Unit-2 Security Threats To E-Business-15 May 2011

Instructor: Dr.
Subodh Kesharwani
subodhkesharwani@gmail.com
Note: Material Is meant merely for learners of GGSIP MBA [W] and is restricted for commercial use.
Unit-2: Security Threats to e-business
This is the second unit consist of following 11 topics mentioned below
2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8
Security Overview Electronic Commerce Threats Encryption, Cryptography, Public Key and Private Key Cryptography Digital Signatures Digital Certificates, Security Protocols over Public Networks: 2.8.1 HTTP 2.8.2 SSL 2.9 Firewall as Security Control, 2.10 Public Key Infrastructure (PKI) for Security, 2.11 Prominent Cryptographic Applications.

MBA [Weekend] E-Commerce Page 39
Instructor: Dr. Subodh Kesharwani
2.1 Security Overview

Information has been valuable since the dawn of mankind: e.g. where to find food, how to build shelter, etc. As access to computer stored data has increased, information security has become correspondingly important. In the past, most corporate assets were "hard" or physical, such as factories, buildings, land and raw materials. Today far more assets are computer-stored information such as customer lists, proprietary formulas, marketing and sales information, and financial data. Some financial assets only exist as bits stored in various computers. Many businesses are solely based on information -- the data IS the business. 2.1.1 Information Security is a Process: Information Security is very simply the process of protecting information availability, data integrity, and privacy. No collection of products or technologies alone can solve every information security problem faced by an organization. Effective information security requires the successful integration of: security products such as firewalls, intrusion detection systems, and vulnerability scanners technologies such as authentication and encryption security policies and procedures
Security is Everyone's Responsibility: Although some individuals may have "Security" in their title or may deal directly with security on a daily basis, security is everyone's responsibility. As the old saying goes, a chain is only as strong as its weakest link. A workplace may have otherwise excellent security, but if a help desk worker readily gives out or resets lost passwords, or employees let others tailgate on their opening secure doors with their keycard, security can be horribly compromised. Despite the robustness of a firewall, if a single user has hardware (e.g. a modem) or software (e.g. some file sharing software) that allows bypassing the firewall, a hacker may gain access with catastrophic results. There are examples where a single firewall, misconfigured for only a few minutes, allowed a hacker to gain entrance with disastrous results. Security is an issue during an application's entire lifecycle. Applications must be designed to be secure, they must be developed with security issues in mind, and they must be deployed securely. Security cannot be an afterthought and be effective. System analysts, architects, and programmers must all understand the information security issues and techniques that are germane to their work. For example: programmers must understand how to avoid race conditions and how to implement proper input filtering system architects must understand concepts such as defense in depth and security through obscurity shortcomings.
Computer user awareness is critical, as hackers often directly target them. Users should be familiar with security policies and should know where the most recent copies can be obtained. Users must know what is expected and required of them. Typically this information should be imparted to users initially as part of the new hire process and refreshed as needed. Information Protection Involves a Tradeoff between Security and Usability: There is no such thing as a totally secure system -- except perhaps one that is entirely unusable by anyone!

Corporate information security's goal is to provide an appropriate level of protection, based on the value of an organization's information and its business needs. The more secure a system is, the more inconvenience legitimate users experience in accessing it.
Security Policy and Integrated Security: Specific elements of a security policy address the following points: Authentication: Who is trying to access the electronic commerce site? Access control: Who is allowed to log on to and access the electronic commerce site? Secrecy: Who is permitted to view selected information? Data integrity: Who is allowed to change data, and who is not? Audit: Who or what causes selected events to occur and when?
2.2 Electronic Commerce Threats
A lot has been said of the threats posed by e-commerce and the risks associated with using telecommunications infrastructure for business. It would be remiss not to mention that it is the business models and stock trading decisions that land many in serious financial trouble. As recent reports about the corrections in the technology sector across the world's stock markets suggest, certain business models were not as robust as suggested by all of the hype. Several thousand dotcom businesses (worth several billion dollars of cumulative investment) went bust, and in general, IT and telecommunications stocks took a major drubbing. The biggest threat ecommerce presents is probably the hype onslaught prepared and presented by an armada of 'experts' and marketers, who understand very little about either the technology or people, or sometimes both.
eCommerce has forever revolutionized the way business is done. Retail has now a long way from the days of physical transactions that were time consuming and prone to errors. However, eCommerce has unavoidably invited its share of trouble makers. As much as eCommerce simplifies transactions, it is occasionally plagued by serious concerns that jeopardize its security as a medium of exchanging money and information. 2.2.1 Virus:
A virus is software that attaches itself to another program and can cause damage when the host program is activated. Worm viruses replicate themselves on other machines. A macro virus is coded as a small program and is embedded in a file. The term steganography describes information that is hidden within another piece of information.

