EC & WE Lecture 08

Uploaded by MAHMUD RONY
Copyright: © All Rights Reserved

CSE-409
E-Commerce & Web Engineering
Lecture 08
Sahab Uddin Rana
Lecturer, Dept. of CSE, DIU

Dimensions of e-commerce security
There are six key dimensions to e-commerce security:
1. Integrity: The ability to ensure that information being displayed on a website or transmitted or received over the internet has not been altered in any way by an unauthorized party.
2. Nonrepudiation: The ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions.
3. Authenticity: The ability to verify the identity of a person or entity with whom you are dealing on the Internet.

Dimensions of e-commerce security (Cont.)
4. Confidentiality: The ability to ensure that messages and data are available only to those who are authorized to view them.
5. Privacy: The ability to control the use of information about oneself.
6. Availability: The ability to ensure that an e-commerce site continues to function as intended.

[Figure] A typical e-commerce transaction with a consumer using a credit card to purchase a product

Security Threats in the E-commerce Environment
Three key points of vulnerability in the e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)

Most common and most damaging forms of security threats to e-commerce consumers and site operators:
▪ Malicious code (malware, exploits):
◦ Drive-by downloads: malware that comes with a downloaded file that a user requests.
◦ Viruses: a computer program that has the ability to replicate or make copies of itself and spread to other files.
◦ Worms: malware that is designed to spread from computer to computer.
◦ Ransomware: a type of malware that locks your computer or files to stop you from accessing them.
◦ Trojan horses
◦ Backdoors
◦ Bots, botnets
◦ Threats at both client and server levels

▪ Potentially unwanted programs (PUPs)
◦ Browser parasites: a program that can monitor and change the settings of a user’s browser.
◦ Adware: a PUP that serves pop-up ads to your computer.
◦ Spyware: a program used to obtain information such as a user’s keystrokes, e-mail, instant messages, and so on.
▪ Phishing
◦ Social engineering
◦ E-mail scams
◦ Spear-phishing
◦ Identity fraud/theft

▪ Hacking
◦ Hackers vs. crackers
◦ Types of hackers: white, black, and grey hats
◦ Hacktivism
▪ Cyber vandalism:
◦ Disrupting, defacing, or destroying a Web site
▪ Data breach
◦ Losing control over corporate information to outsiders

▪ Credit card fraud/theft
▪ Spoofing and pharming
▪ Spam (junk) Web sites (link farms)
▪ Identity fraud/theft
▪ Denial of service (DoS) attack
◦ Hackers flood sites with useless traffic to overwhelm the network
▪ Distributed denial of service (DDoS) attack
▪ Poorly designed server and client software
◦ SQL injection attacks

Tools Available to Achieve Site Security

Technology Solutions
▪ Protecting Internet communications
◦Encryption
▪ Securing channels of communication
◦SSL, VPNs
▪ Protecting networks
◦Firewalls
▪ Protecting servers and clients

Encryption
▪ Transforms data into ciphertext readable only by the sender and receiver.
▪ Secures stored information and information transmission.
▪ Provides 4 of the 6 key dimensions of e-commerce security:
◦ Message integrity: provides assurance that the message has not been altered.
◦ Nonrepudiation: prevents the user from denying that he or she sent the message.
◦ Authentication: provides verification of the identity of the person (or computer) sending the message.
◦ Confidentiality: gives assurance that the message was not read by others.

Symmetric/Secret Key Encryption
▪ Sender and receiver use the same digital key to encrypt and decrypt the message
▪ Requires a different set of keys for each transaction
▪ Strength of encryption
◦ Depends on the length of the binary key used to encrypt the data
▪ Data Encryption Standard (DES)
▪ Advanced Encryption Standard (AES)
◦ The most widely used symmetric key encryption
◦ Uses 128-, 192-, and 256-bit encryption keys
▪ Other standards use keys with up to 2,048 bits

Public Key Encryption
▪ Uses two mathematically related digital keys
◦ Public key (widely disseminated)
◦ Private key (kept secret by owner)
▪ Both keys can be used to encrypt and decrypt a message
▪ Once a key is used to encrypt a message, the same key cannot be used to decrypt it
▪ Sender uses the recipient’s public key to encrypt the message; the recipient uses the private key to decrypt it.

[Figure] Public Key Cryptography: A Simple Case

Public Key Encryption Using Digital Signatures and Hash Digests
▪ Hash function:
◦ Mathematical algorithm that produces a fixed-length number called a message digest or hash digest.
▪ The hash digest of the message is sent to the recipient along with the message so that the recipient can verify its integrity.
▪ Hash digest and message are encrypted with the recipient’s public key
▪ The entire ciphertext is then encrypted with the recipient’s private key, creating a digital signature, for authenticity and nonrepudiation
▪ Digital signature (e-signature): “signed” ciphertext that can be sent over the internet.
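The hash-digest-plus-signature step above, as an added example in Go's standard library (not code from the lecture): the SHA-256 digest of the message is signed with the sender's private key, so the recipient can check both integrity and authenticity with the sender's public key, and an order whose price was altered in transit fails the check. The order message and the key pair are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message with SHA-256 and encrypts the digest with the
// sender's private key (RSA PKCS#1 v1.5): this is the digital signature.
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest over the received message and checks it
// against the signature with the sender's public key. A false result means
// the message or the signature was altered, or a different key signed it.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed order, then verifies the original and a copy whose
// price was changed in transit. It returns (originalOK, alteredOK, error).
func Demo() (bool, bool, error) {
	senderPriv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed sender key pair
	if err != nil {
		return false, false, err
	}
	order := []byte("order=1234;item=widget;qty=1;total=19.99") // constructed sample
	sig, err := Sign(senderPriv, order)
	if err != nil {
		return false, false, err
	}
	altered := []byte("order=1234;item=widget;qty=1;total=1.99") // changed in transit
	pub := &senderPriv.PublicKey
	return Verify(pub, order, sig), Verify(pub, altered, sig), nil
}

func main() {
	originalOK, alteredOK, err := Demo()
	fmt.Println("original verifies:", originalOK, "altered verifies:", alteredOK, err)
}
```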

[Figure] Public Key Cryptography with Digital Signatures

Digital Envelopes
▪ A technique that uses symmetric encryption for large documents, but public-key encryption to encrypt and send the symmetric key
▪ Addresses the weaknesses of:
• Public key encryption
◦ Computationally slow, decreased transmission speed, increased processing time
• Symmetric key encryption
◦ Insecure transmission lines
▪ Uses symmetric key encryption to encrypt the document
▪ Uses public key encryption to encrypt and send the symmetric key
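An added example, not from the slides, that ties together the symmetric-key, public-key and digital-envelope slides in Go's standard library: a fresh 256-bit AES-GCM key encrypts the document, and RSA-OAEP under the recipient's public key carries that key across the insecure channel; the GCM tag also detects a ciphertext altered in transit. The recipient's key pair and the invoice text are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the channel: document under a one-time AES key, and that key under the recipient's RSA public key.
type Envelope struct {
	EncryptedKey, Nonce, Ciphertext []byte
}

func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal: only the 32-byte AES key goes through the slow public-key operation; the bulk document uses fast AES-GCM.
func Seal(recipientPub *rsa.PublicKey, doc []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh 256-bit key and 96-bit nonce per message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{encKey, nonce, aesGCM(key).Seal(nil, nonce, doc, nil)}, nil
}

// Open recovers the AES key with the recipient's private key and decrypts; the GCM tag makes it fail on an altered ciphertext.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.EncryptedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCM(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair (constructed)
	env, _ := Seal(&priv.PublicKey, []byte("constructed invoice: total 4199.00"))
	fmt.Println(Open(priv, env))
}
```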

[Figure] Creating a Digital Envelope

Thank you!
