1 6 Chapter 6 Implementing Security for Electronic Commerce.

1

6

Chapter 6

Implementing Security

for

Electronic Commerce

Electronic Commerce

2

6

Objectives

Security measures that can reduce or eliminate intellectual property theft

Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages

Authenticate users to servers and authenticate servers

3

6

Objectives

Available protection mechanisms to secure information sent between a client and a server

Message integrity security, preventing another program from altering information as it travels across the Internet

4

6

Objectives

Safeguards that are available so commerce servers can authenticate users

Protecting intranets with firewalls and corporate servers against being attacked through the Internet

The role Secure Socket Layer, Secure HTTP and secure electronic transaction protocols play in protecting e-commerce

5

6

Minimum Requirements for Secure Electronic Commerce

6

6

Protecting Intellectual Property

The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works

Intellectual Property Protection in Cyberspace recommends: Host name blocking Packet filtering Proxy servers

7

6

Companies Providing Intellectual Property Protection Software

ARIS Technologies Digital audio watermarking systems

Embedded code in audio file uniquely identifying the intellectual property

Digimarc Corporation Watermarking for various file formats Controls software and playback devices

8

6

Companies Providing Intellectual Property Protection Software

SoftLock Services Allows authors and publishers to lock files

containing digital information for sale on the Web

Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing

9

6

Protecting Client Computers

Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers

Threats can hide in Web pages Downloaded graphics and plug-ins E-mail attachments

10

6

Protecting Client Computers

Cookies Small pieces of text stored on your computer and

contain sensitive information that is not encrypted Anyone can read and interpret cookie data Do not harm client machines directly, but

potentially could still cause damage

Misplaced trust Web sites that aren’t really what they seem and

trick the user into revealing sensitive data

11

6

Monitoring Active Content

Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download

Digital certificates provide assurance to clients and servers that the participant is authenticated

12

6

Digital Certificates

Also known as a digital ID Is an attachment to an e-mail message or a

program embedded in a Web page It serves as a proof that the holder is the

person or company identified by the certificate

A means to send encrypted message -encoded, so that others cannot read or duplicate it

13

6

Digital Certificates

IN case of downloaded software containing a digital ID, it identifies the software publisher, i.e., it assures that the holder of the software is a trusted name.

A certification authority (CA) issues a digital certificate to an organization or an individual when provided with required information.

A certificate authority also signs the certificate in the form of a public encrypted key, which unlocks the certificate for anyone who receives the certificate attached to the publisher’s code.

CA guarantees the authenticity of the organization or individual.

14

6

Digital Certificates

Key: A key is simply a number - a long binary

number (1s and 0s) - which is used with the encryption algorithm to “lock” the characters of the message that is to be protected.

Longer keys provide significantly better protection than shorter keys.

15

6

VeriSign -- A Certification Authority

16

6

VeriSign

Is the Oldest and best-known Certification Authority (CA) Offers several classes of certificates

Class 1 (lowest level) Bind e-mail address and associated public keys

Class 2 Issued by an organization such as a bank to identify its

customers. The certificate is still issued by a CA. Class 4 (highest level)

Apply to servers and their organizations Offers assurance of an individual’s identity and

relationship to a specified organization

17

6

Structure of a VeriSign CertificateFigure 6-4

18

6

Microsoft Internet Explorer

Provides client-side protection right inside the browser

Reacts to ActiveX and Java-based content

Authenticode verifies the identity of downloaded content

The user decides to ‘trust’ code from individual companies

19

6

Security Warning and Certificate ValidationFigure 6-5

20

6

Internet Explorer Zones and Security LevelsFigure 6-6

21

6

Internet Explorer Security Zone Default SettingsFigure 6-7

22

6

Netscape Navigator

User can decide to allow Navigator to download active content

User can view the signature attached to Java and JavaSript

Security is set in the Preferences dialog box

Cookie options are also set in the Preferences dialog box

23

6

Setting Netscape Navigator PreferencesFigure 6-8

24

6

A Typical Netscape Navigator Java Security Alert

Figure 6-9

25

6

Viewing a Content Provider’s CertificateFigure 6-10

26

6

Dealing with Cookies

Can be set to expire within 10, 20, or 30 days

Retrievable only by the site that created them

Collect information so that the user doesn’t have to continually enter usernames and passwords to access Web sites

27

6

Dealing with Cookies

Earlier browsers simply stored cookies without comment

Today’s browsers allow options to: Store cookies without permission or

warning Receive a warning that a cookie is about

to be stored Unconditionally disallow cookies

altogether

28

6

Protecting Electronic Commerce Channels: Communication Path

Protecting assets while they are in transit between client computers and remote servers

Providing channel security includes Channel secrecy Guaranteeing message integrity Ensuring channel availability Authentication

29

6

Providing Transaction Privacy

Encryption The coding of information by using a

mathematically based program and secret key to produce unintelligible characters. Original information is changed.

Steganography Makes text invisible to the naked eye

Cryptography Converts text to strings that appear to have no

meaning

30

6

Encryption

40-bit keys are considered minimal,128-bit keys provide much more secure encryption

Encryption can be subdivided into three functions Hash Coding

Uses a hash algorithm to calculate a number called “hash value” from the original message string.

Asymmetric (Public-key) Encryption Encodes by using two mathematically related keys

Symmetric (Private-key) Encryption Encodes by using one key, both sender and receiver must

know

31

6

Hash Coding

Uses a hash algorithm to calculate a number called hash value from the original message string.

Typically, the algorithm uses all 1s and 0s that comprise a message, and come up with a value. Thus two messages should never have the same hash value.

Comparing the hash value before and after transmission of a message, can determine whether the message has been changed or not.

32

6

Asymmetric (or Public-key) Encryption

Encodes messages by using two mathematically-related numeric keys: a public key and a private key.

The public key is freely available to anyone (public) who wants to communicate with the holder of both

keys. It is used to encrypt messages. The private key belongs to the key owner in secret,

and is used to decrypt an encrypted message. If Jack wants to send a message to Jill, then Jack

obtains Jill’s public key, encrypts the message with it, and sends it. Only Jill can decrypt this message with her private key.

33

6

Symmetric (or Private-key) Encryption

Encodes a message using a single numeric key (private key) to encode and decode data.

Because same key is used, both the sender and the receiver must know the key.

Thus it is not suitable for public communication over the Internet.

But, it might be suitable for highly secured communication such as that in defense sector or between two business partners.

34

6

Hash Coding, Private-key, and Public-key Encryption

35

6

Significant Encryption Algorithms and Standards