Security Fundamentals for E-Commerce, part 1 (ppt)




Document information

Series foreword

For a complete listing of the Artech House Computing Library, turn to the back of this book.

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce (e-commerce). Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high-standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL: http://www.esecurity.ch/serieseditor.html

Also, if you'd like to contribute to the series and write a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Computer Security Series (Rolf Oppliger, Series Editor)

Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas
Security Fundamentals for E-Commerce, Vesna Hassler
Security Technologies for the World Wide Web, Rolf Oppliger

Title page

Security Fundamentals for E-Commerce
Vesna Hassler
Pedrick Moore, Technical Editor
Artech House, Boston / London
www.artechhouse.com

Library of Congress Cataloging-in-Publication Data

Hassler, Vesna.
Security fundamentals for E-commerce / Vesna Hassler; Pedrick Moore, technical editor.
p. cm. (Artech House computer security series)
Includes bibliographical references and index.
ISBN 1-58053-108-3 (alk. paper)
1. Electronic commerce - Security measures. 2. Broadband communication systems. I. Moore, Pedrick. II. Title. III. Series.
HF5548.32 .H375 2000
658.84 dc21 00-064278 CIP

British Library Cataloguing in Publication Data

Hassler, Vesna
Security fundamentals for e-commerce. (Artech House computer security series)
1. Business enterprises - Computer networks - Security measures 2. Electronic commerce - Security measures 3. Broadband communication systems
I. Title II. Moore, Pedrick
005.8
ISBN 1-58053-406-6

Cover design by Wayne McCaul

© 2001 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-108-3
Library of Congress Catalog Card Number: 00-064278

Dedication

To my families, Ristić and Hassler

Contents (only the entries visible in the preview; "[...]" marks entries or titles the preview omits)

Preface xix
What is covered in this book xix
Is security an obstacle to e-commerce development? xx
Why I wrote this book xxi
Some disclaimers xxi
How to read this book xxi
Acknowledgements xxii

Part 1 Information Security 1
1 Introduction to Security 3
1.1 Security Threats 3
1.2 Risk Management 4
1.3 Security Services 5
1.4 Security Mechanisms 6
2 Security Mechanisms 11
2.1 Data Integrity Mechanisms 11
2.1.1 Cryptographic Hash Functions 12
2.1.2 Message Authentication Code 14
2.2 Encryption Mechanisms 15
2.2.1 Symmetric Mechanisms 15
2.2.2 Public Key Mechanisms 24
2.3 Digital Signature Mechanisms 36
2.3.1 RSA Digital Signature 37
2.3.2 Digital Signature Algorithm 38
2.3.3 Elliptic Curve Analog of DSA 40
2.3.4 Public Key Management 41
2.4 Access Control Mechanisms 41
2.4.1 Identity-Based Access Control 42
2.4.2 Rule-Based Access Control 43
2.5 Authentication Exchange Mechanisms 43
2.5.1 Zero-Knowledge Protocols 44
2.5.2 Guillou-Quisquater 44
2.6 Traffic Padding Mechanisms 45
2.7 Message Freshness 46
2.8 Random Numbers 47
3 Key Management and Certificates 51
3.1 Key Exchange Protocols 51
3.1.1 Diffie-Hellman 52
3.1.2 Elliptic Curve Analog of Diffie-Hellman 53
3.2 Public Key Infrastructure 53
3.2.1 X.509 Certificate Format 54
3.2.2 Internet X.509 Public Key Infrastructure 59
3.3 Encoding Methods 61

Part 2 Electronic Payment Security 65
4 Electronic Payment Systems 67
4.1 Electronic Commerce 67
4.2 Electronic Payment Systems 68
4.2.1 Off-line Versus Online 69
4.2.2 Debit Versus Credit 70
4.2.3 Macro Versus Micro 70
4.2.4 Payment Instruments 70
4.2.5 Electronic Wallet 75
4.2.6 Smart Cards 75
4.3 Electronic Payment Security 76
5 Payment Security Services 79
5.1 Payment Security Services 79
5.1.1 Payment Transaction Security 81
5.1.2 Digital Money Security 83
5.1.3 Electronic Check Security 83
5.2 Availability and Reliability 84
6 Payment Transaction Security 85
6.1 User Anonymity and Location Untraceability 85
6.1.1 Chain of Mixes 86
[...]
[...] Expensive-to-Produce Coins 110 110
7.4 Protection Against Stealing of Coins 111
7.4.1 Customized Coins 111
8 Electronic Check Security 119
8.1 Payment Authorization Transfer 119
8.1.1 Proxies 120
9 An Electronic Payment Framework 125
9.1 Internet Open Trading Protocol (IOTP) 125
9.2 Security Issues 127
9.3 An Example With Digital Signatures 128

