1

E-Commerce: Security E-Commerce: Security Challenges and SolutionsChallenges and Solutions

Modified by: Usman Tariq

Made by: Dr. Khalid Al-Tawil

2

Outline of the PresentationOutline of the Presentation

Internet Security

Cryptography

Firewalls

E-Commerce Challenges

E-Commerce Security

Global & Local Issues

3

Challenges to SecurityChallenges to Security

Internet was never designed with security in mind.

Many companies fail to take adequate measures to protect their internal systems from attacks.

Security precautions are expensive [firewalls, secure web servers, encryption mechanisms].

Security is difficult to achieve.

4

IntroductionIntroductionTwo Major Developments During the Past

Decade:1. Widespread Computerization2. Growing Networking and Internetworking

The Internet Need for Automated Tools for Protecting Files

and Other Information.

Network and Internetwork Security refer to measures needed to protect data during its transmission from one computer to another in a network or from one network to another in an internetwork.

5

security is complex. Some reasons are: Requirements for security services are:

Confidentiality Authentication Integrity

Key Management is difficult. Creation, Distribution, and Protection of Key

information calls for the need for secure services, the same services that they are trying to provide.

…Continue

6

Cyber terroristsCyber terrorists

In 1996 the Pentagon revealed that in the

previous

year it had suffered some two hundred fifty

thousand attempted intrusions into its computers

by hackers on the Internet

Nearly a hundred sixty of the break-ins were

successful.

7

……ContinueContinue Security Attacks:

1. Interruption2. Interceptor3. Modification4. Fabrication5. Viruses

Passive Attacks:1. Interception confidentiality

1. Release of message contents2. Traffic Analysis

8

……ContinueContinue

Active Attacks:

Interruption (availability)

Modification (integrity)

Fabrication (integrity)

9

Security ThreatsSecurity Threats1. Unauthorized access2. Loss of message confidentiality or integrity3. User Identification4. Access Control5. Players:

User community Network Administration

6. The bigger the system, the safer it is MVS mainframe users (5%) UNIX users (25%) Desktop users (50%)

10

Introduction to Security Introduction to Security RisksRisks

“$$”The Internet:open

Your network: data!virus

Hackers and crackers

11

The Main Security RisksThe Main Security Risks

1. Data being stolen Electronic mail can be intercepted and read

Customer’s credit card numbers may be read

2. Login/password and other access information stolen

3. Operating system shutdown

4. File system corruption

5. User login information can be captured

12

VirusesViruses

Unauthorized software being run

Games

Widely distributed software

Shareware

Freeware

Distributed software

13

Possible Security “Holes”Possible Security “Holes” Passwords

Transmitted in plain text Could be temporarily stored in unsafe files Could be easy to guess

Directory structure Access to system directories could be a threat

In the operating system software Some operating system software is not designed for secure oper

ation Security system manager should subscribe to

comp.security.unix comp.security.misc alt.security

14

Security StrategiesSecurity Strategies Use a separate host

1. Permanently connected to the Internet, not to your network.

2. Users dial in to a separate host and get onto the Internet through it.

Passwords1. Most important protection2. Should be at least eight characters long3. Use a mixture of alpha and numeric4. Should not be able to be found in dictionary

should not be associated with you!5. Change regularly

15

……ContinueContinue Every transaction generates record in a security

log file1. Might slow traffic and host computer

2. Keeps a permanent record on how your machine is accessed

Tracks1. Generates alarms when someone attempts to access

secure area

2. Separate the directories that anonymous users can access

3. Enforce user account logon for internal users

4. Read web server logs regularly

16

CryptographyCryptography The Science of Secret writing.

Encryption: Data is transformed into unreadable form.

Decryption: Transforming the encrypted data back into its original form.

Encryption

Decryption

CiphertextPlaintext

17

Types of CryptosystemsTypes of Cryptosystems

Conventional Cryptosystems Secret key Cryptosystems.

