CS 898N - PowerPoint PPT Presentation

Slides: 43
Provided by: Kindy
Transcript and Presenter's Notes

1
CS 898N Advanced World Wide Web Technologies
Lecture 17: Security and E-Commerce
  • Chin-Chih Chang, chang_at_cs.twsu.edu

2
SSL
  • SSL (Secure Socket Layer) is a client/server
    security scheme.
  • SSL runs in a layer between HTTP and TCP/IP. This
    means two things:
  • HTTP data will continue to go back and forth but
    at some point it will become encrypted.
  • The SSL protocol will perform the encryption and
    decryption in a manner completely transparent to
    the user.

3
SSL in E-commerce
[Diagram: SSL handshake between Browser (Client) and Server. Labels: Client-Hello (includes cipher list); Server-Hello (includes cipher list); Server Data; Client Data, Pre-master key; Pre-master key generation; encrypted PRE-MASTER KEY; Master key generation (both sides); Session key generation (both sides); encrypted; Secure session begins (both sides).]

4
SSL
  • Documentation on the SSL protocol can be found in
    many places, specifically on the Netscape,
    Microsoft, and RSA sites.
  • First, the client issues a Client-Hello message.
    This includes a list of ciphers supported by the
    client.
  • The server responds with a Server-Hello message,
    sending back a list of ciphers compatible with
    the client and the server's digital certificate,
    which contains the server's public key.

5
SSL
  • At this time, the client may take steps to
    validate the server's certificate. Later the
    server may apply the same validating procedure.
  • As part of the Server-Hello the client accepts
    the information from the server, which includes a
    piece of random data to be used in the process of
    creating a pre-master key.

6
SSL
  • The piece of data used is in cryptographic terms
    called the nonce (the number n used only once)
    and is typically the session ID number sent by
    the server.
  • The client computes the pre-master key and sends
    this to the server, encrypted with the public key
    in the server's digital certificate.
  • The server and client then separately go through
    a standard key generation process to create a
    pair of session keys.

7
SSL
  • Because these keys are generated in secret and
    are valid only for the current session, and
    because symmetric ciphering is faster, the
    symmetric keys are used.
  • Once this process is completed, the secure
    session can now get underway. If anything goes
    wrong, the client and server go out of
    communication.
  • To configure security for an e-commerce site, you
    have to choose the level of security.
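
The master-key and session-key generation that both sides run separately after the pre-master key exchange, shown here with the TLS 1.0 derivation from RFC 2246. This is an added example, not code from the original slides; the function names and sample byte values are assumptions, and the seed is the pair of random values carried in the two hello messages.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"fmt"
	"hash"
)

// pHash is P_hash from RFC 2246: chained HMAC output, truncated to n bytes.
func pHash(h func() hash.Hash, secret, seed []byte, n int) []byte {
	mac := func(parts ...[]byte) []byte {
		m := hmac.New(h, secret)
		for _, p := range parts {
			m.Write(p)
		}
		return m.Sum(nil)
	}
	var out []byte
	for a := mac(seed); len(out) < n; a = mac(a) { // a runs through A(1), A(2), ...
		out = append(out, mac(a, seed)...)
	}
	return out[:n]
}

// PRF is the TLS 1.0 function: P_MD5 over the first half of the secret XOR P_SHA-1 over the second.
func PRF(secret []byte, label string, seed []byte, n int) []byte {
	half := (len(secret) + 1) / 2
	ls := append([]byte(label), seed...)
	out := pHash(md5.New, secret[:half], ls, n)
	for i, b := range pHash(sha1.New, secret[len(secret)-half:], ls, n) {
		out[i] ^= b
	}
	return out
}

// SessionKeys is run by client and server independently: master secret first, then the key block.
func SessionKeys(preMaster, clientRandom, serverRandom []byte, n int) (master, keyBlock []byte) {
	master = PRF(preMaster, "master secret", bytes.Join([][]byte{clientRandom, serverRandom}, nil), 48)
	keyBlock = PRF(master, "key expansion", bytes.Join([][]byte{serverRandom, clientRandom}, nil), n)
	return master, keyBlock
}

func main() {
	pre, cr, sr := bytes.Repeat([]byte{3}, 48), bytes.Repeat([]byte{0xC1}, 32), bytes.Repeat([]byte{0x5E}, 32) // constructed values
	master, keys := SessionKeys(pre, cr, sr, 72)
	fmt.Printf("master secret %x\nkey block     %x\n", master, keys)
}
```

Because the only secret input is the pre-master key, anyone who recovers it (for example by breaking the server's RSA key) can recompute every session key from the values sent in the clear.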

8
Encryption Options
  • There are two types of algorithms at work: those
    for key generation and those for encryption.
  • Key generation algorithms work differently for
    Public Key and Secret Key Cryptography.
  • The two popular algorithms implemented by PGP in
    Public/Private key pair generation are RSA and
    Diffie-Hellman.

9
Encryption Options
  • In Secret Key generation, RC2, RC4, DES, and
    Triple-DES are used.
  • Encryption algorithms implemented by PGP include
    CAST, IDEA, and Triple-DES.
  • Secret key encryption algorithms are combined
    with their key generation methods.
  • The common algorithm that Public and Secret Key
    Cryptography uses is Triple-DES.

10
Encryption Options
  • Public Key Cryptography algorithms are used for
    e-mail, digital signatures, and digital
    certificate authentication.
  • Public Key Cryptography algorithms are not really
    used for e-commerce security.
  • Secret Key Cryptography algorithms have very
    specific parameters that are totally relevant to
    e-commerce.

11
Encryption Options
  • RSA is a public key cryptosystem that defines
    both key pair generation and message encryption.
  • RSA was invented by Ron Rivest, Adi Shamir, and
    Leonard Adleman. RSA is a patented and licensed
    technology.
  • RC2, RC4, and RC5 were designed to be faster,
    more secure, and an exportable replacement for
    DES.

12
Encryption Options
  • RC means either Rivest's Cipher or Ron's Code.
  • DES stands for Data Encryption Standard and came
    out of IBM.
  • DES became a U.S. Department of Defense standard
    and export of the technology was severely
    restricted.
  • DES is scheduled to be replaced by a more
    sophisticated algorithm - AES.

13
Encryption Options
  • One of the interim solutions to the weakened
    status of DES is an enhanced version of DES -
    Triple-DES.
  • DES is patented by IBM but IBM has placed it in
    the public domain.
  • Diffie-Hellman was invented by Diffie and Hellman
    and is a key agreement protocol. It only defines
    how users can exchange secret keys over a public
    medium.

14
Encryption Options
  • IDEA (International Data Encryption Algorithm),
    SAFER (Secure and Fast Encryption Routines), CAST
    (Carlisle Adams and Stafford Tavares), and
    Blowfish are all newer encryption algorithms of
    the 1990s.
  • For more information, check these sites:
  • www.rsa.com

15
Message Authentication Options
  • Message authentication is the task of verifying
    that the message has not been altered and uses a
    hash algorithm to produce a digital signature.
  • There are two of these algorithms used in the SSL
    protocol: MD5 (Message Digest 5) by Ron Rivest
    and SHA (Secure Hash Algorithm) by NIST (National
    Institute of Standards and Technology), a
    division of the U.S. Department of Commerce.

16
Security Options in SSL
  • When we look at security options we are looking
    at defining how hard it will be to crack a
    certain code.
  • The longer the key is, the harder the code will
    be to crack. This is a central theme in Internet
    security for two reasons:
  • Keys used in Public Key Cryptography must be
    longer than those used in Secret Key Cryptography.

17
Security Options in SSL
  • The restrictions that U.S. Government export
    laws put on cryptographic software force servers
    processing secure transactions for clients to
    support a dual standard.
  • The new Internet Engineering Task Force (IETF)
    standard called Transport Layer Security (TLS) is
    based on SSL. This was recently published as an
    IETF Internet-Draft, The TLS Protocol Version
    1.0. Netscape products will fully support TLS.

18
Cracking a Cipher
  • The argument as to which cipher to use depends on
    statistics, experience, and periodic attempts by
    cryptanalysts to break certain codes.
  • Statistically, a 40-bit key gives 2^40, or a
    little more than 1 trillion, possible combinations.
    A 56-bit key gives 72 quadrillion. A 128-bit key
    gives 3 x 10^38 possible keys.
  • A 128-bit key is considered adequate for
    commercial security.

19
Cracking a Cipher
  • In early 1997 RSA labs offered a challenge:
    anyone who could break the 56-bit DES code would
    receive a $10,000 prize.
  • A group of Internet users responded to the
    challenge and broke a DES code in three months.
  • They did this by writing a client program that
    participants could download. During the project,
    over 78,000 computers participated in the project.

20
Cracking a Cipher
  • In the three months of testing, a total of less
    than half of all the possible 72 quadrillion key
    combinations were tested before someone came up
    with the winning number.
  • This type of attempt, trying all possible
    combinations, is called an exhaustive key search
    or brute-force attack.
  • Using improved techniques, the 56-bit DES code
    can be broken in a shorter time.

21
Cracking a Cipher
  • It is concluded that 40-bit keys are worthless.
  • To break a 128-bit key would put us off
    effectively forever.
  • As a rough comparison, a 40-bit secret key is
    considered equal to a 512-bit public key. This is
    the main reason public key processing takes much
    longer.
  • An informative site: www.eff.org

22
SET (Secure Electronic Transaction)
  • SET (Secure Electronic Transaction) was developed
    by Visa and MasterCard as a method to increase
    security specifically for e-commerce purposes.
  • SET uses all the tools SSL does: public and
    secret key encryption, digital signatures, and
    digital certificates.
  • SET relies on cryptography and digital
    certificates to ensure message confidentiality
    and security.

23
SET (Secure Electronic Transaction)
  • Message data is encrypted using a randomly
    generated key that is further encrypted using the
    recipient's public key.
  • This is referred to as the "digital envelope" of
    the message and is sent to the recipient with the
    encrypted message.
  • The recipient decrypts the digital envelope using
    a private key and then uses the symmetric key to
    unlock the original message.

24
SET (Secure Electronic Transaction)
  • Software developed to the Specification must
    perform at least the following functions:
  • Create a digital signature using distinct key
    pairs
  • Generate a dual signature used to link an order
    message to another component
  • Verify the digital signature.
  • For more information about SET, check
    www.setco.org.

25
Navigator Security
  • To get the Navigator security screen, select the
    Communicator menu, Tools item, Security Info tab
    or just click on the Security icon on the
    toolbar.
  • Navigator supports a standard cryptography
    package called PKCS 11.
  • PKCS stands for Public Key Cryptography Standard
    which is published by RSA Laboratories.

26
Navigator Security
  • PKCS 11 is a specification for an API for
    cryptography and is also called Cryptoki, which
    is pronounced "crypto-key" and is short for
    cryptographic token interface.
  • Cryptoki supports all the current cryptographic
    standards.

27
Explorer Security
  • To view security information for the Web page
    currently loaded in Explorer, click the File
    menu, Properties item, and Certificates button.
  • The advanced security settings for Explorer show
    that it supports SSL 2.0 and 3.0, and TLS 1.0.
  • A document in the Microsoft library states that
    Explorer and Navigator both support PKCS7.

28
Explorer Security
  • PKCS7, according to RSA, is a general syntax for
    cryptographic enhancements.
  • Microsoft also offers PCT security, its own
    version of SSL called Private Communications
    Technology.
  • PCT has been superseded by SSL 3.0 and TLS. It is
    there for backward compatibility.

29
Accepting Electronic Payments
  • A four-step Internet ordering scheme for those
    with their own bank account is illustrated
    below:
  • The customer submits the CGI form to the
    merchant's Web server, secure or not.
  • The CGI script generates an e-mail to the
    merchant, with or without PGP encryption.
  • The CGI script transfers the customer to an
    acknowledgement page.

30
Accepting Electronic Payments
  • The merchant processes the credit cards offline,
    using a separate computer program, a card reader
    with numeric keypad, or by filling out paper slips.
  • The full-service e-commerce Web site, more
    commonly called a storefront, will have a
    sequence of several Web pages to process the
    customer's order:
  • One or more pages for building the list of goods
    to buy,
31
Accepting Electronic Payments
  • a different page to process each different type
    of possible payment,
  • a thank you or acknowledgment page.
  • If the product can be downloaded immediately,
    then the customer is routed to the fulfillment
    area.
  • A complete storefront work flow is shown below:
  • The customer submits the completed order form to
    the merchant server.

32
Accepting Electronic Payments
  1. The merchant server encrypts the payment
    information and sends it to a server run by an
    electronic payment processing company.
  2. The payment processing server relays the
    encrypted payment information to a server that
    can verify the customer's payment information.
  3. The customer's bank server accepts or declines
    the transaction.

33
Accepting Electronic Payments
  1. If accepted, the payment processing server routes
    the payment information to a server that can
    deposit the electronic payment into the
    merchant's bank account.
  2. The payment processing server also relays the
    results of the payment request to the merchant's
    Web server so the order can be processed or
    declined.
  3. The merchant's Web server e-mails the results of
    a successful transaction to the merchant.

34
Accepting Electronic Payments
  • The merchant's Web server generates a page that
    tells the customer if his or her payment was
    accepted or declined.
  • CyberCash is a digital payment processing
    service.
  • To use CyberCash, you need a merchant account.
    You can establish an account with CyberCash.
  • CyberCash's Internet payments business was
    recently acquired by VeriSign.

35
VeriSign/CyberCash
  • VeriSign's Payment Processing services provide
    payment connectivity over the Internet between
    buyers, sellers, and the financial networks that
    move money between them.
  • Their products include Payflow Link, Payflow Pro,
    Commerce Site, and Payflow Fraud. For details,
    check www.verisign.com/products/payment.html

36
Wallets
  • A wallet is an application that keeps track of
    the buyer's payment information.
  • The idea of a wallet is that you enter all your
    credit card information in the wallet, which can
    be automatically launched when it's time to pay
    for something.
  • Microsoft Passport Wallet is the product that
    makes it possible for you to store credit card
    information and your shipping and billing
    addresses in a secure, online location.

37
Wallets and Digital Cash
  • Only you have access to the information in your
    Passport wallet.
  • The first and most familiar form of digital cash
    is credit cards.
  • There are a lot of interesting issues about how
    Digital Cash will work:
  • To buy digital cash, you'd have to download it
    from the bank.
  • Like paper money, it would have to come in
    unalterable denominations.

38
Digital Cash
  • You'd have to have a way to make change.
  • You'd have to either delete spent digital cash
    from your computer or have a way to keep track of
    spent and unspent digital cash files.
  • There are many issues and open questions in this
    field.
  • For more information, refer to
  • www.ex.ac.uk/RDavies/arian/emoney.html

39
EDI
  • EDI (Electronic Data Interchange) is a standard
    format for exchanging business data.
  • The standard is ANSI X12 and it was developed by
    the Data Interchange Standards Association. ANSI
    X12 is either closely coordinated with or is
    being merged with an international standard,
    EDIFACT.

40
EDI
  • An EDI message contains a string of data
    elements, each of which represents a singular
    fact, such as a price, product model number, and
    so forth, separated by a delimiter.
  • The entire string is called a data segment. One
    or more data segments framed by a header and
    trailer form a transaction set, which is the EDI
    unit of transmission (equivalent to a message).
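
A parser for the structure described above, as an added example that is not part of the original slides. It assumes the common ANSI X12 conventions of `*` between data elements, `~` at the end of each segment, and `ST`/`SE` as the header and trailer segments; the purchase order is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Segment is one data segment: a segment ID followed by its data elements.
type Segment struct {
	ID       string
	Elements []string
}

// ParseTransactionSet splits a transaction set into segments and rejects it unless
// the SE trailer matches the ST header and the number of segments actually received.
func ParseTransactionSet(raw string) ([]Segment, error) {
	var segs []Segment
	for _, s := range strings.Split(raw, "~") { // "~" ends a segment (assumed delimiter)
		if s = strings.TrimSpace(s); s == "" {
			continue
		}
		f := strings.Split(s, "*") // "*" separates data elements (assumed delimiter)
		segs = append(segs, Segment{ID: f[0], Elements: f[1:]})
	}
	if len(segs) < 2 {
		return nil, errors.New("missing header or trailer")
	}
	st, se := segs[0], segs[len(segs)-1]
	if st.ID != "ST" || se.ID != "SE" || len(st.Elements) < 2 || len(se.Elements) < 2 {
		return nil, errors.New("transaction set is not framed by ST and SE")
	}
	if n, err := strconv.Atoi(se.Elements[0]); err != nil || n != len(segs) {
		return nil, fmt.Errorf("trailer declares %q segments, found %d", se.Elements[0], len(segs))
	}
	if st.Elements[1] != se.Elements[1] {
		return nil, errors.New("header and trailer control numbers differ")
	}
	return segs, nil
}

// Sample is a constructed purchase order (X12 850) for this example.
const Sample = "ST*850*0001~BEG*00*SA*PO-1001**20240115~PO1*1*10*EA*9.95**VP*MODEL-42~CTT*1~SE*5*0001~"

func main() {
	segs, err := ParseTransactionSet(Sample)
	fmt.Println(len(segs), err)
}
```

The trailer checks catch truncated or spliced transmissions only; they are not a substitute for authenticating the trading partner or signing the message.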

41
EDI
  • A transaction set often consists of what would
    usually be contained in a typical business
    document or form. The parties who exchange EDI
    transmissions are referred to as trading
    partners.
  • EDI (Electronic Data Interchange) has been around
    since its start in the late 1980s and is a B2B
    e-commerce technology.

42
EDI
  • EDI is a very complex, hard-to-support method of
    computerized business.
  • XML/EDI development is under way.
  • XML/EDI provides a standard framework to exchange
    different types of data.
  • The information in a transaction is exchanged via
    an Application Program Interface (API),