By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security

Main Points Web Security Threats Cryptography Encryption and Decryption SSL Digital Certificates

Introduction Even though online shopping has become largely accepted by most segments of the public, many people are wary of the security of the Internet. The explosive growth of the Internet has attracted countless thieves seeking to take advantages of weakness in the retail realm. Stolen customer data is extremely valuable to thieves and very costly to e-business that fail to protect their shopper's personal information.

Server Client Intranet Internet Extranet Communication Channels

BrowserRouter Server Router Hacker Sniffer Web Security Threats

BrowserRouter Server Router Hacker FAKE Server Cont.

Bank Katie sends Order Form Katie’s Bank CD Store Merchant’s Bank ISP Online CD Store CD Warehouse Web Server Internet Payment Network Katie’s order Order printed at CD warehouse CD arrives 2-3 days after order is received Typical B2C Transaction

ISP Online CD Store CD Warehouse Web Server Katie A Tapping line B Sniffer at ISP C Sniffer on Internet backbone E Breaking into store database D Internet Backbone Web Security Threats in B2C

What are the threats in E-commerce Security threats A to D can be handled by providing secure transmission - cryptographic methods Threat E and similar types managed by access control methods

Security Issues E-business security issues from customer (user) side: Is the web site owned and operated by trusted company? (Authentication) Is the form and the page contain malicious codes? (Privacy) Will the web site share my information to others? (Privacy) E-business security issues from the merchant (company) side: Will the customer attempt to break into the web site (server) or alter it? (Authorization, Integrity) Will the customer attempt to disrupt the web site so it will not be available to others? (Availability)

Cont. E-business issues from customer and merchant: Is network connection free from sniffers? (Privacy) Is the information sent back and forth between website and customer modified? (Integrity)

Cryptography To secure a house, keys are used to lock the doors It is assumed that an intruder can not easily obtain a copy of the key and enter the house o The intruder could search for all the keys in the world and try them one at a time, but this would take a long time Computer security uses a similar system ( symmetric key and public key cryptography) to secure messages passed between computers

Cryptography What is cryptography? It is the lock and key combination that prevents a non-key holder from decrypting a secret message What is most important is the strength of the lock and the number of possible keys

Cryptography To describe these cryptographic systems the following terms must first be defined: o A key is used in conjunction with a cipher to encrypt or decrypt a message. A key is simply a number (usually a binary number)‏ o A cipher is an algorithm used to encrypt a message o Ciphertext is the encrypted message o Plaintext is the unencrypted message

Cryptography Since a key is a binary number, a 56 bit key has about a quadrillion different key combinations Traditionally, a key length of 56 bits was considered secure since: o If one million keys were tried each second then it would take 1000 years to break the ciphertext However, due to increases in computing power a 56 bit key can now be broken in just 24 hours As a result key lengths of 128 bits or more are typical

Encryption and Decryption Encryption Overview o Plain text is converted to cipher text by use of an algorithm and key.  Algorithm is publicly known  Key is held private Two main categories of cryptography: 1.Symmetric key encryption single key is used to encrypt and decrypt information 2.Public Key encryption two keys are used: one for encryption (public key) and one for decryption (private key)‏

Encryption “The quick brown fox jumps over the lazy dog” “AxCv;5bmEseTfid3)f GsmWe#4^,sdgfMwir3 “The quick brown fox jumps over the lazy dog” Decryption Plain-text inputPlain-text output Cipher-text Same key (shared secret) Symmetric Key Encryption

“The quick brown fox jumps over the lazy dog” “Py75c%bn&*)9|fDe^b dFg$5knvMd’rkvegMs ” “The quick brown fox jumps over the lazy dog” Clear-text inputClear-text output Cipher-text Different keys Recipient’s public key Recipient’s private key private public EncryptionDecryption Public key Encryption

Technologies Technologies used to solve E-Business Security issues: Security Socket Layer (SSL) IPSec VPN Firewall Intrusion Detection Systems (IDS)

Network Security SSL provides a secure way for client and server to transmit confidential information.

Secure Socket Layer (SSL) advantages 1.Confidentiality  provides privacy for messages and stored data by hiding(encrypted)‏ 2.Message Integrity  provides assurance to all parties that a message remains unchanged 3.Authentication  Identifies the sender and receiver of a message  identifies the origin of a message  verifies the identity of person using a computer system

Cont. Digital Certificates (for authentication) One way of verifying the source of information is through a digital certificate A digital certificate is an attachment to a message which verifies the sender of the message It contains an encrypted message that o identifies the author o Indicates whether the certificate is valid or not

Cont. Other information on the digital certificate is: o The certificate’s owner’s identifying information, such as name, organization and address o The certificate owner’s public key o Dates between which the certificate is valid o Serial number of the certificate o Name of the certificate issuer o Digital signature of the certificate issuer

Cont. Digital certificates are issued by a certification authority (CA)‏ o To individuals or organizations o Appropriate proof of identity must be provided One of the oldest and best know certification authority is VeriSign