1 E-Commerce and Security revised 3/21/2000

Upload: milton-horn

Post on 31-Dec-2015


Slide 1: E-Commerce and Security (title slide)

revised 3/21/2000

Slide 2: Myths about Business Risks in the Information Age

- Security is only about protecting "things"
- We don't have any information anyone would want
- Security problems have never happened here
- Firewalls provide enough security
- Technology will solve the security problem
- The "enemy" is outside
- Our people won't tolerate tight security
- My PC is secure, so I'm secure
- The Internet can't be used for secure communications

Source: The Economist and Arthur Andersen

Slide 3: Electronic Commerce Threats

Client Threats

- Active content
  - Java applets, ActiveX controls, JavaScript, and VBScript
  - Programs that interpret or execute instructions embedded in downloaded objects
  - Malicious active content can be embedded into seemingly innocuous Web pages
- Cookies remember user names, passwords, and other commonly referenced information

Slide 4: Communication Channel Threats

Secrecy Threats

- Secrecy is the prevention of unauthorized information disclosure
- Privacy is the protection of individual rights to nondisclosure
- Theft of sensitive or personal information is a significant danger
- Your IP address and the browser you use are continually revealed while on the web

Slide 5: Communication Channel Threats

- Anonymizer: a Web site that provides a measure of secrecy as long as it's used as the portal to the Internet (http://www.anonymizer.com)

Integrity Threats

- Also known as active wiretapping
- Unauthorized party can alter data
  - Change the amount of a deposit or withdrawal

Slide 6: Communication Channel Threats

Necessity Threats

- Also known as delay or denial threats
- Disrupt normal computer processing
  - Deny processing entirely
  - Slow processing to intolerably slow speeds
  - Remove file entirely, or delete information from a transmission or file
  - Divert money from one bank account to another

Slide 7: Protecting Client Computers

- Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
- Threats can hide in
  - Web pages
  - Downloaded graphics and plug-ins
  - E-mail attachments

Slide 8: Protecting Client Computers

- Cookies
  - Small pieces of text stored on your computer that contain sensitive information that is not encrypted
  - Anyone can read and interpret cookie data
  - Do not harm client machines directly, but potentially could still cause damage
- Misplaced trust
  - Web sites that aren't really what they seem and trick the user into revealing sensitive data

Slide 9: Monitoring Active Content

- Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download
  - Netscape: Edit/Preferences
  - Internet Explorer: Tools/Internet Options
- Digital certificates provide assurance to clients and servers that the participant is authenticated
  - Authenticated by digital signature of CA
  - Public key in certificate verifies digital signature

Slide 10: Protecting Electronic Commerce Channels

- Protecting assets while they are in transit between client computers and remote servers
- Providing channel security includes
  - Channel secrecy
  - Guaranteeing message integrity
  - Ensuring channel availability
  - Authentication

Slide 11: Providing Transaction Privacy

- Encryption: the coding of information by using a mathematically based program and secret key to produce unintelligible characters
- Steganography: makes text invisible to the naked eye
- Cryptography: converts text to strings that appear to have no meaning; the science that studies encryption

Slide 12: Secure Sockets Layer (SSL) Protocol

- Secures many types of connections between two computers on the Internet
- Developed by Netscape
  - Had backing of AppleSoft, DEC, MasterCard International
- Provides a security handshake in which the client and server computers exchange the level of security to be used, certificates, among other things

Slide 13: Secure Sockets Layer (SSL) Protocol

- Provides either 40-bit or 128-bit encryption
- Secures data packets at network layer
- Secures connections between two computers; checks certificates
- Session keys are used to create the cipher text from plain text during the session
- Can secure communications in addition to HTTP (e.g., FTP)
- Uses public and private key encryption
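Slides 12 and 13 describe the SSL handshake negotiating a security level (40-bit or 128-bit keys) and checking certificates. The following is an added example, not part of the slides, showing how a defender checks that a Python TLS client context today offers no cipher suite weaker than 128 bits and still requires certificate and hostname verification; it uses only the standard-library ssl module, and the 128-bit threshold is an assumption taken from the slide.

```python
import ssl

# Added example (not from the slides): inspect a TLS client context for the
# properties slide 13 attributes to SSL. The threshold below is the slide's
# "128-bit" figure, adopted here as the minimum acceptable key strength.
MIN_STRENGTH_BITS = 128


def weak_ciphers(ctx: ssl.SSLContext, minimum: int = MIN_STRENGTH_BITS) -> list:
    """Names of enabled cipher suites whose effective key strength is below minimum."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < minimum]


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings behind 'checks certificates' and the key strength."""
    return {
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "weak_ciphers": weak_ciphers(ctx),
        "cipher_count": len(ctx.get_ciphers()),
    }


def acceptable(ctx: ssl.SSLContext) -> bool:
    """True only when certificates and hostnames are verified and no weak suite is enabled."""
    r = context_report(ctx)
    return bool(r["verifies_certificates"] and r["checks_hostname"] and not r["weak_ciphers"])


def default_client_context() -> ssl.SSLContext:
    """The library's recommended client context: verification on by default."""
    return ssl.create_default_context()


def lax_client_context() -> ssl.SSLContext:
    """A context with certificate checking switched off, to show the report catching it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in (("default", default_client_context()), ("lax", lax_client_context())):
        print(label, context_report(ctx), "acceptable:", acceptable(ctx))
```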

Slide 14: Secure HTTP (S-HTTP) Protocol

- Extension to HTTP that provides numerous security features
  - Client and server authentication
  - Spontaneous encryption
  - Request/response nonrepudiation
- Provides symmetric and public-key encryption, and message digests (summaries of messages as integers)
- Open protocol designed to secure web transactions using special packet headers
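Slide 5 gives the integrity threat of an active wiretapper changing the amount of a deposit, and slide 14 lists message digests as the countermeasure. The following added example (not code from the slides) shows, with Python's standard hashlib and hmac modules, why an unkeyed digest alone does not stop that attack and how a keyed digest (HMAC) lets the receiver detect the altered amount; the transaction message and shared key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample (not from the slides): a funds-transfer message whose
# amount an active wiretapper might alter, and a key shared by client and server.
SHARED_KEY = b"example-shared-secret-key"
MESSAGE = {"from": "acct-1001", "to": "acct-2002", "amount": "100.00"}


def canonical(msg: dict) -> bytes:
    """Serialise deterministically so sender and receiver digest identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(msg: dict) -> int:
    """Unkeyed SHA-256 digest as an integer (slide 14: 'summaries of messages as integers').
    Detects accidental corruption only: whoever alters the message can recompute it."""
    return int.from_bytes(hashlib.sha256(canonical(msg)).digest(), "big")


def plain_digest_accepts(received: dict, digest_sent: int) -> bool:
    """Receiver-side check with an unkeyed digest: passes whenever the digest matches."""
    return plain_digest(received) == digest_sent


def keyed_digest(msg: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical message; cannot be recomputed without the key."""
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


def verify(msg: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the expected tag."""
    return hmac.compare_digest(keyed_digest(msg, key), tag)


if __name__ == "__main__":
    tag = keyed_digest(MESSAGE, SHARED_KEY)
    altered = dict(MESSAGE, amount="10000.00")   # the slide-5 integrity threat
    # Unkeyed digest: the attacker sends a digest of the altered message and it is accepted.
    print("plain digest accepts altered:", plain_digest_accepts(altered, plain_digest(altered)))
    # Keyed digest: the original tag no longer matches and the alteration is detected.
    print("HMAC verifies original:", verify(MESSAGE, tag, SHARED_KEY))
    print("HMAC verifies altered: ", verify(altered, tag, SHARED_KEY))
```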

Slide 15: Secure Electronic Transaction

- Backed by MasterCard, Visa, IBM, Netscape and Microsoft
- Secures credit card transactions
- Uses digital certificate
  - consumer's name
  - few digits of consumer's credit card
  - name of bank that issued card
- Merchant uses public key cryptography to verify consumer's identity
- Provides confidentiality of payment info
- Provides merchant authentication

Slide 16: Firewalls

- Control damage to your data and computer systems
- Protect against spoofing
- Implement access controls based on contents of the packets of data transmitted between two parties or devices on a network
- Single point of control for security on network
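Slide 16 says a firewall implements access controls from packet contents and protects against spoofing. The following added example (not from the slides) is a minimal first-match packet filter in Python that decides from the packet's interface, protocol, addresses and port, denies anything not explicitly allowed, and drops a packet arriving on the outside interface that claims an inside source address; the internal network, the policy and the packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values (not from the slides): the protected network and a policy
# that lets outsiders reach one web server on ports 80 and 443 only.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str      # "outside" or "inside": the interface the packet arrived on
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # CIDR; None matches any source
    dst: Optional[str] = None       # CIDR; None matches any destination
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match the packet's contents."""
        return (
            (self.proto is None or self.proto == p.proto)
            and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
            and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
            and (self.dport is None or self.dport == p.dport)
        )


POLICY = [
    Rule("allow", proto="tcp", dst="10.0.1.10/32", dport=80),
    Rule("allow", proto="tcp", dst="10.0.1.10/32", dport=443),
    Rule("deny"),   # explicit default deny: first rule that matches wins
]


def decide(p: Packet, policy=POLICY) -> str:
    """Return 'allow' or 'deny'; the anti-spoofing check runs before the rule list."""
    # A packet from the outside can never legitimately carry an internal source address.
    if p.iface == "outside" and ipaddress.ip_address(p.src) in INTERNAL_NET:
        return "deny"
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny even if the policy list is empty
```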