Chapter 8: Security in Electronic Commerce (IT357 Electronic Commerce)

Upload: marylou-gilbert

Post on 26-Dec-2015

4 July 2008 IT 357 - Chapter 7 2

Security in Electronic Commerce

• Security concerns
• Secure commerce requirements
• Security facilities in the EC environment
  – Secure file/information transfers
  – Secure transactions
  – Security on web servers and enterprise networks

Security Concerns

• Accessing unauthorized network resources
• Destroying information and network resources
• Altering, inserting and modifying information
• Disclosing information to unauthorized people
• Causing network service disruption
• Stealing information and resources
• Denying services received or information sent or received.
• Claiming to have provided services that have not been given.

Secure commerce requirements

• Authentication
  – Involves the ability of an individual, organization or computer to prove its identity.
  – Based on:
    • Passwords
    • Keys/cards
    • Fingerprints
    • Trusted third party authentication
    • PIN
• Authorization
  – Control of access to particular information once the identity has been verified.
  – Meant to limit the actions that authenticated parties can perform.
  – ACL example: screens shown to a user will only show links or buttons that a person is authorized to access.
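The ACL example above, as an added sketch that is not part of the original slides: the same access control list builds the screen and is checked again when the action is requested, because hiding a link does not stop a direct request. The roles, actions and menu entries are constructed for illustration.

```python
# Constructed ACL: role -> actions that role may perform.
ACL = {
    "customer": {"view_catalog", "place_order", "view_own_orders"},
    "clerk": {"view_catalog", "view_all_orders", "issue_refund"},
}

# Constructed menu: (link label, action the link triggers).
MENU = [
    ("Catalog", "view_catalog"),
    ("Checkout", "place_order"),
    ("All orders", "view_all_orders"),
    ("Refund", "issue_refund"),
]


def is_authorized(role, action):
    """Default deny: unknown roles and unlisted actions are refused."""
    return action in ACL.get(role, set())


def visible_links(role):
    """What the slide describes: the screen only shows permitted links."""
    return [label for label, action in MENU if is_authorized(role, action)]


def handle_request(role, action):
    """Server-side check on every request. A hidden link is only a display
    decision, so the same ACL must also gate the action itself."""
    if not is_authorized(role, action):
        raise PermissionError(f"{role!r} may not perform {action!r}")
    return f"{action} performed for {role}"


if __name__ == "__main__":
    print(visible_links("customer"))
    print(handle_request("clerk", "issue_refund"))
    try:
        handle_request("customer", "issue_refund")  # link hidden, request sent anyway
    except PermissionError as exc:
        print("refused:", exc)
```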

Cont’d: Secure commerce requirements

• Confidentiality
  – Involves the secrecy of data and the protection of data from unauthorized access.
  – Must ensure:
    • Information cannot be read, copied or modified without authorization
    • Communication cannot be intercepted
  – Encryption techniques are used

In the news (June 23, 2008, 07:46 PM): CNET employees notified after data breach

Source: http://www.itworld.com/news/53276/cnet-employees-notified-after-data-breach

Cont’d: Secure commerce requirements

• Integrity
  – Protection of data from modification either while in transit or in storage.
  – Integrity services must protect against additions, deletions and reordering of data.
• Non-repudiation of origin
  – Protection against a party to a transaction or communication activity later denying that such an activity occurred.

Security Facilities in an EC environment

• Secure file/information transfers
• Secure transactions
• Secure enterprise networks
• Secure File Transfer
  – Popular protocols:
    • HTTPS is the de facto standard
    • Secure HyperText Transfer Protocol is an alternative but not widely used

Cont’d: Security Facilities: Secure file/ information transfers

Symmetric encryption

• Uses a shared key for both encryption and decryption.
• All parties must trust each other.
• Eavesdropping might pose problems.
• Distribution of the keys poses problems.
• DES (Data Encryption Standard)
  – Mostly used in e-mails and exchanges that do not require tight security
  – The DES Cracker managed to break DES in less than 3 days
• Triple DES
  – Has the advantage of proven reliability and a longer key length
• AES (Advanced Encryption Standard)
  – Adopted as an encryption standard by the U.S. government

Sources:
http://www.tropsoft.com/strongenc/des3.htm
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Cont’d: Security Facilities: Secure file/ information transfers

Asymmetric encryption / PKI (Public Key Infrastructure)

• Uses two keys - one to encrypt and a different one to decrypt
• The two keys are mathematically related
• Data encrypted by one can only be decrypted by the other
• One of the pair of keys (public key) is made known to other parties.
• The other is secretly held by the individual (private key)
• RSA - the best known public key encryption algorithm.

Cont’d: Security Facilities: Secure file/ information transfers

Public key encryption

Public Key - example

Cont’d: Security Facilities: Secure file/ information transfers

Digital Certificate

• An electronic “credit card” or “wallet”
• Establishes the credentials of an entity on the web.
• Issued by a certification authority (CA) - e.g. VeriSign.
• Contains
  • Name
  • A serial number
  • Expiry date
  • A copy of the certificate holder’s public key - for encryption and decryption
  • Digital signature of the certification authority - to verify that the certificate is real.

Cont’d: Security Facilities: Secure file/ information transfers

Digital Signature

• An electronic signature to authenticate the identity of the sender.
• Also ensures that the original content of the message is unchanged.
• Example: An e-Will
  – You copy and paste the will into an e-mail.
  – Special software obtains a message hash - a mathematical summary.
  – You use your private key to encrypt the hash.
  – The encrypted hash becomes your digital signature.
  – Different for different messages sent by you.
  – The lawyer receives the message.
  – He makes a hash of the received message.
  – He uses your public key to decrypt the signature to a hash.
  – If the hashes match the message is valid.

A hash function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer, that may serve as an index into an array.

Source: http://en.wikipedia.org/wiki/Hash_function

Cont’d: Security Facilities: Secure file/ information transfers

SHTTP vs. SSL

• Both provide encryption techniques using the RSA (Ron Rivest, Adi Shamir, and Leonard Adleman) algorithm.
• SSL works at the transport layer while SHTTP works at the application layer.
• SSL is simpler than SHTTP.
• SHTTP
  – Supports more services such as firewalls and digital signatures
  – A secure extension of HTTP developed by the CommerceNet consortium
  – Offers security techniques and encryption with RSA methods.
  – Incorporates cryptography at the application level.
  – Uses public key/private key encryption, or asymmetric encryption.
• SSL
  – Developed by Netscape.
  – Works at the transport layer.
  – All servers are authenticated
  – Clients are optionally authenticated.
  – Application independent.
  – HTTP, FTP and Telnet can be placed on top of SSL.
  – Provides channel security through a message integrity check with hash functions.

Cont’d: Security Facilities: Secure file/ information transfers

SSL

• Three part process
  – Information is encrypted to prevent unauthorized access.
  – Information is authenticated to ensure that it is sent by the right parties.
  – Integrity checks to ensure that data is not altered from source to sink.
  – SSL illustration
    • Customer requests to purchase.
    • Company responds with its public key.
    • The customer’s browser uses the public key to encrypt sensitive information.
    • The data is decrypted by the company browser using its private key.
    • Process transparent to the users as it is handled by the browser.
• SSL/TLS
  – SSL was developed by Netscape and soon after the Internet Engineering Task Force (IETF) developed SSL 3.0
• SSL/TLS Drawback
  – Increased processor load: most significant drawback to implementing SSL/TLS.
  – Administrative overhead: An SSL/TLS environment is complex and requires maintenance; the system administrator needs to configure the system and manage certificates.

Source: http://technet2.microsoft.com/windowsserver/en/library/1b6b0dfa-a7a0-4cc2-adc6-f9dda2bd7e601033.mspx?mfr=true

Security Facilities: Secure transactions

• Secure transaction protocols are narrowly focused.
• Popular protocols:
  • Secure Electronic Payment Protocol
  • Secure Transaction Technology
  • Secure Electronic Transaction
• SET
  – Shares a lot in common with SEPP.
  – Touted as the protocol of the future.
  – A combination of an application level protocol and recommended procedures for handling credit card transactions over the net.
  – Designed for cardholders, merchants and banks/card processors.
  – Covers certification of all parties as well as encryption and authentication.
  – Requires an individual to possess a digital certificate for each credit card he/she plans to use.
  – Requirements:
    • SET enabled browser for the customer
    • SET enabled server for the transaction provider.

Security Facilities: Secure transactions

• SET Drawbacks
  • Critical mass of credit card users required for SET usage.
  • Digital certificates distribution is time consuming.
  • Issues in certification such as revocations, cancellations and handling of PIN losses not sorted out.
  • Full text encryption makes the process slower.