
Electronic Commerce COMP3210

Session 11: Securing an E-Commerce Initiative
Dr. Paul Walcott
Department of Computer Science, Mathematics and Physics
University of the West Indies, Cave Hill Campus, Barbados

© 2007 Dr. Paul Walcott

Session Objectives

After completing this session you will be able to:
- Describe the requirements of a secure e-commerce Web site
- Analyse a given Web site’s security and provide improvement recommendations

Introduction

- E-commerce allows anonymous global users to access company Web sites 24 hours a day, 365 days a year
- Along with this convenience come associated risks

Introduction Cont’d

The risks of running an e-commerce site include:
- Fraud
  - Anonymous users logging on to a company’s Web site and making purchases using other people’s credit information
  - The transfer of funds from or to accounts that do not belong to the user
- The unauthorised disclosure of company confidential information or the revealing of confidential financial records
- Unforeseen costs due to operating system patches, virus attacks, employee sabotage and server failures
- The loss of consumer confidence due to masquerading; e.g. a hacker defacing a Web site, or advertising competitors’ products on the Web site

Introduction Cont’d

To mitigate possible risks a good security scheme is required, which:
- First identifies the risks
- Determines how to protect the assets at risk
- Calculates the amount of money that should be spent protecting the assets at risk

Introduction Cont’d

One such scheme is a security policy, which is a document that describes:
- The assets requiring protection and why
- The people responsible for protecting these assets
- Which behaviours are permissible and which are not

Introduction Cont’d

The security policy, which should be updated regularly, typically addresses:
- Physical security
- Computer and network security
- Access authorisation, and
- Disaster recovery

In the sections that follow the above topics will be discussed; however, the subject of cryptography will be discussed first

Cryptography

What is cryptography?
- It is the lock and key combination that prevents a non-key holder from deciphering a secret message
- What is most important is the strength of the lock and the number of possible keys

Cryptography Cont’d

- To secure a house, keys are used to lock the doors
- It is assumed that an intruder cannot easily obtain a copy of the key and enter the house
- The intruder could search for all the keys in the world and try them one at a time, but this would take a long time
- Computer security uses a similar system (public/private key and secret key cryptography) to secure messages passed between computers

Cryptography Cont’d

To describe these cryptographic systems the following terms must first be defined:
- A key is used in conjunction with a cipher to encrypt or decrypt a message. A key is simply a number (usually a binary number)
- A cipher is an algorithm used to encrypt a message
- Ciphertext is the encrypted message
- Plaintext is the unencrypted message

Cryptography Cont’d

- Since a key is a binary number, a 56-bit key has about a quadrillion different key combinations
- Traditionally, a key length of 56 bits was considered secure since, if one million keys were tried each second, it would take 1000 years to break the ciphertext
- However, due to increases in computing power a 56-bit key can now be broken in just 24 hours
- As a result key lengths of 128 bits or more are now typical

Cryptography Cont’d

There are two main types of cryptography:
- Secret key cryptography
- Public/private key cryptography

Secret key cryptography uses a symmetric key to secure a message: the same key is used to encrypt and decrypt the message

http://www.uic.edu/depts/accc/newsletter/adn26/symmetric.jpg

Cryptography Cont’d

Public/private key cryptography uses two keys (an asymmetric key pair):
- The public key, which is distributed to everyone (the public), is used to encrypt the message, while
- The private key, which must be kept secret, is used to decrypt the message

http://www.uic.edu/depts/accc/newsletter/adn26/asymmetric.jpg

Cryptography Cont’d: Secret Key Cryptography

- In secret key cryptography the key must be kept secret by both parties that are communicating; therefore the key must be communicated in a secure fashion to protect against unauthorised access
- The advantage of secret key cryptography is that messages can be encrypted quickly

Cryptography Cont’d: Public/Private Key Cryptography

- Is much slower than secret key cryptography
- The individual or organisation that wants to receive messages keeps the private key
- The public key is distributed to everyone else (the public)
- One advantage of public/private key cryptography is that it is easier to distribute the encryption key (the public key), since it does not have to be kept secret

Cryptography Cont’d

- Public/private key cryptography is based on the principle of inverse numbers
- To gain insight into the principle of inverse numbers consider the multiplication function
- Clearly in practice the multiplication function cannot be used since it is too easy to determine the inverse number

Cryptography Cont’d

Private/public key cryptography actually uses prime numbers and addition in modular arithmetic

(Slide diagram: Plaintext, encrypted with the Public key, gives the Ciphertext; the Ciphertext, decrypted with the Private key, gives back the Plaintext. The values shown on the slide are 656, 1390 and 390665.)

