Title: Lecturer: Ellis E' Confer
1Secure Electronic Commerce ECT 582 Spring 2006
- Lecturer Ellis E. Confer
- E-mail econfer_at_cs.depaul.edu
- Office Hours Tuesday 430 600 pm
2Session Number 1
- Session Date March 28, 2006
- Session Objectives
- Introductions Administrative Items
- Course Overview
- Session Topics Introduction to Secure e-Commerce
3ECT 582 Course Objectives
- This course discusses extensions to notions of
traditional computer security to include current
advancements and issues related to commerce and
business conducted over nonproprietary networks.
We will specifically concentrate on the Internet
as the medium of choice. We will discuss issues
of secrecy, integrity and availability threats,
vulnerability, control and attacks hypertext
transfer protocols encryption and decryption
digital certificates and signatures
non-repudiation and legal differences between
e-commerce and traditional commerce. This course
will address e-commerce as well as the
architectural differences that determine
particular security solutions.
4Prerequisites Text and Supplementary Reading
Materials
- Prerequisites DS 425 Distributed Systems
Fundamental is considered a prerequisite. CSC
390 Fundamentals of Information Assurance is also
considered a prerequisite. . - Texts
- Secure Electronic Commerce, 2nd edition, by
Warwick Ford Michael S. Baum's, Prentice Hall,
ISBN 0-13-027276-0. - Other articles and selected web references.
5Grading Procedure
- The students final grade will be based on a
weighted average of the homework assignments,
exams, and class participation. Weights are as
follows - Weight
- Homework Assignments 40
- Exams 50
- Participation 10
- Class attendance and participation in class
discussion represent 10 of overall grade and is
highly considered. - Grades will be determined as follows
6Procedures and policies
- 1. No makeup exams will be given.
- 2. Homework assignments must be turned in on
time. - Late homework assignments will not be accepted.
- Turning in a hard copy version of an
assignment is the most reliable way to ensure
that assignments are received on time. When
transmitting a soft copy of an assignment via
email, make sure to give yourself adequate time
for the mail to be delivered by no later than the
day when the assignment is due. Email delivery
problems do occur, please ask for a receipt of
delivery.
7ECT 582 Tentative Schedule of Discussions
- Week 1 Introduction to
secure e-commerce - Â
- Week 2 Cryptography (or
Overview of Cryptography) - Â
- Week 3 Digital
certificates - Â
- Week 4 Public key
infrastructure - Â
- Week 5 Midterm Exam (no lecture)
- Â
- Week 6 Non-repudiation,
Electronic Signature Law - Â
- Week 7 Electronic Payment
Systems - Â
- Week 8 Internet security
- Â
- Week 9 Web services
security issues - Â
- Week 10 Password security
8Introduction
- Who am I?
- Who are you?
- The introduction will be written down so that I
may collect them when we are done. - What is your name?
- Where are you in your graduate/underground
program? - Why are you taking this course?
- What do you hope to learn from this course?
- Anything else you feel is interesting and
appropriate
9Instructor background
- Professional experience
- 20 years experience as consultant and
entrepreneur - Stints with Accenture, IBM, Sybase, Tandem, CNA
Financial - Presently senior executive with consultancy
software development firms - Educational training
- BSEE from University of Michigan
- MBA from Indiana University
- Concentration in finance operations research
10Class Info
- ECT 582 homepage
- http//facweb.cs.depaul.edu/econfer/ect582
- Class starts 615 PM
- Class break 730 PM (15 minutes)
- Lecture material and discussions
- Discussions encouraged
- Topics e.g.
- Your e-commerce experiences related to security
- Reports on security published as the course
progresses - Goal Have fun while learning about security
- Web site will contain breaking news etc.
- Each student should check it at least once a week
11Introduction To Secure E-Commerce
12Introduction to Secure e-Commerce
- What is Security?
- What are we securing in e-commerce?
- Security is heterogeneous concept in general.
- All security, including e-commerce, deals with
these 2 KEY concepts - Risk
- Trust
- Business risk management
- Risk analysis
- Risk mitigation
- Risk transfer
13Security Risks to E-commerce
- Direct financial loss resulting from fraud
- Payment account abuse
- Transfer funds without authorization
- Destroy or hide financial records
- Customer impersonation
- Exposure of confidential information
- False or malicious websites
- Customer Data Exposures
- Ex. HR block erroneously import customers' data
into others' tax returns (February 2000) - Data theft
14 2005 CSI/FBI Computer Crime and Security Survey
- Highlights of the 2005 Computer Crime and
Security Survey include - The total dollar amount of financial losses
resulting from security breaches is decreasing,
with an average loss of 204,000 per
respondent-down 61 percent from last year's
average loss of 526,000. - Virus attacks continue as the source of the
greatest financial losses, accounting for 32
percent of the overall losses reported. - Unauthorized access showed a dramatic increase
and replaced denial of service as the second most
significant contributor to computer crime losses,
accounting for 24 percent of overall reported
losses, and showing a significant increase in
average dollar loss. - Theft of proprietary information also showed a
significant increase in average loss per
respondent, more than double that of last year. - The percentage of organizations reporting
computer intrusions to law enforcement has
continued its multi-year decline. The key reason
cited for not reporting intrusions to law
enforcement is the concern for negative
publicity.
