330 likes | 467 Views
CS 898N – Advanced World Wide Web Technologies Lecture 16: Security and E-Commerce. Chin-Chih Chang chang@cs.twsu.edu. Security and E-Commerce. Several things are noticeable on online store services: Combined shopping cart and electronic payment services are very popular.
E N D
CS 898N – Advanced World Wide Web Technologies Lecture 16: Security and E-Commerce Chin-Chih Changchang@cs.twsu.edu
Security and E-Commerce • Several things are noticeable on online store services: • Combined shopping cart and electronic payment services are very popular. • Security is a tremendous concern, especially regarding credit card and bank account numbers. • An alternative for smaller business to avoid having to buy expensive storefront software is for Web hosting services to provide this for a monthly fee.
Security and E-Commerce • There are two kinds of e-commerce: business to business (B2B) and business to consumer (B2C). • E-commerce breaks down into four basic actions: • Building a list of products the consumer wants to buy. • Transmitting the list of products to the seller. • Accepting payment information from the consumer.
E-Commerce • Transmitting the payment information to the seller. • These can all be done in a single HTML form as you’ve learned how to do, or they can be done using a fancy combination of all the tools shown in this book. • The difference is in the scope of the number of products on the site, the security level of the transmissions, and the degree of sophistication of the funds processing.
E-Commerce and Internet Security • The last step – delivering the goods to the consumer, is not yet a part of e-commerce. • It is known that transmissions can be intercepted, and if they are in plain text their content is free for the taking. • The primary definition of security is “freedom from danger”. But the word secure is also defined as “confident”.
The Importance of Internet Security • So we put these together to get the real purpose of Internet security in today’s world: confidence in a freedom from danger. • The point is that computer security involves winning the confidence of the browsing public by assuring them that their information is only going to be seen by those intended.
The Importance of Internet Security • A large portion of the browsing public currently has one or both of these misconceptions: • They are afraid that anything they send is susceptible to being intercepted and decoded. • They don’t have a clue as to how security works or as to their browser’s security features.
How does Internet Security Work? • There are three communication lines alone that secure documents travel, and each one has a different set of security options: • Browser to server • Server to server • E-mail • There are also three issues involved in any of these security situations.
How does Internet Security Work? • Together, these ensure that a communication goes from sender to receiver without being intercepted, forged, or altered. Each of these steps is accomplished by a different security technology. • Security issue 1: The secure encryption and decryption data. • Security issue 2: Verification that data was sent by the stated sender.
How does Internet Security Work? • Security issue 3: Validation that data was received unaltered. • Cipher has several definitions, including (a) a method of encoding, (b) a message that has been encoded, and (c) the key to decoding the message. The first and last are the most relevant definitions for the e-commerce.
How does Internet Security Work? • Cipher has a strange word origin. Cipher comes from the Arabic sifr meaning empty, or zero, and in fact, the primary definition of cipher is zero. This implies that to cipher is to create a message that means nothing. • Cryptography is the science of secret writing and symbols, specifically how to prepare encoded information.
How does Internet Security Work? • Cryptoanalysis is the reverse of cryptography, as the science of the analysis and deciphering of encrypted writing and symbols. Cracking the code. Breaking the cipher. • Cryptology comes from two Greek root words kryptos, meaning hidden, and logos, meaning word. Cryptology is the study of hidden words, and so the study of cryptography and cryptoanalysis.
Encryption and Decrypting Data on the Internet • Those responsible for Internet security have come to a combination of two technologies using both traditional secret keys and a newer technology called public key cryptography. • In simple ciphers of secret key cryptography, the same key is used to encode and decode information. This is called symmetric encryption.
Encryption and Decrypting Data on the Internet • Public key cryptography uses two keys, one to encode and another to decode. This is called asymmetric encryption and is based on mathematics involving prime numbers. • The key used to encode is called the public key because it is freely distributed. The key used to decode is called the private key because it is kept in a secure place by the owner.
Encryption and Decrypting Data on the Internet • Someone wishing to send an encoded message uses the recipient’s public key to encode the data. This ensures that no matter who intercepts the message, only the person who possess the private key can decode it. • An example of symmetric key-based encryption is shown in below: The message “The secret to success is to buy IPO stocks now” plus the key
Encryption and Decrypting Data on the Internet “It dont mean a thing if it aint got that swing” gives the encrypted text “Cbedhswrryahoasoklszsiosinoakis pei mbpwklwwmd” • This encryption uses a simple string as a key to encode a text message.
Encryption and Decrypting Data on the Internet • This cipher uses the numerical position of each letter in the alphabet to add the value of the key and the value of the message to come up with the encrypted text. • If the message were longer than the key, the key would simply be repeated. • The key can be any string, and the longer it is, the harder it will be deciphered.
