wanderooswarren, Artificial Intelligence and Robotics

21 Nov 2013

e-Commerce
Chapter 2 (Updated on 6-4-2007)
Security and E-commerce (Lectures 4, 5, 6)

Lect-4

1. Overview of security:


1.2 ***Security may be of many kinds:

- Physical
- Personal
- Operation
- Technical
- Network and Web ***** (important for us)
- Special application security: e.g. Java has some built-in security.
- and many others



1.3 ****Network and Web Security

Some common security measures:

- Username and password for access control
- Network administrator
- Firewall (software or hardware used to isolate and protect a private system or network from a public network)



1.4 Message Security and its importance:

Messaging Security
- Confidentiality
- Integrity
- Authentication
- Non-Repudiation
- Access Controls

These are explained in detail in the Greenstein text from pages 228-232. Along with this explanation, you can find many examples on the Web where these same 5 principles are explained and used.

Below, we find an example from a bank's web site of how they adhere to the same 5 principles of IT security in communications.


There are 5 key components of security in correspondence that businesses try to establish in e-communications.

- Confidentiality: the communication between two parties has not been seen by a third party and the content of the communication has remained secret.

- Integrity: the communication has not been tampered with, nor has the message been edited (or the amount of money been changed), and there must be a way of matching the copy held by the receiver to the original sent by the sender.

- Authentication: the identity of the author/sender can be verified, so that the receiver knows the message/information did indeed come from the proper source.

- Non-repudiation: the sender cannot deny having sent the message, nor can they have means to change any of the content (including currency amounts) within the message. This is critical to keeping agreements when the time lag (between sending and receiving) sees market conditions change.

- Access Control: only the authorized recipient can open the message. Usually, to open it you need some sort of cyber key, which will be a large, unbreakable number, hopefully difficult to hack into.




2. CRYPTOGRAPHY

What is cryptography?

Cryptography comprises a family of technologies that include the following:

- Encryption transforms data into some unreadable form to ensure privacy. Internet communication is like sending postcards, in that anyone who is interested can read a particular message; encryption offers the digital equivalent of a sealed envelope.

- Decryption is the reverse of encryption; it transforms encrypted data back into the original intelligible form.

- Authentication identifies an entity such as an individual, a machine on the network, or an organization.

- Digital Signatures bind a document to the possessor of a particular key and are the equivalent of paper signatures. Signature verification is the inverse of a digital signature: it verifies that a particular signature is valid.

When you are looking at the online version of Chpt 6 of hannon's book, make sure you read the real story of a company that could break into the computer system of a Fortune 500 company.



3. Digital Cryptography works on two levels

Digital Signatures

Digital signatures can be authenticated by third parties, giving credibility to the sender and receiver. In e-commerce, leading financial institutions and government authorities are positioning themselves to be certification authorities. When the digital signature of the recipient is validated by a certification authority, assurance can be provided that:

- The sender of a message/transaction is who they claim to be.

- The sender has participated in the transaction, meaning they are aware of the content (and of the amounts, if money is part of the message).

- The information details (payee or payer) and any statement of money have not been changed in mid-transit.









Lect-5

e-Commerce
Chapter 2
Security and E-commerce
Lecture 5

1. Review from last lecture

2. Encryption:







- Encryption transforms data into some unreadable form to ensure privacy. Internet communication is like sending postcards, in that anyone who is interested can read a particular message; encryption offers the digital equivalent of a sealed envelope.

- Decryption is the reverse of encryption; it transforms encrypted data back into the original intelligible form.


3. Elements of an Encryption system

- The plain text: the raw message or data that is to be encrypted.

- The cryptographic algorithm or cipher: a mathematical set of rules that defines how the plain text is to be combined with a key.

- The key: a string of digits.

- The cipher text: the encrypted message.

Example:

If we take the phrase "web store" and add 2 characters to each letter, the phrase becomes "ygd uvqtg".

Here "web store" is the plain text,
"add x characters to each letter" is the cryptographic algorithm,
2 is the key, and
"ygd uvqtg" is the cipher text.

4. Key and algorithm

Key:
A ---- C
B ---- D

Algorithm: the rules, i.e. after 2 letters: f(x) --- f(x+2)
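The "web store" shift example above, worked in Python. This is an added example, not code from the lecture notes; the function names shift_encrypt, shift_decrypt and key_space are chosen here. Only letters are shifted, and spaces pass through unchanged, which is what gives the lecture's "ygd uvqtg". The last function goes one step beyond the notes: it lists the decryption under every possible key, to show that a key which is a single small digit gives an eavesdropper only 25 candidates to read through, so the size of the key space, not just the secrecy of the key, decides how strong the cipher is.

```python
"""Shift (Caesar) cipher: plain text, algorithm, key and cipher text.
Added teaching example; not part of the original lecture notes."""
import string

ALPHABET = string.ascii_lowercase          # the 26 letters the key shifts over


def shift_encrypt(plain_text: str, key: int) -> str:
    """The algorithm f(x) -> f(x + key): move each letter `key` places along
    the alphabet, wrapping from z back round to a.  Non-letters are kept."""
    out = []
    for ch in plain_text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)                  # spaces, digits, punctuation unchanged
    return "".join(out)


def shift_decrypt(cipher_text: str, key: int) -> str:
    """Decryption is the same rule run backwards: shift by -key."""
    return shift_encrypt(cipher_text, -key)


def key_space(cipher_text: str) -> dict:
    """Every decryption the cipher text could have under keys 1..25.
    A shift cipher has only 25 useful keys, so the whole key space can be
    listed and the one readable line picked out by eye.  This is why the
    *number* of possible keys matters as much as keeping the key secret."""
    return {k: shift_decrypt(cipher_text, k) for k in range(1, 26)}


if __name__ == "__main__":
    cipher = shift_encrypt("web store", 2)   # the lecture's plain text and key
    print(cipher)                            # ygd uvqtg
    print(shift_decrypt(cipher, 2))          # web store
    for k, candidate in key_space(cipher).items():
        print(f"key {k:2d}: {candidate}")
```

Running the block reproduces the lecture's pair ("web store", key 2 → "ygd uvqtg") and then prints all 25 candidate decryptions, of which exactly one is English.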




5. Public and Private key (review of public-key and private-key encryption)


6. Types of encryption

Symmetric key encryption: also known as single-key, secret-key or private-key encryption. It involves the use of a single key that is shared by both the sender and the receiver, and only the sender and receiver know the key. After creating a message, the sender encrypts it with the private key and passes it to the recipient, who then decrypts it with the same private key. Example: the DES method.

    Plain text + Secret-key = Cipher text   --(Internet)-->   Cipher text + Secret-key = Plain text
















Asymmetric key encryption: also known as public key encryption. It involves the use of two keys, one that can be used to encrypt messages (the public key) and one that can be used to either encrypt them or decrypt them (the private key). These key pairs can be used in two different ways, to provide privacy or authentication:

In case of Privacy:

    Plain text + Public-key = Cipher text   --(Internet)-->   Cipher text + Private-key = Plain text

In case of Authentication:

    Plain text + Private-key = Cipher text   --(Internet)-->   Cipher text + Public-key = Plain text



7. Comparison between Asymmetric key encryption and Symmetric key encryption:

Symmetric key encryption:
- Limitations with regard to key distribution.
- Limitations in maintaining privacy.
- Unable to support non-repudiation. As both parties share the same key, it is possible for one party to create a message with the shared secret key and falsely claim that it had been sent by the other party.

Asymmetric key encryption:
- The public key can be made widely available, and therefore there is no distribution problem.
- Disadvantage: it is relatively slow. So when it is being used only for authentication, it is not desirable to encrypt the whole message, particularly if it is a long one. To get round this, a digital signature is used.
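The two flows drawn in section 6 and the comparison in section 7, worked in Python as an added example (not code from the lecture notes). The RSA here is textbook RSA with two fixed primes and no padding, chosen so the "Plain text + key = Cipher text" arithmetic is visible; it is a teaching toy, not a replacement for a real library. The primes, the sample message and the shared key are constructed values, and the names symmetric_crypt, keygen, rsa_apply, rsa_unapply, sign, verify and demo are chosen here. The block shows the symmetric flow (one shared key does both directions), the privacy flow (public key in, private key out), the authentication flow (private key in, public key out), the digital signature the comparison recommends instead of encrypting a long message, and the non-repudiation gap of a shared key: a message the receiver makes itself looks exactly like one from the sender.

```python
"""Symmetric vs asymmetric encryption flows, plus a digital signature.
Added teaching example with textbook RSA (fixed primes, no padding)."""
import hashlib


# ---- Symmetric: one secret key shared by sender and receiver ---------------
def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream derived from (key, block counter).
    The same call encrypts and decrypts:  Plain text + Secret-key = Cipher
    text  and  Cipher text + Secret-key = Plain text."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


# ---- Asymmetric: a public/private key pair (textbook RSA) ------------------
P, Q = 2**31 - 1, 2**61 - 1   # Mersenne primes picked for the example (assumed)


def keygen(p: int = P, q: int = Q, e: int = 65537):
    """Return (public_key, private_key), each an (n, exponent) pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, data: bytes) -> list:
    """Raise each 8-byte block of data to the key's exponent mod n (n is
    about 2^92, so a 9-byte block always fits).  A 0x01 byte is prefixed to
    every block so leading zero bytes survive the integer round trip."""
    n, exp = key
    return [pow(int.from_bytes(b"\x01" + data[i:i + 8], "big"), exp, n)
            for i in range(0, len(data), 8)]


def rsa_unapply(key, blocks: list) -> bytes:
    """Undo rsa_apply with the other half of the key pair."""
    n, exp = key
    out = b""
    for c in blocks:
        m = pow(c, exp, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]   # drop 0x01
    return out


def sign(private_key, msg: bytes) -> list:
    """Digital signature: apply the private key to a hash of the message
    rather than to the whole (possibly long) message."""
    return rsa_apply(private_key, hashlib.sha256(msg).digest())


def verify(public_key, msg: bytes, sig: list) -> bool:
    """Signature verification is the inverse: the public key must turn the
    signature back into the hash of the message actually received."""
    return rsa_unapply(public_key, sig) == hashlib.sha256(msg).digest()


def demo() -> dict:
    msg = b"Pay 100 EUR to account 42"           # constructed sample message
    altered = b"Pay 900 EUR to account 42"       # same message, amount changed
    shared = b"constructed-shared-secret-key"    # constructed symmetric key
    pub, priv = keygen()

    ct = symmetric_crypt(shared, msg)
    # Non-repudiation gap: the receiver holds the same key, so a message it
    # produced itself is indistinguishable from one the sender produced.
    made_by_receiver = symmetric_crypt(shared, altered)

    sig = sign(priv, msg)
    return {
        "symmetric_ok": symmetric_crypt(shared, ct) == msg,
        "receiver_can_forge": symmetric_crypt(shared, made_by_receiver) == altered,
        # Privacy: public key encrypts, only the private key decrypts
        "privacy_ok": rsa_unapply(priv, rsa_apply(pub, msg)) == msg,
        # Authentication: private key "encrypts", public key "decrypts"
        "authentication_ok": rsa_unapply(pub, rsa_apply(priv, msg)) == msg,
        "signature_ok": verify(pub, msg, sig),
        # Changing the amount in transit breaks the signature
        "tampered_ok": verify(pub, altered, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

In the output every flag is True except tampered_ok, which is False: the signature made over "100 EUR" does not verify against "900 EUR". Compare receiver_can_forge, which is True: with a shared key there is no cryptographic way to tell which party produced a ciphertext, which is the comparison's point about non-repudiation.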










Lect-6

8. Digital signature and Digital certificate:

From web: see handout

8.1 Digital signature: see handout

8.2 Digital Certificates: see handout


9. Overview of literate security systems:

10. The secure e-payment process method:

A secured payment transaction system is critical to e-commerce. Without a secured payment transaction system, e-commerce will be a castle built on sand. There are two common standards used for secure e-payments: SSL and SET.

SSL (Secure Sockets Layer): sits between HTTP and TCP on a web server. It is a transport layer security protocol and uses RSA public key cryptography.

Currently, the fast-growing Internet consumer commerce is mainly based on accepting credit cards over SSL. SSL indeed provides a secured connection for payment transactions between customers and merchants. But the security ends at the merchant's side: it does not keep the credit card number safe after the transaction is completed.

SET (Secure Electronic Transaction): designed for MasterCard and VISA cards. Uses RSA public key cryptography.

SET is a messaging protocol designed by VISA and MasterCard for securing credit card transactions over open networks, such as the Internet.

In the SET protocol a transaction has three players: the customer, the merchant and the merchant's bank. The SET protocol has three principal features, as listed in the following:

1. All sensitive information sent between the three parties is encrypted.

2. All three parties are required to authenticate themselves with certificates from the SET certificate authority.

3. The merchant never sees the customer's card number in plain text.

The third feature actually makes Internet commerce more secure than traditional credit card transactions such as paying by credit card in-store, over the phone or through a mail-order form. It is also more secure than SSL.