
Overview

Electronic Commerce

Underlying Technologies

» Cryptography

» Network Security Protocols

Electronic Payment Systems

» Credit card-based methods

» Electronic Cheques

» Anonymous payment

» Micropayments

» SmartCards

Commerce

Commerce: Exchange of Goods / Services

Contracting parties: Buyer and Seller

Fundamental principles: Trust and Security

Intermediaries:

– Direct (Distributors, Retailers)

– Indirect (Banks, Regulators)

Money is a medium to facilitate transactions

Attributes of money:

» Acceptability, Portability, Divisibility

» Security, Anonymity

» Durability, Interoperability

E-Commerce Summary

Automation of commercial transactions using computer and communication technologies

Facilitated by Internet and WWW

Business-to-Business: EDI

Business-to-Consumer: WWW retailing

Some features:

» Easy, global access, 24 hour availability

» Customized products and services

» Back Office integration

» Additional revenue stream

E-Commerce Steps

Attract prospects to your site

» Positive online experience

» Value over traditional retail

Convert prospect to customer

» Provide customized services

» Online ordering, billing and payment

Keep them coming back

» Online customer service

» Offer more products and conveniences

Maximize revenue per sale

E-Commerce Participants

E-Commerce Problems

(Figure labels: Snooper, Unreliable Merchant, Unknown customer)

E-Commerce risks

Customer's risks

» Stolen credentials or password

» Dishonest merchant

» Disputes over transaction

» Inappropriate use of transaction details

Merchant’s risk

» Forged or copied instruments

» Disputed charges

» Insufficient funds in customer’s account

» Unauthorized redistribution of purchased items

Main issue: Secure payment scheme

E-Commerce Security

Authorization, Access Control:

» protect intranet from hordes: Firewalls

Confidentiality, Data Integrity:

» protect contents against snoopers: Encryption

Authentication:

» both parties prove identity before starting transaction: Digital certificates

Non-repudiation:

» proof that the document originated from you & you only: Digital signature

Encryption (shared key)

- Sender and receiver agree on a key K
- No one else knows K
- K is used to derive encryption key EK & decryption key DK
- Sender computes and sends EK(Message)
- Receiver computes DK(EK(Message))
- Example: DES: Data Encryption Standard

m: message

k: shared key

Public key encryption

· Separate public key pk and private key sk
· Private key is kept secret by receiver
· Dsk(Epk(mesg)) = mesg and vice versa
· Knowing the public key (Ke) gives no clue about the private key (Kd)

m: message

sk: private secret key

pk: public key

Digital signature

Sign: sign(sk,m) = Dsk(m)

Verify: Epk(sign(sk,m)) = m

Sign a small hash of the message instead of the whole message to reduce cost

Signed and secret messages

Sender: m → sign(sk1, m) → Encrypt(pk2) → Epk2(Dsk1(m))

Receiver: Epk2(Dsk1(m)) → Decrypt(sk2) → Verify-sign: Encrypt(pk1) → m

(pk1, pk2: public keys of sender and receiver)

First sign, then encrypt: order is important.
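
The sign-then-encrypt flow from the two slides above, as an added example (not part of the original slides): textbook RSA in the slides' notation, signing a SHA-256 hash of the message before encrypting for the receiver. The keys are toy values built from known Mersenne primes, and the helper names (keypair, rsa, digest, send, receive) are assumptions made for this illustration.

```python
import hashlib

# Toy textbook RSA (constructed demo keys from known Mersenne primes;
# unpadded and far too small for real use).
E = 65537

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))    # (pk, sk)

PK1, SK1 = keypair(2**61 - 1, 2**89 - 1)      # sender's signing pair
PK2, SK2 = keypair(2**107 - 1, 2**127 - 1)    # receiver's pair, larger modulus

def rsa(key, x):
    """E_pk(x) or D_sk(x): the same modular exponentiation, different key."""
    n, exp = key
    assert 0 <= x < n, "value must fit in the modulus"
    return pow(x, exp, n)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(sk, msg):                 # sign(sk, m) = D_sk(hash(m))
    return rsa(sk, digest(msg, sk[0]))

def verify(pk, msg, sig):          # E_pk(sig) == hash(m)
    return rsa(pk, sig) == digest(msg, pk[0])

def send(msg):
    """Sender: sign with sk1 first, then encrypt message and signature with pk2."""
    sig = sign(SK1, msg)
    return rsa(PK2, int.from_bytes(msg, "big")), rsa(PK2, sig)

def receive(c_msg, c_sig):
    """Receiver: decrypt with sk2, then verify the signature with pk1."""
    m_int, sig = rsa(SK2, c_msg), rsa(SK2, c_sig)
    msg = m_int.to_bytes((m_int.bit_length() + 7) // 8, "big")
    return msg, verify(PK1, msg, sig)
```

Because the signature sits inside the encryption, only the receiver sees it, and any change to the ciphertext makes verification fail after decryption.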

Digital certificates

(Figure labels: Register public key, Download public key)

How to establish authenticity of public key?


Certification authority

E-Payments: Secure transfer

SSL: Secure socket layer

» below application layer

S-HTTP: Secure HTTP:

» On top of http

SSL: Secure Socket Layer

Application protocol independent

Provides connection security as:

» Connection is private: Encryption is used after an initial handshake to define secret (symmetric) key

» Peer's identity can be authenticated using public (asymmetric) key

» Connection is reliable: Message transport includes a message integrity check (hash)

SSL Handshake protocol:

» Allows server and client to authenticate each other and negotiate an encryption key

SSL Handshake Protocol

1. Client "Hello": challenge data, cipher specs
2. Server "Hello": connection ID, public key certificate, cipher specs
3. Client "session-key": encrypted with server's public key
4. Client "finish": connection ID signed with client's private key
5. Server "verify": client's challenge data signed with server's private key
6. Server "finish": session ID signed with server's private key

Session IDs and encryption options cached to avoid renegotiation for reconnection

S-HTTP: Secure HTTP

Application level security (HTTP specific)

"Content-Privacy-Domain" header:

» Allows use of digital signatures &/ encryption

» Various encryption options

Server-Browser negotiate

» Property: cryptographic scheme to be used

» Value: specific algorithm to be used

» Direction: One way/Two way security

E-Payments: Atomicity

Money atomicity: no creation/destruction of money when transferred

Goods atomicity: no payment w/o goods and vice versa.

» Eg: pay on delivery of parcel

Certified delivery: the goods delivered are what was promised:

» Open the parcel in front of a trusted 3rd party


Anonymity of purchaser

Payment system types

Credit card-based methods

» Credit card over SSL - First Virtual - SET

Electronic Cheques

» NetCheque

Anonymous payments

» Digicash - CAFE

Micropayments

SmartCards

Encrypted credit card payment

Set secure communication channel between buyer and seller

Send credit card number to merchant encrypted using merchant’s public key

Problems: merchant fraud, no customer signature

Ensures money but no goods atomicity

Not suitable for microtransactions

First virtual

Customer assigned virtual PIN by phone

Customer uses PIN to make purchases

Merchant contacts First virtual

First virtual sends email to customer

If customer confirms, payment made to merchant

Not goods atomic since customer can refuse to pay

Not suitable for small transactions

Flood customer’s mailbox, delay merchant

Cybercash

Customer opens account with cybercash, gives credit card number and gets a PIN

Special software on customer side sends PIN, signature, transaction amount to merchant

Merchant forwards to cybercash server that completes credit card transaction

Pros: credit card # not shown to server, fast

Cons: not for microtransactions

SET: Secure Electronic Transactions

Merge of STT, SEPP, iKP

Secure credit card based protocol

Common structure:

» Customer digitally signs a purchase along with price and encrypts it with bank’s public key

» Merchant submits a sales request with price to bank.

» Bank compares purchase and sales request. If the prices match, bank authorizes the sale

Avoids merchant fraud, ensures money but no goods atomicity

Electronic Cheques

Leverages the check payments system, a core competency of the banking industry.

Fits within current business practices

Works like a paper check does but in pure electronic form, with fewer manual steps.

Can be used by all bank customers who have checking accounts

Different from Electronic fund transfers

How does echeck work?

Exactly same way as paper

Check writer "writes" the echeck using one of many types of electronic devices

"Gives" the echeck to the payee electronically.

Payee "deposits" echeck, receives credit,

Payee's bank "clears" the echeck to the paying bank.

Paying bank validates the echeck and "charges" the check writer's account for the check.

Anonymous payments

1. Withdraw money: cryptographically encoded tokens

2. Transform so merchant can check validity but identity hidden

3. Send token after adding merchant’s identity

4. Check validity and send goods

5. Deposit token at bank. If double spent reveal identity and notify police

(Figure labels: customer, merchant)

Problems with the protocol

Not money atomic: if crash after 3, money lost

» if money actually sent to merchant: returning to bank will alert police

» if money not sent: not sending will lead to loss

High cost of cryptographic transformations: not suitable for micropayments

Examples: Digicash
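
One way to realise the token steps of the anonymous payment protocol is an RSA blind signature; the following is an added example, not code from the slides or from Digicash. It covers blinding at withdrawal, the merchant's validity check and double-spend detection at deposit, but not the identity-revealing step or the merchant's identity from step 3. The toy bank key (known Mersenne primes) and all names are assumptions.

```python
import hashlib, math, secrets

# Constructed toy bank key from known Mersenne primes (textbook RSA, demo only).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # bank's private exponent

def h(serial):
    """Map a token serial number into Z_N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Bank:
    def __init__(self):
        self.spent = set()

    def sign_blinded(self, blinded):          # withdrawal: sees only the blinded value
        return pow(blinded, D, N)

    def deposit(self, serial, sig):           # step 5
        if pow(sig, E, N) != h(serial):
            return "invalid"
        if serial in self.spent:
            return "double-spent"
        self.spent.add(serial)
        return "ok"

def withdraw(bank):
    """Steps 1-2: get the bank's signature on a serial the bank never sees."""
    serial = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2          # blinding factor
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = h(serial) * pow(r, E, N) % N
    sig = bank.sign_blinded(blinded) * pow(r, -1, N) % N   # unblind: h(serial)^D
    return serial, sig, blinded

def merchant_accepts(serial, sig):            # step 4: needs only the bank's public key
    return pow(sig, E, N) == h(serial)
```

The bank signs `blinded`, which is unrelated to the serial it later sees at deposit, so it cannot link the withdrawal to the purchase; the modular exponentiations on every token are the cryptographic cost the slide refers to.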

Micropayments on hyperlinks

HTML extended to have pricing details with each link: displayed when the user is around the link

On clicking, browser talks to E-Wallet that initiates payment to webserver of the source site

Payment for content providers

Attempt to reduce overhead per transaction

Micropayments: NetBill

Customer & merchant have account with NetBill server

Protocol:

» Customer requests quote from merchant, gets quote and accepts

» Merchant sends goods encrypted by key K

» Customer prepares & signs Electronic Purchase Order having <price, crypto-checksum of goods>

» Merchant countersigns EPO, signs K and sends both to NetBill server

» NetBill verifies signatures and transfers funds, stores K and crypto-checksum and

» NetBill sends receipt to merchant and K to customer
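
The NetBill exchange above as an added example (not NetBill's own code): the customer can decrypt the goods only if NetBill accepts both signatures over the same price and checksum and moves the funds. HMAC under per-party keys shared with NetBill stands in for signatures and a SHA-256 keystream stands in for the cipher; the account names, keys and function names are assumptions.

```python
import hashlib, hmac, secrets

def keystream_xor(key, data):
    """Stand-in cipher (demo only): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def tag(party_key, *fields):
    """Stand-in signature: HMAC under a key the party shares with NetBill."""
    msg = b"|".join(f.hex().encode() for f in fields)
    return hmac.new(party_key, msg, hashlib.sha256).digest()

class NetBill:
    def __init__(self, keys, balances):
        self.keys, self.balances, self.stored = keys, balances, {}

    def settle(self, cust, merch, price, checksum, cust_sig, merch_sig, k, k_sig):
        epo = (str(price).encode(), checksum)
        valid = (hmac.compare_digest(cust_sig, tag(self.keys[cust], *epo))
                 and hmac.compare_digest(merch_sig, tag(self.keys[merch], *epo, cust_sig))
                 and hmac.compare_digest(k_sig, tag(self.keys[merch], k)))
        if not valid or self.balances[cust] < price:
            return None                        # no funds move and K is not released
        self.balances[cust] -= price
        self.balances[merch] += price
        self.stored[checksum] = k              # NetBill stores K and the checksum
        return k                               # K goes to the customer

GOODS = b"constructed sample content: report.pdf bytes"

def purchase(netbill, price_signed, price_claimed):
    """Customer 'alice' signs price_signed; merchant 'shop' submits price_claimed."""
    k = secrets.token_bytes(16)
    enc = keystream_xor(k, GOODS)              # merchant -> customer, useless without K
    checksum = hashlib.sha256(enc).digest()    # customer computes it over what arrived
    cust_sig = tag(netbill.keys["alice"], str(price_signed).encode(), checksum)
    claimed = str(price_claimed).encode()
    merch_sig = tag(netbill.keys["shop"], claimed, checksum, cust_sig)
    k_sig = tag(netbill.keys["shop"], k)
    released = netbill.settle("alice", "shop", price_claimed, checksum,
                              cust_sig, merch_sig, k, k_sig)
    return keystream_xor(released, enc) if released else None
```

Payment and release of K happen in the same step at the NetBill server, which is what gives the protocol both money and goods atomicity.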

Recent micropayment systems

Company          Payment system        Unique code
Compaq           Millicent             mcent
IBM              IBM payment system    mpay
France Telecom   Micrommerce           microm

Smartcards

8-bit micro, < 5MHz, < 2k RAM, 20k ROM

Download electronic money on a card: wallet on a card

Efficient, secure, paperless, intuitive and speedy

Real and virtual stores accept them

Less susceptible to net attacks since disconnected

Has other uses spanning many industries, from banking to health care

Mondex

Smart card based sales and card to card transfers

Money is secured through a password and transactions are logged on the card

Other operation and features similar to traditional debit cards

Card signs transaction: so no anonymity

Need card reader everywhere

Available only in prototypes

Summary

Various protocols and software infrastructure for ecommerce

Today: credit card over SSL or S-HTTP

Getting there:

» smart cards,

» digital certificates

Need:

» legal base for the entire ecommerce business

» global market place for ecommerce


Electronic Commerce-Definition

Using electronic methods and procedures to conduct all forms of business activity including governance.

E-commerce 6 Cs & 6 Ps

6 Cs: Content, Community, Commerce, Context, Communication, Collaboration

6 Ps: Products, Price, Packaging, Penetration, Protection, Pace

Electronic Commerce-Issues

Technology

Infrastructure

Legal

Management

Security

Trade, Scope & Coverage

Impact on Economy

Infrastructure

Power

Reliable communication

Environment

Human resource

Interface with suppliers and consumers

Faith, trust and ethics

Legal


e-Law: Global Internet requires Global Laws

Industrial laws to be transformed to Information Age

Laws to protect value protection and minimum ethics in Industrial practices when Government transforms itself to be a facilitator

Relationship between Information Technology and Economy

Information Technology and Paradigm Shift of Economy

(Figure: Agricultural Society, Industrial Society, and Knowledge and Information-based Society, linked by Industrialization and Informatization; rows: Labor, Intermediate Resource, Main Resources, Product, Product Site.)

Ontological issues

Definition

» What is electronic money ?

– Relative to traditional money

– Relative to traditional electronic money

Continuity or upheaval ?

» What should be the basis of definition

– Purpose

What do you buy ?

– Payment system

How do you pay ?

Technology

Hardware

Software

Firmware

Communication & Networks

Security

Smart Cards

Role of Technology

lower transaction costs

reducing asymmetric information

24-hour trading

borderless global trading network

improve market efficiency


Technology Hype Cycle

Internet Commerce Opportunities

Financial Services

» Online bill payment, investment services and banking

Value Chain

» Establish process linking with trading partners (direct goods)

Direct Marketing, Selling & Service

» Customer Service

» Direct Selling

» Brand Development

Corporate Purchasing

» Employee self-service purchasing from suppliers (indirect goods)


Smart card Technology

Smart cards => Micro e-commerce

Smart cards in e-banking

Smart cards in e-transportation

Smart cards in e-identification

Smart cards in e-logistics business

Smart cards in e-personal health care business

Smart cards in e-insurance

Smart Card Issues

Interoperability

Selection of Operating System

Smart Chip supplier

Card manufacturer and Integrator

Application software

Multi Application Support

National & Global Usage

International Concerns

Limited chip and card suppliers (Cost and capacity restriction)

Interoperability between various cards and terminal systems

Europe’s effort in EMV 2000 specs

CEPS effort by visa?

Limitation in Multi application support

Card remote update and load and delete applications

Barriers to E-commerce

An Effective payment mechanism

User Identification and Authenticity

Bandwidth

Local phone charges

Import/Export issues for physical goods delivery

Search engine overload

Fear of distribution of today’s Good-distribution model

E-COMMERCE - SECURITY THREATS

SPOOFING BY creating illegitimate sites

UNAUTHORISED DISCLOSURE - intercept transmissions on customers’ sensitive information

UNAUTHORIZED ACTION - alter original website so that it refuses services to potential clients

DATA ALTERATION - TRANSACTION ALTERED ENROUTE EITHER MALICIOUSLY OR ACCIDENTALLY.

CERTIFICATION

SEMANTIC ISSUES

What is certification; what does it denote and mean?

What are the principal concepts and elements of certification

What additional concepts and notions are expressed and implied by certification?

What is the Intent of the certification; what is it you are trying to do in certifying something?

TECHNOLOGICAL ISSUES

How is certification achieved?

How are the prerequisites and context for certification established?

What is it you are certifying? (Object of certification)

Certification with respect to what? (Business for certification)

What relation must exist for certification? (Object/basis relation)

What activities/decisions are prerequisite for certification?

How and when is certification to be conducted?

ADMINISTRATIVE ISSUES

Who does the certification?

Who is the recipient of the certification?

What is the significance of the certification for the certifier?

What is the significance of the certification for the recipient?

Why certify?

Delivering Security Services

A Merger of Technological and legal view points.

Consists of

Confidentiality - Exclusive Knowledge

Authentication of sender - Who?

Data Integrity - What were the contents?

Time stamp - when the message was sent?

Non-repudiation - Blocks False denial of (a) Sending the message (b) contents of the message
