1 chapter 8: security in electronic commerce it357 electronic commerce
TRANSCRIPT
![Page 1: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/1.jpg)
1
Chapter 8: Security in Electronic Commerce
IT357 Electronic Commerce
![Page 2: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/2.jpg)
4 July 2008 IT 357 - Chapter 7 2
Security in Electronic Commerce
• Security concerns• Secure commerce requirements• Security facilities in the EC environment
– Secure file/information transfers– Secure Transactions– Security on web servers and enterprise networks.
![Page 3: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/3.jpg)
4 July 2008 IT 357 - Chapter 7 3
Security Concerns
• Accessing unauthorized network resources• Destroying information and network resources• Altering, inserting and modifying information• Disclosing information to unauthorized people• Causing network service disruption• Stealing information and resources• Denying services received or information sent or
received.• Claiming to have provided services that have not
been given.
![Page 4: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/4.jpg)
4 July 2008 IT 357 - Chapter 7 4
Secure commerce requirements
• Authentication– Involves the ability of individual organization or computer to prove
its identity.– Based on:
• Passwords• Keys/cards• Finger prints• Trusted third party authentication • PIN
• Authorization– Control of access to particular information once the identity has
been verified.– Meant to limit the actions that authenticated parties can perform.– ACL example: screens shown to a user will only show links or
buttons that a person is authorized to access.
![Page 5: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/5.jpg)
4 July 2008 IT 357 - Chapter 7 5
Cont’d: Secure commerce requirements
• Confidentiality
– Involves the secrecy of data and the protection of data from unauthorized access.
– Must ensure:• Information cannot be read copied or modified without
authorization
• Communication cannot be intercepted
– Encryption techniques are used
In the news !!! June 23, 2008, 07:46 PM CNET employees notified after data breach
Source: http://www.itworld.com/news/53276/cnet-employees-notified-after-data-breach
![Page 6: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/6.jpg)
4 July 2008 IT 357 - Chapter 7 6
Cont’d: Secure commerce requirements
• Integrity– Protection of data from modification either while in transit or
in storage.– Integrity services must protect against additions, deletions
and reordering of data.
• Non repudiation of origin– Protection against a party in a transaction or communication
activity in which one of the parties later denies that such an activity occurred.
![Page 7: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/7.jpg)
4 July 2008 IT 357 - Chapter 7 7
Security Facilities in an EC environment
• Secure file/ information transfers• Secure transactions• Secure enterprise networks• Secure File Transfer
– Popular protocols:• HTTPS is the de facto standard
• Secure HyperText Transfer Protocol is an alternative but not widely used
![Page 8: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/8.jpg)
4 July 2008 IT 357 - Chapter 7 8
Cont’d: Security Facilities: Secure file/ information transfers
Symmetric encryption
• Uses a shared key for both encryption and decryption.• All parties must trust each other.• Eavesdropping might pose problems.• Distribution of the keys pose problems.• DES (Data Encryption Standard)
– Mostly used in e-mails and exchanges that do not require tight security
– DES Cracker, managed to break DES in less than 3 days
• Triple DES– Has the advantage of proven reliability and a longer key length
• AES (Advanced Encryption Standard)– adopted as an encryption standard by the U.S. government
Sources: http://www.tropsoft.com/strongenc/des3.htm
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
![Page 9: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/9.jpg)
4 July 2008 IT 357 - Chapter 7 9
Cont’d: Security Facilities: Secure file/ information transfers
Asymmetric encryption / PKI (Public Key Infrastructure)
• Uses two keys - one to encrypt and a different one to decrypt
• The two keys are mathematically related• Data encrypted by one can only be decrypted by the
other• One of the pair of keys (public key) is made known to
other parties .• The other is secretly held by the individual (private
key)• RSA - the best known public key encryption
algorithm.
![Page 10: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/10.jpg)
4 July 2008 IT 357 - Chapter 7 10
Cont’d: Security Facilities: Secure file/ information transfers
Public key encryption
Public Key - example
![Page 11: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/11.jpg)
4 July 2008 IT 357 - Chapter 7 11
Cont’d: Security Facilities: Secure file/ information transfers
Digital Certificate
• An electronic “credit card” or “wallet”• Establishes the credentials of an entity on the web.• Issued by a certification authority (CA) - E.g.
