E-Commerce Essentials 121

Notes

Unit 5: E-Commerce Essentials

Structure:
5.1 Electronic Data Interchange (EDI)
5.1.1 The Business of EDI
5.2 EDI Hardware and Software
5.2.1 The Tools of EDI
5.2.2 EDI Standards
5.2.3 EDI without Standards
5.2.4 Development of Standards Committees
5.2.5 National and International Standards Bodies
5.3 EDI Software
5.4 EDI Hardware Platforms
5.5 Computer Networks
5.5.1 Characteristics of a Computer Network
5.5.2 Network Cables
5.5.3 Distributors
5.5.4 Router
5.5.5 Network Card
5.5.6 Universal Serial Bus (USB)
5.6 Web Servers
5.6.1 Web Server Architecture
5.7 Types of EPS
5.7.1 Credit Card
5.7.2 Debit Card
5.7.3 Smart Card
5.7.4 E-Money
5.7.5 Electronic Fund Transfer
5.8 PayPal
5.9 Summary
5.10 Check Your Progress
5.11 Questions and Exercises
5.12 Key Terms
5.13 Check Your Progress: Answers
5.14 Case Study
5.15 Further Readings

Objectives
After going through this unit, you should be able to know:
● What is EDI?

Amity Directorate of Distance and Online Education

122 Web-Enabled Business Processes

Notes ● Advantages of EDI

● Standard means of communication
● EDI Documents
● Steps in an EDI System
● A Case Study based on this Unit

5.1 Electronic Data Interchange (EDI)

Electronic Data Interchange (EDI) is the computer-to-computer exchange of
business documents in a standard electronic format between business partners.
By moving from a paper-based exchange of business document to one that is
electronic, businesses enjoy major benefits such as reduced cost, increased processing
speed, reduced errors and improved relationships with business partners.
Each term in the definition is significant:
1. Computer-to-computer: EDI replaces postal mail, fax and e-mail. While
e-mail is also an electronic approach, the documents exchanged via e-mail
must still be handled by people rather than computers. Having people involved
slows down the processing of the documents and also introduces errors.
Instead, EDI documents can flow straight through to the appropriate application
on the receiver’s computer (e.g., the Order Management System) and
processing can begin immediately. A typical manual process looks like this,
with lots of paper and people involvement:

The EDI process looks like this — no paper, no people involved:

Amity Directorate of Distance and Online Education

E-Commerce Essentials 123

Notes

2. Business documents: These are any of the documents that are typically
exchanged between businesses. The most common documents exchanged via
EDI are purchase orders, invoices and advance ship notices. But there are
many, many others such as bill of lading, customs documents, inventory
documents, shipping status documents and payment documents.
3. Standard format: Because EDI documents must be processed by computers
rather than humans, a standard format must be used so that the computer will
be able to read and understand the documents. A standard format describes
what each piece of information is and in what format (e.g., integer, decimal,
mm-dd-yy). Without a standard format, each company would send documents
using its company-specific format and, much as an English-speaking person
probably doesn’t understand Japanese, the receiver’s computer system
doesn’t understand the company-specific format of the sender’s format.
● There are several EDI standards in use today, including ANSI, EDIFACT,
TRADACOMS and ebXML. And, for each standard, there are many
different versions, e.g., ANSI 5010 or EDIFACT version D12, Release A.
When two businesses decide to exchange EDI documents, they must
agree on the specific EDI standard and version.
● Businesses typically use an EDI translator – either as in-house software or
via an EDI service provider – to translate the EDI format so the data can
be used by their internal applications and thus enable straight through
processing of documents.
3. Business partners: The exchange of EDI documents is typically between two
different companies, referred to as business partners or trading partners. For
example, Company A may buy goods from Company B. Company A sends
orders to Company B. Company A and Company B are business partners.

5.1.1 The Business of EDI

The Need for Speed and Accuracy

To remain competitive in today’s global economy, businesses are being forced to
re-evaluate the way they do business with their customers and their vendors. The focus
of these relationships has moved relentlessly towards greater speed through shorter
transaction cycles.
At the same time, however, there is a growing emphasis on flexibility, in being able
to respond quickly to changes in consumer preference and demand. These two factors,
together with the necessity of delivering high quality products to gain and maintain
customer loyalty, while keeping rigidly controlling and/or reducing costs, define the
significant challenge of business in the future.
With the dramatic increases in price/performance of computer technology, the
impact of some of the drawbacks that led to limited implementation of EDI are being

Amity Directorate of Distance and Online Education

124 Web-Enabled Business Processes
reduced. What used to require mainframe power (and specially conditioned
Notes
environments) can now be handled on computers that fit conveniently on or under the
desk, and can operate in the office, warehouse, or production floor.
There is a similar revolution going on in the software industry. The elapsed time
from conception to deployment of new software is being dramatically reduced through
the implementation of object-oriented software design, increasingly powerful 4GL
development tools, and rapid application development techniques. Software developers
can now produce packages that can run on a variety of hardware platforms, allowing
them to concentrate on delivering greater functionality and flexibility to their core
packages, rather than spending precious development time and dollars on customization
for a specific platform.

