EC and the Virtual Corporation

1
EC and the Virtual Corporation Session 4
2
Session Outline

• Administrivia - any Issues?
• Electronic Commerce in the News
• Student Notes online?
• Case - Kodak
• Review
• Network Infrastructure
• Introduction to Security
• Security Electronic Commerce
• Privacy issues in Electronic Commerce

3
A Framework for Electronic Commerce
4
A Model for E-business
Internal
Business Partners
Supply Chain Mgt
Enterprise Resource Planning
External
Knowledge Applications
Enterprise App Integration
Management Control
Administration Control
Customer Relationship Mgt
Selling Chain Mgt
Figure 4.11 page 103
Customers, Resellers
5
Approaching the Web
Processes
Kodak
Fulfillment Settlement Workflow
Transactions
Database Queries Payments Funds Transfers
Interactivity
Increasing Functionality
Registration Games Forms
Publishing
Advertising Marketing Information
Time or Maturity
David Kosiur, Understanding Electronic
Commerce, p. 107, Microsoft Press 1997
6
Kodak and the Web
What was the business problem?
What was their web strategy? How did they
arrive at the strategy? How did the web strategy
evolve? What lessons for other? Web should
follow business strategy Be ready to change -
apply resources as necessary
7
Understanding the Infrastructure
8
The BIG Picture
9
Internet End-End
How do we move data from one machine to another
on the Internet?
OSI 7-Layer Model
10
Why Layers?
We only have to worry about adjoining
layers when we program
User Interactions
Unreliable
Reliable
Provides data flow
Every device has an IP address
How should data get to its destination - point by
point?
Puts the data on the wire
11
Sockets and Ports

• A socket is a combination of an IP address and a
  port
• 147.26.222.4523
• http//www.fecrc.ctc.com80
• A Port is an address of an application - Many
  ports are
• designed for well known applications
• FTP Port 21
• Telnet Port 23
• SSL Port 443
• HTTP Port 80
• Ports below 1024 are reserved for these type of
  apps
• Applications listen on ports for instructions

Once weve found a machine - how do we identify
a particular service?
12
HTTP

• Hypertext Transfer Protocol
• Request/Response protocol for the web
• Stateless or connectionless (1 operation)
• Determines document format automatically

13
HTTP - 4 Step Transaction
Step 1 Client and Server establish tcp/ip
connection
Step 2 Client issues a request which includes a
URL
Step 3 Server issues a response
Step 4 Server terminates the connection
14
URLs
Actual Syntax is http//lthostgtltportgt/ltpathgt?lts
earch_partgt
URLs not unique to the web - used in ftp, gopher,
and other applications
15
URL Example
Specifies hyptertext transfer protocol. (Method
Web browser uses to read pages on Web)
Look in this directory
http//www.fecrc.ctc.com/et/schedule.html
Connect to this computer
Get this document
16
HTML

• Hypertext Markup Language - developed by Tim
  Berners-Lee at CERN
• Simple document formatting language
• Embedding of control codes tags that browser
  interpret
• HTML 1.0 circa 1989
• HTML with additional features circa 1993
  tables, imagemaps
• Netscape extensions 19941995 colors, frames,
  plugins
• HTML 3.2 1997
• HTML 4.0

17
Four Basic HTML Tags
lthtmlgt lt/htmlgt
ltheadgt lt/headgt
lttitlegt lt/titlegt
ltbodygt lt/bodygt
18
HTML Tag Syntax
End of tag marker
The beginning of the tag
lt
gt
Meta
name"keywords" content"electronic commerce, ec"
Attributes that modify the behavior of a tag
The tag identifier
19
HTML
HTML has become extremely versatile
ltInputgt Forms control ltIMGgt Insert
Images ltEmbedgt Word docs and files ltAppletgt JAVA
applets ltTablegt Tables for formatting ltScriptgt
For program control ltAgt Linking
20
Internet Application Architecture
We wish to move beyond static web pages to
providing dynamic content based on user input
CGI Limitations Scalability Issues
Spawns new process for each event
Common Gateway Interface (CGI)
Script must format and return results with HTML
21
Internet Application Architecture
A language that offers much promise is
JAVA Developed by Sun - not just for the
web Object Oriented like C Create Applets
that run inside a browser Applets loaded from
the web server
22
Internet Application Architecture
Compiled code that is platform neutral Compiler
creates bytecodes Bytecode interpreted by JVM on
any platform Key benefit over CGI?
Moves processing from server to client
23
Internet Application Architecture
Javascript

• Interpreted language
• Embedded into html pages
• Executes when an event is triggered button,
  mouseover
• Supported by Netscape and IE
• Not related to Java at all
• Moves processing from Server to Client
• Not the all purpose tool that JAVA can be