2.2.2 Major threats to present day eCommerce include Breach of Security: 1. Money Thefts: eCommerce services are about transactions, and transactions are very largely driven by money. This attracts hackers, crackers and everyone with the knowledge of exploiting loopholes in a system. Once a kink in the armor is discovered, they feed the system(and users) with numerous bits of dubious information to extract confidential data(phishing). This is particularly dangerous as the data extracted may be that of credit card numbers, security passwords, transaction details etc. Also, Payment gateways are vulnerable to interception by unethical users. Cleverly crafted strategies can sift a part or the entire amount being transferred from the user to the online vendor. 2. Identity thefts: Hackers often gain access to sensitive information like user accounts, user details, addresses, confidential personal information etc. It is a significant threat in view of the privileges one can avail with a false identity. For instance, one can effortlessly login to an online shopping mart under a stolen identity and make purchases worth thousands of dollars. He/she can then have the order delivered to an address other than the one listed on the records. One can easily see how those orders could be received by the impostor without arousing suspicion. While the fraudsters gains, the original account holder continues to pay the price until the offender is nabbed. 3. Threats to the system: Viruses, worms, Trojans are very deceptive methods of stealing information. Unless a sound virus-protection strategy is used by the eCommere Solutions firm, these malicious agents can compromise the credibility of all eCommerce web solution services. Often planted by individuals for reasons known best to them alone, viruses breed within the systems and multiply at astonishing speeds. Unchecked, they can potentially cripple the entire system. 4. Other Programming Threats o Another serious Web server attack can come from programs executed by the server. o Buffer overflows can have moderate to very serious security consequences. o A mail bomb occurs when thousands of people send a message to a particular address.
Threats to the Physical Security of Servers Web servers are key physical resources and therefore the computers and related equipment must be physically protected by businesses. Many companies maintain backup copies of server content at a remote location. Examples of mission-critical Web servers that warrant comprehensive security are airline reservations systems, stock brokerage firm trading systems, and bank account clearing systems. 2.2.3 Solutions: There is but one solution to all issues that at times dent the security of eCommerce services. Strict vigil on malicious intruders. Easier said than done? So is every preventive measure. However, with online transactions, progress in security has been overwhelming. 2.2.4 Authentication: Most notable are the advances in identification and elimination of non-genuine users. Ecommerce service designers now use multi-level identification protocols like security questions, encrypted passwords(Encryption), biometrics and others to confirm the identity of their customers. These steps have found wide favor all around due to their effectiveness in weeding out unwelcome access.
5.

2.2.5 Intrusion Check: The issue of tackling viruses and their like has also seen rapid development with anti-virus vendors releasing strong antiviruses. These are developed by expert programmers who are a notch above the hackers and crackers themselves. Firewalls are another common way of implementing security measures. These programs restrict access to and from the system to pre-checked users/access points.
2.3 Encryption
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. software for encryption can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted). Encryption has long been used by militaries and governments to facilitate secret communication. Encryption is now commonly used in protecting information within many kinds of civilian systems. For example, the Computer Security Institute reported that in 2007, 71% of companies surveyed utilized encryption for some of their data in transit, and 53% utilized encryption for some of their data in storage.[1] Encryption can be used to protect data "at rest", such as files on computers and storage devices (e.g. USB flash drives). In recent years there have been numerous reports of confidential data such as customers' personal records being exposed through loss or theft of laptops or backup drives. Encrypting such files at rest helps protect them should physical security measures fail. Digital rights management systems which prevent unauthorized use or reproduction of copyrighted material and protect software against reverse engineering (see also copy protection) are another somewhat different example of using encryption on data at rest.
Encryption is also used to protect data in transit, for example data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. There have been numerous reports of data in transit being intercepted in recent years. Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks.

Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication code (MAC) or a digital signature. Standards and cryptographic software and hardware to perform encryption are widely available, but successfully using encryption to ensure security may be a challenging problem. A single slip-up in system design or execution can allow successful attacks. Sometimes an adversary can obtain unencrypted information without directly undoing the encryption. See, e.g., traffic analysis, TEMPEST, or Trojan horse. One of the earliest public key encryption applications was called Pretty Good Privacy (PGP). It was written in 1991 by Phil Zimmermann and was purchased by Network Associates (now PGP Corporation) in 1997. There are a number of reasons why an encryption product may not be suitable in all cases. First, e-mail must be digitally signed at the point it was created to provide non-repudiation for some legal purposes, otherwise the sender could argue that it was tampered with after it left their computer but before it was encrypted at a gateway. An encryption product may also not be practical when mobile users need to send e-mail from outside the corporate network.
2.4 Cryptography
Cryptography can be defined as the conversion of data into a scrambled code that can be deciphered and sent across a public or private network. Cryptography uses two main styles or forms of encrypting data; symmetrical and asymmetrical. Symmetric encryptions, or algorithms, use the same key for encryption as they do for decryption. Other names for this type of encryption are secret-key, shared-key, and private-key. The encryption key can be loosely related to the decryption key; it does not necessarily need to be an exact copy. Symmetric cryptography is susceptible to plain text attacks and linear cryptanalysis meaning that they are hackable and at times simple to decode. With careful planning of the coding and functions of the cryptographic process these threats can be greatly reduced. Asymmetric cryptography uses different encryption keys for encryption and decryption. In this case an end user on a network, public or private, has a pair of keys; one for encryption and one for decryption. These keys are labeled or known as a public and a private key; in this instance the private key cannot be derived from the public key.

The asymmetrical cryptography method has been proven to be secure against computationally limited intruders. The security is a mathematical definition based upon the application of said encryption. Essentially, asymmetric encryption is as good as its applied use; this is defined by the method in which the data is encrypted and for what use. The most common form of asymmetrical encryption is in the application of sending messages where the sender encodes and the receiving party decodes the message by using a random key generated by the public key of the sender. 2.4.1 THE PURPOSE OF CRYPTOGRAPHY
Cryptography is where security engineering meets mathematics. It provides us with the tools that underlie most modern security protocols. It is probably the key enabling technology for protecting distributed systems, yet it is surprisingly hard to do right. Cryptography (or cryptology; derived from Greek krpto hidden and the verb grfo to write or legein to speak) is the practice and study of hiding information. In modern times, cryptography is considered a branch of both mathematics and computer science, and is affiliated closely with information theory, computer security, and engineering. Cryptography is used in applications present in technologically advanced societies; examples include the security of ATM cards, computer passwords, and electronic commerce, which all depend on cryptography. Cryptography is the science of writing in secret code and is an ancient art; the first documented use of cryptography in writing dates back to circa 1900 B.C. when an Egyptian scribe used non-standard hieroglyphs in an inscription. Some experts argue that cryptography appeared spontaneously sometime after writing was invented, with applications ranging from diplomatic missives to war-time battle plans. It is no surprise, then, that new forms of cryptography came soon after the widespread development of computer communications. In data and telecommunications, cryptography is necessary when communicating over any untrusted medium, which includes just about any network, particularly the Internet. Within the context of any application-to-application communication, there are some specific security requirements, including:
Authentication: The process of proving one's identity. (The primary forms of host-to-host authentication on the Internet today are namebased or address-based, both of which are notoriously weak.) Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver. Integrity: Assuring the receiver that the received message has not been altered in any way from the original. Non-repudiation: A mechanism to prove that the sender really sent this message.
Cryptography, then, not only protects data from theft or alteration, but can also be used for user authentication. There are, in general, three types of cryptographic schemes typically used to accomplish these goals: secret key (or symmetric) cryptography, public-key (or asymmetric) cryptography, and hash functions, each of which is described below. In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext. In many of the descriptions below, two communicating parties will be referred to as Alice and Bob; this is the common nomenclature in the crypto field and literature to make it easier to identify the communicating parties. If there is a third or fourth party to the communication, they will be referred to as Carol and Dave. Mallory is a malicious party, Eve is an eavesdropper, and Trent is a trusted third party.
2.4.2 TYPES OF CRYPTOGRAPHIC ALGORITHMS There are several ways of classifying cryptographic algorithms. For purposes of this paper, they will be categorized based on the number of keys that are employed for encryption and decryption, and further defined by their application and use. The three types of algorithms that will be discussed are (Figure 1): Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption Public Key Cryptography (PKC): Uses one key for encryption and another for decryption

Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information
FIGURE 1: Three types of cryptography: secret-key, public key, and hash function.
2.5 Public Key and Private Key Cryptography

2.5.1 Public Key Cryptography
Public key cryptography is a fundamental and widely used technology around the world. It is the approach which is employed by many cryptographic algorithms and cryptosystems. It underpins such Internet standards as Transport Layer Security (TLS) (successor to SSL), PGP, and GPG. The purpose of a digital signature is to provide a means for an entity to bind its identity to a piece of information. Digital signatures use PKC, which employs an algorithm using two different but mathematically related keys: one to create a digital signature and another to verify a digital signature. Unlike conventional symmetric-key cryptography, which uses the same secret key for encryption and decryption, PKC uses a key pair, a private and a public key, for encryption and decryption operations (see Figure 1). The public key is freely available to anyone, but the private key is protected and never shared. Each key pair shares a mathematical relationship that ties the two keys exclusively to one another, and they are related to no other keys. Public-key cryptography refers to a widely used set of methods for transforming a written message into a form that can be read only by the intended recipient. This cryptographic approach involves the use of asymmetric key algorithms that is, the non-message information (the public key) needed to transform the message to a secure form is different from the information needed to reverse the process (the private key). The person who anticipates receiving messages first creates both a public key and an associated private key, and publishes the public key. When someone wants to send a secure message to the creator of these keys, the sender encrypts it (transforms it to secure form) using the intended recipient's public key; to decrypt the message, the recipient uses the private key.

Thus, unlike symmetric key algorithms, a public key algorithm does not require a secure initial exchange of one or more secre keys between the secret sender and receiver. The particular algorithm used for encrypting and decrypting was designed in such a way that, while it is easy for the intended recipient to generate the public and private keys and to decrypt the message using the private key, and while it is easy for the sender to encrypt the message using the public key, it is extremely difficult for anyone to figure out the private key based on their knowledge of the publ key. public
Figure-1
Figure-2 Figure
The use of these keys also allows protection of the authenticity of a message by creating a digital signature of a message using the private key, which can be verified using the public key. Pros and cons of public-key systems key Public-key systems have a clear advantage over symmetric algorithms: there is no need to agree on a common key for both the sender and the receiver. As seen in the previous example, if someone wants to receive an encrypted message, the sender only needs to know th receiver's public the key (which the receiver will provide; publishing the public key in no way compromises the secure transmission). As long as the receiver keeps the iver private key secret, no one but the receiver will be able to decrypt the messages encrypted with the corresponding public key. This is due to the fact that, in public-key systems, it is relatively easy to compute the public key from the private key, but very hard to compute the private key from the key public key (which is the one everyone knows). In fact, some algorithms need several months (and even years) of constant computation to obtain the private key from the public key.
Figure 9.5. Public key generation
Unit-2: Security Threats to e 2: e-business

