270 likes | 283 Views
This article explores the various security and authentication issues in e-commerce, including unauthorized changes to websites, theft of data, interception of transmissions, and more. It also discusses encryption solutions, dual-key authentication, and the use of digital certificates for identity verification.
E N D
E-Commerce Security and Authentication Details Jerry Post Westgate Management Development Center Eberhardt School of Business University of the Pacific
Merchant Perspective Assurance of payment Validity of orders, non-repudiation Accounting and auditing Customer relationship management (CRM) Government Perspective Financial statements Taxable transactions Identify and track fraud Track money (drugs, terrorists, etc.) Customer Perspective Assurance of delivery Product specification Price Quantity Accounting and auditing Anonymity (occasional) Privacy E-Commerce Transaction Issues
E-Commerce Security Issues • Unauthorized changes to site • Unauthorized theft of data (e.g., credit cards) • Interception of transmission • Stolen credit cards: identity of consumer • Fraudulent sites, spoofing: identity of merchant • Physical site threats (fire, etc.) • Employee/Insider threats
E-Commerce Threat Points Intercept or change data False Site Fraudulent merchant False consumer Stolen card Purchase choice Credit Card data Merchant Server Outside attack on server Insider fraud on purchases or sales Customer Stolen shipments Products
Single key encryption Data Encryption Standard (DES) IBM 1960s 56-bit Brute force attack RSA contest: < 24 hours in 1999 Key management and distribution is a major problem Algorithm is fast Encrypted transmissions are always slower—more random data Encryption Plain text message DES Key: 9837362 Encrypted text Single key: e.g., DES Encrypted text DES Key: 9837362 Plain text message
Dual-key Encryption Message Message Encrypted Alice Bob Public Keys Alice 29 Bob 17 Private Key 13 Use Bob’s Private key Private Key 37 Use Bob’s Public key Alice sends message to Bob that only he can read. Brute force attack prevented by length of key: 40 digits is too small, standard is 128 digits.
Dual key: Authentication Message Transmission Message Encrypt+T+M Alice Encrypt+M Encrypt+T Private Key 13 Bob Use Alice’s Private key Public Keys Alice 29 Bob 17 Private Key 37 Use Bob’s Private key Use Alice’s Public key Use Bob’s Public key Bob sends message to Alice: His key guarantees it came from him. Her key prevents anyone else from reading message.
Message hash (CRC check bytes) Digital signature Encrypt hash with private key Signature is unique to document, cannot be reused Can be time-stamped Encrypt order with merchant’s public key Transmit It cannot be read or changed It can be lost or deleted Recipient decrypts document and verifies authenticity Digital Signature Hash Plain Text Order 5983 Simple hash: 5+9+8+3 = 25 Better: row hash And column hash Best: Cyclic Redundancy Check: polynomial
Rivest-Shamir-Adelman (RSA: company) U.S. patent on common dual-key method (expires soon) Used by browsers and most security systems Correctly implemented, it solves most problems Transmission cannot be intercepted or changed Customer is authenticated Order cannot be repudiated or altered If merchant re-encrypts and stores data, it cannot be stolen Encryption Solutions
Dual-Key Authentication Issues • How distribute and verify the public keys? • People are authenticated based on public key. • How stop someone from registering public key in your name? • How validate the public key server? Spoofing: false server or key list Alice 13 Bob 17 Impersonation
Digital Certificates • Almost any server can generate digital keys • Can use it “in-house” to reduce costs • But how do you know which servers to trust? • Some government agencies generate certificates, but not for commercial use. • Now, one commercial company: Verisign • Merchant certificate is “required” for encryption • Consumers can purchase certificates • Verify identity • Merchants: DUNS number and some options • Consumers: levels, Notary public; but no one registers
User Identification • Merchant authentication • Merchants generally register with Verisign • Merchants almost always register with credit card, merchant bank • Consumers are protected by credit card rules • Consumer authentication • No one registers with Verisign • All authentication is handled by credit card • Can verify card number, expiration date, address online • Can get online test of cards reported stolen or invalid
