Solutions
There are various solutions to the security problems that present themselves.
These include:
- Secure Server
- Encryption
- Cryptography
- Certificates and Digital Signatures
- Proxy Servers/ Firewalls
- Antivirus Software
Secure Server
These servers allow for secure credit card payments on the web server hosting the SME's web site, using SSL (Secure Sockets Layer). SSL must be implemented on a server capable of running it and must also be implemented in the browser. Most of the latest versions of browsers can use this protocol (Webmonkey, 1999).
Encryption Technology, SSL and SET
"Encryption is the key to secure commercial transactions. The process of encoding information in order to keep it private, works by substituting different characters for the actual characters and then reversing the process at the end. Secure Electronic Transactions (SET) encrypts data between a web browser and a web server, giving online buyers reassurance that their credit card details are safe. Secure Sockets Layer is the protocol for establishing a secure communication channel to prevent the interception of critical information such as credit card information." (Davis, Kogan Page Limited, 2000, pg 111)
Cryptography is concerned with the encryption of the data.
Cryptography
There are a number of popular methods of cryptography:
Public Key Cryptography (PKI)
This is based on the Rivest, Shamir, and Adleman algorithm of 64-bit / 128-bit cryptography for asymmetric encryption. The sender encrypts the message with the receiver's public key. The public key is known to all authorised users. This requires the receiver's public key to be delivered in advance. The private key is generated at the owner's computer and is not sent to anyone. To send a message safely using public key cryptography you require one private key to encrypt a message and one public key to decrypt it. The message encrypted in this manner can only be decrypted with the receiver's private key. This is a security issue in itself.
The most popular algorithm for public key cryptography is the RSA algorithm. This algorithm has not yet been broken by hackers so it is seen as the safest encryption known to date. The RSA algorithm is usually used to transmit the secret key for the DES algorithm because DES is more efficient and faster in handling encryption and decryption.
DES (Data Encryption Standard) Algorithm Secret (Private) Key Cryptography
A single secret (Private) key is used between sender and receiver. This is also known as symmetric encryption or private key encryption.
The most widely accepted algorithm for secret key cryptography is DES, although some cryptographers believe that the algorithm is penetrable. The Secure Electronic Transfer (SET) protocol is based on this algorithm. The diagram shows that there is a problem in that the key must be transmitted to the counterpart. This is overcome with the use of public key cryptography.

Fig 8.2 (Turban et al, Prentice Hall, 2000, Pg. 279)
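As an added example (not part of the original text or its sources), the Python code below shows the key roles described above: the sender encrypts the data with a fresh secret key, wraps that key with the receiver's public key, and signs with its own private key, the digital signature covered later in this chapter. Assumptions: the demo keys are built from well-known Mersenne primes, RSA is used as unpadded textbook RSA, a SHA-256 keystream stands in for DES (which the Python standard library does not provide), and all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both demo keys


def demo_keypair(p, q):
    """Return (n, d): n with E is the public key, d is the private key."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed demo keys from well-known Mersenne primes (so not secret),
# used as unpadded textbook RSA purely to show which key does what.
RECEIVER_N, RECEIVER_D = demo_keypair(2**521 - 1, 2**607 - 1)
SENDER_N, SENDER_D = demo_keypair(2**1279 - 1, 2**2203 - 1)


def keystream_xor(key, data):
    """Stand-in for DES: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)


def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def send(message):
    """Sender: secret key for the data, RSA for the key and the signature."""
    secret_key = secrets.token_bytes(16)
    # Wrap the secret key with the RECEIVER's PUBLIC key.
    wrapped_key = pow(int.from_bytes(secret_key, "big"), E, RECEIVER_N)
    # Sign the digest with the SENDER's PRIVATE key.
    signature = pow(digest_int(message), SENDER_D, SENDER_N)
    return wrapped_key, keystream_xor(secret_key, message), signature


def receive(wrapped_key, ciphertext, signature):
    """Receiver: unwrap with own private key, verify with sender's public key."""
    key_int = pow(wrapped_key, RECEIVER_D, RECEIVER_N)
    if key_int >> 128:
        raise ValueError("wrapped key does not decode to a 128-bit secret key")
    message = keystream_xor(key_int.to_bytes(16, "big"), ciphertext)
    if pow(signature, E, SENDER_N) != digest_int(message):
        raise ValueError("signature check failed: altered message or wrong sender")
    return message
```

Changing any byte of the ciphertext makes receive() raise, because the recovered message no longer matches the digest the sender signed.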
SET (Secure Electronic Transfer)
This was originally designed by MasterCard and Visa in 1997. It meets the four security requirements for e-business, namely authentication, encryption, integrity and non-repudiation.
Paypal.com uses this method for C2C, C2B, and B2B payments. SET is tailored to credit card payment on the Internet but is difficult to implement.
"128 bit encryption is regarded by cryptographers to be 'uncrackable'." (The Thawte Guide to Full Strength Crypto: SGC SuperCerts, www.thawte.com, 21/02/02.)
Certificates and Digital Signatures
"A Certificate usually implies an identifying certificate issued by a CA. This includes records such as a serial number, name of owner, owner's public keys (one for secret key exchange as receiver and one for digital signature as sender), an algorithm that uses these keys, certificate type, name of CA, and CA's digital signature." (Turban et al, 2000, Pg. 280)
Trusted Certification Issuing Authorities (CAs): The purpose of these independently audited companies is to verify that the requester of the certificate is exactly who they say they are. The CA checks to ensure that the company or individual owns the domain in question. All CAs operate across the main browsers and Internet software that are available.
A certificate, once issued, is used by the CA to perform secure transactions across the Internet or World Wide Web with its customers. Examples are the SET and SSL protocols, which use cryptography and these certificate keys. An Post is offering PKI encryption using certificates that it issues, in a service known as Safemail from its subsidiary Posttrust.
Private companies are also able to avail of the mechanism to create their own in-house certificates for use in software production processes such as testing of telecommunications billing systems.
Some well known Certificate authorities are Verisign, Thawte, Baltimore Technology, and An Post. The Chambers of Commerce in Ireland are in the process of launching ChamberCert.
Choosing a Trusted Certification Issuing Authority:
- Choose a company with a reputation and integrity.
- Certificates and keys should be generated in a secure environment using tamper resistant hardware.
- Personal Identification Numbers and keys should be distributed separately.
- Certificate Revocation of compromised or stolen certificates should be in place.
- A CA is mission critical, so it must have a disaster recovery plan in place.
- CA must be independently audited.
- Cross certification with other CAs is most important for cross platform e-business (Turban et al, 2000).
Digital Signature:
"This is used for the authentication of senders by applying public key cryptography in reverse. To make a digital signature, a sender encrypts a message with their private key. Any receivers with that person's public key can read it, but the receiver can be sure that the sender is really the author of the message. The digital signature is usually attached to the sent message, just like the hand written signature on the end of document." (Turban et al, 2000, Pg.279)
Proxy Servers/ Firewalls
As discussed in Chapter 4, Proxy Servers and Firewalls are essential components for securing your office systems from the outside world when connected to the Internet. By installing both, you can be sure that the majority of external security threats will be neutralised.
Antivirus Software
It is crucial that antivirus software is installed at both the client and server end and that the virus definitions are kept up to date. An out-of-date virus scanner is worse than having no virus scanner at all, as it can lead the user into a false sense of security. Regular sweeps of the network and all local drives should be conducted, and email should be checked at the mail server rather than relying on the end user to run scans.