E-Commerce: Software, Security, Payments, & Planning


Communication Channel Security One of the most important areas of any site to keep secure is the means in which a client communicates with a server. Some of the threats that can be posed include secrecy, integrity, and necessity threats, as well as physical security threats, and threats to wireless networks. Some of the solutions to these threats include encryption algorithms, hash coding, asymmetric/symmetric encryption, SSL protocol, and S-HTTP. The main secrecy threat that exists in communication channels is personal information being stolen through various means, such as a sniffer program, which acts similar to tapping a phone line to listen in on a conversation; and backdoors, which can occur by mistake or on purpose, and can allow anyone who knows the access information to access personal information on an e-commerce site. Another example of a secrecy threat occurs when a user accesses a Web site, then goes to another one that can obtain information from the previous site that can be accessed by any user on the network that can access the server to obtain private information. There are four main integrity threats: active wiretapping, cybervandalism, spoofing, and phishing expeditions. Active wiretapping can be used to alter information on a Web site, such as banking information. Unlike secrecy threats, integrity threats can cause damage to a company's or person's reputation if not caught in time. Cybervandalism occurs when changes the content of a Web site to show their own content rather than the content that was originally on there. This can be done through spoofing, which utilizes a loophole found in some DNSs that allow them to put their website address in the place of the original address. Finally, phishing expeditions occur when a cracker obtains information entered on a Web site that looks legitimate, but is actually not. The main necessity threat is a denial-of-service threat, in which a user who has accessed the network to remove or alter information in a file or message being sent from one user to another. The biggest physical threat is when a users connection to the Internet is disconnected, and similarly when a user is connected to a wireless network. One of the biggest issues with a wireless network is that if a network does not have WEP turned on, anyone can access the network without permission of the company or person who originally setup the network. Another issue occurs when there is no password set for access to the network, which can be combined with no WEP protection to allow for free access.	There are a variety of encryption solutions that can be used to make the channels of communication more secure. The main method is through an encryption algorithm, which cipers a message being sent so only the target recipient can see the message. There are other types of encryption programs that form the three main functions of encryption: hash coding, asymmetric encryption, and symmetric encryption. Hash coding is used for making sure that a message that has been sent has not been altered. Since each message has a unique hash value, you can compare the original with the one recieved, and if the values are different, then the message has been altered and should not be opened. Asymmetric and symmetric encryption use keys to secure the means of communication between two users. In asymmetric encryption, an individual encrypts a message by using the recipient's public key, or a key that can be used by anyone who engages in secure communications with the holder of that key. When the recipient gets the message, it is no longer private, but they can send a reply back using the sender's public key to encrypt the message, which will stay private until opened. In symmetric encryption, each pair of users has their own private keys, and can communicate with someone as long as they know that persons private key. One downside to this is that in larger companies, there may be a very large number of private keys in order to allow for pirvate communications over the network. SSL, or Secure Sockets Layer Protocol, serves as a private communication channel between a client computer and a server computer in which the client may perform various tasks that are encrypted so that there is no means of accessing the infomation. If someone tries to access the information, they will only receive information that is unable to be read. S-HTTP, or Secure HTTP, is a form of symmetric encryption in which it sets up the communication channel by using headers that contain information about the security technique used which includes how the private-key encryption is applied, client/server authentication, etc. There are two ways to ensure transaction integrity: with hash functions or with digital signatures. Using hash coding allows a company to make sure that a transaction that has been made was made by the right person, and not a cracker. If it is found that the transaction was not placed by the person that is listed, they can then reimburse the person the amount they may have been charged. In a similar manner, using digital signatures allows a recipient to know that the site they are using is trusted and that their information is secure there. The best way to ensure that a transaction occurs in a timely manner is through the use of TCP, which can be used to determine if anything was altered whether by mistake or intentionally.
Previous Topic: Software	Overview	Client/Server Security	Next Topic: Payments
Copyright 2010, Albert Smarowsky	Site Map	Home	Contact

Communication Channel Security

One of the most important areas of any site to keep secure is the means in which a client communicates with a server. Some of the threats that can be posed include secrecy, integrity, and necessity threats, as well as physical security threats, and threats to wireless networks. Some of the solutions to these threats include encryption algorithms, hash coding, asymmetric/symmetric encryption, SSL protocol, and S-HTTP.

