Unit 2:

Security and Encryption

INSTRUCTOR:
MAUMITA CHOUDHURY
 HOW TO TRUST TECHNOLOGY?
When verbally passing a message you usually need to know your contact persons
to know if you can trust them, but you also have to know your technology a little to
know if you can trust it. Technologies can leak or distort your message just as
humans can. Technologies are invested in types of trust relations: some devices are
safer than others, some can be modified, and some are better avoided.
1. No method is entirely secure;
2. You need to have a basic understanding on how and why technology works to
make it work for you;
3. You need technology for safer communication: either some basic tools, or more
sophisticated equipment, depending on where you're at and where you go.
 WHAT IS SECURITY?
Absolute security does not exist, security is always related to who your adversaries
might be. Security is therefore about informing yourself and assessing the possible
risks you, and others you communicate with, are facing. Make sure you reserve
some time to choose the right tools, install everything properly, and test if it works.
Compare it with driving a car: it takes a little bit of practice, and some judgement on
others' behaviour, but as soon you are in control it can safely get you where you
want.
To make a choice between the types of tools you need, it helps to make a
distinction between two basic types of 'threats':
• undirected threats and
• directed threats.
UNDIRECTED AND DIRECTED THREATS
• Undirected threats are threats that are not directed at you personally, but might still
affect you. Examples include phishing emails and computer virus infections. These
methods are always automated and are just looking to get new victims, that can be
everyone. Some schemes can evolve into a directed threat (for example when
responding to e-mails telling you you won the "Spanish online lottery"). Also
unprotected websites, or networks, can be dangerous if you fill in your login
• Directed threats are the most dangerous ones. A long known wisdom amongst
security specialists is the notion that "Only amateurs attack machines, professionals
attack people." Directed threats are aimed at you personally or your organization and
might involve a lot of different techniques. Attackers will use a mix of social
engineering, sophisticated tools, luck and hard work. Directed attacks are a lot more
expensive to undertake than undirected ones, as mostly they require more skills and
work hours, codes or credit card information.
 WHY IS COMPUTER AND NETWORK SECURITY IMPORTANT?
• To protect company assets: One of the primary goals of computer and network security is
the protection of company assets. By "assets," I do not mean the hardware and software
that constitute the company's computers and networks. The assets are comprised of the
"information" that is housed on a company's computers and networks. Information is a
vital organizational asset. Network and computer security is concerned, above all else,
with the protection, integrity, and availability of information. Information can be defined
as data that is organized and accessible in a coherent and meaningful manner.
• To gain a competitive advantage: Developing and maintaining effective security measures
can provide an organization with a competitive advantage over its competition. Network
security is particularly important in the arena of Internet financial services and e-
commerce. It can mean the difference between wide acceptance of a service and a
mediocre customer response. For example, how many people do you know who would
use a bank's Internet banking system if they knew that the system had been successfully
hacked in the past? Not many. They would go to the competition for their Internet
banking services.
• To comply with regulatory requirements and fiduciary responsibilities: Corporate officers of every company
have a responsibility to ensure the safety and soundness of the organization. Part of that responsibility
includes ensuring the continuing operation of the organization. Accordingly, organizations that rely on
computers for their continuing operation must develop policies and procedures that address
organizational security requirements. Such policies and procedures are necessary not only to protect
company assets but also to protect the organization from liability. For-profit organizations must also
protect shareholders' investments and maximize return. In addition, many organizations are subject to
governmental regulation, which often stipulates requirements for the safety and security of an
organization. For example, most financial institutions are subject to federal regulation. Failure to comply
with federal guidelines can result in the seizure of a financial institution by federal regulators. In some
cases, corporate officers who have not properly performed their regulatory and fiduciary responsibilities
are personally liable for any losses incurred by the financial institution that employs them.
• To keep your job: Finally, to secure one's position within an organization and to ensure future career
prospects, it is important to put into place measures that protect organizational assets. Security should be
part of every network or systems administrator's job. Failure to perform adequately can result in
termination. Termination should not be the automatic result of a security failure, but if, after a thorough
postmortem, it is determined that the failure was the result of inadequate policies and procedures or
failure to comply with existing procedures, then management needs to step in and make some changes.
