Chapter 6
Implementing Security for Electronic Commerce
Objectives
◆ Security measures that can reduce or eliminate intellectual property theft
◆ Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages
◆ Authenticating users to servers and authenticating servers
Objectives
◆ Available protection mechanisms to secure information sent between a client and a server
◆ Message integrity security, preventing another program from altering information as it travels across the Internet
◆ The role Secure Sockets Layer, Secure HTTP, and secure electronic transaction protocols play in protecting e-commerce
Protecting Electronic Commerce Assets
◆ You cannot hope to produce secure commerce systems unless there is a written security policy
● What assets are to be protected
● What is needed to protect those assets
● Analysis of the likelihood of threats
● Rules to be enforced to protect those assets
Protecting Electronic Commerce Assets
◆ Both defense and commercial security guidelines state that you must protect assets from
Minimum Requirements for Secure Electronic Commerce
Figure 6-1
Protecting Intellectual Property
◆ The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works
◆ Intellectual Property Protection in Cyberspace recommends:
● Host name blocking
● Packet filtering
● Proxy servers
Companies Providing Intellectual Property Protection Software
◆ ARIS Technologies
● Digital audio watermarking systems
◆ Embedded code in audio file uniquely identifying the intellectual property
◆ Digimarc Corporation
● Watermarking for various file formats
● Controls software and playback devices
Companies Providing Intellectual Property Protection Software
◆ SoftLock Services
● Allows authors and publishers to lock files containing digital information for sale on the Web
● Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing
SoftLock Services Home Page
Figure 6-2
Protecting Client Computers
◆ Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
◆ Threats can hide in
● Downloaded graphics and plug-ins
● E-mail attachments
● Anyone can read and interpret cookie data
● Do not harm client machines directly, but potentially could still cause damage
◆ Misplaced trust
● Web sites that aren’t really what they seem and trick the user into revealing sensitive data
Monitoring Active Content
◆ Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download
◆ Digital certificates provide assurance to clients and servers that the participant is authenticated
Digital Certificates
◆ Also known as a digital ID
◆ An attachment to an e-mail message
◆ Embedded in a Web page
◆ Serves as proof that the holder is the person or company identified by the certificate
◆ Encoded so that others cannot read or
VeriSign A Certification Authority
Figure 6-3
VeriSign
◆ Oldest and best-known Certification Authority (CA)
◆ Offers several classes of certificates
● Class 1 (lowest level)
◆ Bind e-mail address and associated public keys
● Class 4 (highest level)
◆ Apply to servers and their organizations
◆ Offers assurance of an individual’s identity and
Structure of a VeriSign Certificate
Figure 6-4
Microsoft Internet Explorer
◆ Provides client-side protection right inside the browser
◆ Reacts to ActiveX and Java-based content
◆ Authenticode verifies the identity of downloaded content
◆ The user decides to ‘trust’ code from
Security Warning and Certificate Validation
Figure 6-5
Internet Explorer Zones and Security Levels
Figure 6-6
Internet Explorer Security Zone Default Settings
Figure 6-7
Setting Netscape Navigator Preferences
Figure 6-8
A Typical Netscape Navigator Java Security Alert
Figure 6-9
Viewing a Content Provider’s Certificate
Figure 6-10
Dealing with Cookies
◆ Can be set to expire within 10, 20, or
Dealing with Cookies
◆ Earlier browsers simply stored cookies without comment
◆ Today’s browsers allow the user to
● Store cookies without permission or warning
● Receive a warning that a cookie is about to be stored
● Unconditionally disallow cookies altogether
◆ Providing channel security includes
● Channel secrecy
● Guaranteeing message integrity
● Ensuring channel availability
◆ Calculates a number from any length string
● Asymmetric (Public-key) Encryption
◆ Encodes by using two mathematically related keys
● Symmetric (Private-key) Encryption
Hash Coding, Private-key, and Public-key Encryption
Figure 6-11
Significant Encryption Algorithms and Standards
Figure 6-12
Secure Sockets Layer (SSL) Protocol
◆ Secures connections between two computers
◆ Provides a security handshake in which the client and server computers exchange the level of security to be used and certificates, among other things
◆ Secures many different types of communications between computers
Secure Sockets Layer (SSL) Protocol
◆ Provides either 40-bit or 128-bit encryption
◆ Session keys are used to create the cipher text from plain text during the session
◆ The longer the key, the more resistant to attack
Establishing an SSL Session
Figure 6-13
SSL Web Server Information
Figure 6-14
Ensuring Transaction Integrity
Figure 6-15
Guaranteeing Transaction Delivery
◆ Neither encryption nor digital signatures protect packets from theft or slowdown
◆ Transmission Control Protocol (TCP) is responsible for end-to-end control of packets
◆ TCP requests that the client computer resend data when packets appear to be missing
Protecting the Commerce Server
◆ Access control and authentication
● Controlling who and what has access to the server
● Requests that the client send a certificate
Protecting the Commerce Server
◆ Usernames and passwords are the most common method of providing protection for the server
◆ Usernames are stored in clear text, while passwords are encrypted
◆ The password entered by the user is encrypted and compared to the one on file
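The username-and-password check described above, as an added example that is not part of the original slides. It assumes a salted one-way hash (PBKDF2-HMAC-SHA256) where the slides say "encrypted"; the class name, iteration count and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not a value from the slides


def derive(password: str, salt: bytes) -> bytes:
    """One-way transform of the password; the stored value cannot be decrypted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordFile:
    """Hypothetical credential store: clear-text username -> (salt, derived value)."""

    def __init__(self):
        self._records = {}
        # Dummy record so a lookup for an unknown user costs the same work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = derive(os.urandom(16).hex(), self._dummy_salt)

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt: equal passwords store differently
        self._records[username] = (salt, derive(password, salt))

    def stored(self, username: str):
        return self._records[username]

    def verify(self, username: str, password: str) -> bool:
        known = username in self._records
        salt, on_file = self._records.get(username, (self._dummy_salt, self._dummy_hash))
        candidate = derive(password, salt)  # same transform as at enrollment
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, on_file) and known


def demo():
    """Constructed sample accounts; returns the outcome of four checks."""
    pf = PasswordFile()
    pf.enroll("alice", "correct horse battery")
    pf.enroll("bob", "correct horse battery")
    return {
        "good_login": pf.verify("alice", "correct horse battery"),
        "bad_password": pf.verify("alice", "wrong guess"),
        "unknown_user": pf.verify("mallory", "correct horse battery"),
        "same_password_same_record": pf.stored("alice")[1] == pf.stored("bob")[1],
    }
```

The server never needs to recover the password: it repeats the transform on what the user typed and compares the result with the value on file.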
Logging On With A Username And Password
Figure 6-16
Operating System Controls
◆ Most operating systems employ username and password authentication
◆ A common defense is a firewall
● All traffic from inside to outside and outside to inside must pass through it
● Only authorized traffic is allowed
● The firewall itself must be immune to penetration
Check Point Software’s Firewall-1 Web Page
Figure 6-17