Opportunities
This revolution in hardware speed, power and flexibility, combined with an
increasingly robust selection of high-quality software products allows business to get a
substantially higher return for each dollar they invest in computer technology. It has
allowed business to solidify the information needs of their internal processes.
Even with dramatic improvements in internal processes, progress can come to a
screeching halt if the supply and distribution chain is not similarly enhanced. So as the
internal processes have been put under control, it has also forced management to focus
on opportunities in their customer and supplier relationships – the areas of traditional EDI
are ignored.
So, the revolution in computer technology has led to another revolution: the
replacement of dictatorial or adversarial relationships between customers and suppliers,
with information partnerships. In fact, for some time in the lexicon of EDI, two businesses
engaged in electronic trading of information have been referred to as “trading partners”.
The problem was that it took management a long time to realize that partnership had
to extend much further than just agreeing to trade electronic versions of paper
documents. By breaking down the adversarial barriers between vendors and customers,
another order of magnitude increase in speed and flexibility could be introduced.
The true value of EDI, and the significant return on the technology investment,
comes when business can begin to trade or share core information. The traditional
scenario of EDI implementation painted a picture where commonly used paper
documents were replaced by electronic versions of the same documents. Purchase
orders, shipment notifications, invoicing, and accounts payable began to participate in
the process.
Now, visualize the same scenario between a hypothetical distributor of automotive
parts, called Fast Part, and its retail outlets and suppliers.
Fast Part receives regular daily updates from all of its retailer outlets, transmitted
directly from the Point of Sale registers. An up-to-the-minute inventory balance for its
retail stores and distribution warehouses is maintained. On a nightly basis, inventory
consumption of each supplier’s products is transmitted directly to the manufacturers.
The manufacturer of a key component reviews the inventory consumption and
identifies an increase in demand in one region. Accordingly, they adjust their production
schedules at a local plant to meet that demand. At the same time, they electronically
schedule transportation to pick up shipments and notify their Fast Part of expected
shipping dates, quantities, and carriers.
For larger shipments, the manufacturer has agreed to ship directly to the retail outlet,
rather than to Fast Part’s distribution centers. As the item is produced, some of it is

Amity Directorate of Distance and Online Education

E-Commerce Essentials 125

packaged as per the specifications for shelf-stocking and labelling specifications, while
Notes
other portions of the shipment are packaged for bulk storage. As each shipment is loaded
onto the carrier, the containers are scanned or otherwise automatically identified to verify
the accuracy of the order. Shipping documents are then transmitted to Fast Part, and an
electronic invoice is sent.
As Fast Part receives the electronic shipment notification, warehouse, routing
tickets for the material are prepared in advance. Some material will be identified as
needed for immediate shipment, and in order to expedite movement of this material,
shipping labels will already be prepared, and outbound shipments will be scheduled.
When the shipment is received, it is scanned and routed automatically. Material
scheduled for shipment is cross-docked, and the rest is delivered to pre-assigned
inventory locations. Inventory is automatically updated, and the receipt triggers a
payment authorization, which is sent to the central office. When the authorization is
matched with the electronic invoice, an automatic funds transfer is authorized.
One must keep in mind that in the scenario described above; Fast Part is both a
customer and a supplier. So on the outbound side of the process, moving material from
the distribution center to the retail outlets; Fast Part can apply the same steps.
As Fast Part receives Point of Sale information, it will automatically schedule
replenishment of the inventory consumed. Rather than shipping in “replenishment units”
based on each store’s basic operation shelf-stock quantity, Fast Part will replace exact
quantities, adjusting them based on known inventory trends.
Shipment notifications will be sent to the retail outlets, and in the same manner that
the vendors drop-shipped to retail outlets, the distribution center can place orders for
large customers that can be shipped directly to the customer.
All of these steps are achievable and go a long way to defining the current
environment of Electronic Commerce using EDI as an enabling technology.
This example has used a basic vendor/distributor/customer relationship. Another
example from the food brokerage industry serves to highlight the changes this enabling
technology has made possible, and the extent to which document trading partnerships
have become true business partnerships:
● A manufacturer receives a large order and makes adjustments to their master
production schedule. The production schedule updates for key components are
sent to the vendors. The vendors adjust their own production schedules and
confirm shipping dates and quantities to support the manufacturer’s new
production schedule. During the manufacturing process, product defect data is
collected and transmitted to the vendor on a daily basis, allowing the vendor to
keep its process within the required statistical limits for free-to-stock
certification of the material.
● A customer in a retail outlet asks about an out-of-stock item. From the cash
register, the clerk finds it in a store on the other side of town. Rather than ask
the customer to travel to the other store, the clerk reserves the material, and
schedules a delivery of the item that afternoon. Within minutes, the clerk
advises the customer that the item can be available at a specific time.
● A customer calls a frozen food delivery service and orders eight items, to be
delivered that afternoon. A delivery truck, already on its route can fill the order
with items already on the truck. With a small handheld unit, the driver calls up
the order, and a printed invoice is generated. When the driver returns to the
truck, the transaction is communicated to his office where a credit card
transaction is sent.

