CSCI 5941 Web Security
Spring 2004

Questions on VeriSign's Technical Brief: "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services"

Note: Sample answers provided by each team follow the respective questions. The answers are provided as samples and may not necessarily be the "correct" answers. Please exercise caution when using the sample answers. Send your comments or corrections, if any, to the discussion group.

Answer the following questions using your own words:
  1. By offering products and services on the Web, what unique benefits can businesses gain? [sample answer]
  2. According to the article, what percentage of Web users reported that a lack of security made them uncomfortable sending credit card numbers over the Internet? [sample answer: Answers2&12&22]
  3. To succeed in the fiercely competitive e-commerce marketplace, businesses must become fully aware of Internet security threats, take advantage of the technology that overcomes them, and win customers' trust. What are the Internet security threats discussed in the article? Classify each threat as a violation of one of the security goals, that is, confidentiality, data integrity, origin integrity, availability, and non-repudiability. [sample answer: Answers3&13&23]
  4. List and explain three or more security threats that were not included in the article. Classify the threats according to the security goals (see above). [sample answer]
  5. Four goals were discussed in section I.B of the article. Availability was not one of them. Should an e-commerce site be concerned with availability? Justify your answer. [sample answer: Questions_5_15_25.doc]
  6. Two essential components were proposed as the solution for meeting each of the goals listed in section I.B. Explain how each of the four goals would be achieved by the proposed solution. [sample answer: websec 6&16&26.doc]
  7. In section II.A, it was stated that "This section presents background technical information on cryptographic systems, including Public Key Cryptography, the system underlying Secure Sockets Layer (SSL)—the basis for every e-commerce trust infrastructure."
     1. Do you agree that SSL is the basis for every e-commerce trust infrastructure? Justify your answer.
     2. Explain why Public Key Cryptography is the system underlying Secure Sockets Layer (SSL). [sample answer]
  8. Explain why symmetric cryptography alone is considered impractical in today's web-based systems. [sample answer: Answer8&18&28]
  9. Explain why a hybrid approach, combining public-key and traditional symmetric cryptography, is used in modern cryptographic systems. [sample answer]
  10. Explain what the Key Management Problem is, in the respective contexts of symmetric and public key cryptography. [sample answer]
  11. What security goals can be achieved by using digital signatures? Explain how. [sample answer]
  12. What unique problem can a digital certificate help to mitigate? Be specific. [sample answer: Answers2&12&22]
  13. In section IV, it was stated "SSL server certificates satisfy the need for confidentiality, integrity, authentication, and nonrepudiation." Do you agree with the statement? Justify your answer by arguing for or against the statement. [sample answer: Answers3&13&23]
  14. What necessary functions to establish e-commerce trust are fulfilled by SSL server certificates? Explain how. [sample answer]
  15. Explain the differences between the 40-bit SSL server certificates and the 128-bit SSL server certificates. [sample answer: Questions_5_15_25.doc]
  16. What size of private key should a web administrator select in order to establish a 128-bit SSL server certificate using VeriSign's Global Server ID? [sample answer: websec 6&16&26.doc]
  17. Explain what Server Gated Cryptography (SGC) means. [sample answer]
  18. In complex, multiserver environments, SSL server certificates must be used carefully in order to satisfy the three requirements of online trust. Explain what the requirements are in multiserver environments. [sample answer: Answer8&18&28]
  19. Explain the term Fail-Safe Backup. [sample answer]
  20. Explain what Load Balancing means. [sample answer]
  21. Explain how a single certificate issued to an ISP's domain would be used on multiple servers by multiple Web sites. [sample answer]
  22. What is Name-Based Virtual Hosting? [sample answer: Answers2&12&22]
  23. Visit http://www.verisign.com/rsc/wp/certshare/certshare.html and read the white paper "Securing Multiple Web Server and Domain Configurations". [sample answer: Answers3&13&23]
  24. Explain what an Internet payment gateway is, and its role in a typical online payment transaction. [sample answer]
  25. Explain what a processor is, and its role in a typical online payment transaction. [sample answer: Questions_5_15_25.doc]
  26. Explain the relationship between an SSL server certificate and an Internet payment gateway. [sample answer: websec 6&16&26.doc]
  27. Explain the differences between business-to-consumer (B2C) and business-to-business (B2B) payment applications. [sample answer]
  28. Explain how VeriSign Payflow Payment Services support B2B payment applications. [sample answer: Answer8&18&28]
  29. Explain the different ways in which, at the application level, VeriSign's payment processing services can be accessed. [sample answer]
  30. It was claimed that "The VeriSign architecture has the highest performance in the industry. The average transaction response time is 2.2 seconds." Explain how the VeriSign system achieves maximum throughput. [sample answer]
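The cryptographic relationships behind questions 8 through 11, as an added illustration that is not part of the VeriSign brief or of this course page: a toy RSA key pair built from two fixed Mersenne primes (chosen here only so the example runs without a library; such primes are trivially recognisable, so the key is insecure) wraps a fresh symmetric session key, the bulk data is protected by a SHA-256 counter-mode keystream with an HMAC tag, and the same key pair produces and verifies a digital signature. keys_needed counts the keys a group of n parties must manage under each model (question 10). All function names and the sample order text are constructed for this example; a real site relies on TLS and a vetted library, never on code like this.

```python
"""Toy hybrid encryption and digital signature (illustration only).

Constructed example: the RSA modulus uses two fixed Mersenne primes
(insecure, chosen so the code runs offline), the symmetric cipher is a
SHA-256 counter-mode keystream, and no padding scheme (OAEP/PSS) is
applied. Real deployments use TLS and a vetted cryptographic library.
"""
import hashlib
import hmac
import os

# Textbook RSA key from two fixed primes (assumed, toy: M127 and M521).
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def keystream(key, length):
    """SHA-256 in counter mode: block i = SHA256(key || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key, plaintext):
    """XOR with the keystream, then append an HMAC tag (encrypt-then-MAC)."""
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def symmetric_decrypt(key, blob):
    """Verify the tag before touching the ciphertext; reject on any change."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, keystream(key, len(body))))


def hybrid_encrypt(plaintext, pub=(N, E)):
    """Fresh 128-bit session key, wrapped with the recipient's public key.

    Only the short key goes through the slow public-key operation; the
    bulk data uses the fast symmetric cipher (the hybrid approach of
    question 9). Returns (wrapped_key, ciphertext_with_tag).
    """
    n, e = pub
    session_key = os.urandom(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, symmetric_encrypt(session_key, plaintext)


def hybrid_decrypt(wrapped, blob, priv=(N, D)):
    """Unwrap the session key with the private exponent, then decrypt."""
    n, d = priv
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return symmetric_decrypt(session_key, blob)


def sign(message, priv=(N, D)):
    """Hash the message, then apply the private exponent (textbook RSA)."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(message, signature, pub=(N, E)):
    """Anyone holding the public key checks origin and integrity; the
    signer cannot later deny it (non-repudiation) since only they hold d."""
    n, e = pub
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def keys_needed(parties):
    """Key-management cost (question 10): pairwise symmetric keys versus
    one key pair per party. Returns (symmetric_keys, key_pairs)."""
    return parties * (parties - 1) // 2, parties


if __name__ == "__main__":
    order = b"order 1234: amount 19.99"      # constructed sample order
    wrapped, blob = hybrid_encrypt(order)
    assert hybrid_decrypt(wrapped, blob) == order
    sig = sign(order)
    assert verify(order, sig) and not verify(order + b"!", sig)
    print(keys_needed(1000))                # (499500, 1000)
```

The asymmetry is the point of questions 8 and 9: 1000 parties need 499,500 pairwise secret keys, each of which must be distributed out of band, but only 1000 key pairs, of which the public halves can be published (this is where the certificate of question 12 enters, binding a public key to an identity). The HMAC tag plays the role of the SSL record MAC: a ciphertext altered in transit is rejected before decryption.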
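As a second added example (not from the brief or this page), the browser-side name check that decides whether one certificate issued to an ISP's domain can serve several customer sites (questions 21 to 23). The matching rules are those of RFC 6125 section 6.4.3: a wildcard is accepted only as the entire leftmost label and matches exactly one label. The certificate names and hostnames are invented; isp.example and shop2.example are placeholders.

```python
"""Which hostnames does one SSL server certificate cover?

Constructed illustration of the name check a browser performs after the
SSL handshake. Certificates and hostnames below are invented.
"""


def hostname_matches(cert_name, hostname):
    """True if `hostname` is covered by one name presented in the cert."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Only a whole-label wildcard in the leftmost position is accepted
    # (no "f*.isp.example"), and it must not stand in for a whole public
    # suffix such as "*.com" or "*.example".
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    # The wildcard matches exactly one label: "*.isp.example" covers
    # shop1.isp.example but neither isp.example nor a.b.isp.example.
    if len(host_labels) != len(cert_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to whether any name in the certificate covers it."""
    return {h: any(hostname_matches(c, h) for c in cert_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed: one certificate issued to the ISP, naming its own host
    # and a wildcard for its subdomains; customer sites reached two ways.
    isp_cert = ["www.isp.example", "*.isp.example"]
    sites = [
        "www.isp.example",       # the ISP's own site: covered
        "shop1.isp.example",     # customer under the ISP's domain: covered
        "a.b.isp.example",       # two labels below the wildcard: not covered
        "www.shop2.example",     # customer's own domain: name mismatch
    ]
    for host, ok in covered_hosts(isp_cert, sites).items():
        print(host, "covered" if ok else "NAME MISMATCH")
```

A customer site reached at its own domain (www.shop2.example) is not covered by the ISP's certificate, so the browser warns of a name mismatch even though the connection is encrypted; this is why sharing a single certificate across sites only works for hostnames under the ISP's domain. Name-based virtual hosting (question 22) adds a second constraint: without Server Name Indication, which 2004-era browsers largely lacked, the server must choose its certificate from the IP address and port alone, before the HTTP Host header arrives, so every name-based virtual host on one address had to present the same certificate.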