Five Fundamental Requirements of a Secure Transaction System

1
Five Fundamental Requirements of a Secure
Transaction System

• Privacy information not read by third party
• Integrity information not compromised or
  altered
• Authentication sender and receiver prove
  identities
• Non-repudiation legally prove message was sent
  and received
• Availability -- computer systems continually
  accessible

2
Security Requirements and Controls
3
Cryptography to Secure Privacy

• Digital
• Encryption and decryption keys are binary strings
  with a given key length
• With Symmetric or Secret-key Cryptography, both
  sender and receiver have a secret key and all
  messages are encrypted and decrypted using the
  same key.
• With Asymmetric or Public-key cryptography,
  message is sent with public key and read using
  private key.

4
Secret-key Cryptography

• Has a problem with protecting key exchange
• Also has a problem knowing who actually created
  message (authentication)
• Can use key distribution center, which reduces
  the risk of and increases the efficiency the key
  exchange process.
• DES (or some variation thereof)

5
Public Key Cryptography

• Each party has both a public and a private key
• Data is sent using the public key.
• Receiver reads the message using private key and
  sends reply using senders public key thus both
  sender and receiver are authenticated.
• RSA Is most commonly used public-key algorithm.
• Also non-governmental algorithm named Pretty Good
  Privacy (PGP)

6
Digital Signatures

• Developed to be used in public-key systems.
• Plaintext run through hash function which gives
  message a mathematical value called hash value or
  message digest
• Collision occurs when multiple messages have same
  hash value
• Hash function is encrypted with private-key
• Original message (encrypted with public key),
  signature, and hash function sent to receiver.
• Receiver uses senders public key to decipher the
  digital signature and reveal the message digest.
• Then receiver applies hash function to received
  message to insure match.

7
Timestamping

• Binds a time and date to message, solves
  non-repudiation
• Third party, timestamping agency, timestamps
  messags

8
Digital certificate

• Digital document issued by certification
  authority
• Includes name of company, companys public key,
  serial number, expiration date and signature of
  trusted third party
• Leading certificate authority --Verisign
  (www.verisign.com)

9
Secure Sockets Layer (SSL)

• Non-proprietary protocol that provides
  transaction security
• Developed by Netscape
• Operates between TCP/IP and application software
• Uses public-key technology and digital
  certificates to authenticate server and protect
  private information.
• Client and server negotiate session keys
  (private, symmetric key) to continue transaction
• Protocol switches from http to https

10
Secure Electronic Transaction (SETTM)

• Designed to protect e-commerce payments
• Certifies customer, merchant and merchants bank
• Requires that
• Merchants have a digital certificate and SET
  software
• Customers have a digital certificate and digital
  wallet to store credit card information and
  identification
• Merchant never sees the customers personal
  information as it is sent straight to bank

11
Attacks on Security

• Denial of service attacks
• Use a network of computers to overload servers
  and cause them to crash or become unavailable to
  legitimate users
• Flood servers with data packets
• Alter routing tables which direct data from one
  computer to another
• Distributed denial of service attack comes from
  multiple computers
• Viruses
• Computer programs that corrupt or delete files
• Sent as attachments or embedded in other files
• Worm
• Can spread itself over a network, doesnt need to
  be sent
• Web defacing

12
Firewalls

• Used to protect intranets connected to Internet
• Allow only authorized users access
• Prevent unauthorized users from obtaining access
• Trade-off between security and performance and
  convenience
• Prohibits all data not explicitly allowed or
  allows all data not explicitly prohibited

13
Types of Firewalls

• Packet filtering firewall examines all data sent
  from outside the LAN and rejects any external
  data packets that are addressed to local network
  addresses (e.g., router)
• Application firewall is an application that
  mediates traffic between a protected network and
  the Internet (e.g., proxy server). It includes
  software components that do logging and access
  control, network address translation, etc.
  However, having an application in the way in some
  cases may impact performance and may make the
  firewall less transparent.

14
Biometrics

• Has become a very important topic not just for
  Internet usage.
• Uses personal information to identify a user,
  e.g., fingerprint, iris scan, face scan, etc.
• Suggested as a possible ID card for frequent
  flyers, etc.

15
Steganography

• Hiding information within other information
• Usually hidden in image or sound or video
• Again, a very hot topic right now as it is
  suspected that terrorists used Internet for
  communication, but hid transmissions perhaps
  using steganorgraphy

16
Error Detection and Control

• Included as part of TCP/IP protocol.
• Operates primarily at packet level. Uses packet
  checksum which is computed and sent with each
  packet. Recomputed on the receiving end.
• Uses ACK and NAK protocol to acknowledge
  successful or non-successful transmission

17
Availability

• Redundant components
• Disaster Recovery
• Business continuity plan
• Available in-company resources
• Available hosted disaster recovery facilities
• Mobile data centers
• Aftermath Technology Tools and Services