Wednesday, May 19, 2010

Exercise 9

1) Find out about SET and the use of RSA 128-bit encryption for e-commerce.

Secure Electronic Transaction (SET) is a technical specification for securing payment card transactions over open networks such as the Internet. SET helps the buyer and seller to complete a transaction and have it authorized by a bank. It secures payment card transactions over the Internet by using a combination of data encryption, user authentication services and digital certificates to ensure that the transaction data is transferred without interference. The RSA cryptosystem, on the other hand, is a public-key cryptosystem that offers encryption, digital signatures and authentication (Muller, 2002). The RSA public-key cryptosystem can be used to authenticate or identify another person or entity. It works well for this because each entity has an associated private key that prevents access by an intruder, which allows for positive and unique identification (Muller, 2002).

Reference
Muller, N. J. (2002). Desktop encyclopedia of telecommunications (3rd ed.). New York: USA


2) What can you find out about network and host-based intrusion detection systems?

According to Cross et al. (2002), intrusion detection means detecting unauthorized use of, or attacks on, a system or network. An Intrusion Detection System (IDS) is designed and used to detect, and then deflect or deter, such attacks or unauthorized use of systems, networks and related resources. Like firewalls, IDSs may be software or a combination of hardware and software. Generally, IDSs are categorized by the systems they monitor: for example, IDSs may be divided into network-based and host-based types. If they monitor network backbones and look for attack signatures, they are called network-based IDSs, whereas those that operate on hosts, defending and monitoring the operating system and file system for signs of intrusion, are called host-based IDSs (Cross et al., 2002).
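The two IDS types described above, as an added example that is not part of the original post or the cited book: a network-based rule that counts failed SSH logins per source in a constructed sensor log, and a host-based check that compares file fingerprints against a known-good baseline (the log lines, paths and file contents are all constructed here).

```python
import hashlib
import re
from collections import Counter

# Constructed sample of what a network sensor might log (one line per event).
SENSOR_LOG = [
    "10.0.0.5 -> 10.0.0.20:22 ssh login failed user=root",
    "10.0.0.5 -> 10.0.0.20:22 ssh login failed user=admin",
    "10.0.0.5 -> 10.0.0.20:22 ssh login failed user=test",
    "10.0.0.5 -> 10.0.0.20:22 ssh login failed user=guest",
    "10.0.0.7 -> 10.0.0.20:80 http GET /index.html",
    "10.0.0.9 -> 10.0.0.20:22 ssh login failed user=bob",
]
FAILED_LOGIN = re.compile(r"^(?P<src>\S+) -> \S+:22 ssh login failed")

def network_alerts(lines, threshold=3):
    """Network-based signature: report any source with at least `threshold`
    failed SSH logins, a pattern a sensor on the backbone can observe."""
    failures = Counter(m.group("src") for m in map(FAILED_LOGIN.match, lines) if m)
    return sorted(src for src, count in failures.items() if count >= threshold)

def fingerprint(content: bytes) -> str:
    """SHA-256 of the file content; any change to the file changes this value."""
    return hashlib.sha256(content).hexdigest()

def host_alerts(baseline, current):
    """Host-based check: `baseline` maps path -> fingerprint taken when the host
    was known-good, `current` maps path -> bytes read now (constructed here)."""
    alerts = []
    for path, data in current.items():
        if path not in baseline:
            alerts.append((path, "new file"))
        elif fingerprint(data) != baseline[path]:
            alerts.append((path, "modified"))
    for path in baseline:
        if path not in current:
            alerts.append((path, "deleted"))
    return sorted(alerts)

# Constructed baseline and "current" file system state for the demo.
BASELINE = {"/etc/passwd": fingerprint(b"root:x:0:0::/root:/bin/sh\n"),
            "/bin/ls": fingerprint(b"constructed-ls-binary-v1")}
CURRENT = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n",
           "/bin/ls": b"constructed-ls-binary-v1",
           "/tmp/unexpected.bin": b"constructed-unknown-file"}
```

Running `network_alerts(SENSOR_LOG)` flags only 10.0.0.5 (four failures), and `host_alerts(BASELINE, CURRENT)` reports the modified passwd file and the new file in /tmp while the unchanged binary stays silent.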

Reference
Cross, M., Johnson, L., Piltzecker, T., Shimonski, R., & Shinder, L. (2002). Security+ Study Guide and DVD Training System (1st ed.). Rockland: Syngress Publishing, Inc.


3) What is 'phishing'?

Phishing is when someone poses as someone else with the intent of extracting personal information from a victim (Colmer & Thomas, 2005). Phishing on the Internet typically occurs when someone sends a misleading e-mail that asks the victim to send personal information, or to update personal information on an imposter Web site. The Web site, however, is a fake that exists only to steal information.

Reference
Colmer, S., & Thomas, M. (2005). The Senior's Guide to the Internet: Surfing, Shopping, E-Mail and Security. Chelsea: Eklektika Press.


4) What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

According to Sawyer et al., "Netscape's Secure Sockets Layer, SSL, provides a secure channel between web clients and web servers ... this is an important point because unlike the standard Internet protocols, such as TCP/IP, SSL must be selectively employed by the web client (the person surfing)... SSL is a layered approach to providing a secure channel" (1999, p. 103).

In the SET protocol there are four entities: the cardholder, the merchant, the certificate authority and the payment gateway. "SET protocol was developed jointly by Mastercard and Visa with the goal of providing a secure payment environment for the transmission of credit card data" (Sawyer et al., 1999).

According to Sawyer et al., "The initial version of SET protocol is considered to be a stronger security mechanism than other transmission protocols, such as SSL, because of SET's stronger authentication features" (1999). Sawyer points out that SSL is good at providing confidentiality during the transmission of the data, but on its own it does not authenticate either the sender or the receiver of the message (Sawyer et al., 1999).

Therefore, SSL is the protocol for transmitting data over a secure channel, but it does not offer authentication. SET is used mainly for secure authentication of e-commerce transactions on the Internet.

Is SET in common use?
Yes. Because SET was developed by VISA and MasterCard in 1997, transactions involving VISA and MasterCard will use SET.

Reference
Sawyer, B., Greely, D., & Cataudella, J. (1999). Creating Stores on the Web (2nd ed.). Berkeley: Peachpit Press.


5) What are cookies and how are they used to improve security? Can the use of cookies be a security risk?

A cookie is a small piece of information that the HTTP server sends to the browser when the browser connects for the first time. Subsequently, the browser returns a copy of the cookie to the server each time it connects. Cookies contain attributes that tell the browser which servers to send them to. One of the most common uses for cookies is to track user login state (W3C, n.d.). The mechanism is quite simple: a user visits a page and signs in with a username and password. If the information is correct, a cookie that uniquely identifies the user is sent with the next response. Each page in the site checks for that cookie in order to establish the login credentials; as long as the cookie remains intact, the user is treated as verified. The problem with this system is that cookies are sent in plain text over the Internet, making them vulnerable to packet sniffing, where someone intercepts traffic between a computer and the Internet. Once the value of a user's login cookie is taken, it can be used to simulate the same session elsewhere by manually setting the cookie (W3C, n.d.).
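The login-cookie mechanism and its plain-text weakness, as an added example that is not part of the original post or the W3C FAQ: it parses a Set-Cookie header with Python's standard-library parser, reports attributes that are missing, and models the rule the Secure attribute adds (the cookie is returned only over HTTPS, so it is not exposed to the sniffing described above). The header values and the host name shop.example are constructed.

```python
from http.cookies import SimpleCookie   # standard-library Set-Cookie parser
from urllib.parse import urlparse

# Constructed sample headers. The first is the kind of login cookie the text
# describes; the second adds attributes that limit where the browser sends it.
WEAK_SET_COOKIE = "session=a1b2c3; Path=/"
HARDENED_SET_COOKIE = ("session=a1b2c3; Path=/; Domain=shop.example; "
                       "Secure; HttpOnly")

def audit_set_cookie(header: str) -> dict:
    """Return {cookie name: [findings]} for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["secure"]:      # flag attributes parse as True or ""
            problems.append("no Secure: also sent over plain HTTP, so sniffable")
        if not morsel["httponly"]:
            problems.append("no HttpOnly: readable by scripts on the page")
        if not morsel["domain"]:
            problems.append("no Domain: returned only to the issuing host")
        findings[name] = problems
    return findings

def browser_would_send(header: str, url: str) -> bool:
    """Model the one rule the Secure attribute adds: a Secure cookie is
    returned only on https:// requests (Domain/Path matching is assumed)."""
    jar = SimpleCookie()
    jar.load(header)
    https = urlparse(url).scheme == "https"
    return all(https or not morsel["secure"] for morsel in jar.values())
```

The weak header yields three findings and is sent over an http:// request, while the hardened one passes the audit and is held back until the request is https://.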

Reference
W3C. (n.d.). Client Side Security. Retrieved May 1, 2010, from http://www.w3.org/Security/Faq/wwwsf2.html


6) What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?

If a computer is connected to the Internet and is not protected in some way, it is vulnerable to attacks by external hackers. These attacks can be quite harmful to the PC and can even result in the loss of valuable data saved on the hard drive. A firewall is what protects a system from outside attacks and intrusions. Many hackers actively try to access computers for devious purposes; these unwanted visitors can steal data and also use your computer for their criminal plans, such as sending out junk e-mail. A firewall regulates traffic between different zones, such as the Internet and internal networks, each of which has a different level of trust.

Personally, I feel a firewall is used to protect valuable data from hackers and malware. Without a firewall, the valuable data may be stolen or modified. The main point is to protect data, as data is the most valuable thing. In order to protect the most valuable thing, a firewall is a good security investment.

The three firewall vendors are listed below (Juniper Networks, n.d.):

Juniper Networks - The products are the NetScreen-5200 and NetScreen-5400. Juniper Networks provides mainly hardware firewalls.

WatchGuard - The products are Fireware XTM and the Firebox X-Edge e-series. WatchGuard mainly makes hardware firewalls.

Check Point - The products are the Power-1 11000 Series (hardware) and Software Blades (software), so Check Point offers BOTH hardware and software.

References
Juniper Networks (n.d.). Product. Retrieved May 1, 2010, from http://www.juniper.net/us/en/products-services/security/netscreen/

WatchGuard (n.d.). Fireware XTM. Retrieved May 1, 2010, from http://www.watchguard.com/products/fireware-xtm.asp?t=main


7) What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

E-commerce sites should provide many security features in order to acquire trust. The following are some of the measures that can be found: reviews from trusted sources, digital certificates from a trusted source, encryption, customer reviews (although these cannot be guaranteed), and the provision of telephone numbers, ABN, industry membership, addresses or other details that can be used to verify that the seller is legitimate.

8) Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy.
The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?

Besides digital certificates and passports, there are other tools for validating legitimate users and avoiding consequences such as identity theft. These tools are the digital signature, the electronic ID and the digital fingerprint.

A digital signature or digital signature scheme is a type of asymmetric cryptography. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digitally signed messages may be anything represented as a bit string: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol. (Wikipedia, 2010)

An e-ID (short for Electronic Identification) and its corresponding password are your means of identifying yourself to the various services available at SIUE. If you apply for an e-ID using the following web pages and meet all the criteria, you will be assigned an e-ID and password. An e-ID will give you access to many services provided at SIUE (Edwardsville, n.d.).

A digital fingerprint is an identifying sequence of digits which is the result of applying a mathematical algorithm to the complete content of a digital file. Digiprove uses a proven algorithm called "SHA256" for this. The process generates a 256-bit (64 character) calculated value, and the algorithm is so constructed that even the tiniest change to a document will result in a change to its fingerprint. The algorithm is a "one-way" process which means that it is not possible to recreate a document from the fingerprint, and that it is not possible (without massive computing power factors beyond those currently available) for a computer program to calculate a document that will result in a given fingerprint. (DIGIPROVE, n.d.)
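The three ideas above fit together in one mechanism, shown here as an added example that is not from the original post or any of the cited sources: a SHA-256 fingerprint of a document (the "tiniest change" property just described) is signed with an RSA private key, so only the key holder can produce a valid signature (the authentication point from question 1) and the receiver can detect tampering and hold the signer to the message (the digital signature and non-repudiation points). The primes, exponent and documents are constructed and toy-sized; a real deployment uses roughly 2048-bit primes and a padding scheme such as PSS rather than a bare modular exponent.

```python
import hashlib

# Toy RSA key pair from two small, constructed primes (needs Python 3.8+ for
# the modular inverse). Real systems use ~2048-bit primes plus PSS padding.
P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent
D = pow(E, -1, PHI)            # private exponent: E * D == 1 (mod PHI)

def fingerprint(data: bytes) -> str:
    """SHA-256 digest of the whole document as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()

def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Sign the fingerprint with the private key: s = h^d mod n.
    The 256-bit digest is reduced mod n only because the toy key is small."""
    h = int(fingerprint(data), 16) % n
    return pow(h, d, n)

def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key (e, n) recomputes the fingerprint and
    checks s^e == h (mod n); no private key is needed to verify."""
    h = int(fingerprint(data), 16) % n
    return pow(signature, e, n) == h

def demo() -> dict:
    contract = b"Pay 100 EUR to merchant 42"       # constructed documents
    tampered = b"Pay 900 EUR to merchant 42"
    sig = sign(contract)
    return {
        "fingerprints_differ": fingerprint(contract) != fingerprint(tampered),
        "valid_on_original": verify(contract, sig),
        "valid_on_tampered": verify(tampered, sig),          # False: content changed
        "valid_from_wrong_key": verify(contract, sign(contract, d=12345)),  # False
    }
```

`demo()` returns True for the first two entries and False for the last two: a single changed digit alters the fingerprint, so the old signature no longer verifies, and a signature made without the matching private key fails in the same way.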

References
Wikipedia. (2010). Digital Signature. Retrieved on May 1, 2010, from http://en.wikipedia.org/wiki/Digital_Signature

Edwardsville. (n.d.). Electronic ID (E-ID). Retrieved on May 2, 2010, from http://www.siue.edu/its/ftc/bb/ and http://www.siue.edu/its/ftc/bb/pdf/new_e_ID.pdf

DIGIPROVE. (n.d.). What is Digital Fingerprint? Retrieved May 1, 2010, from http://www.digiprove.com/faq_what_is_digital_fingerprint.aspx
