secrity project keyvan
DESCRIPTION
security in ecommerceTRANSCRIPT
1
Security in Electronic Commerce
Keyvan vahidy
Graduate student
Collage nooretouba
Stno:8861097
1389
Security in e-commerce a subset of the overall security suite security issues surrounding the transfer, storage, data recovery
Security in e-commerce issues such as threats, risks facing
Network and Internetwork Security refer to measures needed to protect data during its transmission from one computer to another in a network or from one network to another in an internetwork.
abstract
Cryptography Principles of encryption, the encryption
Privacy Authenticity
Determines who canread the message
Determines who canwrite the message
• Prevent forgery• Prevent alteration
• Prevent eavesdropping• Prevent tracing
Goals of Cryptography
mechanismsCryptography
Mechanisms Cryptography types
Type Method Symmetric
Cryptography Symmetric Key to encrypt, decrypt equal
Method Symmetric two type:
Stream cipher
Block cipher
Type Method Symmetric
Block cipher
Stream cipher
Type Method Symmetric
Stream cipher a string of data to continuously receive the encrypted
Stream advantages: Diffusion Immunity insertations &
modifications Stream disadvantages.: Slow encryption
Error propagation
Type Method Symmetric
Block cipher Into every block of data to which the blocks are individually password
Block advantages: Speed of
transformation Low error propagation Block disadvantages.: Low diffusion
Malicious insertations & modifications possible
Encryption algorithms for security
AES
Two kinds of widely known Encryption algorithms : DES
Released by NBS in 1976, based on ‘Lucifer’
Combination of substitution and transposition
16 iterations with 56-bit key (64) Based on diffusion and confusion
(Shannon) Supported then adopted by NSA Can be broken (in 22 hours, parallel
attack) Key length dilemma, new algorithm to
be AES
Data Encryption Standard (DES)
Data Encryption Standard (DES)
Firstly the IP (explained below) is applied to the 64 bit plaintext. The result is then divided into two 32 bit halves, named L0 and R0. Then, the following happens 16 times:
Key transformation number i (a permutation, but dropping 8 bits off - defined in the specification) is applied to the key to produce 48 bits.
Apply the function f(Ri,Ki+1) (explained below) to produce a 32 bit output.
Exclusive OR Li and f(Ri,Ki+1), and call this Ri+1.
Make Li+1 = Ri
Data Encryption Standard (DES)
1978. By Rivest-Shamir-Adelman ) is a popular asymmetric key encryption standard.
Difficulty of determinating prime factors It is based on number theory (more
specifically the difficulty in factorizing a large number).
The key size ranges between 512 and 2048 bits.
It is used in many e-commerce applications such as the Secure Electronic Transaction (SET) protocol for credit card payment.
RSA Encryption
Picks two large prime numbers p and q
Multiplies p and q to obtain n Chooses d, such that d and
w=(p-1)(q-1) are relatively prime (no common factor).
Chooses e such that 1 = d x e mod w
Public key is: <e, n> Private key is: <d, n> Message code m, secret
code c c = me mod n m = cd mod n
RSA Encryption
Public Key
Only the decryption key is kept secret. The encryption key is made public.
Each user has two keys, one secret and one public. Public keys are maintained in a public directory. To send a message M to user B, encrypt using the
public key of B. B decrypts using his secret key. Signing Messages For a user Y to send a signed message M to user X. Y encrypts M using his secret key.
X decrypts the message using Y’s public key.
Public Key
Public Key Infrastructure(PKI)
A set of technologies and procedures to enable electronic authentication
Uses public key cryptography and digital certificates
Certificate life-cycle management
Many products from many vendors are available for certificate issuance and some management functions
Interoperability is a big issue -- especially when it comes to policies
Enabling the use of PKI in applications is limited today
Building and managing policies is the least understood issue
Public Key Infrastructure(PKI)
Public Key Infrastructure(PKI)
Authentication and registration of certificate applicants
System administration and access to signing keys
Application use and interfacing Trust between hierarchies Trust decisions to be made at different points
within the application need different views Certificate fields, authorization and allowed
use is really the hardest issue Authorization policies for management of CAs
and RAs
Public Key Infrastructure(PKI)
RA Zone
DMZ (DM Zone)
CA Zone
Internet
InternetApplications
CertificateRequest
Web Servers
CertificateDirectory
RAStations
CAStations
RA DB
Switchedsegment
StatusQuery
CertificateRequest
Store new certificate,CRL Update
CA DB
FIGURE 1: PKI SYSTEM BLOCK DIAGRAM[Numeric labels correspond to list above]
1 2 3
4
7
5
8
RAO Zone
RAO Stations(Operators at Consoles)
6
Basic idea (using symmetric key
encryption):•Suppose that the sender and receiver share a large random number (i.e. a secret).•The secret is attached to the message for finding the message digest.•The message (without the secret) together with the message digest is sent.
