Download presentation
Presentation is loading. Please wait.
Published byJaida Bodin Modified over 9 years ago
1
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Non Technical Security Systems The user (client) can be given the possibility of placing an order without credit card details and the Internet merchant then simply contacts the user by telephone to obtain the details. The user can be given the possibility of placing an order without credit card details and the user prints the order form and after printing, fills out the credit card details and faxes the order to the Internet merchant.
2
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 The Parties to an E-Commerce Transaction The Parties to an E-Commerce Transaction The User/Card Holder : the person wishing to purchase on-line The Merchant : the company wishing to sell on-line The Acquirer : the merchants financial institution, usually their Bank The Issuer : the credit card company that issued the users card The Certification Authority : a neutral third party authority that issues certificates to the merchant, the issuer and in some cases the cardholder
3
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Areas of Internet Security It is important before considering the issue of Internet security to be clear as what particular security issue is being discussed. 1. Communications Security 2. Server Security 3. Transactional Security
4
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Communications Security One aspect is security in the transfer of information over the Internet and to insure that sensitive information such as credit card details cannot be intercepted. Such interception can give rise to the following: 1. Third parties can obtain credit card details for use elsewhere 2. Third parties can modify communication for example to have goods shipped to another address 3. Third parties can obtain confidential commercial information with regard to transactions, for example the identity of customers and the amount purchased of a particular product
5
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Server Security The server (the machine that contains the commerce site) can be subject to being ‘cracked’ by third party and this can lead to the following: 1. The possibility that third parties can obtain confidential commercial information with regard to transactions that have taken place, for example the identity of customers and the amount purchased of a particular product 2. That the service can be disrupted 3. That the information held on the server can be destroyed 4. In the case of an integrated Internet/Intranet that users can breach the companies firewall
6
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Transactional Security Here the concern is: 1. Third parties can impersonate a user/cardholder to send spurious fraudulent orders 2. Dispatched goods are not paid for 3. The Merchant can take payment but not ship the goods
7
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Security Solutions The Internet specific dangers can be divided into three classes, one class attacks the connection between the user and the merchant where the attacke either monitors the network traffic or modifies the network traffic. The second class of attacks targets the merchant’s server itself. The third are the transactional dangers, as in is the card valid is the user really the card holder, etc.
8
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Communications Security It is technically possible to obtain credit card information interactively from the Internet in a similar manner to bugging a phone but it is extremely difficult to do. Some time ago a group of French students using a mainframe University computer managed to acquire credit card details from the Internet after a number of days. However it should be born in mind that had they gone to their local supermarket and looked in the wastepaper bin they could obtain the same information. The dangers are in fact more perceived than real. However whether or not these fears are well founded they have to be addressed if e-commerce is to realize its potential. There are a number of encryption systems in use at present to insure that information transversing the Internet is not accessible to third parties. The most common system presently in use is SSL.
9
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Server Security Whatever type of server used the merchant should adopt a procedure program to minimize the damage should the servers security be compromised or indeed should the servers hard disk be destroyed. –The merchant should backup the information held on the server regularly to an off-line machine or to tape. In this way any disaster can be quickly overcome. –The merchant should insure that the server holds no unnecessary information such as customer lists or sales records. In this way in the unlikely event that the server security is breached the damage that can be done can be quickly repaired and there is no confidential information available to the attacker.
10
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Transactional Security There are a number of systems currently available to address this issue. These solutions are often referred to as payment gateways. This involves the e-commerce system sending a request to an outside source to obtain confirmation that the credit card details of the user are correct and that the funds are available. When the goods are shipped the e-commerce system sends a further request to the payment gateway for the funds to be credited to the merchants account. In this way the merchant's concerns and the acquirers concerns are largely addressed. SET (Secure Electronic Transactions) is a new payment protocol which can be expected to become more popular in the next year. SET cannot be considered as an application it is rather a protocol that developers will use in developing payment gateways.
11
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Security & The Web Server Authentication Client are confident about servers they are communicating with. Privacy Using Encryption Client conversation with the server is private. Data Integrity Clients’ conversations cannot be tampered or interfered with.
12
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Categories of Internet Data and Transactions Public Data No security restrictions and can be read by anyone. Such data should be protected from unauthorized tampering or modification, however, because a reader may perform damaging actions on its content. Copyright Data Copyrighted but not secret. The owner of data is willing to provide it but wishes to ensure that the user has paid for it. The objective is to maximize revenue and security. Confidential Data Secret but whose existence is not a secret. Such data include bank account statements, personal files, and the like. Such material may be referenced by public or copyright data. Secret Data Such data might include algorithms. It is necessary to monitor and log all access to secret data.
13
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 WWW-Based Security Schemes Secure HTTP [S-HTTP] A revision of HTTP that will enable the incorporation of various cryptographic message formats, such as DSA and RSA standards, into both the web client and the server; most of the security implementation will take place at the protocol Security Socket Layer [SSL] Uses RSA security to wrap security information around TCP/IP-based protocols. This implementation, while different from S-HTTP, accomplishes the same task. The benefit of SSL over S-HTTP is that SSL is not restricted to HTTP, but can also be used for security for FTP and TELNET, among other Internet services Shen (sponsored by W3 consortium) A non-commercial security. Similar to S-HTTP.
14
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Basic Authentication Features Programs that allow a sender and a receiver to communicate in a way that does not allow third parties to read them and that certify that senders are really who they claim to be For e-commerce application, strong authentication and message integrity are necessary
15
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Secure Socket Layer [SSL] Main champion: Netscape Communications Netscape Commerce Server Provides data encryption server authentication message integrity client authentication for TCP/IP (optional) Fully encrypts HTTP request HTTP response URL requested submitted form contents HTTP authorization information data returned from server to client
16
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 Secure HTTP [S-HTTP] Proposed by CommerceNet (a coalition of businesses interested in developing Internet- based EC) Only works with HTTP Ensures message protection by providing signature methods authentication methods integrity methods encryption methods
17
Magister Manajemen Sistem Informasi Transactions Security Non Technical Slides prepared by Tb. Maulana Kusuma, Universitas Gunadarma Communications Server Transactional The Parties Universitas Gunadarma Back to Master Slide Areas Security Solutions Security & The Web Communications Server Transactional Categories Security Schemes Authentication Secure Socket S-HTTP Shen Internet dan Jaringan Komputer - Universitas Gunadarma 2006 ShenShen Proposed by CERN High level replacement for existing HTTP Not currently implemented by any browser or server vendor Indications are that the proposal may be, for all purposes, dead
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.