SlideShare a Scribd company logo

E comm jatin

Download as PPTX, PDF
Jatin Mandhyan, profile picture
Jatin Mandhyan

The document discusses various security threats in e-commerce. It begins by defining a threat as any person, object, or entity that poses a constant danger to an asset. It then categorizes different types of threats including acts of human error, espionage/trespassing, and network security goals of confidentiality, integrity, authentication, and availability. The document also discusses encryption techniques like symmetric, asymmetric, and digital signatures. It provides examples of symmetric algorithms such as DES, AES, and RSA for asymmetric encryption. Finally, it summarizes various cryptography-based protocols and applications used for e-commerce security.

Technology
1 of 60
Downloaded 21 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
SECURITY IN ECOMMERCE Jatin Mandhyan (06)
threats    A threat is an object, person, or other entity that represents a constant danger to an asset. Management must be informed of the various kinds of threats facing the organization. By examining each threat category, management effectively protects information through policy, education, training, and technology controls
Threats to information security   A threat is an object, person, or other entity that represents a constant danger to an assest. Management must be informed of the various kinds of thrats facing the organization.
Acts of Human Error or failure   Include acts done with no malicious intent. Caused by:         Inexperience Improper training Incorrect assumption Other circumstances Employees are greatest threats to information security- they are closest to organization data. Employee mistakes can easily lead to the following:     Revealing classified data Entry of erroneous data Accidental deletion or modification of data Storage of data in unprotected areas Failure to protect information Many of threats can prevented with controls. be
Espionage/Trespass    Broad category of activities that breach confidentiality  Unauthorized accessing of information  Competitive intelligence vs. espionage  Shoulder surfing can occur any place a person is accessing confidential information Controls implemented to mark the boundaries of an organization’s virtual territory giving notice to trespassers that they are encroaching on the organization’s cyberspace Hackers uses skill, guile, or fraud to steal the property of someone else
Network Security Goals  Confidentiality : only sender, intended receiver should understand message contents - sender encrypts the message - Receiver decrypts the message - Privacy     Integrity: sender and receiver want to make sure that the message are not altered without detection Availability : service must be available to user ( instead of “Nonrepudiation” in security service) Authentication : sender and receiver want to confirm the identify of each other access control: service must be accessible to users
Some key factors for success in Ecommerce         Providing value to customers Providing service and performance Look Advertising Personal attention Providing a sense of community Providing reliability and security Providing a 360-degree view of the customer relationship
The EC Security Environment: The Scope of the Problem       In 2002 Computer Security Institute survey of 503 security personnel in U.S. corporations and government 80% of respondents had detected breaches of computer security within last 12 months and suffered financial loss as a result Only 44% were willing or able to quantify loss, which totaled $456 million in aggregate 40% experienced denial of service attacks 40% reported attacks from outside the organization 85% detected virus attacks
Dimensions of E-commerce Security       Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party Non-repudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet Confidentiality: ability to ensure that messages and data are available only to those authorized to view them Privacy: ability to control use of information a customer provides about himself or herself to merchant Availability: ability to ensure that an e-commerce site continues to function as intended
Dimensions of E-commerce Security
Security Threats in the E-commerce Environment   Three key points of vulnerability:  Client  Server  Communications channel Most common threats:  Malicious code  Hacking and cyber vandalism  Credit card fraud/theft  Spoofing  Denial of service attacks  Sniffing  Insider jobs
Denial Of Service(DOS) HACKER UNWITTIN G HOST “ZOMBIE” OTHER NETWORK COMPUTERS VICTIM’S SERVER USER PCs
Cryptography
E-commerce Security Requirement  1. 2. 3. 4. 5. 6. 7. commerce over open networks (such as internet) can secure if the following happen: Server Security Message Privacy (or confidentiality) Message integrity Authentication Authorization Audit mechanism and non-repudiation Payment and settlement
E-commerce Security Requirement(cont.) 1. Server Security:    Use firewalls and proxy servers Every packet going from the firms computer to the internet or voice versa will be checked “Security” against ”attack” such as viruses, unauthorized access of hackers, trojan horse can be provided.
E-commerce Security Requirement(cont.) 2. Message Privacy   A key requirement for E-commerce it assures that the communication between trading parties are not revealed to other, therefore unauthorized party can not read or understand the message 3. Message integrity   another key requirement for e-commerce it assures that the communication between trading parties are not alerted by an enemy.
E-commerce Security Requirement(cont.) 4. Authentication     Assures that the “sender” of the message is actually the person he/she claims. Paper message The term “authentication” determines the user of the computer is actually who he/she claims. The term “authentication of the receiver”: allows the sender to be sure that the party he/she intend to get the message is the one who is receives it.
E-commerce Security Requirement(cont) 5. Authorization Ensures that the trading party has the authority of transaction  It prevents the risks that employees transactions create economic damage Authentication vs Authorization • Once the system knows who the user is through authentication, Authorization is how the system decides what the user can do 
E-commerce Security Requirement(cont.) 6.Audit mechanism and non-repudiation   Enables exchanging parties to maintain and revisit the history/sequence of events during a period of transaction In e-commerce, these could be computer time stamps, or records of different computer of different stage of transactions 7. Payment and settlements   Vital to widespread e-commerce Secure e-payment ensures that “commitment” to pay for goods/services over media are met
