E-Commerce Security

E-Commerce
Internet
• It is a network that follows the TCP/IP protocol.
– Transmission Control Protocol – handles
communications between applications.
• A message is divided into pieces called packets.
• Packets are numbered and may be transmitted by different
routes.
– Internet Protocol – handles communications between
network addresses.
• A computer on the internet is assigned a unique address, the IP
address, which consists of 4 numbers (each number is less
than 256) separated by periods. Example: 158.104.1.10
E-Commerce
• Buying and selling, and marketing and
servicing of products and services, and
information via computer networks.
CISCO Internet Value Matrix
The Four Quadrants
• New Fundamentals: These companies are taking the low-risk road.
They use the Internet as a new channel for doing old things, for
example streamlining operations, to achieve cost savings.
• Operational Excellence: Businesses in this section are using Internet
technologies to improve management of customer services and for
value innovation.
• Breakthrough strategies (Early Movers): These are the bold players
venturing into new markets, new channels and new products. Their
focus is on competitive advantage through new ways of managing
relationships and doing business.
• Experimentation: These businesses want to become learning
organizations. They are exploring the Internet and Intranet and funding
small scale experiments. They experiment with new market segments,
sources of revenue and ways of doing business, but not in a way
that can compromise the main business activities.
E-Commerce Models
• B2C: Storefront model
– E-tailing (electronic retailing)
– Shopping cart, on-line shopping mall
• B2B:
– Electronic Data Interchange (EDI)
– Electronic Exchange: An electronic forum where manufacturers,
suppliers, and competitors buy and sell goods.
• Example: WorldWide Retail Exchange (WWRE)
• http://www.worldwideretailexchange.org/cs/en/index.htm
• C2C:
– Auction model: e-Bay
• Etc.
B2C System Model
E-Payment
• Online credit card transaction:
– Card-not-present transaction
• Prepaid card:
– Visa Reloadable Prepaid card
• E-Wallet: Online wallets try to make Internet
shopping easier by letting consumers register
once to shop at multiple retail outlets.
• PayPal: https://www.paypal.com/
– Click Merchants/demo
M-Business
• E-Business enabled by wireless communication.
– Cell phone, PDA
• WI-FI: Wireless local area network (WLAN)
based on the IEEE802.11 specifications.
• Hotspot: A person with a Wi-Fi device, such as a
computer, cell telephone, or personal digital
assistant (PDA) can connect to the Internet
when in proximity of an Access Point. The region
covered by one or several access points is
called a hotspot.
Location Based Services
• Location-Identification Technologies:
– Geocode: Longitude, latitude
• Global Positioning System (GPS)
• Cell phone
– Angle of Arrival (AOA)
• Location Based Services:
– B2E (Employee)
– B2C
Internet Security
• Authenticity: Is the sender of a message
who they claim to be?
• Privacy: Are the contents of a message
secret and only known to the sender and
receiver?
• Integrity: Have the contents of a message
been modified during transmission?
• Nonrepudiation: Can the sender of a
message deny that they actually sent the
message?
Encryption (Cryptography)
• Plain text: the original message in human-readable form.
• Ciphertext: the encrypted message.
• Encryption algorithm: the mathematical
formula used to encrypt the plain text.
• Key: the secret key used to encrypt and
decrypt a message.
Encryption Example
• Digits: 0-9,
• Encryptor:
– Replace each digit by Mod(Digit + Key, 10)
• Key’s value is from 0 to 9
– If Key = 7, then:
• 0 -> 7, 1->8, 2->9, 3->0, 4->1, 5->2
• Decryptor:
– Replace each digit by Mod(Digit + (10-Key), 10)
– If key=7, then
• 7->0, 8->1, 9->2, 0->3
Encryption Algorithms
• Private key encryption
– symmetric cryptography
• Public key encryption
– asymmetric cryptography
• Digital signature
• Digital certificate
Private Key (secret Key) Encryption
• The same key is used by a sender (for
encryption) and a receiver (for decryption)
• The key must be transmitted to the
receiver.
• Example:
– DES (Data Encryption Standard) algorithm
with 56-bit key
Public Key Encryption
• Uses two different keys: a public and a private key.
• Receiver’s public key must be delivered in advance.
• Sender uses receiver’s public key to encrypt the
message and receiver uses private key to decrypt the
message (Sender can be sure the receiver is the true
receiver)
• Example:
– RSA (Rivest, Shamir, and Adleman) algorithm with 512-bit to
1024-bit key.
• Note: Although the two keys are mathematically related,
deriving one from the other is “computationally
infeasible”.
Digital Signature
• It is used for the authentication and nonrepudiation of
senders by applying public key encryption in reverse, and
ensures the integrity of the message.
• How digital signature works:
– Sender:
• Create message digest: Hash(original message)
• Digital signature: Encrypt(Message digest, Sender’s private key)
• Encrypted message: Encrypt(Original message, Receiver’s public key)
• Send the hash function, digital signature, and the encrypted message
to receiver.
– Receiver:
• Use receiver’s private key to decrypt the encrypted message to
reveal the original message.
• Use the sender’s public key to decrypt digital signature and reveal the
message digest.
• Apply the hash function to the original message. If the hash value
matches the message digest in the digital signature, the message is
intact.
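The sender and receiver steps above, carried through in code as an added example (not part of the original slides). It uses textbook RSA without padding and constructed demo keys built from small known primes, with SHA-256 as the hash function; all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent used by both toy key pairs

def make_keypair(p, q):
    """Textbook RSA: returns (public_key, private_key) as (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# Constructed demo keys built from well-known Mersenne primes. Not secure.
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def rsa(value, key):
    """Modular exponentiation with a key given as (exponent, modulus)."""
    exponent, n = key
    return pow(value, exponent, n)

def digest(message, n):
    """Hash(original message), reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def verify(message, signature):
    """Receiver: open the signature with the sender's public key, compare digests."""
    return rsa(signature, SENDER_PUB) == digest(message, SENDER_PUB[1])

def send(message):
    """Sender: sign the digest, then encrypt the message for the receiver."""
    signature = rsa(digest(message, SENDER_PRIV[1]), SENDER_PRIV)
    m = int.from_bytes(message, "big")
    if m >= RECEIVER_PUB[1]:
        raise ValueError("toy scheme: message must fit in one RSA block")
    return signature, rsa(m, RECEIVER_PUB)

def receive(signature, ciphertext):
    """Receiver: decrypt with own private key, then check the signature."""
    m = rsa(ciphertext, RECEIVER_PRIV)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return message, verify(message, signature)

if __name__ == "__main__":
    sig, ct = send(b"PAY 100 TO ACCT 42")    # constructed sample message
    print(receive(sig, ct))                    # intact message, signature matches
    print(verify(b"PAY 900 TO ACCT 42", sig))  # altered message, digest mismatch
```

A changed message or a changed ciphertext both end in a digest mismatch, which is the integrity check described in the last receiver step.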
Certificate
• A certificate is a digital document issued
by a trusted third-party certificate authority
(CA).
• A certificate contains records such as a
serial number, user’s name, owner’s public
key, name of CA, etc.
• Example of CA: VeriSign, U.S. Postal
Service.
Online Transaction Security Protocol
• Secure Sockets Layer (SSL)
– Developed by Netscape
– SSL implements public key technology using
the RSA algorithm and digital certificate to
authenticate the server in a transaction and
protect private information.
• 1. A client sends a message to a server.
• 2. The server sends its digital certificate to
the client for authentication (authenticate
the server)
• 3. The client and server negotiate session
keys to continue the transaction and use
session keys and digital certificate for
encryption.
Cookies
• Designed to hold information about a user.
• Created by a web site and saved on the
visitor’s machine.
• It contains:
– Web site that sets the cookie.
– One or more pieces of data.
– Expiration date for this cookie.
• Cookies directory:
• Browser sends cookie with the URL when you
visit the site that issued the cookie.
Excel’s Security
• Use password to protect spreadsheet file:
– Tools/Option/Security
• Password to open
• Password to modify
• Protect spreadsheet content:
– Tools/Protection
• Protect sheet
• Allow user to edit range
• Hide data:
– Format/Cells/Number/Custom
• Enter ;;; (three semicolons)
Database Security
• Database Security: Protection of the
data against accidental or intentional
loss, destruction, or misuse
• Increased difficulty due to Internet
access and client/server technologies
Threats to Data Security
• Accidental losses attributable to:
– People
• Users: using another person’s means of access, viewing
unauthorized data, introduction of viruses
• Programmers/Operators
• Database administrator: Inadequate security policy
– Software failure
• DBMS: security mechanism, privilege
• Application software: program alteration
– Hardware failure
• Theft and fraud
• Improper data access:
– Loss of privacy (personal data)
– Loss of confidentiality (corporate data)
• Loss of availability (through, e.g. sabotage)
Possible locations of data security threats
Countermeasures to Threats
• Authorization
– Authentication
• Access controls: privileges
• Database views
• Backup and Recovery
• Enforcing integrity rules
• Encryption
– Symmetric encryption: use same key for encryption and
decryption
– Asymmetric encryption:
• Public key: for encryption
• Private key: decryption
• RAID
Authorization Rules
• Controls incorporated in the data management
system
• Restrict:
– access to data
– actions that people can take on data
• Authorization matrix for:
– Subjects
– Objects
– Actions
– Constraints
Authorization matrix
SQL Injection
• "SQL Injection" is an
unverified/unsanitized user input
vulnerability, and the idea is to convince
the application to run SQL code that was
not intended.
• Exploits applications that use external
input for database commands.
SQL Injection Demo
• On a web page that takes customer ID entered
in a textbox as input, then displays the
customer’s data.
• In the textbox, enter:
' OR 1=1 OR CID = '
SQLInjectionDemo
Other SQL injection examples:
Demo
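' At the top of the code-behind file:
Imports System.Data.OleDb

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb"
    Dim objConn As New OleDbConnection(strConn)
    ' Vulnerable for the demo: the textbox value is concatenated directly into the SQL text.
    Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'"
    Dim objComm As New OleDbCommand(strSQL, objConn)
    Try
        objConn.Open()
        Dim objDataReader As OleDbDataReader
        objDataReader = objComm.ExecuteReader()
        ' Bind whatever rows the query returned to the grid.
        GridView1.DataSource = objDataReader
        GridView1.DataBind()
    Catch except As SystemException
        ' Writes the database error text back to the page.
        Response.Write(except.Message)
    Finally
        ' Release the connection whether or not the query succeeded.
        objConn.Close()
    End Try
End Sub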
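The same query pattern next to its parameterized form, as an added example that is not part of the original slides. It uses Python's sqlite3 with an in-memory database instead of the Access file; the `customer` table and `cid` column come from the demo, while the `cname` column, the sample rows and the function names are constructed for illustration.

```python
import sqlite3

# The textbox input shown on the SQL Injection Demo slide.
PAGE_INPUT = "' OR 1=1 OR CID = '"

def make_db():
    """In-memory stand-in for salesDB with three constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (cid TEXT PRIMARY KEY, cname TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [("C1", "Alice"), ("C2", "Bob"), ("C3", "Carol")])
    return conn

def lookup_concatenated(conn, cid_text):
    """Same pattern as the demo's strSQL: user input becomes part of the SQL text."""
    sql = "select * from customer where cid = '" + cid_text + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, cid_text):
    """Input is bound as a value, so quotes in it are never parsed as SQL."""
    sql = "select * from customer where cid = ?"
    return conn.execute(sql, (cid_text,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "C2"))         # one row, as intended
    print(lookup_concatenated(db, PAGE_INPUT))   # every row: WHERE clause is always true
    print(lookup_parameterized(db, PAGE_INPUT))  # no rows: no customer has that cid
    print(lookup_parameterized(db, "C2"))        # one row, normal use unchanged
```

In the VB.NET handler above, the equivalent change is a `?` placeholder in strSQL with the textbox value supplied through objComm.Parameters.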
Access security
• Database Password:
– Must open the database exclusively
• In the File/Open window, click Open button’s
dropdown list and select: Open Exclusive
– Tools/Security/Set database password
• Tools/Security/Encode Decode
• User group/User level security