UNIT-V
Security and Encryption
Need and Concepts:
- Understand the scope of e-commerce crime and security problems.
- Describe the key dimensions of e-commerce security and the tension between security and
other values.
- Identify the key security threats in the e-commerce environment.
- Describe how technology helps protect the security of messages sent over the Internet.
- Identify the tools used to establish secure internet communications channels and protect
networks, servers, and clients.
- Appreciate the importance of policies, procedures, and laws in creating security.
E-Commerce Security Environment:
Introduction: -
E-Commerce security refers to the principles which guide safe electronic transactions, allowing
the buying and selling of goods and services through the Internet, but with protocols in place to provide
safety for those involved.
Definition: -
Ecommerce security is a set of protocols that safely guide ecommerce transactions. Stringent
security requirements must be in place to protect companies from threats like credit card fraud, or they
risk jeopardizing revenue and customer trust, due to the inability to guarantee safe credit card processing.
Scope of e-commerce crime and security problems:
While the overall size of cyber-crime is unclear at this time, cyber-crime
against e-commerce sites is growing rapidly, the number of losses is growing, and
the management of e-commerce sites must prepare for a variety of criminal
assaults.
Cybercrime is becoming a more significant problem for both organizations
and consumers. A variety of worldwide cyber-attacks make daily headlines. It is
difficult to accurately estimate the actual amount of cybercrime, but one source of
information is the Ponemon Institute's survey of 58 representative US companies.
Reducing risks in e-commerce is a complex process that involves new
technologies, organizational policies and procedures, and new laws and industry
standards that empower law enforcement officials to investigate and prosecute
offenders. The figure shows the multi-layered nature of e-commerce security.
Fig. The E-Commerce Security Environment
The key dimensions of e-commerce security:
There are six key dimensions to e-commerce security:
- Integrity
- Non-repudiation
- Authenticity
- Confidentiality
- Privacy
- Availability
Integrity: Ensures that information displayed on a Web site or sent or received via
the Internet has not been altered in any way by an unauthorized party.
Non-repudiation: Ensures that e-commerce participants do not deny (repudiate)
their online actions.
Authenticity: Verifies an individual’s or business’s identity.
Confidentiality: Determines whether information shared online, such as through
e-mail communication or an order process, can be viewed by anyone other than
the intended recipient.
Privacy: The ability to control the use of information about oneself.
Availability: Determines whether a Web site is accessible and operational at any
given moment.
The tension between security and other values:
Although computer security is considered necessary to protect e-commerce
activities, it is not without a downside. Two major areas where there are tensions
between security and Web site operations include: Ease of use and Public safety.
Ease of use: The more security measures that are added to an e-commerce site, the
more difficult it is to use and the slower the site becomes, hampering ease of use.
Security is purchased at the price of slowing down processors and adding
significantly to data storage demands. Too much security can harm profitability,
while not enough can potentially put a company out of business.
Public safety: Criminals can use technology to plan crimes or threaten the
nation-state.
Security Threats in The E-Commerce Environment:
A threat is anything that can disrupt the operations, functioning, integrity, or
availability of a network system. A threat is an object, person, or other entity that
represents a constant danger to an asset.
From a technology perspective, there are three key points of vulnerability in the
e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
Fig. A Typical E-Commerce Transaction.
Fig. Vulnerable points in E-Commerce Transaction
The nine most common and most damaging forms of security threats
to e-commerce sites include:
- Malicious code
- Unwanted programs (adware, spyware, etc.)
- Phishing
- Hacking and cyber-vandalism
- Spoofing (Pharming) and Spam (Junk) websites
- Denial of Service attacks
- Sniffing
- Insider jobs
- Poorly designed server and client software
1. Malicious code: Includes a variety of threats such as viruses, worms, Trojan
horses, and “bad applets”. A virus is a computer program that has the ability to
replicate or make copies of itself, and spread to other files. A worm is designed to
spread from computer to computer. A Trojan horse appears to be benign, but then
does something other than expected.
2. Unwanted programs (adware, spyware, etc.): A kind of security threat that
arises when programs are surreptitiously installed on your computer or computer
network with.
■ Potentially unwanted programs (PUPs)
❖ Browser parasites: Can monitor and change settings of a
user’s browser
❖ Adware: Calls for unwanted pop-up ads
❖ Spyware: Can be used to obtain information, such as a user’s
keystrokes, e-mail, IMs, etc.
3. Phishing: Any deceptive, online attempt by a third party to obtain confidential
information for financial gain. Most popular type: e-mail scam letter.
4. Hacking and cyber-vandalism: Intentionally disrupting, defacing, or even
destroying a site.
■ Hacking
• Hacker: Individual who intends to gain unauthorized access to
computer systems
• Cracker: Hacker with criminal intent (two terms often used
interchangeably)
■ Cyber-vandalism: Intentionally disrupting, defacing or destroying a
Web site.
Example:
Credit card fraud/theft: One of the most feared occurrences and one of the
main reasons more consumers do not participate in e-commerce. The most
common cause of credit card fraud is a lost or stolen card that is used by
someone else, followed by employee theft of customer numbers and stolen
identities (criminals applying for credit cards using false identities).
■ Security breach:
A security breach is any incident that results in unauthorized access
to computer data, applications, networks or devices. It results in information
being accessed without authorization. Typically, it occurs when an intruder
is able to bypass security mechanisms. Technically, there's a distinction
between a security breach and a data breach. A security breach is effectively
a break-in, whereas a data breach is defined as the cybercriminal getting
away with information.
5. Spoofing (Pharming) and Spam (Junk) websites: Occurs when hackers
attempt to hide their true identities or misrepresent themselves by using fake
e-mail addresses or masquerading as someone else. Spoofing also can involve
redirecting a Web link to an address different from the intended one, with the site
masquerading as the intended destination.
6. Denial of Service attacks: Hackers flood a Web site with useless traffic to
inundate and overwhelm the network, frequently causing it to shut down and
damaging a site’s reputation and customer relationships.
7. Sniffing: A type of eavesdropping program that monitors information traveling
over a network, enabling hackers to steal proprietary information from anywhere
on a network, including e-mail messages, company files, and confidential reports.
The threat of sniffing is that confidential or personal information will be made
public.
8. Insider jobs: Although the bulk of Internet security efforts are focused on
keeping outsiders out, the biggest threat is from employees who have access to
sensitive information and procedures.
9. Poorly designed server and client software: The increase in complexity and
size of software programs has contributed to an increase in software flaws or
vulnerabilities that hackers can exploit.
Technology Solutions
1. Protecting Internet communications (Encryption)
2. Securing channels of communication (SSL, S-HTTP, VPNs)
3. Protecting networks (Firewalls & Proxy Servers)
4. Protecting servers and clients (Operating system & Anti-Virus Software)
Fig. Tools Available to Achieve Site Security
1. Protecting Internet communications (Encryption):
• The process of transforming plain text or data into cipher text that cannot be read
by anyone outside of the sender and the receiver.
• The purpose of encryption is:
(a) to secure stored information and
(b) to secure information transmission.
• Cipher text is text that has been encrypted and thus cannot be read by anyone
besides the sender and the receiver.
• Provides:
– Message integrity
– Non-repudiation
– Authentication
– Confidentiality
Encryption is done in two types:
i. Symmetric key encryption
ii. Public key encryption
1. Symmetric key encryption:
In symmetric key encryption (secret key encryption), the sender and the
receiver use the same key to encrypt and decrypt the message. Data Encryption
Standard (DES) is the most widely used symmetric key encryption, developed by
the National Security Agency (NSA) and IBM. It uses a 56-bit encryption key.
2. Public key encryption:
• Solves symmetric key encryption problem of having to
exchange secret key
• Uses two mathematically related digital keys – public key
(widely disseminated) and private key (kept secret by owner)
• Both keys are used to encrypt and decrypt a message
• Once a key is used to encrypt a message, the same key cannot be used
to decrypt that message
• For example, sender uses recipient’s public key to encrypt message;
recipient uses his/her private key to decrypt it.
Fig. Sample public key encryption
Public Key Encryption using Digital Signatures, Hash Digests and Digital Envelopes
• Digital signature is a “signed” cipher text that can be sent over the
Internet.
• Hash function uses an algorithm that produces a fixed-length number
called a hash or message digest.
• Digital envelope is a technique that uses symmetric encryption for large
documents, but public key encryption to encrypt and send the symmetric
key.
Fig. Public key cryptography with digital signatures
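The hash digest and digital signature described above, as an added example that is not part of the original notes. It uses Node.js's built-in crypto module with SHA-256 and RSA-PSS (choices assumed here); the order string and function names are constructed for illustration.

```javascript
// Added example: hash digest + digital signature with Node.js built-in crypto.
const nodeCrypto = require('crypto');

// Constructed sample order message; not from the original notes.
const ORDER = 'order=1042;item=laptop;amount=899.00;ship_to=Alice';
const PSS = { padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING };

// A signer's key pair: the private key signs, the public key verifies.
function makeSigner() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Hash function: the digest has a fixed length whatever the message length.
function digestOf(message) {
  return nodeCrypto.createHash('sha256').update(message).digest('hex');
}

// crypto.sign hashes the message with SHA-256 and signs that digest
// with the sender's private key.
function signMessage(message, privateKey) {
  return nodeCrypto.sign('sha256', Buffer.from(message), { key: privateKey, ...PSS });
}

// Anyone holding the sender's public key can check the signature.
function verifyMessage(message, signature, publicKey) {
  return nodeCrypto.verify('sha256', Buffer.from(message), { key: publicKey, ...PSS }, signature);
}

function signatureDemo() {
  const sender = makeSigner();
  const impostor = makeSigner();
  const signature = signMessage(ORDER, sender.privateKey);
  const tampered = ORDER.replace('899.00', '8.99'); // altered in transit
  return {
    digestHexLength: digestOf(ORDER).length,
    digestChanged: digestOf(ORDER) !== digestOf(tampered),
    genuineAccepted: verifyMessage(ORDER, signature, sender.publicKey),
    tamperedAccepted: verifyMessage(tampered, signature, sender.publicKey),
    wrongKeyAccepted: verifyMessage(ORDER, signature, impostor.publicKey),
  };
}

console.log(signatureDemo());
```

A signature that verifies only against the sender's public key gives integrity (the altered order is rejected) and non-repudiation (only the private-key holder could have produced it).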
Digital Envelopes:
• Addresses weaknesses of public key encryption (computationally
slow, decreases transmission speed, increases processing time) and
symmetric key encryption (faster, but more secure).
• Uses symmetric key encryption to encrypt document but public key
encryption to encrypt and send symmetric key
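A digital envelope built as described above, as an added example that is not part of the original notes. It uses Node.js's built-in crypto module with AES-256-GCM as the symmetric cipher (in place of the DES named earlier) and RSA-OAEP to wrap the key; the sample document and function names are constructed for illustration.

```javascript
// Added example: digital envelope = symmetric cipher for the document,
// public key encryption for the symmetric key.
const nodeCrypto = require('crypto');

// Constructed sample document (28,000 bytes); not from the original notes.
const DOCUMENT = Buffer.from('Invoice #1042\n'.repeat(2000));
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function newKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt the document with a one-time symmetric key, then encrypt
// that key with the recipient's public key.
function sealEnvelope(document, recipientPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32); // AES-256 key
  const iv = nodeCrypto.randomBytes(12);         // fresh nonce per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(document), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: recover the symmetric key with the private key, then decrypt.
function openEnvelope(env, recipientPrivateKey) {
  const sessionKey = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, env.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Helper: true when the given operation throws.
function fails(fn) {
  try { fn(); return false; } catch (err) { return true; }
}

function envelopeDemo() {
  const recipient = newKeyPair();
  const outsider = newKeyPair();
  const env = sealEnvelope(DOCUMENT, recipient.publicKey);
  return {
    wrappedKeyBytes: env.wrappedKey.length,
    ciphertextBytes: env.ciphertext.length,
    roundTrip: openEnvelope(env, recipient.privateKey).equals(DOCUMENT),
    outsiderFails: fails(() => openEnvelope(env, outsider.privateKey)),
    // RSA-OAEP with a 2048-bit key accepts at most 190 bytes of input.
    rsaAloneFails: fails(() => nodeCrypto.publicEncrypt({ key: recipient.publicKey, ...OAEP }, DOCUMENT)),
  };
}

console.log(envelopeDemo());
```

Only the 32-byte session key goes through the slow public key operation; the 28,000-byte document is handled entirely by the symmetric cipher.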
Public Key Cryptography: Creating a Digital Envelope
Digital Certificates and Public Key Infrastructure (PKI):
A digital certificate is a digital document issued by a certification authority.
• Digital certificate includes:
– Name of subject/company
– Subject’s public key
– Digital certificate serial number
– Expiration date
– Issuance date
– Digital signature of certification authority (trusted
third party institution) that issues certificate
– Other identifying information
• Public Key Infrastructure (PKI): refers to the CAs and
digital certificate procedures that are accepted by all parties
Fig. Digital Certificates and Certification Authorities
Limits to Encryption Solutions:
■ Doesn’t protect storage of private key
❖ PKI not effective against insiders, employees
❖ Protection of private keys by individuals may be haphazard
■ No guarantee that verifying computer of merchant is secure
■ CAs are unregulated, self-selecting organizations
2. Securing channels of communication (SSL, S-HTTP, VPNs):
a. Secure Sockets Layer (SSL):
Most common form of securing channels of communication; used to
establish a secure negotiated session (client-server session in which
URL of requested document, along with contents, is encrypted)
b. S-HTTP:
Alternative method; provides a secure message-oriented
communications protocol designed for use in conjunction with HTTP
c. Virtual Private Networks (VPNs):
Allow remote users to securely access internal networks via the
Internet, using Point-to-Point Tunneling Protocol (PPTP).
Fig. Secure Negotiated Sessions Using SSL
3. Protecting networks (Firewalls & Proxy Servers):
i. Firewalls are software applications that act as a filter between a company’s
private network and the Internet itself and use a security policy to filter packets.
Firewall methods include:
- Packet filters
- Application gateways
ii. Proxy server is a software server that handles all communications
originating from or being sent to the Internet, acting as a spokesperson or
bodyguard for the organization.
Fig. Firewalls and Proxy Servers
4. Protecting servers and clients:
• Operating system controls allow for the authentication of the user and
access controls to files, directories, and network paths.
• Anti-virus software is the easiest and least expensive way to prevent
threats to system integrity.
Policies, Procedures, and Laws:
Developing an e-commerce security plan:
• Perform a risk assessment
• Develop a security policy
• Develop an implementation plan
• Create a security organization
• Perform a security audit.
Fig. Policies, Procedures & Law: Developing an E-Commerce Security Plan