Electronic commerce fundamentals ch6


Chapter 6: Implementing Security for Electronic Commerce

Electronic Commerce


Objectives
◆ Security measures that can reduce or eliminate intellectual property theft
◆ Securing client computers from attack by viruses and by ill-intentioned programs and scripts downloaded in Web pages
◆ Authenticate users to servers and authenticate servers


Objectives
◆ Available protection mechanisms to secure information sent between a client and a server
◆ Message integrity security, preventing another program from altering information as it travels across the Internet


Objectives
◆ Safeguards that are available so commerce servers can authenticate users
◆ Protecting intranets with firewalls and corporate servers against being attacked through the Internet
◆ The role Secure Sockets Layer, Secure HTTP and Secure Electronic Transaction protocols play in protecting e-commerce


Protecting Electronic Commerce Assets
◆ You cannot hope to produce secure commerce systems unless there is a written security policy
● What assets are to be protected
● What is needed to protect those assets
● Analysis of the likelihood of threats
● Rules to be enforced to protect those assets


Protecting Electronic Commerce Assets
◆ Both defense and commercial security guidelines state that you must protect assets from
● Unauthorized disclosure
● Modification
● Destruction
◆ Typical security policy concerning confidential company information
● Do not reveal company confidential information to anyone outside the company


Minimum Requirements for Secure Electronic Commerce
Figure 6-1


Protecting Intellectual Property
◆ The dilemma for digital property is how to display and make available intellectual property on the Web while protecting those copyrighted works
◆ Intellectual Property Protection in Cyberspace recommends:
● Host name blocking
● Packet filtering
● Proxy servers


Companies Providing Intellectual Property Protection Software
◆ ARIS Technologies
● Digital audio watermarking systems
● Embedded code in audio file uniquely identifying the intellectual property
◆ Digimarc Corporation
● Watermarking for various file formats
● Controls software and playback devices


Companies Providing Intellectual Property Protection Software
◆ SoftLock Services
● Allows authors and publishers to lock files containing digital information for sale on the Web
● Posts files to the Web that must be unlocked with a purchased ‘key’ before viewing


SoftLock Services Home Page
Figure 6-2


Protecting Client Computers
◆ Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
◆ Threats can hide in
● Web pages
● Downloaded graphics and plug-ins
● E-mail attachments



Protecting Client Computers
◆ Cookies
● Small pieces of text stored on your computer that contain sensitive information that is not encrypted
● Anyone can read and interpret cookie data
● Do not harm client machines directly, but potentially could still cause damage
◆ Misplaced trust
● Web sites that aren’t really what they seem and trick the user into revealing sensitive data
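The following is an added example, not code from the textbook or its slides, that makes the cookie bullets concrete: it parses Set-Cookie headers, shows that a base64-wrapped value is still plain text to anyone who reads it, and reports the attributes a defender expects (Secure, HttpOnly, SameSite). The two headers are constructed sample values, not captured from a real site, and the function names (parseSetCookie, revealValue, auditSetCookie, auditAll) are illustrative. It runs under Node.js with no third-party modules.

```javascript
// Added example, not code from the textbook: a small audit of Set-Cookie headers
// that shows what the slide means by "anyone can read and interpret cookie data".
// The headers below are constructed sample values, not captured from any real site,
// and the function names are illustrative.

// Split one Set-Cookie header into its name, value and an attribute map
// (attribute names lower-cased; flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Cookie values are stored as text, not encrypted. Base64 only hides a value from
// a casual glance; if the value is valid base64 that decodes to printable text,
// return the decoded text, otherwise return the value unchanged.
function revealValue(value) {
  if (!/^[A-Za-z0-9+/]+=*$/.test(value)) return value;
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  const printable = /^[\x20-\x7e]+$/.test(decoded);
  const roundTrips = Buffer.from(decoded, 'utf8').toString('base64') === value;
  return printable && roundTrips ? decoded : value;
}

// Report the weaknesses a defender looks for: missing Secure (cookie also travels
// over plain HTTP), missing HttpOnly (page scripts can read it), missing SameSite
// (sent on cross-site requests), and sensitive-looking data in the clear.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!('secure' in cookie.attrs)) findings.push('missing Secure');
  if (!('httponly' in cookie.attrs)) findings.push('missing HttpOnly');
  if (!('samesite' in cookie.attrs)) findings.push('missing SameSite');
  const revealed = revealValue(cookie.value);
  if (/\b(card|pass|ssn|role)\b/i.test(revealed)) {
    findings.push(`sensitive data in clear text: ${revealed}`);
  }
  return { name: cookie.name, findings };
}

// Constructed sample headers: one weak cookie carrying a base64-wrapped profile,
// one session cookie with the protective attributes set.
const SAMPLE_HEADERS = [
  `profile=${Buffer.from('user=alice;role=admin;card=4111111111111111').toString('base64')}; Path=/`,
  'session=3f9c2a7b; Path=/; Secure; HttpOnly; SameSite=Lax',
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}

for (const result of auditAll()) {
  console.log(result.name, result.findings.length ? result.findings : ['no findings']);
}
```

The first header is reported four times (no Secure, no HttpOnly, no SameSite, and the decoded profile including the role and card number); the second, which only carries an opaque session identifier and sets all three attributes, produces no findings. Sensitive data belongs server-side, keyed by such an opaque identifier, rather than in the cookie itself.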


Monitoring Active Content
◆ Netscape Navigator and Microsoft Internet Explorer browsers are equipped to allow the user to monitor active content before allowing it to download
◆ Digital certificates provide assurance to clients and servers that the participant is authenticated


Digital Certificates
◆ Also known as a digital ID
◆ An attachment to an e-mail message
◆ Embedded in a Web page
◆ Serves as proof that the holder is the person or company identified by the certificate
◆ Encoded so that others cannot read or duplicate it



VeriSign -- A Certification Authority
Figure 6-3


VeriSign
◆ Oldest and best-known Certification Authority (CA)
◆ Offers several classes of certificates
● Class 1 (lowest level): binds e-mail address and associated public keys
● Class 4 (highest level): applies to servers and their organizations
◆ Offers assurance of an individual’s identity and relationship to a specified organization


Structure of a VeriSign Certificate
Figure 6-4


Microsoft Internet Explorer
◆ Provides client-side protection right inside the browser
◆ Reacts to ActiveX and Java-based content
◆ Authenticode verifies the identity of downloaded content
◆ The user decides to ‘trust’ code from individual companies


Security Warning and Certificate Validation
Figure 6-5


Internet Explorer Zones and Security Levels
Figure 6-6


Internet Explorer Security Zone Default Settings
Figure 6-7


Netscape Navigator
◆ User can decide to allow Navigator to download active content
◆ User can view the signature attached to Java and JavaScript
◆ Security is set in the Preferences dialog box
◆ Cookie options are also set in the Preferences dialog box


Setting Netscape Navigator Preferences
Figure 6-8


A Typical Netscape Navigator Java Security Alert
Figure 6-9

