Security in E-business


  • 8/8/2019 Security in E-business


    Security on Internet

    Computer Emergency Response Team (CERT): a group of three teams at Carnegie Mellon University that monitors incidents of cyber attacks, analyzes vulnerabilities, and provides guidance on protecting against attacks.

    According to the statistics reported (CERT/CC 2002), the number of cyber attacks skyrocketed from approximately 22,000 in 2000 to over 82,000 in 2002. In the first quarter of 2003 the number was already over 43,000.

    Security Threats on Internet

    Denial of Service (DoS)
    IP Spoofing
    Web defacement / Email defacement / Phishing
    Cyber squatting: misuse of a domain name
    Packet Sniffing
    Keystroke Logging (spyware)

    Cybersquatting

    Cybersquatting: illegal use of a domain name that is a trademark or brand of a renowned company, for personal benefit.
    Some companies facing cybersquatting: Tata, Rediff, Yahoo etc.
    The World Intellectual Property Organisation (WIPO) settles domain name disputes.
    Case: Nashik-based IT company Cyber World Infotech vs Acqua Minerals Ltd for bisleri.com. The company had a site cyberworld.com; Acqua Minerals, the Bisleri mineral water company, also has another domain name, bislerimineralwater.com.
    The case was ruled in favour of Acqua Minerals.

    Cybersquatting: Porsche case

    Porsche, the German sports car manufacturer: www.porsche.com vs. porsche-buy.com and

    Security Issues

    From the user's perspective:
    Is the Web server owned and operated by a legitimate company?
    Does the Web page and form contain some malicious or dangerous code or content?
    Will the Web server distribute unauthorized information the user provides to some other party?

    Security Issues (cont.)

    From both parties' perspectives:
    Is the network connection free from eavesdropping by a third party listening on the line?
    Has the information sent back and forth between the server and the user's browser been altered?

    Security Requirements

    Authentication: the process by which one entity verifies that another entity is who they claim to be.
    Methods: digital signatures, passwords, PIN numbers, biometric devices, smart cards

    Authorization: the process that ensures that a person has the right to access certain resources.
    Methods: passwords, firewalls

    Security Requirements (cont.)

    Auditing: the process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions.
    Methods: Web server logs, firewall logs, server logs, timestamps

    Security Requirements (cont.)

    Confidentiality: keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes.
    Method: encryption

    Security Requirements (cont.)

    Integrity: as applied to data, the ability to protect data from being altered or destroyed in an unauthorized or accidental manner.
    Method: encryption with hashing / message digest

    Security Issues (cont.)

    Nonrepudiation: the ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature.
    Methods: encryption, digital signatures, timestamps and confirmation services

    Security methods in Electronic commerce

    Encryption
    Hashing / Message digest
    Digital signatures
    Digital certificates
    Timestamps
    One-time passwords
    Firewalls

    Encryption

    Coding a message into unreadable form.
    Components in encryption:
    Plaintext
    Algorithm / mathematical formula
    Key: the combination of bits required to encode and decode

    General Principles of Encryption

    Longer keys make better ciphers
    Random keys make better ciphers
    Good ciphers produce random ciphertext
    The best keys are used once and thrown away

    Encryption types

    Symmetrical / Private Key encryption
    Uses a single key for encrypting and decrypting
    Requires a separate key for each sender-receiver pair
    DES (Data Encryption Standard), Rijndael

    Asymmetrical / Public Key Encryption

    Has a key pair: a public key and a private key
    Encrypting can be done with either key, and decrypting must be done with the other key
    Slower compared to symmetric encryption
    Eg: RSA (Ronald Rivest, Adi Shamir, Leonard Adleman)

    Applications of Encryption

    Digital Envelope
    Message encrypted with a key (symmetrical encryption)
    Key sent through public key encryption
    Used to encrypt transactions in B2C electronic commerce
    In B2C, a random key is generated by the customer's browser and used to encrypt the message. Both the encrypted message and the random key (encrypted with the merchant's public key) are sent to the merchant.

    Applications of Encryption

    Digital Signature
    Sender information (known as the message digest) is encoded with the sender's private key; this is treated as the signature of the sender.
    The message along with the signature is encrypted using the receiver's public key and sent.
    The receiver uses his private key to unlock the message.
    The receiver uses the sender's public key to read the signature.
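Added example (Go, not from the slides) of the sign and verify steps above, using SHA-256 as the message digest and RSA-PSS as the "encode with the private key" operation; in the slide's flow the signed message then goes into the digital envelope of the previous slide. The key-generation helper and the message are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// NewSigningKey generates the sender's RSA key pair: the private half signs, the public half is published.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign is the sender side: compute the message digest (SHA-256 here; the deck's MD5 is no
// longer collision-resistant) and apply the sender's private key to it with RSA-PSS padding.
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify is the receiver side: recompute the digest of the message actually received and
// check the signature with the sender's public key. A single changed byte, or a signature
// made with some other key, yields false; that is what makes the signature non-repudiable.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}
```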

    Digital Certificate

    Digital certificates are computer files that are used to authenticate the user.
    Issued by a certifying authority (CA) like Verisign, American Express CA, Digital Signature Trust Co. etc.
    Contains the holder's name, serial number, expiry date, the certificate holder's public key, and the digital signature of the CA.

    Format of Digital Certificate

    X.509 Digital Certificate
    Version
    Serial number
    Signature algorithm identifier
    Issuer
    Validity period
    Subject
    Subject public key information
    Issuer unique identifier
    Subject unique identifier
    Extension fields
    Digital signature

    Message Digest

    A message digest is a technique used to ensure data integrity.
    It can be used even when it may not be necessary to encrypt all messages.
    A message digest algorithm can generate an almost unique message digest (which looks like a fingerprint) for a message.
    A popular message digest algorithm is MD5.

    Public Key Infrastructure (PKI)

    The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
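Added example (Go, not from the slides) tying the X.509 fields of the format slide to the PKI definition above: a constructed root CA issues a shop certificate (the create and distribute steps), and a browser-style check verifies the CA's signature, the validity period and the subject (the use step). The CA and host names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair for the new holder and has the CA sign tmpl for it; with caKey == nil
// the holder signs its own certificate (a root). The DER is parsed back as a browser would parse it.
func issue(tmpl, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if caKey == nil {
		caKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs a root CA and the shop certificate it issued. Serial number, issuer,
// validity period, subject, public key and CA signature are the slide's fields; Go writes version 3.
func BuildChain(now time.Time) (root, shop *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	shopTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "shop.example"},
		DNSNames: []string{"shop.example"}, NotBefore: now, NotAfter: now.AddDate(0, 3, 0)}
	root, caKey, err := issue(caTmpl, caTmpl, nil)
	if err == nil {
		shop, _, err = issue(shopTmpl, root, caKey)
	}
	return root, shop, err
}

// Verify is the browser-side check: CA signature chains to a trusted root, validity covers at, subject matches host.
func Verify(shop, root *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := shop.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}
```

An expired certificate or a subject that does not match the visited host fails the same check, which is the browser's answer to the "is this server legitimate?" question from the Security Issues slides.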

    Security for E-commerce: Summary

    Security infrastructure is key to building customer trust on the internet.
    Digital certificates are a must for shopping sites. Other certificates such as TRUSTe can address privacy-related issues on the site.
    PKI can be implemented for internal use (employees) or external use (in websites for customers).