elc 200 day 11. agenda questions? assignment 3 is not corrected missing assignments assignment 4 is...
TRANSCRIPT
ELC 200ELC 200Day 11Day 11
Agenda Questions? Assignment 3 is Not Corrected
Missing assignments
Assignment 4 is posted Due March 7 @ 9:30 AM Assignment4.pdf
Quiz 2 on March 7 Chap 3-5 Same format as before Extra credit question on Hackers convicted in Maine
Finish discussion on E-Commerce Security and Payment systems
Chapter 5Chapter 5E-commerce Security and E-commerce Security and
Payment SystemsPayment Systems
Copyright © 2014 Pearson Education, Inc.
Learning Objectives Understand the scope of e-commerce crime and security problems. Describe the key dimensions of e-commerce security. Identify the key security threats in the e-commerce environment. Describe how technology helps protect the security of messages sent over
the Internet. Identify the tools used to establish secure Internet communications
channels, and protect networks, servers, and clients. Identify the major e-commerce payment systems in use today. Describe the features and functionality of electronic billing presentment and
payment systems.
The E-commerce Security Environment
Figure 5.1, Page 168
Copyright © 2014 Pearson Education, Inc. Slide 5-5
Copyright © 2014 Pearson Education, Inc. Slide 1-6
Technology Solutions Protecting Internet communications
Encryption
Securing channels of communicationSSL, VPNs
Protecting networksFirewalls
Protecting servers and clients
Copyright © 2014 Pearson Education, Inc. Slide 5-7
Tools Available to Achieve Site Security
Figure 5.4, Page 181
Copyright © 2014 Pearson Education, Inc. Slide 5-8
Encryption Encryption
Transforms data into cipher text readable only by sender and receiver
Secures stored information and information transmission
Provides 4 of 6 key dimensions of e-commerce security Message integrity Nonrepudiation Authentication Confidentiality
Copyright © 2014 Pearson Education, Inc. Slide 5-9
Symmetric Key Encryption Sender and receiver use same digital key to encrypt
and decrypt message Requires different set of keys for each transaction Strength of encryption
Length of binary key used to encrypt data
Advanced Encryption Standard (AES) Most widely used symmetric key encryption Uses 128-, 192-, and 256-bit encryption keys
Other standards use keys with up to 2,048 bits
Copyright © 2014 Pearson Education, Inc. Slide 5-10
12-11© 2007 Prentice-Hall, Inc
What Is Encryption? A way to transform a message so that only the sender and recipient can
read, see, or understand it
Plaintext (cleartext): the message that is being protected
Encrypt (encipher): transform a plaintext into ciphertext
Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message
Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines
Plaintext + key = Ciphertext
Ciphertext – key = Plaintext
12-12© 2007 Prentice-Hall, Inc
Symmetric Key Encryption
Message“Hello”
EncryptionMethod &
Key
SymmetricKey
Party A
Party B
InterceptorNetwork
Encrypted Message
Encryption uses anon-secret encryption method and
a secret key
12-13© 2007 Prentice-Hall, Inc
Simple example (encrypt) Every letter is converted to a two digit number
A=1, Z = 26 ANTHONY 01 14 20 08 15 14 25 Produce any 4 digit key 3654 (10N-1 choices =
9,999) Add together in blocks of 4 digits 0114 + 3654 = 3768 2008 + 3654 = 5662 1514 + 3654 = 5168 2500 + 3654 = 6154 (pad with 00 to make even)
Send 3768566251686154 to fellow Spy
12-14© 2007 Prentice-Hall, Inc
Simple example (Decrypt) Received 3768566251686154 from fellow Spy
Break down in 4 digits groupings 3768 5662 5168 6154
Get right Key 3654 Subtract key from blocks of 4 digits 3768 - 3654 = 114 5662 - 3654 = 2008 5168 - 3654 = 1514 6154 - 3654 = 2500 If result is negative add 10000
Break down to 2 digits and decode 01 = A, 14 =N, 20 = T, 08 = H
Copyright © 2011 Pearson Education, Inc.
