Sunday, May 17, 2009

Exercise 12: Designing for a secure framework

  1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.
  2. According to (Wikipedia) Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain traction.

    SET was developed by SETco, led by VISA and MasterCard (and involving other companies such as GTE, IBM, Microsoft, Netscape, RSA and VeriSign) starting in 1996. SET was based on X.509 certificates with several extensions. The first version was finalised in May 1997 and a pilot test was announced in July 1998.

    SET was intended to become the de facto standard of payment method on the Internet between the merchants, the buyers, and the credit-card companies. Despite heavy publicity, it failed to win market share. Reasons for this include:

    • Network effect - customers needed to install client software (an e-wallet).
    • Cost and complexity for merchants to offer support, compared with the low cost and simplicity of the existing SSL-based alternative.
    • Client-side certificate distribution logistics.

    According to (Wikipedia) RSA keys are typically 1024-2048 bits long. RSA is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
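    To make the "signing as well as encryption" point concrete, here is textbook RSA worked through with toy-sized primes. This is an added example, not code from the original post or from Wikipedia; the primes 61 and 53, the exponent 17 and the sample message are constructed, and the code omits the padding (OAEP, PSS) that real e-commerce protocols add on top of the raw algorithm.

```python
"""Textbook RSA with toy-sized primes, so the arithmetic behind "signing as
well as encryption" is visible.  Added example, not code from the original
post; real keys are 1024-2048 bits (as the post says) and real protocols add
padding (OAEP for encryption, PSS for signatures), which this raw version omits.
"""
from hashlib import sha256
from math import gcd


def keygen(p, q, e=17):
    """Build a key pair from two distinct primes p and q (assumed prime here).

    n = p*q is the modulus, phi = (p-1)(q-1), and d is e's inverse mod phi,
    so (m**e)**d == m (mod n) for every m in [0, n).
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def modulus_bits(key):
    """Key size as usually quoted: the bit length of the modulus n."""
    return key[0].bit_length()


def encrypt(public_key, m):
    """Encrypt an integer message m < n with the recipient's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recover m from ciphertext c with the matching private key."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, message: bytes):
    """Sign by applying the private exponent to a hash of the message.

    With a toy n the SHA-256 digest is reduced mod n; a real key has n far
    larger than the digest, so no reduction is needed.
    """
    n, d = private_key
    h = int.from_bytes(sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message: bytes, signature):
    """Check a signature using the public exponent only."""
    n, e = public_key
    h = int.from_bytes(sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    # Constructed toy primes: n = 3233 is only 12 bits, so factoring it is instant.
    pub, priv = keygen(61, 53)
    print("modulus bits:", modulus_bits(pub))                 # 12, versus 1024-2048 in practice
    c = encrypt(pub, 65)
    print("ciphertext:", c, "decrypts to", decrypt(priv, c))  # 2790 -> 65
    msg = b"order #42, total 19.99"                           # constructed message
    sig = sign(priv, msg)
    print("signature valid:", verify(pub, msg, sig))          # True
    print("altered signature valid:", verify(pub, msg, (sig + 1) % pub[0]))  # False
```

The two operations use the same modular exponentiation with the exponents swapped: the public exponent e encrypts and verifies, the private exponent d decrypts and signs. Because x -> x^e mod n is a bijection on [0, n) when e is coprime to (p-1)(q-1), changing a signature by even one always makes verification fail; the "sufficiently long keys" caveat in the text is what keeps d from being recovered by factoring n.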

  3. Design a Web application form for a new credit card.
  4. x
  5. What can you find out about network and host-based intrusion detection systems?
  6. (Wikipedia) says that one can think of a HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system's security policy.

    According to (Wikipedia), a network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

    The NIDS does this by reading all the incoming packets and trying to find suspicious patterns. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one could assume that someone is conducting a port scan of some or all of the computers in the network. It also (mostly) tries to detect incoming shellcode in the same manner that an ordinary intrusion detection system does.

    A NIDS is not limited to inspecting incoming network traffic only. Often valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from the inside of the monitored network or network segment, and are therefore not regarded as incoming traffic at all.
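    The port-scan pattern described two paragraphs up, and the point that inside-to-inside traffic should be judged by the same rule, can be shown with a small detector run over constructed connection records. This is an added example, not code from the original post; the log format (timestamp, source, destination, destination port, flags), the threshold and window values, and the hosts (RFC 5737 documentation addresses for the outside, an RFC 1918 range for the inside) are all assumptions made for the example.

```python
"""Toy port-scan heuristic of the kind the NIDS paragraph describes: one
source opening connections to many distinct ports in a short window.
Added example, not code from the post; the log format is constructed
(timestamp source destination dest_port flags), as are the sample hosts.
"""
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "ts src dst dport flags")
Alert = namedtuple("Alert", "src dst distinct_ports t_start t_end")


def parse_line(line):
    """Parse one constructed log line into a Conn record."""
    ts, src, dst, dport, flags = line.split()
    return Conn(float(ts), src, dst, int(dport), flags)


def detect_port_scans(lines, window=10.0, threshold=15):
    """Flag (src, dst) pairs where src hit >= threshold distinct ports on dst
    within any span of `window` seconds.  Records are grouped per pair and
    scanned with a sliding time window; an internal source is judged by the
    same rule as an external one, so inside-to-inside probing is caught too.
    """
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            c = parse_line(line)
            by_pair[(c.src, c.dst)].append(c)

    alerts = []
    for (src, dst), conns in by_pair.items():
        conns.sort(key=lambda c: c.ts)
        best = None
        start = 0
        for end in range(len(conns)):
            # Drop records that fall out of the window ending at conns[end]
            while conns[end].ts - conns[start].ts > window:
                start += 1
            ports = {c.dport for c in conns[start:end + 1]}
            if len(ports) >= threshold and (best is None or len(ports) > best[0]):
                best = (len(ports), conns[start].ts, conns[end].ts)
        if best:
            alerts.append(Alert(src, dst, best[0], best[1], best[2]))
    return sorted(alerts, key=lambda a: a.t_start)


def build_sample_log():
    """Constructed traffic: an outside scanner, a normal web client, and an
    inside host probing another inside host."""
    lines = []
    for i in range(25):                     # 25 ports in about 5 seconds
        lines.append(f"{100 + i * 0.2:.1f} 203.0.113.7 192.0.2.10 {i + 1} S")
    for i in range(30):                     # repeated HTTP/HTTPS, only 2 ports
        lines.append(f"{100 + i:.1f} 198.51.100.4 192.0.2.10 {443 if i % 3 else 80} S")
    for i in range(20):                     # internal-to-internal probing
        lines.append(f"{200 + i * 0.3:.1f} 10.0.0.5 10.0.0.20 {1000 + i} S")
    return lines


if __name__ == "__main__":
    for a in detect_port_scans(build_sample_log()):
        print(f"port scan: {a.src} -> {a.dst}, {a.distinct_ports} ports "
              f"between t={a.t_start} and t={a.t_end}")
```

Two alerts come out: the outside host that touched 25 ports on one server, and the internal host that walked 20 ports on another internal machine; the web client that made thirty connections to only two ports is left alone. The counts-per-window rule is deliberately crude, which is why real sensors pair it with signature and anomaly checks, but it captures exactly the "many connection requests to many different ports" observation in the text.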


References
Wikipedia. Host-based intrusion detection system. Retrieved 30 June 2009, from http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
Wikipedia. Network intrusion detection system. Retrieved 30 June 2009, from http://en.wikipedia.org/wiki/Network_intrusion_detection_system
Wikipedia. RSA. Retrieved 20 July 2009, from http://en.wikipedia.org/wiki/RSA
Wikipedia. Secure Electronic Transaction. Retrieved 20 July 2009, from http://en.wikipedia.org/wiki/Secure_Electronic_Transaction
