Post on 16-Jan-2016
Electronic Commerce COMP3210
Session 10: Securing E-Commerce Web sites
Dr. Paul Walcott, 28/10/05
Dr. Paul Walcott - Department of Computer Science, Mathematics and Physics, University of the West Indies, Cave Hill Campus, Barbados, W.I.; email pwalcott@uwichill.edu.bb; © 2005
Session Objectives
• After completing this session you will be able to:
– Describe the requirements of a secure e-commerce Web site
– Analyse a given Web site’s security and provide improvement recommendations
Introduction
• E-commerce allows anonymous global users to access company Web sites 24 hours a day, 365 days a year
• Along with this convenience come associated risks
Introduction Cont’d
• The risks of running an e-commerce site include:
– Fraud
• Anonymous users logging on to a company’s Web site and making purchases using other people’s credit information
• The transfer of funds from or to accounts that do not belong to the user
– The unauthorised disclosure of company confidential information or the revealing of confidential financial records
Introduction Cont’d
– Unforeseen costs due to operating system patches, virus attacks, employee sabotage and server failures
– The loss of consumer confidence due to masquerading; e.g. a hacker defacing a Web site, or advertising competitors products on the Web site
Introduction Cont’d
• It does not make economic sense to protect against threats that are deemed low risk, especially if the cost to protect the asset exceeds the cost of the asset
– Example: it would be sensible to protect a network from a hurricane in Barbados, but not to protect it from low (below 0 degrees) temperatures
Introduction Cont’d
Risk management model (four quadrants, by probability and impact of a threat):

                     Low impact (cost)          High impact (cost)
High probability     I   Contain and control    II  Prevent
Low probability      III Ignore                 IV  Insurance or backup plan
Introduction Cont’d
• The risk management model on the previous slide illustrates four actions an organisation can take depending on the cost and probability of the physical threat
• In this model
– The threat posed by a hurricane in Barbados would be in quadrant II
– The threat posed by temperatures dropping below freezing would be in quadrant IV
Introduction Cont’d
• To mitigate possible risks a good security scheme is required, which
– First identifies the risks
– Determines how to protect the assets at risk
– Calculates the amount of money that should be spent protecting the assets at risk
Introduction Cont’d
• One such scheme is a security policy, which is a document that describes:
– The assets requiring protection and why
– The people responsible for protecting these assets
– Which behaviours are permissible and which are not
Introduction Cont’d
• The security policy, which should be updated regularly, typically addresses:
– Physical security
– Computer and network security
– Access authorisation, and
– Disaster recovery
• In the sections that follow the above topics will be discussed; however, the subject of cryptography will be discussed first
Cryptography
What is cryptography?
• It is the lock and key combination that prevents a non-key holder from deciphering a secret message
• What is most important is the strength of the lock and the number of possible keys
Cryptography Cont’d
• To secure a house, keys are used to lock the doors
• It is assumed that an intruder can not easily obtain a copy of the key and enter the house
– The intruder could search for all the keys in the world and try them one at a time, but this would take a long time
• Computer security uses a similar system (public/private key and secret key cryptography) to secure messages passed between computers
Cryptography Cont’d
• To describe these cryptographic systems the following terms must first be defined:
– A key is used in conjunction with a cipher to encrypt or decrypt a message. A key is simply a number (usually a binary number)
– A cipher is an algorithm used to encrypt a message
– Ciphertext is the encrypted message
– Plaintext is the unencrypted message
Cryptography Cont’d
• Since a key is a binary number, a 56 bit key has about a quadrillion different key combinations
• Traditionally, a key length of 56 bits was considered secure since:
– If one million keys were tried each second then it would take 1000 years to break the ciphertext
• However, due to increases in computing power a 56 bit key can now be broken in just 24 hours
• As a result key lengths of 128 bits or more are typical
Cryptography Cont’d
• There are two main types of cryptography
– Secret key cryptography
– Public/private key cryptography
• Secret Key Cryptography uses a symmetric key to secure a message
– the same key is used to encrypt and decrypt the message
Cryptography Cont’d
[Diagram: symmetric key cryptography, one shared key both encrypts and decrypts the message]
Cryptography Cont’d
• Public/Private Key Cryptography uses two keys (asymmetric key)
– The public key, which is distributed to everyone (the public), is used to encrypt the message, while
– The private key, which must be kept secret, is used to decrypt the message
Cryptography Cont’d
[Diagram: asymmetric (public/private) key cryptography, the public key encrypts and the private key decrypts]
Cryptography Cont’d
Secret Key Cryptography
• In secret key cryptography the key must be kept secret by both parties that are communicating
– therefore the key must be communicated in a secure fashion to protect against unauthorised access
• The advantage of secret key cryptography is that messages can be encrypted quickly
Cryptography Cont’d
Public/Private Key Cryptography
• Is much slower than secret key cryptography
• The individual or organisation that wants to receive messages keeps the private key
• The public key is distributed to everyone else (the public)
• One advantage of public/private key cryptography is that it is easier to distribute the encryption key (the public key), since it does not have to be kept secret
Cryptography Cont’d
• Public/Private key cryptography is based on the principle of inverse numbers
• To gain insight into the principle of inverse numbers consider the multiplication function
• Clearly in practice the multiplication function can not be used since it is too easy to determine the inverse number
Cryptography Cont’d
• Private/Public key cryptography actually uses prime numbers and addition in modular arithmetic
[Diagram: plaintext is encrypted with the public key to give the ciphertext; the ciphertext is decrypted with the private key to recover the plaintext]
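An added example (not from the lecture) of the inverse-number principle in working code: textbook RSA on tiny constructed primes, where the public exponent e has an inverse d only modulo (p-1)(q-1), contrasted with plain multiplication, whose inverse is immediate. It assumes Node.js (BigInt) and computes modular exponentiation, which is the operation RSA actually performs.

```javascript
// Added example (not from the lecture): the "inverse number" idea behind
// public/private key cryptography, shown with textbook RSA on tiny numbers.
// With ordinary multiplication the inverse is obvious: undoing "multiply by
// k" is just "divide by k", so the key gives away its own inverse.  RSA
// instead works modulo n = p*q: the public exponent e has an inverse d only
// modulo (p-1)(q-1), and finding d requires knowing the factors of n.

// Extended Euclidean algorithm: returns [g, x, y] with a*x + b*y = g = gcd(a, b).
function egcd(a, b) {
  if (b === 0n) return [a, 1n, 0n];
  const [g, x, y] = egcd(b, a % b);
  return [g, y, x - (a / b) * y];
}

// Modular inverse of a mod m (the "inverse number" of a), or null if none exists.
function modInverse(a, m) {
  const [g, x] = egcd(a % m, m);
  if (g !== 1n) return null;
  return ((x % m) + m) % m;
}

// Square-and-multiply modular exponentiation.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Build a toy key pair from two primes (constructed values, far too small for real use).
function makeKeyPair(p, q, e) {
  const n = p * q;
  const phi = (p - 1n) * (q - 1n);
  const d = modInverse(e, phi);
  if (d === null) throw new Error('e must be coprime to (p-1)(q-1)');
  return { publicKey: { e, n }, privateKey: { d, n } };
}

// Encrypt with the public key, decrypt with the private key (plaintext m < n).
function encrypt(m, { e, n }) { return modPow(m, e, n); }
function decrypt(c, { d, n }) { return modPow(c, d, n); }

// Plain multiplication by comparison: the "key" k and its inverse are the same secret.
function mulEncrypt(m, k) { return m * k; }
function mulDecrypt(c, k) { return c / k; }

// Worked run on constructed values: p = 61, q = 53, e = 17 (so n = 3233, d = 2753).
const keys = makeKeyPair(61n, 53n, 17n);
const ciphertext = encrypt(65n, keys.publicKey);
console.log('d =', keys.privateKey.d, 'ciphertext =', ciphertext,
            'recovered =', decrypt(ciphertext, keys.privateKey));
```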
Physical Security
• 50 years ago computer security was primarily about physical security
• Security guards/guard dogs were employed to protect the companies’ assets
• To enter the building you needed a security badge
• Surveillance systems were used to monitor activity and alarm systems warned against security breaches
Physical Security Cont’d
• Physical security worked because users accessed mainframe computers through dumb terminals
• Provided that the mainframe computer and terminals were secure, it made it difficult for individuals to penetrate these systems
• Several mainframe computers may have been connected together through dedicated links or telephone lines, yet infiltration was not easy
• With the advent of the Internet new forms of security threats have surfaced (i.e. cyber crime)
Physical Security Cont’d
• Physical security is no less important today than 50 years ago
• With the advent of terrorists, who are quite happy to blow up any infrastructure, it is just as important now to have physical security
• All Web servers and associated machines require physical protection
– Backup servers and storage at remote locations to prevent losses
Physical Security Cont’d
• Today the use of fingerprint readers and biometric security helps provide improved physical security
• Physical security methods that are now utilised include:
– Writing pads that measure the pressure and form of hand writing
– Eye scanners
– Palm scanners (entire palm rather than single finger)
Computer/Network Security
• In the computer and network security section, the protection of client and server machines, as well as the actual communication line, will be discussed
Computer/Network Security Cont’d
• Before discussing computer and network security the assurances that will be given to the user about the safety of their data must be defined
• There are four important assurances that must be given when securing an e-commerce site; these are: confidentiality, authentication, integrity and nonrepudiation
Computer/Network Security Cont’d
• Confidentiality ensures that only owners of the shared key can decrypt the message
• Authentication ensures that the persons at either end of a communication line are who they say they are
• Integrity ensures the message is not changed during transit
• Nonrepudiation ensures that the sender can not deny sending the message
Computer/Network Security Cont’d
• In addition two other assurances should be provided:
– Availability. Providing delivery assurance for each message so that a loss will not go undetected
– Key Management. Ensuring that the distribution and management of keys is done securely (note that the distribution of public keys is often done by third parties called certification authorities, e.g. Verisign)
Computer/Network Security Cont’d
• These assurances are provided through the following methods:
– Public/Private keys ensure confidentiality
– Digital signatures ensure non-repudiation and authentication
– Message authentication codes ensure data integrity
• These methods will be discussed in a later section
Client Computer Security
• This section outlines
– security threats that may occur on client computers
– how they work
– and how to protect against them
Client Computer Security Cont’d
• Active content refers to programs that are embedded transparently in Web pages that cause actions to occur
– E.g. displaying moving graphics and downloading and playing audio
– In e-commerce it is used to place items in a shopping cart and compute total invoice amounts
Client Computer Security Cont’d
• Active content also
– extends HTML functionality
• Since these programs run on the client’s computer they pose a security risk
• Examples include:
– Cookies
– Java applets
– JavaScript
• However, other examples include graphics, Web browser plug-ins and email attachments
Client Computer Security Cont’d
• Since active content is embedded in Web pages (e.g. scripting languages), it can be transparent to those browsing the Web page
• Crackers for example can include a Trojan horse in a Web page
– A Trojan horse is a program hidden inside another program or Web page that masks its true purpose
Client Computer Security Cont’d
• A Trojan horse can
– Send private information on the client’s computer back to a server (a secrecy violation)
– Alter or erase information on the client’s computer (an integrity violation)
• A cracker might also place a zombie (a program that takes over a computer to launch an attack on other computers) on your system through a Trojan horse
Client Computer Security Cont’d
• To avoid Trojan horses do not download and install software from sources that you do not trust; also make use of firewalls to block illegitimate ingoing/outgoing traffic
Client Computer Security Cont’d
• Cookies were designed to solve the problem of the stateless nature of the HTTP protocol
– To save information between one session and another
• For example, when a user logs into a Web site their name and membership information could be stored in a cookie and be used in other pages on the Web site.
Client Computer Security Cont’d
• Allowing active content to be added to Web pages used for e-commerce can be dangerous since:
– Cookies (files) frequently store credit card numbers, usernames and passwords
– Information stored in cookies can be read by the Server computer that stored them there
Client Computer Security Cont’d
• There are two types of time duration cookies
– Session cookies
• These exist until the Web client ends the session (or connection)
– Persistent cookies
• These remain on the client’s computer indefinitely
• E-commerce uses both types of these cookies
Client Computer Security Cont’d
• Cookies can also be categorised by source:
– First-party cookies are cookies put on the client computer by the Web server
– Third-party cookies are cookies put on the client computer by some other Web site
• The third-party Web site usually provides some content on the Web site being viewed
Client Computer Security Cont’d
• These third-party Web sites can then track visitors from one site to the next (because they have ads and cookies set up on many of these sites)
Client Computer Security Cont’d
• To protect yourself against cookies:
– Disable cookies altogether, however this will stop some sites from functioning correctly
• Users would have to re-enter information every time they visit the Web site
– Disable third-party cookies
– Or use a third-party cookie blocker program that stores cookies selectively
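An added example (not the lecture’s code) that applies the two cookie classifications above, duration and source, to constructed Set-Cookie headers and flags the weak settings a reviewer would raise; the hostnames and cookie values are made up, and the first/third-party test is a simplification that compares the last two host labels.

```javascript
// Added example (not from the lecture): classify the cookies a page receives
// the way the slides do (session vs persistent, first- vs third-party) and
// flag ones that are readable by page scripts, sent over plain HTTP, or that
// appear to carry a card number.  Input: constructed Set-Cookie headers,
// each tagged with the host that sent it.

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Session cookie: no Expires and no Max-Age, so it lives only until the session ends.
function durationType(cookie) {
  return 'expires' in cookie.attrs || 'max-age' in cookie.attrs ? 'persistent' : 'session';
}

// Same site as the page being viewed -> first party; otherwise third party.
// (Simplification: compares the last two host labels, e.g. shop.example.com vs example.com.)
function sourceType(pageHost, cookieHost) {
  const site = (h) => h.split('.').slice(-2).join('.');
  return site(pageHost) === site(cookieHost) ? 'first-party' : 'third-party';
}

// Audit: classification plus the warnings a reviewer would raise.
function auditCookies(pageHost, received) {
  return received.map(({ from, header }) => {
    const c = parseSetCookie(header);
    const warnings = [];
    if (!c.attrs.httponly) warnings.push('readable by page scripts (no HttpOnly)');
    if (!c.attrs.secure) warnings.push('sent over plain HTTP (no Secure)');
    if (/^\d{13,19}$/.test(c.value)) warnings.push('value looks like a card number');
    return { name: c.name, duration: durationType(c), source: sourceType(pageHost, from), warnings };
  });
}

// Constructed sample: a shop page that also loads content from an ad network.
const sampleHeaders = [
  { from: 'shop.example.com', header: 'SESSIONID=a1b2c3; Path=/; Secure; HttpOnly' },
  { from: 'shop.example.com', header: 'member=jane; Max-Age=31536000; Path=/' },
  { from: 'ads.tracker.test', header: 'uid=778899; Expires=Wed, 01 Jan 2025 00:00:00 GMT' },
  { from: 'shop.example.com', header: 'card=4111111111111111; Path=/checkout' },
];

console.log(auditCookies('shop.example.com', sampleHeaders));
```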
Client Computer Security Cont’d
• “An (Java) applet is a program written in the Java programming language that can be included in an HTML page, much in the same way an image is included.” [2]
• “When you use a Java technology-enabled browser to view a page … the applet's code is transferred to your system and executed by the browser's Java Virtual Machine (JVM).” [2]
• Java applets are included in Web pages using the <applet> or <object> tags.
Client Computer Security Cont’d
• Once an applet is downloaded, Java code runs on the client’s computer, which introduces a security hole
• To counteract this Java has a security model called the Java sandbox which prevents applets from performing certain functions, e.g.
– file input, output, or
– delete operations
• This scheme provides secrecy and integrity
Client Computer Security Cont’d
• JavaScript is a scripting language developed by Netscape
• When a Web page is downloaded and contains embedded JavaScript code, it runs on the user’s (client) computer
• JavaScript can be used to attack the client’s computer
– destroy the hard disk
– Disclose email stored in mailboxes
– Capture information stored in Web forms (e.g. credit card information)
Client Computer Security Cont’d
• Try the following JavaScript code which, through the use of a recursive routine, locks up your Web browser

    <html>
    <body>
    <script type="text/javascript">
      askmeagain();
      function askmeagain() {
        alert("Ouch!");
        askmeagain();
      }
    </script>
    </body>
    </html>
Client Computer Security Cont’d
• An ActiveX control is an object that contains programs
• And only runs on the Windows operating system
• When downloaded the control is run on the client’s computer like any other program
– They have full access to system resources
• Can reformat hard disk
• Rename or delete files
• Shut down the computer
Client Computer Security Cont’d
• Execution of ActiveX controls can not be halted once started
• Web browsers can be configured to warn users when ActiveX controls are about to be downloaded
Client Computer Security Cont’d
• Graphics, browser plug-ins and email attachments can include executable content
• Some graphic file formats contain special instructions on how to render the graphic
– The embedded code can be used to attack your computer
• Plug-ins enhance your browser’s capabilities but can also pose a threat
Client Computer Security Cont’d
• A virus is software that attaches itself to another program
• A macro virus is a type of virus that is coded as a macro
• A worm is a type of virus that replicates itself on the computer it affects
• Email attachments may include word processing files, spreadsheets, databases and images which may contain viruses
– Viruses within Word and Excel macros (Visual Basic for Applications) can damage your computer
Client Computer Security Cont’d
• Viruses tend to prey on operating system (or Web server) vulnerabilities
• To counteract viruses
– Ensure you have installed the latest security patches
– Also ensure that you are running the latest Antivirus software with the latest virus updates
Client Computer Security Cont’d
Digital Certificates
• One way of verifying the source of information is through a digital certificate
• A digital certificate is an attachment to a message which verifies the sender of the message
• It contains an encrypted message that
– identifies the author
– Indicates whether the certificate is valid or not
Client Computer Security Cont’d
• The creator of the digital certificate proclaims:
– That they have attached Mr. X’s public key
– and signed (a hash of) it with their private key
• These digital certificates must be created by someone you trust
• A digital certificate has two parts:
– Plaintext
• States who the certificate is created for and that the public key is attached
– The plaintext hashed and signed (using a message authentication code and a digital signature)
Client Computer Security Cont’d
• Other information on the digital certificate is:
– The certificate owner’s identifying information, such as name, organisation and address
– The certificate owner’s public key
– Dates between which the certificate is valid
– Serial number of the certificate
– Name of the certificate issuer
– Digital signature of the certificate issuer
Client Computer Security Cont’d
• Digital certificates are issued by a certification authority (CA)
– To individuals or organisations
– Appropriate proof of identity must be provided
• One of the oldest and best known certification authorities is VeriSign
Communication Channel Security
• Communication channel threats come from various sources including:
– Sniffer Programs
– Backdoors
– CyberVandalism
– Masquerading or Spoofing
– Denial-of-Service
– Man-in-the-middle exploit
Comm. Channel Security Cont’d
Sniffer Programs
• These programs provide a means of recording packets passing through a computer or router
– It is similar to telephone line tapping
• Sniffer programs can
– Read email messages
– Read user logins and passwords
– Read credit card numbers
Comm. Channel Security Cont’d
Backdoors
• Some e-commerce programs contain backdoors
• These backdoors are left intentionally or unintentionally by software developers
• Backdoors provide a way for an unauthorised user to gain access to protected information including:
– Credit card information
– Proprietary company information (which could be sold for millions to competitors)
Comm. Channel Security Cont’d
CyberVandalism
• This is the electronic defacing of Web site pages
– By replacing regular content
• It is parallel to the spraying of graffiti on public property
Comm. Channel Security Cont’d
Masquerading or Spoofing
• This is when a person impersonates someone else
– E.g. pretending that a Web site belongs to someone else, when it does not
• On a domain name server a perpetrator might use a security hole in order to change the IP address of a given Web page
– Any order entered on this new page could then be modified (e.g. change the shipping address of the goods) and sent to the original Web site.
Comm. Channel Security Cont’d
Denial-of-Service Threat
• This threat disrupts normal computer processing
• For example a zombie computer could be used to flood a Web site with packets
• This prevents legitimate users from using the Web site
• This also may lead to a loss in business
Comm. Channel Security Cont’d
Man-in-The-Middle Exploit
• Imagine sending an important message containing valuable information to a colleague
• A person intercepts this email and changes its contents
• The intended recipient receives the email and acts on the wrong information.
• This is called the man-in-the-middle exploit
Comm. Channel Security Cont’d
• Solutions for communication channel threats include:
– Symmetric Encryption (discussed earlier)
– Asymmetric Encryption (discussed earlier)
– Digital Signatures
– Message Hashing
– Digital Certificates (discussed earlier)
– Secure Socket Layer
Comm. Channel Security Cont’d
Digital Signatures
• Are an electronic version of a written signature
• When creating a digital signature a private key is used to encrypt and the public key to decrypt
• Since the process of signing is slow (because it utilises public/private key cryptography), messages are compressed before they are signed
• Alternatively, a hash is created from the message and signed, which improves speed
Comm. Channel Security Cont’d
Message Authentication Codes (MACs)
• Ensure the integrity of data
• MACs work in the following way
– The sender creates the MAC using the message to be transmitted and a publicly available MAC formula
– Both the MAC and the message are transmitted
– The receiver creates a MAC from the received message, and
– Compares the two MACs. If they are the same the message has not been tampered with
Comm. Channel Security Cont’d
• MACs are important since
– A MAC is very small (a number of bytes) compared with the size of most messages
– Messages are often long
– Encryption and decryption is time-consuming
– It ensures message integrity
– It is not the same as compression since you can not recover the original message from the MAC
– It is similar to a checksum
Comm. Channel Security Cont’d
Hashing
• MAC and hashing are extremely similar
• A hash value is generated using a hash algorithm
• Hash values act as fingerprints for messages
• Hash values are almost always unique (very low probability of the same hash value)
• A hash provides message integrity
Comm. Channel Security Cont’d
Secure Sockets Layer
• This provides a secure way for client and server to transmit confidential information
• A session key is a secret key created (for the purpose of encrypted communication) for the duration of an SSL session
• Public/Private key cryptography is used to transmit the session key
Comm. Channel Security Cont’d
• Secret key encryption is used for all subsequent communication
– Secret key encryption is between 100 and 1000 times faster than Public/Private Key encryption
• The following diagram describes the handshaking done by the client and server
Comm. Channel Security Cont’d
SSL handshake (reconstructed from the diagram):
1. Client sends “hello” message, listing the encryption algorithms it supports and the key length
2. Server responds with “hello” message and sends the server certificate containing the server’s public key
3. Client sends response: the client certificate and the private session key, encrypted (with the server’s public key)
4. Server receives the client response and initiates the session
5. Session: data is sent between client and server using the private, shared key
Server Computer Security
• Server vulnerabilities come from
– Web servers and their software
– Backend programs such as
• Database programs
Server Computer Security
Web Server Threats
• The more complex the software the more likely it contains errors which might lead to vulnerabilities
• A Web server can compromise secrecy if it allows automatic directory listings
• Passwords users select could be a threat since a dictionary attack might reveal them
Server Computer Security
Database Threats
• These databases store confidential information
• Some databases store username/passwords in unencrypted tables, or do not enforce security at all
Server Computer Security
Other Threats
• Threats may arise when programs are executed by the server
– E.g. buffer overrun or buffer overflow
• Buffers can overflow into critical memory locations causing the Web server to run an attacker’s program
– Mail bombs cause mail servers to malfunction by overloading them with email
Server Computer Security
Firewalls
• For a useful presentation on firewalls see: http://scitec.uwichill.edu.bb/cmp/online/comp3210/presentations/AntonioArthur.ppt
Access Authorisation
• Only allow authorised users to access services. This can be controlled through
– Digital certificates:
• Ensure the digital signature is valid
• Check the time stamp on the digital certificate
– Usernames and passwords
Disaster Recovery
• Disaster recovery is concerned with how quickly a company can recover from machine failure, disk failures, software failure and power failures and surges
References
[1] Schneider, Gary P., “Electronic Commerce: The Second Wave”, Thomson Course Technology, Fifth Annual Edition, 2004
[2] Sun Microsystems, “Code Samples and Apps”, 2005. Available online at http://java.sun.com/applets/