| Preface | p. xix |
| What is covered in this book | p. xix |
| Is security an obstacle to e-commerce development? | p. xx |
| Why I wrote this book | p. xxi |
| Some disclaimers | p. xxi |
| How to read this book | p. xxi |
| Acknowledgements | p. xxii |
| Information Security | p. 1 |
| Introduction to Security | p. 3 |
| Security Threats | p. 3 |
| Risk Management | p. 4 |
| Security Services | p. 5 |
| Security Mechanisms | p. 6 |
| Security Mechanisms | p. 11 |
| Data Integrity Mechanisms | p. 11 |
| Cryptographic Hash Functions | p. 12 |
| Message Authentication Code | p. 14 |
| Encryption Mechanisms | p. 15 |
| Symmetric Mechanisms | p. 15 |
| Public Key Mechanisms | p. 24 |
| Digital Signature Mechanisms | p. 36 |
| RSA Digital Signature | p. 37 |
| Digital Signature Algorithm | p. 38 |
| Elliptic Curve Analog of DSA | p. 40 |
| Public Key Management | p. 41 |
| Access Control Mechanisms | p. 41 |
| Identity-Based Access Control | p. 42 |
| Rule-Based Access Control | p. 43 |
| Authentication Exchange Mechanisms | p. 43 |
| Zero-Knowledge Protocols | p. 44 |
| Guillou-Quisquater | p. 44 |
| Traffic Padding Mechanisms | p. 45 |
| Message Freshness | p. 46 |
| Random Numbers | p. 47 |
| Key Management and Certificates | p. 51 |
| Key Exchange Protocols | p. 51 |
| Diffie-Hellman | p. 52 |
| Elliptic Curve Analog of Diffie-Hellman | p. 53 |
| Public Key Infrastructure | p. 53 |
| X.509 Certificate Format | p. 54 |
| Internet X.509 Public Key Infrastructure | p. 59 |
| Encoding Methods | p. 61 |
| Electronic Payment Security | p. 65 |
| Electronic Payment Systems | p. 67 |
| Electronic Commerce | p. 67 |
| Electronic Payment Systems | p. 68 |
| Off-line Versus Online | p. 69 |
| Debit Versus Credit | p. 70 |
| Macro Versus Micro | p. 70 |
| Payment Instruments | p. 70 |
| Electronic Wallet | p. 75 |
| Smart Cards | p. 75 |
| Electronic Payment Security | p. 76 |
| Payment Security Services | p. 79 |
| Payment Security Services | p. 79 |
| Payment Transaction Security | p. 81 |
| Digital Money Security | p. 83 |
| Electronic Check Security | p. 83 |
| Availability and Reliability | p. 84 |
| Payment Transaction Security | p. 85 |
| User Anonymity and Location Untraceability | p. 85 |
| Chain of Mixes | p. 86 |
| Payer Anonymity | p. 88 |
| Pseudonyms | p. 88 |
| Payment Transaction Untraceability | p. 90 |
| Randomized Hashsum in iKP | p. 90 |
| Randomized Hashsum in SET | p. 90 |
| Confidentiality of Payment Transaction Data | p. 91 |
| Pseudorandom Function | p. 91 |
| Dual Signature | p. 93 |
| Nonrepudiation of Payment Transaction Messages | p. 95 |
| Digital Signature | p. 96 |
| Freshness of Payment Transaction Messages | p. 98 |
| Nonces and Time Stamps | p. 98 |
| Digital Money Security | p. 101 |
| Payment Transaction Untraceability | p. 101 |
| Blind Signature | p. 102 |
| Exchanging Coins | p. 102 |
| Protection Against Double Spending | p. 103 |
| Conditional Anonymity by Cut-and-Choose | p. 103 |
| Blind Signature | p. 104 |
| Exchanging Coins | p. 104 |
| Guardian | p. 105 |
| Protection Against Forging of Coins | p. 110 |
| Expensive-to-Produce Coins | p. 110 |
| Protection Against Stealing of Coins | p. 111 |
| Customized Coins | p. 111 |