Introduction to “Cryptography”      Plaintext= means the message Encryption=encoding(hiding the contents from outsiders) the message Ciphertext= the encrypted message Decryption=the process of retrieving the plaintext from the ciphertext “Encryption” and “Decryption” makes use of a “key and a coding method”.
Concept of Encryption and Decryption
Goals of Cryptography  Security goals:  privacy • (secrecy, confidentiality) only the intended recipient can see the communication  authenticity • (integrity) the communication is generated by the alleged sender
Encryption techniques  There are three important techniques now in use: encryption or “private key” encryption  Asymmetric or “public key” encryption  Digital signature, which are based on a variation of public key encryption.  Symmetric
Encryption techniques
Symmetric algorithm   Data Encryption Standard(DES) is a symmetric algorithm developed by IBM and maintained by the National Institute of Standard and Technology. It is base on encryption multiple times with different keys. A 56-bit version of DES is commonly used, but can be broken by brute force. Other Symmetric encryption techniques include:    RC4 uses a 40 bit key, but can use up to 256 bits. Triple DES(3DES) used DES three times, effectively giving it a 168 bit key. Advance Encryption Standard(AES), design to replace DES uses 128,192, and 256 bit keys.
Symmetric algorithm-RC4  RC4 (Rivest Codes 4) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer(SSL) to protect: • •   Internet traffic secure wireless networks Remarkable for its simplicity and speed in software RC4 has weaknesses that argue against its use in new systems. it is especially vulnerable when    The beginning of the output keystream is not discarded, Nonrandom or related keys are used, Or a single keystream is used twice;
Symmetric algorithm-3DES      3DES is a minor version of DES Breaking 3DES is much more difficult than DES It defines 3 keys (k1,k2,k3) of 168 bits(3*56bit) Ciphertext(C) is generated from encryption of plaintext (P) by the: C=Ek3 (Dk2(Ek1(P))) Decryption of the cipherext is produced by: P=Dk1 (Ek2(Dk3(C)))
Symmetric algorithm-3DES    Security can be increased by encryption multiple times with different keys. Double DES is not much more secure than single DES because of a “meet-in-the-middle” attack. 3DES (168 bit of keys) can be cracked by trying 112 bits of keys.
Symmetric algorithm-AES  Advance Encryption characteristics: • • • • • • Standard(AES) Private key symmetric block cipher 128-bit data, 128/192/256-bit keys Stronger & faster than triple-DES Provide full specification & design details Both C & java implementations NIST have released all submissions & unclassified
Symmetric algorithm-AES  Initial Criteria:     Security- effort for practical cryptanalysis Cost- in term of computational efficiency Algorithm & Implementation characteristics Final Criteria:     General security Ease of software & hardware Implementation Implementation attacks flexibility
Symmetric algorithm-AES  after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin  RC6 (USA) - v. simple, v. fast, low security margin  Rijndael (Belgium) - clean, fast, good security margin  Serpent (Euro) - slow, clean, v. high security margin  Twofish (USA) - complex, v. fast, high security margin   then subject to further analysis & comment
Symmetric algorithm-IDEA       International Data Encryption algorithm(IDEA) is a 64-bit block cipher with a 128-bit key. Reputation of quality and strength. Some algorithm for both encryption and decryption (i.e. symmetric cryptography)with 8 main iteration. It is based on mixing operations from different algebraic groups(XOR, addition module 2 to the power of 16, Multiplication module 2 the power of 16 plus1) It runs much faster than DES. The main drawback is that it is patented and requires license for all but non-commerical use.
S-box      In cryptography, an S-Box (Substitution-box) is a basic component of Symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext In many cases, the S-Box are carefully chosen to resist cryptanalysis. In general, an S-Box takes some number of input bits,m, and transforms them into some number of output bits, n: an m*n Sbox can be implemented as a lookup table with 2m words of n bit each. . Fixed tables are normally used, as in the (DES), but in some cipher the tables are generated dynamically from the key.
DES vs AES DES AES Date 1976 1999 Block size 64 128 Key length 56 128, 192, 256 Number of rounds 16 9,11,13 Encryption primitives Substitution, permutation Substitution, shift, bit mixing Cryptographic primitives Confusion, diffusion Confusion, diffusion Design Open Open Design rationale Closed Open Selection process Secret Secret, but accept open public comment Source IBM, enhanced by NSA Independent cryptographers
Asymmetric algorithm The second type of key-based algorithms: - Use different key for decryption (or the decryption key cannot be derived from encryption key) - Permits the encryption key to be public(anyone can encrypt with the sites public key), whereas only the right recipient or site can decrypt the message. - The encryption key is also called public key and the decryption key is called secret key or private key. Public-key Cryptography  Encryption key Plaintext Bob Ciphertext Encryption Decryption key Original plaintext Decryption Alice
Public-key cryptosystem-authentication mode
Public-key cryptosystem-encryption mode
Public key Encryption  While many public key cryptographic systems introduced so far only the following three proved to be secure and efficient: Integer factorization systems(e.g. RSA)  Logarithm System (e.g. Digital Signature Algorithm or DSA)  Elliptic curve cryptosystem(also defined as the elliptic curve discrete logarithm system. 
Message Authentication  Protection against active attacks     Falsification of data Eavesdropping Message is authentic if it genuine and comes from the alleged source. Authentication allows received to verify that message is authentic    Message has not altered Message is from authentic source Message timeline
Authentication Using Encryption   Assumes sender and receiver are only entities that know key Message includes: Error detection code Sequence number Time stamp
