Authentication
![Page 44: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/44.jpg)
Kerberos
• Created in MIT• Provides real-time authentication in an
insecure distributed environment
![Page 45: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/45.jpg)
How does Kerberos work?
• Authentication– Users or services get “tickets” used to identify
themselves• Ticket, a sequence of a few hundred bytes,
can be imbedded or forwarded• Encryption
– Secret, cryptographic keys for secure communication with network resources
![Page 46: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/46.jpg)
Authentication Process
Step 1A client sends a request to the authentication server, requesting “credentials” for a given application server.The credentials can be directly for an application server or for a Ticket Granting Server
![Page 47: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/47.jpg)
Step 2The authentication server responds with these credentials, encrypted in the client’s key.The credentials consist of the following:– A “ticket” for the server– A temporary encryption key (session key)
Authentication Process
![Page 48: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/48.jpg)
Step 3If the ticket is for a Ticket Granting Server, client requests a ticket for the application server from the TGS
Authentication Process
![Page 49: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/49.jpg)
Step 4The Ticket Granting Server replies with a ticket for the application server
Authentication Process
![Page 50: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/50.jpg)
Step 5The client transmits the ticket (which contains client’s identity and a copy of session key)
Authentication Process
![Page 51: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/51.jpg)
Step 6The session key, now shared by client and application server, is used to authenticate the client, and can be used to authenticate the server
Authentication Process
![Page 52: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/52.jpg)
1 23
4
5
6
Kerberos Authentication Server
Kerberos Ticket Granting Server
Kerberos Client
Kerberos Application Server
![Page 53: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/53.jpg)
Assurance (Encryption)
![Page 54: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/54.jpg)
Encryption
• One Way Function• Private key• Public key• DES• RSA
![Page 55: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/55.jpg)
One way Function
• Traditional login: – User logs in with password– Host compares it with stored password– Drawback: host can be broken into and
password can be stolen
![Page 56: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/56.jpg)
• With one-way function– Host stores results from one-way functions of
the password– User logs in with password– Host performs one-way function on the entered
password– Host compares result of one-way function with
the value it stored
One way Function
![Page 57: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/57.jpg)
• Advantage of one-way function: – host does not need to know the password– So the password can not be stolen
• Why one-way function works:– Definition: easy to compute f(x) from x but
difficult to compute x from f(x)– Example: Smashing a plate is easy; hard to put
the pieces together
One way Function
![Page 58: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/58.jpg)
Private Key Encryption
• Also called symmetric key • The same key is used both for encryption
and decryption• Encryption will be broken if the key is
stolen
![Page 59: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/59.jpg)
Real World Example of Private key Encryption
Data Encryption Standard (DES)• A 64-bit block of plaintext foes in one end of
the algorithm• A 64-bit clock of ciphertext comes out the
other end• It is symmetric since same algorithm and key
are used for both encryption and decryption
![Page 60: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/60.jpg)
• Key length is usually 56 bits• DES is somewhat old fashioned and not so
secure any more
Real World Example of Private key Encryption
![Page 61: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/61.jpg)
Public Key Encryption
• Also called asymmetric key• Two different keys: public one and private
one• Computationally hard to deduce the private
key from the public key• Anyone with the public key can encrypt a
message but not decrypt it
![Page 62: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/62.jpg)
• Only the person with the private key can decrypt the message
Public Key Encryption
![Page 63: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/63.jpg)
Real World Example of Public Key encryption
RSA• The easiest and safest public key algorithm
today• Relies on the “presumed” difficulty of
factoring large numbers• RSA’s security is never proved or
disproved by mathematicians
![Page 64: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/64.jpg)
• How it works:– 1. Choose two random large prime numbers p
and q. n=p*q.– 2. Randomly choose encryption key e, such
that e and (p-1)(q-1) are relatively prime– 3. Calculate decryption key d=e-1mod((p-1)(q-
1))– 4. e and n are public key; d is private key
Real World Example of Public Key encryption
![Page 65: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/65.jpg)
Digital Signature
• Digital signature must have the following properties:– Authentic– Unforgeable– Not reusable– The signed document must be unalterable– can not be repudiated
![Page 66: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/66.jpg)
• How digital signatures work– The opposite of public key encryption– 1. Alice encrypts document with private key,
