ELC 200 Day 11 Introduction to E-Commerce 1 Copyright, Tony Gauvin, UMFK, 2011.

ELC 200ELC 200Day 11Day 11

Introduction to E-Commerce

1Copyright, Tony Gauvin, UMFK, 2011

Agenda Questions? Assignment 2 corrected

10 A’s, 1 B, 1 C, 1 D and 2 non-submits

Assignment 3 PAST Due Will be graded by next class

Assignment 4 Posted Due March 14 Assignment4.pdf

Quiz 1 will be March 11 (next Class) Chap 1-5, Open Book, Open Notes, On Blackboard, 85 Min 20 M/C @ 4 points each 4 short essays @ 5 points each 1 extra credit question on Web Browswers worth 5 points

Finish Chap 5, Ecommerce Security and Payment systems

e-commerce

Kenneth C. LaudonCarol Guercio Traver

business. technology. society.

eighth edition

Copyright © 2012 Pearson Education, Inc.

Chapter 5E-commerce Security and Payment Systems


Learning Objectives. Describe how technology helps protect the security of messages sent

over the Internet. Identify the tools used to establish secure Internet communications

channels and protect networks, servers, and clients. Discuss the importance of policies, procedures, and laws in creating

security. Describe the features of traditional payment systems. Explain the major e-commerce payment mechanisms. Describe the features and functionality of electronic billing presentment

and payment systems.

Insight on Technology: Class Discussion

Think Your Smartphone Is Secure? What types of threats do smartphones face? Are there any particular vulnerabilities to this

type of device? What did Nicolas Seriot’s “Spyphone” prove?

http://www.spyphone.com/ Are apps more or less likely to be subject to

threats than traditional PC software programs?

Copyright © 2012 Pearson Education, Inc. Slide 5-6


Technology Solutions

Protecting Internet communications (encryption)

Securing channels of communication (SSL, S-HTTP, VPNs)

Protecting networks (firewalls)

Protecting servers and clients

Slide 5-7


Tools Available to Achieve Site Security

Figure 5.7, Page 287

Slide 5-8


Encryption

EncryptionTransforms data into cipher text readable only

by sender and receiverSecures stored information and information

transmissionProvides 4 of 6 key dimensions of e-commerce

security: 1. Message integrity2. Nonrepudiation3. Authentication4. Confidentiality

Slide 5-9

12-10© 2007 Prentice-Hall, Inc

What Is Encryption? A way to transform a message so that only the sender and recipient can

read, see, or understand it

Plaintext (cleartext): the message that is being protected

Encrypt (encipher): transform a plaintext into ciphertext

Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message

Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines

Plaintext + key = Ciphertext

Ciphertext – key = Plaintext


Symmetric Key Encryption

Message“Hello”

EncryptionMethod &

Key

SymmetricKey

Party A

Party B

InterceptorNetwork

Encrypted Message

Encryption uses anon-secret encryption method and

a secret key


Simple example (encrypt) Every letter is converted to a two digit number

A=1, Z = 26 ANTHONY 01 14 20 08 15 14 25 Produce any 4 digit key 3654 (10N-1 choices = 9,999) Add together in blocks of 4 digits 0114 + 3654 = 3768 2008 + 3654 = 5662 1514 + 3654 = 5168 2500 + 3654 = 6154 (pad with 00 to make even)

Send 3768566251686154 to fellow Spy


Simple example (Decrypt) Received 3768566251686154 from fellow Spy

Break down in 4 digits blocks 3768 /5662 /5168 /6154

Get right Key 3654 Subtract key from blocks of 4 digits 3768 - 3654 = 114 5662 - 3654 = 2008 5168 - 3654 = 1514 6154 - 3654 = 2500 If result is negative add 10000

Break down to 2 digits and decode 01 = A, 14 =N, 20 = T, 08 = H


Symmetric Key Encryption

Sender and receiver use same digital key to encrypt and decrypt message

Requires different set of keys for each transaction

Strength of encryption Length of binary key used to encrypt data

2N-1 possible keys to guess

Advanced Encryption Standard (AES) Most widely used symmetric key encryption

Uses 128-, 192-, and 256-bit encryption keys

Other standards use keys with up to 2,048 bits

Slide 5-14


Public Key Encryption

Uses two mathematically related digital keys Public key (widely disseminated)

