George Mason University

Department Of Computer Science

Information and Software Engineering

Spring 2008

ISA 767 - Secure Electronic Commerce

Thur. 7:20 p.m. - 10:00 p.m.

Fine Arts Building B106


Last updated 4.17.2008 0700

Announcements

        MIDTERM   PROJECT   FINAL
TOT     150
AVG     127.5
HI      149

Finals Schedule

Academic Calendar




Professor: Dr. Michael Smeltzer
msmeltze at gmu dot edu
Office Hours: By Appointment



PREREQUISITES:

ISA 662 - Information Systems Security
ISA 666 - Internet Security Protocols



DESCRIPTION:

Course Catalog: Cryptography review, cryptographic protocols, secure electronic transactions, public key certificates and infrastructures, authentication and authorization certificates, secure credential services and role-based authorization, mobile code security, security of agent-based systems, electronic payment systems, intellectual property protection, secure time stamping and notarization.



TEXT:
No text is required. We will read papers from the GMU Digital Library and some found on the Internet.

"NOTIONAL" SCHEDULE:

WEEK   TOPIC                                  READING

1/24   An introduction to e-Commerce          Slides (updated 1/24)
       1. Oppliger, Rolf. "Shaping the Research Agenda for Security in E-Commerce." IEEE conference proceedings. 1999.
       2. Oreku, George S., and Jianzhong Li. "Rethinking E-commerce Security." Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, and International Conference on Intelligent Agents, Web Technologies and Internet Commerce. IEEE. 2005.
       3. Amit, Yair, Danny Allan, and Adi Sharabani. "Overtaking Google Desktop." Watchfire. 2007.
       4. Bashir, Imran, Enrico Serafini, and Kevin Wall. "Securing Network Software Applications." Communications of the ACM. February 2001.

1/31   A QUICK review of encryption, access control, SSL and firewalls   Slides
       1. Apostolopoulos, George, Vinod Peris, Prashant Pradhan, and Debanjan Saha. "Securing Electronic Commerce: Reducing the SSL Overhead." IEEE Network. July-August 2000.
       2. Coron, Jean-Sebastien. "What Is Cryptography?" IEEE Security & Privacy. January-February 2006.
       3. Kuhn, D. Richard, Vincent C. Hu, W. Timothy Polk, and Shu-Jen Chang. "Introduction to Public Key Technology and the Federal PKI Infrastructure." NIST Special Publication 800-32. February 2001. pp. 1-32.

2/7    Access Control                         Slides
       botNETS and DDOS                       Slides (significant update 2/4)
       1. Joshi, James, Walid Aref, Arif Ghafoor, and Eugene Spafford. "Security Models for Web-Based Applications." Communications of the ACM. February 2001.
       2. Park, Jaehong, and Ravi Sandhu. "The UCONABC Usage Control Model." ACM Transactions on Information and System Security. 2004.
       3. Sandhu, Ravi S., Edward Coyne, Hala L. Feinstein, and Charles E. Youman. "Role-Based Access Control Models." IEEE Computer. February 1996.
       4. A good set of three videos by WatchGuard Technologies on botnets.

2/14   Client Side Security                   Slides (updated 2/16)
       1. Park, Joon S., and Ravi Sandhu. "Secure Cookies on the Web." IEEE Internet Computing. July-August 2000.
       2. Provos, Niels, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, and Nagendra Modadugu. "The Ghost in the Browser: Analysis of Web-based Malware." 2007. This is a very interesting paper by some researchers at Google whose objective is to protect Google search results from drive-by downloads.
       3. Berghel, Hal. "Digital Village: Caustic Cookies." Communications of the ACM. May 2001.
       4. Stein, Lincoln, and John Stewart. "Client Side Security." The World Wide Web Security FAQ (W3C). 2003. [** Although dated 2003, much of the material in this document is from 1998, so export policy has changed and the identified vulnerabilities have been addressed. **]
       5. Princeton Secure Internet Programming Team. "Security Tradeoffs: Java vs. ActiveX." April 1997.

