STS , profile picture
Uploaded bySTS
PPT, PDF313 views

Seminar on ECommerce

This document provides an overview of web security concepts for e-commerce, including client/server applications, communication channels, TCP/IP, the OSI model, and TCP/IP addressing. It then discusses various security threats and how cryptography, digital signatures, certificates, SSL/TLS, and firewalls can provide security. Cryptography techniques like symmetric/asymmetric encryption, hashing, and digital signatures are explained. The document also covers setting up secure SSL connections and the SET protocol for secure online payments.

Education
Related topics:
Anna University
Download to read offline
1 A Tutorial on Web Security for E-Commerce
2 Web Concepts for E-Commerce • Client/Server Applications • Communication Channels • TCP/IP
3 Client/Server Applications Client Server Request Response
4 Communication Channels ServerClient Intranet Internet Extranet
5 Application Allows access to network resourcesApplication Allows access to network resources OSI Model Presentation Translates, encrypts and compresses data Presentation Translates, encrypts and compresses data Session Establishes, manages and terminates sessions Session Establishes, manages and terminates sessions Transport Provides end-to-end message delivery & error recovery Transport Provides end-to-end message delivery & error recovery Network Moves packets from source to destination; Provides internetworking Network Moves packets from source to destination; Provides internetworking Data Link Organizes bits into frames; Provides node-to-node delivery Data Link Organizes bits into frames; Provides node-to-node delivery Physical Transmits bits; Provides mechanical and electrical specifications Physical Transmits bits; Provides mechanical and electrical specifications
6 OSI Model cont’d Client Server Intermediate Intermediate Node Node Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical Peer-to-peer protocol (7th layer) Peer-to-peer protocol (6th layer) Peer-to-peer protocol (5th layer) Peer-to-peer protocol (4th layer) Data Link Data Link NetworkNetwork Physical Physical 3rd 3rd 3rd 2nd2nd2nd 1st 1st 1st
7 TCP/IP and OSI Model Network Application Presentation Session Transport Data Link Physical SMTP Applications FTP TELNET DNS SNMP NFS TFTP RPC TCP UDP ICMP ARP RARPIP Protocols defined by the underlying networks HTTP
8 TCP/IP and OSI Modelcont’d Network Application Presentation Session Transport Data Link Physical TCP UDP IP Protocols defined by the underlying networks Applications Message Segment Datagram Bits Frame
9 TCP/IP and Addressing Processes TCP UDP IP and other protocols Underlying physical networks Application layer Transport layer Network layer Data link layer Physical layer Port address Port address IP address IP address Physical address Physical address
10 BankBank Katie sends Order Form Katie’s Bank CD Store Merchant’s Bank ISP Online CD Store CD Warehouse Web Server Internet Payment Network Katie’s order Order printed at CD warehouse CD arrives 2-3 days after order is received Typical B2C Transaction
11 ISP Online CD Store CD Warehouse Web Server Katie A Tapping line B Sniffer at ISP C Sniffer on Internet backbone E Breaking into store databaseD Internet Backbone Web Security Threats in B2C
12 Security Threats • Security threats A to D can be handled by providing secure transmission - cryptographic methods • Threat E and similar types managed by access control methods • Other types of security threats – Illegal access of server computing system (webjacking) – Illegal access client computing system – Unauthorized use of client information – Denial of Service
13 Information Security Threats • Internet Cryptography Techniques • Transport Layer Security • Application Layer Security • Server Proxies and Firewalls
14 Purpose of Cryptography • Secure stored information - regardless if access obtained • Secure transmitted information - regardless if transmission has been monitored
15 Services Provided by Cryptography • Confidentiality – provides privacy for messages and stored data by hiding • Message Integrity – provides assurance to all parties that a message remains unchanged • Non-repudiation – Can prove a document came from X even if X’ denies it • Authentication – identifies the origin of a message – verifies the identity of person using a computer system
16 Cryptography • Encryption Overview – Plain text is converted to cipher text by use of an algorithm and key. • Algorithm is publicly known • Key is held private – Three Main Categories • Secret Key – single key is used to encrypt and decrypt information • Public/Private Key – two keys are used: one for encryption (public key) and one for decryption (private key) • One-way Function – information is encrypted to produce a “digest” of the original information that can be used later to prove its authenticity
17 Encryption Techniques • Secret Key (Symmetric) – Sender and receive have the same secret key that will encrypt and decrypt plain text – Strength of encryption technique depends on key length – Known symmetrical algorithms • Data Encryption Standard (DES) – 56 bit key • Triple DES, DESX, GDES, RDES – 168 bit key • RC2, RC4, RC5 – variable length up to 2048 bits • IDEA - basis of PGP – 128 bit key • Blowfish – variable length up to 448 bits
18 Encryption Techniques (con’t) • Asymmetric Encryption (Public/Private Key) – user X has a pair of keys one public and one private – To encrypt a message to X use X’s public key – X will decrypt encrypted message using X’s private key that “matches” X’s public key – Most common algorithm is the RSA (Rivest Shamir Adelman) algorithm with key lengths from 512 to 1024 bits.
19 Encryption Techniques (con’t) • One-Way Function – non-reversible “quick” encryption – produces a fixed length value called a hash or message digest – used to authenticate contents of a message – Common message digest functions • MD4 and MD5 – produces 128 bit hashes • SHA – produces 160 bit hashes
20 Cryptographic Services Allow • Digital Signatures – sign messages to validate source and integrity of the contents • Digital Envelopes – secure delivery of secret keys • Message Digests – short bit string hash of message • Certificates (Digital Ids) – used to authenticate: users, web sites, public keys of public/private pair, and information in general • Secure Channels – Encryption can be used to create secure channels over private or public networks
21 Digital Signatures • Digital Signature – Encrypt sender’s identity string with sender’s private key – Concatenate the encrypted text and the identity string together – Encrypt this message with receiver’s public key to create message – Receiver decrypts the encrypted text with their private key – the cypher text portion of the message is decrypted with sender’s public key – The decrypted text can be compared with the normal text to checks its integrity
22 Digital Envelope • Public/Private key encryption / decryption useful for internet • Limitations – encryption / decryption slow – not reasonable for large documents • Combine symmetric and asymmetric methods – sender creates and uses symmetric (session) key to create cipher text – sender uses receiver’s public key to encrypt the symmetric key - digital envelope – sender transmits both cipher text and digital envelope to receiver
23 Message Digests • How to create and use a message digest – sender uses message as input to digest function – “sign” (encrypt) output (hash) with sender’s private key – send signed hash and original message (in plain text) to receiver – receiver decrypts hash with sender’s public key – receiver runs plain text message through digest function to obtain a hash – if receiver’s decrypted hash and computed hash match then message valid.
