E-Commerce

Internet

• It is a network that follows the TCP/IP protocol.– Transmission Control Protocol – handles

communications between applications.• A message is divided into pieces called packets.• Packets are numbered and may be transmitted by different

routes.

– Internet Protocol – handles communications between network addresses.

• A computer on the internet is assigned an unique address, IP address, which consists of 4 numbers (each number is less than 256) separated by period. Example, 158.104.1.10

E-Commerce

• Buying and selling, and marketing and servicing of products and services, and information via computer networks.

CISCO Internet Value Matrix

The Four Quadrants• New Fundamentals: These companies are taking the low risk road.

They use the Internet as a new channel for doing old things, for example streamline operations, to achieve cost saving.

• Operational Excellence: Business in this section, are using the Internet technologies to improve management of customer services and for value innovation.

• Breakthrough strategies (Early Movers): These are the bold players venturing into new markets, new channels and new products. Their focus is on competitive advantage through new ways of managing relationships and doing business.

• Experimentation: These businesses want to become learning organizations. They are exploring the Internet and Intranet and funding small scale experiments. They experiment with new market segments, sources of revenue and ways of doing business but not in a way, which can compromise the main business activities.

E-Commerce Models• B2C: Storefront model

– E-tailing (electronic retailing)– Shopping cart, on-line shopping mall

• B2B: – Electronic Data Interchange (EDI)– Electronic Exchange: An electronic forum where manufacturers,

suppliers, and competitors buy and sell goods.• Example: WorldWide Retail Exchange (WWRE) • http://www.worldwideretailexchange.org/cs/en/index.htm

• C2C:– Auction model: e-Bay

• Etc.

B2C System Model

E-Payment

• Online credit card transaction:– Card-not-present transaction

• Prepaid card:– Visa Reloadable Prepaid card

• E-Wallet: Online wallets try to make Internet shopping easier by letting consumers register once to shop at multiple retail outlets.

• PayPal: https://www.paypal.com/– Click Merchants/demo

M-Business

• E-Business enabled by wireless communication.– Cell phone, PDA

• WI-FI: Wireless local area network (WLAN) based on the IEEE802.11 specifications.

• Hotspot: A person with a Wi-Fi device, such as a computer, cell telephone, or personal digital assistant (PDA) can connect to the Internet when in proximity of an Access Point. The region covered by one or several access points is called a hotspot.

Location Based Services

• Location-Identification Technologies:– Geocode: Longitude, latitude

• Global Positioning System (GPS)• Cell phone

– Angle of Arrival (AOA)

• Location Based Services:– B2E (Employee)– B2C

Internet Security

• Authenticity: Is the sender of a message who they claim to be?

• Privacy: Are the contents of a message secret and only known to the sender and receiver?

• Integrity: Have the contents of a message been modified during transmission?

• Nonrepudiation: Can the sender of a message deny that they actually sent the message?

Encryption (Cryptography)

• Plain text: the original message in human-readable form.

• Ciphertext:the encrypted message

• Encryption algorithm: the mathematical formula used to encrypt the plain text.

• Key: the secret key used to encrypt and decrypt a message.

Encryption Example

• Digits: 0-9, • Encryptor:

– Replace each digit by Mod(Digit + Key, 10)• Key’s value is from 0 to 9

– If Key = 7, then:• 0 -> 7, 1->8, 2->9, 3->0, 4->1, 5->2

• Decryptor:– Replace each digit byMod(Digit + (10-Key),

10)– If key=7, then

• 7->0, 8->1, 9->2, 0->3

Encryption Algorithms

• Private key encryption– symmetric cryptography

• Public key encryption– asymmetric cryptography

• Digital signature

• Digital certificate

Private Key (secret Key) Encryption

• The same key is used by a sender (for encryption) and a receiver (for decryption)

• The key must be transmitted to the receiver.

• Example: – DES (Data Encryption Standard) algorithm

with 56-bit key

Public Key Encryption

• Uses two different keys: a public and a private key.• Receiver’s public key must be delivered in advance.• Sender uses receiver’s public key to encrypt the

message and receiver uses private key to decrypt the message (Sender can be sure the receiver is the true receiver)

• Example:– RSA (Rivest, Shamir, and Adelman) algorithm with 512-bit to

1024-bit key.

