UNIT II E-Commerce Vs Internet.

What is E-Commerce? E-Commerce can be defined as business activities conducted using electronic data transmission via the Internet and World Wide Web.

What is the Internet?
- International network of networks
- Universal technology platform: any computer can communicate with any other computer
- World Wide Web and Web sites

Why is the Internet insecure?
- Theft of personal information: your personal information faces grave danger
- Spamming: unwanted e-mails in bulk
- Virus threat: a virus is nothing but a program which disrupts normal function
- Pornography

How to secure e-Commerce?
- Identify involved parties using a Public Key Infrastructure
- Establish mutual trust with a Certification Authority
- Secure e-Commerce transactions with cryptographic technologies
- Notarize transaction date and time with a reliable time source

Threats Due to Lack of Security
- Internet security holes
- Emergence of cyber crime
- Outside attacks: unauthorized intrusion, service denial, malicious downloads
- Inside attacks

End Users: The Five Worst Security Mistakes
- Opening unsolicited e-mail attachments from unreliable sources
- Forgetting to install security patches, including ones for Microsoft Office, Microsoft Internet Explorer, and Netscape
- Downloading screen savers or games from unreliable sources
- Not creating or testing backups
- Using a modem while connected through a local area network

Corporate Management: The Seven Top Errors That Lead to Computer Security Vulnerabilities
- Not providing training to the people assigned to maintain security within the company
- Only acknowledging physical security issues while neglecting the need to secure information
- Making a few fixes to security problems and not taking the necessary measures to ensure the problems are fixed
- Relying mainly on a firewall
- Failing to realize how much money intellectual property and business reputations are worth
- Authorizing only short-term fixes, so problems re-emerge rapidly
- Pretending the problem will go away if ignored

IT Professionals: The Ten Worst Security Mistakes
- Connecting systems to the Internet before hardening them
- Connecting test systems to the Internet with default accounts/passwords
- Failing to update systems when security holes are found
- Using unencrypted protocols for managing systems, routers, firewalls, and PKI
- Giving users passwords over the phone or changing them when the requester is not authenticated
- Failing to maintain and test backups
- Running unnecessary services
- Implementing firewalls with rules that do not prevent dangerous incoming or outgoing traffic
- Failing to implement or update virus detection software
- Failing to educate users on what to do when they see a potential security problem

What is Cryptography? A process associated with scrambling plaintext (ordinary text, or clear text) into cipher text (a process called encryption), then back again (known as decryption). Cryptography concerns itself with four objectives:
1) Confidentiality (the information cannot be understood by anyone for whom it was unintended)
2) Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected)
3) Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information)
4) Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information)
Procedures and protocols that meet some or all of the above criteria are known as cryptosystems.

Two kinds of Cryptography
- Symmetric or secret key: there is a single key, and Alice and Bob must somehow arrange to share it so that they, but only they, know it. In practice, very fast to encrypt and decrypt. The only kind of crypto prior to 1976.
- Asymmetric or public key: each user has 2 keys: a secret one to decrypt, and a public key that anybody can use to send her messages. Medium speed in practice.

Symmetric encryption Symmetric encryption is also referred to as secret-key encryption since there is one key for both encrypting and decrypting. Mathematically: E(M) = C and D(C) = M, so D(E(M)) = M. Security resides in how well the key is protected, and not in keeping the algorithm secret; in fact the most secure algorithms are the public ones. Security is usually a function of the length of the key (in bits).

More on symmetric encryption Symmetric encryption algorithms: Data Encryption Standard (DES), Blowfish, Rijndael (winner of AES). Confidentiality and authentication:
- Alice encrypts a message using her key and sends it to Bob
- Bob uses Alice's key to decrypt the message
- Bob is assured that whoever sent the message knew Alice's key
- But Alice can claim that she did not send the message, since Bob shared it with others (repudiation)
More problems of symmetric encryption:
- Need for a different key for every private conversation
- How can Alice transmit a key to Bob without Eve intercepting it?

Symmetric Cryptography

Pros and Cons of Symmetric Cryptography
Pros
– Message integrity
– Confidentiality
Cons
– security depends on the security level of the secret key
– secret key must be agreed upon in advance
– secret key exchange is necessary
– not scalable
– sender could deny sending the signed message
– difficulties in initiating secure communication between previously unknown parties

Asymmetric encryption Asymmetric encryption is also called public-key cryptography. One has two keys: a private key and a public key. One can encrypt messages with the public key, and decrypt them with the private key. Example of confidentiality using public-key cryptography:
- Bob sends Alice his public key
- Alice encrypts a message with Bob's public key and sends it to him
- Bob decrypts the message using his private key

More on asymmetric encryption Although asymmetric encryption allows secure communication between strangers, it suffers from man-in-the-middle attacks:
- Bob sends Alice his public key
- Mallory intercepts this key and sends Alice his own public key instead
- When Alice sends a message to Bob, encrypted with "Bob's" public key, Mallory intercepts it, and since it is really encrypted with his own public key, decrypts it with his private key and reads it
Of course the above attack works on both sides of the communication between Alice and Bob. This man-in-the-middle attack works because Alice and Bob have no way to verify that they are talking to each other. In theory any protocol that does not involve some kind of a secret is vulnerable to man-in-the-middle attacks.

Asymmetric Cryptography

Pros and Cons of Asymmetric Cryptography
Pros
– solves the secret key distribution problem
– Authentication
– Message integrity
– Confidentiality
– Non-repudiation
Cons
– requires exchange of public keys
– considered to be slower than symmetric cryptography when processing a large body of data

Difference between Symmetric and Asymmetric Cryptography Symmetric encryption requires a shared secret key to encrypt and decrypt a message. Asymmetric encryption requires a public key to encrypt a message and the use of the corresponding private key to decrypt the message. Asymmetric cryptography is considered to be slower than symmetric cryptography. Asymmetric cryptography provides a non-repudiation service.

Hybrid cryptosystems Public-key encryption is slow; symmetric encryption is at least 1000 times faster than public-key encryption. In the real world, public-key encryption is not a substitute for symmetric encryption: it is not used to encrypt messages, it is used to encrypt the keys of symmetric encryption. A hybrid cryptosystem:
- Bob sends Alice his public key
- Alice generates a session key, encrypts it using Bob's public key, and sends it to Bob
- Bob decrypts Alice's message using his private key to get the session key
- Both encrypt their messages using the same session key and symmetric encryption
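The hybrid exchange above, as an added example that is not part of the original slides, in Go using only the standard library: Bob's key pair stands in for the public key he sends, RSA-OAEP wraps Alice's fresh session key, and AES-GCM carries the message itself. The message text and key sizes are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is what Alice sends Bob: the session key wrapped under Bob's
// public key, plus the nonce and ciphertext of the bulk message.
type Sealed struct{ WrappedKey, Nonce, Ciphertext []byte }

// newGCM turns a 32-byte session key into an AES-256-GCM AEAD; with a key of
// valid length neither constructor can fail, so the errors are dropped.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// aliceSeal is Alice's side: generate a fresh session key, wrap it with
// RSA-OAEP to Bob's public key, and encrypt the message itself with AES-GCM.
// (crypto/rand.Read cannot return an error since Go 1.24, so it is unchecked.)
func aliceSeal(bobPub *rsa.PublicKey, msg []byte) (*Sealed, error) {
	session := make([]byte, 32)
	rand.Read(session)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, session, nil)
	if err != nil {
		return nil, err
	}
	aead := newGCM(session)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return &Sealed{wrapped, nonce, aead.Seal(nil, nonce, msg, nil)}, nil
}

// bobOpen is Bob's side: recover the session key with his private key, then
// decrypt symmetrically; GCM also rejects any ciphertext altered in transit.
func bobOpen(bobPriv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return newGCM(session).Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)                      // Bob's key pair; he sends bob.PublicKey
	s, _ := aliceSeal(&bob.PublicKey, []byte("order #42: 3 units")) // constructed sample message
	pt, err := bobOpen(bob, s)
	fmt.Printf("%s %v\n", pt, err)
}
```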

Hybrid Cryptography

Digital signatures A digital signature is a way to prove that you are really the person that sent a message:
- Alice signs a message with her private key and sends it to Bob
- Bob checks Alice's signature with her public key
- Bob is sure that the sender had Alice's private key
Digital signatures offer:
- Message integrity: Bob is sure that the message was not corrupted during transmission, otherwise the check of the signature would have failed
- Sender authentication: Bob is sure that the sender owns the private key that corresponds to the public key he has (Alice's)

Digital Signature (1/2) Objective: (P-K) Authentication / Integrity. [Diagram] Sender: the plaintext message is run through a hash function to produce a message digest; the digest is encrypted with the sender's private key ("Sender Authenticated"), giving the electronic signature; the electronic signature plus the plaintext message is encrypted with the receiver's public key into cipher text. Receiver: the cipher text is decrypted with the receiver's private key; the signature is decrypted with the sender's public key to recover the message digest; the received plaintext is run through the same hash function, and the two message digests are compared ("Message Integrity").

Handwritten signature: document independent (same for all documents); authentication only. Digital signature: document dependent (based on message contents); authentication & integrity. Use: US DSA, the "Digital Signature Algorithm". Problem (Digital Signature): non-repudiation (proof that the message has been sent).
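The sign/verify flow of the two Digital Signature slides, as an added Go example that is not part of the original presentation: the sender hashes the message and signs the digest with her private key (RSA-PSS here; the slides' DSA follows the same shape), and the receiver recomputes the digest and checks the signature with her public key, which fails if even one bit of the message changed. Alice and the sample message are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signed is what travels to the receiver: the plaintext plus the signature
// computed over its digest (the "Electronic Signature + Message" of the slide).
type Signed struct{ Message, Signature []byte }

// sign is the sender's side: hash the message to a digest, then sign the
// digest with the sender's private key (RSA-PSS over SHA-256).
func sign(senderPriv *rsa.PrivateKey, msg []byte) (*Signed, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Signed{Message: msg, Signature: sig}, nil
}

// verify is the receiver's side: recompute the digest from the plaintext that
// arrived and check the signature with the sender's public key. A nil result
// means both sender authentication (only that private key could have produced
// the signature) and message integrity (the digest still matches); a changed
// message, or a signature made with some other key, yields an error.
func verify(senderPub *rsa.PublicKey, s *Signed) error {
	digest := sha256.Sum256(s.Message)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], s.Signature, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)     // Alice's key pair
	s, _ := sign(alice, []byte("transfer 100 to Bob")) // constructed sample message
	fmt.Println("genuine:", verify(&alice.PublicKey, s))
	s.Message = []byte("transfer 1000 to Bob") // altered in transit: the digest no longer matches
	fmt.Println("altered:", verify(&alice.PublicKey, s))
}
```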

Digital certificates Nothing prevents Mallory from creating a key pair, sending the public key to Bob, and masquerading as Alice. When Bob receives future messages from Mallory (pretending to be Alice), Bob will "verify" that it is Alice (when it is really Mallory). A digital certificate binds a public key to a person. Purpose: to convince a person who does not know Alice that Alice owns a particular public key. When Alice signs a message with her private key, this authenticates Alice to the receiver of the message. Certification authority: generates, distributes, and manages digital certificates; an essential component of secure e-commerce. You must completely trust a certification authority to authenticate Alice when Alice applies for her certificate.

Digital certificates
- Certificate: a guarantee of the identity of the owner of a public key
- Certification Authority: an organization that certifies public keys and identifies the holder of the certificate
- X.509: a specification for the format of the binary file that constitutes a certificate
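Added example, not from the slides: a minimal X.509 workflow in Go's standard library showing what a certificate buys Bob against the Mallory scenario of the previous slide and the man-in-the-middle slide. A CA self-signs its root and issues Alice a certificate; Bob accepts a public key as Alice's only if the certificate chains to the CA he trusts and is issued to her name, so a self-signed key that merely claims to be Alice is rejected. The CA, Alice and the validity period are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the CA (caCert, caKey) sign a certificate binding name to pub.
// With caCert == nil it self-signs instead, producing the CA's own root.
func issue(name string, pub *rsa.PublicKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent := caCert
	if caCert == nil { // no issuer: this is the CA's self-signed root certificate
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedKey is the receiver's check: the public key in cert is accepted as
// name's only if cert chains to the trusted root and is issued to that name.
func trustedKey(cert, root *x509.Certificate, name string) (*rsa.PublicKey, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err // e.g. an impostor's self-signed certificate: x509.UnknownAuthorityError
	}
	if cert.Subject.CommonName != name {
		return nil, fmt.Errorf("certificate names %q, not %q", cert.Subject.CommonName, name)
	}
	return cert.PublicKey.(*rsa.PublicKey), nil
}

func main() {
	ca, _ := rsa.GenerateKey(rand.Reader, 2048)
	root, _ := issue("Trusted CA", &ca.PublicKey, nil, ca)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, _ := issue("Alice", &alice.PublicKey, root, ca)
	_, err := trustedKey(cert, root, "Alice")
	fmt.Println("Alice's certificate accepted:", err == nil)
}
```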

Data Encryption Standard (DES) Explanation: The Data Encryption Standard (DES) specifies a FIPS-approved cryptographic algorithm as required by FIPS 140-1. Qualifications: the cryptographic algorithm specified in this standard transforms a 64-bit binary value into a unique 64-bit binary value based on a 56-bit variable. As there are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits, the feasibility of deriving a particular key in this way is extremely unlikely in typical threat environments.

Data Encryption Standard (DES) The algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under control of a 64-bit key. A block to be enciphered is subjected to an initial permutation IP, then to a complex key-dependent computation, and finally to a permutation which is the inverse of the initial permutation, IP^-1. A permutation is an operation performed by a function which moves an element at place j to place k. The key-dependent computation can be simply defined in terms of a function f, called the cipher function, and a function KS, called the key schedule.

Data Encryption Standard (DES) First, a description of the computation. Next, the use of the algorithm for decipherment. Finally, a definition of the cipher function f, which is given in terms of the selection functions S_i and the permutation function P. LR denotes the block consisting of the bits of L followed by the bits of R.
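To tie the description above to running code, an added Go example (not from the slides) that enciphers and deciphers one 64-bit block with crypto/des and shows why the "64-bit key" is a 56-bit variable: the low bit of each key byte is a parity bit that the key schedule KS never selects, so flipping all eight of them leaves the ciphertext unchanged. DES appears here only because it is the algorithm under discussion; it is obsolete and must not protect real data. The key and plaintext block are the worked-example values from FIPS 81.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// desBlock enciphers (or, with decrypt set, deciphers) one 64-bit block under
// an 8-byte key: IP, 16 key-dependent rounds of the cipher function f with the
// subkeys produced by the key schedule KS, then IP^-1. Decipherment is the
// same computation with the subkeys applied in reverse order.
func desBlock(key, block []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewCipher(key) // fails unless the key is exactly 8 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	if decrypt {
		c.Decrypt(out, block)
	} else {
		c.Encrypt(out, block)
	}
	return out, nil
}

// parityBitsIgnored shows the 56-bit variable inside the 64-bit key: the low
// bit of every key byte is a parity bit that permuted choice 1 of the key
// schedule drops, so a key with all eight of them flipped enciphers the block
// to exactly the same ciphertext.
func parityBitsIgnored(key, block []byte) (bool, error) {
	flipped := make([]byte, len(key))
	for i, b := range key {
		flipped[i] = b ^ 0x01
	}
	c1, err := desBlock(key, block, false)
	if err != nil {
		return false, err
	}
	c2, err := desBlock(flipped, block, false)
	if err != nil {
		return false, err
	}
	return bytes.Equal(c1, c2), nil
}

func main() {
	key, _ := hex.DecodeString("0123456789abcdef") // FIPS 81 worked-example key
	pt := []byte("Now is t")                        // first 64-bit block of its plaintext
	ct, _ := desBlock(key, pt, false)
	same, _ := parityBitsIgnored(key, pt)
	fmt.Printf("ciphertext %x, parity bits ignored: %v\n", ct, same)
}
```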