Post on 25-Dec-2015
6: Privacy and Security Issues
INE1020: Introduction to Internet Engineering
Lecture 9: E-commerce & Business
E-Commerce Security Issues
Secure Transaction
Secure Network
1. E-Commerce
Refers to all commercial transactions conducted over the Internet; may include:
• Banking
• Sending orders
• Investing
E-Business Models
• Store Front
• Shopping-Cart Technology
• Auction Model
1. E-Commerce Models
Storefront
• What many people think of when they hear “e-commerce.”
• Enables merchants to:
  • Sell products online
  • Organize product catalogs through their websites
  • Take orders through the web
  • Accept payment
  • Manage customer information
Shopping-cart
• Allows customers to accumulate items they wish to buy as they browse the website. E.g., Amazon.com
Auction Model
• The Web offers a wide variety of auction sites that act as forums for Internet users to assume the role of sellers and buyers. E.g., eBay
1. E-Commerce & Security
Security Made E-Commerce Possible
• The most common form of e-commerce transaction consists of a retail purchase from a catalog.
• Provides a way for the user to:
  • Purchase the item
  • Manipulate a shopping cart
  • Select a payment method
1. Secure Sockets
• A browser keeps messages private by using encryption technology.
• The encryption process is entirely hidden from users.
• The browser handles the details
  • Encrypts the message before sending it
• Technology used: SSL (Secure Sockets Layer)
• With SSL, a browser can encrypt messages so that the content remains private
2. Cryptography
2 categories of cryptography, based on the key used:
• symmetric key crypto: sender and receiver keys are identical
• public-key crypto: encryption key is different from decryption key
[Figure: plaintext → ciphertext → plaintext, with keys KA and KB]
2. Cryptography Concepts
Cryptography
• process data into unintelligible form
• idea of encryption
[Figure: encryption turns plaintext ("This is a plaintext") into ciphertext ("xMa%@1gH*lbz") and decryption turns it back. Cryptosystem: secret key system, public key system.]
2. Cryptographic Algorithms
Secret key algorithms
• DES (Data Encryption Standard)
• IDEA (International Data Encryption Algorithm)
Public key algorithms
• RSA (Rivest, Shamir, and Adleman)
Message Digest (cryptographic checksum)
• MD5
2.1 Secret (Symmetric) Key
• Encrypting and decrypting a message using the same key
• Sender sends message and key to receiver
• Problems:
  • Key must be transmitted to receiver
  • Different key for every receiver
• Key distribution centers are used to reduce these problems
  • Generates a session key and sends it to sender and receiver, encrypted with the unique key
• Examples of encryption algorithms: Data Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES)
2.1 Secret Key (DES)
[Figure: symmetric encryption. The plaintext "This is a plaintext" is encrypted with the secret key into the ciphertext "xMa%@1gH*lbz", which is decrypted with the secret key back into the plaintext.]
2.2 Public (Asymmetric) Key
• Encrypting and decrypting a message using different keys
• Asymmetric – two inversely related keys
  • Private key
  • Public key
• Each party has both a public and a private key
• Either the public key or the private key can be used to encrypt a message
• If the public key encrypts, only the private key can decrypt, and vice versa
• Encrypted with private key
  • Proves identity while maintaining security
• Example: RSA public key algorithm
2.2 Public Key (RSA)
[Figure: asymmetric encryption. The plaintext "This is a plaintext" is encrypted into the ciphertext "xMa%@1gH*lbz" and decrypted back into the plaintext; the keys shown are the private key and the public key.]
2.3 Message Digest
• Although secret codes cannot be decrypted, hackers can intercept a message, add a few bits and change the message completely
• How to prevent this from happening?
  • Send a message digest together with the message
• What is a message digest?
  • A hashed message that has very few bits (typically between 128 and 256 bits)
[Figure: Document → one-way hashing function → message digest]
2.3 Message Digest
Message Digest MD5 (cryptographic checksum)
• Hash algorithm (one-way function)
  • input: variable-length message (or a document)
  • output: fixed-length cryptographic checksum (e.g. 128 bits)
• result is also called the hash or message digest
• protects message integrity (e.g., against deliberate and accidental tampering)
2.3 Message Digest
A simple example of a hashing function using the remainder
• e.g. let a = 1, b = 2, . . ., z = 26
• to hash ‘apple’ into a number between 0-9
  • add up the letters: apple = 1 + 16 + 16 + 12 + 5 = 50
  • divide the sum by 10; the remainder is the hashed value (50 mod 10 = 0)
  • send ‘apple’ together with the hash value 0
• if ‘apple’ is changed to ‘opple’, you can detect it because the hash code is different
  • o = 15, o + p + p + l + e = 64, hash code = 4
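The slide's remainder hash next to a cryptographic digest, as an added example that is not part of the original slides. It uses SHA-256 from Python's hashlib rather than the MD5 the slides name; the altered words 'appel' and 'kpple' are constructed to show alterations the 10-value hash cannot reveal.

```python
import hashlib
import string

def toy_hash(word: str) -> int:
    """The slide's hash: a=1 ... z=26, add the letters, keep the remainder mod 10."""
    return sum(ord(c) - ord("a") + 1 for c in word.lower()) % 10

def sha256_hex(word: str) -> str:
    """A cryptographic digest of the same message (256 bits)."""
    return hashlib.sha256(word.encode()).hexdigest()

def undetected(original: str, altered: str, digest) -> bool:
    """True when the altered message carries the same digest as the original."""
    return digest(original) == digest(altered)

def missed_substitutions(word: str, digest) -> tuple:
    """Change one letter at a time; count the changes the digest fails to reveal."""
    original = digest(word)
    missed = total = 0
    for i, old in enumerate(word):
        for new in string.ascii_lowercase:
            if new == old:
                continue
            total += 1
            if digest(word[:i] + new + word[i + 1:]) == original:
                missed += 1
    return missed, total

if __name__ == "__main__":
    # The slide's case: 'opple' gets a different hash code, so it is detected.
    print("apple ->", toy_hash("apple"), " opple ->", toy_hash("opple"))
    # Constructed alterations: reordered letters, and a -> k (sum grows by 10).
    for altered in ("appel", "kpple"):
        print(altered,
              "toy hash misses it:", undetected("apple", altered, toy_hash),
              "SHA-256 misses it:", undetected("apple", altered, sha256_hex))
    # (missed, total) over every single-letter substitution of 'apple'.
    print("toy hash:", missed_substitutions("apple", toy_hash))
    print("SHA-256: ", missed_substitutions("apple", sha256_hex))
```
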
2.4 Security Services & Cryptography
[Figure: tree rooted at "Security" with two branches. Cryptography algorithms: public key (e.g., RSA), secret key (e.g., DES), message digest (e.g., MD5). Security services: authentication, privacy, message integrity.]
2.4 Security Services & Cryptography
Security services
• Privacy: preventing unauthorized release of information
• Authentication: verifying identity of the remote participant
• Integrity: making sure message has not been altered
Functions provided by cryptography
• Privacy: only those who know the (private & public) keys can encrypt and decrypt the message
• Authentication: use a digital signature (a code that can be generated only by a participant, e.g. using his/her private key)
• Integrity: a message integrity code (MIC) is added to the message; the MIC acts as a kind of checksum
2.5 Digital Signatures
Digital signature
• The electronic equivalent of written signatures.
• Authenticates sender’s identity
  • Sender (Bob) digitally signs document, establishing he is document owner/creator.
  • Verifiable, nonforgeable: recipient (Alice) can verify that Bob, and no one else, signed document.
• Digital signature combines public-key algorithm with message digest.
  • Digital signature = signed message digest
  • Sender uses its private key to sign the message.
2.5 Digital Signatures
Bob sends digitally signed message:
Alice verifies signature and integrity of digitally signed message:
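The sign and verify steps above ("digital signature = signed message digest"), as an added example that is not part of the original slides. It assumes textbook RSA without padding over a toy key built from two Mersenne primes, with SHA-256 as the message digest; the key, the sample message and the function names are constructed for illustration, and production code would call a vetted library's padded signature scheme instead.

```python
import hashlib

# Toy RSA key pair built from two known Mersenne primes. Constructed for this
# example: the modulus is far too small and there is no padding scheme.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                                # public modulus
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, known only to Bob

def digest_int(message: bytes) -> int:
    """Message digest (SHA-256) as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Bob: digital signature = message digest signed with the private key."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Alice: undo the signature with Bob's public key and compare digests."""
    return pow(signature, E, N) == digest_int(message)

ORDER = b"Ship 1 book to Alice"          # constructed sample message

if __name__ == "__main__":
    sig = sign(ORDER)
    print("genuine message verifies:  ", verify(ORDER, sig))
    print("altered message verifies:  ", verify(b"Ship 9 books to Alice", sig))
    print("altered signature verifies:", verify(ORDER, (sig + 1) % N))
```
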
2.6 Transaction Security Protocols
Secure Sockets Layer (SSL)
• Uses public-key technology and digital certificates to authenticate the server in a transaction
• Protects information as it travels over the Internet
[Figure: two panels, "Without using SSL" and "When using SSL"]
2.6 Transaction vs. Network Security
Transaction security protocols
• Protect information as it travels over the Internet
• Do not protect it once it is stored on the receiver's servers
• Need to protect the servers:
  • protect the network - network security
  • protect the building where the servers are located
Network security
• Allow authorized users access
• Prevent unauthorized users from obtaining access
• Example: firewall
3. Firewalls
A specially programmed router between a site and the rest of the Internet
• connects to 2 or more networks
• forwards and filters packets
Denial-of-service
• filters packets based on source IP address
• protects hosts within a site from unwanted flooding of external packets
2 categories
• filter-based
• proxy-based
[Figure: Rest of the Internet ↔ Firewall ↔ Local site]
3. Firewalls
Filter-Based Solution
table of entries (source IP addr., source port, dest. IP addr., dest. port)
example
• filter all packets from port 1234 on host 192.12.13.14 addressed to well-known port 80 on host 128.7.6.5
  (192.12.13.14, 1234, 128.7.6.5, 80)
• filter all packets addressed to port 80 on 128.7.6.5
  (*, *, 128.7.6.5, 80)
• only allow access to port 25 (e.g. mail server)
  (*, *, 128.19.20.21, 25)
how dynamic?
• install new filters as the firewall is running
• patterns extended to include new ports as new TCP connections are established (may not know port number in advance)
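The filter table above with a dynamically installed entry, as an added example that is not part of the original slides. The three patterns are the slide's; the action column, first-match ordering, the default action, the catch-all entry for 128.19.20.21 and the external host 203.0.113.9 are assumptions made for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class FilterFirewall:
    """Table of (src IP, src port, dst IP, dst port) patterns; '*' matches anything."""

    def __init__(self, default="allow"):
        self.table = []          # (pattern, action) pairs, first match wins
        self.default = default   # assumption: unmatched packets are forwarded

    def install(self, pattern, action, first=False):
        """Add an entry while the firewall is running."""
        entry = (tuple(pattern), action)
        if first:
            self.table.insert(0, entry)
        else:
            self.table.append(entry)

    def decide(self, pkt: Packet) -> str:
        for pattern, action in self.table:
            if all(p == "*" or p == field for p, field in zip(pattern, pkt)):
                return action
        return self.default

def slide_firewall() -> FilterFirewall:
    fw = FilterFirewall()
    # The three entries from the slide; the action column is an assumption.
    fw.install(("192.12.13.14", 1234, "128.7.6.5", 80), "drop")
    fw.install(("*", "*", "128.7.6.5", 80), "drop")
    fw.install(("*", "*", "128.19.20.21", 25), "allow")
    # Constructed catch-all: makes port 25 the only reachable port on that host.
    fw.install(("*", "*", "128.19.20.21", "*"), "drop")
    return fw

def demo() -> dict:
    fw = slide_firewall()
    mail_in = Packet("203.0.113.9", 5555, "128.19.20.21", 25)    # constructed
    other_in = Packet("203.0.113.9", 5555, "128.19.20.21", 22)   # constructed
    reply = Packet("203.0.113.9", 25, "128.19.20.21", 40000)     # constructed
    result = {"mail": fw.decide(mail_in), "other": fw.decide(other_in),
              "reply_before": fw.decide(reply)}
    # The mail host opened a TCP connection from port 40000, a port not known
    # in advance, so a filter for the replies is installed at run time.
    fw.install(("203.0.113.9", 25, "128.19.20.21", 40000), "allow", first=True)
    result["reply_after"] = fw.decide(reply)
    return result
```
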
3. Firewalls
Problem: complex policy
• Example: to make certain pages of a web server available to all external users
• unable to express policy as filters
[Figure: Internet, firewall, company net, web server, random external user, remote company user]
3. Firewalls
Solution: put an HTTP proxy on the firewall
• proxy: a process between a client and a server
• remote user establishes a connection to the proxy
• if requested page is allowed
    establish connection to server
  else
    return error
• Policy embodied in application-specific proxy
[Figure: External client ↔ external HTTP/TCP connection ↔ proxy on the firewall ↔ internal HTTP/TCP connection ↔ local server]
Further Readings
• Reading assignment: chapter 30, textbook
• This lecture is intended to provide a brief introduction to network and transactional security. Students who wish to invest more time in studying security issues are referred to the following resources:
  • Security Issues: Davis, Chapter 8.
  • A master-level course, IEG 7006: System Administration and Network Security, explores security issues in depth