Joel Reedy and Shauna Schullo - PowerPoint PPT Presentation

1
Chapter 15
  • Security on the E-commerce Site

2
A Survey of Cryptography
  • Cryptography is the practice of protecting
    information with mathematics; a particular set of
    algorithms and keys for doing so is called a
    cryptosystem
  • Symmetric cryptosystems use the same key, the
    secret key, to encrypt (scramble) and decrypt
    (unscramble) a message, so both parties must hold
    that one key before they can communicate
  • Asymmetric cryptosystems, on the other hand, use
    one key to encrypt a message and a different,
    mathematically related key to decrypt it
  • Asymmetric cryptosystems are also called public
    key cryptosystems: each party has a key pair, a
    public key that can be handed to anyone and a
    private key that never leaves its owner, and what
    is encrypted with one can be decrypted only with
    the other
  • Symmetric cryptosystems are the simpler and far
    faster of the two, since only one key is
    involved; their difficulty is key distribution,
    because the secret has to reach both parties
    safely first. In practice the two are combined:
    public key cryptography protects a fresh
    symmetric key, and that key protects the data
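The two families side by side, as an added Go example that is not part of the deck: AES-256-GCM stands for the symmetric cryptosystem and RSA-OAEP for the asymmetric one. The order text, the 256-bit key size and the OAEP label "envelope" are chosen for the example. It also shows the combination described above, a random AES key sealed to an RSA public key, which is the construction the SET slides later call a digital envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not from the deck. AES-GCM is the symmetric cryptosystem: one
// shared key, fast, and it detects tampering. RSA-OAEP is the asymmetric one:
// anyone with the public key can encrypt, only the private key decrypts.

// symmetricEncrypt seals plaintext under a 16/24/32-byte key and returns nonce||ciphertext.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt reverses symmetricEncrypt; it fails if a single bit was altered.
func symmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// envelopeSeal is the hybrid construction: a fresh 256-bit AES key protects the
// message and only that key is encrypted with RSA-OAEP to the recipient's public key.
// It returns (RSA-wrapped key, nonce||ciphertext).
func envelopeSeal(pub *rsa.PublicKey, plaintext []byte) ([]byte, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	sealed, err := symmetricEncrypt(key, plaintext)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("envelope"))
	if err != nil {
		return nil, nil, err
	}
	return wrapped, sealed, nil
}

// envelopeOpen needs the private key: it unwraps the AES key, then opens the message.
func envelopeOpen(priv *rsa.PrivateKey, wrapped, sealed []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("envelope"))
	if err != nil {
		return nil, err
	}
	return symmetricDecrypt(key, sealed)
}

func main() {
	order := []byte("order 1042: 2 x widget, ship to 1 Main St") // constructed sample message
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		panic(err)
	}
	ct, _ := symmetricEncrypt(shared, order)
	pt, _ := symmetricDecrypt(shared, ct)
	fmt.Println("symmetric round trip ok:", string(pt) == string(order))
	ct[len(ct)-1] ^= 1 // flip one ciphertext bit: GCM refuses to decrypt
	_, err := symmetricDecrypt(shared, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	wrapped, sealed, _ := envelopeSeal(&priv.PublicKey, order)
	pt, err = envelopeOpen(priv, wrapped, sealed)
	fmt.Println("envelope round trip ok:", err == nil && string(pt) == string(order))
}
```

The RSA step costs orders of magnitude more CPU than the AES step, which is why only the short key, never the message itself, goes through it; this is also the load the later SET slides worry about.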

3
Digital Certificate
  • Authentication is the digital process of
    verifying that people or entities are whom or
    what they claim to be
  • Digital certificates are, in effect, credentials
    for that process: they bind an identity to a
    public key in a form a relying party can check,
    because the binding is signed by an issuer the
    relying party already trusts

4
Digital Certificate
  • A typical digital certificate is a data file of
    information, digitally signed by its issuer
    (today almost always in the X.509 format, with an
    RSA or ECDSA signature), that can be verified by
    anyone who trusts the issuer and includes
  • The name of the holder and other identification
    information, such as an e-mail address or, for a
    web server, its DNS host name
  • A public key, which can be used to verify the
    digital signature of a message sender previously
    signed with the matching private key, or to
    encrypt data that only the holder of that private
    key can read
  • The name of the issuer, or Certificate Authority
    (CA), and the CA's signature over all the fields
  • The certificate's validity period (not-before and
    not-after dates) and a serial number by which the
    CA can later refer to it, for example to revoke it

5
Digital Certificate
  • To create a digital certificate, the identity of
    the person, device, or entity that requests it
    must first be confirmed. For a certificate issued
    to a person this is typically accomplished
    through a combination of the following
  • Personal presence
  • Identification documents
  • For a web server certificate the CA instead
    checks that the requester controls the host name
    being certified. The certificate is only as
    trustworthy as this step, since the CA's
    signature vouches for whatever identity it
    accepted here

6
Digital Certificate
  • Digital certificates may be distributed online.
    Typical means of distributing certificates
    include
  • Certificate accompanying signature (a signed
    e-mail, or an SSL/TLS server's handshake, carries
    the certificate with it)
  • Directory service (an LDAP or web repository that
    relying parties look up)
  • The decision to revoke a certificate, for
    instance because the holder's private key has
    been compromised, is the responsibility of the
    issuing CA. Relying parties only learn of a
    revocation if they consult the CA's certificate
    revocation list (CRL) or its online status
    service (OCSP), so a check that stops at the
    signature and the validity dates is incomplete

7
Secure Sockets Layer (SSL)
  • SSL was introduced in 1995 by Netscape as a
    component of its popular Navigator browser and as
    a means of providing confidentiality for
    information transmitted between a user's browser
    and the target server, typically that of a
    merchant
  • SSL establishes a secure session between a
    browser and a server. Its standardized successor
    is Transport Layer Security (TLS); SSL 2.0 and
    SSL 3.0 themselves have since been broken and are
    formally prohibited (RFC 6176 and RFC 7568), so a
    secure site today runs TLS 1.2 or TLS 1.3 even
    though "SSL" is still the everyday name

8
Secure Sockets Layer (SSL)
  • A channel is the two-way communication stream
    established between the browser and the server,
    and channel security indicates three basic
    requirements
  • The channel is reliable: data arrives as sent,
    and any modification in transit is detected
  • The channel is private: an eavesdropper learns
    nothing about the content
  • The channel is authenticated: the browser knows
    it is talking to the server named in the URL
  • SSL runs over Transmission Control Protocol
    (TCP), which retransmits lost segments and
    reorders misordered ones, but TCP's checksum only
    catches accidents. Reliability in the security
    sense comes from SSL itself, which attaches a
    message authentication code to every record so
    that deliberately altered data is rejected

9
Secure Sockets Layer (SSL)
  • Encryption of the application data is preceded by
    a handshake, which has two major phases
  • The first phase is used to establish private
    communications: the parties agree on a cipher
    suite, the server presents its certificate, and
    the key-agreement algorithm gives both sides the
    session keys without ever sending them
  • The second phase is used for client
    authentication, in which the server may request
    the browser's certificate; most merchant sites do
    not, and identify the shopper by other means
  • Limits of SSL
  • Successful cryptographic attacks on the
    algorithms or on the protocol itself render SSL
    insecure, and for SSL 2.0 and 3.0 this is no
    longer a slight possibility but the reason they
    were withdrawn in favour of TLS
  • SSL authenticates the server, not the shopper,
    and protects data only while it is in transit:
    the card number arrives at the merchant in the
    clear, which is the gap the payment protocol on
    the following slides tries to close
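An added Go example, not from the deck, covering both the certificate slides (contents, issuer, verification) and the SSL handshake: a hypothetical CA named "Example Shop Root CA" issues a certificate to a hypothetical host "shop.example"; the code reads back the fields the certificate slide lists, runs the browser's chain check against a wrong host name, an expired clock and an untrusted issuer, then completes a TLS 1.3 handshake between an in-process client and server over an in-memory pipe. The names, the P-256 key type and the lifetimes are chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added example, not from the deck: a hypothetical CA issues a certificate to a
// hypothetical merchant host, we verify it as a browser would, then use it for a
// TLS 1.3 handshake over an in-memory pipe (no network involved).

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for tmpl signed by parent;
// a nil parent means self-signed, i.e. the root of our hypothetical CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// buildPKI returns the CA certificate, the server certificate and the server's key.
func buildPKI(now time.Time) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Shop Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	srv, srvKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "shop.example"},
		DNSNames:  []string{"shop.example"}, // browsers match this name, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), // short lifetime
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, srv, srvKey
}

// verifyChain is the browser's check: chain to a trusted root, host name match, time
// inside the validity period. Go does no CRL/OCSP revocation lookup here; add your own.
func verifyChain(srv *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// handshake runs a TLS 1.3 handshake between an in-process client and server and
// returns the negotiated version and the CN of the certificate the client accepted.
func handshake(ca, srv *x509.Certificate, srvKey *ecdsa.PrivateKey) (uint16, string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	server := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srv.Raw, ca.Raw}, PrivateKey: srvKey}},
		MinVersion:             tls.VersionTLS13, // SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated
		SessionTicketsDisabled: true,             // one flight each way over the synchronous pipe
	})
	client := tls.Client(clientConn, &tls.Config{
		RootCAs: roots, ServerName: "shop.example", MinVersion: tls.VersionTLS13,
	})
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return 0, "", err
	}
	if err := <-serverErr; err != nil {
		return 0, "", err
	}
	st := client.ConnectionState()
	return st.Version, st.PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, srv, srvKey := buildPKI(now)
	fmt.Printf("holder %q, issuer %q, valid until %s, key %T\n", srv.Subject.CommonName,
		srv.Issuer.CommonName, srv.NotAfter.Format("2006-01-02"), srv.PublicKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("trusted:", verifyChain(srv, roots, "shop.example", now))
	fmt.Println("expired:", verifyChain(srv, roots, "shop.example", now.Add(91*24*time.Hour)))
	fmt.Println("untrusted issuer:", verifyChain(srv, x509.NewCertPool(), "shop.example", now))
	v, cn, err := handshake(ca, srv, srvKey)
	fmt.Printf("TLS 0x%04x with %q, err %v\n", v, cn, err)
}
```

The client's Handshake performs exactly the verifyChain check internally before it will send any data, which is what makes the channel authenticated; the revocation lookup discussed on the certificate slides is the one step neither this code nor Go's verifier does for you.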

10
Secure Electronic Transaction (SET)
  • On February 1, 1996, MasterCard International and
    Visa International announced the development of a
    single technical standard for safeguarding
    payment card purchases made over open networks
    called Secure Electronic Transaction (SET)
  • SET seeks to bolster confidence in the payment
    process by ensuring that merchants are authorized
    to accept credit card payments, thus reducing
    risks associated with merchant fraud, and by
    ensuring that the purchaser is an authorized user
    of the payment card
  • The SET protocol was created to bolster the
    confidence of the online consumer by closing the
    gaps SSL leaves open: SSL says nothing about who
    the shopper is or whether the merchant may take
    cards, and it hands the card number to the
    merchant in readable form

11
Secure Electronic Transaction (SET)
  • While the goal of SSL is to reduce the likelihood
    of communication interception, the goal of SET is
    to reduce the likelihood of fraud
  • SET provides for the special security needs of
    electronic commerce with the following
  • Privacy of payment data and confidentiality of
    order information: the bank sees the payment
    instructions but not what was bought, the
    merchant sees the order but not the card number,
    and a single "dual signature" by the cardholder
    binds the two halves to each other
  • Authentication of a cardholder for a branded bank
    card account
  • Authentication of the merchant to accept credit
    card payments

12
Secure Electronic Transaction (SET)
  • The purchasing process
  • A merchant applies for, and receives, an account
    and a merchant certificate from its acquiring
    bank, just as it would apply for a normal credit
    card merchant account
  • A consumer makes an application to the issuing
    bank for a digital credit card, which is a
    digital certificate that has been personalized
    for the credit card holder
  • After the consumer receives her digital credit
    card, she adds it to her browser wallet
  • The consumer browses the Web at a particular site

13
Secure Electronic Transaction (SET)
  • The process continued
  • At checkout time, the Web site asks for the
    shopper's credit card
  • Instead of typing in the credit card number, the
    browser wallet is queried by the Web site's SET
    software and, following selection of the
    appropriate credit card and entry of its password
    by the consumer, the bank-issued digital credit
    card is submitted to the merchant
  • The merchant receives the digital credit card in
    a digital envelope: the payment instructions are
    encrypted with a one-time symmetric key, and that
    key is encrypted under the payment gateway's
    public key, so the merchant forwards the envelope
    but cannot open it and never sees the card number

14
Secure Electronic Transaction (SET)
  • The process continued
  • The merchant software then sends the SET
    transaction to a credit card processor (also
    known as a payment gateway application or
    acquirer) for verification
  • The financial institution performs the card
    functions on the transaction: authorization,
    capture and credit (refund), together with the
    reversal of each, for example voiding a capture
  • Following successful processing, the merchant,
    cardholder, and credit card processors are all
    advised electronically that the purchase has been
    approved

15
Secure Electronic Transaction (SET)
  • The process continued
  • Following this notification, the cardholder is
    debited and the merchant is paid through
    subsequent capture transactions
  • The merchant can then ship the merchandise,
    knowing that the customer transaction is approved
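The linkage that lets the bank see only the payment and the merchant see only the order, as an added Go example that is not part of the deck: it implements SET's dual signature over a constructed order (OI) and constructed payment instructions (PI, using the standard Visa test number 4111111111111111). The cardholder key is Ed25519 for brevity where SET used RSA certificates, and the encryption of the PI to the payment gateway (the digital envelope) is left out so that the check itself stands out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added example, not from the deck: SET's dual signature. The cardholder hashes the
// order information (OI) and the payment instructions (PI) separately, signs the
// hash of both digests, and sends each party its own half in clear plus only the
// digest of the other half. Ed25519 stands in for the RSA keys SET used.

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// pomd is the payment-order message digest: H(OIMD || PIMD).
func pomd(oimd, pimd []byte) []byte {
	return digest(append(append([]byte{}, oimd...), pimd...))
}

// dualSign returns OIMD, PIMD and the cardholder's signature over H(OIMD || PIMD).
func dualSign(priv ed25519.PrivateKey, oi, pi []byte) (oimd, pimd, sig []byte) {
	oimd, pimd = digest(oi), digest(pi)
	return oimd, pimd, ed25519.Sign(priv, pomd(oimd, pimd))
}

// merchantVerify sees the order in clear and only the digest of the payment data.
func merchantVerify(pub ed25519.PublicKey, oi, pimd, sig []byte) bool {
	return ed25519.Verify(pub, pomd(digest(oi), pimd), sig)
}

// bankVerify sees the payment data in clear and only the digest of the order.
func bankVerify(pub ed25519.PublicKey, pi, oimd, sig []byte) bool {
	return ed25519.Verify(pub, pomd(oimd, digest(pi)), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data; 4111111111111111 is the standard Visa test number.
	oi := []byte(`{"order":"1042","items":"2 x widget","total":"59.90"}`)
	pi := []byte(`{"pan":"4111111111111111","exp":"12/27","amount":"59.90"}`)

	oimd, pimd, sig := dualSign(priv, oi, pi)
	fmt.Println("merchant accepts order:", merchantVerify(pub, oi, pimd, sig))
	fmt.Println("bank accepts payment:", bankVerify(pub, pi, oimd, sig))

	// A merchant that inflates the total cannot present it as signed by the cardholder.
	inflated := bytes.Replace(oi, []byte("59.90"), []byte("599.00"), 1)
	fmt.Println("merchant accepts inflated order:", merchantVerify(pub, inflated, pimd, sig))

	// The bank can tell if these payment instructions were signed for a different order.
	otherOIMD := digest([]byte(`{"order":"1043"}`))
	fmt.Println("bank accepts payment for another order:", bankVerify(pub, pi, otherOIMD, sig))
}
```

Because one signature covers both digests, neither party can later pair the payment with a different order, yet the merchant learns nothing about the PI beyond its hash and the bank nothing about the OI beyond its hash.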

16
Secure Electronic Transaction (SET)
  • Limitations of SET and SSL
  • A downside of both SSL and SET protocols is that
    they both require the use of public key
    cryptographic algorithms that place significant
    loads on the computer systems involved in the
    commerce transaction
  • For low- and medium-volume e-commerce
    applications, there is no additional server cost
    to support SET over SSL

17
Secure Electronic Transaction (SET)
  • Limitations continued
  • For the large e-commerce server application,
    support of SET requires additional hardware
    acceleration in the medium term, resulting in a 5
    to 6 difference in server cost
  • In the medium term, the payment gateway
    application will also require additional hardware
    acceleration to support SET, resulting in a 5
    increase in server cost

18
Secure Electronic Transaction (SET)
  • Thus, the conclusion is that SET as an emerging
    technology has a definite security component
    that very clearly represents an advance in
    technology over SSL, and that any deficits that
    may be related to performance will quickly be
    rendered minor as hardware-based processing
    technology rapidly advances
  • In the event, the obstacle was not processor time
    but the wallet software and personal certificate
    every shopper had to obtain: SET saw little
    adoption and was withdrawn by the card brands
    within a few years, while SSL/TLS remained the
    protection for the channel itself