MBA [Weekend] E E-Commerce Page 47
Another important advantage is that, unlike symmetric algorithms, public key systems can guarantee integrity and authentication, not only privacy. public-key authenticatio The basic communication seen above only guarantees privacy. We will shortly see how integrity and authentication fit into pub public-key systems. The main disadvantage of using public-key systems is that they are not as fast as symmetric a key algorithms. What is a digital public key? The combination of standards, protocols, and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another private through a complex mathematical algorithm. The key pairs can reside on ones computer or on hardware devices such as smart cards or floppy disks
2.5.2 Private Key Cryptography

Symmetric encryption (also called private-key encryption or secret-key encryption) involves using the same key for encryption and decryption. key a
Encryption involves applying an operation (an algorithm) to the data to be encrypted using the private key to make them unint unintelligible. The slightest algorithm (such as an exclusive OR) can make the system nearly tamper proof (there being so such thing as absolute security). However, in the 1940s, Claude Shannon proved that to be completely secure, private key systems need to use keys that are at least as long as the private-key message to be encrypted. Moreover, symmetric encryption requires that a secure channel be used to exchange the key, which seriously diminishes secure the usefulness of this kind of encryption system. The main disadvantage of a secret-key cryptosystem is related to the exchange of keys. Symmetric encryption is based on the exchange of a secret key (keys). The problem of key distribution therefore arises: Moreover, a user wanting to communicate with several people while ensuring separate confidentiality levels has to use as many private keys as there are people. For a group of N people using a secret key cryptosystem, it is necessary to distribute a number of keys equal to N * (N-1) / 2. secret-key In the 1920s, Gilbert Vernam and Joseph Mauborgne developed the One-Time Pad method (sometimes called "One-Time Password" and "One abbreviated OTP), based on a randomly generated private key that is used only once and is then destroyed. During the same period, the Kremlin and the White House were connected by the famous red telephone, that is, a telephone where calls were encrypted thanks to a private key according to telephone, accordi the one-time pad method. The private key was exchanged thanks to the diplomatic bag (playing the role of secure channel).

2.5.3 Public VS. Private Key
2.6 Digital Signatures

A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.
How It Works
Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you. 1. 2. 3. 4. 1. 2. 3. You copy-and-paste the contract (it's a short one!) into an e-mail note. Using special software, you obtain a message hash (mathematical summary) of the contract. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.) At the other end, your lawyer receives the message. To make sure it's intact and from you, your lawyer makes a hash of the received message. Your lawyer then uses your public key to decrypt the message hash or summary. If the hashes match, the received message is valid.
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. In some countries, including the United States, India, and members of the European Union, electronic signatures have legal significance. However, laws concerning electronic signatures do not always make clear whether they are digital cryptographic signatures in the sense used here, leaving the legal definition, and so their importance, somewhat confused.

Digital signatures employ a type of asymmetric cryptography. For messages sent through a non secure channel, a properly implemented digital non-secure di signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital than signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digit signatures can Digital also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key repudiation, remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the repudiation signature is valid nonetheless. Digitally signed messages may be anything represent able as a bitstring: examples include electronic mail, contracts, y or a message sent via some other cryptographic protocol.
Digital signatures: Integrity in public-key systems key Integrity is guaranteed in public-key systems by using digital signatures. A digital signature is a piece of data which is attached to a message and y which can be used to find out if the message was tampered with during the conversation (e.g. through the intervention of a ma malicious user) Figure 9.6. Digital signatures
The digital signature for a message is generated in two steps: 1. A message digest is generated. A message digest is a 'summary' of the message we are going to transmit, and has two important properties: (1) It is always smaller than the message itself and (2) Even the slightest change in the message produces a different digest. The message digest is generated using a set of hashing algorithms. The message digest is encrypted using the sender's private key. The resulting encrypted message digest is the digital signature.
2.
The digital signature is attached to the message, and sent to the receiver. The receiver then does the following: 1. 2. 3. Using the sender's public key, decrypts the digital signature to obtain the message digest generated by the sender. generated Uses the same message digest algorithm used by the sender to generate a message digest of the received message. Compares both message digests (the one sent by the sender as a digital signature, and the one generated by the receiver) If they are receiver). not exactly the same, the message has been tampered with by a third party. We can be sure that the digital signature was sent by the sender (and not by a malicious user) because only the sender's public key can decrypt the digital signature (which was encrypted by the which

