Lecture 9: Ecommerce

1
Lecture 9 E-commerce Business

• E-Commerce
• Security Issues
• Secure Transaction
• Secure Network

2
1. E-Commerce

• refers to all commercial transactions conducted
  over the Internet, may include
• Banking
• Sending orders
• Investing
• E-Business Models
• Store Front
• Shopping-Cart Technology
• Auction Model

3
1. E-Commerce Models

• Storefront
• What many people would think when they hear
  e-commerce.
• Enable merchant to
• sell products online
• Organize product catalogs through their websites
• Take orders through the web
• Accept payment
• Manage customer information
• Shopping-cart
• Allows customers to accumulate items they wish to
  buy as they browse the website.
• Eg, Amazon.com
• Auction Model
• Web offers a wide variety of auction sites that
  act as forums for Internet to assume the role of
  sellers and buyers.
• Eg, eBay

4
(No Transcript)
5
(No Transcript)
6
1. E-Commerce security

• Security Made E-Commerce Possible
• The most common form of e-commerce transaction
  consists of a retail purchase from a catalog.
• Provides a way for user to
• Purchase the item
• Manipulate a shopping cart
• Select a payment method

7
1. Secure Sockets

• A browser keeps messages private by using
  encryption technology.
• Encryption process is entirely hidden from users.
• Browser handles the details
• Encrypts the message before sending it
• Technology used SSL (Secure Socket Layer)
• With SSL, a browser can encrypt messages so that
  the content remain private

8
2. Cryptography

• 2 categories of cryptography based on key used
• symmetric key crypto sender, receiver keys
  identical
• public-key crypto encrypt key different from
  decrypt key

9
2. Cryptography Concepts

• Cryptography
• process data into unintelligible form
• idea of encryption

10
2. Cryptographic Algorithms

• Secret key algorithms
• DES (Data Encryption Standard)
• IDEA (International Data Encryption Algorithm)
• Public key algorithms
• RSA (Rivest, Shamir, and Adlerman)
• Message Digest (cryptographic checksum)
• MD5

11
2.1 Secret (Symmetric) Key

• Encrypting and decrypting a message using the
  same key
• Sender sends message and key to receiver
• Problems
• Key must be transmitted to receiver
• Different key for every receiver
• Key distribution centers used to reduce these
  problems
• Generates session key and sends it to sender and
  receiver encrypted with the unique key
• Example of encryption algorithms
• Dunn Encryption Standard (DES), Triple DES,
  Advanced Encryption Standard (AES)

12
2.1 Secret Key (DES)
13
2.2 Public (Asymmetric) Key

• Encrypting and decrypting a message using
  different keys
• Asymmetric two inversely related keys
• Private key
• Public key
• Each party has both a public and a private key
• Either the public key or the private key can be
  used to encrypt a message
• If public key encrypts only private can decrypt
  and vice versa
• Encrypted with private key
• Proves identity while maintaining security
• Example RSA public key algorithm

14
2.2 Public Key (RSA)
15
2.3 Message Digest

• Although secret codes cannot be decrypted,
  hackers can intercept it, add a few bits and
  change the message completely
• How to prevent this to happen?
• Send a message digest together with the message
• What is a message digest?
• a hashed message and has very few bits
  (typically between 128 - 256 bits)

16
2.3 Message Digest

• Message Digest
• MD5 (cryptographic checksum)
• Hash algorithm (one-way function)
• input variable length message (or a document)
• output fixed length cryptographic checksum (eg
  128 bits)
• result also called the hash or message digest
• protect message integrity (eg, against deliberate
  and accidental tampering)

17
2.3 Message Digest

• A simple example of hashing function using
  remainder
• e.g. Let a 1, b 2, . . ., z 26
• to hash apple into a number between 0-9
• add up the letters
• apple 1 16 16 12 5 50
• divide the sum by 10
• the remainder is the hashed value ( 50/10 0)
• send apple together with the hash value 0
• if apple is changed to opple, you can detect it
  because the hash code is different
• o15, opple 64, hash code 4

18
2.4 Security Services Cryptography
Security
Cryptography
Security
algorithms
services
Public
Secret
Message
Authentication
Privacy
Message
key
key
digest
integrity
(e.g., RSA)
(e.g., DES)
(e.g., MD5)
19
2.4 Security Services Cryptography

• Security services
• Privacy preventing unauthorized release of
  information
• Authentication verifying identity of the remote
  participant
• Integrity making sure message has not been
  altered
• Functions provided by cryptography
• Privacy only those who know the (private
  public) keys can encrypt and decrypt the message
• Authentication Use a digital signature (a code
  that can be generated only by a participant, eg
  using his/her private key)
• Integrity A message integrity code (MIC) is
  added to the message MIC as a kind of checksum

20
2.5 Digital Signatures

• Digital signature
• The electronic equivalent of written signatures.
• Authenticates senders identity
• Sender (Bob) digitally signs document,
  establishing he is document owner/creator.
• Verifiable, nonforgeable recipient (Alice) can
  verify that Bob, and no one else, signed
  document.
• Digital signature combines public-key algorithm
  with message digest.
• Digital signature signed message digest
• Sender used its private key to sign the message.

21
2.5 Digital Signatures

• Bob sends digitally signed message

• Alice verifies signature and integrity of
  digitally signed message

22
2.6 Transaction Security Protocols

• Secure Sockets Layer (SSL)
• Uses public-key technology and digital
  certificates to authenticate the server in a
  transaction
• Protects information as it travels over Internet

Without using SSL
When using SSL
23
2.6 Transaction vs. Network Security

• Transaction security protocols protects
  information as it travels over Internet
• It does not protect once stored on receiver
  servers
• Need to protect the servers
• protect the network - network security
• protect the building where the servers are
  located
• Network security
• Allow authorized users access
• Prevent unauthorized users from obtaining access
• Example firewall

24
3. Firewalls

• A specially programmed router between a site and
  the rest of the Internet
• connects to 2 or more networks
• forward and filter packets
• Denial-of-service
• filters packets based on source IP address
• protect hosts within a site from unwanted
  flooding of external packets
• 2 categories
• filter-based
• proxy-based

25
3. Firewalls

• Filter-Based Solution
• table of entries (source IP addr, source port,
  dest. Ip addr., dest. Port)
• example
• filter all packets from port 1234 on host
  192.12.13.14 addressed to well-known port 80 on
  host 128.7.6.5
• ( 192.12.13.14, 1234, 128.7.6.5, 80 )
• Filter all packets addressed to port 80 on
  128.7.6.5
• (,, 128.7.6.5, 80 )
• only allow access to port 25 (eg mail server)
• (,, 128.19.20.21, 25)
• how dynamic?
• Install new filters as firewall is running
• patterns extended to include new ports as new TCP
  connections are established (may not know port
  number in advance)

26
3. Firewalls

• Problem complex policy
• Example to make certain pages of a web server
  available to all external users
• unable to express policy as filters

27
3. Firewalls

• Solution put HTTP proxy on firewall
• proxy a process between a client a server
• remote user establish connection to proxy
• If requested page is allowed
• establish connection to server
• else
• return error
• Policy embodied in application specific proxy

28
Further Readings

• Reading assignment chp 30, text book
• This lecture is intended to provide a brief
  introduction of network and transactional
  security, students who wish to invest more time
  on studying security issues are referred to the
  following resources
• Security Issues
• Davis Chapter 8.
• A master-level course IEG 7006 System
  Administration and Network Security, explore
  in-depth issues of security