The History of E-Commerce

Electronic commerce came to public attention during the so-called e-commerce explosion of 1993-2000. During this time the idea of using the internet for widespread business use progressed from a novelty which many questioned and considered inconceivable to the mainstream reality it is today.

For today’s modern society it seems almost farcical to think that a mere decade ago the presence of e-commerce was nearly unheard of. In fact without e-commerce the simplicity and speed of business transactions which we almost take for granted would be reduced to almost stone-age techniques that prove extremely time-consuming and thus significantly more expensive. Most forms of business transactions rely on e-commerce on a constant basis to come to fruition. The removal of this vital core catalyst would prove as catastrophic to businesses as the absence of the motor vehicle would be to the average commuter.

Every form of transaction, from significant firm relations to the average consumer purchasing Christmas presents for loved ones, from critical information distribution to the access of media and educational tools, is bound to e-commerce as the attraction and professionalism of this golden age of technology has become such an important integral part of effective reliable procedures that it has become impossible and irrational to resist.

As a result the entire world has adopted this new age with open arms, creating an exponentially increasing amount of traffic over the medium. It is due to this that the emergence of various methods of security has been forced into action. In many cases sensitive information must be sent so that it is undetectable to the prying eye of the humble hacker. As the World Wide Web is an open ocean of information it is possible for these hackers to happen upon this sensitive information with the greatest of ease. When dealing with information such as account details, credit card numbers and so forth it is essential that security measures be employed to ensure this information is not leaked out and pilfered by these pirates of the modern age. If these measures did not exist e-commerce would become unfeasible; thus adequate security must be in place to ensure guaranteed authenticity and privacy.

We must ensure this firstly through hardware provisions and software encryption procedures. To ensure confidential information cannot be retrieved through the user’s own computer a so-called gate-keeper is called for that can distinguish which services to allow and which to block. This is because the idea of restricting traffic has become impossible. The general term for these gate-keepers is a ‘firewall’. A firewall is a dedicated computer placed between the internet and the company’s computers. The firewall works on the principle of a packet filter. It contains special software that examines the packets and selectively blocks or allows access, e.g. it drops any TCP/IP packets coming from the internet to the telnet service of any internal host. Firewalls also filter packets going from the company to the internet to prevent so-called Trojan-horse attacks.
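The packet-filter behaviour described above can be sketched as a first-match rule table with a default-deny fallback. This is an added example, not code from the original essay; the addresses, the rule table and the interface labels "ext" and "int" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed company LAN (RFC 5737 documentation range, constructed for this example).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" = arrived from the internet, "int" = arrived from the LAN
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    iface: str
    proto: str
    dport: Optional[int] = None  # None matches any port
    dst: Optional[str] = None    # None matches any destination

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.proto == p.proto
                and self.dport in (None, p.dport) and self.dst in (None, p.dst))

# Hypothetical rule table, evaluated top to bottom; the first match wins.
RULES = [
    Rule("drop", "ext", "tcp", 23),                      # telnet to any internal host
    Rule("allow", "ext", "tcp", 443, dst="192.0.2.10"),  # the public web server only
    Rule("allow", "int", "tcp", 80),                     # outbound web browsing
    Rule("allow", "int", "tcp", 443),
    Rule("allow", "int", "udp", 53),                     # outbound DNS lookups
]

def decide(p: Packet, rules=RULES) -> str:
    src_is_internal = ipaddress.ip_address(p.src) in INTERNAL
    # Anti-spoofing: a packet from the internet must not claim a LAN source
    # address, and a packet from the LAN must not carry a foreign one.
    if (p.iface == "ext") == src_is_internal:
        return "drop"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"  # default deny, including outbound traffic to unexpected ports

if __name__ == "__main__":
    for pkt in (Packet("ext", "203.0.113.5", "192.0.2.20", "tcp", 23),
                Packet("int", "192.0.2.20", "203.0.113.5", "tcp", 6667)):
        print(pkt, "->", decide(pkt))
```

The second sample packet shows the outbound side of the filter: a LAN host opening a connection to a port no rule allows is dropped by the default.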

Another form of hardware security would be smart-cards, which permit authentication and encryption of the network or computer devices. They have memory and a simple processor embedded in them. When connecting to a network the user would insert the card and enter a password; the card contains not only the authentication of the user but also their encryption keys.

With regard to the information being sent over the net, an insecure medium where basically anyone can listen to traffic, various encryption methods have been installed. Most traffic is not encrypted and as such it can be easily intercepted and copied without either party knowing. As commerce on the internet grows, securing data becomes an important issue. Presently there are several competing standards for secure transactions over the net, with new ones rapidly being introduced. The three most popular are S-HTTP (Secure HyperText Transfer Protocol), SSL (Secure Sockets Layer) and SET (Secure Electronic Transaction).

Secure transactions overview

The key requirements of electronic commerce are:

Message Privacy

Message integrity (i.e., communications between trading parties are not altered)

Authentication (a general trust vital for secure transactions and their enforcement.)

Authorisation (ensuring that a party to a transaction has the authority to make a transaction, or access specific information.)

These key requirements are maintained through encryption. Encryption is the transformation of electronic information based on a secret “key code”. There are two basic types of encryption:

“Symmetric” and “Asymmetric”.

An example of symmetric encryption would be DES (Data Encryption Standard), a US government standard for symmetric encryption. Through this process the data is encrypted over a network using a secret encryption key in such a way that the message can only be decrypted on the other side using the same key. An advantage of this method is that it is difficult to break computationally. However, it is unsuitable for use on its own over the net. The reason for this is that both sides must have knowledge of the key in question. It is also difficult to scale up to a large number of users, as each user would require a different key for every other user or merchant with whom they transact or exchange messages.

Asymmetric cryptography addresses the major limitations of symmetric cryptographic schemes. The encryption and decryption of data is performed using “key pairs”. The sender and receiver each own a unique key pair, one of the keys within the pair being a “public key”, the other a “private key”. The private key is never transmitted over the net. The sender encrypts the message using the receiver’s public key and digitally signs the message with their own private key. The receiver then decrypts the message using their private key and verifies the signature using the sender’s public key. Thus communicating parties only have to reveal their public keys to enable secure communication. The advantage of this method is that secrecy is not needed for the public key. It also simplifies the distribution and management of keys. The disadvantage is its computational requirements and speed. As it requires more computational power the performance becomes much slower.

As a result asymmetric encryption is rarely used in isolation; instead an integration of the two is favoured. This means that asymmetric cryptography is used to encrypt a symmetric encryption key and a checksum (a generated number which describes various properties of the message).

S-HTTP

S-HTTP is a standard proposed by the WWW Consortium and was designed by E. Rescorla and A. Schiffman of EIT to secure HTTP connections, providing a secure means of transporting sensitive data. S-HTTP works by encrypting the sensitive data, e.g. PIN numbers and credit card numbers, with a method that both the client and server can agree on. As a result of this negotiation a wide range of encryption mechanisms can be used. And since it works in conjunction with HTTP, an S-HTTP browser is able to communicate with a non-S-HTTP server without any changes to the browser.

The main advantage of this method of security is that it is a superset of HTTP, allowing messages to be encapsulated in various ways, including encryption, signing or “MAC” based authentication. These encapsulations can be recursive and the message can have many applications applied to it. S-HTTP also includes header definitions to provide key transfer, certificate transfer and similar administrative functions. S-HTTP appears to be extremely flexible in what it will allow the programmer to do. It also offers the potential for substantial user interface over the authentication and encryption activities.

S-HTTP also does not rely on a particular key certification scheme. Key certifications can be provided in a message or obtained elsewhere. Similar to SSL, which will be described in detail later, client public keys are not required. The protocol ensures an S-HTTP message is a “request” or “status line”, followed by other “headers” and some content, which can be raw data, an S-HTTP or HTTP message. These lines are defined to preclude an attacker from seeing the success or failure of a given request. S-HTTP takes a generally paranoid attitude to all information, leaking as little as possible.

There are a few headers that should go in the S-HTTP header, then others to the HTTP header, which in turn is encapsulated within the S-HTTP message. Those headers are defined in S-HTTP, but are usual as headers in the HTTP document, i.e. they are protected by the encapsulation.

To offer flexibility in the cryptographic enhancement used, client and server negotiate about the enhancements each is willing to use, or will require to be used. Negotiation blocks have four parts:

Property, Value, Direction (always with respect to the negotiator), and Strength (of preference).

The format of the body of a message is indicated by the content-domain S-HTTP header line. There are several acceptable content-privacy-domains; the most interesting option is a self-signed signature certificate in the message body. Errors in secure HTTP result in connections being closed. Some will require a new attempt, with different options. Clients must interpret server messages to decide on the appropriateness of a retry. There are limits placed on automatic retries because of attacks possible with HTTP. The client is only allowed to retry if the server requesting the retry already has the information. A retry can only be accepted provided it is encrypted and signed.

Threats to S-HTTP are similar to those against SSL. However, the more general nature of S-HTTP makes it difficult to assess exactly what is possible. In the case of a hacker, the attack on a CA may be more difficult, due to the existence of multiple CAs. S-HTTP is substantially more resistant to attack than SSL. It is more robust than SSL, because option renegotiations and retries are permitted. The use of in-band key exchange is potentially very problematic; the authors do not spend enough time ensuring keys are transferred properly. An improper transfer would be a system that sends key B as Ea(B), i.e. key B replaces key A and cannot be sent using key A to encrypt it. If an attacker has broken key A then he will have key B.

SET

SET is a proposed standard that was created primarily by MasterCard and Visa. Although the intended scope of this protocol is only to authorise credit card transactions over the web, SET is poised to become a standard for commerce over the Internet. SET works on the principle of public keys, only with a certificate system. It provides mutual authentication of client and server, data integrity checking, and encryption of sensitive data. However, the methods used are focused on secure transactions between customers, merchants and financial institutions.

Digital certification creates a trust chain throughout the transaction, verifying cardholder and validity, a process unparalleled by other Internet security solutions. SET relies on cryptography and digital certificates to ensure message confidentiality and security. Message data is encrypted using a randomly generated key that is further encrypted using the recipient’s public key; this is referred to as a “digital envelope” and is sent to the recipient with the encrypted message.

SSL

The most widely used protocol devised for secure communication is SSL, built on top of TCP/IP. The main feature at its disposal is the ability to verify authenticity and ensure message privacy. Designed for Netscape (the grandfather of secure web data transfer), SSL was the first communications protocol for secure web transactions. The first version of the protocol was released in the summer of 1994 for use in the Mosaic browser. The second version was integrated into the original Netscape Navigator web browser, released late in 1994. Less than a year after the release of Netscape, Microsoft released Explorer, which went on to incorporate a new version to overcome some of SSL 2.0’s weaknesses. By the winter of 1995 Netscape released SSL v3.0, which incorporated many of the ideas introduced by Microsoft.

In May 1996 the Internet Engineering Task Force (IETF) took on the responsibility of making SSL an international standard. In January of 1999 SSL was renamed the Transport Layer Security (TLS) protocol by the IETF. Today all major web browsers support the protocol. Its presence in web browsers is virtually transparent to users, with the exception of an HTTPS web address prefix or an icon designating a secure connection.

The SSL protocol is an optional layer that fits between the TCP (transmission control protocol), which assures that Internet Protocol (IP; “router”) messages are reliably transmitted, and the HTTP protocol layers.

Its purpose is to serve as an easily deployed, dedicated security protocol that offers full security for multiple applications. Inserting the SSL security protocol between the two layers means SSL does not require significant changes to them. As it is a “stand-alone” security protocol, it can serve other protocols above it. SSL’s “stand-alone” solution, flexible protocol and position as industry standard are beneficial to its expanding usage.

The main functions, similar to those of S-HTTP, are to authenticate the client and server and to encrypt the communication connection. The authentication is performed using key techniques, which verify that the server’s certificate is valid and issued by a trusted certificate authority.

To encrypt the message SSL uses ciphers, cryptographic algorithms used to scramble data. Clients and servers must use the same cipher in any given SSL session, the type dependent on the SSL version. A large variety of ciphers are available and are at the disposal of applicable parties.

When initiating a secure session an SSL “handshake” is first performed. This is a process where the client and server exchange information and negotiate services, the two main functions being authentication and channel encryption. Without authentication there would be no assurance that the information would be sent to the appropriate party. A number of tests are put in place to confirm the identity of the server. Firstly the server’s certificate expiration date is checked. Secondly, the certificate is checked against trusted CAs (certificate authorities). The third step involves validating the server’s private key used to sign the server’s certificate with the public key on record with the CA. The final step involves verifying that the server’s domain name listed on the certificate matches the server in question. This final step protects against “man-in-the-middle” attacks.

To establish a secure channel the client must select a cipher; the most secure cipher is selected and the client generates a premaster secret. The secret is then encrypted with the server’s public key, and can in turn only be decoded by the server with its private key. Next both the server and client generate the master secret, which is used to generate “encrypt” and “decrypt” symmetric session keys used for securing all future information exchanges. All future transmissions will be encrypted with the session keys.
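The derivation of session keys from the premaster secret can be followed in code. This is an added example, not part of the original essay: it uses the pseudo-random function that TLS 1.2 (RFC 5246) defines for this step, a later version of the protocol than the SSL releases discussed here, and it assumes the premaster secret has already reached the server encrypted under the server's public key.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash of RFC 5246 section 5: chained HMAC output, cut to `length` bytes."""
    out, a = b"", seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return prf(premaster, b"master secret", client_random + server_random, 48)

def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 32, key_len: int = 16) -> dict:
    # Key expansion seeds with server_random first, the reverse of the step above.
    block = prf(master, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len)
    keys, pos = {}, 0
    for name, size in (("client_mac", mac_len), ("server_mac", mac_len),
                       ("client_key", key_len), ("server_key", key_len)):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def simulate_handshake():
    """Both sides derive keys independently from the same three values."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    # The client picks the premaster secret: 2 version bytes + 46 random bytes.
    premaster = b"\x03\x03" + os.urandom(46)
    # Assumption: the premaster reaches the server encrypted under the server's
    # public key; that transport step is not modelled here.
    client_side = session_keys(master_secret(premaster, client_random, server_random),
                               client_random, server_random)
    server_side = session_keys(master_secret(premaster, client_random, server_random),
                               client_random, server_random)
    return client_side, server_side

if __name__ == "__main__":
    c, s = simulate_handshake()
    print("same keys on both sides:", c == s)
    print("client and server write keys differ:", c["client_key"] != c["server_key"])
```

Because both random values feed the derivation, reusing an old premaster secret with a fresh server random yields different session keys.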

The disadvantages of SSL are mainly due to performance issues regarding the unforgiving pressure on the server processors. As a result, during peak usage a significant increase in traffic can cause connection failures, as the server fails to process a connection in adequate time. The solution undertaken was to accelerate the rate at which traffic is processed. There are also key security risks to be taken into consideration. As the server’s private keys usually reside on an insecure hard drive and are copied to the processor when needed, if stolen it would be easy for a third party to assume your identity. To combat this IVEA developed the Crypto Swift Hardware Security Module (HSM), which is a tamper resistant, high-speed processor card, allowing for fast and secure transactions.

Conclusion

SSL is the current leader of these proposed standards. Although commercial transactions will begin to move to the SET protocol as it matures, it is likely that SSL will remain an industry standard for most other types of transactions. S-HTTP has not received much support within the industry and is likely to disappear.

It is also important to mention the presence of methods set up to provide similar protection against others viewing private e-mails. Two such methods are “Privacy Enhanced Mail” (PEM) and “Pretty Good Privacy” (PGP). Although all these methods do make the world of e-commerce and privacy over the net a far more secure place than before, there still remains some room for improvement. Even the greatest of protocols cannot prevent a client falling into the trap of a dishonest merchant or vendor. Although the transaction may be secure, if you cannot trust the party with whom you are making the transaction, even the strongest measure cannot aid.

Sources:

IVEA technologies

Building Cyberstores: Martin Nemzow

SET – intro and technical net: Larry Locb
