Chapter 6
Implementing Security for Electronic
Commerce
Learning Objectives
After this chapter, you will learn about:
• What security measures can reduce or eliminate
intellectual property theft
• How to secure client computers from attack by
viruses
• How to authenticate users to servers and
authenticate servers
• What protection mechanisms are available to
secure information sent between a client and server
Learning Objectives
• How to secure message integrity
• What safeguards are available to enable commerce
servers to authenticate users
• How firewalls can protect intranets and corporate
servers
• What role the Secure Socket Layer, Secure HTTP,
and secure electronic transaction protocols play in
protecting electronic commerce
Protecting Electronic Commerce
Assets
• The transmission of valuable information
through the Internet needs automatic
methods to deal with security threats.
• The security policy must be regularly
revised as threat conditions change.
• A security policy must protect a system’s
privacy, integrity, and availability and
authenticate users.
Click to see Figure 6-1:
Protecting Intellectual Property
• Digital intellectual properties, including art,
logos, and music posted on Web sites, are
protected by laws.
• Computer Crime and Intellectual Property
Section (CCIPS) of the U.S. Department of
Justice provides information on cyber crime
prosecutions.
Click to see Figure 6-2:
Protecting Intellectual Property
• The World Intellectual Property
Organization (WIPO) oversees digital
copyright issues internationally.
• Methods of protecting digital works:
– Software metering
– Digital watermarks
– Digital envelopes
Organizations/Companies for
Intellectual Property
• Verance Corporation
• Blue Spike
• Secure Digital Music Initiative
• Digimarc Corporation
• SoftLock.com
Click to see Figure 6-3:
Protecting Privacy
• Cookies contain private information,
including credit card data, passwords, and
login information.
• The privacy problem exists because of the
existence of cookies.
• The best way to protect your privacy is to
disable cookies entirely.
Click to see Figure 6-4:
Protecting Client Computers
• Client computers must be protected from
threats.
• Active contents can be one of the most
serious threats to client computers.
• Another threat to client computers is a
malevolent server site masquerading as a
legitimate Web site.
Digital Certificates
• A digital certificate verifies that a user or Web site
is who it claims to be.
• The digital certificate contains a means to send an
encrypted message to the entity that sent the
original Web page or e-mail message.
• A Web site’s digital certificate is a shopper’s
assurance that the Web site is the real store.
Click to see Figure 6-5:
Click to see Figure 6-6:
Certification Authority (CA)
• A certification authority issues a digital certificate
to an organization or individual.
• A key is usually a long binary number to be used
with the encryption algorithm.
• Longer keys provide significantly better protection
than shorter keys.
• The CA guarantees that the individual or
organization that presents the certificate is who it
claims to be.
Click to see Figure 6-7:
Microsoft Internet Explorer
• Internet Explorer provides client-side
protection right inside the browser.
• Internet Explorer uses Microsoft
Authenticode technology.
• Authenticode technology verifies that the
program has a valid certificate.
Click to see Figure 6-8:
Click to see Figure 6-9:
Click to see Figure 6-10:
Netscape Navigator
• Netscape Navigator allows you to control
whether active content is downloaded to
your computer.
• If you allow Java or JavaScript active
content, you will always receive an alert
from Netscape Navigator.
Using Antivirus Software
• Antivirus software is a defense strategy.
• One of the most likely places to find a virus is
in electronic mail attachments.
• Application service providers (ASPs), such
as Critical Path and MessageClick, supply
e-mail services to companies to eliminate e-mail virus problems.
Computer Forensics Experts
• A small group of firms whose job is to
break into client computers.
• Computer forensics experts are hired to
probe PCs.
• The field of computer forensics is for the
collection, preservation, and analysis of
computer-related evidence.
Click to see Figure 6-14:
Protecting Electronic Commerce
Channels
• Providing commerce channel security means:
– Providing channel secrecy
– Guaranteeing message integrity
– Ensuring channel availability
– A complete security plan includes authentication
• Businesses must prevent eavesdroppers from
reading Internet messages that they intercept.
Encryption
• Encryption is the coding of information by a
mathematically based program and a secret
key to produce a string of characters that is
unintelligible.
• The program that transforms text into cipher
text is called an encryption program.
• Upon arrival, each message is decrypted
using a decryption program.
Three Types of Encryption
• “Hash coding” is a process that uses a hash
algorithm to calculate a hash value from a
message.
• “Asymmetric encryption” or public-key
encryption, encodes messages by using two
mathematically related numeric keys: a public key
and a private key.
• “Symmetric encryption” or private-key
encryption, encodes a message by using a single
numeric key to encode and decode data.
Click to see Figure 6-15:
Encryption Standards
• The Data Encryption Standard (DES) is an
encryption standard adopted by the U.S.
government.
• DES is the most widely used private-key
encryption system.
• Triple Data Encryption Standard (3DES) is a more
robust version of DES.
• The U.S. government’s National Institute of
Standards and Technology (NIST) has been
developing a new encryption standard.
Public-Key Encryption
• Public-key systems provide several
advantages over private-key systems:
– The combination of keys required to provide
private messages between enormous numbers
of people is small
– Key distribution is not a problem
– Public-key systems make implementation of
digital signatures possible
Encryption Algorithms and
Standards
• A list of significant encryption algorithms
and standards is shown in Figure 6-16.
• Different algorithms have different
strengths.
• Digest algorithms are hash code algorithms.
• MD2, MD4, and MD5 are message digest
algorithms.
Click to see Figure 6-16:
Secure Sockets Layer
(SSL) Protocol
• The SSL system from Netscape provides
secure information transfer through the Internet.
• The SSL works at the transport layer of Internet
protocol.
• The SSL encrypts and decrypts information
flowing between the two computers.
• All communication between SSL-enabled clients
and servers is encoded.
Secure Sockets Layer
(SSL) Protocol
• The protocol that implements SSL is HTTPS.
• A session key is a key used by an encryption
algorithm during a single secure session.
• The longer the session key, the more resistant the
encryption is to attack.
• The client and server can use a 40-bit encryption
or a 128-bit encryption.
• The algorithm may be DES, Triple DES, or the
RSA encryption algorithm.
Click to see Figure 6-17:
Click to see Figure 6-18:
Secure HTTP (S-HTTP) Protocol
• S-HTTP provides a number of security
features, including:
– Client and server authentication
– Spontaneous encryption
– Request/response nonrepudiation
• This protocol operates at the topmost layer
of the protocol suite – the application layer.
Secure HTTP (S-HTTP) Protocol
• S-HTTP provides:
– Symmetric encryption for maintaining secret
communications
– Public-key encryption to establish client/server
authentication
– Message digests for data integrity
• S-HTTP sets up security details with special
packet headers that are exchanged in S-HTTP.
Secure HTTP (S-HTTP) Protocol
• The headers define the type of security techniques,
including:
– The use of private-key encryption
– Server authentication
– Client authentication
– Message integrity
• A secure envelope encapsulates a message and
provides secrecy, integrity, and client/server
authentication.
Ensuring Transaction Integrity
• An integrity violation may occur whenever a
message is altered while in transit between the
sender and receiver.
• To ensure transaction integrity, two separate
algorithms are applied to a message:
– Hash function
– Digital signature
Hash Functions
• Hash algorithms are one-way functions.
• A hash algorithm has these characteristics:
– It uses no secret key
– The message digest it produces cannot be inverted to
produce the original information
– The algorithm and information about how it works are
publicly available
– Hash collisions are nearly impossible
• MD5 is an example of a hash algorithm.
Digital Signature
• An encrypted message digest is called a digital
signature.
• A purchase order accompanied by the digital
signature provides the merchant positive
identification of the sender and assures the
merchant that the message was not altered.
• Used together, public-key encryption, message
digests, and digital signatures provide quality
security for Internet transactions.
Click to see Figure 6-19:
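Added example (not part of the original slides): a digest with no secret key lets anyone who alters a message recompute a matching digest, while a digest encrypted with the sender's private key, the digital signature described above, exposes the alteration. Assumptions: SHA-256 stands in for MD5, for which practical collisions are known; the RSA key is a constructed, insecure demo key; textbook RSA without padding is used only to keep the mechanism visible.

```python
import hashlib

# Constructed demo RSA key built from two publicly known Mersenne primes.
# It is NOT secure; it exists only so the example runs with the standard library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key (N, E), known to the merchant
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the sender

def digest(message: bytes) -> int:
    """Message digest as an integer (SHA-256, no secret key involved)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender: encrypt the digest with the private key (textbook RSA, no padding)."""
    return pow(digest(message), D, N)

def verify_signature(message: bytes, signature: int) -> bool:
    """Merchant: decrypt the signature with the public key and compare digests."""
    return pow(signature, E, N) == digest(message)

def verify_bare_digest(message: bytes, sent_digest: int) -> bool:
    """Merchant check when only an unkeyed digest travels with the message."""
    return digest(message) == sent_digest

def demo() -> dict:
    order = b"PO-1001: ship 10 units to Alice"      # constructed sample order
    altered = b"PO-1001: ship 10 units to Mallory"  # same order changed in transit
    sig = sign(order)
    return {
        "genuine_signed": verify_signature(order, sig),
        # An unkeyed digest can be recomputed by anyone, so the altered order passes.
        "altered_bare_digest": verify_bare_digest(altered, digest(altered)),
        # Without D no matching signature can be made, so the altered order fails.
        "altered_signed": verify_signature(altered, sig),
    }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: accepted={accepted}")
```

Production systems use a vetted cryptographic library with a padded signature scheme and properly generated keys rather than raw modular exponentiation.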
Guaranteeing Transaction
Delivery
• A denial or delay of service attack removes
or absorbs resources.
• One way to deny service is to flood the
Internet with a large number of packets.
• No special computer security protocol
beyond TCP/IP is required as a
countermeasure against denial attacks.
Protecting the Commerce Server
• The commerce server, along with the Web
server, responds to requests from Web
browsers through the HTTP protocol and
CGI scripts.
• Security solutions for commerce servers:
– Access control and authentication
– Operating system controls
– Firewall
Access Control and
Authentication
• Access control and authentication refers to
controlling who and what has access to the
commerce server.
• Authentication is principally through digital
certificates.
• Web servers often provide access control
list security to restrict file access to selected
users.
Access Control and
Authentication
• The server can authenticate a user in several ways:
– First, the certificate represents the user’s admittance
voucher
– Second, the server checks the timestamp on the
certificate to ensure that the certificate has not expired.
– Third, a server can use a callback system to check the
user’s client computer address and name.
• An access control list (ACL) is a list or database
of people who can access the files and resources.
Click to see Figure 6-20:
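Added example (not part of the original slides): the certificate timestamp check followed by an access control list lookup, with anything unlisted denied. Assumptions: the certificate arrives as the dict returned by Python's `ssl.SSLSocket.getpeercert()` after the TLS library has already validated its signature chain; the ACL entries, user names, and sample certificate are constructed for illustration.

```python
import ssl

# Hypothetical ACL: resource path -> certificate common names allowed to access it.
ACL = {
    "/orders/report.csv": {"alice@example.com", "bob@example.com"},
    "/admin/config": {"alice@example.com"},
}

def common_name(cert: dict):
    """Pull commonName out of the nested 'subject' tuples of getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize(cert: dict, resource: str, now: float) -> str:
    """Return 'allow' or 'deny: <reason>'; anything not listed is denied."""
    if not cert:
        return "deny: no certificate presented"
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError, TypeError):
        return "deny: unreadable validity dates"
    if now < not_before:
        return "deny: certificate not yet valid"
    if now > not_after:
        return "deny: certificate expired"
    user = common_name(cert)
    if user is None or user not in ACL.get(resource, set()):
        return "deny: not on access control list"
    return "allow"

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Shop"),),
                (("commonName", "bob@example.com"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
MID_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")
MID_2025 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    print(authorize(SAMPLE_CERT, "/orders/report.csv", MID_2024))
```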
Operating System Controls
• Most operating systems have a username
and password user authentication system in
place.
• Access control lists and username/password
protections are probably the best known of
the UNIX security features.
Firewalls
• A firewall is a computer and software
combination that is installed at the entry
point of a networked system.
• The firewall provides the first line of
defense against networks that could pose a threat.
• Acting as a filter, firewalls permit selected
messages to flow into and out of the
protected network.
Types of Firewalls
• Packet-filter firewalls examine all data
flowing back and forth between the trusted
network.
• Gateway servers are firewalls that filter
traffic based on the application they request.
• Proxy servers are firewalls that communicate
with the Internet on the private network’s
behalf.
Click to see Figure 6-21: