Date post: | 07-Apr-2018 |
Category: | Documents |
Upload: | shailesh-singh |
8/4/2019 Introduction of e Com2
http://slidepdf.com/reader/full/introduction-of-e-com2 1/58
Term paper of E COMMERCE
ON
SUBMITTED TO: MR. AMANDEEP
Submitted by:
Kewal krishan kapoor
ROLL No. 47
CLASS: MCA(204)
CERTIFICATE
This is to certify that the project report entitled "SECURITY AND
PROTECTION OF E COMMERCE" submitted by Mr. KEWAL
KRISHAN KAPOOR Roll No: D3804B47 is a bona fide piece of work
conducted under my guidance. No part of this work has been submitted for
any other degree of any other university. The data sources have been
acknowledged. It may be considered for evaluation in partial fulfillment of
the requirement for the Master of Computer Applications Semester II.
MR. AMANDEEP
Lecturer,
LOVELY SCHOOL OF ENGINEERING
Chiheru
Letter of Authentication
We hereby declare that the work presented by us in the project
entitled "SECURITY AND PROTECTION OF ECOMMERCE", in
fulfillment of the award of the master's degree in MASTER OF
COMPUTER APPLICATION, submitted to the department of computer
science and application, LOVELY PROFESSIONAL UNIVERSITY,
PHAGWARA, is an authentic record of our work carried out by us in the
degree of MCA.
KEWAL KRISHAN KAPOOR
Roll No: D3804B47
ACKNOWLEDGEMENT
“Thanks to the almighty for showering his blessings”
Nothing concrete can be achieved without a combination of inspiration
and perspiration. Although writing a few words on a piece of paper is not a
proper way of acknowledging those people who have helped us in the
completion of this project, yet the words coming from our heart and soul
need no mode of communication.
We take the opportunity to present a vote of thanks to all those
guideposts who really acted as lighting pillars to enlighten our way
throughout this project that has led to the completion of this study.
We find it a matter of honor in showering our gratitude, indebtedness
and thankfulness to our guide, respected MR. AMANDEEP, for her
utmost interest and kind and invaluable guidance, and for supporting us
during the project, gently coaxing us, giving us a vital push and instilling
a sense of urgency, which led to the successful completion of this project.
KEWAL KRISHAN KAPOOR
Contents:
I. FEASIBILITY STUDY
II. Introduction
III. Definition of e-Commerce
IV. Why This Study? Why Now?
V. Purpose of the Study
VI. e-Commerce Activities
VII. Perception of Risks
VIII. Policy and Satisfaction with Security
IX. Protecting e-Commerce
X. The "Problem" of Security
XI. SECURITY AND PROTECTION
1. E-Commerce Participants
2. Internet Security Your Business & You
3. Logical Security – Threats
4. E-Commerce Security Threats
5. E-Commerce risks
6. Why is the Internet insecure?
7. E-Commerce Security
XII. Cryptomathic Offerings
1. Public key encryption
2. Digital Signatures and Certificates
XIII. TIPS FOR PROTECTION FROM E-COMMERCE HACKERS
XIV. Ecommerce Security Issues
1. Customer Security: Basic Principles
2. Secure Socket Layers
3. PCI, SET, Firewalls and Kerberos
4. Transactions
5. Practical Consequences
XV. Security Cameras Provide Safety
XVI. Encryption and Strong Authentication for Electronic Commerce
XVII. Conclusions
XVIII. SYSTEM REQUIREMENTS
XIX. REFERENCE
FEASIBILITY STUDY
Feasibility study is the determination of whether the
problem defined in initial investigation is worth solving or not, whether the
resources required for implementation of system are available or can be
acquired or not, whether the system will be used by the user if developed.
The main aim is to study whether the project to be undertaken is technically,
economically, and socially feasible.
Feasibility study can be of following types:
Technical Feasibility
Economical Feasibility
Operational Feasibility
Technical Feasibility
The major concern of technical feasibility is whether reliable hardware
and software, capable of meeting the needs of the proposed system, can be
acquired or developed by the organization in the required time.
Technical feasibility includes questions like
Does the necessary technology exist to do what is suggested and can
it be acquired?
Does the proposed equipment have the technical capacity to hold the
data required to use the new system?
Will the proposed system provide adequate responses to inquiries,
regardless of the number of locations and users?
Can the system be expanded?
Are there technical guarantees of accuracy, reliability, ease of access
and data security?
Hardware Requirements
In our case we require a PIII computer system to run our
application properly and which is easily available.
Software Requirements
The software requirements include VISUAL BASIC and MS-
ACCESS
In other words, we can say this project can't be more expensive than its
returns.
Operational Feasibility
The proposed system is operationally feasible also. The
operations used in the proposed system are very much simple. The existing
staff members need only a week's training to cope with the proposed
system as the buttons used in the system have user-friendly names.
Introduction
E-Commerce over the Internet is changing the way organizations conduct
business with each other and their customers. The reasons are simple and
compelling - speed, cost reduction, efficiency, access to new markets and
convenience. The World Wide Web is becoming the global infrastructure
for many business interactions. As e-Commerce becomes business in its
entirety, then e-Commerce controls and business controls and information
systems controls will all converge. Many of the world's most influential
organizations are transforming their businesses through the development
and use of information and communication technologies that electronically
integrate internal and external business processes. The research should
provide solutions for the full spectrum of control objectives - such as
availability, usefulness, integrity, authenticity, traceability/auditability
(including non-repudiation) and confidentiality - posed by the transition to
doing commerce on the Internet. The solutions proposed as a part of this
research study include security technologies such as encryption, digital
signatures, certificates, firewalls, digital time stamps, intrusion detection
mechanisms, token-based authentication and single sign-on.
Central to the project is a seeming contradiction: security functions are
seen as an enabler of e-Commerce in organizations where they are present
and an inhibitor in organizations where they are not. It remains to be seen
whether management's concerns are justified and whether the security
controls in place successfully address those concerns.
Definition of e-Commerce
ISACA defines e-Commerce as the processes by which organizations
conduct business electronically with their customers, suppliers and other
external business partners, using the Internet as an enabling technology. It
therefore encompasses both business-to business and business-to-consumer
e-Commerce models, but does not include existing non-Internet e-
Commerce methods based on private networks, such as EDI and SWIFT.
The term e-Business is also used to describe Internet based commercial
activities. Distinguishing the two terms is difficult. Some take e-Business
to be more inclusive, denoting the Internet and the World Wide Web as
connected to existing enterprise information technology and business
competencies. E-Business is seen as enhancing brand value,
communication and service by leveraging information; improving
efficiency by automating business processes; reducing costs and cycle
time; and increasing revenue from new markets and new electronic
channels. However, in this study, no distinction is made between e-
Business and e-Commerce. Since e-Commerce is the older and more
internationally used term, it has been used throughout this study.
The way in which e-Commerce is defined sets the agenda for the security
and controls required. For instance, in the ISACA definition the emphasis
is on the Internet as a medium for business, but it is not the central theme.
Not all Internet usage is e-Commerce; not all electronic business is e-
Commerce, either. Therefore, the application of security should be focused
on both technology and business controls. Some executives interviewed for
this study hold more (or less) inclusive views of e-Commerce and thus
their views of security differ as well.
Why This Study? Why Now?
ISACA is a global enterprise. Around the world, organizations are
transforming the way they do business, with the Internet providing
everything from showrooms to banking conduits. Since ISACA's charter
embraces both business controls and technology, it is appropriate that e-
Commerce security be a subject for investigation on a global basis. There
has been no lack of e-Commerce surveys, but it is difficult to find one that
speaks to the particular concerns of ISACA's membership. Security has
been described as the major inhibitor to adoption of e-Commerce, and yet
the companies that have demonstrated success in using the Internet for
their businesses have built sophisticated security functions for processing.
It is part of the mission of ISACA to provide the link between the control
concerns of management and the implementation of controls in
information systems. To achieve this mission, ISACA's members need to
understand the underlying technology of e-Commerce - both the
telecommunications infrastructure and the security within the applications
and the environment.
Purpose of the Study
Management is placing great emphasis on the quality of information
security tools to provide the foundation to safely build e-Commerce. In
the approximately five years during which e-Commerce has been building
up to its current state, the security and controls to be applied to e-
Commerce have not so much been introduced as re-introduced. Older
forms of security and control have been adapted to this new environment.
For example, the essential control to protect both integrity and
confidentiality (though not other attributes of security) is encryption, the
process of transforming messages into indecipherable strings of bits.
Encryption was not invented to solve e-Commerce problems, rather, e-
Commerce has validated encryption as the security tool of choice.
The accompanying chart shows the flow of activity in a typical e-
Commerce environment. In general, security is provided by various
implementations of cryptography, including encryption, digital signatures
and notarization, secure protocols, certificates, and a foundation for all the
above, generally referred to as Public Key Infrastructure (PKI).
In many ways, the purpose of this research is to provide ISACA members -
and other stakeholders - with an understanding of management's concerns,
and in return, to educate management on the effectiveness of the available
controls. Recognizing that the impact of e-Commerce is only just
beginning, it is time to assess e-Commerce security as a predictor of the
future and as a guide to ensure that the future is a safe one.
Today, e-Commerce is viewed by some as a novel and innovative way of
doing business. The Internet and the World Wide Web have caused many
to rethink the flow of their operations and finances. In the next century
there will be no real distinction between e-Commerce and commerce in
general. The technology of the Internet will be so integrated with overall
business practices that it will appear seamless.
Achieving this state requires security solutions which are in tune with the
needs of business. While no one can predict what paths information
technology will take, the solutions must take into account the trends in
technological development that point the way to the future.
Many of the world's most influential organizations are transforming their
businesses through the development and use of information and
communication technologies that electronically integrate internal and
external business processes. But are they managing the risks? ISACA has
sponsored a worldwide research project in an attempt to find this out. To
be meaningful, the research for this project needed to be based on the
actual experiences of major companies around the world that are doing
business on the Internet. The process of evaluating the status and role of
security as it relates to e-Commerce within organizations involved two
separate tasks - a survey and executive interviews. The population of
respondents was composed of IT and audit professionals from 46 countries
throughout the Americas, Asia/Pacific, Europe, the Middle East and
Africa. The largest populations of respondents from these regions were
from the United States, Japan, the United Kingdom and South Africa,
respectively. The demographics of the companies surveyed provided a
means for analyzing the responses allowing them to be grouped by size,
region and industry.
e-Commerce Activities
The activities of the organizations surveyed are almost evenly split among
business-to-business, business-to-consumer and other business related
activities. These activities have been defined in the following categories:
Business-to-Business
– Customer self-service (informational)
– Customer self-service (transactional)
– Interactive customer service (e.g., e-mail)
– Direct purchasing
– Direct selling
– Customer billing
– Customer reporting
Business-to-Consumer
– Customer self-service (informational)
– Customer self-service (transactional)
– Interactive customer service (e.g., e-mail)
– Direct selling
– Customer reporting
Other
– Marketing or advertising
– Research
– Financial or regulatory reporting
– Interaction with geographically dispersed employees and sales agents
– Recruiting
Respondents cited a wide number of reasons for entering into e-
Commerce. In general, the major focus was on cost-cutting opportunities,
new or revised ways of doing business and improving timeliness and
efficiency. However, in numerous interviews in companies around the
world, executives expressed the idea that real success in e-Commerce will
come to those who develop ways of improving revenue and profits.
Perception of Risks
Our research shows a consistent assessment that e-Commerce security
presents low risk. Given that most of the respondents have audit,
information technology and security-related titles, it is not surprising that
they believe they have a greater understanding of the variety of risks than
their top management. The results reveal that access by unauthorized users
is the area of risk that approaches the level of "significant" and is perceived
to present the greatest overall security risk to e-Commerce. With regard to
the risk of the non-availability, denial of service attacks and the destruction
of web sites, they are perceived to present the highest level of exposure,
albeit low risk overall. The primary concern associated with confidentiality
risks is the disclosure of customer information and is considered more of a
concern than the disclosure of an organization's own information.
Policy and Satisfaction with Security
Policy is how management expresses its intentions for security and control,
provides guidance for those responsible for implementation and execution
of business processes and systems and sets the boundaries of acceptable
behavior in an organization. There is almost an even split between
companies that have and have not developed e-Commerce security
policies. When those that have partially developed such policies are
included, it can be concluded that the majority of organizations have
formal policies in this area.
The existence of an articulated policy in an organization correlates with the
organization's satisfaction with their security control objectives. Eighty-
one percent of the respondents stated they are satisfied that they met all
their control objectives with regards to confidentiality, integrity,
availability, accuracy, and auditability. In fact, those companies that have
partial security policies are almost as likely (77%) to be satisfied with their
control objectives as those with full policies implemented. The most
surprising finding from our research is that 69% of companies with no
security policies are also satisfied with the achievement of their control
objectives.
There is a high level of satisfaction among the respondents that the state of their e-Commerce security is rather good. Regardless of the reasons and
motivations an organization may have for engaging in e-Commerce, the
respondents are aware of the security implications of their involvement in
e-Commerce. They are aware of the controls required to secure themselves
from the threats of "opening a door" to the organization and they believe
that the controls they have implemented are mitigating the risks.
Protecting e-Commerce
Broadly speaking, the security impact of e-Commerce can be placed into
two categories:
Improper or unauthorized use of the organization's e-Commerce
offering (i.e., web site)
Using connectivity to the Internet as the path to the organization's
internal, private systems for unauthorized access
A greater percentage of those interviewed felt that private networks were at
least somewhat protected. This is based on confidence in the access control
mechanisms used to keep the public network (the Internet) separate from
the private network.
The most widely adopted encryption method for e-Commerce is Secure
Sockets Layer, or SSL. SSL is a protocol intended for secure
communication across an arbitrary network between a client and a server.
It enables the customer (client) to be certain of the vendor (server) but not
vice versa. For that reason, the use of SSL is often supplemented by
passwords for user authentication.
Since the advent of online computer systems, there has been a need to
identify users of those systems to validate that they are authorized for each
system and to associate them with the files and functions for which they
are authorized. Historically, the most widely used method of authenticating
users has been to issue them a user Id and a password which was to be kept
secret in order to ensure the legitimacy of the sign-on. In e-Commerce
systems, the use of shared secrets - passwords - is still the most prevalent
form of authenticity checking. Further analysis has shown that primary
reliance on passwords is the norm in all regions and among all industries,
in roughly the same proportions.
The "Problem" of Security
Nearly half of all respondents to the survey gave their views on the key
problems of e-Commerce. They overwhelmingly cited security as the most
important problem. This apparently contradicts their overall satisfaction
with the achievement of their control objectives. However, this finding
may also be interpreted as recognition that security is a concern to be
continually dealt with. While they are content with their present security,
they may recognize that the safeguards that are appropriate for today may
be insufficient for the future.
At the foundation of every electronic commerce transaction is trust
between the buyer and seller. The VeriSign Secured® Seal is one of the
most recognized trust marks on the Internet. The VeriSign® Layered
Security Solution not only builds confidence in your brand with online
customers, our comprehensive approach to securing networks and Web
sites helps you comply with security regulations and manage risk.
Challenge: Gaining Consumer Trust in Online Transactions
Nothing should stand between your customer and the decision to buy. Yet
concerns about fraud and identity theft continue to erode confidence in e-
commerce, causing customers to abandon online transactions. Web site
visitors want to see that their transactions will be protected and confirm the
identity of the Web site owner. Online merchants need better protection
against fraud and malicious attacks.
Solution: Layered Security
Gaining customer confidence and protecting transactional data requires a
layered approach to security at all points vulnerable to attack. The
application of security technologies and services across business assets
provides comprehensive protection for the consumer, brand, Web site, and
network.
How VeriSign Helps
VeriSign security experts help balance risk, cost and user experience to
apply the most effective security approach to your unique business. Over
one million Web servers worldwide, including over 95% of the Fortune
500 and the world’s 40 largest banks are secured with SSL Certificates
sold by VeriSign*.
*Includes VeriSign subsidiaries, affiliates, and resellers.
Asset Layer Protected and How VeriSign Helps

Customer Protection
Easy-to-use authentication and transparent fraud detection from a trusted
provider protects online transactions without slowing transactions.
How VeriSign helps: VeriSign® Identity Protection

Web Site Security
Give your customers the confidence to transact online by displaying the
green address bar in the latest high-security browser with Extended
Validation SSL on your Web site.
How VeriSign helps: SSL Certificates; Secure Site Pro with EV SSL
Certificates

Network Security
Authentication solutions for the enterprise, Web applications, and e-mail
combined with comprehensive network protection help reduce risk while
meeting compliance requirements.
How VeriSign helps: Managed Security Services; Unified Authentication;
Managed PKI Services

Expert Assistance and Intelligence
Security consulting and advanced intelligence reporting help you assess,
analyze and update a layered approach to secure business assets.
How VeriSign helps: Global Consulting Services; VeriSign® iDefense
Security Intelligence Services

Supply Chain Visibility
Large retailers and suppliers need to open their networks to partners,
affiliates, and customers to enhance services and speed operations while
keeping confidential data secure.
How VeriSign helps: RFID Consulting; VeriSign® Identity Protection
SECURITY AND PROTECTION
Overview
Electronic Commerce
Underlying Technologies
– Cryptography
– Network Security Protocols
Electronic Payment Systems
– Credit card-based methods
– Electronic Cheques
– Anonymous payment
– Micropayments
SmartCards
Commerce
Commerce: Exchange of Goods / Services
Contracting parties: Buyer and Seller
Fundamental principles: Trust and Security
Intermediaries:
• Direct (Distributors, Retailers)
• Indirect (Banks, Regulators)
Money is a medium to facilitate transactions
Attributes of money:
– Acceptability, Portability, Divisibility
– Security, Anonymity
– Durability, Interoperability
E-Commerce
Automation of commercial transactions using computer and
communication technologies
Facilitated by Internet and WWW
Business-to-Business: EDI
Business-to-Consumer: WWW retailing
Some features:
– Easy, global access, 24 hour availability
– Customized products and services
– Back Office integration
– Additional revenue stream
E-Commerce Steps
Attract prospects to your site
– Positive online experience
– Value over traditional retail
Convert prospect to customer
– Provide customized services
– Online ordering, billing and payment
Keep them coming back
– Online customer service
– Offer more products and conveniences
Maximize revenue per sale
E-Commerce Participants
Internet Security:
Your Business & You
Physical Security - the protection of tangible assets from
unauthorized access, alteration or destruction.
Logical Security - the protection of assets using non-physical
mechanisms; passwords, anti-virus software, encryption.
Logical Security – Threats
Theft or Fraud
Data contamination or alteration
Denial-of-Service attack
Privacy Threats
Intellectual Property Threats
E-Commerce Security Threats
Access Control
Audit
Authentication
Data Integrity
Secrecy
Nonrepudiation
E-Commerce risks
Customer's risks
– Stolen credentials or password
– Dishonest merchant
– Disputes over transaction
– Inappropriate use of transaction details
Merchant’s risk
– Forged or copied instruments
– Disputed charges
– Insufficient funds in customer’s account
– Unauthorized redistribution of purchased items
Main issue: Secure payment scheme
Why is the Internet insecure?
E-Commerce Security
Authorization, Access Control:
– protect intranet from hordes: Firewalls
Confidentiality, Data Integrity:
– protect contents against snoopers: Encryption
Authentication:
– both parties prove identity before starting transaction: Digital
certificates
Non-repudiation:
– proof that the document originated by you & you only: Digital
signature
Authentication & Signing
The internet provides a very efficient and convenient way of
enabling services and creating transactions. Authentication &
Signing is vital in building the secure infrastructure required to
minimise fraud and meet security compliance.
Authentication
Authentication is a key component in ensuring that systems, users
and data are reliable and trustworthy. Authenticating users to systems
is a particularly important task in a world demanding increased
security as more and more business is done electronically.
Signing
Authentication on its own can provide limited security. Digital
signatures, ensuring authenticity and non-repudiation, play a crucial
role in securing electronic transactions regardless of industries, e.g.
government, banking, transportation, media, telecom etc.
Our comprehensive solutions are token vendor independent,
modular, innovative and scalable.
Cryptomathic Offerings
- Cryptomathic Authenticator (2FA server)
- Cryptomathic Token Manager
- Cryptomathic Signer (central signature server)
- Professional Services, e.g. design
Cryptomathic solutions comply and support open
standards, including OATH, CAP and X.509, etc.
Sender and receiver agree on a key K
- No one else knows K
- K is used to derive encryption key EK & decryption key DK
- Sender computes and sends EK (Message)
- Receiver computes DK ( EK (Message))
- Example: DES: Data Encryption Standard
Public key encryption
· Separate public key pk and private key sk
· Private key is kept secret by receiver
· Dsk( Epk(mesg)) = mesg and vice versa
Knowing Ke gives no clue about Kd
Digital Signatures
The private key signs (creates signatures), and the public key verifies
signatures
Only the owner can create the digital signature, hence it can be used to
verify who created a message
Generally don't sign the whole message (doubling the size of information
exchanged), but just a digest or hash of the message
A hash function takes the message, and produces a fixed size (typically
64 to 512 bits) value dependent on the message
It must be hard to create another message with the same hash value
(otherwise some forgeries are possible)
Developing good hash functions is another non-trivial problem
Sign: sign(sk,m) = Dsk (m)
Verify: Epk (sign(sk,m)) = m
Sign on small hash function to reduce cost
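Signed and secret messages
[Figure: the sender computes sign(sk1, m) and then Encrypt(pk2), so that
Epk2( Dsk1(m)) is transmitted; the receiver applies Decrypt(sk2) and then
Verify-sign / Encrypt(pk1) to obtain m. Keys shown: pk1, pk2.]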
First sign, then encrypt: order is important.
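The hash-then-sign rule and the sign-then-encrypt order described above, written out as an added example that is not part of the original term paper. It uses textbook (unpadded) RSA with constructed toy keys built from known Mersenne primes, so it shows the data flow only and is not a usable cryptosystem; all function names are hypothetical. It goes slightly beyond the slide by sending the message next to a signature over its hash, so the receiver has something to check.

```python
import hashlib

E = 65537  # public exponent used for both toy keys


def make_keypair(p, q):
    """Textbook RSA key pair; each key is (exponent, modulus)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)


# Constructed toy keys from known Mersenne primes (illustration only: real
# keys use random secret primes and a padding scheme such as OAEP / PSS).
PK1, SK1 = make_keypair(2**521 - 1, 2**607 - 1)      # sender:   pk1, sk1
PK2, SK2 = make_keypair(2**1279 - 1, 2**2203 - 1)    # receiver: pk2, sk2


def apply_key(key, value):
    """E_pk(x) or D_sk(x): the same modular exponentiation, different key."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exponent, modulus)


def digest(message):
    """Fixed-size hash of the message (SHA-256), as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(sk, message):
    """sign(sk, m) = D_sk(H(m)): sign the small hash, not the whole message."""
    return apply_key(sk, digest(message))


def verify(pk, message, signature):
    """Accept only if E_pk(signature) equals the hash of the message."""
    if not 0 <= signature < pk[1]:
        return False
    return apply_key(pk, signature) == digest(message)


def sign_then_encrypt(sender_sk, receiver_pk, message):
    """First sign with sk1, then encrypt message and signature under pk2."""
    signature = sign(sender_sk, message)
    m = int.from_bytes(message, "big")  # leading NUL bytes are not preserved
    return apply_key(receiver_pk, m), apply_key(receiver_pk, signature)


def decrypt_then_verify(receiver_sk, sender_pk, sealed):
    """Decrypt with sk2, then check the signature with pk1."""
    c_msg, c_sig = sealed
    m = apply_key(receiver_sk, c_msg)
    signature = apply_key(receiver_sk, c_sig)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if not verify(sender_pk, message, signature):
        raise ValueError("signature check failed: message rejected")
    return message


if __name__ == "__main__":
    order = b"PAY 250.00 TO MERCHANT 42 ORDER 1001"   # constructed sample
    sig = sign(SK1, order)
    print("genuine order verifies:", verify(PK1, order, sig))
    print("altered order verifies:",
          verify(PK1, b"PAY 950.00 TO MERCHANT 42 ORDER 1001", sig))
    sealed = sign_then_encrypt(SK1, PK2, order)
    print("receiver recovers:", decrypt_then_verify(SK2, PK1, sealed))
```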
Certification authority
Digital Signatures and Certificates
Digital signatures meet the need for authentication and integrity. To vastly
simplify matters (as throughout this page), a plain text message is run
through a hash function and so given a value: the message digest. This
digest, the hash function and the plain text encrypted with the recipient's
public key is sent to the recipient. The recipient decodes the message with
their private key, and runs the message through the supplied hash function
to check that the message digest value remains unchanged (message has not been
tampered with). Very often, the message is also timestamped by a third
party agency, which provides non-repudiation.
What about authentication? How does a customer know that the website
receiving sensitive information is not set up by some other party posing as
the e-merchant? They check the digital certificate. This is a digital
document issued by the CA (certification authority: Verisign, Thawte, etc.)
that uniquely identifies the merchant. Digital certificates are sold for
emails, e-merchants and web-servers.
Digital certificates
Register public key
Download public key
How to establish authenticity of public key?
TIPS FOR PROTECTION FROM E-COMMERCE
HACKERS
The American Institute of Certified Public Accountants (AICPA) is
offering several tips to e-commerce sites to help protect them and their
customers against disruptive actions.
"With the advent of e-commerce comes the vulnerability of Web sites
to attacks from hackers, among other cyber-crimes," says Anthony
Pugliese, Director of Assurance Services of the AICPA. "Many online
businesses are searching for tools with which they can protect their sites
and provide assurance to their customers that their information is kept
private and their transactions are protected."
The AICPA offers these tips to e-commerce businesses:
1. Conduct a risk assessment of your Internet business: A risk
assessment should be carried out prior to implementing specific
technical controls, allowing you to identify possible security
vulnerabilities and decide what enhancements are necessary. The
greatest threat will come from the weakest links in your defenses, so
the risks you face will change as you develop your security solutions.
2. Develop security standards: Criminal hackers exist inside and
outside an organization, and experts recommend that online
businesses must protect against both threats. A security policy based
on technical standards and procedures must underpin any technical
solutions. The company security policy must be clearly
communicated to employees so that they are aware of their
responsibilities, the penalties for misuse and what to do in the event
of a suspected security breach.
3. Test your defenses: Check your physical security systems to prevent
an attack by an outsider who may have very little knowledge about
your company but is capable of using either information or a physical
product that can be used to hack into your system. Test remote access
to systems using specialist tools to attempt access to resources
through e-mail, the Internet and telephone systems. Also test for
unauthorized attacks by employees. Conduct an entire system audit,
testing the security -- especially firewalls -- to identify loopholes.
4. Develop procedures for prevention and use independent third-
parties to test them: Prevention of fraud depends on having robust
procedures, strict controls and strong audit capabilities. Work with
independent third-parties, such as CAs or CPAs, to test and verify the
security and safety of your site. A licensed CA who offers WebTrust
will examine the site's firewalls, security systems, and risk analysis
tools to provide recommendations for improved protection. Stronger
prevention and thorough examination will help e-commerce sites
lower the risk of security breaches.
5. Limit the number of individuals who may access controls to your
e-commerce business: Access to controls should be implemented
according to the basic rule that access is only provided to the
minimum number of people for the minimum possible number of
systems and for the minimum amount of time required to do the job.
Use authentication methods such as passwords, smart cards, PIN
numbers or fingerprint scans to access your systems. Utilize digital
certificates to verify electronic identities. Use encryption to render
data unintelligible to unauthorized users who do not have access to
the decryption key. Utilize anti-virus software and keep it up-to-date.
Software should be installed on individual client machines, servers or
firewalls.
6. Utilize Firewalls: Firewalls intelligently isolate one network from
another by passing messages through a control point at which the
system can check whether their transmission conforms to the site's
security policy. Firewalls can be implemented in various ways, the
most typical involving a combination of devices, including routers
and servers running appropriate software.
7. Utilize surveillance tools: Surveillance tools allow you to monitor
employees to quickly identify if they are abusing legitimate access to
the system. Products in this category normally act by "sniffing" the
network cable and logging actions, raising alerts if certain criteria are
matched. The detailed logs produced by such tools can be used as
documentary evidence in legal proceedings.
Security tools: Security management tools can help administrators
to enforce security policies consistently across the various technical
environments within a site and simplify or even automate the process
of managing user privileges.
E-mail security tools: E-mail security tools allow e-mail to be
intercepted and scanned automatically to determine if it presents a
security risk. This type of tool can review content, access
authorizations and sensitivity of information.
8. Monitor your networks for unusual activity: If you discover
unusual activity, monitor important systems using intrusion detection
software or services. This can help mitigate the attack by discovering
actions that can be taken (e.g. installing security patches, expanding
RAM to maintain performance during Denial-Of-Service attacks). It
can also help detect signs that this attack is more than a nuisance e.g.,
it can determine that a Denial-Of-Service attack is being waged as a
diversion intended to distract your attention from an actual takeover
of your systems. If other organizations are under particular attack,
check your systems for similar signs of attack as well.
9. Contact your Internet Service Provider: Contact your ISP (if your
site uses one) to determine the level of protection it already has in
place. In addition, it is possible that the ISP can take action to block
the attacks before they reach your computer systems.
10. Report computer violations to the proper law enforcement
authorities: Contact law enforcement authorities to inform them of
the incident. You may not be the only organization under attack, and
the authorities may be able to provide technical assistance or contacts
to help your response efforts. You can help the law enforcement
efforts by collecting system log information from target systems.
These logs may be important evidence that law enforcement needs to
take action. It is critical that this information be collected and
protected before it is accidentally or deliberately erased.
In cooperation with the Canadian Institute of Chartered Accountants,
the AICPA has developed WebTrust, a service by which CAs, CPAs and
their international counterparts examine online businesses to determine if
they are legitimate, their transactions are secure, the information they
collect from customers is kept private, their business practices are fully
disclosed to customers, and they have a mechanism to resolve customer
complaints.
WebTrust is now being offered in the United States, Canada, Puerto
Rico, England, France, Ireland, Scotland, Wales, Australia and New
Zealand. Negotiations with other European and Asian countries are
currently underway.
Ecommerce Security Issues
Keeping your site and customer data safe.
Customer Security: Basic Principles
Most ecommerce merchants leave the mechanics to their hosting company
or IT staff, but it helps to understand the basic principles. Any system has
to meet four requirements:
privacy: information must be kept from unauthorized parties.
integrity: message must not be altered or tampered with.
authentication: sender and recipient must prove their identities to
each other.
non-repudiation: proof is needed that the message was indeed
received.
Privacy is handled by encryption. In PKI (public key infrastructure) a
message is encrypted by a public key, and decrypted by a private key. The
public key is widely distributed, but only the recipient has the private key.
For authentication (proving the identity of the sender, since only the sender
has the particular key) the encrypted message is encrypted again, but this
time with a private key. Such procedures form the basis of RSA (used by
banks and governments) and PGP (Pretty Good Privacy, used to encrypt
emails).
Unfortunately, PKI is not an efficient way of sending large amounts of
information, and is often used only as a first step — to allow two parties to
agree upon a key for symmetric secret key encryption. Here sender and
recipient use keys that are generated for the particular message by a third
body: a key distribution center. The keys are not identical, but each is
shared with the key distribution center, which allows the message to be
read. Then the symmetric keys are encrypted in the RSA manner, and rules
set under various protocols. Naturally, the private keys have to be kept
secret, and most security lapses indeed arise here.
Secure Socket Layers
Information sent over the Internet commonly uses the set of rules called
TCP/IP (Transmission Control Protocol / Internet Protocol). The
information is broken into packets, numbered sequentially, and an error
control attached. Individual packets are sent by different routes. TCP/IP
reassembles them in order and resubmits any packet showing errors. SSL
uses PKI and digital certificates to ensure privacy and authentication. The
procedure is something like this: the client sends a message to the server,
which replies with a digital certificate. Using PKI, server and client
negotiate to create session keys, which are symmetrical secret keys
specially created for that particular transmission. Once the session keys are
agreed, communication continues with these session keys and the digital
certificates.
PCI, SET, Firewalls and Kerberos
Credit card details can be safely sent with SSL, but once stored on the
server they are vulnerable to outsiders hacking into the server and
accompanying network. A PCI (peripheral component interconnect:
hardware) card is often added for protection, therefore, or another
approach altogether is adopted: SET (Secure Electronic Transaction).
Developed by Visa and Mastercard, SET uses PKI for privacy, and digital
certificates to authenticate the three parties: merchant, customer and bank.
More importantly, sensitive information is not seen by the merchant, and is
not kept on the merchant's server.
Firewalls (software or hardware) protect a server, a network and an
individual PC from attack by viruses and hackers. Equally important is
protection from malice or carelessness within the system, and many
companies use the Kerberos protocol, which uses symmetric secret key
cryptography to restrict access to authorized employees.
Transactions
Sensitive information has to be protected through at least three
transactions:
credit card details supplied by the customer, either to the merchant or
payment gateway. Handled by the server's SSL and the
merchant/server's digital certificates.
credit card details passed to the bank for processing. Handled by the
complex security measures of the payment gateway.
order and customer details supplied to the merchant, either directly or
from the payment gateway/credit card processing company. Handled
by SSL, server security, digital certificates (and payment gateway
sometimes).
Practical Consequences
1. The merchant is always responsible for security of the Internet-
connected PC where customer details are handled. Virus protection and a
firewall are the minimum requirement. To be absolutely safe, store
sensitive information and customer details on zip-disks, a physically
separate PC or with a commercial file storage service. Always keep
multiple back-ups of essential information, and ensure they are stored
safely off-site.
2. Where customers order by email, information should be encrypted with
PGP or similar software. Or payment should be made by specially
encrypted checks and ordering software.
3. Where credit cards are taken online and processed later, it's the
merchant's responsibility to check the security of the hosting company's
webserver. Use a reputable company and demand detailed replies to your
queries.
4. Where credit cards are taken online and processed in real time, four
situations arise:
(I) You use a service bureau. Sensitive information is handled
entirely by the service bureau, which is responsible for its security.
Other customer and order details are your responsibility as in 3.
above.
(II) You possess an ecommerce merchant account but use the
digital certificate supplied by the hosting company. A cheap option
acceptable for smallish transactions with SMEs. Check out the
hosting company, and the terms and conditions applying to the
digital certificate.
(III) You possess an ecommerce merchant account and obtain your
own digital certificate (costing some hundreds of dollars). Check out
the hosting company, and enter into a dialogue with the certification
authority: they will certainly probe your credentials.
(IV) You possess a merchant account, and run the business from
your own server. You need trained IT staff to maintain all aspects of
security — firewalls, Kerberos, SSL, and a digital certificate for the
server (costing thousands or tens of thousands of dollars).
Security is a vexing, costly and complicated business, but a single lapse
can be expensive in lost funds, records and reputation. Don't wait for
disaster to strike, but stay proactive, employing a security expert where
necessary.
Security Cameras Provide Safety
Many home owners who want the idea of feeling safer have security
cameras installed over their garages aimed at the driveway or street,
possibly another one over their door entrance, or at the back door entrance
of the home. Often times these security cameras are basic, and some
simply record surveillance, while others show real time viewing. The idea
of having these cameras allows the home owner to feel at peace knowing
the camera is installed.
If an intruder sees the security camera he or she will do everything possible
to avoid it, and in essence feel as though there are other additional security
measures taken on the house, such as door alarms or window alarms. In
this case an intruder would initially leave the premises trying to avoid
being seen or recorded.
Another good reason why a home owner would have cameras installed
might be if they travel a lot, it will video tape the surroundings while they
are away and if any type of vandalism or break in does occur, the
appropriate measures can be taken.
Many apartment complexes have security cameras at the entrance for
safety reasons. Each time a vehicle or person goes through the entrance it
will aim for the tags of vehicles. This is often successful when vehicles
that don't belong in the complex are recorded or viewed.
So the fact remains obvious that security cameras being used do provide
safety measures for a variety of people, even those who don't really like the
idea. Although they feel that in some ways it does interfere with their right to
privacy, they realize the increase in acts of violence in the United States
today. Therefore, they are not going to complain.
If a security camera is in a parking lot and their car is stolen in most cases
it can be retrieved, not to mention they have that peace of mind of walking
to their cars under surveillance and know that there is a lower risk of being
attacked or abducted by someone intending to harm them or hurt them in
order to gain access to their belongings or their vehicle. There's just too
much crime to not have security cameras in most places.
Encryption and Strong Authentication for Electronic Commerce
Electronic Commerce is not possible if the parties cannot authenticate each
other or if the transaction can be altered by some malicious third party.
This paper presents some of the available methods for securing
transactions over an unsecure network and for authenticating
communicating parties. The advantages and drawbacks of the different
methods are presented and a comparison of the methods is made.
The rapid growth of the internet has led to an increasing demand for
secure electronic communication. The demand is most apparent on the
internet, but is by no means restricted to it. Companies want to exploit
computer networks to their full potential, connecting sites that may be
situated on opposite sides of the earth. Individual users want to securely
access remote sites without disclosing their identities or activities.
Modern cryptography offers practical solutions to the problems that users
in a networked environment are faced with. The next section presents some
of the basic techniques of cryptography, but before you apply the solutions,
you should understand the problems.
The first thing that springs to mind from the term cryptography is
confidentiality, i.e. the ability to protect information from disclosure. It is
immediately obvious that some types of information need adequate
protection. Both individuals and companies have information that they
don't want the whole world to know, so sending such information over an
unprotected network is quite out of the question.
What is less obvious, and more controversial, is the fact that an individual
should have the right to protect all the private information he or she wants
to protect. We won't go into details in this politically highly sensitive area,
but you should always remember that some governments want to restrict
the private citizen's rights to use cryptography. Several less democratic
countries have legislation that restricts the use or export of cryptographic
algorithms, in the interest of the government.
The classical form of authentication is to use a user id and a password
transmitted in the clear. Once this was barely adequate, but nowadays
authentication must be handled using more sophisticated techniques.
Modern cryptography offers several techniques for very strong
authentication, and they can be used to authenticate almost anything on a
network; users, hosts, clients, servers, you name it.
In some contexts where authentication is used today, authorization would
be a more proper technique. The distinction between the two is clear, but
nevertheless they are often confused. When you authenticate yourself, you
prove your identity, whereas you use authorization to prove that you are
authorized to use some facility. This gets interesting when you realize that
cryptography offers you the possibility to authorize yourself without
disclosing your identity.
The value of integrity of a piece of information is often underrated. In a
closed system, you can assume that all the information you get is correct,
or that you can easily detect that it has been corrupted. In a networked
system, you must ensure the integrity of the information you send and
receive. If you were to make a payment to the other side of the world, you
would most certainly want to ensure that nobody could alter the sum you
were paying or redirect it to the wrong account.
Commercial transactions, and many other transactions, require that none of
the parties can later on claim that the transaction never took place. The
principle of nonrepudiation is getting increasingly important, and can quite
easily be solved using appropriate cryptographic techniques.
As with everything else, there is a downside to the use of cryptography.
The possibility to reliably identify a user can easily invade the privacy of
said user. Improper application of cryptography can give governments and
corporations more power over the lives of ordinary citizens. The balance
between anonymity and privacy on one hand and surveillance and
authentication on the other is very delicate. When applying cryptography
to a problem you should always consider its ramifications.
Users tend to lose their keys, regardless of how much the system
administrators try to avoid such situations. There are cryptographic
methods that can be used for key recovery, but so far most organizations
simply use key escrow. The difference is significant, as key escrow means
that the key can fall in the wrong hands, whereas key recovery guarantees
that only the rightful owner can recover a lost key.
Ciphers
The process of encrypting and decrypting a message. Depending on how
you interpret the different parts, the figure actually describes virtually
every encryption technique available. The message you want to encrypt is
fed to a cryptographic algorithm and encrypted using a key. The output
from the algorithm is called ciphertext. The only way to recover the
original message is to decrypt the ciphertext with the correct decryption
algorithm and key.
Some historic ciphers relied on keeping the cryptographic algorithm secret,
but all modern ciphers rely only on the key for their security. A. Kerckhoffs
first presented the fundamental principle of cryptanalysis that the crypto
designer must assume that the cryptanalyst has complete details of the
design and implementation of the cryptographic algorithm. A cipher is
considered strong only when it has been scrutinized by the collective
knowledge of the international cryptography community and no major
faults have been found.
Symmetric algorithms
When the same key is used both for encryption and decryption, the
algorithm is called a symmetric algorithm. Most of the fastest algorithms
known today are symmetric, and they are part of virtually every
cryptographic package currently in use. Using the same key makes things a
bit complicated, as the parties must be able to decide on a key to use,
without disclosing it to anybody else. This problem can be solved using
asymmetric algorithms.
E_K(M) = C
D_K(C) = M
Symmetric algorithms can be roughly divided into two categories, stream
ciphers and block ciphers. A stream cipher operates on very small units,
often as little as a bit at a time, whereas a block cipher encrypts constant
sized blocks. Many block ciphers can be used in a mode that turns them
into stream ciphers. Stream ciphers are suitable for encrypting data on the
fly, block ciphers are best used for encrypting data in place.
Modern block ciphers are designed using two basic techniques, confusion
and diffusion. They can both be used separately to create quite complex
algorithms, but are not as effective as a combination of the two. Confusion
is basically substitution: patterns of plaintext are exchanged for patterns of
ciphertext. Modern substitutions are very complex and vary for each bit in
the plaintext and each key. Diffusion spreads the information of the
plaintext by transposing the bits so that patterns in the plaintext are harder
to find.
Stream ciphers obviously cannot directly apply diffusion to the plaintext,
but often the underlying algorithm uses both confusion and diffusion to
produce the bit stream used for encryption.
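The effect of confusion and diffusion can be measured on a toy cipher. This added example (not from the original paper) builds a 16-bit substitution-permutation network from the 4-bit S-box of the PRESENT cipher and a bit transpose, both chosen here for illustration, and counts how many output bits change when one input bit is flipped.

```python
# PRESENT's 4-bit S-box, used here as the confusion step (the choice is an assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
NIBBLE_SHIFTS = (0, 4, 8, 12)
ROUND_KEYS = [0x3A94, 0xD61F, 0x70C2, 0x9B5E, 0x24E7]   # constructed sample keys


def substitute(block, box=SBOX):
    """Confusion: replace each of the four nibbles through the S-box."""
    return sum(box[(block >> s) & 0xF] << s for s in NIBBLE_SHIFTS)


def permute(block):
    """Diffusion: move bit b of nibble n to bit n of nibble b (its own inverse)."""
    out = 0
    for i in range(16):
        if (block >> i) & 1:
            out |= 1 << ((i % 4) * 4 + i // 4)
    return out


def encrypt(block, round_keys):
    """Each round mixes in a key, substitutes, then permutes; a last key closes."""
    for key in round_keys[:-1]:
        block = permute(substitute(block ^ key))
    return block ^ round_keys[-1]


def decrypt(block, round_keys):
    """Undo the rounds in reverse order."""
    block ^= round_keys[-1]
    for key in reversed(round_keys[:-1]):
        block = substitute(permute(block), INV_SBOX) ^ key
    return block


def avalanche(transform, step=37):
    """Flip each input bit of sampled blocks and report how far the change spreads."""
    bits, nibbles = [], []
    for x in range(0, 1 << 16, step):
        base = transform(x)
        for bit in range(16):
            diff = base ^ transform(x ^ (1 << bit))
            bits.append(bin(diff).count("1"))
            nibbles.append(sum(1 for s in NIBBLE_SHIFTS if (diff >> s) & 0xF))
    return {"min_bits": min(bits),
            "mean_bits": round(sum(bits) / len(bits), 2),
            "max_nibbles": max(nibbles)}


def report():
    """Compare each technique alone with their combination over several rounds."""
    return {
        "confusion only": avalanche(substitute),
        "diffusion only": avalanche(permute),
        "one round": avalanche(lambda x: permute(substitute(x))),
        "two keyed rounds": avalanche(lambda x: encrypt(x, ROUND_KEYS[:3])),
        "four keyed rounds": avalanche(lambda x: encrypt(x, ROUND_KEYS)),
    }


if __name__ == "__main__":
    for name, stats in report().items():
        print(f"{name:18} {stats}")
```

Substitution alone never lets a change leave its own nibble, and the transpose alone moves one bit without altering it; only the alternation of the two makes a one-bit change spread across the block.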
Asymmetric algorithms
Algorithms that use different keys for encryption and decryption are called
asymmetric algorithms, and are often referred to as "public-key
algorithms", as one of the keys typically is publicly known. Asymmetric
algorithms have several interesting properties and can be used to produce
digital signatures for authentication purposes and integrity checks. The
major drawback of asymmetric algorithms is their speed; typical
implementations may be a thousand times slower than symmetric
algorithms. The keys are also considerably larger than keys for symmetric
algorithms.
The asymmetric algorithms rely on mathematical problems that are
generally considered "hard". There are several types of problems that have
baffled mathematicians for centuries and that currently are considered very
hard to solve. Unfortunately nobody has been able to prove that they are
hard, which means that most asymmetric algorithms are sensitive to
mathematical breakthroughs.
Modular arithmetic is one of the main building blocks of asymmetric
algorithms. Calculating discrete logarithms and square roots mod n is hard,
whereas raising to a power mod n can be efficiently implemented in binary
arithmetic. Factoring large numbers is also time consuming, especially
when suitable primes are chosen to generate the large number. If you study
the literature, you will find that primes and modular arithmetic are major
concerns when designing algorithms.
Asymmetric algorithms also often have several properties that make them
vulnerable to attack if they are used improperly. When you are designing a
cryptosystem, it is not enough to ensure that the algorithm you use is
strong enough, you also have to verify that the whole system is strong. For
instance, the RSA algorithm is very sensitive to chosen ciphertext attack
and elements in the algorithm should be chosen with care.
There are several asymmetric algorithms that have been designed for a
particular purpose. The algorithm may only produce digital signatures or
be intended only for key exchange. The more general-purpose asymmetric
algorithms can be adopted for such use as well.
Hybrid ciphers
Symmetric and asymmetric algorithms are often combined to form hybrid
ciphers. Typically an asymmetric algorithm is used to securely transfer a
symmetric key to the correct recipient and to provide authentication and
integrity. A much faster symmetric algorithm is then used to encrypt the
actual message.
Designing a hybrid cipher requires more skill than using normal
algorithms, but the result is definitely more flexible and easier to use than
ciphers relying on only symmetric or asymmetric algorithms. The very
popular cryptographic program "Pretty Good Privacy - PGP" [PGP] uses a
hybrid of RSA and IDEA with excellent results. The only drawback of a
hybrid cipher is that it relies on the strength of two different algorithms. If
either of the algorithms is broken, then the whole hybrid scheme can be
attacked as well.
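An added sketch (not from the original paper, and not PGP's or SSL's actual construction) of the hybrid pattern described here and in the earlier PKI and Secure Socket Layers passages: the slow asymmetric step carries only a fresh session key, and a symmetric cipher protects the message. Textbook RSA with constructed toy keys and a SHA-256 keystream stand in for real algorithms; all function and variable names are assumptions.

```python
import hashlib
import hmac
import secrets

E = 65537


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: ((e, n), (d, n))."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR the data with a SHA-256 counter keystream.
    The same call encrypts and decrypts, i.e. E_K(M) = C and D_K(C) = M."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def derive(session_key: bytes, label: bytes) -> bytes:
    """Separate encryption and integrity keys from the one transported secret."""
    return hashlib.sha256(label + session_key).digest()


def hybrid_encrypt(recipient_public, message: bytes) -> dict:
    e, n = recipient_public
    session_key = secrets.token_bytes(16)           # fresh for every message
    nonce = secrets.token_bytes(12)
    # The asymmetric step touches only the 16-byte key (textbook RSA, no padding).
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    body = stream_xor(derive(session_key, b"enc"), nonce, message)
    tag = hmac.new(derive(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}


def hybrid_decrypt(recipient_private, envelope: dict) -> bytes:
    d, n = recipient_private
    key_int = pow(envelope["wrapped_key"], d, n)
    if key_int >> 128:                               # wrong key or altered wrapped_key
        raise ValueError("session key could not be recovered")
    session_key = key_int.to_bytes(16, "big")
    expected = hmac.new(derive(session_key, b"mac"),
                        envelope["nonce"] + envelope["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed")
    return stream_xor(derive(session_key, b"enc"), envelope["nonce"], envelope["body"])


def try_decrypt(private_key, envelope: dict):
    """Return the plaintext, or a short reason when the envelope is rejected."""
    try:
        return hybrid_decrypt(private_key, envelope)
    except ValueError as err:
        return f"rejected: {err}"


# Constructed toy keys built from known Mersenne primes (far too weak for real use).
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
BOB_PUB, BOB_PRIV = make_keypair(M89, M107)          # intended recipient
EVE_PUB, EVE_PRIV = make_keypair(M61, M127)          # some other key holder

if __name__ == "__main__":
    order = b"order 1001; amount=120.00; " * 40      # constructed bulk message
    env = hybrid_encrypt(BOB_PUB, order)
    print("recipient reads it :", try_decrypt(BOB_PRIV, env) == order)
    print("other key holder   :", try_decrypt(EVE_PRIV, env))
    altered = dict(env, body=bytes([env["body"][0] ^ 1]) + env["body"][1:])
    print("altered in transit :", try_decrypt(BOB_PRIV, altered))
```

Both halves matter, as the paragraph above says: recovering the wrapped key or breaking the symmetric cipher exposes the message.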
Cipher strength
Once you have found a cryptographic algorithm that you consider
reasonably strong, you must consider its key length. If the keys are too
short, the cipher can be broken with a brute-force attack, i.e. an exhaustive
search of the keyspace. Some algorithms are more suited to this type of
attack than others, but the difference is negligible when compared to the
impact of key length on the strength of a cipher. The difficulty of a brute-
force attack grows exponentially with the number of bits: if you add ten
bits to the key length you increase the number of keys by a factor of 2^10 =
1024.
In late 1995, an ad hoc group of known cryptographers and scientists tried
to estimate the minimum key length for symmetric ciphers. They published
their estimates in [Cryptographers], a paper that everyone using
cryptography should read. We chose to cite some of the statements in the
paper, as they are quite direct and to the point.
Neither corporations nor individuals will entrust their private business or
personal data to computer networks unless they can assure their
information's security.
This is probably correct when it comes to some kinds of information, but
in our view experience has shown that the corporations' and individuals'
view of what is "secure" often is severely misguided. The market is full of
cryptographic products that either use bad algorithms or too short keys and
sometimes even both.
It is a property of computer encryption that modest increases in
computational cost can produce vast increases in security. Encrypting
information very securely (e.g., with 128-bit keys) typically requires little
more computing than encrypting it weakly (e.g., with 40-bit keys).
If you are using cryptography to protect information, there is no reason not
to use the strongest cryptography you can afford. Saving a few bits in key
length gives you very little savings in efficiency, but may drastically
reduce the strength of the encryption. On the other hand, increasing the key
length just for the sake of long keys is not always necessary. A brute-force
attack on a 256-bit key is practically infeasible for every foreseeable
future. Using longer keys than 256 bits only goes to counteract possible
weaknesses in the algorithm itself.
The paper shows that a key length of 40 bits is totally inadequate and that
56-bit DES is on the verge of becoming too weak.
Bearing in mind that the additional computational costs of stronger
encryption are modest, we strongly recommend a minimum key-length of
90 bits for symmetric cryptosystems.
This statement could easily be interpreted as "90 bits is enough". We
would rather interpret it as "use as many bits as possible, but never use less
than 90", which is probably the intended interpretation. IDEA uses 128
bits, which should be enough for almost any use, Blowfish can be used
with key sizes up to 448 bits if you want to. If you use a key size of 256
bits, you would be safe even if some cryptographic breakthrough reduced
the key size by 50%. That is highly unlikely.
Other factors that you have to take into account when you are selecting a
cryptosystem are the value and lifetime of the information you are about to
protect. If the cost of breaking the encryption far outweighs the possible
gain from it, it is highly unlikely that anyone will even try. If, however, the
information you are protecting is valuable or will have to be protected for a
very long time, you should definitely use the strongest cryptography
possible.
Table 2.4 from [Crypto] compares symmetric and asymmetric key length.
When reading the table keep in mind that asymmetric keys usually are
around for much longer than symmetric keys. You should choose longer
asymmetric keys to be on the safe side, but the higher computational
requirements may restrict you to smaller sizes. The values cannot actually
be compared directly, so the numbers are based on several assumptions.
Symmetric   Asymmetric
56          384
64          512
80          768
112         1792
128         2304
Table 2.4 Comparison of asymmetric and symmetric key lengths (in bits)
However strong your cipher, you must always keep in mind that the
cryptographic algorithm is only a part of a larger system. The system is
never stronger than its weakest link. We won't go into details of why
cryptosystems fail, but for the interested reader we strongly recommend
[WCF]. To quote the abstract:
It turns out that the threat model commonly used by cryptosystem
designers was wrong: most frauds were not caused by cryptanalysis or
other technical attacks, but by implementation errors and management
failures.
Conclusions
Electronic Commerce requires that the
transactions remain confidential and cannot be
modified or repudiated. The current network
encryption solutions provide secure authenticated
channels, but in practice authentication of the
actual transactions will have to be handled
separately. This is not a problem, as separate
application layer protocols exist for authenticated
electronic transactions.
We are frightened by some of the current
cryptographic applications. The export version of
SSL is actually used for secure transactions, by
people who have been misled to believe that it is secure. Even worse, some
of the companies offering these "secure" services may even believe they
are secure. This seems to indicate that the public awareness of
cryptography and its applications needs to be improved.
Once you weed out the weak solutions, you are left with some very
promising protocols. They have many features in common, and provide both
strong encryption and strong authentication. The implementations may still
have some flaws, but already you can clearly see that an Internet
infrastructure of encrypted connections is forming. Support for
cryptographic protocols is
rapidly increasing, and with that the awareness of how insecure the
earlier connections have been.
In our opinion the Internet already has an established base of
cryptographic protocols. You should never again have to make an
unencrypted electronic transaction, and if you are faced with that choice,
you can require the service provider to offer you a secure alternative.
Ask for the strongest possible encryption and authentication, and do not
settle for anything less.
Above all, remember that the cryptosystem is never stronger than its
weakest link. Find this link, and make a determination as to how strong it
really is, and if it is strong enough.
Required Specifications
The minimum hardware and software requirements for the successful running
of the website are divided into two categories:
Requirements for Host.
Requirements for User.
Requirements from the Hosting point of view: The following are the
hardware and software requirements from the hosting point of view for the
website.
Hardware Required:
Processor: A high speed Pentium processor for Web Servers.
Web Space: 10 MB
Software Required:
Operating system: Windows 2000 or XP
Web Server: IIS
Requirements from the User point of view:
The following are the hardware and software requirements from the user
point of view:
Hardware Requirements: The user must have an Internet-enabled PC
with the following requirements:
Processor: Pentium IV or higher speed processor
RAM: Minimum 256 MB
Software Requirements:
Operating System: Windows XP.
Browser: Internet Explorer, Netscape Navigator, etc.