
Web Security For E-Commerce

Submitted by Piyush Mittal, Department of Computer Science, NIT Rourkela

Introduction to e-commerce
E-Commerce (Electronic Commerce) is any form of business transaction in which the parties interact electronically over the Internet rather than by physical exchange or contact. It is the use of electronic communications and digital information processing technology in business transactions to create, transform, and redefine relationships for value creation among organizations, and between organizations and individuals.

EVOLUTION OF TECHNOLOGIES

EFT (Electronic Fund Transfer)
Electronic transmission of account exchange information over private communications networks.

EDI (Electronic Data Interchange)
EDI occurs when one business transmits computer-readable data in a standard format to another business.

Web Concepts for E-Commerce
Client/Server Applications (request/response)
Communication Channels (internet, intranet, extranet)
TCP/IP (protocol suites)

E-Commerce: Challenges
Trusting others electronically
E-Commerce infrastructure
Security threats: the real threats and the perceptions
Network connectivity and availability issues
Better architecture and planning
Global economy issues
Flexible solutions

E-Commerce: Challenges (continued)
Trusting others electronically:
Authentication
Handling of private information
Message integrity
Digital signatures and non-repudiation
Access to timely information

Information Security Threats
Internet Cryptography Techniques
Transport Layer Security
Application Layer Security
Server Proxies and Firewalls

Purpose of Cryptography
Secure stored information, so that it stays protected even if an unauthorized party gains access to it.
Secure transmitted information, so that it stays protected even if the transmission has been monitored.

Cryptographic Services

Cryptographic services allow:

Digital Signatures
Sign messages to validate the source and integrity of the contents.

Digital Envelopes
Secure delivery of secret keys.

Message Digests
A short bit-string hash of a message.

Certificates (Digital IDs)
Used to authenticate users, web sites, public keys of a public/private pair, and information in general.
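The three services above (digest, signature, envelope) worked through in one toy program; this is an added example, not code from the slides. It assumes a deliberately small textbook RSA key built from two Mersenne primes and a hash-based XOR stream cipher standing in for the symmetric cipher, so it illustrates the mechanics only and is not a substitute for a vetted library.

```python
"""Toy demonstration of message digest, digital signature and digital envelope.
Key size and cipher are simplified on purpose; real systems use a vetted library."""
import hashlib
import os

# Constructed RSA key pair from two Mersenne primes (~150-bit modulus, toy size).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent


def digest(message: bytes) -> bytes:
    """Message digest: a short, fixed-length hash of an arbitrary message."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, priv_exp: int = D) -> int:
    """Digital signature: the sender applies its private key to the digest."""
    h = int.from_bytes(digest(message), "big") % N   # textbook RSA, no padding
    return pow(h, priv_exp, N)


def verify(message: bytes, signature: int, pub_exp: int = E) -> bool:
    """Anyone holding the public key checks source and integrity at once."""
    h = int.from_bytes(digest(message), "big") % N
    return pow(signature, pub_exp, N) == h


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(message: bytes) -> tuple:
    """Digital envelope: message under a fresh session key, plus that key
    encrypted with the recipient's public key so only they can unwrap it."""
    session_key = os.urandom(16)                  # 128-bit key, fits under N
    wrapped_key = pow(int.from_bytes(session_key, "big"), E, N)
    return wrapped_key, _keystream_xor(session_key, message)


def open_envelope(wrapped_key: int, ciphertext: bytes) -> bytes:
    """Recipient recovers the session key with its private key, then the message."""
    session_key = pow(wrapped_key, D, N).to_bytes(16, "big")
    return _keystream_xor(session_key, ciphertext)
```

Changing a single character of a signed transaction (for example the amount) changes the digest and makes verification fail, which is the integrity property the slide refers to.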

Secure Channels
Encryption can be used to create secure channels over private or public networks.

Secure Protocols
How to communicate securely:
SSL: the web security protocol
IPSEC: the IP layer security protocol
S/MIME: the email security protocol
SET: the credit card transaction security protocol
Others

Secure Sockets Layer (SSL)
Platform and application independent
Operates between the application and transport layers
(Layer diagram: Web Applications (HTTP, NNTP, FTP, Telnet, etc., future apps) sit above SSL, which sits above TCP/IP.)

Secure Sockets Layer (SSL)
Negotiates and employs the essential functions for secure transactions:
Mutual authentication
Data encryption
Data integrity
As simple and transparent as possible

SSL Connection Setup
1. Client sends ClientHello message
2. Server acknowledges with ServerHello message
3. Server sends its certificate
(4. Server requests the client's certificate)
(5. Client sends its certificate)
6. Client sends Client Key Exchange message
(7. Client sends a Certificate Verify message)
9. Both send Finished messages
(Diagram labels: Client (Browser), Server, Session Key, Server Certificate, Server's public key, Client Certificate, Server's private key, Digital envelope, Digital signature. The steps in parentheses occur only when the server requests client authentication.)

Why did SSL Succeed?
Simple solution with many applications: e-business and e-commerce
No change in operating systems or network stacks: very low overhead for deployment
Focuses on the weak link, the open wire, not trying to do everything for everyone
Solution to authentication, privacy and integrity problems, avoiding classes of attacks

Application Layer Security
Secure Electronic Transactions (SET)
Digital Payment Systems: CyberCash, DigiCash
Pretty Good Privacy (PGP): used to secure e-mail
These are the applications the sender and receiver use to obtain secure communication.

Secure Electronic Transactions
Cryptographic protocol
Developed by Visa, Mastercard, Netscape, and Microsoft
Used for credit card transactions on the Web
Provides:
Authentication of all parties in the transaction
Confidentiality: the transaction is encrypted to foil eavesdroppers
Message integrity: not possible to alter the account number or transaction amount
Linkage: attachments can only be read by a 3rd party if necessary

Secure Electronic Transactions
The SET protocol supports all features of the credit card system:
Cardholder registration
Merchant registration
Purchase requests
Payment authorizations
Funds transfer (payment capture)
Credits
Credit reversals
Debit card transactions
SET can manage:
real-time and batch transactions
installment payments

Securing Private Networks
Minimize external access to the LAN
Done by means of firewalls and proxy servers
Firewalls provide a secure interface between an inner trusted network and an outer untrusted network: every packet to and from the inner and outer network is processed
Firewalls require hardware and software to implement
Three main hardware architectures:
dual-homed host
screened gateway
screened subnet gateway

Dual Homed Gateway
(Diagram: a dual-homed gateway host (bastion) running proxies sits between the Local Area Network (private net) and the outside Internet.)

Screened Host Gateway
(Diagram: a router facing the Internet allows traffic only to and from the gateway host (bastion) running proxies, which in turn connects to the Local Area Network; private net on one side, outside on the other.)

Screened Subnet Gateway
(Diagram: two routers bound a Demilitarized Zone containing the Web Server and the gateway host (bastion); the LAN (private net) sits behind the inner router and the Internet beyond the outer router.)

Securing Private Networks
The software used consists of proxies and filters that allow or deny network traffic access to either network.
Proxy programs:
application-level
circuit-level
Filters:
packet filtering
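A small stateless packet filter for the screened subnet gateway described on the preceding slides, as an added example (not code from the slides or from any firewall product). Addresses, the web server and bastion hosts, and the proxy port are constructed; the rule table shows how a default-deny filter keeps the outside from reaching the LAN directly while still serving the web server in the DMZ.

```python
"""Toy stateless packet filter for the screened-subnet (DMZ) architecture.
All addresses, hosts and ports below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")          # matches every source/destination
DMZ = ipaddress.ip_network("192.0.2.0/24")       # screened subnet between the routers
LAN = ipaddress.ip_network("10.0.0.0/8")         # private network behind the inner router
WEB_SERVER = ipaddress.ip_address("192.0.2.10")  # public web server placed in the DMZ
BASTION = ipaddress.ip_address("192.0.2.1")      # gateway host running the proxies
PROXY_PORT = 3128                                 # constructed proxy listener port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Ordered rule table: (action, source, destination, protocol, allowed ports).
# First matching rule wins; anything unmatched falls through to deny.
RULES = [
    ("allow", ANY, WEB_SERVER, "tcp", {80, 443}),    # outside reaches only the web server
    ("allow", LAN, BASTION, "tcp", {PROXY_PORT}),    # inside hosts talk to the proxy
    ("allow", BASTION, ANY, "tcp", {80, 443}),       # proxy fetches on their behalf
    ("deny", DMZ, LAN, "any", None),                 # a compromised DMZ host gets no path inward
    ("deny", ANY, LAN, "any", None),                 # no direct path from outside to the LAN
]


def _matches(addr: str, target) -> bool:
    """Match a single host (IPv4Address) exactly, or a network by membership."""
    ip = ipaddress.ip_address(addr)
    if isinstance(target, ipaddress.IPv4Address):
        return ip == target
    return ip in target


def filter_packet(pkt: Packet) -> str:
    """Decide 'allow' or 'deny' for one packet by walking the rule table."""
    for action, src, dst, proto, ports in RULES:
        if not (_matches(pkt.src, src) and _matches(pkt.dst, dst)):
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return action
    return "deny"   # default deny: only explicitly allowed traffic passes
```

A real firewall also tracks connection state so that replies to allowed requests pass; this toy filter judges each packet on its own.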

Conclusion
Electronic commerce is growing rapidly. A number of technologies have converged to facilitate the proliferation of e-commerce. E-commerce is more secure than most business we conduct every day and is getting better every minute. Knowing the various hacking techniques used on the Internet and having built an e-commerce package.

