EC & WE Lecture 08
Lecture 08
Dimensions of e-commerce security
There are six key dimensions to e-commerce security:
1. Integrity: The ability to ensure that information being displayed on a website, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party.
2. Nonrepudiation: The ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions.
3. Authenticity: The ability to verify the identity of a person or entity with whom you are dealing on the Internet.
Dimensions of e-commerce security (Cont.)
A Typical E-commerce Transaction with a consumer using a credit card to purchase a product
Security Threats in the E-commerce Environment
Most common and most damaging forms of security threats to e-commerce consumers and site operators:
▪ Malicious code (malware, exploits):
◦ Drive-by downloads: malware that comes with a downloaded file that a user requests.
◦ Viruses: a computer program that has the ability to replicate or make copies of itself and spread to other files.
◦ Worms: malware that is designed to spread from computer to computer.
◦ Ransomware: a type of malware that locks your computer or files to stop you from accessing them.
◦ Trojan horses
◦ Backdoors
◦ Bots, botnets
◦ Threats at both client and server levels
▪ Potentially unwanted programs (PUPs)
◦ Browser parasites: a program that can monitor and change the settings of a user's browser.
◦ Adware: a PUP that serves pop-up ads to your computer.
◦ Spyware: a program used to obtain information such as a user's keystrokes, e-mail, instant messages, and so on.
▪ Phishing
◦ Social engineering
◦ E-mail scams
◦ Spear-phishing
◦ Identity fraud/theft
▪ Hacking
◦ Hackers vs. crackers
◦ Types of hackers: white, black, grey hats
◦ Hacktivism
▪ Cyber vandalism:
◦ Disrupting, defacing, destroying Web sites
▪ Data breach
◦ Losing control over corporate information to outsiders
▪ Credit card fraud/theft
▪ Spoofing and pharming
▪ Spam (junk) Web sites (link farms)
▪ Identity fraud/theft
▪ Denial of service (DoS) attack
◦ Hackers flood sites with useless traffic to overwhelm the network
▪ Distributed denial of service (DDoS) attack
▪ Poorly designed server and client software
◦ SQL injection attacks
Tools Available to Achieve Site Security
Technology Solutions
▪ Protecting Internet communications
◦ Encryption
▪ Securing channels of communication
◦ SSL, VPNs
▪ Protecting networks
◦ Firewalls
▪ Protecting servers and clients
Encryption
▪ Transforms data into ciphertext readable only by sender and receiver.
▪ Secures stored information and information transmission.
▪ Provides 4 of the 6 key dimensions of e-commerce security:
◦ Message integrity: provides assurance that the message has not been altered.
◦ Nonrepudiation: prevents the user from denying he or she sent the message.
◦ Authentication: provides verification of the identity of the person (or computer) sending the message.
◦ Confidentiality: gives assurance that the message was not read by others.
Symmetric/Secret Key Encryption
▪ Sender and receiver use the same digital key to encrypt and decrypt the message
▪ Requires a different set of keys for each transaction
▪ Strength of encryption
◦ Length of the binary key used to encrypt data
Public Key Encryption
▪ Uses two mathematically related digital keys
◦ Public key (widely disseminated)
◦ Private key (kept secret by owner)
Public Key Cryptography: A Simple Case
Public Key Encryption using Digital Signatures and Hash Digests
▪ Hash function:
◦ Mathematical algorithm that produces a fixed-length number called a message digest or hash digest.
▪ The hash digest is sent to the recipient along with the message so that the recipient can verify the message's integrity.
▪ Hash digest and message are encrypted with the recipient's public key.
▪ The entire ciphertext is then encrypted with the sender's private key, creating the digital signature, which provides authenticity and nonrepudiation.
▪ Digital signature (e-signature): "signed" ciphertext that can be sent over the Internet.
Public Key Cryptography with Digital Signatures
Digital Envelopes
▪ A technique that uses symmetric encryption for large documents, but public-key encryption to encrypt and send the symmetric key
▪ Addresses the weaknesses of:
• Public key encryption
◦ Computationally slow, decreased transmission speed, increased processing time
• Symmetric key encryption
◦ Insecure transmission lines (the shared key must itself be sent to the other party)
▪ Uses symmetric key encryption to encrypt the document
▪ Uses public key encryption to encrypt and send the symmetric key
Creating a Digital Envelope
Thank you!