• Note: Although the two keys are mathematically related, deriving one from the other is “computationally infeasible”.

Digital Signature• It is used for the authentication and nonrepudiation of

senders by applying public key encryption in reverse, and ensures the integrity of the message.

• How digital signature works:– Sender:

• Create message digest: Hash(original message)• Digital signature: Encrypt(Message digest, Sender’s private key)• Encrypted message: Encrypt(Original message, Receiver’s public

key)• Send the hash function, digital signature, and the encrypted message

to receiver.– Receiver:

• Use receiver’s private key to decrypt the encrypted message to reveal the original message.

• Use the sender’s public key to decrypt digital signature and reveal the message digest.

• Apply the hash function to the original message. If the hash value matches the message digest in the digital signature, the message is intact.

Certificate

• A certificate is a digital document issued by a trusted third-party certificate authority (CA).

• A certificate contains records such as a serial number, user’s name, owner’s public key, name of CA, etc.

• Example of CA: VeriSign, U.S. Postal Service.

Online Transaction Security Protocol

• Secure Sockets Layer (SSL)– Developed by Netscape– SSL implements public key technology using

the RSA algorithm and digital certificate to authenticate the server in a transaction and protect private information.

• 1. A client sends a message to a server.

• 2. The server sends its digital certificate to the client for authentication (authenticate the server)

• 3. The client and server negotiate session keys to continue the transaction and use session keys and digital certificate for encryption.

Cookies

• Designed to hold information about a user.• Created by a web site and saved on the

visitor’s machine.• It contains:

– Web site that sets the cookie.– One or more pieces of data.– Expiration date for this cookie.

• Cookies directory:• Browser sends cookie with the URL when you

visit the site that issued the cookie.

Excel’s Security

• Use password to protect spreadsheet file:– Tools/Option/Security

• Password to open• Password to modify

• Protect spreadsheet content:– Tools/Protection

• Protect sheet• Allow user to edit range

• Hide data:– Format/Cells/Number/Custom

• Enter ;;; (three semicolons)

Database Security

Database Security

• Database Security: Protection of the data against accidental or intentional loss, destruction, or misuse

• Increased difficulty due to Internet access and client/server technologies

Threats to Data Security• Accidental losses attributable to:

– People• Users: using another person’s means of access, viewing

unauthorized data, introduction of viruses• Programmers/Operators• Database administrator: Inadequate security policy

– Software failure• DBMS: security mechanism, privilege• Application software: program alteration

– Hardware failure• Theft and fraud• Improper data access:

– Loss of privacy (personal data)– Loss of confidentiality (corporate data)

• Loss of availability (through, e.g. sabotage)

Possible locations of data security threats

Countermeasures to Threats

• Authorization– Authentication

• Access controls: privileges• Database views• BackUp and Recovery• Enforcing integrity rules• Encryption

– Symmetric encryption:use same key for encryption and decryption

– Asymmetric encryption:• Public key: for encryption• Private key: decryption

• RAID

Authorization Rules• Controls incorporated in the data management

systemRestrict:

– access to data– actions that people can take on data

Authorization matrix for:– Subjects– Objects– Actions– Constraints

Authorization matrix

SQL Injection

• "SQL Injection" is an unverified/unsanitized user input vulnerability, and the idea is to convince the application to run SQL code that was not intended.

• Exploits applications that use external input for database commands.

SQL Injection Demo

• On a web page that takes customer ID entered in a textbox as input, then displays the customer’s data.

• In the textbox, enter:‘ OR 1=1 OR CID = ‘

SQLInjectionDemo

Other SQL injection examples:

Demo

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) Try objConn.Open() Dim objDataReader As OleDbDataReader objDataReader = objComm.ExecuteReader() GridView1.DataSource = objDataReader GridView1.DataBind() Catch except As SystemException Response.Write(except.Message) End Try End Sub

Access security

• Database Password:– Must open the database exclusively

• In the File/Open window, click Open button’s dropdown list and select: Open Exclusive

– Tools/Security/Set database password

• Tools/Security/Encode Decode

• User group/User level security