Exercise 12

Designing for a Secure Framework

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.

SET stands for Secure Electronic Transaction, it is a protocol for ensuring the security and integrity of credit card details transmitted over the internet. It began in 1996 as a standard that was developed by two credit card companies Visa and Mastercard as a response to uniting two opposing standards, STT from Visa and SEPP from Mastercard, that had been created in earlier years.

Despite its benefits it has failed to win market share because it required cooperation from too many parties for installation of client-side software and certificates, with the end result being that uptake was too low, also it had to compete with the existing SSL alternative which was easier to implement.

The aims of the SET protocol were to eliminate the security problems that were associated with credit card usage on the internet, the following elements were focused on:

1. Message Authentication, to ensure all parties relevant parties involved in the transaction process knew who they were dealing with.
2. Data Integrity, to prevent messages from being ’spoofed’, i.e., someone masquerading as someone else.
3. Confidentiality, to prevent others from viewing or gaining access to the details of the transaction.

SET has three components:

1. An electronic wallet which resides on the client computer.
2. An SET Server which is the responsibility of the merchant.
3. And a Payment Server which was resident at a bank or credit card company.

The process for using SET was as follows:

1. The Customer stores their credit card details in encrypted form in the electronic wallet.
2. The software associated with SET would produce a Private and Public Key.
3. Purchases by the client using the credit card were encrypted using the Private Key.
4. The Purchase would then be sent to the merchant’s server, who then attaches a Digital Signature to the credit card details which establishes their identity.
5. The Purchase and the Digital Signature is then sent to the Payment Server at the Bank or Credit Card company.
6. The Payment server then validates the card and performs the transaction and sends back a receipt to the Merchant and the Customer.

This process ensured that the Merchant’s staff were not able to view the Credit Card details, therefore, reducing the amount of Credit Card related fraud.

RSA 128-bit encryption

RSA is an algorithm for public-key cryptography, it is widely used in electronic commerce and can be used for both encryption and authentication. It was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. Its name is derived from their initials. As of 2003 RSA Security claims that 3072-bit RSA keys are equivalent in strength to 128-bit symmetric keys. An RSA key length of 3072 bits should be used if security is required beyond 2030.

2. Design a Web application form for a new Credit Card.

When designing an example credit card form I looked at some existing credit card applications. They tended to use a 3 to 5 step process over a secure connection, that divided the process into the following:

1. Terms and Conditions, requires applicant to agree to the conditions before proceeding.
2. Personal Details, requires applicants to enter their details. Also attempts to additional details about the applicant.
3. Employment and Financial details, requires applicants to enter details about their income and employers.
4. Card options, allows applicants to select the from a list of possible options for the card.
5. Confirm details, finalises the process and issues a receipt number.

3. What can you find out about network and host-based intrusion detection systems

The detection systems (IDS) take either a network-or a host-based approach to recognizing and deflecting attacks. In either case, these products look for attack signatures, specific patterns that usually indicate malicious or suspicious intent. When an IDS looks for these patterns in network traffic, it’s network-based. When an IDS looks for attack signatures in log files, it’s host-based.

A network intrusion detection system (NIDS) tries to detect malicious activity such as denial of service attacks, port-scans or even attempts to crack into computers by monitoring network traffic. The NIDS does this by reading all the incoming packets and trying to find suspicious patterns, for example, a large number of TCP connection requests to a very large number of different ports is observed, one could assume that there is someone committing a “portscan” at some of the computer(s) in the network [11].

A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyses the internals of a computing system [9]. A host-based intrusion detection system (HIDS) uses host log information, system activity, and scanners such as virus scanners to determine whether a computer host is being used for illegitimate purposes [12].

---

References.

1. Darrell Ince. Internet Security. Developing Distributed and E-commerce Applications. (2004). (pp 319-320): Pearson, Addison Wesley
2. Wikipedia. Secure Electronic Transaction. (n.d.). Retrieved 3th July 2009 from http://en.wikipedia.org/wiki/Secure_electronic_transfer
3. Hossein Bidgoli. The Internet Encyclopedia, Volume 3. (2003). (pp 248-249): John Wiley & Sons
4. Free Encyclopedia of Ecommerce. Secure Electronic Transaction (SET). (n.d.). Retrieved 3th July 2009 from http://ecommerce.hostip.info/pages/925/Secure-Electronic-Transaction-SET.html
5. RSA Laboratories. 3.6.1 What is Diffie-Hellman?.(n.d.). Retrieved 4th July 2009 from http://www.rsa.com/rsalabs/node.asp?id=2248
6. Wikipedia. RSA. (n.d.). Retrieved 4th July 2009 from http://en.wikipedia.org/wiki/RSA
7. Wikipedia. Key size. (n.d.). Retrieved 4th July 2009 from http://en.wikipedia.org/wiki/Key_size
8. So Jake Says. Why Does RSA Work?. (6th January 2008). Retrieved 4th July 2009 from http://www.jakevoytko.com/blog/2008/01/06/why-does-rsa-work/#rsa_math
9. Wikipedia. Host-based intrusion detection system. (n.d.). Retrieved 4th July 2009 from http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
10. Tech Republic. Network- vs. Host-based Intrusion Detection: A Guide to Intrusion Detection Technology. Retrieved 4th July 2009 from http://whitepapers.techrepublic.com.com/abstract.aspx?docid=1453
11. Network Intrusion Detection. Network Intrusion Detection. Retrieved 4th July 2009 from http://www.network-intrusion-detection.com/info.html
12. Network Intrusion Detection. Host-based intrusion detection. Retrieved 4th July 2009 from http://www.network-intrusion-detection.com/167.html