Public Key Encryption
Uses two mathematically related digital keys Public key (widely disseminated)
Private key (kept secret by owner)
Both keys used to encrypt and decrypt message
Once key used to encrypt message, same key cannot be used to decrypt message
Sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it
Slide 5-15
Copyright © 2010 Pearson Education, Inc. Slide 1-16
12-17© 2007 Prentice-Hall, Inc
Public Key EncryptionPublic Key Encryption for Confidentiality
EncryptedMessage
EncryptedMessage
Party A Party B
Encrypt withParty B’s Public Key
Decrypt withParty B’s Private Key
Decrypt withParty A’s Private Key
Encrypt withParty A’s Public Key
Note:Four keys are used to encryptand decrypt in both directions
Copyright © 2011 Pearson Education, Inc.
Public Key Cryptography – A Simple Case
Figure 5.8, Page 289
Slide 5-18
Public Key Encryption Using Digital Signatures and Hash Digests
Hash function: Mathematical algorithm that produces fixed-length number called
message or hash digest
Hash digest of message sent to recipient along with message to verify integrity
Hash digest and message encrypted with recipient’s public key
Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
Copyright © 2014 Pearson Education, Inc. Slide 5-19
12-20© 2007 Prentice-Hall, Inc
Digital Signature: Sender
DS
Plaintext
MD
Hash
Sign (Encrypt) MD withSender’s Private Key
To Create the Digital Signature:
1. Hash the plaintext to create
a brief message digest; This is
NOT the digital signature
2. Sign (encrypt) the message
digest with the sender’s private
key to create the digital
Signature
12-21© 2007 Prentice-Hall, Inc
Digital Signature
SenderReceiver
DS Plaintext
Add Digital Signature to Each MessageProvides Message-by-Message Authentication
Encrypted for Confidentiality
12-22© 2007 Prentice-Hall, Inc
Digital Signature
SenderEncrypts Receiver
Decrypts
Send Plaintext plus Digital SignatureEncrypted with Public key of receiver
DS Plaintext
Transmission
12-23© 2007 Prentice-Hall, Inc
Digital Signature: Receiver
DSReceived Plaintext
MDMD
1.Hash
2.Decrypt withTrue Party’sPublic Key
3.Are they Equal?
1. Hash the receivedplaintext with the samehashing algorithm the
sender used. This givesthe message digest
2. Decrypt the digitalsignature with the sender’spublic key. This also should
give the message digest.
3. If the two match, the message is authenticated;The sender has the true
Party’s private key
Copyright © 2011 Pearson Education, Inc.
Public Key Cryptography with Digital Signatures
Figure 5.9, Page 291
Slide 5-24
12-25© 2007 Prentice-Hall, Inc
Public Key Deception Impostor
“I am the True Person.”
“Here is TP’s public key.” (Sends Impostor’s public key)
“Here is authenticationbased on TP’s private key.”
(Really Impostor’s private key)
Decryption of message from Verifierencrypted with Impostor’s public key,
so Impostor can decrypt it
Verifier
Must authenticate True Person.
Believes now has TP’s public key
Believes True Personis authenticatedbased on Impostor’s public key
“True Person,here is a message encryptedwith your public key.”