24 Digital Certificates (ID) • Certification Authorities (CA) – used to distribute the public key of a public/private pair – guarantees the validity of the public key • does this by verifying the credentials of the entity associated with the public key – Some Case • Versign - http://www.versign.com • U.S. Post Office - http://www.ups.gov • CommerceNet - http//www.commerce.net – certificates contain • public key • e-mail • full name • Digital certificates are secure – cannot be forged nor modified
25 Digital Certificates • Process to create Digital Certificate – User generates public/private pair – User creates and sends a certificate request • contains: identifying information and user’s public key – CA verifies this information – CA creates a certificate containing user’s public key and information – CA creates message digest from certificate and signs it with CA’s private key – This a signed certificate
26 Digital Certificates • Using a Digital Certificate – before sending a secure message sender request a signed certificate from receiver – sender decrypts signed certificate with CA’s known public key to obtain message digest of info and public key provided to CA by receiver – sender creates a message digest of public key and info provided by the receiver for sender’s use – sender compare the message digests if they match then receiver is validated.
27 Digital Certificates • Types of Digital Certificates – site certificates • used to authenticate web servers – personal certificates • used to authenticate individual users – software publishers certificates • used to authenticate executables – CA certificates • used to authenticate CA’s public keys – All certificates have the common format standard of X.509v3
28 Secure Channels • Encrypted Traffic may use – Symmetric Key – Public/Private Key • Negotiated Secure Session – Secure Socket Layer (SSL) – Transport Layer Security (TLS) – SSL or TLS provides these services • Authenticate users and servers • Encryption to hide transmitted data - symmetric or asymmetric • Integrity to provide assurance that data has not been altered during transmission – SSL or TLS require certificates to be issued by a CA
29 Secure Channels (con’t) • Internet Tunnels – virtual network circuit across the Internet between specified remote sites – uses an encrypting router that automatically encrypts all traffic that traverses the links of the virtual circuit • Tunneling Protocols – PPTP by Microsoft - http://www.microsoft.com – Layer 2 Forwarding (L2F) by Cisco - http://www.cisco.com – L2TP (combines PPTP and L2F) - http://www.ietf.com
30 Secure Sockets Layer • SSL History – Competitor to S-HTTP – S-HTTP an extension of HTTP – General purpose encryption system using symmetric encryption – S-HTTP only encrypts Web protocols – Three versions v1.0, v2.0 and v3.0 • SSL v3.0 implemented in Netscape 3.0 and Internet Explorer 3.0 and higher • SSL v3.0 supports Diffie-Hellman anonymous key exchange and Fortezza smart card
31 Secure Sockets Layer • SSL Characteristics – Operates at the TCP/IP transport layer – Encrypts (decrypts) input from application (transport) layer – Any program using TCP can be modified to use SSL connections – SSL connection uses a dedicated TCP/IP socket (e.g. port 443 for https or port 465 for ssmtp)
32 Secure Sockets Layer • SSL Characteristics – SSL is flexible in choice of which symmetric encryption, message digest, and authentication algorithms can be used – When SSL client makes contact with SSL server they try to pick strongest encryption methods they have in common. – SSL provides built in data compression • compress first then encrypt
33 Secure Sockets Layer • SSL Characteristics – When SSL connection established browser-to-server and server-to- browser communications are encrypted. This includes: • URL of requested document • Contents of the document • Contents of browser forms • Cookies sent from browser to server • Cookies sent from server to browser • Contents of HTTP header • But NOT particular browser to particular server – socket addresses not encrypted – can use proxy server for privacy
34 Secure Sockets Layer • Establishing an SSL Connection – The client (browser) opens a connection to server port – Browser sends “client hello” message. Client hello message contains: • version of SSL browser uses • ciphers and data compression methods it supports – The Server responds with a “server hello” message. Server hello message contains • session id • the chosen versions for ciphers and data compression methods.
35 Secure Sockets Layer • Establishing an SSL Connection (con’t.) – The server sends its certificate • used to authenticate server to client – Optionally the server may request client’s certificate – If requested, client will send its certificate of authentication • if client has no certificate then connection failure – Client sends a “ClientKeyExchange” message • symmetric session key chosen • digital envelope is created using server’s public key and contains the symmetric session key
36 Secure Sockets Layer • Establishing an SSL Connection (con’t.) – Optionally, if client authentication is used the client will send a certificate verify message. – Server and client send “ChangeCipherSpec” message indicating they are ready to begin encrypted transmission. – Client and server send “Finished” messages to each other • These are a message digest of their entire conversation up to this point. • If the digests match then messages were received without interference.
37 Client (Browser) Server 1. Client sends ClientHello message 2.Server acknowledges with ServerHello message .Session Key Server Certificate Client Certificate 3. Server sends its certificate (4. Server requests client’s certificate) (5. Client sends its certificate) Server’s public key 6. Client sends “ClientKeyExchange” message Server’s private key Session key Digital signature (7. Client sends a “Certificate Verify” message) 8. Both send “ChangeCiperSpec” messages 9. Both send “Finished” messages Digital envelope SSL Connection Setup . .X
38 Transport Layer Security TLS • IETF (Internet Engineering Task Force) Standard for secure connection • Derivative of SSLv3.0 • Uses different digest functions and different set of encryption algorithms • see TLS URL for more details – http://www.consensus.com/ietf-tls/ • see SSL URL for more details – WBSRV = home.netscape.com/ • WBSRV/newsref/std/SSL.html • WBSER/ref/internet-security.html
39 Application Layer Security • Secure Electronic Transactions – SET • Digital Payment Systems – First Virtual – CyberCash – DigiCash – Millicent • Pretty Good Privacy – PGP: used to secure e-mail • These are the applications sender/receiver use to give secure communication
40 Secure Electronic Transactions • Cryptographic protocol • Developed by Visa, Mastercard, Netscape, and Microsoft • Used for credit card transactions on the Web • Provides – Authentication of all parties in transaction – Confidentiality: transaction is encrypted to foil eavesdroppers – Message integrity: not possible to alter account number or transaction amount – Linkage: attachments can only be read by 3rd party if necessary
41 Secure Electronic Transactions • SET protocol supports all features of credit card system – Cardholder registration – Merchant registration – Purchase requests – Payment authorizations – Funds transfer (payment capture) – Chargebacks (refuns) – Credits – Credit reversals – Debit card transactions • SET can manage – real-time & batch transactions – installment payments
42 BankBank Customer Merchant Customer’s bank “Issuer” Merchant’s bank 1. Customer browses and decides to purchase 2. SET sends order and payment information 7. Merchant completes order 3. Merchant forwards payment information to bank 6. Bank authorizes payment 8. Merchant captures transaction 4. Bank checks with issuer for payment authorization 5. Issuer authorizes payment 9. Issuer sends credit card bill to customer Secure Electronic Transaction
