CS 898N – Advanced World Wide Web Technologies

Lecture 17: Security and E-Commerce

Chin-Chih Changchang@cs.twsu.edu

SSL• SSL (Secure Socket Layer) is a client/server

security scheme.• SSL runs in a layer between HTTP and

TCP/IP. This means two things:– HTTP data will continue to go back and forth

but at some point it will become encrypted.– The SSL protocol protocol will perform the

encryption and decryption in a manner completely transparent to the user.

SSL in E-commerce

Client-Helloincludes cipher list

Server Data

Pre-master key generation

Master key generation

PRE-MASTER KEY

Session key generation

Secure session begins

Server-Helloincludes cipher list

Client Data + Pre-master key

Master key generation

Session key generation

Secure session begins

Browser (Client) Server

encrypted

encrypted

SSL• Documentation on the SSL protocol can be

found in many places, specifically on the Netscape, Microsoft, and RSA sites.

• The first thing is the client issues a Client-Hello message. This includes a list of ciphers supported by the client.

• The server responds with a Server-Hello message, sending back a list of ciphers compatible with the client and the server’s digital certificate which contains the server’s public key.

SSL• At this time, the client may take steps of

validating the server’s certificate. Later the server may apply the same validating procedure.

• As part of the Server-Hello the client accepts the information from the server, which includes a piece of random data to be used in the process of creating a pre-master key.

SSL• The piece of data used is in cryptographic

terms called the nonce (“the number n used only once”) and is typically the session ID number sent by the server.

• The client computes the pre-master key and sends this to the server encoded to the public key in the server’s digital certificate.

• The server and client then separately go through a standard key generation process to create a pair of session keys.

SSL• Because these keys are generated in secret

and are valid only for the current session, and because symmetric ciphering is faster, the symmetric keys are used.

• Once this process is completed, the secure session can now get underway. If anything goes wrong, the client and server go out of communication.

• To configure security for an e-commerce site, you have to choose the level of security.

Encryption Options• There are two types of algorithms at work:

those for key generation and those for encryption.

• Key generation algorithms work differently for Public Key and Secret Key Cryptography.

• The two popular algorithms implemented by PGP in Public/Private key pair generation are RSA and Diffie-Hellman.

Encryption Options• In Secret Key generation, RC2, RC4, DES, and

Triple-DES are used.• Encryption algorithms implemented by PGP

include CAST, IDEA, and Triple-DES.• Secret key encryption algorithms are

combined with their key generation methods.

• The common algorithm that Public and Secret Key Cryptography uses is Triple-DES.

Encryption Options• Public Key Cryptography algorithms are

used for e-mail, digital signatures, and digital certificate authentication.

• Public Key Cryptography algorithms are not really used for e-commerce security.

• Secret Key Cryptography algorithms have very specific parameters that are totally relevant to e-commerce.

Encryption Options• RSA is a “public key cryptosystem” that

defines both key pair generation and message encryption.

• RSA was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA is a patented and licensed technology.

• RC2, RC4, and RC5 were designed to be faster, more secure, and an exportable replacement for DES.

Encryption Options• RC means either Rivest’s Cipher or Ron’s

Code.• DES stands for Data Encryption Standard

and came out of IBM.• DES became a U.S. Department of Defense

standard and export of the technology was severely restricted.

• DES is scheduled to be replaced by a more sophisticated algorithm - AES.

Encryption Options• One of the interim solutions to the weaken

status of DES is an enhanced version of DES - Triple-DES.

• DES is patented by IBM but IBM has placed it in the public domain.

• Diffe-Hellman was invented by Diffie and Hellman and is a key agreement protocol. It only defines how users can exchange secret keys over a public medium.

Encryption Options• IDEA (International Data Encryption

Algorithm), SAFER (Secure and Fast Encryption Routines), CAST (Carlisle Adams and Stafford Tavares), and Blowfish are all newer encryption algorithms of the 1990s.

• For more information, check these sites:www.rsa.com

Message Authentication Options• Message authentication is the task of

verifying that the message has not been altered and uses a hash algorithm to produce a digital signature.

