E-Commerce: Security Challenges and Solutions

Outline of the Presentation
• Internet Security
• Cryptography
» Public key
» Private key
• Firewalls
• Safety of business transactions on web
• Security threats
Introduction
Two Major Developments During the Past Decade:
1. Widespread Computerization
2. Growing Networking and Internetworking
– The Internet
• Need for Automated Tools for Protecting Files and
Other Information.
• Network and Internetwork Security refer to
measures needed to protect data during its
transmission from one computer to another in a
network or from one network to another in an
internetwork.
…Continue
Network security is complex. Some reasons are:
• Requirements for security services are:
– Confidentiality
– Authentication
– Integrity
• Key Management is difficult.
Creating, distributing, and protecting key information
itself requires secure services, the same services that
the keys are meant to provide.
Security Threats
• Unauthorized access
• Loss of message confidentiality or integrity
• User Identification
• Access Control
• Players:
– User community
– Network Administration
– Intruders/Hackers
• The bigger the system, the safer it is
– MVS mainframe users (5%)
– UNIX users (25%)
– Desktop users (50%)
• Transactional risk
» Default on order
» Default on delivery
» Default on payment
• Data storage and transaction risk
» Virus (vital information and resource)
» Hacking
» Setting up a special crime cell
» Encryption
» Digital signatures
• Risk of threat to intellectual property and privacy
» The information available over the internet may be copied
by other online vendors.
Introduction to Security Risks

[Figure: hackers and crackers and viruses on the open Internet ("$$") facing your network (data!)]
The Main Security Risks
• Data being stolen
– Electronic mail can be intercepted and read
– Customer’s credit card numbers may be read
• Login/password and other access information stolen
• Operating system shutdown
• Filesystem corruption
• User login information can be captured
Viruses
• Unauthorized software being run
– Games
• Widely distributed software
– Shareware
– Freeware
– Distributed software
Possible Security “Holes”
• Passwords
– Transmitted in plain text
– Could be temporarily stored in unsafe files
– Could be easy to guess
• Directory structure
– Access to system directories could be a threat
• In the operating system software
– Some operating system software is not designed for secure
operation
– Security system manager should subscribe to
• comp.security.unix
• comp.security.misc
• alt.security
Security Strategies
• Use a separate host
– Permanently connected to the Internet, not to your
network.
– Users dial in to a separate host and get onto the Internet
through it.
• Passwords
– Most important protection
– Should be at least eight characters long
– Use a mixture of alpha and numeric
– Should not be found in a dictionary
• should not be associated with you!
– Change regularly
…Continue
• Every transaction generates a record in a security log
file
– Might slow traffic and host computer
– Keeps a permanent record on how your machine is
accessed
• Tracks
– Generates alarms when someone attempts to access
secure area
– Separate the directories that anonymous users can access
– Enforce user account logon for internal users
– Read web server logs regularly
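
One way to automate the log review and secure-area alarm described above, as an added example that is not part of the original presentation. It assumes Common Log Format, a hypothetical protected prefix `/secure/`, and constructed sample lines; the function names are illustrative.

```python
import re

# Constructed Common Log Format lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:15:01 +0000] "GET /pub/catalog.html HTTP/1.0" 200 5120
203.0.113.7 - - [10/Mar/2024:09:15:09 +0000] "GET /secure/orders.db HTTP/1.0" 403 210
198.51.100.4 - alice [10/Mar/2024:09:16:30 +0000] "GET /secure/report.html HTTP/1.0" 200 9034
203.0.113.7 - - [10/Mar/2024:09:16:41 +0000] "GET /secure/ HTTP/1.0" 401 198
203.0.113.7 - - [10/Mar/2024:09:16:55 +0000] "POST /secure/login HTTP/1.0" 401 198
192.0.2.15 - - [10/Mar/2024:09:17:02 +0000] "GET /secure/report.html HTTP/1.0" 401 198
192.0.2.15 - - [10/Mar/2024:09:18:40 +0000] "GET /secure/old/index.html HTTP/1.0" 200 812
this line is malformed and must be skipped
"""

# host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

def parse(log_text):
    """Yield (ip, user, time, method, path, status); skip malformed lines."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m:
            yield m.groups()

def secure_area_alarms(log_text, secure_prefix="/secure/", threshold=3):
    """Clients with >= threshold denied (401/403) requests to the secure area."""
    denied = {}
    for ip, _user, when, method, path, status in parse(log_text):
        if path.startswith(secure_prefix) and status in ("401", "403"):
            denied.setdefault(ip, []).append((when, method, path, status))
    return {ip: hits for ip, hits in denied.items() if len(hits) >= threshold}

def unauthenticated_successes(log_text, secure_prefix="/secure/"):
    """Successful secure-area requests with no logged-in user: logon not enforced."""
    return [(ip, path) for ip, user, _w, _m, path, status in parse(log_text)
            if path.startswith(secure_prefix) and status.startswith("2") and user == "-"]

if __name__ == "__main__":
    for ip, hits in secure_area_alarms(SAMPLE_LOG).items():
        print(f"ALARM {ip}: {len(hits)} denied requests to secure area")
    for ip, path in unauthenticated_successes(SAMPLE_LOG):
        print(f"CHECK {ip}: anonymous success on {path}")
```

The second check catches the case the slide's "enforce user account logon" item is meant to prevent: a directory under the secure area that answers without any login.
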
Cryptography

• The science of secret writing.
• Encryption: Data is transformed into
unreadable form.
• Decryption: Transforming the encrypted data
back into its original form.
[Figure: Plaintext → (Encryption) → Ciphertext; Ciphertext → (Decryption) → Plaintext]
Types of Cryptosystems
• Conventional Cryptosystems
– Secret key Cryptosystems.
– One secret key for Encryption and Decryption.
– Example: DES
• Public key cryptosystems
– Two Keys for each user
• Public key (encryptions)
• Private key (decryptions)
– Example: RSA
Types of Cryptosystems
(Secret Key)
• Both the encryption and decryption keys are kept
secret.
Example:
– To encrypt, map each letter into the third letter forward
in the alphabet order;
– To decrypt, map each letter into the third letter back.
• Problems with Secret Key Cryptosystems:
– Key transfer
– Too many keys
Types of Cryptosystems
(Public Key)
• Only the decryption key is kept secret. The
encryption key is made public.
• Each user has two keys, one secret and one public.
• Public keys are maintained in a public directory.
• To send a message M to user B, encrypt using the
public key of B.
• B decrypts using his secret key.
• Signing Messages
• For a user Y to send a signed message M to user X.
– Y encrypts M using his secret key.
– X decrypts the message using Y’s public key.
Public Key

[Figure: A wants to send M in a secure manner to B. A encrypts M with the public key of B to produce ciphertext C. C passes through insecure communications or storage (the territory of the intruder). B decrypts C with the private key of B to recover M.]


Firewalls
• A firewall is a barrier placed between the private
network and the outside world.
• All incoming and outgoing traffic must pass through
it.
• Can be used to separate address domains.
• Control network traffic.
• Cost: ranges from no-cost (available on the Internet)
to a $100,000 hardware/software system.
• Types:
– Router-Based
– Host Based
– Circuit Gateways
Firewall Types
(Router-Based)
• Use programmable routers
• Control traffic based on IP addresses or port
information.
Examples:
– Bastion Configuration
– Diode Configuration
To improve security:
• Never allow in-band programming via Telnet to a
firewall router.
• Firewall routers should never advertise their
presence to outside users.
Firewall Types
(Host-Based)
• Use a computer instead of router.
• More flexible (ability to log all activities)
• Works at application level
• Use specialized software applications and service
proxies.
• Need specialized programs; only important services
will be supported.
…Continue
• Example: Proxies and Host-Based Firewalls
[Figure: Proxies and Host-Based Firewalls. Internal Network ↔ Host running only proxy versions of FTP, Telnet and so on ↔ Filtering Router (Optimal) ↔ Internet]
Electronic Mail Security
• E-mail is the most widely used application in the
Internet.
• Who wants to read your mail?
– Business competitors
– Reporters, Criminals
– Friends and Family
• Two approaches are used:
– PGP: Pretty Good Privacy
– PEM: Privacy-Enhanced Mail
Summary of PGP Services
Function | Algorithms used | Description
--- | --- | ---
Message encryption | IDEA, RSA | A message is encrypted using IDEA. The session key is encrypted using RSA with the recipient’s public key.
Digital signature | RSA, MD5 | A hash code of a message is created using MD5. This is encrypted using RSA with the sender’s private key.
Compression | ZIP | A message may be compressed using ZIP.
E-mail compatibility | Radix 64 conversion | To provide transparency for e-mail applications.
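
The public-key encryption and signing steps from the earlier slides, combined in the order PGP applies the services summarized above (sign, compress, encrypt, radix-64), as an added example that is not code from the presentation or from PGP. Assumptions: toy unpadded RSA keys built from known Mersenne primes, a SHA-256 keystream standing in for IDEA (which the Python standard library does not provide), and hypothetical function names.

```python
import base64
import hashlib
import secrets
import zlib

# Toy RSA keys from known Mersenne primes (constructed for this demo;
# far too small and unpadded for real use).
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

SENDER = make_key(2**61 - 1, 2**89 - 1)
RECIPIENT = make_key(2**107 - 1, 2**127 - 1)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for IDEA: XOR with a SHA-256 counter keystream (same call decrypts).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def md5_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.md5(msg).digest(), "big")

def pgp_send(msg: bytes, sender, recipient_pub) -> str:
    sig = pow(md5_int(msg), sender["d"], sender["n"])       # hash signed with sender's private key
    body = zlib.compress(sig.to_bytes(32, "big") + msg)     # compression
    session_key = secrets.token_bytes(16)                   # one-time secret key
    wrapped = pow(int.from_bytes(session_key, "big"),
                  recipient_pub["e"], recipient_pub["n"])   # session key under recipient's public key
    packet = wrapped.to_bytes(32, "big") + keystream_xor(session_key, body)
    return base64.b64encode(packet).decode("ascii")         # radix-64 conversion

def pgp_receive(armored: str, recipient, sender_pub) -> bytes:
    packet = base64.b64decode(armored)
    session_int = pow(int.from_bytes(packet[:32], "big"), recipient["d"], recipient["n"])
    body = zlib.decompress(keystream_xor(session_int.to_bytes(16, "big"), packet[32:]))
    sig, msg = int.from_bytes(body[:32], "big"), body[32:]
    if pow(sig, sender_pub["e"], sender_pub["n"]) != md5_int(msg):
        raise ValueError("signature check failed")
    return msg

if __name__ == "__main__":
    armored = pgp_send(b"Order 1001: ship 3 units", SENDER, RECIPIENT)
    print(armored)
    print(pgp_receive(armored, RECIPIENT, SENDER))
```

Only the 16-byte session key goes through RSA; the message itself is protected by the secret-key cipher, which is how the scheme sidesteps the key-transfer problem of secret-key systems.
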
Summary of PEM Services

Function | Algorithms used | Description
--- | --- | ---
Message encryption | DES | A message is encrypted using DES-CBC. The session key is encrypted using RSA with the recipient’s public key.
Authentication and Digital signature (asymmetric encryption) | RSA with MD2 or MD5 | A hash code of a message is created using MD2 or MD5. This is encrypted using RSA with the sender’s private key.
E-mail compatibility | Radix 64 conversion | To provide transparency for e-mail applications.
E-Commerce: Challenges
• Trusting others electronically
– E-Commerce infrastructure
• Security threats – the real threats and the
perceptions
• Network connectivity and availability issues
– Better architecture and planning
• Global economy issues
– Flexible solutions
E-Commerce: Challenges

• Trusting others electronically
– Authentication
– Handling of private information
– Message integrity
– Digital signatures and non-repudiation
– Access to timely information
E-Commerce: Solutions
Trusting Others
• Public-Key Infrastructure (PKI)
– Distribute key pairs to all interested entities
– Certify public keys in a “trusted” fashion
• The Certificate Authority
– Secure protocols between entities
– Digital Signatures, trusted records and non-repudiation
Secure Protocols

• How to communicate securely:
– SSL – “the web security protocols”
– IPSEC – “the IP layer security protocol”
– SMIME – “the email security protocol”
– SET – “credit card transaction security protocol”
– Others …
Secure Sockets Layer (SSL)
• Platform and Application Independent
– Operates between application and transport
layers
[Figure: protocol stack, top to bottom: Web Applications (HTTP, NNTP, FTP, Telnet, Future Apps, etc.); SSL; TCP/IP]
Secure Sockets Layer (SSL)

• Negotiates and employs essential functions for
secure transactions
– Mutual Authentication
– Data Encryption
– Data Integrity
• As simple and transparent as possible
Why did SSL Succeed?
• Simple solution with many applications – e-business
and e-commerce
• No change in operating systems or network stacks –
very low overhead for deployment
• Focuses on the weak link – the open wire, not trying
to do everything to everyone
• Solution to authentication, privacy and integrity
problems and avoiding classes of attacks
Secured Electronic Transactions (SET)
• Developed by VISA & MasterCard
• SET Specifications:
– Digital Certificates (Identification)
– Public Key (Privacy)
• On-Line Shopping Steps:
– C.H. Obtain Digital Wallets
– C.H. Obtain Digital Certificates
– C.H. & Merchants conduct Shopping Dialog
– Authentication & Settlement Process
Existing Technologies Overview
• Networking Products
• Firewalls
• Remote access and Virtual Private Networks (VPNs)
• Encryption technologies
• Public Key Infrastructure
• Scanners, monitors and filters
• Web products and applications
PKI

• A set of technologies and procedures to enable
electronic authentication
• Uses public key cryptography and digital
certificates
• Certificate life-cycle management
Web Products
• Secure web servers – SSL enabled
• Application servers – generally lacking any security
support
• A number of toolkits to enable applications to utilize
security functions
• Integration into existing (legacy) infrastructure is
difficult
PKI and E-Commerce

• Identity-based certificate to identify all users of an
application
• Determine rightful users for resources
• “Role-based” certificates to identify the
authorization rights for a user
Safety of business transaction
• Authentication and ‘cookies’
– In order to confirm that the customer has correctly entered his
details in the registration form, the online vendor may verify the
same from the ‘cookies’.
• Antivirus program
• Encryption
• Digital signatures
– Used to authenticate the sender of the message and to check the
integrity of the message, i.e. that it has not been altered in transit. The
authentication element requires a digital ID, also known as a
digital certificate, that is issued by a third-party certification
authority.
• Cyber crime cell