43 Securing Private Networks • Minimize external access to LAN • Done by means of firewalls and proxy servers • Firewalls provide a secure interface between an “inner” trusted network and “outer” untrusted network • every packet to and from inner and outer network is “processed” • Firewalls require hardware and software to implement • Three main hardware architectures – dual-homed host – screened gateway – screened subnet gateway
44 Local Area Network Internet Proxies Private Net Outside Blocked Gateway (Bastion) Dual Homed Gateway
45 Local Area Network Internet Proxies Private Net Outside Blocked Router Allowed Allowed Gateway (Bastion) Screened Host Gateway
46 LAN Internet Private Net Router Gateway (Bastion) Router Web Server Demilitarized Zone Screened Subnet Gateway
47 Securing Private Networks • Software that is used are proxies and filters that allow or deny network traffic access to either network • Proxy programs – application-level – circuit-level • Filters – packet filtering
48 Securing Private Networks • Application level proxies – written for each particular protocol • e.g. HTTP or FTP or SMTP – regardless of protocol its function is to forward or not forward messages across firewall – they decide based on TCP/IP information • e.g. source and destination ports and IP addresses – they decide based on content of message • e.g. do not forward on and message containing VB executable or ActiveX components
49 Securing Private Networks • Circuit level proxies – software’s function is to forward or not forward packets across firewall – decides only on basis of header information in the packet • i.e. source and destination IP addresses and port numbers – they cannot peek into packet – advantage • very fast - less computation required • very general - handle many protocols – SOCKS • freeware circuit level proxy – SMLI • stateful multilayer inspection gateway • correlates incoming and outgoing packets
50 Securing Private Networks • Packet Filtering – technically not software – used with screen host or screened subnet host architecture – uses router’s routing table to decide which packets to forward or not forward – if bastion does not have proxy for a given service (e.g. TFTP) then packet filter can be configured to bypass firewall
51 Access Security Threats • Access Control – Threats • Webjacking: site vandalism – Countermeasures • User Authentication • User Authorization • Denial of Service – Threat • Unable to user server resources • Type of DOS Attacks – Counter Measures (limited) • Firewalls • System Configuration
52 Access Control • User authentication – process used to identify user who accesses a web server – determines legitimate user – Generally referred to as access control • User authorization – once user authenticated specifies what server resources that user may access – resources are: files, scripts, and directories
53 User Authentication • Several type of access control – Based on IP address • validates web browser based on its host’s IP address – Based on Domain Name • validates web browser based on its host’s domain name – Based on user name and password • User of browser is validated on basis of user ID and its associated password – Based on client certificates • remote user is issued a secure certificate to use as a digital signature – Based on network security protocols • solves validation problems associated with accessing via LAN and WAN • e.g. Kerberos and DCE
54 Authentication based on host IP address and/or DNS name • Screen browsers based on their source IP address, Domain Name, network,or subnetworks • Advantages – easy to set up – not likely to be incorrectly configured • Disadvantages – difficult to grant access to users who migrate – difficult hand DHCP protocol and Web proxies – security issues of • DNS spoofing • IP spoofing
55 Countermeasures to DNS Spoofing • DNS Spoofing – Attacker assumes control if DNS host/name lookup system • Counter by – Paranoid DNS checking • Upon receiving packet from browser server uses that source IP address to make two DNS requests • First resolves IP address to get a Domain Name • Returned domain name used to find its IP address • if domain name correlates with IP address then legitimate remote host – Use a firewall’s DNS lookup
56 Countermeasures to IP Spoofing • IP spoofing requires technical expertise • Uses source routing protocol – appears as if request originates from within LAN – can be used to insert CGI script or modify OS • Prevented by – configuring routers and firewalls to reject connections using source routing protocol – configure the server’s operating system to reject connections using source routing
57 Authentication Based on User ID and Password • Requires user to provide protected information in order to be authenticated • Advantages – Authenticates users not hosts – Users can migrate from host to host – No problems with Web proxies or DHCP • Disadvantages – Users share passwords, forget passwords, do not keep passwords private, or choose poor passwords – passwords can be “sniffed” if transmitted over a network
58 Authentication Based on User ID and Password • Countermeasures to disadvantages – Users share passwords, forget passwords, do not keep passwords private, or they choose poor passwords • User education • Chose hard passwords but easy to remember
59 Authentication Based on User ID and Password • Countermeasures to disadvantages – passwords can be “sniffed” if transmitted over a network • Basic authentication is carryout in plain text but coded in Base 64 MIME - HTTP/1.0 • Can be intercepted and decoded • Since HTTP protocol stateless every access to protected resource needs to be authenticated • Basic Authentication process occurs frequently hence more opportunity to be sniffed. – Use secure transmissions • HTTP/1.1 uses Digest Authentication process • Use encrypted communications e.g. SSL connection
60 Client Based Certificate System • Certificates – when user logs on (presents their certificate) the authentication server verifies the certificate is valid by opening it with the CA’s public key – certificate contains users public key and personal information. – Server sends a challenge to the user - a one-time value the user signs with their private key – Server then signs the same value with its copy of the user’s private key – If the signatures match then user is authenticated
61 Other Forms of Access Control • Kerberos authentication model – Uses a secure “key server” – Once user authenticated free to use any resources of the system – All transmissions are encrypted • Distributed Computing Environment – DCE is designed by Open Software Foundation – Similar to Kerberos authentication model • Two Factor Authentication • need something you have - ATM card • need something you know - PIN number
62 Other Forms of Access Control • Smart Card Type – token access device that has information that is in sync with server information (e.g. counter, time, random number generator, etc.) – “One time pad” of user name and password
63 Denial of Service • Some Types of Attack – TCP/IP SYN attack • To set TCP/IP connection use a three step “handshake” protocol – client requests – server acknowledges and waits – client acknowledges • if no client acknowledgement or many client requests then server overwhelmed. – PING of Death • many clients “ping” server – Flood server with URL requests • either one client or many in parallel • DDOS attack
64 Denial of Service • Countermeasures to DOS – Minimal counter measures after attack has started • DOS attacks require client(s) to carry requests • locate source(s) of requests and terminate those processes – Countermeasures prior to attack • prevent attacks by making sure all hosts a going to be used legitimately • requires securing all remote hosts - not likely • e.g. DDOS: number of freeware programs that when run will create SYN flooding attack make sure remote host does not run this program.

