Security Controls and Systems in E-Commerce Prof. Mohamed Aly Aboul - Dahab Head of Electronic and...
-
Upload
caleb-ashby -
Category
Documents
-
view
216 -
download
0
Transcript of Security Controls and Systems in E-Commerce Prof. Mohamed Aly Aboul - Dahab Head of Electronic and...
Security Controls and Systems in E-Commerce
Prof. Mohamed Aly Aboul - DahabHead of Electronic and communications Engineering Department
Arab Academy for Science , Technology and Maritime Transport
ITU E - Commerce Conference for the Arab Region
Tunisia, May 2001
I. Introduction
– What is E - Commerce ?– Actors of E - Commerce:
– Product.– Player.– Process.
– Scope of E - Commerce:– Infrastructure.– Pillars.– Applications.
I. Introduction (Cont’d)
– Security of E - Commerce involves:
– Security control
– Security systems
II. Security Controls
1- Confidentiality.2- Access control.3- Integrity.4- Availability.5- Non repudiation.
II. Security Controls (Cont’d)
1- Confidentiality– it refers to the protection of
information from unauthorized agent or person.
– It can be guaranteed by encrypting the data.
II. Security Controls (Cont’d)
2- Access control– There should be some sort of
control of any entity (human or computer) trying to access the E - Commerce system.
– It includes two measures : authentication and authorization.
2- Access Control (Cont’d)
– Authentication : The sender of a document must be identified precisely and without any possibility of fraud.
– Authorization: not all the users can have access rights to the E- Commerce system.
II. Security Controls (Cont’d)
3- Integrity – It refers to protecting the data and /
or computer against any tampering [nationally or internationally).
– Measures are taken to ensure the accuracy and completeness of data.
II. Security Controls (Cont’d)
4- Availability– It refers to the continuity of the
processing and the availability of information.
5- Non repudiation– It ensures that users cannot deny
actions they undertake.
III. Security Technologies
The categories of security technologies are:-
1- Platform security.2- Network security.3- Encryption and certificate
authority.
III. Security Technologies (Cont’d)
1- Platform security– It refers to security of
information contained in the computers or servers.
– The objective is to ensure that information on the platform is secured from unauthorized users or other platforms.
III. Security Technologies (Cont’d)
1- Platform security It can be done on three levels:
• User access to operating system.• User access to the database.• User access to the business applications
and internal browser.
– This can be carried out by using passwords and ID numbers at each level.
III. Security Technologies (Cont’d)
2- Network Security It refers to the security of all traffic
at the network levels.– It involves two aspects:
•the two communicating platforms should authenticate each other.
•The information has to be preserved confidentially over the network.
III. Security Technologies (Cont’d)
2- Network Security– The techniques utilized are :
a) IP security protocol.b) Point to point tunneling protocol.c) Remote authentication Dial In user
service. d) Firewalls.
2- Network Security (Cont’d)
a) IP security protocol:• The two hosts ( or platforms ) establish
a security association between them.• A sequence of bits called “key” is
added to the information packets.• Checksum operations are made on the
entire packet (including the key). These operations follow certain rules or “algorithms”.
2- Network Security (Cont’d)
b) Point to point tunneling protocol – It is a protocol that allows establishing a
secure channel between the two hosts then communicating the information.
c) Remote Authentication Dial In user service– It is a protocol that enables a host to
authenticate dial in users before allowing them to convert to the internet service.
2- Network Security (Cont’d)
d) Firewalls– These are filters that control access to
the internal network of the system.– They examine the packet contents and
accept or reject the routing, of packets based upon the contents.
– They are “hardware” components that are implemented from a combination of routers, hosts. computers, servers,……. etc.
III. Security Technologies (Cont’d)
3- Encryption and Certificate Authority– This refers to encryption of information
itself.– The encryption process needs a sequence
of bits called “key” and a mathematical process called “algorithm”.
