Full HTML for Basic foilset: Security Infrastructure for Electronic Commerce and Internet

Given by Roman Markowski at CPS714 Computational Science Information Track on June 2 and June 7 99. Foils prepared July 6 99


Introduction to Network Security
E-commerce - definitions, characteristics, requirements
Security Standards and Protocols
Public Key Cryptography and Infrastructure
Secure Electronic Messaging (PGP, S/MIME)
Payments on the Web, Electronic Commerce
C2B: SSL and SET Standards
Organizing Cyber-Store
B2B: OFX and OBI Standards
Firewalls
Computer Crimes, Threats and Attacks

Table of Contents for full HTML of Security Infrastructure for Electronic Commerce and Internet


1 CPS714 Portal Technologies Internet Infrastructure for Electronic Commerce
2 Overview
3 Network Security (1)
4 Network Security (2)
5 Network Security (3)
6 Network Security (4)
7 What is Electronic Commerce ?
8 Underlying framework
9 Internet Infrastructure for E-commerce
10 Requirements for E-commerce
11 Traditional Solutions
12 Electronic Solutions
13 Security Standards and Protocols (1)
14 Security Standards and Protocols (2)
15 Security Standards and Protocols (2)
16 Security Standards and Protocols (3)
17 Security Standards and Protocols (4)
18 Security Standards and Protocols (5)
19 Public Key Cryptography (1)
20 Public Key Cryptography (2)
21 Public Key Cryptography (3)
22 Public Key Cryptography (4)
23 Cryptography (1)
24 Cryptography (2)
25 Secure Electronic Messaging (1)
26 Secure Electronic Messaging (2)
27 Secure Electronic Messaging (3)
28 Secure Electronic Messaging (4)
29 Secure Electronic Messaging (5)
30 Secure Electronic Messaging (6)
31 Secure Electronic Messaging (7)
32 Traditional Credit Card Transaction (1)
33 Traditional Credit Card Transaction (2)
34 Traditional Credit Card Transaction (3)
35 Payment on the Web (1)
36 Payments on the Web (2)
37 Payments on the Web (3)
38 Payment on the Web (4)
39 Payment on the Web (5)
40 E-commerce (1)
41 Electronic Commerce (2)
42 Electronic Commerce (3)
43 Secure Socket Layer (1)
44 Secure Socket Layer (2)
45 Secure Socket Layer (3)
46 Secure Socket Layer (4)
47 Secure Socket Layer (5)
48 Secure Electronic Transaction (1)
49 Secure Electronic Transaction (2)
50 Secure Electronic Transaction (3)
51 Secure Electronic Transaction (4)
52 Secure Electronic Transaction (5)
53 Secure Electronic Transaction (6)
54 Secure Electronic Transaction (7)
55 Secure Electronic Transaction (8)
56 SET vs. SSL
57 Cyber-Store (1)
58 Cyber-Store (2)
59 Cyber-Store (3)
60 Cyber-Store (4)
61 Cyber-Store (5)
62 Cyber-Store (6)
63 Open Financial Exchange (1)
64 Open Financial Exchange (2)
65 Open Financial Exchange (3)
66 Open Buying on the Internet (1)
67 Open Buying on the Internet (2)
68 Open Buying on the Internet (3)
69 Firewalls (1)
70 Firewalls (2)
71 Firewalls (3)
72 Firewalls (4)
73 Computer crimes (1)
74 Computer crimes (2)
75 Computer crimes (3)
76 Threats
77 Trends
78 Denial of Service Attacks (1)
79 Denial of Service Attacks (2)
80 DNS Cache Poisoning (1)
81 DNS Cache Poisoning (2)
82 DNS Cache Poisoning (3)
83 Back Orifice (1)
84 Back Orifice (2)
85 Session Hijacking (1)
86 Session Hijacking (2)
87 Web Spoofing (1)
88 Frame Spoofing (1)
89 Unix vs. Windows NT


HTML version of Basic Foils prepared July 6 99

Foil 1 CPS714 Portal Technologies Internet Infrastructure for Electronic Commerce

From Security Infrastructure for Electronic Commerce and Internet, CPS714 Computational Science Information Track, June 2 and June 7 99.
Roman Markowski
IS Manager
Northeast Parallel Architectures Center
Syracuse University
CPS 714, June 1999
http://www.npac.syr.edu/users/roman/

Foil 2 Overview

Introduction to Network Security
E-commerce - definitions, characteristics, requirements
Security Standards and Protocols
Public Key Cryptography and Infrastructure
Secure Electronic Messaging (PGP, S/MIME)
Payments on the Web, Electronic Commerce
C2B: SSL and SET Standards
Organizing Cyber-Store
B2B: OFX and OBI Standards
Firewalls
Computer Crimes, Threats and Attacks

Foil 3 Network Security (1)

Security - protection of information as it traverses the network. Security becomes one of the primary concerns when an organization connects its private intranet to the Internet.
The Internet is open and public by design. There is no guarantee against information ending-up in the wrong hands.

Foil 4 Network Security (2)

Protection components:
  • Confidentiality - hiding data from all but the intended viewers. Typically involves encryption, where data are scrambled and unscrambled with a common algorithm (DES, RC4, RC5, IDEA) and shared cryptographic keys
  • Integrity - keeping information unchanged by applying tools that detect any alteration (algorithms: MD5, SHA). They use cryptographic checksums (digests) generated at the source, sent with the data and recomputed at the destination. On their own such digests only catch accidental corruption: an attacker who can alter the data can recompute the digest too, so the digest must be keyed (a MAC) or digitally signed
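To make the caveat concrete, here is an added example (not from the lecture) that runs the same man-in-the-middle tampering against an unkeyed digest and against a keyed one (HMAC). The payment message, the shared secret and the attacker's edit are constructed sample values; SHA-256 stands in for the MD5/SHA of the foil because MD5 is no longer collision resistant.

```python
import hashlib
import hmac

# Constructed sample values (not from the lecture): a payment message and the
# secret shared by the two endpoints.
SECRET = b"shared-secret-between-merchant-and-bank"
MESSAGE = b"pay 100.00 USD from card ending 4711 to merchant 42"


def plain_digest(data: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a tag that only a holder of the key can compute."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_plain(data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel
    return hmac.compare_digest(plain_digest(data), tag)


def check_keyed(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, data), tag)


def tamper_in_transit(data: bytes, tag: str, keyed: bool):
    """Model an attacker on the path who changes the amount.
    With an unkeyed digest the attacker simply recomputes it; with HMAC the
    attacker has no key and can only forward the old tag."""
    forged = data.replace(b"100.00", b"9999.00")
    return (forged, tag) if keyed else (forged, plain_digest(forged))


def demo() -> dict:
    """Run both schemes through the same attack; True means the receiver accepted."""
    plain_forged, plain_tag = tamper_in_transit(MESSAGE, plain_digest(MESSAGE), keyed=False)
    hmac_forged, hmac_tag = tamper_in_transit(MESSAGE, keyed_digest(SECRET, MESSAGE), keyed=True)
    return {
        "plain_digest_accepts_forgery": check_plain(plain_forged, plain_tag),
        "hmac_accepts_forgery": check_keyed(SECRET, hmac_forged, hmac_tag),
        "hmac_accepts_genuine": check_keyed(SECRET, MESSAGE, keyed_digest(SECRET, MESSAGE)),
    }


if __name__ == "__main__":
    print(demo())
```

The unkeyed digest is accepted after the amount has been rewritten, because the attacker recomputed it; the HMAC tag fails as soon as a byte changes, and the attacker cannot produce a new one without the secret. A digital signature (foil 22) gives the same protection without a shared secret.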

Foil 5 Network Security (3)

Protection components:
  • Authentication - identifying the origin of information (typically associated with logon procedures). Public key technologies (RSA, DSA) are used to create digital signatures
  • Authorization - granting authenticated users access to services according to their access rights

Foil 6 Network Security (4)

There is no such thing as a 100% secure computer system. We can think of security as a triangle with "security", "performance" and "usability" at the corners. We cannot be at all corners at the same time.
[Figure: triangle with corners Security, Performance, Usability]

Foil 7 What is Electronic Commerce ?

E-commerce is the utilization of computer technology to accept payments and fulfill delivery of products and services via the Internet or private networks.
The explosive growth of online transactions pushes some companies into becoming CSPs (Commerce Service Providers): OneHost, AT&T, etc.
Characteristics:
  • transport over insecure public networks
  • confidentiality: based upon cryptographic protocols
  • authentication and trust: based on digital certificates and signatures
  • fundamental unit: financial transaction

Foil 8 Underlying framework

Legacy systems (Unix, Windows)
LANs and WANs (Ethernet, ATM, FDDI; T1, FR)
Client / Server technology
Applications (written in C, Java)
Routers, gateways
Telecommunication infrastructure
(Too) many various protocols

Foil 9 Internet Infrastructure for E-commerce

Transparent to the network
Security; real time alert system; mutual, strong authentication is necessary
Standard-based
Scalable to growth
Auditable; monitoring: clients, servers, network events
Affordable; User friendly
Centralized management
Domestic and Foreign law
Performance

Foil 10 Requirements for E-commerce

Confidentiality
Integrity
Authenticity
Non-Repudiation
Availability

Foil 11 Traditional Solutions

Confidentiality (protects against unauthorized access)
  • Envelope
Integrity (protects against data tampering)
  • watermarks, signatures
Authenticity (protects against masquerading)
  • physical presence, notaries
Non-Repudiation (protects against denial of being a party to a transaction)
  • receipts, confirmations, signatures

Foil 12 Electronic Solutions

Confidentiality
  • Data Encryption
Integrity
  • Hash Algorithms, Message Digests, Digital Signatures
Authenticity
  • Digital Signatures, Certificates
Non-Repudiation
  • Digital Signatures, Audit Logs
Availability
  • Redundant Systems, Automatic Rescue Procedures

Foil 13 Security Standards and Protocols (1)

ITU X.509 - digital certificate (like identity card authorized by Certificate Authority (CA))
SSL - Secure Socket Layer
PAP - Password Authentication Protocol
CHAP- Challenge Handshake Authentication Protocol
TACACS - Terminal Access Controller Access-Control System
RADIUS - Remote Authentication Dial-In User Service
PKCS - Public Key Cryptography Standards
PGP - Pretty Good Privacy
S/MIME - Secure/Multipurpose Internet Mail Extensions
PEM - Privacy Enhanced Mail

Foil 14 Security Standards and Protocols (2)

IPsec - IP Security Protocol (IETF); IPsec addresses encryption, integrity and origin authentication of IP packets
DES - Data Encryption Standard - private key encryption
DSS - Digital Signature Standard
SHA -Secure Hash Algorithm
DSA - Digital Signature Algorithm
Secure DNS - is designed to stop DNS spoofing
Microsoft Crypto API
Intel Common Data Security Architecture
SET - Secure Electronic Transactions

Foil 15 Security Standards and Protocols (2)

IPsec - network layer security
  • provides security to the IP protocol itself, so every application above it benefits without changes
  • RFC 1825-1829 (the 1995 architecture; superseded by RFC 2401-2406 in November 1998)
  • AH: Authentication Header
    • integrity and origin authentication for the whole datagram (payload plus the immutable IP header fields); no encryption
    • keyed MD5 as the default integrity transform (RFC 1828)
  • ESP: Encapsulating Security Payload
    • DES-CBC as the default encryption transform (RFC 1829); in these RFCs ESP encrypts but does not authenticate, so it is combined with AH when both are needed
[Figure: protocol stack with AH and ESP at the IP layer below TCP, and HTTP, FTP and SMTP above]

Foil 16 Security Standards and Protocols (3)

SSL - session layer security (between TCP and the application)
  • application-protocol independent
  • currently available for HTTP, NNTP, SMTP from Netscape
  • available in Netscape Navigator, Microsoft IE, most servers
  • https - port 443; smtps - port 465; nntps - port 563
  • Key exchange: RSA, D-H, Fortezza
  • Encryption algorithms: RC2, RC4, IDEA, DES, 3DES
  • Certificates: X.509 v3
  • client certificates are optional, so in practice SSL authenticates the server to the client but not the client to the server
[Figure: protocol stack with SSL between TCP/IP and HTTP, FTP, SMTP]

Foil 17 Security Standards and Protocols (4)

S-HTTP and S/MIME application layer security
  • available in some servers
  • encapsulates existing HTTP data
  • public key cryptography with encryption and digital signatures
  • not widely supported
[Figure: protocol stack with S-HTTP and S/MIME at the application layer above TCP/IP]

Foil 18 Security Standards and Protocols (5)

PGP/SET - content based security
  • completely protocol independent
  • PGP secure electronic messaging based on asymmetric and symmetric encryption
  • SET messaging protocol to secure bank-card transaction
[Figure: protocol stack with PGP and SET above the application protocols HTTP, FTP, SMTP over TCP/IP]

Foil 19 Public Key Cryptography (1)

Symmetric Cryptography
  • adding Confidentiality; single key, shared secret
  • Standards: DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm)
  • fast, easy to implement, reliable
  • problem: key exchange over untrusted networks
[Figure: cleartext message -> encrypt -> decrypt -> cleartext message, with the secret key delivered over a separate secure channel]

Foil 20 Public Key Cryptography (2)

Asymmetric (public-key) Cryptography
  • adding Confidentiality; 2 mathematically linked keys: public and private (RSA, DH)
  • either can be used for encryption or decryption: what one key encrypts, only the other can decrypt, and the private key never leaves its owner
  • problem: computationally intensive (orders of magnitude slower than symmetric ciphers, so in practice it protects a symmetric session key rather than the data)
[Figure: cleartext message -> encrypt with the recipient's public key -> decrypt with the recipient's private key -> cleartext message]

Foil 21 Public Key Cryptography (3)

Digital Signatures
  • adding Authenticity
  • allow authentication of computers and people
  • used to verify the authenticity of the origin: the originator applies the private key, anyone holding the public key can verify, and nobody without the private key can produce the signature
[Figure: cleartext message -> encrypt with the originator's private key -> decrypt with the originator's public key -> cleartext message]

Foil 22 Public Key Cryptography (4)

Adding Integrity and Non-Repudiation
Hash functions are one-way (the message cannot be recovered from the digest) and create a unique fingerprint of the original message; signing the short digest instead of the whole message is what makes signatures practical
[Figure: the originator hashes the message to a digest and encrypts the digest with the private key, sending message and signature; the recipient decrypts the digest with the originator's public key, hashes the received message and compares the two digests]

Foil 23 Cryptography (1)

[Figure: plaintext -> encryption -> ciphertext -> decryption -> plaintext]
Most ciphers consist of a public algorithm and a key, which needs to be long enough to be safe (40, 56, 128 bits)
Encryption and decryption are computationally expensive
Brute force attack (every additional key bit doubles the work):
  • if it takes one day for a device to exhaust a 40-bit key space,
  • the same device needs 2^16 = 65,536 days, about 180 years, for a 56-bit DES key
  • and 2^72 times longer again, on the order of 10^19 years, for 112-bit 3DES
  • in practice 56-bit DES already fell to purpose-built hardware: the EFF "Deep Crack" machine recovered a DES key in under three days in 1998

Foil 24 Cryptography (2)

The most popular symmetric encryption algorithms
  • DES - Data Encryption Standard - official US Government encryption standard (56-bit key + 8 parity bits = 64 bits)
  • 3DES - Triple DES (112-bit or 168-bit key) in the variants 3DES-EEE3, 3DES-EDE3, 3DES-EEE2, 3DES-EDE2
  • IDEA - International Data Encryption Algorithm (128-bit key)
  • RC4 - Rivest Cipher 4 (variable key length; 40 or 128 bits in practice)
  • AES - Advanced Encryption Standard (expected in year 2000)
The most popular asymmetric algorithms
  • D-H Diffie-Hellman (key agreement)
  • RSA - Rivest Shamir Adleman (1024 bit)
  • DSA - Digital Signature Algorithm (1024 bit; signatures only)
  • ECC - Elliptic Curve Cryptosystems

Foil 25 Secure Electronic Messaging (1)

Requirements
  • privacy, authentication, integrity, availability, virus checking, support for non-text messages, non-repudiation (proof of sending and receiving)
Standards
  • SMTP - Simple Mail Transfer Protocol; POP3 - Post Office Protocol 3
  • IMAP4 - Internet Message Access Protocol 4
  • MIME, S/MIME - (Secure/) Multipurpose Internet Mail Extensions
  • PGP - Pretty Good Privacy; SSL - Secure Socket Layer
  • X.400 - OSI E-mail standard
  • X.509 v3 - Public key certificate standard

Foil 26 Secure Electronic Messaging (2)

PGP - Pretty Good Privacy
  • owned by Network Associates; developed by Phil Zimmermann in 1991
  • World-Wide deployment
  • provides encryption and digital signature for e-mail and files
  • asymmetric encryption: RSA, Diffie Hellman
  • symmetric encryption: CAST, IDEA, Triple DES
  • PGP is a hybrid cryptographic system which combines the best features of symmetric and asymmetric encryption
  • widely available: http://www.pgp.com; http://www.pgpi.com
  • Windows: version 6.0.2; Unix : version 5.x.I

Foil 27 Secure Electronic Messaging (3)

PGP - Pretty Good Privacy
  • source code available; public key size: up to 4096 bits
  • PGP uses its own certificate format, which is not compatible with X.509
  • PGP is based on a web of trust rather than a central CA: if C trusts B as an introducer and B has signed A's key, then C accepts A's key as genuine
  • new product PGP Enterprise Security 3.0 (Network Associates, Sep 98) supports X.509
  • PGP keys available at
  • You need to generate your own

Foil 28 Secure Electronic Messaging (4)

PGP - Pretty Good Privacy
[Figure: encryption: the plaintext is compressed and encrypted with a random session key, the session key is encrypted with the recipient's public key, and both ciphertext and encrypted session key are sent; decryption: the recipient's private key recovers the session key, which decrypts the ciphertext back to the plaintext]
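The hybrid scheme in this figure, together with the public-key encryption and hash-then-sign flows of foils 20 to 22, as one added example in Python that is not part of the lecture. Assumptions, all labelled in the code: a toy RSA key built from two published Mersenne primes (so it is reproducible but not secret), textbook RSA without the OAEP/PSS padding real implementations require, and a SHA-256 counter-mode keystream standing in for the IDEA/CAST/3DES session cipher of PGP. The order text is a constructed sample.

```python
import hashlib
import secrets
import zlib

# Toy RSA key pair from two published Mersenne primes (2^127-1 and 2^107-1), so the
# arithmetic is visible and reproducible. Because the primes are public this key is
# NOT secret; real keys use random primes of 1024 bits and more (foil 24).
P, Q = (1 << 127) - 1, (1 << 107) - 1
N = P * Q                                  # modulus, about 234 bits
E = 65537                                  # public exponent, coprime with (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def rsa_apply(key, value: int) -> int:
    """Textbook RSA (no padding): value^exp mod n. One operation serves both keys, which
    is the 'either key can encrypt' property of foil 20. Real systems add OAEP/PSS."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 in counter mode) in place of IDEA/CAST/3DES.
    XOR based, so the same call both encrypts and decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def pgp_encrypt(plaintext: bytes, recipient_public):
    """Foil 28: compress, encrypt with a fresh session key, wrap that key for the recipient."""
    session_key = secrets.token_bytes(16)                      # 128-bit one-time key
    body = stream_xor(session_key, zlib.compress(plaintext))
    wrapped_key = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped_key, body


def pgp_decrypt(wrapped_key: int, body: bytes, recipient_private) -> bytes:
    """Unwrap the session key with the private key, then undo the stream cipher and compression."""
    session_key = rsa_apply(recipient_private, wrapped_key).to_bytes(16, "big")
    return zlib.decompress(stream_xor(session_key, body))


def sign(message: bytes, signer_private) -> int:
    """Foil 22: hash first, then apply the private key to the digest (SHA-224 fits below N)."""
    digest = int.from_bytes(hashlib.sha224(message).digest(), "big")
    return rsa_apply(signer_private, digest)


def verify(message: bytes, signature: int, signer_public) -> bool:
    """Recover the digest with the public key and compare it with a fresh hash."""
    n, _ = signer_public
    if not 0 <= signature < n:
        return False
    expected = int.from_bytes(hashlib.sha224(message).digest(), "big")
    return rsa_apply(signer_public, signature) == expected


if __name__ == "__main__":
    order = b"order 1234: 1 x widget; total 19.99 USD"   # constructed sample
    wrapped, body = pgp_encrypt(order, PUBLIC_KEY)
    assert pgp_decrypt(wrapped, body, PRIVATE_KEY) == order
    sig = sign(order, PRIVATE_KEY)
    assert verify(order, sig, PUBLIC_KEY)
    assert not verify(order.replace(b"19.99", b"1.99"), sig, PUBLIC_KEY)
    print("hybrid encryption and signature round-trip OK")
```

Only the short session key goes through the expensive public-key operation; the bulk data goes through the fast symmetric cipher, which is why PGP (and SSL) are hybrid systems. Changing a single digit of the order invalidates the signature, since the digest no longer matches the one recovered with the public key.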

Foil 29 Secure Electronic Messaging (5)

S/MIME - Secure/Multipurpose Internet Mail Extension
  • Internet standard: RFC 2311, RFC 2312; developed by RSA in 1996; IETF is working on version 3
  • S/MIME allows users of messaging clients (e.g. Netscape Messenger) to send encrypted messages and to authenticate received messages
  • asymmetric encryption: RSA
  • symmetric encryption: RC2, Triple DES
  • public key size : 1024 bits
  • uses X.509v3 certificates to authenticate owner of the public key

Foil 30 Secure Electronic Messaging (6)

S/MIME
  • wide vendor support (built into Netscape E-mail, Microsoft Outlook and Outlook Express, Lotus)
  • interoperability problems
  • S/MIME offers the following features:
    • encryption for message privacy
    • sender authentication with digital signatures
    • tamper detection (via secure hashing functions)
    • interoperability with other S/MIME compatible software
    • cross platform messaging
    • seamless integration into Netscape Messenger
  • See http://www.rsa.com for more details

Foil 31 Secure Electronic Messaging (7)

S/MIME
  • is seamlessly integrated into software (browsers, servers)
[Figure: a plain MIME message (MIME header + content) beside an S/MIME message (S/MIME header + encrypted content)]

Foil 32 Traditional Credit Card Transaction (1)

How do credit card transactions work, and how are they mapped onto the Web?
  • (1) Before you can accept credit cards you need a merchant account from a financial institution (the acquiring bank or merchant bank, which determines what types of credit cards you can accept)
  • (2) The issuing bank (client's bank) represents the client in the transaction (it offers the client credit in the form of the plastic card)
  • (3) The processing network: for example Verifone credit card readers in stores and supermarkets

Foil 33 Traditional Credit Card Transaction (2)

Transaction types
  • (1) immediate sales transaction:
    • authorization and fund capture are immediate; settlement occurs later between the issuing (client's) and acquiring (merchant's) banks
  • (2) book-and-ship transaction:
    • authorization (merchant to client's bank) at order time
    • draft capture between merchant and consumer when the goods ship
    • settlement between the issuing and acquiring banks

Foil 34 Traditional Credit Card Transaction (3)

in the real world:
  • the card owner comes to a supermarket, hands over the credit card and signs a receipt in the presence of the merchant
  • the card reader calls the bank twice: once for the individual authorization and again at the end of the day for settlement and accounting
[Figure: card holder (owner of the card), card processing network (Verifone reader in the supermarket), issuing bank (represents the client), acquiring bank (represents the merchant)]

Foil 35 Payment on the Web (1)

The Web is open for business. The number of commercial sites is growing
Buzzwords: e-commerce, virtual malls, cyber-shops, virtual storefront, electronic shopping carts, etc.
Despite the hype, the current Internet market is a tiny fraction of the traditional market (growing fast)
major concern: security

Foil 36 Payments on the Web (2)

Models existing systems; built on existing infrastructure
Technologies such as SSL and SET make purchasing over the Internet possible
Heavily relies on SSL
  • users can authenticate servers, but not vice versa
  • it is easier to deploy certificates on the server
Users retrieve the server certificate
Clients use a user ID and password to authenticate to the server

Foil 37 Payments on the Web (3)

[Figure: client/server exchange: hello, then user ID/password over the established channel; second panel: a bare client/server hello exchange]

Foil 38 Payment on the Web (4)

Internet Commerce Characteristics
  • Client (consumer, purchaser) trusts Client's bank (issuing bank)
  • Merchant (vendor) trusts Merchant's bank (acquiring bank)
  • Merchants are authenticated to Clients
  • Clients are authenticated to Merchants (user-ID /password, sometimes certificates)

Foil 39 Payment on the Web (5)

[Figure: flow of data among purchaser, merchant, issuing bank and acquiring bank; arrows labelled certificate (purchaser and merchant), verification, settlement (twice)]

Foil 40 E-commerce (1)

[Figure: a client on the Internet reaches, through a firewall, the Web server and the merchant server with its database, which in turn talk to the banks; flows labelled customer order, payment authorization, order confirmation, database query]

Foil 41 Electronic Commerce (2)

Merchant Server
  • processes electronic purchases
  • keeps transactions secure (strong authorization and encryption)
  • high performance, load balancing
  • access 24 hours a day
Examples of merchant servers
  • Open Market's OM-Transaction $250,000
  • Microsoft's Merchant Server $18,000
  • IBM's Net.Commerce $5,000
  • Oracle Internet Commerce Server $5,000

Foil 42 Electronic Commerce (3)

On the Internet it is common to deal with vendors and clients we have never met before, who have no reputation, and whom we may never meet again
E-commerce allows doing business over the Internet (an insecure network). Security is based on:
  • SSL - Secure Socket Layer
  • SET - Secure Electronic Transaction
  • X.509 certificates, used to authenticate merchants and (less often) customers
SET and SSL are widely known communication protocols, each providing a way to make payments over the Internet

Foil 43 Secure Socket Layer (1)

[Figure: the client exchanges the order page, the credit card number and the receipt with the Web and merchant servers over SSL; the merchant servers settle with the banks through traditional clearing]
Stealing credit card information from the merchant server happens: SSL protects the card number in transit, not once it is stored on the merchant's side

Foil 44 Secure Socket Layer (2)

Case Study (SSL)
  • I want to buy a product over the Internet; I locate several online stores and choose one
  • With whom am I dealing? The handshake phase answers this:
Client Hello (the list of cipher suites the browser supports)
Server Hello (the server selects one cipher suite)
Certificate: contains the server's public key; the browser verifies the CA signature on it and that it names the server it is talking to
Pre-master secret encrypted with the server's public key; only the server can decrypt it, and both sides derive the session keys from it
HTTP communication over the secure channel
[Figure: message sequence between client (browser) and merchant (server), with "verification" on the client side and "decryption" on the server side]

Foil 45 Secure Socket Layer (3)

SSL does NOT assure me that the Merchant is authorized to accept my credit card
Is the conversation private?
  • the session key is known only to my browser and the server
  • confidentiality through encryption (privacy; prevents eavesdropping)
  • data integrity through a keyed hash (MAC) over every record (MD5 or SHA-1)
  • server authentication via digital certificates
  • (optional) client authentication via digital certificates
  • my credit card number can be read only by the Merchant Server; SSL says nothing about what the merchant does with it afterwards
  • an SSL session involves exchanging certificates and keys

Foil 46 Secure Socket Layer (4)

SSL was originally designed by Netscape
Netscape made C-based source code available to developers (SSLRef library): http://home.netscape.com/eng/US-Current (subject to US government export restrictions)
SSL is an open, not a proprietary, protocol
SSL is easy to apply and use because it is built into all major Web browsers (IE, Netscape) and servers
SSL does not use S/MIME: the two share X.509 certificates and PKCS formats, but SSL protects the TCP byte stream with its own record layer, whereas S/MIME protects individual store-and-forward messages

Foil 47 Secure Socket Layer (5)

Message transfer uses 40-bit RC4 (export versions) or 128-bit RC4 (in the USA)
Public key cryptography: RSA 1024-bit, D-H
HTTP uses port 80 by default; HTTP over SSL (https://...) uses port 443 by default
Naming convention for SSL-enabled services: HTTPS, FTPS, NNTPS
The same machine can run secure and insecure servers simultaneously: browsing the product catalog can be insecure, whereas ordering and payment should go through the secure channel
A non-SSL browser cannot access an https server
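As an added example (not from the lecture), the server-authentication choices of foils 44 to 47 expressed with Python's standard ssl module, the TLS successor to the SSL of these foils: the weak client configuration beside the corrected one, plus a server context that turns the otherwise optional client certificate into a requirement. The certificate and key file names are placeholders to be supplied by the deployer; the audit helper only inspects settings and opens no network connection.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The classic mistake: traffic is encrypted but the server's certificate is never
    validated, so any host on the path can answer as the merchant."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Server authentication as foil 45 describes: the certificate must chain to a
    trusted CA (cafile, or the platform store when None) and match the host name."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # SSLv2/3 and TLS 1.0/1.1 are out
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")     # forward secrecy, no RC4/DES/3DES/export
    return ctx


def server_context_with_client_auth(certfile: str, keyfile: str, client_cafile: str) -> ssl.SSLContext:
    """Client certificates are optional in SSL; this server makes them mandatory.
    File names are placeholders supplied by the deployer (assumption, not from the foils)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise what a reviewer checks before trusting a context (no network access)."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in offered if any(w in n for w in ("RC4", "DES", "NULL", "EXP", "MD5"))]
    return {
        "authenticates_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "weak_ciphers_offered": weak,
    }


if __name__ == "__main__":
    print("weak:    ", audit(weak_client_context()))
    print("hardened:", audit(hardened_client_context()))
```

The weak context still negotiates encryption, which is exactly why it is dangerous: the padlock appears, yet the "with whom am I dealing?" question of foil 44 is never answered. The hardened context answers it through the CA chain and host name check, and the server variant closes the gap the foils note (clients normally unauthenticated) for hosts such as a checkout or administration interface.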

Foil 48 Secure Electronic Transaction (1)

SET is a messaging protocol designed by MasterCard, Visa and others to secure bank-card payment transactions over open networks
  • not ready yet for most consumers; not widely deployed
  • SET models all the players involved in card payments, the trust relationships between them and the legal meaning of digital signatures
  • SET provides cryptographic identity authentication of every entity involved in a transaction (multiparty security)
  • SET uses message encryption, not channel encryption
  • With SET every cardholder is issued a certificate and the matching signing key. These, plus the software that speaks the SET protocol, make up a SET electronic wallet

Foil 49 Secure Electronic Transaction (2)

Case Study (SET)
  • I browse the Web, select a Merchant, select an item
  • I choose to pay with my electronic wallet
  • The Merchant server sends a request to my Web browser to open my wallet
  • My wallet exchanges handshake messages with the server
    • confirms that the Merchant is authorized to process payments with my card brand
    • confirms to the Merchant that I am an authorized card holder
  • My wallet constructs the purchase order and the payment instruction (cryptographically protected, so the Merchant sees the order but not my card details)
  • The payment instruction is forwarded to the payment gateway (usually run by the Merchant's bank)
  • My wallet receives the purchase-response message. This ends the electronic payment procedure

Foil 50 Secure Electronic Transaction (3)

Case Study (SET)
Diagram: SET case study showing the Consumer (with a Digital Wallet), the Merchant, the Payment Gateway, the CA and BankNet; the message flows shown are Transaction, Certificate (to consumer and merchant), Authorization and Settlement.

Foil 51 Secure Electronic Transaction (4)

Cardholder "wallet" software: allows secure purchases. It communicates with the merchant's (server) software to verify the merchant's digital certificate. This program also maintains and administers the cardholder's (client) certificate.
Merchant software: this application is required to communicate securely with the cardholder and with the merchant's financial institution. It also manages the exchange of digital certificates prior to a sale transaction.

Foil 52 Secure Electronic Transaction (5)

Payment Gateway server software: performs standard, automated payment processing. It decrypts payment instructions from cardholders and supports the merchant certificate request process.
Certificate authority software: allows customers (client) and merchants (server) to register their respective account agreements for secure electronic commerce. It is used to issue digital certificates to cardholders (client) and merchants (server).

Foil 53 Secure Electronic Transaction (6)

SET messages are essentially the same as those used in traditional banking networks for years; SET allows them to flow across the insecure, open Internet
SET defines all necessary communication between banks, merchants and cardholders, whereas SSL only creates a secure connection between two computers
SET gives merchants assurance that the card holder cannot later claim "it was not me"; the bank has evidence that I made the purchase
SET gives the card holder assurance that the merchant is legitimate

Foil 54 Secure Electronic Transaction (7)

SET offers security at the expense of simplicity
SET is so complicated that banks and merchants are not eager to deploy it
In practical implementations:
  • SSL is used to protect privacy of the transaction
  • SET is used to enable consumer and merchant to authenticate each other
SET extends the current message flow in banking networks into cyberspace

Foil 55 Secure Electronic Transaction (8)

SET requires appropriate software installed in the banking network, at merchants' locations, and on consumers' computers
The merchant does not get access to the client's account information (privacy of financial data)
SET offers a complete card payment system (payment transport, confirmation and inquiry)
Symmetric key cryptography: DES with a 56-bit key
Public key cryptography: RSA with 768, 1024 or 2048-bit keys
Hashing: SHA-1

Foil 56 SET vs. SSL

Will SET replace SSL? NO; there are virtually no technical similarities between SET and SSL, except that both use RSA public key cryptography
Is SET dead? NO; it is just much more complex and advanced
Is SSL good enough for e-commerce? NO, but it is being used
Does the merchant know who the client is? NO; credit card over SSL authenticates the identity of the server to the browser, but not vice versa. Client authentication can be done in SSL, but clients have no certificates.

Foil 57 Cyber-Store (1)

Going Virtual (From a merchant perspective)
  • Choose "online" or "offline" CC authorization
    • Online: the consumer's CC balance is queried, and possibly debited, during the transaction
    • Offline: the Web server simply collects credit card orders; these are processed at a later stage (e.g. on a CC terminal with someone keying in CC numbers by hand)
  • Decide whether to do everything yourself or use one or more third-party companies (outsourcing)
    • iCat Software does everything from hosting the shopping cart software to collecting payments, at no cost (up to 10 products)

Foil 58 Cyber-Store (2)

To "go virtual" you will need some of the following to start taking credit card orders over the Web:
  • an SSL-enabled Web site
  • a merchant account
  • catalog and shopping cart software
  • sales-tax software
  • payment processing software
  • a shopping mall web site with scripts for payment processing
  • sales reports and analysis tools

Foil 59 Cyber-Store (3)

SSL-Enabled Web Site
  • Verisign, Thawte and Entrust can provide digital certificates to SSL-enable your Web server
  • SSL enabling is straightforward for most servers and costs $100-$700
  • The CA checks the shopping mall (by phone) before a digital certificate can be issued
  • With SSLv2, if the shopping mall does not have a valid digital certificate, the browser shows a warning but tries to use SSL anyway
  • With SSLv3 both the web server and the client browser require a valid digital certificate

Foil 60 Cyber-Store (4)

Merchant Account
  • probably the most difficult part of setting up a CyberStore
  • you must obtain a merchant account, which allows you to transfer funds from your clients' CC into your bank account
  • banks require the company's credit history, tax returns, references from your ISP and personal-account banks, a security deposit, etc.
  • banks insist that you lease expensive hardware and software that cannot be used in your e-commerce Web site, and take 2-5% from every transaction
  • virtual stores can appear and disappear.....
  • CardService and EMS2000 can help in opening a merchant account and provide other services; they make money by knowing how to get around the bureaucracy
  • WebAgency and Vantage Technology will perform transactions for you (you do not need a merchant account)

Foil 61 Cyber-Store (5)

Catalog and Shopping Cart Software
  • you can write your own software or buy it ($0 - $100,000+)
  • vendors: IBM, Lotus, Netscape, Microsoft, Oracle, as well as Ecstore, iCat, Open Market, Internet Factory, etc.
  • before you buy:
    • is the software available for your operating system?
    • is it cookie based?
    • how easily can it be customized?
    • which database back-ends does it support?
    • does it support your payment-processing software?

Foil 62 Cyber-Store (6)

Sales-Tax Software
  • www.TaxWare.com has products which integrate with most shopping cart software and Web servers
  • If you sell in NYS, you need to collect sales tax...
Payment Processing Software
  • CyberCash's MCK (Merchant Connection Kit) and CashRegister; Verifone's vPOS; Microsoft's MS Wallet; ICVerify's NetVerify
  • all MCK-to-CashRegister commands (scripts) are SSL encrypted (Triple DES)
  • Scripts are written in C, Perl, VBScript

Foil 63 Open Financial Exchange (1)

Focus: User-to-Bank Transactions
Online banking standard from Microsoft, Checkfree and Intuit
Merger of 2 standards
  • Quicken: Open Exchange
  • Microsoft: Open Financial Connectivity
Built on open standards
  • SSL for channel security between Client and Server
  • TCP/IP and HTTP for transport
  • SGML for message formatting
Supported by: Web browsers and Desktop applications (Quicken, MS Money)

Foil 64 Open Financial Exchange (2)

Transport independent (currently HTTP but not required)
Services
  • bank statement download; fund transfer
  • consumer payments; business payments
  • credit card statement download
Security
  • server certificates used to identify Financial Institutions (issued by OFX approved CAs)
  • Clients must recognize all approved CAs
  • All certificates X.509v3
More info: www.ofx.com

Foil 65 Open Financial Exchange (3)

Diagram: OFX architecture. Clients locate Financial Institutions (FI) via Profile Servers (FI Identifier, FI Profile); the Client then exchanges an OFX Request and OFX Response with the FI's Web Server and OFX Server. On the wire the request is carried as (SSL (OFX Data (Encrypted Password))); inside the FI it is (OFX Data (Encrypted Password)).

Foil 66 Open Buying on the Internet (1)

Focus: Business-to-Business transactions
Designed as a complement to EDI (Electronic Data Interchange); targets high-volume, low-cost corporate orders (distributors, suppliers, business partners, agents, etc.)
Security based on
  • X.509 digital certificates for authentication
  • SSL for communication
  • SET for credit card transactions
Characteristics
  • cost effective, robust, flexible, interoperable
Standard supported by
  • Netscape (BuyerXpert, SellerXpert), Microsoft (Site Server), IBM (Net.Commerce), AMEX

Foil 67 Open Buying on the Internet (2)

OBI Architecture
Diagram: OBI architecture with four roles: Requisitioner, Buying Organization, Selling Organization and Payment Authority.

Foil 68 Open Buying on the Internet (3)

Requisitioner: the end user in the system who places an order. The requisitioner also holds a digital certificate issued by the trusted certificate authority.
Buying Organization: represents the purchasing management and the information systems that support purchasing. These systems include the OBI server, which receives and requests OBI orders, and hold trading partner information, workflow, approvals, account and tax status.
Selling Organization: maintains a dynamic online catalog and presents price and product information.
Payment Authority: provides authorization for the payment vehicle presented by the requisitioner.

Foil 69 Firewalls (1)

Firewalls are guardians for areas of the network. The firewall must permit only authorized traffic, and the firewall itself must be immune to penetration. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent.
Firewall architectures are based on: packet filtering, proxies, stateful inspection, or network address hiding and translation

Foil 70 Firewalls (2)

What is a firewall ?
  • Hardware and software connecting 2 networks (filters, proxies)
  • mediates all traffic between the nets
  • protects each network from attacks originating on the other
Firewall types
  • packet filters; packet analyzers
  • application level proxies
  • circuit level proxies (SOCKS)
  • hybrid
Firewall characteristics
  • simple, reliable, configurable, manageable, operable

Foil 71 Firewalls (3)

Management and systems personnel often assume that if they have a firewall, they have sufficient security and no further security checks are needed
Some network services (like ftp, http, sendmail, telnet) are passed through the firewall
Diagram: a multi-homed firewall separating the external network from the internal network; the services shown are Mail, DNS, NIS, FTP, Print, NFS and WWW on the internal side, with a Web server and DNS attached to the firewall.

Foil 72 Firewalls (4)

Gauntlet Firewall 2.0 for Windows NT from Network Associates (http://www.nai.com)
FireWall-1 for Windows NT from Check Point Software Technologies (http://www.checkpoint.com)
Firewall policy:
  • must support, without modifications to internal clients: telnet, FTP, e-mail (SMTP out, POP3 in), HTTP, HTTPS, NNTP, IRC, RealAudio
  • ICMP (ping, traceroute) allowed from internal hosts to the outside; the firewall should block ping and traceroute from outside
  • telnet and FTP allowed inbound only with strong authentication
  • secure remote administration allowed
  • the firewall must prevent IP spoofing attempts
  • the firewall needs logging and reporting mechanisms

Foil 73 Computer crimes (1)

Computer crimes
  • First network attack: 1988 (Worm; Robert Morris, Cornell)
  • Attackers: hackers vs. crackers (vandals, spies)
  • hackers are proud of what they are doing and publish their achievements; crackers hack for profit
  • US companies lose $7.5 billion annually
Attacks
  • Social engineering (obtaining a username and password from another person)
  • Trojan horses and system modifications (modified login, su, telnet, in.telnetd, ftp, ls, ps, netstat, ifconfig, find, du, df, libc, sync, inetd, and syslogd)

Foil 74 Computer crimes (2)

Attacks
  • Denial of service - some servers or services stop running
  • IP Spoofing - a hacker poses as a legitimate host using a fabricated IP address
  • Session hijacking - stealing sessions
  • Web spoofing - creating fake Web sites
  • DNS hijacking - redirect DNS
  • Password Sniffing - there are some tools like TCP Grab or Passfinder
  • Holes in commercial and public domain software (sendmail, flexlm, yppasswd, ftpd, various servers)

Foil 75 Computer crimes (3)

Attacks
  • Hostile Java applets
  • Invasion of privacy - access to and modification of private data
  • Viruses (for Windows and Unix): annoying, destructive
Only 5% of crackers write their own code; most cracker tools are publicly available
The large majority of attacks are INTERNAL

Foil 76 Threats

Hacker attacks (vandalism, springboard)
Denial of service (competition)
Theft (software, ideas, money)
Damage to public image (companies, people)

Foil 77 Trends

Hacker tools are getting easier to use (GUI) and are easily distributed (hacker groups act as distribution houses)
High-quality, extremely functional hacker tools; lots of good tools
Attacks from multiple sources simultaneously at Christmas time, New Year's Eve, etc.
New hacks all the time
The attacks are getting more sophisticated
Various hacks are combined
Hackers are one step ahead of security solution deployment

Foil 78 Denial of Service Attacks (1)

Against companies, to make their computers unusable and damage the company image
Diverts the system staff's attention from the real attack
There are countless DoS attacks out there today: ftp://info.cert.org/pub/tech_tips/denial_of_service
Various forms:
  • SYN flooding
  • Land and similar
  • Teardrop and similar
  • Smurf, papasmurf
  • Ping o' Death

Foil 79 Denial of Service Attacks (2)

Land attack
  • November 1997
  • affects many Unix and Windows NT/95 systems, routers and switches
  • exploits a poorly implemented TCP/IP stack
  • a TCP SYN packet is sent with
    • destination IP address = source IP address = victim's IP address
    • source port = destination port = an open port on the victim's machine
  • result: the machine crashes
Land attack defense
  • vendor patches
  • anti-spoof filters
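The anti-spoof filter above and the firewall policy from the Firewalls (4) foil, as an added example that is not part of the original foils: a stateless packet filter that drops Land-style packets (source equals destination), rejects per-interface spoofed sources, passes ICMP outbound only, and logs every decision. The interface names, the 10.0.0.0/8 internal range, the RealAudio port and the sample packets are assumptions.

```python
"""Stateless packet filter: anti-spoof rules and the stated firewall policy."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addressing for the example: the protected network sits behind
# interface "int"; everything arriving on "ext" comes from the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Services the policy passes for internal clients without modification
# (7070 is assumed here for the RealAudio control connection)
OUTBOUND_TCP = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 443: "https",
                119: "nntp", 6667: "irc", 7070: "realaudio"}
# Inbound: SMTP and POP3 "in"; telnet and FTP inbound only with strong
# authentication, which a packet filter cannot verify itself, so those are
# passed to the service and flagged in the log
INBOUND_TCP = {25: "smtp", 110: "pop3"}
INBOUND_STRONG_AUTH = {21: "ftp", 23: "telnet"}


@dataclass
class Packet:
    iface: str      # "ext" or "int": interface the packet arrived on
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(pkt: Packet, log: List[str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet and append one log line."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

    def decide(verdict: str, reason: str) -> Tuple[str, str]:
        log.append(f"{verdict.upper():5} {pkt.iface} {pkt.proto} "
                   f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({reason})")
        return verdict, reason

    # Land-style packet: identical source and destination address. No
    # legitimate packet crossing a firewall looks like this, so the port
    # equality Land also relies on does not even need to be checked.
    if src == dst:
        return decide("deny", "land: source equals destination")
    # Anti-spoof filters: the external interface must never see an internal
    # source address, and the internal interface must never see an outside one
    if pkt.iface == "ext" and is_internal(src):
        return decide("deny", "spoofed internal source on external interface")
    if pkt.iface == "int" and not is_internal(src):
        return decide("deny", "non-internal source on internal interface")
    # ICMP (ping, traceroute): outbound only; the replies would need state
    if pkt.proto == "icmp":
        if pkt.iface == "int":
            return decide("allow", "icmp outbound")
        return decide("deny", "icmp from outside")
    if pkt.proto == "tcp":
        if pkt.iface == "int" and pkt.dport in OUTBOUND_TCP:
            return decide("allow", f"{OUTBOUND_TCP[pkt.dport]} outbound")
        if pkt.iface == "ext" and pkt.dport in INBOUND_TCP:
            return decide("allow", f"{INBOUND_TCP[pkt.dport]} inbound")
        if pkt.iface == "ext" and pkt.dport in INBOUND_STRONG_AUTH:
            return decide("allow", f"{INBOUND_STRONG_AUTH[pkt.dport]} inbound, "
                                   "strong authentication required at service")
    # Anything the policy does not name is dropped and logged
    return decide("deny", "default deny")


if __name__ == "__main__":
    log: List[str] = []
    samples = [  # constructed traffic; 198.51.100.0/24 is a documentation range
        Packet("ext", "tcp", "10.0.0.5", "10.0.0.5", 139, 139),        # Land
        Packet("ext", "tcp", "10.0.0.7", "10.0.0.5", 40000, 80),       # spoof
        Packet("int", "icmp", "10.0.0.5", "198.51.100.9"),             # ping out
        Packet("ext", "icmp", "198.51.100.9", "10.0.0.5"),             # ping in
        Packet("int", "tcp", "10.0.0.5", "198.51.100.9", 40000, 443),  # https
        Packet("ext", "udp", "198.51.100.9", "10.0.0.5", 31337, 31337),
    ]
    for p in samples:
        evaluate(p, log)
    print("\n".join(log))
```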

Foil 80 DNS Cache Poisoning (1)

DNS - Domain Name Service - a critical component of the Internet; maps names to IP addresses and locates mail exchangers
Clients use a resolver to access DNS servers
BIND - Berkeley Internet Name Domain - the most common DNS implementation
DNS servers query each other to resolve names; each query carries a Query ID
To lower traffic requirements, DNS servers cache answers
Diagram: resolution of www.company.com. The Client asks its Local DNS, which queries the Root DNS, the COM DNS and the Company DNS in turn.

Foil 81 DNS Cache Poisoning (2)

Diagram: DNS cache poisoning. Parties: Evil (at address x.y.z.w) with its evil DNS; the good DNS used by the Good client; and www.bank with the bank DNS. Numbered steps:
  • (1) any.evil.com ? (Evil asks the good DNS for a name in its own domain)
  • (2) any.evil.com ? (the good DNS forwards the query to the evil DNS)
  • (3) store Query ID# (the evil DNS records the good DNS's query ID)
  • (4) www.bank.com ?
  • (5) www.bank.com ? (the good DNS queries the bank DNS)
  • (6) spoof answer: www.bank.com = x.y.z.w
  • (7) Cache: www.bank.com = x.y.z.w (the good DNS caches the spoofed answer)
  • (8) www.bank.com ? (Good asks the good DNS)
  • (9) x.y.z.w
  • (10) bank transaction (Good connects to x.y.z.w, i.e. to Evil, instead of www.bank)

Foil 82 DNS Cache Poisoning (3)

The DNS cache attack affects all versions of BIND and the Windows NT Server DNS
Defense
  • decrease TTL
  • use hard-to-predict Query IDs
  • digitally sign DNS records
  • use SSL / HTTPS for important transactions
  • protect the DNS server
  • use suspicious-activity detection software
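The defenses above applied to the scenario of the previous two foils, as an added example that is not part of the original foils: a toy caching resolver that uses random Query IDs, caps cached TTLs, and rejects a response whose record lies outside the bailiwick of the question, which is exactly what the spoofed www.bank.com answer to an any.evil.com query is. Server labels, names, addresses and the simplified bailiwick rule are constructed for the example.

```python
"""Toy caching resolver that refuses the spoofed answer from the cache-poisoning diagram."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_TTL = 3600  # "decrease TTL": never cache an answer longer than this


@dataclass
class Query:
    qid: int
    name: str
    server: str   # label of the server the query was sent to


@dataclass
class Answer:
    qid: int
    name: str     # owner name of the record carried in the response
    address: str
    ttl: int
    source: str   # label of the server the response claims to come from


def in_bailiwick(record: str, question: str) -> bool:
    """Simplified bailiwick rule: accept a record only if it is the queried name
    itself or lives under the queried name's parent domain. A reply to
    any.evil.com may therefore not carry a record for www.bank.com."""
    q = question.lower().rstrip(".").split(".")
    r = record.lower().rstrip(".").split(".")
    parent = q[1:] if len(q) > 1 else q
    return r == q or (len(r) >= len(parent) and r[-len(parent):] == parent)


class Resolver:
    def __init__(self) -> None:
        self.pending: Dict[int, Query] = {}
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (address, expiry)

    def ask(self, name: str, server: str) -> Query:
        # "hard to predict Query ID": a random 16-bit ID instead of a counter,
        # so storing one ID (step 3 of the diagram) does not reveal the next one
        qid = secrets.randbelow(1 << 16)
        while qid in self.pending:
            qid = secrets.randbelow(1 << 16)
        self.pending[qid] = Query(qid, name, server)
        return self.pending[qid]

    def receive(self, ans: Answer, now: Optional[float] = None) -> Tuple[bool, str]:
        """Validate a response; only accepted answers reach the cache."""
        now = time.time() if now is None else now
        query = self.pending.get(ans.qid)
        if query is None:
            return False, "unknown query id"
        if ans.source != query.server:
            return False, "response from unexpected server"
        if not in_bailiwick(ans.name, query.name):
            return False, "out-of-bailiwick record"
        del self.pending[ans.qid]
        self.cache[ans.name.lower()] = (ans.address, now + min(ans.ttl, MAX_TTL))
        return True, "cached"

    def lookup(self, name: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self.cache.get(name.lower())
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


if __name__ == "__main__":
    r = Resolver()
    q = r.ask("any.evil.com", "evil-dns")   # step (2) of the diagram
    # step (6): a spoofed www.bank.com record riding on the evil.com query
    print(r.receive(Answer(q.qid, "www.bank.com", "x.y.z.w", 86400, "evil-dns"), now=0))
    print(r.receive(Answer(q.qid, "any.evil.com", "10.9.9.9", 86400, "evil-dns"), now=0))
    print(r.lookup("www.bank.com", now=0), r.lookup("any.evil.com", now=0))
```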

Foil 83 Back Orifice (1)

Allows remote control of Win 95 and Win 98
Backdoor: allows attacker to bypass system security controls
Gives remote access to File system, registry, passwords, operating system, network, processes, screen and keyboard
Introduced in August 1998 by Cult of the Dead Cow (cDc); Free from http://www.cultdeadcow.com
BO2K (Back Orifice 2000) on the way!
Contains integrated services: HTTP server, packet sniffer, keyboard monitor for logging keystrokes, connection and application redirection

Foil 84 Back Orifice (2)

Works in a client-server model; client and server communicate over UDP port 31337 (the port can be changed); all packets between client and server are weakly encrypted
The server must be installed on the victim machine; it is trivial to install and does not show up in the task list
The client runs on the hacker's machine
Very nice GUI; there is also a command line interface

Foil 85 Session Hijacking (1)

Allows an attacker to steal, share, terminate, monitor and log any terminal session that is in progress
The session is stolen across the network
Bypasses all forms of strong authentication
HUNT, a session hijacking tool written in November 1998 (http://www.rootshell.com), allows insertion of commands or takeover of a session
What can be hijacked: telnet, rlogin, rsh, ftp

Foil 86 Session Hijacking (2)

Session hijacking scenario:
  • A telnets to B to get some work done
  • the attacker resets the connection to A
  • the attacker kicks off A and takes over the session to B; the logs will show that A made all the changes
Other tools: Juggernaut, TTYWatcher, IPWatcher
Defenses: use strong authentication (SSH); do not telnet to critical computers

Foil 87 Web Spoofing (1)

Web spoofing = URL rewriting
The attacker creates a false "copy" of the entire Web
  • the attacker takes selected pages; the rest is available on-line
  • the attacker's web server sits between the victim and the rest of the Web (DNS poisoning, registering a false URL in a search engine)
  • if you see http://www.bad.com/http://www.good.com you are under attack; this works even with a secure connection
  • you can ask for it: http://www.anonymizer.com/
  • the attacker can intercept and modify data
  • capture passwords, credit card information, etc.
Defense
  • disable JavaScript (prevents the attacker from hiding URLs)
  • display the URL and look at it
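The "display the URL and look at it" defense written as a check, added here and not part of the original foils: it flags the http://www.bad.com/http://www.good.com rewriting pattern, including a percent-encoded copy hidden in the query string, and only clears a URL that reaches the intended host over https. The sample URLs and the expected host are constructed.

```python
"""Detect the rewritten-URL pattern that marks a web-spoofing proxy."""
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit


def rewritten_target(url: str) -> Optional[Tuple[str, str]]:
    """Return (displayed host, embedded real host) when the path or query
    carries a second absolute URL, the signature of a rewriting proxy;
    return None for a clean URL.  Percent-encoding is undone first so that
    http%3A%2F%2F... in a query parameter is caught as well."""
    outer = urlsplit(url)
    if not outer.hostname:
        return None
    tail = unquote(outer.path)
    if outer.query:
        tail += "?" + unquote(outer.query)
    low = tail.lower()
    for scheme in ("https://", "http://"):
        idx = low.find(scheme)
        if idx != -1:
            inner = urlsplit(tail[idx:])
            if inner.hostname:
                return outer.hostname, inner.hostname
    return None


def safe_to_enter_secrets(url: str, expected_host: str) -> bool:
    """The manual check as code: the host must be the one we meant to reach,
    the connection must be https, and nothing may be rewritten into the URL."""
    outer = urlsplit(url)
    return (outer.scheme == "https"
            and outer.hostname == expected_host.lower()
            and rewritten_target(url) is None)


if __name__ == "__main__":
    for sample in ("http://www.bad.com/http://www.good.com",            # constructed
                   "https://www.bad.com/go?u=https%3A%2F%2Fwww.good.com%2Flogin",
                   "https://www.good.com/login"):
        print(sample, "->", rewritten_target(sample),
              "safe:", safe_to_enter_secrets(sample, "www.good.com"))
```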

Foil 88 Frame Spoofing (1)

The attacker inserts a frame into a web page
  • one of the user's frames can be controlled by an attacker while all others are normal
  • the attacker's frame can be used to gather passwords and credit card information, or to display misleading information
  • exploits an implementation vulnerability in most browsers
  • http://www.secureexperts.com/framespoof
  • developed in December and January 1999
  • the attacker's web server sits between the victim and the rest of the Web
  • web and frame spoofing together create a BIG opportunity
Defense
  • patch your browsers
  • use dynamic frame names for sensitive screens

Foil 89 Unix vs. Windows NT

Unix: since 1969; never intended to be secure; trusted (C2 and up) versions available; better knowledge of what is going on; more mature; easier than NT to set up securely
Windows NT: relatively new; many unknown security issues (black box); very insecure

© Northeast Parallel Architectures Center, Syracuse University, npac@npac.syr.edu

Page produced by wwwfoil on Tue Jul 6 1999