 The Security Trinity

The three legs of the "security trinity," prevention, detection, and response,
comprise the basis for network security. The security trinity should be the
foundation for all security policies and measures that an organization develops
and deploys.
• Prevention
The foundation of the security trinity is prevention. To provide some level of security, it is
necessary to implement measures to prevent the exploitation of vulnerabilities. In developing
network security schemes, organizations should emphasize preventative measures over detection
and response: It is easier, more efficient, and much more cost-effective to prevent a security
breach than to detect or respond to one. Remember that it is impossible to devise a security
scheme that will prevent all vulnerabilities from being exploited, but companies should ensure
that their preventative measures are strong enough to discourage potential criminals-so they go
to an easier target.
• Detection
Once preventative measures are implemented, procedures need to be put in place to detect
potential problems or security breaches, in the event preventative measures fail. As later chapters
show, it is very important that problems be detected immediately. The sooner a problem is
detected the easier it is to correct and cleanup.
• Response
Organizations need to develop a plan that identifies the appropriate response to a security
breach. The plan should be in writing and should identify who is responsible for what actions and
the varying responses and levels of escalation.
SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• Threats
A threat is anything that can disrupt the operation, functioning,
integrity, or availability of a network or system. There are different
categories of threats. There are natural threats, occurrences such
as floods, earthquakes, and storms. There are also unintentional
threats that are the result of accidents and stupidity. Finally, there
are intentional threats that are the result of malicious indent. Each
type of threat can be deadly to a network.
• Vulnerabilities
• A vulnerability is an inherent weakness in the
design, configuration, implementation, or
management of a network or system that
renders it susceptible to a threat. Vulnerabilities
are what make networks susceptible to
information loss and downtime. Every network
and system has some kind of vulnerability.
• Attacks
• An attack is a specific technique used to exploit a vulnerability.
For example, a threat could be a denial of service. A vulnerability
is in the design of the operating system, and an attack could be a
"ping of death." There are two general categories of attacks,
passive and active. Passive attacks are very difficult to detect,
because there is no overt activity that can be monitored or
detected. Examples of passive attacks would be packet sniffing
or traffic analysis. These types of attacks are designed to
monitor and record traffic on the network. They are usually
employed for gathering information that can be used later in
active attacks.
• Viruses
• A virus is a parasitic program that cannot function independently, is
a program or code fragment that is self-propagating. It is called a
virus, because like its biological counterpart, it requires a "host" to
function. In the case of a computer virus the host is some other
program to which the virus attaches itself. A virus is usually spread
by executing an infected program or by sending an infected file to
someone else, usually in the form of an e-mail attachment. There
are several virus scanning programs available on the market. Most
are effective against known viruses. Unfortunately, however, they
are incapable of recognizing and adapting to new viruses.
• Worm
• A worm is a self-contained and independent
program that is usually designed to propagate or
spawn itself on infected systems and to seek other
systems via available networks. The main difference
between a virus and a worm is that a virus is not an
independent program. However, there are new
breeds of computer bugs that are blurring the
difference between viruses and worms.
• Trojan Horses
• A Trojan horse is a program or code fragment that hides inside a
program and performs a disguised function. This type of threat gets
its name from Greek mythology and the story of the siege of Troy.
The story tells of how Odysseus and his men conquered Troy by
hiding within a giant wooden horse. A Trojan horse program hides
within another program or disguises itself as a legitimate program.
This can be accomplished by modifying the existing program or by
simply replacing the existing program with a new one. The Trojan
horse program functions much the same way as the legitimate
program, but usually it also performs some other function, such as
recording sensitive information or providing a trap door.
• Logic Bombs
• A logic bomb is a program or subsection of a
program designed with malevolent intent. It is
referred to as a logic bomb, because the program is
triggered when certain logical conditions are met.
This type of attack is almost always perpetrated by
an insider with privileged access to the network. The
perpetrator could be a programmer or a vendor that
supplies software.
