Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 E-Commerce Security Part II – Security Techniques.

Published byLetitia Bell Modified over 8 years ago

Similar presentations

Presentation on theme: "1 E-Commerce Security Part II – Security Techniques."— Presentation transcript:

1

2 1 E-Commerce Security Part II – Security Techniques

3 2 Objectives Specific security objectives for protecting –Web business assets and customer privacy –client computers from security threats –information as it travels through the Internet communication channel –the security of Web server computers Organizations that promote computer, network, and Internet security

4 3 Security in Computer IS Customers engaging in electronic commerce need to feel confident that their transactions are secure from prying eyes and safe from alteration. The security policy must be regularly revised as threat conditions change. A security policy must protect a system’s privacy, integrity, and availability and authenticate users.

5 4 Protecting Electronic Commerce Assets

6 5 Protecting Privacy Cookies contain private information that can include credit card data, passwords, and login information. The best way to protect your privacy is to disable cookies entirely.

7 6

8 7 Protecting Client Computers Client computers must be protected from threats. Active content can be one of the most serious threats to client computers.

9 8 Monitoring Active Content Netscape Navigator and Microsoft Internet Explorer browsers are equipped to recognize when they are about to download Web page containing active content. When a user downloads Web pages and runs programs that are embedded in them, it gives the user a chance to confirm that the programs are from a known and trusted source.

10 9 Microsoft Internet Explorer

11 10 Digital Certificates A digital certificate verifies that a user or Web site is who it claims to be. The digital certificate contains a means for sending an encrypted message to the entity that sent the original Web page or message. A Web site’s digital certificate is a shopper’s assurance that the Web site is the real store.

12 11 Digital Certificates

13 12 Using Antivirus Software Antivirus software is a defense strategy. One of the most likely places to find a virus is in an electronic mail attachment. Some Web e-mail systems let users scan attachments using antivirus software before downloading e-mail.

14 13 Communication Channel Security Integrity violations can occur whenever a message is altered while in transit between the sender and receiver. Ensuring transaction integrity, two separate algorithms are applied to a message: Hash function Digital signature

15 14 Hash Functions A hash function creates a fixed length number – often 128 bits (16 characters) long – that summarizes the message content. Hash algorithms are one-way functions. A hash algorithm has these characteristics: It uses no secret key. The message digest cannot be inverted to produce the original information. The algorithm and information about how it works are publicly available.

16 15 Digital Signature A message’s computed number is called a message digest. An encrypted message digest is called a digital signature. A purchase order accompanied by the digital signature provides the merchant positive identification of the sender and assures the merchant that the message was not altered. Used together, public-key encryption, message digests, and digital signatures provide quality security for Internet transactions.

17 16 Digital Signatures

18 17 Encryption Encryption is the coding of information by a mathematically based program and a secret key to produce a string of characters that is unintelligible. The science that studies the encryption is called cryptography (krupto and grafh) The program that transforms text into cipher text is called an encryption program. Upon arrival, each message is decrypted using a decryption program.

19 18 Three Types of Encryption “Hash coding” is a process that uses a hash algorithm to calculate a hash value from a message. “Asymmetric encryption,” or public-key encryption, encodes messages by using two mathematically related numeric keys: a public key and a private key. “Symmetric encryption,” or private-key encryption, encodes a message using a single numeric key to encode and decode data.

20 19 Encryption Methods

21 20 Encryption: Symmetric Makiko Takao Message Public Keys Makiko 29 Takao 17 Message Encrypted Private Key 13 Private Key 37 Use Takao’s Public key Use Takao’s Private key Makiko sends message to Takao that only he can read.

22 21 Asymmetric: Authentication Makiko Takao Public Keys Makiko 29 Takao 17 Private Key 13 Private Key 37 Use Takao’s Public key Use Takao’s Private key Takao sends message to Makiko: His key guarantees it came from him. Her key prevents anyone else from reading message. Message Encrypt+T Encrypt+T+M Encrypt+M Use Makiko’s Public key Use Makiko’s Private key Transmission

23 22 Encryption Standards The Data Encryption Standard (DES) is an encryption standard adopted by the U.S. government. DES is the most widely used private-key encryption system. Triple Data Encryption Standard (3DES) is a more robust version of DES. The U.S. government’s National Institute of Standards and Technology (NIST) has developed a new encryption standard.

24 23 Encryption Algorithms and Standards

25 24 Secure Sockets Layer (SSL) Protocol The SSL system from Netscape is a system that provides secure information transfer through the Internet. The SSL encrypts and decrypts information flowing between the two computers. All communication between SSL-enabled clients and servers is encoded.

