CIS 243 Stratford University E Commerce Website Security Discussion

Description

Security
in E-commerce is very important. Customer will not trust any
E-Commerce Site without a proven good IT security in place .Review
slides posted in week 4 related to security as “E-Commerce Security”
and “Security presentation Slides”, prepare and post a 1.5 – 2 pages of
document of your understanding of topics covered in these slides and how
to implement those in building a safe, well secured and trusted
E-Commerce site as Lesson # 4. Use the provided link to submit your results. The
goal is to make sure you have reviewed slides posted in week 4 and
understood importance of building secure E-Commerce Web Sites.

2 attachmentsSlide 1 of 2attachment_1attachment_1attachment_2attachment_2.slider-slide > img { width: 100%; display: block; }
.slider-slide > img:focus { margin: auto; }

Unformatted Attachment Preview

Electronic Commerce Security
Objectives:
• What security risks arise in e-commerce environments and how to manage
them?
• What is a security policy?
• How to create security policy
• How to implement security policy on client devices
• How to implement secure channels in communication between devices
• How to implement security on Web server
• What organizations promote for Internet security
Introduction
• Government and business Web sites constantly under attack from
intruders for many reason.
• Several incidents in 2014:
• Target
• HomeDepot
• SONY
• Attacks are changing and becoming more sophisticated
• What type of information can be stolen
• Identity theft
• Fraudulent Tax Return
• Unauthorized Purchases with Credit Card
Online Security
• Who should be concerned:
• Business
• Individuals
• Concerns increasing with sales increasing and users doing all
types of financial transactions
• Internet now is a communication tool
• Is it safe?
Solutions
four questions for members of an organization/users:
• Who can help in fighting malicious computer activity?
• Where are security policies located? How do I access them
• What are my responsibilities in relation to the security policies?
• What security controls must I use?
Computer Security and Risk Management
• What is a Computer security
• Protecting assets from unauthorized access
• What is a Physical security
• Includes physical defense devices
• Alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings
• What is a Logical security
• nonphysical assets
Continued
• Risk
• Any action or entity posing danger to computer assets
• Countermeasure
– Process(physical or logical)
• Identifies, decreases, and removes threat
– Extent and expense of countermeasures
• Differ contingent on asset significance
Security Issue Management
• Issues must be rated with objective criteria in order to determine
deadlines for compliance or correction:
– Low – Low risk security exposure problem or exposure on low value
systems
– Medium – Medium risk security exposure problem or exposure on
medium value systems
– High – High risk security exposure problem or exposure on high value
systems
Web Security for Network and System Administrators
8
Security Issue Management
• There are three general outcomes to the issue management
process:
– Fix the problem
– Mitigate the exposure (e.g., install a firewall in front of a system with a
lingering exposure)
– Accept the risk of the exposure
Web Security for Network and System Administrators
9
Security Risk Management
• Risks should be:
• Evaluated using qualitative and/or quantitative methods
• Approved by the appropriate management chain
• Reviewed regularly
Web Security for Network and System Administrators
10
Security Risk Management
Web Security for Network and System Administrators
11
Risk Management
• Risk management model
– Four general organizational actions
• Impact (cost) and probability of physical threat
– Also applicable for protecting Internet and electronic commerce assets
from physical and electronic threats
• Electronic threat examples
– Impostors, eavesdroppers, thieves
• Eavesdropper (person or device)
– Listens in on and copies Internet transmissions
Risk Management (Cont’d)
• Crackers or hackers (people)
– Write programs; manipulate technologies
• Obtain unauthorized access to computers and networks
• White hat hacker and black hat hacker
– Distinction between good hackers and bad hackers
• Good security scheme implementation
– Identify risks
– Determine how to protect threatened assets
– Calculate costs to protect assets
Security Incident Management
• Incident management is the overall system in
place to respond to computer attacks. It consists
of three major phases:
– Preparation
– Reaction
– Assessment
Web Security for Network and System Administrators
14
Security Incident Management
• To respond in a timely and efficient manner:
–
–
–
–
–
–
–
–
–
Stay calm
Start a detailed log
Conduct thorough interviews
Coordinate communications
Determine the extent of the intrusion
Protect evidence
Contain the problem
Determine the root of the problem
Restore business operations
Web Security for Network and System Administrators
15
Security Policy
• Security policy fundamentals
–
–
–
–
What Assets to be protected and why
Protection responsibility
What is an Acceptable and unacceptable behaviors
Physical and network security, access authorizations, virus protection,
disaster recovery
• Corporate information arrangements
– Public, why
– Company confidential, why
Security Policy (Cont’d)
• Security policy objectives
– Authentication: Who is trying to access site?
– Access control: Who is permitted to log on to and access site?
– Secrecy: Who is permitted to view selected information?
– Data integrity: Who is allowed to change data?
– Audit: Who or what causes specific events to occur, and when?
• Threats to computers, smartphones, and tablets
– Originate in software and downloaded Internet data
– Malevolent server site masquerades as legitimate Web site
Digital Signatures
Electronic Record
1. Very easy to make copies
2. Very fast distribution
3. Easy archiving and retrieval
4. Copies are as good as original
5. Easily modifiable
6. Environmental Friendly
Because of 4 & 5 together, these lack authenticity
Why Digital Signatures?
•To provide Authenticity,
Integrity and Nonrepudiation to electronic
documents
•To use the Internet as the
safe and secure medium for
e-Commerce and eGovernance
Encryption
Caesar Cipher
3 changes
lcdjuhh
The shift is linear and equidistributed
I agree
i+3=l
Space=c [+3]
Key Cipher
The shift is linear (cyclic)
k.n.gupta 62
k+2=m
(dot)=e [+6]
n=w [+9]
269
mewam3rzjba
Char
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
. (Dot)
Space
1
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
2
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
b
3
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
4
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
a b
b c
c d
5
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
b
c
d
e
6
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
b
c
d
e
f
7
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
b
c
d
e
f
g
8
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
b
c
d
e
f
g
h
9
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
.
a
b
c
d
e
f
g
h
i
ENCRYPTION
DECRYPTION
Encrypted Message 1
Message 1
Central to the growth of e-commerce and egovernance is the issue of trust in electronic
environment.
9a46894335be49f0b9cab28d755aaa9cd98571b
275bbb0adb405e6931e856ca3e5e569edd13528
5482
9a46894335be49f0b9cab28d755aaa9cd985
71b275bbb0adb405e6931e856ca3e5e569e
dd135285482
Central to the growth of e-commerce and egovernance is the issue of trust in electronic
environment.
Encrypted Message 1
Message 2
Message 1
Same Key
SYMMETRIC
The Internet knows no geographical boundaries.
It has redefined time and space. Advances in
computer and telecommunication technologies
have led to the explosive growth of the Internet.
This in turn is affecting the methods of
communication,
work,
study,
education,
interaction, leisure, health, governance, trade
and commerce.
Encrypted Message 2
a520eecb61a770f947ca856cd675463f1c95
a9a2b8d4e6a71f80830c87f5715f5f5933497
8dd7e97da0707b48a1138d77ced56feba2b4
67c398683c7dbeb86b854f120606a7ae1ed9
34f5703672adab0d7be66dccde1a763c736c
b9001d0731d541106f50bb7e54240c40ba7
[Keys of a pair – Public and Private]
80b7a553bea570b99c9ab3df13d75f8ccfddd
eaaf3a749fd1411
Different Keys
ASYMMETRIC
[PKI]
Encrypted Message 2
a520eecb61a770f947ca856cd675463f1c95a9a2b
8d4e6a71f80830c87f5715f5f59334978dd7e97da
0707b48a1138d77ced56feba2b467c398683c7db
eb86b854f120606a7ae1ed934f5703672adab0d7
be66dccde1a763c736cb9001d0731d541106f50b
b7e54240c40ba780b7a553bea570b99c9ab3df13
d75f8ccfdddeaaf3a749fd1411
Message 2
The Internet knows no geographical boundaries. It has
redefined time and space. Advances in computer and
telecommunication technologies have led to the
explosive growth of the Internet.
This in turn is
affecting the methods of communication, work, study,
education, interaction, leisure, health, governance,
trade and commerce.
I agree
Digital Signatures
efcc61c1c03db8d8ea8569545c073c814a0ed755
My place of birth is at Gwalior.
fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25
I am 62 years old.
0e6d7d56c4520756f59235b6ae981cdb5f9820a0
I am an Engineer.
ea0ae29b3b2c20fc018aaca45c3746a057b893e7
I am a Engineer.
01f1d8abd9c2e6130870842055d97d315dff1ea3
• These are digital signatures of same person on different documents
• Digital Signatures are numbers
• They are document content dependent
Concepts
• A 1024 bits number is a very big number much
