E-commerce
Security and
Cryptography
Slide 5-1
The E-commerce
Security Environment
Dimensions of E-commerce Security
■ Integrity: ability to ensure that information being
displayed on a Web site or transmitted/received over the
Internet has not been altered in any way by an
unauthorized party
■ Nonrepudiation: ability to ensure that e-commerce
participants do not deny (repudiate) online
actions
■ Authenticity: ability to identify the identity of a person or
entity with whom you are dealing on the Internet
■ Confidentiality: ability to ensure that messages and data
are available only to those authorized to view them
■ Privacy: ability to control use of information a customer
provides about himself or herself to merchant
■ Availability: ability to ensure that an e-commerce
site continues to function as intended
Slide 5-3
Customer and Merchant Perspectives on the
Different Dimensions of E-commerce
Security
Slide 5-4
The Tension Between Security
and Other Values
■ Security vs. ease of use: the more security
measures that are added, the more difficult a
site is to use, and the slower it becomes
■ Security vs. desire of individuals to act
anonymously
Slide 5-5
Security Threats in the E-commerce
Environment
■ Three key points of vulnerability:
▪ Client
▪ Server
▪ Communications channel
■ Most common threats:
▪ Malicious code
▪ Hacking and cybervandalism
▪ Credit card fraud/theft
▪ Spoofing
▪ Denial of service attacks
▪ Sniffing
▪ Insider jobs
Slide 5-7
A Logical Design for a Simple Web Site
Slide 5-7
A Typical E-commerce Transaction
Slide 5-8
Vulnerable Points in an E-commerce
Environment
Slide 5-9
Malicious Code
■ Viruses: computer program that has ability to
replicate and spread to other files; most also
deliver a “payload” of some sort (may be destructive
or benign); include macro viruses, file-infecting
viruses and script viruses
■ Worms: designed to spread from computer to
computer
■ Trojan horse: appears to be benign, but then does
something other than expected
■ Bad applets (malicious mobile code): malicious Java
applets or ActiveX controls that may be downloaded
onto client and activated merely by surfing to a Web
site
Slide 5-10
Examples of Malicious Code
Slide 5-11
Hacking and Cybervandalism
■ Hacker: Individual who intends to gain unauthorized
access to a computer system
■ Cracker: Used to denote hacker with criminal intent
(two terms often used interchangeably)
■ Cybervandalism: Intentionally disrupting, defacing or
destroying a Web site
■ Types of hackers include:
▪ White hats – Members of “tiger teams” used by
corporate security departments to test their
own security measures
▪ Black hats – Act with the intention of causing
harm
▪ Grey hats – Believe they are pursuing some greater
good by breaking in and revealing system flaws
Slide 5-12
Credit Card Fraud
■ Fear that credit card information will be stolen
prevents online purchases
■ Hackers target credit card files and other
customer information files on merchant
servers; use stolen data to establish credit
under false identity
■ One solution: New identity verification
mechanisms
Slide 5-13
Spoofing, DoS and dDoS
Attacks, Sniffing, Insider Jobs
■ Spoofing: Misrepresenting oneself by using fake e-
mail addresses or masquerading as someone
else
■ Denial of service (DoS) attack: Hackers flood Web
site with useless traffic to overwhelm network
■ Distributed denial of service (dDoS) attack: hackers
use numerous computers to attack target network
from numerous launch points
■ Sniffing: type of overhearing program that monitors
information traveling over a network; enables
hackers to steal proprietary information from
anywhere on a network
■ Insider jobs: single largest financial threat
Slide 5-14
Technology Solutions
■ Protecting Internet communications
(encryption)
■ Securing channels of communication (SSL
(secure sockets layer), S-HTTP, VPNs); URL
changes from HTTP to HTTPS
■ SSL: Protocol that provides secure
communications between client and server
■ Protecting networks (firewalls)
■ Protecting servers and clients
Slide 5-15
Tools Available to Achieve Site Security
Slide 5-16
Protecting Internet
Communications: Encryption
■ Encryption: The process of transforming plain text or
data into cipher text that cannot be read by anyone
other than the sender and receiver
■ Purpose:
▪ Secure stored information
▪ Secure information transmission
■ Provides:
▪ Message integrity
▪ Nonrepudiation
▪ Authentication
▪ Confidentiality
Slide 5-17
Encryption ensures:
▪ Message integrity: provides assurance that
message has not been altered
▪ Nonrepudiation: prevents the user from
denying he or she sent the message
▪ Authentication: provides verification of the
identity of the person or machine sending
the message
▪ Confidentiality: gives assurance that the
message was not read by others
Slide 5-18
Symmetric Key Encryption
■ Also known as secret key encryption
■ Both the sender and receiver use the
same digital key to encrypt and decrypt
message
■ Requires a different set of keys for each
transaction
■ Data Encryption Standard (DES): Most widely
used symmetric key encryption today; uses
56-bit encryption key; other types use 128-
bit keys up through 2048 bits
Slide 5-19
Public Key Encryption
■ Public key cryptography solves symmetric key
encryption problem of having to exchange secret key
■ Uses two mathematically related digital keys –
public key (widely disseminated) and private key
(kept secret by owner)
■ Both keys are used to encrypt and decrypt message
■ Once key is used to encrypt message, same key
cannot be used to decrypt message
■ For example, sender uses recipient’s public key to
encrypt message; recipient uses his/her private key
to decrypt it
Slide 5-20
Public Key Cryptography – A
Simple Case
Slide 5-21
Public Key Encryption using Digital
Signatures and Hash Digests
■ Application of hash function (mathematical
algorithm) by sender prior to encryption
produces hash digest that recipient can use
to verify integrity of data
■ Double encryption with sender’s private key
(digital signature) helps ensure authenticity
and nonrepudiation
Slide 5-22
Public Key Cryptography with
Digital Signatures
Slide 5-23
Digital Envelopes
■ Addresses weaknesses of public key
encryption (computationally slow, decreases
transmission speed, increases processing
time) and symmetric key encryption (faster,
but more secure)
■ Uses symmetric key encryption to encrypt
document but public key encryption to
encrypt and send symmetric key
Slide 5-24
Public Key Cryptography:
Creating a Digital Envelope
Slide 5-25
Digital Certificates and Public Key
Infrastructure (PKI)
■ Digital certificate: Digital document that includes:
▪ Name of subject or company
▪ Subject’s public key
▪ Digital certificate serial number
▪ Expiration date
▪ Issuance date
▪ Digital signature of certification authority (trusted
third party (institution) that issues certificate)
▪ Other identifying information
■ Public Key Infrastructure (PKI): refers to the CAs and
digital certificate procedures that are accepted by all
parties
Slide 5-26
Secure Negotiated Sessions Using SSL
Slide 5-27
Protecting Networks: Firewalls
and Proxy Servers
■ Firewall: Software application that acts as a filter
between a company’s private network and the
Internet
■ Firewall methods include:
▪ Packet filters
▪ Application gateways
■ Proxy servers: Software servers that handle all
communications originating from or being sent to the
Internet (act as “spokesperson” or “bodyguard” for
the organization)
Slide 5-28
Firewalls and Proxy Servers
Slide 5-29
Protecting Servers and Clients
■ Operating system controls: Authentication
and access control mechanisms
■ Anti-virus software: Easiest and least
expensive way to prevent threats to system
integrity