Chapter 6: Implementing Security for Electronic Commerce

Objectives
- Security measures that can reduce or eliminate intellectual property theft
- Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages
- Authenticating users to servers, and authenticating servers to users
- Available protection mechanisms to secure information sent between a client and a server
- Message integrity security: preventing another program from altering information as it travels across the Internet
- Safeguards that are available so commerce servers can authenticate users
- Protecting intranets and corporate servers with firewalls against attack from the Internet
- The role the Secure Sockets Layer (SSL), Secure HTTP (S-HTTP) and Secure Electronic Transaction (SET) protocols play in protecting e-commerce

Minimum Requirements for Secure Electronic Commerce

Protecting Intellectual Property
- The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works
- "Intellectual Property Protection in Cyberspace" recommends: host name blocking, packet filtering, proxy servers

Companies Providing Intellectual Property Protection Software
- ARIS Technologies: digital audio watermarking systems; a code embedded in the audio file uniquely identifies the intellectual property
- Digimarc Corporation: watermarking for various file formats; controls software and playback devices
- SoftLock Services: allows authors and publishers to lock files containing digital information for sale on the Web; the files are posted to the Web and must be unlocked with a purchased 'key' before viewing

Protecting Client Computers
- Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
- Threats can hide in Web pages, in downloaded graphics and plug-ins, and in e-mail attachments
- Cookies: small pieces of text stored on your computer. They may contain sensitive information, and unless the site encrypts the value, anyone with access to the machine (or to the network path, when the cookie is sent without SSL) can read and interpret it
- Cookies do not harm client machines directly, but they can still cause damage: a cookie that is read or stolen can reveal the information it holds, and a stolen session cookie lets the thief act as that user toward the site
- Misplaced trust: Web sites that aren't really what they seem and trick the user into revealing sensitive data

Monitoring Active Content
- Netscape Navigator and Microsoft Internet Explorer are equipped to let the user monitor active content before allowing it to download
- Digital certificates provide assurance to clients and servers that the participant is authenticated

Digital Certificates
- Also known as a digital ID
- An attachment to an e-mail message or a program embedded in a Web page
- Serves as proof that the holder is the person or company identified by the certificate
- Carries the holder's public key, so others can send the holder messages encoded so that nobody else can read or duplicate them
- In the case of downloaded software carrying a digital ID, it identifies the software publisher, i.e., it assures the user that the code comes from a named, vouched-for publisher. It says nothing about whether the code is safe; the user still decides whether to trust that publisher
- A certification authority (CA) issues a digital certificate to an organization or an individual when provided with the required information
- The CA signs the certificate with the CA's own private key. Anyone who receives the certificate attached to the publisher's code can check that signature with the CA's public key, which is how the certificate is "unlocked": a valid signature shows the CA issued it and that it has not been altered since
- The CA vouches for the authenticity of the organization or individual; that guarantee is only as strong as the CA's identity checks and the secrecy of the CA's private key

Key
- A key is simply a number, a long binary number (1s and 0s), which is used with the encryption algorithm to "lock" the characters of the message that is to be protected
- For a given algorithm, longer keys provide significantly better protection than shorter keys: each additional bit doubles the work of trying every key
VeriSign: A Certification Authority
- The oldest and best-known certification authority (CA)
- Offers several classes of certificates:
  - Class 1 (lowest level): binds an e-mail address to its associated public key
  - Class 2: used by an organization such as a bank to identify its customers; the certificate itself is still issued by a CA
  - Class 4 (highest level): applies to servers and their organizations; offers assurance of an individual's identity and relationship to a specified organization
- Structure of a VeriSign certificate: Figure 6-4

Microsoft Internet Explorer
- Provides client-side protection right inside the browser
- Reacts to ActiveX and Java-based content
- Authenticode verifies the publisher's signature on downloaded code, i.e., who published it, not whether it is safe
- The user decides whether to 'trust' code from individual companies
- Security warning and certificate validation: Figure 6-5
- Internet Explorer zones and security levels: Figure 6-6
- Internet Explorer security zone default settings: Figure 6-7

Netscape Navigator
- The user can decide whether to allow Navigator to download active content
- The user can view the signature attached to Java and JavaScript code
- Security is set in the Preferences dialog box
- Cookie options are also set in the Preferences dialog box
- Setting Netscape Navigator preferences: Figure 6-8
- A typical Netscape Navigator Java security alert: Figure 6-9
- Viewing a content provider's certificate: Figure 6-10

Dealing with Cookies
- Can be given an expiration date (for example 10, 20 or 30 days); a cookie with no expiration date is discarded when the browser closes
- Retrievable only by the site that created them; the browser enforces this rule, so it does not protect a cookie that is intercepted in transit or read from the disk
- Collect information so that the user doesn't have to continually enter usernames and passwords to access Web sites
- Earlier browsers simply stored cookies without comment; today's browsers offer options to store cookies without permission or warning, to warn that a cookie is about to be stored, or to disallow cookies altogether

Protecting Electronic Commerce Channels: Communication Path
- Protecting assets while they are in transit between client computers and remote servers
- Providing channel security includes channel secrecy, guaranteeing message integrity, ensuring channel availability, and authentication

Providing Transaction Privacy
- Encryption: the coding of information by using a mathematically based program and a secret key to produce unintelligible characters; the original information is changed
- Steganography: hides the existence of a message by embedding it in other, innocuous-looking data (an image, for instance) so that it is invisible to the naked eye
- Cryptography: converts text to strings that appear to have no meaning

Encryption
- 40-bit keys were once considered the minimum; a 40-bit key space is small enough for a modern computer to search exhaustively, so 128-bit keys are the practical baseline and provide much more secure encryption
- Encryption can be subdivided into three functions:
  - Hash coding: uses a hash algorithm to calculate a number called the hash value from the original message string
  - Asymmetric (public-key) encryption: encodes by using two mathematically related keys
  - Symmetric (private-key) encryption: encodes by using one key, which both sender and receiver must know

Hash Coding
- Uses a hash algorithm to calculate a number called the hash value from the original message string
- Typically the algorithm processes every bit (all the 1s and 0s) of the message to produce the value, so changing even a single bit changes the hash
- Because the hash is much shorter than the message, different messages with the same hash value (collisions) must exist; a cryptographic hash is designed so that finding one is computationally infeasible, which is what lets the hash stand in for the message
- Comparing the hash value computed before transmission with one computed after it shows whether the message was changed in transit
- Caveat: a bare hash only catches accidental corruption. An attacker who can alter the message can recompute the hash as well, so integrity against deliberate tampering requires the hash to be keyed (an HMAC) or signed

Asymmetric (or Public-key) Encryption
- Encodes messages by using two mathematically related numeric keys: a public key and a private key
- The public key is freely available to anyone who wants to communicate with the holder of the key pair; it is used to encrypt messages
- The private key is kept secret by the key owner and is used to decrypt an encrypted message
- If Jack wants to send a message to Jill, Jack obtains Jill's public key, encrypts the message with it, and sends it. Only Jill can decrypt this message, with her private key
- Jack must be sure the public key he obtained really belongs to Jill; that assurance is what a digital certificate provides
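The integrity check described under Hash Coding, as an added example that is not code from the original chapter. It uses Python's standard hashlib and hmac modules; the payment message, the shared key and the attacker's edit are constructed for the demo. It shows the two halves of the caveat above: a plain hash catches a corrupted bit, but not an attacker who rewrites the message and recomputes the hash, whereas a keyed hash (HMAC) does.

```python
"""Hash-based integrity check, and why a bare hash is not enough.

Added example; not part of the original chapter. Sample data is constructed.
"""
import hashlib
import hmac
import secrets


def hash_value(message: bytes) -> str:
    """The hash value the slides describe: a fixed-size digest of every bit."""
    return hashlib.sha256(message).hexdigest()


def unchanged(message: bytes, hash_before: str) -> bool:
    """Compare the hash computed before sending with one computed on receipt."""
    return hash_value(message) == hash_before


def tag(message: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(message: bytes, key: bytes, received_tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(tag(message, key), received_tag)


def demo() -> dict:
    order = b"PAY 100.00 TO ACCT 4242"       # constructed sample message
    shared_key = secrets.token_bytes(32)     # key agreed between sender and receiver
    sent_hash = hash_value(order)
    sent_tag = tag(order, shared_key)

    # 1. A single bit flipped in transit is caught by the plain hash.
    corrupted = bytearray(order)
    corrupted[4] ^= 0x01
    detects_corruption = not unchanged(bytes(corrupted), sent_hash)

    # 2. An attacker rewrites the amount AND recomputes the hash: the plain
    #    hash check passes, because the hash contains no secret.
    forged = order.replace(b"100.00", b"999.00")
    plain_hash_fooled = unchanged(forged, hash_value(forged))

    # 3. Without the key the attacker cannot produce a valid HMAC, so the
    #    keyed check rejects the forgery even though it carries a fresh tag.
    attacker_tag = tag(forged, b"guessed-key")
    hmac_rejects_forgery = not verify_tag(forged, shared_key, attacker_tag)
    hmac_accepts_genuine = verify_tag(order, shared_key, sent_tag)

    return {
        "detects_corruption": detects_corruption,
        "plain_hash_fooled": plain_hash_fooled,
        "hmac_rejects_forgery": hmac_rejects_forgery,
        "hmac_accepts_genuine": hmac_accepts_genuine,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The HMAC only helps if the key stays secret and is shared in advance; how that key gets to the other side is the same key-distribution problem that symmetric encryption faces, and in SSL it is solved with public-key encryption.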
Symmetric (or Private-key) Encryption
- Encodes a message using a single numeric key (the private key) to both encode and decode data
- Because the same key is used, both the sender and the receiver must know it; getting that key to the other party without anyone else learning it is the key-distribution problem
- On its own it is therefore awkward for communication between strangers over the Internet, but it is well suited to highly secured communication such as that in the defense sector or between two business partners who can exchange keys in advance
- In practice the two approaches are combined: public-key encryption is used to deliver a fresh symmetric key, and that symmetric key then encrypts the bulk of the traffic, which is how SSL works

Hash Coding, Private-key, and Public-key Encryption

Significant Encryption Algorithms and Standards