Private key (kept secret by owner)

Both keys used to encrypt and decrypt message

Once key used to encrypt message, same key cannot be used to decrypt message

Sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it

Slide 5-15


Public Key Cryptography – A Simple Case


Slide 5-17


Public Key EncryptionPublic Key Encryption for Confidentiality

EncryptedMessage

EncryptedMessage

Party A Party B

Encrypt withParty B’s Public Key

Decrypt withParty B’s Private Key

Decrypt withParty A’s Private Key

Encrypt withParty A’s Public Key

Note:Four keys are used to encryptand decrypt in both directions


Public Key Encryption Using Digital Signatures and Hash Digests

Hash function: Mathematical algorithm that produces fixed-length number called

message or hash digest

Hash digest of message sent to recipient along with message to verify integrity

Hash digest and message encrypted with recipient’s public key

Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation

Slide 5-19


Digital Signature: Sender

DS

Plaintext

MD

Hash

Sign (Encrypt) MD withSender’s Private Key

To Create the Digital Signature:

1. Hash the plaintext to createa brief message digest; This isNOT the digital signature

2. Sign (encrypt) the messagedigest with the sender’s privatekey to create the digitalSignature


Digital Signature

SenderReceiver

DS Plaintext

Add Digital Signature to Each MessageProvides Message-by-Message Authentication

Encrypted for Confidentiality


Digital Signature

SenderEncrypts Receiver

Decrypts

Send Plaintext plus Digital SignatureEncrypted with Public key of receiver

DS Plaintext

Transmission


Digital Signature: Receiver

DSReceived Plaintext

MDMD

1.Hash

2.Decrypt withTrue Party’sPublic Key

3.Are they Equal?

1. Hash the receivedplaintext with the samehashing algorithm the

sender used. This givesthe message digest

2. Decrypt the digitalsignature with the sender’spublic key. This also shouldgive the message digest.

3. If the two match, the message is authenticated;The sender has the true

Party’s private key


Public Key Cryptography with Digital

Signatures


Slide 5-24


Digital Envelopes

Address weaknesses of: Public key encryption

Computationally slow, decreased transmission speed, increased processing time

Symmetric key encryption Insecure transmission lines

Uses symmetric key encryption to encrypt document

Uses public key encryption to encrypt and send symmetric key

Slide 5-25


Creating a Digital Envelope


Slide 5-26

Man in the Middle Attack



Public Key Deception Impostor

“I am the True Person.”

“Here is TP’s public key.” (Sends Impostor’s public key)

“Here is authenticationbased on TP’s private key.”

(Really Impostor’s private key)

Decryption of message from Verifierencrypted with Impostor’s public key,

so Impostor can decrypt it

Verifier

Must authenticate True Person.

Believes now has TP’s public key

Believes True Personis authenticatedbased on Impostor’s public key

“True Person,here is a message encryptedwith your public key.”

CriticalDeceptio

n


http://swiki.fromdev.com/2009/11/ssl-is-not-secure-anymore-serious.html


Digital Signatures and Digital Certificates

Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature

DS Plaintext

Applicant

Verifier

Certificate Authority

DigitalCertificate:True Party’sPublic Key


Digital Certificates and Public Key Infrastructure (PKI)

Digital certificate includes: Name of subject/company Subject’s public key Digital certificate serial number Expiration date, issuance date Digital signature of CA

Public Key Infrastructure (PKI): CAs and digital certificate procedures PGP http://www.pgpi.org/

Slide 5-31


Digital Certificates and Certification

Authorities


Slide 5-32


Limits to Encryption Solutions

Doesn’t protect storage of private keyPKI not effective against insiders, employeesProtection of private keys by individuals may be

haphazard

No guarantee that verifying computer of merchant is secure

CAs are unregulated, self-selecting organizations

Slide 5-33

Insight on Society: Class Discussion

Web Dogs and Anonymity

What are some of the benefits of continuing the anonymity of the Internet?

What are the disadvantages of an identity system?

Are there advantages to an identity system beyond security?

Who should control a central identity system?