More Related Content

PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PDF
CS6004 CYBER FORENSICS
byKathirvel Ayyaswamy
 
PDF
CS6004 CYBER FORENSICS
byKathirvel Ayyaswamy
 
PPT
Message authentication and hash function
byomarShiekh1
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PPTX
Key Distribution Problem in advanced operating system
byMerlin Florrence
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
CS6004 CYBER FORENSICS
byKathirvel Ayyaswamy
 
CS6004 CYBER FORENSICS
byKathirvel Ayyaswamy
 
Message authentication and hash function
byomarShiekh1
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
Key Distribution Problem in advanced operating system
byMerlin Florrence
 

What's hot

PPT
key distribution in network security
bybabak danyal
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PPTX
Pgp pretty good privacy
byPawan Arya
 
PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PPTX
Network security
byABHISHEK KUMAR
 
PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PPTX
Key management and distribution
byRiya Choudhary
 
PPT
Distribution of public keys and hmac
byanuragjagetiya
 
PPTX
Key distribution code.ppt
byPrabhat Kumar
 
PPTX
Information and network security 45 digital signature standard
byVaibhav Khanna
 
PDF
TLS/SSL Protocol Design 201006
byNate Lawson
 
PPT
Lecture 9 key distribution and user authentication
byrajakhurram
 
PDF
Encryption and Key Distribution Methods
byGulcin Yildirim Jelinek
 
PPS
Message AUthentication Code
byKeval Bhogayata
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PPTX
MAC-Message Authentication Codes
byDarshanPatil82
 
DOCX
network security
byBishalWosti1
 
PDF
BAIT1103 Chapter 3
bylimsh
 
PDF
BAIT1103 Chapter 2
bylimsh
 
PDF
Message authentication code_course_bouchra_echandouri
byBouchra Echandouri
 
key distribution in network security
bybabak danyal
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
Pgp pretty good privacy
byPawan Arya
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
Network security
byABHISHEK KUMAR
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
Key management and distribution
byRiya Choudhary
 
Distribution of public keys and hmac
byanuragjagetiya
 
Key distribution code.ppt
byPrabhat Kumar
 
Information and network security 45 digital signature standard
byVaibhav Khanna
 
TLS/SSL Protocol Design 201006
byNate Lawson
 
Lecture 9 key distribution and user authentication
byrajakhurram
 
Encryption and Key Distribution Methods
byGulcin Yildirim Jelinek
 
Message AUthentication Code
byKeval Bhogayata
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
MAC-Message Authentication Codes
byDarshanPatil82
 
network security
byBishalWosti1
 
BAIT1103 Chapter 3
bylimsh
 
BAIT1103 Chapter 2
bylimsh
 
Message authentication code_course_bouchra_echandouri
byBouchra Echandouri
 

Similar to Seminar on ECommerce

PPSX
Web security for e-commerce
byNishant Pahad
 
PPT
ch22.ppt
byImXaib
 
PPT
Secure payment systems
byAbdulaziz Mohd
 
PPTX
Cryptographic Tools Week#11 Lecture #01,02.pptx
byFaizanAli393009
 
PPT
unit6.ppt
bySrinivas Devulapalli
 
PPTX
network security for cyber security in bsc.pptx
byKarthikKarthik694746
 
PPT
Websphere - About Websphere ssl part ii
byVibrant Technologies & Computers
 
PPTX
Chapter 2 System Security.pptx
byRushikeshChikane2
 
PPTX
IS-Crypttools.pptx
byV.V.Vanniaperumal College for Women
 
PPT
Cryptography
byJohnsonDaniel JohnsonDaniel
 
PPTX
PKI.pptx
byalirezafiroozian
 
PPT
Encryption
byNaiyan Noor
 
PPT
SSl and certificates
byNetri Chowdhary
 
PPTX
Encryption techniques
byMohitManna
 
PPT
Websphere - Introduction to ssl part ii
byVibrant Technologies & Computers
 
PPT
Cryptography
byTêjäçhoudhary Maddineni
 
PPT
Cryptography
byPragun Shah
 
PDF
Secure 3 kany-vanda
byVanda KANY
 
PPT
Network security
byanoop negi
 
PPTX
ET4045-2-cryptography-3
byTutun Juhana
 
Web security for e-commerce
byNishant Pahad
 
ch22.ppt
byImXaib
 
Secure payment systems
byAbdulaziz Mohd
 
Cryptographic Tools Week#11 Lecture #01,02.pptx
byFaizanAli393009
 
unit6.ppt
bySrinivas Devulapalli
 
network security for cyber security in bsc.pptx
byKarthikKarthik694746
 
Websphere - About Websphere ssl part ii
byVibrant Technologies & Computers
 
Chapter 2 System Security.pptx
byRushikeshChikane2
 
IS-Crypttools.pptx
byV.V.Vanniaperumal College for Women
 
Cryptography
byJohnsonDaniel JohnsonDaniel
 
PKI.pptx
byalirezafiroozian
 
Encryption
byNaiyan Noor
 
SSl and certificates
byNetri Chowdhary
 
Encryption techniques
byMohitManna
 
Websphere - Introduction to ssl part ii
byVibrant Technologies & Computers
 
Cryptography
byTêjäçhoudhary Maddineni
 
Cryptography
byPragun Shah
 
Secure 3 kany-vanda
byVanda KANY
 
Network security
byanoop negi
 
ET4045-2-cryptography-3
byTutun Juhana
 

Recently uploaded

PDF
Unit4DC_TransportLayer &NetworkLayer.pdf
bySonaShaiju1
 
PDF
Plant Domestication | Complete Concept Explained BREEDING PLANT DOMESTICATION
bySatyam Sharma
 
