Transcript Judul - Binus Repository

Matakuliah
Tahun
Versi
: M0284/Teknologi & Infrastruktur E-Business
: 2005
: <<versi/revisi>>
Pertemuan 12
Authentication, Encryption,
Digital Payments, and Digital
Money
1
Learning Objectives
• Determine how and why encryption is
important for e-commerce.
• Understand how security applies to e-mail,
the Web, the intranet, and the extranet.
• Appreciate how virtual private networks
are relevant to the future of e-commerce.
• Plan for strategies to fend-off security
threats.
• List and understand various e-commerce
modes of payment.
2
Confidentiality
• Confidentiality has two aims:
– To use the digital signature or encrypted hash
function to authenticate the identity of the
sender.
– To protect the content of the message from
eyes other than those of the intended
recipient.
• Cryptography is used to implement privacy
– Encoded message has no apparent meaning
3
Confidentiality
• Two steps involved:
– In the first step, a clear message is encrypted.
– The reverse aspect is the deciphering by the
recipient.
• Secure Socket Layer (SSL)
– Developed by Netscape for transmitting
private documents via the Internet
4
Confidentiality
• Organizations
– Government
– Industry Self-Regulation
• Platform for Privacy Preferences Project
(P3P).
• TRUSTe
• Better Business Bureau Online
5
Authentication
“Authentication is the process of
identifying an individual or a message
usually based on a user name and
password or a file signature.”
Authentication is distinct from Authorization
6
Authentication
• Log-in Passwords
• Weak method with short passwords
7
Authentication
• Features commonly used to identify and
authenticate an user:
– Something the user knows (e.g. password).
– Something the user has (e.g. token,
smartcard).
– Something that is part of the user (e.g.
fingerprint).
8
Authentication
Digital Signature
“A digital signature is a code attached to
an electronically transmitted message
to identify the sender.”
9
Authentication
Digital Signature
1. The sender composes the document.
2. The sender uses a hash algorithm to
create a “one-way” hash.
3. The user uses his or her private part of a
public key system to encrypt the one-way
hash to create the digital signature.
4. The sender then combines the original
document with the digital signature to
create a new signed document and send
it to the receiver
10
Authentication
Digital Signature
1. The receiver separates the document
from its signature.
2. The receiver decrypts the digital
signature using the sender public key.
3. The receiver applies the hashing
algorithm to the original electronic
document to produce a new one-wayhash.
11
Authentication
Digital Signature
12
Authorization
“Gives someone permission to do or
have something.”
•
•
Role or privileges based system.
Access lists to hardware, programs, data
13
Integrity
•
•
•
Control Redundancy Check (CRC)
Secure Hash Algorithm (SHA-1)
RSA’s Message Digest (MD5)
14
Auditing
“As no system will ever be completely
secure, policies need to be devised
where unauthorized usage will not
occur.”
15
Non-repudiation
“Nonrepudiation is a proof that a
message has been sent or received.”
“Nonrepudiation is specially important
for the secure completion of online
transactions.”
16
Non-repudiation
•
•
Digital Certificates can be used to verify
the identity of a person, website or
JavaScript/ Java applet.
The certificate always include:
–
–
–
–
–
Public key.
The name of the entity.
Expiration date.
The name of the certification authority (CA).
The digital signature of the CA.
17
Non-repudiation
18
Non-repudiation - PKI
19
E-mail and Internet Security
•
•
•
•
•
•
Secure Sockets Layer (SSL).
Secure Electronic Transactions (SET).
Password Authentication Protocol/
Challenge Handshake Authentication
Protocol (PAP/CHAP).
Private Communications Technology
(PCT).
S/MIME
Pretty Good Privacy (PGP).
20
E-mail and Internet Security
•
Secure Sockets Layer (SSL).
–
–
–
–
–
–
Created by Netscape
Widely used
Uses RSA’s encryption system.
Uses temporary keys
Implement Certificate Authorities (CA)
Client and server certificates
21
E-mail and Internet Security
•
Secure Electronic Transactions (SET)
– Enables the use of electronic payment
methods and provides assurance about the
identification of customers, merchants and
banks.
– Industry protocol.
22
E-mail and Internet Security
•
PAP/CHAP
– Commonly used with PPP connections.
– With PAP the password is sent as open text,
with CHAP is encrypted.
– With CHAP the authentication is repeated
every 10 minutes, with PAP only at
connection time.
23
E-mail and Internet Security
•
Private Communications Technology.
– Microsoft Initiative.
– Symmetric encryption.
– Authenticates of server to client via
certificate or CA.
– Verifies message integrity with hash function
message digests
– Can be implemented with HTTP and FTP.
– Allows a stronger encryption
24
E-mail and Internet Security
•
Secure MIME.
– Secure method of sending e-mails.
– An IETF standard – RFC 1521
25
E-mail and Internet Security
•
Pretty Good Privacy (PGP)
– World’s de facto standard.
– Freeware (There is also a commercial
version).
26
Virtual Private Network
“A virtual private network (VPN) is a
network available when the user
needs it.”
•
•
•
IP Security Protocol (IPSec)
Layer Two Tunneling Protocol (L2TP)
Transport Layer Security (TLS)
27
Virtual Private Network – L2TP
28
Encryption Export Policy
•
•
•
Regulations affect the global use of
encryption techniques.
Companies are allowed to export
encryption items (but with weak
encryption)
Encryption classified as a weapon
29
Payment Systems
•
•
•
•
Cash
Checks
Money Orders
ORDER/INVOICE – bank transfer
– (feasible for B2B)
•
Credit Card Payments
– (used most for B2C e-commerce)
30
Electronic Money
• Not widely adopted
•
•
•
•
Cybercash
VeriFone
Stored-Value Smart Cards.
Digital Cash
– Visa Cash
– Mondex
– Digicash
•
Micropayment
31