The main secrecy threat that exists in communication channels is personal information being stolen through various means, such as a sniffer program, which acts similar to tapping a phone line to listen in on a conversation; and backdoors, which can occur by mistake or on purpose, and can allow anyone who knows the access information to access personal information on an e-commerce site. Another example of a secrecy threat occurs when a user accesses a Web site, then goes to another one that can obtain information from the previous site that can be accessed by any user on the network that can access the server to obtain private information.

There are four main integrity threats: active wiretapping, cybervandalism, spoofing, and phishing expeditions. Active wiretapping can be used to alter information on a Web site, such as banking information. Unlike secrecy threats, integrity threats can cause damage to a company's or person's reputation if not caught in time. Cybervandalism occurs when changes the content of a Web site to show their own content rather than the content that was originally on there. This can be done through spoofing, which utilizes a loophole found in some DNSs that allow them to put their website address in the place of the original address. Finally, phishing expeditions occur when a cracker obtains information entered on a Web site that looks legitimate, but is actually not.

The main necessity threat is a denial-of-service threat, in which a user who has accessed the network to remove or alter information in a file or message being sent from one user to another.

The biggest physical threat is when a users connection to the Internet is disconnected, and similarly when a user is connected to a wireless network. One of the biggest issues with a wireless network is that if a network does not have WEP turned on, anyone can access the network without permission of the company or person who originally setup the network. Another issue occurs when there is no password set for access to the network, which can be combined with no WEP protection to allow for free access.

disconnected

encryption

There are a variety of encryption solutions that can be used to make the channels of communication more secure. The main method is through an encryption algorithm, which cipers a message being sent so only the target recipient can see the message. There are other types of encryption programs that form the three main functions of encryption: hash coding, asymmetric encryption, and symmetric encryption.

Hash coding is used for making sure that a message that has been sent has not been altered. Since each message has a unique hash value, you can compare the original with the one recieved, and if the values are different, then the message has been altered and should not be opened.

Asymmetric and symmetric encryption use keys to secure the means of communication between two users. In asymmetric encryption, an individual encrypts a message by using the recipient's public key, or a key that can be used by anyone who engages in secure communications with the holder of that key. When the recipient gets the message, it is no longer private, but they can send a reply back using the sender's public key to encrypt the message, which will stay private until opened. In symmetric encryption, each pair of users has their own private keys, and can communicate with someone as long as they know that persons private key. One downside to this is that in larger companies, there may be a very large number of private keys in order to allow for pirvate communications over the network.

SSL, or Secure Sockets Layer Protocol, serves as a private communication channel between a client computer and a server computer in which the client may perform various tasks that are encrypted so that there is no means of accessing the infomation. If someone tries to access the information, they will only receive information that is unable to be read.

S-HTTP, or Secure HTTP, is a form of symmetric encryption in which it sets up the communication channel by using headers that contain information about the security technique used which includes how the private-key encryption is applied, client/server authentication, etc.

There are two ways to ensure transaction integrity: with hash functions or with digital signatures. Using hash coding allows a company to make sure that a transaction that has been made was made by the right person, and not a cracker. If it is found that the transaction was not placed by the person that is listed, they can then reimburse the person the amount they may have been charged. In a similar manner, using digital signatures allows a recipient to know that the site they are using is trusted and that their information is secure there. The best way to ensure that a transaction occurs in a timely manner is through the use of TCP, which can be used to determine if anything was altered whether by mistake or intentionally.

Previous Topic: Software

Overview

Client/Server Security

Next Topic: Payments

Site Map

Home

Contact