INE1020: Introduction to Internet Engineering, 6: Privacy and Security Issues. Lecture 9: E-commerce & Business (E-Commerce, Security Issues, Secure Transaction, Secure Network)

Dec 25, 2015


Shanna Hoover
Transcript
INE1020: Introduction to Internet Engineering
6: Privacy and Security Issues

Lecture 9: E-commerce & Business
• E-Commerce
• Security Issues
  • Secure Transaction
  • Secure Network


1. E-Commerce

E-commerce refers to all commercial transactions conducted over the Internet. It may include:
• Banking
• Sending orders
• Investing

E-Business Models
• Storefront
• Shopping-cart technology
• Auction model


1. E-Commerce Models

Storefront
• What many people think of when they hear “e-commerce.”
• Enables a merchant to:
  • Sell products online
  • Organize product catalogs through their websites
  • Take orders through the web
  • Accept payment
  • Manage customer information

Shopping-cart
• Allows customers to accumulate items they wish to buy as they browse the website. E.g., Amazon.com

Auction Model
• The Web offers a wide variety of auction sites that act as forums for Internet users to assume the role of sellers and buyers. E.g., eBay


1. E-Commerce & security

Security Made E-Commerce Possible
• The most common form of e-commerce transaction consists of a retail purchase from a catalog.
• It provides a way for the user to:
  • Purchase the item
  • Manipulate a shopping cart
  • Select a payment method


1. Secure Sockets

A browser keeps messages private by using encryption technology.
• The encryption process is entirely hidden from users.
• The browser handles the details.
• It encrypts the message before sending it.

Technology used: SSL (Secure Sockets Layer)
• With SSL, a browser can encrypt messages so that the content remains private.


2. Cryptography

2 categories of cryptography based on the key used:
• Symmetric key crypto: sender and receiver keys are identical
• Public-key crypto: the encryption key is different from the decryption key

[Figure: plaintext, ciphertext, plaintext, with keys KA and KB]


2. Cryptography Concepts

Cryptography
• Process data into unintelligible form
• Idea of encryption

[Figure: encryption turns the plaintext "This is a plaintext" into the ciphertext "xMa%@1gH*lbz", and decryption reverses it. A cryptosystem is either a secret key system or a public key system.]


2. Cryptographic Algorithms

Secret key algorithms
• DES (Data Encryption Standard)
• IDEA (International Data Encryption Algorithm)

Public key algorithms
• RSA (Rivest, Shamir, and Adleman)

Message digest (cryptographic checksum)
• MD5


2.1 Secret (Symmetric) Key

Encrypting and decrypting a message using the same key
• Sender sends message and key to receiver

Problems:
• The key must be transmitted to the receiver
• A different key is needed for every receiver
• Key distribution centers are used to reduce these problems
  • A key distribution center generates a session key and sends it to the sender and the receiver, encrypted with the unique key

Examples of encryption algorithms:
• Data Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES)


2.1 Secret Key (DES)

[Figure: symmetric encryption. The plaintext "This is a plaintext" is encrypted with the secret key into the ciphertext "xMa%@1gH*lbz", which is decrypted with the secret key back into the plaintext "This is a plaintext".]


2.2 Public (Asymmetric) Key

Encrypting and decrypting a message using different keys
• Asymmetric: two inversely related keys
  • Private key
  • Public key
• Each party has both a public and a private key
• Either the public key or the private key can be used to encrypt a message
• If the public key encrypts, only the private key can decrypt, and vice versa
• Encrypted with the private key
  • Proves identity while maintaining security

Example: RSA public key algorithm


2.2 Public Key (RSA)

[Figure: asymmetric encryption. The plaintext "This is a plaintext" is encrypted into the ciphertext "xMa%@1gH*lbz" and decrypted back into the plaintext "This is a plaintext"; the keys shown are a private key and a public key.]


2.3 Message Digest

Although secret codes cannot be decrypted, hackers can intercept them, add a few bits and change the message completely.

How can this be prevented?
• Send a message digest together with the message

What is a message digest?
• A hashed message that has very few bits (typically between 128 and 256 bits)

[Figure: Document → one-way hashing function → message digest]


2.3 Message Digest

Message Digest MD5 (cryptographic checksum)
• Hash algorithm (one-way function)
• Input: variable-length message (or a document)
• Output: fixed-length cryptographic checksum (e.g. 128 bits)
• The result is also called the hash or message digest
• Protects message integrity (e.g. against deliberate and accidental tampering)


2.3 Message Digest

A simple example of a hashing function using the remainder, e.g. let a = 1, b = 2, ..., z = 26.

To hash ‘apple’ into a number between 0 and 9:
• Add up the letters: apple = 1 + 16 + 16 + 12 + 5 = 50
• Divide the sum by 10
• The remainder is the hashed value (50 mod 10 = 0)
• Send ‘apple’ together with the hash value 0

If ‘apple’ is changed to ‘opple’, you can detect it because the hash code is different: o = 15, o + p + p + l + e = 64, hash code = 4.
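The remainder hash detects the change from ‘apple’ to ‘opple’, but it misses many other changes, which is why real message digests use cryptographic hash functions. This added example (not part of the original slides) implements the slide's hash and compares it with SHA-256 from Python's hashlib; the list of altered words is constructed for illustration.

```python
import hashlib


def toy_hash(word):
    """The slide's hash: a=1 ... z=26, add the letters, keep the remainder mod 10."""
    return sum(ord(c) - ord("a") + 1 for c in word.lower() if c.isalpha()) % 10


def sha256_hex(word):
    """A real one-way hash function: 256-bit digest written as hex."""
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


def undetected(original, altered, digest):
    """Altered messages whose digest equals the original's, so the change is missed."""
    expected = digest(original)
    return [w for w in altered if w != original and digest(w) == expected]


# Constructed sample: the slide's 'opple' plus other small alterations of 'apple'.
ALTERED = ["opple", "appel", "pplea", "bpple", "applo"]

if __name__ == "__main__":
    print("toy hash of apple:", toy_hash("apple"))
    print("toy hash of opple:", toy_hash("opple"))
    # Reordered letters and a letter shifted by 10 keep the same remainder.
    print("missed by toy hash:", undetected("apple", ALTERED, toy_hash))
    print("missed by SHA-256:", undetected("apple", ALTERED, sha256_hex))
```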


2.4 Security Services & Cryptography

[Figure: Security
• Cryptography algorithms: public key (e.g., RSA), secret key (e.g., DES), message digest (e.g., MD5)
• Security services: authentication, privacy, message integrity]


2.4 Security Services & Cryptography

Security services
• Privacy: preventing unauthorized release of information
• Authentication: verifying the identity of the remote participant
• Integrity: making sure the message has not been altered

Functions provided by cryptography
• Privacy: only those who know the (private & public) keys can encrypt and decrypt the message
• Authentication: use a digital signature (a code that can be generated only by a participant, e.g. using his/her private key)
• Integrity: a message integrity code (MIC) is added to the message; the MIC is a kind of checksum


2.5 Digital Signatures

Digital signature
• The electronic equivalent of written signatures.
• Authenticates the sender’s identity
  • The sender (Bob) digitally signs the document, establishing that he is the document owner/creator.
  • Verifiable, nonforgeable: the recipient (Alice) can verify that Bob, and no one else, signed the document.
• A digital signature combines a public-key algorithm with a message digest.
  • Digital signature = signed message digest
  • The sender uses its private key to sign the message.


2.5 Digital Signatures

Bob sends digitally signed message:

Alice verifies signature and integrity of digitally signed message:
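The sign-and-verify exchange between Bob and Alice, as an added example that is not part of the original slides: the signature is the SHA-256 message digest raised to Bob's private exponent. It uses textbook RSA without padding and a toy key built from two publicly known primes, so it illustrates the principle only; real systems use a vetted library with a padded scheme such as RSA-PSS. The message text is constructed.

```python
import hashlib

# Toy key for illustration only: two well-known Mersenne primes, so the
# "private" exponent is not secret. Real keys use secret random primes.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # Bob's private exponent (Python 3.8+)


def digest_int(message):
    """Message digest (SHA-256) reduced to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message):
    """Bob: signature = message digest raised to the private exponent."""
    return pow(digest_int(message), D, N)


def verify(message, signature):
    """Alice: recover the digest with Bob's public key and compare it with
    the digest she computes herself from the message she received."""
    return pow(signature, E, N) == digest_int(message)


# Constructed sample message.
ORDER = b"Pay 100 dollars to Alice"
SIGNATURE = sign(ORDER)

if __name__ == "__main__":
    print("genuine message:", verify(ORDER, SIGNATURE))
    print("altered message:", verify(b"Pay 900 dollars to Alice", SIGNATURE))
    print("altered signature:", verify(ORDER, SIGNATURE + 1))
```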


2.6 Transaction Security Protocols

Secure Sockets Layer (SSL)
• Uses public-key technology and digital certificates to authenticate the server in a transaction
• Protects information as it travels over the Internet

[Figure: two panels, "Without using SSL" and "When using SSL"]


2.6 Transaction vs. Network Security

Transaction security protocols
• Protect information as it travels over the Internet
• Do not protect it once stored on the receiver's servers
• Need to protect the servers:
  • Protect the network: network security
  • Protect the building where the servers are located

Network security
• Allow authorized users access
• Prevent unauthorized users from obtaining access
• Example: firewall


3. Firewalls

A specially programmed router between a site and the rest of the Internet
• Connects to 2 or more networks
• Forwards and filters packets

Denial-of-service
• Filters packets based on source IP address
• Protects hosts within a site from unwanted flooding of external packets

2 categories
• Filter-based
• Proxy-based

[Figure: Rest of the Internet, Firewall, Local site]


3. Firewalls: Filter-Based Solution

Table of entries: (source IP addr., source port, dest. IP addr., dest. port)

Examples:
• Filter all packets from port 1234 on host 192.12.13.14 addressed to well-known port 80 on host 128.7.6.5: (192.12.13.14, 1234, 128.7.6.5, 80)
• Filter all packets addressed to port 80 on 128.7.6.5: (*, *, 128.7.6.5, 80)
• Only allow access to port 25 (e.g. mail server): (*, *, 128.19.20.21, 25)

How dynamic?
• Install new filters as the firewall is running
• Patterns are extended to include new ports as new TCP connections are established (the port number may not be known in advance)
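How such a table is evaluated, as an added example that is not part of the original slides: entries are matched first to last with "*" as a wildcard, and a small audit finds entries hidden behind an earlier, broader one. The action column, the default-drop policy and the misordered table are assumptions of the example; the addresses come from the slide's tuples.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    action: str     # "drop" or "allow"; this column is an assumption of the example
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str


def covers(rule, fields):
    """True if every field of the rule is '*' or equals the given field."""
    return all(r == "*" or r == str(f) for r, f in zip(rule[1:], fields))


def decide(table, packet, default="drop"):
    """First matching entry wins; packets matching no entry get the default."""
    for rule in table:
        if covers(rule, packet):
            return rule.action
    return default


def shadowed(table):
    """Entries that can never fire because an earlier entry covers them."""
    return [later for i, later in enumerate(table)
            if any(covers(earlier, later[1:]) for earlier in table[:i])]


# Entries built from the slide's tuples.
TABLE = [
    Rule("drop", "192.12.13.14", "1234", "128.7.6.5", "80"),
    Rule("allow", "*", "*", "128.19.20.21", "25"),
]
# Constructed misordering: the broad entry comes first and hides the specific one.
MISORDERED = [Rule("allow", "*", "*", "128.7.6.5", "80"), TABLE[0]]

if __name__ == "__main__":
    print(decide(TABLE, ("192.12.13.14", 1234, "128.7.6.5", 80)))
    print(decide(TABLE, ("10.0.0.9", 40000, "128.19.20.21", 25)))
    print(decide(TABLE, ("10.0.0.9", 40000, "128.19.20.21", 22)))
    print(shadowed(MISORDERED))
```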


3. Firewalls

Problem: complex policy
• Example: to make certain pages of a web server available to all external users
• Unable to express the policy as filters

[Figure: a random external user and a remote company user reach, through the Internet and the Firewall, the Web server on the Company net]


3. Firewalls

Solution: put an HTTP proxy on the firewall
• Proxy: a process between a client and a server
• The remote user establishes a connection to the proxy
• If the requested page is allowed
    establish connection to server
  else
    return error
• Policy is embodied in an application-specific proxy

[Figure: External client, external HTTP/TCP connection, Proxy on the Firewall, internal HTTP/TCP connection, Local server]
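The proxy's "allowed page" decision, as an added example that is not part of the original slides: the policy is a list of directories open to external users, and the requested path is decoded and normalised before the check so that the path the proxy approves is the path it forwards. The directory names and request targets are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical policy: only these directories are open to external users.
PUBLIC_DIRS = ("/public", "/products")


def canonical_path(request_target):
    """Decode and normalise the path once; return None if it stays ambiguous."""
    path = unquote(request_target.split("?", 1)[0])
    # A '%' left after decoding means double encoding; refuse it together
    # with NUL bytes and backslashes rather than guess what the server sees.
    if "%" in path or "\x00" in path or "\\" in path:
        return None
    return posixpath.normpath("/" + path.lstrip("/"))


def proxy_decision(request_target):
    """Return (status, path_to_forward); 403 is the slide's 'return error'."""
    path = canonical_path(request_target)
    if path is None:
        return 403, None
    for directory in PUBLIC_DIRS:
        if path == directory or path.startswith(directory + "/"):
            return 200, path     # forward the checked path, not the raw one
    return 403, None


if __name__ == "__main__":
    for target in ("/public/catalog.html",
                   "/internal/payroll.html",
                   "/public/../internal/payroll.html",
                   "/public/%2e%2e/internal/payroll.html",
                   "/publicity/plan.html"):
        print(target, "->", proxy_decision(target))
```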


Further Readings

Reading assignment: chp 30, text book

This lecture is intended to provide a brief introduction to network and transactional security. Students who wish to invest more time in studying security issues are referred to the following resources:
• Security Issues: Davis Chapter 8.
• A master-level course, IEG 7006: System Administration and Network Security, explores security issues in depth.