bigger than the total number of electrons in whole
world.
• Trillions of Trillions of pairs of numbers exist in this
range with each pair having following property
– A message encrypted with one element of the
pair can be decrypted ONLY by the other element
of the same pair
• Two numbers of a pair are called keys, the Public
Key & the Private Key. User himself generates his
own key pair on his computer
• Any message irrespective of its length can be
compressed or abridged uniquely into a smaller
length message called the Digest or the Hash.
•
Smallest change in the message will change the
Hash value
Click for Hash Generation
What is Digital Signature?
• Hash value of a message when
encrypted with the private key of a
person is his digital signature on that
e-Document
– Digital Signature of a person
therefore varies from document to
document thus ensuring authenticity
of each word of that document.
– As the public key of the signer is
known, anybody can verify the
message and the digital signature
Digital Signatures
Each individual generates his own key pair
[Public key known to everyone & Private key only to the owner]
Private Key – Used for making digital signature
Public Key – Used to verify the digital signature
RSA Key pair
(including Algorithm identifier)
[2048 bit]
Private Key
3082
06d3
d854
463d
b35f
cf42
6c89
b4f8
04e3
010a
0d59
0aa5
1ef0
5a22
b2f0
2aca
cdf9
459e
0282
bd3e
2586
b92c
97ec
1cd5
da33
f400
a146
0101
c1ce
94ed
345f
199b
5ffb
1379
84b6
2840
00b1
4367
6356
8c7c
c105
6bed
c255
5742
8102
d311
018a
ff70
4c08
68fd
6856
8ced
859d
0301
e079
21a8
6ca3
299d
e6b7
7b39
9cbb
32a8
0001
5543
efbc
a119
4055
a991
2c72
f2cb
f92a
0708
ccd0
d278
eb3c
942c
38b0
5b10
54fb
4ccb
a2cc
be68
7d83
e478
ee93
f82e
ff78
0542
b055
2a44
deb5
4824
a9d3
6135
41bc
00e2
9653
5e2f
f0f7
1a25
7b77
c629
bd71
0d83
8466
cfcc
8a83
193a
3ceb
4c2a
28f4
Public Key
3082
0673
d8b4
463d
b35f
cf42
6c89
b4f8
04de
01e4
0d59
0aa5
1df0
5a22
b250
2aca
cdf9
45de
f267
bf3e
2586
b92c
97ec
1cd5
da33
f400
af46
0142
c1ce
94ed
345f
199b
5ffb
1379
84b6
2240
0f61
4367
6356
8c7c
c105
6bed
c255
5742
8410
dd12
012a
ff70
4c08
68fd
6856
8ced
859d
02f1
e089
11a8
6ca3
299d
e6b7
7b39
9cbb
32a8
0001
5547
efbc
a119
4055
a991
2c72
f2cb
f92a
0f08
ccd0
d278
eb3c
942c
38b0
5b10
54fb
4ccb
a2cc
be68
7d83
e478
ee93
f82e
ff78
0542
b055
2a44
deb5
4824
a9d3
6135
41bc
00e2
9653
5e2f
f0f7
1a25
7b77
c629
bd71
0d83
8466
cfcc
8a83
193a
3ceb
4c2a
28f4
463d
0500
185e
0ea1
eb95
7103
d02a
bb90
e493
da44
47bc
4cb4
9c39
a938
63d1
bcff
bab6
4980
3ab1
3aa5
0a8a
4a16
6559
9634
463d
0500
185e
0ea1
eb95
7103
d02a
bb90
e493
da44
47bc
4cb4
9c39
a938
63d1
bcff
bab6
4980
3ab1
3aa5
0a8a
4a16
6559
9634
Signed Messages
Message
Message
+
signature
Sent thru’ Internet
Calculated
Hash
Message
+
Signature
if
COMPARE
Hash
OK
Signatures
verified
SIGN hash
With Sender’s
Private key
Sender
Hash
Receiver
Decrypt
Signature
With Sender’s
Public Key
Paper signatures v/s Digital Signatures
Parameter
V/s
Paper
Electronic
Authenticity
May be forged
Can not be copied
Integrity
Signature
independent of the
document
Signature depends
on the contents of
the document
Nonrepudiation
a.
b.
Handwriting
a.
expert needed
Error prone
b.
Any computer
user
Error free
•
Key Generation
– Random Numbers
– RSA Key Pair [Private/Public Key]
•
Digital Signature
– Generate Message Digest
[SHA1]
– Encrypting Digest using Private
Key [Signatures]
– Attaching the Signatures to the
message.
•
Verification of Signatures
– Run the test for Authentication,
Integrity and Non repudiation.
•
Digital Signature Certificate
– ITU X.509 v3
Private key protection
•
The Private key generated is
to be protected and kept
secret. The responsibility of
the secrecy of the key lies
with the owner.
•
The key is secured using
– PIN Protected soft token
– Smart Cards
– Hardware Tokens
PIN protected soft tokens
•
•
The Private key is encrypted
and kept on the Hard Disk in
a file, this file is password
protected.
This forms the lowest level
of security in protecting the
key, as
– The key is highly reachable.
– PIN can be easily known or
cracked.
•
Soft tokens are also not
preferred because
– The key becomes static and
machine dependent.
– The key is in known file
format.
Smart Cards
•
•
•
•
The Private key is generated
in the crypto module
residing in the smart card.
The key is kept in the
memory of the smart card.
The key is highly secured as
it doesn’t leave the card, the
message digest is sent
inside the card for signing,
and the signatures leave the
card.
The card gives mobility to
the key and signing can be
done on any system. (Having
smart card reader)
Hardware Tokens
•
They are similar to smart
cards in functionality as
– Key is generated inside the
token.
– Key is highly secured as it
doesn’t leave the token.
– Highly portable.
– Machine Independent.
•
