Project security


Published on

پروژه درس امنیت-مریم سادات حاج اکبری

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Project security

  1. 1. Security in e-Business<br />استاد: آقاي دکتر سخاوتی<br />مريم سادات حاج اکبری<br />8861022<br />2/8/2011<br />1<br />
  2. 2. Electronic commerce<br />Type of electronic commerce<br /><ul><li>Business to business -> such as EDI
  3. 3. Customer to business -> such as online stores
  4. 4. Customer to customer -> such as Ebay
  5. 5. Customer business to public administrator -> such as filling electronic tax</li></ul>2/8/2011<br />2<br />
  6. 6. A typical electronic payment system<br />3<br />6.Interbank(clearing) network<br />7.ok<br />Payment<br />gateway <br />4.withdrawal<br />5.deposit<br />8.Registration<br />Authorization<br /> transaction<br />3.registration<br />2.Check account customer<br />1.Payment info<br />9.Delivery+Confirmation <br />
  7. 7. E-payment systems<br />Offline vs. online<br />Debit vs. credit<br />Macro vs. Micro<br />2/8/2011<br />4<br />
  8. 8. Offline vs. Online<br />Offline payment system<br /><ul><li>Customer and seller are online but their banking info is offline.</li></ul>Use in Airlines<br /><ul><li>Payment mechanism:
  9. 9. Crew prints payment’s information and customer’s credit card by a mechanical device in a paper and then enter online system.</li></ul>2/8/2011<br />5<br />
  10. 10. Offline vs. Online<br />Online payment system<br />2/8/2011<br />6<br />
  11. 11. Debit vs. credit<br />Debit card:<br /><ul><li>Such as Iran banking system -> checks</li></ul>Credit card: <br /><ul><li>Entities involve in credit system
  12. 12. Card holder
  13. 13. Card issuing bank -> visa or Master or AMEX ….
  14. 14. Merchant
  15. 15. Name on credit card -> visa or master
  16. 16. Association </li></ul>2/8/2011<br />7<br />
  17. 17. How credit card act?<br />2/8/2011<br />8<br />
  18. 18. Macro .VS Micro<br />Macro system<br /><ul><li>Paid more than the 5$ to 10$</li></ul>Micro payment<br /><ul><li>Paid less than 5$ to 1$
  19. 19. Example: Public transportation system, Restaurants, Online Advertising….
  20. 20. Difference:
  21. 21. For any transaction it has a fee about 20 to 30 cent for payer and payee.</li></ul>2/8/2011<br />9<br />
  22. 22. Payment instructure<br />Cash like<br />Check like<br />Credit card<br />Electronic money<br />Electronic check<br />2/8/2011<br />10<br />
  23. 23. Mechanism payment by credit cart<br />2/8/2011<br />11<br />3<br />2<br />4<br />1<br />
  24. 24. Credit card security<br />Two original Illegal Use from credit card<br /><ul><li>Eavesdroppers
  25. 25. Dishonest</li></ul>The solution:<br /><ul><li>Encryption & coding such as SSL
  26. 26. Will issue next chapter</li></ul>2/8/2011<br />12<br />
  27. 27. Electronic money<br />Define : Scripting money or exchanged only in electronic form<br />Called as:e- cash, digital cash, digital/electronic currency<br />Mainly Used as: micro system<br />Electronic Currencies : Digital or electronic coin<br />2/8/2011<br />13<br />
  28. 28. Digital money<br />Such as Octopus system in Hong Kong<br /><ul><li>It use in transportation system</li></ul>The best example is pay pal<br /><ul><li>User holds Amount of credits in your account.
  29. 29. The user can from their account to other account holders to give or receive money.</li></ul>2/8/2011<br />14<br />
  30. 30. Electronic check<br />2/8/2011<br />15<br />6.Interbank(clearing) network settlement<br />Difference with cash like:<br />In cash like, Electronic payment system the first check customer’s account then delivery product or services<br />5.Endorsed check<br />1.Payment info<br />2- invoice <br />3.Signed check<br />4.<br />
  31. 31. Electronic wallet<br />2/8/2011<br />16<br />Define: It is a interface for save any financial information.<br />Usage: Complete electronic forms without re-entering the transaction data when the transaction<br /><ul><li>The best example is pay pal
  32. 32. Such as digital money and credit cards
  33. 33. Google check out</li></li></ul><li>Electronic payment security<br />Design a security services<br /><ul><li>Analysis risk
  34. 34. Identify risks, threats, vulnerability
  35. 35. Identify Related priorities</li></ul>Notice: any payment system have needs and special features.<br />2/8/2011<br />17<br />
  36. 36. Electronic payment security<br /> Problems Traditional payment systems<br /><ul><li>Money can be counterfeited
  37. 37. Signature can be forgot
  38. 38. Checks can bounce</li></ul>Problems electronic payment systems<br /><ul><li>Digital documents can be copied perfectly and arbitrarily.
