
Homework #1 88-590 E-Commerce

Srdjan Miskovic (970-780-420)

1. a) An electronic purse is a reloadable pre-paid card that can be used in place of other forms of money. In other words, an electronic purse is an electronic register that holds the value its owner physically possesses. The protection of electronic purses relies on the difficulty of creating fake cards and of modifying the registers.
b) Dematerialized currency is an emerging form of currency that differs from classical material currencies. Currently there are three emerging types of dematerialized currency: electronic money, virtual money and digital money.
c) Security mechanisms are techniques and schemes used to implement a desired security service. They can involve different levels of complexity and can take advantage of techniques such as encryption, access control lists, password authentication, etc.
d) The difference between active and passive attacks lies in whether the attacker actively modifies or creates false data streams (active attacks, for example replay attacks, denial of service, modification of messages) or simply monitors the data stream (passive attacks, for example eavesdropping or traffic analysis).
e) Security risk indicates the likelihood or probability of a security threat occurring which takes advantage of a security vulnerability.

2. a) Violation of confidentiality.
b) Violation of availability. If Nabih had to bypass the security on Wei's computer, then it is also a violation of confidentiality.
c) Violation of integrity.
d) Violation of integrity.
e) Violation of availability.
f) This is a violation of confidentiality (Shervin is essentially performing a man-in-the-middle attack), integrity (Shervin is presenting himself as Maher to the bank) and availability (Maher loses access to his credit card as the number has changed).
g) Violation of confidentiality and integrity.

3.

4. Confidentiality, Integrity, Identification, Authentication, Access Control, and Nonrepudiation

5. a) Mechanism: software that rejects a password of five characters or fewer, or one that can be found in a dictionary. Policy: user passwords shall be longer than five characters and shall not be common words found in the dictionary.
b) Mechanism: access control, authentication exchange. The network administrator will only create accounts for students in the DSP class. Policy: accounts on the RCIM computer system shall be assigned only to students enrolled in the DSP class.
c) Mechanism: access control (the login program disallows more than three failed login attempts). Policy: a user account shall be locked after three failed login attempts.
d) Mechanism: access control, authentication exchange. The network administrator will require authentication in order for users to access the folder containing the Network Security exams. Policy: only authorized users shall have access and copying permission.
e) Mechanism: the system monitors traffic and blocks or restricts communication to and from the server when traffic exceeds 80% of the network's capacity. Policy: WWW traffic shall not exceed 80% of the network's capacity.
f) Mechanism: event detection. The system analyst detects, using software or other tools, that the system is being scanned for vulnerabilities. Policy: the system shall not be scanned for vulnerabilities by students.
g) Mechanism: a program that disables itself (stops accepting submissions) after a specified date. Policy: no late homework shall be accepted.
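As an added worked example (not part of the homework answer), the policy/mechanism separation from 5a and 5c implemented in Python: a password-policy check that rejects short and dictionary passwords, and an account object that locks itself after three failed logins. The dictionary, the username and the passwords are constructed for the example; a real deployment would load a proper word list and persist the lockout state.

```python
"""Mechanisms enforcing the password policy (5a) and lockout policy (5c)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Policy parameters kept separate from the code that enforces them.
MIN_LENGTH = 6            # policy: passwords shall be longer than five characters
MAX_FAILED_ATTEMPTS = 3   # policy: lock the account after three failed attempts

# Constructed word list for the example; real checks use a large dictionary file.
DICTIONARY = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty"}


def password_rejection_reason(password: str, dictionary=DICTIONARY) -> Optional[str]:
    """Return None if the password satisfies the policy, else the reason it fails."""
    if len(password) < MIN_LENGTH:
        return "too short"
    lowered = password.lower()
    # Strip trailing digits so 'Password1' is still recognised as a dictionary word.
    base = lowered.rstrip("0123456789")
    if lowered in dictionary or base in dictionary:
        return "dictionary word"
    return None


class Account:
    """Hypothetical account record: enforces the password policy at creation
    and the three-strike lockout at login."""

    def __init__(self, username: str, password: str, dictionary=DICTIONARY):
        reason = password_rejection_reason(password, dictionary)
        if reason is not None:
            raise ValueError(f"password rejected: {reason}")
        self.username = username
        # Store a salted PBKDF2 hash rather than the password itself.
        self.salt = secrets.token_bytes(16)
        self.digest = self._derive(password)
        self.failed_attempts = 0
        self.locked = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str) -> bool:
        """True only if the account is unlocked and the password matches.
        A locked account rejects even the correct password until reset."""
        if self.locked:
            return False
        if hmac.compare_digest(self._derive(password), self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    acct = Account("srdjan", "correct horse battery")   # constructed credentials
    for guess in ("password", "qwerty", "letmein"):
        print("guess", guess, "->", acct.login(guess))
    print("locked:", acct.locked, "real password accepted:", acct.login("correct horse battery"))
```

Note that the lockout counter is reset only on a successful login, and that the lock also denies the legitimate user: this is the availability cost of the policy in 5c, and is exactly the lever an attacker uses when deliberately triggering lockouts.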

6. While encryption is a crucial component, providing the desired levels of confidentiality and integrity also requires security protocols to be implemented. Security protocols rely on many security mechanisms in addition to encryption. Some examples of required security mechanisms (other than encryption) are access control and event detection.

7. a)

b)

c)

d)

8. A digital signature is required to offer non-repudiation services.

9. There are several vulnerabilities in biometric authentication mechanisms. First of all, there is the issue of the security of the input mechanism. As Bruce Schneier points out, the biometric authentication data could be a bit string supplied by the attacker rather than data generated by the scanner/input device. Second, once the data is entered, the actual biometric identifier is converted to digital data. This data can be copied and injected elsewhere by an attacker. Further, there are issues with the difficulty of resetting a biometric identifier, and the fact that the same identifier might be used for various applications (this is the same vulnerability as using the same password for various services, i.e. all of them could be jeopardized if the password is compromised).
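To make the answer to question 8 concrete, here is an added example (not part of the homework) of a digital signature implemented from SHA-256 alone: a Lamport one-time signature. The signer keeps random preimages as the private key and publishes only their hashes, so the bank can verify a transfer order but could not have produced the signature itself; an HMAC over the same order is included for contrast, since a shared MAC key lets either party create the tag and so proves nothing to a third party. The message and key material are constructed for the example.

```python
"""Lamport one-time signature over SHA-256, versus an HMAC, for non-repudiation."""
import hashlib
import hmac
import secrets

DIGEST_BITS = 256  # SHA-256 output length; one private-key pair per digest bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte preimages, known only to the signer.
    Public key: the SHA-256 hashes of those preimages; safe to hand to the bank."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(sha256(x0), sha256(x1)) for x0, x1 in sk]
    return sk, pk


def message_bits(message: bytes):
    """The 256 bits of the message digest, most significant first."""
    digest = int.from_bytes(sha256(message), "big")
    return [(digest >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, message: bytes):
    """Reveal, for each digest bit, the preimage matching that bit. The other
    preimage stays secret, so a private key must sign at most ONE message;
    signing two messages leaks enough preimages to forge a third."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Anyone holding only the public key can check the signature, and nobody
    without the private preimages can produce one for a different message:
    that asymmetry is what gives non-repudiation."""
    if len(signature) != DIGEST_BITS:
        return False
    return all(
        hmac.compare_digest(sha256(preimage), pk[i][bit])
        for i, (bit, preimage) in enumerate(zip(message_bits(message), signature))
    )


def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """For contrast: an HMAC over the same message. Both the customer and the
    bank hold shared_key, so either could have produced the tag. It proves
    integrity and origin between them, but the customer can still repudiate it."""
    return hmac.new(shared_key, message, "sha256").digest()


if __name__ == "__main__":
    sk, pk = keygen()
    order = b"transfer 100 CAD from Maher to Shervin"  # constructed sample message
    sig = sign(sk, order)
    print("signature valid:", verify(pk, order, sig))
    print("amount altered:", verify(pk, order.replace(b"100", b"1000"), sig))
    print("bank can compute the MAC too:", mac_tag(b"shared", order) == mac_tag(b"shared", order))
```

The Lamport scheme is used here because it needs nothing beyond the standard library; production systems use RSA, ECDSA or Ed25519 keys that can sign many messages, but the non-repudiation argument is the same: verification needs only public material, signing needs the private key that only the signer holds.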

10. One example where absolute denial of service to a user could be a serious problem is when dealing with time-sensitive material, for example submitting homework solutions to the CLEW system. If a denial-of-service attack occurred prior to and up until the deadline, users would not be able to submit their homework. Similar situations could occur with money transfers or paying bills using online banking. If the rate were 10 percent slower, it could be an issue if timestamps are involved in the authentication protocol: the timestamp could expire because of the slowness of communication, resulting in an inability to authenticate oneself and therefore to access the services. Access by unauthorized people could slow down the system if they bombarded it with erroneous service requests, or if the system can only handle a certain number of users (in which case unauthorized users would burden the system beyond the capacity it was designed for).
