Information Systems Security
Information Security for Web-based Applications
TRANSCRIPT
The full picture
Securing web sites:
  Reduce the attack surface of the web server
  Prevent unauthorized access to web sites and applications
  Isolate web sites and applications
  Configure user authentication
  Encrypt confidential data exchanged with clients
  Maintain web site and application security
Securing web sites
Reduce the attack surface of the web server:
  Enable only essential OS components and services
  Enable only the web server components and services that are needed
  Enable only the MIME types that are needed
  Configure OS security settings
Securing web sites
Prevent unauthorized access to web sites and applications:
  Store content on a dedicated disk volume
  Set web site permissions
  Set IP address and domain name restrictions
  Set NTFS file system permissions
Securing web sites
Isolate web sites and applications:
  Prevents multiple web sites and applications from adversely affecting one another
  Requires creating application pools, assigning web sites and applications to them, and assigning the proper service account and permissions
  Complicated procedure
Securing web sites
Configure user authentication: select an appropriate authentication method:
  Digest
  Advanced digest
  Integrated Windows
  Client certificates
  MS .NET Passport
Securing web sites
Encrypt confidential data exchanged with clients:
  Use Secure Socket Layer (SSL)
  Install a server certificate and use https instead of http
  Use IPSec or a VPN for remote administration
Securing web sites
Maintain web site and application security:
  Obtain up-to-date security updates
  Enable server security logs
  Enable web server application logs
  Review security policies, processes and procedures
Reading
Microsoft: Improving Web Application Security: Threats and Countermeasures
Chapter 1 “Web Application Security Fundamentals”
Chapter 4 “Design Guidelines for Secure Web Applications” is good but a bit too advanced for most students
Problem in e-Commerce
The transaction is done online. The customer and the company cannot see each other. How can they trust each other? Who are you? Can I trust you? What if I cannot receive my goods? What if I cannot receive the payment?
Certificate Authority
Now the CA comes in. It gives a digital identity to all concerned parties. It verifies that the company is okay to do business with, and that the customer is also okay.
This is not done by the government but by commercial organizations.
PKI is used as the technology to provide the digital identification.
What is PKI
The set of hardware, software, people and procedures needed to create, store, distribute and revoke keys/certificates based on public key cryptography.
PKI infrastructure and software development
PKI uses public key cryptography for authentication and access control of a user, guaranteeing the integrity and non-repudiation of documents signed by the user, and the confidentiality of data.
PKI infrastructure and software development
  Certificate Authority
  Registration Authority
  Certificate: Name, Issuing CA, Expiration date, Public key
  Certificate Revocation List
  X.509 Certificate structure
PKI
PKI employs a pair of keys for each user: a private key which is known only to the user himself, and a public key which is published by some authority, in the form of a digital certificate (certificate for short).
PKI
In signing a document or an e-mail, a user signs using his own private key so that others can use the signer's public key to verify the authenticity and non-repudiation of documents or e-mail. Since only the user has his own private key to sign, non-repudiation is established
PKI
The use of PKI saves the trouble of maintaining and distributing the same encryption/decryption key between the sender and the receiver
Authentication using certificates
Secure online payment
  Credit card payment
  Secure Socket Layer
  Secure Electronic Transaction (SET)
  PayPal
  E-purse
Credit Card
Invented in the 1950s
Only became profitable after 20 years, when the customers reached a critical mass
Credit Card Payment
This is the usual payment method used in eCommerce
4 parties are involved: Cardholder (payer), Merchant (payee), Issuing Bank, Acquiring Bank
Measures to stop fraud:
  Hot card lists
  Merchant floor limits: authorization required when a certain amount is exceeded
  Expiry date used as password
  Delivered to cardholder's address
  Card verification value (MAC)
  Intrusion detection (anomaly detection)
SSL: Secure Socket Layer
Developed by Netscape to secure HTTP sessions
Provides: data encryption, server authentication, message integrity, optional client authentication
NOT a payment system in itself
SSL: Secure Socket Layer
Authentication of the server by use of a digital certificate
Uses public key technology to exchange a session key (symmetric) between server and client, used only for that session
After the buyer sends information through the secure channel, the merchant processes the transaction in the usual manner
SSL
Client to Server: name C, transaction serial no. C#, nonce Nc
Server to Client: name S, transaction serial no. S#, nonce Ns, public key KS
Client to Server: pre-master secret key Ko encrypted under KS
  {Ko}KS
SSL
Client to Server: finished message, with a MAC over all messages to date
  {finished, MAC(K1, everything_to_date)}Kcs
Server: compute K1 = h(Ko, Nc, Ns)
Server to Client: finished message with the same MAC, then data
  {finished, MAC(K1, everything_to_date)}Ksc, {data}Ksc
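The simplified exchange above, written out as an added example (not from the slides): a toy RSA key pair stands in for KS, K1 = h(Ko, Nc, Ns) is derived on both sides, and the Finished MAC is computed over each side's own view of the transcript, so a message altered in transit (here the serial number C#, which K1 itself does not cover) makes the server reject the client's Finished. Encryption of the Finished message under Kcs is omitted.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair standing in for the server's KS. Constructed from small primes and
# insecure; it exists only to make the {Ko}KS step runnable (assumption, not from the slides).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def derive_k1(ko, nc, ns):
    """K1 = h(Ko, Nc, Ns): session key from the pre-master secret and both nonces."""
    return hashlib.sha256(b"|".join([str(ko).encode(), nc, ns])).digest()


def finished_mac(k1, transcript):
    """MAC(K1, everything_to_date) over the handshake messages seen so far."""
    return hmac.new(k1, b"".join(transcript), hashlib.sha256).digest()


def handshake(tamper_serial=False):
    """Run the exchange; return True if the server accepts the client's Finished.
    With tamper_serial=True the serial number C# is rewritten in transit: K1 is
    unaffected, but the transcript MAC exposes the change."""
    seen_by_client, seen_by_server = [], []
    # 1. Client -> Server: C, C#, Nc
    nc = secrets.token_bytes(16)
    m1 = b"C|C#0001|" + nc
    seen_by_client.append(m1)
    seen_by_server.append(m1.replace(b"C#0001", b"C#0002") if tamper_serial else m1)
    # 2. Server -> Client: S, S#, Ns, KS
    ns = secrets.token_bytes(16)
    m2 = b"S|S#0001|" + ns + b"|" + str(E).encode() + b"," + str(N).encode()
    seen_by_server.append(m2)
    seen_by_client.append(m2)
    # 3. Client -> Server: {Ko}KS (pre-master secret under the server's public key)
    ko = secrets.randbelow(N)
    m3 = pow(ko, E, N).to_bytes(8, "big")
    seen_by_client.append(m3)
    seen_by_server.append(m3)
    # Server recovers Ko with its private key; both sides derive K1 = h(Ko, Nc, Ns)
    ko_at_server = pow(int.from_bytes(m3, "big"), D, N)
    k1_client = derive_k1(ko, nc, ns)
    k1_server = derive_k1(ko_at_server, nc, ns)
    # 4. Client -> Server: finished, MAC(K1, everything_to_date) over the client's view
    client_finished = finished_mac(k1_client, seen_by_client)
    # The server recomputes the MAC over what it actually received and compares
    return hmac.compare_digest(client_finished, finished_mac(k1_server, seen_by_server))
```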
Secure Electronic Transaction
A joint effort of VISA and MasterCard to develop a more secure internet payment system in 1997 (credit card number not kept)
SET makes use of public key technology, and each participant is assigned a public key/private key pair
Secure Electronic Transaction
Legal entity formed by MasterCard, Visa, American Express and JCB in 12/97
A protocol designed for electronic payment with credit cards
Key idea:
  Merchant does not need to know payment details
  Bank does not need to know order details
SET
Client to Server: C, Nc, CC (certificate of client)
Server to Client: S, S#, CS (certificate of merchant), CB (certificate of bank)
Client to Server: {Order}KS, {Payment}KB, SigKC{h(Order), h(Payment)}
SET
Server to Bank: {Summary}KB, {Payment}KB
Bank to Server: SigKS{Auth_response}
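The dual signature SigKC{h(Order), h(Payment)} is what lets the merchant verify the order without the payment details and the bank verify the payment without the order details. The block below is an added example, not part of the slides: a toy RSA key pair stands in for KC, each verifier is handed only the hash of the half it must not see, and a modified order no longer verifies.

```python
import hashlib

# Toy RSA key pair standing in for the client's KC. Constructed from small primes and
# insecure; an assumption for illustration, not from the slides.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def h(data):
    """h(): hash of one half of the transaction (Order or Payment)."""
    return hashlib.sha256(data).digest()


def _digest_to_int(h_order, h_payment):
    # Hash the two halves together and reduce modulo the toy N so it fits the signing range
    return int.from_bytes(h(h_order + h_payment), "big") % N


def dual_sign(order, payment):
    """SigKC{h(Order), h(Payment)}: one signature that binds both halves together."""
    return pow(_digest_to_int(h(order), h(payment)), D, N)


def verify_dual(sig, h_order, h_payment):
    """Check the signature from the two hashes alone, which is all a verifier holds."""
    return pow(sig, E, N) == _digest_to_int(h_order, h_payment)


def merchant_accepts(order, h_payment, sig):
    """Merchant sees Order in clear plus h(Payment); it never sees the payment details."""
    return verify_dual(sig, h(order), h_payment)


def bank_accepts(payment, h_order, sig):
    """Bank sees Payment in clear plus h(Order); it never sees the order details."""
    return verify_dual(sig, h_order, h(payment))


def demo():
    # Constructed sample messages
    order = b"order: 1 x textbook, deliver to HK"
    payment = b"payment: card <placeholder>, exp <placeholder>"
    sig = dual_sign(order, payment)
    forged_order = b"order: 100 x textbook, deliver to HK"
    return (merchant_accepts(order, h(payment), sig),
            bank_accepts(payment, h(order), sig),
            merchant_accepts(forged_order, h(payment), sig))
```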
SET
Downfall of SET:
  Nothing for the credit card holders
  Huge cost of building the PKI
  Benefits less than expected
EDI
Electronic Data Interchange
  Used for B2B transactions
  Built on Value-Added Networks
  International and national message standards
  Expensive
EDI transactions
EDI, or Electronic Data Interchange, provides trading partners with an efficient business tool for the automatic transmission of commercial data from one computer system directly to another.
Through the use of EDI message standards such as X.12, UN/EDIFACT, or EANCOM, data may be communicated quickly, efficiently and accurately irrespective of the users' internal hardware and software equipment.
EDI in Hong Kong
  TRAXON for air-cargo
  CargoNet for shipping
  EZ*TRADE for retail, manufacturing and trading
  Tradelink for the HK Government, chiefly for the Customs Department
EDI Infrastructure
  VAN (Value-Added Networks) / VPN (Virtual Private Networks)
  i-EDI (Web-based EDI systems)
EDI example: SWIFT
RGP = Regional General Processor
PayPal
  A virtual bank on the Internet
  Caters for small merchants that cannot open an account with a bank
  Provides other services such as a shopping cart
  Problem of jurisdiction
E-purse
  Pre-paid debit cards that can work offline
  Not many business successes
  Mondex
  Most successful case: Octopus
  Pre-paid phone cards
The Internet Payment Processing System
  Acquiring bank
  Credit card association
  Customer issuing bank
  Internet merchant accounts
  Payment gateway
  Processor
Parties to an Internet transaction
  Customer
  Merchant
  Issuing Bank
  Merchant's Acquiring Bank
  Payment Gateway
  Processor
The transaction process (diagram: credit card no. and transaction info from the customer, request for payment, authorization, OK)
Transaction initiation
  Customer decides to make a purchase on the merchant's web site, proceeds to check out and inputs credit card information
  Merchant's web site receives the customer information and sends transaction information to the Payment Gateway
  Payment Gateway routes the information to the Processor
Payment authorization
  Processor sends the information to the Merchant's Acquiring Bank
  Acquiring Bank sends the transaction information to the credit card holder's Issuing Bank
  Issuing Bank sends the transaction result (authorization or decline) to the Acquiring Bank
  Acquiring Bank sends the transaction result to the Processor
Payment authorization
  Processor routes the information to the Payment Gateway
  Payment Gateway passes the result to the Merchant
  Merchant accepts and ships the goods, or rejects the transaction
The payment process (diagram: request for payment; credit merchant A/C; debit consumer A/C)
Payment settlement
  Merchant requests the Payment Gateway to settle a payment
  Payment Gateway sends all transactions to be settled to the Processor
  Processor sends settlement payment details to the customer's credit card Issuing Bank and to the Merchant's Acquiring Bank
Payment settlement
  Issuing Bank includes the Merchant's charge on the customer's credit card statement, while the Acquiring Bank credits the Merchant's account
Payment Processing
PCI DSS
Payment Card Industry Data Security Standard
It was developed by the PCI Security Standards Council, whose members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International.
PCI DSS
It is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
This is intended to help organizations proactively protect customer account data.
Requirements
Build and Maintain a Secure Network
  Install and maintain a firewall configuration to protect cardholder data
  Do not use vendor-supplied defaults for system passwords and other security parameters
Requirements
Protect Cardholder Data
  Protect stored cardholder data
  Encrypt transmission of cardholder data across open, public networks
Requirements
Maintain a Vulnerability Management Program
  Use and regularly update anti-virus software
  Develop and maintain secure systems and applications
Requirements
Implement Strong Access Control Measures
  Restrict access to cardholder data by business need-to-know
  Assign a unique ID to each person with computer access
  Restrict physical access to cardholder data
Requirements
Regularly Monitor and Test Networks
  Track and monitor all access to network resources and cardholder data
  Regularly test security systems and processes
Requirements
Maintain an Information Security Policy
  Maintain a policy that addresses information security
Reading
Refer to the Verisign Online Payment Processing Guide