Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce.

Published byMarylou Gilbert Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce."— Presentation transcript:

1 1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce

2 4 July 2008IT 357 - Chapter 72 Security in Electronic Commerce Security concerns Secure commerce requirements Security facilities in the EC environment –Secure file/information transfers –Secure Transactions –Security on web servers and enterprise networks.

3 4 July 2008IT 357 - Chapter 73 Security Concerns Accessing unauthorized network resources Destroying information and network resources Altering, inserting and modifying information Disclosing information to unauthorized people Causing network service disruption Stealing information and resources Denying services received or information sent or received. Claiming to have provided services that have not been given.

4 4 July 2008IT 357 - Chapter 74 Secure commerce requirements Authentication –Involves the ability of individual organization or computer to prove its identity. –Based on: Passwords Keys/cards Finger prints Trusted third party authentication PIN Authorization –Control of access to particular information once the identity has been verified. –Meant to limit the actions that authenticated parties can perform. –ACL example: screens shown to a user will only show links or buttons that a person is authorized to access.

5 4 July 2008IT 357 - Chapter 75 Cont’d: Secure commerce requirements Confidentiality –Involves the secrecy of data and the protection of data from unauthorized access. –Must ensure: Information cannot be read copied or modified without authorization Communication cannot be intercepted –Encryption techniques are used In the news !!! June 23, 2008, 07:46 PM CNET employees notified after data breach Source: http://www.itworld.com/news/53276/cnet-employees-notified-after-data-breach

6 4 July 2008IT 357 - Chapter 76 Cont’d: Secure commerce requirements Integrity –Protection of data from modification either while in transit or in storage. –Integrity services must protect against additions, deletions and reordering of data. Non repudiation of origin –Protection against a party in a transaction or communication activity in which one of the parties later denies that such an activity occurred.

7 4 July 2008IT 357 - Chapter 77 Security Facilities in an EC environment Secure file/ information transfers Secure transactions Secure enterprise networks Secure File Transfer –Popular protocols: HTTPS is the de facto standardde facto Secure HyperText Transfer Protocol is an alternative but not widely used

8 4 July 2008IT 357 - Chapter 78 Cont’d: Security Facilities: Secure file/ information transfers Symmetric encryption Uses a shared key for both encryption and decryption. All parties must trust each other. Eavesdropping might pose problems. Distribution of the keys pose problems. DES (Data Encryption Standard) –Mostly used in e-mails and exchanges that do not require tight security –DES Cracker, managed to break DES in less than 3 days Triple DES –Has the advantage of proven reliability and a longer key length AES (Advanced Encryption Standard) –adopted as an encryption standard by the U.S. governmentencryptionU.S. government Sources: http://www.tropsoft.com/strongenc/des3.htmhttp://www.tropsoft.com/strongenc/des3.htm http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

9 4 July 2008IT 357 - Chapter 79 Cont’d: Security Facilities: Secure file/ information transfers Asymmetric encryption / PKI (Public Key Infrastructure) Uses two keys - one to encrypt and a different one to decrypt The two keys are mathematically related Data encrypted by one can only be decrypted by the other One of the pair of keys (public key) is made known to other parties. The other is secretly held by the individual (private key) RSA - the best known public key encryption algorithm.

10 4 July 2008IT 357 - Chapter 710 Cont’d: Security Facilities: Secure file/ information transfers Public key encryption Public Key - example

11 4 July 2008IT 357 - Chapter 711 Cont’d: Security Facilities: Secure file/ information transfers Digital Certificate An electronic “credit card” or “wallet” Establishes the credentials of an entity on the web. Issued by a certification authority (CA) - E.g. VeriSign. Contains Name A serial number Expiry date A copy of the certificate holder’s public key - for encryption and decryption Digital signature of the certification authority - to verify that the certificate is real.

12 4 July 2008IT 357 - Chapter 712 Cont’d: Security Facilities: Secure file/ information transfers Digital Signature An electronic signature to authenticate the identity of the sender. Also ensures that the original content of the message is unchanged. Example: An e-Will –You copy and paste the will into an e-mail. –A special software obtains a message hash - a mathematical summary. –You use your private key to encrypt the hash –The encrypted hash becomes your digital signature. –Different for different messages sent by you. –The lawyer receives the message. –He makes a hash of the received message. –He uses your public key to decrypt the signature to a hash. –If the hashes match the message is valid. A hash function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer, that may serve as an index into an array.well-defined procedure mathematical functiondatainteger index array Source: http://en.wikipedia.org/wi ki/Hash_function

13 4 July 2008IT 357 - Chapter 713 Cont’d: Security Facilities: Secure file/ information transfers SHTTP vs. SSL Both provide encryption techniques using RSA ( Ron Rivest, Adi Shamir, and Leonard Adleman) algorithm. Ron RivestAdi ShamirLeonard Adleman SSL works at the transport layer while SHTTP works at the application layer. SSL is simpler than SHTTP. SHTTP –supports more services such as firewalls and digital signatures –A secure extension of HTTP developed by CommerceNet consortium –Offers security techniques and encryption with RSA methods. –Incorporates cryptography at the application level. –Uses public key private key encryption or asymmetric encryption. SSL –Developed by Netscape. –Works at the transport layer. –All servers are authenticated –Clients are optionally authenticated. –Application independent. –HTTP FTP and Telnet can be placed on top of SSL. –Provides channel security through a message integrity check with hash functions.

14 4 July 2008IT 357 - Chapter 714 Cont’d: Security Facilities: Secure file/ information transfers SSL Three part process –Information is encrypted to prevent unauthorized access. –Information is authenticated to ensure that it is sent by the right parties. –Integrity checks to ensure that data is not altered from source to sink. –SSL illustration Customer requests to purchase. Company responds with its public key. The customer’s browser uses the public key to encrypt sensitive information. The data is decrypted by the company browser using its private key. Process transparent to the users as it is handled by the browser. SSL/TLS –SSL was developed by Netscape and soon after the Internet Engineering Task Force (IETF) developed SSL 3.0 SSL/TLS Drawback –Increased processor load: most significant drawback to implementing SSL/TLS. –Administrative overhead: An SSL/TLS environment is complex and requires maintenance; the system administrator needs to configure the system and manage certificates. Source: http://technet2.microsoft.com/windowsserver/en/library/1b6b0dfa-a7a0-4cc2-adc6-f9dda2bd7e601033.mspx?mfr=true

15 4 July 2008IT 357 - Chapter 715 Security Facilities Secure transactions Secure transaction protocols are narrowly focused. Popular protocols: Secure Electronic Payment Protocol Secure Transaction Technology Secure Electronic Transaction SET –Shares a lot in common with SEPP. –Touted as the protocol of the future. –A combination of an application level protocol and recommended procedures for handling credit card transactions over the net. –Designed for cardholders, merchants and banks/card processors. –Covers certification of all parties as well as encryption and authentication. –Requires an individual to possess a digital certificate for each credit card he/she plans to use. –Requirements: SET enabled browser for the customer SET enabled server for the transaction provider.

16 4 July 2008IT 357 - Chapter 716 Security Facilities Secure transactions SET Drawbacks SET Critical mass of credit card users for SET usage required. Digital certificates distribution is time consuming. Issues in certification such as revocations, cancellations and handling of PIN losses not sorted out. Full text encryption makes the process slower.

Download ppt "1 Chapter 8: Security in Electronic Commerce IT357 Electronic Commerce."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
CP3397 ECommerce.

CP3397 ECommerce.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google