CHAPTER 5

Security and Encryption


Created by David Zolzer, Northwestern State University—Louisiana

Copyright © 2002 Pearson Education, Inc. Slide 5-1 Copyright © 2002 Pearson Education, Inc. Slide 5-2

Learning Objectives

§ Understand the scope of e-commerce crime and security problems
§ Describe the key dimensions of e-commerce security
§ Understand the tension between security and other values
§ Identify the key security threats in the e-commerce environment

Learning Objectives (continued)

§ Describe how various forms of encryption technology help protect the security of messages sent over the Internet
§ Identify the tools used to establish secure Internet communications channels
§ Identify the tools used to protect networks, servers, and clients
§ Appreciate the importance of policies, procedures, and laws in creating security

The E-commerce Security Environment

§ Recent survey of 538 security practitioners in U.S. corporations and government agencies reported:
    § 85% detected breaches of computer security within the last 12 months
    § 64% acknowledged financial loss as a result
    § 35% quantified their financial loss to total $337 million in aggregate

The E-commerce Security Environment (continued)

§ Most serious losses involved theft of proprietary information or financial fraud
§ 40% reported attacks from outside the organization
§ 38% experienced denial of service attacks
§ 94% detected virus attacks

Internet Fraud Complaints Reported to the IFCC
Page 232, Figure 5.1

The E-commerce Security Environment
Page 234, Figure 5.2

Dimensions of E-commerce Security

§ Integrity refers to the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party
§ Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions

Dimensions of E-commerce Security (continued)

§ Authenticity refers to the ability to identify the identity of a person or entity with whom you are dealing on the Internet
§ Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them

Dimensions of E-commerce Security (continued)

§ Privacy refers to the ability to ensure the use of information about oneself
§ Availability refers to the ability to ensure that an e-commerce site continues to function as intended

Dimensions of E-commerce Security
Page 235, Table 5.1

The Tension Between Security and Other Values

§ Ease of use
    § The more security measures that are added to an e-commerce site, the more difficult it is to use and the slower the site becomes, hampering ease of use. Security is purchased at the price of slowing down processors and adding significantly to data storage demands. Too much security can harm profitability, while not enough can potentially put a business out of business.

The Tension Between Security and Other Values (continued)

§ Public Safety and the Criminal Uses of Security
    § There is tension between the claims of individuals to act anonymously and the needs of public officials to maintain public safety that can be threatened by criminals or terrorists.

Security Threats in the E-commerce Environment

§ Three key points of vulnerability
    § the client
    § the server
    § communications pipeline

A Typical E-commerce Transaction
Page 238, Figure 5.3

Vulnerable Points in an E-commerce Environment
Page 239, Figure 5.4

Seven Security Threats to E-commerce Sites

§ Malicious code
    § includes a variety of threats such as viruses, worms, Trojan horses, and “bad applets”
    § virus is a computer program that has the ability to replicate or make copies of itself, and spread to other files
    § worm is designed to spread from computer to computer
    § Trojan horse appears to be benign, but then does something other than expected

Examples of Malicious Code
Page 241, Table 5.2

Seven Security Threats to E-commerce Sites (continued)

§ Hacking and cybervandalism
    § hacker is an individual who intends to gain unauthorized access to a computer system
    § cracker is the term typically used within the hacking community to denote a hacker with criminal intent
    § cybervandalism is intentionally disrupting, defacing, or even destroying a site

Seven Security Threats to E-commerce Sites (continued)

§ Hacking and cybervandalism
    § white hats are “good” hackers that help organizations locate and fix security flaws
    § black hats are hackers who act with the intention of causing harm
    § grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws

Seven Security Threats to E-commerce Sites (continued)

§ Credit card fraud
    § Different from traditional commerce
    § Hackers target files on merchant server
§ Spoofing
    § Misrepresenting oneself by using fake email addresses or masquerading as someone else

Seven Security Threats to E-commerce Sites (continued)

§ Denial of Service Attacks
    § Flooding a Web site with useless traffic to inundate and overwhelm the network
    § Distributed Denial of Service attack uses numerous computers to attack the target network from numerous launch points

Seven Security Threats to E-commerce Sites (continued)

§ Sniffing
    § A type of eavesdropping program that monitors information traveling over a network
§ Insider Jobs
    § Employees with access to sensitive information
    § Sloppy internal security procedures
    § Able to roam throughout an organization’s system without leaving a trace

Tools Available to Achieve Site Security
Page 247, Figure 5.5

Encryption

§ The process of transforming plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. The purpose of encryption is (a) to secure stored information and (b) to secure information transmission.
§ Cipher text is text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver

Encryption (continued)