26 25 Secure Sockets Layer (SSL) Protocol The protocol that implements SSL is HTTPS. A session key is a key used by an encryption algorithm during a single secure session. The longer the session key, the more resistant the encryption is to attack. The algorithm may be DES, Triple DES, or the RAS encryption algorithm.

27 26 Secure HTTP (S-HTTP) Protocol The headers define the type of security techniques, including: The use of private-key encryption Server authentication Client authentication Message integrity A secure envelope encapsulates a message and provides secrecy, integrity, and client/server authentication.

28 27 Protecting the Web Server Security solutions for commerce servers: Access control and authentication Operating system controls Firewall

29 28 Access Control & Authentication Access control and authentication refers to controlling who and what has access to the commerce server. Authentication is performed using digital certificates. Web servers often provide access control list security to restrict file access to selected users.

30 29 Access Control & Authentication The server can authenticate a user in several ways: First, the certificate represents the user’s admittance voucher. Second, the sever checks the timestamp on the certificate to ensure that the certificate has not expired. Third, a server can use a callback system to check the user’s client computer address and name. An access control list (ACL) is a list or database of people who can access the files and resources.

31 30 Access Control and Authentication

32 31 Dial Back Modem phone company phone company 1 6 3 7 2 5 4 Jones 1111 Smith 2222 Olsen 3333 Araha 4444 1) User calls computer. 2) Modem answers. 3) User enters name and password. 4) Modem hangs up. 5) Modem dials phone number in database. 6) User machine answers. 7) User gets access. If hacker somehow gets name and password. Company modem will hang up and call back number in database, preventing hacker from accessing the computer.

33 32 Operating System Controls Most operating systems have a username and password as well as a user authentication system in place. Access control lists and username/password protections are probably the best known of the UNIX security features.

34 33 User Identification Passwords –Dial up service found 30% of people used same word –People choose obvious words Hints –Don’t use real words, personal names –Include non-alphabetic –Change often –Use at least 6 characters

35 34 Alternatives: Biometrics –Finger/hand print –Voice recognition –Retina/blood vessels –Thermal Biometrics Comments –Don’t have to remember –Reasonably accurate –Price is dropping –Nothing is perfect

36 35 Biometrics: Thermal Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.

37 36 Firewalls A firewall is a computer and software combination that is installed at the entry point of a networked system. The firewall provides the first line of defense between a network and the Internet or other network that could pose a threat. Acting as a filter, firewalls permit selected messages to flow into and out of the protected network.

38 37 Types of Firewalls Packet-filter firewalls examine all the data flowing back and forth between the trusted network. Gateway servers are firewalls that filter traffic based on the application they request. Proxy severs are firewalls that communicate with the Internet on the private network’s behalf.

39 38 Computer Forensics and Ethical Hacking A small group of firms whose job is to break into client computers. Computer forensics experts are hired to probe PCs. The field of computer forensics is for the collection, preservation, and analysis of computer-related evidence.

40 39 Computer Security Resources CERT SANS Institute Internet Storm Center Center for Internet Security Microsoft Research Security U.S. Dept. of Justice Cybercrime National Infrastructure Protection Center

Download ppt "1 E-Commerce Security Part II – Security Techniques."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Threats and Protection Mechanisms

Threats and Protection Mechanisms
Implementing Electronic Commerce Security Gary Schneider, 2003

Implementing Electronic Commerce Security Gary Schneider, 2003
Cryptography and Network Security

Cryptography and Network Security
5/4/00EMTM 5531 EMTM 553: E-commerce Systems Lecture 7: Implementing Security Insup Lee Department of Computer and Information Science University of Pennsylvania.

5/4/00EMTM 5531 EMTM 553: E-commerce Systems Lecture 7: Implementing Security Insup Lee Department of Computer and Information Science University of Pennsylvania.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Electronic Commerce Security Presented by: Chris Brawley Chris Avery.

Electronic Commerce Security Presented by: Chris Brawley Chris Avery.
Implementing Electronic Commerce Security

Implementing Electronic Commerce Security
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Chapter 10: Electronic Commerce Security

Chapter 10: Electronic Commerce Security
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Implementing Security for Electronic Commerce

Implementing Security for Electronic Commerce
1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.

1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.

Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
Implementing Security for Electronic Commerce

Implementing Security for Electronic Commerce
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.

Similar presentations

Ads by Google