Message Authentication Code  Generate authentication code based on shared key and message  Command key shared between A and B  If only sender and receiver know key and code matches: Receiver assured message has not altered  Receiver assured message is from alleged sender  If message has sequence number, receiver assured of proper sequence 
Authentication Without Encryption    Authentication tag generated and appended to each message Message not encrypted Useful for:  One side heavily loaded    Message broadcast to multiple destinations   Encryption adds to worked Can authentication random message Have one destination responsible for authentication Program authentication without encryption and can be executed ( without decoding)
Message Authentication Using Message Authentication Code
Cryptography-based protocols, applications & solutions         Secure Socket Layer (SSL/TLS) Digital Signatures Digital Certificates Secure Electronic Transaction (SET) Authentication POP (APOP) Pretty Good Privacy (PGP/GPG) Kerberos Secure shell (SSH)
Pretty Good Privacy (PGP/GPG)     An application for encryption, digitally signing, decryption, and verifying the integrity and authenticity of messages. Allows user to encrypt/decrypt whole message using a veriety of public key encryption algorithms. Allow user to create and verify digital signatures. Now available, in a variety of ports and re-writes, for all popular operating systems.
Kerberos       A network authentication protocol, developed by MIT. Designed provide strong authentication in multi-server, multi-client environments, using symmetric (secretkey) encryption. Available in commerical and Open Source implementations Provider both secure authentication and (optional) encryption of all communications. Based on centralised Authentication Server. Kerberos version 5 has been proposed as an internet standard.
Authentication POP (APOP) Pop is “Post Office Protocol”, a standard Internet protocol for downloading received email on a mail server to workstation’s mail reader.  Pop    Send user ID and password over network as plain text Almost universal APOP    Encrypts password Used MD5 algorithm Only available to mail client that support APOP
Secure Electronic Transaction (SET)   An open encryption and security specification for protecting payment card transaction on the internet Feature: 1) 2) 3) 4)  Protects privacy of transmitted payment and ordering Ensures integrity of all transmitted data Provides authentication that a payment card holder is a legitimate Allows payment card holder to verify that the merchant has a relationship whit an institution that allow it to accept payment cards. Implemented by large e-commerce vendors for large finantial institutions….
SET – Sample Transaction 1. 2. 3. 4. 5. 6. 7. 8. 9. Customer opens account with a bank that support e-payment and SET. Customer receives her own X.509 digital certificate, signed by the bank. Merchants maintain their own X.509 digital certificates. Customer places e-commerce order identifying items and total. Merchant sends his certificate for verification by customer. Payment info(and customer’s certificate)send by customer. Merchant requests credit authorisation from bank. Merchant confirms order to customer. Merchant provides goods/services.
Digital Signatures  An electronic and Digital Signatures    Digital Signatures features:     Authenticates the identity of the sender of a message, or the signer of a document, Or ensures that the contents of a message are intact. Are easily transportable, Cannot be imitated by someone else, And can be automatically time-stamped. The ability to ensure that the original signed message arrived means that : • the sender can not easily repudiate it later.
Digital Signatures  Encryption o o o o Symmetric Systems – same key to encrypt & decrypt-DES Asymmetric System- also known as public key encryption Different key to decrypt-RSA Digital Signatures- utilise the public key of organizations
Digital Signatures     Sender encrypts message with their private key Receiver can decrypt using sender public key The authenticates sender, who is only person who has the matching key. Does not give “privacy” of data
Digital Signatures    Digital Signatures are a cryptographic technique and are one of the most important application of asymmetric public-key cryptography. They are electronic or digital signature that can be used to authentication the identity of the sender of the message or the signer of the document(to ensure that content of the sent message unchange) . A “Signature” is a pair of functions (Sig , Ver) of a key pair and a bit stream M.
Digital Signatures  The Digital Signature, is a small part of message, and includes:      The name of the sender Other key contents The Digital Signature in the outgoing message is encrypted using the sender’s private key. The Digital Signature is then decrypted using the sender’s public key thus providing evidence that the message originate from the sender. Digital Signature and public key encryption combine to provide secure and authentication message transmission.
Digital Signatures-How? sender 1. 2. 3. 4. 5. Create a message Hash the message to product a message digest Encryption the message digest with sender’s private key Append the encrypted digest to the message Send message recipient 1. 2. 3. 4. 5. Receive message Decrypt the message digest whit the sender’s public key If this work’s the sender is authenticated Hash the message to produce another message digest Compare message digest in step 2 with step 4. if the same , the message has been changed.
Digital Signatures
Digital Signatures-Algorithms  Diffe-Hellman    E1 Gamal     Signature scheme base on Diffe-Hellman DSA(Digital Signature Algorithm)   Oldest public key cryptography system still in use Intended to allow sender and recipient to share a secret key Based on E1 Gamal Primarily performance improvements, eg. ,for smart cards SHA (Secure Hash Algorithm) MD5 (Message Digest 5)  Create message digest of fixed length
Some Type of Digital Signatures 1. Blind Digital Signature Schemes 2. Undeniable Signature Schemes 3. Fail-stop Signature Schemes 4. Proxy Signature Schemes 5. Group Signature Schemes
Bibliography    http://cyber.law.harvard.edu/olds/ecommerce/pri vacytext.html http://www.techmaish.com/online-storeoptimization-through-enhanced-securitymeasures/ http://www.shopping-cartdiagnostics.com/uncategorized/online-storeoptimization-through-enhanced-security-
    http://www.quora.com/What-are-the-mainsecurity-issues-with-e-commerce-and-how-toprevent-them# http://econ.ucsb.edu/~doug/245a/Papers/ECom merce%20Privacy.pdf http://en.wikipedia.org/wiki/Ecommerce_security_2 http://webscience.ie/blog/2010/security-issues-

