Lecturer: Ellis E' Confer - PowerPoint PPT Presentation


PPT – Lecturer: Ellis E' Confer PowerPoint presentation | free to view - id: 12f515-MzU1Y


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Lecturer: Ellis E' Confer


Session Topics: Introduction to Secure e-Commerce. ECT 582 Course ... Customer impersonation. Exposure of confidential information. False or malicious websites ... – PowerPoint PPT presentation

Number of Views:104
Avg rating:3.0/5.0
Slides: 29
Provided by: ellise


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Lecturer: Ellis E' Confer

Secure Electronic Commerce ECT 582 Spring 2006
  • Lecturer Ellis E. Confer
  • E-mail econfer_at_cs.depaul.edu
  • Office Hours Tuesday 430 600 pm

Session Number 1
  • Session Date March 28, 2006
  • Session Objectives
  • Introductions Administrative Items
  • Course Overview
  • Session Topics Introduction to Secure e-Commerce

ECT 582 Course Objectives
  • This course discusses extensions to notions of
    traditional computer security to include current
    advancements and issues related to commerce and
    business conducted over nonproprietary networks.
    We will specifically concentrate on the Internet
    as the medium of choice. We will discuss issues
    of secrecy, integrity and availability threats,
    vulnerability, control and attacks hypertext
    transfer protocols encryption and decryption
    digital certificates and signatures
    non-repudiation and legal differences between
    e-commerce and traditional commerce. This course
    will address e-commerce as well as the
    architectural differences that determine
    particular security solutions.

Prerequisites Text and Supplementary Reading
  • Prerequisites DS 425 Distributed Systems
    Fundamental is considered a prerequisite. CSC
    390 Fundamentals of Information Assurance is also
    considered a prerequisite. .
  • Texts
  • Secure Electronic Commerce, 2nd edition, by
    Warwick Ford Michael S. Baum's, Prentice Hall,
    ISBN 0-13-027276-0.
  • Other articles and selected web references.

Grading Procedure
  • The students final grade will be based on a
    weighted average of the homework assignments,
    exams, and class participation. Weights are as
  • Weight
  • Homework Assignments 40
  • Exams 50
  • Participation 10
  • Class attendance and participation in class
    discussion represent 10 of overall grade and is
    highly considered.
  • Grades will be determined as follows

Procedures and policies
  • 1. No makeup exams will be given.
  • 2. Homework assignments must be turned in on
  • Late homework assignments will not be accepted.
  • Turning in a hard copy version of an
    assignment is the most reliable way to ensure
    that assignments are received on time. When
    transmitting a soft copy of an assignment via
    email, make sure to give yourself adequate time
    for the mail to be delivered by no later than the
    day when the assignment is due. Email delivery
    problems do occur, please ask for a receipt of

ECT 582 Tentative Schedule of Discussions
  • Week 1 Introduction to
    secure e-commerce
  • Week 2 Cryptography (or
    Overview of Cryptography)
  • Week 3 Digital
  • Week 4 Public key
  • Week 5 Midterm Exam (no lecture)
  • Week 6 Non-repudiation,
    Electronic Signature Law
  • Week 7 Electronic Payment
  • Week 8 Internet security
  • Week 9 Web services
    security issues
  • Week 10 Password security

  • Who am I?
  • Who are you?
  • The introduction will be written down so that I
    may collect them when we are done.
  • What is your name?
  • Where are you in your graduate/underground
  • Why are you taking this course?
  • What do you hope to learn from this course?
  • Anything else you feel is interesting and

Instructor background
  • Professional experience
  • 20 years experience as consultant and
  • Stints with Accenture, IBM, Sybase, Tandem, CNA
  • Presently senior executive with consultancy
    software development firms
  • Educational training
  • BSEE from University of Michigan
  • MBA from Indiana University
  • Concentration in finance operations research

Class Info
  • ECT 582 homepage
  • http//facweb.cs.depaul.edu/econfer/ect582
  • Class starts 615 PM
  • Class break 730 PM (15 minutes)
  • Lecture material and discussions
  • Discussions encouraged
  • Topics e.g.
  • Your e-commerce experiences related to security
  • Reports on security published as the course
  • Goal Have fun while learning about security
  • Web site will contain breaking news etc.
  • Each student should check it at least once a week

Introduction To Secure E-Commerce
Introduction to Secure e-Commerce
  • What is Security?
  • What are we securing in e-commerce?
  • Security is heterogeneous concept in general.
  • All security, including e-commerce, deals with
    these 2 KEY concepts
  • Risk
  • Trust
  • Business risk management
  • Risk analysis
  • Risk mitigation
  • Risk transfer

Security Risks to E-commerce
  • Direct financial loss resulting from fraud
  • Payment account abuse
  • Transfer funds without authorization
  • Destroy or hide financial records
  • Customer impersonation
  • Exposure of confidential information
  • False or malicious websites
  • Customer Data Exposures
  • Ex. HR block erroneously import customers' data
    into others' tax returns (February 2000)
  • Data theft