• There are two of these algorithms used in the SSL protocol: MD5 (Message Digest 5) by Ron Rivest and SHA (Secure Hash Algorithm) by NIST (National Institute of Standards and Technology), a division of the U.S. Department of Commerce.

Security Options in SSL• When we look at security options we are

looking at defining how hard it will be to crack a certain code.

• The longer the key is, the harder the code will be to crack. This is a central theme in Internet security for two reasons:– Keys used in Public Key Cryptography must

be longer than those used in Secret Key Cryptography.

Security Options in SSL– The restrictions that U.S. Government export

laws put on cryptographic software force servers processing secure transactions for clients to support a dual standard.

• The new Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL. This was recently published as an IETF Internet-Draft, The TLS Protocol Version 1.0. Netscape products will fully support TLS.

Cracking a Cipher• The argument as to which cipher to use

depends on statistics, experience, and periodic attempts by cryptoanalysis to break certain codes.

• Statistically, a 40-bit key gives 2 , or a little more than 1 trillion possible combination. A 56-bit key gives 72 quadrillion. A 128-bit key gives 3 x 10 possible keys.

• A 128-bit key is considered adequate for commercial security.

40

38

Cracking a Cipher• In early 1997 RSA labs offered a challenge:

Anyone who could break the 56-bit DES code would receive a $10,000 prize.

• A group of Internet users responded to the challenge and broke a DES code in three months.

• They did this by writing a client program that participants could download. During the project, over 78,000 computers participated in the project.

Cracking a Cipher• In the three months of testing, a total of less

than half of all the possible 72 quadrillion key combinations were tested before someone came up with the winning number.

• This type of attempt, trying all possible combinations, is called an exhaustive key search or brute-force attack.

• Using improved techniques, the 56-bit DES code can be broken in shorter time.

Cracking a Cipher• It is concluded that 40-bit keys are

worthless.• To break a 128-bit key would put us off

effectively forever.• As a rough comparison, a 40-bit secret key

is considered equal to a 512-bit public key. This is main reason public key processing takes much longer.

• This is some informative site: www.eff.org

SET (Secure Electronic Transaction)

• SET (Secure Electronic Transaction) was developed by Visa and MasterCard as a method to increase security specifically for e-commerce purposes.

• SET uses all the tools SSL does: public and secret key encryption, digital signatures, and digital certificates.

• SET™ relies on cryptography and digital certificates to ensure message confidentiality and security.

SET (Secure Electronic Transaction)

• Message data is encrypted using a randomly generated key that is further encrypted using the recipient's public key.

• This is referred to as the "digital envelope" of the message and is sent to the recipient with the encrypted message.

• The recipient decrypts the digital envelope using a private key and then uses the symmetric key to unlock the original message.

SET (Secure Electronic Transaction)

• Software developed to the Specification must perform at least the following functions:– Create a digital signature using distinct key

pairs;– Generate a dual signature used to link an order

message to another component;– Verify the digital signature.

• For more information about SET, check www.setco.org.

Navigator Security• To get the Navigator security screen, select

the Communicator menu, Tools item, Security Info tab or just click on the Security icon on the toolbar.

• Navigator supports a standard cryptography package called PKCS #11.

• PKCS stands for Public Key Cryptography Standard which is published by RSA Laboratories.

Navigator Security• PKC#11 is a specification for an API for

cryptography and is also called Cryptoki, which is pronouced “crypto-key”. Crypto-key is short for cryptographic token interface.

• Cryptoki supports all the current cryptographic standards.

Explorer Security• To view security information for the Web

page currently loaded in Explorer, click the File menu, Properties item, and Certificates button.

• The advanced security settings for Explorer show that it supports SSL 2.0 and 3.0, and TLS 1.0.

• A document in the Microsoft library states that Explorer and Navigator both support PKCS#7.

Explorer Security

• PKCS#7, according to RSA, is a general syntax for cryptographic enhancements.

• Microsoft also offers PCT security, its own version of SSL called Private Communications Technology.

