E-Commerce Security and Authentication Details Jerry Post


1 E-Commerce Security and Authentication Details Jerry Post
Westgate Management Development Center Eberhardt School of Business University of the Pacific

2 E-Commerce Transaction Issues
Customer Perspective:
  Assurance of delivery
  Product specification
  Price
  Quantity
  Accounting and auditing
  Anonymity (occasional)
  Privacy
Merchant Perspective:
  Assurance of payment
  Validity of orders, non-repudiation
  Accounting and auditing
  Customer relationship management (CRM)
Government Perspective:
  Financial statements
  Taxable transactions
  Identify and track fraud
  Track money (drugs, terrorists, etc.)

3 E-Commerce Security Issues
Unauthorized changes to site
Unauthorized theft of data (e.g., credit cards)
Interception of transmission
Stolen credit cards: identity of consumer
Fraudulent sites, spoofing: identity of merchant
Physical site threats (fire, etc.)
Employee/Insider threats

4 E-Commerce Threat Points
[Diagram labels: Customer; Merchant Server; Products; Purchase choice; Credit Card data; Intercept or change data; False Site; Fraudulent merchant; False consumer; Stolen card; Outside attack on server; Insider fraud on purchases or sales; Stolen shipments]

5 Encryption
Single key encryption
Data Encryption Standard (DES):
  IBM 1960s
  56-bit
  Brute force attack
  RSA contest: < 24 hours in 1999
Key management and distribution is a major problem
Algorithm is fast
Encrypted transmissions are always slower—more random data
[Diagram labels: Plain text message; DES; Key:; Encrypted text; Single key: e.g., DES; Encrypted text; DES; Key:; Plain text message]

6 Dual-key Encryption
[Diagram labels: Alice; Bob; Message; Encrypted; Message; Public Keys; Private Key 13; Use Bob’s Private key; Private Key 37; Use Bob’s Public key]
Alice sends message to Bob that only he can read.
Brute force attack prevented by length of key: 40 digits is too small, standard is 128 digits.

7 Dual key: Authentication
[Diagram labels: Message; Transmission; Message; Encrypt+T+M; Encrypt+M; Encrypt+T; Alice; Bob; Private Key 13; Private Key 37; Public Keys: Alice 29, Bob 17; Use Alice’s Private key; Use Bob’s Private key; Use Alice’s Public key; Use Bob’s Public key]
Bob sends message to Alice: His key guarantees it came from him. Her key prevents anyone else from reading message.
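
The two-layer exchange on slide 7, worked through as an added example that is not part of the original presentation: Bob applies his private key for authenticity, then Alice's public key for confidentiality. It uses textbook RSA with constructed toy primes and no padding; reusing the slide's public-key labels 17 and 29 as exponents is an assumption, and all function names are hypothetical.

```python
# Added illustration: textbook RSA, tiny constructed primes, no padding.
# Production systems use keys of 2048 bits or more with OAEP/PSS padding.

def make_key(p: int, q: int, e: int) -> dict:
    """Build a toy key pair; d (private exponent) inverts e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

# Constructed keys; exponents 17 and 29 borrow the slide's public-key labels.
BOB = make_key(101, 113, 17)    # n = 11413
ALICE = make_key(127, 131, 29)  # n = 16637 > Bob's n, so his signature fits

def bob_sign(order: int) -> int:
    """Bob's private key: only he can produce this value (authenticity)."""
    return pow(order, BOB["d"], BOB["n"])

def bob_send(order: int) -> int:
    """Sign first, then wrap with Alice's public key (confidentiality)."""
    return pow(bob_sign(order), ALICE["e"], ALICE["n"])

def alice_receive(wire: int) -> int:
    """Alice's private key removes the outer layer, Bob's public key the inner."""
    signature = pow(wire, ALICE["d"], ALICE["n"])
    return pow(signature, BOB["e"], BOB["n"])

def verify_from_bob(claimed_order: int, signature: int) -> bool:
    """A signature is valid only for the exact order Bob signed."""
    return pow(signature, BOB["e"], BOB["n"]) == claimed_order

if __name__ == "__main__":
    wire = bob_send(5983)  # 5983 is the sample order value used on the slides
    print("on the wire:", wire)
    print("Alice recovers:", alice_receive(wire))
    print("altered order accepted:", verify_from_bob(5984, bob_sign(5983)))
```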

8 Digital Signature
5983 Plain Text Order
Message hash (CRC check bytes)
Encrypt hash with private key
  Signature is unique to document, cannot be reused
  Can be time-stamped
Encrypt order with merchant’s public key
Transmit
  It cannot be read or changed
  It can be lost or deleted
Recipient decrypts document and verifies authenticity
5983
  Simple hash: = 25
  Better: row hash and column hash
  Best: Cyclic Redundancy Check: polynomial
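
The hash ladder on slide 8, as an added example (not from the original presentation; function names and sample orders are constructed). It shows the digit-sum hash missing a transposed order number, CRC-32 catching it, and why a signature should still cover a cryptographic digest such as SHA-256: CRC values of related messages combine predictably under XOR, so a CRC guards against accidents, not deliberate changes.

```python
import hashlib
import zlib

def digit_sum(msg: bytes) -> int:
    """The slide's 'simple hash': add the decimal digits (5+9+8+3 = 25)."""
    return sum(b - 48 for b in msg if 48 <= b <= 57)

def crc32(msg: bytes) -> int:
    """Cyclic redundancy check: remainder of a polynomial division."""
    return zlib.crc32(msg)

def sha256(msg: bytes) -> int:
    """Cryptographic digest, returned as an integer so it can be XORed."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def detects_swap(digest) -> bool:
    """Does the digest change when two digits of the order are transposed?"""
    return digest(b"5983") != digest(b"5938")

def xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))

def xor_predictable(digest, a: bytes, b: bytes, c: bytes) -> bool:
    """True if digest(a^b^c) can be computed from the three digests alone.

    That holds for CRCs over equal-length inputs, which is why a CRC cannot
    stand in for the hash inside a digital signature.
    """
    return digest(xor3(a, b, c)) == digest(a) ^ digest(b) ^ digest(c)

# Constructed sample orders, all the same length.
A = b"ORDER 5983 QTY 01"
B = b"ORDER 5938 QTY 01"
C = b"ORDER 5983 QTY 99"

if __name__ == "__main__":
    for name, fn in (("digit sum", digit_sum), ("CRC-32", crc32), ("SHA-256", sha256)):
        print(f"{name:9} detects transposition: {detects_swap(fn)}")
    print("CRC-32 predictable under XOR: ", xor_predictable(crc32, A, B, C))
    print("SHA-256 predictable under XOR:", xor_predictable(sha256, A, B, C))
```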

9 Encryption Solutions
Rivest-Shamir-Adleman (RSA: company)
U.S. patent on common dual-key method (expires soon)
Used by browsers and most security systems
Correctly implemented, it solves most problems:
  Transmission cannot be intercepted or changed
  Customer is authenticated
  Order cannot be repudiated or altered
  If merchant re-encrypts and stores data, it cannot be stolen

10 Dual-Key Authentication Issues
How to distribute and verify the public keys?
People are authenticated based on public key.
How to stop someone from registering a public key in your name?
How to validate the public key server?
Spoofing: false server or key list
[Diagram labels: Alice 13; Bob 17; Impersonation]

11 Digital Certificates
Almost any server can generate digital keys
  Can use it “in-house” to reduce costs
  But how do you know which servers to trust?
Some government agencies generate certificates, but not for commercial use.
Now, one commercial company: Verisign
  Merchant certificate is “required” for encryption
  Consumers can purchase certificates
Verify identity
  Merchants: DUNS number and some options
  Consumers: levels, Notary public; but no one registers

12 User Identification
Merchant authentication:
  Merchants generally register with Verisign
  Merchants almost always register with credit card, merchant bank
  Consumers are protected by credit card rules
Consumer authentication:
  No one registers with Verisign
  All authentication is handled by credit card
  Can verify card number, expiration date, address online
  Can get online test of cards reported stolen or invalid

13 Consumer Authentication
Purchases:
  Credit card is the best we can do right now
  Merchant is still at risk
  International sales are dangerous, so most merchants will not accept them

14 Individual Identification
Username and password:
  Have to find a way to get them to the correct person
  Have to handle forgotten passwords
  Could use a billing number, but need to randomize them
Credit card:
  Not everyone has a card
  Some are not willing to give the number
SSN:
  Too easily found or forged
  Restrictions on government use
Digital certificate/signature:
  Individuals unwilling to pay
  Need infrastructure
IP Address:
  Not always unique
  Can be spoofed

15 Biometrics
Many new devices:
  Fingerprint, handprint readers
  Iris scanners
  Infrared scanners
Cost is reasonable ($100-$500)
Hard to use for external identification:
  No standard devices
  No standard software, authentication scheme

16 Identity Solution?
Determine the level of identification you need for each application:
  Absolute identity (digital signature)
  Best test of documents (e.g., credit card)
  Reasonably certain (e.g., billing ID number)
  Open to public
Examples:
  Sales: Best test of documents
  Car registration (DMV): Absolute identity
  Check water bill: Reasonably certain

17 Escrow Keys: Government
Developed by the NSA, the federal government tried to force the use of escrow keys for all encryption, but mostly for digital cell phones.
[Diagram labels: Decrypted conversation; Escrow keys; Judicial or government office; Intercept; Encrypted conversation; Clipper chip in phones]

18 Encryption Issues
Transmission speed drops enormously
Encryption/decryption takes processor time; can purchase hardware solution: nCipher
You must protect the private key, which is hard when someone steals a laptop
In a civil suit, you will be forced to decrypt any data requested
Federal government actively breaks encryption for criminal cases (when possible)
You still have to trust your employees

19 Security Best Practices
Limit access to hardware:
  Physical locks
  Video monitoring
  Fire and environment monitors
  Employee logs / cards
Monitor usage:
  Hardware logs
  Access failures/attacks
  Software and data usage
Background checks:
  Employees
  Consultants
Backups!
Encrypt sensitive data:
  Transmissions
  Storage
Assign access rights
Protect disposal of data
Disaster planning
Virus protection:
  Backups
  Anti-virus software limited value
  Only run trusted software

20 Digital Cash
[Diagram labels: Trusted Party; Bank; Vendor (data); Consumer; Conversion to “real” money]
Customer chooses product, sends ID or digital cash number.
NetBill (1) Price, product decryption key, customer code are sent to third party.
NetBill (2) Accounts are debited and credited. Product key is sent to customer.
Digital Cash (A) Consumer purchases a cash value that can be used only once.
Digital Cash (B) “Cash” amount is verified and added to vendor account.

21 Digital Cash
Goals:
  Lower transaction costs (affordable to $0.25?)
  Merchant and consumer protection
  Anonymity, non-traceable
Requirements:
  Conversion to/from real world cash
  Trusted third-party
  Customer uses digital wallet
Some technologies in use today, but limited acceptance by consumers

22 Secure Electronic Transactions (SET)
Current usage is known as Secure Sockets Layer (SSL):
  Vendor handles security using Verisign
  Encryption is one-way (consumer to vendor)
  No authentication
SET specifies steps to ensure strong security in entire process
SET requires consumers to obtain digital certificates, digital signatures
Consumers show limited enthusiasm

23 Anonymity
Computers all have an IP Address:
  Every computer on the Internet must have an IP address (number) so that messages are sent/returned correctly.
  Many IP addresses can be traced back to a specific user.
  A few ISPs use dynamic IP assignment, so it is not always possible to identify the exact person.
  Computer labs and libraries are often open to the public and do not track individual usage.
Anonymity Servers:
  Church of Scientology dispute: forced server operator in Denmark to release records.
  Zero-Knowledge in Canada is new with a strong assurance of anonymity: for $50/year.

24 Server and Network Monitoring
Customer evaluation
Web site usability evaluation
Load evaluation (time of day, month, etc.)
Network performance
Security threats

25 Network & Server Stats: MRTG
Free download:

26 Web Log Analyzer: SurfStats
Cost: $90
Reports: Site activity; Clients; File/Pages; Browsers; Referers; Errors

27 Server Monitor (Win 2000)
Free, continuous monitoring plus alerts, choose hundreds of variables. Particularly good for monitoring processor and memory.