One secret key for Encryption and Decryption. Example: DES

Public key cryptosystems Two Keys for each user

Public key (encryptions) Private key (decryptions)

Example: RSA

18

FirewallsFirewalls1. A firewall is a barrier placed between the private network

and the outside world.

2. All incoming and outgoing traffic must pass through it.

3. Can be used to separate address domains.

4. Control network traffic.

5. Cost: ranges from no-cost (available on the Internet) to $ 100,000 hardware/software system.

6. Types: Router-Based Host Based Circuit Gateways

19

FirewallFirewall

Outside

Inside

FilterFilter

Gateway(s)

Schematic of a firewall

20

Firewall TypesFirewall Types((Router-BasedRouter-Based))1. Use programmable routers2. Control traffic based on IP addresses or port

information.Examples:

Bastion Configuration Diode Configuration

To improve security:1. Never allow in-band programming via Telnet to

a firewall router.2. Firewall routers should never advertise their

presence to outside users.

21

Bastion FirewallsBastion Firewalls

SecuredRouter

ExternalRouter

Private Internal Network

Host PC

Internet

SecuredRouter

SecuredRouter

SecuredRouter

SecuredRouter

22

Firewall TypesFirewall Types((Host-BasedHost-Based))

1. Use a computer instead of router.

2. More flexible (ability to log all activities)

3. Works at application level

4. Use specialized software applications and

service proxies.

5. Need specialized programs, only important

services will be supported.

23

……ContinueContinue Example: Proxies and Host-Based Firewalls

Proxies and

Host-Based Firewalls

Internet

Filtering Router

(Optimal)

Host running only proxy versions of FTP,Telnet and

so on.

Internal

Network

24

Electronic Mail SecurityElectronic Mail Security E-mail is the most widely used application in the

Internet. Who wants to read your mail ?

1. Business competitors

2. Reporters, Criminals

3. Friends and Family

Two approaches are used:1. PGP: Pretty Good Privacy

2. PEM: Privacy-Enhanced Mail

25

E-mail SecurityE-mail Security(PGP)(PGP) Available free worldwide in versions running on:

DOS/Windows Unix Macintosh

Based on: RSA IDEA MD5

26

……ContinueContinue Where to get PGP

Free from FTP site on the Internet Licensed version from ViaCrypt in USA

27

E-mail SecurityE-mail Security((PEMPEM))

Used with SMTP.

Implemented at application layer.

Provides:

1. Disclosure protection

2. Originator authenticity

3. Message integrity

28

Summary of PGP ServicesSummary of PGP Services

Function Algorithms used Description

Message IDEA, RSA A message is encrypted encryption using IDEA . The session key

is encrypted using RSA recipient’s public key.

Digital RSA, MD5 A hash code of a

messagesignature is created using MD5. This

is encrypted using RSA with the sender’s private key.

Compression ZIP A message may be

compressed using ZIP.

E-mail Radix 64 conversion To provide transparency compatibility for e-mail applications.

29

E-Commerce: E-Commerce: ChallengesChallenges

Trusting others electronically E-Commerce infrastructure

Security threats – the real threats and the perceptions

Network connectivity and availability issues Better architecture and planning

Global economy issues Flexible solutions

30

E-Commerce: ChallengesE-Commerce: Challenges

Trusting others electronically

1. Authentication

2. Handling of private information

3. Message integrity

4. Digital signatures and non-repudiation

5. Access to timely information

31

E-Commerce: ChallengesE-Commerce: ChallengesTrusting OthersTrusting Others Trusting the medium

1. Am I connected to the correct web site?

2. Is the right person using the other computer?

3. Did the appropriate party send the last email?

4. Did the last message get there in time, correctly?

32

E-Commerce: SolutionsE-Commerce: SolutionsTrusting OthersTrusting Others

Public-Key Infrastructure (PKI)

1. Distribute key pairs to all interested entities

2. Certify public keys in a “trusted” fashion The Certificate Authority

3. Secure protocols between entities

4. Digital Signatures, trusted records and non-

repudiation

33

E-Commerce: ChallengesE-Commerce: ChallengesSecurity ThreatsSecurity Threats

1. Authentication

problems

Impersonation attacks

2. Privacy problems

Hacking and similar

attacks

3. Integrity problems

4. Repudiation problems

34

Secure ProtocolsSecure Protocols

How to communicate securely:

1. SSL – “the web security protocols”

2. IPSEC – “the IP layer security protocol”

3. SMIME – “the email security protocol”

4. SET – “credit card transaction security protocol”

5. Others …

35

Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)

Platform and Application Independent Operates between application and transport

layers

TCP/IPSSLSSL

HTTP NNTP

Web Applications

FTP TelnetFutureApps

Etc.

