Security mechanisms in e-commerce (this answer is according to syllabus)
Security mechanisms:
The different security mechanisms of e-commerce are:
- 1) Cryptography, 2) Hash Functions, 3) DIGITAL SIGNATURES, 4) Authentication and Access Control, 5) Intrusion Detection System (IDS), 6) Secured Socket Layer
1)Cryptography
It is the art and science of making a cryptosystem that is capable of providing information security. Cryptography deals with the actual securing of digital data. It refers to the design of mechanisms based on mathematical algorithms that provide fundamental information security services. You can think of cryptography as the establishment of a large toolkit containing different techniques in security applications.
OR,
Cryptography
- The science of coding and decoding messages so as to keep these messages secure.
- Coding (see encryption) takes place using a key that ideally is known only by the sender and intended recipient of the message.
Encryption Techniques for Data and Message Security (Private and Public Key Cryptography)
- The success or failure of an e-commerce operation depends on different key factors, including but not limited to the business model, the team, the customers, the investors, the product, and the security of data transmissions and storage.
- Data security has taken on heightened importance since a series of high-profile "cracker" attacks have humbled popular Web sites, resulting in the impersonation of employees for the purposes of digital certification, and the misuse of credit card numbers of customers at business-to-consumer e-commerce destinations.
- Technologists are building new security measures while others are working to crack the security systems. One of the most effective means of ensuring data security and integrity is encryption.
- Cryptography is the method of encrypting messages so that unauthorized parties cannot read them.
- Cryptography is everywhere:
  - Secure communication:
    - wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth
  - Encrypting files on disk: EFS, TrueCrypt
  - Content protection (e.g. DVD, Blu-ray): CSS, AACS
  - User authentication and much, much more...
- In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment.
Encryption
- Encryption is a generic term that refers to the act of encoding data, in this context so that those data can be securely transmitted via the Internet.
- Encryption can protect the data at the simplest level by preventing other people from reading the data.
1. establishing the identity of users (or abusers);
2. control the unauthorized transmission or forwarding of data;
3. verify the integrity of the data (i.e., that it has not been altered in any way);
4. and ensure that users take responsibility for the data that they have transmitted.
- Encryption can therefore be used either to keep communications secret (defensively) or to identify people involved in communications (offensively).
- Encryption Provides the Following Security:
- Message Integrity: provides assurance that the message has not been altered.
- Non-repudiation: prevents the user from denying that he/she sent the message.
- Authentication: verify the identity of the person (or machine) sending the message.
- Confidentiality: give assurance that the message was not read by others.
- There are two types of encryption:
1. symmetric key encryption;
2. asymmetric key encryption.
- Symmetric key and asymmetric key encryption are used, often in conjunction, to provide a variety of security functions for data and message security in the e-commerce
2) Hash Functions
- Hash algorithms are one-way functions.
- A hash algorithm has these characteristics:
- It uses no secret key
- The message digest it produces cannot be inverted to produce the original information
- The algorithm and information about how it works are publicly available
- Hash collisions are nearly impossible
- MD5 is an example of a hash algorithm.
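The properties listed above, shown on a constructed order message. This is an added example, not part of the original notes; it uses SHA-256 rather than the MD5 named above because practical MD5 collisions have been demonstrated, and the order strings and function names are assumptions. It also shows the limit of an unkeyed digest: it proves integrity only when the digest itself is trusted, which is the gap digital signatures (section 3) close.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Unkeyed message digest: anyone can compute it, no secret is involved."""
    return hashlib.sha256(message).hexdigest()


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Number of bits that differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def intact(message: bytes, trusted_digest: str) -> bool:
    """Recompute the digest and compare it with one obtained from a trusted source."""
    return hmac.compare_digest(digest(message), trusted_digest)


# Constructed sample data: an order and a copy with one character altered.
ORDER = b"order=1001;item=book;amount=100.00"
ALTERED = b"order=1001;item=book;amount=900.00"


def demo() -> dict:
    trusted = digest(ORDER)
    return {
        "digest_hex_length": len(trusted),  # fixed size whatever the input length
        "bits_changed": bits_changed(trusted, digest(ALTERED)),
        "original_verifies": intact(ORDER, trusted),
        "altered_detected": not intact(ALTERED, trusted),
        # If the digest simply travels with the message, whoever alters the
        # message can recompute it, and the check passes on the altered order.
        "swapped_pair_passes": intact(ALTERED, digest(ALTERED)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```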
3)DIGITAL SIGNATURES
- It is a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form.
- It is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged.
- Digital signature schemes normally give two algorithms, one for signing which involves the user's secret or private key, and one for verifying signatures which involves the user's public key. The output of the signature process is called the "digital signature."
- Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped.
- The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
4) Authentication and Access Control
- The process of identifying an individual is usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity.
- Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
- Authentication provides the identification of the originator. It confirms to the receiver that the data received has been sent only by an identified and verified sender.
- Access control and authentication refer to controlling who and what has access to the commerce server.
- Authentication is principally through digital certificates.
- Web servers often provide access control list security to restrict file access to selected users.
- The server can authenticate a user in several ways:
- First, the certificate represents the user’s admittance voucher.
- Second, the server checks the timestamp on the certificate to ensure that the certificate has not expired.
- Third, a server can use a callback system to check the user’s client computer address and name.
- An access control list (ACL) is a list or database of people who can access the files and resources.
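The difference between authentication and authorization described above, as an added example that is not part of the original notes. The certificate dictionaries follow the shape Python's `SSLSocket.getpeercert()` returns; the identities, resources, dates and function names are constructed, and the code assumes the TLS layer has already validated the certificate chain.

```python
import ssl

# Hypothetical access control list: identity -> resources it may read.
ACL = {
    "alice@shop.example": {"/orders", "/invoices"},
    "bob@shop.example": {"/orders"},
}


def common_name(cert):
    """Extract commonName from a getpeercert()-style subject."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authenticate(cert, now):
    """Who is this? Return the identity only if the certificate is in date."""
    if not cert:
        return None
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return common_name(cert) if start <= now <= end else None


def authorize(identity, resource):
    """What may they access? Look the identity up in the ACL."""
    return resource in ACL.get(identity, set())


def handle(cert, resource, now):
    identity = authenticate(cert, now)
    if identity is None:
        return "401 not authenticated"
    if not authorize(identity, resource):
        return "403 authenticated but not authorized"
    return "200 ok"


def make_cert(cn, not_after):
    """Build a constructed sample certificate dictionary."""
    return {"subject": ((("commonName", cn),),),
            "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": not_after}


NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")  # fixed clock for the example
ALICE = make_cert("alice@shop.example", "Dec 31 23:59:59 2024 GMT")
BOB = make_cert("bob@shop.example", "Dec 31 23:59:59 2024 GMT")
EXPIRED = make_cert("alice@shop.example", "Mar  1 00:00:00 2024 GMT")
```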
5) Intrusion Detection System(IDS)
- An intrusion detection system (IDS) is a tool or software that works with your network to keep it secure and flag when somebody is trying to break into your system.
- Intrusion detection systems are usually a part of other security systems or software, which together are intended to protect information systems.
- IDS security works in combination with authentication and authorization access control measures, as a double line of defense against intrusion.
- Firewalls and anti-malware software alone are not enough to protect an entire network from attack. Using a fully-fledged IDS as part of your security system is vital and is intended to apply across your entire network in different ways.
- An IDS is either a hardware device or software application that uses known intrusion signatures to detect and analyze both inbound and outbound network traffic for abnormal activities.
- This is done through:
2. Scanning processes that detect signs of harmful patterns.
3. Monitoring user behavior to detect malicious intent.
4. Monitoring system settings and configurations.
- Upon detecting a security policy violation, virus or configuration error, an IDS is able to kick an offending user off the network and send an alert to security personnel.
- Despite its benefits, including in-depth network traffic analysis and attack detection, an IDS has inherent drawbacks. Because it uses previously known intrusion signatures to locate attacks, newly discovered (i.e., zero-day) threats can remain undetected.
- Furthermore, an IDS only detects ongoing attacks, not incoming assaults. To block these, an intrusion prevention system is required.
Types of Intrusion Detection systems
You might be wondering: what are the different ways to classify an IDS? There are three main types of intrusion detection software, or three main “parts,” depending on if you view these all as part of one system:
1. Network Intrusion Detection System
2. Network Node Intrusion Detection System
3. Host Intrusion Detection System
At the most basic level, Network Intrusion Detection Systems and Network Node Intrusion Detection Systems look at network traffic, while Host Intrusion Detection Systems look at actions and files on the host devices.
a)Network Intrusion Detection System
A Network Intrusion Detection System (NIDS) is generally deployed or placed at strategic points throughout the network, intended to cover those places where traffic is most likely to be vulnerable to attack. Generally, it’s applied to entire subnets, and it attempts to match any traffic passing by to a library of known attacks. It passively looks at the network traffic coming through the points on the network on which it’s deployed. A NIDS can be relatively easy to secure and can be made difficult for intruders to detect. This means an intruder may not realize their potential attack is being detected by the NIDS.
Network-based intrusion detection system software analyzes a large amount of network traffic, which means it sometimes has low specificity.
b)Host Intrusion Detection System
- The Host Intrusion Detection System (HIDS) runs on all the devices in the network with access to the internet and other parts of the enterprise network. HIDS have some advantages over NIDS, due to their ability to look more closely at internal traffic, as well as working as a second line of defense against malicious packets a NIDS has failed to detect.
- There are also two main approaches to detecting intrusion: signature-based IDS and anomaly-based IDS.
Signature-Based IDS
- This type of IDS is focused on searching for a “signature,” patterns, or a known identity, of an intrusion or specific intrusion event. Most IDS are of this type.
- It needs regular updates of what signatures or identities are common at the moment to ensure its database of intruders is current. This means signature-based IDS is only as good as how up-to-date its database is at a given moment.
Anomaly-Based IDS
- In contrast to signature-based IDS, anomaly-based IDS looks for the kinds of unknown attacks signature-based IDS finds hard to detect.
- Due to the rapid growth in malware and attack types, anomaly-based IDS uses machine learning approaches to compare models of trustworthy behavior with new behavior. As a result, strange- or unusual-looking anomalies or behavior will be flagged.
- However, previously unknown, but legitimate, behavior can be accidentally flagged as well, and depending on the response, this can cause some problems.
- However, anomaly-based IDS is good for determining when someone is probing or sweeping a network before the attack takes place.
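The two detection approaches run side by side over constructed traffic, as an added example that is not part of the original notes. The signature set, addresses and events are made up for illustration, and a simple mean-plus-k-standard-deviations baseline stands in for the machine learning models mentioned above. The sweep from 192.0.2.9 matches no signature and is caught only by the anomaly check, while 192.0.2.7 is a legitimate new host flagged as a false positive.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signature set for illustration, not taken from a real rule feed.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "sql-tautology": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
}


def event(src, port, payload=""):
    return {"src": src, "port": port, "payload": payload}


def signature_alerts(events):
    """Signature-based: flag events whose payload matches a known pattern."""
    return [(e["src"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["payload"])]


def ports_per_source(events):
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["port"])
    return {src: len(ports) for src, ports in seen.items()}


def anomaly_alerts(baseline, window, k=3.0):
    """Anomaly-based: flag sources contacting far more distinct ports than
    the baseline of normal traffic (mean + k standard deviations)."""
    counts = list(ports_per_source(baseline).values())
    threshold = mean(counts) + k * pstdev(counts)
    return sorted(s for s, n in ports_per_source(window).items() if n > threshold)


# Constructed traffic. Baseline: four clients using two or three ports each.
BASELINE = [event(f"192.0.2.{h}", p) for h in (1, 2, 3, 4) for p in (80, 443)]
BASELINE.append(event("192.0.2.4", 8080))
WINDOW = (
    [event("192.0.2.1", 443, "GET /cart")]
    + [event("192.0.2.5", 80, "GET /item?id=1' OR 1=1--")]       # known pattern
    + [event("192.0.2.9", p) for p in range(20, 41)]             # port sweep
    + [event("192.0.2.7", p) for p in (22, 80, 443, 873, 3306)]  # new backup host
)

if __name__ == "__main__":
    print("signature:", signature_alerts(WINDOW))
    print("anomaly:  ", anomaly_alerts(BASELINE, WINDOW))
```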
OR,
Intrusion Detection System(IDS)
- An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
- Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
- A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
- IDS types range in scope from single computers to large networks. The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS).
- A system that monitors important operating system files is an example of a HIDS, while a system that analyzes incoming network traffic is an example of a NIDS.
- It is also possible to classify IDS by the detection approach. The most well-known variants are signature-based detection (recognizing bad patterns, such as malware) and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine learning).
- Another common variant is reputation-based detection (recognizing the potential threat according to the reputation scores).
- Some IDS products have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as intrusion prevention systems.
- Intrusion detection systems can also serve specific purposes by augmenting them with custom tools, such as using a honeypot to attract and characterize malicious traffic. (Wikipedia)
OR,
Intrusion Detection System(IDS)
- The idea of an intrusion detection management system is to enhance the security of e-commerce systems. An Intrusion Management System applies different Intrusion Detection Systems (IDS) to not only detect a threat but also to analyze it and propose countermeasures to avoid compromising the guarded system.
- Numerous intrusion detection systems, using different techniques are linked to an attack analyzer. The attack analyzer gathers the information from n different IDS within the system and diagnoses a treatment plan.
- The system administrator or a response planning module aiding the administrator can also query the analyzer for information about the attacking character, possible goals, and the impending threat level.
- For the treatment plan, depending on the analysis, a multitude of countermeasures is identified and ranked. The countermeasure identification is done using data mining techniques on a countermeasure repository, the final ranking through sorting algorithms. A feasibility study has shown that an analyzer can match a problem against a solution repository and find the optimal treatment suggestions, applied with a ranking, in an acceptably short period of time.
6) Secured Socket Layer
- SSL is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Gmail).
- It is a TCP-based transport layer security service developed by Netscape.
- Two important SSL concepts are 1. SSL Connection and 2. SSL session.
- The session is an association between the client and a server created by using the handshake protocol, i.e. TCP.
- Connection is a type of transport service that is transient, peer-to-peer, and associated with one session.
- Version 3.1 of the SSL protocol was designed with public review and industry input, and it subsequently became the Internet standard known as TLS (Transport Layer Security).
- TLS is the standardized (on the Internet Engineering Task Force—IETF— level) version of SSL. TLS is also referred to as SSL version 3.1, whereas the most commonly used SSL version is 3.0.
- Both protocols can provide the following basic security services:
- Mutual authentication: Verifies the identities of both the server and client through exchange and validation of their digital certificates.
- Communication privacy: Encrypts information exchanged between secure servers and secure clients using a secure channel.
- Communication integrity: Verifies the integrity of the contents of messages exchanged between client and server, which ensures that messages haven’t been altered en route.
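How the mutual authentication service above maps onto a real configuration, as an added example that is not part of the original notes. It uses Python's standard `ssl` module, whose default server context authenticates only the server; the function names, the TLS 1.2 floor and the audit wording are choices of this example.

```python
import ssl


def hardened_server_context(certfile=None, keyfile=None, client_ca=None):
    """Server context that authenticates clients too (mutual authentication).

    File paths are optional so the settings can be inspected without key
    material; a real server needs all three.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: TLS 1.2 floor
    ctx.verify_mode = ssl.CERT_REQUIRED           # client must present a certificate
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)    # the server's own identity
    if client_ca:
        ctx.load_verify_locations(client_ca)      # CA that issues client certificates
    return ctx


def audit(ctx, role):
    """List settings that weaken the services listed above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if role == "client" and not ctx.check_hostname:
        findings.append("server hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def default_server_findings():
    """Audit the library's default server context (server-only authentication)."""
    return audit(ssl.create_default_context(ssl.Purpose.CLIENT_AUTH), "server")


if __name__ == "__main__":
    print("default server: ", default_server_findings())
    print("hardened server:", audit(hardened_server_context(), "server"))
```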