Based on responses from 700 computer security
practitioners in U.S. corporations, government
agencies, financial institutions, medical
institutions and universities
15Security Risks to E-commerce (continued)
- Damage to relations with customer or business
partners - An organization that suffers a security-related
attack or failure may not publicize it - Unforeseen cost
- Legal, public relations, or business resumption
cost - Recovering from a security compromise
- Public relations damage
- Masquerading
- Manipulation of web content
- Malicious rumor
- Uptake failure due to lack of confidence
Security is an essential ingredient of any
e-commerce solution.
16Security Attacks
- Any actions that compromises the security of
information systems - Normal flow
- Interruption attack on availability
Info source
Info destination
17Security Attacks (continued)
Info source
Info destination
Interception Attack on confidentiality
Modification Attack on Integrity
Info source
Info destination
Fabrication Attack on authenticity
Info source
Info destination
18Passive and Active Attacks
- Passive attacks eavesdropping on, or monitoring
of, information transmission - Release of message contents
- Traffic analysis
- Active Attacks modification or creation of false
information - Masquerade one entity pretends to be a different
entity - Ex. Session Hijacking taking over an existing
active session. It can bypass the authentication
process and gain access to a machine - Session Hijacking tool Hunt
19Passive and Active Attacks (continued)
- Replay passive capture of a data, retransmission
to produce an unauthorized effect - Modification of message some portion of a
legitimate message is altered, or that message
are delayed or reordered, to produce an
unauthorized effect - Denial of service (DoS) prevents or inhibits the
normal use or management of communication
facilities - SYN flooding
- Winnuke (Perl code of Winnuke)
- Unfortunately, there are NO security mechanisms
to counter DoS
20Security Services Basic Principles
- Enhances the security of information systems of
an organization - Confidentiality
- Ensures that info are accessible only for reading
by authorized parties - Authentication
- Ensures that the origin of a message or
electronic document is correctly identified, with
assurance that the identity is not false - Integrity
- Ensures that only authorized parties are able to
modify an electronic document
21Security Services Basic Principles
- Non-repudiation
- Require that neither the sender nor the receiver
of a message be able to deny the transmission - Auditing
- Requires logging of all system activities at
levels sufficient for the reconstruction of
events. - Access control
- Requires that access to information recourses may
be controlled or for the target system - Availability
- Requires that computer system asset be available
to authorized parties when needed
22Security Mechanisms
- Detect, prevent, or recover from a security
attack - Encipherment
- the process of enciphering or converting plain
language, indicators, etc. into cipher. - Digital signature mechanisms
- Access control mechanisms
- Data integrity mechanisms
- Authentication exchange mechanisms
- Traffic padding mechanisms
- Routing control mechanisms
- Notarization mechanisms
23E-commerce v.s. Paper-based Commerce
- Security attributes of signed paper document
- Semi-permanence of ink embedded in paper fibers
- Particular printing process
- such as letterhead
- Watermarks
- Biometrics of signature
- Time stamp
- Obviousness of modifications, interlineations,
and deletions
24E-commerce v.s. Paper-based Commerce
- Computer-based document do not have such security
attributes - Computer-based records can be modified freely and
without detection - Certain supplemental control mechanisms must be
applied to achieve a level of trustworthiness
comparable to that on paper - Paper-based and computer-based documents may not
perform equal or exactly analogous function in
business and law - Ex. negotiable document of title
25E-commerce Security Framework
- Business requirements for security
- Security Strategy
- Threats
- Vulnerabilities
- Defenses
- Legal
- Security Architecture
- Procedures
- Technology
- People (training, monitoring, audits)
- Security Technology
- Main focus of this course
- Cryptography, Certificates, PKI, SSL
26Model for Network Security
27Security Service Design Basics
- Basic tasks in designing a particular security
service - Design an algorithm for performing the
security-related transformation - Generate secret information to be used with the
algorithm - Develop methods for the distribution and sharing
of the secret information - Specify a protocol to be used by the two
principals to achieve a particular security
service
28Next Session Highlights
- Chapter 4 of Ford and Baum
- Complete Assignment 1