ECommerce CMM503 Lecture 7 - PowerPoint PPT Presentation

Slides: 53
Provided by: stuar3

Transcript and Presenter's Notes


1
E-Commerce CMM503 Lecture 7
  • Stuart Watt
  • S.N.K.Watt_at_rgu.ac.uk
  • Room C2

2
Summary of this week
  • Learning outcomes
  • A basic understanding of the Internet and how it
    works
  • Able to briefly describe how web sites are hosted
    on web servers
  • A basic understanding of the main security issues
    and techniques involved in e-commerce

3
Part 1
  • An overview of the Internet

4
1. What is the Internet?
  • It is a network of networks
  • Computers connected through the TCP/IP protocol
  • You can think of it as like a huge set of pipes
    between computers
  • The Internet itself doesn't store anything;
    computers do that

5
1.1 DoD and OSI network models
  • DoD Internet model layers (with example protocols) and the
    OSI Seven Layer model layers they correspond to
  • Process (Telnet, FTP, SMTP): Application, Presentation, Session
  • Host-to-host (TCP, UDP): Transport
  • Internet (IP): Network
  • Network access (Ethernet, ARP, FDDI): Data link, Physical

6
1.2 Internet protocol stack
  • Application: supporting network applications
  • FTP, SMTP, HTTP
  • Transport: host-host data transfer
  • TCP, UDP
  • Network: routing of datagrams from source to
    destination
  • IP, routing protocols
  • Link: data transfer between neighbouring network
    elements
  • PPP, Ethernet
  • Physical: bits on the wire

7
1.3 Internet gateways and routing
8
2.0 An aside: TCP versus UDP
  • The Internet supports
  • Stream connections: TCP, the Transmission
    Control Protocol
  • Connections need to be set up before data can be
    exchanged
  • Datagram packets: UDP, the User Datagram
    Protocol
  • Connectionless: packets can be sent directly as
    datagrams
  • The common foundation is IP, the Internet
    Protocol
  • IP is a packet-level protocol, like a postal
    system

9
2.1 TCP and UDP ports
  • Ports are logical ends to a connection
  • Ports are usually associated with a particular
    protocol
  • The protocol governs how data is interpreted
  • E.g. the same data on ports 7 and 80 behaves
    differently
  • Server software listens on particular ports
  • E.g., Web servers listen for incoming
    connections on port 80
  • Ports below 1024 are usually reserved

10
2.2 TCP Protocols
  • Port 7, ECHO
  • Ports 20 and 21, FTP (data and control)
  • Port 23, Telnet
  • Port 37, Time
  • Port 53, the Domain Name Service
  • Port 80, the HyperText Transfer Protocol
  • Port 118, SQL services
  • Port 119, Newsgroups (NNTP)
  • Port 443, Secure HTTP (HTTPS)

11
2.3 Internet addresses
  • IP address
  • 32 bits, usually written as four 8 bit numbers
  • e.g., 193.63.235.40
  • Contains routing information as well as address
    information
  • Consists of a
  • Network part
  • Host part

12
2.3.1 Internet address types
  • Class A (these begin with 0 in binary)
  • 126 networks, millions of nodes
  • Class B (these begin with 10 in binary)
  • A few thousand networks, approx 65K nodes each
  • Class C (these begin with 110 in binary)
  • Approx 2 million networks, approx 200 nodes each
  • Class D (these begin with 1110 in binary)
  • Used for multicasting
  • Class E (these begin with 11110 in binary)
  • Experimental
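
The class rules above and the network/host split from 2.3, as an added example that is not part of the original slides. `classify` is a hypothetical helper name, and the leading-bit patterns are used exactly as the slide lists them.

```python
import ipaddress

# (class, leading bits as listed on the slide, octets in the network part)
CLASSES = [
    ("A", "0", 1),
    ("B", "10", 2),
    ("C", "110", 3),
    ("D", "1110", None),    # multicast: no network/host split
    ("E", "11110", None),   # experimental
]

def classify(dotted):
    """Return (class, network part, host part) for a dotted-quad IPv4 address."""
    addr = ipaddress.IPv4Address(dotted)     # raises ValueError on malformed input
    bits = format(int(addr), "032b")         # the 32 address bits as a string
    octets = str(addr).split(".")
    for name, prefix, net_octets in CLASSES:
        if bits.startswith(prefix):
            if net_octets is None:
                return name, None, None
            return (name,
                    ".".join(octets[:net_octets]),
                    ".".join(octets[net_octets:]))
    return None, None, None                  # leading 11111: not on the slide

if __name__ == "__main__":
    # Addresses taken from the nslookup output on slide 2.4, plus a multicast one.
    for sample in ("10.52.1.2", "193.63.235.40", "224.0.0.1"):
        print(sample, classify(sample))
```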

13
2.3.2 Internet and machine addresses
  • Computers have two addresses
  • Internet address (IP address)
  • Physical machine address (MAC address)
  • So, how do you find the right computer?
  • ARP, the Address Resolution Protocol
  • Turns IP addresses into physical addresses
  • Uses gateways and special routing packets
  • RARP, the Reverse Address Resolution Protocol
  • Turns physical addresses into IP addresses
  • Uses special RARP servers

14
2.4 The domain name system
  • DNS is a readable interface to IP addresses
  • A name maps to one (or several) IP addresses
  • Built into most networking systems
  • In UNIX / Winsock: gethostbyname
  • C:\>nslookup
  • Default Server: ebbe.comp.rgu.ac.uk
  • Address: 10.52.1.2
  • > www.comp.rgu.ac.uk
  • Server: ebbe.comp.rgu.ac.uk
  • Address: 10.52.1.2
  • Name: www.comp.rgu.ac.uk
  • Addresses: 193.63.235.41, 193.63.235.40

15
2.4.1 The domain name hierarchy
  • Administered by IANA
  • The Internet Assigned Numbers Authority
  • Three kinds of top-level domains
  • Top-level domains are delegated to other
    authorities
  • Country code domains
  • .uk (UK), .fr (France), .ws (Samoa), etc.
  • Two-letter codes
  • Generic domains
  • .com, .edu, .gov, .mil, .org, .biz
  • Infrastructure domain
  • .arpa
  • Exclusively managed by IANA
  • Within each domain, DNS is managed by these
    authorities

16
2.4.2 How does DNS work?
  • DNS is a massive distributed database of IP
    address / domain name pairs
  • Local DNS servers contain local knowledge
  • Global hierarchy of DNS servers
  • Browser queries domain name
  • Local DNS queries hierarchy
  • Hierarchy returns IP address
  • Local DNS returns IP address to browser
  • Browser uses IP address to make (e.g.) http
    request

17
2.4.3 Buying a domain name
  • Often managed through a hosting service
  • Often bundled with hosting itself
  • The Internet Gold Rush
  • Good domain names
  • Avoid puns
  • Don't tail-gate off someone else (especially a
    trademark!)
  • Get the right name for a user or investor

18
2.4.4 What is a Cyber Squatter?
  • Someone who buys someone else's domain name,
    e.g., www.gwbush.com

19
3. Combining addresses and protocols: URLs
  • URL
  • Stands for Uniform Resource Locator
  • URLs are written as text strings
  • E.g., http://www.comp.rgu.ac.uk/staff/sw/
  • URLs break down as follows
  • Scheme: http
  • Scheme-specific part: //www.comp.rgu.ac.uk/staff/sw/
  • A colon separates the scheme from the rest of the
    URL
  • Most scheme-specific parts contain a DNS host name

20
3.1 Absolute and relative URLs
  • Absolute URLs
  • Like a complete street address, e.g., 52,
    Festive Road, Rosemount, Aberdeen, UK
  • E.g., http://www.comp.rgu.ac.uk/staff/
  • Usually used to link pages between sites
  • Relative URLs
  • Like directions, e.g., down the street and turn
    left at the traffic lights
  • E.g., pages/resources.htm
  • Usually used to link pages within a site

21
3.1.1 Absolute and relative URLs
  • Relative URL use
  • Always based on a base URL, equivalent to the
    current directory
  • Base URLs are either
  • Set in a <base> tag
  • Taken from the referring page
  • An example
  • pages/resources.htm
  • with a base of http://www.comp.rgu.ac.uk/staff/
  • Becomes http://www.comp.rgu.ac.uk/staff/pages/resources.htm

22
3.2 URL schemes
  • Common schemes
  • http, e.g., http://www.meetomatic.com
  • The scheme-specific stuff is a host name and link
    to a file
  • ftp, e.g., ftp://www.comp.rgu.ac.uk
  • Very like HTTP URLs, except that you can also
    have a user name and password, e.g.,
    ftp://user:pass@server/...
  • file, e.g., file://localhost/C/sample.htm
  • The scheme part is usually a mangled version of
    the absolute directory and filename, with /s in
    it. The server is assumed to be localhost, but
    can be something else.
  • news / nntp, e.g., news://adobeforums.com/
  • The scheme part is a reference to a host, and
    possibly a newsgroup

23
3.2.1 URL schemes
  • mailto, e.g., mailto:S.N.K.Watt@rgu.ac.uk
  • Scheme-specific part is an email address
  • telnet, e.g., telnet:www.comp.rgu.ac.uk
  • The scheme part is a host name
  • gopher, e.g., gopher://gopher.ch.ic.ac.uk/
  • The scheme part is a host name, and the rest is
    interpreted by Gopher, which was a kind of
    precursor to the web
  • javascript, e.g., javascript:add()
  • The scheme-specific stuff is JavaScript code
    which is run when the link is clicked

24
3.2.2 HTTP URLs, the (almost) full story
  • http://server:port/path/name#label?query
  • server: a DNS host name
  • port: a port number for HTTP
  • Assumed to be 80 if not specified
  • path: a path to the URL, UNIX-like directory
  • name: the name of the file
  • label: a named anchor within the file
  • E.g., <a name="label">Anchored text</a>
  • query: for dynamic pages (e.g., CGI and ASP
    scripts) a reference to the form data or search
    terms
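
Resolving the relative URL from 3.1.1 against its base and splitting URLs into the parts named above, as an added example that is not part of the original slides. `dissect` is a hypothetical helper name, and the port, file name, label and query in the second sample URL are constructed.

```python
from urllib.parse import urljoin, urlsplit
import posixpath

# Default ports per scheme, taken from the port list on slide 2.2.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def dissect(url, base=None):
    """Resolve url against base (if given) and split it into the slide's parts."""
    absolute = urljoin(base, url) if base else url
    parts = urlsplit(absolute)
    # Schemes such as mailto: or javascript: carry no host; reject them here
    # rather than guessing a server from the scheme-specific part.
    if not parts.scheme or not parts.hostname:
        raise ValueError("not an absolute URL with a host: %r" % absolute)
    path, name = posixpath.split(parts.path)
    return {
        "url": absolute,
        "scheme": parts.scheme,
        "server": parts.hostname,          # user:pass@ is not part of the host
        "port": parts.port or DEFAULT_PORTS.get(parts.scheme),
        "path": path,
        "name": name,
        "label": parts.fragment,
        "query": parts.query,
    }

if __name__ == "__main__":
    # The worked example from slide 3.1.1.
    print(dissect("pages/resources.htm", base="http://www.comp.rgu.ac.uk/staff/"))
    # Constructed URL; in URL syntax the ?query is written before the #label.
    print(dissect("http://www.comp.rgu.ac.uk:8080/staff/sw/index.htm?term=dns#top"))
```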

25
4. Hosting your site
  • Internet Service Providers
  • E.g., BT Open World, Freeserve
  • Big banks of modems
  • Prices vary from 0 - 200 per month
  • Internet Hosting Services
  • E.g., AlterCom
  • Big banks of web servers
  • Prices vary from 20 - 200 per month
  • Both frequently offer site hosting

26
4.1 Web servers
  • Common servers include
  • Apache
  • Open source, free
  • Runs on UNIX, Windows
  • Internet Information Services
  • Light version free with Windows 2000 or XP
  • Runs on Windows
  • iPlanet
  • Sun web server
  • Runs on UNIX
  • NCSA
  • The original httpd
  • Runs on UNIX

27
4.2 Getting your files into the site
  • Shared directories
  • E.g., your H drive
  • Only effective on an Intranet
  • FTP
  • Common client software
  • Works anywhere, except
  • blocked by some firewalls (e.g., RGU's)
  • WebDAV
  • Need special client software
  • Uses port 80 (so not blocked by firewalls)
  • Support built into some web editors (e.g.,
    Dreamweaver)
  • Partly supported by FrontPage (also need server
    extensions!)

28
4.3 The web server market
[Chart: web server market share; series labelled Apache and Microsoft]
  • Web server survey courtesy of Netcraft
  • See http://www.netcraft.com/survey/

29
Part 2
  • An overview of security

30
5. Security threats
  • Six main areas
  • Exposure of confidential data
  • Loss or destruction of important data
  • Modification of data
  • Denial of service
  • Software and hardware errors
  • Repudiation

31
5.1 Exposure of confidential data
  • Poor design of servers
  • Don't store confidential information on your web
    server
  • Use partial card numbers, e.g.,
    ---1234
  • Eavesdropping at routers and gateways
  • TCP/IP is not secure
  • Use the command traceroute on UNIX
  • Removing unnecessary services from your server
  • E.g., FTP, SMTP, etc.

32
5.2 Loss or destruction of data
  • Crackers
  • This is where security comes in
  • Careless programmers or administrators
  • Be careful
  • Keep backups of important data and configurations
  • Especially when going through an upgrade

33
5.2.1 Loss or destruction of data
  • Hardware failure
  • Disk drives, especially, are vulnerable
  • Remember, they spin at 7200rpm and more
  • Use good quality server hardware
  • Use RAID drives, these increase speed and
    reliability
  • Make sure your data is backed up
  • Store your backups away from the site

34
5.3 Modification of data
  • What if Cracker Stuart could
  • Gain access to your site
  • To graffiti it
  • To protect files
  • Use file protection
  • Use web server protection

35
5.3.1 File protection compared
36
5.4 Denial of service (DoS attacks)
  • Very hard to guard against
  • Many ways of carrying out DoS attacks
  • Examples
  • Installing programs that soak processor time
  • Flooding the target with network traffic
  • E.g., uploading 100Mb files through web pages
  • May be done in a distributed and coordinated way
  • Reverse spamming
  • Sending out spam, listing the target as sender

37
5.5 Errors in software
  • These can lead to
  • Service unavailability, poor service, security
    breaches, financial losses, etc.
  • Three main causes
  • Assumptions made by developers
  • E.g., Do Switch cards have issue number zero?
  • Poor specifications
  • E.g., Should orders be sent if a card is
    declined?
  • Poor testing
  • The solution to these problems: a well-planned
    test plan

38
5.6 Repudiation
  • Customers who order goods, and then deny having
    done so
  • Authentication may help
  • Messages need to be tamper-proof
  • Secure Electronic Transaction (SET) standard
  • VISA, banks, software companies
  • Cardholders can obtain digital certificates from
    card issuers
  • Little incentive to encourage SET

39
6. Security and encryption
  • Two main strategies
  • Authentication
  • Making documents tamper-proof
  • Solutions to both
  • Cryptographic systems
  • To enable identity to be verified
  • To enable authorship of documents to be verified

40
6.1 Simple encryption
[Diagram: Plain text → Encryption Algorithm → Cipher text]
41
6.2 Two way encryption
[Diagram: Key; Plain text → Encryption Algorithm → Cipher text → Decryption Algorithm → Plain text]
42
6.3 Public key encryption
[Diagram: Public Key, Private Key; Plain text → Encryption Algorithm → Cipher text → Decryption Algorithm → Plain text]
43
6.4 Digital signatures
  • Used to verify who wrote a particular digital
    document
  • Use a hash function to generate a digest of
    the document
  • This digest is then encrypted using the sender's
    private key
  • On receipt, it can be decrypted using the
    sender's public key, and the document checked for
    tampering
  • Advantages of digital signatures
  • Can be used to detect tampering
  • Often used to sign software, e.g., drivers
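
The sign-and-check sequence described above, as an added example that is not part of the original slides. It uses unpadded textbook RSA with a deliberately small constructed key so it runs on the standard library alone; the key, function names and sample document are assumptions, and real systems use a vetted library with a padded scheme.

```python
import hashlib

# Toy key pair built from two known Mersenne primes (constructed for this
# example). Far too small, and unpadded, for any real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

def digest(document: bytes) -> int:
    """Hash the document and map the digest into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def sign(document: bytes) -> int:
    """Sender: 'encrypt' the digest with the private key."""
    return pow(digest(document), D, N)

def verify(document: bytes, signature: int) -> bool:
    """Receiver: 'decrypt' with the public key, compare with a fresh digest."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest(document)

if __name__ == "__main__":
    order = b"Ship 3 widgets to 52 Festive Road"        # constructed document
    sig = sign(order)
    print("original verifies:", verify(order, sig))
    # One changed character gives a different digest, so the check fails.
    print("tampered verifies:", verify(b"Ship 9 widgets to 52 Festive Road", sig))
```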

44
6.5 Digital certificates
  • Digital certificates include
  • A public key
  • An individual or organisation's details
  • A digital signature from a certifying authority
    (CA)
  • This states that the CA has seen proof of
    identity
  • Common certifying authorities
  • VeriSign, Thawte, Equifax Secure, British Telecom
  • CAs are themselves certified by other CAs
  • A few root CAs are usually trusted

45
6.5.1 Digital certificates
46
6.5.2 Digital certificates
47
6.6 Approaches to authentication
  • Digital signatures
  • Biometric measures
  • Fingerprint scans (built into some PDAs)
  • Hardware solutions
  • Smart cards
  • Digital key fobs
  • VPN tokens

48
6.6.1 Authentication
49
6.6.2 Implementing authentication
50
7. Security
  • Three principal kinds
  • Physical security
  • Network security
  • Software security
  • Prepare a security policy document
  • Like setting functional requirements
  • Goals rather than specific implementations
  • General principles
  • Reduce access to the computer to the minimum
  • Make sure software is up-to-date and minimal

51
7.1 Network security: firewalls
  • Protection by network routing
  • Allow selected protocols to be blocked
  • Allow selected hosts to be blocked
  • Allow connections to trusted hosts

52
7.2 A typical firewall
[Diagram labels: Firewall, DMZ, Internet, Router, Router, Database server, Web server, User]