– There are several types of encryption, namelya) Private key encryptionc) Public key encryptiond) Digital signaturee) Certificate authority
3- Encryption and Certificate Authority (Cont’d)
a) Private key encryption– Same key is used to both encrypt
and decrypt the message.– It should be known to both sides.– Difficulties are:
• message is communicated between users that have never met.
• If so many users hold the same key, it will no longer be private.
3- Encryption and Certificate Authority (Cont’d)
b) Public key Encryption– Two keys are used : a public key to
encrypt the message and a private key to decrypt it.
– The public key is made available to anyone who wants to send a message.
– The only way to decrypt the message is to hold a private key.
3- Encryption and Certificate Authority (Cont’d)
e) Digital Signature– It is used to make sure that the
message is coming from the person you think sent it.
– It is also used to make sure that the person cannot deny he or she has sent the message.
e) Digital Signature (Cont’d)
– Digital signature is done as follows:•The sender has two keys : one “private” for
encryption and the other “public” for decryption.
•The sender creates a phrase and encrypt it with his private key.
•The phrase is attached to the message and both are encrypted by a public key.
•The phrase is decrypted with a public key, if it is successfully decrypted, then the sender himself has sent it.
3- Encryption and Certificate Authority (Cont’d)
d) Certificate Authority (CA)– It is a third party which ensures
that no body can steel the private key and send the message.
– The role of certificate authority is done as follows:
d) Certificate Authority (Cont’d)
– Individuals (or computers) apply for “Digital Certificate” from certificate authority by sending their public key and identification information.
– Certificate authority verifies information and creates a certificate that contains the applicant public key and identifying information.
d) Certificate Authority (Cont’d)
– The Certificate Authority uses its private key to encrypt the certificate and sends it to the applicant.
– The applicant uses the Certificate Authority public key to decrypt the certificate and sends it. He will use the embedded public key to send the message.
3- Encryption and Certificate Authority (Cont’d)
e) Biometrics– there are seven categories of
biometrics, namely finger scanning, face recognition, hand geometry, iris and retina scanning, voice recognition, palm-print recognition, and signature recognition.
– Special hardware should be used e.g. finger print scanners and camera- based iris recognition.
IV. Conclusion
– Security is an issue of prime importance to E- Commerce.
– Security controls for E-Commerce have to be laid down.
– Security technologies can be applied on three levels: platform, network and message encryption.
References:
1) Me Garr, M.S., “ Tuning in Biometrics to Reduce E-Commerce Risk”, EC-World magazine, Feb.2000.
2) Turbin, E, et.al, “Electronic Commerce- A perspective”, Prentice Hall Inc.,2000.
3)Rajpnt,W.E., ”E-Commerce systems Architecture and Applications”, Artech House,2000.
Sender
Network
Network
DistributionSites
Receivers
Multicast Dissemination Architecture
worldwide
developing countries
merchant
Web store front
Merchant’s bank
Secure web E- commerce server
Credit card processing company
Web customer
Customer bankEC-DC Model
Electronic Commerce Applications
Stocks, Jobs, Online Banking, Procurement and Purchasing Malls, Online Marketing and Advertising ,Customer Service, Auctions, Travel, Online Publishing
People Buyers, Sellers
IntermediariesServices, IS people
and Management
Public Policy Taxes,Legal,andPrivacy IssuesFree Speech
Domain names
Technical Standards
For DocumentsSecurity. And
Network Protocols,Payments.
Organizations Partners
Competitors AssociationsGovernment
Services
InfrastructureCommon Business
Services Messaging and
Information Distribution
Interfacing
Multimedia Content and Network Publishing
Network
MANAGEMENT
Framework for ElectronicCommerce
Applications
Pillars
Infrastructure
I. Introduction( Cont’d)
Applications
Pillars
Infrastructure
Services SecurityN
etworks
InterfacingLegality
PeopleEnterprises
Standards
Info
rmat
ion
Han
dlin
g
Online Banking Purchasing
Selling
Au
ctions
Marketing
AdvertisingMalls
Stock
Excha
nge
Cus
tom
er
Ser
vice
Onl
ine
Pu
blis
hing
I. Introduction( Cont’d)