EMTM 553: E-commerce Systems
Lecture 7: Implementing Security
Insup Lee, Department of Computer and Information Science, University of Pennsylvania
5/4/00

1 EMTM 553: E-commerce Systems. Lecture 7: Implementing Security
Insup Lee, Department of Computer and Information Science, University of Pennsylvania

2 Protecting Electronic Commerce Assets
You cannot hope to produce secure commerce systems unless there is a written security policy
– What assets are to be protected
– What is needed to protect those assets
– Analysis of the likelihood of threats
– Rules to be enforced to protect those assets

3 Protecting Electronic Commerce Assets
Both defense and commercial security guidelines state that you must protect assets from
– Unauthorized disclosure
– Modification
– Destruction
Typical security policy concerning confidential company information
– Do not reveal company confidential information to anyone outside the company

4 Minimum Requirements for Secure Electronic Commerce
Figure 6-1

5 Protecting Intellectual Property
The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works

6 Companies Providing Intellectual Property Protection Software
ARIS Technologies (part of
– Digital audio watermarking systems
  o Embedded code in audio file uniquely identifying the intellectual property
Digimarc Corporation
– Watermarking for various file formats
– Controls software and playback devices

7 Companies Providing Intellectual Property Protection Software
SoftLock Services
– Allows authors and publishers to lock files containing digital information for sale on the Web
– Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing
– infrastructure and integrated services necessary to securely market and distribute multimedia digital content to its maximum audience

8 Protecting Client Computers
Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
Threats can hide in
– Web pages
– Downloaded graphics and plug-ins
– E-mail attachments
Misplaced trust
– Web sites that aren’t really what they seem and trick the user into revealing sensitive data

9 Protecting Client Privacy
Cookies
– Small pieces of text stored on your computer and contain sensitive information that is not encrypted
– Anyone can read and interpret cookie data
– Do not harm client machines directly, but potentially could still cause damage
– Two types: session cookie and persistent cookie

10 Dealing with Cookies
Can be set to expire within 10, 20, or 30 days
Retrievable only by the site that created them
Collect information so that the user doesn’t have to continually enter usernames and passwords to access Web sites
Earlier browsers simply stored cookies without comment
Today’s browsers allow the user to
– Store cookies without permission or warning
– Receive a warning that a cookie is about to be stored
– Unconditionally disallow cookies altogether
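
An added example, not part of the original slides: a small audit of Set-Cookie headers that separates session cookies from persistent ones (slides 9 and 10) and reports how long a persistent cookie lives and whether its unencrypted contents are exposed. The sample headers are constructed; the checks on the Secure and HttpOnly attributes are this example's choice of what to flag.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not from the lecture).
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Secure; HttpOnly",
    "login=alice:hunter2; Expires=Sat, 03 Jun 2000 00:00:00 GMT; Path=/",
    "prefs=lang%3Den; Max-Age=864000; Secure",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def classify(header, now):
    """Describe a cookie's lifetime and which protections it lacks."""
    name, _value, attrs = parse_set_cookie(header)
    days = None
    if "max-age" in attrs:                 # Max-Age takes precedence over Expires
        days = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        days = (expires - now).total_seconds() / 86400
    # No expiry attribute at all: the cookie is dropped when the browser closes.
    kind = "session" if days is None else "persistent"
    findings = []
    if "secure" not in attrs:
        findings.append("sent over plain HTTP (no Secure)")
    if "httponly" not in attrs:
        findings.append("readable by page scripts (no HttpOnly)")
    return {"name": name, "kind": kind, "days": days, "findings": findings}

if __name__ == "__main__":
    now = datetime(2000, 5, 4, tzinfo=timezone.utc)   # date of the lecture
    for header in SAMPLE_HEADERS:
        print(classify(header, now))
```
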

11 Monitoring Active Content
Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download
Digital certificates provide assurance to clients and servers that the participant is authenticated

12 Digital Certificates
Also known as a digital ID
An attachment to an e-mail message
Embedded in a Web page
Serves as proof that the holder is the person or company identified by the certificate
Encoded so that others cannot read or duplicate it
Ex: visit and click on a

13 VeriSign
Oldest and best-known Certification Authority (CA)
Offers several classes of certificates
– Class 1 (lowest level)
  o Bind e-mail address and associated public keys
– Class 4 (highest level)
  o Apply to servers and their organizations
  o Offers assurance of an individual’s identity and relationship to a specified organization
Visit

14 Structure of a VeriSign Certificate
Figure 6-4

15 Microsoft Internet Explorer
Provides client-side protection right inside the browser
Reacts to ActiveX and Java-based content
Authenticode verifies the identity of downloaded content
The user decides to ‘trust’ code from individual companies

16 Security Warning and Certificate Validation
Figure 6-5

17 Internet Explorer Zones and Security Levels
Figure 6-6

18 Internet Explorer Security Zone Default Settings
Figure 6-7

19 Netscape Navigator
User can decide to allow Navigator to download active content
User can view the signature attached to Java and JavaScript
Security is set in the Preferences dialog box
Cookie options are also set in the Preferences dialog box

20 Setting Netscape Navigator Preferences
Figure 6-8

21 A Typical Netscape Navigator Java Security Alert
Figure 6-9

22 Viewing a Content Provider’s Certificate
Figure 6-10

23 Protecting Electronic Commerce Channels
Protecting assets while they are in transit between client computers and remote servers
Providing channel security includes
– Channel secrecy
– Guaranteeing message integrity
– Ensuring channel availability
– Authentication
Cannot prevent eavesdropping through snooping in general

24 Providing Transaction Privacy
Encryption
– The coding of information by using a mathematically based program and secret key to produce unintelligible characters
– Steganography
  o Makes text invisible to the naked eye
– Cryptography
  o Converts text to strings that appear to have no meaning

25 Encryption
40-bit keys are considered minimal, 128-bit keys provide much more secure encryption
Encryption can be subdivided into three functions
– Hash Coding
  o Calculates a number from any length string
– Asymmetric (Public-key) Encryption
  o Encodes by using two mathematically related keys
– Symmetric (Private-key) Encryption
  o Encodes by using one key, both sender and receiver must know

26 Hash Coding, Private-key, and Public-key Encryption
Figure 6-11

27 Significant Encryption Algorithms and Standards
Figure 6-12

28 Secure Sockets Layer (SSL) Protocol
Developed by Netscape Communications
Secures connections between two computers
Provides a security handshake in which the client and server computers exchange, among other things, the level of security to be used and certificates
Secures many different types of communications between computers

29 Secure Sockets Layer (SSL) Protocol
Provides either 40-bit or 128-bit encryption
Session keys are used to create the cipher text from plain text during the session
The longer the key, the more resistant to attack
Protocol is called https
– Ex:

30 SSL Handshake
The SSL handshake consists of nine steps that authenticate the two parties and create a shared session key. [Stein]

31 SSL Web Server Information
Figure 6-14

32 Secure HTTP (S-HTTP) Protocol
Developed by CommerceNet Consortium
Extension to HTTP that provides numerous security features
– Client and server authentication
– Spontaneous encryption
– Request/response nonrepudiation
Provides symmetric and public-key encryption, and message digests (summaries of messages as integers)
Whereas SSL is designed to establish a secure connection between two computers, S-HTTP is designed to send individual messages securely.

33 Ensuring Transaction Integrity
Figure 6-15

34 Guaranteeing Transaction Delivery
Neither encryption nor digital signatures protect packets from theft or slowdown
Transmission Control Protocol (TCP) is responsible for end-to-end control of packets
TCP requests that the client computer resend data when packets appear to be missing

35 Protecting the Commerce Server
Access control and authentication
– Controlling who and what has access to the server
– Requests that the client send a certificate as part of authentication
– Server checks the timestamp on the certificate to ensure that it hasn’t expired
– Can use a callback system in which the client computer address and name are checked against a list

36 Protecting the Commerce Server
Usernames and passwords are the most common method of providing protection for the server
Usernames are stored in clear text, while passwords are encrypted
The password entered by the user is encrypted and compared to the one on file
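
An added example, not part of the original slides: the login check from slide 36, with usernames kept in clear text and each password kept only in transformed form, then the entered password transformed the same way and compared to the one on file. The slide names no algorithm; using a salted one-way hash (PBKDF2-HMAC-SHA256) as the "encrypted" form, the iteration count, and the `PasswordFile` class are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

class PasswordFile:
    """Hypothetical server-side store: clear-text username -> (salt, digest)."""

    def __init__(self):
        self._records = {}

    def add_user(self, username, password):
        self._records[username] = hash_password(password)

    def stored_form(self, username):
        return self._records[username]

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison of the entered password's digest
        # with the one on file.
        return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    users = PasswordFile()
    users.add_user("alice", "correct horse")      # constructed sample account
    print(users.verify("alice", "correct horse"))  # matching password
    print(users.verify("alice", "wrong guess"))    # mismatching password
```

Because each record has its own salt, two users with the same password end up with different stored values, so the file does not reveal shared passwords.
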

37 Logging On With A Username And Password
Figure 6-16

38 Operating System Controls
Most operating systems employ username and password authentication
A common defense is a firewall
– All traffic from inside to outside and outside to inside must pass through it
– Only authorized traffic is allowed
– The firewall itself must be immune to penetration

39 Application Firewalls
[Figure labels: smtp: 25, ftp: 21, telnet: 23, http: 80; OSI layers Presentation, Session, Transport, Network, Data Link, Physical; Site 1, Site 2, Internet; Traffic Cop]

40 Check Point Software’s Firewall-1 Web Page
Figure 6-17
