E-Commerce Security

Attacks on security:

Security attacks can be classified in the following two categories depending on the nature of the attacker.

  • Passive attacks: The attacker can only eavesdrop or monitor the network. Typically, this is the easiest form of attack and can be performed without difficulty. In many networking environments, for e.g., broadcast type networks such as Ethernet and wireless networks
  • Active attacks: The attacker is not only able to listen to the transmission but also able to actively alter or obstruct it. Furthermore, depending on the attack's action, the following subcategories can be used to cover the majority of attacks

Other types of attacks on Security

  • Eavesdropping: This attack is used to gain knowledge of the transmitted data. However, using an encryption scheme to protect the transmitted data can easily prevent this attack
  • Traffic Analysis: The main goal of this attack is not to gain direct knowledge about the transmitted data but to extract information from the characteristics of the transmission, for e.g., amount of data transmitted, identity of the communicating nodes, etc. This information may allow the attacker to deduce sensitive information, for e.g., the roles of the communicating nodes, their position, etc. Unlike the previously described attack, this one is more difficult to prevent
  • Impersonation: Here the attacker uses the identity of another node to gain unauthorized access to a resource
  • Replay: The attacker retransmits data previously transmitted by a legitimate node
  • Denial of service: This active attack aims at obstructing or limiting access to a certain resource. This resource could be a specific node or service or the whole network
  • Digital Signatures

    A digital signature is basically a way to ensure that an electronic document (email, spreadsheet, text file, etc.) is authentic.
    Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it.

    Symmetric Key Systems

    The process involved with symmetric key systems:

    1. Create, distribute and store the symmetric private key securely
    2. Sender creates a digital signature by hashing the plaintext and attaching the resulting string to the plaintext
    3. Sender applies the fast symmetric encryption / decryption algorithm with the symmetric private key to the package (plaintext and attached digital signature) to produce the ciphertext. Authentication happens inherently because only the sender has the symmetric private key and can encrypt the package
    4. Only the receiver holding the symmetric private key can decrypt this package
    5. Sender transfers the ciphertext. The private symmetric key is never transmitted over the unsecure communication lines
    6. Receiver applies the same symmetric encryption / decryption algorithm with the same symmetric key (which the receiver already has) to the ciphertext to produce the original plaintext and digital signature. This authenticates whoever holds the private key
    7. Receiver detaches the digital signature from the plaintext
    8. Receiver creates a digital signature by hashing the plaintext
    9. Receiver compares the two digital signatures to prove message integrity (unaltered data)

    The process involved with asymmetric-key systems:

    1. Create and distribute asymmetric public and private keys securely
    2. The asymmetric private key is delivered to the owner
    3. The asymmetric public key is stored in an X.500 database and managed by the Certification Authority (CA)
    4. User must implicitly trust the secure creation, distribution and management of the keys
    5. Further, if the creator and the person or system managing the keys are different, then the end user must implicitly trust that the creator of the keys has actually deleted his copies
    6. Create a digital signature by hashing the plaintext. Encrypt the resulting digital signature using the sender's asymmetric private key and attach the resulting string to the plaintext (only the sender has created the digital signature)
    7. Create a private symmetric key used only for this transmission (the session key) and apply it and the symmetric encryption / decryption algorithm to the plaintext and attached encrypted digital signature to produce the ciphertext
    8. The problem of sending the session key to the receiver must now be addressed
    9. Make certain the sender has the CA's asymmetric public key
    10. Interception of the unencrypted request for the public key is a common form of attack
    11. There may be a whole hierarchy of certificates attesting to the validity of the CA's public key
    12. X.509 describes different methods for establishing user access to the CA public keys, all of which provide an entry point to spoofers and show that there is no system that guarantees the identity of the CA
    13. Ask the CA for the receiver's asymmetric public key
    14. The process is vulnerable to the man-in-the-middle attack
    15. The receiver's asymmetric public key has been "digitally signed" by the CA
    16. This means that the CA has used the CA's asymmetric private key to encrypt the receiver's asymmetric public key
    17. Since only the CA holds the CA's asymmetric private key, the receiver's asymmetric public key came from the CA
    18. Once received, decrypt the receiver's asymmetric public key using the CA's asymmetric public key and an asymmetric encryption / decryption algorithm
    19. Implicit trust in the CA and that the CA is not compromised are required
    20. If the CA is compromised (when you requested the CA's public key, did you actually receive the CA's public key or something else?), the entire infrastructure is unusable
    21. Those holding the public key can encrypt, but there is no way of knowing if the key has been compromised
    22. Using the receiver's asymmetric public key (now received from the CA and decrypted) and an asymmetric encryption / decryption algorithm, encrypt the session key
    23. Only those holding the receiver public key can encrypt, but there is no way of knowing if the key has been compromised
    24. Attach the encrypted session key to the ciphertext (which includes the previously encrypted digital signature)
    25. The encrypted session key is transmitted across the unsecured network and is the target for various types of attacks
    26. Receiver detaches the encrypted session key from the ciphertext
    27. The problem of decrypting the session key by the receiver must now be addressed
    28. Make certain the receiver has the CA's asymmetric public key
    29. The same comments as above can be made here
    30. Using the receiver's asymmetric private key and the same asymmetric encryption / decryption algorithm, receiver decrypts the session key
    31. Receiver applies the same symmetric encryption / decryption algorithm with the now unencrypted symmetric key (session key) to the ciphertext to produce the plaintext and attached hash of digital signature
    32. Receiver detaches the hash from the plaintext
    33. Receiver asks the CA for the sender's asymmetric public key
    34. Once received, receiver decrypts the sender's asymmetric public key using the CA's public key and the correct asymmetric encryption / decryption algorithm
    35. The same comments as above can be made here
    36. Using the sender's asymmetric public key and an asymmetric encryption / decryption algorithm, receiver decrypts the hash string
    37. Create a digital signature by hashing the plaintext
    38. Compare the two hashes to prove that the data has not been altered
    39. Transfer the package (ciphertext) that includes the digital signature and the attached encrypted session key