PPTX
COMMUNICATION. pptx
byAneetaSharma15
 
PPTX
GASTROINTESTINAL DISORDERS(1-Upper Gastrointestinal Bleeding 2-Lower Gastroi...
byDr PANKAJ PARMAR
 
PPTX
How to Manage Reconciliation of Draft Entries in Odoo 19
byCeline George
 
PPTX
What are Forecast Reports in Odoo 18 CRM
byCeline George
 
PDF
MS. LAPORE (QUIZ BOWL FILE 2025) . pdf
byjadepcuadra
 
PPTX
THERAPEUTIC COMMUNICATION for 2nd year GNM, 2ND YEAR P.B.B.SC NSG, 5TH SEM B....
byparmarjuli1412
 
PPTX
How to Set Up Default Header_Footer in Odoo 18.2
byCeline George
 
PPTX
Nasopulmonary drug delivery system Pradip Sontakke
byDrxpradipPatil
 
PDF
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
PDF
🧬 ICAR SRF & ASRB NET Exam – Genetics and Plant Breeding Syllabus | Complete ...
bySatyam Sharma
 
PDF
Unit - I Communication Skills. B.pharmacy and D. Pharmacy
bySayyadTarannum
 
PPTX
DepEd_ARAL_Program_Orientation FINAL COPY.pptx
byAljohnEspejo1
 
PDF
Genetic Erosion in Crop Plants: Causes, Consequences, and Conservation Strate...
bySatyam Sharma
 
PDF
Hunwick's Roman Roads and Ridge Roads, a Discussion Document
byJohn Pallister
 
PDF
Happy Nov Greetings All Students by LDMMIA
byLDMMIA, Reiki Yoga
 
PPT
Layers of the Earth crust and Lithosphere.ppt
bybonpat1954
 
PPTX
Tablets & Liquid orals Industrial pharmacy-I UNIT-2, B. Pharam V Semester PPT
byARUN KUMAR
 
PDF
2025 Caribbean Examinations Council CAPE Merit List
byCaribbean Examinations Council
 
Unit4DC_TransportLayer &NetworkLayer.pdf
bySonaShaiju1
 
Plant Domestication | Complete Concept Explained BREEDING PLANT DOMESTICATION
bySatyam Sharma
 
COMMUNICATION. pptx
byAneetaSharma15
 
GASTROINTESTINAL DISORDERS(1-Upper Gastrointestinal Bleeding 2-Lower Gastroi...
byDr PANKAJ PARMAR
 
How to Manage Reconciliation of Draft Entries in Odoo 19
byCeline George
 
What are Forecast Reports in Odoo 18 CRM
byCeline George
 
MS. LAPORE (QUIZ BOWL FILE 2025) . pdf
byjadepcuadra
 
THERAPEUTIC COMMUNICATION for 2nd year GNM, 2ND YEAR P.B.B.SC NSG, 5TH SEM B....
byparmarjuli1412
 
How to Set Up Default Header_Footer in Odoo 18.2
byCeline George
 
Nasopulmonary drug delivery system Pradip Sontakke
byDrxpradipPatil
 
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
🧬 ICAR SRF & ASRB NET Exam – Genetics and Plant Breeding Syllabus | Complete ...
bySatyam Sharma
 
Unit - I Communication Skills. B.pharmacy and D. Pharmacy
bySayyadTarannum
 
DepEd_ARAL_Program_Orientation FINAL COPY.pptx
byAljohnEspejo1
 
Genetic Erosion in Crop Plants: Causes, Consequences, and Conservation Strate...
bySatyam Sharma
 
Hunwick's Roman Roads and Ridge Roads, a Discussion Document
byJohn Pallister
 
Happy Nov Greetings All Students by LDMMIA
byLDMMIA, Reiki Yoga
 
Layers of the Earth crust and Lithosphere.ppt
bybonpat1954
 
Tablets & Liquid orals Industrial pharmacy-I UNIT-2, B. Pharam V Semester PPT
byARUN KUMAR
 
