
Lecture 6 Title: E-Business Security

By: Mr Hashem Alaidaros, MIS 326. Main points: Web Security Threats, Cryptography, Encryption and Decryption, SSL, Digital Certificates.


Presentation Transcript


  1. By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security

  2. Main Points
  • Web Security Threats
  • Cryptography
  • Encryption and Decryption
  • SSL
  • Digital Certificates

  3. Introduction
  • Even though online shopping has become largely accepted by most segments of the public, many people are wary of the security of the Internet.
  • The explosive growth of the Internet has attracted countless thieves seeking to take advantage of weaknesses in the retail realm.
  • Stolen customer data is extremely valuable to thieves and very costly to e-businesses that fail to protect their shoppers' personal information.

  4. Communication Channels (diagram: Client and Server connected over the Internet, an Intranet and an Extranet)

  5. Web Security Threats (diagram: traffic from the Browser crosses a chain of Routers to the Server; a Hacker with a Sniffer sits on that path)

  6. Cont. (diagram: the same Browser-to-Server path, with the Hacker placing a FAKE Server in front of the real Server)

  7. Typical B2C Transaction (diagram): Katie sends an Order Form over the Internet, via her ISP, to the Online CD Store Web Server; the order is printed at the CD Warehouse and the CD arrives 2-3 days after the order is received; payment flows through the Payment Network between Katie's Bank and the Merchant's Bank.

  8. Web Security Threats in B2C (the transaction diagram of slide 7 with threat points marked):
  • A: Tapping the line at Katie's end
  • B: Sniffer at the ISP
  • C: Sniffer on the Internet backbone
  • D: at the Online CD Store Web Server (label only on the diagram)
  • E: Breaking into the store database

  9. What are the threats in E-commerce?
  • Security threats A to D can be handled by providing secure transmission (cryptographic methods)
  • Threat E and similar types are managed by access control methods

  10. Security Issues
  • E-business security issues from the customer (user) side:
    • Is the web site owned and operated by a trusted company? (Authentication)
    • Do the form and the page contain malicious code? (Privacy)
    • Will the web site share my information with others? (Privacy)
  • E-business security issues from the merchant (company) side:
    • Will the customer attempt to break into the web site (server) or alter it? (Authorization, Integrity)
    • Will the customer attempt to disrupt the web site so it will not be available to others? (Availability)

  11. Cont.
  • E-business issues shared by customer and merchant:
    • Is the network connection free from sniffers? (Privacy)
    • Is the information sent back and forth between the web site and the customer modified? (Integrity)

  12. Cryptography
  • To secure a house, keys are used to lock the doors
  • It is assumed that an intruder cannot easily obtain a copy of the key and enter the house
  • The intruder could search through all the keys in the world and try them one at a time, but this would take a long time
  • Computer security uses a similar system (symmetric key and public key cryptography) to secure messages passed between computers

  13. Cryptography
  • What is cryptography?
    • It is the lock and key combination that prevents a non-key holder from decrypting a secret message
  • What is most important is the strength of the lock and the number of possible keys

  14. Cryptography
  • To describe these cryptographic systems the following terms must first be defined:
    • A key is used in conjunction with a cipher to encrypt or decrypt a message. A key is simply a number (usually a binary number)
    • A cipher is an algorithm used to encrypt a message
    • Ciphertext is the encrypted message
    • Plaintext is the unencrypted message

  15. Cryptography
  • Since a key is a binary number, a 56-bit key has about a quadrillion different key combinations
  • Traditionally, a key length of 56 bits was considered secure since:
    • If one million keys were tried each second, it would take 1000 years to break the ciphertext
  • However, due to increases in computing power a 56-bit key can now be broken in just 24 hours
  • As a result, key lengths of 128 bits or more are typical

  16. Encryption and Decryption
  • Encryption Overview
    • Plain text is converted to cipher text by use of an algorithm and a key.
    • The algorithm is publicly known
    • The key is held private
  • Two main categories of cryptography:
    • Symmetric key encryption
      • a single key is used to encrypt and decrypt information
    • Public Key encryption
      • two keys are used: one for encryption (public key) and one for decryption (private key)

  17. Symmetric Key Encryption (diagram): plain-text input “The quick brown fox jumps over the lazy dog” → Encryption → cipher-text “AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%” → Decryption → plain-text output “The quick brown fox jumps over the lazy dog”. The same key (shared secret) is used for encryption and decryption.

  18. Public key Encryption (diagram): clear-text input “The quick brown fox jumps over the lazy dog” → Encryption → cipher-text “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs” → Decryption → clear-text output “The quick brown fox jumps over the lazy dog”. Different keys are used: Encryption uses the Recipient’s public key, Decryption uses the Recipient’s private key.

  19. Technologies
  • Technologies used to solve E-Business Security issues:
    • Secure Socket Layer (SSL)
    • IPSec
    • VPN
    • Firewall
    • Intrusion Detection Systems (IDS)

  20. Network Security
  • SSL provides a secure way for client and server to transmit confidential information.

  21. Secure Socket Layer (SSL) advantages
  • Confidentiality
    • provides privacy for messages and stored data by hiding (encrypting) them
  • Message Integrity
    • provides assurance to all parties that a message remains unchanged
  • Authentication
    • identifies the sender and receiver of a message
    • identifies the origin of a message
    • verifies the identity of a person using a computer system

  22. Cont.
  • Digital Certificates (for authentication)
    • One way of verifying the source of information is through a digital certificate
    • A digital certificate is an attachment to a message which verifies the sender of the message
    • It contains an encrypted message that
      • identifies the author
      • indicates whether the certificate is valid or not

  23. Cont.
  • Other information on the digital certificate is:
    • The certificate owner’s identifying information, such as name, organization and address
    • The certificate owner’s public key
    • Dates between which the certificate is valid
    • Serial number of the certificate
    • Name of the certificate issuer
    • Digital signature of the certificate issuer

  24. Cont.
  • Digital certificates are issued by a certification authority (CA)
    • to individuals or organizations
    • appropriate proof of identity must be provided
  • One of the oldest and best known certification authorities is VeriSign
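As an added example that is not part of the lecture, the public-key idea of slide 18 and the certificate fields and checks of slides 22 to 24 in one small Python program: a hypothetical "Example CA" signs a certificate for the Online CD Store with textbook RSA, and a verifier (the browser's role) checks the issuer, the issuer's signature and the validity dates. The primes, names, serial and dates are constructed teaching values, and the RSA here is the unpadded textbook form, not a production signature scheme.

```python
import hashlib
import json

# Toy RSA key pair from fixed small primes (constructed teaching values; real
# keys use primes of 1024 bits and more). Public key (n, e), private key (n, d).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # pow(e, -1, phi) is the modular inverse

def digest(data, n):
    # SHA-256 of the bytes, reduced into the modulus range so RSA can operate on it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(digest(data, n), d, n)  # only the private-key holder can produce this

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)  # anyone with the public key can check

def issue_certificate(ca_name, ca_private_key, subject, subject_pub, serial,
                      not_before, not_after):
    # The fields listed on slide 23; ISO date strings compare correctly as text.
    body = {"subject": subject, "public_key": list(subject_pub), "serial": serial,
            "not_before": not_before, "not_after": not_after, "issuer": ca_name}
    to_be_signed = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(ca_private_key, to_be_signed)}

def verify_certificate(cert, trusted_cas, today):
    # Browser-side checks: known issuer, issuer's signature over the body, validity window.
    body = cert["body"]
    issuer_key = trusted_cas.get(body["issuer"])
    if issuer_key is None:
        return "untrusted issuer"
    if not verify(issuer_key, json.dumps(body, sort_keys=True).encode(), cert["signature"]):
        return "tampered or forged"
    if not body["not_before"] <= today <= body["not_after"]:
        return "outside validity period"
    return "valid"

if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(104729, 1299709)  # hypothetical "Example CA"
    store_pub, _ = make_keypair(999983, 1000003)     # the Online CD Store's key pair
    cert = issue_certificate("Example CA", ca_priv, {"name": "Online CD Store"},
                             store_pub, 1001, "2024-01-01", "2025-01-01")
    trusted = {"Example CA": ca_pub}
    print(verify_certificate(cert, trusted, "2024-06-15"))  # valid
    forged = {"body": dict(cert["body"], public_key=[5, 7]), "signature": cert["signature"]}
    print(verify_certificate(forged, trusted, "2024-06-15"))  # tampered or forged
```

Swapping the public key inside a signed certificate, or signing it with any key other than the trusted CA's, breaks the issuer's signature, which is the property that lets a client trust the store's public key without having met the store before.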
