1. 1 6 Chapter 6 Implementing Security for Electronic Commerce

2. 2 6 Objectives u Security measures that can reduce or eliminate intellectual property theft u Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages u Authenticate users to servers and authenticate servers

3. 3 6 Objectives u Available protection mechanisms to secure information sent between a client and a server u Message integrity security, preventing another program from altering information as it travels across the Internet

4. 4 6 Objectives u Safeguards that are available so commerce servers can authenticate users u Protecting intranets with firewalls and corporate servers against being attacked through the Internet u The role Secure Socket Layer, Secure HTTP and secure electronic transaction protocols play in protecting e-commerce

5. 5 6 Protecting Electronic Commerce Assets u You cannot hope to produce secure commerce systems unless there is a written security policy l What assets are to be protected l What is needed to protect those assets l Analysis of the likelihood of threats l Rules to be enforced to protect those assets

6. 6 6 Protecting Electronic Commerce Assets u Both defense and commercial security guidelines state that you must protect assets from l Unauthorized disclosure l Modification l Destruction u Typical security policy concerning confidential company information l Do not reveal company confidential information to anyone outside the company

7. 7 6 Minimum Requirements for Secure Electronic Commerce Figure 6-1

8. 8 6 Protecting Intellectual Property u The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works u Intellectual Property Protection in Cyberspace recommends: l Host name blocking l Packet filtering l Proxy servers

9. 9 6 Companies Providing Intellectual Property Protection Software u ARIS Technologies l Digital audio watermarking systems u Embedded code in audio file uniquely identifying the intellectual property u Digimarc Corporation l Watermarking for various file formats l Controls software and playback devices

10. 10 6 Companies Providing Intellectual Property Protection Software u SoftLock Services l Allows authors and publishers to lock files containing digital information for sale on the Web l Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing

11. 11 6 SoftLock Services Home Page Figure 6-2

12. 12 6 Protecting Client Computers u Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers u Threats can hide in l Web pages l Downloaded graphics and plug-ins l E-mail attachments

13. 13 6 Protecting Client Computers u Cookies l Small pieces of text stored on your computer and contain sensitive information that is not encrypted l Anyone can read and interpret cookie data l Do not harm client machines directly, but potentially could still cause damage u Misplaced trust l Web sites that aren’t really what they seem and trick the user into revealing sensitive data

14. 14 6 Monitoring Active Content u Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download u Digital certificates provide assurance to clients and servers that the participant is authenticated

15. 15 6 Digital Certificates u Also known as a digital ID u An attachment to an e-mail message u Embedded in a Web page u Serves as proof that the holder is the person or company identified by the certificate u Encoded so that others cannot read or duplicate it

16. 16 6 VeriSign -- A Certification Authority Figure 6-3

17. 17 6 VeriSign u Oldest and best-known Certification Authority (CA) u Offers several classes of certificates l Class 1 (lowest level) u Bind e-mail address and associated public keys l Class 4 (highest level) u Apply to servers and their organizations u Offers assurance of an individual’s identity and relationship to a specified organization

18. 18 6 Structure of a VeriSign Certificate Figure 6-4

19. 19 6 Microsoft Internet Explorer u Provides client-side protection right inside the browser u Reacts to ActiveX and Java-based content u Authenticode verifies the identity of downloaded content u The user decides to ‘trust’ code from individual companies

20. 20 6 Security Warning and Certificate Validation Figure 6-5

21. 21 6 Internet Explorer Zones and Security Levels Figure 6-6

22. 22 6 Internet Explorer Security Zone Default Settings Figure 6-7

23. 23 6 Netscape Navigator u User can decide to allow Navigator to download active content u User can view the signature attached to Java and JavaSript u Security is set in the Preferences dialog box u Cookie options are also set in the Preferences dialog box

24. 24 6 Setting Netscape Navigator Preferences Figure 6-8

25. 25 6 A Typical Netscape Navigator Java Security Alert Figure 6-9

26. 26 6 Viewing a Content Provider’s Certificate Figure 6-10

27. 27 6 Dealing with Cookies u Can be set to expire within 10, 20, or 30 days u Retrievable only by the site that created them u Collect information so that the user doesn’t have to continually enter usernames and passwords to access Web sites

28. 28 6 Dealing with Cookies u Earlier browsers simply stored cookies without comment u Today’s browsers allow the user to l Store cookies without permission or warning l Receive a warning that a cookie is about to be stored l Unconditionally disallow cookies altogether

29. 29 6 Protecting Electronic Commerce Channels u Protecting assets while they are in transit between client computers and remote servers u Providing channel security includes l Channel secrecy l Guaranteeing message integrity l Ensuring channel availability l Authentication

30. 30 6 Providing Transaction Privacy u Encryption l The coding of information by using a mathematically based program and secret key to produce unintelligible characters l Steganography u Makes text invisible to the naked eye l Cryptography u Converts text to strings that appear to have no meaning

31. 31 6 Encryption u 40-bit keys are considered minimal,128-bit keys provide much more secure encryption u Encryption can be subdivided into three functions l Hash Coding u Calculates a number from any length string l Asymmetric (Public-key) Encryption u Encodes by using two mathematically related keys l Symmetric (Private-key) Encryption u Encodes by using one key, both sender and receiver must know

32. 32 6 Hash Coding, Private-key, and Public-key Encryption Figure 6-11

33. 33 6 Significant Encryption Algorithms and Standards Figure 6-12

34. 34 6 Secure Sockets Layer (SSL) Protocol u Secures connections between two computers u Provides a security handshake in which the client and server computers exchange the level of security to be used, certificates, among other things u Secures many different types of communications between computers

35. 35 6 Secure Sockets Layer (SSL) Protocol u Provides either 40-bit or 128-bit encryption u Session keys are used to create the cipher text from plain text during the session u The longer the key, the more resistant to attack

36. 36 6 Establishing an SSL Session Figure 6-13

37. 37 6 SSL Web Server Information Figure 6-14

38. 38 6 Secure HTTP (S-HTTP) Protocol u Extension to HTTP that provides numerous security features l Client and server authentication l Spontaneous encryption l Request/response nonrepudiation u Provides symmetric and public-key encryption, and message digests (summaries of messages as integers)

39. 39 6 Ensuring Transaction Integrity Figure 6-15

40. 40 6 Guaranteeing Transaction Delivery u Neither encryption nor digital signatures protect packets from theft or slowdown u Transmission Control Protocol (TCP) is responsible for end-to-end control of packets u TCP requests that the client computer resend data when packets appear to be missing

41. 41 6 Protecting the Commerce Server u Access control and authentication l Controlling who and what has access to the server l Requests that the client send a certificate as part of authentication l Server checks the timestamp on the certificate to ensure that it hasn’t expired l Can use a callback system in which the client computer address and name are checked against a list

42. 42 6 Protecting the Commerce Server u Usernames and passwords are the most common method of providing protection for the server u Usernames are stored in clear text, while passwords are encrypted u The password entered by the user is encrypted and compared to the one on file

43. 43 6 Logging On With A Username And Password Figure 6-16

44. 44 6 Operating System Controls u Most operating systems employ username and password authentication u A common defense is a firewall l All traffic from inside to outside and outside to inside must pass through it l Only authorized traffic is allowed l The firewall itself must be immune to penetration

45. 45 6 Firewalls u Should be stripped of any unnecessary software u Categories of firewalls include l Packet filters u Examine all packets flowing through the firewall l Gateway servers u Filter traffic based on the requested application l Proxy servers u Communicate on behalf of the private network u Serve as a huge cache for Web pages

46. 46 6 Check Point Software’s Firewall-1 Web Page Figure 6-17