Securing the E-Commerce Environment
E-Commerce Security Introduction
The Internet has become the newest and most exciting way to create business. With its unlimited potential, far-reaching demographics, and cost efficiency, it is the most effective marketing and sales tool of our time.
Technology is rapidly replacing the need for physical purchasing. In other words: you don't need to go to the shops to buy a gift or call a 0181/0171 number and wait on hold. People are opting to do their purchasing via the Internet.
Security issues in today's world have become increasingly complex. The rise of the Internet, E-Commerce, the increase of external connectivity, and the need to ensure security in more complex client/server environments have forced businesses to face new security challenges. Concern over transaction security has made many consumers hesitant to use their credit cards over the Internet. The challenges involved in securing transactions over the Internet fall into three main categories: privacy, message integrity, and peer authentication.
· Privacy requires that only the parties involved in a communication are able to read the message.
· Message Integrity ensures that vandals cannot intercept a message and alter it while it is en route to the recipient.
· Peer Authentication involves irrefutably identifying the parties involved in a conversation or data exchange, preventing both forgery and impersonation.
The account below identifies a number of security measures that organisations are taking to protect potential customers when purchasing goods over the Internet, and the measures that the Security First Network Bank (which claims to be the world's first Internet bank) takes regarding e-commerce security for its customers.
Cryptography
Cryptography is the study of mathematical techniques employed to keep information secure. Some aspects of information security include confidentiality, data integrity and authentication. Confidentiality of data implies keeping the message or data itself secret.
Confidentiality can be achieved through a process known as encryption. Encryption is the transformation of data into an unreadable form. Decryption is the process that reverses the effects of encryption on data, thus converting the data back into readable form. The encryption / decryption process requires the use of some secret information - the key. Some encryption / decryption schemes require only one secret key to both encrypt and decrypt information, while other schemes require one key for encryption and a second key (mathematically related to the first key) for decryption.
Consider a multi-user setting. Encryption allows for secure communication over an insecure channel. Suppose Sue wishes to send Joe a message such that no one else besides Joe can read it. Sue can encrypt the message (or plaintext) with an encryption key to obtain the encrypted message (or ciphertext). Sue can then send the ciphertext to Joe over the insecure channel.
Joe then decrypts the ciphertext with the decryption key and reads the message. An attacker, Thomas, may intercept the ciphertext on its way to Joe, but without knowledge of the decryption key Thomas cannot reconstruct the original message. Where the message itself was encrypted with a secret (symmetric) key, Sue sends the ciphertext, along with that secret key encrypted under Joe's public key, to Joe. Joe receives the data and decrypts the secret key with his private decryption key. He then uses the secret key to decrypt the message from Sue. Cryptography is one method that Security First Network Bank (SFNB) uses.
When a customer opens an account with the bank, the bank will assign a password, which is sent to the customer along with an account verification letter. SFNB also provides server authentication using the latest in public key cryptography. If the customer wishes to start a transaction, they will use their browser to send a secure message via SSL to the bank. The bank will then respond by sending a certificate which contains the bank's public key. The browser authenticates the certificate, then generates a session key which is used to encrypt data travelling between the customer's browser and the bank server. The session key is encrypted with the bank's public key and sent back to the bank.
The bank decrypts this message using its private key, and then uses the session key for the remainder of the communication. By exchanging messages using the public/private key pair, the customer can be satisfied they are actually communicating with the bank, and not a third party trying to intercept their transaction. When a session is encrypted, the key icon at the lower left corner of the browser's screen becomes solid, and a blue line appears at the top of the screen. If the key icon appears broken, encryption is not in use and the current session is not secure. Notice here that keeping the key(s) secret is very important. Keys should generally be as long as possible to avoid an attacker simply trying all possible combinations of key values to decrypt the ciphertext.
Traditionally these strong keys are stored on the user's computer and are secured with a user-defined 6- or 8-letter logon password. The security of the encryption / decryption key is thus only as strong as the password. Alternatively, encryption keys could be stored on portable hardware, such as smart cards, but these could be lost or stolen. Security First Network Bank should consider using symmetric systems. One advantage that symmetric systems have over public/private keys is speed: symmetric key encryption / decryption tends to be much faster than public / private key schemes. For this reason many systems implement both algorithms. Joe still creates a public / private key pair and still publishes his public key. In order to send plaintext securely to Joe, Sue uses a secret (symmetric) key to encrypt the plaintext; she then encrypts this secret key with Joe's public key. Note that the plaintext will generally be much larger than the secret key, so only the small key needs to pass through the slower public-key operation.
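The hybrid scheme described above (symmetric key for the bulk message, public key for the key itself), as an added worked example that is not the bank's code or from the original text. The RSA key pair is a constructed teaching key built from two publicly known Mersenne primes, so it offers no real security; the stream cipher is a SHA-256 counter-mode keystream and provides confidentiality only, not integrity.

```python
import hashlib
import os
from math import gcd

# Constructed toy RSA key pair for Joe: both primes are public Mersenne primes,
# so this key is for demonstration only and anyone can reproduce the private key.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
assert gcd(E, (P - 1) * (Q - 1)) == 1
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
JOE_PUBLIC_KEY = (N, E)
JOE_PRIVATE_KEY = (N, D)

def keystream(key: bytes, length: int) -> bytes:
    """Expand the secret key into a keystream: SHA-256 over key || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def rsa_encrypt(public_key, block: bytes) -> int:
    """Encrypt one short block (the session key) with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(block, "big")
    assert m < n, "block must be smaller than the modulus"
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int, block_len: int) -> bytes:
    """Recover the block with the private key."""
    n, d = private_key
    return pow(c, d, n).to_bytes(block_len, "big")

def seal(plaintext: bytes, recipient_public_key):
    """Sue's side: fresh 128-bit session key, bulk-encrypt, then envelope the key."""
    session_key = os.urandom(16)
    ciphertext = symmetric_crypt(session_key, plaintext)
    encrypted_key = rsa_encrypt(recipient_public_key, session_key)
    return ciphertext, encrypted_key

def open_envelope(ciphertext: bytes, encrypted_key: int, private_key) -> bytes:
    """Joe's side: decrypt the session key first, then the message."""
    session_key = rsa_decrypt(private_key, encrypted_key, 16)
    return symmetric_crypt(session_key, ciphertext)

if __name__ == "__main__":
    msg = b"Transfer 100 GBP to account 12345678"   # constructed sample message
    ct, ek = seal(msg, JOE_PUBLIC_KEY)
    print(ct.hex(), ek)
    print(open_envelope(ct, ek, JOE_PRIVATE_KEY))
```

Only the 16-byte session key goes through the slow RSA operation; the message, whatever its size, is handled by the fast symmetric step.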
Secure Transaction Protocols: SSL (Secure Sockets Layer)
Secure Sockets Layer (SSL) is an industry-standard protocol that makes considerable use of both secret-key and public-key technology. SSL is widely deployed on the Internet in the form of SSL-capable servers and browsers. The SSL protocol provides data encryption, enables server and browser authentication, and ensures message integrity over a TCP/IP connection. To ensure authentication, the server and the client must prove their identity. These identities are coded in the form of public-key digital certificates, which are exchanged during the SSL handshake.
To demonstrate that the entity presenting the certificate is the legitimate certificate owner, SSL requires that the certificate holder digitally sign the information that is transmitted (which includes their certificates) during the handshake. The entities provide digital signatures that verify that an impostor is not presenting a foreign certificate. The certificate does not authenticate, but the combination of the certificate and the digital signature does. Here's an outline of what happens during the SSL handshake when a purchase is made from an SSL-enabled client (browser) and server:
· The client decides to make a purchase from an online store and presses the 'BUY' button
· Transparently to the client, the browser connects to the SSL port and initiates an SSL session.
· The client and the server negotiate the SSL version to use and the level of encryption required for the session
· Once the session is initiated, the client and server exchange certificates
· The browser and server verify each other's certificates by checking validity dates and verifying that the certificate was issued by a trusted CA (Certificate Authority)
· The client randomly generates two pairs of keys that will be used to encrypt the transmitted information, which are then encrypted using the server's public key, and transmitted to the server (separate keys are used for client to server and server to client communications)
· A message algorithm (for encryption) and hash function (for integrity) are negotiated
· Secure communication has been initiated
SET (Secure Electronic Transactions)
SET is an open standard developed jointly by MasterCard, VISA, Microsoft, and other technology partners.
The major advantage of SET over other existing security systems is that its core protocol is based on digital certificates. The cardholder, vendor, financial institution, and VISA and MasterCard payment systems are all associated. The certificates provide cardholders and vendors with the confidence that transactions will be processed in the same integral manner that non-Internet VISA and MasterCard transactions are handled. To begin a SET transaction, users must get a copy of a vendor's digital certificate, which contains the vendor's public key.
Users can then create an encrypted message containing order and payment information. The message is passed through a specific algorithm, which creates a message digest, and is then signed by the user with a digital signature. Next, a 1,024-bit value is generated and stored as a session key. This session key, in turn, is used to symmetrically encrypt the message, as well as the user's certificate and digital signature. The session key is then encrypted with the vendor's public key to create a 'digital envelope', which serves as a separate, secure channel for transferring the symmetric key.
Firewalls & Routers
A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one, which exists to block traffic, and the other, which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasise permitting traffic. Probably the most important thing to recognise about a firewall is that it implements an access control policy.
If you don't have a good idea what kind of access you want to permit or deny, or you simply permit someone or some product to configure a firewall based on what they or it think it should do, then they are making the policy for your organisation as a whole. Security First Network Bank uses a number of firewalls and routers to protect its customers' money and personal information from intruders who may attack the system. The bank's firewalls and routers act as a barrier between the outside Internet and the internal bank network. The router verifies the source and the destination of each network packet and decides whether or not to let the packet pass through. If the packet is not directed at a specific, available service, then access is denied.
The firewall is used to shield the bank's customer service network from the Internet. Any incoming IP traffic is addressed to the firewall, which is designed to allow only e-mail into the customer service environment. Traffic through the firewall is subjected to a special proxy process, which operates in much the same way as a filtering router, verifying the source and destination of each information packet. The proxy will then change the IP address of the packet to deliver it to the appropriate site within the customer service network. In this way, all inside addresses are protected from outside access, and the structure of the bank's internal networks is invisible to outside observers.
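The filtering and proxy behaviour described in the two paragraphs above (default deny, only e-mail admitted, destination rewritten so internal addresses stay hidden), as an added example that is not the bank's configuration or code from the original. The addresses, the rule list and the service table are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str
    dport: Optional[int]   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.proto == self.proto
                and (self.dport is None or p.dport == self.dport))

# Constructed addresses: the firewall's public address (documentation range)
# and the customer-service network hidden behind it.
FIREWALL_EXTERNAL = "203.0.113.10"
CUSTOMER_SERVICE_NET = "10.1.0.0/16"
INTERNAL_MAIL_RELAY = "10.1.0.25"

# Policy seen on the outside interface: first match wins, unmatched traffic is denied.
POLICY = [
    Rule("deny", CUSTOMER_SERVICE_NET, "0.0.0.0/0", "tcp", None),        # spoofed inside source
    Rule("deny", CUSTOMER_SERVICE_NET, "0.0.0.0/0", "udp", None),
    Rule("permit", "0.0.0.0/0", FIREWALL_EXTERNAL + "/32", "tcp", 25),   # only e-mail, to the firewall
]

def screen(policy, packet: Packet, default: str = "deny") -> str:
    """Filtering-router step: the first matching rule decides; otherwise default deny."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action
    return default

# Proxy step: only services in this table are carried inward, and the
# destination is rewritten so the internal address never appears outside.
SERVICE_MAP = {("tcp", 25): INTERNAL_MAIL_RELAY}

def proxy_forward(packet: Packet) -> Optional[Packet]:
    """Return the packet rewritten for delivery inside, or None if it is dropped."""
    if screen(POLICY, packet) != "permit":
        return None
    target = SERVICE_MAP.get((packet.proto, packet.dport))
    if target is None:
        return None
    return Packet(packet.src, target, packet.proto, packet.dport)
```

A packet aimed directly at the internal relay, or arriving from outside with an inside source address, never reaches the proxy step.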
Again, firewalls are not 100% effective in preventing attacks and they do have their disadvantages. One disadvantage is that firewalls do not protect against back doors into the site. For example, if unrestricted modem access is still permitted into a site protected by a firewall, attackers could jump around the firewall. Today modem speeds are fast enough to allow running a SLIP (Serial Line IP) connection inside a protected subnet. In theory this is just another network connection and a possible back door. So why have a firewall if unrestricted modem access is permitted?
Another downside to firewalls is that they do not usually provide protection from inside threats. A firewall is usually designed to prevent outsiders from obtaining secret data; it does not usually prevent an insider from copying the data onto tape and taking it out of the facility. So it would be wrong if Security First Network Bank assumed that the firewall they currently have in place provides protection from insider attacks, or from attacks in general that do not need to pass through the firewall.
However, having said that, Security First Network Bank has a countermeasure in place which would deal with an inside attack if such a thing occurred. That measure consists of a security system called HannaH, which was designed and implemented by the bank. The system provides a strong measure of protection against any such inside attacks. Internal staff, such as the customer service representatives, must authenticate their identity each time they log into the system by presenting their cryptographic certificate to the server. Every transaction is documented by the bank's operating system. The customer service machines will also be running Troy (a program that provides security against worms, trojan horses and viruses by associating cryptographic checksums with authorised programs), so that no unauthorised software can be added to a machine, and no code can be introduced using the floppy drive.
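The checksum-based allow-listing that the paragraph attributes to Troy, shown as an added example of the general technique; this is not Troy's code or the bank's, and the file names and contents are constructed. It records a SHA-256 checksum for every authorised program and then classifies each file on a machine as unchanged, modified, or not on the list at all.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Cryptographic checksum of a program file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allow_list(paths) -> dict:
    """Record the checksum of every authorised program, done once on a clean machine.
    The list itself must then be kept read-only or signed, or it becomes the weak point."""
    return {str(p): sha256_of(p) for p in paths}

def check_program(path: Path, allow_list: dict) -> str:
    """Classify a file: 'ok', 'modified' (known name, wrong checksum) or 'unauthorised'."""
    expected = allow_list.get(str(path))
    if expected is None:
        return "unauthorised"
    return "ok" if hmac.compare_digest(sha256_of(path), expected) else "modified"

def audit_directory(directory: Path, allow_list: dict) -> dict:
    """Check every file in a program directory against the allow-list."""
    return {p.name: check_program(p, allow_list)
            for p in sorted(directory.iterdir()) if p.is_file()}

def demo() -> dict:
    """Constructed scenario: one authorised program, one later tampered with,
    and one introduced after the allow-list was built (e.g. from a floppy)."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d)
        teller = bin_dir / "teller.bin"
        ledger = bin_dir / "ledger.bin"
        teller.write_bytes(b"\x7fELF authorised teller program")
        ledger.write_bytes(b"\x7fELF authorised ledger program")
        allow_list = build_allow_list([teller, ledger])
        # Later: a worm patches ledger.bin and a new program appears on the machine.
        ledger.write_bytes(b"\x7fELF authorised ledger program + worm payload")
        (bin_dir / "game.bin").write_bytes(b"\x7fELF unauthorised program")
        return audit_directory(bin_dir, allow_list)

if __name__ == "__main__":
    print(demo())
```

A machine that refuses to run anything classified as 'modified' or 'unauthorised' gets the behaviour the paragraph describes: nothing outside the recorded set can execute.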
Smart Cards
A smart card is a card that is embedded with either a microprocessor and a memory chip, or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, a pre-paid phone card) can only undertake a pre-defined operation. Smart cards, unlike magnetic stripe cards, can carry all necessary functions and information on the card. Therefore, they do not require access to remote databases at the time of the transaction. One type of smart card is the Integrated Circuit (IC) Microprocessor Card. Microprocessor cards (also generally referred to by the industry as "chip cards") offer greater memory storage and security of data than a traditional magnetic stripe card.
Chip cards can process data on the card. The current generation of chip cards has an eight-bit processor, 16KB read-only memory, and 512 bytes of random-access memory. This gives them the equivalent processing power of the original IBM-XT computer, albeit with slightly less memory capacity. Integrated circuit microprocessor cards are used for a variety of applications, especially those that have cryptography built in, which requires manipulation of large numbers. Thus, chip cards have been the main platform for cards that hold a secure digital identity. These cards are typically used for:
· Cards that hold money ("stored value cards")
· Cards that hold money equivalents (for example, "affinity cards")
· Cards that provide secure access to a network
· Cards that secure cellular phones from fraud
· Cards that allow set-top boxes on televisions to remain secure from piracy
At present, customers who belong to Security First Network Bank are issued with an account package when they open a new account. This package consists of a user name and password, which is sent to the customer by post. In the near future the bank is hoping to issue this information on a smart card for its customers. Again, smart cards have their downsides: unusual voltages and temperatures can affect EEPROM (the place where data is stored) write operations.
Physical attacks on some micro-controllers are almost trivial if a certain portion of the chip is exposed to UV light. There is a potential loss of privacy if a smart card hacker gets access to the valuable (personal) information on the card. Newly implemented crypto systems are sometimes broken in no time. Since a lot of financial transactions are carried out over the Internet, 54% saw tighter security as more of a challenge, one that made accessing the system more enjoyable.
The smart card is, for the moment, a new technology, and smart cards exist outside financial regulations. The government has not certified it as a secure means of electronic transfer. Customers have to adapt to a new technology. The introduction of smart cards leads to new fees. Customers are put to a lot of inconvenience due to different cards, terminals and schemes.
Digital Certificates and Certificate Authorities
To address the issue of peer authentication, secure transaction protocols use digital certificates. Digital certificates are electronic credentials that are digitally signed by a Certificate Authority to verify an entity's or an individual's identity. Over a network, a digital ID serves the same purpose as a driver's license or passport -- it proves that an individual or organisation is who it claims to be. Certificate Authorities (CAs) are trusted third parties that issue digital certificates that authenticate the identities of certificate holders, as well as distributing public keys.
CAs issue two types of certificates:
· Browser certificates
· Server certificates.
Each comes in several classes, which refer to the level of verification performed by the CA. Class-1 certificates require less verification work by the CA than Class-2 certificates. For instance, a Class-1 certificate may only require an e-mail address at the organisation. The certificate authority could then verify the organisation through its IP address, which could be determined through its domain name. A Class-2 certificate may require more verification than a Class-1 certificate, for example, an organisation may be required to provide original legal documentation that verifies the registration of the business, a copy of a previous tax return, and other legal documentation that verifies the legitimacy of the business.
Conclusion
There are a number of advantages with online banking. Customers are able to use their computers and a telephone modem to dial in from home or any site where they have access to a computer. On-line banking is available 7 days a week, 24 hours a day. Transactions are executed and confirmed quickly, although not instantaneously and processing time is comparable to that of an ATM transaction. And the range of transactions available is quite broad. Customers can do virtually anything from checking their balance to applying for a mortgage.
Although there are a number of security measures in place to protect the customer when banking and shopping on-line, there are still a number of concerns which worry the customer, and these are why on-line banking/shopping is still yet to take off in today's society. Security is still a big issue. People still feel unsure about putting personal information such as credit card numbers, PIN numbers, financial information and social security numbers on-line into a system with millions of users with unlimited access. It is also possible that the information the customer receives over the Internet will not be accurate, for reasons of human error, tampering or even the failure to update the service. And finally there is also the question of cost.
It is very costly for a service to provide for constant updating, maintenance and keeping up with the current trends. The real question is, how is that cost being passed onto the customer? Is the customer going to pay extra for simply having a bank account on-line? Until these issues are resolved on-line banking/shopping is still a thing of the future.
Financial Information Systems-John Lindsay-1999