ACS 3907 E-Commerce · public key (obtained from the server's certificate, sent in step 2), and...

©Bowen Hui, Beyond the Cube Consulting Services Ltd.

ACS 3907E-Commerce

Lecture 11-2

Instructor: Kerry Augustine


Technology Solutions


Protecting Message Communication

• Encryption = process of transforming plain text (data) into cipher text that is only understood by sender and receiver

• Key = method of transforming a message– Also called cipher

• Purpose:– Secure stored information

– Secure information in transit

3


Substitution Cipher Example

• What is the cipher text for:

REMEMBRANCE DAY

KTDTDWKQFET RQN

4


Encryption (cont.)

• Substitution cipher = every occurrence of a letter replaced by another

• Transposition cipher = ordering of letters in words changed systematically

• Symmetric (secret) key encryption = both sender and receiver use the same key to en/decrypt messages

• Problems:– Computers can try all combinations to break codes quickly

– Secret key is lost/stolen

– Need a new key per pair of users in transaction

5


The Problem of Key Distribution

• Sender and receiver must agree on the same key

• In EC, sender and receiver are in different locations

• Must send secret key via some secure channel

How do you get the key to the receiver

without it being intercepted?

6


Public Key Encryption

7

Recipient's Recipient's

Sender encrypts the message using the Recipient's public key

Recipient decrypts the message using the Recipient's private key

Symmetric Key Encryption

Asymmetric Key Encryption


Public Key Encryption

• Asymmetric encryption scheme in 1970’s– Public key – widely disseminated

– Private key – kept secret by owner

• Anyone with your public key can encrypt information that only you can read

• Both keys can be used to en/decrypt– Computationally infeasible to derive private key from public key

– Pick keys of the right size

• Benefits:– Allows messages to be exchanged securely between two parties

without prior arrangement

– No need to establish symmetric keys via secure channel

– Never need to transmit private key

• Common examples: RSA, DSA8


More Powerful Public Key Encryption (cont.)

• Public key infrastructure (PKI) = certification procedures accepted by all parties

• Steps to create digital certificate:– Generate public/private key pair from user

– Send to certification authority with user’s public key

– Certification authority verifies identity

– Certification authority issues signed certificate = message digest from certificate and certification authority’s private key

• Types of certificates:– Personal

– Institutional

– Web servers

– Software publishers

– Certification authorities

9

Certificate Providers:– Symantec (which owns VeriSign, Thawte

and Geotrust) with 42.9% market share

– Comodo Group with 26%

– Go Daddy with 14%

– GlobalSign with 7.7%

http://www.symantec.com/index.jsp

https://www.comodo.com/

https://ca.godaddy.com/

https://www.globalsign.com/


Digital Certificates and Certification Authorities

Figure 5.9, Page 295

Copyright © 2013 Pearson Education, Inc. Slide 5-10


Trust Services

• Can you trust a business on the Web and in what areas, to what degree?

• See Access Controls and Web Trust

http://www.acs.uwinnipeg.ca/3907/ACS%201803SUPPLEMENTARY%20NOTES%20Audit-Control.pdf

http://www.webtrust.org/


Trust Services Principles

• Security: The system is protected against unauthorized access (both physical and logical).

• Availability: The system is available for operation and use as committed or agreed.

• Processing integrity: System processing is complete, accurate, timely, and authorized.

• Confidentiality: Information designated as confidential is protected as committed or agreed.

• Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

12


Protecting Communication Channels

• SSL = Secure Sockets Layer (2.0/ 3.0 Deprecated 2011/15)

• TLS = Transport Layer Security

• most common method of securing communication channel

• Create secure connection between client and server

• HTTPS = Hyper Text Transfer Protocol Secure

• Secured negotiated session = a client-server session in which the URL of the requested document (contents, form contents, cookies exchanged) are encrypted

• Browser and server establish “trust” via– Digital certificates (not the same as a digital signature)

– Shared form of encryption

– Shared session key = unique symmetric encryption key chosen for a single secure session

13



• SSL is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).

• It does this by making sure that any data transferred between users and sites, or between two systems remain impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal which can include credit card numbers and other financial information, names and addresses.

• Both SSL 2.0 and 3.0 have been deprecated by the Internet Engineering Task Force (ETF) in 2011 and 2015, respectively. Over the years vulnerabilities have been and continue to be discovered in the deprecated SSL protocols (e.g. HEART BLEED, POODLE, DROWN).

• TLS is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL you are actually buying the most up to date TLS certificates.

• HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.

14https://www.websecurity.symantec.com/security-topics/what-is-ssl-tls-https

https://www.websecurity.symantec.com/security-topics/what-is-ssl-tls-https



15



16


Secure Negotiated Sessions Using SSL

Figure 5.10, Page 300

Copyright © 2013 Pearson Education, Inc. Slide 5-17


Detail Overview of an SSL Session• Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.

Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

• Once the client and server have decided to use SSL they negotiate a secure connection by using an electronic handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security.

1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.

2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL.

3. The client uses the information sent by the server to authenticate the server. If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds.

4. The client creates a secret code and a private key for the session, encrypts the key with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted key to the server.

5. The server uses the private key to decrypt the secret code, and then performs a series of steps to secure the session.

6. Both the client and the server use the private key to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity.

7. When the session is complete, the client and the server exchange separate (encrypted) messages to terminate the session.

• The SSL handshake is now complete and the session ends.

18


Summary of SSL/TLS/HTTPS

• Standard for EC transaction security

• Provides:– Data encryption

– Server authentication

– Optional client authentication

– Message integrity for TCP/IP connections

• Designed to address threats toward authenticity

• But: once merchant receives encrypted info, that info could be stored in unencrypted format on some company server

• Does not guarantee non-repudiation

19



• A Digital Signature or Digital Signature Scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document.

• A valid digital signature gives a recipient reason to believe that the message was created by a known sender such that they cannot deny sending it (authentication and non-repudiation) and that the message was not altered in transit (integrity).

• Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

20


Public Key Encryption using Digital Signatures and Hash Digests

• Hash function:– Mathematical algorithm that produces fixed-length number called

message or hash digest

• Hash digest of message sent to recipient along with message to verify integrity

• Hash digest and message encrypted with recipient’s public key

• Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, non-repudiation

21


23


See CGI’s Public Key Encryption and Digital Signature: How do they work?

http://www.cgi.com/files/white-papers/cgi_whpr_35_pki_e.pdf


24





25





26





27






• VPN = virtual private network– Allow remote users to securely access internal network via Internet

using PPTP

– Let users use a temporary secure line of communication

– Mainly for business partners to communicate

– Process referred to as “tunneling”

• PPTP = point-to-point tunneling protocol– Encoding mechanism that allows one local network to connect to

another

– Encrypts messages using wrappers so others cannot see message content

28


Protecting Networks• Firewall = filters communication packets and prevents some

packets from entering network based on security policy• Controls traffic between servers and clients• All messages are processed by firewall – determines if meet

security guidelines• Can filter based on packet attributes

– Source IP address– Destination port or destination IP address– Type of service (e.g., WWW)– Source DNS

• Most hardware firewalls in LANs have default settings that require little administration– Deny incoming packets from connection not originated from an internal

request

• Due to increase use of firewalls in businesses and homes, attackers largely turned to email attacks

29


Protecting Networks (cont.)

• Two major methods firewalls use to validate traffic:

• Packet filters – examine data packets to see if they go to prohibited port or come from prohibited IP address– Checks source/destination information, port, packet type

– Doesn’t authenticate

• Application gateway – filters communication based on application requested– Process requests at the application level

30


Protecting Networks (cont.)

• Proxy server = server that handles all communication originating from or being sent to the Internet

• Act as “gatekeeper” for the organization

• Also called proxies

• Usually run on a dedicated machine

• Everything goes through proxy server

• Can do filtering and authentication

• Can block off access to certain types of sites

• Can cache frequently visited sites

• Dual home systems:– To internal computers: proxy is a gateway

– To external computers: proxy is a mail server or an address

31


Firewalls and Proxy Servers

Figure 5.11, Page 289Copyright © 2014 Pearson Education, Inc.

Publishing as Prentice Hall32


Protecting Servers and Clients

• Add firewalls, anti-virus software and other layers of protection to your business servers and computers.

• Choose a web host that values your business security.

• Limit employee access to customer data.

• Lockdown all computers.

• Keep up with upgrades.

• Notify clients and customers when data has been compromised.

33https://nevadasmallbusiness.com/client-information-security/

https://nevadasmallbusiness.com/client-information-security/


Open SSL & Heartbleed• Heartbleed is a security bug in the OpenSSL cryptography

library. OpenSSL is a widely used implementation of theTransport Layer Security (TLS) protocol.

• Heartbleed may be exploited whether the party using avulnerable OpenSSL instance for TLS is a server or a client.

• On April 7, 2014, some 17 percent (around half a million) ofthe Internet's secure web servers certified by trustedauthorities were believed to be vulnerable to the attack,allowing theft of the servers' private keys and users' sessioncookies and passwords.

• On April 8, 2014, the Canada Revenue Agency reported thetheft of Social Insurance Numbers belonging to 900 taxpayers,and stated that they were accessed through an exploit of thebug during a 6-hour period.


Open SSL & Heartbleed

https://vimeo.com/91425662

ACS 3907 E-Commerce · public key (obtained from the server's certificate, sent in step 2), and...

Documents

Transcript of ACS 3907 E-Commerce · public key (obtained from the server's certificate, sent in step 2), and...