  39. 39. A payer’s identity can be associated with every payment transaction.
  40. 40. Digital signatures can be produced by who knows the private key.</li></ul>Notice: electronic commerce need <br /> To more attention.<br />2/8/2011<br />18<br />
  41. 41. Three types of adversaries!<br />Outsiders eavesdropping <br /><ul><li>Misusing the collected data (e.g. credit card numbers )</li></ul>Active attackers<br /><ul><li>Sending forged message to authorized</li></ul>Dishonest payment system participants<br /><ul><li> trying to obtain and misuse payment transaction data that</li></ul>They are not authorized to see or use<br />2/8/2011<br />19<br />
  42. 42. The basic security requirements<br />Payment authentication<br />Payment integrity<br />Payment authorization<br />Payment confidentiality<br />2/8/2011<br />20<br />
  43. 43. Payment authentication<br />No anonymity -> mechanisms such as MAC – SHA – MD5 <br />With anonymity –> It needs to more security<br />2/8/2011<br />21<br />
  44. 44. Payment integrity<br />Payment integrity requires that payment transaction data cannot be modifiable by unauthorized principals.<br />payment transaction data:<br /><ul><li>Payer’s identity.
  45. 45. Payee’s identity.
  46. 46. Content of the purchase.
  47. 47. The amount.</li></ul>2/8/2011<br />22<br />
  48. 48. Payment authorization<br />2/8/2011<br />23<br /><ul><li>Payment authorization ensures that no money can be taken from a customer’s account or smart card without his explicit permission</li></li></ul><li>Payment confidentiality<br />2/8/2011<br />24<br />Payment confidentiality covers of one or more pieces of payment transaction data<br />
  49. 49. Payment security services<br />Payment transaction security services<br />Digital money security<br />Electronic checks security <br />2/8/2011<br />25<br />
  50. 50. Payment transaction security services<br />User anonymity <br />Location un-traceability<br />Payer anonymity<br />Payment transaction intractability<br />Confidentiality of payment<br />Non-repudiation<br />freshness<br />2/8/2011<br />26<br />
  51. 51. User anonymity <br />User anonymity protects against disclosure of a user’s identity in a network transaction.<br />Mechanism:<br /><ul><li>Chain of mixes</li></ul>2/8/2011<br />27<br />
  52. 52. Location untraceability<br />Location untraceability protects against disclosure of where a payment transaction originated.<br />Mechanism:<br /><ul><li>Chain of mixes</li></ul>2/8/2011<br />28<br />
  53. 53. Payer anonymity<br />Payer anonymity protects against disclosure of a payer’s identity in a payment transaction.<br />Mechanism:<br /><ul><li>psedudonyms</li></ul>2/8/2011<br />29<br />
  54. 54. Payment transaction intractability<br />Payment transaction intractability protects against linking of two different payment transactions involving the same customer.<br />Mechanism:<br /><ul><li>Hash function</li></ul>2/8/2011<br />30<br />
  55. 55. Confidentiality of payment <br />Confidentiality of payment transaction data selectively protects against disclosure of specific parts of payment transaction data to selected principals from the group authorized principals.<br />Mechanism:<br /><ul><li>Hash function</li></ul>2/8/2011<br />31<br />
  56. 56. Non-repudiation<br />Non-repudiation of payment messages protects against denial of the origin of protocol message exchanged in a payment transaction.<br />Mechanism:<br /><ul><li>Digital signature</li></ul>2/8/2011<br />32<br />
  57. 57. Freshness<br />Freshness of payment transaction messages protects against replaying of payment transactions messages. <br />Mechanism:<br /><ul><li>Nonces and Time Stamps</li></ul>2/8/2011<br />33<br />
  58. 58. Payment transaction security<br />An electronic payment transaction is an execution of a protocol by which an amount of money is taken from a payer and given to payee<br />2/8/2011<br />34<br />
  59. 59. User anonymity and location untraceability<br />User anonymity and location un-traceability can be provided separately.<br />A pure user anonymity security service would protected against disclosure of a user’s identity.<br /><ul><li>For example, a user’s employing pseudonyms instead of his or her real name.
