ELC 200 Day 11

Upload: maud-walters

Posted on 04-Jan-2016

TRANSCRIPT

Page 1: ELC 200 Day 11. Agenda Questions? Assignment 3 is Not Corrected  Missing assignments Assignment 4 is posted  Due March 7 @ 9:30 AM  Assignment4.pdf

ELC 200 Day 11

Page 2

Agenda

Questions?

Assignment 3 is not corrected

Missing assignments

Assignment 4 is posted, due March 7 @ 9:30 AM (Assignment4.pdf)

Quiz 2 on March 7, Chapters 3-5, same format as before; extra credit question on hackers convicted in Maine

Finish discussion on E-Commerce Security and Payment systems

Page 3

Chapter 5: E-commerce Security and Payment Systems

Copyright © 2014 Pearson Education, Inc.

Page 4

Learning Objectives

Understand the scope of e-commerce crime and security problems.

Describe the key dimensions of e-commerce security.

Identify the key security threats in the e-commerce environment.

Describe how technology helps protect the security of messages sent over the Internet.

Identify the tools used to establish secure Internet communications channels, and protect networks, servers, and clients.

Identify the major e-commerce payment systems in use today.

Describe the features and functionality of electronic billing presentment and payment systems.

Page 5

The E-commerce Security Environment

Figure 5.1, Page 168

Copyright © 2014 Pearson Education, Inc. Slide 5-5

Page 6

Copyright © 2014 Pearson Education, Inc. Slide 1-6

Page 7

Technology Solutions

Protecting Internet communications: encryption

Securing channels of communication: SSL, VPNs

Protecting networks: firewalls

Protecting servers and clients

Copyright © 2014 Pearson Education, Inc. Slide 5-7

Page 8

Tools Available to Achieve Site Security

Figure 5.4, Page 181

Copyright © 2014 Pearson Education, Inc. Slide 5-8

Page 9

Encryption

Transforms data into cipher text readable only by sender and receiver

Secures stored information and information transmission

Provides 4 of 6 key dimensions of e-commerce security: message integrity, nonrepudiation, authentication, confidentiality

Copyright © 2014 Pearson Education, Inc. Slide 5-9

Page 10

Symmetric Key Encryption

Sender and receiver use the same digital key to encrypt and decrypt the message

Requires a different set of keys for each transaction

Strength of encryption: length of the binary key used to encrypt data

Advanced Encryption Standard (AES): most widely used symmetric key encryption; uses 128-, 192-, and 256-bit encryption keys

Other standards use keys with up to 2,048 bits

Copyright © 2014 Pearson Education, Inc. Slide 5-10

Page 11

12-11 © 2007 Prentice-Hall, Inc

What Is Encryption?

A way to transform a message so that only the sender and recipient can read, see, or understand it

Plaintext (cleartext): the message that is being protected

Encrypt (encipher): transform a plaintext into ciphertext

Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message

Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines

Plaintext + key = Ciphertext

Ciphertext – key = Plaintext

Page 12

12-12 © 2007 Prentice-Hall, Inc

Symmetric Key Encryption

(Diagram: Party A's message “Hello” → Encryption Method & Key (Symmetric Key) → Encrypted Message → Network (Interceptor) → Party B)

Encryption uses a non-secret encryption method and a secret key

Page 13

12-13 © 2007 Prentice-Hall, Inc

Simple example (encrypt)

Every letter is converted to a two-digit number: A = 01 ... Z = 26

ANTHONY → 01 14 20 08 15 14 25

Produce any 4-digit key, e.g. 3654 (10^N - 1 choices = 9,999)

Add together in blocks of 4 digits (pad with 00 to make even):

0114 + 3654 = 3768
2008 + 3654 = 5662
1514 + 3654 = 5168
2500 + 3654 = 6154

Send 3768566251686154 to fellow spy

Page 14

12-14 © 2007 Prentice-Hall, Inc

Simple example (decrypt)

Received 3768566251686154 from fellow spy

Break down into 4-digit groupings: 3768 5662 5168 6154

Get the right key: 3654

Subtract the key from each block of 4 digits (if the result is negative, add 10000):

3768 - 3654 = 0114
5662 - 3654 = 2008
5168 - 3654 = 1514
6154 - 3654 = 2500

Break down into 2 digits and decode: 01 = A, 14 = N, 20 = T, 08 = H
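The spy cipher from the two Simple example slides, implemented as an added example (this code is not part of the slides or the textbook). It follows the slides exactly: letters become two-digit numbers, the text is padded with 00 to whole 4-digit blocks, and the same 4-digit key is added to every block. Arithmetic is done mod 10000, so a block that overflows wraps around instead of gaining a digit; that wrap is what the decrypt slide's "if result is negative add 10000" undoes. The sample values (ANTHONY, key 3654) are the slide's own; the function names are this example's.

```python
"""Toy 'spy' cipher from the Simple example slides (added example, not the
slides' own code). Educational only: a 4-digit key space and a key reused on
every block make it trivially weak, which is the point the AES slide makes
about key length."""

BLOCK = 4                # digits per block
MOD = 10 ** BLOCK        # 10000: every block lives in 0000..9999


def letters_to_digits(text: str) -> str:
    """A=01 ... Z=26, two digits per letter. Anything that is not A-Z is
    dropped, and the result is padded with 00 to fill whole 4-digit blocks."""
    digits = "".join(f"{ord(c) - ord('A') + 1:02d}" for c in text.upper() if "A" <= c <= "Z")
    while len(digits) % BLOCK:
        digits += "00"
    return digits


def digits_to_letters(digits: str) -> str:
    """Inverse of letters_to_digits; 00 (padding) and codes above 26 are skipped."""
    out = []
    for i in range(0, len(digits), 2):
        code = int(digits[i:i + 2])
        if 1 <= code <= 26:
            out.append(chr(ord("A") + code - 1))
    return "".join(out)


def blocks_of(digits: str):
    """Split a digit string into integer blocks of BLOCK digits."""
    return [int(digits[i:i + BLOCK]) for i in range(0, len(digits), BLOCK)]


def encrypt(text: str, key: int) -> str:
    """Add the same key to every block, mod 10000, keeping leading zeros.
    Because one key is reused for every block, equal plaintext blocks give
    equal ciphertext blocks: a pattern leak a real cipher must not have."""
    return "".join(f"{(b + key) % MOD:04d}" for b in blocks_of(letters_to_digits(text)))


def decrypt(cipher: str, key: int) -> str:
    """Subtract the key from every block. Python's % already 'adds 10000'
    whenever the difference would be negative, exactly as the decrypt slide says."""
    return digits_to_letters("".join(f"{(b - key) % MOD:04d}" for b in blocks_of(cipher)))


def key_space(n_digits: int) -> int:
    """The slide's '10^N - 1 choices': 9,999 non-zero keys for N = 4. Compare
    the AES slide's 128-, 192- and 256-bit keys, whose spaces are 2^128 and up."""
    return 10 ** n_digits - 1


if __name__ == "__main__":
    c = encrypt("ANTHONY", 3654)
    print(c, decrypt(c, 3654), key_space(4))   # 3768566251686154 ANTHONY 9999
```

Running the block reproduces the slide's ciphertext and recovers ANTHONY; try `encrypt("ZZ", 9999)` to see a block wrap (2626 + 9999 becomes 2625) and `decrypt` bring it back.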

Page 15

Copyright © 2011 Pearson Education, Inc.

Public Key Encryption

Uses two mathematically related digital keys

Public key (widely disseminated)

Private key (kept secret by owner)

Both keys used to encrypt and decrypt message

Once key used to encrypt message, same key cannot be used to decrypt message

Sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it

Slide 5-15

Page 16

Copyright © 2010 Pearson Education, Inc. Slide 1-16

Page 17

12-17 © 2007 Prentice-Hall, Inc

Public Key Encryption for Confidentiality

(Diagram: Party A encrypts with Party B's public key → Encrypted Message → Party B decrypts with Party B's private key; in the other direction Party B encrypts with Party A's public key → Encrypted Message → Party A decrypts with Party A's private key)

Note: four keys are used to encrypt and decrypt in both directions

Page 18

Copyright © 2011 Pearson Education, Inc.

Public Key Cryptography – A Simple Case

Figure 5.8, Page 289

Slide 5-18

Page 19

Public Key Encryption Using Digital Signatures and Hash Digests

Hash function: mathematical algorithm that produces a fixed-length number called a message or hash digest

Hash digest of message sent to recipient along with message to verify integrity

Hash digest and message encrypted with recipient’s public key

Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation

Copyright © 2014 Pearson Education, Inc. Slide 5-19

Page 20

12-20 © 2007 Prentice-Hall, Inc

Digital Signature: Sender

(Diagram: Plaintext → Hash → MD → Sign (Encrypt) MD with Sender's Private Key → DS)

To create the digital signature:

1. Hash the plaintext to create a brief message digest; this is NOT the digital signature.

2. Sign (encrypt) the message digest with the sender's private key to create the digital signature.

Page 21

12-21 © 2007 Prentice-Hall, Inc

Digital Signature

(Diagram: Sender → Receiver, carrying DS + Plaintext)

Add digital signature to each message: provides message-by-message authentication

Encrypted for confidentiality

Page 22

12-22 © 2007 Prentice-Hall, Inc

Digital Signature

(Diagram: Sender encrypts → Transmission → Receiver decrypts; DS + Plaintext)

Send plaintext plus digital signature, encrypted with the public key of the receiver

Page 23

12-23 © 2007 Prentice-Hall, Inc

Digital Signature: Receiver

(Diagram: received Plaintext → 1. Hash → MD; DS → 2. Decrypt with True Party's Public Key → MD; 3. Are they equal?)

1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.

2. Decrypt the digital signature with the sender's public key. This also should give the message digest.

3. If the two match, the message is authenticated; the sender has the True Party's private key.

Page 24

Copyright © 2011 Pearson Education, Inc.

Public Key Cryptography with Digital Signatures

Figure 5.9, Page 291

Slide 5-24

Page 25

12-25 © 2007 Prentice-Hall, Inc

Public Key Deception

Impostor:

“I am the True Person.”

“Here is TP's public key.” (Sends Impostor's public key)

“Here is authentication based on TP's private key.” (Really Impostor's private key)

Decryption of message from Verifier: it was encrypted with Impostor's public key, so Impostor can decrypt it

Verifier:

Must authenticate True Person.

Believes it now has TP's public key

Believes True Person is authenticated, based on Impostor's public key (Critical Deception)

“True Person, here is a message encrypted with your public key.”

Page 26

Copyright © 2010 Pearson Education, Inc. Slide 5-26

http://swiki.fromdev.com/2009/11/ssl-is-not-secure-anymore-serious.html

Page 27

Digital Certificates and Public Key Infrastructure (PKI)

Digital certificate includes: name of subject/company; subject's public key; digital certificate serial number; expiration date, issuance date; digital signature of CA

Public Key Infrastructure (PKI): CAs and digital certificate procedures

PGP

Copyright © 2014 Pearson Education, Inc. Slide 5-27
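The public-key slides from Page 17 through Page 27 describe one chain of ideas: encrypt for the receiver with the receiver's public key, sign with the sender's private key and verify with the sender's public key, the public key deception in which an impostor substitutes its own key, and the certificate that binds a name to a key under a CA's signature. The added example below (not the slides' or the textbook's code) walks through all four with textbook RSA on tiny constructed primes and no padding, purely so that every step is visible; it is not a usable cipher. Party A, Party B, the Impostor and the CA key pairs, the message, the date strings and all function names are this example's own constructions.

```python
"""Toy walkthrough of the public-key slides (added example; textbook RSA with
tiny primes, for illustration only)."""
import hashlib


def make_keypair(p, q, e):
    """Textbook RSA from two constructed primes -> (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)        # d = e^-1 mod phi (Python 3.8+)


def digest(message: bytes, n: int) -> int:
    """Sender step 1: hash the plaintext to a message digest (MD), reduced mod n
    so the toy key can act on it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Sender step 2: 'encrypt' the MD with the SENDER's private key -> DS."""
    d, n = private
    return pow(digest(message, n), d, n)


def verify(message: bytes, ds: int, public) -> bool:
    """Receiver steps 1-3: hash the received plaintext, decrypt the DS with the
    claimed sender's public key, and compare the two digests."""
    e, n = public
    return pow(ds, e, n) == digest(message, n)


def encrypt_ints(values, public):
    """Confidentiality (slide 17): each integer (< n) encrypted with the RECEIVER's public key."""
    e, n = public
    return [pow(v, e, n) for v in values]


def decrypt_ints(values, private):
    """...and decrypted with the receiver's own private key."""
    d, n = private
    return [pow(v, d, n) for v in values]


# Constructed toy key pairs. Party A signs with A_PRIV; Party B decrypts with B_PRIV.
A_PUB, A_PRIV = make_keypair(61, 53, 17)       # n = 3233
B_PUB, B_PRIV = make_keypair(71, 67, 13)       # n = 4757 (> 3233, so A's DS fits in one block)


def send(message: bytes, sender_priv, receiver_pub):
    """Slide 22: plaintext plus DS, the whole envelope encrypted with the receiver's public key."""
    return encrypt_ints(list(message) + [sign(message, sender_priv)], receiver_pub)


def receive(envelope, receiver_priv, sender_pub):
    """Slide 23: decrypt, split off the DS, then run the three verification steps."""
    *body, ds = decrypt_ints(envelope, receiver_priv)
    message = bytes(body)
    return message, verify(message, ds, sender_pub)


def tamper_detected() -> bool:
    """A DS made over one plaintext does not verify over a different one (integrity)."""
    ds = sign(b"Pay 100 to Alice", A_PRIV)
    return not verify(b"Pay 900 to Alice", ds, A_PUB)


# Slide 25: the impostor hands over ITS OWN public key and signs with its own private key.
IMP_PUB, IMP_PRIV = make_keypair(83, 89, 17)   # n = 7387


def deception_succeeds(message: bytes = b"I am the True Person.") -> bool:
    """Verification passes: the verifier checks against whatever key it was handed.
    The maths proves possession of the matching private key, not who owns it."""
    return verify(message, sign(message, IMP_PRIV), IMP_PUB)


# Slide 27: a certificate binds a subject name to a public key under the CA's signature.
CA_PUB, CA_PRIV = make_keypair(97, 103, 5)     # n = 9991


def cert_tbs(cert) -> bytes:
    """Canonical to-be-signed bytes: every certificate field except the CA's signature."""
    fields = ("subject", "public_key", "serial", "not_before", "not_after")
    return repr(tuple(cert[f] for f in fields)).encode()


def issue_cert(subject, public_key, serial, not_before, not_after, ca_priv):
    cert = {"subject": subject, "public_key": public_key, "serial": serial,
            "not_before": not_before, "not_after": not_after}     # ISO dates as strings
    cert["ca_signature"] = sign(cert_tbs(cert), ca_priv)
    return cert


def cert_valid(cert, expected_subject, ca_pub, today: str) -> bool:
    """Verifier: CA signature intact, subject is the party we want, inside the validity window."""
    return (verify(cert_tbs(cert), cert["ca_signature"], ca_pub)
            and cert["subject"] == expected_subject
            and cert["not_before"] <= today <= cert["not_after"])


def deception_with_certs(today: str = "2016-03-07") -> bool:
    """Same deception, but the verifier now demands a CA-signed certificate for 'True Person'.
    The impostor can only sign a certificate with its own key, which fails against CA_PUB."""
    forged = issue_cert("True Person", IMP_PUB, 2, "2016-01-01", "2017-01-01", IMP_PRIV)
    return cert_valid(forged, "True Person", CA_PUB, today)


def genuine_cert_ok(today: str = "2016-03-07") -> bool:
    cert = issue_cert("True Person", A_PUB, 1, "2016-01-01", "2017-01-01", CA_PRIV)
    return cert_valid(cert, "True Person", CA_PUB, today)
```

`receive(send(b"Hello", A_PRIV, B_PUB), B_PRIV, A_PUB)` returns `(b'Hello', True)`; `deception_succeeds()` returns `True`, which is the "Critical Deception" of Page 25, and `deception_with_certs()` returns `False`, which is what the certificate check on Page 27 buys. Note that the signature is made with the sender's private key (Pages 20-23), never the recipient's, since the sender does not hold that key; and the Page 29 limits still apply, since none of this protects a private key stored carelessly.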

Page 28

Digital Certificates and Certification Authorities

Figure 5.7, Page 187

Copyright © 2014 Pearson Education, Inc. Slide 5-28

Page 29

Limits to Encryption Solutions

Doesn't protect storage of the private key

PKI not effective against insiders, employees

Protection of private keys by individuals may be haphazard

No guarantee that verifying computer of merchant is secure

Copyright © 2014 Pearson Education, Inc. Slide 5-29

Page 30

Copyright © 2011 Pearson Education, Inc. Slide 5-30

Page 31

Insight on Society: Class Discussion

Web Dogs and Anonymity: Identity 2.0

What are some of the benefits of continuing the anonymity of the Internet?

Who are the groups involved in creating an identity system for the Internet?

Who should control a central identity system?

Copyright © 2014 Pearson Education, Inc. Slide 5-31

Page 32

Securing Channels of Communication

Secure Sockets Layer (SSL) and Transport Layer Security (TLS): establishes a secure, negotiated client-server session in which the URL of the requested document, along with its contents, is encrypted

Virtual Private Network (VPN): allows remote users to securely access the internal network via the Internet

Copyright © 2014 Pearson Education, Inc. Slide 5-32

Page 33

Secure Negotiated Sessions Using SSL/TLS

Figure 5.8, Page 189

Copyright © 2014 Pearson Education, Inc. Slide 5-33

Page 34

Protecting Networks

Firewall: hardware or software; uses a security policy to filter packets

Proxy servers (proxies): software servers that handle all communications originating from or being sent to the Internet

Copyright © 2014 Pearson Education, Inc. Slide 5-34
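The firewall on this slide is defined by one sentence: it uses a security policy to filter packets. The added example below (not from the slides or the textbook) makes that concrete as a minimal first-match packet filter with an implicit deny at the end, so that anything the policy does not explicitly allow is dropped. The site layout (a web server at 10.0.1.10, an internal 10.0.2.0/24 segment), the rules and the sample packets are all constructed for illustration.

```python
"""Minimal policy-driven packet filter (added example, not the slides' own code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the site
    proto: str       # "tcp" or "udp"
    src: str         # dotted IPv4 address
    dst: str
    dport: int       # destination port


def addr_match(pattern: str, addr: str) -> bool:
    """'*' matches anything; a pattern ending in '.' is a subnet prefix; anything
    else must match exactly, so '10.0.1.10' does not also cover '10.0.1.100'."""
    if pattern == "*":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    dst: str = "*"
    dport: Optional[int] = None  # None matches any port
    reason: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and addr_match(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy: 10.0.1.10 is the public web server; 10.0.2.0/24 holds
# internal hosts (order processing, databases) that are never Internet-facing.
POLICY = [
    Rule("allow", "in",  "tcp", "10.0.1.10", 443,  "public HTTPS to the web server"),
    Rule("allow", "in",  "tcp", "10.0.1.10", 80,   "HTTP, redirected to HTTPS by the server"),
    Rule("deny",  "in",  "*",   "10.0.2.",   None, "internal segment is not reachable from outside"),
    Rule("allow", "out", "*",   "*",         None, "traffic initiated from inside may leave"),
]


def filter_packet(p: Packet, policy=POLICY) -> Tuple[str, str]:
    """First matching rule decides; a packet no rule covers is denied (default deny)."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.reason
    return "deny", "no rule matched: default deny"


# Constructed sample traffic: (packet, verdict the policy is meant to give)
SAMPLE = [
    (Packet("in",  "tcp", "203.0.113.5", "10.0.1.10",  443), "allow"),
    (Packet("in",  "tcp", "203.0.113.5", "10.0.1.10",  22),  "deny"),   # SSH to the web server: no rule
    (Packet("in",  "tcp", "203.0.113.5", "10.0.2.15",  443), "deny"),   # internal host
    (Packet("in",  "tcp", "203.0.113.5", "10.0.1.100", 443), "deny"),   # exact match, not a prefix
    (Packet("out", "udp", "10.0.2.15",   "192.0.2.53", 53),  "allow"),  # outbound DNS
]


def audit(policy=POLICY, sample=SAMPLE):
    """Replay the sample traffic through the policy and return every mismatch as
    (packet, got, expected); an empty list means the policy does what we intend."""
    mismatches = []
    for p, expected in sample:
        got, _reason = filter_packet(p, policy)
        if got != expected:
            mismatches.append((p, got, expected))
    return mismatches


if __name__ == "__main__":
    for p, _ in SAMPLE:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, *filter_packet(p))
    print("mismatches:", audit())
```

The `audit` helper is the part worth copying: a filtering policy is only as good as the traffic you have checked it against, so keep a small table of packets with the verdict you expect and rerun it whenever a rule changes. The fourth sample packet shows why `addr_match` treats a bare address as exact rather than as a prefix.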

Page 35

Firewalls and Proxy Servers

Copyright © 2012 Pearson Education, Inc. Slide 5-35

Page 36

Protecting Servers and Clients

Operating system security enhancements: upgrades, patches

Anti-virus software: easiest and least expensive way to prevent threats to system integrity; requires daily updates (http://anti-virus-software-review.toptenreviews.com/)

Training of personnel

Copyright © 2014 Pearson Education, Inc. Slide 5-36

Page 37

A Security Plan: Management Policies

Risk assessment

Security policy

Implementation plan

Security organization

Access controls

Authentication procedures, including biometrics

Authorization policies, authorization management systems

Security audit

Copyright © 2012 Pearson Education, Inc. Slide 5-37

Page 38

Developing an E-commerce Security Plan

Copyright © 2012 Pearson Education, Inc. Slide 5-38

Page 39

E-commerce Payment Systems

Credit cards: still the dominant online payment method in the United States

Limitations of online credit card payment systems: security, merchant risk; cost; social equity

Copyright © 2014 Pearson Education, Inc. Slide 5-39

Page 40

How an Online Credit Transaction Works

Figure 5.10, Page 193

Copyright © 2014 Pearson Education, Inc. Slide 5-40

Page 41

Alternative Online Payment Systems

Online stored value systems: based on value stored in a consumer's bank, checking, or credit card account, e.g. PayPal

Other alternatives: Amazon Payments, Google Checkout (closed Nov. 20, 2013), Google Wallet

Copyright © 2014 Pearson Education, Inc. Slide 5-41

Page 42

Mobile Payment Systems

Use of mobile phones as payment devices: established in Europe, Japan, South Korea

Near field communication (NFC): short-range (2”) wireless for sharing data between devices

Expanding in the United States: Google Wallet (mobile app designed to work with NFC chips), PayPal, Square

Copyright © 2014 Pearson Education, Inc. Slide 5-42

Page 43

Digital Cash and Virtual Currencies

Digital cash: based on an algorithm that generates unique tokens that can be used in the “real” world, e.g. Bitcoin

Virtual currencies: circulate within an internal virtual world, e.g. Linden Dollars in Second Life, Facebook Credits

Copyright © 2014 Pearson Education, Inc. Slide 5-43

Page 44

Electronic Billing Presentment and Payment (EBPP)

Online payment systems for monthly bills; 50% of all bill payments

Two competing EBPP business models: biller-direct (the dominant model) and consolidator

Both models are supported by EBPP infrastructure providers

Copyright © 2014 Pearson Education, Inc. Slide 5-44