
1 CSC 330 E-Commerce
Teacher: Ahmed Mumtaz Mustehsan, GM-IT CIIT Islamabad
CIIT Virtual Campus, COMSATS Institute of Information Technology
T1-Lecture-10

2 T1-Lecture-10: E-Commerce Technology Solutions, Management Policies and Payment Systems
Chapter 04, Part II
Lecture material/slides courtesy of: Copyright © 2010 Pearson Education, Inc

3 Objectives
• Describe how various forms of encryption technology help protect the security of messages sent over the Internet.
• Identify the tools used to establish secure Internet communications channels.
• Identify the tools used to protect networks, servers, and clients.
• Appreciate the importance of policies, procedures, and laws in creating security.
T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc 1-3

4 Tools Available to Achieve Site Security (Figure 5.7, Page 287)

5 Encryption
• Transforms plaintext into ciphertext that can be read only by the parties holding the key (the intended sender and receiver)
• Secures stored information and information in transmission
• Provides 4 of the 6 key dimensions of e-commerce security:
1. Message integrity
2. Nonrepudiation
3. Authentication
4. Confidentiality
• Encryption by itself gives confidentiality; the other three come from the hash digests and digital signatures built on top of it (see slides 10 and 11)

6 Dimensions of E-commerce Security

7 Symmetric Key Encryption
• Sender and receiver use the same secret digital key to encrypt and decrypt the message
• Requires a separate shared key for each pair of communicating parties (ideally a fresh key per session), and that key must itself be delivered securely
• Strength of encryption
◦ Depends on the algorithm and on the length of the binary key used to encrypt the data
• Advanced Encryption Standard (AES)
◦ Most widely used symmetric key cipher
◦ Uses 128-, 192-, or 256-bit keys
• Other standards use keys of other lengths; the 2,048-bit keys often quoted belong to RSA public-key cryptography, not to symmetric ciphers

8 Public Key Encryption
• Uses two mathematically related digital keys
1. Public key (widely disseminated)
2. Private key (kept secret by owner)
• Either key can be used to encrypt, but whatever one key encrypts can be decrypted only with the other key of the pair
• For confidentiality, the sender uses the recipient's public key to encrypt the message; the recipient uses his or her private key to decrypt it

9 Public Key Cryptography: A Simple Case

10 Public Key Encryption Using Digital Signatures and Hash Digests
• Hash function:
◦ Mathematical algorithm that produces a fixed-length number called a message digest or hash digest; any change to the message changes the digest
• The hash digest is sent to the recipient along with the message, so the recipient can recompute it and verify integrity
• The sender signs the hash digest with his or her private key, creating the digital signature; the recipient checks it with the sender's public key. Because only the holder of the private key could have produced it, this gives authenticity and nonrepudiation
• For confidentiality, the message and its signature are then encrypted with the recipient's public key (or placed in a digital envelope, slide 12)

11 Public Key Cryptography with Digital Signatures (Figure 5.9, Page 291)

12 Digital Envelopes
• Addresses weaknesses of:
◦ Public key encryption: computationally slow, so encrypting whole documents with it decreases transmission speed and increases processing time
◦ Symmetric key encryption: the shared key has to be delivered over insecure transmission lines
• Uses symmetric key encryption (e.g. AES) with a one-time session key to encrypt the document
• Uses public key encryption with the recipient's public key to encrypt the session key, which is sent along with the document

13 Creating a Digital Envelope (Figure 5.10, Page 293)
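The signature scheme of slide 10 and the envelope of slide 12 fit together in one short program. The following is an added example written for this transcript, not code from the lecture or from the Pearson text. Everything in it is a teaching toy: "textbook" RSA with no padding, key pairs built from Mersenne primes so that no prime generation is needed (and so the moduli are trivially factorable), and a SHA-256 keystream standing in for AES. The party names, the sample order text and the key constants are all constructed. Real systems use a vetted library (RSA-OAEP/PSS or Ed25519 for signatures, AES-GCM for the bulk cipher).

```python
"""Digital signature over a hash digest, plus a digital envelope (slides 10 and 12).

Added example, not part of the lecture. Toy RSA (no padding, Mersenne-prime
keys) and a SHA-256 keystream instead of AES: for illustration only.
"""
import hashlib
import secrets

E = 65537  # conventional RSA public exponent


def keygen(p: int, q: int, e: int = E):
    """Textbook RSA key generation from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Constructed key pairs. Mersenne primes are used only so the example is
# deterministic and needs no prime generation; never do this for real keys.
ALICE_PUB, ALICE_PRIV = keygen(2**521 - 1, 2**607 - 1)    # the sender
BOB_PUB, BOB_PRIV = keygen(2**1279 - 1, 2**127 - 1)       # the recipient


def hash_digest(message: bytes) -> bytes:
    """Fixed-length (256-bit) digest; any change to the message changes it."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest 'encrypted' with the sender's private key."""
    n, d = private_key
    h = int.from_bytes(hash_digest(message), "big")  # 256-bit value, well below n
    return pow(h, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the sender's public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hash_digest(message), "big")


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || block counter).
    Symmetric, so the same call encrypts and decrypts. Acceptable here only
    because every envelope uses a fresh random session key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal_envelope(message: bytes, recipient_pub, sender_priv) -> dict:
    """Digital envelope: symmetric encryption of the document, public-key
    encryption of the one-time session key, plus the sender's signature."""
    session_key = secrets.token_bytes(32)
    n, e = recipient_pub
    return {
        "ciphertext": keystream_cipher(session_key, message),
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "signature": sign(message, sender_priv),
    }


def open_envelope(envelope: dict, recipient_priv, sender_pub) -> bytes:
    """Unwrap the session key, decrypt, then check integrity and origin."""
    n, d = recipient_priv
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(32, "big")
    message = keystream_cipher(session_key, envelope["ciphertext"])
    if not verify(message, envelope["signature"], sender_pub):
        raise ValueError("signature check failed: altered in transit or not from sender")
    return message


def demo() -> bytes:
    order = b"Order #1042: 2 x widget, total PKR 3,500"  # constructed sample
    env = seal_envelope(order, BOB_PUB, ALICE_PRIV)
    return open_envelope(env, BOB_PRIV, ALICE_PUB)


if __name__ == "__main__":
    print(demo().decode())
```

Two points the slides leave implicit are visible in the code: the signature covers the digest, not the whole document, so the expensive public-key operation runs on 32 bytes regardless of document size; and the recipient decrypts first and only then verifies, so a single flipped ciphertext byte changes the recovered message, the recomputed digest no longer matches, and the envelope is rejected rather than silently accepted.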

14 Digital Certificates and Public Key Infrastructure (PKI)
• Digital certificate includes:
◦ Name of subject/company
◦ Subject's public key
◦ Digital certificate serial number
◦ Expiration date, issuance date
◦ Digital signature of the certification authority (CA), the trusted third-party institution that issues the certificate
• Public Key Infrastructure (PKI): CAs and digital certificate procedures that are accepted by all parties

15 Digital Certificates and Certification Authorities (Figure 5.11, Page 294)

16 Limits to Encryption Solutions
• Does not protect the storage of the private key
◦ PKI is not effective against insiders and employees who legitimately hold keys
◦ Protection of private keys by individuals may be haphazard (a key may be stolen from a laptop or desktop)
• No guarantee that the merchant's verifying computer is secure
• CAs are largely unregulated, self-selecting organizations

17 Securing Channels of Communication
• Secure Sockets Layer (SSL), since superseded by Transport Layer Security (TLS): establishes a secure, negotiated client-server session in which the URL of the requested document, along with its contents, is encrypted
• S-HTTP: a secure message-oriented communications protocol designed for use in conjunction with HTTP; it saw little adoption compared with SSL/TLS
• Virtual Private Network (VPN): allows remote users to securely access an internal network via the Internet, e.g. using the Point-to-Point Tunneling Protocol (PPTP). PPTP's MS-CHAPv2 authentication has since been shown to be weak, and current VPNs use IPsec or TLS-based protocols instead

18 Secure Negotiated Sessions Using SSL

19 Protecting Networks
• Firewall
◦ Hardware or software that filters packets
◦ Prevents some packets from entering the network, based on the security policy (normally: deny everything the policy does not explicitly allow)
◦ Two main methods:
1. Packet filters: decide on the source/destination address, protocol and port of each packet
2. Application gateways: inspect the application-layer conversation itself (e.g. the HTTP request), not just addresses and ports
• Proxy servers (proxies)
◦ Software servers that handle all communications originating from or being sent to the Internet on behalf of the internal clients

20 Firewalls and Proxy Servers

21 Protecting Servers and Clients
• Operating system security enhancements
◦ Upgrades, patches
• Anti-virus software
◦ Easiest and least expensive way to prevent threats to system integrity
◦ Requires daily (ideally automatic) signature updates to stay effective

22 Management Policies, Business Procedures, and Public Laws
• Managing risk includes
◦ Technology
◦ Effective management policies
◦ Public laws and active enforcement
• U.S. firms and organizations spend about 12% of their IT budgets on security hardware, software, and services ($120 billion in 2009)

23 A Security Plan: Management Policies
• Perform a risk assessment
• Develop a security policy
• Develop an implementation plan
• Create a security organization
◦ Access controls
◦ Authentication procedures, including biometrics
◦ Authorization policies, authorization management systems
• Perform a security audit

24 Developing an E-commerce Security Plan

25 The Role of Laws and Public Policy
• Laws that give authorities tools for identifying, tracing, and prosecuting cybercriminals:
◦ The Ministry of Information Technology (MoIT) has finalized a draft proposal to make provision for the prevention of electronic crimes in the country. The Act is named the Prevention of Electronic Crimes Act, 2014.
• The IT Policy of Pakistan covers:
◦ Multimedia Convergence Act
◦ Electronic Government Act
◦ Electronic Commerce Act
◦ Protection of privacy, security, and confidentiality
◦ Legislation and regulations
◦ Digital Signature Act
◦ Computer Crimes Act

26 Types of Traditional Payment Systems
• Cash
◦ Most common form of payment in terms of number of transactions
◦ Instantly convertible into other forms of value without intermediation
• Payment through check transfer
◦ Second most common payment form in the United States in terms of number of transactions
• Credit card
◦ Credit card associations (Visa and MasterCard)
◦ Issuing banks
◦ Processing centers

27 Types of Traditional Payment Systems
• Stored value
◦ Funds deposited into an account, from which funds are paid out or withdrawn as needed, e.g., debit cards, gift certificates, prepaid cards
◦ Peer-to-peer payment systems
• Accumulating balance
◦ Accounts that accumulate expenditures and to which consumers make periodic payments
◦ Examples: utility bills, phone bills, American Express accounts

28 Table 5.6, Page 312. Source: Adapted from MacKie-Mason and White, 1996.

29 E-commerce Payment Systems
• Credit cards: 55% of online payments in 2009
• Debit cards: 28% of online payments in 2009
• Limitations of online credit card payment
◦ Security: limited protection for both customer and merchant
◦ Cost:
▪ almost no cost to the customer if the balance is paid on time;
▪ the merchant pays about 3.5% to the bank, and using an intermediary such as PayPal adds a further 1 to 1.5%

30 How an Online Credit Card Transaction Works

31 E-commerce Payment Systems
• Digital wallets
◦ Emulate the functionality of a wallet by authenticating the consumer, storing and transferring value, and securing the payment process from consumer to merchant
◦ Early efforts to popularize them failed
◦ Newest effort (as of the 2010 text): Google Checkout
• Digital cash
◦ Value storage and exchange using tokens
◦ Most early examples have disappeared; protocols and practices were too complex

32 E-commerce Payment Systems
• Online stored value systems
◦ Based on value stored in a consumer's bank, checking, or credit card account
◦ PayPal, smart cards
• Digital accumulated balance payment
◦ Users accumulate a debit balance for which they are billed at the end of the month
• Digital checking
◦ Extends the functionality of existing checking accounts for use online

33 Wireless Payment Systems
• Use of mobile handsets as payment devices is well established in Europe, Japan, and South Korea
• Japanese mobile payment systems
◦ E-money (stored value)
◦ Mobile debit cards
◦ Mobile credit cards
• Not as well established yet in the United States
◦ Majority of purchases are digital content for use on the cell phone

34 Is your smartphone secure?
• All mobile users carry their private data with them
• Many free applications are built to harvest information from smartphones
• These applications can steal pictures, passwords, bank account details, etc.
• Smartphones are susceptible to browser-based malware

35 The Players: Hackers, Crackers, and Attackers
• The original hackers created the Unix operating system and helped build the Internet, Usenet, and the World Wide Web, and used their skills to test the strength and integrity of computer systems
• Over time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks
• Underground hacker communities:
◦ http://www.defcon.org/
◦ http://www.blackhat.com/
◦ http://www.2600.com/

36 The Players: Hackers, Crackers and Attackers (continued)
• Uber haxor
◦ Wizard Internet hackers
◦ Highly capable attackers
◦ Responsible for writing most of the attack tools
• Crackers
◦ People who engage in unlawful or damaging hacking (short for "criminal hacker"), including cracking software keys and protections for piracy
• Other attackers
◦ "Script kiddies" are ego-driven, unskilled crackers who use information and software (scripts) downloaded from the Internet to inflict damage on targeted sites
◦ Scorned by both the law enforcement and hacker communities

37 Script Kiddies
1. [very common] The lowest form of cracker; script kiddies do mischief with scripts and rootkits written by others, often using tools without understanding.
2. People with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems. Since most of these tools are fairly well-known by the security community, the adverse impact of such actions is usually minimal.
3. People who cannot program themselves, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does.
References:
http://www.catb.org/jargon/html/S/script-kiddies.html
http://www.tamingthebeast.net/articles/scriptkiddies.htm

38 End of T1-Lecture-10: E-Commerce Technology Solutions, Management Policies and Payment Systems
Chapter 04, Part II
Thank You
