
Security encompasses a set of measures and procedures to guard against theft, attack, crime, and sabotage.

The goal of computer security is to maintain the integrity, availability, and privacy of information entrusted to the system. Unauthorized access, revelation, or destruction of data can violate individual privacy. Corruption of business data can result in significant and potentially catastrophic losses to companies. In order to build a secure e-Commerce system, we need to employ cryptographic techniques. Cryptography was originally about keeping messages secret.

1. Unauthorized disclosure of information
2. Unauthorized alteration or destruction of information
3. Unauthorized use of service
4. Denial of service to legitimate users
5. Interruption & disruption in communications

A computer is secure if you can depend on it and its software to behave as you expect.

Logged-on Terminal
Passwords
Browsing
Trap doors (secret points of entry without access authorization)
Electronic eavesdropping (electromagnetic pickup of screen radiation)
Mutual trust
Trojan Horse (program may be written to steal user passwords)
Computer Worms (programs can attack via a network and deny service)
Computer Viruses
Trial & Error

E-Security, according to consumers, means:
Protection of Personal Information
Protection of Assets

E-Security, according to corporate, government and other institutions, means:
Protection of Information
Protection of Systems
(* The types of information and systems for corporate, government and other institutions are different)

Banks, Financial Companies, Insurance Companies, Brokerage Houses, Consultants, Network Service Providers, Textile Business, Wholesale/Retail Traders, Government Contractors, Government Agencies, Hospitals, Medical Laboratories, Utility Companies, Universities, etc. (The list goes on, as no firm is fully immune to e-threats.)

Uncover confidentiality

Leak Authentication and Access Control


Conduct ID theft
Hacking
Virus
Client based security threats
Server based security threats
Other threats

Worry 1: I transmit my credit card information over the internet. Can people other than the intended recipient read it?
Worry 2: I agree to pay Rs 10000/- for the goods. Will this payment information be captured and changed by someone on the internet?
Worry 3: This company claims itself to be company X. Is this the real company X?

The aforementioned worries can be summarized into three security requirements, namely:
1. Confidentiality
2. Integrity
3. Authentication

MESSAGE:
1. CONFIDENTIALITY (SENDER AND RECEIVER EXPECT PRIVACY)
2. INTEGRITY (DATA MUST ARRIVE AT THE RECEIVER EXACTLY AS SENT)
3. AUTHENTICATION (THE RECEIVER NEEDS TO BE SURE OF THE SENDER'S IDENTITY)
4. NONREPUDIATION (A SENDER MUST NOT BE ABLE TO DENY SENDING A MESSAGE THAT HE SENT)

ENTITY : AUTHENTICATION (USER IDENTIFICATION)

Privacy and Confidentiality: Information must be kept away from unauthorized parties.

Security and Integrity: Message must not be altered or tampered with.


Authenticity: Sender and recipient must prove their identities to each other.

Non-Repudiation: Proof is needed that the message was indeed received.

Use firewall
Use virus protection software
Use strong passwords
Back up your files on a regular basis
Do not keep a computer online when not in use
Do not open e-mail attachments from strangers
Disable scripts

Secure socket layer (SSL)
Secure electronic transaction (SET)
Secure access (password authentication)
Secure interconnection
Secure personal connection
Secure networking (VPNs)
Secure managed services
Secure Hypertext Transfer Protocol (S-HTTP)
Secure/Multipurpose Internet Mail Extensions (S/MIME)

Secure socket layer (SSL): A special communication protocol used by Web browsers and servers to encrypt all communications online. This protocol makes secure Web transmissions transparent to end users.

Secure electronic transaction (SET): A set of cryptographic protocols jointly developed by Visa, MasterCard, Netscape, and Microsoft and designed to provide secure Web credit card transactions for both consumers and merchants. SET is established on top of SSL, so understanding SSL is the foundation for understanding SET. The S-HTTP protocol applies SSL between Web servers and browsers, which communicate using the HTTP protocol. The SSL protocol performs message exchanges.

CRYPTOGRAPHY
Cryptography is the science of using mathematics to encrypt and decrypt data.

It falls into two categories:
Symmetric encryption / Secret Key Cryptography (uses the same key for encryption and decryption)
Asymmetric encryption / Public Key Cryptography (uses a public key and a private key)

Data Encryption Standard (DES): It is a symmetric algorithm designed by IBM for the U.S. Government in 1977. It is based on a 56-bit key. It is reasonably secure, since all possible keys must be tried exhaustively to break the code, which takes a long time even with fast computers. It applies transformations to blocks of 64 bits corresponding to binary encoding

Data that can be read and understood without any special measures is called plain text or clear text. The method of disguising plain text in such a way as to hide its substance is called encryption. Encrypting plain text results in unreadable gibberish called cipher text. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting cipher text to its original plain text is called decryption.

Plain Text -> Encryption -> Cipher Text -> Decryption -> Plain Text

The RSA Algorithm
The RSA algorithm, named for its creators Ron Rivest, Adi Shamir, and Leonard Adleman, is currently one of the favorite public key encryption methods.

Example of how an encrypted message may look after using RSA Algorithm:
Recipient: Bob
Key Encryption Algorithm: rsaEncryption
Encrypted Key:
3D2AB25B1EB667A40F504CC4D778EC399A899C8790EDECEF062CD739492C9CE5
8B92B9ECF32AF4AAC7A61EAEC346449891F49A722378E008EFF0B0A8DBC6E621
EDC90CEC64CF34C640F5B36C48EE9322808AF8F4A0212B28715C76F3CB99AC7E
609787ADCE055839829E0142C44B676D218111FFE69F9D41424E177CBA3A435B
Content Encryption Algorithm: aes128-cbc
IV: 5732164B3ABB6C4969ABA381C1CA75BA
Encrypted Content: 67290EF00818827C777929A56BC3305B

DIGITAL SIGNATURES
A digital signature is a cryptographic mechanism that performs a function similar to a written signature: it is used to verify the origin and contents of the message. It may be implemented with the use of RSA public key encryption in a way that provides both security and authentication of the message. To make a DS, a sender encrypts a message with his private key. Assuming that B receives a message M signed by A, the digital signature must satisfy the following requirements:
1. It must be possible for B to validate A's signature on M
2. It must be impossible for anyone to forge A's signature
3. It must be impossible for A to repudiate the message M
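
The sign-and-verify flow described above, as an added example that is not part of the original slides: textbook RSA applied to a SHA-256 digest, in Python. The primes, messages and function names are constructed for illustration; the keys are toy-sized and the scheme omits the padding that real RSA signatures use.

```python
import hashlib

# Constructed toy keys built from well-known Mersenne primes. They are far too
# small and too structured for real use; real RSA signing also adds padding.
A_PRIMES = (2**61 - 1, 2**89 - 1)         # signer A (assumed sample values)
OTHER_PRIMES = (2**107 - 1, 2**127 - 1)   # a different party's key (assumed)

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                   # e * d = 1 (mod phi)
    return (n, e), (n, d)

def digest(message, n):
    """SHA-256 of the message, reduced into the range of the modulus."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n

def sign(message, private_key):
    """A 'encrypts' the digest with the private exponent d."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """B recomputes the digest and compares it with signature^e mod n."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def demo():
    a_public, a_private = make_keypair(*A_PRIMES)
    _, other_private = make_keypair(*OTHER_PRIMES)
    m = b"Pay Rs 10000 to merchant X"     # constructed sample message
    sig = sign(m, a_private)
    return (
        verify(m, sig, a_public),                          # requirement 1
        verify(b"Pay Rs 90000 to merchant X", sig, a_public),  # altered M
        verify(m, sign(m, other_private), a_public),       # signed with wrong key
    )

if __name__ == "__main__":
    print(demo())
```

Only the holder of A's private key can produce a value that verifies under A's public key, which is what requirements 2 and 3 rest on.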

Secure transport stacks

Kerberos
Secure transactions over the internet
UNIX security
Password security systems
- one time passwords
- smart cards
Electronic mail
Server security

Network security

Australian Government Initiative

ICICI PRUDENTIAL

E-security can never be perfect because a better system will be broken into by a better cracker.

Solutions?
Better education of people using system
Better system usage and monitoring
Better enforcement and legislation without infringing on privacy

The price of freedom is eternal vigilance

