Chapter 6
Implementing Security for Electronic Commerce

Learning Objectives
After this chapter, you will learn about:
• What security measures can reduce or eliminate intellectual property theft
• How to secure client computers from attack by viruses
• How to authenticate users to servers and authenticate servers
• What protection mechanisms are available to secure information sent between a client and server

Learning Objectives
• How to secure message integrity
• What safeguards are available to enable commerce servers to authenticate users
• How firewalls can protect intranets and corporate servers
• What role the Secure Socket Layer, Secure HTTP, and secure electronic transaction protocols play in protecting electronic commerce

Protecting Electronic Commerce Assets
• The transmission of valuable information through the Internet needs automatic methods to deal with security threats.
• The security policy must be regularly revised as threat conditions change.
• A security policy must protect a system’s privacy, integrity, and availability and authenticate users.
[Figure 6-1]

Protecting Intellectual Property
• Digital intellectual properties, including art, logos, and music posted on Web sites, are protected by laws.
• The Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice provides information on cyber crime prosecutions.
[Figure 6-2]

Protecting Intellectual Property
• The World Intellectual Property Organization (WIPO) oversees digital copyright issues internationally.
• Methods of protecting digital works:
  – Software metering
  – Digital watermarks
  – Digital envelopes

Organizations/Companies for Intellectual Property
• Verance Corporation
• Blue Spike
• Secure Digital Music Initiative
• Digimarc Corporation
• SoftLock.com
[Figure 6-3]

Protecting Privacy
• Cookies contain private information, including credit card data, passwords, and login information.
• The privacy problem exists because of the existence of cookies.
• The best way to protect your privacy is to disable cookies entirely.
[Figure 6-4]

Protecting Client Computers
• Client computers must be protected from threats.
• Active content can be one of the most serious threats to client computers.
• Another threat to client computers is a malevolent server site masquerading as a legitimate Web site.

Digital Certificates
• A digital certificate verifies that a user or Web site is who it claims to be.
• The digital certificate contains a means to send an encrypted message to the entity that sent the original Web page or e-mail message.
• A Web site’s digital certificate is a shopper’s assurance that the Web site is the real store.
[Figure 6-5]
[Figure 6-6]

Certification Authority (CA)
• A certification authority issues a digital certificate to an organization or individual.
• A key is usually a long binary number to be used with the encryption algorithm.
• Longer keys provide significantly better protection than shorter keys.
• The CA guarantees that the individual or organization that presents the certificate is who it claims to be.
[Figure 6-7]

Microsoft Internet Explorer
• Internet Explorer provides client-side protection right inside the browser.
• Internet Explorer uses Microsoft Authenticode technology.
• Authenticode technology verifies that the program has a valid certificate.
[Figure 6-8]
[Figure 6-9]
[Figure 6-10]

Netscape Navigator
• Netscape Navigator allows you to control whether active content is downloaded to your computer.
• If you allow Java or JavaScript active content, you will always receive an alert from Netscape Navigator.

Using Antivirus Software
• Antivirus software is a defense strategy.
• One of the most likely places to find viruses is in electronic mail attachments.
• Application service providers (ASPs), such as Critical Path and MessageClick, supply e-mail services to companies to eliminate e-mail virus problems.

Computer Forensics Experts
• A small group of firms whose job is to break into client computers.
• Computer forensics experts are hired to probe PCs.
• The field of computer forensics is for the collection, preservation, and analysis of computer-related evidence.
[Figure 6-14]

Protecting Electronic Commerce Channels
• Providing commerce channel security means:
  – Providing channel secrecy
  – Guaranteeing message integrity
  – Ensuring channel availability
  – A complete security plan includes authentication
• Businesses must prevent eavesdroppers from reading Internet messages that they intercept.

Encryption
• Encryption is the coding of information by a mathematically based program and a secret key to produce a string of characters that is unintelligible.
• The program that transforms text into cipher text is called an encryption program.
• Upon arrival, each message is decrypted using a decryption program.

Three Types of Encryption
• “Hash coding” is a process that uses a hash algorithm to calculate a hash value from a message.
• “Asymmetric encryption,” or public-key encryption, encodes messages by using two mathematically related numeric keys: a public key and a private key.
• “Symmetric encryption,” or private-key encryption, encodes a message by using a single numeric key to encode and decode data.
[Figure 6-15]

Encryption Standards
• The Data Encryption Standard (DES) is an encryption standard adopted by the U.S. government.
• DES is the most widely used private-key encryption system.
• Triple Data Encryption Standard (3DES) is a more robust version of DES.
• The U.S. government’s National Institute of Standards and Technology (NIST) has been developing a new encryption standard.

Public-Key Encryption
• Public-key systems provide several advantages over private-key systems:
  – The combination of keys required to provide private messages between enormous numbers of people is small
  – Key distribution is not a problem
  – Public-key systems make implementation of digital signatures possible

Encryption Algorithms and Standards
• A list of significant encryption algorithms and standards is shown in Figure 6-16.
• Different algorithms have different strengths.
• Digest algorithms are hash code algorithms.
• MD2, MD4, and MD5 are message digest algorithms.
[Figure 6-16]

Secure Sockets Layer (SSL) Protocol
• SSL is a system from Netscape that provides secure information transfer through the Internet.
• SSL works at the transport layer of the Internet protocols.
• SSL encrypts and decrypts information flowing between the two computers.
• All communication between SSL-enabled clients and servers is encoded.

Secure Sockets Layer (SSL) Protocol
• The protocol that implements SSL is HTTPS.
• A session key is a key used by an encryption algorithm during a single secure session.
• The longer the session key, the more resistant the encryption is to attack.
• The client and server can use a 40-bit encryption or a 128-bit encryption.
• The algorithm may be DES, Triple DES, or the RSA encryption algorithm.
[Figure 6-17]
[Figure 6-18]

Secure HTTP (S-HTTP) Protocol
• S-HTTP provides a number of security features, including:
  – Client and server authentication
  – Spontaneous encryption
  – Request/response nonrepudiation
• This protocol operates at the topmost layer of the protocol suite – the application layer.

Secure HTTP (S-HTTP) Protocol
• S-HTTP provides:
  – Symmetric encryption for maintaining secret communications
  – Public-key encryption to establish client/server authentication
  – Message digests for data integrity
• S-HTTP sets up security details with special packet headers that are exchanged in S-HTTP.

Secure HTTP (S-HTTP) Protocol
• The headers define the type of security techniques, including:
  – The use of private-key encryption
  – Server authentication
  – Client authentication
  – Message integrity
• A secure envelope encapsulates a message and provides secrecy, integrity, and client/server authentication.

Ensuring Transaction Integrity
• An integrity violation may occur whenever a message is altered while in transit between the sender and receiver.
• To ensure transaction integrity, two separate algorithms are applied to a message:
  – Hash function
  – Digital signature

Hash Functions
• Hash algorithms are one-way functions.
• A hash algorithm has these characteristics:
  – It uses no secret key
  – The message digest it produces cannot be inverted to produce the original information
  – The algorithm and information about how it works are publicly available
  – Hash collisions are nearly impossible
• MD5 is an example of a hash algorithm.

Digital Signature
• An encrypted message digest is called a digital signature.
• A purchase order accompanied by the digital signature provides the merchant positive identification of the sender and assures the merchant that the message was not altered.
• Used together, public-key encryption, message digests, and digital signatures provide quality security for Internet transactions.
[Figure 6-19]

Guaranteeing Transaction Delivery
• A denial or delay of service attack removes or absorbs resources.
• One way to deny service is to flood the Internet with a large number of packets.
• No special computer security protocol beyond TCP/IP is required as a countermeasure against denial attacks.
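
The hash-then-sign flow from the Ensuring Transaction Integrity, Hash Functions and Digital Signature slides, as an added example that is not part of the original chapter. It uses SHA-256 in place of the MD5 the slides name and a toy, unpadded RSA key built from two Mersenne primes; the key, the function names (`digest`, `sign`, `verify`, `demo`) and the purchase order text are all constructed for illustration.

```python
import hashlib

# Toy RSA key (assumption, constructed for this example): two known Mersenne
# primes, so N is trivially factorable. Real signing uses random primes and
# a padding scheme rather than raw exponentiation.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer


def digest(message: bytes) -> int:
    """Message digest: one-way, public algorithm, no secret key involved."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Digital signature: the message digest transformed with the private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Merchant side: recover the digest with the public key and compare it
    with a digest computed over the message that actually arrived."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    order = b"PO-1001: 25 units of item 7 at 19.99"    # constructed sample order
    signature = sign(order)
    altered = order.replace(b"25 units", b"95 units")  # changed in transit
    return {
        "genuine_order_accepted": verify(order, signature),
        "altered_order_accepted": verify(altered, signature),
        "altered_signature_accepted": verify(order, signature ^ 1),
        "digest_changed": digest(order) != digest(altered),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the unmodified order with its original signature verifies; changing either the message or the signature makes the recovered digest and the recomputed digest disagree.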

Protecting the Commerce Server
• The commerce server, along with the Web server, responds to requests from Web browsers through the HTTP protocol and CGI scripts.
• Security solutions for commerce servers:
  – Access control and authentication
  – Operating system controls
  – Firewall

Access Control and Authentication
• Access control and authentication refers to controlling who and what has access to the commerce server.
• Authentication is principally through digital certificates.
• Web servers often provide access control list security to restrict file access to selected users.

Access Control and Authentication
• The server can authenticate a user in several ways:
  – First, the certificate represents the user’s admittance voucher.
  – Second, the server checks the timestamp on the certificate to ensure that the certificate has not expired.
  – Third, a server can use a callback system to check the user’s client computer address and name.
• An access control list (ACL) is a list or database of people who can access the files and resources.
[Figure 6-20]

Operating System Controls
• Most operating systems have a username and password user authentication system in place.
• Access control lists and username/password protections are probably the best known of the UNIX security features.

Firewalls
• A firewall is a computer and software combination that is installed at the entry point of a networked system.
• The firewall provides the first line of defense against networks that could pose a threat.
• Acting as a filter, firewalls permit selected messages to flow into and out of the protected network.

Types of Firewalls
• Packet-filter firewalls examine all data flowing back and forth between the trusted network.
• Gateway servers are firewalls that filter traffic based on the application they request.
• Proxy servers are firewalls that communicate with the Internet on the private network’s behalf.
[Figure 6-21]