12 December 2010 - E-Commerce Security Challenges and Solutions
Transcript of 12 December 2010 - E-Commerce Security Challenges and Solutions
1
E-Commerce: Security Challenges and Solutions
Modified by: Usman Tariq
Made by: Dr. Khalid Al-Tawil
2
Outline of the Presentation
Internet Security
Cryptography
Firewalls
E-Commerce Challenges
E-Commerce Security
Global & Local Issues
3
Challenges to Security
The Internet was never designed with security in mind.
Many companies fail to take adequate measures to protect their internal systems from attacks.
Security precautions are expensive [firewalls, secure web servers, encryption mechanisms].
Security is difficult to achieve.
4
Introduction
Two Major Developments During the Past Decade:
1. Widespread Computerization
2. Growing Networking and Internetworking
   The Internet
Need for Automated Tools for Protecting Files and Other Information.
Network and Internetwork Security refer to measures needed to protect data during its transmission from one computer to another in a network or from one network to another in an internetwork.
5
…Continue
Security is complex. Some reasons are:
Requirements for security services are:
   Confidentiality
   Authentication
   Integrity
Key Management is difficult.
   Creation, Distribution, and Protection of Key information calls for the need for secure services, the same services that they are trying to provide.
6
Cyber terrorists
In 1996 the Pentagon revealed that in the previous year it had suffered some two hundred fifty thousand attempted intrusions into its computers by hackers on the Internet.
Nearly a hundred sixty of the break-ins were successful.
7
…Continue
Security Attacks:
1. Interruption
2. Interception
3. Modification
4. Fabrication
5. Viruses
Passive Attacks:
1. Interception (confidentiality)
   1. Release of message contents
   2. Traffic Analysis
8
…Continue
Active Attacks:
Interruption (availability)
Modification (integrity)
Fabrication (integrity)
9
Security Threats
1. Unauthorized access
2. Loss of message confidentiality or integrity
3. User Identification
4. Access Control
5. Players:
   User community
   Network Administration
6. The bigger the system, the safer it is
   MVS mainframe users (5%)
   UNIX users (25%)
   Desktop users (50%)
10
Introduction to Security Risks
[Diagram labels: “$$”; The Internet: open; Your network: data!; virus; Hackers and crackers]
11
The Main Security Risks
1. Data being stolen
   Electronic mail can be intercepted and read
   Customers’ credit card numbers may be read
2. Login/password and other access information stolen
3. Operating system shutdown
4. File system corruption
5. User login information can be captured
12
Viruses
Unauthorized software being run
Games
Widely distributed software
Shareware
Freeware
Distributed software
13
Possible Security “Holes”
Passwords
   Transmitted in plain text
   Could be temporarily stored in unsafe files
   Could be easy to guess
Directory structure
   Access to system directories could be a threat
In the operating system software
   Some operating system software is not designed for secure operation
Security system manager should subscribe to
   comp.security.unix
   comp.security.misc
   alt.security
14
Security Strategies
Use a separate host
1. Permanently connected to the Internet, not to your network.
2. Users dial in to a separate host and get onto the Internet through it.
Passwords
1. Most important protection
2. Should be at least eight characters long
3. Use a mixture of alpha and numeric
4. Should not be able to be found in dictionary; should not be associated with you!
5. Change regularly
15
…Continue
Every transaction generates a record in a security log file
1. Might slow traffic and host computer
2. Keeps a permanent record on how your machine is accessed
Tracks
1. Generates alarms when someone attempts to access secure area
2. Separate the directories that anonymous users can access
3. Enforce user account logon for internal users
4. Read web server logs regularly
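A sketch of the "generate alarms" and "read web server logs" points above, added here as an example and not part of the original slides. The log lines are constructed, and the `/secure` directory name and the threshold of three refusals are assumptions.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

SECURE_DIR = "/secure"   # assumption: directory closed to anonymous users
THRESHOLD = 3            # assumption: refusals per client before alarming

# Constructed sample in Common Log Format (not taken from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2010:10:00:01 +0000] "GET /pub/index.html HTTP/1.0" 200 1043
203.0.113.9 - - [12/Dec/2010:10:00:05 +0000] "GET /secure/orders.txt HTTP/1.0" 401 210
203.0.113.9 - - [12/Dec/2010:10:00:06 +0000] "GET /secure/orders.txt HTTP/1.0" 401 210
203.0.113.9 - - [12/Dec/2010:10:00:07 +0000] "GET /pub/%2e%2e/secure/orders.txt HTTP/1.0" 403 199
10.0.0.5 - alice [12/Dec/2010:10:01:00 +0000] "GET /secure/report.html HTTP/1.0" 200 512
198.51.100.7 - - [12/Dec/2010:10:02:00 +0000] "GET /secure/report.html HTTP/1.0" 200 512
"""

CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')

def normalize(raw_path):
    """Decode %xx escapes and collapse ../ so /pub/../secure is seen as /secure."""
    path = posixpath.normpath(unquote(raw_path.split("?", 1)[0]))
    return "/" + path.lstrip("/")

def scan(log_text):
    """Return alarm tuples for requests that touch SECURE_DIR."""
    refused, alarms = Counter(), []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            alarms.append(("unparsed", line))  # never skip a malformed line silently
            continue
        host, user, raw_path, status = m.groups()
        path = normalize(raw_path)
        if not (path + "/").startswith(SECURE_DIR + "/"):
            continue
        if user == "-" and status.startswith("2"):
            alarms.append(("anonymous-access", host, path))
        elif status in ("401", "403"):
            refused[host] += 1
            if refused[host] == THRESHOLD:  # alarm once per client
                alarms.append(("repeated-refusals", host, path))
    return alarms

if __name__ == "__main__":
    for alarm in scan(SAMPLE_LOG):
        print(alarm)
```

The path is normalized before the directory check so that an encoded `../` request against the secure area is counted with the plain ones.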
16
Cryptography
The Science of Secret writing.
Encryption: Data is transformed into unreadable form.
Decryption: Transforming the encrypted data back into its original form.
[Diagram labels: Plaintext, Encryption, Ciphertext, Decryption]
17
Types of Cryptosystems
Conventional Cryptosystems
   Secret key Cryptosystems.
   One secret key for Encryption and Decryption.
   Example: DES
Public key cryptosystems
   Two Keys for each user
      Public key (encryptions)
      Private key (decryptions)
   Example: RSA
18
Firewalls
1. A firewall is a barrier placed between the private network and the outside world.
2. All incoming and outgoing traffic must pass through it.
3. Can be used to separate address domains.
4. Control network traffic.
5. Cost: ranges from no-cost (available on the Internet) to a $100,000 hardware/software system.
6. Types:
   Router-Based
   Host Based
   Circuit Gateways
19
Firewall
[Figure: Schematic of a firewall. Labels: Outside, Filter, Gateway(s), Inside]
20
Firewall Types (Router-Based)
1. Use programmable routers
2. Control traffic based on IP addresses or port information.
Examples:
   Bastion Configuration
   Diode Configuration
To improve security:
1. Never allow in-band programming via Telnet to a firewall router.
2. Firewall routers should never advertise their presence to outside users.
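How a router-based filter decides on IP addresses and ports, as an added example that is not part of the original slides. The addresses, the three rules and the first-match, default-deny evaluation order are assumptions chosen to mirror the two recommendations above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

# Constructed addresses (documentation and private ranges), not from the slides.
ANY = "0.0.0.0/0"
ROUTER = "192.0.2.1/32"    # the firewall router itself
WEB = "192.0.2.80/32"      # public web server
INSIDE = "10.0.0.0/8"      # private internal network

RULES = [
    Rule("deny", ANY, ROUTER, "tcp", 23),      # no in-band Telnet programming, even from inside
    Rule("permit", INSIDE, ANY, "any", None),  # internal hosts may open connections
    Rule("permit", ANY, WEB, "tcp", 80),       # outside users reach only the web server
]

def matches(rule, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def decide(src, dst, proto, dport, rules=RULES):
    """Return (action, rule number); first match wins, 0 means default deny."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, src, dst, proto, dport):
            return rule.action, number
    return "deny", 0

if __name__ == "__main__":
    for packet in [("203.0.113.9", "192.0.2.1", "tcp", 23),
                   ("203.0.113.9", "192.0.2.80", "tcp", 80),
                   ("203.0.113.9", "10.1.2.3", "tcp", 445)]:
        print(packet, decide(*packet))
```

The default deny is what keeps the router silent to outside users: nothing addressed to it from outside matches a permit rule. This filter is stateless and trusts the source address; a real router also ties rules to the interface a packet arrived on.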
21
Bastion Firewalls
[Diagram labels: Internet, External Router, Secured Router, Host PC, Private Internal Network]
22
Firewall Types (Host-Based)
1. Use a computer instead of router.
2. More flexible (ability to log all activities)
3. Works at application level
4. Use specialized software applications and service proxies.
5. Need specialized programs, only important services will be supported.
23
…Continue
Example: Proxies and Host-Based Firewalls
[Diagram labels: Internet; Filtering Router (Optimal); Host running only proxy versions of FTP, Telnet and so on; Internal Network]
24
Electronic Mail Security
E-mail is the most widely used application in the Internet.
Who wants to read your mail?
1. Business competitors
2. Reporters, Criminals
3. Friends and Family
Two approaches are used:
1. PGP: Pretty Good Privacy
2. PEM: Privacy-Enhanced Mail
25
E-mail Security (PGP)
Available free worldwide in versions running on:
   DOS/Windows
   Unix
   Macintosh
Based on:
   RSA
   IDEA
   MD5
26
…Continue
Where to get PGP
   Free from FTP site on the Internet
   Licensed version from ViaCrypt in USA
27
E-mail Security (PEM)
Used with SMTP.
Implemented at application layer.
Provides:
1. Disclosure protection
2. Originator authenticity
3. Message integrity
28
Summary of PGP Services
Function | Algorithms used | Description
Message encryption | IDEA, RSA | A message is encrypted using IDEA. The session key is encrypted using RSA with the recipient’s public key.
Digital signature | RSA, MD5 | A hash code of a message is created using MD5. This is encrypted using RSA with the sender’s private key.
Compression | ZIP | A message may be compressed using ZIP.
E-mail compatibility | Radix 64 conversion | To provide transparency for e-mail applications.
29
E-Commerce: Challenges
Trusting others electronically
   E-Commerce infrastructure
Security threats – the real threats and the perceptions
Network connectivity and availability issues
   Better architecture and planning
Global economy issues
   Flexible solutions
30
E-Commerce: Challenges
Trusting others electronically
1. Authentication
2. Handling of private information
3. Message integrity
4. Digital signatures and non-repudiation
5. Access to timely information
31
E-Commerce: Challenges
Trusting Others
Trusting the medium
1. Am I connected to the correct web site?
2. Is the right person using the other computer?
3. Did the appropriate party send the last email?
4. Did the last message get there in time, correctly?
32
E-Commerce: Solutions
Trusting Others
Public-Key Infrastructure (PKI)
1. Distribute key pairs to all interested entities
2. Certify public keys in a “trusted” fashion
   The Certificate Authority
3. Secure protocols between entities
4. Digital Signatures, trusted records and non-repudiation
33
E-Commerce: Challenges
Security Threats
1. Authentication problems
   Impersonation attacks
2. Privacy problems
   Hacking and similar attacks
3. Integrity problems
4. Repudiation problems
34
Secure Protocols
How to communicate securely:
1. SSL – “the web security protocols”
2. IPSEC – “the IP layer security protocol”
3. SMIME – “the email security protocol”
4. SET – “credit card transaction security protocol”
5. Others …
35
Secure Sockets Layer (SSL)
Platform and Application Independent
Operates between application and transport layers
[Diagram: SSL between TCP/IP and the applications: HTTP, NNTP, FTP, Telnet, Future Apps, etc. (Web Applications)]
36
Secure Sockets Layer (SSL)
Negotiates and employs essential functions for secure transactions
1. Mutual Authentication
2. Data Encryption
3. Data Integrity
As simple and transparent as possible
37
SSL 3.0 Layers
Record Layer
   Fragmentation, Compression, Message Authentication (MAC), Encryption
Alert Layer
   close errors, message sequence errors, bad MACs, certificate errors
38
SSL Handshake
39
Why did SSL Succeed
Simple solution with many applications – e-business and e-commerce
No change in operating systems or network stacks – very low overhead for deployment
Focuses on the weak link – the open wire, not trying to do everything to everyone
Solution to authentication, privacy and integrity problems and avoiding classes of attacks
40
E-Commerce: Challenges
Connectivity and availability
Issues with variable response during peak time
Guaranteed delivery, response and receipts
Spoofing attacks
   Attract users to other sites
Denial of service attacks
   Prevent users from accessing the site
Tracking and monitoring networks
41
Existing Technologies Overview
1. Networking Products
2. Firewalls
3. Remote access and Virtual Private Networks (VPNs)
4. Encryption technologies
5. Public Key Infrastructure
6. Scanners, monitors and filters
7. Web products and applications
43
Encryption Technologies
Hardware assist to speed up performance
Encryption at different network layers; Layer2 through application layers
Provide both public-key systems as well as bulk encryption using symmetric-key methods
Stored data encryption and recovery
44
PKI
A set of technologies and procedures to enable electronic authentication
Uses public key cryptography and digital certificates
Certificate life-cycle management
47
PKI Architecture
FIGURE 1: PKI SYSTEM BLOCK DIAGRAM [Numeric labels correspond to list above]
[Diagram labels: Internet; DMZ (DM Zone); RA Zone; RAO Zone; CA Zone; Internet Applications; Web Servers; Certificate Directory; RA Stations; RA DB; RAO Stations (Operators at Consoles); CA Stations; CA DB; Switched segment; Certificate Request; Status Query; Store new certificate, CRL Update]
48
What is Missing??
1. Solid architecture practices
2. Policy-based proactive security management
3. Quantitative risk management measures especially regarding e-commerce or e-business implementations
49
E-Commerce Architecture
Support for peak access
Replication and mirroring, round robin schemes – avoid denial of service
Security of web pages through certificates and network architecture to avoid spoofing attacks
50
Proactive Security Design
1. Decide on what is permissible and what is right
2. Design a central policy, and enforce it everywhere
3. Enforce user identities and the use of credentials to access resources
4. Monitor the network to evaluate the results
51
PKI and E-Commerce
1. Identity-based certificate to identify all users of an application
2. Determine rightful users for resources
3. “Role-based” certificates to identify the authorization rights for a user
52
E-Commerce: Are We Ready?
Infrastructure?
Security?
Policies & legal issues?
Arabic content?
53
E-Commerce: Future
Was expected to reach 37,500 (million US $) in 2002. It reached 50,000 (million US $) in 1998.
Expected to reach 8 million companies in 2000 (40% of total commerce).
Arab world: about 100 million US $