• Spoofs
• Spoofs cover a broad category of threats. In general
terms, a spoof entails falsifying one's identity or
masquerading as some other individual or entity to
gain access to a system or network or to gain
information for some other unauthorized purpose.
There are many different kinds of spoofs, including,
among many others, IP address spoofing, session
highjacking, domain name service (DNS) spoofing,
sequence number spoofing, and replay attacks.
• Sniffing
• Network sniffing or packet sniffing is the process of monitoring a
network in an attempt to gather information that may be useful in an
attack. With the proper tools a hacker can monitor the network
packets to obtain passwords or IP addresses. Many vendors
manufacture hardware and software for legitimate purposes that can
be abused by hackers. The only comforting fact about these products
is that hackers usually can't afford them. They can, however, steal
them. There are also some common utilities available and programs
that can be downloaded from hacker sites such as tcpmon, tcpdump,
or gobbler. Network Associates‘ Sniffer Pro is an example of a
commercially available product.
• Web Site Defacement
• Very often some organization's Web site is
defaced by hackers, who post some message
protesting something or other. Web site
defacements are usually achieved by exploiting
some incorrect configuration or known
vulnerability of the Web server software, or by
exploiting some other protocol-based
vulnerability of the server's operating system.
• SPAM
• SPAM is unwanted e-mail. Anyone who has an e-mail account has received
SPAM. Usually it takes the form of a marketing solicitation from some
company trying to sell something we don't want or need. To most of us it is
just an annoyance, but to a server it can also be used as a denial-of-service
attack. By inundating a targeted system with thousands of e-mail
messages, SPAM can eat available network bandwidth, overload CPUs,
cause log files to grow very large, and consume all available disk space on a
system. Ultimately, it can cause a system to crash. SPAM can be used as a
means to launch an indirect attack on a third party. SPAM messages can
contain a falsified return address, which may be the legitimate address of
some innocent unsuspecting person. As a result, an innocent person,
whose address was used as the return address, may be spammed by all the
individuals targeted in the original SPAM.
 Hacking
• During the 1990s, the term "hacker" originally denoted a skilled programmer proficient in machine code and
computer operating systems. In particular, these individuals could always hack on an unsatisfactory system to
solve problems and engage in a little software company espionage by interpreting a competitor's code.
Unfortunately, some of these hackers also became experts at accessing password-protected computers, files,
and networks and came to known as "crackers." Of course, an effective and dangerous "cracker" must be a
good hacker and the terms became intertwined. Hacker won out in popular use and in the media and today
refers to anyone who performs some form of computer sabotage. Hacking is an attempt to exploit a computer
system or a private network inside a computer. Simply put, it is the unauthorised access to or control over
computer network security systems for some illicit purpose.
• White hat professionals hack to check their own security systems to make it more hack-proof. In most cases,
they are part of the same organisation.
• Black hat hackers hack to take control over the system for personal gains. They can destroy, steal or even
prevent authorized users from accessing the system. They do this by finding loopholes and weaknesses in the
system. Some computer experts call them crackers instead of hackers.
• Grey hat hackers comprise curious people who have just about enough computer language skills to enable
them to hack a system to locate potential loopholes in the network security system. Grey hats differ from
black hats in the sense that the former notify the admin of the network system about the weaknesses
discovered in the system, whereas the latter is only looking for personal gains. All kinds of hacking are
considered illegal barring the work done by white hat hackers.
• Cybervandalism is damage or destruction that takes place in digital
form. Cyber vandals operate by defacing a website (such as
Wikipedia), creating malware that damages electronic files or
elements that interrupt its normal utilization or removing a disk
drive to disable a computer system. Unlike digital espionage, where
the purpose is to steal and misuse data, digital vandalism only
seeks to damage, destroy or disable data, computers or networks.
Cybervandalism can impact businesses drastically, including the
ability of your customers to access services as well as financial loss
or impact to your brand or reputation. Deleting, altering or adding
content to someone else’s online content. It is most often not for
profit, but to prove they can, or to protest against something they
don’t agree with online.