§ Key or cipher is any method for transforming plain text to cipher text
§ Substitution cipher is where every occurrence of a given letter is systematically replaced by another letter
§ Transposition cipher changes the ordering of the letters in each word in some systematic way

Encryption (continued)

§ Symmetric key encryption (secret key encryption): the sender and the receiver use the same key to encrypt and decrypt the message
§ Data Encryption Standard (DES) is the most widely used symmetric key encryption, developed by the National Security Agency (NSA) and IBM. Uses a 56-bit encryption key

Encryption (continued)

§ Public key cryptography uses two mathematically related digital keys: a public key and a private key.
§ The private key is kept secret by the owner, and the public key is widely disseminated.
§ Both keys can be used to encrypt and decrypt a message.
§ However, once a key is used to encrypt a message, the same key cannot be used to decrypt that message

Public Key Cryptography - A Simple Case
Page 251, Figure 5.6

Public Key Cryptography with Digital Signatures
Page 252, Figure 5.7

Encryption (continued)

§ Digital signature is a “signed” cipher text that can be sent over the Internet
§ Hash function uses an algorithm that produces a fixed-length number called a hash or message digest
§ Digital envelope is a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key
Public Key Cryptography: Creating a Digital Envelope
Page 254, Figure 5.8

Digital Certificates and Public Key Infrastructure
Page 255, Figure 5.9

Encryption (continued)

§ Digital certificate is a digital document issued by a certification authority that contains the name of the subject or company, the subject’s public key, a digital certificate serial number, an expiration date, the digital signature of the certification authority, and other identifying information
§ Certification Authority (CA) is a trusted third party that issues digital certificates

Encryption (continued)

§ Public Key Infrastructure (PKI) refers to the certification authorities and digital certificate procedures that are accepted by all parties
§ Pretty Good Privacy (PGP) is a widely used email public key encryption software program

Securing Channels of Communications

§ Secure Sockets Layer (SSL) is the most common form of securing channels
§ Secure negotiated session is a client-server session in which the URL of the requested document, along with the contents, the contents of forms, and the cookies exchanged, are encrypted.
§ Session key is a unique symmetric encryption key chosen for a single secure session

Secure Negotiated Sessions Using SSL
Page 259, Figure 5.10

Securing Channels of Communications (continued)

§ Secure Hypertext Transfer Protocol (S-HTTP) is a secure message-oriented communications protocol designed for use in conjunction with HTTP. Cannot be used to secure non-HTTP messages
§ Virtual Private Networks (VPN) allow remote users to securely access internal networks via the Internet, using Point-to-Point Tunneling Protocol (PPTP)
§ PPTP is an encoding mechanism that allows one local network to connect to another using the Internet as a conduit

Protecting Networks

§ Firewalls are software applications that act as a filter between a company’s private network and the Internet itself
§ Proxy server is a software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization

Firewalls and Proxy Servers
Page 262, Figure 5.11

Protecting Servers and Clients

§ Operating system controls allow for the authentication of the user and access controls to files, directories, and network paths
§ Anti-virus software is the easiest and least expensive way to prevent threats to system integrity

Policies, Procedures, and Laws

§ Developing an e-commerce security plan
    § perform a risk assessment
    § develop a security policy
    § develop an implementation plan
    § create a security organization
    § perform a security audit

Developing an E-commerce Security Plan
Page 264, Figure 5.12

A Security Plan: Management Policies

§ Risk assessment is the assessment of risks and points of vulnerability
§ Security policy is a set of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets
§ Implementation plan is the action steps you will take to achieve the security plan goals

A Security Plan: Management Policies (continued)

§ Security organization educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security
§ Access controls determine who can gain legitimate access to a network
§ Authentication procedures include the use of digital signatures, certificates of authority, and public key infrastructure

A Security Plan: Management Policies (continued)

§ Biometrics is the study of measurable biological or physical characteristics that can be used for access controls
§ Authorization policies determine differing levels of access to information assets for differing levels of users
§ Authorization management system establishes where and when a user is permitted to access certain parts of a Web site

A Security Plan: Management Policies (continued)

§ Security audit involves the routine review of access logs identifying how outsiders are using the site as well as how insiders are accessing the site’s assets
§ Tiger team is a group whose sole job is attempting to break into a site
§ CERT Coordination Center monitors and tracks criminal activity reported to it by private corporations and government agencies that seek out its help

Role of Laws and Public Policy

§ National Infrastructure Protection Center is a unit within the FBI whose sole mission is to identify and combat threats against the United States’ technology and telecommunications infrastructure
§ DCS100 (Carnivore) is an email sniffing software program developed by the FBI that can copy and filter all data sent from a user’s computer to a local ISP

E-commerce Security Legislation
Page 268, Table 5.3

Government Efforts to Regulate and Control Encryption
Page 269, Table 5.4