Physical Security

- 50 years ago computer security was primarily about physical security
- Security guards/guard dogs were employed to protect the companies’ assets
- To enter the building you needed a security badge
- Surveillance systems were used to monitor activity and alarm systems warned against security breaches

Physical Security Cont’d

- Physical security worked because users accessed mainframe computers through dumb terminals
- Provided that the mainframe computer and terminals were secure, it was difficult for individuals to penetrate these systems
- Several mainframe computers may have been connected together through dedicated links or telephone lines, yet infiltration was not easy
- With the advent of the Internet new forms of security threats have surfaced (i.e. cyber crime)

Physical Security Cont’d

- Physical security is no less important today than 50 years ago
- With the advent of terrorists, who are quite happy to blow up any infrastructure, it is just as important now to have physical security
- All Web servers and associated machines require physical protection
- Backup servers and storage at remote locations prevent losses

Physical Security Cont’d

- Today the use of fingerprint readers and biometric security helps provide improved physical security
- Physical security methods that are now utilised include:
  - Writing pads that measure the pressure and form of handwriting
  - Eye scanners
  - Palm scanners (entire palm rather than a single finger)

Computer/Network Security

In the computer and network security section, the protection of client and server machines, as well as the actual communication line, will be discussed

Computer/Network Security Cont’d

- Before discussing computer and network security, the assurances that will be given to the user about the safety of their data must be defined
- There are four important assurances that must be given when securing an e-commerce site; these are: confidentiality, authentication, integrity and nonrepudiation

Computer/Network Security Cont’d

- Confidentiality ensures that only owners of the shared key can decrypt the message
- Authentication ensures that the people at either end of a communication line are who they say they are
- Integrity ensures the message is not changed during transit
- Nonrepudiation ensures that the sender cannot deny sending the message

Computer/Network Security Cont’d

In addition two other assurances should be provided:
- Availability: providing delivery assurance for each message so that a loss will not go undetected
- Key management: ensuring that the distribution and management of keys is done securely (note that the distribution of public keys is often done by third parties called certification authorities, e.g. VeriSign)

Computer/Network Security Cont’d

These assurances are provided through the following methods:
- Public/private keys ensure confidentiality
- Digital signatures ensure non-repudiation and authentication
- Message authentication codes ensure data integrity

These methods will be discussed in a later section

Client Computer Security

This section outlines security threats that may occur on client computers, how they work and how to protect against them

Client Computer Security Cont’d

- Active content refers to programs that are embedded transparently in Web pages and that cause actions to occur, e.g. displaying moving graphics and downloading and playing audio
- In e-commerce it is used to place items in a shopping cart and compute total invoice amounts

Client Computer Security Cont’d

- Active content also extends HTML functionality
- Since these programs run on the client’s computer they pose a security risk
- Examples include:
  - Cookies
  - Java applets
  - JavaScript
- However, other examples include graphics, Web browser plug-ins and email attachments

Client Computer Security Cont’d

- Since active content is embedded in Web pages (e.g. scripting languages) it can be transparent to those browsing the Web page
- Crackers, for example, can include a Trojan horse in a Web page
- A Trojan horse is a program hidden inside another program or Web page that masks its true purpose

Client Computer Security Cont’d

- A Trojan horse can:
  - Send private information on the client’s computer back to a server (a secrecy violation)
  - Alter or erase information on the client’s computer (an integrity violation)
- A cracker might also place a zombie (a program that takes over a computer to launch an attack on other computers) on your system through a Trojan horse

Client Computer Security Cont’d

To avoid Trojan horses do not download and install software from sources that you do not trust; also make use of firewalls to block illegitimate incoming/outgoing traffic

Client Computer Security Cont’d

- Cookies were designed to solve the problem of the stateless nature of the HTTP protocol: to save information between one session and another
- For example, in the design of the EveryMart Web site product page some people chose to open a new window to allow users to enter item quantities. The question then was “how do you pass information back to the previous page?” Cookies could have been used here

Client Computer Security Cont’d

Allowing active content to be added to Web pages used for e-commerce can be dangerous since:
- Cookies (files) frequently store credit card numbers, usernames and passwords
- Information stored in cookies can be read by the server computer that stored them there

Client Computer Security Cont’d

To protect yourself against cookies:
- Disable cookies altogether; however, this will stop some sites from functioning correctly, and users would have to re-enter information every time they visit the Web site
- Disable third-party cookies
- Or use a third-party cookie blocker program that stores cookies selectively

Client Computer Security Cont’d

- “An (Java) applet is a program written in the Java™ programming language that can be included in an HTML page, much in the same way an image is included.” [2]
- “When you use a Java technology-enabled browser to view a page … the applet's code is transferred to your system and executed by the browser's Java Virtual Machine (JVM).” [2]
- Java applets are included in Web pages using the <applet> or <object> tags.

