8/8/2019 Security in E-business
Security in E-business
Security on Internet
Computer Emergency Response Team (CERT): a group of three teams at Carnegie Mellon University that monitors incidents of cyber attacks, analyzes vulnerabilities, and provides guidance on protecting against attacks
According to the statistics reported (CERT/CC 2002), the number of cyber attacks skyrocketed from approximately 22,000 in 2000 to over 82,000 in 2002
In the first quarter of 2003 the number was already over 43,000
Security Threats on Internet
Denial of Service (DoS)
IP Spoofing
Web defacement / Email defacement
Phishing
Cybersquatting: misuse of a domain name
Packet Sniffing
Keystroke Logging (spyware)
Cybersquatting
Cybersquatting: illegal use of a domain name that is a trademark or brand of a renowned company, for personal benefit
Some companies facing cybersquatting: Tata, Rediff, Yahoo etc.
World Intellectual Property Organisation (WIPO) settles domain name disputes
Case: Nashik-based IT company Cyber World Infotech vs Acqua Minerals Ltd over bisleri.com
The company had a site cyberworld.com; Acqua Minerals, the Bisleri mineral water company, also had another domain name, bislerimineralwater.com
The case was ruled in favour of Acqua Minerals
Cybersquatting: Porsche case
Porsche, German sports car manufacturer: www.porsche.com vs. porsche-buy.com and
Security Issues
From the user's perspective:
Is the Web server owned and operated by a legitimate company?
Does the Web page or form contain malicious or dangerous code or content?
Will the Web server pass the information the user provides to some other party without authorization?
Security Issues (cont.)
From both parties' perspectives:
Is the network connection free from eavesdropping by a third party listening on the line?
Has the information sent back and forth between the server and the user's browser been altered?
Security Requirements
Authentication: The process by which one entity verifies that another entity is who they claim to be
Methods: Digital signatures, passwords, PIN numbers, biometric devices, smart cards
Authorization: The process that ensures that a person has the right to access certain resources
Methods: Passwords, Firewalls
Security Requirements (cont.)
Auditing: The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions
Methods: Web server logs, firewall logs, server logs, timestamps
Security Requirements (cont.)
Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
Method: Encryption
Security Requirements (cont.)
Integrity: As applied to data, the ability to protect data from being altered or destroyed in an unauthorized or accidental manner
Method: Hashing / message digest, with the digest itself protected by encryption, a keyed MAC or a digital signature (an unprotected digest detects accidents but not an attacker, who can simply recompute it over the altered data)
Security Requirements (cont.)
Nonrepudiation: The ability to prevent parties from denying that a legitimate transaction took place, usually by means of a signature
Methods: Encryption, Digital signature, Time stamps and confirmation services
Security methods in Electronic commerce
Encryption
Hashing / Message digest
Digital signatures
Digital certificates
Timestamps
One-time passwords
Firewalls
Encryption
Coding a message into unreadable form
Components in Encryption:
Plaintext
Algorithm / Mathematical formula
Key: a combination of bits required to encode and decode
General Principles of Encryption
Longer keys make better ciphers
Random keys make better ciphers
Good ciphers produce random-looking ciphertext
The best keys are used once and thrown away
Encryption types
Symmetric / Private (secret) Key encryption
Uses a single key for encrypting and decrypting
Requires a separate key for each sender-receiver pair
Examples: DES (Data Encryption Standard), Rijndael (standardized as AES)
Asymmetric / Public Key Encryption
Has a key pair: a public key and a private key
Encrypting can be done with either key, and decrypting must be done with the other key
Slower compared to symmetric encryption
Example: RSA (Ronald Rivest, Adi Shamir, Leonard Adleman)
Applications of Encryption
Digital Envelope
Message encrypted with a random key (symmetric encryption)
Key sent through public key encryption
Used to encrypt transactions in B2C electronic commerce
In B2C, a random key generated by the customer's browser is used for encrypting the message. Both the encrypted message and the random key (encrypted with the public key of the merchant) are sent to the merchant
Applications of Encryption
Digital Signature
A message digest (hash) of the message is encoded with the sender's private key; this is treated as the signature of the sender
The message along with the signature is encrypted using the receiver's public key and sent
The receiver uses his private key to unlock the message
The receiver uses the sender's public key to read the signature, recomputes the digest of the received message and checks that the two match; a mismatch means the message was altered or not signed by the claimed sender
Digital Certificate
Digital certificates are computer files that are used to authenticate the user
Issued by a certifying authority (CA) like Verisign, American Express CA, Digital Signature Trust Co. etc.
Contains the holder's name, serial number, expiry date, the certificate holder's public key, and the digital signature of the CA
Format of Digital Certificate
X.509 Digital Certificate
Version
Serial number
Signature algorithm identifier
Issuer
Validity period
Subject
Subject public key information
Issuer unique identifier
Subject unique identifier
Extension fields
Digital signature
Message Digest
Message Digest is a technique used to ensure data integrity
It can be used even when it may not be necessary to encrypt all messages
A message digest algorithm generates an almost unique, fixed-length message digest (a fingerprint) for a message; it should be infeasible to find two messages with the same digest
A popular message digest algorithm has been MD5; practical collisions against MD5 have been known since 2004, so current systems use the SHA-2 family (e.g. SHA-256) instead
Public Key Infrastructure (PKI)
The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Security for E-commerce: Summary
Security infrastructure is key to building customer trust on the internet
Digital certificates are a must for shopping sites
Other certificates such as TrustE can address privacy-related issues on the site
PKI can be implemented for internal use (employees) or external use (in websites, for customers)