iKEY is one of the most
commonly used token as it
doesn’t need a special
reader and can be
connected to the system
using USB port.
Hardware Tokens
Smart Card
iKey
Biometrics – adds another level of security to these tokens
Public Key Infrastructure (PKI)
• Some Trusted Agency is required which
certifies the association of an individual with
the key pair.
Certifying Authority (CA)
• This association is done by issuing a
certificate to the user by the CA
Public key certificate (PKC)
• All public key certificates are digitally signed
by the CA
Certifying Authority
•• Must be widely known and trusted
•• Must have well defined Identification process before
issuing the
the certificate
certificate
issuing
•• Provides online access to all the certificates issued
•• Provides
Provides online
online access
access to
to the
the list
list of
of certificates
certificates
revoked
revoked
•• Displays
Displays online
online the
the license
license issued
issued by
by the
the Controller
Controller
•• Displays
Displays online
online approved
approved Certification
Certification Practice
Practice
Statement (CPS)
Statement (CPS)
•• Must
Must adhere
adhere to
to IT
IT Act/Rules/Regulations
Act/Rules/Regulations and
and
Guidelines
Guidelines
Paper
IDRBT Certificate
Electronic
Public-Key Certification
User Certificate
Serial No.
User
Name &
other
credentials
Certificate
Request
User’s
Public
key
Public
Private
Key pair
Generation
Public
Certificate
Database
User Name
Signed
by using
CA’s
private
key
User’s Email
Address
User’s
Public Key
Publis
h
License issued
by CCA
User 1 certificate
CA’s Name
Certificate
Class
Validity
Digital
Signature
of CA
User 2 certificate
.
Web site of CA
Private key of CA or CCA require highest level
of security
Hardware Security Module (HSM) is used for
storing the Private Key
More than one person are required for signing
HSM is housed in a strong room with video
surveillance on 24×7 basis.
Click for certificate generation demo
Trust Path
•Controller is the Root certifying authority
responsible for regulating Certifying
Authorities (CAs)
• Controller certifies the association of CA
with his public key
•Certifying Authority (CA) is the trusted
authority responsible for creating or
certifying identities.
•CA certifies the association of an
individual with his public key
Role of controller
Controller of Certifying Authorities
as the “Root” Authority certifies the
technologies,infrastructure and
practices of all the Certifying
Authorities licensed to issue Digital
Signature Certificates
Summary
• Each individual has a pair of keys
• Public key of each individual is certified
by a CA (Certifying Authority)
• Public keys of CAs are certified by the
Controller
• Public key of the Controller is self
certified
• Public keys of everyone are known to all
concerned and are also available on the
web
• Certification Practice Statement is
displayed on the web site
Applications in Judiciary
1. Instant posting of judgment on the web.
2. Secured electronic communications
within judiciary
3. Authentic archiving of Judicial records
4. Submission of affidavits
5. Giving certified copies of the Judgment
Applications in Telecommunications
A. Subscribers
? Subscriber’s services management
•
STD/ISD, Opening, Closing, Initializing Password
? Shifting of telephones, Accessories (Clip, Cordless)
? Small Payments through telephones bills
•
Books, gifts, Internet purchases
? Mobile Authentication of SMS
•
Share market trading, Intra/Inter office instructions
? Mobile Phones as Credit cards
•
Mobile operator can venture into credit card business
Applications in Telecommunications
(contd.)
B. Internal
? Intra/Inter offices authentic communications
• OBs, approvals, Instructions, requests
? Procurement of material
• Calling/Receiving bids, Purchase orders, Payment
instructions
? Network Management functions
• Change of configuration, Blocking/unblocking
routes
Public Key Cryptography
Encryption Technologies
Confidentiality
Document
Encrypted
Encrypted
Document
Document
Public Key of B
Document
Private Key of B
E-Governance
•
Empowering Citizens
a)
b)
c)
d)
Transparency
Accountability
Elimination of Intermediatory
Encouraging Citizens to exercise their Rights
Government Online
1. Issuing forms and licences
2. Filing tax returns online
3. Online Government orders/treasury
orders
4. Registration
5. Online file movement system
6. Public information records
7. E-voting
8. Railway reservations & ticketing
9. E-education
10. Online money orders
Thank You

Purchase answer to see full
attachment

Explanation & Answer:
1 Page

Tags:
security

Ecommerce

business entrepreneurs

credit card information

User generated content is uploaded by users for the purposes of learning and should be used following Studypool’s honor code & terms of service.