
Introduction of e Com2

Date post: 07-Apr-2018
Upload: shailesh-singh

8/4/2019 Introduction of e Com2

http://slidepdf.com/reader/full/introduction-of-e-com2 1/58

1

Term paper of E COMMERCE 

ON 

SUBMITTED TO: MR. AMANDEEP

Submitted by: 

Kewal krishan kapoor

ROLL No. 47

CLASS: MCA(204)

CERTIFICATE


This is to certify that the project report entitled “SECURITY AND

PROTECTION OF E COMMERCE” submitted by Mr. KEWAL

KRISHAN KAPOOR Roll No: D3804B47 is a bona fide piece of work

conducted under my guidance. No part of this work has been submitted for

any other degree of any other university. The data sources have been

acknowledged. It may be considered for evaluation in partial fulfillment of 

the requirement for the Master of Computer Applications Semester II.

MR. AMANDEEP

Lecturer,

LOVELY SCHOOL OF ENGINEERING

Chiheru 

Letter of Authentication


We hereby declare that the work presented by us in the project entitled “SECURITY AND PROTECTION OF ECOMMERCE”, in fulfillment of the award of the master's degree in MASTER OF COMPUTER APPLICATION, submitted to the department of computer science and application, LOVELY PROFESSIONAL UNIVERSITY, PHAGWARA, is an authentic record of our work carried out by us in the degree of MCA.

KEWAL KRISHAN KAPOOR

Roll No: D3804B47


ACKNOWLEDGEMENT

“Thanks to the almighty for showering his blessings” 

Nothing concrete can be achieved without a combination of inspiration

and perspiration. Although writing a few words on a piece of paper is not a

proper way of acknowledging those people who have helped us in the

completion of this project, yet the words coming from our heart and soul

need no mode of communication.

We take the opportunity to present a vote of thanks to all those

guideposts who really acted as lighting pillars to enlighten our way

throughout this project that has led to the completion of this study.

We find it a matter of honor in showering our gratitude, indebtedness

and thankfulness to our guide respected MR. AMANDEEP for her

utmost interest, kind and invaluable guidance and during the project

supporting us, gently coaxing us, giving us vital push and instilling sense

of urgency which led to successful completion of this project.

KEWAL KRISHAN KAPOOR


Contents:

I. FEASIBILITY STUDY
II. Introduction
III. Definition of e-Commerce
IV. Why This Study? Why Now?
V. Purpose of the Study
VI. e-Commerce Activities
VII. Perception of Risks
VIII. Policy and Satisfaction with Security
IX. Protecting e-Commerce
X. The "Problem" of Security
XI. SECURITY AND PROTECTION
    1. E-Commerce Participants
    2. Internet Security Your Business & You
    3. Logical Security – Threats
    4. E-Commerce Security Threats
    5. E-Commerce risks
    6. Why is the Internet insecure?
    7. E-Commerce Security
XII. Cryptomathic Offerings
    1. Public key encryption
    2. Digital Signatures and Certificates
XIII. TIPS FOR PROTECTION FROM E-COMMERCE HACKERS
XIV. Ecommerce Security Issues
    1. Customer Security: Basic Principles
    2. Secure Socket Layers
    3. PCI, SET, Firewalls and Kerberos
    4. Transactions
    5. Practical Consequences
XV. Security Cameras Provide Safety
XVI. Encryption and Strong Authentication for Electronic Commerce
XVII. Conclusions
XVIII. SYSTEM REQUIREMENTS
XIX. REFERENCE


FEASIBILITY STUDY

Feasibility study is the determination of whether the

problem defined in initial investigation is worth solving or not, whether the

resources required for implementation of system are available or can be

acquired or not, whether the system will be used by the user if developed.

The main aim is to study whether the project to be undertaken is technically, economically, and socially feasible.

Feasibility study can be of the following types:

• Technical Feasibility
• Economical Feasibility
• Operational Feasibility

Technical Feasibility

A major concern of technical feasibility is whether reliable hardware and software, capable of meeting the needs of the proposed system, can be acquired or developed by the organization in the required time.

Technical feasibility includes questions like:

• Does the necessary technology exist to do what is suggested, and can it be acquired?
• Does the proposed equipment have the technical capacity to hold the data required to use the new system?
• Will the proposed system provide adequate responses to inquiries, regardless of the number of locations and users?
• Can the system be expanded?
• Is there any technical guarantee of accuracy, reliability, ease of access and data security?

Hardware Requirements

In our case we require a PIII computer system, which is easily available, to run our application properly.

Software Requirements

The software requirements include VISUAL BASIC and MS-ACCESS.


In other words, we can say this project can't be more expensive than its returns.

Operational Feasibility  

The proposed system is operationally feasible also. The

operations used in the proposed system are very simple. The existing

staff members need only a week's training to cope with the proposed

system as the buttons used in the system have user-friendly names.

Introduction

E-Commerce over the Internet is changing the way organizations conduct

business with each other and their customers. The reasons are simple and

compelling - speed, cost reduction, efficiency, access to new markets and

convenience. The World Wide Web is becoming the global infrastructure

for many business interactions. As e-Commerce becomes business in its

entirety, then e-Commerce controls and business controls and information systems controls will all converge. Many of the world's most influential

organizations are transforming their businesses through the development

and use of information and communication technologies that electronically

integrate internal and external business processes. The research should

provide solutions for the full spectrum of control objectives - such as

availability, usefulness, integrity, authenticity, traceability/auditability

(including non-repudiation) and confidentiality - posed by the transition to

doing commerce on the Internet. The solutions proposed as a part of this research study include security technologies such as encryption, digital

signatures, certificates, firewalls, digital time stamps, intrusion detection

mechanisms, token-based authentication and single sign-on.


Central to the project is a seeming contradiction: security functions are

seen as an enabler of e-Commerce in organizations where they are present

and an inhibitor in organizations where they are not. It remains to be seen

whether management's concerns are justified and whether the security

controls in place successfully address those concerns.

Definition of e-Commerce 

ISACA defines e-Commerce as the processes by which organizations

conduct business electronically with their customers, suppliers and other

external business partners, using the Internet as an enabling technology. It

therefore encompasses both business-to-business and business-to-consumer

e-Commerce models, but does not include existing non-Internet e-

Commerce methods based on private networks, such as EDI and SWIFT.

The term e-Business is also used to describe Internet based commercial

activities. Distinguishing the two terms is difficult. Some take e-Business

to be more inclusive, denoting the Internet and the World Wide Web as

connected to existing enterprise information technology and business

competencies. E-Business is seen as enhancing brand value, communication and service by leveraging information; improving

efficiency by automating business processes; reducing costs and cycle

time; and increasing revenue from new markets and new electronic

channels. However, in this study, no distinction is made between e-

Business and e-Commerce. Since e-Commerce is the older and more

internationally used term, it has been used throughout this study.

The way in which e-Commerce is defined sets the agenda for the security

and controls required. For instance, in the ISACA definition the emphasis is on the Internet as a medium for business, but it is not the central theme.

Not all Internet usage is e-Commerce; not all electronic business is e-

Commerce, either. Therefore, the application of security should be focused

on both technology and business controls. Some executives interviewed for


this study hold more (or less) inclusive views of e-Commerce and thus

their views of security differ as well.

Why This Study? Why Now? 

ISACA is a global enterprise. Around the world, organizations are

transforming the way they do business, with the Internet providing

everything from showrooms to banking conduits. Since ISACA's charter

embraces both business controls and technology, it is appropriate that e-

Commerce security be a subject for investigation on a global basis. There

has been no lack of e-Commerce surveys, but it is difficult to find one that

speaks to the particular concerns of ISACA's membership. Security has

been described as the major inhibitor to adoption of e-Commerce, and yet the companies that have demonstrated success in using the Internet for

their businesses have built sophisticated security functions for processing.

It is part of the mission of ISACA to provide the link between the control

concerns of management and the implementation of controls in

information systems. To achieve this mission, ISACA's members need to

understand the underlying technology of e-Commerce - both the

telecommunications infrastructure and the security within the applications

and the environment.

Purpose of the Study 

Management is placing great emphasis on the quality of information

security tools to provide the foundation to safely build e-Commerce. In

the approximately five years during which e-Commerce has been building

up to its current state, the security and controls to be applied to

e-Commerce have not so much been introduced as re-introduced. Older forms of security and control have been adapted to this new environment.

For example, the essential control to protect both integrity and

confidentiality (though not other attributes of security) is encryption, the

process of transforming messages into indecipherable strings of bits.


Encryption was not invented to solve e-Commerce problems, rather, e-

Commerce has validated encryption as the security tool of choice.

The accompanying chart shows the flow of activity in a typical

e-Commerce environment. In general, security is provided by various implementations of cryptography, including encryption, digital signatures

and notarization, secure protocols, certificates, and a foundation for all the

above, generally referred to as Public Key Infrastructure (PKI).

In many ways, the purpose of this research is to provide ISACA members -

and other stakeholders - with an understanding of management's concerns,

and in return, to educate management on the effectiveness of the available controls. Recognizing that the impact of e-Commerce is only just

beginning, it is time to assess e-Commerce security as a predictor of the

future and as a guide to ensure that the future is a safe one.


Today, e-Commerce is viewed by some as a novel and innovative way of 

doing business. The Internet and the World Wide Web have caused many

to rethink the flow of their operations and finances. In the next century

there will be no real distinction between e-Commerce and commerce in

general. The technology of the Internet will be so integrated with overall business practices that it will appear seamless.

Achieving this state requires security solutions which are in tune with the

needs of business. While no one can predict what paths information

technology will take, the solutions must take into account the trends in

technological development that point the way to the future.

Many of the world's most influential organizations are transforming their

businesses through the development and use of information and communication technologies that electronically integrate internal and

external business processes. But are they managing the risks? ISACA has

sponsored a worldwide research project in an attempt to find this out. To

be meaningful, the research for this project needed to be based on the

actual experiences of major companies around the world that are doing

business on the Internet. The process of evaluating the status and role of 

security as it relates to e-Commerce within organizations involved two

separate tasks - a survey and executive interviews. The population of 

respondents was composed of IT and audit professionals from 46 countries

throughout the Americas, Asia/Pacific, Europe, the Middle East and

Africa. The largest populations of respondents from these regions were

from the United States, Japan, the United Kingdom and South Africa,

respectively. The demographics of the companies surveyed provided a

means for analyzing the responses allowing them to be grouped by size,

region and industry.

e-Commerce Activities

The activities of the organizations surveyed are almost evenly split among

business-to-business, business-to-consumer and other business related

activities. These activities have been defined in the following categories:


Business-to-Business

• Customer self-service (informational)
• Customer self-service (transactional)
• Interactive customer service (e.g., e-mail)
• Direct purchasing
• Direct selling
• Customer billing
• Customer reporting

Business-to-Consumer

• Customer self-service (informational)
• Customer self-service (transactional)
• Interactive customer service (e.g., e-mail)
• Direct selling
• Customer reporting

Other

• Marketing or advertising
• Research
• Financial or regulatory reporting
• Interaction with geographically dispersed employees and sales agents
• Recruiting

Respondents cited a wide number of reasons for entering into e-

Commerce. In general, the major focus was on cost-cutting opportunities,

new or revised ways of doing business and improving timeliness and

efficiency. However, in numerous interviews in companies around the

world, executives expressed the idea that real success in e-Commerce will

come to those who develop ways of improving revenue and profits.

Perception of Risks 

Our research shows a consistent assessment that e-Commerce security

presents low risk. Given that most of the respondents have audit,

information technology and security-related titles, it is not surprising that they believe they have a greater understanding of the variety of risks than

their top management. The results reveal that access by unauthorized users

is the area of risk that approaches the level of "significant" and is perceived

to present the greatest overall security risk to e-Commerce. With regard to


the risk of the non-availability, denial of service attacks and the destruction

of web sites, they are perceived to present the highest level of exposure,

albeit low risk overall. The primary concern associated with confidentiality

risks is the disclosure of customer information and is considered more of a

concern than the disclosure of an organization's own information.

Policy and Satisfaction with Security 

Policy is how management expresses its intentions for security and control,

provides guidance for those responsible for implementation and execution

of business processes and systems and sets the boundaries of acceptable

behavior in an organization. There is almost an even split between

companies that have and have not developed e-Commerce security

policies. When those that have partially developed such policies are

included, it can be concluded that the majority of organizations have

formal policies in this area.

The existence of an articulated policy in an organization correlates with the

organization's satisfaction with their security control objectives.

Eighty-one percent of the respondents stated they are satisfied that they met all their control objectives with regards to confidentiality, integrity,

availability, accuracy, and auditability. In fact, those companies that have

partial security policies are almost as likely (77%) to be satisfied with their

control objectives as those with full policies implemented. The most

surprising finding from our research is that 69% of companies with no

security policies are also satisfied with the achievement of their control

objectives.

There is a high level of satisfaction among the respondents that the state of their e-Commerce security is rather good. Regardless of the reasons and

motivations an organization may have for engaging in e-Commerce, the

respondents are aware of the security implications of their involvement in

e-Commerce. They are aware of the controls required to secure themselves


from the threats of "opening a door" to the organization and they believe

that the controls they have implemented are mitigating the risks.

Protecting e-Commerce 

Broadly speaking, the security impact of e-Commerce can be placed into

two categories:

• Improper or unauthorized use of the organization's e-Commerce offering (i.e., web site)
• Using connectivity to the Internet as the path to the organization's internal, private systems for unauthorized access

A greater percentage of those interviewed felt that private networks were at least somewhat protected. This is based on confidence in the access control

mechanisms used to keep the public network (the Internet) separate from

the private network.

The most widely adopted encryption method for e-Commerce is Secure

Sockets Layer, or SSL. SSL is a protocol intended for secure

communication across an arbitrary network between a client and a server.

It enables the customer (client) to be certain of the vendor (server) but not

vice versa. For that reason, the use of SSL is often supplemented by

passwords for user authentication.

Since the advent of online computer systems, there has been a need to

identify users of those systems to validate that they are authorized for each

system and to associate them with the files and functions for which they

are authorized. Historically, the most widely used method of authenticating

users has been to issue them a user Id and a password which was to be kept

secret in order to ensure the legitimacy of the sign-on. In e-Commerce systems, the use of shared secrets - passwords - is still the most prevalent

form of authenticity checking. Further analysis has shown that primary

reliance on passwords is the norm in all regions and among all industries,

in roughly the same proportions.


The "Problem" of Security 

Nearly half of all respondents to the survey gave their views on the key

problems of e-Commerce. They overwhelmingly cited security as the most

important problem. This apparently contradicts their overall satisfaction

with the achievement of their control objectives. However, this finding

may also be interpreted as recognition that security is a concern to be

continually dealt with. While they are content with their present security,

they may recognize that the safeguards that are appropriate for today may

be insufficient for the future.

At the foundation of every electronic commerce transaction is trust

between the buyer and seller. The VeriSign Secured® Seal is one of the

most recognized trust marks on the Internet. The VeriSign® Layered

Security Solution not only builds confidence in your brand with online

customers, our comprehensive approach to securing networks and Web

sites helps you comply with security regulations and manage risk.

Challenge: Gaining Consumer Trust in Online Transactions

Nothing should stand between your customer and the decision to buy. Yet

concerns about fraud and identity theft continue to erode confidence in e-

commerce, causing customers to abandon online transactions. Web site

visitors want to see that their transactions will be protected and confirm the

identity of the Web site owner. Online merchants need better protection

against fraud and malicious attacks.

Solution: Layered Security

Gaining customer confidence and protecting transactional data requires a

layered approach to security at all points vulnerable to attack. The

application of security technologies and services across business assets


provides comprehensive protection for the consumer, brand, Web site, and

network.

 How VeriSign Helps

VeriSign security experts help balance risk, cost and user experience to

apply the most effective security approach to your unique business. Over

one million Web servers worldwide, including over 95% of the Fortune

500 and the world’s 40 largest banks are secured with SSL Certificates sold by VeriSign*.

*Includes VeriSign subsidiaries, affiliates, and resellers.

Asset Layer Protected / How VeriSign Helps

Customer Protection

Easy-to-use authentication and transparent fraud detection from a trusted provider protects online transactions without slowing transactions.

• VeriSign® Identity Protection

Web Site Security

Give your customers the confidence to transact online by displaying the green address bar in the latest high-security browser with Extended Validation SSL on your Web site.

• SSL Certificates
• Secure Site Pro with EV SSL Certificates

Network Security

Authentication solutions for the enterprise, Web applications, and e-mail combined with comprehensive network protection help reduce risk while meeting compliance requirements.

• Managed Security Services
• UnifiedAuthenticatio
• Managed PKI Services

Expert Assistance and Intelligence

Security consulting and advanced intelligence reporting help you assess, analyze and update a layered approach to secure business assets.

• Global Consulting Services
• VeriSign® iDefense Security Intelligence Services

Supply Chain Visibility

Large retailers and suppliers need to open their networks to partners, affiliates, and customers to enhance services and speed operations while keeping confidential data secure.

• RFID Consulting
• VeriSign® Identity Protection

SECURITY AND PROTECTION

Overview

• Electronic Commerce
• Underlying Technologies
  – Cryptography
  – Network Security Protocols
• Electronic Payment Systems
  – Credit card-based methods
  – Electronic Cheques
  – Anonymous payment
  – Micropayments

SmartCards

Commerce

• Commerce: Exchange of Goods / Services
• Contracting parties: Buyer and Seller
• Fundamental principles: Trust and Security
• Intermediaries:
  – Direct (Distributors, Retailers)
  – Indirect (Banks, Regulators)
• Money is a medium to facilitate transactions
• Attributes of money:
  – Acceptability, Portability, Divisibility
  – Security, Anonymity
  – Durability, Interoperability

E-Commerce

• Automation of commercial transactions using computer and communication technologies
• Facilitated by Internet and WWW
• Business-to-Business: EDI
• Business-to-Consumer: WWW retailing
• Some features:
  – Easy, global access, 24 hour availability
  – Customized products and services
  – Back Office integration
  – Additional revenue stream

E-Commerce Steps

• Attract prospects to your site
  – Positive online experience
  – Value over traditional retail
• Convert prospect to customer
  – Provide customized services
  – Online ordering, billing and payment
• Keep them coming back
  – Online customer service
  – Offer more products and conveniences
• Maximize revenue per sale


E-Commerce Participants

Internet Security:

Your Business & You

• Physical Security - the protection of tangible assets from unauthorized access, alteration or destruction.
• Logical Security - the protection of assets using non-physical mechanisms; passwords, anti-virus software, encryption.

Logical Security – Threats

• Theft or Fraud
• Data contamination or alteration
• Denial-of-Service attack
• Privacy Threats
• Intellectual Property Threats
• E-Commerce Security Threats

E-Commerce Security Threats

• Access Control
• Audit
• Authentication
• Data Integrity
• Secrecy
• Nonrepudiation


E-Commerce risks

• Customer's risks
  – Stolen credentials or password
  – Dishonest merchant
  – Disputes over transaction
  – Inappropriate use of transaction details
• Merchant's risk
  – Forged or copied instruments
  – Disputed charges
  – Insufficient funds in customer's account
  – Unauthorized redistribution of purchased items
• Main issue: Secure payment scheme

Why is the Internet insecure?


E-Commerce Security

• Authorization, Access Control:
  – protect intranet from hordes: Firewalls
• Confidentiality, Data Integrity:
  – protect contents against snoopers: Encryption
• Authentication:
  – both parties prove identity before starting transaction: Digital certificates
• Non-repudiation:
  – proof that the document originated by you & you only: Digital signature

Authentication & Signing


The internet provides a very efficient and convenient way of

enabling services and creating transactions. Authentication &

Signing is vital in building the secure infrastructure required to

minimise fraud and meet security compliance.

Authentication

Authentication is a key component in ensuring that systems, users

and data are reliable and trustworthy. Authenticating users to systems

is a particularly important task in a world demanding increased

security as more and more business is done electronically.

Signing

Authentication on its own can provide limited security. Digital

signatures, ensuring authenticity and non-repudiation, play a crucial

role in securing electronic transactions regardless of industries, e.g.

government, banking, transportation, media, telecom etc.

Our comprehensive solutions are token vendor independent,

modular, innovative and scalable.


Cryptomathic Offerings

- Cryptomathic Authenticator (2FA server)
- Cryptomathic Token Manager
- Cryptomathic Signer (central signature server)
- Professional Services, e.g. design

Cryptomathic solutions comply with and support open standards, including OATH, CAP and X.509, etc.


Sender and receiver agree on a key K  

- No one else knows K  

- K is used to derive encryption key EK & decryption key DK  

- Sender computes and sends EK (Message)

- Receiver computes DK ( EK (Message))

- Example: DES: Data Encryption Standard


Public key encryption

· Separate public key pk and private key sk
· Private key is kept secret by receiver
· Dsk(Epk(mesg)) = mesg and vice versa

Knowing Ke gives no clue about Kd

Digital Signatures

• The private key signs (creates) signatures, and the public key verifies signatures
• Only the owner can create the digital signature, hence it can be used to verify who created a message
• Generally don't sign the whole message (doubling the size of information exchanged), but just a digest or hash of the message
• A hash function takes the message, and produces a fixed size (typically 64 to 512 bits) value dependent on the message
• It must be hard to create another message with the same hash value (otherwise some forgeries are possible)
• Developing good hash functions is another non-trivial problem

Sign: sign(sk,m) = Dsk (m)

Verify: Epk (sign(sk,m)) = m

Sign on small hash function to reduce cost


Signed and secret messages

[Figure: m → sign(sk1, m) → Encrypt(pk2) → Epk2(Dsk1(m)) → Decrypt(sk2) → Verify-sign / Encrypt(pk1) → m; key labels pk1, pk2]

First sign, then encrypt: order is important.

Certification authority

 


Digital Signatures and Certificates

Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run

through a hash function and so given a value: the message digest. This

digest, the hash function and the plain text encrypted with the recipient's

public key are sent to the recipient. The recipient decodes the message with

their private key, and runs the message through the supplied hash function

to check that the message digest value remains unchanged (message has not been

tampered with). Very often, the message is also timestamped by a third

party agency, which provides non-repudiation.

What about authentication? How does a customer know that the website

receiving sensitive information is not set up by some other party posing as

the e-merchant? They check the digital certificate. This is a digital

document issued by the CA (certification authority: Verisign, Thawte, etc.)

that uniquely identifies the merchant. Digital certificates are sold for

emails, e-merchants and web-servers.

Digital certificates

Register  public key

Download public key

How to establish authenticity of public key?

 


TIPS FOR PROTECTION FROM E-COMMERCE HACKERS

The American Institute of Certified Public Accountants (AICPA) is

offering several tips to e-commerce sites to help protect them and their

customers against disruptive actions.

"With the advent of e-commerce comes the vulnerability of Web sites

to attacks from hackers, among other cyber-crimes," says Anthony

Pugliese, Director of Assurance Services of the AICPA. "Many online

businesses are searching for tools with which they can protect their sites

and provide assurance to their customers that their information is kept

private and their transactions are protected."

The AICPA offers these tips to e-commerce businesses:

1. Conduct a risk assessment of your Internet business: A risk 

assessment should be carried out prior to implementing specific

technical controls, allowing you to identify possible security

vulnerabilities and decide what enhancements are necessary. The

greatest threat will come from the weakest links in your defenses, so

the risks you face will change as you develop your security solutions.

2. Develop security standards: Criminal hackers exist inside and

outside an organization, and experts recommend that online

businesses must protect against both threats. A security policy based

on technical standards and procedures must underpin any technical

solutions. The company security policy must be clearly

communicated to employees so that they are aware of their

responsibilities, the penalties for misuse and what to do in the event of a suspected security breach.

3. Test your defenses: Check your physical security systems to prevent

an attack by an outsider who may have very little knowledge about

your company but is capable of using either information or a physical


product that can be used to hack into your system. Test remote access

to systems using specialist tools to attempt access to resources

through e-mail, the Internet and telephone systems. Also test for

unauthorized attacks by employees. Conduct an entire system audit,

testing the security -- especially firewalls -- to identify loopholes.

4. Develop procedures for prevention and use independent third-parties to test them: Prevention of fraud depends on having robust

procedures, strict controls and strong audit capabilities. Work with

independent third-parties, such as CAs or CPAs, to test and verify the

security and safety of your site. A licensed CA who offers WebTrust

will examine the site's firewalls, security systems, and risk analysis

tools to provide recommendations for improved protection. Stronger

prevention and thorough examination will help e-commerce sites

lower the risk of security breaches.

5. Limit the number of individuals who may access controls to your

e-commerce business: Access to controls should be implemented

according to the basic rule that access is only provided to the

minimum number of people for the minimum possible number of 

systems and for the minimum amount of time required to do the job.

Use authentication methods such as passwords, smart cards, PIN

numbers or fingerprint scans to access your systems. Utilize digital

certificates to verify electronic identities. Use encryption to render data unintelligible to unauthorized users who do not have access to

the decryption key. Utilize anti-virus software and keep it up-to-date.

Software should be installed on individual client machines, servers or

firewalls.

6. Utilize Firewalls: Firewalls intelligently isolate one network from

another by passing messages through a control point at which the

system can check whether their transmission conforms to the site's

security policy. Firewalls can be implemented in various ways, the

most typical involving a combination of devices, including routers and servers running appropriate software.

7. Utilize surveillance tools: Surveillance tools allow you to monitor

employees to quickly identify if they are abusing legitimate access to

the system. Products in this category normally act by "sniffing" the


network cable and logging actions, raising alerts if certain criteria are

matched. The detailed logs produced by such tools can be used as

documentary evidence in legal proceedings.

Security tools: Security management tools can help administrators to enforce security policies consistently across the various technical

environments within a site and simplify or even automate the process

of managing user privileges.

E-mail security tools: E-mail security tools allow e-mail to be

intercepted and scanned automatically to determine if it presents a

security risk. This type of tool can review content, access

authorizations and sensitivity of information.

8. Monitor your networks for unusual activity: If you discover

unusual activity, monitor important systems using intrusion detection

software or services. This can help mitigate the attack by discovering

actions that can be taken (e.g. installing security patches, expanding

RAM to maintain performance during Denial-Of-Service attacks). It

can also help detect signs that this attack is more than a nuisance e.g.,

it can determine that a Denial-Of-Service attack is being waged as a

diversion intended to distract your attention from an actual takeover

of your systems. If other organizations are under particular attack, check your systems for similar signs of attack as well.

9. Contact your Internet Service Provider: Contact your ISP (if your

site uses one) to determine the level of protection it already has in

place. In addition, it is possible that the ISP can take action to block 

the attacks before they reach your computer systems.

10.  Report computer violations to the proper law enforcement

authorities: Contact law enforcement authorities to inform them of 

the incident. You may not be the only organization under attack, and the authorities may be able to provide technical assistance or contacts

to help your response efforts. You can help the law enforcement

efforts by collecting system log information from target systems.

These logs may be important evidence that law enforcement needs to


take action. It is critical that this information be collected and

protected before it is accidentally or deliberately erased.

In cooperation with the Canadian Institute of Chartered Accountants,

the AICPA has developed WebTrust, a service by which CAs, CPAs and their international counterparts examine online businesses to determine if

they are legitimate, their transactions are secure, the information they

collect from customers is kept private, their business practices are fully

disclosed to customers, and they have a mechanism to resolve customer

complaints.

WebTrust is now being offered in the United States, Canada, Puerto

Rico, England, France, Ireland, Scotland, Wales, Australia and New

Zealand. Negotiations with other European and Asian countries are

currently underway.

Ecommerce Security Issues

Keeping your site and customer data safe.

Customer Security: Basic Principles

Most ecommerce merchants leave the mechanics to their hosting company

or IT staff, but it helps to understand the basic principles. Any system has

to meet four requirements:

  privacy: information must be kept from unauthorized parties.

  integrity: message must not be altered or tampered with.

  authentication: sender and recipient must prove their identities to each other.

  non-repudiation: proof is needed that the message was indeed

received.


Privacy is handled by encryption. In PKI (public key infrastructure) a

message is encrypted by a public key, and decrypted by a private key. The

public key is widely distributed, but only the recipient has the private key.

For authentication (proving the identity of the sender, since only the sender

has the particular key) the encrypted message is encrypted again, but this time with a private key. Such procedures form the basis of RSA (used by

banks and governments) and PGP (Pretty Good Privacy, used to encrypt

emails).

Unfortunately, PKI is not an efficient way of sending large amounts of 

information, and is often used only as a first step — to allow two parties to

agree upon a key for symmetric secret key encryption. Here sender and

recipient use keys that are generated for the particular message by a third

body: a key distribution center. The keys are not identical, but each is shared with the key distribution center, which allows the message to be

read. Then the symmetric keys are encrypted in the RSA manner, and rules

set under various protocols. Naturally, the private keys have to be kept

secret, and most security lapses indeed arise here.

Secure Socket Layers

Information sent over the Internet commonly uses the set of rules called

TCP/IP (Transmission Control Protocol / Internet Protocol). The

information is broken into packets, numbered sequentially, and an error

control attached. Individual packets are sent by different routes. TCP/IP

reassembles them in order and resubmits any packet showing errors. SSL

uses PKI and digital certificates to ensure privacy and authentication. The

procedure is something like this: the client sends a message to the server,

which replies with a digital certificate. Using PKI, server and client

negotiate to create session keys, which are symmetrical secret keys

specially created for that particular transmission. Once the session keys are agreed, communication continues with these session keys and the digital

certificates.


PCI, SET, Firewalls and Kerberos

Credit card details can be safely sent with SSL, but once stored on the

server they are vulnerable to outsiders hacking into the server and

accompanying network. A PCI (peripheral component interconnect: hardware) card is often added for protection, therefore, or another

approach altogether is adopted: SET (Secure Electronic Transaction).

Developed by Visa and Mastercard, SET uses PKI for privacy, and digital

certificates to authenticate the three parties: merchant, customer and bank.

More importantly, sensitive information is not seen by the merchant, and is

not kept on the merchant's server.

Firewalls (software or hardware) protect a server, a network and an

individual PC from attack by viruses and hackers. Equally important is protection from malice or carelessness within the system, and many

companies use the Kerberos protocol, which uses symmetric secret key

cryptography to restrict access to authorized employees.

Transactions

Sensitive information has to be protected through at least three

transactions:

  credit card details supplied by the customer, either to the merchant or

payment gateway. Handled by the server's SSL and the

merchant/server's digital certificates.

  credit card details passed to the bank for processing. Handled by the

complex security measures of the payment gateway.

  order and customer details supplied to the merchant, either directly or

from the payment gateway/credit card processing company. Handled

by SSL, server security, digital certificates (and payment gateway sometimes).


Practical Consequences

1. The merchant is always responsible for security of the Internet-

connected PC where customer details are handled. Virus protection and a

firewall are the minimum requirement. To be absolutely safe, store sensitive information and customer details on zip-disks, a physically

separate PC or with a commercial file storage service. Always keep

multiple back-ups of essential information, and ensure they are stored

safely off-site.

2. Where customers order by email, information should be encrypted with

PGP or similar software. Or payment should be made by specially

encrypted checks and ordering software. 

3. Where credit cards are taken online and processed later, it's the

merchant's responsibility to check the security of the hosting company's

webserver. Use a reputable company and demand detailed replies to your

queries.

4. Where credit cards are taken online and processed in real time, four

situations arise:

(I)  You use a service bureau. Sensitive information is handled entirely by the service bureau, which is responsible for its security.

Other customer and order details are your responsibility as in 3.

above.

(II)  You possess an ecommerce merchant account but use the

digital certificate supplied by the hosting company. A cheap option

acceptable for smallish transactions with SMEs. Check out the

hosting company, and the terms and conditions applying to the

digital certificate.

(III)  You possess an ecommerce merchant account and obtain your

own digital certificate (costing some hundreds of dollars). Check out

the hosting company, and enter into a dialogue with the certification

authority: they will certainly probe your credentials.


(IV)  You possess a merchant account, and run the business from

your own server. You need trained IT staff to maintain all aspects of 

security — firewalls, Kerberos, SSL, and a digital certificate for the

server (costing thousands or tens of thousands of dollars).

Security is a vexing, costly and complicated business, but a single lapse

can be expensive in lost funds, records and reputation. Don't wait for

disaster to strike, but stay proactive, employing a security expert where

necessary.

Security Cameras Provide Safety

Many home owners who want the idea of feeling safer have security

cameras installed over their garages aimed at the driveway or street,

possibly another one over their door entrance, or at the back door entrance

of the home. Often times these security cameras are basic, and some

simply record surveillance, while others show real time viewing. The idea

of having these cameras allows the home owner to feel at peace knowing

the camera is installed.

If an intruder sees the security camera he or she will do everything possible to avoid it, and in essence feel as though there are other additional security

measures taken on the house, such as door alarms or window alarms. In

this case an intruder would initially leave the premises trying to avoid

being seen or recorded.

Another good reason why a home owner would have cameras installed

might be if they travel a lot, it will video tape the surroundings while they

are away and if any type of vandalism or break in does occur, the

appropriate measures can be taken.

Many apartment complexes have security cameras at the entrance for

safety reasons. Each time a vehicle or person goes through the entrance it


will aim for the tags of vehicles. This is often successful when vehicles

that don't belong in the complex are recorded or viewed.

So the fact remains obvious that security cameras being used do provide

safety measures for a variety of people, even those who don't really like the idea. They feel although in some ways it does interfere with their right to

privacy they realize the increase of the acts of violence in the United States

today. Therefore, they are not going to complain.

If a security camera is in a parking lot and their car is stolen in most cases

it can be retrieved, not to mention they have that peace of mind of walking

to their cars under surveillance and know that there is a lower risk of being

attacked or abducted by someone intending to harm them or hurt them in

order to gain access to their belongings or their vehicle. There's just too much crime to not have security cameras in most places.

Encryption and Strong Authentication for Electronic Commerce

Electronic Commerce is not possible if the parties cannot authenticate each

other or if the transaction can be altered by some malicious third party.

This paper presents some of the available methods for securing

transactions over an unsecure network and for authenticating

communicating parties. The advantages and drawbacks of the different

methods are presented and a comparison of the methods is made.


The rapid growth of the internet has led to an increasing demand for

secure electronic communication. The demand is most apparent on the

internet, but is by no means restricted to it. Companies want to exploit

computer networks to their full potential, connecting sites that may be

situated on opposite sides of the earth. Individual users want to securely

access remote sites without disclosing their identities or activities.

Modern cryptography offers practical solutions to the problems that users

in a networked environment are faced with. The next section presents some

of the basic techniques of cryptography, but before you apply the solutions,

you should understand the problems.

The first thing that springs to mind from the term cryptography is confidentiality, i.e. the ability to protect information from disclosure. It is

immediately obvious that some types of information need adequate

protection. Both individuals and companies have information that they

don't want the whole world to know, so sending such information over an

unprotected network is quite out of the question.

What is less obvious, and more controversial, is the fact that an individual

should have the right to protect all the private information he or she wants to protect. We won't go into details in this politically highly sensitive area,

but you should always remember that some governments want to restrict

the private citizen's rights to use cryptography. Several less democratic

countries have legislation that restricts the use or export of cryptographic

algorithms, in the interest of the government.

The classical form of authentication is to use a user id and a password

transmitted in the clear. Once this was barely adequate, but nowadays authentication must be handled using more sophisticated techniques.

Modern cryptography offers several techniques for very strong

authentication, and they can be used to authenticate almost anything on a

network; users, hosts, clients, servers, you name it.


In some contexts where authentication is used today, authorization would

be a more proper technique. The distinction between the two is clear, but

nevertheless they are often confused. When you authenticate yourself, you

prove your identity, whereas you use authorization to prove that you are

authorized to use some facility. This gets interesting when you realize that

cryptography offers you the possibility to authorize yourself without

disclosing your identity.

The value of integrity of a piece of information is often underrated. In a

closed system, you can assume that all the information you get is correct,

or that you can easily detect that it has been corrupted. In a networked

system, you must ensure the integrity of the information you send and

receive. If you were to make a payment to the other side of the world, you

would most certainly want to ensure that nobody could alter the sum you

were paying or redirect it to the wrong account.

Commercial transactions, and many other transactions, require that none of

the parties can later on claim that the transaction never took place. The

principle of nonrepudiation is getting increasingly important, and can quite

easily be solved using appropriate cryptographic techniques.

As with everything else, there is a downside to the use of cryptography.

The possibility to reliably identify a user can easily invade the privacy of 

said user. Improper application of cryptography can give governments and

corporations more power over the lives of ordinary citizens. The balance

between anonymity and privacy on one hand and surveillance and

authentication on the other is very delicate. When applying cryptography

to a problem you should always consider its ramifications.

Users tend to lose their keys, regardless of how much the system

administrators try to avoid such situations. There are cryptographic

methods that can be used for key recovery, but so far most organizations

simply use key escrow. The difference is significant, as key escrow means


that the key can fall in the wrong hands, whereas key recovery guarantees

that only the rightful owner can recover a lost key.

Ciphers

The process of encrypting and decrypting a message. Depending on how

you interpret the different parts, the figure actually describes virtually

every encryption technique available. The message you want to encrypt is

fed to a cryptographic algorithm and encrypted using a key. The output

from the algorithm is called ciphertext. The only way to recover the

original message is to decrypt the ciphertext with the correct decryption algorithm and key.

Some historic ciphers relied on keeping the cryptographic algorithm secret,

but all modern ciphers rely only on the key for their security. A. Kerckhoffs

first presented the fundamental principle of cryptanalysis that the crypto

designer must assume that the cryptanalyst has complete details of the

design and implementation of the cryptographic algorithm. A cipher is

considered strong only when it has been scrutinized by the collective knowledge of the international cryptography community and no major

faults have been found.

Symmetric algorithms

When the same key is used both for encryption and decryption, the

algorithm is called a symmetric algorithm. Most of the fastest algorithms

known today are symmetric, and they are part of virtually every

cryptographic package currently in use. Using the same key makes things a


bit complicated, as the parties must be able to decide on a key to use,

without disclosing it to anybody else. This problem can be solved using

asymmetric algorithms.

EK(M) = C

DK(C) = M

Symmetric algorithms can be roughly divided into two categories, stream

ciphers and block ciphers. A stream cipher operates on very small units,

often as little as a bit at a time, whereas a block cipher encrypts constant

sized blocks. Many block ciphers can be used in a mode that turns them

into stream ciphers. Stream ciphers are suitable for encrypting data on the

fly, block ciphers are best used for encrypting data in place.

Modern block ciphers are designed using two basic techniques, confusion

and diffusion. They can both be used separately to create quite complex

algorithms, but are not as effective as a combination of the two. Confusion

is basically substitution, patterns of plaintext are exchanged for patterns of 

ciphertext. Modern substitutions are very complex and vary for each bit in

the plaintext and each key. Diffusion spreads the information of the

plaintext by transposing the bits so that patterns in the plaintext are harder

to find.

Stream ciphers obviously cannot directly apply diffusion to the plaintext,

but often the underlying algorithm uses both confusion and diffusion to

produce the bit stream used for encryption.


Asymmetric algorithms

Algorithms that use different keys for encryption and decryption are called

asymmetric algorithms, and are often referred to as "public-key

algorithms", as one of the keys typically is publicly known. Asymmetric algorithms have several interesting properties and can be used to produce

digital signatures for authentication purposes and integrity checks. The

major drawback of asymmetric algorithms is their speed; typical

implementations may be a thousand times slower than symmetric

algorithms. The keys are also considerably larger than keys for symmetric

algorithms.

The asymmetric algorithms rely on mathematical problems that are generally considered "hard". There are several types of problems that have

baffled mathematicians for centuries and that currently are considered very

hard to solve. Unfortunately nobody has been able to prove that they are

hard, which means that most asymmetric algorithms are sensitive to

mathematical breakthroughs.

Modular arithmetic is one of the main building blocks of asymmetric

algorithms. Calculating discrete logarithms and square roots mod n is hard, whereas raising to a power mod n can be efficiently implemented in binary

arithmetic. Factoring large numbers is also time consuming, especially

when suitable primes are chosen to generate the large number. If you study

the literature, you will find that primes and modular arithmetic are major

concerns when designing algorithms.

Asymmetric algorithms also often have several properties that make them

vulnerable to attack if they are used improperly. When you are designing a

cryptosystem, it is not enough to ensure that the algorithm you use is

strong enough, you also have to verify that the whole system is strong. For


instance, the RSA algorithm is very sensitive to chosen ciphertext attack 

and elements in the algorithm should be chosen with care.

There are several asymmetric algorithms that have been designed for a

particular purpose. The algorithm may only produce digital signatures or be intended only for key exchange. The more general-purpose asymmetric

algorithms can be adopted for such use as well.

Hybrid ciphers

Symmetric and asymmetric algorithms are often combined to form hybrid

ciphers. Typically an asymmetric algorithm is used to securely transfer a

symmetric key to the correct recipient and to provide authentication and

integrity. A much faster symmetric algorithm is then used to encrypt the

actual message.

Designing a hybrid cipher requires more skill than using normal

algorithms, but the result is definitely more flexible and easier to use than

ciphers relying on only symmetric or asymmetric algorithms. The very

popular cryptographic program "Pretty Good Privacy - PGP" [PGP] uses a

hybrid of RSA and IDEA with excellent results. The only drawback of a

hybrid cipher is that it relies on the strength of two different algorithms. If 

either of the algorithms is broken, then the whole hybrid scheme can be

attacked as well.
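The hybrid scheme described above, which is also the session-key step of the earlier PKI and SSL passages, as an added Python example that is not part of the original paper. The recipient key is a constructed textbook-RSA toy key, the SHA-256 counter keystream stands in for a fast symmetric cipher such as IDEA, and the HMAC tag and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed recipient key pair: textbook RSA over two Mersenne primes.
# Unpadded and far too small for real use.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q                           # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, Python 3.8+


def keystream_xor(key, data):
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.

    The same call encrypts and decrypts, as with any XOR keystream.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def derive_keys(session_key):
    """Separate encryption and MAC keys derived from one session key."""
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    return enc_key, mac_key


def hybrid_encrypt(n, e, message):
    """Slow asymmetric step on 16 bytes only; fast symmetric step on the message."""
    session_key = secrets.token_bytes(16)  # fresh 128-bit key per message
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    enc_key, mac_key = derive_keys(session_key)
    ciphertext = keystream_xor(enc_key, message)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return wrapped_key, ciphertext, tag


def hybrid_decrypt(n, d, package):
    """Unwrap the session key with the private key, check the tag, then decrypt."""
    wrapped_key, ciphertext, tag = package
    key_int = pow(wrapped_key, d, n)
    if key_int >= 2**128:  # not a 128-bit key: wrong or altered wrapped key
        return None
    session_key = key_int.to_bytes(16, "big")
    enc_key, mac_key = derive_keys(session_key)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None        # ciphertext or key was altered in transit
    return keystream_xor(enc_key, ciphertext)


if __name__ == "__main__":
    order = b"order=1234;item=book;qty=2;" * 40  # constructed sample message
    package = hybrid_encrypt(N, E, order)
    print("bytes under the symmetric cipher:", len(package[1]))
    print("bits under the asymmetric cipher:", package[0].bit_length())
    print("round trip ok:", hybrid_decrypt(N, D, package) == order)
```
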

Cipher strength

Once you have found a cryptographic algorithm that you consider reasonably strong, you must consider its key length. If the keys are too

short, the cipher can be broken with a brute-force attack, i.e. an exhaustive

search of the keyspace. Some algorithms are more suited to this type of 

attack than others, but the difference is negligible when compared to the


impact of key length on the strength of a cipher. The difficulty of a brute-force attack grows exponentially with the number of bits: if you add ten bits to the key length you increase the number of keys by a factor of 2^10 = 1024.

In late 1995, an ad hoc group of known cryptographers and scientists tried

to estimate the minimum key length for symmetric ciphers. They published

their estimates in [Cryptographers], a paper that everyone using

cryptography should read. We chose to cite some of the statements in the

paper, as they are quite direct and to the point.

Neither corporations nor individuals will entrust their private business or

personal data to computer networks unless they can assure their information's security.

This is probably correct when it comes to some kinds of information, but

in our view experience has shown that the corporations' and individuals'

view of what is "secure" often is severely misguided. The market is full of 

cryptographic products that either use bad algorithms or too short keys and

sometimes even both.

It is a property of computer encryption that modest increases in

computational cost can produce vast increases in security. Encrypting

information very securely (e.g., with 128-bit keys) typically requires little

more computing than encrypting it weakly (e.g., with 40-bit keys).

If you are using cryptography to protect information, there is no reason not

to use the strongest cryptography you can afford. Saving a few bits in key

length gives you very little savings in efficiency, but may drastically

reduce the strength of the encryption. On the other hand, increasing the key

length just for the sake of long keys is not always necessary. A brute-force

attack on a 256-bit key is practically infeasible for every foreseeable


future. Using longer keys than 256 bits only goes to counteract possible

weaknesses in the algorithm itself.

The paper shows that a key length of 40 bits is totally inadequate and that

56-bit DES is on the verge of becoming too weak.

Bearing in mind that the additional computational costs of stronger

encryption are modest, we strongly recommend a minimum key-length of 

90 bits for symmetric cryptosystems.

This statement could easily be interpreted as "90 bits is enough". We

would rather interpret it as "use as many bits as possible, but never use less

than 90", which is probably the intended interpretation. IDEA uses 128

bits, which should be enough for almost any use, Blowfish can be used

with key sizes up to 448 bits if you want to. If you use a key size of 256

bits, you would be safe even if some cryptographic breakthrough reduced

the key size by 50%. That is highly unlikely.

Other factors that you have to take into account when you are selecting a

cryptosystem are the value and lifetime of the information you are about to protect. If the cost of breaking the encryption far outweighs the possible

gain from it, it is highly unlikely that anyone will even try. If, however, the

information you are protecting is valuable or will have to be protected for a

very long time, you should definitely use the strongest cryptography

possible.
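
The trade-off in the passages above (each extra key bit doubles an exhaustive search, and long-lived information needs more margin) can be worked through numerically. The sketch below is an added example, not part of the original paper; the attacker speed of 10^12 keys per second, the 18-month doubling of that speed, and the data lifetimes are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PAGE_MINIMUM_BITS = 90  # minimum symmetric key length recommended in the text


def expected_search_years(key_bits, keys_per_second):
    """Years for an average exhaustive search (half the key space)."""
    return 2 ** (key_bits - 1) / keys_per_second / SECONDS_PER_YEAR


def min_key_bits(lifetime_years, keys_per_second, doubling_years=1.5):
    """Smallest key length whose half key space is at least everything an
    attacker can test during the lifetime, if the attacker's speed doubles
    every `doubling_years` (an assumption)."""
    # Integral of rate * 2**(t / d) for t in [0, lifetime], in keys.
    growth = 2 ** (lifetime_years / doubling_years) - 1
    total_keys = (keys_per_second * SECONDS_PER_YEAR
                  * doubling_years / math.log(2) * growth)
    return math.ceil(math.log2(total_keys)) + 1


def audit(inventory, keys_per_second):
    """Return (name, key_bits, required_bits, ok) for each entry."""
    report = []
    for name, key_bits, lifetime_years in inventory:
        required = max(PAGE_MINIMUM_BITS,
                       min_key_bits(lifetime_years, keys_per_second))
        report.append((name, key_bits, required, key_bits >= required))
    return report


# Constructed inventory: key sizes are the ones named in the text,
# lifetimes (in years) are made up for the example.
INVENTORY = [
    ("export-grade SSL", 40, 1),
    ("DES", 56, 5),
    ("IDEA", 128, 20),
    ("Blowfish (maximum key)", 448, 50),
]
ASSUMED_RATE = 1e12  # keys per second, an assumption, not a measured figure

if __name__ == "__main__":
    for name, bits, required, ok in audit(INVENTORY, ASSUMED_RATE):
        years = expected_search_years(bits, ASSUMED_RATE)
        verdict = "ok" if ok else "TOO SHORT"
        print(f"{name:24} {bits:4} bits  need >= {required:3}  "
              f"avg search {years:.3g} years  {verdict}")
```

Under these assumptions a 50-year lifetime already pushes the requirement above the 90-bit floor, which is why the lifetime of the data belongs in the key-length decision.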

Table 2.4 from [Crypto] compares symmetric and asymmetric key length.

When reading the table, keep in mind that asymmetric keys usually are

around for much longer than symmetric keys. You should choose longer

asymmetric keys to be on the safe side, but the higher computational

requirements may restrict you to smaller sizes. The values cannot actually

be compared directly, so the numbers are based on several assumptions.


Symmetric    Asymmetric
56           384
64           512
80           768
112          1792
128          2304

Table 2.4 Comparison of asymmetric and symmetric key lengths (in bits)

However strong your cipher, you must always keep in mind that the

cryptographic algorithm is only a part of a larger system. The system is

never stronger than its weakest link. We won't go into details of why

cryptosystems fail, but for the interested reader we strongly recommend

[WCF]. To quote the abstract:

It turns out that the threat model commonly used by cryptosystem

designers was wrong: most frauds were not caused by cryptanalysis or

other technical attacks, but by implementation errors and management

failures.


Conclusions

Electronic Commerce requires that the transactions remain confidential and cannot be modified or repudiated. The current network encryption solutions provide secure authenticated channels, but in practice authentication of the actual transactions will have to be handled separately. This is not a problem, as separate application layer protocols exist for authenticated electronic transactions.

We are frightened by some of the current cryptographic applications. The export version of SSL is actually used for secure transactions, by people who have been misled to believe that it is secure. Even worse, some of the companies offering these "secure" services may even believe they are secure. This seems to indicate that the public awareness of cryptography and its applications needs to be improved.

Once you weed out the weak solutions, you are left with some very promising protocols. They have many features in common, and provide both strong encryption and strong authentication. The implementations may still have some flaws, but already you can clearly see that an Internet infrastructure of encrypted connections is forming. Support for cryptographic protocols is rapidly increasing, and with that the awareness of how insecure the earlier connections have been.

In our opinion the Internet already has an established base of cryptographic protocols. You should never again have to make an unencrypted electronic transaction, and if you are faced with that choice, you can require the service provider to offer you a secure alternative. Ask for the strongest possible encryption and authentication, and do not settle for anything less.

Above all, remember that the cryptosystem is never stronger than its weakest link. Find this link, and make a determination as to how strong it really is, and if it is strong enough.


Required Specifications

The minimum hardware and software requirements for the successful running of the website are divided into two categories:

- Requirements for Host.

- Requirements for User.

Requirements from the Hosting point of view: The following are the hardware and software requirements from the hosting point of view for the website.

Hardware Required:

Processor: A high speed Pentium processor for Web Servers. 

Web Space: 10 MB

Software Required:

Operating system: Windows 2000 or XP

Web Server: IIS

Requirements from the User point of view:

The following are the hardware and software requirements from the user

point of view:


Hardware Requirements: The user must have an Internet-enabled PC

with the following requirements:

Processor: Pentium IV or higher speed processor 

RAM: Minimum 256 MB

Software Requirements:

Operating System: Windows XP.

Browser: Internet Explorer, Netscape Navigator, etc.