Consumer Authentication • Purchases • Credit card is the best we can do right now • Merchant is still at risk • International sales are dangerous, so most merchants will not accept them
Individual Identification • Username and password • Have to find a way to get them to the correct person • Have to handle forgotten passwords • Could use a billing number, but need to randomize them • Credit card • Not everyone has a card • Some are not willing to give the number • SSN • Too easily found or forged • Restrictions on government use • Digital certificate/signature • Individuals unwilling to pay • Need infrastructure • IP Address • Not always unique • Can be spoofed
Biometrics • Many new devices • Fingerprint, handprint readers • Iris scanners • Infrared scanners • Cost is reasonable ($100-$500) • Hard to use for external identification • No standard devices • No standard software, authentication scheme
Identity Solution? • Determine the level of identification you need for each application • Absolute identity (digital signature) • Best test of documents (e.g., credit card) • Reasonably certain (e.g., billing ID number) • Open to public • Examples • Sales: Best test of documents • Car registration (DMV): Absolute identity • Check water bill: Reasonably certain
Escrow Keys: Government Developed by the NSA, the federal government tried to force the use of escrow keys for all encryption, but mostly for digital cell phones. Decrypted conversation Escrow keys Judicial or government office Intercept Encrypted conversation Clipper chip in phones
Encryption Issues • Transmission speed drops enormously • Encryption/decryption takes processor time—can purchase hardware solution: nCipher • You must protect the private key, which is hard when someone steals a laptop • In a civil suit, you will be forced to decrypt any data requested • Federal government actively breaks encryption for criminal cases (when possible) • You still have to trust your employees
Limit access to hardware Physical locks Video monitoring Fire and environment monitors Employee logs / cards Monitor usage Hardware logs Access failures/attacks Software and data usage Background checks Employees Consultants Backups! Encrypt sensitive data Transmissions Storage Assign access rights Protect disposal of data Disaster planning Virus protection Backups Anti-virus software limited value Only run trusted software Security Best Practices
Digital Cash Conversion to “real” money. Trusted Party Bank NetBill (1) Price, product decryption key, customer code are sent to third party. NetBill (2) Accounts are debited and credited. Product key is sent to customer. Digital Cash (A) Consumer purchases a cash value that can be used only once. Digital Cash (B) “Cash” amount is verified and added to vendor account. Customer chooses product, sends ID or digital cash number. Vendor (data) Consumer
Digital Cash • Goals • Lower transaction costs (affordable to $0.25?) • Merchant and consumer protection • Anonymity, non-traceable • Requirements • Conversion to/from real world cash • Trusted third-party • Customer uses digital wallet • Some technologies in use today, but limited acceptance by consumers
Secure Electronic Transactions (SET) • Current usage is known as Secure Sockets Layer (SSL) • Vendor handles security using Verisign • Encryption is one-way (consumer to vendor) • No authentication • SET specifies steps to ensure strong security in entire process • SET requires consumers to obtain digital certificates, digital signatures • Consumers show limited enthusiasm
Anonymity • Computers all have an IP Address • Every computer on the Internet must have an IP address (number) so that messages are sent/returned correctly. • Many IP addresses can be traced back to a specific user. • A few ISPs use dynamic IP assignment, so not always possible to identify exact person. • Computer labs and libraries are often open to the public and do not track individual usage • Anonymity Servers • Church of Scientology dispute—forced server operator in Denmark to release records. • Zero-Knowledge in Canada is new with a strong assurance of anonymity: http://www.zeroknowledge.com for $50/year.
Server and Network Monitoring • Customer evaluation • Web site usability evaluation • Load evaluation (time of day, month, etc.) • Network performance • Security threats
Network & Server Stats: MRTG Free download: http://ee-staff.ethz.ch/~oetiker/
Web Log Analyzer: SurfStats Cost: $90 www.surfstat.com • Site activity • Clients • File/Pages • Browsers • Referers • Errors
Server Monitor (Win 2000) Free, continuous monitoring plus alerts, choose hundreds of variables. Particularly good for monitoring processor and memory.