Trusting others electronically E-Commerce infrastructure

Security threats – the real threats and the perceptions

Network connectivity and availability issues Better architecture and planning

Global economy issues Flexible solutions

Trusting others electronically

Authentication

Handling of private information

Message integrity

Digital signatures and non-repudiation

Access to timely information

Trusting the medium Am I connected to the correct web site? Is the right person using the other computer? Did the appropriate party send the last email? Did the last message get there in time,

correctly?

Public-Key Infrastructure (PKI) Distribute key pairs to all interested entities

Certify public keys in a “trusted” fashion

The Certificate Authority

Secure protocols between entities

Digital Signatures, trusted records and non-

repudiation

Authentication problems

Impersonation attacks

Privacy problems

Hacking and similar attacks

Integrity problems

Repudiation problems

How to communicate securely:

SSL – “the web security protocols”

IPSEC – “the IP layer security protocol”

SMIME – “the email security protocol”

SET – “credit card transaction security

protocol”

Issues with variable response during peak time

Guaranteed delivery, response and receipts

Spoofing attacks Attract users to other sites

Denial of service attacks Prevent users from accessing the site

Tracking and monitoring networks

Variable connectivity levels and cost

Variable economies and cultures

Taxation and intellectual property issues

Interoperability between different

economies

Networking Products Firewalls Remote access and Virtual Private

Networks (VPNs) Encryption technologies Public Key Infrastructure Scanners, monitors and filters Web products and applications

Support for peak access

Replication and mirroring, round robin

schemes – avoid denial of service

Security of web pages through

certificates and network architecture to

avoid spoofing attacks

Identity-based certificate to identify all

users of an application

Determine rightful users for resources

“Role-based” certificates to identify the

authorization rights for a user

12

What is EDI?

Exchange of electronic data between companies using precisely defined transactions

Set of hardware, software, and standards that accommodate the EDI process

13

Figure 11.2 Benefits of EDI

14

Figure 11.3 Suppliers, manufacturers, and retailers cooperate in some of the most successful applications of EDI.

15

Figure 11.4

16

EDI on the WebAdvantages of Web EDI

Lower cost More familiar software Worldwide connectivity

Disadvantages of Web EDI Low speed Poor security

17

The Importance of EDI Need for timely, reliable data exchange in

response to rapidly changing markets Emergence of standards and guidelines Spread of information into many organizational

units Greater reliability of information technology Globalization of organizations

18

Message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution)

Three alternative functions used: message encryption message authentication code (MAC) hash function

19

Message encryption by itself also provides a measure of authentication

If symmetric encryption is used then: receiver know sender must have created it since only sender and receiver now key used know content cannot of been altered Provides both: sender authentication and

message authenticity.

20

If public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key however if

sender signs message using his private-key then encrypts with recipients public key have both secrecy and authentication

but at cost of two public-key uses on message

21

A small fixed-sized block of data: Depends on both message and a secret key Like encryption though need not be reversible

Appended to message as a signature Receiver performs same computation on

message and checks it matches the MAC Provides assurance that message is

unaltered and comes from sender

22

MAC provides authentication Message can be encrypted for secrecy

generally use separate keys for each can compute MAC either before or after

encryption is generally regarded as better done before

why use a MAC? sometimes only authentication is needed sometimes need authentication to persist

longer than the encryption (e.g., archival use) note that a MAC is not a digital signature

23

A hash function is like a MAC condenses arbitrary message to fixed

sizeh = H(M)

usually assume that the hash function is public and not keyed-note that a MAC is keyed

hash used to detect changes to message can use in various ways with message most often to create a digital signature

Spyware Adware Embedded Programs Trojan Horse Browser Hijackers Dialers Malware

Profit A challenge Malice Boredom Business

Computer is running slower than normal Popups (on or off the internet) New toolbars Home page changes Search results look different Error messages when accessing the web

Be conscious of what you are clicking on/downloading

Some pop-ups have what appears to be a close button, but will actually try to install spyware when you click on it. Always look for the topmost right red X.

Remember that things on the internet are rarely free. “Free” Screensavers etc. generally contain ads or worse that pay the programmer for their time.

Download.com – All programs are adware/spyware free

Freesaver.com – Screensavers from this site are safe DO NOT click on ads

KFOR or News9 Cleansoftware.org

Sits between two networks Used to protect one from the other Places a bottleneck between the networks

All communications must pass through the bottleneck – this gives us a single point of control

Packet Filtering Rejects TCP/IP packets from unauthorized hosts and/or

connection attempts bt unauthorized hosts Network Address Translation (NAT)

Translates the addresses of internal hosts so as to hide them from the outside world

Also known as IP masquerading Proxy Services

Makes high level application level connections to external hosts on behalf of internal hosts to completely break the network connection between internal and external hosts

Encrypted Authentication Allows users on the external network to authenticate to

the Firewall to gain access to the private network Virtual Private Networking

Establishes a secure connection between two private networks over a public network This allows the use of the Internet as a connection medium

rather than the use of an expensive leased line

Virus Scanning Searches incoming data streams for virus signatures so

theey may be blocked Done by subscription to stay current

McAfee / Norton

Content Filtering Allows the blocking of internal users from certain types

of content. Usually an add-on to a proxy server Usually a separate subscription service as it is too hard and

time consuming to keep current

Part of an overall Firewall strategy Sits between the local network and the external network

Originally used primarily as a caching strategy to minimize outgoing URL requests and increase perceived browser performance

Primary mission is now to insure anonymity of internal users Still used for caching of frequently requested files Also used for content filtering

Acts as a go-between, submitting your requests to the external network Requests are translated from your IP address to the Proxy’s IP

address E-mail addresses of internal users are removed from request

headers Cause an actual break in the flow of communications

Terminates the TCP connection before relaying to target host (in and out)

Hide internal clients from external network

Blocking of dangerous URLs

Filter dangerous content

Check consistency of retrieved content

Eliminate need for transport layer routing between networks

Single point of access, control and logging