Security Protocols on the E-commerce

-

 Security Protocols on the Internet 

 We will discuss here some of the popular protocols used over the internet to ensure secured online transactions. Some of them are SSL, SHTTP, SET...

1) Secure Socket Layer (SSL) 

  • It is the most commonly used protocol and is widely used across the industry.
  •  It meets the following security requirements −  Authentication, Encryption,  Integrity, Non-reputability 
  • "HTTPS://" is to be used for HTTP URLs with SSL, whereas "HTTP:/" is to be used for HTTP URLs without SSL.
  • SSL was originally designed by Netscape. 
  • It was developed to provide encryption and authentication between a web client and a web server. 
  • SSL begins with a handshake phase that consists of two main steps: 

a) Negotiating the encryption algorithm 

b) Authenticating identity (optional) 

         After that, encrypted data can be sent.

a)Negotiating the encryption algorithm: 

- SSL session begins with a negotiation between the client and the server about the cipher suite. 

- The cipher suite includes the public key encryption algorithms, symmetric key encryption algorithms, hash functions, and key sizes to be used. 

- The client tells the server which cipher suites it has available, and the server chooses the best mutually acceptable cipher suite.

b) Authenticating identity (optional) 

- It is an optional step, but in eCommerce, it is always a good idea to authenticate the server. 

- To authenticate the server, the server presents its public key certificate to the client. 

- If this certificate is valid, the client can be sure about the identity of the server and the organization that owns it. 

- Practically, the SSL-enabled browser maintains a list of trusted Certification Authorities (CAs) with the public keys of these CAs.


  • The client and the server exchange information that allows them to agree on the secret key. 
  • For example, with RSA, the client uses the server's public key, obtained from the public key certificate, to encrypt the session key information. 
  • The client sends the encrypted session key information to the server. 
  • Only the server can decrypt this message since the server's private key is required for this decryption. In some cases the server needs to authenticate the client.

 Overview of the handshake phase of SSL



  •  Both the client and the server now have access to the same session key. 
  • With each message, they use the cryptographic hash function (chosen in the first step of the negotiation process), to use it in the digital signature. 
  • They use the session key and the session key algorithm (chosen in the first step of the negotiation process), to encrypt the data and the message digest.

Notes about SSL: SSL is the basis of the TLS too. SSL and TLS are not limited to web applications. In fact, they can be used for authentication and data encryption in IMAP mail access. SSL can be seen as a layer between the application layer and the transport layer. On the sender side, It receives data (for example http messages) from the application layer and encrypts it before directing the encrypted data to a TCP socket. The opposite happens at the receiver side.


 Limitations of SSL in E-commerce: 

  • SSL is popular today. SSL-enabled servers and browsers provide a popular platform for card transactions.
  •  In spite of that, SSL was not developed specifically for card payment, but instead for generic secure communication between a client and a server.
  • The generic design of SSL may cause problems. For example, by using SSL we can authenticate the customer and the merchant, but we can’t be sure whether the merchant is authorized to accept payment, nor whether the customer is authorized to pay money. 
  • SSL also doesn’t tie a client to a specific card. 
  • For these reasons, we need a protocol that handles authentication and authorization for card payments transactions. The answer was the SET protocol.

2) Secure Hypertext Transfer Protocol (SHTTP)/ Secure HTTP (S-HTTP)Protocol 

  •  SHTTP extends the HTTP internet protocol with public key encryption, authentication, and a digital signature over the internet. 
  • Secure HTTP supports multiple security mechanisms, providing security to the end-users. 
  • SHTTP works by negotiating encryption scheme types used between the client and the server.
  •  It is an extension to the HTTP protocol that provides numerous security features such as
  1.  Client and server authentication 
  2. Spontaneous encryption 
  3.  Request/response nonrepudiation 
  • It provides symmetric and public-key encryption like the SSL. 
  • It also uses a message digest (hash number or summaries of messages as integers) to be transmitted with the message for message integrity. So, if the message is changed during transmission, it will be detected. 
  •  A secure digital envelope encapsulates a message and provides secrecy, integrity, and client/server authentication.

3)  Secure Electronic Transaction

  •  It is a secure protocol developed by MasterCard and Visa in collaboration. 

  • An open encryption and security specification for protecting payment card transactions on the internet

  • Theoretically, it is the best security protocol. It has the following components −
  •  Card Holder's Digital Wallet Software − Digital Wallet allows the cardholder to make secure purchases online via a point and click interface. 
  • Merchant Software − This software helps merchants to communicate with potential customers and financial institutions securely. 
  • Payment Gateway Server Software − Payment gateway provides automatic and standard payment process. It supports the process for merchant certificate requests. 
  •  Certificate Authority Software − This software is used by financial institutions to issue digital certificates to cardholders and merchants, and to enable them to register their account agreements for secure electronic commerce.

