Implementing Security for Electronic Commerce


Protecting Electronic Commerce Assets
You cannot hope to produce secure commerce systems unless there is a written security policy that states:
- What assets are to be protected
- What is needed to protect those assets
- An analysis of the likelihood of threats
- Rules to be enforced to protect those assets

Protecting Electronic Commerce Assets
Both defense and commercial security guidelines state that you must protect assets from:
- Unauthorized disclosure
- Modification
- Destruction
Typical security policy concerning confidential company information: do not reveal company confidential information to anyone outside the company.

Minimum Requirements for Secure Electronic Commerce Figure 6-1

Protecting Intellectual Property The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works

Companies Providing Intellectual Property Protection Software
- ARIS Technologies (part of verance.com): digital audio watermarking systems; an embedded code in the audio file uniquely identifies the intellectual property
- Digimarc Corporation: watermarking for various file formats; controls software and playback devices

Companies Providing Intellectual Property Protection Software
- SoftLock Services: allows authors and publishers to lock files containing digital information for sale on the Web; posts files to the Web that must be unlocked with a purchased 'key' before viewing
- Digitalgoods.com: provides the infrastructure and integrated services necessary to securely market and distribute multimedia digital content to its maximum audience

Protecting Client Computers
- Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
- Threats can hide in:
  - Web pages
  - Downloaded graphics and plug-ins
  - E-mail attachments

Protecting Client Computers
- Cookies: small pieces of text that a Web site stores on your computer; they are stored and transmitted in clear text, so anything sensitive put in them (session identifiers, account details) is readable by anyone with access to the browser profile or, if the site does not use HTTPS, to the network path
- Cookies do not harm the client machine directly, but a stolen cookie can let someone else act as you toward the site that issued it
- Misplaced trust: Web sites that aren't really what they seem and trick the user into revealing sensitive data

Digital Certificates
- Also known as a digital ID
- Can be attached to an e-mail message or embedded in a Web page
- Serves as proof that the holder is the person or company identified by the certificate
- The certificate itself is public; what prevents others from altering or forging it is the digital signature of the issuing certification authority, which anyone can verify but only the issuer can produce

VeriSign -- A Certification Authority Figure 6-3

VeriSign
- Oldest and best-known Certification Authority (CA)
- Offers several classes of certificates:
  - Class 1 (lowest level): binds an e-mail address to its associated public key
  - Class 4 (highest level): applies to servers and their organizations; offers assurance of an individual's identity and relationship to a specified organization

Structure of a VeriSign Certificate Figure 6-4

Microsoft Internet Explorer
- Provides client-side protection right inside the browser
- Reacts to ActiveX and Java-based content
- Authenticode checks the digital signature on downloaded code to verify the identity of its publisher (it does not check that the code is safe to run)
- The user decides whether to 'trust' code from individual companies

Security Warning and Certificate Validation Figure 6-5

Internet Explorer Zones and Security Levels Figure 6-6

Internet Explorer Security Zone Default Settings Figure 6-7

Netscape Navigator
- User can decide whether to allow Navigator to download active content
- User can view the signature attached to Java and JavaScript code
- Security is set in the Preferences dialog box
- Cookie options are also set in the Preferences dialog box

Setting Netscape Navigator Preferences

A Typical Netscape Navigator Java Security Alert Figure 6-9

Viewing a Content Provider’s Certificate Figure 6-10

Dealing with Cookies
- A cookie's expiry is set by the site that creates it (any date the site chooses, or the end of the browser session if none is given)
- Retrievable only by the site that created them: the browser sends a cookie back only to the domain and path that set it
- Collect information so that the user doesn't have to continually enter usernames and passwords to access Web sites
- Earlier browsers simply stored cookies without comment
- Today's browsers allow the user to:
  - Store cookies without permission or warning
  - Receive a warning that a cookie is about to be stored
  - Unconditionally disallow cookies altogether

Protecting Electronic Commerce Channels
- Protecting assets while they are in transit between client computers and remote servers
- Providing channel security includes:
  - Channel secrecy
  - Guaranteeing message integrity
  - Ensuring channel availability
  - Authentication

Providing Transaction Privacy
- Encryption: the coding of information by using a mathematically based program and a secret key to produce unintelligible characters
- Steganography: hides the existence of a message by concealing it inside another file (an image or audio file, for example), so that an observer does not see that anything secret is present
- Cryptography: converts text to strings that appear to have no meaning; an observer sees that a message exists but cannot read it without the key

Encryption
- Key length: at the time of these slides 40-bit keys were considered minimal and 128-bit keys much more secure; 40-bit keys were already breakable by exhaustive search then and offer no protection today, so 128-bit symmetric keys should be treated as the floor
- Encryption can be subdivided into three functions:
  - Hash coding: calculates a fixed-length number (a digest) from a string of any length; it is one-way and uses no key, so it provides integrity checking rather than secrecy
  - Asymmetric (public-key) encryption: encodes by using two mathematically related keys; what one key encrypts, only the other can decrypt
  - Symmetric (secret-key) encryption: encodes by using one key that both sender and receiver must know (the slides call this "private-key" encryption)
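The three functions listed above, as an added example (not code from the original slides): a real hash function from the standard library, a one-time pad as the symmetric cipher (chosen because it needs no third-party library; the key must be random, message-length and never reused), and textbook RSA with the tiny primes 61 and 53, an assumption made only so the numbers fit on the page. Real RSA keys are thousands of bits long and use padding; the point here is the two-key property and why a signature is computed over the hash rather than the message.

```python
import hashlib
import secrets

# 1. Hash coding: input of any length -> fixed-length digest (256 bits here).
#    One-way and unkeyed, so it gives integrity checking, not secrecy.
def hash_code(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# 2. Symmetric (secret-key) encryption: the same key encrypts and decrypts.
#    One-time pad: key is random, exactly as long as the data, used once.
def otp_keygen(length: int) -> bytes:
    return secrets.token_bytes(length)

def otp_xor(key: bytes, data: bytes) -> bytes:
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(k ^ b for k, b in zip(key, data))

# 3. Asymmetric (public-key) encryption: two mathematically related keys.
#    Textbook RSA with toy primes (assumption for illustration only).
P, Q = 61, 53
N = P * Q                  # modulus shared by both keys: 3233
E = 17                     # public exponent
PHI = (P - 1) * (Q - 1)    # 3120
D = pow(E, -1, PHI)        # private exponent, inverse of E mod PHI: 2753

def rsa_public(x: int) -> int:
    """Apply the public key: encrypt a message, or verify a signature."""
    return pow(x, E, N)

def rsa_private(x: int) -> int:
    """Apply the private key: decrypt a ciphertext, or sign a digest."""
    return pow(x, D, N)

def sign(message: bytes) -> int:
    # Sign the hash, not the message: hash coding fixes the length first.
    return rsa_private(int(hash_code(message), 16) % N)

def verify(message: bytes, signature: int) -> bool:
    return rsa_public(signature) == int(hash_code(message), 16) % N

if __name__ == "__main__":
    msg = b"order 1234: total 99.00"      # constructed sample message
    key = otp_keygen(len(msg))
    ct = otp_xor(key, msg)
    assert otp_xor(key, ct) == msg         # same key undoes the encryption
    c = rsa_public(65)                     # 65^17 mod 3233 = 2790
    assert rsa_private(c) == 65            # only the private key recovers it
    s = sign(msg)
    assert verify(msg, s) and not verify(msg, (s + 1) % N)
    print("digest:", hash_code(msg))
    print("otp ciphertext:", ct.hex(), "| rsa ciphertext:", c, "| signature ok")
```

Note the asymmetry in use: encrypting with the public key means only the private-key holder can read the result, while applying the private key to a digest produces a signature that anyone with the public key can check but nobody else can forge.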

Hash Coding, Private-key, and Public-key Encryption Figure 6-11

Significant Encryption Algorithms and Standards Figure 6-12

Guaranteeing Transaction Delivery
- Neither encryption nor digital signatures protect packets from theft or slowdown: they protect what is in the packets, not whether the packets arrive
- Transmission Control Protocol (TCP) is responsible for end-to-end delivery of packets
- The receiver acknowledges the data it gets; when acknowledgements do not arrive, the sender retransmits the missing segments (TCP therefore recovers from lost packets, but cannot stop an attacker who delays or floods the channel)

Protecting the Commerce Server
- Access control and authentication: controlling who and what has access to the server
- The server can request that the client send a certificate as part of authentication
- The server checks the certificate's validity period to ensure that it hasn't expired; it must also verify the certification authority's signature on the certificate and that the client holds the matching private key, otherwise anyone with a copy of the certificate could present it
- Can use a callback system in which the client computer's address and name are checked against a list of permitted clients; on its own this is a weak control, because network addresses can be forged

Protecting the Commerce Server
- Usernames and passwords are the most common method of providing protection for the server
- Usernames are stored in clear text; passwords must never be, and should be stored as salted one-way hashes rather than merely "encrypted" (an encrypted password can be recovered by anyone who obtains the key, a hash cannot be reversed)
- The password entered by the user is hashed with the stored salt and compared to the hash on file; the password itself is never written to disk

Logging On With A Username And Password Figure 6-16

Operating System Controls
- Most operating systems employ username and password authentication
- A common defense is a firewall:
  - All traffic from inside to outside and outside to inside must pass through it
  - Only authorized traffic is allowed
  - The firewall itself must be immune to penetration

Firewalls
- Should be stripped of any unnecessary software
- Categories of firewalls include:
  - Packet filters: examine all packets flowing through the firewall (source and destination address, protocol, port)
  - Gateway servers: filter traffic based on the requested application
  - Proxy servers: communicate on behalf of the private network; also serve as a huge cache for Web pages

Firewalls (figure): the firewall sits as a "traffic cop" between the Internet and the protected sites (Site 1, Site 2), deciding per service whether traffic may pass; the diagram labels the services by port (ftp: 21, telnet: 23, smtp: 25, http: 80) and shows them against the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical).
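A packet filter of the kind described above, as an added example (not code from the original slides), using the services from the figure: rules are evaluated first-match-wins, anything unmatched is denied, an anti-spoofing rule drops packets that arrive from the Internet side claiming an internal source address, and ftp is admitted only from one partner network. The address ranges and rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet side, "out" = leaving the site
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str
    proto: str             # "tcp", "udp" or "any"
    src_net: str           # CIDR the source address must fall inside
    dport: Optional[int]   # None = any port
    comment: str = ""

INTERNAL = "10.0.0.0/8"        # constructed: the site's private address space
PARTNER = "198.51.100.0/24"    # constructed: the only network allowed to use ftp

# First matching rule wins; anything unmatched is denied by the default below.
RULES: List[Rule] = [
    Rule("deny",  "in",  "any", INTERNAL,    None, "anti-spoofing: internal source from outside"),
    Rule("allow", "in",  "tcp", "0.0.0.0/0", 80,   "http to the web server"),
    Rule("allow", "in",  "tcp", "0.0.0.0/0", 25,   "smtp to the mail server"),
    Rule("allow", "in",  "tcp", PARTNER,     21,   "ftp only from the partner network"),
    Rule("deny",  "in",  "tcp", "0.0.0.0/0", 23,   "telnet never from outside"),
    Rule("allow", "out", "any", INTERNAL,    None, "internal hosts may reach the Internet"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)

def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'deny' for one packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # default deny: only explicitly authorized traffic passes

if __name__ == "__main__":
    # Constructed sample packets, one per decision path.
    samples = [
        Packet("in",  "tcp", "203.0.113.5",  "10.0.0.2",    80),   # allow: http
        Packet("in",  "tcp", "203.0.113.5",  "10.0.0.2",    23),   # deny: telnet
        Packet("in",  "tcp", "203.0.113.5",  "10.0.0.2",    21),   # deny: ftp, not partner
        Packet("in",  "tcp", "198.51.100.7", "10.0.0.2",    21),   # allow: ftp from partner
        Packet("in",  "tcp", "10.1.2.3",     "10.0.0.2",    80),   # deny: spoofed internal src
        Packet("out", "tcp", "10.1.2.3",     "203.0.113.5", 443),  # allow: outbound
    ]
    for p in samples:
        print(f"{p.direction:3} {p.proto} {p.src:>13} -> {p.dst}:{p.dport:<4} {filter_packet(p)}")
```

The default at the end is the part that matters most: a filter that falls through to "allow" turns every service you forgot to list into an opening, which is the failure the slide's "only authorized traffic is allowed" rule is guarding against.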

Check Point Software’s Firewall-1 Web Page Figure 6-17