More Related Content

PPTX
Security in E-commerce
m8817
 
PDF
Security issue in e commerce
Bosco Technical Training Society, Don Bosco Technical School (Aff. GGSIP University, New Delhi)
 
PPT
Security environment
Jay Choudhary
 
PPT
6 e commerce security
Naveed Ahmed Siddiqui
 
PPT
E commerce security
Shakti Singh
 
PDF
E-Commerce security
Tawhid Rahman
 
PDF
Ch19 E Commerce Security
phanleson
 
PPSX
Web security for e-commerce
Nishant Pahad
 
Security in E-commerce
m8817
 
Security issue in e commerce
Bosco Technical Training Society, Don Bosco Technical School (Aff. GGSIP University, New Delhi)
 
Security environment
Jay Choudhary
 
6 e commerce security
Naveed Ahmed Siddiqui
 
E commerce security
Shakti Singh
 
E-Commerce security
Tawhid Rahman
 
Ch19 E Commerce Security
phanleson
 
Web security for e-commerce
Nishant Pahad
 

What's hot (20)

PPT
E-Commerce Security
Syed Maniruzzaman Pabel
 
PPTX
Security in e commerce
akhand Akhandenator
 
PDF
E Commerce security
Mayank Kashyap
 
PDF
E commerce Security
Wisnu Dewobroto
 
PPTX
E-commerce- Security & Encryption
Biroja
 
PDF
3 f6 security
op205
 
PPT
Security@ecommerce
Om Vikram Thapa
 
PDF
Protecting Your POS System from PoSeidon and Other Malware Attacks
Netop
 
PPSX
E commerce security
mmousavi
 
DOCX
Cryptography summary
Ni
 
PPT
Online security & encryption
Qamar Farooq
 
PDF
Casestudy us army military, Mile2
Rafael Seg
 
PPTX
Digital signatures and e-Commerce
Naveen Jakhar, I.T.S
 
DOCX
INFORMATION SECURITY MANAGEMENT
Ni
 
PPTX
Strategies to Combat New, Innovative Cyber Threats - 2017
PaladionNetworks01
 
PDF
Two factor authentication
Hai Nguyen
 
PPT
21 security and_trust
Majong DevJfu
 
PDF
Module 3-cyber security
Sweta Kumari Barnwal
 
PPTX
Computer security 7.pptx
Khappiyo
 
PDF
Securing Your Remote Access Desktop Connection
SecurityMetrics
 
E-Commerce Security
Syed Maniruzzaman Pabel
 
Security in e commerce
akhand Akhandenator
 
E Commerce security
Mayank Kashyap
 
E commerce Security
Wisnu Dewobroto
 
E-commerce- Security & Encryption
Biroja
 
3 f6 security
op205
 
Security@ecommerce
Om Vikram Thapa
 
Protecting Your POS System from PoSeidon and Other Malware Attacks
Netop
 
E commerce security
mmousavi
 
Cryptography summary
Ni
 
Online security & encryption
Qamar Farooq
 
Casestudy us army military, Mile2
Rafael Seg
 
Digital signatures and e-Commerce
Naveen Jakhar, I.T.S
 
INFORMATION SECURITY MANAGEMENT
Ni
 
Strategies to Combat New, Innovative Cyber Threats - 2017
PaladionNetworks01
 
Two factor authentication
Hai Nguyen
 
21 security and_trust
Majong DevJfu
 
Module 3-cyber security
Sweta Kumari Barnwal
 
Computer security 7.pptx
Khappiyo
 
Securing Your Remote Access Desktop Connection
SecurityMetrics
 
Ad

Viewers also liked (15)

PPTX
Ecommerce security
politegcuf
 
PPTX
DigiCash
David Evans
 
PPT
Personality enhancement
Puja Mishra
 
PPTX
Secured algorithm for gsm encryption & decryption
Tharindu Weerasinghe
 
PPTX
ASIC Implementation of Triple Data Encryption Algorithm (3DES)
Kevin Xiao Xiao
 