| Electronic Check Security | p. 119 |
| Payment Authorization Transfer | p. 119 |
| Proxies | p. 120 |
| An Electronic Payment Framework | p. 125 |
| Internet Open Trading Protocol (IOTP) | p. 125 |
| Security Issues | p. 127 |
| An Example With Digital Signatures | p. 128 |
| Communication Security | p. 133 |
| Communication Network | p. 135 |
| Introduction | p. 135 |
| The OSI Reference Model | p. 136 |
| The Internet Model | p. 138 |
| Networking Technologies | p. 141 |
| Security at Different Layers | p. 143 |
| Protocol Selection Criteria | p. 145 |
| Malicious Programs | p. 146 |
| The Internet Worm | p. 147 |
| Macros and Executable Content | p. 149 |
| Communication Security Issues | p. 149 |
| Security Threats | p. 150 |
| Security Negotiation | p. 153 |
| TCP/IP Support Protocols | p. 154 |
| Vulnerabilities and Flaws | p. 154 |
| Firewalls | p. 157 |
| Virtual Private Networks (VPN) | p. 158 |
| Network Access Layer Security | p. 161 |
| Introduction | p. 161 |
| Asynchronous Transfer Mode (ATM) | p. 162 |
| ATM Security Services | p. 164 |
| Multicast Security | p. 169 |
| ATM Security Message Exchange | p. 169 |
| ATM VPN | p. 169 |
| Point-to-Point Protocol (PPP) | p. 170 |
| Password Authentication Protocol (PAP) | p. 173 |
| Challenge-Handshake Authentication Protocol (CHAP) | p. 174 |
| Extensible Authentication Protocol (EAP) | p. 176 |
| Encryption Control Protocol (ECP) | p. 179 |
| Layer Two Tunneling Protocol (L2TP) | p. 179 |
| Internet Layer Security | p. 185 |
| Introduction | p. 185 |
| Packet Filters | p. 186 |
| Filtering Based on IP Addresses | p. 186 |
| Filtering Based on IP Addresses and Port Numbers | p. 188 |
| Problems With TCP | p. 191 |
| Network Address Translation (NAT) | p. 195 |
| IP Security (IPsec) | p. 196 |
| Security Association | p. 197 |
| The Internet Key Exchange (IKE) | p. 199 |
| IP Security Mechanisms | p. 204 |
| Domain Name Service (DNS) Security | p. 210 |
| Network-Based Intrusion Detection | p. 210 |
| Network Intrusion Detection Model | p. 212 |
| Intrusion Detection Methods | p. 213 |
| Attack Signatures | p. 215 |
| Transport Layer Security | p. 221 |
| Introduction | p. 221 |
| TCP Wrapper | p. 222 |
| Circuit Gateways | p. 223 |
| SOCKS Version 5 | p. 223 |
| Transport Layer Security (TLS) | p. 225 |
| TLS Record Protocol | p. 226 |
| TLS Handshake Protocol | p. 227 |
| Simple Authentication and Security Layer (SASL) | p. 232 |
| An Example: LDAPv3 With SASL | p. 233 |
| Internet Security Association and Key Management Protocol (ISAKMP) | p. 235 |
| Domain of Interpretation (DOI) | p. 235 |
| ISAKMP Negotiations | p. 236 |
| Application Layer Security | p. 243 |
| Introduction | p. 243 |
| Application Gateways and Content Filters | p. 244 |
| Access Control and Authorization | p. 245 |
| Operating System Security | p. 246 |
| Host-Based Intrusion Detection | p. 249 |
| Audit Records | p. 249 |
| Types of Intruders | p. 249 |
| Statistical Intrusion Detection | p. 250 |
| Security-Enhanced Internet Applications | p. 251 |
| Security Testing | p. 251 |
| Web Security | p. 255 |
| The Hypertext Transfer Protocol | p. 257 |
| Introduction | p. 257 |
| Hypertext Transfer Protocol (HTTP) | p. 258 |
| HTTP Messages | p. 260 |
