7.8 Security

Security is crucial to business, and the technology has three components:

1. Privacy of data,
2. Secure channels of communication, and
3. Protection of the system by firewalls and anti-virus software.

Privacy

While most ecommerce merchants leave the mechanics to their hosting company or IT staff, it helps to understand the basic principles. Any security system has to meet four requirements:

1. Privacy: information must be kept from unauthorized parties.
2. Integrity: message must not be altered or tampered with.
3. Authentication: sender and recipient must prove their identities to each other.
4. Non-repudiation: proof is needed that the message was indeed received.

Encryption

Privacy is handled by encryption. In PKI (public key infrastructure) a message is encrypted by a public key, and decrypted by a private key. The public key is widely distributed, but only the recipient has the private key. For authentication (proving the identity of the sender, since only the sender has the particular key) the encrypted message is encrypted again, but this time with a private key. Such procedures form the basis of RSA (used by banks and governments) and PGP (Pretty Good Privacy, used to encrypt emails).

Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often used only as a first step — to allow two parties to agree upon a key for symmetric secret key encryption. Here sender and recipient use keys that are generated for the particular message by a third body, a key distribution center. The keys are not identical, but each is shared with the key distribution center, which allows the message to be read. The symmetric keys are then encrypted in the RSA manner, and the rules for doing so are set by various protocols.

Naturally, the private keys have to be kept secret, and most security lapses indeed arise here.

Digital Signatures and Certificates

Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value: the message digest. This digest, the hash function, and the plain text encrypted with the recipient's public key are sent to the recipient. The recipient decrypts the message with their private key, and runs it through the supplied hash function to check that the message digest value is unchanged (i.e. the message has not been tampered with). Very often, the message is also timestamped by a third party agency, which provides non-repudiation.

What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the emerchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that uniquely identifies the merchant.

Digital certificates are sold for emails, emerchants and web-servers.

Secure Channel Communication

Secure Sockets Layer (SSL)

Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is broken into packets, numbered sequentially, and an error check attached. Individual packets are sent by different routes. TCP/IP reassembles them in order and retransmits any packet showing errors. SSL runs on top of TCP/IP and uses PKI and digital certificates to ensure privacy and authentication.

The procedure is something like this: the client sends a message to the server, which replies with a digital certificate. Using PKI, server and client negotiate to create session keys, which are symmetrical secret keys specially created for that particular transmission. Once the session keys are agreed, communication continues with these session keys and the digital certificates.

PCI, SET and Kerberos

Credit card details can be safely sent with SSL, but once stored on the server they are vulnerable to outsiders hacking into the server and the accompanying network. A PCI (peripheral component interconnect: hardware) card is therefore often added for protection, or another approach altogether is adopted: SET (Secure Electronic Transaction). Developed by Visa and Mastercard, SET uses PKI for privacy, and digital certificates to authenticate the three parties: merchant, customer and bank. More importantly, sensitive information is not seen by the merchant, and is not kept on the merchant's server.

Network Protection

Firewalls

Firewalls (software and/or hardware) protect a server, a network and an individual PC from attack by viruses and hackers. The system (which may be a separate, networked computer but is commonly just a program running on the client network or computer) filters communication packets according to some prearranged set of rules. The rules are generally set by default and modified by some question and answer routine, and cover such matters as source IP address, destination port or address, and type of service requested. Filtering is then automatic, with anything outside the rules being flagged for an individual decision. Two types of firewall exist:

1. Packet filters, that examine the origin and destination of packets: fast but vulnerable to snooping.
2. Application gateways, that examine the application being requested: more secure but slow the system down.
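The packet filter described above is simply an ordered rule base over source address, destination address and port, with a default that hands anything unmatched to a human. The following is an added example written for this page (not code from the original text or from any firewall product): a small first-match-wins filter over constructed sample packets, using RFC 5737 documentation addresses. Rule contents, host addresses and the "flag" default are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"

# Ordered rule base, first match wins. Fields: action, source network, destination network,
# destination port (None = any), protocol (None = any). Addresses are constructed examples.
RULES = [
    ("allow", "0.0.0.0/0",  "203.0.113.10/32", 443, "tcp"),  # public HTTPS to the web server
    ("allow", "10.0.0.0/8", "203.0.113.20/32", 22,  "tcp"),  # SSH to the admin host from the LAN only
    ("deny",  "0.0.0.0/0",  "203.0.113.20/32", 22,  "tcp"),  # ... and from nowhere else
    ("deny",  "0.0.0.0/0",  "0.0.0.0/0",       23,  None),   # telnet is never acceptable
]
DEFAULT_ACTION = "flag"  # nothing matched: hold the packet for an individual decision

def matches(rule, packet: Packet) -> bool:
    # A packet filter sees only header fields; it cannot inspect the application payload,
    # which is the gap application gateways close at the cost of speed.
    _, src_net, dst_net, dport, proto = rule
    return (ip_address(packet.src) in ip_network(src_net)
            and ip_address(packet.dst) in ip_network(dst_net)
            and (dport is None or dport == packet.dport)
            and (proto is None or proto == packet.proto))

def evaluate(packet: Packet, rules=RULES) -> str:
    """Return the action for one packet: 'allow', 'deny' or 'flag'."""
    for rule in rules:
        if matches(rule, packet):
            return rule[0]
    return DEFAULT_ACTION

def filter_batch(packets, rules=RULES) -> dict:
    """Apply the rule base to many packets; returns {'allow': [...], 'deny': [...], 'flag': [...]}."""
    decisions = {"allow": [], "deny": [], "flag": []}
    for packet in packets:
        decisions[evaluate(packet, rules)].append(packet)
    return decisions

# Constructed sample traffic (not captured data)
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", 443,  "tcp"),  # customer browsing the shop -> allow
    Packet("10.1.2.3",     "203.0.113.20", 22,   "tcp"),  # admin from the LAN -> allow
    Packet("198.51.100.7", "203.0.113.20", 22,   "tcp"),  # SSH from the Internet -> deny
    Packet("198.51.100.7", "203.0.113.30", 23,   "tcp"),  # telnet -> deny
    Packet("198.51.100.7", "203.0.113.10", 8080, "tcp"),  # unexpected port -> flag for review
]

if __name__ == "__main__":
    for action, pkts in filter_batch(SAMPLE).items():
        for p in pkts:
            print(f"{action:5} {p.src} -> {p.dst}:{p.dport}/{p.proto}")
```

Rule order matters: the LAN "allow" for SSH must precede the general "deny", or administrators lock themselves out, and the default of flagging rather than silently dropping is what gives the operator the "individual decision" the text mentions.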

Equally important is protection from malice or carelessness within the system, and many companies use the Kerberos protocol, which uses symmetric secret key cryptography to restrict access to authorized employees.

Proxy Servers

Proxy servers operate between the Internet and the client system, and perform these functions:

1. Validate the request, acting somewhat as a firewall.
2. Restrict access, preventing employees visiting stock-trading and pornography sites in company hours.
3. Hide the company's IP address from would-be hackers.
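The three proxy functions in the list above can be shown together as a single request decision: validate the request, apply the access policy, and strip anything that would reveal the internal client before forwarding. The following is an added example written for this page, not code from the original text or from any proxy product. The blocked domain names, the work-hours window and the proxy name "corp-proxy" are constructed for the illustration.

```python
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed policy: blocked domains by category (hypothetical names) and the company's work hours
BLOCKED_DOMAINS = {"trading.example": "stock-trading", "adult.example": "adult content"}
WORK_START, WORK_END = time(9, 0), time(17, 30)
# Request headers that would expose the internal client's address to the destination site
CLIENT_IDENTIFYING = {"x-forwarded-for", "x-real-ip", "forwarded"}

def blocked_category(host: str):
    """Return the policy category for a host (matching subdomains too), or None."""
    for domain, category in BLOCKED_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None

def in_work_hours(now: datetime) -> bool:
    return now.weekday() < 5 and WORK_START <= now.time() <= WORK_END

def decide(url: str, headers: dict, now: datetime):
    """Return (action, reason, outbound_headers) for one client request passing through the proxy."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:  # 1. validate the request
        return "reject", "malformed or non-web request", {}
    host = parts.hostname.lower()
    category = blocked_category(host)
    if category and in_work_hours(now):                                # 2. restrict access
        return "block", f"{category} site during work hours", {}
    # 3. forward, but only with headers that do not identify the internal client;
    #    the destination sees the proxy's own address and a Via header naming it
    outbound = {k: v for k, v in headers.items() if k.lower() not in CLIENT_IDENTIFYING}
    outbound["Via"] = "1.1 corp-proxy"  # hypothetical proxy name
    return "forward", host, outbound

if __name__ == "__main__":
    sample_headers = {"Host": "trading.example", "X-Forwarded-For": "10.1.2.3", "User-Agent": "demo"}
    print(decide("https://trading.example/quotes", sample_headers, datetime(2024, 3, 6, 11, 0)))
    print(decide("https://shop.example/cart", sample_headers, datetime(2024, 3, 6, 11, 0)))
```

Keeping the time check separate from the domain match is what lets the same policy permit the site outside company hours, as the text implies, without maintaining two lists.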

Anti-Virus Software

Anti-virus software is cheap and widely available. The software needs to be run regularly and updated continually (often several times a day), since new viruses are being devised and released all the time. Anti-virus programs will generally catch and identify viruses, worms and trojans, but separate programs (again cheap) are often needed to eliminate spyware.

Because these programs can interfere with the smooth running of systems, some IT managers rely entirely on finely-tuned firewalls for network protection.

Transactions

Sensitive information has to be protected through at least three transactions:

1. Credit card details supplied by the customer, either to the merchant or payment gateway. Handled by the server's SSL and the merchant/server's digital certificates.
2. Credit card details passed to the bank for processing. Handled by the complex security measures of the payment gateway.
3. Order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company. Handled by SSL, server security, digital certificates (and payment gateway sometimes).

Questions

1. What are the four requirements of any security system?
2. Explain how PKI encryption works.
3. What protocols are available for secure channel communication? Explain briefly how they work.
4. How are networks kept secure? Name some popular services and/or software available.
5. What security measures surround the online handling of credit card information?

Sources and Further Reading

1. Epic. Aims to focus public attention on emerging civil liberties issues and to protect privacy.
2. Security Information Magazine. Latest security news and vendor information: downloadable articles.
3. Security Magazine. News, product reviews and free magazine for security professionals.
4. WindowsSecurity. Extensive listings of security articles, services and resources: somewhat technical: newsletter.
5. Cryptography FAQ. Extensive list of questions and answers.
6. Computer Security Resource Center. Government papers on firewalls and other security matters.
7. Gild. Overview and listing of firewall products.
8. Kerberos: Network Authentication Protocol. Extensive articles on theory and implementation.
9. Kerberos FAQ. Very full answers to usual questions.