PPT
Appearance grooming
waseem sajjad
 
PDF
Triple Data Encryption Standard (t-DES)
Hardik Manocha
 
PPTX
Trible data encryption standard (3DES)
Ahmed Mohamed Mahmoud
 
ODP
Network Security Topic 3 cryptography
Khawar Nehal khawar.nehal@atrc.net.pk
 
PPT
Chapter 3: Block Ciphers and the Data Encryption Standard
Shafaan Khaliq Bhatti
 
PPTX
Communication in automatic teller machine (atm)
Ruksin Sangrugee
 
PPTX
Security threats
Qamar Farooq
 
PPT
DES
Naga Srimanyu Timmaraju
 
DOC
E-commerce Security and Threats
BPalmer13
 
PPTX
Symmetric and asymmetric key
Triad Square InfoSec
 
Ecommerce security
politegcuf
 
DigiCash
David Evans
 
Personality enhancement
Puja Mishra
 
Secured algorithm for gsm encryption & decryption
Tharindu Weerasinghe
 
ASIC Implementation of Triple Data Encryption Algorithm (3DES)
Kevin Xiao Xiao
 
Appearance grooming
waseem sajjad
 
Triple Data Encryption Standard (t-DES)
Hardik Manocha
 
Trible data encryption standard (3DES)
Ahmed Mohamed Mahmoud
 
Network Security Topic 3 cryptography
Khawar Nehal khawar.nehal@atrc.net.pk
 
Chapter 3: Block Ciphers and the Data Encryption Standard
Shafaan Khaliq Bhatti
 
Communication in automatic teller machine (atm)
Ruksin Sangrugee
 
Security threats
Qamar Farooq
 
DES
Naga Srimanyu Timmaraju
 
E-commerce Security and Threats
BPalmer13
 
Symmetric and asymmetric key
Triad Square InfoSec
 
Ad

Similar to E comm jatin (20)

PPTX
Security for e commerce
Mohsin Ahmad
 
PPT
E-commerce security.ppt
Susan130641
 
PPT
Ecommerce Security
Rebecca Jones
 
PPTX
protection & security of e-commerce ...
Rishav Gupta
 
PPT
Unit 2aa
Sheetal Verma
 
PPTX
securityenvironment.pptx
rehamrere
 
PPT
E-Commerce Chap 5: E-COMMERCE SECURITY AND PAYMENT SYSTEMS (D3 B 2018)
Shandy Aditya
 
PPT
E-COMMERCE SECURITY (2).ppt
Hemlata Gangwar
 
PPT
E-COMMERCE SECURITY (1).ppt VI6R7UTGT6T5FRKDLKUTY
subhamkumar56644
 
PPT
E-COMMERCE SECURITY , e bussines nvjfffbjurgrujgkmdgnfblguisrljkfbbjsreio[q3g...
subhamkumar56644
 
PPT
Electronic commerce security seventh annual edition
pathanaazim
 
PPT
Chapter three e-security
Marya Sholevar
 
PDF
Design and Development of an E-Commerce Security Using RSA Cryptosystem
AM Publications,India
 
PPTX
Security Threats in E-Commerce
Dattatreya Reddy Peram
 
PDF
E-Commerce Privacy and Security System
IJERA Editor
 
PDF
E-Commerce Privacy and Security System
IJERA Editor
 
PPT
Technical seminar on Security
STS
 
PPTX
Chapter 5
Nada G.Youssef
 
PDF
2
ttttttttttttt23
 
PPTX
Risks & secutiry in e commerce
Arti Parab Academics
 
Security for e commerce
Mohsin Ahmad
 
E-commerce security.ppt
Susan130641
 
Ecommerce Security
Rebecca Jones
 
protection & security of e-commerce ...
Rishav Gupta
 
Unit 2aa
Sheetal Verma
 
securityenvironment.pptx
rehamrere
 
E-Commerce Chap 5: E-COMMERCE SECURITY AND PAYMENT SYSTEMS (D3 B 2018)
Shandy Aditya
 
E-COMMERCE SECURITY (2).ppt
Hemlata Gangwar
 
E-COMMERCE SECURITY (1).ppt VI6R7UTGT6T5FRKDLKUTY
subhamkumar56644
 
E-COMMERCE SECURITY , e bussines nvjfffbjurgrujgkmdgnfblguisrljkfbbjsreio[q3g...
subhamkumar56644
 
Electronic commerce security seventh annual edition
pathanaazim
 
Chapter three e-security
Marya Sholevar
 
Design and Development of an E-Commerce Security Using RSA Cryptosystem
AM Publications,India
 
Security Threats in E-Commerce
Dattatreya Reddy Peram
 
E-Commerce Privacy and Security System
IJERA Editor
 
E-Commerce Privacy and Security System
IJERA Editor
 
Technical seminar on Security
STS
 
Chapter 5
Nada G.Youssef
 
2
ttttttttttttt23
 
Risks & secutiry in e commerce
Arti Parab Academics
 

Recently uploaded (20)

PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Encapsulation theory and applications.pdf
gurumoop
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
A Presentation on Artificial Intelligence
memembruh336
 

