unit 2aa

Copyright © 2010 Pearson Education, Inc. Copyright © 2009 Pearson Education, Inc. Slide 5-1 Unit 2 Security Issues in E-Business

Upload: sheetal-verma

Post on 07-May-2015


Unit 2

Security Issues in E-Business


Types of Attacks Against Computer Systems (Cybercrime)

Figure 5.1, Page 267. Source: Based on data from Computer Security Institute, 2009.


What Is Good E-commerce Security?

To achieve highest degree of security:
- New technologies
- Organizational policies and procedures
- Industry standards and government laws


The E-commerce Security Environment

Figure 5.2, Page 270


Dimensions of E-Commerce Security

1. Integrity – the ability to ensure that information being displayed on a web site or transmitted or received over the internet has not been altered in any way by an unauthorized party.

2. Non-repudiation – the ability to ensure that e-commerce participants do not deny their online actions.


3. Authenticity – the ability to identify the identity of a person or entity with whom you are dealing on the internet.

4. Confidentiality – the ability to ensure that messages and data are available only to those who are authorized to view them.


5. Privacy – the ability to control the use of information about oneself.

6. Availability – the ability to ensure that an e-commerce site continues to function as intended.


Table 5.2, Page 271


The Tension Between Security and Other Values

Security vs. ease of use

The more security measures added, the more difficult a site is to use, and the slower it becomes

Security vs. desire of individuals to act anonymously

Use of technology by criminals to plan crimes or threaten nation-state


Security Threats in the E-commerce Environment

Three key points of vulnerability:

1. Client

2. Server

3. Communications pipeline


Most Common Security Threats in the E-commerce Environment

Malicious code
- Viruses (replicate, make copies of themselves)
- Worms (spread from computer to computer)
- Trojan horses (appear to be benign, but then do something other than expected)
- Bots (respond to external commands sent by the attacker)
- Botnets (collections of bot computers)


Unwanted programs
- Browser parasites (a program that can monitor and change the settings of a user's browser)
- Spyware (a program used to obtain information such as user emails, IM and so on)

Phishing
- Deceptive online attempt by a third party to obtain confidential information for financial gain
- Use information to commit fraudulent acts (access checking accounts), steal identity


Hacking and cybervandalism
- Hackers (individuals who intend to gain unauthorized access to a computer system)
- Crackers (term used to denote hackers with criminal intent)
- Cybervandalism: intentionally disrupting, defacing, destroying a Web site
- Types of hackers: white hats (good hackers), black hats (intention of causing harm), grey hats (discover the weakness and publish it)


Credit card fraud/theft
- Fear of stolen credit card information deters online purchases
- Online companies at higher risk than offline

Spoofing: misrepresenting self by using fake e-mail address

Pharming: spoofing a Web site
- Redirecting a Web link to a new, fake Web site

Spam/junk Web sites


Denial of service (DoS) attack
- Hackers flood site with useless traffic to overwhelm network

Distributed denial of service (DDoS) attack
- Hackers use multiple computers to attack target network

Sniffing - Eavesdropping program that monitors information traveling over a network

Insider jobs - Single largest financial threat

Poorly designed server and client software


Technology Solutions
- Protecting Internet communications (encryption)
- Securing channels of communication (SSL, S-HTTP, VPNs)
- Protecting networks (firewalls)
- Protecting servers and clients


Tools Available to Achieve Site Security

Figure 5.7, Page 287


Encryption is the coding of information by using a mathematically based program and a secret key to produce a string of characters that is unintelligible.

Science that studies encryption is called cryptography (secret writing).

Science of creating messages that only the sender and receiver can read.


Encryption
- Transforms data (plain text) into cipher text readable only by sender and receiver
- Secures stored information and information transmission
- Provides 4 of 6 key dimensions of e-commerce security:
  1. Message integrity (unaltered)
  2. Nonrepudiation (can't deny the action)
  3. Authentication (verify identity)
  4. Confidentiality (message not read by others)


Plaintext – An unencrypted message in human-readable form

Ciphertext – A plaintext message after it has been encrypted into a machine-readable form

Substitution Cipher – Cipher is letter plus two, so each letter of Hello is replaced by the letter two places forward

Transposition Cipher – Change the order of the letters in a symmetric way, e.g. Hello reversed is Olleh.


Symmetric Key Encryption (Secret/Private Key Encryption)

- Sender and receiver use same digital key to encrypt and decrypt message
- Requires different set of keys for each transaction
- Data Encryption Standard (DES): developed by National Security Agency (NSA) and IBM in 1950s. Uses 56-bit encryption key. U.S. Gov. uses 3DES
- Advanced Encryption Standard (AES): most widely used symmetric key encryption. Uses 128-, 192-, and 256-bit encryption keys
- Other standards use keys with up to 2,048 bits


Public Key Encryption (Asymmetric encryption)

Uses two mathematically related digital keys

1. Public key (widely disseminated)

2. Private key (kept secret by owner)

Both keys used to encrypt and decrypt message

Once key used to encrypt message, same key cannot be used to decrypt message

Sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it


Public Key Cryptography—A Simple Case

Figure 5.8, Page 290


Public Key Encryption Using Digital Signatures and Hash Digests

Hash function:
- Mathematical algorithm that produces fixed-length number called message or hash digest
- Hash digest of message sent to recipient along with message to verify integrity
- Property of hash function – any change in the original message will cause the message digest to be different


Digital Signature (e-signature)

- To verify authenticity of message and message integrity.

- Signed cipher text that can be sent over the internet

- With hash document, it is unique for the document, and changes for every document.


Public Key Cryptography with Digital Signatures

Figure 5.9, Page 291


Public Key Encryption Using Digital Signatures and Hash Digests

1. The sender creates an original message.
2. The sender applies a hash function, producing a 128-bit hash result.
3. The sender encrypts the message and hash result using recipient's public key.
4. The sender encrypts the result again, using his or her private key.
5. The result of this double encryption is sent over the internet.
6. The receiver uses the sender's public key to authenticate the message.
7. The receiver uses his/her private key to decrypt the hash function and the original message. The receiver checks to ensure the original message and the hash function results conform to one another.


Digital Envelopes (key within a key)

Addresses weaknesses of:

- Public key encryption: Computationally slow, decreased transmission speed, increased processing time

- Symmetric key encryption: Insecure transmission lines

Uses symmetric key encryption to encrypt document

Uses public key encryption to encrypt and send symmetric key
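
An added example, not part of the original slides, that combines the hash digest, digital signature and digital envelope described above. It signs only the hash digest and encrypts the document with the envelope's symmetric key, rather than running the whole message through public key encryption twice. The toy RSA keys (built from publicly known primes, no padding), the SHA-256 keystream cipher and the sample order text are constructed assumptions for illustration and are not secure.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy: no padding)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# Constructed demo keys built from publicly known Mersenne primes.
SENDER = make_key(2**127 - 1, 2**1279 - 1)
RECIPIENT = make_key(2**521 - 1, 2**607 - 1)

ORDER = b"Order 1001: ship 2 units to customer 77"   # constructed sample

def hash_digest(message: bytes) -> int:
    """Fixed-length digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def symmetric(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def send(message: bytes) -> dict:
    # Digital signature: hash digest encrypted with the sender's private key.
    signature = pow(hash_digest(message), SENDER["d"], SENDER["n"])
    # Digital envelope, part 1: document under a one-time symmetric key.
    session_key = secrets.token_bytes(32)
    body = symmetric(session_key, message)
    # Digital envelope, part 2: symmetric key under recipient's public key.
    wrapped = pow(int.from_bytes(session_key, "big"),
                  RECIPIENT["e"], RECIPIENT["n"])
    return {"wrapped_key": wrapped, "body": body, "signature": signature}

def receive(packet: dict):
    """Return (message, signature_ok) as seen by the recipient."""
    # Only the recipient's private key opens the envelope.
    key_int = pow(packet["wrapped_key"], RECIPIENT["d"], RECIPIENT["n"])
    message = symmetric(key_int.to_bytes(32, "big"), packet["body"])
    # The sender's public key recovers the digest that was signed.
    signed_digest = pow(packet["signature"], SENDER["e"], SENDER["n"])
    return message, signed_digest == hash_digest(message)
```

Changing a single bit of `body` in transit makes `receive` return `False` for the signature check, which is the hash property the slides describe.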


Creating a Digital Envelope

Figure 5.10, Page 293


What are Digital Certificates?

A digital certificate (DC) is a digital file that certifies the identity of an individual or institution, or even a router seeking access to computer-based information. It is issued by a Certification Authority (CA), and serves the same purpose as a driver's license or a passport.


Digital Certificates

Digital certificate is a digital document issued by a certification authority. It includes:
- Name of subject/company
- Subject's public key
- Digital certificate serial number
- Expiration date, issuance date
- Digital signature of certification authority (trusted third party institution) that issues certificate
- Other identifying information

Certification authority (CA): A trusted third party that issues digital certificates


What are Certification Authorities?

Certification Authorities are the digital world’s equivalent to passport offices. They issue digital certificates and validate holders’ identity and authority.

They embed an individual or institution’s public key along with other identifying information into each digital certificate and then cryptographically sign it as a tamper-proof seal verifying the integrity of the data within it, and validating its use.
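
An added example, not from the original slides, of the "tamper-proof seal": a CA signs a digest of the certificate fields listed earlier, and a relying party checks that signature and the validity dates before trusting the embedded public key. The field layout, the toy RSA keys (publicly known primes, no padding) and the name `shop.example` are constructed assumptions; real certificates use X.509 and padded signatures.

```python
import hashlib
from datetime import date

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy: no padding)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# Constructed demo keys built from publicly known Mersenne primes.
CA_KEY = make_key(2**127 - 1, 2**1279 - 1)
SHOP_KEY = make_key(2**521 - 1, 2**607 - 1)
CA_PUBLIC = (CA_KEY["n"], CA_KEY["e"])

FIELDS = ("subject", "public_key", "serial", "issued", "expires")

def fingerprint(cert: dict) -> int:
    """Hash digest over the certificate fields in a fixed order."""
    canonical = "\n".join(f"{name}={cert[name]}" for name in FIELDS)
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")

def issue(subject, public_key, serial, issued, expires) -> dict:
    """CA side: bind the subject to its public key and sign the result."""
    cert = {"subject": subject, "public_key": public_key, "serial": serial,
            "issued": issued.isoformat(), "expires": expires.isoformat()}
    cert["ca_signature"] = pow(fingerprint(cert), CA_KEY["d"], CA_KEY["n"])
    return cert

def verify(cert: dict, ca_public, today: date) -> str:
    """Relying party: check the CA's signature, then the validity window."""
    n, e = ca_public
    if pow(cert["ca_signature"], e, n) != fingerprint(cert):
        return "bad signature"
    if not cert["issued"] <= today.isoformat() <= cert["expires"]:
        return "outside validity period"
    return "ok"

# Constructed sample certificate for a hypothetical merchant.
CERT = issue("shop.example", (SHOP_KEY["n"], SHOP_KEY["e"]), 1001,
             date(2010, 1, 1), date(2011, 1, 1))

def swapped_key_cert() -> dict:
    """Same certificate with a different public key substituted after signing."""
    return dict(CERT, public_key=CA_PUBLIC)
```

The check covers only the signature and the dates; revocation status (the OCSP lookup mentioned later in the slides) is a separate step this sketch leaves out.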


Public Key Infrastructure (PKI)

It is a comprehensive system which is required to provide public key encryption and digital signature services.

PKI is the combination of software, encryption technologies and services that enables enterprises to protect the security of their communications and business transactions on networks.

It integrates CAs, digital certificates and public key cryptography into a total, enterprise-wide security architecture.

The purpose of PKI is to manage keys and certificates.


PKI involves the following

a) Subscriber- individual or entity identified by the certificate

b) Certifying authority- issuer of the certificate

c) Relying party- company, agency, or individual relying on the certificate.

Role of CA

1) To issue digital certificate to the subscriber

2) Identify and authenticate the subscriber’s information contained in the certificate for the benefit of the relying party.


A PKI infrastructure is expected to offer its users the following benefits:

- certainty of the quality of information sent and received electronically
- certainty of the source and destination of that information
- assurance of the time and timing of that information (providing the source of time is known)
- certainty of the privacy of that information
- assurance that the information may be introduced as evidence in a court of law


Who Provides the Infrastructure

Among PKI leaders are:
- RSA, which has developed the main algorithms used by PKI vendors
- Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities
- GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price
- Xcert, whose Web Sentry product checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP)
- Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management


Some Indian websites that use digital signatures
- Rediff, Sify-mall, Bazee, all major airlines, ICICI, HDFC

Some Certifying Authorities in India
- Safe Scrypt (a Sify-Verisign venture) was the first CA in India
- National Informatics Centre
- Tata Consultancy Services


Digital Certificates and Certification Authorities

Figure 5.11, Page 294


Limits to Encryption Solutions

- Doesn't protect storage of private key
- PKI not effective against insiders, employees
- Protection of private keys by individuals may be haphazard
- No guarantee that verifying computer of merchant is secure
- CAs are unregulated, self-selecting organizations


Securing Channels of Communication

Secure Sockets Layer (SSL, developed by Netscape Communications):

Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encrypted (secure communication between two computers)

It is a protocol that operates between the transport and application layers of TCP/IP and secures communications between the clients and server (by using encryption, digital signature technique).

A session key is a unique symmetric encryption key chosen just for single secure session.


Secure Negotiated Sessions Using SSL

Figure 5.12, Page 298


S-HTTP (developed by CommerceNet): Provides a secure message-oriented communications protocol designed for use in conjunction with HTTP (secure individual message)

It includes encrypting web communications carried over HTTP.

SSL is designed to establish a secure connection between two computers whereas S-HTTP is designed to send individual messages securely.


Firewalls

A firewall is a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

- Hardware or software that filters packets
- Prevents some packets from entering the network based on security policy
- Network inside the firewall is called trusted, and outside the firewall is called untrusted


Three main methods:

1. Packet filters: examine all data flowing back and forth between the trusted network (within the firewall) and the Internet.

2. Application gateways: firewalls that filter traffic based on the application requested, e.g. permits incoming FTP request and blocks outgoing FTP request.

3. Proxy server: a firewall that communicates with the Internet on the private network's behalf; it is a software server that handles all communications originating from or being sent to the Internet.
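
An added example, not from the original slides, of how a packet filter applies a security policy between the trusted and untrusted side: ordered rules, first match wins, anything unmatched is denied. The address range, the rule list (which approximates the FTP example above by destination port 21) and the sample packets are constructed assumptions.

```python
import ipaddress

# Assumed address plan: everything in 10.0.0.0/8 is the trusted network.
TRUSTED = ipaddress.ip_network("10.0.0.0/8")

# Constructed security policy: (direction, protocol, destination port, action).
# Rules are checked in order and the first match decides.
POLICY = [
    ("in",  "tcp", 21,  "permit"),   # incoming FTP request
    ("out", "tcp", 21,  "deny"),     # outgoing FTP request
    ("in",  "tcp", 443, "permit"),   # customers reaching the web server
    ("out", "tcp", 443, "permit"),   # staff browsing over SSL
    ("out", "udp", 53,  "permit"),   # name lookups
]

def direction(src: str, dst: str) -> str:
    """Classify a packet by which side of the firewall each end is on."""
    src_trusted = ipaddress.ip_address(src) in TRUSTED
    dst_trusted = ipaddress.ip_address(dst) in TRUSTED
    if src_trusted and not dst_trusted:
        return "out"
    if dst_trusted and not src_trusted:
        return "in"
    return "internal" if src_trusted else "external"

def filter_packet(packet: dict) -> str:
    """Return 'permit' or 'deny' for one packet header."""
    way = direction(packet["src"], packet["dst"])
    if way == "internal":
        return "permit"          # both ends inside; policy does not apply
    for rule_dir, proto, port, action in POLICY:
        if (rule_dir, proto, port) == (way, packet["proto"], packet["dport"]):
            return action
    return "deny"                # default deny for everything unmatched

# Constructed sample packet headers (documentation address ranges).
PACKETS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 21},
    {"src": "10.0.0.8", "dst": "198.51.100.2", "proto": "tcp", "dport": 21},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 3389},
    {"src": "10.0.0.8", "dst": "198.51.100.2", "proto": "udp", "dport": 53},
]

def run_samples() -> list:
    return [filter_packet(p) for p in PACKETS]
```

The filter looks at each header in isolation, so reply traffic for a permitted connection would need its own rules.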


Firewalls and Proxy Servers

Figure 5.13, Page 301


Personal Firewalls

A personal firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy. Typically it works as an application layer firewall.

A personal firewall will usually protect only the computer on which it is installed, as compared to a conventional firewall which is normally installed on a designated interface between two or more networks, such as a router or proxy server. Hence, personal firewalls allow a security policy to be defined for individual computers, whereas a conventional firewall controls the policy between the networks that it connects.

Personal firewalls may also provide some level of intrusion detection, allowing the software to terminate or block connectivity where it suspects an intrusion is being attempted.


Features of personal firewalls
- Protects the user from unwanted incoming connection attempts
- Allows the user to control which programs can and cannot access the local network and/or Internet and provides the user with information about an application that makes a connection attempt
- Block or alert the user about outgoing connection attempts
- Hide the computer from port scans by not responding to unsolicited network traffic
- Monitor applications that are listening for incoming connections
- Monitor and regulate all incoming and outgoing Internet users
- Prevent unwanted network traffic from locally installed applications
- Provide information about the destination server with which an application is attempting to communicate


Virtual Private Network (VPN)

Allows remote users to securely access internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)

It enables a host computer to send and receive data across shared or public networks as if it were a private network with all the functionality, security and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.


- The VPN connection across the Internet is technically a wide area network (WAN) link between the sites but appears to the user as a private network link—hence the name "virtual private network".

- Point-to-Point Tunneling Protocol (PPTP) is an encoding mechanism that allows one local network to connect to another using the internet as the conduit.

- VPN is a temporary secure line and it reduces the cost of secure connection.


Four Protocols used in VPN
- PPTP -- Point-to-Point Tunneling Protocol
- L2TP -- Layer 2 Tunneling Protocol
- IPsec -- Internet Protocol Security
- SOCKS – is not used as much as the ones above

Tunneling - A virtual point-to-point connection made through a public network. The process of connecting one protocol (PPTP) through another (IP) is called tunneling.


A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.


Advantages: Cost Savings
- Eliminating the need for expensive long-distance leased lines
- Reducing the long-distance telephone charges for remote access
- Transferring the support burden to the service providers
- Operational costs

Advantages: Scalability
- Flexibility of growth
- Efficiency with broadband technology


Disadvantages

- VPNs require an in-depth understanding of public network security issues and proper deployment of precautions
- Availability and performance depend on factors largely outside of their control
- Immature standards
- VPNs need to accommodate protocols other than IP and existing internal network technology


Definitions - Intrusion Detection Systems

Intrusion
- A set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource

Intrusion detection
- The process of identifying and responding to intrusion activities

Intrusion prevention
- Extension of ID with exercises of access control to protect computers from exploitation


Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.


Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.

Types of IDS


Network intrusion detection system (NIDS) is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch 

Host-based intrusion detection system (HIDS) consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications and other host activities and state.

Stack-based intrusion detection system (SIDS): in this, the packets are examined as they go through the TCP/IP stack and, therefore, it is not necessary for them to work with the network interface in promiscuous mode.


Link for Digital signature explanation.

http://www.developer.com/java/ent/article.php/3092771/How-Digital-Signatures-Work-Digitally-Signing-Messages.htm