thereby signing the document– 2. Alice sends signed document– 3. Bob decrypts it with public key, thereby
verifying it
Digital Signature
![Page 67: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/67.jpg)
• Combining digital signature with encryption– 1. Alice signs document with private key– 2. Alice encrypts signed message with Bob’s
public key and sends to Bob– 3. Bob decrypts with his private key– 4. Bob verifies with Alice’s public key
Digital Signature
![Page 68: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/68.jpg)
Web Site Security
![Page 69: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/69.jpg)
Type of Threats
From the part on “Security Policy”, we learned that typical threats include:• Unauthorized access• Disclosure of information• Denial of service
![Page 70: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/70.jpg)
Security Problems
Specific problems for web site administration• Access points to the web server can be
compromised:– Local area network links– Dialup telephone line– Internet
![Page 71: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/71.jpg)
• Misconfigured systems– Misconfigured systems form a large percentage
of security problems– Today’s operating system and software are too
complex for non-specialists to manage
Security Problems
![Page 72: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/72.jpg)
Protecting the System
• Through Controls – Once we Reconfigured the system, we added
controls• Through Network Connections:
– Firewall– Gateway
![Page 73: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/73.jpg)
• Through Encryption– Hardware and software– Communications
• Through Logging Activities– Recognize unauthorized activities through the
audit trail logging service provided by web servers
Protecting the System
![Page 74: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/74.jpg)
Audit Trails
Help system administrators track security violations and break-in attempts
![Page 75: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/75.jpg)
Firewall
• Definition: collection of components that is placed between two networks
• Properties:– All traffic in either direction must pass through
the firewall– Only traffic authorized by the local security
policy will be allowed to pass– The firewall itself is immune to penetration
![Page 76: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/76.jpg)
• CGI security• Java security
More concerns
![Page 77: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/77.jpg)
CGI Security
CGI (Common Gateway Interface) scripts:• Used to add interactivity and functionality
to a web site• Execute user command on user input data• Major source of security holes
![Page 78: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/78.jpg)
How to Make CGI secure
• Never trust a script from outside source• To write CGI, compiled languages such as
C are safer than interpreted languages like Perl and shell scripts
• Place CGI scripts in a “wrapper”
![Page 79: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/79.jpg)
Java Security• Applet is a Java program that is run from
inside a web browser• Applets loaded over the net are prevented
from – reading and writing files on the client file system– making network connections except to the
originating host– starting other programs on the client.
![Page 80: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/80.jpg)
Secured Payment Methods
![Page 81: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/81.jpg)
Payment methods
Payment methods and their security features• Online credit card• Internet payment system• Smart card application
![Page 82: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/82.jpg)
Credit card transaction flow
Merchant
Consumer
Acquiring Bank
Issuing Bank
Interchange Network
1. Purchase
2. Authorization and Settlement
3. Clearing
4. Billing and Payment
![Page 83: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/83.jpg)
Online Credit Card Security
Two ways to implement security for onlinecredit card transaction:• Secure communication: Secure HTTP and
Secure Socket Layer (SSL)
![Page 84: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/84.jpg)
• Secure Electronic Transactions (SET): – Jointly developed by Visa and MasterCard to
provide secure credit card transactions over open networks like the Internet
Online Credit Card Security
![Page 85: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/85.jpg)
Flow of a SET Transaction
Merchant
Buyer with SET Wallet
Obtain Cardholder Certificate
SET Payment Gateway
Issuing Bank
Interchange Network (Visa, MasterCard)
Acquiring Bank
Obtain Merchant Certificate
3.Authorization
5. Settlement1. Order Description
4. Receipt2. Payment Request
![Page 86: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/86.jpg)
Internet Payment Systems
• First Virtual: http://www.fv.com• CyberCash: http://www.cybercash.com
![Page 87: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/87.jpg)
Smart Cards
An object the size of a plastic credit card that contains a processor, and an interface to the outside world
Benefits:• Portable storage• Secure storage: Secure and tamperproof
storage for all information stored on it
![Page 88: Electronic Commerce Security. Full implementation of electronic commerce security requires Security policy Authentication Assurance(Encryption) Web site](https://reader035.vdocuments.us/reader035/viewer/2022081507/5a4d1b617f8b9ab0599ad964/html5/thumbnails/88.jpg)
• Trusted execution environment: Not vulnerable to viruses and intrusion risks that plague desktop computers
Smart Cards