sender's private key; remember that what one key encrypts, the other one decrypts, and vice versa). If decrypting using the public key renders a faulty message digest, this means that either the message or the message digest are not exactly what the sender sent. Using public-key cryptography in this manner ensures integrity, because we have a way of knowing if the message we received is exactly what was sent by the sender. However, notice how the above example guarantees only integrity. The message itself is sent unencrypted. This is not necessarily a bad thing: in some cases we might not be interested in keeping the data private, we simply want to make sure it isn't tampered with. To add privacy to this conversation, we would simply need to encrypt the message as explained in the first diagram.
2.7 Digital Certificates
In the electronic world, hand-written signatures can be replaced by digital signatures. Like written signatures, digital signatures may be used to establish the identity of a party or to make legal commitments. In addition, digital signatures can also be used to guarantee that the contents of a file or message have not been altered. The Electronic Transactions Act provides for the recognition of digital signatures under Singapore law. Digital ID also known as a digital certificate is a form of electronic credentials for the Internet. Digital certificate is issued by a trusted third party to establish the identity of the ID holder. The third party who issues certificates is known as a Certification Authority (CA). Digital certificate technology is based on the theory of public key cryptography. In public key cryptography systems, every entity has two complementary keys, a public key and private key, which function only when they are placed together. The purpose of a Digital ID is to reliably link a public/private key pair with its owner. When a CA issues Digital IDs, it verifies that the owner is not claiming a false identity For digital signatures to work, a trusted third party known as a Certification Authority (CA) is needed to issue digital certificates that certify the electronic identities of users and organizations. Before issuing a digital certificate, the CA performs identity verification on the user or business entity. The CA acts like a trusted electronic notary, telling everyone who the valid users are and what their digital signatures should look like. With a certified electronic identity, an Internet user's digital signatures will then be recognized by parties involved in electronic transactions like Internet banking, online shopping and online information subscription services. The whole system of digital certificates, certificate servers and CAs is collectively known as a Public Key Infrastructure (PKI).
Digital signatures based on digital certificates issued by licensed CAs are automatically considered to be trustworthy and recognised by the law. Just like written signatures, they can be used to sign contracts or to purchase goods and services. To prevent forgery, digital signatures are created using a personal secret code, known as the signing key, which is usually stored in a secure device like a smart card. It is important that the signing key be kept private at all times so that no one else can forge your digital signatures. Loss of a signing key must be reported to the certification authority immediately.
2. What are digital certificates? What do they do? Digital certificates are digital files that certify the identity of an individual or institution seeking access to computer-based information. In enabling such access, they serve the same purpose as a drivers license or library card. The digital certificate links the identifier of an individual or institution to a digital public key.

2.8 Security Protocols over Public Networks: HTTP, SSL, 2.8.1: HTTP
The Hypertext Transfer Protocol (HTTP) is a networking protocol for distributed, collaborative, hypermedia information systems.[1] HTTP is the foundation of data communication for the World Wide Web. The standards development of HTTP has been coordinated by the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), culminating in the publication of a series of Requests for Comments (RFCs), most notably RFC 2616 (June 1999), which defines HTTP/1.1, the version of HTTP in common use. Short for HyperText Transfer Protocol, the underlying protocol used by theWorld Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when you enter a URL in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page . The other main standard that controls how the World Wide Web works is HTML, which covers how Web pages are formatted and displayed. HTTP is called a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it. This is the main reason that it is difficult to implement Web sites that react intelligently to user input. This shortcoming of HTTP is being addressed in a number of new technologies, including ActiveX, Java, JavaScript and cookies.
2.8.2 SSL
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.
TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use.
TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