Securing Channels of Communication Secure Sockets Layer (SSL):

Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encrypted

Virtual Private Network (VPN): Allows remote users to securely access internal

network via the Internet


Secure Negotiated Sessions Using SSL



Protecting Networks Firewall (Guarded Gate)

Hardware or softwareUses security policy to filter packetsTwo main methods:

Packet filters Application gateways

Proxy servers (proxies)Software servers that handle all communications

originating from or being sent to the Internet


Firewalls and Proxy Servers




Protecting Servers and Clients

Operating system security enhancements Upgrades, patches

Zero Day attacks

Anti-virus software: Easiest and least expensive way to prevent threats to system

integrity

Requires daily updates

http://www.umfk.edu/it/downloads.cfm

Slide 5-40

Management Policies, Business Procedures, and Public Laws

U.S. firms and organizations spend 14% of IT budget on security hardware, software, services ($35 billion in 2010)

Managing risk includesTechnologyEffective management policiesPublic laws and active enforcement


A Security Plan: Management Policies Risk assessment Security policy Implementation plan

Security organization Access controls Authentication procedures, including biometrics Authorization policies, authorization management

systems

Security audit


Developing an E-commerce Security Plan




The Role of Laws and Public Policy

Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals: National Information Infrastructure Protection Act of 1996 USA Patriot Act Homeland Security Act

Private and private-public cooperation CERT Coordination Center http://www.cert.org/ US-CERT http://www.us-cert.gov/ncas/current-activity/

Government policies and controls on encryption software

OECD guidelines OECD_Cyber_Security.pdf

Slide 5-44

BRIEF HISTORY OF MONEY

Barter Medium of Exchange

TokensNotational MoneyCredit System

Types of Payment Systems Cash

Most common form of payment Instantly convertible into other forms of value

Checking transfer Second most common payment form in United States

Credit card Credit card associations Issuing banks Processing centers


Types of Payment Systems (cont.)

Stored valueFunds deposited into account, from which funds are

paid out or withdrawn as needed, e.g., debit cards, gift certificates

Peer-to-peer payment systems

Accumulating balanceAccounts that accumulate expenditures and to

which consumers make period paymentse.g., utility, phone, American Express accounts


Check Numbers

http://en.wikipedia.org/wiki/Demand_draft http://en.wikipedia.org/wiki/Qchex


Table 5.6, Page 312

Slide 5-50

Payment System Stakeholders’ Priorities Consumers

Low-risk, low-cost, refutable, convenience, reliability

Merchants Low-risk, low-cost, irrefutable, secure, reliable

Financial intermediaries Secure, low-risk, maximizing profit

Government regulators Security, trust, protecting participants and enforcing

reporting


E-commerce Payment Systems

Credit cards45% of online payments in 2011 (U.S.)

Debit cards28% online payments in 2011 (U.S.)

Limitations of online credit card paymentSecurity, merchant riskCostSocial equity


How an Online Credit Transaction Works



E-commerce Payment Systems (cont.)

Digital wallets Emulates functionality of wallet by authenticating

consumer, storing and transferring value, and securing payment process from consumer to merchant

Early efforts to popularize failed Latest effort: Google Checkout

Digital cash (David Chaum) Value storage and exchange using tokens Most early examples have disappeared; protocols and

practices too complex



Online stored value systemsBased on value stored in a consumer’s bank,

checking, or credit card accountPayPalSmart cards

Contact—use card reader Contactless

e.g., EZPass, Octopus card (Hong Kong) Radio Frequency ID (RFID) Near Field Communications (NFC)



Digital accumulated balance payment:Users accumulate a debit balance for which they

are billed at the end of the monthPaymentsPlus, BillMeLater

Digital checking:Extends functionality of existing checking

accounts for use onlinePayByCheck, EBillMe


Mobile Payment Systems Use of mobile handsets as payment devices

well-established in Europe, Japan, South Korea Japanese mobile payment systems

E-money (stored value) Mobile debit cards Mobile credit cards

Not as well established yet in United States Infrastructure still developing Apple, Google, RIM developing separate NFC systems


Electronic Billing Presentment and Payment (EBPP)

Online payment systems for monthly bills 30% + of households in 2010 used some

EBPP; expected to continue to grow Two competing EBPP business models:

Biller-direct (dominant model) Consolidator

Both models are supported by EBPP infrastructure providers


ELC 200 Day 11 Introduction to E-Commerce 1 Copyright, Tony Gauvin, UMFK, 2011.

Documents

Transcript of ELC 200 Day 11 Introduction to E-Commerce 1 Copyright, Tony Gauvin, UMFK, 2011.