
E-Commerce: Security

Challenges and Solutions


Modified by: Usman Tariq

Made by: Dr. Khalid Al-Tawil

1
Outline of the Presentation
 Internet Security
 Cryptography
 Firewalls
 E-Commerce Challenges
 E-Commerce Security
 Global & Local Issues

2
Challenges to Security
 Internet was never designed with security in mind.

 Many companies fail to take adequate measures to protect their internal systems from attacks.

 Security precautions are expensive [firewalls, secure web servers, encryption mechanisms].

 Security is difficult to achieve.

3
Introduction
Two Major Developments During the Past Decade:
1. Widespread Computerization
2. Growing Networking and Internetworking
 The Internet
 Need for Automated Tools for Protecting Files and Other Information.
 Network and Internetwork Security refer to measures needed to protect data during its transmission from one computer to another in a network or from one network to another in an internetwork.

4
…Continue
Security is complex. Some reasons are:
 Requirements for security services are:
 Confidentiality
 Authentication
 Integrity

 Key Management is difficult.

Creation, Distribution, and Protection of Key information calls for the need for secure services, the same services that they are trying to provide.

5
Cyber terrorists
 In 1996 the Pentagon revealed that in the previous year it had suffered some two hundred fifty thousand attempted intrusions into its computers by hackers on the Internet.
 Nearly a hundred sixty of the break-ins were successful.

6
…Continue
 Security Attacks:
1. Interruption
2. Interception
3. Modification
4. Fabrication
5. Viruses
 Passive Attacks:
1. Interception (confidentiality)
   1. Release of message contents
   2. Traffic Analysis

7
…Continue
 Active Attacks:
 Interruption (availability)
 Modification (integrity)
 Fabrication (integrity)

8
Security Threats
1. Unauthorized access
2. Loss of message confidentiality or integrity
3. User Identification
4. Access Control
5. Players:
 User community
 Network Administration
6. The bigger the system, the safer it is
 MVS mainframe users (5%)
 UNIX users (25%)
 Desktop users (50%)

9
Introduction to Security Risks
[Diagram: hackers and crackers; the Internet (open, “$$”); your network (data!); virus]

10
The Main Security Risks
1. Data being stolen
 Electronic mail can be intercepted and read
 Customer’s credit card numbers may be read
2. Login/password and other access information stolen
3. Operating system shutdown
4. File system corruption
5. User login information can be captured

11
Viruses
 Unauthorized software being run
 Games

 Widely distributed software


 Shareware
 Freeware
 Distributed software

12
Possible Security “Holes”
 Passwords
 Transmitted in plain text
 Could be temporarily stored in unsafe files
 Could be easy to guess

 Directory structure
 Access to system directories could be a threat

 In the operating system software


 Some operating system software is not designed for secure operation
 Security system manager should subscribe to
 comp.security.unix
 comp.security.misc
 alt.security
13
Security Strategies
 Use a separate host
1. Permanently connected to the Internet, not to your network.
2. Users dial in to a separate host and get onto the Internet through it.

 Passwords
1. Most important protection
2. Should be at least eight characters long
3. Use a mixture of alpha and numeric
4. Should not be found in a dictionary
 Should not be associated with you!
5. Change regularly

14
…Continue
 Every transaction generates a record in a security log file
1. Might slow traffic and host computer

2. Keeps a permanent record on how your machine is accessed

 Tracks
1. Generates alarms when someone attempts to access secure area

2. Separate the directories that anonymous users can access

3. Enforce user account logon for internal users

4. Read web server logs regularly
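
The alarm and log-review points above can be automated. The following is an added example, not part of the original slides: it scans web server log lines and raises an alarm for any client that is repeatedly refused under a protected path. The Common Log Format, the `/secure/` prefix, the threshold of 3 and the sample lines are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

SECURE_PREFIX = "/secure/"   # assumed location of the secure area
DENIED = {"401", "403"}      # statuses meaning the server refused the request
THRESHOLD = 3                # assumed: refusals per host before alarming

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - alice [10/Mar/2024:09:00:01 +0000] "GET /secure/orders HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2024:09:00:05 +0000] "GET /secure/orders HTTP/1.1" 401 128
198.51.100.7 - - [10/Mar/2024:09:00:06 +0000] "GET /secure/admin HTTP/1.1" 401 128
198.51.100.7 - - [10/Mar/2024:09:00:07 +0000] "POST /secure/admin HTTP/1.1" 403 128
203.0.113.4 - - [10/Mar/2024:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.4 - - [10/Mar/2024:09:01:02 +0000] "GET /secure/orders HTTP/1.1" 401 128
this line is corrupt and must not crash the parser
"""

def denied_secure_hits(log_text):
    """Yield (host, path, status) for refused requests into the secure area."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        if m["path"].startswith(SECURE_PREFIX) and m["status"] in DENIED:
            yield m["host"], m["path"], m["status"]

def alarms(log_text, threshold=THRESHOLD):
    """Return {host: refusal count} for hosts at or above the threshold."""
    counts = Counter(host for host, _, _ in denied_secure_hits(log_text))
    return {host: n for host, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for host, n in alarms(SAMPLE_LOG).items():
        print(f"ALARM: {host} was refused {n} times under {SECURE_PREFIX}")
```
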

15
Cryptography
 The Science of Secret writing.
 Encryption: Data is transformed into unreadable form.
 Decryption: Transforming the encrypted data back into its original form.

[Diagram: Plaintext → (Encryption) → Ciphertext; Ciphertext → (Decryption) → Plaintext]

16
Types of Cryptosystems
 Conventional Cryptosystems
 Secret key Cryptosystems.
 One secret key for Encryption and Decryption.
 Example: DES

 Public key cryptosystems


 Two Keys for each user
 Public key (encryptions)
 Private key (decryptions)
 Example: RSA

17
Firewalls
1. A firewall is a barrier placed between the private network and the outside world.
2. All incoming and outgoing traffic must pass through it.
3. Can be used to separate address domains.
4. Control network traffic.
5. Cost: ranges from no-cost (available on the Internet) to $100,000 hardware/software system.
6. Types:
 Router-Based
 Host Based
 Circuit Gateways

18
Firewall

[Figure: Schematic of a firewall. Inside, Filter, Gateway(s), Filter, Outside]

19
Firewall Types
(Router-Based)
1. Use programmable routers
2. Control traffic based on IP addresses or port information.
Examples:
 Bastion Configuration
 Diode Configuration
To improve security:
1. Never allow in-band programming via Telnet to a firewall router.
2. Firewall routers should never advertise their presence to outside users.
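
Filtering on IP addresses and ports, as a router-based firewall does, comes down to an ordered rule list with a default of deny. The following is an added example, not part of the original slides: the first matching rule wins, Telnet to the router itself is refused for every source, and the router does not answer outside hosts. All addresses (documentation ranges) and the rule set are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR form
    dst: str               # destination network, CIDR form
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

# Assumed addressing for the example (not from the slides).
ANY = "0.0.0.0/0"
ROUTER = "203.0.113.1/32"   # the firewall router itself
WEB = "203.0.113.80/32"     # public web server
INSIDE = "10.0.0.0/8"       # private internal network

RULES = [
    Rule("deny", ANY, ROUTER, "tcp", 23),     # 0: no in-band Telnet to the router
    Rule("permit", INSIDE, ANY, "any", None),  # 1: traffic from inside hosts
    Rule("deny", ANY, ROUTER, "any", None),    # 2: router stays silent to outsiders
    Rule("permit", ANY, WEB, "tcp", 80),       # 3: public HTTP
    Rule("permit", ANY, WEB, "tcp", 443),      # 4: public HTTPS
]

def decide(src_ip, dst_ip, proto, dport, rules=RULES):
    """Return (action, rule index); unmatched traffic is denied."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, i
    return "deny", None

if __name__ == "__main__":
    print(decide("10.1.2.3", "203.0.113.1", "tcp", 23))       # Telnet to router
    print(decide("198.51.100.9", "203.0.113.80", "tcp", 443))  # HTTPS to web server
    print(decide("198.51.100.9", "203.0.113.80", "tcp", 25))   # no rule: default deny
```

Rule order matters: if rule 1 were placed above rule 0, an inside host could open a Telnet session to the router.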

20
Bastion Firewalls

[Figure: Bastion firewall. Internet, External Router, Host PC, Secured Router, Private Internal Network]

21
Firewall Types
(Host-Based)
1. Use a computer instead of a router.
2. More flexible (ability to log all activities)
3. Works at application level
4. Use specialized software applications and service proxies.
5. Need specialized programs, only important services will be supported.

22
…Continue
 Example: Proxies and Host-Based Firewalls

[Figure: Proxies and Host-Based Firewalls. Internet, Filtering Router (Optimal), host running only proxy versions of FTP, Telnet and so on, Internal Network]
23
Electronic Mail Security
 E-mail is the most widely used application in the Internet.
 Who wants to read your mail?
1. Business competitors
2. Reporters, Criminals
3. Friends and Family

 Two approaches are used:


1. PGP: Pretty Good Privacy
2. PEM: Privacy-Enhanced Mail

24
E-mail Security
(PGP)
 Available free worldwide in versions running on:
 DOS/Windows
 Unix
 Macintosh
 Based on:
 RSA
 IDEA
 MD5

25
…Continue
 Where to get PGP
 Free from FTP site on the Internet
 Licensed version from ViaCrypt in USA

26
E-mail Security
(PEM)
 Used with SMTP.
 Implemented at application layer.
 Provides:
1. Disclosure protection
2. Originator authenticity
3. Message integrity

27
Summary of PGP Services
Function | Algorithms used | Description
Message encryption | IDEA, RSA | A message is encrypted using IDEA. The session key is encrypted using RSA with the recipient’s public key.
Digital signature | RSA, MD5 | A hash code of a message is created using MD5. This is encrypted using RSA with the sender’s private key.
Compression | ZIP | A message may be compressed using ZIP.
E-mail compatibility | Radix 64 conversion | To provide transparency for e-mail applications.

28
E-Commerce: Challenges
 Trusting others electronically
 E-Commerce infrastructure

 Security threats – the real threats and the perceptions

 Network connectivity and availability issues


 Better architecture and planning

 Global economy issues


 Flexible solutions
29
E-Commerce: Challenges
 Trusting others electronically
1. Authentication
2. Handling of private information
3. Message integrity
4. Digital signatures and non-repudiation
5. Access to timely information

30
E-Commerce: Challenges
Trusting Others
 Trusting the medium
1. Am I connected to the correct web site?
2. Is the right person using the other computer?
3. Did the appropriate party send the last email?
4. Did the last message get there in time, correctly?

31
E-Commerce: Solutions
Trusting Others

 Public-Key Infrastructure (PKI)


1. Distribute key pairs to all interested entities
2. Certify public keys in a “trusted” fashion
 The Certificate Authority

3. Secure protocols between entities


4. Digital Signatures, trusted records and non-repudiation

32
E-Commerce: Challenges
Security Threats

1. Authentication problems
 Impersonation attacks

2. Privacy problems
 Hacking and similar attacks

3. Integrity problems

4. Repudiation problems
33
Secure Protocols

 How to communicate securely:

1. SSL – “the web security protocols”

2. IPSEC – “the IP layer security protocol”

3. S/MIME – “the email security protocol”

4. SET – “credit card transaction security protocol”

5. Others …

34
Secure Sockets Layer (SSL)
 Platform and Application Independent
 Operates between application and transport layers

[Figure: protocol stack. Web applications and application protocols (HTTP, NNTP, FTP, Telnet, future apps, etc.) sit above SSL, which sits above TCP/IP]
35
Secure Sockets Layer (SSL)
 Negotiates and employs essential functions for secure transactions
1. Mutual Authentication

2. Data Encryption

3. Data Integrity

 As simple and transparent as possible

36
SSL 3.0 Layers

 Record Layer
 Fragmentation, Compression, Message Authentication (MAC), Encryption

 Alert Layer
 close errors, message sequence errors, bad MACs, certificate errors

37
SSL Handshake

38
Why did SSL Succeed?
 Simple solution with many applications – e-business and e-commerce

 No change in operating systems or network stacks – very low overhead for deployment

 Focuses on the weak link – the open wire, not trying to do everything to everyone

 Solution to authentication, privacy and integrity problems and avoiding classes of attacks

39
E-Commerce: Challenges
Connectivity and availability

 Issues with variable response during peak time

 Guaranteed delivery, response and receipts

 Spoofing attacks
 Attract users to other sites

 Denial of service attacks
 Prevent users from accessing the site

 Tracking and monitoring networks


40
Existing Technologies Overview

1. Networking Products
2. Firewalls
3. Remote access and Virtual Private Networks (VPNs)
4. Encryption technologies
5. Public Key Infrastructure
6. Scanners, monitors and filters
7. Web products and applications

41
Encryption Technologies
 Hardware assist to speed up performance

 Encryption at different network layers; Layer 2 through application layers

 Provide both public-key systems as well as bulk encryption using symmetric-key methods

 Stored data encryption and recovery

43
PKI

 A set of technologies and procedures to enable electronic authentication

 Uses public key cryptography and digital certificates

 Certificate life-cycle management

44
PKI Architecture

[Figure 1: PKI system block diagram. Zones: Internet (switched segment), DMZ, RA Zone, RAO Zone, CA Zone. Components: Internet Applications, Web Servers, Certificate Directory, RA Stations, RA DB, RAO Stations (operators at consoles), CA Stations, CA DB. Labelled flows: certificate request, certificate request status query, store new certificate, CRL update. Numeric labels 1 to 8 correspond to list above.]

47
What is Missing??
1. Solid architecture practices

2. Policy-based proactive security management

3. Quantitative risk management measures especially regarding e-commerce or e-business implementations

48
E-Commerce Architecture
 Support for peak access

 Replication and mirroring, round robin schemes – avoid denial of service

 Security of web pages through certificates and network architecture to avoid spoofing attacks

49
Proactive Security Design
1. Decide on what is permissible and what is right
2. Design a central policy, and enforce it everywhere
3. Enforce user identities and the use of credentials to access resources
4. Monitor the network to evaluate the results

50
PKI and E-Commerce

1. Identity-based certificate to identify all users of an application

2. Determine rightful users for resources

3. “Role-based” certificates to identify the authorization rights for a user

51
E-Commerce: Are We Ready?

 Infrastructure?

 Security?

 Policies & legal issues?

 Arabic content?

52
E-Commerce: Future
 Was expected to reach 37,500 (million US $) in 2002. It reached 50,000 (million US $) in 1998.

 Expected to reach 8 million companies in 2000 (40% of total commerce).

 Arab world, about 100 million US $

53