CriticalDeception
Copyright © 2010 Pearson Education, Inc. Slide 5-26
http://swiki.fromdev.com/2009/11/ssl-is-not-secure-anymore-serious.html
Digital Certificates and Public Key Infrastructure (PKI)
Digital certificate includes: Name of subject/company Subject’s public key Digital certificate serial number Expiration date, issuance date Digital signature of CA
Public Key Infrastructure (PKI): CAs and digital certificate procedures PGP
Copyright © 2014 Pearson Education, Inc. Slide 5-27
Digital Certificates and Certification Authorities
Figure 5.7, Page 187
Copyright © 2014 Pearson Education, Inc. Slide 5-28
Limits to Encryption Solutions Doesn’t protect storage of private key
PKI not effective against insiders, employeesProtection of private keys by individuals may be
haphazard
No guarantee that verifying computer of merchant is secure
Copyright © 2014 Pearson Education, Inc. Slide 5-29
Copyright © 2011 Pearson Education, Inc. Slide 5-30
Insight on Society: Class Discussion
Web Dogs and Anonymity: Identity 2.0 What are some of the benefits of continuing
the anonymity of the Internet? Who are the groups involved in creating an
identity system for the Internet? Who should control a central identity
system?
Copyright © 2014 Pearson Education, Inc. Slide 5-31
Securing Channels of Communication Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) Establishes a secure, negotiated client-server
session in which URL of requested document, along with contents, is encrypted
Virtual Private Network (VPN) Allows remote users to securely access internal
network via the Internet
Copyright © 2014 Pearson Education, Inc. Slide 5-32
Secure Negotiated Sessions Using SSL/TLS
Figure 5.8, Page 189
Copyright © 2014 Pearson Education, Inc. Slide 5-33
Protecting Networks Firewall
Hardware or softwareUses security policy to filter packets
Proxy servers (proxies)Software servers that handle all
communications originating from or being sent to the Internet
Copyright © 2014 Pearson Education, Inc. Slide 5-34
Firewalls and Proxy Servers
Copyright © 2012 Pearson Education, Inc. Slide 5-35
Protecting Servers and Clients Operating system security enhancements
Upgrades, patches
Anti-virus software Easiest and least expensive way to prevent threats to
system integrity Requires daily updates http://anti-virus-software-review.toptenreviews.com/
Training of Personnel
Copyright © 2014 Pearson Education, Inc. Slide 5-36
A Security Plan: Management Policies Risk assessment Security policy Implementation plan
Security organization Access controls Authentication procedures, including biometrics Authorization policies, authorization management
systems
Security audit
Copyright © 2012 Pearson Education, Inc. Slide 5-37
Developing an E-commerce Security Plan
Copyright © 2012 Pearson Education, Inc. Slide 5-38
E-commerce Payment Systems Credit cards
Still the dominant online payment method in United States
Limitations of online credit card payment systemsSecurity, merchant riskCostSocial equity
Copyright © 2014 Pearson Education, Inc. Slide 5-39
How an Online Credit Transaction Works
Figure 5.10, Page 193
Copyright © 2014 Pearson Education, Inc. Slide 5-40
Alternative Online Payment Systems Online stored value systems
Based on value stored in a consumer’s bank, checking, or credit card account
e.g.: PayPal
Other alternatives Amazon PaymentsGoogle Checkout (Closed Nov. 20, 2013 )
Google Wallet
Copyright © 2014 Pearson Education, Inc. Slide 5-41
Mobile Payment Systems Use of mobile phones as payment devices
established in Europe, Japan, South Korea Near field communication (NFC)
Short-range (2”) wireless for sharing data between devices
Expanding in United States Google Wallet
Mobile app designed to work with NFC chips
PayPal Square
Copyright © 2014 Pearson Education, Inc. Slide 5-42
Digital Cash and Virtual Currencies Digital cash
Based on algorithm that generates unique tokens that can be used in “real” world
e.g.: Bitcoin
Virtual currenciesCirculate within internal virtual worlde.g.: Linden Dollars in Second Life, Facebook
Credits
Copyright © 2014 Pearson Education, Inc. Slide 5-43
Electronic Billing Presentment and Payment (EBPP)
Online payment systems for monthly bills 50% of all bill payments Two competing EBPP business models:
Biller-direct (dominant model) Consolidator
Both models are supported by EBPP infrastructure providers
Copyright © 2014 Pearson Education, Inc. Slide 5-44