E comm jatin

  • 2. threats    A threat is an object, person, or other entity that represents a constant danger to an asset. Management must be informed of the various kinds of threats facing the organization. By examining each threat category, management effectively protects information through policy, education, training, and technology controls
  • 3. Threats to information security   A threat is an object, person, or other entity that represents a constant danger to an assest. Management must be informed of the various kinds of thrats facing the organization.
  • 4. Acts of Human Error or failure   Include acts done with no malicious intent. Caused by:         Inexperience Improper training Incorrect assumption Other circumstances Employees are greatest threats to information security- they are closest to organization data. Employee mistakes can easily lead to the following:     Revealing classified data Entry of erroneous data Accidental deletion or modification of data Storage of data in unprotected areas Failure to protect information Many of threats can prevented with controls. be
  • 5. Espionage/Trespass    Broad category of activities that breach confidentiality  Unauthorized accessing of information  Competitive intelligence vs. espionage  Shoulder surfing can occur any place a person is accessing confidential information Controls implemented to mark the boundaries of an organization’s virtual territory giving notice to trespassers that they are encroaching on the organization’s cyberspace Hackers uses skill, guile, or fraud to steal the property of someone else
  • 6. Network Security Goals  Confidentiality : only sender, intended receiver should understand message contents - sender encrypts the message - Receiver decrypts the message - Privacy     Integrity: sender and receiver want to make sure that the message are not altered without detection Availability : service must be available to user ( instead of “Nonrepudiation” in security service) Authentication : sender and receiver want to confirm the identify of each other access control: service must be accessible to users
  • 7. Some key factors for success in Ecommerce         Providing value to customers Providing service and performance Look Advertising Personal attention Providing a sense of community Providing reliability and security Providing a 360-degree view of the customer relationship
  • 8. The EC Security Environment: The Scope of the Problem       In 2002 Computer Security Institute survey of 503 security personnel in U.S. corporations and government 80% of respondents had detected breaches of computer security within last 12 months and suffered financial loss as a result Only 44% were willing or able to quantify loss, which totaled $456 million in aggregate 40% experienced denial of service attacks 40% reported attacks from outside the organization 85% detected virus attacks
  • 9. Dimensions of E-commerce Security       Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party Non-repudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet Confidentiality: ability to ensure that messages and data are available only to those authorized to view them Privacy: ability to control use of information a customer provides about himself or herself to merchant Availability: ability to ensure that an e-commerce site continues to function as intended
  • 11. Security Threats in the E-commerce Environment   Three key points of vulnerability:  Client  Server  Communications channel Most common threats:  Malicious code  Hacking and cyber vandalism  Credit card fraud/theft  Spoofing  Denial of service attacks  Sniffing  Insider jobs
  • 14. E-commerce Security Requirement  1. 2. 3. 4. 5. 6. 7. commerce over open networks (such as internet) can secure if the following happen: Server Security Message Privacy (or confidentiality) Message integrity Authentication Authorization Audit mechanism and non-repudiation Payment and settlement
  • 15. E-commerce Security Requirement(cont.) 1. Server Security:    Use firewalls and proxy servers Every packet going from the firms computer to the internet or voice versa will be checked “Security” against ”attack” such as viruses, unauthorized access of hackers, trojan horse can be provided.
  • 16. E-commerce Security Requirement(cont.) 2. Message Privacy   A key requirement for E-commerce it assures that the communication between trading parties are not revealed to other, therefore unauthorized party can not read or understand the message 3. Message integrity   another key requirement for e-commerce it assures that the communication between trading parties are not alerted by an enemy.
  • 17. E-commerce Security Requirement(cont.) 4. Authentication     Assures that the “sender” of the message is actually the person he/she claims. Paper message The term “authentication” determines the user of the computer is actually who he/she claims. The term “authentication of the receiver”: allows the sender to be sure that the party he/she intend to get the message is the one who is receives it.
  • 18. E-commerce Security Requirement(cont) 5. Authorization Ensures that the trading party has the authority of transaction  It prevents the risks that employees transactions create economic damage Authentication vs Authorization • Once the system knows who the user is through authentication, Authorization is how the system decides what the user can do 
  • 19. E-commerce Security Requirement(cont.) 6.Audit mechanism and non-repudiation   Enables exchanging parties to maintain and revisit the history/sequence of events during a period of transaction In e-commerce, these could be computer time stamps, or records of different computer of different stage of transactions 7. Payment and settlements   Vital to widespread e-commerce Secure e-payment ensures that “commitment” to pay for goods/services over media are met
  • 20. Introduction to “Cryptography”      Plaintext= means the message Encryption=encoding(hiding the contents from outsiders) the message Ciphertext= the encrypted message Decryption=the process of retrieving the plaintext from the ciphertext “Encryption” and “Decryption” makes use of a “key and a coding method”.
