E-commerce
Lecture 10
Chapter 10: Implementing E-commerce Security
A tool to manage e-commerce security
Tools for Assignment2-1
- SWOT (business analysis)
- Competitive environment (commerce/society)
- Technology
- Audience analysis (market segmentation)
- Needs of potential customers
- Marketing strategy
- Risk analysis (revision of Assignment2-1)
- Security risks & decisions to manage risks
- Concept map
- Aim-objective-solution for system analysis
- Story board
- Customer-centric design (web pages)
1. Security of Communication Channel
- Cryptography
- Cryptography is the science of creating messages that only the sender and the designated receiver can interpret.
- Encryption is a ‘locking’ process of coding data to produce an unintelligible string of characters (cipher text) with
- a program that implements an encryption algorithm
- a secret key (a parameter)
- Decryption is the unlocking process.
- Metaphor
- Cryptography: technology of a safe
- Algorithm: design of a safe
- Program: safe product
- Keys: keys
[Figure: symmetric key and asymmetric keys; a red dot indicates the private key]
- Symmetric key
- Message sender encodes data and the receiver decodes the data with the same key.
- 1-to-1 interactive data transmission
- A symmetric key has 2 copies.
[Figure: symmetric key example: "1234 5678" with key S on both sides, cipher text "$^@$#^$&+*" in between]
- Asymmetric keys
- The key owner distributes the public key to its partners, but keeps the only private key to itself.
- Public key encryption for secrecy
- A partner encrypts a message with the public key and sends it to the key owner.
- M->1 data transmission
- The key owner decrypts the message with the private key.
- Private key encryption for identity (digital signature)
- The key owner encrypts a message with the private key and sends it to its partners.
- 1->M data transmission
- A partner decrypts the message with the public key.
- Comparison of the 3 methods
- Symmetric key encryption/decryption
- 1-to-1 interactive data transmission
- As the owner, you should keep 1 copy and send 1 copy to only one partner. You should have N different symmetric keys for N partners.
- The owner and the user should authenticate each other (how to send a key?).
- Public key encryption & private key decryption
- M->1 data transmission. Many people send you (the owner) cipher texts encrypted with your public key, and only you can decrypt them with the private key.
- It is a kind of digital envelope to ensure secrecy.
- As the owner, you should keep the only private key and distribute the M copies of the public key.
- The public key or the owner should be authenticated or verified (how to send public keys?).
- Private key encryption & public key decryption
- 1->M data transmission. You (only you) send a cipher text encrypted with the private key to M people, who can decrypt it with the public key.
- It is a method for digital signature (integrity).
- As the owner, you should keep the only private key and distribute the M copies of the public key.
- The public key or the owner should be authenticated (how to send public keys?).
- Digital signature for integrity
- Sam uses a hash algorithm to calculate a hash value (digest) from a message (hash coding)
- A unique digest is calculated from a message.
- The message can’t be recovered from the digest (1 1).
- Sam encrypts the digest with his private key (signature) to produce a cipher text, and sends the message, cipher text and algorithm to Ruth.
- Ruth decrypts the cipher text with Sam’s public key to produce the sent digest, and calculates a digest from the message with the algorithm.
- If the calculated digest = the sent digest, the message has not been altered;
- Otherwise, the message has been altered.
As a website, you may need to sign data or active content.
A digital signature indicates
- the message is from an authenticated sender; and
- the message has not been changed in the communication channel.
[Figure: active content, owner, website, security program with browser]
- Digital signature for integrity
- Discussion
- Can hash coding alone ensure integrity?
- Can hash coding alone be used for password protection on a server?
- Can private key encryption ensure integrity?
- Why is hash coding used for digital signature?
- Can private key encryption ensure secrecy?
- Can digital signature be used to authenticate the sender?
[Figure: Certificate Authority (CA), A and B; A distributes its public key to B]
- Digital Certificate for authentication
- Company A (A) applies for a digital certificate from Certificate Authority (CA).
- CA issues a digital certificate containing A's public key and ID encrypted with CA’s private key.
- A sends the digital certificate (containing A’s public key) to Company B (B).
- B decrypts the digital certificate with CA's public key to verify A (A’s public key).
- Digital envelope for secrecy & integrity
1. Sam and Ruth exchange their public key certificates (for 3 and 6).
2. Sam uses his private key to encrypt the message to produce cipher text 1 (digital signature for Ruth to authenticate Sam).
3. Sam uses Ruth’s public key to encrypt cipher text 1 to produce cipher text 2 (for secrecy).
4. Sam sends cipher text 2 to Ruth.
5. Ruth uses her private key to decrypt cipher text 2 to get cipher text 1 (other people can’t do this).
6. Ruth uses Sam’s public key to decrypt cipher text 1 to get the original message (Ruth authenticates Sam, making sure the message is from Sam).
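The digest-based signature, the CA-issued certificate and the envelope steps above can be traced in code; the following is an added example, not part of the original lecture, using textbook RSA without padding and SHA-256 from Python's standard library. The function names, the toy keys built from Mersenne primes and the `ID|n|e` certificate layout are assumptions made for illustration and are not secure for real use. The nesting in `seal` works here because Sam's modulus is smaller than Ruth's.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(a, b):
    """Toy RSA key pair from Mersenne primes 2**a-1, 2**b-1 (assumption; insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def rsa(value, key):
    """Textbook RSA without padding: one operation, the key decides its meaning."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit this key's modulus")
    return pow(value, exponent, n)

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private_key):
    return rsa(digest(message), private_key)  # digest encrypted with the private key

def verify(message, signature, public_key):
    return rsa(signature, public_key) == digest(message)  # sent vs calculated digest

def cert_body(owner_id, owner_pub):
    return f"{owner_id}|{owner_pub[0]}|{owner_pub[1]}".encode()

def issue_certificate(owner_id, owner_pub, ca_private):
    return owner_id, owner_pub, sign(cert_body(owner_id, owner_pub), ca_private)

def check_certificate(cert, ca_public):
    owner_id, owner_pub, ca_signature = cert
    ok = verify(cert_body(owner_id, owner_pub), ca_signature, ca_public)
    return owner_pub if ok else None  # trust the key only if the CA signed it

def seal(message, sender_private, receiver_public):
    cipher_text_1 = rsa(int.from_bytes(message, "big"), sender_private)  # identity
    return rsa(cipher_text_1, receiver_public)                 # cipher text 2: secrecy

def open_envelope(cipher_text_2, receiver_private, sender_public):
    number = rsa(rsa(cipher_text_2, receiver_private), sender_public)
    return number.to_bytes((number.bit_length() + 7) // 8, "big")

# Constructed keys for the three parties in the lecture's examples.
CA_PUB, CA_PRIV = keypair(2281, 3217)
SAM_PUB, SAM_PRIV = keypair(521, 607)
RUTH_PUB, RUTH_PRIV = keypair(1279, 2203)
```

Production systems use padded schemes (for example RSA-PSS for signatures and RSA-OAEP for encryption) from a vetted library instead of raw modular exponentiation.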
- Summary:
- A digital certificate (or public key certificate) is a tool to send a public key to authenticate the key owner.
- A digital signature is a tool to protect integrity, but not secrecy. The sender cannot deny a message that was digitally signed.
- A digital envelope is a tool, using both parties’ asymmetric keys, to protect secrecy and integrity. It is also a method to send a symmetric key for a secure session.
[Figure: symmetric key sent in a digital envelope, encrypted with the client private key and the server public key]
- Secure Socket Layer (SSL) Protocol
- SSL Protocol allows secure interactive transmissions between the client and server during a single session.
- A digital envelope is used for a transmission in one direction.
- The client determines the secure session
- Determine key length;
- Identify the server;
- Provide symmetric session key;
- Allow server to identify client
- Secure HTTP (S-HTTP) Protocol
- S-HTTP is a security technique competing with SSL.
- S-HTTP sends individual messages while SSL establishes a secure connection between 2 computers.
- S-HTTP cannot be used to secure non-HTTP messages.
- Not all browsers and not all Web sites support S-HTTP.
- A supporting site’s URL starts with “SHTTP”.
- https = HTTP over SSL – will you create an https site?
- Guaranteeing Transaction Delivery
- Packets in a transaction can be stolen and slowed down.
- Cryptography is NOT a solution
- ‘Incomplete’ solutions
- Transmission Control Protocol (TCP) requests the sender to resend data when packets seem to be missing.
- Data mining to detect anomalies (widely used by banks)
- Messaging (widely used by banks)
2. Security of Computers
- 3 techniques to protect computers:
- Operating system security enhancement
- Microsoft or Apple automatically updates computer security countermeasures.
- Access control and authentication
- Login procedure for access control
- Digital signature for authentication
- Configuring browsers to determine security level or control access for client computers
- Using an access control list (ACL) to control the access privileges of different users on server computers.
- Anti-virus software
- Firewalls to protect network
- firewall - computer/software combination installed at the entry point of a networked system
- 3 types of firewalls
- Packet-filter: filters packets according to their source or destination IP address
- Gateway server: filters traffic according to application (e.g. FTP, Telnet)
- Proxy server: communicates with the Internet on the private network’s behalf and filters requests
3. Organisational policies, industry standards and public laws
- Security Policy
- Security of a computer system is implemented according to a security policy.
- A security policy must protect a system’s secrecy, integrity and availability (necessity), and authenticate users (e-commerce requirements).
- concerns
- physical security
- network security
- access control and authentication
- virus protection
- disaster recovery
- identifies
- assets to be protected;
- reason of the protection (risk analysis);
- responsible people for the protection;
- accepted and unaccepted behaviours.
- Public laws raise the costs of illegal behaviour and guard against corporate abuse of information.
- Current laws are temporary and immature
- Specific industries have released standards or guidelines about security.
- Payment Card Industry Data Security Standard - Visa, MasterCard, American Express and Discover
- Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security - The Organisation for Economic Cooperation and Development
Security of Communication Channel
Security of Computers
Organisational policies, industry standards and public laws
[Figure labels: technical, organisational, legal; solutions; threats; impact/probability]
security: explanation
- secrecy: Prevent unauthorised reading or deriving information
- integrity: Detect message alteration in transit
- availability: Ensure that messages cannot be lost undetectably
- Nonrepudiation: Provide undeniable, end-to-end proof of each message’s origin and recipient.
- Authentication: Identify clients or servers