E-Commerce Engineer - Security in E-Commerce

1

E-COMMERCE JOBS This project (Project number: HU/01/B/F/PP-136012) is carried out with the financial support of the Commssion of the European Communities under the Leonardo da Vinci Programme

Database ModelsVer: 1.0

E-Commerce Engineer - Security in E-Commerce

Encryption and Security Measures

2



Definition of Security problems

A security-system is correct, if it has the following parameters:

• Closeness• Holistic• Continuity• Venture proportion

3



General problems of the information-security

• Security problems of the design and the development procedure

• Information-security• Data-security• Dependable working

4



Security problems of the design and the development

• Documentation, documents– security classification– critical hardware and network items

5



The information-security

• Regulation of the data-access rights• Identification and validation• Information-security on the information-system

level• Virus defence

6



Data-manipulating rights control

• Scope of authority issue• Control• Data-access rights• Unauthorized data-access attempt• Firewall configuration

7



Identification and validation

• User identification• Validation• Secession• Multilevel identification and validation system• Misregistration

8



Information-security on the informatics-system level

• Information-security on the level of:– Operating system– Application defence– Menu-system – File system

9



Virus defence

• System-servers• Application servers• Data medium• New software• For a longer time unused software

10



The data-security

• Security of the data-recording• Security of the data-storage• Security of the data-access

11



Security of the data-recording

• Input-data accuracy• Data-transmission• Development of the data-recording policy• Logging of the data-recording events• Data-recording rights• Input warrants• Semantic and syntax monitoring of input data

12



Security of data-storage

• Development of data-storage policies• After-processing control• Redundant-storage• Data encryption

13



Security of data-access

• Development of data distribution policies• Development of the data-access rights• Data-integration

14



Dependable working 1

• Infrastructure– physical defence of storage and computer rooms– dependable power supply– bias control

• HRM- human resource management– staff trusty operation– viewpoints– personal factors

15




• Audition of reliability• Restart• Data medium– storage– security copies– archiving

16




• Hardware– physical defence– conditions of the dependable operation– floppy-drive disabling– service– bound of workstation– communication network

17




• Software– legality– virus defence– testing for fail-safe operation– documentation– source-code availability

18



IT security in the the running system

• Access regulation• Access control• Integration control• Data-security• Fail-spanning• Restart• Development and observance of operating

policies• Disaster-plan

19



Cryptographic-protocol of e-commerce 1

• Identification– partner-identification– server- identification– client- identification

• Message-authentication• Verifying digital signatures• Secret-sharing

20



Cryptographic-protocol of e-commerce 2

• Encryption-key maintenance– generation– allocation– authentication– revocation– key server

• Time-stamp

21



Developers and products of the cryptographic standards 1

• ANSI standards– DSA-based digital signature– RSA -based digital signature– Ellipse-curve based digital signature (ECDSA)

22




• FIPS (US) standards– Escrowed encryption standard (EES)– Data encryption standard (DES)– Advanced encryption standard (AES)– Hash standard for digital signature (SHS)– Digital signature standard (DDS) using a Digital

signature algorithm (DSA)

23




• RSA Laboratories specifications, PKCS (Public-Key Cryptography Standards)– RSA standard– Diffie-Helmann key standard– ITU (International Telecommunication Union)– X.509 authentication framework

24




• PEM (privacy-enchanted mail)• W3C commendations• ETSI (European Telecommunications Standards

Institute) standards

25



The RSA-based encryption 1

• Algorithm of the RSA– selection of parameters– encryption keys– message-handling

26



Message-handling

• The message encryption:Encoding the m (0<m<n, (m,n)=1) message:

c ≡ me mod n,

c - the encrypted message

• Decoding of c(0<c<n) encrypted message:m ≡ cd mod n,

m - the resolved message

The condition (m,n)=1 ensures the unambiguous coding

27




• The RSA attributes (algorithms)– the RSA algorithm can be easily computerized– its security is adequate– simple mathematical background– well known– typical parameters– applied acceleration– Wassenaar command– patent

28




• RSA attributes (offensives)– factorisation of n : full-hacking– selection small d : full-hacking– selection of small e : some of the messages can be

hacked

29




• Preparation of the RSA parameters– methods for selection of p and q and for the

factorisation of n– the prime-dissociation current highest efficiency– finding primes– selection of parameter d – selection of parameter e– the RSA summing up and evaluation

30



Functional encrypting

• Encrypting data files

• RSA SecurID method– advantages– disadvantages

31



The SHIELD-system 1

• Inventor and developer of the SHIELD-program is:Balogh Zoltán

• The SHIELD function– Operation– Attributes

• countermoves• signal• notes

32



The SHIELD-system 2

• Comparison with other defence systems

– with the DES

– with the RSA

33



Firewall and e-mail screening 1

• The structure of the security system of a local area networked organisation– Usually steps of building up the security system– Security-policy– E-mail– Outer connection from the Internet

34




• The firewall configuration– The network tools of the firewall – Risks you want to avoid using a firewall– Filtering options– Firewall types– Downloads– AVG FREE EDITION

35




• E-mail screening– Arrange of scope of the screening– User-level screening– Spam notification– The attachment-screening

36



Laws for data-security

• Current laws in Hungary• Current laws in the European Union

37



Other information

• MTA SZTAKI– Post Address: H-1518 Budapest, P.O. Box 63.– Phone: +36 (1) 279-6000– Telefax: +36 (1) 466-7503

• Éva Feuer– Post Address: H-1518 Budapest, P.O. Box 63.– Phone: +36 (1) 279-6285– Telefax: +36 (1) 466-7503

E-Commerce Engineer - Security in E-Commerce

Documents

Transcript of E-Commerce Engineer - Security in E-Commerce