ECommerce Infrastructure

1
E-CommerceInfrastructure Security

• Lecture 4
• Hosting Business Models

2
An Interesting Story

• Managing large-scale courses
• System in use designed 10 years ago
• Has evolved into a scalable system
• Manages over 3000 students
• Over 200 TAs
• Many different courses

3
Entropy Kicks In

• Entropy states that everything moves from a
  complex system to breakdown
• Interesting to think how this coincides with the
  theory evolution
• System is plagued by entropy!

4
Current Problems

• Assignments lost
• Grades lost
• Inordinate amount of time spent hacking the
  system
• Dedicated, much-needed person required
• Stability of personnel!

5
Silver Lining?

• Wheres the fix?
• The existing system has been patched so much that
• Its not stable
• Its not viable to continue its upkeep
• Its not the Universitys mission to develop
  maintain software!

6
The Classic Problem

• Build (internal)
• vs.
• Buy (another company)

7
Societys Complexity

• More and more, companies (and individuals) are
• Specializing in skills
• Increasingly reliant upon each other
• Have no idea how to do things other than their
  specialization
• Example making pies
• Cost effective, but with drawbacks

8
The Least Common Denominator

• Companies are interested in increasing sales
• Thus they will want to maximize their market
  potential
• This often comes at the price of specialization
  lost

9
Our Solution

• We had to find an outside vendor
• Manage the courses and the students
• Allow for an easier interface
• Reliability a must!

10
Enter WebCT

• New functionality made it an option
• The vendor seemed reasonable
• The interface was much better than ours
• It was free USG licenses already

11
The Stuff Hits the Fan

• Deployment delayed
• Reliant upon others now
• Additional functionality came months/years late

12
But!

• We dont have to maintain the code
• Its better for the earlier reasons
• We can focus on teaching (right! ?)

13
Whats the Point?

• Should we develop in-house?
• Should we outsource?
• Pros and cons either way!
• Stay Tuned!!!

14
Agenda

• Essentials of an E-Commerce Site
• Build vs. Buy Models
• Outsourcing Options
• Issues to Consider
• Encryption PGP

15
E-Commerce Essentials

• Web Presence
• Catalog Display
• Shopping Cart
• Transaction Processing
• Hooks

16
Web Presence

• Obviously we need a Web site!
• Clean interface is a must
• Style reflects the company
• Make the purchase easy!

17
Catalogs

• Small stores can get away with simple static Web
  pages
• But what issues are present with a large store?
• What might Best Buy want to have?

18
Complex Catalog Features

• Search
• By name, brand, upc-code, model number
• Categories for organization
• Pictures
• Features list
• Never stand in the way

19
Implementing the Catalog

• Wanna keep updating Web pages each time the
  catalog changes?
• Whats a better approach?

20
DB Backend to Catalogs

• Database manages catalog content
• Tracks
• Availability
• Price
• All consumer info (features, etc.)
• Pictures

21
Shopping Cart

• Replace legacy on-line forms
• NUTS!
• Preview order
• Add/Remove
• View total cost
• Allow customer to proceed to checkout

22
Storing Information

• Browsers are stateless
• So how do you remember who has what in their
  shopping cart?
• How do you remember customer info from
  transaction to transaction

23
Transaction Processing

• What the cashier would do
• Add sales tax (if applicable)
• Discounts
• Special Promotions
• Coupons
• Gift wrapping
• Shipping
• Order Tracking (typically outsourced)

24
Hooks

• Other services are typicallycoupled with
  E-commerce sites
• Credit card processing
• Legacy systems
• Database systems

25
Buy vs. Build

• Is the company in the Web design/upkeep
  business?
• Stores are interested in selling their products
• Should someone else run the site?

26
Costs?

• What might some of the costs be in running your
  own E-commerce site?

27
Cost Analysis Essential

• What does it cost to
• Purchase hardware
• Purchase software
• Network the office
• Purchase Net connection
• Build the site
• Maintain the site
• Hire full-time, 24-7 support
• Etc.

28
Got Website?

• Why might you not want to outsource the whole
  enchilada?

WEB
29
Why Not Outsource?

• Giving up some (all?) control
• Limited somewhat in offerings
• Service providers might be overselling
• Locking yourself into one-vendor solutions -
  YIKES!

30
Outsourcing Options

• Use an ISP for connection
• Run the content off of your machines
• Web Hosting
• Put it all on their machines

31
Pricing

• What can you afford?
• Micro stores
• Moms Pops
• Midrange
• Enterprise

32
Micro Stores

• Less than 100 items in store
• Startup Cost 2,000
• Monthly Cost 0 - 100

33
Small-Scale Development

• Smaller companies
• Want to test the water
• Gross sales 100,000
• Startup Cost 2,000
• Monthly Cost 3 of sales

34
Mid-Range Stores

• Hosted on merchants machines
• Must pay for setup 30,000
• Setup machines
• Setup Web site
• Purchase connectivity
• Monthly Cost 12,000-20,000

35
Monthly Expenses?

• No less that two full time people
• 60,000/yr minimum salary benefits
• 2,000 for co-location of machine(s)
• Machine upgrades, maintenance, etc.

