Overview l l Electronic Commerce Underlying Technologies Cryptography

  • Slides: 55
Download presentation
Overview l l Electronic Commerce Underlying Technologies » Cryptography » Network Security Protocols l

Overview l l Electronic Commerce Underlying Technologies » Cryptography » Network Security Protocols l Electronic Payment Systems » Credit card-based methods » Electronic Cheques » Anonymous payment » Micropayments » Smart. Cards 1

Commerce l l Commerce: Exchange of Goods / Services Contracting parties: Buyer and Seller

Commerce l l Commerce: Exchange of Goods / Services Contracting parties: Buyer and Seller Fundamental principles: Trust and Security Intermediaries: – Direct (Distributors, Retailers) – Indirect (Banks, Regulators) l l Money is a medium to facilitate transactions Attributes of money: » Acceptability, Portability, Divisibility » Security, Anonymity » Durability, Interoperability 2

E-Commerce Summary l l l Automation of commercial transactions using computer and communication technologies

E-Commerce Summary l l l Automation of commercial transactions using computer and communication technologies Facilitated by Internet and WWW Business-to-Business: EDI Business-to-Consumer: WWW retailing Some features: » » Easy, global access, 24 hour availability Customized products and services Back Office integration Additional revenue stream 3

E-Commerce Steps l Attract prospects to your site » Positive online experience » Value

E-Commerce Steps l Attract prospects to your site » Positive online experience » Value over traditional retail l Convert prospect to customer » Provide customized services » Online ordering, billing and payment l Keep them coming back » Online customer service » Offer more products and conveniences Maximize revenue per sale 4

E-Commerce Participants 5

E-Commerce Participants 5

E-Commerce Problems Snooper Unknown customer Unreliable Merchant 6

E-Commerce Problems Snooper Unknown customer Unreliable Merchant 6

E-Commerce risks l Customer's risks » Stolen credentials or password » Dishonest merchant »

E-Commerce risks l Customer's risks » Stolen credentials or password » Dishonest merchant » Disputes over transaction » Inappropriate use of transaction details l Merchant’s risk » Forged or copied instruments » Disputed charges » Insufficient funds in customer’s account » Unauthorized redistribution of purchased items l Main issue: Secure payment scheme 7

E-Commerce Security l Authorization, Access Control: » protect intranet from hordes: Firewalls l Confidentiality,

E-Commerce Security l Authorization, Access Control: » protect intranet from hordes: Firewalls l Confidentiality, Data Integrity: » protect contents against snoopers: Encryption l Authentication: » both parties prove identity before starting transaction: Digital certificates l Non-repudiation: » proof that the document originated by you & you only: Digital signature 8

Encryption (shared key) m: message k: shared key - Sender and receiver agree on

Encryption (shared key) m: message k: shared key - Sender and receiver agree on a key K None else knows K K is used to derive encryption key EK & decryption key DK Sender computes and sends EK(Message) Receiver computes DK(EK(Message)) 9 Example: DES: Data Encryption Standard

Public key encryption m: message sk: private secret key pk: public key · Separate

Public key encryption m: message sk: private secret key pk: public key · Separate public key pk and private key sk · Private key is kept secret by receiver · Dsk(Epk(mesg)) = mesg and vice versa · Knowing Ke gives no clue about Kd 10

Digital signature Sign: sign(sk, m) = Dsk(m) Verify: Epk(sign(sk, m)) = m Sign on

Digital signature Sign: sign(sk, m) = Dsk(m) Verify: Epk(sign(sk, m)) = m Sign on small hash function to reduce cost 11

Signed and secret messages pk 2 m pk 1 Verify-sign Encrypt(pk 1) sign(sk 1,

Signed and secret messages pk 2 m pk 1 Verify-sign Encrypt(pk 1) sign(sk 1, m) Encrypt(pk 2) Epk 2(Dsk 1(m)) Decrypt(sk 2) First sign, then encrypt: order is important. 12

Digital certificates How to establish authenticity of public key? Register public key Download public

Digital certificates How to establish authenticity of public key? Register public key Download public key 13

Certification authority 14

Certification authority 14

E-Payments: Secure transfer l SSL: Secure socket layer » below application layer l S-HTTP:

E-Payments: Secure transfer l SSL: Secure socket layer » below application layer l S-HTTP: Secure HTTP: » On top of http 15

SSL: Secure Socket Layer l l Application protocol independent Provides connection security as: »

