Thursday, May 13, 2010

Exercise 9


1. Find out about SET and the use of RSA 128-Bit encryption for e-commerce.
Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks such as the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion.
SET was developed by SETco, led by VISA and MasterCard starting in 1996. SET was based on X.509 certificates with several extensions. The first version was finalised in May 1997 and a pilot test was announced in July 1998.
SET allowed parties to cryptographically identify themselves to each other and exchange information securely. SET used a blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number.
Some key features of SET are as follows:-
  • Confidentiality of information
  • Integrity of data
  • Cardholder account authentication
  • Merchant authentication
There are actually several encryption methods available, but for secure payment we need one that serves this purpose. One of them is RSA (named after the three people who worked it out, namely Rivest, Shamir and Adleman). Let's see how this works.
RSA uses a pair of keys: one public key, which is known by everyone, and one private key, known only to you. Everything that is encrypted with the private key can only be decrypted using its corresponding public key, which makes sure that the data sent came from a known site.
It has to be noted here that once data has been encrypted with one key of the pair, it can only be decrypted using the other key of that pair; this is what makes the public and private keys a matched set.
In short, a user requests the server's public key, encrypts the data with it and sends it to the server, which uses its private key to decrypt the data.
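As an added illustration that is not part of the original post, a textbook RSA round trip on constructed small primes (61 and 53, public exponent 17) showing that data encrypted with one key of the pair is recovered only with the other key; real deployments use keys of 2048 bits or more with padding, which this toy omits:

```python
# Added example (not from the original post): textbook RSA with tiny
# constructed primes, so the arithmetic behind "encrypt with one key,
# decrypt with the other" is visible. Not for real use: no padding,
# and the modulus is far too small.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Multiplicative inverse of a modulo m (raises if none exists)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m

def keygen(p, q, e=17):
    """Build (public, private) keys from primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)          # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)

def apply_key(key, m):
    """RSA is m ** exponent mod n; the same operation serves both directions."""
    n, exp = key
    return pow(m, exp, n)

# Constructed primes; n = 3233, so any message 0 <= m < 3233 is usable.
PUBLIC, PRIVATE = keygen(61, 53)

def demo():
    m = 1234
    # Client encrypts with the server's public key; only the private key undoes it.
    c = apply_key(PUBLIC, m)
    recovered = apply_key(PRIVATE, c)
    # Server transforms with its private key; anyone holding the public key can
    # undo it, which is how a client tells the data came from the known site.
    sig = apply_key(PRIVATE, m)
    verified = apply_key(PUBLIC, sig)
    # Applying the public key again instead of the private one does not recover m.
    wrong = apply_key(PUBLIC, c)
    return recovered, verified, wrong
```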
2. What can you find out about network and host-based intrusion detection system?
Network Based Intrusion Detection
Network-based intrusion detection systems use raw network packets as the data source. A network-based IDS typically utilizes a network adapter running in promiscuous mode to monitor and analyze all traffic in real-time as it travels across the network. Its attack recognition module uses four common techniques to recognize an attack signature:
· Pattern, expression or bytecode matching
· Frequency or threshold crossing
· Correlation of lesser events
· Statistical anomaly detection
Once an attack has been detected, the IDS’ response module provides a variety of options to notify, alert and take action in response to the attack. These responses vary by product, but usually involve administrator notification, connection termination and/or session recording for forensic analysis and evidence collection.
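As an added example that is not from the original post, two of the four recognition techniques listed above (pattern matching and threshold crossing) run over constructed connection records rather than live packets; the signature table and the 5-port/5-second threshold are assumptions for the demo, not a vendor ruleset:

```python
# Added example (not from the original post): signature matching and
# threshold crossing over constructed records, standing in for packets.
import re
from collections import defaultdict

# Constructed records: (timestamp_seconds, src_ip, dst_port, payload)
RECORDS = [
    (0.0, "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    (0.5, "10.0.0.9", 22, b""), (0.6, "10.0.0.9", 23, b""),
    (0.7, "10.0.0.9", 25, b""), (0.8, "10.0.0.9", 80, b""),
    (0.9, "10.0.0.9", 110, b""), (1.0, "10.0.0.9", 143, b""),
    (2.0, "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1"),
    (9.0, "10.0.0.7", 443, b""),
]

# Constructed signature table: name -> compiled byte pattern
SIGNATURES = {"path-traversal": re.compile(rb"\.\./")}

def match_signatures(records):
    """Pattern matching: every (src, signature) pair whose payload hits a rule."""
    hits = []
    for _ts, src, _port, payload in records:
        for name, rx in SIGNATURES.items():
            if rx.search(payload):
                hits.append((src, name))
    return hits

def threshold_alerts(records, window=5.0, max_ports=5):
    """Threshold crossing: a source touching more than max_ports distinct
    destination ports within `window` seconds (a sweep-style pattern)."""
    seen = defaultdict(list)           # src -> list of (ts, port)
    alerts = set()
    for ts, src, port, _payload in sorted(records):
        seen[src].append((ts, port))
        recent = {p for t, p in seen[src] if ts - t <= window}
        if len(recent) > max_ports:
            alerts.add(src)
    return sorted(alerts)
```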
Host Based Intrusion Detection
Host-based intrusion detection started in the early 1980s before networks were as prevalent, complex and interconnected as they are today. In this simpler environment, it was common practice to review audit logs for suspicious activity. Intrusions were sufficiently rare that after-the-fact analysis proved adequate to prevent future attacks. Today’s host-based intrusion detection systems remain a powerful tool for understanding previous attacks and determining proper methods to defeat their future application. Host-based IDS still use audit logs, but they are much more automated, having evolved sophisticated and responsive detection techniques. Host-based IDS typically monitor system, event, and security logs on Windows NT and syslog in Unix environments. When any of these files change, the IDS compares the new log entry with attack signatures to see if there is a match. If so, the system responds with administrator alerts and other calls to action.
Host-based IDS have grown to include other technologies. One popular method for detecting intrusions checks key system files and executables via checksums at regular intervals for unexpected changes. The timeliness of the response is in direct relation to the frequency of the polling interval. Finally, some products listen to port activity and alert administrators when specific ports are accessed. This type of detection brings an elementary level of network-based intrusion detection into the host-based environment.
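The checksum-polling method just described, as an added example that is not part of the original post: a minimal file-integrity monitor that records a SHA-256 baseline and, on each poll, reports modified, created or deleted files. It works on constructed files in a temporary directory rather than real system files.

```python
# Added example (not from the original post): checksum-based host IDS.
import hashlib
import os
import tempfile

def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """Record the current digest of every monitored path (missing -> None)."""
    return {p: (sha256_of(p) if os.path.exists(p) else None) for p in paths}

def poll(base):
    """One polling pass: compare current state with the baseline.
    Returns a list of (path, event) with event in modified/created/deleted."""
    events = []
    for path, old in base.items():
        new = sha256_of(path) if os.path.exists(path) else None
        if new != old:
            if old is None:
                kind = "created"
            elif new is None:
                kind = "deleted"
            else:
                kind = "modified"
            events.append((path, kind))
    return events

def demo():
    """Baseline two constructed files, then change one and remove the other."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        sshd = os.path.join(d, "sshd")
        for p, data in ((passwd, b"root:x:0:0\n"), (sshd, b"\x7fELF-fake\n")):
            with open(p, "wb") as f:
                f.write(data)
        base = baseline([passwd, sshd])
        with open(passwd, "ab") as f:      # constructed unexpected change
            f.write(b"extra:x:1001:1001\n")
        os.remove(sshd)                    # constructed deletion
        return sorted(kind for _, kind in poll(base))
```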

3. What is ‘phishing’?
In the IT field, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messages and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.
A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking and alludes to baits used to "catch" financial information and passwords.
4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?
Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks such as the Internet.
A protocol developed by Netscape, Secure Sockets Layer (SSL) creates a secure connection between web servers and web clients. It generally uses a public key cryptosystem to ensure the security of data during transmission. During an SSL session, the server and client generate a unique session key that they will both use to encrypt sensitive information during the SSL data exchange process.

Secure Electronic Transaction (SET) is a payment protocol that Visa and MasterCard developed to ensure the security of data when financial transactions are carried out over the Internet. Like SSL, it depends mainly on cryptology, but with SET, the client uses an electronic wallet in which his/her credit card numbers and digital certificate are stored.
5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
A cookie, also known as a web cookie, browser cookie, or HTTP cookie, is a text string stored by a user’s web browser. A cookie consists of one or more name-value pairs containing bits of information, which may be encrypted for information privacy and data security purposes. A cookie can be used for authentication, session tracking, storing site preferences, shopping cart contents, the identifier for a server-based session or anything else that can be accomplished through storing textual data.
As text, cookies are not executable. Because they are not executed, they cannot replicate themselves and are not viruses. However, due to the browser mechanism to set and read cookies, they can be used as spyware. Anti-spyware products may warn users about some cookies because cookies can be used to track people, a privacy concern.
Some drawbacks of cookies are as follows:-
Besides privacy concerns, cookies also have some technical drawbacks. In particular, they do not always accurately identify users, they can be used for security attacks, and they are at odds with the Representational State Transfer (REST) software architectural style.
a. Inaccurate identification
If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a user account, a computer, and a Web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.
b. Cookie hijacking
A cookie can be stolen by another computer that is allowed reading from the network.
  • Cross-site scripting: a cookie that should be only exchanged between a server and a client is sent to another party.
  • Cookie poisoning: an attacker sends a server an invalid cookie, possibly modifying a valid cookie it previously received from the server.
c. Cookie theft
The cookie specifications constrain cookies to be sent back only to the servers in the same domain as the server from which they originate. However, the value of cookies can be sent to other servers using means different from the Cookie header.
d. Cookie poisoning
While cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of cookies before sending them back to the server. If, for example, a cookie contains the total value a user has to pay for the items in their shopping basket, changing this value exposes the server to the risk of making the attacker pay less than the supposed price. The process of tampering with the value of cookies is called cookie poisoning, and is sometimes used after cookie theft to make an attack persistent.
e. Cross-site cooking
In cross-site cooking, the attacker exploits a browser bug to send an invalid cookie to a server.
f. Inconsistent state on client and server
g. Cookie expiry
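A server-side defence against the cookie poisoning case above (the shopping-basket total), as an added example that is not from the original post: the server attaches an HMAC tag computed with a secret only it knows, and rejects any cookie whose tag no longer matches the value. The secret and cookie values are constructed for the demo.

```python
# Added example (not from the original post): HMAC-signed cookies so that a
# value edited on the client is detected and rejected by the server.
import base64
import hashlib
import hmac

# Constructed demo secret; a real deployment generates and stores this server-side.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

def _tag(value):
    """Base64url HMAC-SHA256 of the cookie value under the server secret."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def sign_cookie(value):
    """Return 'value.tag'; the tag contains no '.', so the last dot separates them."""
    return value + "." + _tag(value)

def verify_cookie(cookie):
    """Return the value if its tag is intact, else None (constant-time compare)."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_tag(value), tag):
        return None
    return value

def demo():
    issued = sign_cookie("basket_total=49.99")
    # Constructed tampering of the kind the passage describes: value changed,
    # tag left as issued. The server sees the mismatch and discards the cookie.
    tampered = issued.replace("49.99", "0.01")
    return verify_cookie(issued), verify_cookie(tampered)
```

Better still is to keep the total on the server and let the cookie carry only an opaque session identifier, which the signing here does not replace.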
6. What makes a firewall a good security investment? Accessing the internet, find two or three firewall vendors. Do they provide hardware, software or both?
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
  1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.
  2. Application gateway: This applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.
  3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
In the e-commerce business, the main issue is that customers will need to make payments online. As with all new technology, a complete risk assessment needs to be made; here the major threat to customers who wish to buy things online would be online theft. People would not put any of their details online if they cannot trust the service, and secondly they need to know whether the trader or supplier really exists and has a good track record, or is just a scam.
For those two threats, there is a common solution: these sorts of threats are addressed by SSL security and SET.
8. Get the latest pretty good privacy (PGP) information.
Pretty Good Privacy (PGP) was created by Philip Zimmermann in 1991. It is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications.
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a user name and/or an e-mail address. The first version of this system was generally known as a web of trust, in contrast to the X.509 system, which uses a hierarchical approach based on certificate authorities and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.