36
Enter the Big Dogs

• If youre doing B2B, youre going to pay
• Larger organizations
• More transactions
• More complete back-end features (hooks)

37
EnterpriseArchitecture
Catalog DB
Corporate Server
Web Server
Client
Payment Server
Banks
38
Naming Is Important!

• Which is better
• www.superstickers.com
• www.yahoo.com/superstickers

39
Credibility

• Users of the site must
• Feel they can trust the owner
• Find what they are looking for quickly
• Want to come back
• Enjoy the experience

40
Intermission
41
Encryption

• Project 2 Due on Thurs.
• Cryptography Basics
• Symmetric vs. Asymmetric Cryptography
• Attack Methods
• PGP

42
Crypto Basics

• Cryptography is thousands of years old
• Caesar Cipher based upon substitution
• AD, BE, etc.
• rot13 is a simple example of substitution
  cryptography
• V ybir vasbezngvba grpubaybtl

43
Weaknesses in Older Crypto

• Patterns are easily discovered
• Letters are not randomized
• Frequency of letters (esp. vowels)
• Strength of the crypto is insufficient given
  modern computers
• Cryptoquotes for example

44
Encryption Decryption
Encryption
Plaintext
Ciphertext
Crypto Algorithm
Decryption
45
Symmetric Crypto

• Also known as private key cryptography
• Both sender and receiver have same key
• Problems
• Securing the key
• Number of keys O(n2) so 100 people
  communicating privately would need 10000 keys!

46
Symmetric Key Infrastructure
47
Asymmetric Crypto

• Also known as public key cryptography
• Sender and receiver have different keys
• Each has a public key and a private key
• Public keys are distributed via a KDC
• This scheme requires O(n) key pairs

48
Asymmetric Key Infrastructure
KDC
49
Public Key Cyrpto
Plain text
Encryptionwith Public KeyReceiver
Cipher text
Plain text
Decryptionwith Private KeyReceiver
50
How Public Key Crypto Works

• You get my public key from the KDC
• You encode a message to me using my public key
• Only my private key can unlock this
• I receive the message
• I decode it using my private key (that only I
  have)
• I can then read the message

51
Public Key Infrastructure

• Requires validation of keys
• Thus certificate authorities
• Public key certificate contains
• ID
• Identifying information (name, e-mail)
• Date created
• Certifying authorities (their signatures)

52
Public Key Encryption
Encrypted with Bobs Public Key
Encrypted with Alices Public Key
Alice
Bob
Message is Garbageto Third Party
53
Attack Methods

• Brute Force
• Requires recognition of plaintext
• Key length determines strength
• Cryptanalysis
• Mathematical attack
• Faults in system
• Hack into creator of the key pair

54
Attack Methods (cont)

• Factoring Attacks
• Security of asymmetric crypto resides in large
  number theory
• Its easy to generate a large composite number
  (multiply two large primes)
• But its (thought) difficult to factor these

55
Mathematical Underpinnings

• Pick two large primes
• P Q
• Pick another large number (e) which does not have
  common factors with (P-1)(Q-1)
• Public key PxQ e
• Private key e-1 mod ((p-1)(q-1))

56
Trap Door Theory

• Easy to create private key
• Difficult to reconstruct it
• Its easy to create the large number N
• But its difficult to factor it into P Q

57
An Example

• Took seconds to generate N 114,381,625,757,888,8
  67,669,235,779,976,146,612,010,218,296,721,242,362
  ,562,561,842,935,706,935,245,733,897,830,597,123,5
  63,958,705,058,989,075,147,599,290,026,879,543,541
  (RSA-129, 1977)
• But can you find the two primes P Q such that
  PxQN?

58
In Case You are Wondering

• After 17 years, it took 8 computer months and
  over 1600 computers working worldwide
• P3,490,529,510,847,650,949,147,849,619,903,898,13
  3,417,764,638,493,387,843,990,820,577
• Q32,769,132,993,266,709,549,961,988,190,834,461,4
  13,177,642,967,992,942,539,798,288,533
• And this was only a 429-bit key youll be using
  a key which is 2048 bits long (5 times as long)
  which would require MUCH more time to decrypt
  (about a million times more)

59
Publish or Perish?

• Should crypto algorithms be made public?
• Isnt the secrecy of the algorithm beneficial to
  security?
• How about a peer review process?

60
False Encryption
Falsely Encrypted
Falsely Encrypted
Alice
Bob
Carol
61
Current Technologies

• S/Mime - encrypted e-mail
• SSL - secure sockets layer for bi-directional
  communication (web)
• SET - secure credit card purchasing such that
  merchant doesnt see card
• SSH - secure shell like Telnet (putty)

62
PKI Digital Signatures
Plain text
Encryption of MDFwith Private KeySender
Plain text
Decryption of MDFwith Public KeySender
63
PGP

• Invented by Phil Zimmerman
• Originally released in 1991
• Used the RSA algorithm w/ legal issues
• Now it uses IDEA, CAST, and TripleDES
• Allows for variable crypto strengths

64
Key Strength

• Presumably, the larger the key, the harder the
  crypto is to crack
• Why not just make the key 100,000 bits or more?

65
Do Project 2 PGPHave a Great (Safe) Holiday!
FIN
66
Have a Nice Long Weekend!
FIN