2025 Caribbean Examinations Council CAPE Merit List
byCaribbean Examinations Council
 

Seminar on ECommerce

  • 1.
    1 A Tutorial onWeb Security for E-Commerce
  • 2.
    2 Web Concepts forE-Commerce • Client/Server Applications • Communication Channels • TCP/IP
  • 3.
  • 4.
  • 5.
    5 Application Allows accessto network resourcesApplication Allows access to network resources OSI Model Presentation Translates, encrypts and compresses data Presentation Translates, encrypts and compresses data Session Establishes, manages and terminates sessions Session Establishes, manages and terminates sessions Transport Provides end-to-end message delivery & error recovery Transport Provides end-to-end message delivery & error recovery Network Moves packets from source to destination; Provides internetworking Network Moves packets from source to destination; Provides internetworking Data Link Organizes bits into frames; Provides node-to-node delivery Data Link Organizes bits into frames; Provides node-to-node delivery Physical Transmits bits; Provides mechanical and electrical specifications Physical Transmits bits; Provides mechanical and electrical specifications
  • 6.
    6 OSI Model cont’d ClientServer Intermediate Intermediate Node Node Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical Peer-to-peer protocol (7th layer) Peer-to-peer protocol (6th layer) Peer-to-peer protocol (5th layer) Peer-to-peer protocol (4th layer) Data Link Data Link NetworkNetwork Physical Physical 3rd 3rd 3rd 2nd2nd2nd 1st 1st 1st
  • 7.
    7 TCP/IP and OSIModel Network Application Presentation Session Transport Data Link Physical SMTP Applications FTP TELNET DNS SNMP NFS TFTP RPC TCP UDP ICMP ARP RARPIP Protocols defined by the underlying networks HTTP
  • 8.
    8 TCP/IP and OSIModelcont’d Network Application Presentation Session Transport Data Link Physical TCP UDP IP Protocols defined by the underlying networks Applications Message Segment Datagram Bits Frame
  • 9.
    9 TCP/IP and Addressing Processes TCPUDP IP and other protocols Underlying physical networks Application layer Transport layer Network layer Data link layer Physical layer Port address Port address IP address IP address Physical address Physical address
  • 10.
    10 BankBank Katie sends Order Form Katie’sBank CD Store Merchant’s Bank ISP Online CD Store CD Warehouse Web Server Internet Payment Network Katie’s order Order printed at CD warehouse CD arrives 2-3 days after order is received Typical B2C Transaction
  • 11.
    11 ISP Online CD Store CD Warehouse WebServer Katie A Tapping line B Sniffer at ISP C Sniffer on Internet backbone E Breaking into store databaseD Internet Backbone Web Security Threats in B2C
  • 12.
    12 Security Threats • Securitythreats A to D can be handled by providing secure transmission - cryptographic methods • Threat E and similar types managed by access control methods • Other types of security threats – Illegal access of server computing system (webjacking) – Illegal access client computing system – Unauthorized use of client information – Denial of Service
  • 13.
    13 Information Security Threats • InternetCryptography Techniques • Transport Layer Security • Application Layer Security • Server Proxies and Firewalls
  • 14.
    14 Purpose of Cryptography • Securestored information - regardless if access obtained • Secure transmitted information - regardless if transmission has been monitored
  • 15.
    15 Services Provided by Cryptography •Confidentiality – provides privacy for messages and stored data by hiding • Message Integrity – provides assurance to all parties that a message remains unchanged • Non-repudiation – Can prove a document came from X even if X’ denies it • Authentication – identifies the origin of a message – verifies the identity of person using a computer system
  • 16.
    16 Cryptography • Encryption Overview –Plain text is converted to cipher text by use of an algorithm and key. • Algorithm is publicly known • Key is held private – Three Main Categories • Secret Key – single key is used to encrypt and decrypt information • Public/Private Key – two keys are used: one for encryption (public key) and one for decryption (private key) • One-way Function – information is encrypted to produce a “digest” of the original information that can be used later to prove its authenticity
  • 17.
    17 Encryption Techniques • SecretKey (Symmetric) – Sender and receive have the same secret key that will encrypt and decrypt plain text – Strength of encryption technique depends on key length – Known symmetrical algorithms • Data Encryption Standard (DES) – 56 bit key • Triple DES, DESX, GDES, RDES – 168 bit key • RC2, RC4, RC5 – variable length up to 2048 bits • IDEA - basis of PGP – 128 bit key • Blowfish – variable length up to 448 bits
  • 18.
    18 Encryption Techniques (con’t) •Asymmetric Encryption (Public/Private Key) – user X has a pair of keys one public and one private – To encrypt a message to X use X’s public key – X will decrypt encrypted message using X’s private key that “matches” X’s public key – Most common algorithm is the RSA (Rivest Shamir Adelman) algorithm with key lengths from 512 to 1024 bits.
  • 19.
    19 Encryption Techniques (con’t) •One-Way Function – non-reversible “quick” encryption – produces a fixed length value called a hash or message digest – used to authenticate contents of a message – Common message digest functions • MD4 and MD5 – produces 128 bit hashes • SHA – produces 160 bit hashes
  • 20.
    20 Cryptographic Services Allow •Digital Signatures – sign messages to validate source and integrity of the contents • Digital Envelopes – secure delivery of secret keys • Message Digests – short bit string hash of message • Certificates (Digital Ids) – used to authenticate: users, web sites, public keys of public/private pair, and information in general • Secure Channels – Encryption can be used to create secure channels over private or public networks
  • 21.
    21 Digital Signatures • DigitalSignature – Encrypt sender’s identity string with sender’s private key – Concatenate the encrypted text and the identity string together – Encrypt this message with receiver’s public key to create message – Receiver decrypts the encrypted text with their private key – the cypher text portion of the message is decrypted with sender’s public key – The decrypted text can be compared with the normal text to checks its integrity
  • 22.
    22 Digital Envelope • Public/Privatekey encryption / decryption useful for internet • Limitations – encryption / decryption slow – not reasonable for large documents • Combine symmetric and asymmetric methods – sender creates and uses symmetric (session) key to create cipher text – sender uses receiver’s public key to encrypt the symmetric key - digital envelope – sender transmits both cipher text and digital envelope to receiver
  • 23.
    23 Message Digests • Howto create and use a message digest – sender uses message as input to digest function – “sign” (encrypt) output (hash) with sender’s private key – send signed hash and original message (in plain text) to receiver – receiver decrypts hash with sender’s public key – receiver runs plain text message through digest function to obtain a hash – if receiver’s decrypted hash and computed hash match then message valid.
  • 24.
    24 Digital Certificates (ID) •Certification Authorities (CA) – used to distribute the public key of a public/private pair – guarantees the validity of the public key • does this by verifying the credentials of the entity associated with the public key – Some Case • Versign - http://www.versign.com • U.S. Post Office - http://www.ups.gov • CommerceNet - http//www.commerce.net – certificates contain • public key • e-mail • full name • Digital certificates are secure – cannot be forged nor modified
  • 25.