  60. 60. Problem: if a network transaction can be traced back to the originating host, and if the host is used by a known network user only, </li></ul>This anonymity is obviously not sufficient<br />2/8/2011<br />35<br />
  61. 61. location untraceability<br />A pure location untraceability security service would protect against disclosure of where a message originates.<br /><ul><li>One possible solution is to route the network traffic through a set of anonymizing host.
  62. 62. The requires that at least one of the hosts on the network path be honest.</li></ul>2/8/2011<br />36<br />
  63. 63. Chain of mixes<br />A user anonymity and location untraceability mechanism based on a series of anonymizing hosts or mixes has been proposed by D. Chaum.<br />2/8/2011<br />37<br />Mix<br />A<br />X<br />B<br />Y<br />Z<br />C<br />
  64. 64. Chain of mixes<br />The problem of having a mix trusted by all participants can be solved by using a matrix (or network) of mixes instead of just one.<br />2/8/2011<br />38<br />
  65. 65. Chain of mixes<br />2/8/2011<br />39<br />If A wants to send an anonymous and untraceable message to Y, as in the example with one mix, the protocol goes as follows:<br />
  66. 66. Payer Anonymity<br />2/8/2011<br />40<br />The simplest way to ensure payer anonymity with respect to the payee is for the payer to use pseudonyms instead of his or her real identity. <br />If one wants be sure that two different payment transactions by the same payer cannot be linked, then payment transaction untraceabilitymust also be provided.<br />
  67. 67. Pseudonyms<br />2/8/2011<br />41<br />First virtual Holding, Inc<br />Started to operate the first <br />internet payment system <br />that was based on the Existing <br />Internet infrastructure, <br />that is e-mail and telnet<br />Send email<br />
  68. 68. Pseudorandom Function<br />2/8/2011<br />42<br />Payment Transaction Untraceability<br /><ul><li>IDC = hk (RC ,BAN)</li></ul>Payment Transaction Data confidentiality<br /><ul><li>IDC = hk (RC ,BAN)
  69. 69. IDC = hk (SALTc, DESC)</li></ul>Payment instruction: credit card info- account number- ...<br /><ul><li>It should be secret from view merchant.</li></ul>Oder information: what buy?- where buy?- how delivery?...<br /><ul><li>It should be secret from view acquirer bank, issuer bank...</li></li></ul><li>Secure Electronic TransactionSET<br />2/8/2011<br />43<br />SET is an open encryption and security specification designed to protect credit card transaction on the internet.<br /><ul><li>Important feature of SET: it prevents the merchant from learning the card holder’s credit card number.</li></li></ul><li>Dual Signature<br />2/8/2011<br />44<br />The purpose of dual Signature is to link two message that are intended for two different recipients<br />
  70. 70. Nonrepudiation of Payment Transaction Messages<br />2/8/2011<br />45<br />Digital Signature:<br />To explain the nonrepudiation<br /> issues in a payment <br />transaction protocol<br />we will use a simplified<br /> model based on the 3KP<br /> payment protocol<br />Nonrepudiation messages.<br />
  71. 71. Freshness of Payment Transaction Messages<br />2/8/2011<br />46<br />This service protects against replay attacks. In other words, it prevents eavesdroppers or dishonest participants from reusing the messages exchanged during a payment transaction.<br /><ul><li>Nonces and Time Stamps</li></li></ul><li>IOTP<br />2/8/2011<br />47<br />The Internet Open Trading Protocol (IOTP) is an electronic payment framework for Internet commerce whose purpose is to ensure interoperability<br /> among different payment systems.<br />IOTP is payment system-independent. That means that any electronic payment system (e.g., SET, DigiCash) can be used within the framework.<br />IOTP messages are well-formed XML (Extensible Markup Language) documents.<br />
  72. 72. IOTP<br />2/8/2011<br />48<br />Format for electronic payment<br />It is for any transaction<br />It modify for any message<br />Data integrity + nonrepudiation -> <br />Digital certificate+ Digital signature<br />Confidentiality -> ssl+tls<br />
  73. 73. Fine<br />2/8/2011<br />49<br />