2/21   Server Side Security                   Slides (updated 2/17)
       1. Jovanovic, Nenad, Engin Kirda, and Christopher Kruegel. "Preventing Cross Site Request Forgery Attacks." IEEE. 2006.
       2. Ollmann, Gunter. "The Phishing Guide." Next Generation Security Software Ltd. 2004.
       3. Hayes, James M. "The Problem with Multiple Roots in Web Browsers - Certificate Masquerading." IEEE Computer Society. 1998.
       4. Stein, Lincoln, and John Stewart. "CGI (Server) Scripts." The World Wide Web Security FAQ (W3C). 2003.
       5. CERT Advisory CA-2000-02. "Malicious HTML Tags Embedded in Client Web Requests." February 2000.
       6. Hayes, James M. "Restricting Access with Certificate Attributes in Multiple Root Environments - A Recipe for Certificate Masquerading." 17th Annual Computer Security Applications Conference. 2001.

2/28   m-Commerce                             Slides (updated 2/26)
       1. Ghosh, Anup K., and Tara M. Swaminatha. "Software Security and Privacy Risks in Mobile E-Commerce." Communications of the ACM. February 2001.
       2. Schwiderski-Grosche, Scarlet, and Heiko Knospe. "Secure m-Commerce."

3/6    MIDTERM

3/13   Spring Break

3/20   Payment Methods                        Slides
       1. Lesk, Michael. "Micropayments: An Idea Whose Time Has Passed Twice?" IEEE Computer Society. 2004.
       2. "Electronic Payment Methods." Trade On-Line Project. www.electronic-payments.co.uk
       3. Spiliopoulos, S. "AGROWEB eCommerce Training Material."
       4. Tewari, Hitesh, Donal O'Mahony, and Michael Peirce. "Reusable Off-line Electronic Cash Using Secret Splitting." Technical Report. Computer Science Department, Trinity College Dublin. 1998.
       5. Chaum, David. "Blind Signatures for Untraceable Payments." Advances in Cryptology: Proceedings of CRYPTO '82. David Chaum, Ronald L. Rivest, and Alan T. Sherman, eds. Plenum Press, 1983.

3/27   Fair Data Exchange                     Slides
       1. Maruyama, Hiroshi, Taiga Nakamura, and Tony Hsieh. "Optimistic Fair Contract Signing for Web Services." Proceedings of the 2003 ACM Workshop on XML Security. ACM Press. 2003.
       2. Liu, Peng, Peng Ning, and Sushil Jajodia. "Avoiding Loss of Fairness Owing to Failures in Fair Data Exchange Systems." Decision Support Systems, Vol. 31, 2001, pp. 337-350.
       3. Ray, Indrajit, and Indrakshi Ray. "Fair Exchange in E-Commerce." ACM. May 2002.

4/3    Digital Rights Management              Slides (updated 3/30)
       1. Biddle, Peter, Paul England, Marcus Peinado, and Bryan Willman. "The Darknet and the Future of Content Distribution." Microsoft. 2002.
       2. Gutmann, Peter. "A Cost Analysis of Windows Vista Content Protection." A very interesting perspective on how Vista provides content protection. I wish there were as much interest in protecting our privacy on the Internet as there is in protecting the income of the recording industry!
       3. Liu, Qiong, Reihaneh Safavi-Naini, and Nicholas P. Sheppard. "Digital Rights Management for Content Distribution." Australian Computer Society / ACM. January 2003.
       4. Microsoft technical resource. "Technical Overview of Windows Rights Management Services." Online. 2003.

4/10   Privacy                                Slides (minor updates 4/10)
       1. Linn, John. "Technology and Web User Data Privacy: A Survey of Risks and Countermeasures." IEEE Security & Privacy. 2005.
       2. "Privacy in Cyberspace." Privacy Rights Clearinghouse. September 2005.
       3. There are some interesting articles on privacy at Rajeev Motwani's web site at Stanford University.

4/17   Web Services                           Slides (updated 4/17)
       1. Vinoski, Steve. "Where Is Middleware?" IEEE Internet Computing. March 2002.
       2. Curbera, Francisco, Matthew Duftler, Rania Khalaf, William Nagy, Nirmal Mukhi, and Sanjiva Weerawarana. "Unraveling the Web Services Web: An Introduction to SOAP, WSDL, and UDDI." IEEE Internet Computing. March-April 2002.
       3. Samtani, Gunjan, and Dimple Sadhwani. "EAI and Web Services." Web Services Architect. October 2001.
       4. Menasce, Daniel. "MOM vs. RPC: Communication Models for Distributed Applications." IEEE Internet Computing. March 2005.

