Architecture
Hassan Khawaja
201211275
Secure E-Commerce Course
E-commerce Process
Architecture & The Nine components
Security in E-commerce
E-commerce security is a part of the Information Security
framework and is specifically applied to the components that
affect e-commerce, including computer security, data security
and other wider realms of the Information Security framework.
Each piece of information and each system is given a certain
priority (high, medium, low), just as in Information Assurance.
Challenges In Security
Introduction
Two Major Developments During the Past Decade:
1. Widespread Computerization
2. Growing Networking and Internetworking
The Internet
Introduction (Continued)
Network security is complex. Some reasons are:
Requirements for security services are:
x Confidentiality
x Authentication
x Integrity
Security Threats
1) Unauthorized access
2) Loss of message confidentiality or integrity
3) User Identification
4) Access Control
Players:
User community
Network Administration
Intruders/Hackers
The bigger the system, the safer it is
MVS mainframe users (5%)
UNIX users (25%)
Desktop users (50%)
Introduction to Security Risk
[Figure labels: The Internet: open; virus; $$; Your network: data!]
Virus
x Freeware
x Distributed software
Security Strategies
Use a separate host
Permanently connected to the Internet, not to your
network.
Users dial in to a separate host and get onto the
Internet through it.
Passwords
Most important protection
Should be at least eight characters long
Use a mixture of alpha and numeric
Should not be found in a dictionary
Should not be associated with you!
Change regularly
is accessed
Tracks
Generates alarms when someone attempts to
Cryptography
The Science of Secret writing.
Encryption:
Decryption:
Plaintext
Ciphertext
Decryption
Types of Cipher
1) Transposition
2) Substitution
Cryptography (Continued)
Types of Cipher
Transposition:
Transposition of the letters "GOOD DOG" can result in
"DGOGDOO".
Substitution:
For example "GOOD DOG" can be encrypted as "PLLX
XLP" where "L" substitutes for "O", "P" for "G", and "X" for
"D" in the message.
These simple ciphers and examples are easy to crack,
even without plaintext-ciphertext pairs.
More modern cryptographic systems, such as DES, RSA, etc.,
have been developed to secure encryption; they are efficient
for encryption and decryption.
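Why such ciphers fall to ciphertext alone can be shown with the GOOD DOG example above. The Python sketch below is an added illustration, not part of the original slides; the word list, the function names and the transposition order are constructed for it.

```python
from collections import Counter

# Constructed word list standing in for a real dictionary (assumption).
WORDS = ["GOOD", "FOOD", "BOOK", "FEED", "DOG", "GOD", "FOG", "CAT"]

def substitute(text, key):
    """Monoalphabetic substitution; characters missing from key pass through."""
    return "".join(key.get(ch, ch) for ch in text)

def transpose(text, order):
    """Transposition: output position i takes the letter at index order[i]."""
    return "".join(text[i] for i in order)

def shape(word):
    """Repetition pattern of a word, e.g. GOOD -> (0, 1, 1, 2)."""
    first_seen = {}
    return tuple(first_seen.setdefault(ch, len(first_seen)) for ch in word)

def crack_substitution(ciphertext, words=WORDS):
    """Ciphertext-only recovery: keep word sequences whose shapes match and
    whose implied cipher-to-plain mapping is consistent and one-to-one."""
    results = []

    def extend(remaining, mapping, plain):
        if not remaining:
            results.append(" ".join(plain))
            return
        cword = remaining[0]
        for cand in words:
            if shape(cand) != shape(cword):
                continue
            trial = dict(mapping)
            ok = all(trial.setdefault(c, p) == p for c, p in zip(cword, cand))
            if ok and len(set(trial.values())) == len(trial):
                extend(remaining[1:], trial, plain + [cand])

    extend(ciphertext.split(), {}, [])
    return results

def same_letters(a, b):
    """Transposition only reorders, so the letter counts never change."""
    return Counter(a.replace(" ", "")) == Counter(b.replace(" ", ""))

if __name__ == "__main__":
    print(substitute("GOOD DOG", {"G": "P", "O": "L", "D": "X"}))
    print(transpose("GOODDOG", [3, 0, 1, 6, 4, 2, 5]))
    print(crack_substitution("PLLX XLP"))
    print(same_letters("GOOD DOG", "DGOGDOO"))
```

Substitution keeps each word's repetition pattern and transposition keeps the letter counts, so the key is never needed; DES and RSA are designed so that no such structure survives in the ciphertext.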
Cryptography (Continued)
PKI (Public Key Infrastructure):
We need to provide some form of key administration to act as
an authority and guarantee the identity of each party. We need
to develop an authority that can manage the public and private
keys. Such an authority certifies the identity of the user by
actually requiring some physical proof of identity such as a
driver's license, passport, etc. This certificate authority (CA)
will then distribute the private key to the key owner and
manage the public key.
Philip Zimmermann created PGP (Pretty Good Privacy). In
a classic PGP-based PKI, each user issues and manages
his or her own digital certificates of authority. The use of
PGP is growing, as it is an excellent security structure for
use with fully distributed networks based on peer-to-peer
networking.
Cryptography (Continued)
PKI (Public Key Infrastructure) Handshake
Cryptography (Continued)
SSL (Secure Socket Layer):
Transport Layer Security (TLS) and its predecessor,
Secure Sockets Layer (SSL), are cryptographic protocols
designed to provide communication security over the
Internet. They use certificates, and hence asymmetric
cryptography, to assure each party of the identity of the
counterparty it is talking with, and to exchange a symmetric
key.
This session key is then used to encrypt data flowing between
the parties. This provides data/message confidentiality, while
message authentication codes provide message integrity and,
as a by-product, message authentication.
Several versions of the protocols are in widespread use in
applications such as web browsing, electronic mail, Internet
faxing, instant messaging and voice-over-IP (VoIP). An
important property in this context is forward secrecy, which
means the short-term session key cannot be derived from the
long-term asymmetric secret key.
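As an added example (not from the original slides), a Python client context that keeps only forward-secret cipher suites and reports any enabled suite that lacks an ephemeral key exchange. The cipher string and function names are choices made for this sketch, and it goes slightly beyond the slide by also pinning the minimum protocol version.

```python
import ssl

# OpenSSL cipher string (a choice made for this sketch): TLS 1.2 suites are
# limited to ephemeral ECDHE key exchange with AEAD ciphers.
FS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"

def is_forward_secret(suite_name):
    """True when the suite's key exchange is ephemeral (EC)DHE.
    TLS 1.3 suite names (TLS_...) always use an ephemeral exchange."""
    return suite_name.startswith(("TLS_", "ECDHE-", "DHE-"))

def forward_secret_client_context():
    ctx = ssl.create_default_context()            # verifies certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(FS_CIPHERS)                   # TLS 1.3 suites are unaffected by this call
    return ctx

def non_forward_secret_suites(ctx):
    """Names of enabled suites that lack an ephemeral key exchange."""
    return [s["name"] for s in ctx.get_ciphers() if not is_forward_secret(s["name"])]

if __name__ == "__main__":
    ctx = forward_secret_client_context()
    print(non_forward_secret_suites(ctx))
    # Constructed suite names: the first uses static RSA key exchange, so a
    # later leak of the server's private key exposes recorded sessions.
    for name in ("AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"):
        print(name, is_forward_secret(name))
```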
Cryptography (Continued)
SSL (Secure Socket Layer) Handshake
Components In E-commerce
Network Architecture
CLIENT
WEB SERVER
APPLICATION SERVER
FIREWALLS
DATABASE
LOAD BALANCER
Client
A client can be an application that uses a Graphical
User Interface (GUI) and sends requests to a server for
certain services.
Web Server
The main job of a Web server computer is to respond to requests
from Web clients or client computers.
Three main elements of a Web server
1) Hardware
2) Operating system software
3) Web server software
Hardware
1) Web server computers
More memory, larger hard disk drives, and faster
processors than typical PCs
2) Blade servers
Placing small server computers on a single computer
board, then installing boards into a rack mounted frame
3) Virtual server (virtual host)
Maintains more than one server on one machine
Popular Operating Systems
Linux
Windows
Etc.
Application Server
The application server is the foundation for all other
applications the business will be running on its e-commerce site.
An application server is defined as a middleware server
program that allows front-end, browser-based clients to
retrieve data from back-end databases and legacy systems
such as large server computers or mainframes.
Oftentimes, an application server is combined with a Web
server, which makes retrieved data readable by client
browsers, to serve as the middle tier in a 3-tier application
structure. However, in large e-commerce operations where
load balancing is a concern, an n-tier or multiple tier
application may be distributed across a handful of application
servers and several separate Web servers.
Firewalls
A firewall is a barrier placed between the private network and
the outside world.
All incoming and outgoing traffic must pass through it.
Can be used to separate address domains.
Control network traffic.
Cost: ranges from no-cost (available on the Internet) to a
$100,000 hardware/software system.
Types:
1) Router-Based
2) Host Based
3) Circuit Gateway
Firewalls (Continued)
Types:
1. Router-Based
Use programmable routers.
Control traffic based on IP addresses or port information.
Examples:
Bastion Configuration
Diode Configuration
To improve security:
Never allow in-band programming via Telnet to a firewall
router.
Firewall routers should never advertise their presence to
outside users.
Firewalls (Continued)
2. Host Based
Firewalls (Continued)
3. Circuit Gateway
Database
A database is a data structure that stores organized
information.
Nearly all e-commerce sites use databases to store
product inventory and customer information. These sites
use a database management system (or DBMS).
Some examples of DBMS are:
MySQL
Microsoft SQL Server
Oracle
IBM DB2
Such DBMS serve as the "back end" to the website. By
storing website data in a database, the data can be easily
searched, sorted, and updated. This flexibility is
important for e-commerce sites and other types of
dynamic websites.
Load Balancer
A load balancer is a device which distributes traffic load to a
number of servers.
A load balancer can do many useful things. For example,
if one of the servers fails and stops functioning, the
load balancer detects the problem and allocates the
entire load to the other server or servers, maintaining
high availability.
It can also provide persistence support, which
allows a user to maintain their connection with the same
server. This feature is required when the servers are
hosting some type of e-commerce site. The load balancer
ensures the end user stays on the same server from
adding goods to an online shopping cart through to
the actual purchase of the goods or services.
2) Server Weight
Each server is assigned a weight. The load balancer will send a percentage of
traffic to a particular server depending on the weight assigned. For example if
server A was assigned a weight of 5 and server B was assigned a weight of 1,
then the load balancer will send 5 times more traffic to server A.
3) Least connection
With least connections, the load balancer sends traffic to the server that
currently has the lowest number of open connections. This strategy
ensures that the least busy server handles the next request,
where the least busy server is the one with the fewest open connections.
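The server weight, least connection, persistence and failover behaviour described above, as an added Python sketch (not from the original slides). The class and method names are hypothetical, and weights are assumed to be positive integers.

```python
from collections import Counter
from itertools import cycle

class LoadBalancer:
    """Toy balancer: weighted rotation or least connections for new sessions,
    persistence for known sessions, failed servers skipped."""

    def __init__(self, weights, strategy="weight"):
        self.weights = dict(weights)     # server -> weight (positive integer)
        self.strategy = strategy         # "weight" or "least_conn"
        self.healthy = set(self.weights)
        self.open = Counter()            # server -> open connections
        self.sticky = {}                 # session id -> server
        # Each server appears `weight` times per rotation.
        self._rotation = cycle(
            [s for s, w in self.weights.items() for _ in range(w)])

    def mark_failed(self, server):
        self.healthy.discard(server)

    def _pick(self):
        if not self.healthy:
            raise RuntimeError("no healthy servers")
        if self.strategy == "least_conn":
            return min(sorted(self.healthy), key=lambda s: self.open[s])
        while True:                      # weighted rotation, skipping failures
            server = next(self._rotation)
            if server in self.healthy:
                return server

    def route(self, session_id):
        server = self.sticky.get(session_id)
        if server not in self.healthy:   # new session, or its server failed
            server = self._pick()
            self.sticky[session_id] = server
        self.open[server] += 1
        return server

    def close(self, server):
        self.open[server] -= 1

if __name__ == "__main__":
    lb = LoadBalancer({"A": 5, "B": 1})  # weights from the example above
    print(Counter(lb.route(f"session-{i}") for i in range(600)))
```

A session whose server fails is re-pinned to a healthy one, so any cart state held only in that server's memory is lost unless it is stored in a shared back end.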
Ecommerce Architecture
E-commerce is based on the client-server architecture.
In e-commerce, a client refers to a customer who requests
certain services, and the server refers to the business
application through which the services are provided. The
business application that provides services is deployed on a
Web server. The Web server is a computer program that
provides services to other computer programs and serves
requested Hyper Text Mark-up Language (HTML) pages or
files.
Ecommerce Architecture
Elements
Personal Systems
Desktops, PDAs, Phones, etc.
Network Components
Routers, Load Balancers, Switches, etc.
Security Elements
Firewalls, Encryption, VPNs, etc.
Servers
Web, App, DB, Directory, etc.
Application Components / Web Services
Packaged and/or Custom
Data
Local, Remote, Internal, External
Web-Servers
App-Server
DB-Server & Storage
Best Practices
Secure E-commerce
Keep software patches up to date, especially on systems that
host public services and are accessible through your firewall,
e.g., HTTP, FTP and DNS.