1. Implementing Security for Electronic Commerce

2. Protecting Electronic Commerce Assets
You cannot hope to produce secure commerce systems unless there is a written security policy
What assets are to be protected
What is needed to protect those assets
Analysis of the likelihood of threats
Rules to be enforced to protect those assets

3. Protecting Electronic Commerce Assets
Both defense and commercial security guidelines state that you must protect assets from
Unauthorized disclosure
Modification
Destruction
Typical security policy concerning confidential company information
Do not reveal company confidential information to anyone outside the company

4. Minimum Requirements for Secure Electronic Commerce
Figure 6-1

5. Protecting Intellectual Property
The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works

6. Companies Providing Intellectual Property Protection Software
ARIS Technologies (part of verance.com)
Digital audio watermarking systems
Embedded code in audio file uniquely identifying the intellectual property
Digimarc Corporation
Watermarking for various file formats
Controls software and playback devices

7. Companies Providing Intellectual Property Protection Software
SoftLock Services
Allows authors and publishers to lock files containing digital information for sale on the Web
Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing
Digitalgoods.com
infrastructure and integrated services necessary to securely market and distribute multimedia digital content to its maximum audience

8. Protecting Client Computers
Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
Threats can hide in
Web pages
Downloaded graphics and plug-ins
attachments

9. Protecting Client Computers
Cookies
Small pieces of text stored on your computer and contain sensitive information that is not encrypted
Anyone can read and interpret cookie data
Do not harm client machines directly, but potentially could still cause damage
Misplaced trust
Web sites that aren’t really what they seem and trick the user into revealing sensitive data

10. Digital Certificates Also known as a digital ID
An attachment to an message
Embedded in a Web page
Serves as proof that the holder is the person or company identified by the certificate
Encoded so that others cannot read or duplicate it

11. VeriSign -- A Certification Authority
Figure 6-3

12. VeriSign Oldest and best-known Certification Authority (CA)
Offers several classes of certificates
Class 1 (lowest level)
Bind address and associated public keys
Class 4 (highest level)
Apply to servers and their organizations
Offers assurance of an individual’s identity and relationship to a specified organization

13. Structure of a VeriSign Certificate
Figure 6-4

14. Microsoft Internet Explorer
Provides client-side protection right inside the browser
Reacts to ActiveX and Java-based content
Authenticode verifies the identity of downloaded content
The user decides to ‘trust’ code from individual companies

15. Security Warning and Certificate Validation
Figure 6-5

16. Internet Explorer Zones and Security Levels
Figure 6-6

17. Internet Explorer Security Zone Default Settings
Figure 6-7

18. Netscape Navigator
User can decide to allow Navigator to download active content
User can view the signature attached to Java and JavaSript
Security is set in the Preferences dialog box
Cookie options are also set in the Preferences dialog box

19. Setting Netscape Navigator
Preferences

20. A Typical Netscape Navigator
Java Security Alert
Figure 6-9

21. Viewing a Content Provider’s Certificate
Figure 6-10

22. Dealing with Cookies Can be set to expire within 10, 20, or 30 days
Retrievable only by the site that created them
Collect information so that the user doesn’t have to continually enter usernames and passwords to access Web sites
Earlier browsers simply stored cookies without comment
Today’s browsers allow the user to
Store cookies without permission or warning
Receive a warning that a cookie is about to be stored
Unconditionally disallow cookies altogether

23. Protecting Electronic Commerce Channels
Protecting assets while they are in transit between client computers and remote servers
Providing channel security includes
Channel secrecy
Guaranteeing message integrity
Ensuring channel availability
Authentication

24. Providing Transaction Privacy
Encryption
The coding of information by using a mathematically based program and secret key to produce unintelligible characters
Steganography
Makes text invisible to the naked eye
Cryptography
Converts text to strings that appear to have no meaning

25. Encryption 40-bit keys are considered minimal,128-bit keys provide
much more secure encryption
Encryption can be subdivided into three functions
Hash Coding
Calculates a number from any length string
Asymmetric (Public-key) Encryption
Encodes by using two mathematically related keys
Symmetric (Private-key) Encryption
Encodes by using one key, both sender and receiver must know

26. Hash Coding, Private-key, and Public-key Encryption
Figure 6-11

27. Significant Encryption Algorithms and Standards
Figure 6-12

28. Guaranteeing Transaction Delivery
Neither encryption nor digital signatures protect packets from theft or slowdown
Transmission Control Protocol (TCP) is responsible for end-to-end control of packets
TCP requests that the client computer resend data when packets appear to be missing

29. Protecting the Commerce Server
Access control and authentication
Controlling who and what has access to the server
Requests that the client send a certificate as part of authentication
Server checks the timestamp on the certificate to ensure that it hasn’t expired
Can use a callback system in which the client computer address and name are checked against a list

30. Protecting the Commerce Server
Usernames and passwords are the most common method of providing protection for the server
Usernames are stored in clear text, while passwords are encrypted
The password entered by the user is encrypted and compared to the one on file

31. Logging On With A Username And Password
Figure 6-16

32. Operating System Controls
Most operating systems employ username and password authentication
A common defense is a firewall
All traffic from inside to outside and outside to inside must pass through it
Only authorized traffic is allowed
The firewall itself must be immune to penetration

33. Firewalls Should be stripped of any unnecessary software
Categories of firewalls include
Packet filters
Examine all packets flowing through the firewall
Gateway servers
Filter traffic based on the requested application
Proxy servers
Communicate on behalf of the private network
Serve as a huge cache for Web pages

34. Firewalls ftp: 21 OSI ftp: 21 telnet: 23 smtp: 25 http: 80 Site 1
Traffic Cop
Internet
Site 1
ftp: 21
Site 2
OSI
ftp: 21
Application
telnet: 23
Presentation
Session
smtp: 25
Transport
Network
Data Link
http: 80
Physical

35. Check Point Software’s Firewall-1 Web Page
Figure 6-17