2.9 Firewall as Security Control

The term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, therefore "firewall" is an excellent metaphor for network security. In computer networking, the term firewall is not merely descriptive of a general idea. It has come to mean some very precise things Firewall Control Panel Gives You Just ThatControl As always, we're available 24x7x365 to manage your firewalls. But for those who want more control and visibility over their environment's security, our Firewall Control Panel lets you manage your security in real-time via our customer portal. When you want to make a change in permit rules or view destination server IP addresses and static rules you can do it yourself in the time it takes to create a support ticket. It's simple and fastit's one more way Fanatical Support makes hosting better. The Firewall Control Panel is available for Cisco ASA 5505 and ASA 5510 Firewalls.
2.10 Public Key Infrastructure (PKI) for Security

Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.[1] In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA. The term trusted third party (TTP) may also be used for certificate authority (CA). The term PKI is sometimes erroneously used to denote public key algorithms, which do not require the use of a CA.
PKI methods for storing Public Keys and Private Keys
Digital certificates

Public keys are stored within digital certificates along with other relevant information (user information, expiration date, usage, who issued the certificate etc.). The CA enters the information contained within the certificate when it is issued and this information cannot be changed. Since the certificate is digitally signed and all the information in it is intended to be publicly available there is no need to prevent access to reading it, although you should prevent other users from corrupting, deleting or replacing it. Protection If someone gains access to your computer they could easily gain access to your private key(s). For this reason, access to a private key is generally protected with a password of your choice. Private key passwords should never be given to anyone else and should be long enough so that they are not easily guessed. This is the same as looking after your ATM CARD and its PIN. If someone manages to get hold of your card then the only thing that prevents him or her using it is the PIN (password) protecting it. If someone has your PIN then they can take your money and you can't stop them. Different vendors often use different and sometimes proprietary storage formats for storing keys. For example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore, to name a few, use the standard .p12 format.
2.11 Prominent Cryptographic Applications.

Application developers depend upon security protocols to establish security services (e.g., to establish a secure tunnel) using cryptography. In turn, these protocols rely on cryptographic infrastructures, such as Kerberos or Public Key Infrastructure (PKI), to manage and distribute cryptographic keys. The Cryptographic Technology Group develops and enhances standards, test methods, and guidelines for these critical building blocks in collaboration with international standards organizations, product developers, and Federal agencies. The Cryptographic Technology Group also is a key player in the U.S. Federal Governments PKI deployment activities. Selection of Cryptographic Applications The most important criteria of selection of cryptographic algorithms and their implementations for architectural analysis is the representativeness of a wider application class in the domain of interest. There are two such application domains: hash algorithms and private key ciphers, the latter of which includes block ciphers and stream ciphers. Cryptographic applications in these domains are all widely used in Internet applications.


Unit-2 Security Threats To E-Business-15 May 2011

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Unit-2 Security Threats To E-Business-15 May 2011

Uploaded by

Copyright:

Available Formats

Instructor: Dr.

Unit-2: Security Threats to e-business

This is the second unit consist of following 11 topics mentioned below

2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

2.1 Security Overview

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

2.2 Electronic Commerce Threats

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information

2.5 Public Key and Private Key Cryptography

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Figure 9.5. Public key generation

Unit-2: Security Threats to e 2: e-business

Instructor: Dr. Subodh Kesharwani

2.5.2 Private Key Cryptography

Unit-2: Security Threats to e 2: e-business

Instructor: Dr. Subodh Kesharwani

2.5.3 Public VS. Private Key

2.6 Digital Signatures

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Unit-2: Security Threats to e 2: e-business

Instructor: Dr. Subodh Kesharwani

2.7 Digital Certificates

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

2.9 Firewall as Security Control

2.10 Public Key Infrastructure (PKI) for Security

Unit-2: Security Threats to e-business

Instructor: Dr. Subodh Kesharwani

2.11 Prominent Cryptographic Applications.

Unit-2: Security Threats to e-business

You might also like