Chapter 6
Implementing Security for Electronic Commerce
Electronic Commerce
Objectives
- Security measures that can reduce or eliminate intellectual property theft
- Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages
- Authenticating users to servers and authenticating servers
- Available protection mechanisms to secure information sent between a client and a server
- Message integrity security, preventing another program from altering information as it travels across the Internet
- Safeguards that are available so commerce servers can authenticate users
- Protecting intranets with firewalls and corporate servers against being attacked through the Internet
- The role Secure Sockets Layer, Secure HTTP and secure electronic transaction protocols play in protecting e-commerce
Minimum Requirements for Secure Electronic Commerce
Protecting Intellectual Property
- The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works
- Intellectual Property Protection in Cyberspace recommends:
  - Host name blocking
  - Packet filtering
  - Proxy servers
Companies Providing Intellectual Property Protection Software
- ARIS Technologies
  - Digital audio watermarking systems
  - Embedded code in audio file uniquely identifying the intellectual property
- Digimarc Corporation
  - Watermarking for various file formats
  - Controls software and playback devices
- SoftLock Services
  - Allows authors and publishers to lock files containing digital information for sale on the Web
  - Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing
Protecting Client Computers
- Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
- Threats can hide in
  - Web pages
  - Downloaded graphics and plug-ins
  - E-mail attachments
- Cookies
  - Small pieces of text that are stored on your computer and contain sensitive information that is not encrypted
  - Anyone can read and interpret cookie data
  - Do not harm client machines directly, but potentially could still cause damage
- Misplaced trust
  - Web sites that aren’t really what they seem and trick the user into revealing sensitive data
Monitoring Active Content
- Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download
- Digital certificates provide assurance to clients and servers that the participant is authenticated
Digital Certificates
- Also known as a digital ID
- Is an attachment to an e-mail message or a program embedded in a Web page
- It serves as proof that the holder is the person or company identified by the certificate
- A means to send an encrypted message, encoded so that others cannot read or duplicate it
- In the case of downloaded software containing a digital ID, it identifies the software publisher, i.e., it assures that the holder of the software is a trusted name.
- A certification authority (CA) issues a digital certificate to an organization or an individual when provided with required information.
- A certificate authority also signs the certificate in the form of a public encrypted key, which unlocks the certificate for anyone who receives the certificate attached to the publisher’s code.
- The CA guarantees the authenticity of the organization or individual.
- Key: a key is simply a number, a long binary number (1s and 0s), which is used with the encryption algorithm to “lock” the characters of the message that is to be protected.
- Longer keys provide significantly better protection than shorter keys.
VeriSign -- A Certification Authority
VeriSign
- Is the oldest and best-known Certification Authority (CA)
- Offers several classes of certificates
  - Class 1 (lowest level)
    - Bind e-mail address and associated public keys
  - Class 2
    - Issued by an organization such as a bank to identify its customers. The certificate is still issued by a CA.
  - Class 4 (highest level)
    - Apply to servers and their organizations
    - Offers assurance of an individual’s identity and relationship to a specified organization
Structure of a VeriSign Certificate (Figure 6-4)
Microsoft Internet Explorer
- Provides client-side protection right inside the browser
- Reacts to ActiveX and Java-based content
- Authenticode verifies the identity of downloaded content
- The user decides to ‘trust’ code from individual companies
Security Warning and Certificate Validation (Figure 6-5)
Internet Explorer Zones and Security Levels (Figure 6-6)
Internet Explorer Security Zone Default Settings (Figure 6-7)
Netscape Navigator
- User can decide to allow Navigator to download active content
- User can view the signature attached to Java and JavaScript
- Security is set in the Preferences dialog box
- Cookie options are also set in the Preferences dialog box
Setting Netscape Navigator Preferences (Figure 6-8)
A Typical Netscape Navigator Java Security Alert (Figure 6-9)
Viewing a Content Provider’s Certificate (Figure 6-10)
Dealing with Cookies
- Can be set to expire within 10, 20, or 30 days
- Retrievable only by the site that created them
- Collect information so that the user doesn’t have to continually enter usernames and passwords to access Web sites
- Earlier browsers simply stored cookies without comment
- Today’s browsers allow options to:
  - Store cookies without permission or warning
  - Receive a warning that a cookie is about to be stored
  - Unconditionally disallow cookies altogether
Protecting Electronic Commerce Channels: Communication Path
- Protecting assets while they are in transit between client computers and remote servers
- Providing channel security includes
  - Channel secrecy
  - Guaranteeing message integrity
  - Ensuring channel availability
  - Authentication
Providing Transaction Privacy
- Encryption
  - The coding of information by using a mathematically based program and secret key to produce unintelligible characters. Original information is changed.
- Steganography
  - Makes text invisible to the naked eye
- Cryptography
  - Converts text to strings that appear to have no meaning
Encryption
- 40-bit keys are considered minimal; 128-bit keys provide much more secure encryption
- Encryption can be subdivided into three functions
  - Hash Coding
    - Uses a hash algorithm to calculate a number called a “hash value” from the original message string.
  - Asymmetric (Public-key) Encryption
    - Encodes by using two mathematically related keys
  - Symmetric (Private-key) Encryption
    - Encodes by using one key, which both sender and receiver must know
Hash Coding
- Uses a hash algorithm to calculate a number called a hash value from the original message string.
- Typically, the algorithm uses all the 1s and 0s that make up a message to come up with a value. Thus two messages should never have the same hash value.
- Comparing the hash value before and after transmission of a message can determine whether the message has been changed or not.
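The before-and-after comparison described on this slide, as an added example that is not part of the original slides. It goes one step beyond the slide by also showing a keyed hash (HMAC), since a plain hash can be recomputed by anyone; SHA-256, the function names, the sample order and the key are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: an order message, an altered copy, a demo key.
ORDER = b"order=1001;item=book;qty=1;total=24.95"
ALTERED = b"order=1001;item=book;qty=9;total=24.95"
SHARED_KEY = b"constructed-demo-key"


def hash_value(message: bytes) -> str:
    """Hash coding: every bit of the message feeds one fixed-size value."""
    return hashlib.sha256(message).hexdigest()


def unchanged(received: bytes, sent_hash: str) -> bool:
    """Recompute the hash on receipt and compare it with the one sent."""
    return hmac.compare_digest(hash_value(received), sent_hash)


def keyed_hash(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: only holders of the shared key can compute this value."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def unchanged_keyed(key: bytes, received: bytes, sent_tag: str) -> bool:
    """Same comparison as unchanged(), but against a keyed hash."""
    return hmac.compare_digest(keyed_hash(key, received), sent_tag)


def demo() -> dict:
    sent_hash = hash_value(ORDER)
    sent_tag = keyed_hash(SHARED_KEY, ORDER)
    return {
        # The receiver's recomputed hash matches only the original bytes.
        "intact_accepted": unchanged(ORDER, sent_hash),
        "altered_rejected": not unchanged(ALTERED, sent_hash),
        # Limitation: a plain hash needs no secret, so a hash recomputed over
        # the altered bytes and swapped in alongside them still verifies.
        "swapped_plain_hash_accepted": unchanged(ALTERED, hash_value(ALTERED)),
        # A keyed hash closes that gap: without SHARED_KEY no valid tag can
        # be produced for the altered bytes.
        "keyed_intact_accepted": unchanged_keyed(SHARED_KEY, ORDER, sent_tag),
        "keyed_swap_rejected": not unchanged_keyed(
            SHARED_KEY, ALTERED, keyed_hash(b"not-the-key", ALTERED)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```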
Asymmetric (or Public-key) Encryption
- Encodes messages by using two mathematically related numeric keys: a public key and a private key.
- The public key is freely available to anyone (public) who wants to communicate with the holder of both keys. It is used to encrypt messages.
- The private key is kept secret by the key owner and is used to decrypt an encrypted message.
- If Jack wants to send a message to Jill, then Jack obtains Jill’s public key, encrypts the message with it, and sends it. Only Jill can decrypt this message with her private key.
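The Jack-and-Jill exchange above, as an added example that is not part of the original slides. The slide names no algorithm, so textbook RSA without padding stands in here; the small fixed primes and all function names are assumptions chosen to keep the arithmetic visible, and real keys use random primes of 1024 bits or more together with a padding scheme.

```python
# Jill's two primes (constructed for the demo): the Mersenne primes
# 2^61 - 1 and 2^89 - 1. E is the commonly used public exponent.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_keypair(p: int, q: int, e: int = E):
    """Return (public_key, private_key); the two are mathematically related
    through e * d = 1 (mod (p-1)(q-1))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """What Jack does: encode the message as a number m and compute m^e mod n."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """What only Jill can do: compute c^d mod n to get the message back."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def jack_sends_to_jill(message: bytes):
    jill_public, jill_private = make_keypair(P, Q)
    # Jack only ever sees jill_public; jill_private never leaves Jill.
    ciphertext = encrypt(jill_public, message)
    return ciphertext, decrypt(jill_private, ciphertext)


if __name__ == "__main__":
    sent, recovered = jack_sends_to_jill(b"Meet at noon")
    print("ciphertext on the wire:", hex(sent))
    print("Jill recovers:", recovered)
```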
Symmetric (or Private-key) Encryption
- Encodes a message using a single numeric key (private key) to encode and decode data.
- Because the same key is used, both the sender and the receiver must know the key.
- Thus it is not suitable for public communication over the Internet.
- But it might be suitable for highly secured communication, such as that in the defense sector or between two business partners.
Hash Coding, Private-key, and Public-key Encryption
Significant Encryption Algorithms and Standards