  • 21. Concept of Encryption and Decryption
  • 22. Goals of Cryptography  Security goals:  privacy • (secrecy, confidentiality) only the intended recipient can see the communication  authenticity • (integrity) the communication is generated by the alleged sender
  • 23. Encryption techniques  There are three important techniques now in use: encryption or “private key” encryption  Asymmetric or “public key” encryption  Digital signature, which are based on a variation of public key encryption.  Symmetric
  • 25. Symmetric algorithm   Data Encryption Standard(DES) is a symmetric algorithm developed by IBM and maintained by the National Institute of Standard and Technology. It is base on encryption multiple times with different keys. A 56-bit version of DES is commonly used, but can be broken by brute force. Other Symmetric encryption techniques include:    RC4 uses a 40 bit key, but can use up to 256 bits. Triple DES(3DES) used DES three times, effectively giving it a 168 bit key. Advance Encryption Standard(AES), design to replace DES uses 128,192, and 256 bit keys.
  • 26. Symmetric algorithm-RC4  RC4 (Rivest Codes 4) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer(SSL) to protect: • •   Internet traffic secure wireless networks Remarkable for its simplicity and speed in software RC4 has weaknesses that argue against its use in new systems. it is especially vulnerable when    The beginning of the output keystream is not discarded, Nonrandom or related keys are used, Or a single keystream is used twice;
  • 27. Symmetric algorithm-3DES      3DES is a minor version of DES Breaking 3DES is much more difficult than DES It defines 3 keys (k1,k2,k3) of 168 bits(3*56bit) Ciphertext(C) is generated from encryption of plaintext (P) by the: C=Ek3 (Dk2(Ek1(P))) Decryption of the cipherext is produced by: P=Dk1 (Ek2(Dk3(C)))
  • 28. Symmetric algorithm-3DES    Security can be increased by encryption multiple times with different keys. Double DES is not much more secure than single DES because of a “meet-in-the-middle” attack. 3DES (168 bit of keys) can be cracked by trying 112 bits of keys.
  • 29. Symmetric algorithm-AES  Advance Encryption characteristics: • • • • • • Standard(AES) Private key symmetric block cipher 128-bit data, 128/192/256-bit keys Stronger & faster than triple-DES Provide full specification & design details Both C & java implementations NIST have released all submissions & unclassified
  • 30. Symmetric algorithm-AES  Initial Criteria:     Security- effort for practical cryptanalysis Cost- in term of computational efficiency Algorithm & Implementation characteristics Final Criteria:     General security Ease of software & hardware Implementation Implementation attacks flexibility
  • 31. Symmetric algorithm-AES  after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin  RC6 (USA) - v. simple, v. fast, low security margin  Rijndael (Belgium) - clean, fast, good security margin  Serpent (Euro) - slow, clean, v. high security margin  Twofish (USA) - complex, v. fast, high security margin   then subject to further analysis & comment
  • 32. Symmetric algorithm-IDEA       International Data Encryption algorithm(IDEA) is a 64-bit block cipher with a 128-bit key. Reputation of quality and strength. Some algorithm for both encryption and decryption (i.e. symmetric cryptography)with 8 main iteration. It is based on mixing operations from different algebraic groups(XOR, addition module 2 to the power of 16, Multiplication module 2 the power of 16 plus1) It runs much faster than DES. The main drawback is that it is patented and requires license for all but non-commerical use.
  • 33. S-box      In cryptography, an S-Box (Substitution-box) is a basic component of Symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext In many cases, the S-Box are carefully chosen to resist cryptanalysis. In general, an S-Box takes some number of input bits,m, and transforms them into some number of output bits, n: an m*n Sbox can be implemented as a lookup table with 2m words of n bit each. . Fixed tables are normally used, as in the (DES), but in some cipher the tables are generated dynamically from the key.
  • 34. DES vs AES DES AES Date 1976 1999 Block size 64 128 Key length 56 128, 192, 256 Number of rounds 16 9,11,13 Encryption primitives Substitution, permutation Substitution, shift, bit mixing Cryptographic primitives Confusion, diffusion Confusion, diffusion Design Open Open Design rationale Closed Open Selection process Secret Secret, but accept open public comment Source IBM, enhanced by NSA Independent cryptographers
  • 35. Asymmetric algorithm The second type of key-based algorithms: - Use different key for decryption (or the decryption key cannot be derived from encryption key) - Permits the encryption key to be public(anyone can encrypt with the sites public key), whereas only the right recipient or site can decrypt the message. - The encryption key is also called public key and the decryption key is called secret key or private key. Public-key Cryptography  Encryption key Plaintext Bob Ciphertext Encryption Decryption key Original plaintext Decryption Alice
  • 38. Public key Encryption  While many public key cryptographic systems introduced so far only the following three proved to be secure and efficient: Integer factorization systems(e.g. RSA)  Logarithm System (e.g. Digital Signature Algorithm or DSA)  Elliptic curve cryptosystem(also defined as the elliptic curve discrete logarithm system. 
  • 39. Message Authentication  Protection against active attacks     Falsification of data Eavesdropping Message is authentic if it genuine and comes from the alleged source. Authentication allows received to verify that message is authentic    Message has not altered Message is from authentic source Message timeline
  • 40. Authentication Using Encryption   Assumes sender and receiver are only entities that know key Message includes: Error detection code Sequence number Time stamp