Message authentication code (MAC)
Viruses
Trojan h
computer worms
And,….
Malicious programs
Unauthorized software being run
Games Widely distributed
software Shareware Freeware Distributed software
Viruses
Trojan horse
A Trojan horse, or Trojan, is that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user's computer system
a computer worm is a self-replicating. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwith, whereas viruses almost always corrupt or modify files on a targeted computer
computer worm
Firewalls
A firewall is a barrier placed between the private network and the outside world.
All incoming and outgoing traffic must pass through it.
Can be used to separate address domains. Control network traffic. Cost: ranges from no-cost (available on the
Internet) to $ 100,000 hardware/software system.
Types: Router-Based Host Based
Circuit Gateways
View of a Firewall
Use programmable routers
Control traffic based on IP
addresses or port
information.
Never allow in-
band programming via Telnet to a firewall router.
Firewall routers should never
advertise their
presence to
outside users.
Firewall Types(Router-Based)
Use a computer instead of router.
More flexible (ability to log all activities)
Works at application level
Use specialized software applications and service proxies.
Need specialized programs, only important services will be supported.
Firewall Types(Host-Based)
How to communicate securely:
SSL – “the web security protocols”
IPSEC – “the IP layer security protocol”
SMIME – “the email security protocol”
SET – “credit card transaction security protocol”
S-HTTP – “Secure Hypertext Transfer Protocol”
Others …
Secure Protocols
Negotiates and employs essential functions for secure transactions
Mutual Authentication Data Encryption Data Integrity
Operates between application and transport layers
SSL
HTTP NNTP
Web Applications
FTP TelnetFutureApps
Etc.
TCP/IP
SSL
Man in the middle
Spoofing attacks
Replay attacks and transaction freshness
Negotiation attacks
Snooping attacks
SSL and Security Attacks
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network),
IP SEC
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard public key encryption and signing of mime data. S/MIME is on an IETF Standard Track and defined in a number of documents, most importantly RFCs. S/MIME was originally developed by RSA Data security Inc.
Change control to S/MIME has since been vested in the IETF and the specification is now layered on cryptography Message Syntax, an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern e-mail software and interoperates between them.
SMIME
SET standard two companies by VISA, Master card with the aim of ensuring security in the credit transaction year 1997 was introduced
Privacy information: credit card numbers of buyers see the seller remains hidden (using DES)
Cardholder authentication: digital signatures with certificates X.509v3
Authentication vendor: Digital signature certificate X.509v3
SET
Maintain confidentiality and purchase order payment information
Owner authentication Azaynrvkh cardholder authentication of a legitimate user is using a credit card account
Maintain the integrity of data transferred kidney
Ensure the safety of data transferred all Seller to provide authentication for the
transaction Ensure the best security techniques and
systems designed to protect all existing laws on electronic commerce transactions
Goal SET
Dual Signature(SET)
Security on application layer
Protection mechanism:
Digital Signature Message
authentication Message encryption Support private &
public key cryptograph Enhanced HTTP data
exchange
S-HTTP
Operate on application layer Encryption and digital signature Work only with (HTTP) Application dependant More secure than SSL at end point
even after data transfer No particular cryptographic system Multiple times encryption
S-HTTP
E-mail is the most widely used application in the Internet.
Who wants to read your mail ?
Business competitors Reporters,Criminals Friends and Family Two approaches are
used: PGP: Pretty Good Privacy PEM: Privacy-Enhanced
Electronic Mail Security
E-mail Security(PGP)
Available free worldwide in versions running on: DOS/Windows Unix Macintosh
Based on: RSA IDEA MD5
E-mail Security(PEM)
A draft Internet Standard (1993). Used with SMTP. Implemented at application layer. Provides:
Disclosure protection Originator authenticity Message integrity
Transaction Security
Card holder (Card
Holder): user
owns a credit card
Vendor (Mercha
nt): person
or organiza
tion intending
to sell their
goods through
the Internet
Card issuer
(Issuer): financial institutions such
as banks that
issue cards to
users and
does pay the user charge against him is buying
Agents participating in a Transaction
Agents participating in a Transaction
Financial Audit Institute (Acquirer): A financial institution required with the following tasks:
Open an Account for Sellers Ceiling set and enabled them credit cards Deposit amount received by the card vendor
account Payment Gateway (Payment Gateway):
processing messages and vendor payments by the Acquirer or the third person
Reference Certification (CA): X509 certificate issuer for cards owners, sellers, and payment gateway
Verify all certificates Decrypt the digital
license to obtain and decrypt the symmetric key block
Verify the sign vendor Decrypt digital pay to
obtain and decrypt the symmetric key block
Verify the signature block double payment
Requested and received permission Sender
Payment Gatway
Authorization response message
Related License Information
Recording information signs
Certificate
Customer Account
Order Buying(Customer)
Order Customer(Merchant)
Thank you for your attention dear