Part 3 Communication Security 133
10 Communication Network 135
10.1 Introduction 135
10.2 The OSI Reference Model 136
10.3 The Internet Model 138
10.4 Networking Technologies 141
10.5 Security at Different Layers 143
10.5.1 Protocol Selection Criteria 145
10.6 Malicious Programs 146
10.6.1 The Internet Worm 147
10.6.2 Macros and Executable Content 149
10.7 Communication Security Issues 149
10.7.1 Security Threats 150
10.7.2 Security Negotiation 153
10.7.3 [...] 154
10.7.4 Vulnerabilities and Flaws 154
10.8 Firewalls 157
10.9 Virtual Private Networks (VPN) 158
11 Network Access Layer Security 161
11.1 Introduction 161
11.2 Asynchronous Transfer Mode (ATM) 162
11.2.1 ATM Security Services 164
11.2.2 Multicast Security 169
11.2.3 ATM Security Message Exchange 169
11.2.4 ATM VPN 169
11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4 [titles not in preview] 170 173 [...] 174 176 179
12 [...]
[...] Addresses and Port Numbers; Problems With TCP; Network Address Translation (NAT) (pages 186, 186, 188, 191, 195; section numbers and the two preceding titles are not in the preview)
12.3 IP Security (IPsec) 196
12.3.1 Security Association 197
12.3.2 The Internet Key Exchange (IKE) 199
12.3.3 IP Security Mechanisms 204
12.4 Domain Name Service (DNS) Security 210
12.5 Network-Based Intrusion Detection [...]
12.5.1 Network Intrusion Detection Model [...]
12.5.2 Intrusion [...]
12.5.3 [...]
[...]
14.5.2 Types of Intruders 249
14.5.3 Statistical Intrusion Detection 250
14.6 Security-Enhanced Internet Applications 251
14.7 Security Testing 251

Part 4 Web Security 255
15 The Hypertext Transfer Protocol 257
15.1 Introduction 257
15.2 Hypertext Transfer Protocol (HTTP) [...]
15.2.1 HTTP Messages [...]
15.2.2 Headers Leaking Sensitive Information [...]
15.2.3 HTTP Cache Security Issues [...]
15.2.4 [...]
15.2.5 [...]
[...]

Preface (excerpts from the preview)

[...] because of the frequent reports on security incidents [fn 1] and denial-of-service attacks. [fn 2] One "positive" consequence of such attacks is that certain governments have now recognized the importance of a common network security infrastructure, because vulnerabilities at one place on the network can create risks for all. [fn 3] Security technologies are, for the most part, sufficiently mature for e-commerce. To some extent [...]

[...] computer and network security at the graduate level. The book is also intended for all IT professionals and others with some technical background who are interested in e-commerce security.

Some disclaimers

This book does not cover all aspects of e-commerce, nor does it discuss specific e-commerce models and their particular security requirements. As its name says, the book deals with the fundamental security [...]

1 Introduction to Security (excerpts from the preview)

Risk matrix (probability versus seriousness), as shown in the preview:

                     Probability
Seriousness      Seldom   Not often   Often
Not serious        1          2         3
Serious            4          5         6
Very serious       7          8         9

[...] security measures implemented are sufficient. The Internet is a constantly changing environment, also from the security perspective; new vulnerabilities and new, more efficient, attacks are being discovered all the time. It is the role of compliance management to analyze whether the security [...]

[...] are outside the scope of this book. Nor are notarization mechanisms considered further, since they are based on authentication and nonrepudiation mechanisms. The ISO standard [3] defines the placement of security services and mechanisms in the OSI (Open Systems Interconnection) seven-layer reference model. Some services may be provided at more than one layer if the effect on security is different (Table 1.2 [4]).

Table 1.2 Placement of Security Services in the OSI 7-Layer Reference Model (the cell layout is not recoverable from the preview; layers named: Application, Presentation, Session, Transport, Network, Data Link; services named: Nonrepudiation of Delivery, Nonrepudiation of Origin, Selective Field Confidentiality, Selective Field Connection Integrity, Selective Field Connectionless Integrity, Connection Integrity with Recovery, Connection Integrity [...])

Posted: 14/08/2014, 18:21