VeriSign.• Contains
• Name• A serial number • Expiry date• A copy of the certificate holder’s public key - for encryption and
decryption• Digital signature of the certification authority - to verify that the
certificate is real.
![Page 12: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/12.jpg)
4 July 2008 IT 357 - Chapter 7 12
Cont’d: Security Facilities: Secure file/ information transfers
Digital Signature
• An electronic signature to authenticate the identity of the sender.
• Also ensures that the original content of the message is unchanged.
• Example: An e-Will– You copy and paste the will into an e-mail.– A special software obtains a message hash - a mathematical
summary.– You use your private key to encrypt the hash– The encrypted hash becomes your digital signature.– Different for different messages sent by you.– The lawyer receives the message.– He makes a hash of the received message.– He uses your public key to decrypt the signature to a hash.– If the hashes match the message is valid.
A hash function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer, that may serve as an index into an array.
Source: http://en.wikipedia.org/wiki/Hash_function
![Page 13: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/13.jpg)
4 July 2008 IT 357 - Chapter 7 13
Cont’d: Security Facilities: Secure file/ information transfers
SHTTP vs. SSL
• Both provide encryption techniques using RSA (Ron Rivest, Adi Shamir, and Leonard
Adleman) algorithm.• SSL works at the transport layer while SHTTP works at the application layer.• SSL is simpler than SHTTP. • SHTTP
– supports more services such as firewalls and digital signatures– A secure extension of HTTP developed by CommerceNet consortium– Offers security techniques and encryption with RSA methods.– Incorporates cryptography at the application level.– Uses public key private key encryption or asymmetric encryption.
• SSL– Developed by Netscape.– Works at the transport layer.– All servers are authenticated – Clients are optionally authenticated.– Application independent.– HTTP FTP and Telnet can be placed on top of SSL.– Provides channel security through a message integrity check with hash functions.
![Page 14: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/14.jpg)
4 July 2008 IT 357 - Chapter 7 14
Cont’d: Security Facilities: Secure file/ information transfers
SSL
• Three part process – Information is encrypted to prevent unauthorized access.– Information is authenticated to ensure that it is sent by the right parties.– Integrity checks to ensure that data is not altered from source to sink.– SSL illustration
• Customer requests to purchase.• Company responds with its public key.• The customer’s browser uses the public key to encrypt sensitive information.• The data is decrypted by the company browser using its private key.• Process transparent to the users as it is handled by the browser.
• SSL/TLS– SSL was developed by Netscape and soon after the Internet Engineering Task Force
(IETF) developed SSL 3.0• SSL/TLS Drawback
– Increased processor load: most significant drawback to implementing SSL/TLS. – Administrative overhead: An SSL/TLS environment is complex and requires
maintenance; the system administrator needs to configure the system and manage certificates.
Source: http://technet2.microsoft.com/windowsserver/en/library/1b6b0dfa-a7a0-4cc2-adc6-f9dda2bd7e601033.mspx?mfr=true
![Page 15: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/15.jpg)
4 July 2008 IT 357 - Chapter 7 15
Security Facilities Secure transactions
• Secure transaction protocols are narrowly focused.• Popular protocols:
• Secure Electronic Payment Protocol• Secure Transaction Technology• Secure Electronic Transaction
• SET– Shares a lot in common with SEPP.– Touted as the protocol of the future.– A combination of an application level protocol and recommended
procedures for handling credit card transactions over the net.– Designed for cardholders, merchants and banks/card processors.– Covers certification of all parties as well as encryption and authentication.– Requires an individual to possess a digital certificate for each credit card
he/she plans to use.– Requirements:
• SET enabled browser for the customer• SET enabled server for the transaction provider.
![Page 16: 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce](https://reader036.vdocuments.net/reader036/viewer/2022082517/56649e175503460f94b03327/html5/thumbnails/16.jpg)
4 July 2008 IT 357 - Chapter 7 16
Security Facilities Secure transactions
• SET Drawbacks• SET Critical mass of credit card users for SET usage required.
• Digital certificates distribution is time consuming.
• Issues in certification such as revocations, cancellations and handling of PIN losses not sorted out.
• Full text encryption makes the process slower.