SSL: Secure Socket Layer l l Application protocol independent Provides connection security as: » Connection is private: Encryption is used after an initial handshake to define secret (symmetric) key » Peer's identity can be authenticated using public (asymmetric) key » Connection is reliable: Message transport includes a message integrity check (hash) l SSL Handshake protocol: » Allows server and client to authenticate each other and negotiate a encryption key 16

SSL Handshake Protocol l 1. Client "Hello": challenge data, cipher specs l 2. Server

SSL Handshake Protocol l 1. Client "Hello": challenge data, cipher specs l 2. Server "Hello": connection ID, public key certificate, cipher specs l 3. Client "session-key": encrypted with server's public key l 4. Client "finish": connection ID signed with client's private key l 5. Server "verify": client's challenge data signed with server's private key l 6. Server "finish": session ID signed with server's private key l Session IDs and encryption options cached to avoid renegotiation for reconnection 17

S-HTTP: Secure HTTP l l Application level security (HTTP specific) "Content-Privacy-Domain" header: » Allows

S-HTTP: Secure HTTP l l Application level security (HTTP specific) "Content-Privacy-Domain" header: » Allows use of digital signatures &/ encryption » Various encryption options l Server-Browser negotiate » Property: cryptographic scheme to be used » Value: specific algorithm to be used » Direction: One way/Two way security 18

E-Payments: Atomicity Money atomicity: no creation/destruction of money when transferred l Goods atomicity: no

E-Payments: Atomicity Money atomicity: no creation/destruction of money when transferred l Goods atomicity: no payment w/o goods and viceversa. l » Eg: pay on delivery of parcel l Certified delivery: the goods delivered is what was promised: » Open the parcel in front of a trusted 3 rd party 19

Anonymity of purchaser 20

Anonymity of purchaser 20

Payment system types l Credit card-based methods » Credit card over SSL l -

Payment system types l Credit card-based methods » Credit card over SSL l - First Virtual -SET Electronic Cheques » - Net. Cheque l Anonymous payments » - Digicash - CAFE l Micropayments l Smart. Cards 21

Encrypted credit card payment Set secure communication channel between buyer and seller l Send

Encrypted credit card payment Set secure communication channel between buyer and seller l Send credit card number to merchant encrypted using merchant’s public key l Problems: merchant fraud, no customer signature l Ensures money but no goods atomicity l Not suitable for microtransactions l 22

First virtual l l l l Customer assigned virtual PIN by phone Customer uses

First virtual l l l l Customer assigned virtual PIN by phone Customer uses PIN to make purchases Merchant contacts First virtual send email to customer If customer confirms, payment made to merchant Not goods atomic since customer can refuse to pay Not suitable for small transactions Flood customer’s mailbox, delay merchant 23

Cybercash l l l Customer opens account with cybercash, gives credit card number and

Cybercash l l l Customer opens account with cybercash, gives credit card number and gets a PIN Special software on customer side sends PIN, signature, transaction amount to merchant Merchant forwards to cybercash server that completes credit card transaction Pros: credit card # not shown to server, fast Cons: not for microtransactions 24

SET: Secure Electronic Transactions l Merge of STT, SEPP, i. KP l Secure credit

SET: Secure Electronic Transactions l Merge of STT, SEPP, i. KP l Secure credit card based protocol l Common structure: » Customer digitally signs a purchase along with price and encrypts in bank’s public key » Merchant submits a sales request with price to bank. » Bank compares purchase and sales request. If price match, bank authorizes sales l Avoids merchant fraud, ensures money but no goods atomicity 25

Electronic Cheques Leverages the check payments system, a core competency of the banking industry.

Electronic Cheques Leverages the check payments system, a core competency of the banking industry. l Fits within current business practices l Works like a paper check does but in pure electronic form, with fewer manual steps. l Can be used by all bank customers who have checking accounts l Different from Electronic fund transfers l 26

How does echeck work? l l l Exactly same way as paper Check writer

How does echeck work? l l l Exactly same way as paper Check writer "writes" the echeck using one of many types of electronic devices ”Gives" the echeck to the payee electronically. Payee "deposits" echeck, receives credit, Payee's bank "clears" the echeck to the paying bank. Paying bank validates the echeck and "charges" the check writer's account for the check. 27

Anonymous payments 5. Deposit token at bank. If double spent reveal identity and notify

Anonymous payments 5. Deposit token at bank. If double spent reveal identity and notify police 1. Withdraw money: cyrpographically encoded tokens customer merchant 3. Send token after adding merchant’s identity 4. Check validity and send goods 2. Transform so merchant can check validity but identity hidden 28

