Chapter 6: Implementing Security for Electronic Commerce


1. Chapter 6: Implementing Security for Electronic Commerce

2. Secure Socket Layer (SSL) Protocol
- Introduction
  - An average Internet user cannot deal with the complex nature of the encryption, digital certificates, and digital signatures that are used for secure transactions on a regular basis.
  - These are handled transparently by Web browsers and Web servers through a protocol called Secure Socket Layer.
  - All secured transactions between a client and a commerce server are considered a session. A private key is generated by the browser for each session, which is shared by the client and the server to exchange encrypted messages. It is discarded after the session.
  - SSL comes in two strengths: 40-bit and 128-bit. The longer the key, the better the security.

3. SSL and S-HTTP
- The Secure Socket Layer (SSL) from Netscape Communications and Secure HyperText Transfer Protocol (S-HTTP) from CommerceNet are two protocols that provide secure information transfer over the Internet, although S-HTTP is almost dead now.
- Both Microsoft and Netscape adopted Secure Socket Layer in their browsers.
- SSL works at the transport layer of the TCP/IP protocol suite and S-HTTP works at the application layer, the top layer.
- They have different goals: SSL secures connections between two computers and S-HTTP sends individual messages securely.
- SSL can secure sessions of HTTP and FTP transmissions.
- The protocol for secured HTTP is HTTPS.
- Try https://www.microsoft.com on the browser address line.

4. SSL Transmission (How it works)
- Security handshake:
  - Before a transmission can occur, SSL provides a security handshake in which the client and server computers exchange a brief burst of messages to discuss the level of security to be used, exchange digital certificates, and so on.
  - When a client browser first lands on a server's secure Web site, the server sends a hello request to the client (browser).
  - The browser asks the server for a digital certificate for verification. The server sends the certificate.
  - The browser checks the digital signature on the server certificate against the public key of the Certificate Authority stored within the browser. This authenticates the server.
  - After the handshake is over, SSL encrypts and decrypts information flowing between the two computers.

5. SSL Transmission (continued)
- Session key:
  - To implement secrecy during transmission, SSL uses both public- and private-key encryption.
  - The browser generates a private key (called the session key) to share between the browser and the Web server during a transmission session.
  - Then the browser encrypts this session key using the server's public key (that was sent by the server during the handshake).
  - The browser then sends the encrypted session key as a message to the server. The server decrypts the message with its public key and obtains the session key.
  - For all further transactions between the client and the server, this session key is used for encryption.
  - When the session ends, the session key is discarded.

6. Establishing an SSL Session

7. SSL Web Server Information
- Depending on the browser and the server, there are various encryption algorithms that might be supported by each, such as DES, triple DES, or RSA. See the figure on the next page.
- RSA, named after its inventors Ronald Rivest, Adi Shamir, and Leonard Adleman, is the widely used algorithm for encrypting Web and e-mail messages using a public key. It uses a key whose length varies from 512 to 1,024 bits.
- Because of the longer key size, public-key encryption is slower than private-key encryption. Typically, a shorter key is used in private-key encryption.
- Thus a combination of both private- and public-key encryption is used in e-commerce transmissions.
- The combination of public- and private-key encryption is known as a digital envelope.

8. SSL Web Server Information

9. Secure HTTP (S-HTTP) Protocol
- It is an extension to the HTTP protocol that provides numerous security features such as:
  - Client and server authentication
  - Spontaneous encryption
  - Request/response nonrepudiation
- It provides symmetric and public-key encryption like SSL.
- It also uses a message digest (a hash number, or summary of the message as an integer) that is transmitted with the message for message integrity. So, if the message is changed during transmission, it will be detected.
- A secure digital envelope encapsulates a message and provides secrecy, integrity, and client/server authentication.

10. Ensuring Transaction Integrity
- Electronic commerce activities typically involve a client browser sending payment information, order information, and payment instructions to the commerce server, and the commerce server responding to the browser with an electronic confirmation of the order details.
- SSL provides security for message transmission, but an Internet interloper can still alter a message.
- A combination of techniques is used to create messages that are tamperproof and authenticated.
- First, a hash algorithm is applied to the message to obtain a hash value (message digest). This hash value is appended to the message and sent to the receiver. The receiver recalculates the hash value and compares it with the original one.
- But a hash algorithm is public, and anyone can intercept the message, recalculate the hash value, and retransmit the message. The receiver will calculate the same hash value.
- To prevent this type of fraud, the sender encrypts his/her message with a private key. An encrypted message digest is called a digital signature.

11. Ensuring Transaction Integrity (Figure 6-15)
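The integrity argument from slide 10, as an added example that is not part of the original presentation: a bare digest still verifies after an interceptor alters the message and rehashes it, while a digest transformed with the sender's private key does not. The RSA key is a toy built from two known Mersenne primes, and the order strings and function names are constructed for illustration.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes. Constructed for this
# demonstration only: far too small, and unpadded, for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # sender's private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """SHA-256 message digest as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def hash_check(message: bytes, received_digest: int) -> bool:
    """Receiver's check when only a bare digest accompanies the message."""
    return digest(message) == received_digest


def sign(message: bytes) -> int:
    """Sender transforms the digest with the private key: the signature."""
    return pow(digest(message), D, N)


def signature_check(message: bytes, signature: int) -> bool:
    """Receiver recovers the digest with the public key (E, N) and compares."""
    return pow(signature, E, N) == digest(message)


def run_demo() -> dict:
    order = b"order=1001;item=widget;total=25.00"   # constructed sample
    altered = b"order=1001;item=widget;total=2.50"  # changed in transit
    return {
        # Bare digest: whoever alters the message can recompute the digest.
        "bare_original": hash_check(order, digest(order)),
        "bare_altered_rehashed": hash_check(altered, digest(altered)),
        # Signed digest: the original signature no longer matches, and a new
        # one cannot be produced without the private key.
        "signed_original": signature_check(order, sign(order)),
        "signed_altered": signature_check(altered, sign(order)),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:24} accepted={accepted}")
```

Production systems use a vetted library with a padded signature scheme and full-size keys rather than raw modular exponentiation.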

12. Guaranteeing Transaction Delivery
- Neither encryption nor digital signatures protect packets from theft or slowdown.
- Transmission Control Protocol (TCP) is responsible for end-to-end control of packets.
- When it reassembles packets at the destination in the correct order, it handles all the details when packets do not appear.
- Every data packet sent by a TCP/IP client is confirmed by the TCP/IP receiver along with the size of the data packet.
- If a data packet seems to be lost, the TCP server requests that the client computer resend that particular data packet.

13. Protecting the Commerce Server
- Security of electronic commerce also involves protection of the electronic commerce server and associated servers.
- These include the commerce server, Web server, FTP server, mail server, remote login server, and the operating systems on the host machines.
- An FTP server facilitates delivery of soft goods (software) to consumers.
- E-mail servers handle electronic mail sent by a merchant and received from consumers.
- The Web server manages Web requests from consumers.
- A remote login server allows field personnel to remotely log on to the corporate computer to perform a variety of tasks.

14. Access control and authentication
- Controlling who and what has access to the server.
- Requests that the client send a certificate as part of authentication.
- Server checks the timestamp on the certificate to ensure that it hasn't expired. The server will reject an expired certificate and provide no further service.
- Can use a callback system in which the client computer address and name are checked against a list of usernames and assigned client computers.

15. Access control and authentication
- Usernames and passwords are the most common method of providing protection for the server.
- Usernames are stored in clear text, while passwords are encrypted.
- The password entered by the user is encrypted and compared to the one on file.
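The password check from slide 15, as an added example that is not part of the original presentation. The slide names no algorithm; this sketch assumes a salted one-way transformation (PBKDF2-HMAC-SHA256 from the Python standard library), and the function names, iteration count, and in-memory password file are illustrative.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

# Password file as the slide describes it: username in clear text, password
# kept only in transformed form. Entries: username -> (salt, derived key).
password_file = {}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt: equal passwords store differently
    password_file[username] = (salt, _derive(password, salt))


# Dummy record so an unknown username costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive("placeholder", _DUMMY_SALT)


def login(username: str, password: str) -> bool:
    salt, stored = password_file.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    # Transform the entered password the same way, then compare the two
    # transformed values in constant time; the clear password is never stored.
    candidate = _derive(password, salt)
    match = hmac.compare_digest(candidate, stored)
    return match and username in password_file
```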

16. Operating System Controls
- Most operating systems employ username and password authentication.
- The security of the Web server and other servers of an electronic commerce application can be integrated with the operating system security.

17. Windows Integrated Security for Internet Information Server (IIS)

18. Firewall
- A firewall provides a defense, sometimes the first line of defense, between a corporate network and the Internet.
- All corporate access to and from the Internet flows through the firewall.
- The network and computers being protected are inside the firewall, and any other network is outside.
- The networks inside the firewall are called trusted, whereas networks outside the firewall are called untrusted.
- In the TCP/IP protocol stack, a firewall works in the application layer. Thus, it provides a software solution.
- Firewalls are computers that have the following characteristics:
  - All traffic from inside to outside and outside to inside must pass through it.
  - Only authorized traffic is allowed to pass through it.
  - The firewall itself must be immune to penetration.

19. Firewall Computer
- A firewall computer should be stripped of any unnecessary software for security reasons.
- It should not be used for any other purpose.
- A firewall computer should not be administered remotely.

20. Classification of Firewalls
- Packet filters
  - Examine all packets flowing back and forth through the firewall.
- Gateway servers
  - Filter traffic based on the requested application, such as Telnet, FTP, and HTTP.
  - A gateway might permit incoming FTP requests, but not outgoing FTP requests.
  - A gateway might prevent employees inside a firewall from downloading any program from outside the firewall.
- Proxy servers
  - Communicate on behalf of the private network.
  - Serve as a huge cache for Web pages.

21. Check Point Software's Firewall-1 Web Page

