Chapter 3 Mohammad Fozlul Haque Bhuiyan Assistant Professor CITI Jahangirnagar University

Post on 25-Dec-2015

Page 1: Chapter 3 Mohammad Fozlul Haque Bhuiyan Assistant Professor CITI Jahangirnagar University

Chapter 3

Mohammad Fozlul Haque Bhuiyan, Assistant Professor

CITI Jahangirnagar University

Page 2

Security Issues in E-commerce

A computer system, composed of bare hardware and an OS, is responsible for safeguarding its data and the applications resident in primary and secondary storage, for the proper management of its other resources, and for establishing connections to other computer systems via the network.

When the system is not connected to the outside world, it is vulnerable only to its own bad users, who abuse it with malicious programs such as viruses, Trojan horses, etc.

However, once it is opened to the outside world through networking, that exposure becomes a major threat to the system.

Security Issues

Is E-commerce Secure?

Cryptography

Web security

Page 3

Security Issues

• Operating System Security

• Network Security

• Internet Security

• Middleware Security

• Database Security

• Other Fields of Computer System Security

Page 4

Operating System Security

The security models are classified into two major groups:

• Mandatory security model: controls access to information by individuals on the basis of the classification of subjects (active elements) and objects (data). Examples: the Bell-LaPadula model, the Biba model, and the Dion model.

• Discretionary security model: controls user access on the basis of user identity and a set of rules governing what type of access relationship may be established between the user (subject) and the object. Examples: the access matrix model, the take-grant model, and the action-entity model.

• Lattice model: based on information flow control.
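The two decision styles above differ in what the decision depends on: a label attached to subject and object (mandatory) versus an owner-granted entry for a particular user (discretionary). The following is an added example, not code from the slides: a Bell-LaPadula style label check (no read up, no write down) beside an access-matrix lookup, with a combined decision that grants access only when both agree. The classification levels, users, objects and matrix entries are constructed for illustration.

```python
# Added illustration (not from the slides): a mandatory, Bell-LaPadula style check
# driven by subject/object classification, beside a discretionary check driven by
# an access matrix keyed on user identity. All levels, users and objects are constructed.
from typing import Dict, Set

# Constructed linear ordering of classification levels (lowest to highest).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mandatory_allowed(subject_level: str, object_level: str, mode: str) -> bool:
    """Bell-LaPadula confidentiality rules.

    read : simple security property -> subject level >= object level (no read up)
    write: *-property                -> subject level <= object level (no write down)
    The identity of the subject plays no role; only the labels matter.
    """
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown access mode {mode!r}")


# Constructed access matrix: rows are users (subjects), columns are objects,
# cells are the rights the object's owner chose to grant.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "orders.db": {"read"}},
    "bob": {"orders.db": {"read", "write"}},
}


def discretionary_allowed(user: str, obj: str, mode: str) -> bool:
    """Access-matrix lookup: the decision depends on who the user is and which
    rights were granted for this object, not on any classification label."""
    return mode in ACCESS_MATRIX.get(user, {}).get(obj, set())


def decide(user: str, user_level: str, obj: str, obj_level: str, mode: str) -> bool:
    """A system enforcing both models grants access only when both checks pass:
    a discretionary grant cannot override a mandatory denial, and vice versa."""
    return mandatory_allowed(user_level, obj_level, mode) and discretionary_allowed(user, obj, mode)


if __name__ == "__main__":
    # alice holds a matrix entry for payroll.db, but her label is too low to read a secret object
    print(decide("alice", "confidential", "payroll.db", "secret", "read"))   # False
    print(decide("alice", "secret", "payroll.db", "secret", "read"))         # True
```

Note that the mandatory check is symmetric in an unexpected way for newcomers: a high-clearance subject may read a low object but may not write to it, because writing down could leak information to readers with lower clearance.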

Page 5

Operating System Security

Page 6

Network Security

Page 7

Network Security (Cont…)

As the network makes a computer system open to the world, communication becomes easy with the outside world at the cost of security. One of the major successes in tackling the distributed system security problem is Kerberos.

Kerberos uses encryption to enable secure communication. To connect to the computers, users have to use Kerberos-aware programs. In order to authenticate with Kerberos, one needs to obtain ‘tickets’.

A ticket grants the user the right to use a service, such as accessing his/her files. A ‘ticket granting ticket’ is a ticket used to get other tickets.

Page 8

Internet Security

Page 9

Middleware Security

• OSF’s DCE

• OMG’s CORBA

Page 10

Database Security

Figure: Distributed Database Model

Page 11

Other Fields of Computer System Security

• E-cash

Page 12

Is E-commerce Secure?

When viewing digital information from the network perspective, information security comprises the following characteristics:

• Confidentiality, or message transmission security

• Integrity of data content

• Authentication of sender and receiver

• Non-repudiation by the sender and receiver

• Anonymity or secrecy

• Availability

Page 13

Cryptography

Single Key (Symmetric) Cryptography

Public Key (Asymmetric) Cryptography

Digital Signature

Certification Authority

Digital Certificates

Page 14

Single Key (Symmetric) Cryptography

Page 15

Public Key (Asymmetric) Cryptography

Page 16

Public Key (Asymmetric) Cryptography (Cont..)

Page 17

Certification Authority

Page 18

Digital Certificate

The digital certificate is basically the digitally signed triple:

• Identity of user

• Public key of user

• Other attributes

Page 19

Digital Certificate (cont..)

In addition to the signature, the public key certificate contains the following items (listed in the order they appear in an X.509 certificate):

• version

• serialNumber

• signature

• issuer

• validity

• subject

• subjectPublicKeyInfo

• issuerUniqueIdentifier

• extensions

Page 20

Digital Signatures

What is a Digital Signature?

• The hash value of a message, when encrypted with the private key of a person, is his digital signature on that e-Document.

– A person's digital signature therefore varies from document to document, thus ensuring the authenticity of each word of that document.

– As the public key of the signer is known, anybody can verify the message and the digital signature.

Why Digital Signatures?

• To provide Authenticity, Integrity and Non-repudiation to electronic documents

• To use the Internet as a safe and secure medium for e-Commerce and e-Governance

Page 21

Digital Signatures

Each individual generates his own key pair [Public key known to everyone & Private key known only to the owner]

Private Key – Used for making digital signature

Public Key – Used to verify the digital signature
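The slides describe two uses of the same primitive: a user signs the hash of a document with a private key, and a certification authority signs the (identity, public key, attributes) triple that is the digital certificate. The following added example, which is not code from the slides, shows both with textbook RSA and SHA-256 from the Python standard library, and then checks a signed document through the chain CA key → certificate → user key → document. The key material is constructed from publicly known Mersenne primes, which makes these keys worthless for real use (they are also unpadded); a vetted library such as the `cryptography` package is the right tool for real systems. The helper names (`sign`, `verify`, `issue_certificate`, `verify_certificate`, `verify_signed_document`) are this example's own.

```python
# Added example (not from the slides): hash-then-sign with textbook RSA, plus a
# digital certificate as a CA-signed (identity, public key, attributes) triple.
# The primes below are constructed for illustration only: Mersenne primes are
# publicly known, so these keys offer no real security, and no padding is applied.
import hashlib
import json
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key generation from two supplied primes (toy only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e, Python >= 3.8
    return (n, e), (n, d)


def digest_int(message: bytes) -> int:
    """SHA-256 digest of the document as an integer; the signer signs this, not the document."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, priv: PrivateKey) -> int:
    """Signature = hash of the message 'encrypted' with the signer's private key."""
    n, d = priv
    return pow(digest_int(message) % n, d, n)


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Anyone holding the public key recovers the signed hash and compares it to a fresh one."""
    n, e = pub
    return pow(signature, e, n) == digest_int(message) % n


def encode_triple(identity: str, pub: PublicKey, attributes: dict) -> bytes:
    """Canonical encoding of the certificate triple so issuer and verifier hash identical bytes."""
    body = {"identity": identity, "public_key": list(pub), "attributes": attributes}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_priv: PrivateKey, identity: str, user_pub: PublicKey, attributes: dict) -> dict:
    """The CA signs the triple; the result binds the identity to the user's public key."""
    cert = {"identity": identity, "public_key": list(user_pub), "attributes": attributes}
    cert["signature"] = sign(encode_triple(identity, user_pub, attributes), ca_priv)
    return cert


def verify_certificate(cert: dict, ca_pub: PublicKey) -> bool:
    """Rebuild the triple from the certificate fields and check the CA's signature over it."""
    triple = encode_triple(cert["identity"], tuple(cert["public_key"]), cert["attributes"])
    return verify(triple, cert["signature"], ca_pub)


def verify_signed_document(message: bytes, signature: int, cert: dict, ca_pub: PublicKey) -> bool:
    """Trust chain: the CA vouches for the user's public key, which vouches for the document."""
    if not verify_certificate(cert, ca_pub):
        return False
    return verify(message, signature, tuple(cert["public_key"]))


# Constructed keys: distinct, publicly known Mersenne primes for the CA and for the user.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
USER_PUB, USER_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

if __name__ == "__main__":
    order = b"pay 100 to bob"
    sig = sign(order, USER_PRIV)
    cert = issue_certificate(CA_PRIV, "alice@example.com", USER_PUB, {"role": "merchant"})
    print(verify_signed_document(order, sig, cert, CA_PUB))            # True
    print(verify_signed_document(b"pay 900 to bob", sig, cert, CA_PUB))  # False: document altered
```

The two failure cases worth running are an altered document (the recovered hash no longer matches) and an altered certificate field such as the identity (the CA's signature no longer verifies, so the embedded public key is not trusted even though the document signature itself is still valid under it).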

Page 22

Digital Signature: An application of public key cryptography

Page 23

Web security

Secure Socket Layer (SSL)

Secure Electronic Transaction (SET)

Page 24

Secure Socket Layer (SSL)

The SSL protocol provides connection security that has three basic properties:

The connection is private. Symmetric cryptography is used for data encryption (e.g. DES, RC4, etc.).

Page 25

Secure Socket Layer (SSL) (cont…)

The peer’s identity can be authenticated using asymmetric, or public key, cryptography (e.g. RSA, DSS, etc.).

The connection is reliable. Message transport includes a message integrity check using a keyed MAC built from a secure hash function (e.g. SHA, MD5, etc.).
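The third property is the one most often glossed over: the record layer authenticates every record with a keyed MAC, and in SSL/TLS the MAC input also covers a per-direction sequence number, so a modified, replayed or reordered record fails the check. The following added example, which is not code from the slides, shows that check with HMAC-SHA256 from the Python standard library; the key, the records and the simplified `seq || payload` MAC layout are constructed for illustration (real TLS also MACs the record type, version and length, and SSL 3.0, RC4 and MD5 as named on the slide have since been deprecated or broken and should not be used in new systems).

```python
# Added example (not from the slides): the keyed-MAC integrity check of an SSL/TLS-style
# record layer, using HMAC-SHA256. Key, records and the MAC-input layout are constructed
# for illustration; encryption of the record is left out to isolate the integrity property.
import hashlib
import hmac
import struct
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def mac_input(seq: int, payload: bytes) -> bytes:
    """What gets authenticated: an implicit 64-bit sequence number plus the record payload.
    The sequence number is never sent; both ends count records, so a captured record
    presented at the wrong position fails the check even though its bytes are untouched."""
    return struct.pack(">Q", seq) + payload


def protect_record(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append the tag to the payload."""
    tag = hmac.new(mac_key, mac_input(seq, payload), hashlib.sha256).digest()
    return payload + tag


def open_record(mac_key: bytes, seq: int, record: bytes) -> Optional[bytes]:
    """Receiver side: split off the tag and recompute it. Returns the payload, or None
    if the record fails the check. compare_digest is constant-time, so the comparison
    itself does not leak how many tag bytes matched."""
    if len(record) < MAC_LEN:
        return None
    payload, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = hmac.new(mac_key, mac_input(seq, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


class Receiver:
    """Tracks the expected sequence number for one direction of the connection.
    Only a record that verifies advances the counter, so a bad record cannot
    desynchronise the two ends."""

    def __init__(self, mac_key: bytes) -> None:
        self.mac_key = mac_key
        self.next_seq = 0

    def receive(self, record: bytes) -> Optional[bytes]:
        payload = open_record(self.mac_key, self.next_seq, record)
        if payload is not None:
            self.next_seq += 1
        return payload


def flip_byte(data: bytes, index: int) -> bytes:
    """Simulate in-transit corruption or tampering of a single byte."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    key = b"constructed-mac-key-for-illustration"  # constructed; real keys come from the handshake
    rx = Receiver(key)
    r0 = protect_record(key, 0, b"GET /cart HTTP/1.1")
    print(rx.receive(r0))                 # b'GET /cart HTTP/1.1'
    print(rx.receive(r0))                 # None: replay at the wrong sequence number
    r1 = protect_record(key, 1, b"POST /checkout")
    print(rx.receive(flip_byte(r1, 0)))   # None: modified record
    print(rx.receive(r1))                 # b'POST /checkout'
```

The MAC key here is an input; in SSL/TLS it is derived during the handshake from the key exchange that the first two properties (privacy and peer authentication) set up, which is why the three properties are listed together.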

Page 26

Secure Socket Layer (SSL) (cont..)

Figure: SSL 3.0 information exchange between a client and a server

Page 27

Secure Electronic Transaction (SET)

The SET specification is designed to meet three main objectives.

First, it will enable payment security for all parties involved, authenticate card holders and merchants, provide confidentiality of payment data, and define protocols for potential electronic security service providers.

Page 28

Secure Electronic Transaction (SET) (Cont…)

Second, it will enable interoperability among applications developed by various vendors and among different operating systems and platforms.

Third, it will strive to achieve market acceptance on a global scale.

Page 29

Thank You