
ECT 582 Secure Electronic Commerce

This course outlines the importance of security in e-commerce, covering topics such as secure messaging, transactions, hosts and applications, and privacy. Grading is based on knowledge, reasoning, and communication skills.


Presentation Transcript


  1. ECT 582 Secure Electronic Commerce Professor Robin Burke

  2. Outline • Introductions • Course and Syllabus • Security • E-Commerce

  3. Introductions • Student information sheet

  4. Administrativa • Contacting me • CS&T 453 • x 25910 • rburke@cs.depaul.edu • Course web site • http://josquin.cs.depaul.edu/~rburke/courses/w04/ect360/

  5. About Me • 2nd year at CTI • PhD in AI, 1993 • Research • AI applications in E-Commerce • "smart catalogs" • Taught web development since 1996 • Founded an e-commerce company

  6. Course • Public key infrastructure • how to enable large-scale secure messaging? • Secure transactions • Securing hosts and applications • Privacy

  7. Grading • Six assignments – 35% • Midterm – 25% • Final – 30% • Participation – 10%

  8. Grading • Three Components • Knowledge • Does the work display correct technical knowledge? • Reasoning • Does the work indicate good problem-solving skills? • Communication • Is the answer well-written English?

  9. Grading, cont'd • A = Excellent work • Thorough knowledge of the subject matter • Well-considered and creative solutions • Well-written answers • B = Very good work • Complete knowledge of the subject matter • No major errors of reasoning in problem solutions • Competent written answers • C = Average work • Some gaps in knowledge of subject matter • Some errors or omissions in problem solving • Written answers may contain grammatical and other errors • D = Below average work • Substantial gaps in knowledge of subject matter. • Problem solving incomplete or incorrect • Poor English in written answers

  10. Discussion Forum • Important for this course • More DL than local students • Automatically mailed to all students • Uses • Questions about assignments • Announcements • Discussion about security issues • DL students • required to post at least weekly • All students • component of "Participation Grade"

  11. Security • freedom from danger, risk, etc.: safety • freedom from care, apprehension or doubt; well-founded confidence • something that secures or makes safe; protection; defense • precautions taken to guard against theft, sabotage, the stealing of military secrets, etc • Webster’s Encyclopedic Unabridged Dictionary of the English Language

  12. E-Commerce • the process of electronically buying and selling goods, services and information, and the maintenance of all the relationships, both personal and organizational, required for an electronic marketplace to function.

  13. What are we securing?

  14. Post-9/11 realities • Aspects of business operations may impact public safety

  15. Inherent Hazard • E-commerce opens a hole for interacting with an organization • Any Internet user can attack that opening • Good design • Minimizes the risk associated with enabling e-commerce • While still preserving its benefits • Bad design • Fails to reduce the risks of e-commerce, or • Eliminates the benefits of e-commerce

  16. Basic concepts • Assets • Attackers • Attacks • Protocol • Risk

  17. Assets • Financial • Customer data • Proprietary info • Reputation • Systems

  18. Is e-commerce different? • Need for physical proximity • Differences in documents

  19. Physical documents • Semi-permanence of ink embedded in paper fibers • Particular printing process • letterhead • watermark • Biometrics of signature • Time stamp • Obviousness of modifications, interlineations, and deletions

  20. Computer documents • Computer-based records can be modified freely and without detection • Supplemental control mechanisms must be applied to achieve a level of trustworthiness comparable to that on paper • Less permanent, too

  21. Legal differences • In some cases, possession matters • negotiable document of title • cash money

  22. Loss of assets • Physical assets • loss = theft or destruction • Information assets • loss = violation of • confidentiality • availability • integrity • authenticity

  23. Attackers • Class 0 • casual passerby • Class 1 • capable outsider • Class 2 • knowledgeable insider • Class 3 • determined organization

  24. E-Commerce • Proximity is not an issue • Scale • Many, many Class 1 attackers • Mutability • Easy for insiders to cover their tracks

  25. Attack • Any action that compromises the security of an e-commerce system • Simplifying assumption • security = protecting messages

  26. Passive vs active • Passive • Attacker monitors communication • disclose contents • but also traffic analysis • Active • Attacker interferes with communication • generates messages • prevents transmission or reception

  27. Normal messaging

  28. Basic attack types • Interception • Interruption • Modification • Fabrication

  29. Interception Attack on confidentiality

  30. Example: Password sniffer • Program to capture user id / password info • Case in Tokyo • sniffer installed at Internet cafe • 16 million Yen stolen

  31. Interruption • Attack on availability

  32. Example: SYN flooding • send open request for TCP connection • but don’t respond to handshake • do this over and over again • eventually server can't accept new connections

  33. Modification Attack on integrity

  34. Example: Shareware trojan • Alice posts a shareware application • Eve modifies it to contain her virus • Bob downloads the modified version

  35. Fabrication Attack on authenticity

  36. Example: Session hijacking • Taking over active sessions • after Alice leaves • before application times out • Bypass the authentication process • have Alice's privileges

  37. Protocol • A set of formal rules describing how to transmit data, especially across a network. ... High level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages etc. • FOLDOC

  38. To describe a protocol • The roles • who participates • The steps • how the interaction unfolds • The messages • syntax and meaning of messages sent and received • The process • processing by each player

  39. Example: Homework protocol • Instructor hands out assignment • includes requirements and due date • Student performs assignment • submits by due date • Instructor grades assignment • grade is incorporated into course database • Graded work is returned to student

  40. Protocol security • Generally we talk about protecting the protocol messages • Different protocols have different security characteristics • Homework protocol is not secure against fabrication • Test taking protocol is more secure • Attacks can target different protocol steps • "grader" example

  41. Risk • Risk is • value of loss * probability of loss • Both can be hard to quantify • Risk management • process of analyzing and mitigating risk • one technique is historical • what losses have others suffered?

  42. What are the primary risks? • Disclosure of proprietary information • Denial of service • Virus attacks • Insider net abuse • Financial fraud • Sabotage • CSI/FBI 2003 Computer Crime and Security Survey Total value of losses: $200 million

  43. Secondary risks • Damage to relations with customer or business partners • Legal, public relations, or business resumption cost • Public relations damage • Uptake failure due to lack of confidence

  44. Secure E-Commerce • Not E-Commerce Risk Management • Very big topic • strategy • architecture • technology

  45. Security strategy • Threats • what is valuable? • who might want it? • Vulnerabilities • where is the organization exposed? • Defenses • what can be done to manage the risks? • Legal • what liabilities and legal requirements exist?

  46. Security architecture • People • how are they hired, trained, monitored, audited? • Systems • what systems exist? • how are systems connected to each other and to the larger Internet? • Procedures • how are systems used? • who gets access to what under what circumstances?

  47. Security technology • Main focus of this course • Specific technologies for achieving security-related goals • But • meaningless in the absence of a strategy and an architecture

  48. Secure E-Commerce • Technologies for securing the protocols of electronic commerce • One component of risk management • not the only component • sometimes not even the most important • but a basic safeguard

  49. What can technology provide? • Confidentiality • Authentication • Integrity • Non-repudiation • Access control • Availability

  50. Confidentiality • Protects against interception • Ensures that a message is only readable by intended recipient • Technology • Encryption
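Slide 32 describes SYN flooding as connection requests whose handshake is never completed. As an added example (not from the original slides), the Python below counts such half-open connections per listening port in text laid out like `ss -tan` output and flags ports where they pile up; the sample rows, addresses and both thresholds are constructed assumptions.

```python
from collections import Counter

def build_sample(half_open_443=40):
    """Constructed text in the column layout of `ss -tan`; not from a real host."""
    rows = [
        "State     Recv-Q Send-Q Local Address:Port Peer Address:Port",
        "LISTEN    0      128    0.0.0.0:443        0.0.0.0:*",
        "ESTAB     0      0      192.0.2.10:443     198.51.100.7:51514",
        "ESTAB     0      0      192.0.2.10:443     198.51.100.8:51620",
        "ESTAB     0      0      192.0.2.10:22      198.51.100.9:50022",
        "SYN-RECV  0      0      192.0.2.10:22      198.51.100.9:50023",
    ]
    rows += [f"SYN-RECV  0      0      192.0.2.10:443     203.0.113.{i}:{40000 + i}"
             for i in range(1, half_open_443 + 1)]
    return "\n".join(rows)

def half_open_by_port(ss_text):
    """Count half-open (SYN-RECV) and established (ESTAB) sockets per local port."""
    half_open, established = Counter(), Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("SYN-RECV", "ESTAB"):
            continue  # header, LISTEN and other states are not counted
        port = fields[3].rsplit(":", 1)[1]  # rsplit also copes with [::1]:443
        (half_open if fields[0] == "SYN-RECV" else established)[port] += 1
    return half_open, established

def flag_syn_flood(ss_text, min_half_open=20, min_ratio=3.0):
    """Return (port, half_open, established) for ports that look flooded.

    Both thresholds are illustrative assumptions, to be tuned per server.
    """
    half_open, established = half_open_by_port(ss_text)
    alerts = []
    for port, n in sorted(half_open.items()):
        ratio = n / max(established[port], 1)
        if n >= min_half_open and ratio >= min_ratio:
            alerts.append((port, n, established[port]))
    return alerts

if __name__ == "__main__":
    for port, n, est in flag_syn_flood(build_sample()):
        print(f"port {port}: {n} half-open vs {est} established")
```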
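Slide 40 notes that attacks can target different protocol steps. This added example (not from the original slides) takes one step of slide 39's homework protocol, the grade being incorporated into the course database, and shows a fabricated and a modified grade message being accepted without authentication and rejected with it. The message format, the class names, the shared key and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: instructor and course database share this key (constructed value).
KEY = b"constructed-demo-key-shared-by-instructor-and-database"

def grade_message(student, assignment, grade):
    """Serialize the 'grade' protocol message deterministically."""
    record = {"student": student, "assignment": assignment, "grade": grade}
    return json.dumps(record, sort_keys=True).encode()

def sign(key, msg):
    """Authentication tag the instructor attaches to a grade message."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class NaiveDatabase:
    """Records any well-formed grade message, whoever produced it."""
    def __init__(self):
        self.grades = {}

    def record(self, msg, tag=None):
        rec = json.loads(msg)
        self.grades[(rec["student"], rec["assignment"])] = rec["grade"]
        return True

class AuthenticatingDatabase(NaiveDatabase):
    """Records a grade only if its tag verifies under the shared key."""
    def __init__(self, key):
        super().__init__()
        self.key = key

    def record(self, msg, tag=None):
        if tag is None or not hmac.compare_digest(sign(self.key, msg), tag):
            return False  # fabricated or modified message: rejected
        return super().record(msg)

def run_demo():
    genuine = grade_message("bob", "hw1", 72)
    tag = sign(KEY, genuine)
    fabricated = grade_message("bob", "hw1", 100)  # never sent by the instructor
    modified = genuine.replace(b"72", b"95")       # altered in transit, old tag reused
    naive, strict = NaiveDatabase(), AuthenticatingDatabase(KEY)
    results = {
        "naive_accepts_fabricated": naive.record(fabricated),
        "strict_accepts_genuine": strict.record(genuine, tag),
        "strict_accepts_fabricated": strict.record(fabricated),
        "strict_accepts_modified": strict.record(modified, tag),
    }
    return results, naive.grades, strict.grades
```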