24
Internet Application Architecture
Third party development tools

• Examples Cold Fusion, Net Objects, Net Magic
• Offer a more complete development environment
• Require software components on the web server
• Offer faster development life-cycle
• Strength is in integration with database products

25
Virtual Private Networks
Key selling point for a VPN is COST
26
Introduction to Security
Business Transaction
Internal Threat
Firewall
Firewall
Internet
3rd Party Threat
External Threat
27
Cyber Terrorism?
China and Falun Dafa - WSJ 9/9/99
Jan. 22, 1999 President Clinton added 10 billion
to his 1999 budget to address just type of
problem "We must be ready -- ready if
our adversaries try to use computers to disable
power grids, banking, communications and
transportation networks, police, fire and health
services -- or military assets. More and
more, these critical systems are driven by, and
linked together with, computers, making
them more vulnerable to disruption."
-http//www.abcnews.go.com/sections/tech/DailyNew
s/cyberterrorism_dp_990128.html
28
Internal Threats

• Physical break-ins
• Unattended computers
• Privileged Individuals
• SYSOPs or SYSADMINs
• Internet Service or Access Providers
• Disgruntled employees
• Backdoors / Trapdoors

Nearly half of all computer crimes committed by
employees! -Computer Security Institute/FBI
Study 1998
29
External Threats

• Hackers
• Crackers
• Espionage
• Software bugs
• Viruses
• Worms
• Holes

• Logic bombs
• Trojan horses - aol jpeg
• Forgery
• Impersonation
• Piggybacking
• Software bugs or application faults

30
How Does this Happen?
One of MANY possible Scenarios
1. Hacker gains access to an account gt
Guessing gt Social Engineering gt Defaults gt SATAN

2. He looks for an encrypted password file
3. He runs a password cracker program -This is
why a password should be a combination of
letters numbers and gt 6 characters in length
4. He logs in as a legitimate user
5. He exploits the privileges of his new
account
31
Other Techniques
Exploit holes is software - OS, email
Buffer overflow
Port Scanners
Modem attack
32
End-to-End Threats

• Spoofing
• Sniffing
• Misrouting
• Interception
• Eavesdropping
• Data Theft
• Breach of privacy

33
Why is Security such a Problem?
TCP/IP was not developed with security in
mind It was developed to enable open sharing of
data
34
TCP/IP - Good News/Bad News

• Good News - It Works!

• Bad News - It Works!

35
Security Principles

• Mutual authentication
• Message privacy
• Message integrity
• Non-repudiation

If our solutions implement these principles - we
can conduct reasonably secure commerce over the
Internet
36
Internet Security Tools and Techniques
37
Security Tools and Techniques

• Anti-Virus Software
• Cryptography
• Digital Signatures
• Digital Certificates
• Web Security
• Firewalls
• Browser Preferences
• Secure E-Mail

38
Anti-Virus Software Protection
How do we protect ourselves from virus
attacks? What does anti-virus software do? How
does it work? We need to understand the nature
of a virus first A virus requires a host
39
Cryptography

• Cryptography is the art or science of keeping
  messages secret
• The process by which a message (plaintext) is
  garbled/scrambled (ciphertext) is called
  Encryption
• The process by which the message is
  ungarbled/unscrambled is called Decryption
• A key is used to encrypt and decrypt messages

Cryptography is a cornerstone of Internet Security
40
Conventional Encryption

• Symmetric key encryption
• Uses the same key to both encrypt and decrypt a
  message
• Literally ancient
• technology
• An important part
• of Internet security

41
Symmetric Key Encryption

• Issues
• How do we share the key?
• How do we control who has the key
• once shared?

42
Public Key Encryption

• First Introduced by Whitfield Diffie and Martin
  Helman
• at Stanford University in 1976
• Extended by Rivest, Shamir, and Adleman (RSA)
  in 1978
• Based on using two mathematically related keys
  (i.e. key pair)
• used in the encryption process
• One key is kept private and is known only to the
  owner
• One key is shared publicly and distributed
  widely

43
Private Public Key Relationship

• Data encrypted by the private key can only
• be decrypted using the public key
• Date encrypted by the public key can only
• be decrypted using the private key

This is an extremely powerful relationship
44
Public Key Encryption

• Most algorithms provide for 128-bit key lengths
• The odds of guessing a 128-bit key are
• 1 in 18,446,744,073,709,551,616

45
Encryption Scenario

• Bob wants to send a secure message to Jane
• Bob uses his Private key to encrypt his
  message
• and sends it to Jane

