Uploaded by Prasiddha Shrestha

Unit-4 E-Commerce Network Security SRG

ITC 311: E-Commerce
For:
Bachelor of Business Management (BBM)
7th Semester
By: Shayak Raj Giri
shayakraj@ioe.edu.np
Unit 4
Network Security
Outline
• Introduction
• Data and message Security
• Reasons for data and message security
• Firewalls and its Types
• Antivirus
• Data and Message Security (Secret Key Cryptography, Public Key Cryptography)
• Digital Signature, Digital Certificate, Certificate Authority, Third Party Authentication, SSL, VPN, SET
What is Security?
• “The quality or state of being secure—to be free from
danger”
• Policies, procedures and technical measures used to
prevent unauthorized access, alteration, theft, or
physical damage to the systems.
• Types of Security
 Physical Security
 Personal Security
 Operation Security
 Communication Security
 Network Security
 Data and message Security
Network security
• Network security is the process of taking
preventative measures to protect the underlying
networking infrastructure from unauthorized access,
misuse, malfunction, modification, destruction or
improper disclosure.
• Network security involves the policies and
practices adopted to prevent unauthorized
access to, or misuse of, a computer network and its related
resources. It also covers the authorization of access to data in a
network, which is controlled by the network
administrator.
Data and message Security
• Data security refers to the process of protecting data
from unauthorized access and data corruption
throughout its lifecycle.
• Data security is both the practice and the technology
of protecting valuable and sensitive company and
customer data, such as personal or financial
information.
• Message security is the practice of encrypting
messages so that only the intended recipient can read the
content of the message.
Data and Message Security Challenges
The architecture of a Web-based application typically includes a Web client,
a server, and corporate information systems linked to databases.
Each of these components presents security challenges at any point in the
network.
Reasons for data and message security
• Data is an important asset to any organization, and
it is therefore essential to safeguard it.
• Some of the reasons for data and message security are:
• Ensure business continuity
• Avoid data breaches
• Prevent unauthorized access
• Retain data integrity
• Protect company’s reputation
• It helps in the prevention of revenue loss.
• It assists in the protection of client privacy.
• To maintain and improve brand value.
• To provide competitive advantage over competitors.
• Helps to keep sensitive data out of the hands of
competitors.
• Enables easy access to data wherever and whenever
it’s required for business operations.
• Reduce the risk associated with data storage and
handling.
• Other……….??
Security in E-Commerce
• The discussion of security concerns in e-commerce can be
divided into two broad types:
• Client/server security:
• Uses various authorization methods to make sure that
only valid users and programs have access to information
resources such as databases.
• Access control mechanisms must be set up to ensure that
properly authenticated users are allowed access only to
those resources that they are entitled to use.
• Such mechanisms include password protection, encrypted
smart cards, biometrics, and firewalls.
Security in E-Commerce
• Data and transaction security:
• Ensures the privacy and confidentiality in electronic
messages and data packets, including the
authentication of remote users in network
transactions for activities such as on-line payments.
• The goal is to defeat any attempt to assume another
identity while involved with electronic mail or other
forms of data communication.
• Preventive measures include data encryption using
various cryptographic methods.
Dimensions to e-commerce security
or Security services
• There are six key dimensions to e-commerce
security:
1) Confidentiality
2) Integrity
3) Availability
4) Nonrepudiation
5) Authenticity
6) Privacy
• Confidentiality
 The ability to ensure that messages and data are available
only to those who are authorized to view them.
 Only authorized users and processes should be able to
access or modify data.
• Integrity
 Data should be maintained in a correct state and nobody
should be able to improperly modify it, either accidentally
or maliciously.
 Integrity means that changes should be done only by
authorized users and through authorized mechanisms.
 The ability to ensure that information being displayed on a
Web site or transmitted or received over the Internet has
not been altered in any way by an unauthorized party.
• Availability
 Authorized users should be able to access data
whenever they need to do so.
 It refers to the actual availability of data.
 Authentication mechanisms, access channels and
systems all have to work properly for the
information they protect and ensure it's available
when it is needed.
 Ability to ensure that an e-commerce site
continues to function as intended.
Example
• To understand how the CIA triad works in practice, consider
the example of a bank ATM, which can offer users access to
bank balances and other information.
• An ATM has tools that cover all three principles of the triad:
 It provides confidentiality by requiring two-factor
authentication (both a physical card and a PIN code) before
allowing access to data.
 The ATM and bank software enforce data integrity by
ensuring that any transfers or withdrawals made via the
machine are reflected in the accounting for the user's bank
account.
 The machine provides availability because it's in a public
place and is accessible even when the bank branch is
closed.
• Nonrepudiation
• Nonrepudiation prevents the sender or
receiver of a message from denying that they
sent or received that message.
• Nonrepudiation refers to the ability to ensure
that e-commerce participants do not deny (i.e.,
repudiate/reject) their online actions.
• Non-repudiation is “a security service that
provides protection against false denial of
involvement in a communication”.
• Authenticity
• Authenticity refers to the ability to identify the
person or entity with whom you are
dealing on the Internet.
• Authenticity assumes confirmation of a user's
identity before the user attempts to access information
stored on a network.
• How does the customer know that the Web site
operator is who it claims to be?
• How can the merchant be assured that the customer
is really who she says she is?
• Privacy
• Privacy refers to the ability to control the use of
information about oneself.
• The transmitted message should be sent only to the
intended receiver while the message should be
opaque for other users.
• Only the sender and receiver should be able to
understand the transmitted message.
Most Common Security Threats in the
E-commerce Environment
• Malicious Software (malware)/Malicious code
 Viruses
 Worms
 Trojan horses
 Ransomware
 Backdoors
 Bots, botnets
 Drive-by downloads
Security Threats Cont..
• Malicious code (malware) consists of harmful
programs or scripts designed to create or exploit
system vulnerabilities.
• Malicious code includes a variety of threats such as
viruses, worms, Trojan horses, ransomware, bots, etc.
• Some malicious code, sometimes referred to as an
exploit, is designed to take advantage of software
vulnerabilities in a computer’s operating system, Web
browser, applications, or other software components.
• Exploit kit:
• Collection of exploits bundled together and rented or
sold as a commercial product.
Malicious code can:
• Modify data — unpermitted encryption, weaken
security, etc.
• Delete or corrupt data — website servers, etc.
• Obtain data — account credentials, personal
information, etc.
• Access restricted systems — private networks,
email accounts, etc.
• Execute actions — replicating itself, spreading
malicious code, remote device control, etc.
How does malicious code spread?
• Online networks — intranets, P2P file-sharing,
public internet websites, etc.
• Social communications — email, SMS, push
content, mobile messaging apps, etc.
• Wireless connectivity — Bluetooth, etc.
• Direct device interfaces — USB, etc.
Security Threats cont..
• Virus:
• A virus is a harmful computer program (malicious code)
that has the ability to replicate or make copies of itself,
and spread to other files.
• Once the virus executes, it can self-propagate and
spread through the system and connected networks.
Security Threats cont..
• Worms:
• Worms do not harm or corrupt any files, but
they are still much more dangerous than viruses.
• They spread rapidly, and their replicating
nature creates unnecessary spaces, files,
shortcuts, etc., and consumes hard drive space, thus
slowing down the machine.
Security Threats cont..
• Trojan horses
• Trojans are not like viruses or worms, and they are
not meant to damage or delete files on your system.
• Their principal task is to provide a backdoor
gateway for malicious programs or malicious users to
enter your system and steal your valuable data
without your knowledge and permission.
• Unlike viruses, Trojans don’t self-replicate. Instead, a
Trojan horse spreads by pretending to be legitimate
software, but it has malicious coding inside.
Security Threats cont..
• Ransomware
• Ransomware (scareware) is a type of malware that
can alter the normal operation of your machine.
• It encrypts the data and prevents you from using
your computer partially or wholly.
• Ransomware programs also display warning
messages asking for money to get your device back
to normal working condition.
Security Threats cont..
• In 2013, a new type of ransomware named
CryptoLocker emerged.
• CryptoLocker encrypts victims’ files with a virtually
unbreakable asymmetric encryption and demands a
ransom to decrypt them, often in Bitcoins.
• If the victim does not comply within the time
allowed, the files can never be decrypted.
Security Threats cont..
• Backdoors
• A backdoor is a feature of viruses, worms, and Trojans that
allows an attacker to remotely access a compromised computer.
• Bots
• Bots (short for robots) are a type of malicious code that can be
secretly installed on your computer when connected to the
Internet.
• Once installed, the bot responds to external commands sent by
the attacker.
• Botnets
• Botnets are collections of captured computers used for
malicious activities such as sending spam, participating in a
DDoS attack, stealing information from computers, and storing
network traffic for later analysis.
Security Threats cont..
• Drive-by download
• A drive-by download is malware that comes
with a downloaded file that a user
intentionally or unintentionally requests.
• Drive-by is now one of the most common
methods of infecting computers.
Security Threats cont..
• Potentially unwanted programs (PUPs)
• In addition to malicious code, the e-commerce security
environment is further challenged by potentially
unwanted programs (PUPs) such as adware, browser
parasites, spyware, and other applications that install
themselves on a computer, typically without the user’s
informed consent.
• Such programs are increasingly found on social network
and web sites where users are fooled into downloading
them.
• Once installed, these applications are usually exceedingly
difficult to remove from the computer.
PUPs Cont..
• Spyware
• Spyware programs also come attached with
freeware.
• They track your browsing habits and other personal
details and send them to a remote user.
• Spyware can obtain information such as a user’s
keystrokes, copies of e-mail and instant messages,
and even take screenshots (and thereby capture
passwords or other confidential data).
• They can also facilitate installation of unwanted
software from the Internet.
PUPs Cont..
• Adware
• Adware is typically used to call for pop-up ads to
display when the user visits certain sites.
• They generally come attached with free-to-use
software.
• Browser parasite
• A browser parasite is a program that can monitor and
change the settings of a user’s browser, for instance,
changing the browser’s home page, or sending
information about the sites visited to a remote
computer.
• Browser parasites are often a component of adware.
Security Threats cont..
• Phishing
• Social engineering
• E-mail scams
Phishing
• Phishing is any deceptive, online attempt by a third party to
obtain confidential information for financial gain.
• Phishing attacks typically do not involve malicious code but
instead rely on straightforward misrepresentation and fraud,
so-called “social engineering” techniques.
• One of the most popular phishing attacks is the e-mail scam
letter.
• The scam begins with an e-mail: a rich former oil minister of
Nigeria is seeking a bank account to stash millions of dollars
for a short period of time, and requests your bank account
number where the money can be deposited. In return, you
will receive a million dollars.
• This type of e-mail scam is popularly known as a “Nigerian
letter” scam.
Security Threats cont..
• Hacking, Cybervandalism and Hacktivism
• Hacking
• Hackers vs. crackers
• Types of hackers: White, black, grey hats
• Hacktivism
• Cybervandalism
Security Threats cont..
• Hacking
• Hacking is an attempt to exploit a computer system or a
private network inside a computer.
• Hacking refers to activities that seek to compromise digital
devices, such as computers, smartphones, tablets, and
even entire networks.
• Although hacking might not always be for malicious purposes,
nowadays most references to hacking, and hackers,
characterize it/them as unlawful activity by
cybercriminals—motivated by financial gain, protest,
information gathering (spying), and even just for the “fun”
of the challenge.
• Ethical hacking??
Ethical Hacking
• Ethical hacking, sometimes called penetration testing, is the
act of intruding into or penetrating systems or networks to find
threats and vulnerabilities in those systems that a
malicious attacker may find and exploit, causing loss of data,
financial loss or other major damage.
• The purpose of ethical hacking is to improve the security of
the network or systems by fixing the vulnerabilities found
during testing.
• Ethical hackers may use the same methods and tools used by
the malicious hackers but with the permission of the
authorized person for the purpose of improving the security
and defending the systems from attacks by malicious users.
Hacking cont..
• Hacker
• A hacker is an individual who intends to gain
unauthorized access to a computer system.
• Within the hacking community, the term cracker is
typically used to denote a hacker with criminal
intent, although in the public press, the terms hacker
and cracker tend to be used interchangeably.
• Hackers and crackers gain unauthorized access by
finding weaknesses in the security procedures of
Web sites and computer systems.
Hacking cont..
• Cybervandalism
• Cybervandalism is intentionally disrupting, defacing, or
destroying a site, or stealing personal or corporate
information that can be used for financial gain.
• Hacktivism
• Hacktivism refers to the cybervandalism and
data theft for political purposes.
Hacking cont..
• White hats
• Groups of hackers called tiger teams are sometimes used
by corporate security departments to test their own
security measures.
• By hiring hackers to break into the system from the
outside, the company can identify weaknesses in the
computer system.
• These “good hackers” became known as white hats
because of their role in helping organizations to locate and
fix security flaws.
• White hats do their work under contract, with agreement
from clients that they will not be prosecuted for their
efforts to break in.
Hacking cont..
• Black hats
• In contrast, black hats are hackers who engage
in the same kinds of activities but without pay
or any buy-in from the targeted organization,
and with the intention of causing harm.
• They break into Web sites and reveal the
confidential or proprietary information they
find.
Hacking cont..
• Grey hats
• Somewhere in the middle are the grey hats, hackers
who believe they are pursuing some greater good by
breaking in and revealing system flaws.
• Grey hats discover weaknesses in a system’s security,
and then publish the weakness without disrupting the
site or attempting to profit from their finds.
• Their only reward is the prestige of discovering the
weakness.
• Grey hat actions are suspect, however, especially when
the hackers reveal security flaws that make it easier for
other criminals to gain access to a system.
Security Threats cont..
• Other security threats:
• Data breach
• Credit card fraud/theft
• Identity fraud
• Spoofing, pharming and spam (junk) Web sites
• Sniffing and man-in-the middle (MitM) attack
• Denial of service (DoS) attack
• Distributed denial of service (DDoS) attack
• Insider attacks
• Poorly designed software
• SQL injection attack
Security Threats cont..
• Other security issues:
• Social network security issues
• Mobile platform security issues
• Cloud security issues
• Internet of Things (IoT) security issues
Security Threats cont..
• Data breach
• A data breach occurs whenever organizations
lose control over corporate information to
outsiders.
• A data breach is an incident that involves the
unauthorized or illegal viewing, access or
retrieval of data by an individual, application or
service.
• It is a type of security breach specifically
designed to steal and/or publish data to an
unsecured or illegal location.
Security Threats cont..
• Credit card fraud/theft
• Credit card fraud is the unauthorized use of a credit
or debit card, or similar payment tool (ACH, EFT,
recurring charge, etc.), to fraudulently obtain money
or property.
• Credit and debit card numbers can be stolen from
unsecured websites or can be obtained in an identity
theft scheme.
Security Threats cont..
• Identity fraud
• Identity fraud involves the unauthorized use of another
person’s personal data, such as social security, driver’s
license, and/or credit card numbers, as well as user names
and passwords, for illegal financial benefit.
• Criminals can use such data to obtain loans, purchase
merchandise, or obtain other services, such as mobile
phone or other utility services.
• Cybercriminals employ many of the techniques described
previously, such as spyware, phishing, data breaches, and
credit card theft, for the purpose of identity fraud.
Security Threats cont..
• Spoofing
• Spoofing involves attempting to hide a true identity by
using someone else’s e-mail or IP address.
• For instance, a spoofed e-mail will have a fake sender
e-mail address designed to mislead the receiver about
who sent the e-mail.
• IP spoofing involves the creation of TCP/IP packets
that use someone else’s source IP address, indicating
that the packets are coming from a trusted host.
• Most current routers and firewalls can offer protection
against IP spoofing.
Security Threats cont..
• Pharming
• Pharming is automatically redirecting a Web link to an
address different from the intended one, with the site
masquerading as the intended destination.
• Links that are designed to lead to one site can be reset to
send users to a totally unrelated site—one that benefits the
hacker.
• Although spoofing and pharming do not directly damage
files or network servers, they threaten the integrity of a site.
• For example, if hackers redirect customers to a fake Web
site that looks almost exactly like the true site, they can
then collect and process orders, effectively stealing business
from the true site.
Security Threats cont..
• Spam (junk) Web sites
• Spam (junk) Web sites (also called link farms)
are a little different.
• These are sites that promise to offer some
product or service, but in fact are just a
collection of advertisements for other sites,
some of which contain malicious code.
Security Threats cont..
• Sniffing
• A sniffer is a type of eavesdropping program that monitors
information/data packets traveling over a network.
• When used legitimately, sniffers can help to identify potential
network trouble-spots, but when used for criminal purposes,
they can be damaging and very difficult to detect.
• Sniffers enable hackers to steal proprietary information from
anywhere on a network, including passwords, e-mail
messages, company files, and confidential reports.
Security Threats cont..
• Man-in-the middle (MitM) attack
• A man-in-the-middle (MitM) attack also involves
eavesdropping but is more active than a sniffing attack,
which typically involves passive monitoring.
• In a MitM attack, the attacker is able to interrupt
communications between two parties who believe they are
directly communicating with one another, when in fact the
attacker is controlling the communications.
Security Threats cont..
• Denial of service (DoS) attack
• In a Denial of Service (DoS) attack, hackers flood a
Web site with useless pings or page requests that
overwhelm the site’s Web servers.
Security Threats cont..
• Distributed Denial of Service (DDoS) attack
• A Distributed Denial of Service (DDoS) attack uses hundreds or
even thousands of computers to attack the target network
from numerous launch points.
• DoS and DDoS attacks are threats to a system’s operation
because they can shut it down indefinitely.
Security Threats cont..
• SQL injection attack
Technology Solution
1. Protecting Internet communication (Data and Message Security)
• Encryption
 Symmetric key cryptography (or Secret key cryptography)
 Public key cryptography
 Public key cryptography using Digital Signatures and hash digests
• Digital Envelopes
• Digital Certificates and Public Key Infrastructure (PKI)
2. Securing channels of communications
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Virtual Private Networks (VPNs)
• Wireless (Wi-Fi) Networks
3. Protecting Networks
• Firewalls
• Proxy Servers
• Intrusion Detection and Prevention Systems
4. Protecting servers and clients
• Anti-Virus Software
• Operating System Security Enhancements
Cryptography
• Cryptography is a collection of mathematical techniques for
protecting and securing information.
• It is a branch of both computer science and mathematics and
is affiliated closely with information theory, computer security
and engineering.
• Cryptography, a word with Greek origin, means “secret
writing”.
Encryption
• Encryption is the process of transforming plain text into cipher text so
that it can be read or understood by the intended recipient only.
• The purpose of encryption is:
a) To secure stored information
b) To secure information transmission
• Encryption can provide four of the six key dimensions of e-commerce
security as follows:
 Message integrity—provides assurance that the message has not
been altered.
 Nonrepudiation—prevents the user from denying he or she sent the
message.
 Authentication—provides verification of the identity of the person
(or computer) sending the message.
 Confidentiality—gives assurance that the message was not read by
others.
Secret Key/Symmetric Key/Private Key Cryptography
• The original message from Sender to Receiver is referred to as
plaintext; the message that is sent through the channel is
referred to as the ciphertext.
• Sender uses an encryption algorithm and a shared secret key.
• Receiver uses a decryption algorithm and the same secret key.
Secret Key Cryptography
• In Symmetric-key encryption, the same key (secret key) is used for
encryption and decryption.
• Symmetric key encryption employs following encryption techniques:
• Stream ciphers: encrypt 1 bit of plaintext at a time, e.g. Rivest
Cipher 4 (RC4).
• Block ciphers: encrypt a fixed-size group of n bits of data, known as a
block, at one time. The usual sizes of each block are 64 bits, 128 bits,
and 256 bits.
• E.g. the Advanced Encryption Standard (AES), Data Encryption
Standard (DES) and 3DES are common encryption algorithms.
• Symmetric-key encryption technique is commonly used for bulk
encryption / encrypting massive volumes of data, such as database
encryption.
• Symmetric-key encryption is an easy-to-use and fast technique, but it
requires a safe method to transfer the key from one party to
another.
Secret Key.. Cont
• Traditional ciphers
• Traditional ciphers used two techniques: (i) Substitution (ii) Transposition.
• A substitution cipher replaces one symbol with another.
• The simplest substitution cipher is a shift cipher (additive cipher).
Secret Key.. Cont
• A transposition cipher does not substitute one
symbol for another, instead it changes the location
of the symbols.
• A symbol in the first position of the plaintext may
appear in the tenth position of the ciphertext,
while a symbol in the eighth position in the
plaintext may appear in the first position of the
ciphertext.
• In other words, a transposition cipher reorders
(transposes) the symbols.
Secret Key.. Cont
• Transposition Cipher: Example
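Both traditional techniques described above, as an added example that is not part of the original slides: a shift cipher (substitution), a keyed columnar transposition, and a loop over every shift key that shows how small the shift cipher's key space is. The keyword CARD and the sample messages are constructed for the illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext, key):
    """Substitution: replace each letter with the one `key` places later."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left unchanged
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Shifting back by the same key recovers the plaintext."""
    return shift_encrypt(ciphertext, -key)


def column_order(keyword):
    """Columns are read out in alphabetical order of the keyword letters."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def transpose_encrypt(plaintext, keyword, pad="X"):
    """Transposition: write the text row by row, read it column by column."""
    cols = len(keyword)
    text = plaintext.upper().replace(" ", "")
    text += pad * (-len(text) % cols)  # fill the last row
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join("".join(row[c] for row in rows) for c in column_order(keyword))


def transpose_decrypt(ciphertext, keyword):
    """Refill the columns in key order, then read the grid row by row."""
    cols = len(keyword)
    n_rows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(n_rows)]
    pos = 0
    for c in column_order(keyword):
        for r in range(n_rows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def try_all_shift_keys(ciphertext, known_word):
    """A shift cipher has only 25 usable keys, so all of them can be tried."""
    hits = []
    for key in range(1, 26):
        candidate = shift_decrypt(ciphertext, key)
        if known_word in candidate:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    message = "SEND PAYMENT TODAY"  # constructed sample message
    print(shift_encrypt(message, 7))
    print(transpose_encrypt(message, "CARD"))
    print(try_all_shift_keys(shift_encrypt(message, 7), "PAYMENT"))
```

The substitution output keeps every letter in its original position, while the transposition output keeps every original letter but in a different position.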
• Modern symmetric-key ciphers
• Since traditional ciphers are no longer secure, modern
symmetric-key ciphers have been developed during the
last few decades.
• Modern ciphers normally use a combination of
substitution, transposition and some other complex
transformations to create a ciphertext from a plaintext.
• Modern ciphers are bit-oriented (instead of
character-oriented).
• The plaintext, ciphertext and the key are strings of bits.
• In this section we briefly discuss two examples of modern
symmetric-key ciphers: DES and AES.
Data Encryption Standard (DES)
• The DES (Data Encryption Standard) algorithm is a
symmetric-key block cipher created in the early 1970s by an
IBM team and adopted by the National Institute of
Standards and Technology (NIST).
• The algorithm takes the plain text in 64-bit blocks and
converts them into ciphertext using 56-bit keys.
Advanced Encryption Standard (AES)
• The AES is a symmetrical block cipher algorithm that
takes plain text in blocks of 128 bits and converts
them to ciphertext using keys of 128, 192, and 256
bits.
Public Key/Asymmetric Key Cryptography
• Asymmetric cryptography is a process that uses a pair of related keys, one
public key and one private key, to encrypt and decrypt a message and
protect it from unauthorized access or use.
• The public-key method of encrypting the sender’s message starts with
the receiver, not the sender.
• Let us observe following scenario:
• Asymmetric encryption can be likened to a mailbox on the street.
• The mailbox is completely public—anyone who knows its location could go
to it and drop in a letter.
• However, only the owner of the mailbox has a key which allows him to
access it and read the letters.
Public Key.. Cont
• Examples of asymmetric encryption include:
 Rivest Shamir Adleman (RSA)
 The Digital Signature Standard (DSS), which incorporates the Digital
Signature Algorithm (DSA)
 Elliptic Curve Cryptography (ECC)
 The Diffie-Hellman exchange method
 TLS/SSL protocol
• Published in 1977, RSA is one of the most widely used asymmetric encryption algorithms.
• Developed by Ron Rivest, Adi Shamir, and Leonard Adleman.
• RSA encryption generates a public key by multiplying two large, random
prime numbers together, and using these same prime numbers, generates a
private key.
• From there, standard asymmetric encryption takes place: information is
encrypted using the public key and decrypted using the private key.
Public Key.. Cont
• Alice wants to send an encrypted message to Bob.
• They agree to use public key encryption.
• The steps in the whole process are as follows:
1) Bob creates a pair of keys: one public key and one
private key. Bob puts the public key in a public key
server which anyone can access.
2) Bob informs Alice where she can get his public key.
3) Alice gets Bob’s public key.
4) Alice writes a message and uses Bob’s public key to
encrypt it.
5) Alice sends her encrypted message to Bob.
6) Bob uses his own private key to decrypt Alice’s
message.
Public Key.. Cont
• Although Bob’s private key can verify that no one
read or changed the document in transit, it
cannot verify the sender.
• Because Bob’s public key is public, anyone can
use it to encrypt the document and send it to
Bob while pretending to be Alice.
• In order to prove the sender, they need
another technique: digital signature.
Tradeoffs Between Symmetric and Asymmetric Key
Cryptography
• The main differences between symmetric and asymmetric
encryption are speed and security preferences.
• Generally speaking, symmetric encryption is faster and
simpler but is often viewed as less secure than asymmetric
encryption.
• But encryption really boils down to two things: key size and
the security of the media storing encryption keys.
• Symmetric encryption is much faster to execute because of
its shorter key lengths.
• Asymmetric encryption has a tendency to bog down
networks because of its longer key lengths and complex
algorithms.
• These are the tradeoffs worth considering when deciding
which type of encryption to employ.
Digital Signature
• We are all familiar with the concept of a signature. A person
signs a document to show that it originated from him/her or
was approved by him/her.
• The signature is proof to the recipient that the document
comes from the correct entity.
• In other words, a signature on a document, when verified, is a
sign of authentication—the document is authentic.
• When Alice sends a message to Bob, Bob needs to check the
authenticity of the sender: he needs to be sure that the
message comes from Alice and not Eve.
• Bob can ask Alice to sign the message electronically.
• In other words, an electronic signature can prove the
authenticity of Alice as the sender of the message.
• We refer to this type of signature as a digital signature.
Digital Signature
• A digital signature is an electronic equivalent of a
handwritten signature used to verify the authenticity and
integrity of the message or any digital document.
• It is an electronic verification of the sender.
• A digital signature serves three purposes.
1) Authentication: A digital signature gives the receiver
reason to believe the message was created and sent
by the claimed sender.
2) Non-repudiation: With a digital signature, the sender
cannot later deny having sent the message.
3) Integrity: A digital signature ensures that the message
was not altered in transit.
Digital Signature
• The following figure shows the digital signature process.
• The sender uses a signing algorithm to sign the message.
• The message and the signature are sent to the recipient.
• The recipient receives the message and the signature and
applies the verifying algorithm to the combination.
• If the result is true, the message is accepted, otherwise it is
rejected.
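The six public-key steps between Alice and Bob and the sign/verify process above, as an added example that is not part of the original slides: textbook RSA showing that anyone can encrypt to Bob under Alice's name, and that only a signature made with Alice's private key is accepted. The fixed primes, function names and messages are constructed for the illustration; real RSA keys use large random primes and padding schemes.

```python
import hashlib

E = 65537  # widely used public exponent

# Constructed toy primes (well-known Mersenne primes) so the run is repeatable.
# Real RSA keys use large random primes and padding such as OAEP and PSS.
BOB_PRIMES = (2**61 - 1, 2**89 - 1)
ALICE_PRIMES = (2**107 - 1, 2**127 - 1)


def make_keypair(p, q):
    """Multiply two primes for the public modulus; derive the private key from them."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of E modulo phi (Python 3.8+)
    return (n, E), (n, d)


def to_int(data):
    return int.from_bytes(data, "big")


def to_bytes(number):
    return number.to_bytes((number.bit_length() + 7) // 8, "big")


def encrypt(public_key, message):
    n, e = public_key
    m = to_int(message)
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    return to_bytes(pow(ciphertext, d, n))


def digest(message, n):
    """Hash digest of the message, reduced to fit the toy modulus."""
    return to_int(hashlib.sha256(message).digest()) % n


def sign(private_key, message):
    """Signing algorithm: apply the sender's private key to the digest."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(public_key, message, signature):
    """Verifying algorithm: true only if the signature matches this message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def run_scenario():
    # Steps 1-3: Bob publishes his public key; Alice fetches it.
    bob_public, bob_private = make_keypair(*BOB_PRIMES)
    alice_public, alice_private = make_keypair(*ALICE_PRIMES)

    # Steps 4-6: Alice encrypts with Bob's public key, Bob decrypts with his own.
    genuine = b"PAY 100 TO BOB"
    genuine_sig = sign(alice_private, genuine)
    bob_reads_alice = decrypt(bob_private, encrypt(bob_public, genuine))

    # Bob's public key is public, so a message that only claims to come from
    # Alice decrypts just as cleanly. It carries a signature copied from the
    # genuine message, because the impostor does not hold Alice's private key.
    impostor = b"PAY 900 TO EVE"
    bob_reads_impostor = decrypt(bob_private, encrypt(bob_public, impostor))

    return {
        "bob_reads_alice": bob_reads_alice,
        "bob_reads_impostor": bob_reads_impostor,
        "genuine_accepted": verify(alice_public, bob_reads_alice, genuine_sig),
        "impostor_accepted": verify(alice_public, bob_reads_impostor, genuine_sig),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, "=", value)
```

Both messages decrypt correctly for Bob, so decryption alone says nothing about the sender; only the check against Alice's public key separates the two.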
Digital Certificate
• A digital certificate is a form of electronic identification used to establish
a digital identity of the sender and guarantees the authenticity of the
message received over the Internet.
• Digital certificates function similarly to identification cards such as
passports and driver’s licenses.
• Digital certificates are issued by a recognized certificate authority (CA).
• When someone requests a certificate, the authority verifies the identity
of the requester, certifies that the requester meets all requirements to
receive the certificate, and then issues it.
• Digital certificates are mainly used to secure online transactions. Some
of the typical applications of this public key cryptography method are:
 Secure Sockets Layer (SSL)
 Email Security
 Virtual Private Networks (VPNs)
 Secure Electronic Transaction (SET)
Digital Certificate
• When a digital certificate is presented to others, they can verify
the identity of its owner because the digital certificate contains:
➢ Name of the certificate holder.
➢ Serial number, which is used to uniquely identify a certificate,
the individual or the entity identified by the certificate.
➢ Expiration dates.
➢ Copy of the certificate holder’s public key (used for decrypting
messages and digital signatures).
➢ Digital signature of the certificate-issuing authority.
• The digital certificate is also sent with the digital signature and the
message.
• Digital certificates are used to verify the trustworthiness of a
person (sender), while digital signatures are used to verify the
trustworthiness of the data being sent.
Certificate Authority (CA)
• Certificate authorities (CAs) are trusted third-party
institutions that provide digital certificates.
• CAs provide the most basic security and business process
principles in a public key infrastructure by creating trust
relationships between enterprise and entities.
• Public key infrastructure (PKI) refers to the CAs and digital
certificate procedures that are accepted by all parties.
• Worldwide, thousands of organizations issue CAs.
• GlobalSign was the first certification authority created in
Europe.
Third Party Authentication
• In third-party authentication systems, the password or encryption key itself
never travels over the network. Rather, an "authentication server"
maintains a file of obscure facts about each registered user.
• At log-on time, the server demands the entry of a randomly chosen fact—
mother's maiden name is a traditional example—but this information is not
sent to the server.
• Instead, the server uses it (along with other data, such as the time of day)
to compute a token. The server then transmits an encrypted message
containing the token, which can be decoded with the user's key.
• If the key was properly computed, the user can decrypt the message. The
message contains an authentication token that allows users to log on to
network services.
• Kerberos is a computer network security protocol that authenticates
service requests between two or more trusted hosts across the Internet. It
uses secret-key cryptography and a trusted third party for authenticating
client-server applications and verifying users' identities.
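The log-on exchange described above, as an added example that is not part of the original slides and is not Kerberos itself. The class and function names, the server storing the fact as a derived key, and the SHA-256 keystream standing in for a real cipher such as AES are all assumptions.

```python
import hashlib
import hmac
import os

def derive_key(user: str, secret_fact: str) -> bytes:
    """Run on both sides: 32 bytes for encryption plus 32 bytes for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", secret_fact.encode(), user.encode(),
                               100_000, dklen=64)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream); real systems use e.g. AES."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = nonce + _xor_stream(key[:32], nonce, plaintext)
    return body + hmac.new(key[32:], body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], body, hashlib.sha256).digest()):
        return None                       # wrong key or altered message
    return _xor_stream(key[:32], body[:16], body[16:])

class AuthServer:
    def __init__(self):
        # Constructed registration record; the fact is held only as a derived key.
        self.keys = {"alice": derive_key("alice", "constructed-secret-fact")}
        self.issued = {}

    def challenge(self, user: str, now: int) -> bytes:
        """Compute a token from the user's key and the time, return it encrypted."""
        seed = os.urandom(16) + str(now).encode()
        token = hmac.new(self.keys[user][32:], seed, hashlib.sha256).hexdigest().encode()
        self.issued[user] = token
        return seal(self.keys[user], token)

    def accepts(self, user: str, token) -> bool:
        return token is not None and hmac.compare_digest(self.issued.get(user, b""), token)

def log_on(server: AuthServer, user: str, typed_fact: str, now: int = 1_700_000_000) -> bool:
    blob = server.challenge(user, now)                   # only ciphertext crosses the network
    token = unseal(derive_key(user, typed_fact), blob)   # decrypted on the client
    return server.accepts(user, token)
```

A client that types the wrong fact derives a different key, the MAC check fails, and no token is recovered, so the secret is proven without ever being transmitted.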
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Secure sockets layer (SSL) is a networking protocol designed for securing
connections between clients and web servers over the network.
• The most common use of SSL is to provide protection for confidential data,
such as personal details or credit card information, entered into a website.
• HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a
website is secured by an SSL certificate.
• The details of the certificate, including the issuing authority and the
corporate name of the website owner, can be viewed by clicking on the lock
symbol on the browser bar.
• SSL/TLS provides data encryption, server authentication, optional client
authentication, and message integrity for TCP/IP connections.
[Figure: SSL certificate example]
Virtual Private Networks (VPNs)
• A virtual private network (VPN) allows remote users to securely access a
private internal network via the Internet using Point-to-Point Tunneling
Protocol (PPTP).
• VPNs use both authentication and encryption to secure information from
unauthorized persons (providing confidentiality and integrity).
• A VPN is “virtual” in the sense that it appears to users as a dedicated secure
line when in fact it is a temporary secure line.
• The primary use of VPNs is to establish secure communications among
business partners (larger suppliers or customers) and employees working
remotely.
• A dedicated connection to a business partner can be very expensive, but using
a VPN connection significantly reduces the cost of secure communications.
Secure Electronic Transaction (SET)
• Secure Electronic Transaction is an open-source encryption and security
specification designed to protect credit card transactions on the Internet.
• The secure electronic transaction is not a payment system; it is a set of
security protocols and formats that ensures online payment transactions on the
Internet are secure.
• SET provides a secure environment for all the parties that are involved in the
e-commerce transaction.
• It provides authentication that a cardholder is a legitimate user of a credit card
account.
• It provides authentication that a merchant can accept credit card transactions
through its relationship with a financial institution.
• It provides a secure communication channel in a transaction.
• Protects credit card transactions on the Internet.
• Companies involved: MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa
and Verisign.
• Provides trust by the use of X.509v3 digital certificates.
• Ensures privacy and integrity, and provides confidentiality of payment and ordering
information.
SET Participants
• Cardholder (Customer): A cardholder is an authorized holder of the
payment card.
• Merchant: A merchant is any person or organization who wants to
sell its goods and services to cardholders. Note that a merchant must
have a relationship with the acquirer to accept the payment through
the Internet.
• Issuer (Customer’s Bank): An issuer is a financial organization such as
a bank that issues a payment card, e.g. MasterCard or Visa, to the user or
cardholder.
• Acquirer (Merchant’s Bank): This is a financial organization with a
relationship with the merchant for processing the card payment
authorization and all the payments. An acquirer is part of this
process because the merchant can accept credit cards of more than
one brand. It also provides an electronic fund transfer to the
merchant account.
SET Participants Cont..
• Payment Gateway: For payment authorization, the payment gateway acts
as an interface between secure electronic transactions and existing card
payment networks. The merchant exchanges the Secure Electronic
Transaction message with the payment gateway through the Internet. In
response to that, the payment gateway connects to the acquirer’s system
by using a dedicated network line.
• Certification Authority: It is a trusted authority that provides public-key
certificates to cardholders, payment gateways, and merchants.
[Figure: SET transactions example]
Firewalls
• A firewall refers to either hardware or software that
filters communication packets and prevents some packets from
entering or exiting the network based on a security policy.
• The firewall controls traffic to and from servers and clients,
forbidding communications from untrustworthy sources, and
allowing other communications from trusted sources to proceed.
• Every message that is to be sent or received from the network is
processed by the firewall, which determines if the message meets
security guidelines established by the business.
• If it does, it is permitted to be distributed, and if it doesn’t, the
message is blocked.
• Firewalls can filter traffic based on packet attributes such as
source IP address, destination port or IP address, type of service
(such as WWW or HTTP), the domain name of the source, and
many other dimensions.
Importance of Firewall in an Organization
• Firewalls are designed to be an organization’s first line of
defense against cyber attacks. By limiting the traffic that
crosses the network boundary to only authorized traffic, a
firewall protects many potentially exploitable internal
programs from danger.
• A firewall is your first line of defence against hackers and
other unauthorized external users.
• A firewall lets you block access to unapproved websites.
• A firewall can protect your business from malicious code.
• You can use a firewall to meter bandwidth.
• Monitors network traffic.
• Firewalls greatly reduce the vulnerability of the system.
Types of Firewalls
1. Packet-Filtering Firewalls
2. Application-level Gateway
3. Stateful Inspection Firewalls
4. Proxy Firewalls
5. Next-Generation Firewalls
6. Cloud Firewalls
1. Packet-Filtering Firewalls
• Filters packets based on header information; each packet is allowed or denied
according to the firewall rules.
• Packet filters examine data packets to determine whether they are
destined for a prohibited port or originate from a prohibited IP address.
• The filter specifically looks at the source and destination information, as
well as the port and packet type, when determining whether the
information may be transmitted.
• Advantages:
➢ Fast and efficient way of filtering headers
➢ Low costs
➢ Uses less resources
• Disadvantages:
➢ Susceptible to IP Spoofing
➢ No user authentication
➢ Can’t filter application level protocols
2. Application-level Gateway
• Application gateways are a type of firewall that filters
based on the application being requested, rather than
the source or destination of the message.
• Such firewalls also process requests at the application
level, farther from the client computer than packet
filters.
• By providing a central filtering point, application
gateways provide greater security than packet filters
but can compromise system performance.
3. Stateful Inspection Firewalls
• Third generation firewall technology, often referred to as
dynamic packet filtering.
• Understands data in packets from the network layer (IP
headers) up to the application layer.
• Tracks the state of communication session.
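Session tracking as described above, added here as an example rather than taken from the slides. The class, the two-state TCP model and the trace are assumptions; a filter that judges each packet in isolation cannot tell the first and last packets of the trace from legitimate replies, while the session table can.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags set on the segment
    inside: bool          # True when an internal host sent it

class StatefulFirewall:
    """Lets internal hosts open connections; inbound traffic must match one."""
    def __init__(self):
        self.sessions = {}    # (inside ip, port, outside ip, port) -> state

    def inspect(self, s: Segment) -> str:
        key = ((s.src, s.sport, s.dst, s.dport) if s.inside
               else (s.dst, s.dport, s.src, s.sport))
        state = self.sessions.get(key)
        if state is None:
            if s.inside and s.flags == {"SYN"}:
                self.sessions[key] = "SYN_SENT"     # new outbound connection
                return "allow"
            return "deny"                           # nothing on record for it
        if s.flags & {"FIN", "RST"}:
            del self.sessions[key]                  # teardown: forget the session
            return "allow"
        if state == "SYN_SENT" and not s.inside:
            if s.flags != {"SYN", "ACK"}:
                return "deny"                       # out of sequence for a handshake
            self.sessions[key] = "ESTABLISHED"
        return "allow"

def replay():
    """Run a constructed trace; addresses are private/documentation ranges."""
    fw = StatefulFirewall()
    c, s = ("10.0.0.5", 50000), ("198.51.100.80", 443)
    seg = lambda a, b, flags, inside: Segment(*a, *b, frozenset(flags), inside)
    trace = [
        seg(s, c, {"ACK"}, False),          # "reply" with no session on record
        seg(c, s, {"SYN"}, True),           # client opens a connection
        seg(s, c, {"SYN", "ACK"}, False),   # server answers the handshake
        seg(s, c, {"ACK"}, False),          # data on the tracked session
        seg(c, s, {"FIN", "ACK"}, True),    # client closes
        seg(s, c, {"ACK"}, False),          # late packet after the close
    ]
    return [fw.inspect(p) for p in trace]
```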
4. Proxy Servers/Firewalls
• Proxy servers handle all communications originating from or being
sent to the Internet by local clients, acting as a spokesperson or
bodyguard for the organization.
• Proxies act primarily to limit access of internal clients to external
Internet servers, although some proxy servers act as firewalls as well,
called proxy firewalls.
• When a user on an internal network requests a Web page, the
request is routed first to the proxy server.
• The proxy server validates the user and the nature of the request,
and then sends the request onto the Internet.
• Proxy servers also improve Web performance by storing frequently
requested Web pages locally, reducing upload times, and hiding the
internal network’s address, thus making it more difficult for hackers
to monitor.
5. Next-Generation Firewalls
• Next-generation firewalls use an application-centric
approach to firewall control.
• They combine functions from other firewalls, such as packet filtering,
stateful inspection, and deep packet inspection.
• They are able to identify applications regardless of
the port, protocol, or security evasion tools used;
identify users regardless of device or IP address;
decrypt outbound SSL; and protect in real-time
against threats embedded in applications.
6. Cloud Firewalls
• A cloud firewall is a security product that, like a traditional
firewall, filters out potentially malicious network traffic.
• Unlike traditional firewalls, cloud firewalls are hosted in the
cloud.
• This cloud-delivered model for firewalls is also called
firewall-as-a-service (FaaS).
Antivirus
• Software that is created specifically to help detect, prevent and remove
malware (malicious software).
• Antivirus is a kind of software used to prevent, scan, detect and delete
viruses from a computer.
• Once installed, most antivirus software runs automatically in the
background to provide real-time protection against virus attacks.
• Antivirus software looks at data (web pages, files, software, applications)
traveling over the network to your devices.
Assignment-1
1) Imagine you are the owner of an e-commerce Web
site. What are some of the signs that your site has
been hacked? Discuss the major types of attacks you
could expect to experience and the resulting damage
to your site. Prepare a brief summary presentation.
2) Given the shift toward m-commerce, do a search on
m-commerce (or mobile commerce) crime. Identify
and discuss the security threats this type of
technology creates. Prepare a presentation outlining
your vision of the new opportunities for cybercrime
that m-commerce may provide.