    25 Digital Certificates • Processto create Digital Certificate – User generates public/private pair – User creates and sends a certificate request • contains: identifying information and user’s public key – CA verifies this information – CA creates a certificate containing user’s public key and information – CA creates message digest from certificate and signs it with CA’s private key – This a signed certificate
  • 26.
    26 Digital Certificates • Usinga Digital Certificate – before sending a secure message sender request a signed certificate from receiver – sender decrypts signed certificate with CA’s known public key to obtain message digest of info and public key provided to CA by receiver – sender creates a message digest of public key and info provided by the receiver for sender’s use – sender compare the message digests if they match then receiver is validated.
  • 27.
    27 Digital Certificates • Typesof Digital Certificates – site certificates • used to authenticate web servers – personal certificates • used to authenticate individual users – software publishers certificates • used to authenticate executables – CA certificates • used to authenticate CA’s public keys – All certificates have the common format standard of X.509v3
  • 28.
    28 Secure Channels • EncryptedTraffic may use – Symmetric Key – Public/Private Key • Negotiated Secure Session – Secure Socket Layer (SSL) – Transport Layer Security (TLS) – SSL or TLS provides these services • Authenticate users and servers • Encryption to hide transmitted data - symmetric or asymmetric • Integrity to provide assurance that data has not been altered during transmission – SSL or TLS require certificates to be issued by a CA
  • 29.
    29 Secure Channels (con’t) •Internet Tunnels – virtual network circuit across the Internet between specified remote sites – uses an encrypting router that automatically encrypts all traffic that traverses the links of the virtual circuit • Tunneling Protocols – PPTP by Microsoft - http://www.microsoft.com – Layer 2 Forwarding (L2F) by Cisco - http://www.cisco.com – L2TP (combines PPTP and L2F) - http://www.ietf.com
  • 30.
    30 Secure Sockets Layer •SSL History – Competitor to S-HTTP – S-HTTP an extension of HTTP – General purpose encryption system using symmetric encryption – S-HTTP only encrypts Web protocols – Three versions v1.0, v2.0 and v3.0 • SSL v3.0 implemented in Netscape 3.0 and Internet Explorer 3.0 and higher • SSL v3.0 supports Diffie-Hellman anonymous key exchange and Fortezza smart card
  • 31.
    31 Secure Sockets Layer •SSL Characteristics – Operates at the TCP/IP transport layer – Encrypts (decrypts) input from application (transport) layer – Any program using TCP can be modified to use SSL connections – SSL connection uses a dedicated TCP/IP socket (e.g. port 443 for https or port 465 for ssmtp)
  • 32.
    32 Secure Sockets Layer •SSL Characteristics – SSL is flexible in choice of which symmetric encryption, message digest, and authentication algorithms can be used – When SSL client makes contact with SSL server they try to pick strongest encryption methods they have in common. – SSL provides built in data compression • compress first then encrypt
  • 33.
    33 Secure Sockets Layer •SSL Characteristics – When SSL connection established browser-to-server and server-to- browser communications are encrypted. This includes: • URL of requested document • Contents of the document • Contents of browser forms • Cookies sent from browser to server • Cookies sent from server to browser • Contents of HTTP header • But NOT particular browser to particular server – socket addresses not encrypted – can use proxy server for privacy
  • 34.
    34 Secure Sockets Layer •Establishing an SSL Connection – The client (browser) opens a connection to server port – Browser sends “client hello” message. Client hello message contains: • version of SSL browser uses • ciphers and data compression methods it supports – The Server responds with a “server hello” message. Server hello message contains • session id • the chosen versions for ciphers and data compression methods.
  • 35.
    35 Secure Sockets Layer •Establishing an SSL Connection (con’t.) – The server sends its certificate • used to authenticate server to client – Optionally the server may request client’s certificate – If requested, client will send its certificate of authentication • if client has no certificate then connection failure – Client sends a “ClientKeyExchange” message • symmetric session key chosen • digital envelope is created using server’s public key and contains the symmetric session key
  • 36.
    36 Secure Sockets Layer •Establishing an SSL Connection (con’t.) – Optionally, if client authentication is used the client will send a certificate verify message. – Server and client send “ChangeCipherSpec” message indicating they are ready to begin encrypted transmission. – Client and server send “Finished” messages to each other • These are a message digest of their entire conversation up to this point. • If the digests match then messages were received without interference.
  • 37.
    37 Client (Browser) Server 1. Client sendsClientHello message 2.Server acknowledges with ServerHello message .Session Key Server Certificate Client Certificate 3. Server sends its certificate (4. Server requests client’s certificate) (5. Client sends its certificate) Server’s public key 6. Client sends “ClientKeyExchange” message Server’s private key Session key Digital signature (7. Client sends a “Certificate Verify” message) 8. Both send “ChangeCiperSpec” messages 9. Both send “Finished” messages Digital envelope SSL Connection Setup . .X
  • 38.
    38 Transport Layer Security TLS •IETF (Internet Engineering Task Force) Standard for secure connection • Derivative of SSLv3.0 • Uses different digest functions and different set of encryption algorithms • see TLS URL for more details – http://www.consensus.com/ietf-tls/ • see SSL URL for more details – WBSRV = home.netscape.com/ • WBSRV/newsref/std/SSL.html • WBSER/ref/internet-security.html
  • 39.
    39 Application Layer Security •Secure Electronic Transactions – SET • Digital Payment Systems – First Virtual – CyberCash – DigiCash – Millicent • Pretty Good Privacy – PGP: used to secure e-mail • These are the applications sender/receiver use to give secure communication
  • 40.
    40 Secure Electronic Transactions •Cryptographic protocol • Developed by Visa, Mastercard, Netscape, and Microsoft • Used for credit card transactions on the Web • Provides – Authentication of all parties in transaction – Confidentiality: transaction is encrypted to foil eavesdroppers – Message integrity: not possible to alter account number or transaction amount – Linkage: attachments can only be read by 3rd party if necessary
  • 41.
    41 Secure Electronic Transactions •SET protocol supports all features of credit card system – Cardholder registration – Merchant registration – Purchase requests – Payment authorizations – Funds transfer (payment capture) – Chargebacks (refuns) – Credits – Credit reversals – Debit card transactions • SET can manage – real-time & batch transactions – installment payments
  • 42.
    42 BankBank Customer Merchant Customer’s bank “Issuer” Merchant’sbank 1. Customer browses and decides to purchase 2. SET sends order and payment information 7. Merchant completes order 3. Merchant forwards payment information to bank 6. Bank authorizes payment 8. Merchant captures transaction 4. Bank checks with issuer for payment authorization 5. Issuer authorizes payment 9. Issuer sends credit card bill to customer Secure Electronic Transaction
  • 43.
