E-Commerce Security and Authentication Details Jerry Post

E-Commerce Security and Authentication Details
Jerry Post
Westgate Management Development Center, Eberhardt School of Business, University of the Pacific

E-Commerce Transaction Issues
Customer perspective:
- Assurance of delivery
- Product specification
- Price
- Quantity
- Accounting and auditing
- Anonymity (occasional)
- Privacy
Merchant perspective:
- Assurance of payment
- Validity of orders, non-repudiation
- Accounting and auditing
- Customer relationship management (CRM)
Government perspective:
- Financial statements
- Taxable transactions
- Identify and track fraud
- Track money (drugs, terrorists, etc.)

E-Commerce Security Issues
- Unauthorized changes to site
- Unauthorized theft of data (e.g., credit cards)
- Interception of transmission
- Stolen credit cards: identity of consumer
- Fraudulent sites, spoofing: identity of merchant
- Physical site threats (fire, etc.)
- Employee/insider threats

E-Commerce Threat Points
Diagram: the customer sends a purchase choice and credit card data to the merchant server, which ships products back. Threat points marked on the diagram:
- Intercept or change data
- False site, fraudulent merchant
- False consumer, stolen card
- Outside attack on the server
- Insider fraud on purchases or sales
- Stolen shipments

Encryption
Single key encryption: Data Encryption Standard (DES)
- IBM, 1960s
- 56-bit key
- Brute force attack: RSA contest, broken in < 24 hours in 1999
- Key management and distribution is a major problem
- Algorithm is fast
- Encrypted transmissions are always slower—more random data
Diagram: the plain text message is encrypted with DES key 9837362 to give the encrypted text; the same single key (9837362) decrypts it back to the plain text message.

Dual-key Encryption
Diagram: Alice looks up Bob's public key in the public key list and encrypts the message with it; Bob decrypts it with his private key (toy key values on the slide: private keys 13 and 37).
Alice sends a message to Bob that only he can read.
Brute force attack prevented by length of key: 40 digits is too small, standard is 128 digits.

Dual key: Authentication
Diagram: Bob encrypts the message with his private key, then with Alice's public key, and transmits it; Alice decrypts with her private key, then with Bob's public key. Public key list: Alice 29, Bob 17; private keys 13 and 37.
Bob sends a message to Alice: his key guarantees it came from him; her key prevents anyone else from reading the message.

Digital Signature
1. Plain text order message.
2. Compute a hash of the message (CRC check bytes), e.g., 5983.
3. Encrypt the hash with the sender's private key. The signature is unique to the document and cannot be reused; it can be time-stamped.
4. Encrypt the order with the merchant's public key.
5. Transmit. The message cannot be read or changed; it can be lost or deleted.
6. Recipient decrypts the document and verifies authenticity.
Hash quality:
- Simple hash: 5+9+8+3 = 25
- Better: row hash and column hash
- Best: Cyclic Redundancy Check (polynomial)
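As an added example (not from the slides), a toy textbook-RSA walk-through of the last three slides: Alice's message encrypted with her private key and then Bob's public key, a document hash signed with a private key and verified with the public key, and why the slide's additive hash is weaker than a CRC. All primes, key values and messages are constructed for illustration.

```python
"""Toy RSA walk-through of the dual-key and digital-signature slides.
All key values are constructed and far too small to be secure."""
import hashlib
import zlib

def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((e, n), (d, n)) for two primes p and q (constructed here)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

# Constructed toy keys from primes just above 10**6. Alice's modulus is the
# smaller, so a value she has encrypted still fits under Bob's public key.
ALICE_PUB, ALICE_PRIV = make_keypair(1000003, 1000033)
BOB_PUB, BOB_PRIV = make_keypair(1000037, 1000039)

def rsa_apply(value: int, key: tuple) -> int:
    """Textbook RSA: value**exponent mod modulus (real systems pad first)."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

def seal(value: int, sender_priv: tuple, recipient_pub: tuple) -> int:
    """Slide flow: encrypt with the sender's private key (proves origin),
    then with the recipient's public key (only the recipient can read it)."""
    return rsa_apply(rsa_apply(value, sender_priv), recipient_pub)

def unseal(sealed: int, recipient_priv: tuple, sender_pub: tuple) -> int:
    """Reverse order: recipient's private key, then the sender's public key."""
    return rsa_apply(rsa_apply(sealed, recipient_priv), sender_pub)

def digest_mod(message: bytes, modulus: int) -> int:
    """Hash the document, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus

def sign(message: bytes, priv: tuple) -> int:
    """'Encrypt hash with private key': the signature is tied to this document."""
    return rsa_apply(digest_mod(message, priv[1]), priv)

def verify(message: bytes, signature: int, pub: tuple) -> bool:
    """Recover the hash with the sender's public key and compare to a fresh hash."""
    return rsa_apply(signature, pub) == digest_mod(message, pub[1])

def additive_hash(digits: str) -> int:
    """The slide's 'simple hash' (5+9+8+3 = 25): reordering the digits collides."""
    return sum(int(d) for d in digits)

def crc_hash(digits: str) -> int:
    """The slide's 'best' option, a polynomial CRC, does detect reordering."""
    return zlib.crc32(digits.encode())
```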

Encryption Solutions
Rivest-Shamir-Adleman (RSA: company)
- U.S. patent on the common dual-key method (expires soon)
- Used by browsers and most security systems
Correctly implemented, it solves most problems:
- Transmission cannot be intercepted or changed
- Customer is authenticated
- Order cannot be repudiated or altered
- If the merchant re-encrypts and stores data, it cannot be stolen

Dual-Key Authentication Issues
- How to distribute and verify the public keys? People are authenticated based on their public key.
- How to stop someone from registering a public key in your name?
- How to validate the public key server?
Diagram: spoofing via a false server or key list (Alice 13, Bob 17) leads to impersonation.

Digital Certificates
- Almost any server can generate digital keys; can use it "in-house" to reduce costs
- But how do you know which servers to trust?
- Some government agencies generate certificates, but not for commercial use.
- Now, one commercial company: Verisign
- Merchant certificate is "required" for encryption
- Consumers can purchase certificates
Verify identity:
- Merchants: DUNS number and some options
- Consumers: levels, notary public; but no one registers

User Identification
Merchant authentication:
- Merchants generally register with Verisign
- Merchants almost always register with a credit-card merchant bank
- Consumers are protected by credit card rules
Consumer authentication:
- No one registers with Verisign
- All authentication is handled by the credit card
- Can verify card number, expiration date, and address online
- Can get an online test of cards reported stolen or invalid

Consumer Authentication
- Purchases: credit card is the best we can do right now
- Merchant is still at risk
- International sales are dangerous, so most merchants will not accept them

Individual Identification
- Username and password: have to find a way to get them to the correct person; have to handle forgotten passwords; could use a billing number, but need to randomize them
- Credit card: not everyone has a card; some are not willing to give the number
- SSN: too easily found or forged; restrictions on government use
- Digital certificate/signature: individuals unwilling to pay; need infrastructure
- IP address: not always unique; can be spoofed

Biometrics
- Many new devices: fingerprint and handprint readers, iris scanners, infrared scanners
- Cost is reasonable ($100-$500)
- Hard to use for external identification
- No standard devices
- No standard software or authentication scheme

Identity Solution?
Determine the level of identification you need for each application:
- Absolute identity (digital signature)
- Best test of documents (e.g., credit card)
- Reasonably certain (e.g., billing ID number)
- Open to public
Examples:
- Sales: best test of documents
- Car registration (DMV): absolute identity
- Check water bill: reasonably certain

Escrow Keys: Government
Developed by the NSA; the federal government tried to force the use of escrow keys for all encryption, but mostly for digital cell phones.
Diagram: a Clipper chip in the phones encrypts the conversation; the encrypted conversation is intercepted, and escrow keys held by a judicial or government office decrypt it.

Encryption Issues
- Transmission speed drops enormously
- Encryption/decryption takes processor time—can purchase a hardware solution: nCipher
- You must protect the private key, which is hard when someone steals a laptop
- In a civil suit, you will be forced to decrypt any data requested
- Federal government actively breaks encryption for criminal cases (when possible)
- You still have to trust your employees

Security Best Practices
- Limit access to hardware: physical locks; video monitoring; fire and environment monitors; employee logs / cards
- Monitor usage: hardware logs; access failures/attacks; software and data usage
- Background checks: employees; consultants
- Backups!
- Encrypt sensitive data: transmissions; storage
- Assign access rights
- Protect disposal of data
- Disaster planning
- Virus protection: backups; anti-virus software (limited value); only run trusted software

Digital Cash
Diagram: consumer, vendor (data), and a trusted party (bank) that handles conversion to "real" money.
NetBill:
(1) Price, product decryption key, and customer code are sent to the third party.
(2) Accounts are debited and credited; the product key is sent to the customer.
Digital cash:
(A) Consumer purchases a cash value that can be used only once.
(B) "Cash" amount is verified and added to the vendor account.
Customer chooses a product and sends an ID or digital cash number.

Digital Cash Goals
Goals:
- Lower transaction costs (affordable to $0.25?)
- Merchant and consumer protection
- Anonymity, non-traceable
Requirements:
- Conversion to/from real-world cash
- Trusted third party
- Customer uses a digital wallet
Some technologies are in use today, but with limited acceptance by consumers.

Secure Electronic Transactions (SET)
Current usage is known as Secure Sockets Layer (SSL):
- Vendor handles security using Verisign
- Encryption is one-way (consumer to vendor)
- No authentication
SET:
- Specifies steps to ensure strong security in the entire process
- Requires consumers to obtain digital certificates and digital signatures
- Consumers show limited enthusiasm

Anonymity
Computers all have an IP address:
- Every computer on the Internet must have an IP address (number) so that messages are sent and returned correctly.
- Many IP addresses can be traced back to a specific user.
- A few ISPs use dynamic IP assignment, so it is not always possible to identify the exact person.
- Computer labs and libraries are often open to the public and do not track individual usage.
Anonymity servers:
- Church of Scientology dispute—forced a server operator in Denmark to release records.
- Zero-Knowledge in Canada is new, with a strong assurance of anonymity: http://www.zeroknowledge.com for $50/year.

Server and Network Monitoring
- Customer evaluation
- Web site usability evaluation
- Load evaluation (time of day, month, etc.)
- Network performance
- Security threats

Network & Server Stats: MRTG
Free download: http://ee-staff.ethz.ch/~oetiker/

Web Log Analyzer: SurfStats
Cost: $90, www.surfstat.com
Site activity: clients, files/pages, browsers, referers, errors
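An added example (not SurfStats and not from the slides) of the same categories computed over a web server log, plus the "access failures/attacks" check from the best-practices slide. The log lines are constructed in combined log format; the IP addresses, paths and browser strings are invented.

```python
"""Constructed web-log summary: site activity, clients, pages, browsers,
referers, errors, and a flag for clients with repeated access failures.
Added example; the log lines below are invented, not real traffic."""
import re
from collections import Counter

# Constructed sample in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2001:09:12:01 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.7 [en] (Win98; I)"
10.0.0.5 - - [03/Mar/2001:09:12:04 -0800] "GET /catalog.html HTTP/1.0" 200 8890 "http://shop.example/index.html" "Mozilla/4.7 [en] (Win98; I)"
192.168.7.9 - - [03/Mar/2001:09:13:10 -0800] "GET /admin/login HTTP/1.0" 401 310 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.168.7.9 - - [03/Mar/2001:09:13:11 -0800] "GET /admin/login HTTP/1.0" 401 310 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.168.7.9 - - [03/Mar/2001:09:13:12 -0800] "GET /admin/login HTTP/1.0" 401 310 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
172.16.2.2 - - [03/Mar/2001:09:15:40 -0800] "GET /missing.gif HTTP/1.0" 404 210 "http://shop.example/catalog.html" "Mozilla/4.7 [en] (Win98; I)"
"""

LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse_log(text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def summarize(records: list) -> dict:
    """The analyzer's categories: clients, pages, browsers, referers, errors."""
    return {
        "hits": len(records),
        "clients": Counter(r["client"] for r in records),
        "pages": Counter(r["path"] for r in records),
        "browsers": Counter(r["agent"].split()[0] for r in records),
        "referers": Counter(r["referer"] for r in records if r["referer"] != "-"),
        "errors": Counter(r["status"] for r in records if r["status"] >= 400),
    }

def access_failures(records: list, threshold: int = 3) -> list:
    """Clients with at least `threshold` denied requests (401/403): the
    'access failures/attacks' the best-practices slide says to monitor."""
    denied = Counter(r["client"] for r in records if r["status"] in (401, 403))
    return sorted(ip for ip, n in denied.items() if n >= threshold)
```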

Server Monitor (Win 2000) Free, continuous monitoring plus alerts, choose hundreds of variables. Particularly good for monitoring processor and memory.