2005 CSI/FBI Computer Crime and Security Survey
  • Highlights of the 2005 Computer Crime and
    Security Survey include
  • The total dollar amount of financial losses
    resulting from security breaches is decreasing,
    with an average loss of 204,000 per
    respondent-down 61 percent from last year's
    average loss of 526,000.
  • Virus attacks continue as the source of the
    greatest financial losses, accounting for 32
    percent of the overall losses reported.
  • Unauthorized access showed a dramatic increase
    and replaced denial of service as the second most
    significant contributor to computer crime losses,
    accounting for 24 percent of overall reported
    losses, and showing a significant increase in
    average dollar loss.
  • Theft of proprietary information also showed a
    significant increase in average loss per
    respondent, more than double that of last year.
  • The percentage of organizations reporting
    computer intrusions to law enforcement has
    continued its multi-year decline. The key reason
    cited for not reporting intrusions to law
    enforcement is the concern for negative

Based on responses from 700 computer security
practitioners in U.S. corporations, government
agencies, financial institutions, medical
institutions and universities
Security Risks to E-commerce (continued)
  • Damage to relations with customer or business
  • An organization that suffers a security-related
    attack or failure may not publicize it
  • Unforeseen cost
  • Legal, public relations, or business resumption
  • Recovering from a security compromise
  • Public relations damage
  • Masquerading
  • Manipulation of web content
  • Malicious rumor
  • Uptake failure due to lack of confidence

Security is an essential ingredient of any
e-commerce solution.
Security Attacks
  • Any actions that compromises the security of
    information systems
  • Normal flow
  • Interruption attack on availability

Info source
Info destination
Security Attacks (continued)
Info source
Info destination
Interception Attack on confidentiality
Modification Attack on Integrity
Info source
Info destination
Fabrication Attack on authenticity
Info source
Info destination
Passive and Active Attacks
  • Passive attacks eavesdropping on, or monitoring
    of, information transmission
  • Release of message contents
  • Traffic analysis
  • Active Attacks modification or creation of false
  • Masquerade one entity pretends to be a different
  • Ex. Session Hijacking taking over an existing
    active session. It can bypass the authentication
    process and gain access to a machine
  • Session Hijacking tool Hunt

Passive and Active Attacks (continued)
  • Replay passive capture of a data, retransmission
    to produce an unauthorized effect
  • Modification of message some portion of a
    legitimate message is altered, or that message
    are delayed or reordered, to produce an
    unauthorized effect
  • Denial of service (DoS) prevents or inhibits the
    normal use or management of communication
  • SYN flooding
  • Winnuke (Perl code of Winnuke)
  • Unfortunately, there are NO security mechanisms
    to counter DoS

Security Services Basic Principles
  • Enhances the security of information systems of
    an organization
  • Confidentiality
  • Ensures that info are accessible only for reading
    by authorized parties
  • Authentication
  • Ensures that the origin of a message or
    electronic document is correctly identified, with
    assurance that the identity is not false
  • Integrity
  • Ensures that only authorized parties are able to
    modify an electronic document

Security Services Basic Principles
  • Non-repudiation
  • Require that neither the sender nor the receiver
    of a message be able to deny the transmission
  • Auditing
  • Requires logging of all system activities at
    levels sufficient for the reconstruction of
  • Access control
  • Requires that access to information recourses may
    be controlled or for the target system
  • Availability
  • Requires that computer system asset be available
    to authorized parties when needed

Security Mechanisms
  • Detect, prevent, or recover from a security
  • Encipherment
  • the process of enciphering or converting plain
    language, indicators, etc. into cipher.
  • Digital signature mechanisms
  • Access control mechanisms
  • Data integrity mechanisms
  • Authentication exchange mechanisms
  • Traffic padding mechanisms
  • Routing control mechanisms
  • Notarization mechanisms

E-commerce v.s. Paper-based Commerce
  • Security attributes of signed paper document
  • Semi-permanence of ink embedded in paper fibers
  • Particular printing process
  • such as letterhead
  • Watermarks
  • Biometrics of signature
  • Time stamp
  • Obviousness of modifications, interlineations,
    and deletions

E-commerce v.s. Paper-based Commerce
  • Computer-based document do not have such security
  • Computer-based records can be modified freely and
    without detection
  • Certain supplemental control mechanisms must be
    applied to achieve a level of trustworthiness
    comparable to that on paper
  • Paper-based and computer-based documents may not
    perform equal or exactly analogous function in
    business and law
  • Ex. negotiable document of title

E-commerce Security Framework
  • Business requirements for security
  • Security Strategy
  • Threats
  • Vulnerabilities
  • Defenses
  • Legal
  • Security Architecture
  • Procedures
  • Technology
  • People (training, monitoring, audits)
  • Security Technology
  • Main focus of this course
  • Cryptography, Certificates, PKI, SSL

Model for Network Security
Security Service Design Basics
  • Basic tasks in designing a particular security
  • Design an algorithm for performing the
    security-related transformation
  • Generate secret information to be used with the
  • Develop methods for the distribution and sharing
    of the secret information
  • Specify a protocol to be used by the two
    principals to achieve a particular security

Next Session Highlights
  • Chapter 4 of Ford and Baum
  • Complete Assignment 1
About PowerShow.com