Client Computer Security Cont’d

- Once an applet is downloaded, Java code runs on the client’s computer, which introduces a security hole
- To counteract this Java has a security model called the Java sandbox which prevents applets from performing certain functions, e.g. file input, output, or delete operations
- This scheme provides secrecy and integrity

Client Computer Security Cont’d

- JavaScript is a scripting language developed by Netscape
- When a Web page is downloaded and contains embedded JavaScript code, it runs on the user’s (client) computer
- JavaScript can be used to attack the client’s computer:
  - Destroy the hard disk
  - Disclose email stored in mailboxes
  - Capture information stored in Web forms (e.g. credit card information)

Client Computer Security Cont’d

Try the following JavaScript code, which through the use of a recursive routine locks up your Web browser:

<html>
<body>
<script type="text/javascript">
  askmeagain();
  function askmeagain() {
    alert("Ouch!");
    askmeagain(); // no base case, so the routine never returns
  }
</script>
</body>
</html>

Client Computer Security Cont’d

- Graphics, browser plug-ins and email attachments can include executable content
- Some graphic file formats contain special instructions on how to render the graphic; the embedded code can be used to attack your computer
- Plug-ins enhance your browser’s capabilities but can also pose a threat

Client Computer Security Cont’d

- A virus is software that attaches itself to another program
- A macro virus is a type of virus that is coded as a macro
- A worm is a type of virus that replicates itself on the computer it infects
- Email attachments may include word processing files, spreadsheets, databases and images, which may contain viruses
- Viruses within Word and Excel macros (Visual Basic for Applications) can damage your computer

Client Computer Security Cont’d

- Viruses tend to prey on operating system (or Web server) vulnerabilities
- To counteract viruses:
  - Ensure you have installed the latest security patches
  - Also ensure that you are running the latest antivirus software with the latest virus updates

Client Computer Security Cont’d: Digital Certificates

- One way of verifying the source of information is through a digital certificate
- A digital certificate is an attachment to a message which verifies the sender of the message
- It contains an encrypted message that identifies the author
- It indicates whether the certificate is valid or not

Client Computer Security Cont’d

- The creator of the digital certificate proclaims that they have attached Mr. X’s public key and signed (a hash of) it with their private key
- These digital certificates must be created by someone you trust
- A digital certificate has two parts:
  - Plaintext, which states who the certificate is created for and that the public key is attached
  - The plaintext hashed and signed (using a message authentication code and a digital signature)

Client Computer Security Cont’d

Other information on the digital certificate is:
- The certificate owner’s identifying information, such as name, organisation and address
- The certificate owner’s public key
- Dates between which the certificate is valid
- Serial number of the certificate
- Name of the certificate issuer
- Digital signature of the certificate issuer

Client Computer Security Cont’d

- Digital certificates are issued by a certification authority (CA) to individuals or organisations
- Appropriate proof of identity must be provided
- One of the oldest and best known certification authorities is VeriSign

Communication Channel Security

Communication channel threats come from various sources including:
- Sniffer programs
- Backdoors
- Cybervandalism
- Masquerading or spoofing
- Denial-of-service

Comm. Channel Security Cont’d: Sniffer Programs

- These programs provide a means of recording packets passing through a computer or router
- It is similar to telephone line tapping
- Sniffer programs can:
  - Read email messages
  - Read user logins and passwords
  - Read credit card numbers

Comm. Channel Security Cont’d: Backdoors

- Some e-commerce programs contain backdoors
- These backdoors are left intentionally or unintentionally by software developers
- Backdoors provide a way for an unauthorised user to gain access to protected information including:
  - Credit card information
  - Proprietary company information (which could be sold for millions to competitors)

Comm. Channel Security Cont’d: CyberVandalism

- This is the electronic defacing of Web site pages by replacing regular content
- It is parallel to the spraying of graffiti on public property

