
UNIT 4: Network Security: E-Commerce Perspective

This document provides an outline for a course on network security and e-commerce. It discusses key learning objectives like understanding common security practices, network attacks, and technologies for securing e-commerce networks and communications. The course topics include client/server security, firewalls, cryptography, digital signatures, certificates and authentication. It also covers security issues from the perspectives of users and companies, and types of threats like social engineering, denial of service attacks, and malware.

UNIT 4: Network Security: E-Commerce Perspective
BBA 6th Semester, Prime College

Hem Sagar Pokhrel
Faculty Member, Computer Science & IT department
Prime College, Kathmandu
9843410129, 9803082585

Learning Objectives

1. Document the trends in computer and network security attacks.
2. Describe the common security practices of businesses of all sizes.
3. Understand the basic elements of EC security.
4. Explain the basic types of network security attacks.
5. Describe common mistakes that organizations make in managing security.
6. Discuss some of the major technologies for securing EC communications.
7. Detail some of the major technologies for securing EC network components.
Prepared by Hem Sagar Pokhrel, Lecturer
E-Commerce, Prime College
Course outline:

• Introduction to Network Security (Client-Server Security and Data-Message Security)
• Client/Server Security
• Firewalls and its Types
• Data and Message Security (Private or Secret and Public Key Cryptography)
• Digital Signature
• Digital Certificate
• Certificate Authority
• Third Party Authentication, SSL, VPN, SET.

Introduction to Network Security

• A network security threat is defined as a circumstance or condition with the potential to cause economic hardship to data or network resources in the form of destruction, disclosure, modification of data, denial of service, and/or fraud, waste, and abuse.
• The discussion of security concerns in electronic commerce can be divided into two broad types:
1. Client Server Security
2. Data and Transaction Security

Client/server security

• Client/server security uses various authorization methods to make sure that only valid users and programs have access to information resources such as databases.
• Access control mechanisms must be set up to ensure that properly authenticated users are allowed access only to those resources that they are entitled to use.
• Such mechanisms include password protection, encrypted smart cards, biometrics, and firewalls.

Data and transaction security

• Data and transaction security ensures the privacy and confidentiality in electronic messages and data packets, including the authentication of remote users in network transactions for activities such as on-line payments.
• The goal is to defeat any attempt to assume another identity while involved with electronic mail or other forms of data communication.
• Preventive measures include data encryption using various cryptographic methods.

The Continuing Need for E-Commerce Security

Computer Security Institute (CSI)
Nonprofit organization located in San Francisco, California, that is dedicated to serving and training information, computer, and network security professionals

Computer Emergency Response Team (CERT)
Group of three teams at Carnegie Mellon University that monitor the incidence of cyber attacks, analyze vulnerabilities, and provide guidance on protecting against attacks

Basic Security Issues

• What kinds of security questions arise?
• From the user’s perspective:
  • How can the user be sure that the Web server is owned and operated by a legitimate company?
  • How does the user know that the Web page and form do not contain some malicious or dangerous code or content?
  • How does the user know that the owner of the Web site will not distribute the information the user provides to some other party?

Basic Security Issues

• What kinds of security questions arise?
• From the company’s perspective:
  • How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
  • How does the company know that the user will not try to disrupt the server so that it is not available to others?

Basic Security Issues

• What kinds of security questions arise?
• From both parties’ perspectives:
  • How do both parties know that the network connection is free from eavesdropping by a third party “listening” on the line?
  • How do they know that the information sent back and forth between the server and the user’s browser has not been altered?

Basic Security Issues
authentication
The process by which one entity verifies that another entity is who he, she,
or it claims to be

authorization
The process that ensures that a person has the right to access certain
resources

auditing
The process of collecting information about attempts to access particular
resources, use particular privileges, or perform other security actions
Types of Threats and Attacks

• Nontechnical Attacks: Social Engineering

social engineering
A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access

• A multiprong approach should be used to combat social engineering:
  • Education and training
  • Policies and procedures
  • Penetration testing

Types of Threats and Attacks

technical attack
An attack perpetrated using software and systems knowledge
or expertise
common (security) vulnerabilities and exposures (CVEs)
Publicly known computer security risks, which are collected,
listed, and shared by a board of security-related
organizations (cve.mitre.org)
National Infrastructure Protection Center (NIPC)
A joint partnership under the auspices of the FBI between
governmental and private industry; designed to prevent and
protect the nation’s infrastructure
Types of Threats and Attacks

denial-of-service (DoS) attack
An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources

distributed denial-of-service (DDoS) attack
A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer

Exhibit 11.2: Using Zombies in a Distributed Denial-of-Service Attack

Types of Threats and Attacks

malware
A generic term for malicious software

• A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount:
  • Mixing data and executable instructions
  • Increasingly homogeneous computing environments
  • Unprecedented connectivity
  • Larger clueless user base

Types of Threats and Attacks

As the number of attacks increases, the following trends in malicious code are emerging:
• Increased speed and volume of attacks
• Reduced time between the discovery of a vulnerability and the release of an attack to exploit the vulnerability
• Remotely-controlled bot networks are growing
• E-commerce is the most frequently targeted industry
• Attacks against Web application technologies are increasing
• A large percent of Fortune 100 companies have been compromised by worms

Types of Threats and Attacks

virus
A piece of software code that inserts itself into a host, including
the operating systems, in order to propagate; it requires that its
host program be run to activate it

worm
A software program that runs independently, consuming the
resources of its host in order to maintain itself, that is capable
of propagating a complete working version of itself onto
another machine
Managing EC Security

• Security Risk Management

security risk management
A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks

• Security risk management consists of three phases:
  • Asset identification
  • Risk assessment
  • Implementation

Securing EC Communications

access control
Mechanism that determines who can legitimately use a network resource

passive tokens
Storage devices (e.g., magnetic strips) that contain a secret code used in
a two-factor authentication system

active tokens
Small, stand-alone electronic devices that generate one-time passwords
used in a two-factor authentication system

Securing EC Communications

Biometric systems
Authentication systems that identify a person by
measurement of a biological characteristic, such as
fingerprints, iris (eye) patterns, facial features, or voice

Physiological biometrics
Measurements derived directly from different parts of the
body (e.g., fingerprint, iris, hand, facial characteristics)

Behavioral biometrics
Measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)

Securing EC Communications

Fingerprint scanning
Measurement of the discontinuities of a person’s fingerprint,
which are then converted to a set of numbers that are stored
as a template and used to authenticate identity

Iris scanning
Measurement of the unique spots in the iris (colored part of
the eye), which are then converted to a set of numbers that
are stored as a template and used to authenticate identity

Client/Server Security
Client/Server Network Security

• Client/server network security is one of the biggest headaches system administrators face as they balance the opposing goals of easy user access on one side and site security and confidentiality of local information on the other.
• According to the National Center for Computer Crime Data, computer security violations cost U.S. businesses half a billion dollars each year.
• This is a major concern for commercial organizations, especially top management.
• Use of the Internet for business purposes has raised many new security concerns nowadays.

Client Server Security

Fig: Unprotected Internet Connection

Client/Server Network Security

• By connecting to the Internet, a local network organization may be exposing itself to the entire population on the Internet.
• An Internet connection opens itself to access from other networks comprising the public Internet.
• That being the case, the manager of even the most relaxed organization must pay some attention to security.
• They need to audit all access to the network.
• A system that records all log-on attempts—particularly the unsuccessful ones—can alert managers to the need for stronger measures.
• Where important corporate assets must be made available to remote users, additional measures must be taken.
• Hackers can use password guessing, password trapping, security holes in programs, or common network access procedures to impersonate users and thus pose a threat to the server.

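The log-on auditing point above, as an added example that is not part of the original slides: a small auditor that reads log-on records and flags any source address with repeated failures inside a time window. The record format, the threshold of 5 failures and the 5-minute window are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp result user source_ip" (assumed format).
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.7
2024-03-01T09:00:05 FAIL alice 203.0.113.7
2024-03-01T09:00:09 FAIL bob 203.0.113.7
2024-03-01T09:00:14 FAIL carol 203.0.113.7
2024-03-01T09:00:20 OK dave 198.51.100.4
2024-03-01T09:01:02 FAIL alice 203.0.113.7
2024-03-01T09:05:00 FAIL erin 198.51.100.9
malformed line without enough fields
2024-03-01T09:30:00 FAIL erin 198.51.100.9
2024-03-01T09:30:10 OK erin 198.51.100.9
"""


def parse_line(line):
    """Return (timestamp, result, user, source) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def audit_logons(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with `threshold` or more failed log-ons within `window`.

    Assumes records are in chronological order. Returns (alerts, skipped),
    where alerts maps a source address to details of the first burst seen
    and skipped counts records that could not be parsed.
    """
    recent = defaultdict(deque)  # source -> (timestamp, user) of recent failures
    alerts = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1  # unparsable records are counted, not silently dropped
            continue
        ts, result, user, source = record
        if result != "FAIL":
            continue
        failures = recent[source]
        failures.append((ts, user))
        # Drop failures that have fallen out of the sliding window.
        while failures and ts - failures[0][0] > window:
            failures.popleft()
        if len(failures) >= threshold and source not in alerts:
            alerts[source] = {
                "first_failure": failures[0][0],
                "failures": len(failures),
                "accounts": sorted({u for _, u in failures}),
            }
    return alerts, skipped


if __name__ == "__main__":
    found, bad = audit_logons(SAMPLE_LOG)
    for source, detail in found.items():
        print(source, detail)
    print("unparsed records:", bad)
```

Several accounts failing from one source in a short burst is reported once per source; the two isolated failures for one user 25 minutes apart stay below the threshold.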
Client/Server Network Security

Client–server network security problems manifest themselves in three ways:

• Physical security holes
• Software security holes
• Inconsistent usage holes

Physical Security holes

• Physical security holes result when individuals gain unauthorized physical access to a computer.
• A good example would be a public workstation room, where it would be easy for a wandering hacker to reboot a machine into single-user mode and tamper with the files, if precautions are not taken.
• On the network, this is also a common problem, as hackers gain access to network systems by guessing passwords of various users.

Software Security holes

• Software security holes result when badly written programs or "privileged" software are "compromised" into doing things they shouldn't.
• The most famous example of this category is the "sendmail" hole, which brought the Internet to its knees in 1988.
• A more recent problem was the "rlogin" hole in the IBM RS-6000 workstations, which enabled a cracker (a malicious hacker) to create a "root" shell or superuser access mode.
• This is the highest level of access possible and could be used to delete the entire file system, or create a new account or password file.

Inconsistent usage holes

• Inconsistent usage holes result when a system administrator assembles a combination of hardware and software such that the system is seriously flawed from a security point of view.
• The incompatibility of attempting two unconnected but useful things creates the security hole.
• Problems like this are difficult to isolate once a system is set up and running, so it is better to carefully build the system with them in mind.
• This type of problem is becoming common as software becomes more complex.

Security measures

 At the file level, operating systems typically offer mechanisms such as access
control lists that specify the resources various users and groups are entitled to
access.
 Protection—also called authorization or access control—grants privileges to the
system or resource by checking user-specific information such as passwords.
 The problem in the case of e-commerce is very simple: If consumers connect a
computer to the Internet, they can easily log into it from anywhere that the
network reaches. That's the good news. The bad news is that without proper
access control, anyone else can too.
 Over the years, several protection methods have been developed, including
trust-based security, security through obscurity, password schemes, and biometric
systems.
Trust-Based Security:

• Quite simply, trust-based security means to trust everyone and do nothing extra for protection.
• It is possible not to provide access restrictions of any kind and to assume that all users are trustworthy and competent in their use of the shared network.
• This approach assumes that no one ever makes an expensive breach such as getting root access and deleting all files (a common hacker trick).
• This approach worked in the past, when the system administrator had to worry about a limited threat.
• Today, this is no longer the case.

Security through Obscurity:

• Most organizations in the mainframe era practiced a philosophy known as security through obscurity (STO)—the notion that any network can be secure as long as nobody outside its management group is allowed to find out anything about its operational details and users are provided information on a need-to-know basis.
• Hiding account passwords in binary files or scripts with the presumption that "nobody will ever find them" is a prime case of STO (somewhat like hiding the house key under the doormat and telling only family and friends).
• In short, STO provides a false sense of security in computing systems by hiding information.

Password Schemes:

• One straightforward security solution, a password scheme, erects a first-level barrier to accidental intrusion.
• In actuality, however, password schemes do little about deliberate attack, especially when common words or proper names are selected as passwords.
• For instance, network administrators at a Texas air force base discovered that they could crack about 70 percent of the passwords on their UNIX network with tools resembling those used by hackers.

Password Schemes:

• The simplest method used by most hackers is dictionary comparison—comparing a list of encrypted user passwords against a dictionary of encrypted common words.
• This scheme often works because users tend to choose relatively simple or familiar words as passwords.
• To beat the dictionary comparison method, experts often recommend using mixed-case passwords of at least eight characters containing at least one non-alphanumeric character, and changing passwords every 60 to 90 days.

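The password recommendation above, as an added example that is not part of the original slides: a checker for the slide's composition rule that also rejects passwords built on a common word, plus salted password storage so that one precomputed dictionary of encrypted words cannot be compared against every account. The word list is a constructed sample, and the use of PBKDF2 with 200,000 iterations is an assumption of this example, not something the slides specify.

```python
import hashlib
import hmac
import os

# Constructed sample word list; a real deployment would load a much larger one.
COMMON_WORDS = {"password", "welcome", "dragon", "kathmandu", "letmein"}


def policy_violations(password, common_words=COMMON_WORDS):
    """Return the list of rules from the slide that `password` breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("not mixed case")
    if all(c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    # Strip digits and symbols and lower-case the rest: "Password1!" still
    # reduces to a dictionary word even though it meets the composition rule.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in common_words:
        problems.append("based on a common word")
    return problems


def hash_password(password, salt=None, iterations=200_000):
    """Derive a stored record (salt, iterations, digest) for a password.

    A fresh random salt per account means two users with the same password
    get different digests, so a single precomputed list of encrypted common
    words no longer matches the stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Check a log-on attempt against a stored record in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ("kathmandu", "Password1!", "Tr4il&Ridge"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
    first = hash_password("Tr4il&Ridge")
    second = hash_password("Tr4il&Ridge")
    print("same password, different stored digests:", first[2] != second[2])
    print("verifies:", verify_password("Tr4il&Ridge", first))
```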
Biometric Systems:

• Biometric systems, the most secure level of authorization, involve some unique aspect of a person's body.
• Past biometric authentication was based on comparisons of fingerprints, palm prints, retinal patterns, or on signature verification or voice recognition.
• Biometric systems are very expensive to implement: at a cost of several thousand dollars per reader station, they may be better suited for controlling physical access—where one biometric unit can serve for many workers—than for network or workstation access.
• Many biometric devices also carry a high price in terms of inconvenience (the time taken to verify an access request).

Firewalls and Its Types:

• The most commonly accepted network protection is a barrier—a firewall between the corporate network and the outside world (untrusted network).
• A firewall is a method of placing a device—a computer or a router—between the network and the Internet to control and monitor all traffic between the outside world and the local network.
• Typically, the device allows insiders to have full access to services while granting access from the outside only selectively, based on log-on name, password, IP address or other identifiers, as shown in the figure below.

Fig: Firewall-secured Internet Connection
Firewalls and Its Types:

• In general, a firewall is a protection device to shield vulnerable areas from some form of danger.
• In the context of the Internet, a firewall is a system—a router, a personal computer, a host, or a collection of hosts—set up specifically to shield a site or subnet from protocols and services that can be abused from hosts on the outside of the subnet.
• A firewall system is usually located at a gateway point, such as a site's connection to the Internet, but can be located at internal gateways to provide protection for a smaller collection of hosts or subnets.

Firewalls and Its Types:

• Generally, firewalls operate by screening packets and/or the applications that pass through them, provide controllable filtering of network traffic, allow restricted access to certain applications, and block access to everything else.
• The actual mechanism that accomplishes filtering varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one to block incoming traffic and the other to permit outgoing traffic.
• Some firewalls place a greater emphasis on blocking traffic, and others emphasize permitting traffic.

Types of Firewall (Firewalls in Practice)

• Firewalls range from simple traffic logging systems that record all network traffic flowing through the firewall in a file or database for auditing purposes to more complex methods such as IP packet screening routers, hardened firewall hosts, and proxy application gateways.
• The simplest firewall is a packet-filtering gateway or screening router. Configured with filters to restrict packet traffic to designated addresses, screening routers also limit the types of services that can pass through them.
• More complex and secure are application gateways.

1. IP Packet Screening Routers:

• This is a static traffic routing service placed between the network service provider's router and the internal network.
• The traffic routing service may be implemented at an IP level via screening rules in a router or at an application level via proxy gateways and services.
• The figure below shows a secure firewall with an IP packet screening router.

1. IP Packet Screening Routers:

Fig: Secure firewall with IP packet screening router

• The firewall router filters incoming packets to permit or deny IP packets based on several screening rules.
• These screening rules, implemented in the router, are performed automatically.
• Rules include the target interface to which the packet is routed, the known source IP address, and the incoming packet protocol (TCP, UDP, ICMP).
• ICMP stands for Internet Control Message Protocol, a network management tool of the TCP/IP protocol suite.

Disadvantages

• Although properly configured routers can plug many security holes, they do have several disadvantages.
• First, screening rules are difficult to specify, given the vastly diverse needs of users.
• Second, screening routers are fairly inflexible and do not easily extend to deal with functionality different from that preprogrammed by the vendor.
• Lastly, if the screening router is circumvented by a hacker, the rest of the network is open to attack.

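The screening rules described above (target interface, known source IP address, protocol) and the first disadvantage (rules are difficult to specify), as an added example that is not part of the original slides: a first-match rule evaluator with a default deny, plus a check for rules that can never fire because an earlier rule already covers them. The rule layout, interface names and address ranges are assumptions constructed for illustration and do not reflect any vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    interface: str  # target interface the packet is routed to, "*" = any
    source: str     # known source network in CIDR form
    protocol: str   # "tcp", "udp", "icmp" or "*" = any


@dataclass(frozen=True)
class Packet:
    interface: str
    source: str
    protocol: str


# Constructed rule set (hypothetical interfaces dmz0/lan0, documentation ranges).
RULES = [
    Rule("deny", "*", "10.0.0.0/8", "*"),               # internal range seen from outside
    Rule("permit", "dmz0", "0.0.0.0/0", "tcp"),         # public services in the DMZ
    Rule("permit", "lan0", "198.51.100.0/24", "tcp"),   # known partner network
    Rule("permit", "dmz0", "198.51.100.0/24", "icmp"),  # partner diagnostics
    Rule("permit", "lan0", "10.20.0.0/16", "tcp"),      # mistake: shadowed by rule 0
]


def rule_matches(rule, packet):
    """True when the packet's interface, protocol and source all fit the rule."""
    if rule.interface not in ("*", packet.interface):
        return False
    if rule.protocol not in ("*", packet.protocol.lower()):
        return False
    try:
        return ipaddress.ip_address(packet.source) in ipaddress.ip_network(rule.source)
    except ValueError:
        return False  # an unparsable source address never matches a rule


def screen(packet, rules=RULES):
    """Apply rules in order; the first match decides, anything else is denied."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, packet):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules=RULES):
    """Return (rule index, earlier index) pairs where the later rule is unreachable."""
    shadowed = []
    for j, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.source)
        for i, earlier in enumerate(rules[:j]):
            covers = (
                earlier.interface in ("*", later.interface)
                and earlier.protocol in ("*", later.protocol)
                and later_net.subnet_of(ipaddress.ip_network(earlier.source))
            )
            if covers:
                shadowed.append((j, i))
                break
    return shadowed


if __name__ == "__main__":
    for pkt in (
        Packet("dmz0", "203.0.113.50", "tcp"),
        Packet("lan0", "203.0.113.50", "tcp"),
        Packet("lan0", "10.20.1.1", "tcp"),
    ):
        print(pkt, "->", screen(pkt))
    print("unreachable rules:", shadowed_rules())
```

The last rule was meant to permit an internal subnet but is never reached, which is the kind of ordering mistake that makes screening rules hard to specify correctly.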
2. Proxy Application Gateways:

• A proxy application gateway is a special server that typically runs on a firewall machine.
• Their primary use is access to applications such as the World Wide Web from within a secure perimeter, as shown in the figure below.
• Instead of talking directly to external WWW servers, each request from the client would be routed to a proxy on the firewall that is defined by the user.

2. Proxy Application Gateways:

• The proxy knows how to get through the firewall.
• An application-level proxy makes a firewall safely permeable for users in an organization, without creating a potential security hole through which hackers can get into corporate networks.
• The proxy waits for a request from inside the firewall, forwards the request to the remote server outside the firewall, reads the response, and then returns it to the client.
• In the usual case, all clients within a given subnet use the same proxy.
• This makes it possible for the proxy to execute efficient caching of documents that are requested by a number of clients.
• The proxy must be in a position to filter dangerous URLs and malformed commands.

Fig: Proxy servers on the World Wide Web

3. Hardened Firewall Hosts:

• A hardened firewall host is a stripped-down machine that has been configured for increased security.
• This type of firewall requires inside or outside users to connect to the trusted applications on the firewall machine before connecting further.
• Generally, these firewalls are configured to protect against unauthenticated interactive log-ins from the external world.
• This, more than anything, helps prevent unauthorized users from logging into machines on the network.
• The hardened firewall host method can provide a greater level of audit and security, in return for increased configuration cost and decreased level of service (because a proxy needs to be developed for each desired service).

Most Common Security Threats in the E-commerce Environment

• Malicious code (malware, exploits)
• Drive-by downloads
• Viruses
• Worms
• Ransomware
• Trojan horses
• Backdoors
• Bots, botnets
• Threats at both client and server levels

Most Common Security Threats (cont.)

• Potentially unwanted programs (PUPs)
• Browser parasites
• Adware
• Spyware
• Phishing
• Social engineering
• E-mail scams
• Spear-phishing
• Identity fraud/theft

Most Common Security Threats (cont.)

• Hacking
• Hackers vs. crackers
• Types of hackers: White, black, grey hats
• Hacktivism
• Cybervandalism:
• Disrupting, defacing, destroying Web site
• Data breach
• Losing control over corporate information to outsiders

Most Common Security Threats (cont.)

• Credit card fraud/theft
• Spoofing
• Spam (junk) Web sites (link farms)
• Identity fraud/theft
• Denial of service (DoS) attack
• Hackers flood site with useless traffic to overwhelm network
• Distributed denial of service (DDoS) attack

Most Common Security Threats (cont.)

 Sniffing
 Eavesdropping program that monitors information traveling
over a network
 Insider attacks
 Poorly designed server and client software
 Social network security issues
 Mobile platform security issues
 Vishing, smishing, madware
 Cloud security issues
Definitions

• Cryptology
  • The branch of mathematics encompassing both cryptography and cryptanalysis is cryptology.
• Cryptography
  • The science of coding and decoding messages so as to keep these messages secure. Coding (see encryption) takes place using a key that ideally is known only by the sender and intended recipient of the message.
• Cryptanalysis
• Cryptosystem
• Steganography
  • Steganography is the science of hiding information.

Encryption Techniques for Data and Message Security (Private and Public Key Cryptography)

• The success or failure of an e-commerce operation depends on different key factors, including but not limited to the business model, the team, the customers, the investors, the product, and the security of data transmissions and storage.
• Data security has taken on heightened importance since a series of high-profile "cracker" attacks humbled popular Web sites and resulted in the impersonation of employees for the purposes of digital certification and the misuse of credit card numbers of customers at business-to-consumer e-commerce destinations.
• Technologists are building new security measures while others are working to crack the security systems. One of the most effective means of ensuring data security and integrity is encryption.
• Cryptography is the method of encrypting messages so that unauthorized parties cannot read them.

Cryptography is everywhere

• Secure communication:
  • Web traffic: HTTPS
  • Wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth
• Encrypting files on disk: EFS, TrueCrypt
• Content protection (e.g. DVD, Blu-ray): CSS, AACS
• User authentication
and much, much more.

History of Cryptography

• The first known evidence of the use of cryptography (in some form) was found in an inscription carved around 1900 BC, in the main chamber of the tomb of the nobleman Khnumhotep II, in Egypt.
• Around 400 B.C., the Spartans used a system of encrypting information by writing a message on a sheet of paper.
• Around 100 B.C., Julius Caesar was known to use a form of encryption to convey secret messages to his army generals posted at the war front.
• During the 16th century, Vigenere designed a cipher that was supposedly the first cipher which used an encryption key.
• At the start of the 19th century when everything became electric, Hebern designed an electro-mechanical contraption which was called the Hebern rotor machine.

Ciphers

In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment.

Encryption

• Encryption is a generic term that refers to the act of encoding data, in this context so that those data can be securely transmitted via the Internet.
• Encryption can protect the data at the simplest level by preventing other people from reading the data.
• Encryption technologies can help in other ways as well:
  • establishing the identity of users (or abusers);
  • controlling the unauthorized transmission or forwarding of data;
  • verifying the integrity of the data (i.e., that it has not been altered in any way); and
  • ensuring that users take responsibility for data that they have transmitted.

Encryption (cont.)

• Encryption can therefore be used either to keep communications secret (defensively) or to identify people involved in communications (offensively).
• Encryption provides the following security services:
  • Message integrity: provides assurance that the message has not been altered.
  • Non-repudiation: prevents the user from denying that he/she sent the message.
  • Authentication: verifies the identity of the person (or machine) sending the message.
  • Confidentiality: gives assurance that the message was not read by others.
• There are two types of encryption:
  • symmetric key encryption and
  • asymmetric key encryption.
• Symmetric key and asymmetric key encryption are used, often in conjunction, to provide a variety of security functions for data and message security in e-commerce.

CRYPTOSYSTEMS & CRYPTOGRAPHY METHODS

A cryptosystem is a suite of cryptographic algorithms needed to implement a particular security service, most commonly for achieving confidentiality (encryption). Typically, a cryptosystem consists of three algorithms: one for key generation, one for encryption, and one for decryption.

1. Symmetric Key Cryptography
  • Same key for encryption and decryption
  • Key distribution problem
2. Asymmetric Key Cryptography
  • Key pairs for encryption and decryption
  • Public and private keys

Symmetric Cryptosystem

• It is also called Secret Key Cryptography.
• A single key is used to both encrypt and decrypt.
• The key must be known to both parties.

Fig: Symmetric Cryptosystem (Original Plaintext → Encryption → Ciphertext → Decryption → Plaintext, with one Key)

Symmetric Key Encryption (Private or Secret Key Encryption):

• Encryption algorithms that use the same key for encrypting and for decrypting information are called symmetric-key algorithms.
• The symmetric key is also called a secret key because it is kept as a shared secret between the sender and receiver of information. Otherwise, the confidentiality of the encrypted information is compromised.
• The figure below shows basic symmetric key encryption and decryption.

Private Key Encryption..

• Symmetric key technology is generally used to provide secrecy for the bulk encryption and decryption of information.
• Symmetric key encryption is much faster than public key encryption, often by 100 to 1,000 times.

Fig: Encryption and Decryption with a Symmetric Key

Public Key Cryptosystem

• Public key cryptography is a scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private key (secret key) for decryption.

Fig: Symmetric Key Cryptosystem

Public Key Encryption..

• Encryption algorithms that use different keys for encrypting and decrypting information are most often called public-key algorithms but are sometimes also called asymmetric key algorithms.
• Public key encryption requires the use of both a private key (a key that is known only to its owner) and a public key (a key that is available to and known to other entities on the network).
• A user's public key, for example, can be published in the directory so that it is accessible to other people in the organization.
• The two keys are different but complementary in function.
• Information that is encrypted with the public key can be decrypted only with the corresponding private key of the set.

Alice wants to send a message to Bob securely.

Fig: Alice and Bob, with Bob's Public Key and Bob's Private Key

Public Key Cryptography
How it works?

Fig: Bob's Public Key and Bob's Private Key

• Alice gets the public key of Bob and encrypts the message with it.
• Alice sends the encrypted message via the public network.
• Now, only Bob will be able to

Public Key Encryption..
• Today, public key encryption plays an increasingly important role in providing strong, scalable security on intranets and the Internet.

Fig: Encryption and Decryption with Asymmetric Keys

Simply,

• Private keys are used for decrypting.
• Public keys are used for encrypting.

plaintext → encryption (public key) → ciphertext
ciphertext → decryption (private key) → plaintext

Public Key Encryption..

• Public key encryption is commonly used to perform the following functions:
  1. Encrypt symmetric secret keys to protect the symmetric keys during exchange over the network.
  2. Create digital signatures to provide authentication and non-repudiation for online entities.
  3. Create digital signatures to provide data integrity for electronic files and documents.
• Algorithms that use public key encryption methods include RSA and Diffie-Hellman.

COMMON TYPES OF CRYPTOGRAPHIC ATTACKS

Brute force
• Trying all key values in the keyspace.

Chosen Ciphertext
• Decrypt known ciphertext to discover key.

Dictionary Attack
• Find plaintext based on common words.

Frequency Analysis
• Guess values based on frequency of occurrence.

Common Cryptosystems
a. RSA Algorithm

• RSA is the most commonly used public key algorithm, although it is vulnerable to attack.
• Named after its inventors, Ron Rivest, Adi Shamir and Len Adleman, of MIT, RSA was first published in 1978.
• It is used for encryption as well as for electronic signatures (discussed later). RSA lets you choose the size of your public key.
• The 512-bit keys are considered insecure or weak.
• The 768-bit keys are secure from everything but 1024-bit keys are secure from virtually anything.

b. Data Encryption Standards (DES)

• DES was developed by IBM in 1974 in response to a public solicitation from the US Department of Commerce.
• It was adopted as a US federal standard in 1977 and as a financial industry standard in 1981.
• DES uses a 56-bit key to encrypt.

c. 3DES

• A stronger version of DES, called 3DES or Triple DES, uses three 56-bit keys to encrypt each block.
• The first key encrypts the data block, the second key decrypts the data block, and the third key encrypts the same data block again.
• The 3DES version requires a 168-bit key that makes the process quite secure and much safer than plain DES.

d. RC4

• RC4 was designed by Ron Rivest of RSA Data Security Inc.
• This variable-length cipher is widely used on the Internet as the bulk encryption cipher in the SSL protocol, with key length ranging from 40 to 128 bits.
• RC4 has a reputation of being very fast.

e. IDEA

• IDEA (International Data Encryption Algorithm) was created in Switzerland in 1991.
• It offers very strong encryption using a 128-bit key to encrypt 64-bit blocks.
• This system is widely used as the bulk encryption cipher in older versions of Pretty Good Privacy (PGP).

DIGITAL SIGNATURES
Message-Digest Algorithms

• It maps a variable-length input message to a fixed-length output digest (i.e., a message fingerprint).
• It is not feasible to determine the original message based on its digest.
• It is impossible to find an arbitrary message that has a desired digest.
• It is infeasible to find two messages that have the same digest.

Message-Digest How to

• A hash function is a math equation that creates a message digest from a message.
• A message digest is used to create a unique digital signature from a particular document.
• MD5 example

Fig: Original Message (Document, E-mail) → Hash Function → Digest

Message Digest Demo

Message-Digest

Message-Digest Algorithm        Digest Length (bits)
MD2                             128
MD4                             128
MD5                             128
Secure Hash Algorithm (SHA)     160

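The digest properties and lengths listed above can be checked directly; the following Python sketch is an added example, not part of the original slides, and its sample messages are constructed. MD5 and SHA-1 appear only because they are the algorithms in the table: practical collisions have been demonstrated for both, so new designs use SHA-256 or stronger.

```python
import hashlib

# Digest lengths in bits as listed in the table above (MD2 and MD4 are left
# out because Python's hashlib does not guarantee they are available).
EXPECTED_BITS = {"md5": 128, "sha1": 160}

# Constructed sample inputs: a short payment instruction and a 1 MB document.
SHORT = b"PAY 100 NPR TO BOB"
LONG = b"A" * 1_000_000


def digest(algorithm: str, message: bytes) -> bytes:
    """Return the raw message digest of `message` under `algorithm`."""
    return hashlib.new(algorithm, message).digest()


def digest_bits(algorithm: str, message: bytes) -> int:
    """Digest length in bits; it does not depend on the message length."""
    return len(digest(algorithm, message)) * 8


def flipped_bits(algorithm: str, message: bytes) -> int:
    """Flip a single input bit and count how many digest bits change."""
    altered = bytes([message[0] ^ 0x01]) + message[1:]
    before, after = digest(algorithm, message), digest(algorithm, altered)
    return sum(bin(x ^ y).count("1") for x, y in zip(before, after))


def fingerprint_matches(algorithm: str, message: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare it with the stored one."""
    return hashlib.new(algorithm, message).hexdigest() == expected_hex


if __name__ == "__main__":
    for algo in EXPECTED_BITS:
        print(algo,
              "short:", digest_bits(algo, SHORT), "bits,",
              "long:", digest_bits(algo, LONG), "bits,",
              "one flipped input bit changes", flipped_bits(algo, SHORT), "digest bits")
```
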
DIGITAL SIGNATURES

• A digital signature is a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form.
• It is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged.
• Digital signature schemes normally give two algorithms, one for signing which involves the user's secret or private key, and one for verifying signatures which involves the user's public key. The output of the signature process is called the "digital signature."
• Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped.
• The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.

How digital Signature works?

Fig: User A uses A's private key to sign the document and transmits it via the Internet. User B receives the document with the signature attached and verifies the signature with A's public key stored at the directory.

DS PROCESSES
• The use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature:
  1. Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key.
  2. Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.

DIGITAL SIGNATURE CREATION

• One possible method for creating a digital signature is for the originator of
data to create the signature by encrypting all of the data with the originator's
private key and enclosing the signature with the original data.
• Anyone with the originator's public key can decrypt the signature and
compare the decrypted message to the original message.
• Because only someone with the private key can create the signature, the
integrity of the message is verified when the decrypted message matches the
original.
• If an intruder alters the original message during transit, the intruder cannot
also create a new valid signature.
• If an intruder alters the signature during transit, the signature does not verify
properly and is invalid.
DIGITAL SIGNATURES CREATION..

• However, encrypting all data to provide a digital signature is impractical for the following two reasons:
  ◦ The ciphertext signature is the same size as the corresponding plaintext, so message sizes are doubled, consuming large amounts of bandwidth and storage space.
  ◦ Public key encryption is slow and places heavy computational loads on computer processors.

DIGITAL SIGNATURE CREATION..

• The most common types of digital signatures today are created by signing message digests with the originator's private key to create a digital thumbprint of the message.
• Because only the message digest is signed, the signature is usually much shorter than the data that was signed.
• Therefore, digital signatures place a relatively low load on computer processors during the signing process and consume insignificant amounts of bandwidth.
• Two of the most widely used digital signature algorithms today are the RSA digital signature process and the Digital Signature Algorithm (DSA).

Fig: Digital Signature Generation and Verification (Message Sender: Message → Hash function → Digest → Encryption with Private Key → Signature; Message Receiver: Message → Hash function → Digest, and Signature → Decryption with Public Key → Expected Digest)

DIGITAL SIGNATURE CREATION..

• In the RSA digital signature process, the private key is used to encrypt only the message digest. The encrypted message digest becomes the digital signature and is attached to the original data. The figure below illustrates the basic RSA Data Security digital signature process.

Fig: Basic RSA Data Security Digital Signature Process

DIGITAL SIGNATURE VERIFICATION..

• To verify the contents of digitally signed data, the recipient generates a new message digest from the data that was received, decrypts the original message digest with the originator's public key, and compares the decrypted digest with the newly generated digest.
• If the two digests match, the integrity of the message is verified.
• The identification of the originator also is confirmed because the public key can decrypt only data that has been encrypted with the corresponding private key.

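The digest-then-sign creation and the verification steps described above, as an added Python example that is not part of the original slides. Assumptions: a toy key built from two Mersenne primes, SHA-256 as the digest in place of MD5 or SHA, a constructed sample order, and unpadded textbook RSA; production signatures use randomly generated keys and a padding scheme such as PKCS#1 v1.5 or PSS.

```python
import hashlib

# Toy RSA key (assumption for illustration only). Two well-known Mersenne
# primes avoid the need for a key generator; primes of this special form
# and unpadded RSA must never be used to protect real data.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, known only to the signer
SIG_BYTES = (N.bit_length() + 7) // 8   # every signature is this long (81 bytes)

# Constructed sample message.
ORDER = b"Order 1001: pay NPR 5,000 to Prime Books"


def digest_as_int(message: bytes) -> int:
    """Hash the message and read the 256-bit digest as an integer below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> bytes:
    """Signer: apply the private key to the digest only, not to the whole message."""
    signature = pow(digest_as_int(message), D, N)
    return signature.to_bytes(SIG_BYTES, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Receiver: recompute the digest, recover the signed digest with the
    public key, and accept only if the two digests match."""
    if len(signature) != SIG_BYTES:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return pow(s, E, N) == digest_as_int(message)


def tamper_message(message: bytes) -> bytes:
    """Simulate an alteration in transit: change the amount in the order."""
    return message.replace(b"5,000", b"50,000")


def tamper_signature(signature: bytes) -> bytes:
    """Simulate an alteration in transit: flip one bit of the signature."""
    return signature[:-1] + bytes([signature[-1] ^ 0x01])


if __name__ == "__main__":
    sig = sign(ORDER)
    print("signature bytes:", len(sig))
    print("genuine message verifies:", verify(ORDER, sig))
    print("altered message verifies:", verify(tamper_message(ORDER), sig))
    print("altered signature verifies:", verify(ORDER, tamper_signature(sig)))
    print("1 MB message signature bytes:", len(sign(b"x" * 1_000_000)))
```

The signature stays at 81 bytes whether the message is 40 bytes or 1 MB, which is the size and speed advantage the slides give for signing the digest instead of the whole message.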
DIGITAL CERTIFICATE & CERTIFICATION AUTHORITY
DIGITAL CERTIFICATE

• Electronic credentials that are used to assert the online identities of individuals, computers, and other entities on a network.
• Function similarly to identification cards such as passports and driver's licenses.
• Most commonly they contain a public key and the identity of the owner.
• They are issued by certification authorities (CAs) that must validate the identity of the certificate-holder both before the certificate is issued and when the certificate is used.
• Common uses include business scenarios requiring authentication, encryption, and digital signing.

DIGITAL CERTIFICATE

• Based on the X.509v3 certificate standard.
• X.509v3 stands for version 3 of the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) recommendation X.509 for certificate syntax and format.
• Typically, digital certificates contain the following information:
  ◦ The subject's public key value
  ◦ The subject's identifier information, such as the name and email address
  ◦ The validity period (the length of time that the certificate is considered valid)
  ◦ Issuer identifier information
  ◦ The digital signature of the issuer, which attests to the validity of the binding between the subject's public key and the subject's identifier information

PROCESS TO OBTAIN DIGITAL CERTIFICATE
• You can obtain a certificate for your business from commercial CAs.
• The issuing entities of commercial CAs provide certificates at a cost.
• A user can generate a key pair of their own, generate a Certificate Signing Request (CSR), and then send the CSR to the issuing CA for a certificate.
• The CSR contains the public key of the user and user identity information in a format that issuing CAs would normally expect, as shown in the figure above.

CERTIFICATION AUTHORITY (CA)

• A Certificate Authority (CA) is a trusted institution/agent who issues digital certificates that contain a public key and the identity of the owner.
• The matching private key is not made available publicly, but kept secret by the end user who generated the key pair.
• The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate.
• A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates.

CERTIFICATION AUTHORITY (CA)

• CAs use a variety of standards and tests to do so. In essence, the Certificate Authority is responsible for saying "yes, this person is who they say they are, and we, the CA, verify that".
• If the user trusts the CA and can verify the CA's signature, then he can also verify that a certain public key does indeed belong to whoever is identified in the certificate.
• Browsers maintain a list of well-known CAs' root certificates.
• Aside from commercial CAs, some providers issue digital certificates to the public at no cost.
• Large institutions or government entities may have their own CAs.

THIRD PARTY AUTHENTICATION

• In third-party authentication systems, the password or encryption key itself never travels over the network. Rather, an "authentication server" maintains a file of obscure facts about each registered user.
• At log-on time, the server demands the entry of a randomly chosen fact (mother's maiden name is a traditional example), but this information is not sent to the server.
• Instead, the server uses it (along with other data, such as the time of day) to compute a token. The server then transmits an encrypted message containing the token, which can be decoded with the user's key.
• If the key was properly computed, the user can decrypt the message. The message contains an authentication token that allows users to log on to network services.

USING CERTIFICATES FOR SECURE WEB COMMUNICATIONS

SECURE SOCKET LAYER (SSL)
• SSL is a standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client (e.g., Gmail).
• It is a TCP-based transport layer security service developed by Netscape. Two important SSL concepts are:
  1. SSL connection and
  2. SSL session.
• A session is an association between a client and a server created by using the handshake protocol, i.e., TCP.
• A connection is a type of transport service that is transient, peer-to-peer, and associated with one session.

Figure: Secured Web Communication using SSL (between CLIENT and SERVER)

SECURE SOCKET LAYER (SSL)..
• Version 3.1 of the SSL protocol was designed with public review and industry input, and it subsequently became the Internet standard known as TLS (Transport Layer Security).
• TLS is the standardized (at the Internet Engineering Task Force, IETF, level) version of SSL. TLS is also referred to as SSL version 3.1, whereas the most commonly used SSL version is 3.0. Both protocols can provide the following basic security services:
  ◦ Mutual authentication: Verifies the identities of both the server and client through exchange and validation of their digital certificates.
  ◦ Communication privacy: Encrypts information exchanged between secure servers and secure clients using a secure channel.
  ◦ Communication integrity: Verifies the integrity of the contents of messages exchanged between client and server, which ensures that messages haven't been altered en route.

Fig: SSL Handshake (Working Mechanism of SSL)
SECURE SOCKET LAYER (SSL)..
- Sample Scenario Example
• Here's an example of an environment using SSL/TLS. When you use the Internet for online banking, it's important to know that your Web browser is communicating directly and securely with your bank's Web server.
• Your Web browser must be able to achieve Web server authentication before a safe transaction can occur. That is, the Web server must be able to prove its identity to your Web browser before the transaction can proceed.
• Microsoft IE uses SSL to encrypt messages and transmit them securely across the Internet, as do most other modern Web browsers and Web servers.

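The server-authentication requirement in the banking scenario above maps to a few client-side settings; this added Python example (not from the original slides) contrasts a context that enforces them with one that encrypts but never checks who the server is. The function names and finding texts are hypothetical, and the TLS 1.2 floor reflects that SSL 3.0 has since been deprecated by the IETF (RFC 7568).

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that enforce Web server authentication."""
    ctx = ssl.create_default_context()             # trusts the system's root CA list,
                                                   # requires a valid certificate and
                                                   # matches it against the host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0 and early TLS
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """Weak settings for comparison: the link is encrypted, but any server
    holding any certificate is accepted, so its identity is never proven."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the reasons why a client context fails to authenticate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()) or "no findings")
    print("unverified:", audit(unverified_client_context()))
```
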
ASSIGNMENT
Deadline: Tuesday, July 19 2016

Question #1:
What is third-party authentication? Write a short note on the third-party authentication protocol (Kerberos).
Question #2:
Explain in detail the TCP/IP protocol suite with a well-labelled diagram.
References for assignment

VIRTUAL PRIVATE NETWORK
Virtual Private Network

• A VPN, or virtual private network, is a network that is constructed by using public wires (usually the Internet) to connect to a private network, such as a company's internal network. There are a number of systems that enable you to create networks using the Internet as the medium for transporting data.
• In other words, a VPN is a collection of technologies that create secure connections between a group of computers via the Internet.
• Provides an encrypted channel between users and offices over a public network.
• Accommodates the needs of remote employees and distant offices.

APPLICATION AREAS
In general, VPNs provide users with a connection to the corporate network regardless of their location.

The alternative of using truly dedicated lines for a private network is an expensive proposition.

Some Common Uses of VPN

• Provide users with secured remote access over the Internet to corporate resources.
• Connect two computer networks securely over the Internet.
  ◦ Example: Connect a branch office network to the network in the head office.
• Secure part of a corporate network for security and confidentiality purposes.

Remote Access Over the Internet

Connecting Two Computer Networks Securely

Securing a Part of the Corporate Network

Other Benefits of VPN

Disadvantages of VPNs

• Because the connection travels over public lines, a strong understanding of network security issues and proper precautions before VPN deployment are necessary.
• VPN connection stability depends mainly on Internet stability, a factor outside an organization's control.
• Differing VPN technologies may not work together due to immature standards.

SECURE ELECTRONIC TRANSMISSION (SET)
Secure Electronic Transmission (SET)

• A form of protocol for electronic credit card payments. As the name implies, the secure electronic transaction (SET) protocol is used to facilitate the secure transmission of consumer credit card information via electronic avenues, such as the Internet.
• The Secure Electronic Transmission protocol imitates the current structure of the credit card processing system.
• SET makes banks by default one of the major distributors of certificates. When a user changes organizations or loses his or her key pair, or an e-commerce site using SSL discontinues its operations, a certificate must be revoked before it expires.

Secure Electronic Transmission (SET)

• The most important property of SET is that the credit card number is not open to the seller.
• On the other hand, the SET protocol, despite strong support from Visa and MasterCard, has not emerged as a leading standard.
• The two major reasons for the lack of widespread acceptance are the following:
  1. The complexity of SET
  2. The need for the added security.

Secure Electronic Transmission (SET)

• This might change in the future, though, as encryption technology becomes more commonly utilized in the e-business world.
• Advantages of SET: Some of the advantages of SET include the following:
  ◦ Information security: Neither anyone listening in nor a merchant can use the information passed during a transaction for fraud.
  ◦ Credit card security: There is no chance for anybody to steal a credit card.
  ◦ Flexibility in shopping: If a person has a phone he/she can shop.
• Disadvantages of SET: Some of the disadvantages of SET include complexity and high cost for implementation.
