ELC 200
Day 25
Awad – Electronic Commerce 2/e © 2004 Pearson Prentice Hall
Posted 21-Dec-2015
Agenda
• Student Evaluations
• Quiz 4 (last) will be April 30
• Chap 13, 14, & 15
• Assignment 8 (last) will be assigned next week
• Should be progressing on Framework
• Lecture/Discuss E-security & Encryption
ANTI-VIRUS STRATEGY
• Establish a set of simple enforceable rules
• Educate & train users
• Inform users of the existing & potential threats to the company’s systems
• Update the latest anti-virus software periodically
E-Security: Virus – Computer Enemy #1
BASIC INTERNET SECURITY PRACTICES
• Password – http://www.crackpassword.com/
– Alpha-numeric
– Mix of upper and lower case
– Change frequently
– No dictionary words
• Encryption – Coding of messages in traffic between the customer placing an order and the merchant’s network processing the order
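Added example, not part of the Awad slides: a Python checker that applies the four password rules on this slide and a rotation check for "change frequently". The 12-character minimum, the 90-day rotation period and the six-word list are assumptions chosen for illustration; a deployment would load a full dictionary.

```python
import re
from datetime import date, timedelta

# Constructed word list standing in for a real dictionary (assumption: a
# deployment would load a full word list such as the system dictionary).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}


def check_password(password: str, min_length: int = 12) -> list:
    """Return the rules the password breaks; an empty list means it passes.

    min_length is not on the slide and is an assumed policy value."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Rule: alpha-numeric (letters and digits both present).
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and digits")
    # Rule: mix of upper and lower case.
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case")
    # Rule: no dictionary words. Compare case-insensitively, and also against
    # the letters alone so that "Summer2024!" still matches "summer".
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered or word == letters_only:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


def needs_rotation(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """Rule: change frequently. max_age_days is an assumed policy value."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("Summer2024", "Tr0ub4dor&3xQz"):   # constructed samples
        print(candidate, "->", check_password(candidate) or "OK")
    print("rotate:", needs_rotation(date(2024, 1, 1), date(2024, 6, 1)))
```

The dictionary check strips digits and symbols before comparing, because appending a year or a "!" to a common word is the usual way a dictionary word slips past a naive substring test.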
E-Security: Security Protection & Recovery
SECURITY RECOVERY
• Attack Detection
• Damage Assessment
• Correction & Recovery
• Corrective Feedback
FIREWALL & SECURITY
• Firewall
– Enforces an access control policy between two networks
– Detects intruders, blocks them from entry, keeps track of what they did & notifies the system administrator
E-Security: Firewall & Security
WHAT FIREWALL CAN PROTECT
• Email services known to be problems
• Unauthorized external logins
• Undesirable material, e.g. pornography
• Unauthorized sensitive information
WHAT FIREWALL CAN’T PROTECT
• Attacks without going through the firewall
• Weak security policy
• ‘Traitors’ or disgruntled employees
• Viruses via floppy disks
• Data-driven attack
SPECIFIC FIREWALL FEATURES
• Security Policy
• Deny Capability
• Filtering Ability
• Scalability
• Authentication
• Recognizing Dangerous Services
• Effective Audit Logs
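Added example, not from the slides or the textbook: a small packet-filter evaluator in Python that illustrates the firewall features listed above: a rule-based security policy, filtering on source, destination, protocol and port, a deny capability with default deny, a deny rule for a service known to be dangerous (telnet), an audit log of every decision, and a detection check that reports sources with repeated denials so the administrator can be notified. The networks, policy and traffic sample are constructed for the example and use the documentation address ranges.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR form ("0.0.0.0/0" = any)
    dst: str              # destination network in CIDR form
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port


@dataclass
class Firewall:
    rules: List[Rule]
    audit_log: list = field(default_factory=list)

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        """First matching rule wins; no match means deny. Every decision is logged."""
        for index, rule in enumerate(self.rules):
            if (ip_address(src) in ip_network(rule.src)
                    and ip_address(dst) in ip_network(rule.dst)
                    and rule.proto in ("any", proto)
                    and rule.dport in (None, dport)):
                self._log(rule.action, index, src, dst, proto, dport)
                return rule.action
        self._log("deny", None, src, dst, proto, dport)   # default deny
        return "deny"

    def _log(self, action, rule_index, src, dst, proto, dport):
        self.audit_log.append({"action": action, "rule": rule_index, "src": src,
                               "dst": dst, "proto": proto, "dport": dport})

    def suspicious_sources(self, threshold: int = 3) -> dict:
        """Sources denied at least `threshold` times: what to notify the admin about."""
        denials = Counter(e["src"] for e in self.audit_log if e["action"] == "deny")
        return {src: n for src, n in denials.items() if n >= threshold}


# Constructed policy (assumption): 10.0.0.0/8 is the internal network and
# 192.0.2.10 is the organisation's public web server.
POLICY = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),   # public HTTPS in
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),      # internal HTTPS out
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23),         # telnet: dangerous service
]

# Constructed traffic sample: (src, dst, proto, dport).
TRAFFIC = [
    ("198.51.100.7", "192.0.2.10", "tcp", 443),
    ("198.51.100.7", "192.0.2.10", "tcp", 22),
    ("198.51.100.7", "192.0.2.10", "tcp", 23),
    ("198.51.100.7", "10.1.2.3", "tcp", 445),
    ("10.1.2.3", "203.0.113.5", "tcp", 443),
    ("10.1.2.3", "203.0.113.5", "tcp", 23),
]


def run_sample():
    """Evaluate the constructed traffic; return (decisions, suspicious sources, log)."""
    fw = Firewall(POLICY)
    decisions = [fw.evaluate(*packet) for packet in TRAFFIC]
    return decisions, fw.suspicious_sources(), fw.audit_log


if __name__ == "__main__":
    decisions, suspicious, log = run_sample()
    for packet, decision in zip(TRAFFIC, decisions):
        print(decision.upper(), packet)
    print("notify admin about:", suspicious)
```

The log records which rule produced each decision (`rule` is `None` for the default deny), which is what makes the audit log useful afterwards: an entry can be traced back to the policy line that caused it.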
Chapter 14
Encryption: A Matter Of Trust
OBJECTIVES
• What is Encryption?
• Basic Cryptographic Algorithm
• Digital Signatures
• Major Attacks on Cryptosystems
• Digital Certificates
• Key Management
• Internet Security Protocols and Standards
• Government Regulations
WHAT IS ENCRYPTION?
• Based on the use of mathematical procedures to scramble data so that recovering the original message is extremely difficult
• Converts the data into an encoded message; a key is needed to decode it
WHAT DOES ENCRYPTION SATISFY?
• Authentication
• Integrity
• Nonrepudiation
• Privacy
BASIC CRYPTOGRAPHIC ALGORITHM
• Secret Key
– The sender and recipient possess the same single key
• Public Key
– One public key, which anyone can know, to encrypt
– One private key, which only the owner knows, to decrypt
– Provides message confidentiality
– Proves the authenticity of the message’s originator
COMMON CRYPTOSYSTEMS
• RSA Algorithm
– Most commonly used but vulnerable
• Data Encryption Standard (DES)
– Turns a message into a mess of unintelligible characters
• 3DES
• RC4
• International Data Encryption Algorithm (IDEA)
RSA HACK
• Source: E-Week, July 14, 2002; took 1,757 days (almost 5 years)
• A worldwide team of volunteers, using spare computing power, found the secret key for a message encrypted with the RC5-64 cipher, winning a $10,000 prize and, they say, casting some doubt on the security of messages protected by the cipher. Distributed.net, a collection of more than 331,000 volunteers who lent their machines' idle processing power to the effort, solved the challenge posed in 1997 by RSA Laboratories, the research arm of RSA Security Inc. It took nearly four years, a search through 15,769,938,165,961,326,592 keys and processing power roughly equivalent to nearly 46,000 2GHz AMD Athlon machines for the team to find the correct key. The plaintext message that the key unlocked was: "Some things are better left unread." A 450MHz Pentium III machine in Japan found the key on July 14, but a technical glitch prevented the Distributed.net team from realizing they had the correct key until Aug. 12. The team's organizers said their effort should not only prove the effectiveness of distributed computing efforts in solving large problems but also cause people to think twice before using the 64-bit RC5 cipher to encrypt some data. "While it's debatable that the duration of this project does much to devalue the security of a 64-bit RC5 key…we can say with confidence that RC5 is not an appropriate algorithm to use for data that will still be sensitive in more than several years' time," the team said in a statement.
DIGITAL SIGNATURES
• Transforms the signed message so that anyone who reads it can be sure of the real sender
• A block of data representing a private key
• Serves the purpose of authentication
MAJOR ATTACKS ON CRYPTOSYSTEMS
• Chosen-plaintext Attack
• Known-plaintext Attack
• Ciphertext-only Attack
• Third-party Attack
DIGITAL CERTIFICATES
• An electronic document issued by a certificate authority (CA) to establish a merchant’s identity by verifying its name and public key
• Includes holder’s name, name of CA, public key for cryptographic use, duration of certificate, the certificate’s class and ID
CLASSES OF CERTIFICATES
• Class 1
– Contains minimum checks on user’s background
– Simplest and quickest
• Class 2
– Checks for information, e.g. names, SSN, date of birth
– Requires proof of physical address, etc.
CLASSES OF CERTIFICATES (Cont’d)
• Class 3
– You need to prove exactly who you are and you are responsible
– Strongest
• Class 4
– Checks on things like user’s position in an organization, in addition to class 3 requirements
KEY MANAGEMENT
• Key Generation and Registration
• Key Distribution
• Key Backup / Recovery
• Key Revocation and Destruction
THIRD-PARTY SERVICES
• Public Key Infrastructure
– Certification Authority
– Registration Authority
– Directory Services
• Notary Services
• Arbitration Services
INTERNET SECURITY PROTOCOLS & STANDARDS
• Web Application
– Secure Socket Layer (SSL)
– Secure Hypertext Transfer Protocol (S-HTTP)
• E-Commerce
– Secure Electronic Transaction (SET)
• E-Mail
– PGP
– S/MIME
SSL
• Operates between application and transport layers
• Most widely used standard for online data encryption
• Provides services:
– Server authentication
– Client authentication
– Encrypted SSL connection
S-HTTP
• Secure Web transactions
• Provides transaction confidentiality, integrity and nonrepudiation of origin
• Able to integrate with HTTP applications
• Mainly used for intranet communications
• Does not require digital certificates / public keys
SET
• One protocol used for handling funds transfer from credit card issuers to a merchant’s bank account
• Provides confidentiality, authentication and integrity of payment card transmissions
• Requires customers to have a digital certificate and a digital wallet
PGP
• Encrypts the data with a symmetric algorithm under a one-time key, then encrypts that key using public-key cryptography
• Supports public-key encryption, symmetric-key encryption and digital signatures
• Supports other standards, e.g. SSL
S/MIME
• Provides security for different data types and attachments to e-mails
• Two key attributes:
– Digital signature
– Digital envelope
• Performs authentication using X.509 digital certificates
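Added example, written for this page rather than taken from the slides or the textbook, serving the "Basic Cryptographic Algorithm", "Digital Signatures", "PGP" and "S/MIME" slides together: one Python round trip in which a secret-key cipher (same key on both sides), public-key encryption (encrypt with the public key, decrypt with the private key), a hash-then-sign digital signature (sign with the private key, verify with the public key) and the digital envelope (data encrypted under a one-time session key, the session key encrypted with the recipient's public key) are all exercised. Every primitive is a toy chosen so the block runs on the standard library alone: the RSA keys are built from fixed Mersenne primes instead of random primes, the symmetric cipher is an HMAC-SHA256 keystream standing in for DES/3DES/IDEA/AES, and signing uses a truncated digest with no padding. The party names, primes and order text are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from math import gcd

# ---- Public-key part: toy RSA --------------------------------------------
# Assumption for illustration: fixed Mersenne primes, so no key-generation code
# is needed. Real keys use random primes of 2048+ bits; these offer no security.
MERSENNE = {k: (1 << k) - 1 for k in (61, 89, 107, 127)}
E = 65537


def rsa_keypair(p: int, q: int):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))     # pow(x, -1, m) is the modular inverse


def rsa_public(key, x: int) -> int:    # anyone may apply the public key
    n, e = key
    assert 0 <= x < n
    return pow(x, e, n)


def rsa_private(key, x: int) -> int:   # only the owner can apply the private key
    n, d = key
    return pow(x, d, n)


def sign(priv, message: bytes) -> int:
    # Hash-then-sign. The digest is truncated to 20 bytes so it is below n;
    # real schemes (PKCS#1 v1.5, PSS) pad the digest instead of truncating it.
    digest = int.from_bytes(hashlib.sha256(message).digest()[:20], "big")
    return rsa_private(priv, digest)


def verify(pub, message: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(message).digest()[:20], "big")
    return rsa_public(pub, signature) == digest


# ---- Secret-key part: sender and recipient share the same key -------------
# Stream cipher from HMAC-SHA256 in counter mode plus an HMAC integrity tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # integrity
    return nonce + ct + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# ---- Digital envelope + digital signature (the PGP / S/MIME pattern) ------
def seal(sender_priv, recipient_pub, message: bytes) -> dict:
    session_key = secrets.token_bytes(16)           # one-time symmetric key
    return {"body": sym_encrypt(session_key, message),
            "wrapped_key": rsa_public(recipient_pub, int.from_bytes(session_key, "big")),
            "signature": sign(sender_priv, message)}


def open_envelope(recipient_priv, sender_pub, env: dict) -> bytes:
    session_key = rsa_private(recipient_priv, env["wrapped_key"]).to_bytes(16, "big")
    message = sym_decrypt(session_key, env["body"])
    if not verify(sender_pub, message, env["signature"]):
        raise ValueError("signature does not verify: wrong sender or altered message")
    return message


def demo() -> dict:
    """Constructed round trip: Alice sends Bob a signed, enveloped order."""
    alice_pub, alice_priv = rsa_keypair(MERSENNE[61], MERSENNE[127])
    bob_pub, bob_priv = rsa_keypair(MERSENNE[89], MERSENNE[107])
    order = b"order 4711: 2 x widget, ship to 10 Main St"   # constructed message
    env = seal(alice_priv, bob_pub, order)
    recovered = open_envelope(bob_priv, alice_pub, env)
    # Flip one ciphertext bit: the symmetric integrity tag rejects the envelope
    # before the signature is even checked.
    body = env["body"]
    tampered = dict(env, body=body[:16] + bytes([body[16] ^ 1]) + body[17:])
    try:
        open_envelope(bob_priv, alice_pub, tampered)
        caught = False
    except ValueError:
        caught = True
    return {"recovered": recovered, "matches": recovered == order, "tamper_detected": caught}


if __name__ == "__main__":
    print(demo())
```

Note the division of labour the envelope relies on: the bulk data goes through the fast secret-key cipher, and the expensive public-key operation is applied only to the 16-byte session key, which is why PGP and S/MIME both wrap a symmetric key rather than encrypting the message body with RSA directly.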
GOVERNMENT REGULATIONS
• National Security Agency (NSA)
• National Computer Security Center (NCSC)
• National Institute of Standards and Technology (NIST)
• Office of Defense Trade Controls (DTC)