| Headers Leaking Sensitive Information | p. 262 |
| HTTP Cache Security Issues | p. 263 |
| HTTP Client Authentication | p. 264 |
| SSL Tunneling | p. 267 |
| Web Transaction Security | p. 268 |
| S-HTTP | p. 270 |
| Web Server Security | p. 273 |
| Common Gateway Interface | p. 274 |
| Servlets | p. 276 |
| Anonymous Web Publishing: Rewebber | p. 277 |
| Database Security | p. 277 |
| Copyright Protection | p. 280 |
| Web Client Security | p. 285 |
| Web Spoofing | p. 286 |
| Privacy Violations | p. 287 |
| Anonymizing Techniques | p. 288 |
| Anonymous Remailers | p. 289 |
| Anonymous Routing: Onion Routing | p. 290 |
| Anonymous Routing: Crowds | p. 291 |
| Web Anonymizer | p. 295 |
| Lucent Personalized Web Assistant (LPWA) | p. 295 |
| Mobile Code Security | p. 299 |
| Introduction | p. 299 |
| Helper Applications and Plug-Ins | p. 302 |
| Java | p. 302 |
| Java Safety | p. 304 |
| Java Type Safety | p. 305 |
| Java Threads and Timing Attacks | p. 307 |
| Java Applets | p. 308 |
| Malicious and Hostile Applets | p. 309 |
| Stack Inspection | p. 310 |
| Protection Domains in JDK 1.2.x | p. 312 |
| Writing Secure Applications in Java | p. 314 |
| ActiveX Controls and Authenticode | p. 315 |
| JavaScript | p. 316 |
| Web-Based E-Commerce Concepts | p. 321 |
| Introduction | p. 321 |
| XML-Based Concepts | p. 322 |
| Micropayment Markup | p. 324 |
| Joint Electronic Payments Initiative (JEPI) | p. 324 |
| Java Commerce | p. 325 |
| Mobile Security | p. 329 |
| Mobile Agent Security | p. 331 |
| Introduction | p. 331 |
| Mobile Agents | p. 333 |
| Security Issues | p. 334 |
| Protecting Platforms From Hostile Agents | p. 336 |
| Protecting Platforms From Agents Tampered With by Hostile Platforms | p. 337 |
| Path Histories | p. 337 |
| State Appraisal | p. 338 |
| Signing of Mutable Agent Information | p. 338 |
| Protecting Agents From Hostile Platforms | p. 339 |
| Cryptographic Traces | p. 340 |
| Partial Result Chaining | p. 341 |
| Environmental Key Generation | p. 343 |
| Computing With Encrypted Functions | p. 344 |
| Code Obfuscation | p. 344 |
| Tamper-Resistant Hardware | p. 345 |
| Cooperating Agents | p. 345 |
| Replicated Agents | p. 346 |
| Standardization Efforts | p. 348 |
| Mobile Commerce Security | p. 353 |
| Introduction | p. 353 |
| Technology Overview | p. 354 |
| GSM Security | p. 356 |
| Subscriber Identity Confidentiality | p. 359 |
| Subscriber Identity Authentication | p. 359 |
| Data and Connection Confidentiality | p. 360 |
| Wireless Application Protocol | p. 361 |
| Wireless Transport Layer Security (WTLS) | p. 363 |
| WAP Identity Module | p. 364 |
| WML Security Issues | p. 364 |
| SIM Application Toolkit | p. 364 |
| Mobile Station Application Execution Environment (MExE) | p. 365 |
| Outlook | p. 366 |
| Smart Card Security | p. 369 |
| Introduction | p. 369 |
| Hardware Security | p. 371 |
| Card Operating System Security | p. 373 |
| Card Application Security | p. 374 |
| Java Card | p. 376 |
| SIM Card | p. 377 |
| Biometrics | p. 377 |
| Physiological Characteristics | p. 381 |
| Behavioral Characteristics | p. 382 |
| Afterword | p. 385 |
| About the Authors | p. 389 |
| Index | p. 391 |
| Table of Contents provided by Syndetics. All Rights Reserved. |