4/24   Presentations                          Schedule and Teams

5/1    Presentations

5/8    FINAL, 7:30 - 10:15



GRADING:

Grades will be calculated as follows:
  • Normalize the scores so that the point totals carry the exact weights shown in the table below.
  • Treat the highest normalized total in the class as 100%.
  • Assign grades:
    A: 90% -100%
    B: 70% - 90%
    C: 60% - 70%
    F: Below 60%

Midterm Exam 33 %
Final Exam 33 %
Project 33 %

Example: Suppose your grade on the project is 45/60, the midterm is 80/100 and the final is 50/70. There are 60 + 100 + 70 = 230 total points; dividing by three, each component is worth 76.6 points. The factors applied at the end of the term are therefore 76.6/60 = 1.27, 76.6/100 = 0.766 and 76.6/70 = 1.09, and your score is adjusted accordingly: 45 × 1.27 + 80 × 0.766 + 50 × 1.09 = 172.9. If the highest score in the class is 200, your result would be 172.9/200 = 86%, which would be either a B or B+.



PROJECT:
Students will be required to complete a project on e-commerce security as part of a team of about 4 students; the project represents 1/3 of your grade. The team will make a 45-minute presentation to the class on a subject related to e-commerce security. Presentations will be scheduled on April 24 and May 1.
Schedule and Teams

One good source of papers will be the references listed in the recommended reading for the course. You may also search the GMU article database using keywords, or try Google Scholar. The intent of this assignment is to learn something new about e-commerce security that you don't already know. The intent is NOT to leverage a project, paper or lecture material from another course, or something you or colleagues have done at work. In order for me to evaluate this, please cite your references as part of the presentation material. If the material is not readily available in the GMU database or on the Internet, please provide a copy. Your project will be evaluated on:

Criteria                                                   Points
Pertinence of the article to e-commerce security               10
Quality of the analysis                                        20
Team's grasp of the presented material                         10
Thoroughness (the amount of work actually accomplished)        20
Questions/answers and class discussion                         10
Presentation skills                                            10
TOTAL                                                          80

  • The only thing you need to hand in is an electronic copy of the presentation, and it must include citations for all sources of information. Please provide it three days before you are scheduled to present the material. I will post it on the class web page for others to view.
  • After the presentation, the team must facilitate a class discussion. I will allocate extra credit points to students in the audience who make a substantive contribution to the discussion.
  • At a minimum your presentation should include the following:
    1. Members of the team
    2. Introduction to the issue being discussed
    3. Issue's relevance to e-commerce
    4. Summary of the conclusions and key results
    5. Value of the result
    6. Terminology used
    7. Assumptions made
    8. Discussion of the analysis (multiple slides)
    9. Identification of papers and material analyzed
    10. References
  • Ensure that you give proper credit to all author(s) of all material presented.
  • The presentation may be given by one or more members of the team. In addition to technical content, I will be evaluating the presentation itself to determine that the presenter(s)
    1. are prepared,
    2. aren't just reading notes,
    3. have grasped the concepts and are providing more than a simple section-by-section summary of a paper or other material found on the Internet,
    4. can be heard, and
    5. can articulate security ideas.
  • Plagiarism will result in a score of 0, and I may use automated tools provided by the university to identify plagiarism.
  • In order to ensure every member of the team does an adequate share of the work, each student will be asked to evaluate the participation of his/her teammates. If there is an indication that a student is not contributing a fair share, I will meet with all members of the team individually to evaluate the situation, and if I feel the assessment is accurate, that student's point total for the project will be reduced accordingly.



EXAMS:

University Finals Schedule

You can NOT make up the exams, and you must take the final during the registrar's official scheduled timeslot -ABSOLUTELY NO EXCEPTIONS!! - Coordinate your travel accordingly.

I reserve the right to compare projects and papers submitted by students to any other papers by any means necessary (automated or non-automated) to identify violations of the GMU Honor Code. Please notice that the Dean has identified plagiarism as a serious problem at every level of study.

There will NOT be an option for extra credit projects or papers.