Feature of SET:
  • Protects the privacy of transmitted payment and order
  • Ensures integrity of all transmitted data
  • Provides authentication that a payment cardholder is a legitimate
  • Allows payment cardholder to verify that the merchant has a relationship whit an institution that allows it to accept payment cards.
  • Implemented by large e-commerce vendors for large financial institutions….
  • E.g., Verifone supplied SET to the Royal Bank of Canada
                                   OR,

Secure Electronic Transaction Protocol (SET)
  •  SET was developed in 1996 by Visa, MasterCard, Microsoft, Netscape, IBM among others. 
  • This protocol was designed specifically to secure card payment transactions over the internet.
  • It encrypts payment related messages. SET can’t be used for general purposes like encrypting arbitrary text of images. 
  • SET involves all three players in E-payment (who are they?).
  • In SET all three players must have certificates. 
  • The customer’s and merchant’s certificates are issued by their banks in order to assure that they are permitted to make/receive payments by card. 
  • In a SET transaction, the customer's card number is passed to the merchant’s bank. This number is never seen by the merchant as plaintext.


 SET is extremely secure since: 
  • All players must hold trusted certificates.
  •  All parties are authenticated. SET provides privacy, the merchant will never see the customer’s card number. 
  • SET provides data integrity SET provides customer non-repudiation guarantee.
  •  SET provides customer and merchant authorization.
  • To handle SET, the customer needs to have an “e-wallet”, which is a software that runs the client side of the SET protocol and stores customer payment card information.

Q..Why SET failed to win the market? 

The disadvantages of SET: 
  • SET is not easy to implement. 
  • SET requires the customer to install an e-wallet. 
  • It is expensive to integrate with legacy applications.
  •  It is more secure than what is usually needed.


Comments

Post a Comment

Popular posts from this blog

Suppose that a data warehouse for Big-University consists of the following four dimensions: student, course, semester, and instructor, and two measures count and avg_grade. When at the lowest conceptual level (e.g., for a given student, course, semester, and instructor combination), the avg_grade measure stores the actual course grade of the student. At higher conceptual levels, avg_grade stores the average grade for the given combination. a) Draw a snowflake schema diagram for the data warehouse. b) Starting with the base cuboid [student, course, semester, instructor], what specific OLAP operations (e.g., roll-up from semester to year) should one perform in order to list the average grade of CS courses for each BigUniversity student. c) If each dimension has five levels (including all), such as “student < major < status < university < all”, how many cuboids will this cube contain (including the base and apex cuboids)?

-
Image
a) A Snowflake Shema is shown in figure below: b) The specific OLAP operations to be performed: 1. Roll-up on course from course_id to department. 2. Roll-up on a student from student_id to university. 3. Dice on course, student with department ="CS" and university = "biguniversity" 4. Drill-down on a student from the university to student_name. c) N = 4 dimensions The cube will contain 54 = 625 cuboids.
Read more

Pure Versus Partial EC

-
Image
Pure Versus Partial EC EC takes several forms depending on the degree of digitization (the transformation from physical to digital). Companies utilizing pure EC conduct all of their business online. Businesses utilizing partial EC conduct a portion of their business online and a portion of their business off-line OR,    Pure E-electronic commerce refers to a situation where a business transacts its business activities PURELY online. that is, the goods or services sold do not have any physical presence. take a business that sells software, for example, you just pay and download, or one that sells music files online. Partial E-Commerce on the other hand refers to a slightly opposite situation where a business has an online presence, but still has a physical location for the goods and services it sells. For example, Amazon, Walmart, and any other you can think of. you buy the goods online but receive them physically.                   ...
Read more

Discuss classification or taxonomy of virtualization at different levels.

-
Image
Taxonomy of virtualization Virtualization is mainly used to emulate the execution environment, storage, and networks. The execution environment is classified into two: – Process-level – implemented on top of an existing operating system.  – System-level – implemented directly on hardware and does not or minimum requirement of the existing operating system. OR,  Virtualization covers a wide range of emulation techniques that are applied to different areas of computing. A classification of these techniques helps us better understand their characteristics and use  V irtualization is mainly used to emulate  ● Execution Environments: To provide support for the execution of the programs eg. OS, and Application.  ○ Process Level: Implemented on top of an existing OS that has full control of the hardware  ○ System Level: Implemented directly on Hardware and do not require support from existing OS.  ● Storage: Storage vi...
Read more