• Distributed Denial of Service Attacks (DDoS)
• Businesses that rely on web-based transactions are
continues to be vulnerable to Denial of Service (DoS) attacks.
DoS attack scripts are the most common, effective and
easiest to implement attacks available on the web. No actual
damage is done to the victim site. The access paths to it are
simply overwhelmed with incoming packets. It would be
every businessman's dream to be in this situation if the
incoming packets were legitimate customer orders. However,
it can be their worst nightmare if they are the targets of a
DoS attack.
 OSI REFERENCE MODEL
The OSI reference model is a seven-layer model that was
developed by the International Standards Organization (ISO)
in 1978. The OSI model is a framework for international
standards that can be used for implementing a
heterogeneous computer network architecture. The OSI
architecture is split into seven layers. Figure illustrates the
seven layers of the OSI model. Each layer uses the layer
immediately below it and provides a service to the layer
above. In some implementations a layer may itself be
composed of sublayers.
The physical layer addresses the physical link and is concerned
with the signal voltage, bit rate, and duration. The data link layer
is concerned with the reliable transmission of data across a
physical link. In other words, getting a signal from one end of a
wire to the other end. It handles flow control and error
correction. The network layer handles the routing of data and
ensures that data is forwarded to the right destination. The
transport layer provides end-to-end control and constructs the
packets into which the data is placed to be transmitted or
"transported" across the logical circuit. The session layer handles
the session set-up with another network node. It handles the
initial handshake and negotiates the flow of information and
termination of connections between nodes. The presentation
layer handles the conversion of data from the session layer, so
that it can be "presented" to the application layer in a format
that the application layer can understand. The application layer is
the end-user interface. This includes interfaces such as browsers,
virtual terminals, and FTP programs.
 INFORMATION SECURITY
• Information Security
Network security is concerned, above all else, with the security of company
information assets. We often lose sight of the fact that it is the information and our
ability to access that information that we are really trying to protect-and not the
computers and networks. Definition for information security:
• Information security = confidentiality + integrity + availability + authentication

• Nonrepudiation
The ability to prevent individuals or entities from denying (repudiating) that
information, data, or files were sent or received or that information or files were
accessed or altered, when in fact they were. This capability is crucial to e-commerce.
Without it an individual or entity can deny that he, she, or it is responsible for a
transaction and that he, she, or it is, therefore, not financially liable.
• Confidentiality
This can also be called privacy or secrecy and refers to the protection of information from unauthorized
disclosure. Usually achieved either by restricting access to the information or by encrypting the information so
that it is not meaningful to unauthorized individuals or entities.
• Integrity
This can be thought of as accuracy. This refers to the ability to protect information, data, or transmissions from
unauthorized, uncontrolled, or accidental alterations. The term integrity can also be used in reference to the
functioning of a network, system, or application.
• Availability
This refers to whether the network, system, hardware, and software are reliable and can recover quickly and
completely in the event of an interruption in service. Ideally, these elements should not be susceptible to denial
of service attacks.
• Authentication
Authentication serves as proof that you are who you say you are or what you claim to be. Authentication is
critical if there is to be any trust between parties. Authentication is required when communicating over a
network or logging onto a network. When communicating over a network you should ask yourself two
questions: 1) With whom am I communicating? and 2) Why do I believe this person or entity is who he, she, or
it claims to be? If you don't have a good answer for question 2, then chances are you are wrong on question 1.
 STEPS TO PROTECT FROM THREATS
• KEEP YOUR OS UPDATED Keep your operating system up-to-date: the developers of
operating systems provide updates that you should install from time to time. These may be
automatic or you may have to request them by entering a command or adjusting your
system settings. Some of these updates make your computer more efficient and easier to
use, and others fix security holes.
• USER ACCOUNT AND PASSWORD Every computer needs an account to login. This account is
needed to access your data and use the functions of your computer. Please be sure to setup
a password for every account. Use good passwords: no password selection system can
guard against being threatened with violence, but you can improve your security by making
it harder to guess.
