ECT 582 Secure Electronic Commerce - PowerPoint PPT Presentation

1 / 43

About This Presentation

Title:

ECT 582 Secure Electronic Commerce

Description:

freedom from care, apprehension or doubt; well-founded confidence ... Webster's Encyclopedic Unabridged Dictionary of the English Language. E-Commerce ... – PowerPoint PPT presentation

Number of Views:75

Avg rating:3.0/5.0

Slides: 44

Provided by: robin3

Learn more at: http://josquin.cti.depaul.edu

Category:

more less

Transcript and Presenter's Notes

Title: ECT 582 Secure Electronic Commerce

1
ECT 582Secure Electronic Commerce

Professor Robin Burke

2
Introductions

About me
http//josquin.cs.depaul.edu/rburke/
About you
Student information sheet

3
Resources

Course on-line
discussion forum
grades
Course home page

4
Security

freedom from danger, risk, etc. safety
freedom from care, apprehension or doubt
well-founded confidence
something that secures or makes safe protection
defense
precautions taken to guard against theft,
sabotage, the stealing of military secrets, etc
Websters Encyclopedic Unabridged Dictionary of
the English Language

5
E-Commerce

the process of electronically buying and selling
goods, services and information, and the
maintenance of all the relationships, both
personal and organizational, required for an
electronic marketplace to function.

6
What are we securing?
7
Post-9/11 realities

Aspects of business operations may impact public
safety
E-commerce opens a hole for interacting with an
organization

8
What can we do to improve security?
9
Key concepts

Risk
Trust

10
Risk

What are the possible losses we are guarding
against?

11
Trust

Must choose where trust is to be placed

12
Risk management

Risk analysis
Risk mitigation
Risk transfer

13
What are the primary risks?

Disclosure of proprietary information
Denial of service
Virus attacks
Insider net abuse
Financial fraud
Sabotage
- CSI/FBI 2003 Computer Crime and Security Survey

14
Disclosure of Proprietary Info

Customer data exposure
Data theft
Sensitive information

15
Fraud

Payment account abuse
Transfer funds without authorization
Destroy or hide financial records
Customer impersonation

16
Secondary risks

Damage to relations with customer or business
partners
Legal, public relations, or business resumption
cost
Public relations damage
Uptake failure due to lack of confidence

17
How is e-commerce different?

Need for physical proximity
Differences in document

18
Physical documents

Semi-permanence of ink embedded in paper fibers
Particular printing process
letterhead
watermark
Biometrics of signature
Time stamp
Obviousness of modifications, interlineations,
and deletions

19
Computer documents

Computer-based records can be modified freely and
without detection
Supplemental control mechanisms must be applied
to achieve a level of trustworthiness comparable
to that on paper
Less permanent, too

20
Legal differences

In some cases, possession matters
negotiable document of title
cash money

21
Attack

Any action that compromises the security of
information systems
Normal flow

22
Interruption

Attack on availability

Info source
Info destination
23
Interception

Attack on confidentiality

Info source
Info destination
24
Modification

Attack on integrity

Info source
Info destination
25
Fabrication

Attack on authenticity

Info source
Info destination
26
Passive vs active

Passive
Monitor communication
Disclose contents
but also traffic analysis
Active
Interfere with communication

27
Active attacks masquerade

Masquerade one entity pretends to be a different
entity
Example Session Hijacking
Taking over an existing active session.
It can bypass the authentication process and gain
access to a machine

28
Active attacks replay

Passive capture of data
Later retransmission to produce an unauthorized
effect
Example Password sniffing
Program capture user id / password info
Case in Tokyo sniffer installed at Internet
cafe. 16 million Yen stolen.

29
Active attacks modification

Some portion of a legitimate message is altered,
or that message are delayed or reordered, to
produce an unauthorized effect
Example Spam
Return-To header on spam email is always forged
to prevent tracking the sender

30
Active attacks DoS

Denial of service
prevents or inhibits the normal use or management
of communication facilities
Example SYN flooding
send open request for TCP connection but dont
respond to handshake
do this over and over again

31
Security properties

What do we want out of a secure e-commerce
system?
Confidentiality
Authentication
Integrity
Non-repudiation
Access control
Availability

32
Confidentiality

Protects against interception
Ensures that a message is only readable by
intended recipient
Technology
Encryption

33
Authentication

Protects against fabrication
Ensures that the origin of a message or
electronic document is correctly identified, with
assurance that the identity is not false
Technology
User Id/Password
Digital certificates

34
Integrity

Protects against modification
Ensures that only authorized parties are able to
modify an electronic document or
Allow modification to be detected
Technology
Digital signatures

35
Non-repudiation

Protects against an e-commerce participant acting
in bad faith
Require that neither the sender nor the receiver
of a message be able to deny the transmission
Technology
(Complicated)

36
Access control

Protects against unauthorized access
Allows the establishment of fine-grained control
over access to files and applications for
different users and groups
Technology
(Various, usually tied to authentication)

37
Availability