E-Commerce/Web Security


Prepared for: Software Engineering 4C03, Kartik Sivaramakrishnan, McMaster University, 2005
Prepared by: James Allin, 9902847

1.0 - Introduction
2.0 - E-Commerce Transaction Overview
3.0 - Security Measures
4.0 - Data Interception
5.0 - Data Encryption
6.0 - Conclusion
References

1.0 - Introduction

As the internet rapidly transforms communication, it is also transforming the way in which everyone performs day-to-day tasks, from keeping in touch with friends to commerce. Purchases with a credit card, where security measures were easily handled in person by a responsible retailer, are now made between two computers that are large distances apart. Preventing data interception is widely acknowledged to be impossible, and yet securing data between parties is a necessity. This paper will examine e-commerce transaction security as it is today. An overview of the typical e-commerce transaction is given below, followed by a discussion of the inherent security issues regarding the transaction. Interception and privacy will be the focus.

2.0 - E-Commerce Transaction Overview

According to E-Commerce Digest (n.d.), there are three main communication procedures typically required in an e-commerce transaction:

1. The customer's credit card details must be delivered to the merchant or the payment gateway; this is handled by the web server's SSL and the merchant's digital certificates.
2. The credit card details must then be passed from the merchant to the bank for credit card processing. This process is handled by the bank's payment gateway.
3. The customer's order and details must be passed on to the merchant using SSL and digital certificates, if this has not already been done in step 1.

Each communication outlined must have the appropriate measures taken to ensure security. The security of the system is only as good as its weakest link, and all parties involved must understand the risks involved with e-commerce.

3.0 - Security Measures

To ensure security over the internet, there are two things that we must consider: data interception and data decryption. Information can be intercepted on the internet in many different ways. When you transmit data over the web you are using a public network, and as such anyone can connect to that network and monitor the data being transferred over it. There are, however, many safety precautions that you can take to make it very difficult for your communications to be intercepted and decrypted. Of course, this can be compared to putting an alarm system on your house: no matter what you do to protect yourself, somebody will always find a new way to break in, and you are never guaranteed to be safe.

4.0 - Data Interception

At the lowest level, malicious computer users who want to intercept your information can do so by intercepting the electronic signal through the air if wireless technology is being used, or through the wire (E-Commerce Digest, n.d.) if traditional networking technologies are used. Placing a computer on the same network is the most common method, since Ethernet devices already know how to interpret the electronic signals sent across the network. Ethernet is programmed to ignore data packets not destined for the particular host the device is installed on. There are many applications out there, especially for network professionals, that allow you to sniff or intercept data packets on the network. These applications allow network professionals to monitor and maintain the network; however, there is nothing preventing a malicious computer user from using this technology negatively.

An interception technique that goes a step further is called spoofing, where a malicious user puts a device on the network that pretends to be the destination machine. It then intercepts all communications and forwards the data on to the real destination host. In this fashion it is very difficult for the two communicating hosts to detect that they are being intercepted. Luckily, the internet relies on routers to direct data across multiple networks. Routers filter data packets depending on their destination as they are passed over the net, which restricts a malicious user and requires them to be attached to the same network as the machine they are trying to break into.

Interception is inevitable and a fact that we must acknowledge when securing our systems. This leads us to focus on the physical security of, and access to, individual machines and the networks themselves. A number of techniques noted in E-Commerce Digest (n.d.) that we can use to limit interception are to:

1. Set up each machine in the transaction, both on the client and server side, with the proper authority and user levels necessary to prevent unauthorized use of and access to machines and programs.
2. Ensure proper virus protection software is installed to prevent computer viruses from making machines vulnerable to security loopholes.
3. Ensure that a firewall has been properly set up so that remote users are unable to access and exploit services and system weaknesses.
4. Limit the use of wireless networking technology and ensure that access to server rooms and sensitive computers is restricted.

5.0 - Data Encryption

The second part of data security in e-commerce relates to securing the content of the data being transmitted. Data encryption comes in many forms and methods. It is used to mask the data being transmitted so that any malicious user who intercepts the data will be unable to interpret and use it. The backbone of data encryption in e-commerce today is SSL. SSL stands for Secure Sockets Layer and is a technology initially invented by Netscape (Arizona State University, n.d.) to encrypt data exchanged with web browsers. Versions 2 and 3 of the SSL protocol are in use today and contain features for handling the basic security issues, including privacy, integrity, authentication and non-repudiation.

Other less common but similar protocols used in e-commerce are PCT (Private Communications Technology), introduced by Microsoft as their own implementation of SSL version 2, and TLS (Transport Layer Security), a protocol developed by the IETF (Kaufman, 2002) in an attempt to standardize the other protocols.

SSL operates on the basic principle of cryptography whereby the client and server require a private key to encrypt and decrypt messages. However, the manner in which the protocol allows the two machines to privately tell each other which private key to use, and how each machine verifies the other's authenticity, is unique due to the use of the public key infrastructure. Public key infrastructure, as explained in class, works on the mathematical principles of modular arithmetic and allows any person to encrypt a message using the other party's public key; only the holder of the private key can then decrypt this message. It also works in the opposite direction, like a digital signature, allowing the private key holder to encrypt messages that anybody holding the public key can then decrypt (NCTU, n.d.). These properties of the public key infrastructure allow for private communication with authenticity.

In SSL, each time a secure communication channel is opened between a client and a server, 3 keys are generated and used by each machine to authenticate the other. The process is highlighted in Figure 1 from Kaufman (2002). The client initially wishes to communicate with the server securely and sends message one. This message contains a list of the cryptographic algorithms that the system supports, as well as a generated random number that will be used to encrypt future messages. The server then responds with a cipher algorithm selected from the list sent in message one, along with the server's certificate stating who it is, and a random number. The client then uses this information to generate a message of random data which is encrypted and sent to the server. The server is then the only one able to decrypt this information, and uses it to generate a master key which is communicated back to the client and used to encrypt the rest of the communication (NCTU, n.d.).

Figure 1 - (SSL Authentication)

6.0 - Conclusion

It is apparent that e-commerce is not going anywhere. For both businesses and e-retailers to protect themselves, it is necessary to educate themselves on the methods for preventing access to their physical systems and networks, so as to prevent interception of data. Most importantly, however, they should understand and implement SSL on their machines to encrypt and ensure the privacy of personal and customer information during transactions.
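The public-key properties and the three-message handshake described in this section, as an added example that is not part of the original paper: a toy RSA key pair built from small constructed primes (not secure, for illustration only) stands in for the server's certificate, each message is built as a dictionary, and both sides derive the same master key from the pre-master secret and the two randoms. The cipher-suite names and the HMAC-based key derivation are assumptions chosen for the illustration, not the SSL specification's own.

```python
import hashlib
import hmac
import secrets
# Toy RSA key pair from small constructed primes: for illustration only, not secure.
P, Q, E = 61, 53, 17
N = P * Q                            # public modulus (3233)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent; needs Python 3.8+
SERVER_PUBLIC = (E, N)               # what the server's certificate carries
SERVER_CIPHERS = {"RSA_WITH_AES_128_CBC_SHA"}   # constructed cipher-suite names

def rsa_encrypt(m, public):
    """Anyone holding the public key (e, n) can encrypt a message m < n."""
    return pow(m, *public)

def rsa_decrypt(c):
    """Only the holder of the private exponent d can decrypt."""
    return pow(c, D, N)

def sign(message):
    """Private-key operation on a hash of the message: a digital signature."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(digest, D, N)

def verify(message, sig, public):
    """Public-key operation: anyone with (e, n) can check the signature."""
    e, n = public
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == digest

def master_key(pre_master, client_random, server_random):
    """Both ends mix the pre-master secret with both randoms (assumed derivation)."""
    return hmac.new(pre_master.to_bytes(2, "big"),
                    client_random + server_random, hashlib.sha256).digest()

def run_handshake():
    # Message 1: client lists the ciphers it supports and sends a random.
    msg1 = {"ciphers": ["RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_3DES_EDE_CBC_SHA"],
            "client_random": secrets.token_bytes(16)}
    # Message 2: server picks a cipher from that list, sends its certificate and a random.
    chosen = next(c for c in msg1["ciphers"] if c in SERVER_CIPHERS)
    msg2 = {"cipher": chosen, "cert": SERVER_PUBLIC,
            "server_random": secrets.token_bytes(16)}
    # Message 3: client encrypts random pre-master data under the server's public key.
    pre_master = secrets.randbelow(N)
    msg3 = {"encrypted_pre_master": rsa_encrypt(pre_master, msg2["cert"])}
    # Only the server can recover the pre-master; each side then derives the master key.
    server_pre_master = rsa_decrypt(msg3["encrypted_pre_master"])
    client_key = master_key(pre_master, msg1["client_random"], msg2["server_random"])
    server_key = master_key(server_pre_master, msg1["client_random"], msg2["server_random"])
    return chosen, client_key == server_key
```

An eavesdropper who records all three messages still lacks the private exponent, so it cannot recover the pre-master and therefore cannot derive the session's master key.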

References

Arizona State University. (n.d.). SSL Web Encryption. Retrieved March 21, 2005, from http://www.west.asu.edu/it/network/servers/ssl.html
E-Commerce Digest. (n.d.). Ecommerce Security Issues. Retrieved March 20, 2005, from http://www.ecommerce-digest.com/ecommerce-security-issues.html
Kaufman, C., Perlman, R., & Speciner, M. (2002). Private Communication in a Public World (2nd ed.). New York: Prentice Hall.
National Chiao-Tung University (NCTU). (n.d.). SSL Protocol Overview. Retrieved March 21, 2005, from http://www.csie.nctu.edu.tw/document/cie/topics/121.htm