Problems with the protocol l Not money atomic: if crash after 3, money lost

Problems with the protocol l Not money atomic: if crash after 3, money lost » if money actually sent to merchant: returning to bank will alert police » if money not sent: not sending will lead to loss High cost of cryptographic transformations: not suitable for micropayments l Examples: Digicash l 29

Micropayments on hyperlinks l l HTML extended to have pricing details with each link:

Micropayments on hyperlinks l l HTML extended to have pricing details with each link: displayed when user around the link On clicking, browser talks to E-Wallet that initiates payment to webserver of the source site Payment for content providers Attempt to reduce overhead per transaction 30

 Micropayments: Net. Bill l l Customer & merchant have account with Net. Bill

Micropayments: Net. Bill l l Customer & merchant have account with Net. Bill server Protocol: » Customer request quote from merchant, gets quote and accepts » Merchant sends goods encrypted by key K » Customer prepares & signs Electronic Purchase Order having <price, crypto-checksum of goods> » Merchant countersigns EPO, signs K and sends both to Net. Bill server » Net. Bill verifies signatures and transfers funds, stores K and crypto-checksum and » Net. Bill sends receipt to merchant and K to customer 31

Recent micropayment systems Company Compaq IBM France Telecom Payment system Millicent Unique code mcent

Recent micropayment systems Company Compaq IBM France Telecom Payment system Millicent Unique code mcent IBM payment system Micrommerce mpay microm 32

Smartcards l l l 8 -bit micro, < 5 MHz, < 2 k RAM,

Smartcards l l l 8 -bit micro, < 5 MHz, < 2 k RAM, 20 k ROM Download electronic money on a card: wallet on a card Efficient, secure, paperless, intuitive and speedy Real and virtual stores accept them Less susceptible to net attacks since disconnected Has other uses spanning many industries, from banking to health care 33

Mondex l l l Smart card based sales and card to card transfers Money

Mondex l l l Smart card based sales and card to card transfers Money is secured through a password and transactions are logged on the card Other operation and features similar to traditional debit cards Card signs transaction: so no anonymity Need card reader everywhere Available only in prototypes 34

Summary l l l Various protocols and software infrastructure for ecommerce Today: credit card

Summary l l l Various protocols and software infrastructure for ecommerce Today: credit card over SSL or S-HTTP Getting there: » smart cards, » digital certificates l Need: » legal base for the entire ecommerce business » global market place for ecommerce 35

Electronic Commerce-Definition Using electronic methods and procedures to conduct all forms of business activity

Electronic Commerce-Definition Using electronic methods and procedures to conduct all forms of business activity including governance. 36

E-commerce 6 Cs & 6 Ps l l l Content Community Commerce Context Communication

E-commerce 6 Cs & 6 Ps l l l Content Community Commerce Context Communication Collaboration l l l Products Price Packaging Penetration Protection Pace 37

Electronic Commerce-Issues Technology Infrastructure Legal Management Security Trade, Scope & Coverage Impact on Economy

Electronic Commerce-Issues Technology Infrastructure Legal Management Security Trade, Scope & Coverage Impact on Economy 38

Infrastructure Power l Reliable communication l Environment l Human resource l Interface with suppliers

Infrastructure Power l Reliable communication l Environment l Human resource l Interface with suppliers and consumers l Faith, trust and ethics l Legal l 39

e-Law: Global Internet requires Global Laws l Industrial laws to be transformed to Information

e-Law: Global Internet requires Global Laws l Industrial laws to be transformed to Information Age l Laws to protect value protection and minimum ethics in Industrial practices when Government transforms itself to be a facilitator 40

Relationship between Information Technology and Economy Information Technology and Paradigm Shift of Economy Agricultural

Relationship between Information Technology and Economy Information Technology and Paradigm Shift of Economy Agricultural Society Knowledge and Information-based Society Industrial Society Labor Farmer Intermediate Resource Knowledge Land Farm Product Value -Added Rate Energy Product Site Factory Informatization Main Resources Industrialization Rate of Yields Product Knowledge Worker White Collar Worker Energy Rate of Transformation from Information to Knowledge Information Knowledge Research Institute, University Farm 41

Ontological issues l Definition » What is electronic money ? – – » Relative

Ontological issues l Definition » What is electronic money ? – – » Relative to traditional money Relative to traditional electronic money l Continuity or upheaval ? What should be the basis of definition – – Purpose l What do you buy ? Payment system l How do you pay ? 42

