Security Issues - PowerPoint PPT Presentation

1 / 16
About This Presentation
Title:

Security Issues

Description:

Need to secure communications between client (customer at a web browser) and ... Encrypted data is meaningless to snoopers and cannot be altered without detection. ... – PowerPoint PPT presentation

Number of Views:24
Avg rating:3.0/5.0
Slides: 17
Provided by: kelly9
Category:

less

Transcript and Presenter's Notes

Title: Security Issues


1
Security Issues
  • To maintain a successful online business, you
    MUST
  • Secure your E-Commerce transactions
  • Secure your servers and data
  • Formulate, post and follow a customer privacy
    policy

2
Securing Transactions
  • Need to secure communications between client
    (customer at a web browser) and server (your web
    site and beyond)
  • What kinds of data need securing?
  • Credit card data (card number, expiration date,
    etc.)
  • Personal data (phone , address, etc.)
  • Order data
  • Etc.

3
Securing Transactions
  • Authenticate message source
  • the party is who they claim to be
  • Ensure privacy by encryption
  • no one can see or understand my message
  • Ensure integrity of transmission
  • the data has not been tampered with
  • Guarantee non-repudiation of purchases and
    payments
  • the order WAS placed
  • the payment Was received

4
Encryption
  • A secret "key" is used to encrypt ("scramble")
    and decrypt ("unscramble") any data passed
    between browser and server.
  • The encryption technique and key are chosen so
    that it would be computationally infeasible to
    decipher the data without the key (i.e. break the
    code).

5
Public Key Cryptography
Message
Digital Signature
6
Encryption
  • If the key is kept secret, the "right" encrypted
    data can only be generated by the browser or the
    server. Encrypted data is meaningless to
    snoopers and cannot be altered without detection.
  • This provides authentication, integrity and
    privacy.

7
Key Distribution Problem
  • Problem how to get the key to the other party
    over an insecure network like the Internet?
  • Answer public key encryption
  • PKE uses two keys whichever one is used to
    encrypt, the other one must be used to decrypt
  • Typically, one key is made public, the other is
    kept secret.
  • How does this help?

8
Session Keys
  • If the browser can get the public key of the
    merchant, it could encrypt a one-time session key
    and send it to merchant server.
  • Then the two sides could use the shared session
    key to encrypt and communicate securely.
  • To get the merchant's public key, the server
    could send it over to the browser when it first
    connects.
  • Problem how does the browser know if it has the
    real public key and not a fraudulent one?

9
Digital Signatures
  • A merchant's public key can be digitally signed.
  • A digital signature is a token (a little bit of
    data) attached to the end of the key.
  • Using encryption technology, it is possible to
    verify the authenticity of the key by examining
    the "signature".
  • If you trust the key signer, you can trust that
    the key is valid.
  • Who can be trusted to sign (vouch for) a
    merchant's public key?

10
Client
Request Secure Document
Server
Public Key Certificate
Client
Encrypted Session Key
Server
Document Encrypted With Session Key
Client
11
Certificate Authority
  • A certificate authority is a trusted third party
    that is in the business of signing public keys.
    A key signed by a CA is called a digital
    certificate.
  • A merchant purchases a certificate and puts it on
    his server.
  • When a browser makes a connection the certificate
    is downloaded. The browser verifies the signature
    on the certificate and extracts the public key.
  • The browser encrypts a session key and sends it
    to the server. Both sides can now securely
    communicate.

12
Certificate
  • Identifying the holder of a public key
    (Key-Exchange)
  • Issued by a trusted certificate authority (CA)

13
Digital Certificates
  • Certificates are available from a number of
    certificate authorities. One of the first, and
    biggest, is Verisign (www.verisign.com)
  • Certificates start at about 150 and go up from
    there, depending on the expected use of the
    certificate.
  • A certificate is dated and is only good for a
    certain time period. After that date a browser
    will reject it.
  • To keep current, a merchant will need to purchase
    new certificates just before the old ones expire.

14
Securing Your Site
  • Disable all nonessential services, programs and
    user accounts
  • Use complex passwords and change them reasonably
    often
  • Keep up with the latest security bulletins (CERT)
    and software updates

15
Securing Your Site
  • Monitor logs for suspicious activity
  • Consider installing a firewall, monitoring
    software and/or secure communications software
  • Have a periodic professional security audit
  • Does your Host provide all of this?

16
Customer Privacy
  • What does your company do with the data it
    collects from customers?
  • Does not release customer data outside the
    company, under any circumstances, except to legal
    authorities
  • makes names, addresses, etc. available to
    selected partners and third parties
  • sells customer data to marketers
  • These are all valid policies!
  • Need to be up front formulate a privacy policy,
    post it on your web site and follow it !
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Security Issues" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!