Post on 25-Dec-2015
Chapter 3
Mohammad Fozlul Haque BhuiyanAssistant Professor
CITI Jahangirnagar University
Security Issues in E-commerceA computer system composing of bare hardware and an OS
responsible for safe guarding its data and applications resident in primary and secondary storage, proper management of other resources and establishing connection to other computer systems via the network.
When the system is not hooked to the outside world, the computer system is only vulnerable to its bad users who abuse it with bad applications like virus, Trojan horses, etc.
However, when it is open to outside world through networking, this becomes a major threat to the system.
Security Issues
Is E-commerce Secure?
Cryptography
Web security
Security Issues
Operating System SecurityNetwork SecurityInternet SecurityMiddleware SecurityDatabase SecurityOthers Fields of Computer System security
Operating System Security
The security models are classified into two major groups:
•Mandatory security model:– Control the access to information by individuals on the basis of
classification of subjects (active element) and objects (data). Bell Lapadula model, Biba model, and Dion model.
•Discretionary security model:– Control user access on the basis of user identity and some rules guiding
what type of access relationship can be established between the user (subject) and object. Access matrix model, take-grant model, ant action entity model.
•Lattice model:– Based on flow control
Operating System Security
Network Security
Network Security (Cont…)
As the network makes a computer system open to the world, communication becomes easy with the outside world at the cost of security. One of the major successes in tackling the distributed system security problem is Kerberos.
Kerberos uses encryption to enable secure communication. To be able to connect to the computers, users have to use programs that can use Kerberos. In order to authenticate to Kerberos, one needs to get ‘tickets’.
A ticket grants the user the right to use a service, such as accessing his/her files. A ‘ticket granting ticket’ is a ticket used to get other tickets.
Internet Security
Middleware Security
• OSF’s DCE
• OMG’s CORBA
Database Security
Figure: Distributed Database Model
Other Fields of Computer System Security
• E-cash
When viewing digital information from the network perspective, information security contains the following characteristics:
Confidentiality or message transmission security.
Integrity of data content
Authentication of sender and receiver
Non-repudiation by the sender and receiver
Anonymity or secrecy
Availability
Is E-commerce Secure ?
Single Key (Symmetric) Cryptography
Public Key (Asymmetric) Cryptography
Digital Signature
Certification Authority
Digital Certificates
Cryptography
Single Key (Symmetric) Cryptography
Public Key (Asymmetric) Cryptography
Public Key (Asymmetric) Cryptography (Cont..)
Certification Authority
Digital Certificate
The digital certificate is basically the digitally signed triple:
• Identity of user
• Public key of user
• Other attributes
Digital Certificate (cont..)
In addition to the signature, the public key certificate contains the following items:
• subject
• subjectPublicKeyInfo
• issuerUniqueidentifier
• extensions
• version
• serialNumber
• signature
• Issuer
• validity
What is Digital Signature?•Hash value of a message when encrypted with the private key of a person is his digital signature on that e-Document–Digital Signature of a person therefore varies from document to document thus ensuring authenticity of each word of that document.–As the public key of the signer is known, anybody can verify the message and the digital signature
Why Digital Signatures?To provide Authenticity, Integrity and Non-repudiation to electronic documentsTo use the Internet as the safe and secure medium for e-Commerce and e-Governance
Digital Signatures
Digital Signatures
Each individual generates his own key pair[Public key known to everyone & Private key only to the owner]
Private Key – Used for making digital signature
Public Key – Used to verify the digital signature
Digital Signature: An application of public key cryptography
Web security
Secure Socket Layer (SSL)
Secure Electronic Transaction
(SET)
Secure Socket Layer (SSL)
The SSL protocol provides connection security that has three basic properties:
The connection is private, Symmetric cryptography is used for data encryption (e.g. EDS, RC4, etc.)
Secure Socket Layer (SSL) (cont…)
The peer’s identity can be authenticated using asymmetric, or public key, cryptography (e.g. RSA, DSS, etc.)
The connection is reliable. Message transport includes a message integrity check using a keyed MAC. Secure hash function (e.g. SHA, MD5, etc.)
Secure Socket Layer (SSL) (cont..)
Figure: SSL 3.0 information exchange between a client and a server
Secure Electronic Transaction (SET)
The SET specification is designed to meet three main objectives.
First, it will enable payment security for involved, authenticate card holders and merchants, provide confidentiality of payment data, and define protocols for potential electronic security service providers.
Secure Electronic Transaction (SET) (Cont…)
Second, it will enable interoperability among applications developed by various vendors and among different operating systems and platforms.
Third, it will strive to achieve market acceptance on a global scale.
Thank You