Explain in detail the security issues and approaches related to web commerce.
Many of the concerns about electronic commerce developments, particularly over open networks (e.g., the Internet), deal with the risks of possible fraud, security infractions, counterfeiting, and with consumer privacy issues. The issues relate to:

(1) Secure payments via electronic cash (e-cash);
(2) Confidentiality (encryption) and authentication of financial transactions; and
(3) General confidentiality in the transfer of any document.
The good news is that the technology to solve these problems is well developed and well understood. Many financial and technology companies are working to develop encryption software for the Internet.

Encryption refers to the encoding of data so that it can only be decoded by the intended recipient who knows the key (code). Much of the software is based on RSA Data Security's public-key encryption, which uses a matched pair of encryption keys.

Each key performs a one-way transformation of data: what one key encrypts, only the other can decrypt. Encryption frustrates disclosure of information while in transfer. Strong host security for resident files is most critical when one understands how breaches usually occur.
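The matched-pair property just described, as an added example that is not from the original page: a textbook-sized RSA pair in which a block transformed with one key is only reversed by the other, used in both directions (encryption with the public key, signing with the private key). The primes and the sample block 42 are constructed values; the parameters are far too small for real use and no padding is applied.

```python
def keygen(p=61, q=53, e=17):
    """Toy RSA pair: public key (e, n) and private key (d, n). The primes
    are textbook-sized constructed values, far too small for real use."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def transform(block, key):
    """The one-way transformation under a key: block -> block^k mod n.
    Only the matching key of the pair reverses it."""
    k, n = key
    if not 0 <= block < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(block, k, n)

def encrypt(block, public_key):        # sender uses the recipient's public key
    return transform(block, public_key)

def decrypt(block, private_key):       # only the recipient's private key undoes it
    return transform(block, private_key)

def sign(block, private_key):          # the reverse direction yields a signature
    return transform(block, private_key)

def verify(block, signature, public_key):
    return transform(signature, public_key) == block

if __name__ == "__main__":
    pub, priv = keygen()
    c = encrypt(42, pub)                # 42 is a constructed sample block
    print(c, decrypt(c, priv))
    print(verify(42, sign(42, priv), pub))
```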
Secure payments. E-cash can be thought of as the minting of electronic money or tokens. In electronic cash schemes, buyers and sellers trade electronic value tokens which are issued or backed by some third party, be it an established bank or a new (Internet-based) institution.

The effects of a system failure in an electronic cash scheme are much harder to anticipate; system failure could also occur through many means, not the least of which is insufficient funds (or paper money) to back up the new electronic money.
Secure transactions. Agreements on standard Internet payment systems were getting closer at press time. During 1996, IBM/MasterCard and Microsoft/Visa, respectively, agreed on a single industry standard for conducting credit card transactions over the Internet. The agreement was aimed at removing what had been the major obstacle to the emergence of large-scale electronic commerce applications for the Web.

Such agreement resolves a long-standing struggle over standardized security technology. The issue had been which technology to use: Microsoft's Secure Transaction Technology (STT) or IBM's SEPP. The breakthrough came when the four companies agreed to use SET (Secure Electronic Transfer), based on the earlier SEPP work.

SEPP is a protocol originally developed by MasterCard; IBM, Netscape, GTE and CyberCash have also signed on to further develop the protocol specification.
The development of electronic commerce is at a critical juncture at this time for the following reasons:

- Consumer demand for secure access to electronic shopping and other services is high.
- Merchants seek simple, cost-effective methods for conducting electronic transactions.
- Financial institutions look for a level playing field for software suppliers to ensure quality products at competitive prices.
- Payment card brands must be able to differentiate electronic commerce transactions without significant impact on the existing infrastructure.

The solution for achieving secure, cost-effective on-line transactions that will satisfy market demand is the development of a single, open industry specification.
Message transfer confidentiality and authentication. Two different protocols have been developed for enhanced Web security: Secure Hypertext Transfer Protocol (S-HTTP) and the Secure Sockets Layer (SSL).

Besides confidentiality there are also issues of authentication: not only could a buyer masquerade as another buyer (in order to steal the payment instrument), but a fake Web-site merchant could put up a fraudulent storefront to collect payments (and never ship any goods).

Companies such as VeriSign provide an authentication function by acting as a certificate authority. They provide two types of certificates: ID Class 1 and ID Class 2.

S-HTTP is an extension of HTTP that provides a variety of security enhancements for the Web. Message protection is provided in three ways: signature, authentication and encryption.

S-HTTP is flexible in that it allows each application to configure the level of security required. A transmission from client to server or from server to client can be signed, encrypted, both or neither.
A secure HTTP message consists of a request or status line, followed by a series of headers, followed by encapsulated content. Once the content has been decoded, it should be either another S-HTTP message, an HTTP message, or simple data.
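The three-part message shape and the "decode, then classify" rule above, as an added example that is not from the original page: a small parser that splits an S-HTTP message into its first line, headers and encapsulated content, then unwraps layer by layer until it reaches an HTTP message or simple data. Assumptions: the request and status line forms follow RFC 2660 ("Secure * Secure-HTTP/1.4" and "Secure-HTTP/1.4 200 OK"), and base64 Content-Transfer-Encoding stands in for the cryptographic unwrapping, which the page does not detail; the sample request is constructed.

```python
import base64

def parse_message(raw: bytes):
    """Split a message into its first line, a header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body

def is_shttp(first_line):
    # S-HTTP request line "Secure * Secure-HTTP/1.4" or status line "Secure-HTTP/1.4 200 OK"
    return first_line.startswith(("Secure ", "Secure-HTTP/"))

def is_http(first_line):
    # plain HTTP request line ("GET /x HTTP/1.0") or status line ("HTTP/1.0 200 OK")
    return first_line.startswith("HTTP/") or " HTTP/" in first_line

def unwrap(raw: bytes, max_depth: int = 4):
    """Decode the encapsulated content layer by layer until it is an HTTP
    message or simple data; returns ("http", bytes) or ("data", bytes)."""
    first, headers, body = parse_message(raw)
    if not is_shttp(first):
        raise ValueError("not an S-HTTP message: " + first)
    # base64 stands in for the cryptographic unwrapping (assumption)
    if headers.get("content-transfer-encoding", "").lower() == "base64":
        body = base64.b64decode(body)
    inner_first = body.split(b"\r\n", 1)[0].decode(errors="replace")
    if is_shttp(inner_first):                     # another S-HTTP message
        if max_depth == 0:
            raise ValueError("too many nested S-HTTP layers")
        return unwrap(body, max_depth - 1)
    if is_http(inner_first):                      # an HTTP message
        return "http", body
    return "data", body                           # simple data

def wrap(inner: bytes) -> bytes:
    """Build one S-HTTP layer around inner (constructed sample encoder)."""
    return (b"Secure * Secure-HTTP/1.4\r\nContent-Type: message/http\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(inner))

HTTP_REQUEST = b"GET /cart HTTP/1.0\r\nHost: shop.example\r\n\r\n"  # constructed

if __name__ == "__main__":
    print(unwrap(wrap(wrap(HTTP_REQUEST))))   # two layers -> ('http', ...)
```

The depth limit matters in practice: a decoder that recurses on nested layers without a bound can be kept busy indefinitely by a deeply nested message.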
Secure Sockets Layer (SSL) is a transport-layer security technique that can be applied to HTTP as well as to other TCP/IP-based protocols. The SSL protocol is designed to provide privacy between two communicating applications, for example, a client and a server. SSL provides authentication, encryption, and data verification.
The SSL protocol is actually composed of two protocols. Layered on top of some reliable transport protocol is the SSL record protocol. The SSL record protocol is used for encapsulation of all transmitted and received data, including the SSL handshake protocol, which is used to establish security parameters.

The advantage of the SSL protocol is that it is application-protocol-independent. A higher-level application protocol (for example, HTTP, FTP, or Telnet) can run transparently on top of the SSL protocol. The SSL protocol can negotiate an encryption algorithm and session key, as well as authenticate a server, before the application protocol transmits or receives its first byte of data. All of the application protocol data is transmitted encrypted, ensuring privacy.
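The two-layer design just described, as an added toy model that is not from the original page and not the real SSL wire format: the handshake authenticates the server and settles a cipher suite and session key before a single application byte is accepted, and the record layer then encapsulates handshake and application data alike, so HTTP above it needs no changes. The suite names, the certificate dictionary, the trust store and the key derivation are constructed stand-ins; the record layer shown carries an integrity check only and omits the fragment encryption a real implementation applies.

```python
import hashlib, hmac, os, struct

HANDSHAKE, APPLICATION_DATA = 22, 23   # record content types (assumed values)
TRUSTED_CAS = {"Toy Root CA"}          # constructed trust store

def negotiate(client_offer, server_supported):
    """Server takes the first suite in the client's preference order it supports."""
    for suite in client_offer:
        if suite in server_supported:
            return suite
    raise ValueError("no common cipher suite")

def authenticate_server(cert, expected_host):
    """Toy check: the certificate must name the host we meant to reach and
    come from a trusted issuer (signature verification omitted)."""
    return cert["issuer"] in TRUSTED_CAS and cert["subject"] == expected_host

def session_key(premaster, client_nonce, server_nonce):
    """Session key derived from secrets exchanged during the handshake."""
    return hashlib.sha256(premaster + client_nonce + server_nonce).digest()

class RecordLayer:
    """Wraps every fragment, handshake or application data, as
    type | length | payload | MAC; fragment encryption omitted for brevity."""
    def __init__(self, key):
        self.key = key
    def _mac(self, ctype, payload):
        return hmac.new(self.key, bytes([ctype]) + payload, "sha256").digest()
    def encapsulate(self, ctype, payload):
        return struct.pack("!BH", ctype, len(payload)) + payload + self._mac(ctype, payload)
    def decapsulate(self, record):
        ctype, length = struct.unpack("!BH", record[:3])
        payload, tag = record[3:3 + length], record[3 + length:]
        if not hmac.compare_digest(tag, self._mac(ctype, payload)):
            raise ValueError("record integrity check failed")
        return ctype, payload

def handshake(expected_host, cert, client_offer, server_supported):
    """Authenticate the server and agree on suite and key before any
    application byte; returns (suite, record layer keyed for the session)."""
    if not authenticate_server(cert, expected_host):
        raise ValueError("server not authenticated; no application data sent")
    suite = negotiate(client_offer, server_supported)
    key = session_key(os.urandom(16), os.urandom(16), os.urandom(16))
    return suite, RecordLayer(key)
```

A caller obtains the record layer only from a successful handshake, which is what enforces the ordering the text describes: no session, no application data.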
S-HTTP is more flexible than SSL in that an application can configure the level of security it needs.