    43 Securing Private Networks •Minimize external access to LAN • Done by means of firewalls and proxy servers • Firewalls provide a secure interface between an “inner” trusted network and “outer” untrusted network • every packet to and from inner and outer network is “processed” • Firewalls require hardware and software to implement • Three main hardware architectures – dual-homed host – screened gateway – screened subnet gateway
  • 44.
    44 Local Area Network Internet Proxies Private NetOutside Blocked Gateway (Bastion) Dual Homed Gateway
  • 45.
    45 Local Area Network Internet Proxies Private NetOutside Blocked Router Allowed Allowed Gateway (Bastion) Screened Host Gateway
  • 46.
  • 47.
    47 Securing Private Networks •Software that is used are proxies and filters that allow or deny network traffic access to either network • Proxy programs – application-level – circuit-level • Filters – packet filtering
  • 48.
    48 Securing Private Networks •Application level proxies – written for each particular protocol • e.g. HTTP or FTP or SMTP – regardless of protocol its function is to forward or not forward messages across firewall – they decide based on TCP/IP information • e.g. source and destination ports and IP addresses – they decide based on content of message • e.g. do not forward on and message containing VB executable or ActiveX components
  • 49.
    49 Securing Private Networks •Circuit level proxies – software’s function is to forward or not forward packets across firewall – decides only on basis of header information in the packet • i.e. source and destination IP addresses and port numbers – they cannot peek into packet – advantage • very fast - less computation required • very general - handle many protocols – SOCKS • freeware circuit level proxy – SMLI • stateful multilayer inspection gateway • correlates incoming and outgoing packets
  • 50.
    50 Securing Private Networks •Packet Filtering – technically not software – used with screen host or screened subnet host architecture – uses router’s routing table to decide which packets to forward or not forward – if bastion does not have proxy for a given service (e.g. TFTP) then packet filter can be configured to bypass firewall
  • 51.
    51 Access Security Threats •Access Control – Threats • Webjacking: site vandalism – Countermeasures • User Authentication • User Authorization • Denial of Service – Threat • Unable to user server resources • Type of DOS Attacks – Counter Measures (limited) • Firewalls • System Configuration
  • 52.
    52 Access Control • Userauthentication – process used to identify user who accesses a web server – determines legitimate user – Generally referred to as access control • User authorization – once user authenticated specifies what server resources that user may access – resources are: files, scripts, and directories
  • 53.
    53 User Authentication • Severaltype of access control – Based on IP address • validates web browser based on its host’s IP address – Based on Domain Name • validates web browser based on its host’s domain name – Based on user name and password • User of browser is validated on basis of user ID and its associated password – Based on client certificates • remote user is issued a secure certificate to use as a digital signature – Based on network security protocols • solves validation problems associated with accessing via LAN and WAN • e.g. Kerberos and DCE
  • 54.
    54 Authentication based onhost IP address and/or DNS name • Screen browsers based on their source IP address, Domain Name, network,or subnetworks • Advantages – easy to set up – not likely to be incorrectly configured • Disadvantages – difficult to grant access to users who migrate – difficult hand DHCP protocol and Web proxies – security issues of • DNS spoofing • IP spoofing
  • 55.
    55 Countermeasures to DNSSpoofing • DNS Spoofing – Attacker assumes control if DNS host/name lookup system • Counter by – Paranoid DNS checking • Upon receiving packet from browser server uses that source IP address to make two DNS requests • First resolves IP address to get a Domain Name • Returned domain name used to find its IP address • if domain name correlates with IP address then legitimate remote host – Use a firewall’s DNS lookup
  • 56.
    56 Countermeasures to IPSpoofing • IP spoofing requires technical expertise • Uses source routing protocol – appears as if request originates from within LAN – can be used to insert CGI script or modify OS • Prevented by – configuring routers and firewalls to reject connections using source routing protocol – configure the server’s operating system to reject connections using source routing
  • 57.
    57 Authentication Based onUser ID and Password • Requires user to provide protected information in order to be authenticated • Advantages – Authenticates users not hosts – Users can migrate from host to host – No problems with Web proxies or DHCP • Disadvantages – Users share passwords, forget passwords, do not keep passwords private, or choose poor passwords – passwords can be “sniffed” if transmitted over a network
  • 58.
    58 Authentication Based onUser ID and Password • Countermeasures to disadvantages – Users share passwords, forget passwords, do not keep passwords private, or they choose poor passwords • User education • Chose hard passwords but easy to remember
  • 59.
    59 Authentication Based onUser ID and Password • Countermeasures to disadvantages – passwords can be “sniffed” if transmitted over a network • Basic authentication is carryout in plain text but coded in Base 64 MIME - HTTP/1.0 • Can be intercepted and decoded • Since HTTP protocol stateless every access to protected resource needs to be authenticated • Basic Authentication process occurs frequently hence more opportunity to be sniffed. – Use secure transmissions • HTTP/1.1 uses Digest Authentication process • Use encrypted communications e.g. SSL connection
  • 60.
    60 Client Based CertificateSystem • Certificates – when user logs on (presents their certificate) the authentication server verifies the certificate is valid by opening it with the CA’s public key – certificate contains users public key and personal information. – Server sends a challenge to the user - a one-time value the user signs with their private key – Server then signs the same value with its copy of the user’s private key – If the signatures match then user is authenticated
  • 61.
    61 Other Forms ofAccess Control • Kerberos authentication model – Uses a secure “key server” – Once user authenticated free to use any resources of the system – All transmissions are encrypted • Distributed Computing Environment – DCE is designed by Open Software Foundation – Similar to Kerberos authentication model • Two Factor Authentication • need something you have - ATM card • need something you know - PIN number
  • 62.
    62 Other Forms ofAccess Control • Smart Card Type – token access device that has information that is in sync with server information (e.g. counter, time, random number generator, etc.) – “One time pad” of user name and password
  • 63.
    63 Denial of Service •Some Types of Attack – TCP/IP SYN attack • To set TCP/IP connection use a three step “handshake” protocol – client requests – server acknowledges and waits – client acknowledges • if no client acknowledgement or many client requests then server overwhelmed. – PING of Death • many clients “ping” server – Flood server with URL requests • either one client or many in parallel • DDOS attack
  • 64.
    64 Denial of Service •Countermeasures to DOS – Minimal counter measures after attack has started • DOS attacks require client(s) to carry requests • locate source(s) of requests and terminate those processes – Countermeasures prior to attack • prevent attacks by making sure all hosts a going to be used legitimately • requires securing all remote hosts - not likely • e.g. DDOS: number of freeware programs that when run will create SYN flooding attack make sure remote host does not run this program.