  • 41. Message Authentication Code  Generate authentication code based on shared key and message  Command key shared between A and B  If only sender and receiver know key and code matches: Receiver assured message has not altered  Receiver assured message is from alleged sender  If message has sequence number, receiver assured of proper sequence 
  • 42. Authentication Without Encryption    Authentication tag generated and appended to each message Message not encrypted Useful for:  One side heavily loaded    Message broadcast to multiple destinations   Encryption adds to worked Can authentication random message Have one destination responsible for authentication Program authentication without encryption and can be executed ( without decoding)
  • 43. Message Authentication Using Message Authentication Code
  • 44. Cryptography-based protocols, applications & solutions         Secure Socket Layer (SSL/TLS) Digital Signatures Digital Certificates Secure Electronic Transaction (SET) Authentication POP (APOP) Pretty Good Privacy (PGP/GPG) Kerberos Secure shell (SSH)
  • 45. Pretty Good Privacy (PGP/GPG)     An application for encryption, digitally signing, decryption, and verifying the integrity and authenticity of messages. Allows user to encrypt/decrypt whole message using a veriety of public key encryption algorithms. Allow user to create and verify digital signatures. Now available, in a variety of ports and re-writes, for all popular operating systems.
  • 46. Kerberos       A network authentication protocol, developed by MIT. Designed provide strong authentication in multi-server, multi-client environments, using symmetric (secretkey) encryption. Available in commerical and Open Source implementations Provider both secure authentication and (optional) encryption of all communications. Based on centralised Authentication Server. Kerberos version 5 has been proposed as an internet standard.
  • 47. Authentication POP (APOP) Pop is “Post Office Protocol”, a standard Internet protocol for downloading received email on a mail server to workstation’s mail reader.  Pop    Send user ID and password over network as plain text Almost universal APOP    Encrypts password Used MD5 algorithm Only available to mail client that support APOP
  • 48. Secure Electronic Transaction (SET)   An open encryption and security specification for protecting payment card transaction on the internet Feature: 1) 2) 3) 4)  Protects privacy of transmitted payment and ordering Ensures integrity of all transmitted data Provides authentication that a payment card holder is a legitimate Allows payment card holder to verify that the merchant has a relationship whit an institution that allow it to accept payment cards. Implemented by large e-commerce vendors for large finantial institutions….
  • 49. SET – Sample Transaction 1. 2. 3. 4. 5. 6. 7. 8. 9. Customer opens account with a bank that support e-payment and SET. Customer receives her own X.509 digital certificate, signed by the bank. Merchants maintain their own X.509 digital certificates. Customer places e-commerce order identifying items and total. Merchant sends his certificate for verification by customer. Payment info(and customer’s certificate)send by customer. Merchant requests credit authorisation from bank. Merchant confirms order to customer. Merchant provides goods/services.
  • 50. Digital Signatures  An electronic and Digital Signatures    Digital Signatures features:     Authenticates the identity of the sender of a message, or the signer of a document, Or ensures that the contents of a message are intact. Are easily transportable, Cannot be imitated by someone else, And can be automatically time-stamped. The ability to ensure that the original signed message arrived means that : • the sender can not easily repudiate it later.
  • 51. Digital Signatures  Encryption o o o o Symmetric Systems – same key to encrypt & decrypt-DES Asymmetric System- also known as public key encryption Different key to decrypt-RSA Digital Signatures- utilise the public key of organizations
  • 52. Digital Signatures     Sender encrypts message with their private key Receiver can decrypt using sender public key The authenticates sender, who is only person who has the matching key. Does not give “privacy” of data
  • 53. Digital Signatures    Digital Signatures are a cryptographic technique and are one of the most important application of asymmetric public-key cryptography. They are electronic or digital signature that can be used to authentication the identity of the sender of the message or the signer of the document(to ensure that content of the sent message unchange) . A “Signature” is a pair of functions (Sig , Ver) of a key pair and a bit stream M.
  • 54. Digital Signatures  The Digital Signature, is a small part of message, and includes:      The name of the sender Other key contents The Digital Signature in the outgoing message is encrypted using the sender’s private key. The Digital Signature is then decrypted using the sender’s public key thus providing evidence that the message originate from the sender. Digital Signature and public key encryption combine to provide secure and authentication message transmission.
  • 55. Digital Signatures-How? sender 1. 2. 3. 4. 5. Create a message Hash the message to product a message digest Encryption the message digest with sender’s private key Append the encrypted digest to the message Send message recipient 1. 2. 3. 4. 5. Receive message Decrypt the message digest whit the sender’s public key If this work’s the sender is authenticated Hash the message to produce another message digest Compare message digest in step 2 with step 4. if the same , the message has been changed.
  • 57. Digital Signatures-Algorithms  Diffe-Hellman    E1 Gamal     Signature scheme base on Diffe-Hellman DSA(Digital Signature Algorithm)   Oldest public key cryptography system still in use Intended to allow sender and recipient to share a secret key Based on E1 Gamal Primarily performance improvements, eg. ,for smart cards SHA (Secure Hash Algorithm) MD5 (Message Digest 5)  Create message digest of fixed length
  • 58. Some Type of Digital Signatures 1. Blind Digital Signature Schemes 2. Undeniable Signature Schemes 3. Fail-stop Signature Schemes 4. Proxy Signature Schemes 5. Group Signature Schemes