Tools or Technology Solution of E-commerce

Technology Solutions

  • A great deal of progress has been made by private security firms, corporate and home users, network administrators, technology firms, and government agencies.
  •  Protecting Internet communications (encryption)

  •  Securing channels of communication (SSL (Secure Sockets Layer), S-HTTP, VPNs); the URL changes from HTTP to HTTPS
      - SSL: protocol that provides secure communications between client and server
  •  Protecting networks (firewalls) 
  •  Protecting servers and clients


Protecting Internet Communication


ENCRYPTION:
  • The process of transforming plain text or data into ciphertext that cannot be read by anyone other than the sender and the receiver.
  • The purpose of encryption is a) to secure stored information and b) to secure information transmission.
  • Encryption can provide four of the six key dimensions of e-commerce security:
  • Message integrity: provides assurance that the message has not been altered
  • Nonrepudiation: prevents the user from denying he or she sent the message
  • Authentication: provides verification of the identity of the person (or computer) sending the message
  • Confidentiality: gives assurance that the message was not read by others
  • The transformation of plain text into ciphertext is accomplished by using a key or cipher.
  • A key or cipher is any method for transforming plain text into ciphertext
  • Ancient Egyptian commercial records were encrypted using substitution and transposition ciphers.
  • Substitution cipher: every occurrence of a given letter is replaced systematically by another letter
  • Transposition cipher: the ordering of the letters in each word is changed in some systematic way

SYMMETRIC KEY ENCRYPTION:
  • To decipher the messages, the receiver would have to know the secret cipher (key) that was used to encrypt the plain text.
  • Both the sender and the receiver use the same key to encrypt and decrypt the message. This is also called secret key encryption.
  • The sender and receiver have to have the same key; they need to send the key over some communication media or exchange in person.
  • Common flaws:
      - Computers today can break this encryption quickly
      - Both parties have to share the same key and the key may be sent via an insecure medium
  • Also known as secret key encryption
  • Both the sender and receiver use the same digital key to encrypt and decrypt the message
  • Requires a different set of keys for each transaction
  • Data Encryption Standard (DES): Most widely used symmetric-key encryption today; uses 56-bit encryption key; other types use 128-bit keys up through 2048 bits

        PUBLIC KEY ENCRYPTION
        • This solves the problem of exchanging keys.
        • Two mathematically related digital keys are used: a public key and a private key.
        • The private key is kept secret by the owner, and the public key is widely disseminated.
        • E.g.: When Mr. A wants to send a secure message to Mr. B, he uses B's public key to encrypt the message. Mr. B then uses his private key to decrypt it.
        • Once a key has been used to encrypt a message, that same key cannot be used to decrypt the message.
                               or,

        • Public key cryptography solves the symmetric key encryption problem of having to exchange a secret key 
        •  Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner) 
        •  Both keys are used to encrypt and decrypt the message 
        • Once the key is used to encrypt a message, the same key cannot be used to decrypt the message
        •  For example, the sender uses the recipient’s public key to encrypt a message; the recipient uses his/her private key to decrypt it


                               
        Public Key Encryption using Digital Signatures and Hash Digests 
        • Application of hash function (mathematical algorithm) by the sender before encryption produces hash digest that recipient can use to verify the integrity of data 
        • Double encryption with the sender’s private key (digital signature) helps ensure authenticity and nonrepudiation


        DIGITAL ENVELOPES:
        • If one uses 128 or 256-bit keys to encode large documents the public key encryption becomes computationally slow and more time will be needed to process.
        • Symmetric key encryption is computationally faster but has a weakness; the key must be sent over an insecure medium.
        • The solution is a digital envelope: a technique that uses symmetric encryption for large documents, but public-key encryption to encrypt and send the symmetric key. So we will have a key within a key (digital envelope).
        • E.g.: an encrypted report and digital envelope are sent across the web. The recipient first uses his/her private key to decrypt the symmetric key and then uses that key to decrypt the report.
        • Addresses weaknesses of public-key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but more secure) 
        • Uses symmetric key encryption to encrypt documents but public-key encryption to encrypt and send a symmetric key



        PROTECTING INTERNET COMMUNICATIONS


        Digital Certificates and Public Key Infrastructure (PKI) 
        • A solution to address misrepresentation online. How do we know that people or institutions are who they claim to be?
        • Before you place an order on Amazon, you want to be sure that it is really Amazon.com you have on the computer screen, and not a spoofer misrepresenting as Amazon.
        • Digital certificates solve this problem of digital identity. A digital document is issued by a trusted third-party institution known as a certification authority (CA) such as VeriSign.
        • Public key infrastructure (PKI) refers to the CAs and digital certificate procedures accepted by all parties. 
        • A digital certificate is an electronic document containing a key value and identifying information about the entity that controls the key.
        • A digital signature is attached to the certificate’s container file to certify that the file is from the entity it claims to be from.
        • A certificate authority (CA) is an agency that manages the issuance of certificates and serves as the electronic notary public to verify their worth and integrity. 
        • Digital document that includes:
            - Name of subject or company
            - Subject’s public key
            - Digital certificate serial number
            - Expiration date
            - Issuance date
            - Digital signature of the certification authority (trusted third party (institution) that issues a certificate)
            - Other identifying information

         Public Key Infrastructure (PKI): 
        • It refers to the CAs and digital certificate procedures that are accepted by all parties
        • Public Key Infrastructure (PKI) is an integrated software system, encryption methodologies, protocols, legal agreements, and third-party services that enable users to communicate securely.
        • PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs).
        • PKI Protects Information Assets in Several Ways:
            - Authentication: Digital certificates in a PKI system permit parties to validate the identity of other parties in an Internet transaction.
            - Integrity: A digital certificate demonstrates that the content signed by the certificate has not been altered while being moved from server to client.
            - Privacy: Digital certificates keep information from being intercepted during transmission over the Internet.
            - Authorization: Digital certificates issued in a PKI environment can replace user IDs and passwords, enhance security, and reduce some of the overhead required for authorization processes and controlling access privileges.
            - Nonrepudiation: Digital certificates can validate actions, making it less likely that customers or partners can later repudiate a digitally signed transaction.


        SECURING CHANNELS OF COMMUNICATION

        SECURE SOCKETS LAYER (SSL) AND TRANSPORT LAYER SECURITY:
        • The most common form of securing channels is through SSL and TLS protocols.
        • When you communicate with a web server through a secure channel, it means you are using SSL/TLS to establish a secure session.
        • Secure Session is a client-server session in which the URL of the requested document and contents are encrypted.
        • You can notice that the HTTP changes to HTTPS.
        • SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.
        • Transport Layer Security (TLS) is an improved version of SSL


         Secure HTTP (S-HTTP) Protocol
        •  It is an extension to the HTTP protocol that provides numerous security features such as client and server authentication, spontaneous encryption, and request/response nonrepudiation.
        •  It provides symmetric and public-key encryption like SSL.
        •  It also uses a message digest (hash number or summaries of messages as integers) to be transmitted with the message for message integrity. So, if the message is changed during transmission, it will be detected. 
        •  A secure digital envelope encapsulates a message and provides secrecy, integrity, and client/server authentication.


        VIRTUAL PRIVATE NETWORKS (VPN):
        • VPN is a network that is constructed by using public wires — usually the Internet — to connect to a private network, such as a company's internal network.
        • This allows remote users to securely access internal networks via the Internet, using the Point-to-Point Tunneling Protocol (PPTP).
        • VPNs use both authentication and encryption to secure information from unauthorized persons.
        • Authentication prevents spoofing and misrepresentation of identities.


        PROTECTING NETWORKS

        FIREWALLS: refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy.


        PROXY SERVERS: Software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization.



        PROTECTING SERVERS AND CLIENTS

        OPERATING SYSTEMS SECURITY ENHANCEMENTS: Windows/Apple computers’ security upgrades, password protection, etc.

        Anti-virus software: Easiest and least expensive way to prevent threats to system integrity
         

                                       OR,


        1) Protecting Intellectual Property
        • Digital intellectual properties, including art, logos, and music posted on Web sites, are protected by laws.
        • Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice provides information on cybercrime prosecutions.
        • The World Intellectual Property Organization (WIPO) oversees digital copyright issues internationally.
        • Methods of protecting digital works:
            - Software metering
            - Digital watermarks
            - Digital envelopes
        • Organizations/Companies for Intellectual Property
            - Verance Corporation
            - Blue Spike
            - Secure Digital Music Initiative
            - Digimarc Corporation
            - SoftLock.com
        • Protecting Privacy
            - Cookies contain private information, including credit card data, passwords, and login information.
            - Privacy problems exist because of the existence of cookies.
            - The best way to protect your privacy is to disable cookies entirely.


                           2) Protecting Client Computers
                          • Client computers must be protected from threats.
                          • Active content can be one of the most serious threats to client computers.
                          • Another threat to client computers is a malevolent server site masquerading as a legitimate Web site.

                          a) Digital Certificates
                          • A digital certificate verifies that a user or Web site is who it claims to be.
                          • The digital certificate contains a means to send an encrypted message to the entity that sent the original Web page or message.
                          • A Web site’s digital certificate is a shopper’s assurance that the Web site is the real store.


                          b) Certification Authority (CA)
                          • A certification authority issues a digital certificate to an organization or individual.
                          • A key is usually a long binary number to be used with the encryption algorithm.
                          • Longer keys provide significantly better protection than shorter keys.
                          • The CA guarantees that the individual or organization that presents the certificate is who it claims to be.


                          c)  Microsoft Internet Explorer
                          • Internet Explorer provides client-side protection right inside the browser.
                          • Internet Explorer uses Microsoft Authenticode technology.
                          • Authenticode technology verifies that the program has a valid certificate.


                          d)  Netscape Navigator
                          • Netscape Navigator allows you to control whether active content is downloaded to your computer.
                          • If you allow Java or JavaScript active content, you will always receive an alert from Netscape Navigator.

                          e) Using Antivirus Software
                          • Antivirus software is a defense strategy.
                          • One of the most likely places to find viruses is in electronic mail attachments.
                          • Application service providers (ASPs), such as Critical Path and MessageClick, supply services to companies to eliminate virus problems.

                          f) Computer Forensics Experts
                          • A small group of firms whose job is to break into client computers.
                          • Computer forensics experts are hired to probe PCs.
                          • The field of computer forensics is for the collection, preservation, and analysis of computer-related evidence.


                          3) Protecting Electronic Commerce Channels
                          Providing commerce channel security means:
                          • Providing channel secrecy
                          • Guaranteeing message integrity
                          • Ensuring channel availability
                          • A complete security plan includes authentication
                          • Businesses must prevent eavesdroppers from reading Internet messages that they intercept.

                           a) Encryption
                          • Encryption is the coding of information by a mathematically based program and a secret key to produce an unintelligible string of characters.
                          • The program that transforms text into ciphertext is called an encryption program.
                          • Upon arrival, each message is decrypted using a decryption program.
                           Three Types of Encryption
                          • “Hash coding” is a process that uses a hash algorithm to calculate a hash value from a message.
                          • “Asymmetric encryption” or public-key encryption, encodes messages by using two mathematically related numeric keys: a public key and a private key.
                          • “Symmetric encryption” or private-key encryption, encodes a message by using a single numeric key to encode and decode data.



                           Encryption Standards
                          • The Data Encryption Standard (DES) is an encryption standard adopted by the U.S. government.
                          • DES is the most widely used private-key encryption system.
                          • Triple Data Encryption Standard (3DES) is a more robust version of DES.
                          • The U.S. government’s National Institute of Standards and Technology (NIST) has been developing a new encryption standard.

                           Public-Key Encryption
                          • Public-key systems provide several advantages over private-key systems:
                          • The combination of keys required to provide private messages between enormous numbers of people is small
                          • Key distribution is not a problem
                          • Public-key systems make the implementation of digital signatures possible

                          Encryption Algorithms and Standards
                          • A list of significant encryption algorithms and standards is shown in Figure 6-16.
                          • Different algorithms have different strengths.
                          • Digest algorithms are hash code algorithms.
                          • MD2, MD4, and MD5 are message digest algorithms.

                          b) Secure Sockets Layer (SSL) Protocol
                          • The SSL system from Netscape provides secure information transfer through the Internet.
                          • The SSL works at the transport layer of Internet protocol.
                          • The SSL encrypts and decrypts information flowing between the two computers.
                          • All communication between SSL-enabled clients and servers is encoded.
                          • The protocol that implements SSL is HTTPS.
                          • A session key is a key used by an encryption algorithm during a single secure session.
                          • The longer the session key, the more resistant the encryption is to attack.
                          • The client and server can use 40-bit encryption or 128-bit encryption.
                          • The algorithm may be DES, Triple DES, or the RSA encryption algorithm.


                           c) Secure HTTP (S-HTTP) Protocol
                          • S-HTTP provides several security features, including:
                              - Client and server authentication
                              - Spontaneous encryption
                              - Request/response nonrepudiation
                          • This protocol operates at the topmost layer of the protocol suite – the application layer.
                          • S-HTTP provides:
                              - Symmetric encryption for maintaining secret communications
                              - Public-key encryption to establish client/server authentication
                              - Message digests for data integrity
                          • S-HTTP sets up security details with special packet headers that are exchanged in S-HTTP.
                          • The headers define the type of security techniques, including:
                              - The use of private-key encryption
                              - Server authentication
                              - Client authentication
                              - Message integrity
                          • A secure envelope encapsulates a message and provides secrecy, integrity, and client/server authentication.

                                            e) Ensuring Transaction Integrity
                                            • Integrity violation may occur whenever a message is altered while transiting between the sender and receiver.
                                            • To ensure transaction integrity, two separate algorithms are applied to a message:
                                            - Hash function
                                            - Digital signature

                                             Hash Functions 
                                            • Hash algorithms are one-way functions.
                                            • A hash algorithm has these characteristics:
                                            • It uses no secret key
                                            • The message digest it produces cannot be inverted to produce the original information
                                            • The algorithm and information about how it works are publicly available
                                            • Hash collisions are nearly impossible
                                            • MD5 is an example of a hash algorithm.

                                             Digital Signature
                                            • An encrypted message digest is called a digital signature.
                                            • A purchase order accompanied by the digital signature provides the merchant positive identification of the sender and assures the merchant that the message was not altered.
                                            • Used together, public-key encryption, message digests, and digital signatures provide quality security for Internet transactions.
                                                                             



                                            f) Ensuring Transaction Integrity 
                                            •  Electronic commerce activities typically involve a client browser sending payment information, order information, and payment instructions to the commerce server and the commerce server responding to the browser with the electronic confirmation of the order details.
                                            •  SSL provides security for message transmission, but an Internet interloper can still alter a message.
                                            •  A combination of techniques is used to create messages that are tamperproof and authenticated. 
                                            •  First, a hash algorithm is applied to the message to obtain a hash value (message digest). This hash value is appended to the message and sent to the receiver. The receiver recalculates the hash value and compares it with the original one.
                                            •  But a hash algorithm is public, so anyone who intercepts the message can alter it, recalculate the hash value, and retransmit the message. The receiver will calculate the same hash value.
                                            •  To prevent this type of fraud, the sender encrypts his/her message digest with a private key. An encrypted message digest is called a digital signature.
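
The steps above and the digital envelope described earlier, worked through as an added example (not code from the original notes). It shows why a bare appended hash does not detect an altered message while a signed digest does, then wraps a symmetric session key with the recipient's public key. All names are hypothetical; the key pairs are constructed from public Mersenne primes, the RSA is textbook RSA without padding, and the keystream cipher is a stand-in for a real symmetric cipher, so none of it is usable outside a demonstration. SHA-256 is used as the hash.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs


def toy_keypair(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed keys built from well-known Mersenne primes: trivially factorable,
# chosen only so the example is deterministic and needs no key generation.
SENDER_N, SENDER_D = toy_keypair(2**127 - 1, 2**521 - 1)        # signing key
RECIPIENT_N, RECIPIENT_D = toy_keypair(2**107 - 1, 2**607 - 1)  # envelope key


def digest(message: bytes) -> int:
    """Message digest (SHA-256) as an integer. Public algorithm, no key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def check_bare_hash(message: bytes, appended_hash: int) -> bool:
    """Receiver side of the hash-only scheme: recompute and compare."""
    return digest(message) == appended_hash


def sign(message: bytes) -> int:
    """Digital signature: the digest transformed with the sender's private key."""
    return pow(digest(message), SENDER_D, SENDER_N)


def verify(message: bytes, signature: int) -> bool:
    """Undo the signature with the sender's public key, compare to a fresh digest."""
    return pow(signature, E, SENDER_N) == digest(message)


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 keystream XOR); same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal_envelope(document: bytes):
    """Encrypt the document with a fresh session key, wrap that key for the recipient."""
    session_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(session_key, "big"), E, RECIPIENT_N)
    return wrapped_key, symmetric_xor(session_key, document)


def open_envelope(wrapped_key: int, ciphertext: bytes) -> bytes:
    """Recipient: recover the session key with the private key, then decrypt."""
    session_key = pow(wrapped_key, RECIPIENT_D, RECIPIENT_N).to_bytes(16, "big")
    return symmetric_xor(session_key, ciphertext)


def tamper_demo():
    """Compare both integrity schemes on an altered copy of a constructed order."""
    order = b"PO-1001: ship 1 unit to warehouse A"          # constructed sample
    altered = order.replace(b"ship 1 unit", b"ship 9 unit")
    signature = sign(order)
    return {
        # The altered message arrives with a hash recomputed over the altered text.
        "bare_hash_accepts_altered": check_bare_hash(altered, digest(altered)),
        "signature_accepts_original": verify(order, signature),
        # Without the sender's private key, the original signature is all there is.
        "signature_accepts_altered": verify(altered, signature),
    }


if __name__ == "__main__":
    print(tamper_demo())
    wrapped, sealed = seal_envelope(b"quarterly report")
    print(open_envelope(wrapped, sealed))
```
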


                                            g) Guaranteeing Transaction Delivery
                                            • Denial or delay of service attack removes or absorbs resources.
                                            • One way to deny service is to flood the Internet with a large number of packets.
                                            • No special computer security protocol beyond TCP/IP is required as a countermeasure against denial attacks.
                                                                        or,

                                            g) Guaranteeing Transaction Delivery
                                            •   Neither encryption nor digital signatures protect packets from theft or slowdown.
                                            •   Transmission Control Protocol (TCP) is responsible for end-to-end control of packets. 
                                            •  It reassembles packets at the destination in the correct order and handles all the details when packets do not appear.
                                            •  Every data packet sent by a TCP/IP client is confirmed by the TCP/IP receiver along with the size of the data packet. 
                                            •  If a data packet seems to be lost, the TCP server requests that the client computer resend the particular data packet.

                                             4) Protecting the Commerce Server
                                            • The commerce server and the Web server respond to requests from Web browsers through the HTTP protocol and CGI scripts.
                                            • Security solutions for commerce servers:
                                            • Access control and authentication
                                            • Operating system controls
                                            • Firewall

                                            a)  Access Control and Authentication
                                            • Access control and authentication refer to controlling who and what has access to the commerce server.
                                            • Authentication is principally through digital certificates.
                                            • Web servers often provide access control list security to restrict file access to selected users.
                                            • The server can authenticate a user in several ways:
                                            • First, the certificate represents the user’s admittance voucher
                                            • Second, the server checks the timestamp on the certificate to ensure that the certificate has not expired.
                                            • Third, a server can use a callback system to check the user’s client computer address and name.
                                            • An access control list (ACL) is a list or database of people who can access the files and resources.


                                            b) Operating System Controls
                                            • Most operating systems have a username and password user authentication system in place.
                                            • Access control lists and username/password protections are probably the best known of the UNIX security features.

                                            c)  Firewalls
                                            • A firewall is a computer and software combination that is installed at the entry point of a networked system.
                                            • The firewall provides the first line of defense to networks that could pose a threat.
                                            • Acting as a filter, firewalls permit selected messages to flow into and out of the protected network.
                                            •  Types of Firewalls
                                            a) Packet-filter firewalls examine all data flowing back and forth between the trusted network.
                                            b) Gateway servers are firewalls that filter traffic based on the application they request.
                                            c) Proxy servers are firewalls that communicate with the Internet on the private network’s behalf.



                                             


                                             



