1. 1 6 Chapter 6 Implementing Security for Electronic Commerce

2. 2 6 Objectives u Security measures that can reduce or eliminate intellectual property theft u Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages u Authenticate users to servers and authenticate servers

3. 3 6 Objectives u Available protection mechanisms to secure information sent between a client and a server u Message integrity security, preventing another program from altering information as it travels across the Internet

4. 4 6 Objectives u Safeguards that are available so commerce servers can authenticate users u Protecting intranets with firewalls and corporate servers against being attacked through the Internet u The role Secure Socket Layer, Secure HTTP and secure electronic transaction protocols play in protecting e-commerce

5. 5 6 Minimum Requirements for Secure Electronic Commerce

6. 6 6 Protecting Intellectual Property u The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works u Intellectual Property Protection in Cyberspace recommends: l Host name blocking l Packet filtering l Proxy servers

7. 7 6 Companies Providing Intellectual Property Protection Software u ARIS Technologies l Digital audio watermarking systems u Embedded code in audio file uniquely identifying the intellectual property u Digimarc Corporation l Watermarking for various file formats l Controls software and playback devices

8. 8 6 Companies Providing Intellectual Property Protection Software u SoftLock Services l Allows authors and publishers to lock files containing digital information for sale on the Web l Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing

9. 9 6 Protecting Client Computers u Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers u Threats can hide in l Web pages l Downloaded graphics and plug-ins l E-mail attachments

10. 10 6 Protecting Client Computers u Cookies l Small pieces of text stored on your computer and contain sensitive information that is not encrypted l Anyone can read and interpret cookie data l Do not harm client machines directly, but potentially could still cause damage u Misplaced trust l Web sites that aren’t really what they seem and trick the user into revealing sensitive data

11. 11 6 Monitoring Active Content u Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download u Digital certificates provide assurance to clients and servers that the participant is authenticated

12. 12 6 Digital Certificates u Also known as a digital ID u Is an attachment to an e-mail message or a program embedded in a Web page u It serves as a proof that the holder is the person or company identified by the certificate u A means to send encrypted message - encoded, so that others cannot read or duplicate it

13. 13 6 Digital Certificates u IN case of downloaded software containing a digital ID, it identifies the software publisher, i.e., it assures that the holder of the software is a trusted name. u A certification authority (CA) issues a digital certificate to an organization or an individual when provided with required information. u A certificate authority also signs the certificate in the form of a public encrypted key, which unlocks the certificate for anyone who receives the certificate attached to the publisher’s code. u CA guarantees the authenticity of the organization or individual.

14. 14 6 Digital Certificates u Key: l A key is simply a number - a long binary number (1s and 0s) - which is used with the encryption algorithm to “lock” the characters of the message that is to be protected. l Longer keys provide significantly better protection than shorter keys.

15. 15 6 VeriSign -- A Certification Authority

16. 16 6 VeriSign u Is the Oldest and best-known Certification Authority (CA) u Offers several classes of certificates l Class 1 (lowest level) u Bind e-mail address and associated public keys l Class 2 u Issued by an organization such as a bank to identify its customers. The certificate is still issued by a CA. l Class 4 (highest level) u Apply to servers and their organizations u Offers assurance of an individual’s identity and relationship to a specified organization

17. 17 6 Structure of a VeriSign Certificate Figure 6-4

18. 18 6 Microsoft Internet Explorer u Provides client-side protection right inside the browser u Reacts to ActiveX and Java-based content u Authenticode verifies the identity of downloaded content u The user decides to ‘trust’ code from individual companies

19. 19 6 Security Warning and Certificate Validation Figure 6-5

20. 20 6 Internet Explorer Zones and Security Levels Figure 6-6

21. 21 6 Internet Explorer Security Zone Default Settings Figure 6-7

22. 22 6 Netscape Navigator u User can decide to allow Navigator to download active content u User can view the signature attached to Java and JavaSript u Security is set in the Preferences dialog box u Cookie options are also set in the Preferences dialog box

23. 23 6 Setting Netscape Navigator Preferences Figure 6-8

24. 24 6 A Typical Netscape Navigator Java Security Alert Figure 6-9

25. 25 6 Viewing a Content Provider’s Certificate Figure 6-10

26. 26 6 Dealing with Cookies u Can be set to expire within 10, 20, or 30 days u Retrievable only by the site that created them u Collect information so that the user doesn’t have to continually enter usernames and passwords to access Web sites

27. 27 6 Dealing with Cookies u Earlier browsers simply stored cookies without comment u Today’s browsers allow options to: l Store cookies without permission or warning l Receive a warning that a cookie is about to be stored l Unconditionally disallow cookies altogether

28. 28 6 Protecting Electronic Commerce Channels: Communication Path u Protecting assets while they are in transit between client computers and remote servers u Providing channel security includes l Channel secrecy l Guaranteeing message integrity l Ensuring channel availability l Authentication

29. 29 6 Providing Transaction Privacy u Encryption l The coding of information by using a mathematically based program and secret key to produce unintelligible characters. Original information is changed. l Steganography u Makes text invisible to the naked eye l Cryptography u Converts text to strings that appear to have no meaning

30. 30 6 Encryption u 40-bit keys are considered minimal,128-bit keys provide much more secure encryption u Encryption can be subdivided into three functions l Hash Coding u Uses a hash algorithm to calculate a number called “hash value” from the original message string. l Asymmetric (Public-key) Encryption u Encodes by using two mathematically related keys l Symmetric (Private-key) Encryption u Encodes by using one key, both sender and receiver must know

31. 31 6 Hash Coding u Uses a hash algorithm to calculate a number called hash value from the original message string. u Typically, the algorithm uses all 1s and 0s that comprise a message, and come up with a value. Thus two messages should never have the same hash value. u Comparing the hash value before and after transmission of a message, can determine whether the message has been changed or not.

32. 32 6 Asymmetric (or Public-key) Encryption u Encodes messages by using two mathematically- related numeric keys: a public key and a private key. u The public key is freely available to anyone (public) who wants to communicate with the holder of both keys. It is used to encrypt messages. u The private key belongs to the key owner in secret, and is used to decrypt an encrypted message. u If Jack wants to send a message to Jill, then Jack obtains Jill’s public key, encrypts the message with it, and sends it. Only Jill can decrypt this message with her private key.

33. 33 6 Symmetric (or Private-key) Encryption u Encodes a message using a single numeric key (private key) to encode and decode data. u Because same key is used, both the sender and the receiver must know the key. u Thus it is not suitable for public communication over the Internet. u But, it might be suitable for highly secured communication such as that in defense sector or between two business partners.

34. 34 6 Hash Coding, Private-key, and Public-key Encryption

35. 35 6 Significant Encryption Algorithms and Standards