36

Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)

Negotiates and employs essential functions for

secure transactions

1. Mutual Authentication

2. Data Encryption

3. Data Integrity

As simple and transparent as possible

37

SSL 3.0 LayersSSL 3.0 Layers

Record Layer

Fragmentation, Compression, Message Authentication (MAC), En

cryption

Alert Layer

close errors, message sequence errors, bad MACs, certificate err

ors

38

SSL Handshake

39

Why did SSL SucceedWhy did SSL Succeed

Simple solution with many applications – e-business and e-commerce

No change in operating systems or network stacks – very low overhead for deployment

Focuses on the weak link – the open wire, not trying to do everything to everyone

Solution to authentication, privacy and integrity problems and avoiding classes of attacks

40

E-Commerce: E-Commerce: Challenges Connectivity and availability

Issues with variable response during peak time

Guaranteed delivery, response and receipts

Spoofing attacks Attract users to other sites

Denial of service attacks Denial of service attacks Prevent users from accessing the site

Tracking and monitoring networks

41

Existing Technologies OverviewExisting Technologies Overview

1. Networking Products2. Firewalls3. Remote access and Virtual Private Networks (VPNs)4. Encryption technologies5. Public Key Infrastructure6. Scanners, monitors and filters7. Web products and applications

43

Encryption TechnologiesEncryption Technologies

Hardware assist to speed up performance

Encryption at different network layers; Layer2

through application layers

Provide both public-key systems as well as bulk

encryption using symmetric-key methods

Stored data encryption and recovery

44

PKIPKI

A set of technologies and procedures to enable

electronic authentication

Uses public key cryptography and digital

certificates

Certificate life-cycle management

47

PKI Architecture PKI Architecture

RA Zone

DMZ (DM Zone)

CA Zone

Internet

InternetApplications

CertificateRequest

Web Servers

CertificateDirectory

RAStations

CAStations

RA DB

Switchedsegment

StatusQuery

CertificateRequest

Store new certificate,CRL Update

CA DB

FIGURE 1: PKI SYSTEM BLOCK DIAGRAM[Numeric labels correspond to list above]

1 2 3

4

7

5

8

RAO Zone

RAO Stations(Operators at Consoles)

6

48

What is Missing??What is Missing??

1. Solid architecture practices

2. Policy-based proactive security management

3. Quantitative risk management measures especially rega

rding e-commerce or e-business implementations

49

E-Commerce ArchitectureE-Commerce Architecture

Support for peak access

Replication and mirroring, round robin schemes –

avoid denial of service

Security of web pages through certificates and

network architecture to avoid spoofing attacks

50

Proactive Security DesignProactive Security Design

1. Decide on what is permissible and what is right

2. Design a central policy, and enforce it

everywhere

3. Enforce user identities and the use of

credentials to access resources

4. Monitor the network to evaluate the results

51

PKI and E-CommercePKI and E-Commerce

1. Identity-based certificate to identify all users of

an application

2. Determine rightful users for resources

3. “Role-based” certificates to identify the

authorization rights for a user

52

E-Commerce: Are We E-Commerce: Are We Ready?Ready?

Infrastructure?

Security?

Policies & legal issues?

Arabic content?

53

E-Commerce: FutureE-Commerce: Future

Was expected to reach 37,500 (million US $) in

2002. It reached 50,000 (million US $) in 1998

Expected to reach 8 million company in 2000.

(40% of total commerce)

Arab word, about 100 million US $