Dear Jane, Here is my message. Bob
29mdjjf jdjdj ki988
Bobs PRIVATE key
46
Encryption Scenario
Jane uses Bobs Public key to decrypt the
message
Dear Jane, Here is my message. Bob
29mdjjf jdjdj ki988
Bobs PUBLIC key
47
Encryption Scenario
We can enhance the exchange - Bob sends a copy of
the clear text along with the encrypted message.
Dear Jane, Here is my message. Bob
29mdjjf jdjdj ki988 Dear Jane, Here is my
message. Bob
Bobs PRIVATE key
48
Encryption Scenario
Jane uses Bobs public key to decrypt the
message. She compares against the clear text to
verify that the message has not be altered.
Dear Jane, Here is my message. Bob
29mdjjf jdjdj ki988 Dear Jane, Here is my
message. Bob
Bobs PUBLIC key
This technique is known as a digital signature
49
Encryption Scenario

• We can further enhance the exchange
• It turns out that it is more convenient to have
  a
• fixed length signature regardless of message
  length
• We use a one-way hashing function to produce
  a
• digest or hash of the message
• Hashing function is an algorithm that produces
  a
• fingerprint that is
• Difficult to reverse
• Changing the message results in a different
  digest

50
Encryption Scenario
Dear Jane, Here is my message. Bob
Hashing Function
Encrypted Digest
Bobs PRIVATE key
Message Digest
Hash
Bob then sends the encrypted digest (digital
signature) and message to Jane
Encrypted Digest
Digital Signature
To Jane
Dear Jane, Here is my message. Bob
51
Encryption Scenario
Now, lets look at what Jane can do
1.
Jane decrypts the digest using Bobs Public key
Bobs PUBLIC key
Message Digest
Encrypted Digest
Hash
Jane compares If hashes equal then this really
is Bob
3.
Dear Jane, Here is my message. Bob
Hashing Function
Message Digest
Hash
Jane runs the clear text message through the
same hashing function used by Bob
2.
52
Encryption Scenario
Finally - Now that Jane is sure of Bobs
identity, she can send Bob a secret key encrypted
with Bobs public key
Secret Key
12k9jdukdddbet
Bobs PUBLIC key
Bob is the only one who can decrypt the Secret Key
This symmetric key is now known only to Bob and
Jane
53
Digital Certificates

• We still need a way to share public keys
• The solution is a Digital Certificate
• A Digital Certificate verifies that a public
  key belongs to
• a particular individual
• Digital Certificates are the equivalent of a
  passport

54
Certificate Authorities

• Digital Certificates are issued by Certificate
  Authorities
• Certificate Authorities are responsible for
  authenticating
• a certificate holders identity
• The Network of Certificate Authorities is
  called the
• Public Key Infrastructure
• X.509 is the leading security architecture
  standard

55
The Four Security Objectives

• Mutual authentication
• Message integrity
• Non-repudiation
• Message privacy

Digital Signature
Encryption
56
Web Security Techniques

• Secure Socket Layer (SSL)
• Secure Electronic Transactions (SET)
• Browser Security Configurations
• Security Icon
• Cookies
• Smart Cards
• Biometrics

57
Secure Socket Layer (SSL)

• Secure Sockets Layer (SSL), a security protocol
  designed by Netscape Communications that
  provides
• data encryption
• server authentication
• message integrity
• optional client authentication for a TCP/IP
  connection
• Web pages that have a SSL connection start with
  https instead of http

58
Secure Socket Layer (SSL)

• Widely implemented - Amazon others
• Secures at the channel layer
• Fairly transparent to the user

59
Web Credit Card Security
Travelocity has conducted over 1 million credit
card transactions since 1996 without a single
case of Internet fraud reported - Jim Marsicano
VP of Travelocity
Source - Electronic Payments Newsletter 45,
August 28, 1998
60
Secure Electronic Transactions

• Secure Electronic Transactions (SET) is a
  standardized, protocol for the safe transmission
  of sensitive bank card information over public
  networks
• SET specifically focuses on credit and payment
  card purchases via the Internet
• SET uses cryptography, digital signatures and
  message digests to ensure secure and safe message
  transmission

61
Secure Electronic Transactions

• SET only allows parties to see information they
  need to know
• SET requires all parties to the transaction to
  have digital
• certificates
• SET is endorsed by both VISA and Mastercard
• SET is only slowly becoming a reality -
  consumer resistance

62
Browser Security Configuration

• An icon in the bottom left corner of each browser
  window indicates the security feature
• Newer versions of browsers allow users to view
  security information about web documents and
  customize security options

Demo with Netscape
63
Browser Security ConfigurationDefining Cookies

• Cookies are bits of information saved on your PC
  while you browse
• Your browser saves the domain and path of the
  location you visited
• The next time you request the URL, your cookie
  information is sent to that sites server
• The site will now be able to recognize your PC
  and statistics related to your previous visits to
  that site

