Tuesday, May 11, 2010

Exercise 9

1. Find out about SET and the use of RSA 128-bit encryption of e-commerce.

In the Internet arena, e-commerce has not grown as quickly as the Internet itself. Its growth is largely hindered by security threats, and many security protection mechanisms have been developed in response.

SET (Secure Electronic Transaction) is an ‘open encryption and security specification designed to protect credit card transactions on the Internet.’ (Stallings, 2002) The initial version, SETv1, emerged from a call for security standards by MasterCard and Visa in February 1996. Later more companies joined the development of the specification, including IBM, Microsoft, Netscape, RSA, Terisa, and Verisign.

After years of evolution, SET is now widely used for secure digital transactions. Digital certificates, digital signatures, and digital wallets all function according to the SET protocol. (Free Encyclopedia of Ecommerce, n.d.)


The SET protocol has several components.

  • The Cardholder Application, also referred to as a digital wallet, is held by an online consumer and packages a digital signature and credit card information that ensures his or her identity and safeguards his or her financial information through a complex encryption system.
  • The Merchant Server component is the verification product held by the merchant to process the online card payment.
  • The Payment Gateway component is held by an acquiring bank or other trusted third party that accepts and processes the merchant's verification and the customer's payment information and filters them to their appropriate financial institutions.
  • The Certificate Authority component, usually run by a financial institution, is the trusted agent that issues the digital certificates and is responsible for ensuring that all users of digital certificates are in fact secure and trustworthy customers.

Whereas SET is a security mechanism, RSA is a cryptographic algorithm. RSA is named after its three inventors, Rivest, Shamir and Adleman, who were the first to publish this algorithm for public-key cryptography. According to Wikipedia, it is the ‘first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.’ (Wiki, 2010)

In cryptography, the key size or key length makes a difference to the security level. The 128-bit key size follows the AES (Advanced Encryption Standard) standard published in 2001. Optionally, AES can also use keys of up to 256 bits (a specification requirement for submissions to the AES contest). 128 bits is currently thought, by many observers, to be sufficient for the foreseeable future for symmetric algorithms of AES's quality. The U.S. Government requires 192- or 256-bit AES keys for highly sensitive data.

References

Free Encyclopedia of Ecommerce. (n.d.) Secure Electronic Transaction. Retrieved on 11 May 2010 from http://ecommerce.hostip.info/pages/925/Secure-Electronic-Transaction-SET.html#ixzz0naiBdjeg

Stallings, W. (2002). Introduction to Secure Electronic Transaction (SET). Prentice Hall. Retrieved on 11 May 2010 from http://www.informit.com/articles/article.aspx?p=26857

Wiki. (2010). Key size. Retrieved on 11 May 2010 from http://en.wikipedia.org/wiki/Key_size


2. What can you find out about network and host-based intrusion detection systems?

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An IDS (intrusion detection system) is a device (or application) that monitors network and/or system activities for malicious activity or policy violations and produces reports to a management station.

There are two main types of IDSs: network-based and host-based.

In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic.

In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed, including file system, logs and the kernel. Some application-based IDS are also part of this category.
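
The two sensor types described above, as an added example that is not part of the original post: a network sensor that matches content signatures against packet payloads and flags a one-source port sweep, beside a host sensor that compares monitored files against a hash baseline. All packet records and file contents are constructed sample data.

```python
"""Toy NIDS and HIDS checks over constructed sample data (added example)."""
import hashlib
from collections import defaultdict

# Constructed packet records: (timestamp, src_ip, dst_ip, dst_port, payload).
PACKETS = [
    (1.0, "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    (1.2, "10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    (2.0, "10.0.0.9", "192.0.2.10", 21, b""),
    (2.1, "10.0.0.9", "192.0.2.10", 22, b""),
    (2.2, "10.0.0.9", "192.0.2.10", 23, b""),
    (2.3, "10.0.0.9", "192.0.2.10", 25, b""),
    (2.4, "10.0.0.9", "192.0.2.10", 80, b""),
    (2.5, "10.0.0.9", "192.0.2.10", 443, b""),
]

# Content signatures a network sensor matches against each packet payload.
SIGNATURES = {
    "directory traversal": b"../..",
    "password file access": b"/etc/passwd",
}

def nids_alerts(packets, scan_threshold=5, window=10.0):
    """Network sensor: signature matching plus a simple port-sweep heuristic."""
    alerts = []
    ports_by_src = defaultdict(list)  # src_ip -> [(timestamp, dst_port)]
    for ts, src, dst, port, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append(f"{name} from {src} to {dst}:{port}")
        ports_by_src[src].append((ts, port))
    for src, hits in ports_by_src.items():
        latest = hits[-1][0]
        distinct = {p for t, p in hits if t >= latest - window}
        if len(distinct) >= scan_threshold:
            alerts.append(f"port scan from {src} ({len(distinct)} ports)")
    return alerts

def file_digest(data: bytes) -> str:
    """SHA-256 hex digest used for the file-integrity baseline."""
    return hashlib.sha256(data).hexdigest()

def hids_changed_files(baseline, current):
    """Host sensor: paths whose current content no longer matches the baseline.

    baseline maps path -> hex digest; current maps path -> file bytes."""
    return sorted(path for path, data in current.items()
                  if baseline.get(path) != file_digest(data))

if __name__ == "__main__":
    print("\n".join(nids_alerts(PACKETS)))
```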


References

Wiki. (2010). Intrusion detection system. Retrieved on 11 May 2010 from http://en.wikipedia.org/wiki/Intrusion_detection_system


3. What is 'phishing'?

Phishing is basically online identity theft. It usually takes the form of an email that appears to come from a friend or a trustworthy web site and links to a web site that asks for personal information such as user name and password or credit card details.



4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

While SET uses a mechanism to prevent merchants from obtaining the credit card details, SSL (Secure Sockets Layer) is an encrypted client/server protocol that enables safe communication between network devices.

SSL was developed by Netscape as an encryption standard for the data exchanged between a Web browser and a Web server. ‘Version 1.0 was never publicly released; version 2.0 was released in February 1995 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0", which was released in 1996’ (Rescorla, 2001).

SSL is supported by and built into all major browsers and web servers nowadays, and it is easy to install a digital certificate on the machine. The encryption level also depends on the key size, with 40-bit and 128-bit keys available; the 128-bit key is deemed strongly secure for the foreseeable future.


As it is supported by the major browsers and easy to use, SSL is widely used by online shops. SET might be more secure because of its double-checking mechanism, but it requires higher cost and complexity and is mainly supported by Visa and MasterCard, so it is less popular.
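
The RSA signing use mentioned in question 1 and the SET mechanism that keeps card details away from the merchant, as one added example that is not part of the original post: SET's dual signature, where the cardholder signs the hash of the concatenated order-information and payment-information digests, so the merchant can verify the order holding only the payment digest and the payment gateway can verify the payment holding only the order digest. The RSA here is textbook RSA with small constructed primes for illustration only; the order and card strings are placeholders.

```python
"""Textbook RSA plus SET's dual signature (added example, toy key sizes)."""
import hashlib

def rsa_keygen(p=10007, q=10009, e=65537):
    """Toy RSA key pair from two small constructed primes; never use such sizes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def digest_int(data: bytes, n: int) -> int:
    """Hash reduced modulo n so it fits the toy modulus (demo shortcut)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def dual_signature(priv, order_info: bytes, payment_info: bytes):
    """Cardholder side: DS = Sign(H(H(OI) || H(PI))).

    Merchant receives OI, PIMD and DS; gateway receives PI, OIMD and DS."""
    oimd = hashlib.sha256(order_info).digest()
    pimd = hashlib.sha256(payment_info).digest()
    return sign(priv, oimd + pimd), oimd, pimd

def merchant_check(pub, order_info: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant verifies the order is bound to a payment without seeing card data."""
    return verify(pub, hashlib.sha256(order_info).digest() + pimd, ds)

def gateway_check(pub, payment_info: bytes, oimd: bytes, ds: int) -> bool:
    """Gateway verifies the payment is bound to this order without seeing the goods."""
    return verify(pub, oimd + hashlib.sha256(payment_info).digest(), ds)

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    oi = b"order: 1 x widget, 19.99"                 # constructed order info
    pi = b"card: 0000-0000-0000-0000 exp 00/00"     # constructed placeholder
    ds, oimd, pimd = dual_signature(priv, oi, pi)
    print(merchant_check(pub, oi, pimd, ds), gateway_check(pub, pi, oimd, ds))
```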


References

Wiki. (2010). SSL. Retrieved on 12 May 2010 from http://en.wikipedia.org/wiki/SSL


5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?

Cookies are ‘name-value’ pairs that hold user information in the browser. They can store the user name, password, site preferences, etc. This information is basically stored as text strings. The cookie is sent from the web server to the browser as an HTTP header and then sent back each time the browser accesses the server.

Cookies can improve security when the data they carry is protected. However, as they contain user information, some spyware targets cookies to track the user, so they can be a security risk.
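
The server-side handling sketched above, as an added example that is not part of the original post: a cookie value is given an HMAC tag before it is set, so a value altered in the browser is rejected when it comes back, and the Set-Cookie header carries the Secure and HttpOnly attributes that keep it off plain HTTP and away from page scripts. The secret key is a constructed placeholder.

```python
"""Integrity-protected cookie value with Secure/HttpOnly attributes (added example)."""
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"placeholder-server-secret"   # constructed; load from a secret store in practice

def sign_value(value: str, secret: bytes = SECRET) -> str:
    """Append a base64 HMAC-SHA256 tag: 'value.tag'."""
    mac = hmac.new(secret, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")

def verify_value(signed: str, secret: bytes = SECRET):
    """Return the original value, or None if the tag does not match."""
    value, sep, tag = signed.rpartition(".")
    if not sep or not value:
        return None
    expected = sign_value(value, secret).rpartition(".")[2]
    return value if hmac.compare_digest(tag, expected) else None

def build_set_cookie(name: str, value: str) -> str:
    """Set-Cookie header line with attributes that limit where the cookie travels."""
    cookie = SimpleCookie()
    cookie[name] = sign_value(value)
    cookie[name]["secure"] = True      # only sent over HTTPS
    cookie[name]["httponly"] = True    # not readable by page scripts
    cookie[name]["path"] = "/"
    return cookie.output(header="Set-Cookie:")

def read_cookie_header(header_value: str, name: str):
    """Parse a request Cookie header and return the verified value, or None."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    if name not in cookie:
        return None
    return verify_value(cookie[name].value)

if __name__ == "__main__":
    print(build_set_cookie("session", "alice"))
```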

References


Wiki. (2010). HTTP Cookies. Retrieved on 12 May 2010 from http://en.wikipedia.org/wiki/HTTP_cookie


6. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?

According to a research report, a firewall can bring the benefits below as return on investment (Computer Economics, n.d.).

The return on investment is calculated based on the following product benefits:

  • Increases network availability by stopping the spread of malicious code attacks (i.e., Nimda, Trojan horses, DDoS).
  • Protects remote users from attacks.
  • Reduces administrative costs and deploys rapidly with ePolicy Orchestrator management capabilities.
  • Stops internal hackers from stealing proprietary data from desktops.
  • Temporarily or permanently blocks unauthorized, vulnerable, and expensive application connections.

As hacking techniques advance every day, firewall technologies have to keep up to date as well. The three firewall software products below were top-listed in 2010 by ‘All-Internet-Security.com’ (All-Internet-Security.com, 2010).

#1 ZoneAlarm PRO Firewall 2010

#2 F-Secure Internet Security 2010

#3 Prisma Firewall 2009


References

All-Internet-Security. (2010). Best Firewall Software - Editor's Choice. Retrieved on 12 May 2010 from http://www.all-internet-security.com/top_10_firewall_software.html

Computer Economics. (n.d.). ROI Analysis of McAfee Desktop Firewall Software and Support. Retrieved on 12 May 2010 from www.crswann.com/.../DesktopFirewall-ROI-Analysis(ComputerEconomics).pdf


7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

According to research from Xerox Research and Technology, e-commerce trust can be measured by a ‘trust metric’ (Manchala, 2000). The measurement can be summarized as below.

  • Transacting entity: Any entity that engages itself in an electronic commerce transaction is a transacting entity. This entity could be a customer, a vendor, a broker, an intelligent agent, a payment server, or any intermediary.
  • Trust authority: Trust matrices are used to evaluate the trust on a certain transaction or on the next set of transactions. Unless these trust matrices are protected against manipulation and are maintained by certain authorities, transacting entities cannot trust them. These authorities are called trust authorities (TA). Transacting entities use trust protocols to access trust matrices. A TA maintains trust matrices by updating them based on the information received from each completed transaction. TAs should be able to provide proof of trust matrix updates using non-repudiation services and to provide each of the transacting entities with the level of trust index to be placed on a certain transaction.
  • Agreement framework (Roscheisen and Winograd, 1996): A relationship binding all the transacting entities involved in a single set of transactions. The relationship usually includes various policies for conducting transactions and is usually placed at a TA. Each set of transactions is interpreted based on the policy, and the results are used to update trust matrices.

References

Manchala, D. (2000). E-Commerce Trust Metrics and Models. Xerox Research and Technology. Retrieved on 12 May 2010 from ftp://ftp.tik.ee.ethz.ch/pub/lehre/inteco/SS02/material/00832944.pdf

Roscheisen, M. and Winograd, T. (1996). A Communication Agreement Framework of Access/Action Control. Proc. IEEE Symp. Security and Privacy, IEEE Computer Society Press, Los Alamitos, Calif., May 1996, pp. 154-163.


8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy
The use of digital certificates and passports is just two examples of the many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?

According to Wiki, Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. It was created by Philip Zimmermann in 1991.

PGP and similar products follow the OpenPGP standard (RFC 4880) for encrypting and decrypting data. The latest version is called PGP5.

Besides digital certificates and passports, the web of trust and security quality are two other tools.

References


Wiki. (2010). PGP. Retrieved on 12 May 2010 from http://en.wikipedia.org/wiki/Pretty_Good_Privacy
