Security project keyvan
security in ecommerce


Transcript

  • 1. 1
  • 2. Security in Electronic Commerce
    Keyvan vahidy
    Graduate student
    College nooretouba
    Stno:8861097
    1389
  • 3. abstract
  • 4. Cryptography mechanisms
    Cryptography: principles of encryption
    Goals of cryptography:
    Privacy: determines who can read the message
    Authenticity: determines who can write the message
    • Prevent forgery
    • Prevent alteration
    • Prevent eavesdropping
    • Prevent tracing
  • Cryptography mechanisms: types
  • 8. Types: the symmetric method
    Symmetric cryptography: the keys used to encrypt and decrypt are the same
    The symmetric method has two types:
    Stream cipher
    Block cipher
  • 9. Types: the symmetric method
    Block cipher
    Stream cipher
  • 10. Types: the symmetric method
    Stream cipher: encrypts a string of data continuously as it is received
    Stream advantages:
    Diffusion
    Immunity to insertions and modifications
    Stream disadvantages:
    Slow encryption
    Error propagation
  • 11. Types: the symmetric method
    Block cipher: the data is divided into blocks and each block is encrypted individually
    Block advantages:
    Speed of transformation
    Low error propagation
    Block disadvantages:
    Low diffusion
    Malicious insertions and modifications possible
  • 12. Encryption algorithms for security
    Two widely known encryption algorithms:
    DES
    AES
  • 13. Data Encryption Standard (DES)
    Released by NBS in 1976, based on ‘Lucifer’
    Combination of substitution and transposition
    16 iterations with 56-bit key (64)
    Based on diffusion and confusion (Shannon)
    Supported then adopted by NSA
    Can be broken (in 22 hours, parallel attack)
    Key length dilemma, new algorithm to be AES
  • 14. Data Encryption Standard (DES)
    First the IP (explained below) is applied to the 64-bit plaintext. The result is then divided into two 32-bit halves, named L_0 and R_0. Then the following happens 16 times:
    Key transformation number i (a permutation, but dropping 8 bits off - defined in the specification) is applied to the key to produce 48 bits.
    Apply the function f(R_i, K_{i+1}) (explained below) to produce a 32-bit output.
    Exclusive-OR L_i and f(R_i, K_{i+1}), and call this R_{i+1}.
    Make L_{i+1} = R_i.
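The round structure on slide 14, as an added Python example that is not part of the original slides: a 16-round Feistel network on a 64-bit block. The round function `f` and the key schedule are hash-based stand-ins (assumptions), not DES's S-boxes, permutations or IP; the example shows that decryption is the same routine with the round keys reversed, even though `f` itself is never inverted.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def round_keys(key: bytes) -> list:
    """Derive sixteen 48-bit round keys K_1..K_16.
    Assumption: SHA-256 replaces DES's permutation-based key transformation."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:6], "big")
            for i in range(1, ROUNDS + 1)]

def f(right: int, subkey: int) -> int:
    """Toy round function (hypothetical): 32-bit half + 48-bit key -> 32 bits.
    It is one-way; a Feistel network never needs to invert f."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block: int, subkeys: list) -> int:
    """Apply the rounds to a 64-bit block (initial/final permutation omitted)."""
    left, right = (block >> 32) & MASK32, block & MASK32   # L_0, R_0
    for k in subkeys:
        # R_{i+1} = L_i XOR f(R_i, K_{i+1});  L_{i+1} = R_i
        left, right = right, left ^ f(right, k)
    # Swap the halves on output so the same routine undoes itself.
    return (right << 32) | left

def encrypt(block: int, key: bytes) -> int:
    return feistel(block, round_keys(key))

def decrypt(block: int, key: bytes) -> int:
    # Same network, round keys applied in reverse order.
    return feistel(block, round_keys(key)[::-1])

if __name__ == "__main__":
    key = b"\x13\x34\x57\x79\x9b\xbc\xdf\xf1"      # constructed sample key
    plaintext = 0x0123456789ABCDEF                 # constructed 64-bit block
    ciphertext = encrypt(plaintext, key)
    print(f"{ciphertext:016x}", decrypt(ciphertext, key) == plaintext)
```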
  • 15. Data Encryption Standard (DES)
  • 16. RSA Encryption
    RSA (1978, by Rivest, Shamir and Adleman) is a popular asymmetric key encryption standard.
    Difficulty of determining prime factors
    It is based on number theory (more specifically the difficulty in factorizing a large number).
    The key size ranges between 512 and 2048 bits.
    It is used in many e-commerce applications such as the Secure Electronic Transaction (SET) protocol for credit card payment.
  • 17. RSA Encryption
    Picks two large prime numbers p and q
    Multiplies p and q to obtain n
    Chooses d, such that d and w = (p-1)(q-1) are relatively prime (no common factor).
    Chooses e such that 1 = d × e mod w
    Public key is: <e, n>
    Private key is: <d, n>
    Message code m, secret code c
    c = m^e mod n
    m = c^d mod n
  • 18. Public Key
    Only the decryption key is kept secret. The encryption key is made public.
    Each user has two keys, one secret and one public.
    Public keys are maintained in a public directory.
    To send a message M to user B, encrypt using the public key of B.
    B decrypts using his secret key.
    Signing Messages
    For a user Y to send a signed message M to user X.
    Y encrypts M using his secret key.
    X decrypts the message using Y’s public key.
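Slides 17 and 18 carried through with small numbers, as an added Python example that is not part of the original slides. The primes 61 and 53, the exponent d = 2753 and the message code 65 are constructed sample values; this is unpadded textbook RSA at toy size, whereas deployed systems add padding (OAEP for encryption, PSS for signatures) and sign a hash of the message.

```python
from math import gcd

def keygen(p: int, q: int, d: int):
    """Build a key pair from primes p, q and a chosen private exponent d."""
    n = p * q
    w = (p - 1) * (q - 1)
    if gcd(d, w) != 1:
        raise ValueError("d must be relatively prime to w = (p-1)(q-1)")
    e = pow(d, -1, w)            # e such that 1 = d * e mod w
    return (e, n), (d, n)        # public key <e, n>, private key <d, n>

def _check_range(m: int, n: int) -> None:
    # A message code outside [0, n) would silently wrap modulo n.
    if not 0 <= m < n:
        raise ValueError("message code must satisfy 0 <= m < n")

def encrypt(m: int, public) -> int:
    e, n = public
    _check_range(m, n)
    return pow(m, e, n)          # c = m^e mod n

def decrypt(c: int, private) -> int:
    d, n = private
    return pow(c, d, n)          # m = c^d mod n

def sign(m: int, private) -> int:
    """Slide 18: the signer 'encrypts' M with the secret key."""
    d, n = private
    _check_range(m, n)
    return pow(m, d, n)

def verify(m: int, s: int, public) -> bool:
    """The receiver 'decrypts' the signature with the signer's public key."""
    e, n = public
    return 0 <= m < n and pow(s, e, n) == m

if __name__ == "__main__":
    public, private = keygen(61, 53, 2753)      # constructed toy parameters
    c = encrypt(65, public)
    s = sign(65, private)
    print(public, c, decrypt(c, private), verify(65, s, public), verify(66, s, public))
```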
  • 19. Public Key
  • 20. Public Key Infrastructure(PKI)
    A set of technologies and procedures to enable electronic authentication
    Uses public key cryptography and digital certificates
    Certificate life-cycle management
  • 21. Public Key Infrastructure(PKI)
    Many products from many vendors are available for certificate issuance and some management functions
    Interoperability is a big issue -- especially when it comes to policies
    Enabling the use of PKI in applications is limited today
    Building and managing policies is the least understood issue
  • 22. Public Key Infrastructure(PKI)
    Authentication and registration of certificate applicants
    System administration and access to signing keys
    Application use and interfacing
    Trust between hierarchies
    Trust decisions to be made at different points within the application need different views
    Certificate fields, authorization and allowed use is really the hardest issue
    Authorization policies for management of CAs and RAs
  • 23. Public Key Infrastructure(PKI)
  • 24. Message authentication code (MAC)
  • 25. Malicious programs
  • 26. Viruses
    Unauthorized software being run
    Games
    Widely distributed software
    Shareware
    Freeware
    Distributed software
  • 27. Trojan horse
    A Trojan horse, or Trojan, is a program that appears to perform a desirable function for the user before it is run or installed but instead facilitates unauthorized access to the user's computer system.
  • 28. Computer worm
    A computer worm is a self-replicating program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
  • 29. Firewalls
    A firewall is a barrier placed between the private network and the outside world.
    All incoming and outgoing traffic must pass through it.
    Can be used to separate address domains.
    Control network traffic.
    Cost: ranges from no-cost (available on the Internet) to a $100,000 hardware/software system.
    Types:
    Router-Based
    Host Based
    Circuit Gateways
  • 30. View of a Firewall
  • 31. Firewall Types(Router-Based)
  • 32. Firewall Types(Host-Based)
  • 33. Secure Protocols
    How to communicate securely:
    SSL – “the web security protocols”
    IPSEC – “the IP layer security protocol”
    SMIME – “the email security protocol”
    SET – “credit card transaction security protocol”
    S-HTTP – “Secure Hypertext Transfer Protocol”
    Others …
  • 34. SSL
    • Negotiates and employs essential functions for secure transactions
    • Mutual authentication
    • Data encryption
    • Data integrity
    • Operates between application and transport layers
    Layer diagram (top to bottom):
    Application layer: web applications, HTTP, NNTP, FTP, Telnet, future apps, etc.
    SSL
    TCP/IP
  • 39. SSL and Security Attacks
  • 40. IP SEC
  • 41. SMIME
  • 42. SET
    The SET standard was introduced in 1997 by two companies, VISA and MasterCard, with the aim of ensuring security in credit transactions
    Information privacy: buyers' credit card numbers remain hidden from the seller (using DES)
    Cardholder authentication: digital signatures with X.509v3 certificates
    Vendor authentication: digital signatures with X.509v3 certificates
  • 43. Goals of SET
    Maintain the confidentiality of payment and purchase order information
    Cardholder authentication: confirm that the cardholder is a legitimate user of the credit card account
    Maintain the integrity of all transferred data
    Ensure the safety of all transferred data
    Provide authentication of the seller for the transaction
    Ensure the use of the best security techniques and system designs to protect all legitimate parties in electronic commerce transactions
  • 44. Dual Signature(SET)
  • 45. S-HTTP
    Security on application layer
    Protection mechanism:
    Digital Signature
    Message authentication
    Message encryption
    Supports private and public key cryptography
    Enhanced HTTP data exchange
  • 46. S-HTTP
    Operates on the application layer
    Encryption and digital signature
    Works only with HTTP
    Application dependent
    More secure than SSL at end point even after data transfer
    No particular cryptographic system
    Multiple times encryption
  • 47. Electronic Mail Security
    E-mail is the most widely used application in the Internet.
    Who wants to read your mail?
    Business competitors
    Reporters, criminals
    Friends and Family
    Two approaches are used:
    PGP: Pretty Good Privacy
    PEM: Privacy-Enhanced Mail
  • 48. E-mail Security(PGP)
    Available free worldwide in versions running on:
    DOS/Windows
    Unix
    Macintosh
    Based on:
    RSA
    IDEA
    MD5
  • 49. E-mail Security(PEM)
    A draft Internet Standard (1993).
    Used with SMTP.
    Implemented at application layer.
    Provides:
    Disclosure protection
    Originator authenticity
    Message integrity
  • 50. Transaction Security
  • 51. Agents participating in a Transaction
  • 52. Agents participating in a Transaction
    Financial Audit Institute (Acquirer): a financial institution with the following tasks:
    Open an account for sellers
    Set the ceiling for credit cards and enable them
    Deposit the amount received by card into the vendor's account
    Payment Gateway: processes the vendor's payment messages, operated by the Acquirer or a third party
    Certification Authority (CA): issuer of X.509 certificates for cardholders, sellers, and the payment gateway
  • 53. Payment Gateway
    Verify all certificates
    Decrypt the digital license to obtain the symmetric key, then decrypt the block
    Verify the vendor's signature
    Decrypt the digital payment to obtain the symmetric key, then decrypt the block
    Verify the dual signature on the payment block
    Request and receive permission from the sender
  • 54. Customer Account
  • 55. Order Buying(Customer)
  • 56. Order Customer(Merchant)
  • 57. Thank you for your attention dear