EC & WE Lecture 08


CSE-409

E-Commerce & Web Engineering

Lecture -08

Sahab Uddin Rana

Lecturer, Dept. of CSE, DIU

1
Dimensions of e-commerce security
There are six key dimensions to e-commerce security:
1. Integrity: The ability to ensure that information being displayed on a
website or transmitted or received over the internet has not been
altered in any way by an unauthorized party.
2. Nonrepudiation: The ability to ensure that e-commerce participants do
not deny (i.e., repudiate) their online actions.
3. Authenticity: The ability to verify the identity of a person or entity
with whom you are dealing on the Internet.

2
Dimensions of e-commerce security (Cont.)

4. Confidentiality: The ability to ensure that messages and data are
available only to those who are authorized to view them.
5. Privacy: The ability to control the use of information about
oneself.
6. Availability: The ability to ensure that an e-commerce site
continues to function as intended.

3
4
A Typical E-commerce Transaction with a consumer using a credit card to purchase a product

5
Security Threats in the E-commerce Environment

Three key points of vulnerability in the e-commerce environment:

1. Client
2. Server
3. Communications pipeline (Internet communications channels)

6
7
Most common and most damaging forms of security threats
to e-commerce consumers and site operators:
▪ Malicious code (malware, exploits):
◦ Drive-by downloads: malware that comes with a downloaded file that a
user requests.
◦ Viruses: a computer program that has the ability to replicate or make
copies of itself, and spread to other files.
◦ Worms: malware that is designed to spread from computer to computer.
◦ Ransomware: a type of malware that locks your computer or files to
stop you from accessing them.
◦ Trojan horses
◦ Backdoors
◦ Bots, botnets
◦ Threats at both client and server levels

8
▪ Potentially unwanted programs (PUPs)
◦ Browser parasites: a program that can monitor and change the settings of a
user’s browser.
◦ Adware: a PUP that serves pop-up ads to your computer.
◦ Spyware: a program used to obtain information such as a user’s keystrokes,
e-mail, instant messages, and so on.
▪ Phishing
◦ Social engineering
◦ E-mail scams
◦ Spear-phishing
◦ Identity fraud/theft

9
▪ Hacking
◦ Hackers vs. crackers
◦ Types of hackers: white, black, grey hats
◦ Hacktivism
▪ Cyber vandalism:
◦ Disrupting, defacing, destroying a Web site
▪ Data breach
◦ Losing control over corporate information to outsiders

10
▪ Credit card fraud/theft
▪ Spoofing and pharming
▪ Spam (junk) Web sites (link farms)
▪ Identity fraud/theft
▪ Denial of service (DoS) attack
◦ Hackers flood sites with useless traffic to overwhelm the network
▪ Distributed denial of service (DDoS) attack
▪ Poorly designed server and client software
◦ SQL injection attacks
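The SQL injection bullet above, as an added Python example that is not from the lecture: a constructed in-memory SQLite product table queried two ways, pasting user input into the SQL text versus binding it as a parameter. Even a harmless product name containing an apostrophe changes the structure of the first query (here it breaks the statement), while the parameterized query treats the whole string as data; the table and product names are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory catalogue for the demonstration (not a real shop's schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
conn.executemany("INSERT INTO products VALUES (?, ?)",
                 [("Laptop", 900), ("O'Neil's Mug", 12), ("Headset", 60)])

def search_unsafe(term: str):
    """Vulnerable pattern: the user's term is pasted into the SQL text, so any
    quote or SQL syntax in it becomes part of the statement itself."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

def search_safe(term: str):
    """Hardened pattern: the term is bound as a parameter, so the driver always
    treats it as data and the statement's structure is fixed by the code."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?",
                        (term,)).fetchall()
```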

11
Tools Available to Achieve Site Security

12
Technology Solutions
▪ Protecting Internet communications
◦Encryption
▪ Securing channels of communication
◦SSL, VPNs
▪ Protecting networks
◦Firewalls
▪ Protecting servers and clients

13
Encryption
◦ Transforms data into ciphertext readable only by sender and receiver.
◦ Secures stored information and information transmission.
◦ Provides 4 of 6 key dimensions of e-commerce security:
◦ Message integrity: provides assurance that the message has not been altered.
◦ Nonrepudiation: prevents the user from denying he or she sent the message.
◦ Authentication: provides verification of the identity of the person (or computer)
sending the message.
◦ Confidentiality: gives assurance that the message was not read by others.

14
Symmetric/secret Key Encryption
▪ Sender and receiver use the same digital key to encrypt and decrypt
the message
▪ Requires a different set of keys for each transaction
▪ Strength of encryption
◦ Length of the binary key used to encrypt data
▪ Data Encryption Standard (DES)
▪ Advanced Encryption Standard (AES)
◦ The most widely used symmetric key encryption
◦ Uses 128-, 192-, and 256-bit encryption keys
▪ Other standards use keys with up to 2,048 bits

15
Public Key Encryption
▪ Uses two mathematically related digital keys
◦ Public key (widely disseminated)
◦ Private key (kept secret by owner)
▪ Both keys are used to encrypt and decrypt the message
▪ Once a key is used to encrypt the message, the same key cannot be
used to decrypt the message
▪ Sender uses recipient’s public key to encrypt the message; recipient
uses the private key to decrypt it.

16
Public Key Cryptography: A Simple Case

17
18
Public Key Encryption using Digital Signatures and Hash Digests
▪ Hash function:
◦ Mathematical algorithm that produces a fixed-length number called a message or hash
digest.
▪ Hash digest of the message is sent to the recipient along with the message to
verify its integrity.
▪ Hash digest and message encrypted with recipient’s public key
▪ Entire ciphertext then encrypted with recipient’s private key—creating
digital signature—for authenticity, nonrepudiation
▪ Digital signature (e-signature): “signed” ciphertext that can be sent over the
internet.

19
Public Key Cryptography with Digital Signatures

20
21
Digital Envelopes
▪ A technique that uses symmetric encryption for large documents, but public-key
encryption to encrypt and send the symmetric key
▪ Addresses weaknesses of:
• Public key encryption
◦ Computationally slow, decreased transmission speed, increased processing time
• Symmetric key encryption
◦ Insecure transmission lines
▪ Uses symmetric key encryption to encrypt the document
▪ Uses public key encryption to encrypt and send the symmetric key
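The public key encryption, digital signature with hash digest, and digital envelope slides above, as one added worked example in Python written for these notes (not code from the lecture or from any library). It assumes a constructed, far-too-small textbook RSA key pair with no padding, SHA-256 as the hash function, and a toy XOR stream cipher standing in for the symmetric cipher; the signature is computed with the sender's private key, the only private key the sender holds, and checked with the sender's public key.

```python
import hashlib
import os
# Constructed toy RSA key pair: a 31-bit and a 33-bit prime, "textbook" RSA with
# no padding. Real systems use >= 2048-bit keys with OAEP/PSS; this only shows mechanics.
P, Q = 2147483647, 4294967311
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)

def apply_key(key, blocks):
    """RSA core: raise each integer block to the key's exponent, mod N."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]

def pk_encrypt(data: bytes, recipient_public_key):
    """Public key encryption with the recipient's public key (toy: one byte per block)."""
    return apply_key(recipient_public_key, list(data))

def pk_decrypt(blocks, recipient_private_key) -> bytes:
    """Only the matching private key recovers the bytes; the encrypting key cannot."""
    return bytes(apply_key(recipient_private_key, blocks))

def hash_digest(message: bytes) -> int:
    """Fixed-length SHA-256 message digest, reduced mod N so it fits one RSA block."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, sender_private_key) -> int:
    """Digital signature: the hash digest transformed with the sender's private key."""
    return apply_key(sender_private_key, [hash_digest(message)])[0]

def verify(message: bytes, signature: int, sender_public_key) -> bool:
    """Recover the digest with the sender's public key and compare to a fresh hash."""
    return apply_key(sender_public_key, [signature])[0] == hash_digest(message)

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR with a SHA-256 keystream (same call decrypts)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_envelope(document: bytes, recipient_public_key):
    """Digital envelope: a fresh symmetric key encrypts the document; only that short key is public-key encrypted."""
    session_key = os.urandom(16)
    return pk_encrypt(session_key, recipient_public_key), sym_crypt(session_key, document)

def open_envelope(envelope, recipient_private_key) -> bytes:
    """Recover the symmetric key with the private key, then decrypt the document."""
    encrypted_key, ciphertext = envelope
    return sym_crypt(pk_decrypt(encrypted_key, recipient_private_key), ciphertext)
```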

22
Creating a Digital Envelope

23
Thank you!

24
