Chapter 6 Implementing Security for Electronic Commerce Electronic Commerce Objectives Security measures that can reduce or eliminate intellectual property theft ◆ Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages ◆ Authenticate users to servers and authenticate servers ◆ Objectives Available protection mechanisms to secure information sent between a client and a server ◆ Message integrity security, preventing another program from altering information as it travels across the Internet ◆ Objectives ◆ ◆ ◆ Safeguards that are available so commerce servers can authenticate users Protecting intranets with firewalls and corporate servers against being attacked through the Internet The role Secure Socket Layer, Secure HTTP and secure electronic transaction protocols play in protecting e-commerce Protecting Electronic Commerce Assets ◆ You cannot hope to produce secure commerce systems unless there is a written security policy ● What assets are to be protected ● What is needed to protect those assets ● Analysis of the likelihood of threats ● Rules to be enforced to protect those assets Protecting Electronic Commerce Assets ◆ Both defense and commercial security guidelines state that you must protect assets from ● ● ● ◆ Unauthorized disclosure Modification Destruction Typical security policy concerning confidential company information ● Do not reveal company confidential information to anyone outside the company Minimum Requirements for Secure Electronic Commerce Figure 6-1 Protecting Intellectual Property The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works ◆ Intellectual Property Protection in Cyberspace recommends: ◆ ● Host name blocking ● Packet filtering ● Proxy servers Companies Providing Intellectual Property Protection Software ◆ ARIS Technologies ● Digital ◆ ◆ audio watermarking systems Embedded code in audio file uniquely identifying the intellectual property Digimarc Corporation ● Watermarking for various file formats ● Controls software and playback devices Companies Providing Intellectual Property Protection Software ◆ SoftLock Services ● Allows authors and publishers to lock files containing digital information for sale on the Web ● Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing 10 Hash Coding, Private-key, and Public-key Encryption Figure 6-11 32 Significant Encryption Algorithms and Standards Figure 6-12 33 Secure Sockets Layer (SSL) Protocol Secures connections between two computers ◆ Provides a security handshake in which the client and server computers exchange the level of security to be used, certificates, among other things ◆ Secures many different types of communications between computers ◆ 34 Secure Sockets Layer (SSL) Protocol Provides either 40-bit or 128-bit encryption ◆ Session keys are used to create the cipher text from plain text during the session ◆ The longer the key, the more resistant to attack ◆ 35 Establishing an SSL Session Figure 6-13 36 SSL Web Server Information Figure 6-14 37 Secure HTTP (S-HTTP) Protocol ◆ Extension to HTTP that provides numerous security features ● Client and server authentication ● Spontaneous encryption ● Request/response nonrepudiation ◆ Provides symmetric and public-key encryption, and message digests (summaries of messages as integers) 38 Ensuring Transaction Integrity Figure 6-15 39 Guaranteeing Transaction Delivery Neither encryption nor digital signatures protect packets from theft or slowdown ◆ Transmission Control Protocol (TCP) is responsible for end-to-end control of packets ◆ TCP requests that the client computer resend data when packets appear to be missing ◆ 40 Protecting the Commerce Server ◆ Access control and authentication ● Controlling who and what has access to the server ● Requests that the client send a certificate as part of authentication ● Server checks the timestamp on the certificate to ensure that it hasn’t expired ● Can use a callback system in which the client computer address and name are checked against a list 41 Protecting the Commerce Server Usernames and passwords are the most common method of providing protection for the server ◆ Usernames are stored in clear text, while passwords are encrypted ◆ The password entered by the user is encrypted and compared to the one on file ◆ 42 Logging On With A Username And Password Figure 6-16 43 Operating System Controls Most operating systems employ username and password authentication ◆ A common defense is a firewall ◆ ● All traffic from inside to outside and outside to inside must pass through it ● Only authorized traffic is allowed ● The firewall itself must be immune to penetration 44 Firewalls Should be stripped of any unnecessary software ◆ Categories of firewalls include ◆ ● Packet ◆ filters Examine all packets flowing through the firewall ● Gateway ◆ servers Filter traffic based on the requested application ● Proxy servers Communicate on behalf of the private network ◆ Serve as a huge cache for Web pages ◆ 45 Check Point Software’s Firewall-1 Web Page Figure 6-17 46 ... Layer, Secure HTTP and secure electronic transaction protocols play in protecting e -commerce Protecting Electronic Commerce Assets ◆ You cannot hope to produce secure commerce systems unless there... Analysis of the likelihood of threats ● Rules to be enforced to protect those assets Protecting Electronic Commerce Assets ◆ Both defense and commercial security guidelines state that you must protect... company confidential information to anyone outside the company Minimum Requirements for Secure Electronic Commerce Figure 6-1 Protecting Intellectual Property The dilemma for digital property is how