• PCT has been superseded by SSL 3.0 and TLS. It is there for backward compatibility.

Accepting Electronic Payments• A four-step Internet ordering scheme for

those with their own bank account is illustrated as below:– The customer submits the CGI form to the

merchant’s Web server, secure or not.– The CGI script generates an e-mail to the

merchant, with or without PGP encryption.– The CGI script transfers the customer to an

acknowledgement page.

Accepting Electronic Payments– The merchant processes the credit cards

offline, using a separate computer program, card reader with numeric keypad by filling out paper slips.

• The full-service e-commerce Web site, more commonly called a storefront, will have a sequence of several Web pages to process the customer’s order:– One or more pages for building the list of

goods to buy,

Accepting Electronic Payments– a different page to process each different type

of possible payment,– a thank you or acknowledgment page.

• If the product can be downloaded immediately, then the customer is routed the fulfillment area.

• A complete storefront work flow is shown below:

1. The customer submits the completed order form to merchant server.

Accepting Electronic Payments2. The merchant server encrypts the payment

information and sends it to a server run by an electronic payment processing company.

3. The payment processing server relays the encrypted payment information to a server that can verify the customer’s payment information.

4. The customer’s bank server accepts or declines the transaction.

Accepting Electronic Payments5. If accepted, the payment processing server

routes the payment information to a server that can deposit the electronic payment into the merchant’s bank account.

6. The payment processing server also relays the results of the payment request to the merchant’s Web server so the order can processed or declined.

7. The merchant’s Web server e-mails the results of a successful transaction to the merchant.

Accepting Electronic Payments8. The merchant’s Web server generates a page

that tells a page that tells the customer if his or her payment was accepted or declined.

• CyberCash is a digital payment processing service.

• To use Cybercash, you need a merchant account. You can establish an account with Cybercash.

• CyberCash's Internet payments business was recently acquired by VeriSign.

VeriSign/Cybercash• VeriSign's Payment Processing services

provide payment connectivity over the Internet between buyers, sellers, and the financial networks that move money between them.

• Their products include Payflow Link, Payflow Pro, Commerce Site, and Payflow Faud. For details, check www.verisign.com/products/payment.html

Wallets• A wallet is an application that keeps track of

the buyer’s payment information.• The idea of a wallet is that you enter all your

credit card information in the wallet, which can be automatically launched when it’s time to pay for something.

• Microsoft Passport Wallet is the product that makes it possible for you to store credit card information and your shipping and billing addresses in a secure, online location.

Wallets and Digital Cash• Only you have access to the information in

your Passport wallet.• The first and most familiar form of digital

cash is credit cards.• There are a lot of interesting issues about

how Digital Cash will work:– To buy digital cash, you’d have to download it

form the bank.– Like paper money, it would have to come in

unalterable denominations.

Digital Cash– You’d have to have a way to make change.– You’d have to either delete spent digital cash

from your computer or have a way to keep track of spent and unspent digital cash files.

• There are many issues and open questions in this field.

• For more information, refer towww.ex.ac.uk/~RDavies/arian/emoney.html

EDI• EDI (Electronic Data Interchange) is a

standard format for exchanging business data.

• The standard is ANSI X12 and it was developed by the Data Interchange Standards Association. ANSI X12 is either closely coordinated with or is being merged with an international standard, EDIFACT.

EDI• An EDI message contains a string of data

elements, each of which represents a singular fact, such as a price, product model number, and so forth, separated by delimiter.

• The entire string is called a data segment. One or more data segments framed by a header and trailer form a transaction set, which is the EDI unit of transmission (equivalent to a message).

EDI• A transaction set often consists of what

would usually be contained in a typical business document or form. The parties who exchange EDI transmissions are referred to as trading partners.

• EDI (Electronic Data Interchange) has been around since its start in the late 1980s and is a B2B e-commerce technology.

EDI

• EDI is a very complex, hard to support method of computerized business.

• XML/EDI development is under the way.• XML/EDI provides a standard framework

to exchange different types of data.• The information in a transaction is

exchanged via an Application Program Interface (API),