ISS6 Secur for web


Information Systems
Security
Information Security for Web-based Applications
The full picture
Securing web sites

- Reduce the attack surface of the web server
- Prevent unauthorized access to web sites and applications
- Isolate web sites and applications
- Configure user authentication
- Encrypt confidential data exchanged with clients
- Maintain web sites and application security
Securing web sites

Reduce the attack surface of the web server
- Enable only essential OS components and services
- Enable only essential web server components and services
- Enable only the MIME types the applications need
- Configure OS security settings
Securing web sites

Prevent unauthorized access to web sites and applications
- Store content on a dedicated disk volume
- Set web site permissions
- Set IP address and domain name restrictions
- Set NTFS file system permissions
Securing web sites

Isolate web sites and applications
- To prevent multiple web sites and applications from adversely affecting one another
- Create application pools, assign web sites and applications to them, and give each pool an appropriate service account and permissions
- Complicated procedure
Securing web sites

Configure user authentication
- Select an appropriate authentication method
  - Digest
  - Advanced digest
  - Integrated Windows
  - Client certificates
  - MS .NET Passport
Securing web sites

Encrypt confidential data exchanged with clients
- Use Secure Sockets Layer (SSL)
- Install a server certificate
- Use https instead of http
- Use IPSec or a VPN for remote administration
Securing web sites

Maintain web sites and application security
- Obtain up-to-date security updates
- Enable server security logs
- Enable web server application logs
- Review security policies, processes and procedures
Reading
Microsoft: Improving Web Application Security: Threats and Countermeasures
- Chapter 1 "Web Application Security Fundamentals"
- Chapter 4 "Design Guidelines for Secure Web Applications" is good but a bit too advanced for most students
Problem in e-Commerce

The transaction is done online. The customer and the company cannot see each other. How can they trust each other?
- Who are you?
- Can I trust you?
- What if I cannot receive my goods?
- What if I cannot receive the payment?
Certificate Authority

Now the CA comes in. It gives a digital identity to every party concerned. It verifies that the company is okay to do business with, and that the customer is also okay.
This is not done by the government but by commercial organizations.
PKI is used as the technology to provide the digital identification.
What is PKI

The set of hardware, software, people and procedures needed to create, store, distribute and revoke keys and certificates based on public key cryptography.
PKI infrastructure and software development

PKI uses public key cryptography for the authentication and access control of a user, for guaranteeing the integrity and non-repudiation of documents signed by the user, and for the confidentiality of data.
PKI infrastructure and software development

Components: Certificate Authority, Registration Authority, Certificate, Certificate Revocation List
X.509 certificate structure: Name, Issuing CA, Expiration date, Public key
PKI

PKI employs a pair of keys for each user:
a private key which is known only to the
user himself, and a public key which is
published by some authority, in the form of
a digital certificate (certificate for short).
PKI

In signing a document or an e-mail, a user signs using his own private key so that others can use the signer's public key to verify the authenticity and non-repudiation of the document or e-mail. Since only the user has his own private key to sign with, non-repudiation is established.
PKI

The use of PKI saves the trouble of
maintaining and distributing the same
encryption/decryption key between the
sender and the receiver
Authentication using certificates
Secure online payment

- Credit card payment
- Secure Sockets Layer
- Secure Electronic Transaction (SET)
- PayPal
- E-purse
Credit Card

Invented in the 1950s. It became profitable only after 20 years, when the number of customers reached a critical mass.
Credit Card Payment

This is the usual payment method used in eCommerce.
4 parties are involved:
- Cardholder (payer)
- Merchant (payee)
- Issuing Bank
- Acquiring Bank
Measures to stop fraud

- Hot card lists
- Merchant floor limits – authorization required when a certain amount is exceeded
- Expiry date used as password
- Delivered to cardholder's address
- Card verification value (MAC)
- Intrusion detection (anomaly detection)
SSL: Secure Sockets Layer

- Developed by Netscape to secure HTTP sessions
- Provides
  - Data encryption
  - Server authentication
  - Message integrity
  - Optional client authentication
- NOT a payment system in itself
SSL: Secure Sockets Layer

- Authentication of the server by use of a digital certificate
- Public key technology is used to exchange a (symmetric) session key between server and client, used only for that session
- After the buyer sends information through the secure channel, the merchant processes the transaction in the usual manner
SSL

Client to Server: name C, transaction serial no. C#, nonce Nc
Server to Client: name S, transaction serial no. S#, nonce Ns, public key KS
Client to Server: pre-master secret key encrypted by KS, {Ko}KS

SSL

Client to Server: finished message, with a MAC over all messages to date, {finished, MAC(k1, everything_to_date)}Kcs
Server (like the client) computes k1 = h(Ko, Nc, Ns)
Server to Client: {finished, MAC(k1, everything_to_date)}Ksc, {data}Ksc
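The handshake above, as an added Go example (not from the slides): client and server each keep a transcript of everything to date, derive k1 = h(Ko, Nc, Ns) and check the finished MAC, so a middleman that rewrites an earlier message is caught even when both sides still derive the same key. Assumptions not on the slides: SHA-256 for h, HMAC-SHA256 for the MAC, RSA-OAEP for {Ko}KS, KS carried as the RSA modulus, and the serial numbers 42 and 7; the Kcs/Ksc encryption of the finished message is omitted.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// record appends one message, length-prefixed, to a party's transcript of
// "everything to date".
func record(t *[]byte, m []byte) {
	*t = append(append(*t, byte(len(m)>>8), byte(len(m))), m...)
}

// finished derives the slides' k1 = h(Ko, Nc, Ns) (SHA-256 assumed) and returns
// the finished message's MAC over every message exchanged so far.
func finished(ko, nc, ns, transcript []byte) []byte {
	k1 := sha256.Sum256(append(append(append([]byte{}, ko...), nc...), ns...))
	m := hmac.New(sha256.New, k1[:])
	m.Write(transcript)
	return m.Sum(nil)
}

// Handshake runs the slides' exchange; tamper, if non-nil, rewrites the client
// hello in transit (an active middleman). It reports whether the server accepts
// the client's finished MAC; encryption under Kcs/Ksc is omitted.
func Handshake(srv *rsa.PrivateKey, tamper func([]byte) []byte) bool {
	var cT, sT []byte // each side records only what it actually sent or received
	buf := make([]byte, 64)
	rand.Read(buf)
	nc, ns, ko := buf[:16], buf[16:32], buf[32:] // nonces and 32-byte pre-master secret Ko
	cHello := append([]byte("C,42,"), nc...)     // name C, serial C#, nonce Nc
	record(&cT, cHello)
	if tamper != nil {
		cHello = tamper(cHello)
	}
	record(&sT, cHello)
	ncSeen := cHello[len(cHello)-16:] // Nc as the server actually received it
	sHello := append(append([]byte("S,7,"), ns...), srv.N.Bytes()...) // S, S#, Ns, KS (modulus)
	// Client to Server: {Ko}KS (OAEP; cannot fail for a 32-byte message)
	sealed, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.PublicKey, ko, nil)
	for _, m := range [][]byte{sHello, sealed} { // these two reach both sides unaltered
		record(&cT, m)
		record(&sT, m)
	}
	// Server recovers Ko (nil on failure, rejected by the MAC check) and verifies the MAC
	koSeen, _ := rsa.DecryptOAEP(sha256.New(), nil, srv, sealed, nil)
	return hmac.Equal(finished(ko, nc, ns, cT), finished(koSeen, ncSeen, ns, sT))
}
```

Handshake returns false whenever the server's view of the transcript (or of Ko and Nc) differs from the client's, which is exactly what the finished MAC is there to detect.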
Secure Electronic Transaction

- A joint effort of VISA and MasterCard to develop a more secure internet payment system in 1997 (the credit card number is not kept)
- SET makes use of public key technology, and each participant is assigned a public key/private key pair
Secure Electronic Transaction

- Legal entity formed by MasterCard, Visa, American Express and JCB in 12/97
- A protocol designed for electronic payment with credit cards
- Key idea
  - Merchant does not need to know payment details
  - Bank does not need to know order details
SET

Client to Server: C, Nc, CC (certificate of client)
Server to Client: S, S#, CS (merchant certificate), CB (bank certificate)
Client to Server: {Order}KS, {Payment}KB, SigKC{h(Order), h(Payment)}

SET

Server to Bank: {Summary}KB, {Payment}KB
Bank to Server: SigKS{Auth_response}
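The client's purchase request above, as an added Go example (not from the slides): the cardholder encrypts the order for the merchant (KS) and the payment for the bank (KB) and signs the pair of digests with KC, which is SET's dual signature; the same block shows the private-key signing and public-key verification described on the PKI slides. RSA-OAEP and PKCS#1 v1.5 signatures over SHA-256 are assumptions; the Summary message and the bank's authorization response are not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// PurchaseRequest is the slides' client message {Order}KS, {Payment}KB,
// SigKC{h(Order), h(Payment)}. The two digests travel in the clear so each
// recipient can check the signature while decrypting only its own part.
type PurchaseRequest struct {
	OrderForMerchant, PaymentForBank []byte // OAEP ciphertexts under KS and KB
	OrderDigest, PaymentDigest       [32]byte
	DualSig                          []byte
}

func seal(pub *rsa.PublicKey, m []byte) []byte { // {m}pub; cannot fail for short m
	c, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
	return c
}

func linked(r *PurchaseRequest) []byte { // what the dual signature covers
	d := sha256.Sum256(append(r.OrderDigest[:], r.PaymentDigest[:]...))
	return d[:]
}

// NewPurchaseRequest is run by the cardholder, who holds private key KC.
func NewPurchaseRequest(kc *rsa.PrivateKey, ks, kb *rsa.PublicKey, order, payment []byte) (*PurchaseRequest, error) {
	r := &PurchaseRequest{OrderForMerchant: seal(ks, order), PaymentForBank: seal(kb, payment),
		OrderDigest: sha256.Sum256(order), PaymentDigest: sha256.Sum256(payment)}
	var err error
	r.DualSig, err = rsa.SignPKCS1v15(rand.Reader, kc, crypto.SHA256, linked(r))
	return r, err
}

// Open is what the merchant does with KS on (OrderForMerchant, OrderDigest) and
// what the bank does with KB on (PaymentForBank, PaymentDigest): decrypt its own
// part, check it matches the digest the client signed, then verify the dual
// signature under the client's public key KC. The other part stays unreadable.
func Open(priv *rsa.PrivateKey, kc *rsa.PublicKey, ct []byte, digest [32]byte, r *PurchaseRequest) ([]byte, bool) {
	m, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil || sha256.Sum256(m) != digest {
		return nil, false
	}
	return m, rsa.VerifyPKCS1v15(kc, crypto.SHA256, linked(r), r.DualSig) == nil
}
```

A merchant that swaps in a different order, even one re-sealed under its own KS with a recomputed digest, fails Open because the client's signature bound the original h(Order) to h(Payment).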
SET

Downfall of SET
- Nothing for the credit card holders
- Huge cost in building the PKI
- Benefits less than expected
EDI

- Electronic Data Interchange
- Used for B2B transactions
- Built on Value-Added Networks
- International and national message standards
- Expensive
EDI transactions


EDI, or Electronic Data Interchange, provides
trading partners with an efficient business
tool for the automatic transmission of
commercial data from one computer system
directly to another.
Through the use of EDI message standards
such as X.12, UN/EDIFACT, or EANCOM,
data may be communicated quickly,
efficiently and accurately irrespective of the
users' internal hardware and software
equipment.
EDI in Hong Kong

- TRAXON for air cargo
- CargoNet for shipping
- EZ*TRADE for retail, manufacturing and trading
- Tradelink for the HK Government, chiefly for the Customs Department
EDI Infrastructure

- VAN (Value-Added Networks) / VPN (Virtual Private Networks)
- i-EDI (Web-based EDI systems)
EDI example: SWIFT (RGP = Regional General Processor)
PayPal

- A virtual bank on the Internet
- Caters for small merchants that cannot open an account with a bank
- Provides other services such as a shopping cart
- Problem of jurisdiction
E-purse

- Pre-paid debit cards that can work offline
- Not many business successes
  - Mondex
- Most successful case
  - Octopus
- Pre-paid phone cards
The Internet Payment Processing System

- Acquiring bank
- Credit card association
- Customer issuing bank
- Internet merchant accounts
- Payment gateway
- Processor
Parties to Internet transaction (diagram): Customer, Merchant, Payment Gateway, Processor, Issuing Bank, Merchant's Acquiring Bank
The transaction process (diagram labels: credit card no., transaction info, OK, request for payment, authorization)
Transaction initiation

- The customer decides to make a purchase on the merchant's web site, proceeds to check out and inputs credit card information
- The merchant's web site receives the customer information and sends the transaction information to the Payment Gateway
- The Payment Gateway routes the information to the Processor
Payment authorization

- The Processor sends the information to the Merchant's Acquiring Bank
- The Acquiring Bank sends the transaction information to the credit card holder's Issuing Bank
- The Issuing Bank sends the transaction result (authorization or decline) to the Acquiring Bank
- The Acquiring Bank sends the transaction result to the Processor
Payment authorization

- The Processor routes the information to the Payment Gateway
- The Payment Gateway passes the result to the Merchant
- The Merchant accepts and ships the goods, or rejects the transaction
The payment process (diagram labels: request for payment, debit consumer A/C, credit merchant A/C)
Payment settlement

- The Merchant requests the Payment Gateway to settle a payment
- The Payment Gateway sends all transactions to be settled to the Processor
- The Processor sends the settlement payment details to the customer's credit card Issuing Bank and to the Merchant's Acquiring Bank
Payment settlement

- The Issuing Bank includes the Merchant's charge on the customer's credit card statement, while the Acquiring Bank credits the Merchant's account
Payment Processing
PCI DSS

Payment Card Industry Data Security Standard
It was developed by the PCI Security Standards Council, which includes American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS


It is a security standard that includes
requirements for security management,
policies, procedures, network architecture,
software design and other critical protective
measures.
This is intended to help organizations
proactively protect customer account data.
Requirements
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Requirements
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Requirements
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Requirements
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Requirements
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Requirements
Maintain an Information Security Policy
- Maintain a policy that addresses information security
Reading

Refer to the VeriSign Online Payment Processing Guide.