• PHYSICAL PROTECTION A lot of people do not realize the information on your computer can
be very valuable for others. If you are working in an unknown/uncontrolled environment or
area, always keep a good look on your belongings and never leave them unattended. Take
some time to think over what the risks are if the data on your computers fall in the wrong
hands. Ask yourself, "which information is actually stored on my computer and what can
other people do with this information?".
• LOCK SCREEN It is very well possible you are working in a cafe or other (semi) public place
on your laptop. Maybe you have opened some password protected websites (webmail)
and maybe even have opened some encrypted files or emails. Once you go out for a quick
break, please be sure at least your screen is locked.
• USE ANTI-VIRUS SOFTWARE If you're still using Microsoft Windows, use anti-virus
software and keep it updated. Malware is software written in order to steal information or
to use your computer for other purposes. Viruses and malware can gain access to your
system, make changes and hide themselves. They could be sent to you in an e-mail, be on
a Web page you visit, or be part of a file that does not appear to be suspicious.
• ONLY USE TRUSTED AND OPEN SOURCE SOFTWARE Be sure you can trust the vendor of
the applications you use. A lot of companies are offering applications on the internet.
Between these companies there are several with other intentions then they will tell you.
• BE UPDATED Keep yourself updated on the latest security threats: the effort put into
harming you may change. Methods to protect yourself that works today may stop working
or even become a threat themselves tomorrow. Even if you don't need it now, know
where to find information and use different sources of information.
 SECURITY PROTOCOLS FOR ELECTRONIC COMMERCE
• Secure Sockets Layer (SSL) Secure Socket Layer (SSL)
It is the most commonly used protocol designed and implemented by Netscape Communications.
Netscape claims it is designed to work, as the name implies, at the socket layer, to protect any higher
level protocol built on sockets, such as Telnet, FTP or HTTP. It is ignorant of the details of higher level
protocols and what is being transported. SSL provides for the encryption of a session, authentication of a
server, and optionally a client, and message authentication. This means that once a secure session is
established, all communication over the internet is encrypted.
• Secure Electronic Transaction (SET)
The SET protocol is a set of written standards that describes how credit card associations, banks,
merchants and consumers should implement credit card transactions across the internet’s World Wide
Web. It was established by MasterCard and Visa for the secure use of credit, debit and corporate
purchasing cards over the internet. SET represents an evolution, merging and replacement of S-HTTP and
SSL. SET is intended to reduce fraud by unscrupulous merchants and consumers, thus reducing the
financial risk of internet based commerce, to both merchant banks and honest merchants. The SET
architecture involves a number of players. These include entities known as the cardholder, merchant
acquirer, issuer and payment gateway, as well as number of certification authorities.
• S-HTTP
Secure HTTP is a scheme proposed by CommerceNet, a coalition of businesses interested in developing the internet for
commercial uses. Current HTTP implementations only provide modest support for the security mechanisms necessary for
commerce. SHTTP provide a variety of mechanisms to provide for confidentiality, authentication and integrity to HTTP
clients and servers. Separation of policy from mechanism was an explicit goal in the design of this protocol. The system is
not tied to any particular cryptographic system, key infrastructure, or cryptographic format. Secure HTTP is a secure
message-oriented communications protocol, designed for use in conjunction with HTTP. It is a superset of HTTP, which
allows messages to be encapsulated in various ways. Encapsulations can include encryption, signing, or message
authentication code (MAC) based authentication.
• SHEN
SHEN provides for three separate security-related mechanisms:
1. Weak authentication with low maintenance overheads, and without patent or export restrictions:
A user identity must be established as genuine. Unauthorised access must be improbable, but security from all possible
forms of attack events need not be provided.
2. Strong authentication through public key exchange:
A user identity must be established as genuine. Unauthorised access must be impossible except by random chance or by
access to unknown technology.
3. Strong encryption of message content:
The data must not be transmitted in a form comprehensible to a third party; with an identified party acting as guarantor
in this respect.
 E-COMMERCE SECURITY TOOLS
Authentication:
There are several techniques that can identify and verify someone seeking to access an
e-commerce system. These includes
• A user name and password combination, where the password can vary in length and
include numbers and characters
• “Two factor” authentication requiring something the user has and something the
used knows
• A digital certificate that enables authentication through the use of an individuals’
unique signing key
• A person’s unique physical attribute, referred to as a biometric. This can range from a
fingerprint or iris scan, through to retina or facial-feature recognition.
Access control
This restricts different classes of users to subsets of information and
ensures that they can only access data and services for which they have
been authorized. These include using:
• Network restrictions to prevent access to other computer systems
and networks
• Application controls to ensure individuals are limited in the data or
service they can access
• Changes to access privileges must be controlled to prevent users
retaining them if they transfer between departments or leave the
business.
Encryption:

It is a very effective and practical way to safeguard the data being transmitted over the
network. Sender of the information encrypts the data using a secret code and specified
receiver only can decrypt the data using the same or different secret code. Encryption should
be applied to protect the confidentiality of sensitive or critical information. Based on a risk
assessment, the required level of protection should be identified taking into account the type
and quality of the encryption algorithm used and the length of cryptographic keys to be used.
Specialist advice should be sought to identify the appropriate level of protection, to select
suitable products that will provide the required protection and the implementation of a
secure system of key management. In addition, legal advice may need to be sought regarding
the laws and regulations that might apply to the organization's intended use of encryption.
Procedures for the use of cryptographic controls for the protection of information must be
developed and followed. Such procedures are necessary to maximize benefits and minimize
the risks of using cryptographic techniques and to avoid inappropriate or incorrect use
Firewall

A firewall insulates a private network from a public network using carefully

established controls on the types of request they will route through to the
private network for processing and fulfillment. For example, an HTTP request for
a public Web page will be honored, whereas an FTP request to a host behind the
firewall may be dishonored. Firewall is a hardware or software security device
that filters information passing between internal and external networks. It
controls access to the internet by internal users, preventing outside parties from
gaining access to systems and information on the internal network. A firewall can
be applied at the network level, to provide protection for multiple workstations
or internal networks, or at the personal level where it is installed on an individual
PC.
Digital Signature:
Digital signature ensures the authenticity of the information. A digital signature is a e-signature authentic authenticated
through encryption and password. The digital signature is to electronic world what the handwritten signature is to the
commerce. It must incorporate the following properties:
• It must be able to verify the author, the date and the time of the signature
• It must be able to authenticate the contents at the time of signature
• It must be verifiable by third parties, in case of any dispute.
The above properties place the following requirements on the digital signature:
• The signature must be a bit pattern that is dependent on the message being signed
• To prevent forgery and denial, the signature must use some information unique to the sender
• The digital signature must be easy to generate
• The storage of a copy of the digital signature must be simple.
• Forging the signature must be computationally infeasible, i.e., either by constructing a fraudulent signature for a given
message, or constructing a new message with an existing signature
• The signature must be easy to recognise and verify.

One key in the pair which can be shared with everyone is called the public key. The other key in the pair which is kept
secret and is only known by the owner is called the private key. Either of the keys can be used to encrypt a message; the
opposite key from the one used to encrypt the message is used for decryption.
Public key– Key which is known to everyone. Ex-public key of A is 7, this information is known to everyone.
Private key– Key which is only known to the person who's private key it is.
Features of digital signature
Digital signatures have the following features
Evidence: When the signee makes a mark in a distinctive manner, the signature
becomes attributable to signee.
Legality: The signature makes the document legal.
Approval: By signing, the signee gives the approval that he/she accepts the terms
Authenticity: The increasing use of electronic documents poses special challenges
in verifying authenticity because digital technology makes such documents easy to
alter or copy leading to multiple non-identical versions that can be used in
unauthorised or illegitimate ways.
A digital signature mainly provides authentication to a message. The paper stores
the information as atoms of link and computer stores the information in bits as
digital signature.
One key in the pair which can be shared with everyone is called the public key. The
other key in the pair which is kept secret and is only known by the owner is called
the private key. Either of the keys can be used to encrypt a message; the opposite
key from the one used to encrypt the message is used for decryption.