Security Mechanisms and Security Services

Bill Barge (2002)

 

Online security is a growing issue as consumers make more purchases and transactions over the Internet.  The same technology that allows these transactions to take place also provides a means for others to tamper with or steal information.  In light of these concerns, system security services and their associated mechanisms are being used more frequently and to a fuller extent in more transactions.

 

There are five basic security services: confidentiality, authorization/access control, authentication, integrity, and non-repudiation.  Each of these services provides some level of protection to one or both parties involved in a transaction.  This protection is accomplished by using one of many security mechanisms; the mechanisms provide the actual method of protection.

 

Confidentiality.  To hide the details of a transaction and provide confidentiality, encryption can be used.  Encryption is the process of scrambling data (or plain text) into an unreadable form.  This scrambling is based on algorithms that use various forms of substitution or transposition to encrypt the message.  The type of algorithm and the key length determine the strength of the encryption method.  There are three basic types of encryption: symmetric, asymmetric, and hybrid.

 

Symmetric encryption uses a single private key shared by both parties.  The process is as follows: the sender encrypts some data using the key.  The data is treated as bits (binary digits) and is manipulated as bits.  The recipient then uses the same key to decrypt the data.  This type of encryption provides a fast and efficient method for hiding large amounts of data.

 

One problem is that the sender and receiver must use the same key.  How do they do that?  If they know one another and correspond regularly, it would not be hard to share this key.  But if this transaction were one time only, they would need some method to share the key.  If this transaction were the result of a data transmission where the sender and receiver have not talked before, are not physically talking now, and may never talk in the future (such as an Internet purchase), some other secure method would be needed to pass the key.  And if that existed, why would they need to encrypt the data in the first place?  So symmetric encryption has very real limits in its practical use.

 

PKZIP is an example of private key encryption.  The PKZIP and PKUNZIP programs know the key used to encrypt and decrypt the data, but the data is not secure, because anyone with PKUNZIP can decrypt the data and see it.  These programs were not designed for security.  Other examples of symmetric encryption are DES and 3DES.

 

Asymmetric encryption solves the problem of both parties to the transaction needing to know the private key.  It allows the use of a public key.  With asymmetric encryption, the receiver has published (in some form) a public key.  Anyone wanting to send data will use this public key to encrypt the data.  The receiver then uses some private key to open and decrypt the data.  Two keys are used for every exchange -- a public key, which is freely distributed, and a private key which is kept secret.

 

With asymmetric encryption, the data is treated as numbers and the encryption "plays" with those numbers.  Just as some mathematical operations are effectively one-way (given a result, it is hard to work out the exact inputs that produced it), this type of encryption is also a one-way operation, only with a built-in "trap door" that lets the holder of the private key reverse it.  This added complexity adds security, but it can also slow the encryption/decryption process down by as much as 50%.

 

The RSA algorithm and Diffie-Hellman are both examples of public key algorithms.

 

Hybrid encryption methods combine the speed of symmetric key processing with the security of asymmetric key exchange.  For example, the sender encrypts a large amount of data with a symmetric (private) key.  The recipient needs this key, so a second message is sent containing that private key encrypted with the recipient's public key.  When the recipient decrypts the sender's private key (with his own asymmetric private key), he can then decrypt the data.  By encrypting the large data with the symmetric method and only the small key with the asymmetric method, the encrypt/decrypt process is not slowed significantly compared with using the symmetric method alone.

 

Three additional encryption technologies are WEP, VPN, and PGP.  WEP is the Wireless Encryption Protocol.  It uses symmetric encryption on IEEE 802.11b/11g wireless communications.  VPN is Virtual Private Network.  A VPN uses DES and/or 3DES to encrypt each packet and encapsulates the cipher text in a package before it is sent through a public network.  PGP is Pretty Good Privacy.  It uses the RSA algorithm to encrypt messages and is a popular e-mail encryption method.

 

Authorization.  To keep a transaction or a system secure, access has to be limited.  The process of determining who is allowed access to the system or the data is authorization.  It can be as simple as a control list of who is allowed.  In the non-IT world, when I go to the movie theater, the ticket is my authorization to get in.  No ticket, no movie.  In the IT world, it is similar.  For example, as an NT user without administrator rights, I am not allowed to add new software to the computer.  Before it allows me to add the software, NT checks my user name against its permissions file to determine whether I am authorized to do this.  If not, I get a message saying that I need to be the administrator to add the software.

 

Authentication.  To allow or deny a transaction or entry into a system, some method of establishing proof of identity is needed.  The process of having to prove you are who you say you are is authentication.

 

Some methods of authentication are passwords, biometrics, tokens, challenge-response, and smart cards.  Passwords give a measure of security.  A logon id may be public, but the password is not.  Using the two in combination helps ensure that only the correct person is able to access the system.  But others can find out or guess a password.

 

Biometrics use fingerprints, retina scans, voiceprints, or even DNA to authenticate that the correct person is trying to gain access.  Biometrics are not as widely used as the movies would lead us to think they are, due to the cost of the devices and unreliability. 

 

Tokens provide a two-factor authentication process.  In trying to gain access to a system, the user needs two items -- what he has and what he knows.  With the ATM machine, you need both the ATM card and the password to show you are the one who should have access to the account.  Time-tokens not only require you to know the password for the system, but also to enter the code shown on the token at that particular moment in time.
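The time-token idea above, as an added example that is not code from the original page: the token and the server share a per-user secret (assumed to have been provisioned when the token was issued), and both derive a six-digit code from that secret and the current 30-second time step, following the HMAC-based construction standardised in RFC 4226/6238.  The server accepts the code for the current step or its immediate neighbours to tolerate clock drift.  This check is the "what he has" factor; it sits alongside, not instead of, the password check.

```python
"""Time-based token as the second factor (constructed teaching example)."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how long one displayed code stays valid on the token
DIGITS = 6          # length of the displayed code


def token_code(secret: bytes, unix_time: float) -> str:
    """What the hardware token displays at the given time.

    HMAC-SHA1 over the time-step counter, then the RFC 4226 dynamic truncation
    to a 31-bit value, reduced to DIGITS decimal digits.
    """
    step = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_token(secret: bytes, submitted_code: str, now: float, window: int = 1) -> bool:
    """Server side of the 'what he has' factor.

    Recomputes the code for the current step and `window` steps either side so a
    token whose clock has drifted slightly is still accepted.  Comparison is
    constant-time so a wrong code does not leak how many digits matched.
    """
    if not (submitted_code.isascii() and submitted_code.isdigit()
            and len(submitted_code) == DIGITS):
        return False
    for drift in range(-window, window + 1):
        expected = token_code(secret, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


if __name__ == "__main__":
    # Constructed secret; a real one is generated per user and never reused.
    secret = b"constructed-per-user-token-secret"
    t = time.time()
    shown = token_code(secret, t)
    print("token shows", shown, "-> accepted:", verify_token(secret, shown, t))
```

A production verifier also remembers the last time step it accepted for each user, so a code that has already been used cannot be presented a second time within the drift window.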

 

Challenge-Response authentication requires an answer to a question.  Similar to a password, this method can require multiple correct answers before granting authentication.  To reset a mainframe password at GTE/Verizon, five correct answers are needed to questions ranging from your net accredited service data to your mother's maiden name.  There were a few times I didn't know the answers to the questions -- and they were about me!

 

Ten years ago when I ran my own software business, I used a similar method in the custom software I wrote.  A client stiffed me for several hundred dollars.  He never paid the final installment because, by that time, he had the complete program.  After that, every program I wrote had a routine in it that would shut it down if I had not been paid by a certain date.  (I had the help of two high school kids who were able to crack the system, which prompted me to add a few more security features.)  When the time expired, the user would get a screen telling him that he needed to call me right away.  There was a code displayed with this message.  This code, once translated, was the key to unlocking the system.  If they had paid and they received this message, I could give them the password to reset the trigger so the program would run.  If they had not paid, I would not ship a "code fix" until I had received payment (and the check cleared).  The authentication part of this routine was that only I (and not the customer) knew how to interpret the code!

 

Smart cards are similar in size to a credit card, but they contain a microprocessor.  These cards are programmable and could be used as not only a means of identification but also to gain access to systems and store keys.  The price of these cards is keeping them from being more widely used.  The typical smart card has a cost of $15 compared to the $1 or $2 per card cost needed to make them feasible. 

 

Integrity.  Security not only involves keeping the data secret, but also a method for ensuring the data did not change.  Hashing functions are one method that can help prove data integrity.

 

A hash algorithm takes in data and outputs a fixed-length number.  The output is the same size regardless of the size of the input data.  A hashing function has three properties:

 

1. It must be infeasible to determine the input data based on the output.

2. It must be impossible to find arbitrary data that has a desired output.

3. It should be computationally infeasible to find two different samples of data that have the same output.

 

Just like asymmetric encryption, hashing functions are one-way functions.  Once the data is "crunched" through the algorithm, you cannot get back the original data.

 

A collision happens when two dissimilar samples of data hash to the same value.  By property 3 above, a hashing function for which collisions can be found is no good.

 

Hashing functions are used to prove that the data has not been altered.  To do this, the sender not only sends the data (which could also be encrypted) but also sends a hash of the data.  The receiver then hashes the data he receives.  If the hash sent and the newly calculated hash are the same, then the receiver has proved the data has not been altered.

 

Digital signatures (not electronic signatures) also can be used to prove data integrity.  The sender can append a digital signature (a string of characters) to an electronic message.  The receiver can use this digital signature to authenticate the sender is who he says he is and that the data has not been altered after being sent. 

 

For example, the sender hashes a message and then uses a private key to encrypt the hash.  The encrypted hash is the digital signature.  The receiver then hashes the message he received and applies the public key to decrypt the received hash.  If the hashes match, the received message has not been altered.
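The hybrid scheme and the digital signature flow described above, as one added example that is not code from the original page.  It uses textbook RSA over two fixed, publicly known Mersenne primes, and a keystream made from SHA-256 in counter mode stands in for a real symmetric cipher; both are assumptions made so the example runs with only the Python standard library, not how a deployed system is built (those use padded RSA or elliptic-curve schemes and AES from a vetted library).  The sample order text is constructed.

```python
"""Hybrid encryption and RSA digital signatures (constructed teaching example)."""
import hashlib
import os

# Toy key material.  2**521-1 and 2**607-1 are known Mersenne primes; fixing
# them keeps the example self-contained (real keys are generated at random).
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; needs Python 3.8+

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def rsa_public_op(m: int, pub) -> int:
    """Raise to the public exponent: encrypt, or recover a signed hash."""
    n, e = pub
    assert 0 <= m < n, "textbook RSA needs the integer to be below the modulus"
    return pow(m, e, n)


def rsa_private_op(c: int, priv) -> int:
    """Raise to the private exponent: decrypt, or sign."""
    n, d = priv
    return pow(c, d, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || counter) blocks.
    Same call encrypts and decrypts, as with any symmetric keystream."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def hybrid_encrypt(plaintext: bytes, recipient_pub):
    """Sender: bulk data under a fresh symmetric key, that key under the public key."""
    session_key = os.urandom(32)
    ciphertext = keystream_xor(session_key, plaintext)
    wrapped_key = rsa_public_op(int.from_bytes(session_key, "big"), recipient_pub)
    return wrapped_key, ciphertext


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, recipient_priv) -> bytes:
    """Recipient: unwrap the symmetric key with the private key, then decrypt the bulk data."""
    session_key = rsa_private_op(wrapped_key, recipient_priv).to_bytes(32, "big")
    return keystream_xor(session_key, ciphertext)


def sign(message: bytes, priv) -> int:
    """Hash the message, then apply the private key to the hash (the digital signature)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_private_op(digest, priv)


def verify(message: bytes, signature: int, pub) -> bool:
    """Hash the received message, recover the signed hash with the public key, compare."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_public_op(signature, pub) == digest


def demo() -> dict:
    """Run both flows on a constructed order and report what the receiver concludes."""
    order = b"Order 1042: 3 x widget, ship to a constructed address"
    wrapped, ct = hybrid_encrypt(order, PUBLIC_KEY)
    sig = sign(order, PRIVATE_KEY)
    tampered = order.replace(b"3 x", b"30 x")
    return {
        "hybrid_roundtrip": hybrid_decrypt(wrapped, ct, PRIVATE_KEY) == order,
        "signature_valid": verify(order, sig, PUBLIC_KEY),
        "tamper_detected": not verify(tampered, sig, PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Sending a bare hash alongside the data, as in the integrity paragraph, proves the data was not altered only if the hash itself could not have been replaced along with it; applying the private key to the hash is what gives the receiver that assurance, which is why `tamper_detected` relies on the signature rather than on the hash alone.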

 

Non-Repudiation.  In a transaction, you need proof that each party made the transaction.  Non-repudiation services provide a means of proving that a transaction occurred, whether it was an order being placed at an online store or an e-mail message being sent and received.  By keeping logs of transactions, the detailed information on who performed what actions and at what time will prove the transaction has taken place.

 

Each of the security services and their associated security mechanisms by themselves will not guarantee system security, but by using a combination of these services, systems and transactions can be much more secure.

Identity Authentication

The expansion of e-commerce as a means of business has led to changes in the buyer/seller relationship.  The most basic change is the fact that there is no longer a face-to-face transaction, which can lead to fraud and significant financial loss.  Due to this fact, there has been a recent shift on e-commerce sites toward customer identification and authentication, which has resulted in some benefits for the e-retailer.  To allow or deny a transaction, some method of establishing proof of identity is needed.  The process of having to prove you are who you say you are is authentication.

 

E-commerce retailers face a potential liability with each sale that is made.  Statistics from credit card companies show that while a credit card holder’s liability due to fraud is limited to $50, most online retailers are liable for the full amount of any credit card fraud that happens on their website (How Creating an Online Business Works).  That means that the cost of those goods needs to be made up for by increasing the price of the goods sold, which may deter future sales.  Even though mail order companies have faced and responded to many of these same issues, the e-retailer, having no human interaction with the customer, is still at risk for much more damage.  There are, however, techniques that the e-retailer can use to reduce the risk of fraud associated with e-commerce sales.

 

Authentication

A brick-and-mortar business will authenticate the credit-card paying customer in a face-to-face transaction by means of some type of identity check, such as matching the signature and name on the credit card to that on the customer’s driver’s license.  Since the e-retailer does not have this same face-to-face contact, he must rely on other methods to verify a customer is who he says he is.  Identity authentication is the “process whereby some chosen attribute of a real-world entity ('the distinguishing character or personality of an individual') is demonstrated to belong to that entity.” (Identity Authentication and E-Commerce) Some successful authentication methods are:

· Symmetric encryption.  This method is a private key system.  Each party in the transaction must know some secret key to encrypt a message.  This method has the advantages of a fast encryption/decryption process and no third party needing to be involved.  A big disadvantage for the e-commerce business is that some type of previous relationship needs to have been established between the buyer and seller, or there is the risk of the key being compromised during transmission.  For the purpose of authenticating the casual shopper on a website, this method is not viable.

 

· Asymmetric cryptography.  This method is also known as a Public Key system.  The seller would have the buyer’s order information encrypted with a public key before the transmission.  While this method is ideal for keeping the contents of a casual shopper's transaction secret, it does not address the problem of authenticating the person who supplies the customer information.

 

· Biometrics.  The use of a physical characteristic of the buyer, such as a fingerprint, hand geometry, retina pattern, or voice recognition, can provide a high level of authentication of the user.  Each time a user visits the website, the pattern could be used to uniquely identify that customer.  However, while the user can be linked to and identified by this physical characteristic, this method of authentication requires the user to possess some optical reading equipment, which is unrealistic for a business-to-consumer e-commerce sale.

 

· Sharing Codes and Secrets.  By using an ID and password, or a digital signature stored on a smart card, computer users can be uniquely identified.  The more secure method is to use a digital signature, which in effect is an encrypted number used for unique identification.  The use of a smart card also offers a two-factor identification process, where the customer is expected to know something (the digital signature) and have something (the smart card).  Using a smart card containing a digital signature in conjunction with an ID and password creates a very secure authentication method.  While this method may be more secure, it is unrealistic to expect casual shoppers at a web site to have been issued a digital signature, let alone expecting them to have a smart card reader connected to their personal computer.

 

E-retailers could assign digital signatures to their customers and save these signatures on the customer’s computer in the form of a cookie file.  However, this method leads to the assumption that customers participating in e-commerce always use the same computer, and that they are the only one using that computer.  In fact, customers may make purchases from several computers, including the computer at work and the one at home.  And everyone in the family may use the home computer.  In addition, customers may have their browser set to not save cookie files. 

 

Using an ID and password is a low-tech solution to this identity authentication problem.  While this method does have some disadvantages, such as a risk of an authentication compromise, it does allow a fast and portable authentication method that does not require any third party involvement, as would be needed with smart cards and digital signatures.

The best method of customer identity authentication for the e-retailer operating a business with casual users is the use of an ID and password.  Passwords give a measure of security.  A logon ID may be public, such as an e-mail address, but the password should not be.  The password should be a secret only the customer and e-retailer know.  The combination of using the two helps to uniquely identify the correct person as the customer.  The customer would enter the ID and password.  This pair would be compared to entries in a customer database or customer file.  A match would authenticate the customer and allow access.  If the pair is not found, the customer would not be allowed to order from the website.  The pair not matching the file is not a problem if the customer is new, but if an existing customer creates a new identity, then authentication problems can exist.
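The ID/password check against a customer file described above, as an added example that is not code from the original page.  It assumes the customer file is a dictionary keyed by login ID that stores, for each customer, a random salt and a PBKDF2-HMAC-SHA256 hash of the password rather than the password itself, so a copy of the file does not give away customers' secrets; the iteration count is an assumed work factor and the two sample accounts are constructed.

```python
"""ID and password authentication against a customer file (constructed teaching example)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed PBKDF2 work factor; raise as hardware allows
SALT_BYTES = 16


def normalize_id(login_id: str) -> str:
    """E-mail style login IDs are matched case-insensitively and without stray spaces."""
    return login_id.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password; only this value is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(customer_file: dict, login_id: str, password: str) -> None:
    """Create the record for a new customer (the 'pair not found, customer is new' case)."""
    key = normalize_id(login_id)
    if key in customer_file:
        raise ValueError("ID already registered")
    salt = os.urandom(SALT_BYTES)
    customer_file[key] = {"salt": salt, "hash": hash_password(password, salt)}


def authenticate(customer_file: dict, login_id: str, password: str) -> bool:
    """Compare the submitted ID/password pair with the stored record.

    An unknown ID and a wrong password both return False, and the unknown-ID
    path does the same hashing work, so neither the response nor its timing
    tells a caller which half of the pair was wrong.
    """
    record = customer_file.get(normalize_id(login_id))
    if record is None:
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def build_sample_file() -> dict:
    """Constructed customer file with two accounts."""
    customers = {}
    register(customers, "alice@example.com", "correct horse battery staple")
    register(customers, "bob@example.com", "tr0ub4dor&3")
    return customers


if __name__ == "__main__":
    customers = build_sample_file()
    for login, pw in [("alice@example.com", "correct horse battery staple"),
                      ("alice@example.com", "wrong password"),
                      ("carol@example.com", "anything")]:
        print(login, "->", "authenticated" if authenticate(customers, login, pw) else "rejected")
```

Because every salt is random, two customers who happen to pick the same password still get different stored hashes, and a match can only be tested by re-running the slow hash for one specific customer.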

 

The article “e-Security: Do You Know Who You’re Doing e-business with?” puts this identity authentication problem into perspective with the simple question, “Is this right for your e-business?”  The e-retailer must design the authentication system to match the value of the data and the risks.  The risks include the potential for customer fraud.  What is the value of the data?  Data collection is one reason why an e-commerce business should want to authenticate the identity of its customers.

 

In the 1990s, marketers realized the potential demographic information that could be easily gathered due to the interactive nature of the Internet.  Companies began to collect “unprecedented” amounts of data about those who visited their websites via site registration, questionnaires, and even tracking what customers ordered (e-commerce).  The terms “data mining” and “clickstream data” are used to represent this data collection operation (T2: E-Commerce and Clickstream Mining).  The data collected can give a company insight into how customers are using the website, the ease of navigation of the site, and the complementary products customers order.  All this said, the only reason an e-retailer would need to authenticate the identity of a customer is to recognize that specific customer when he returns.  By personalizing the website for the returning customer, this identification helps build a social trust between the buyer and seller (Identity Authentication and E-Commerce).  For the buyer, this trust may be as simple as having the shipping information saved by the e-commerce site so it does not need to be entered at each order.  For the e-retailer, this trust may translate to the marketing opportunities and validated credit-worthiness of a customer.

 

By collecting order data and history, an e-retailer can match promotions and advertisements to a particular customer’s interest.  A recent article quoted a GartnerG2 statistic that said pop-up ads tend to “have twice as many click-throughs than a normal banner (ad) on a web page.” (Is It Curtains for the Pop-Up Window?)  Collecting sales data also allows the e-retailer to use the “you want fries with that” strategy, suggesting complementary products.  Amazon.com uses this strategy when it says, “Customers who shopped for this item also shopped for these items.”  And by tying sales to the specific customer, it is easy for the e-retailer to remind the customer not to forget frequently purchased items.

 

Other reasons to authenticate the identity of a customer are for payment options and security.  Many companies who authenticate their customers allow the customer to store shipping and payment information with their unique ID.  The e-retailer does this for the convenience of the customer, but it also helps the e-retailer validate the payment method. 

 

The e-retailer can process the credit card payment himself, use a third party to process the credit card payment, use another service, such as PayPal, to process the payment, or use electronic checks.  The Uniform Commercial Code, Title 3, allows a customer to authorize a business to endorse a check on his behalf.  An electronic check can be nothing more than the customer’s checking account information, which is used to make a withdrawal from the customer’s account.  Whatever method the e-retailer chooses, these payments still should be verified as being legitimate.  The e-retailer also bears the responsibility to protect this customer information.  Using an encryption protocol, such as SSL (Secure Sockets Layer), the e-retailer can protect the information as well as show the customer that the e-commerce site is legitimate and is making attempts to keep the customer’s information confidential.

 

Even with identity authentication, the e-retailer should still expect some fraud.  However, by having customer information associated with the ID and password, the e-retailer should:

 

It should be remembered that any identity authentication method used by an e-retailer should match the sensitivity of the data.  But by being able to uniquely identify their customers, e-commerce retailers can build loyalty and trust, increase sales, and decrease the losses associated with fraud.

Sources

 

Andress, Mandy. Surviving Security. Indianapolis: SAMS. 2002. Chapter 4.

 

Burnett, Steve and Stephen Paine. RSA Security’s Official Guide to Cryptography. New York: Osborne/McGraw-Hill. 2001.  Chapters 1-4.

 

“e-commerce”. http://searchcio.techtarget.com/sDefinition/0,,sid19_gci212029,00.html

 

“e-Security: Do You Know Who You’re Doing e-business with?”. RSA. http://www.rsasecurity.com/solutions/web/whitepapers/AUEB_WP_1100.pdf

 

Faria, José Angelo Estrella. “Enhancing Legal Uncertainty for electronic signatures and other authentication methods”. United Nations Commission on International Trade Law. http://r0.unctad.org/ecommerce/event_docs/bangkok/faria.ppt

 

“Find the Best Authentication Method for Your Organization”. Security Decisions Conference Sessions. http://securityconf.techtarget.com/html/ci_sessions_speakers.htm

 

Ford, Matthew D. “Identity Authentication and E-Commerce”. http://elj.warwick.ac.uk/jilt/98-3/ford.html

 

Fraley, Michael. “Is it curtains for the pop-up window?”. Herald-Republican. Sunday, March 16, 2003. p. C5.

 

“Keeping e-Business Secure”. Silicon Trust Online. http://www.silicon-trust.com/redirect.asp?path=/problems/tec_ecommerce.htm

 

Kohavi, Ronny and Jon Becher. “T2: E-Commerce and Click-Stream Mining”. http://www.siam.org/meetings/sdm01/html/t2.htm

 

Obringer, Lee Ann. “How Creating an Online Business Works”. http://money.howstuffworks.com/online-biz-do-it.htm

 

Rayport, Jeffrey F. and Bernard J. Jaworski. Introduction to e-Commerce. Boston: McGraw-Hill. 2002.

 

Rein, Bob.  “A Security Roadmap for B2B E-Commerce”. EDS E Solutions. http://www.eds.com/thought/news_thought_roadmap_paper.shtml

 

Tyson, Jeff.  “How Encryption Works”. http://computer.howstuffworks.com/encryption3.htm