Comm. Channel Security Cont’d: Masquerading or Spoofing

- This is when a person impersonates someone else, e.g. pretending that a Web site belongs to someone else, when it does not
- On a domain name server a perpetrator might use a security hole in order to change the IP address of a given Web page
- Any order entered on this new page could then be modified (e.g. change the shipping address of the goods) and sent to the original Web site

Comm. Channel Security Cont’d: Denial-of-Service Threat

- This threat disrupts normal computer processing
- For example a zombie computer could be used to flood a Web site with packets
- This prevents legitimate users from using the Web site
- This may also lead to a loss in business

Comm. Channel Security Cont’d

Solutions for communication channel threats include:
- Symmetric encryption (discussed earlier)
- Asymmetric encryption (discussed earlier)
- Digital signatures
- Message hashing
- Digital certificates (discussed earlier)
- Secure Sockets Layer

Comm. Channel Security Cont’d: Digital Signatures

- Are an electronic version of a written signature
- When creating a digital signature a private key is used to encrypt and the public key to decrypt
- Since the process of signing is slow (because it utilises public/private key cryptography), messages are compressed before they are signed
- Alternatively, a hash is created from the message and signed, which improves speed

Comm. Channel Security Cont’d: Message Authentication Codes (MACs)

- Ensure the integrity of data
- MACs work in the following way:
  - The sender creates the MAC using the message to be transmitted and a publicly available MAC formula
  - Both the MAC and the message are transmitted
  - The receiver creates a MAC from the received message, and
  - Compares the two MACs. If they are the same the message has not been tampered with

Comm. Channel Security Cont’d

MACs are important since:
- A MAC is very small (a number of bytes) compared with the size of most messages
- Messages are often long
- Encryption and decryption is time-consuming
- It ensures message integrity
- It is not the same as compression since you cannot recover the original message from the MAC
- It is similar to a checksum

Comm. Channel Security Cont’d: Hashing

- MACs and hashing are extremely similar
- A hash value is generated using a hash algorithm
- Hash values act as fingerprints for messages
- Hash values are almost always unique (very low probability of the same hash value)
- A hash provides message integrity

Comm. Channel Security Cont’d: Secure Sockets Layer

- This provides a secure way for client and server to transmit confidential information
- A session key is a secret key created (for the purpose of encrypted communication) for the duration of an SSL session
- Public/private key cryptography is used to transmit the session key

Comm. Channel Security Cont’d

- Secret key encryption is used for all subsequent communication
- Secret key encryption is between 100 and 1000 times faster than public/private key encryption
- The following diagram describes the handshaking done by the client and server

Comm. Channel Security Cont’d

(Handshake diagram, read in order:)
1. Client sends “hello” message: sends encryption algorithms and key length
2. Server responds with “hello” message: sends server certificate containing server’s public key
3. Client sends response: sends client certificate and encrypted private session key
4. Server receives client response and initiates session
5. Session: send data between client and server using the private, shared key

Server Computer Security

Server vulnerabilities come from:
- Web servers and their software
- Backend programs such as database programs

Server Computer Security: Web Server Threats

- The more complex the software, the more likely it contains errors which might lead to vulnerabilities
- A Web server can compromise secrecy if it allows automatic directory listings
- Passwords users select could be a threat since a dictionary attack might reveal them

Server Computer Security: Database Threats

- These databases store confidential information
- Some databases store usernames/passwords in unencrypted tables, or do not enforce security at all

Server Computer Security: Other Threats

- Threats may arise when programs are executed by the server, e.g. buffer overrun or buffer overflow
- Buffers can overflow into critical memory locations, causing the Web server to run an attacker’s program
- Mail bombs cause mail servers to malfunction by overloading them with email

Server Computer Security: Firewalls

For a useful presentation on firewalls see:
http://scitec.uwichill.edu.bb/cmp/online/comp3210/presentations/AntonioArthur.ppt

Access Authorisation

Only allow authorised users to access services. This can be controlled through:
- Digital certificates:
  - Ensure the digital signature is valid
  - Check the time stamp on the digital certificate
- Usernames and passwords

Disaster Recovery

Disaster recovery is concerned with how quickly a company can recover from machine failure, disk failures, software failure and power failures and surges

References

[1] Schneider, Gary P., “Electronic Commerce: The Second Wave”, Thomson Course Technology, Fifth Annual Edition, 2004
[2] Sun Microsystems, “Code Samples and Apps”, 2005. Available online at http://java.sun.com/applets/