Technology l Hardware l Software l Firmware l Communication & Networks l Security l

Technology l Hardware l Software l Firmware l Communication & Networks l Security l Smart Cards 43

Role of Technology lower transaction costs l reducing asymmetric information l 24 -hour trading

Role of Technology lower transaction costs l reducing asymmetric information l 24 -hour trading l borderless global trading network l improve market efficiency l 44

Technology Hype Cycle 45

Technology Hype Cycle 45

Internet Commerce Opportunities Direct Marketing, Selling & Service Brand Development Direct Selling Customer Service

Internet Commerce Opportunities Direct Marketing, Selling & Service Brand Development Direct Selling Customer Service Corporate Purchasing Employee self-service purchasing from suppliers (indirect goods) Value Chain Establish process linking with trading partners (direct goods) Financial Services Online bill payment, investment services and banking 46

Smart card Technology 47

Smart card Technology 47

Smart cards =>Micro e-commerce Smart cards in e-banking l Smart cards in e-transportation l

Smart cards =>Micro e-commerce Smart cards in e-banking l Smart cards in e-transportation l Smart cards in e-identification l Smart cards in e-logistics business l Smart cards in e-personal health care business l Smart cards in e-insurance l 48

Smart Card Issues Interoperability l Selection of Operating System l Smart Chip supplier l

Smart Card Issues Interoperability l Selection of Operating System l Smart Chip supplier l Card manufacturer and Integrator l Application software l Multi Application Support l National & Global Usage l 49

International Concerns l l l Limited chip and card suppliers(Cost and capacity restriction) Interoperability

International Concerns l l l Limited chip and card suppliers(Cost and capacity restriction) Interoperability between various cards and terminal systems Europe’s effort in EMV 2000 specs CEPS effort by visa? Limitation in Multi application support Card remote update and load and delete applications 50

Barriers to E-commerce l l l l An Effective payment mechanism User Identification and

Barriers to E-commerce l l l l An Effective payment mechanism User Identification and Authenticity Bandwidth Local phone charges Import/Export issues for physical goods delivery Search engine overload Fear of distribution of today’s Good-distribution model 51

E-COMMERCE -SECURITY THREATS l l SPOOFING BY creating illegitimate sites UNAUTHORISED DISCLOSURE-intercept transmissions on

E-COMMERCE -SECURITY THREATS l l SPOOFING BY creating illegitimate sites UNAUTHORISED DISCLOSURE-intercept transmissions on customers’ sensitive information UNAUTHORIZED ACTION- alter original website so that it refuses services to potential clients DATA ALTERATION- TRANSACTION ALTERED ENROUTE EITHER MALICIOUSLY OR ACCIDENTALLY. 52

SEMANTIC ISSUES CERTIFICATION What is certification; what does TECHNOLOGICAL ISSUES How is certification achieved?

SEMANTIC ISSUES CERTIFICATION What is certification; what does TECHNOLOGICAL ISSUES How is certification achieved? it denote and mean? How are the prerequisites and context for certification established? What are the principal concepts and elements of certification What is it you are certifying? (Object of certification) What additional concepts and notions are expressed and implied by certification? Certification with respect to what? (Business for certification) What is the Intent of the certification; what is it you are trying to do in certifying something? What relation must exist for certification? (Object/basis relation) ADMINISTRATIVE ISSUES What activities/decisions are prerequisite for certification? Who does the certification? Who is the recipient of the certification? How and when is certification to be conducted? What is the significance of the certification for the certifier? What is the significance of the certification for the recipient? Why certify? 53

Delivering Security Services l l A Merger of Technological and legal view points. Consists

Delivering Security Services l l A Merger of Technological and legal view points. Consists of Confidentiality. Exclusive Knowledge Authentication of sender-Who? l l Data Integrity-What were the contents? Time stamp- when the message was sent? Non-repudiation-Blocks False denial of (a) Sending the message (b) contents of the message 54

References l l l State of the art in electronic payment systems, IEEE COMPUTER

References l l l State of the art in electronic payment systems, IEEE COMPUTER 30/9 (1997) 28 -35 Internet privacy - The quest for anonymity, Communications of the ACM 42/2 (1999) 28 -60. Hyper links: » http: //www. javasoft. com/products/commerce/ » http: //www. semper. org/ » http: //www. echeck. org/ » http: //nii-server. isi. edu/info/Net. Cheque/ » http: //www. ec-europe. org/Welcome. html/ » http: //www. zdnet. com/icom/e-business/ 55