Encryption and Decrypting Data on the Internet • The primary problem in using symmetric ciphers is not that they are easily decoded, but that the key are not secure. • This technology is not up to the task of establishing secure Internet transactions because encoding-side keys need to be universally available. • If an online bookstore used the symmetric keys, it would give every buyer the same key.
Encryption and Decrypting Data on the Internet • In public key cryptography the first thing that is needed is a program that will generate pairs of keys. • The task to be addressed is first to put the public key in a place where anyone can get to it, and second, to keep the private key secure. • Public keys can be sent to those who specifically need them or can be generally published on key servers.
Encryption and Decrypting Data on the Internet • Secret key cryptography depends entirely on the keys being kept absolutely secret as well as the messages. • The secrecy of the key is weakened every time a message is intercepted, and if enough messages are intercepted the key eventually be broken. • The cipher becomes completely useless if the codebreaker has the ability to create a message and intercept the encoded version.
PGP • PGP (Pretty Good Privacy) is a specific implementation of public key cryptography. • PGP was created in 1991 by a programmer named Phil Zimmerman as a way to encrypt e-mail. • PGP is also a company, but PGP, Inc. was not founded until 1996. • PGP is also a product you can buy at any computer store, or download.
PGP • The PGP product has utilities that enable any user to create a key pair and publish the public key on a PGP key server. • This solves the first security issue of ensuring that encrypted messages can only be decrypted by the recipient, but leaves the second security issue unaddressed, verification that data was sent by the stated sender.
PGP • The following shows how PGP-encrypted e-mail works: message from Dave’s computer-> e-mail encoder (Jamie’s public key) -> Internet -> e-mail decoder (Jamie’s private key) on Jamie’s computer -> message • Most popular e-mail programs support PGP messaging, although you still need PGP to create your own key.
PGP • These include Microsoft Outlook, Netscape Messenger, and Eudora. • One trick in PGP is to encrypt any message you send with two public keys, the recipients and your own. • This same PGP e-mail scheme is used in e-commerce transactions to transmit purchase information from the server to the seller, and payment information from the server to the bank.
PGP • This practice is all right for a really small operation, but for high-volume, big-money sales it does not provide enough certainty that the buyer is being honest. • Though PGP gives pretty good privacy, verification of the identity of the sender needs to be added to PGP. • These are some informative sites: www.pgp.com
Digital Certification • Digital certificates are used by e-commerce vendors so you can be sure you’re buying from a legitimate company that won’t steal your money or misuse your payment information. • A digital certificate is two things: • It’s an electronic document issued by a Certificate Authority, or CA. A CA is a trusted source who has verified the identity of the person or organization applying for the certificate.
Digital Certification • It’s a piece of data that is transmitted to instantaneously validate your identity in electronic transactions. This is an electronic verification that is accepted without question on the basis of trust of the CA. • To see a list of recognized Certificate Authorities: • In Explorer, select the Tools menu, Internet options item, Content tab, Publishers button.
Digital Certification • In Navigator, click the Security button, Certificates menu, Signers selection. • Two of the major CAs in e-commerce are Verisign (www.verisign.com) and Thawte (www.thawte.com). • A digital certificate contains the following six pieces of information: • The owner’s public key • The owner’s identity
Digital Certification • The issuer’s identity • A serial number • The issuing and expiration dates • The issuer’s digital signature • The bottom line on a digital certificate is that it is used to prove that a public key belongs to the owner and is genuine, so that a transmission can be initiated with the trust that the party on that end is who they are.
Digital Certification • In a secure transaction, digital certificates go both ways. Both in browser-to-server and server-to-server transactions, each party validates the other’s certificate before allowing the transaction to proceed. • The browser creates one on the fly. The invisibility of server-side digital certificate validation leaves a wide gap in Internet security.
Digital Signature • Digital signatures are the solution to security issue #3, validation that the data was received unaltered. • Digital signature is nothing more than a hash function run on the message to be sent with the result, which is then encrypted. • The digital signature is included with the message so that decoding program can put is aside, run the same function on the same original message, and compare results.
Digital Signature • It is not only possible to encrypt with a public key and decrypt with a private key, it is also possible to encrypt with a private key and decrypt with a public key. • The result of running the hash function on the message creates what is called the message digest, and an encrypted message digest is a digital signature.
Digital Signature • Digital signatures are encoded to the sender’s private key, because the signature is not a secret, and the signature really belongs to the sender, not the receiver. • Digital signatures combined with public/private key pairs and digital certificates round out the three-point security scheme used in Internet Public Key Cryptography, but there is more to this called Internet Security.