64
Browser Security ConfigurationCookie Awareness

• Your browser has the option of warning you before
  accepting a cookie
• You have the ability to delete cookies saved on
  your PC
• if you want to get rid of those cookies you were
  not aware of
• cookie file(s) can be found in browser directory

Examine Cookie File
65
Smart Cards

• Smart cards are mini-computers in all but name
• Contain memory, a cpu, and I/O facilities
• Typically packaged in a credit card sized
  plastic carrier
• Contain keys for use in crypto applications
• Provide a means of keeping a private key
  private - even
• from the owner

66
Smart Cards Tokens
Certain smart cards generate a token that is
used in the login process 1. Card generates a
number 2. This number is synchronized to the
remote computer 3. User must enter the number
and a PIN to logon 4. User must know the PIN
and have possession of the card
67
Biometrics

• A variety of techniques
• Fingerprint
• Retina
• Voice
• Future Will be used in combination with a
  smart card

An extremely effective authentication tool
68
Biometrics Smartcard
Allows us to become more secure as we base
security on
1. Something the user has
2. Something the user knows
3. Something unique about the user
69
Secure E-Mail

• Privacy Enhanced Mail (PEM)
• Secure MIME (S/MIME)
• Pretty Good Privacy (PGP)

70
Secure Multipurpose Internet Mail Extensions
(S/MIME)

• S/MIME was designed to add security to e-mail
  messages in MIME format
• S/MIME is now the most broadly supported e-mail
  security standard on the Net
• The security services offered are
  authentication (using digital signatures) and
  privacy (using encryption)

71
Firewalls

• Definition of Firewalls
• Common
• Configurations

72
Firewall Defined
A security system that prevents unauthorized
data flow to and from other networks. A
firewall is a combination of hardware and
software
73
Typical Firewall Proxy Server
The bastion host has two network boards and is
connected to two separate networks.
Routing between the two connections is turned
off.
74
Privacy
Patient records remained on a web site at the
University of Michigan Medical Center for 2
months - www.zdnet.anchordesk More than 500,000
people submitted personal information in an
attempt to win one of 10,000 free PCs - these PCs
will record their behavior online! -
www.zdnet.anchordesk Intel has designed a chip
that includes an identifying signature -
www.nytimes.com/library/tech/99/02/biztech/article
s/01priv.html
www.truste.org
75
Privacy
What information is revealed when you visit a
web site?
Demo at Anonymizer.com
76
Privacy
Under the proposed "Cyberspace Electronic
Security Act," investigators armed with a sealed
warrant could comb computers for passwords and
install devices that override encryption
programs, the Post reported, citing the Justice
memo.
http//www.zdnet.com/zdnn/stories/news/0,4586,2317
907,00.html
77
Privacy
The media buzz about morality and productivity
(and impending Presidential race in
1999) are ultimately driving a bigger
picture around content filtering and
personal privacy. The end result will
be that more users, more schools,
more organizations, and more companies will
implement some sort of filtering and
privacy protection software to
safeguard their users.
the need to label Web content is quickly
becoming a pressing concern
http//www.zdnet.com/devhead/stories/articles/0,44
13,1600798,00.html
78
Privacy
Two filtering proposals
Platform for Privacy Preferences (P3P)
Platform for Internet Content Selection (PICS).
79
PICS
PICS is divided up into two components
PICSRules (which are used to express a user's
preferences about the content that
should be accepted by their browser)
and PICS Labels (which are used to
rate information about a site's
content). The two work together to
determine whether your site's content is
filtered in -- or filtered out.
80
P3P
The primary focus of P3P is that it will enable
Web developers to craft sites which
can intelligently and openly handle
data (personal, financial and
otherwise) collected from and about
their users. And it will enable users to set
up preferences for how to relate to any
site's particular privacy practices
to create a digital agreement for how
and what kinds of information can be
exchanged, collected, and used.
81
P3P
A language for sites to express in
humanly and digital readable formats a
set of personal privacy policies for
how they intend to handle user's
data A mechanism for users to
set up their own personal
preferences for what kinds of
information they want to exchange and
how they want this information handled
A means for users and sites to come
to an digital agreement for how
data will be exchanged and used,
and a way to create the actual
electronic exchange.
82
Privacy
What about filtering? What is it and what
should our policy be?
83
Privacy
The Consumer Biometric Privacy Protection
Act will (if it passes) make it
illegal for anyone to steal or
misuse any data or information
which is used to identify you by
your finger, voice, retinal, or facial
prints (also known as "biometric
identification"). And the bill will prevent
companies from recording data for
biometric IDs without your consent.
84
(No Transcript)