1
Secure Electronic Commerce ECT 582 Spring 2006
  • Lecturer: Ellis E. Confer
  • E-mail: econfer_at_cs.depaul.edu
  • Office Hours: Tuesday 4:30 - 6:00 pm

2
Session Number 1
  • Session Date: March 28, 2006
  • Session Objectives:
  • Introductions, Administrative Items
  • Course Overview
  • Session Topics: Introduction to Secure e-Commerce

3
ECT 582 Course Objectives
  • This course discusses extensions to notions of
    traditional computer security to include current
    advancements and issues related to commerce and
    business conducted over nonproprietary networks.
    We will specifically concentrate on the Internet
    as the medium of choice. We will discuss issues
    of secrecy, integrity and availability; threats,
    vulnerabilities, controls and attacks; hypertext
    transfer protocols; encryption and decryption;
    digital certificates and signatures;
    non-repudiation; and legal differences between
    e-commerce and traditional commerce. This course
    will address e-commerce as well as the
    architectural differences that determine
    particular security solutions.

4
Prerequisites, Text and Supplementary Reading
Materials
  • Prerequisites: DS 425 Distributed Systems
    Fundamentals is considered a prerequisite. CSC
    390 Fundamentals of Information Assurance is also
    considered a prerequisite.
  • Texts:
  • Secure Electronic Commerce, 2nd edition, by
    Warwick Ford and Michael S. Baum, Prentice Hall,
    ISBN 0-13-027276-0.
  • Other articles and selected web references.

5
Grading Procedure
  • The student's final grade will be based on a
    weighted average of the homework assignments,
    exams, and class participation. Weights are as
    follows:
  • Homework Assignments: 40%
  • Exams: 50%
  • Participation: 10%
  • Class attendance and participation in class
    discussion represent 10% of the overall grade and
    are taken into serious consideration.
  • Grades will be determined as follows:

6
Procedures and policies
  • 1. No makeup exams will be given.
  • 2. Homework assignments must be turned in on
    time. Late homework assignments will not be
    accepted.
  • Turning in a hard copy version of an
    assignment is the most reliable way to ensure
    that assignments are received on time. When
    transmitting a soft copy of an assignment via
    email, make sure to give yourself adequate time
    for the mail to be delivered no later than the
    day the assignment is due. Email delivery
    problems do occur, so please ask for a receipt of
    delivery.

7
ECT 582 Tentative Schedule of Discussions
  • Week 1: Introduction to secure e-commerce
  • Week 2: Cryptography (or Overview of Cryptography)
  • Week 3: Digital certificates
  • Week 4: Public key infrastructure
  • Week 5: Midterm Exam (no lecture)
  • Week 6: Non-repudiation, Electronic Signature Law
  • Week 7: Electronic Payment Systems
  • Week 8: Internet security
  • Week 9: Web services security issues
  • Week 10: Password security

8
Introduction
  • Who am I?
  • Who are you?
  • The introductions will be written down so that I
    may collect them when we are done.
  • What is your name?
  • Where are you in your graduate/undergraduate
    program?
  • Why are you taking this course?
  • What do you hope to learn from this course?
  • Anything else you feel is interesting and
    appropriate

9
Instructor background
  • Professional experience
  • 20 years' experience as a consultant and
    entrepreneur
  • Stints with Accenture, IBM, Sybase, Tandem, CNA
    Financial
  • Presently a senior executive with consultancy and
    software development firms
  • Educational training
  • BSEE from University of Michigan
  • MBA from Indiana University
  • Concentration in finance and operations research

10
Class Info
  • ECT 582 homepage
  • http://facweb.cs.depaul.edu/econfer/ect582
  • Class starts 6:15 PM
  • Class break 7:30 PM (15 minutes)
  • Lecture material and discussions
  • Discussions encouraged
  • Topics, e.g.:
  • Your e-commerce experiences related to security
  • Reports on security published as the course
    progresses
  • Goal: Have fun while learning about security
  • Web site will contain breaking news etc.
  • Each student should check it at least once a week

11
Introduction To Secure E-Commerce
12
Introduction to Secure e-Commerce
  • What is Security?
  • What are we securing in e-commerce?
  • Security is a heterogeneous concept in general.
  • All security, including e-commerce, deals with
    these 2 KEY concepts:
  • Risk
  • Trust
  • Business risk management
  • Risk analysis
  • Risk mitigation
  • Risk transfer

13
Security Risks to E-commerce
  • Direct financial loss resulting from fraud
  • Payment account abuse
  • Transfer funds without authorization
  • Destroy or hide financial records
  • Customer impersonation
  • Exposure of confidential information
  • False or malicious websites
  • Customer Data Exposures
  • Ex.: H&R Block erroneously imported customers' data
    into others' tax returns (February 2000)
  • Data theft

14
2005 CSI/FBI Computer Crime and Security Survey
  • Highlights of the 2005 Computer Crime and
    Security Survey include:
  • The total dollar amount of financial losses
    resulting from security breaches is decreasing,
    with an average loss of $204,000 per
    respondent, down 61 percent from last year's
    average loss of $526,000.
  • Virus attacks continue as the source of the
    greatest financial losses, accounting for 32
    percent of the overall losses reported.
  • Unauthorized access showed a dramatic increase
    and replaced denial of service as the second most
    significant contributor to computer crime losses,
    accounting for 24 percent of overall reported
    losses, and showing a significant increase in
    average dollar loss.
  • Theft of proprietary information also showed a
    significant increase in average loss per
    respondent, more than double that of last year.
  • The percentage of organizations reporting
    computer intrusions to law enforcement has
    continued its multi-year decline. The key reason
    cited for not reporting intrusions to law
    enforcement is the concern for negative
    publicity.

Based on responses from 700 computer security
practitioners in U.S. corporations, government
agencies, financial institutions, medical
institutions and universities.
15
Security Risks to E-commerce (continued)
  • Damage to relations with customers or business
    partners
  • An organization that suffers a security-related
    attack or failure may not publicize it
  • Unforeseen costs
  • Legal, public relations, or business resumption
    costs
  • Recovering from a security compromise
  • Public relations damage
  • Masquerading
  • Manipulation of web content
  • Malicious rumor
  • Uptake failure due to lack of confidence

Security is an essential ingredient of any
e-commerce solution.
16
Security Attacks
  • Any action that compromises the security of
    information systems
  • Normal flow (diagram: info source to info
    destination)
  • Interruption: attack on availability

17
Security Attacks (continued)
  • Interception: attack on confidentiality
  • Modification: attack on integrity
  • Fabrication: attack on authenticity
  (Each is shown on the slide as a diagram from info
  source to info destination.)
18
Passive and Active Attacks
  • Passive attacks: eavesdropping on, or monitoring
    of, information transmissions
  • Release of message contents
  • Traffic analysis
  • Active attacks: modification or creation of false
    information
  • Masquerade: one entity pretends to be a different
    entity
  • Ex.: Session hijacking: taking over an existing
    active session. It can bypass the authentication
    process and gain access to a machine.
  • Session hijacking tool: Hunt

19
Passive and Active Attacks (continued)
  • Replay: passive capture of data and its subsequent
    retransmission to produce an unauthorized effect
  • Modification of messages: some portion of a
    legitimate message is altered, or messages
    are delayed or reordered, to produce an
    unauthorized effect
  • Denial of service (DoS): prevents or inhibits the
    normal use or management of communication
    facilities
  • SYN flooding
  • WinNuke (Perl code of WinNuke)
  • Unfortunately, there are NO security mechanisms
    to counter DoS

20
Security Services Basic Principles
  • Security services enhance the security of an
    organization's information systems
  • Confidentiality
  • Ensures that information is accessible only for
    reading by authorized parties
  • Authentication
  • Ensures that the origin of a message or
    electronic document is correctly identified, with
    assurance that the identity is not false
  • Integrity
  • Ensures that only authorized parties are able to
    modify an electronic document

21
Security Services Basic Principles
  • Non-repudiation
  • Requires that neither the sender nor the receiver
    of a message be able to deny the transmission
  • Auditing
  • Requires logging of all system activities at
    levels sufficient for the reconstruction of
    events.
  • Access control
  • Requires that access to information resources be
    controlled by or for the target system
  • Availability
  • Requires that computer system assets be available
    to authorized parties when needed

22
Security Mechanisms
  • Mechanisms that detect, prevent, or recover from a
    security attack
  • Encipherment
  • The process of enciphering or converting plain
    language, indicators, etc. into cipher.
  • Digital signature mechanisms
  • Access control mechanisms
  • Data integrity mechanisms
  • Authentication exchange mechanisms
  • Traffic padding mechanisms
  • Routing control mechanisms
  • Notarization mechanisms

23
E-commerce vs. Paper-based Commerce
  • Security attributes of a signed paper document
  • Semi-permanence of ink embedded in paper fibers
  • Particular printing process, such as letterhead
  • Watermarks
  • Biometrics of signature
  • Time stamp
  • Obviousness of modifications, interlineations,
    and deletions

24
E-commerce vs. Paper-based Commerce
  • Computer-based documents do not have such security
    attributes
  • Computer-based records can be modified freely and
    without detection
  • Certain supplemental control mechanisms must be
    applied to achieve a level of trustworthiness
    comparable to that of paper
  • Paper-based and computer-based documents may not
    perform equal or exactly analogous functions in
    business and law
  • Ex.: negotiable document of title

25
E-commerce Security Framework
  • Business requirements for security
  • Security Strategy
  • Threats
  • Vulnerabilities
  • Defenses
  • Legal
  • Security Architecture
  • Procedures
  • Technology
  • People (training, monitoring, audits)
  • Security Technology
  • Main focus of this course
  • Cryptography, Certificates, PKI, SSL

26
Model for Network Security
27
Security Service Design Basics
  • Basic tasks in designing a particular security
    service:
  • Design an algorithm for performing the
    security-related transformation
  • Generate secret information to be used with the
    algorithm
  • Develop methods for the distribution and sharing
    of the secret information
  • Specify a protocol to be used by the two
    principals to achieve a particular security
    service
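As an added illustration (not from the slides or from Ford and Baum), the four design tasks above are mapped onto a small integrity-protected message exchange between two principals; it also shows the modification, fabrication and replay attacks of slides 17-19 being rejected by the data-integrity mechanism of slide 22, which is the kind of supplemental control slide 24 says computer-based records need. The message format, field names and function names are my own assumptions, and sharing the key (task 3) is assumed to happen out of band.

```python
import hmac
import hashlib
import secrets

# Task 2: generate the secret information used with the algorithm.
def generate_key() -> bytes:
    return secrets.token_bytes(32)

# Task 1: the security-related transformation. HMAC-SHA256 over a canonical
# encoding of (sequence number, body); binding the sequence number into the
# tag means it cannot be changed without detection either.
def mac(key: bytes, seq: int, body: bytes) -> bytes:
    return hmac.new(key, f"{seq}:".encode() + body, hashlib.sha256).digest()

def protect(key: bytes, seq: int, body: bytes) -> dict:
    """Sender side: attach sequence number and tag (hypothetical format)."""
    return {"seq": seq, "body": body, "tag": mac(key, seq, body)}

# Task 4: the receiver's half of the protocol. A message is accepted only if
# the tag verifies (rejects modification and fabrication) and the sequence
# number is strictly increasing (rejects replay and reordering).
class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, msg: dict) -> str:
        expected = mac(self.key, msg["seq"], msg["body"])
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: integrity check failed"
        if msg["seq"] <= self.last_seq:
            return "rejected: replay or reordering"
        self.last_seq = msg["seq"]
        return "accepted"

def demo() -> list:
    """Constructed scenario: one genuine order, then three active attacks."""
    key = generate_key()  # Task 3 (sharing the key) is assumed out of band
    rx = Receiver(key)
    order = protect(key, 1, b"order=42;qty=1")
    results = [rx.accept(order)]
    tampered = dict(order, body=b"order=42;qty=100")  # modification: body changed, tag not
    results.append(rx.accept(tampered))
    results.append(rx.accept(order))  # replay of a previously valid message
    forged = protect(secrets.token_bytes(32), 2, b"order=43;qty=1")  # fabrication, wrong key
    results.append(rx.accept(forged))
    return results
# A shared-key MAC gives integrity and origin authentication between the two
# principals but not non-repudiation (either party could have made the tag),
# which is why slide 22 lists digital signature mechanisms separately.
```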

28
Next Session Highlights
  • Chapter 4 of Ford and Baum
  • Complete Assignment 1