Amity Directorate of Distance and Online Education

126 Web-Enabled Business Processes
These are just a few examples of how companies can add speed and efficiency to
Notes
their businesses by entering into information partnerships with their customers and
suppliers. And without it, it is difficult to imagine how they will achieve the levels of cost
savings, quality, flexibility, and customer satisfaction necessary for survival in the
competitive global marketplace.
An EDI document is comprised of data elements, segments and envelopes that are
formatted according to the rules of a particular EDI standard.
When you create an EDI document, such as a purchase order, you must adhere to
the strict formatting rules of the standard you are using. These rules define exactly where
and how each piece of information in the document will be found. That way, when the
EDI translator on the receiving computer reads an incoming EDI purchase order, it will
immediately understand where to find the buyer’s company name, the purchase order
number, the items being ordered, the price for each item, etc. Then, that data will be fed
into the receiver’s order entry system in the proper internal format without requiring any
manual order entry.
The graphic below shows a sample purchase order in printed form and how it would
look once it’s translated into the ANSI and EDIFACT EDI formats.

In the EDI language, a single business document, such as a purchase order, invoice
or advance ship notice, is called a “transaction set” or “message.” And, a transaction set
is comprised of data elements, segments and envelopes.
There are three steps to sending EDI documents: (1) Prepare the documents,
(2) Translate the documents into EDI format and (3) Transmit the EDI documents to your
partner.

Step 1: Prepare the documents to be sent

The first step is to collect and organize the data. For example, instead of printing a
purchase order, your system creates an electronic file with the necessary information to

Amity Directorate of Distance and Online Education

E-Commerce Essentials 127

build an EDI document. The sources of data and the methods available to generate the
Notes
electronic documents can include:
● Human data entry via screens
● Exporting PC-based data from spreadsheets or databases
● Reformatted electronic reports into data files
● Enhancing existing applications to automatically create output files that are
ready for translation into an EDI standard
● Purchasing application software that has built-in interfaces for EDI files

Step 2: Translate the documents into EDI format

The next step is to feed your electronic data through translator software to convert
your internal data format into the EDI standard format using the appropriate segments
and data elements. You can purchase EDI translation software that you manage and
maintain on your premises. This requires specialized mapping expertise in order to
define how your internal data is to be mapped (i.e., correlated) to the EDI data.
Translation software is available to suit just about any computing environment and
budget, from large systems that handle thousands of transactions daily to PC-based
software that need only process a few hundred transactions per week.
Alternatively, you can use the translation services of an EDI service provider. In that
case, you send your data to the provider, who handles translation to and from the EDI
format on your behalf.

Step 3: Connect and transmit your EDI documents to your business partner
Once your business documents are translated to the appropriate EDI format, they
are ready to be transmitted to your business partner. You must decide how you will
connect to each of your partners to perform that transmission. There are several ways,
the most common of which include: (1) to connect directly using AS2 or another secure
internet protocol, (2) connect to an EDI Network provider (also referred to as a VAN
provider) using your preferred communications protocol and rely on the network provider
to connect to your business partners using whatever communications protocol your
partners prefer, or (3) a combination of both, depending on the particular partner and the
volume of transactions you expect to exchange.

Amity Directorate of Distance and Online Education

128 Web-Enabled Business Processes

Notes Paper-based vs. EDI Transaction Process

A common business process is the exchange of purchase orders and invoices. So,
let’s compare how this is done using paper or EDI.
In the paper-based method, the following process typically occurs:
● The inventory system automatically notifies the buyer to place an order, or,
after querying the inventory system, the buyer determines that an order needs
to be created.
● The buyer enters data onto the screen of a purchasing system to create the PO,
prints and mails it.
● After several days, the vendor receives the PO and manually enters it into the
sales order system.
● The vendor prints an invoice and encloses it with the shipment and/or sends it
separately by mail.
● The buyer manually enters the invoice into the Accounts Payable system.
The exchange of paper documents can add a week to the process. If there are
errors caused by manual data entry, the time can be greatly increased.
Now compare that with the EDI process:
● The buyer’s procurement system, which utilizes EDI software, automatically
generates and sends an EDI-formatted PO when inventory reaches the critical
level.
● Within minutes, the vendor’s sales order system, utilizing EDI software,
receives the EDI PO, notifies the shipping department to ship the goods and
generates an EDI invoice to be transmitted directly to the buyer’s accounts
payable system
The EDI process can be completed within hours.

Benefits of EDI
EDI continues to prove its major business value by lowering costs, improving speed,
accuracy and business efficiency. The greatest EDI benefits often come at
the strategic business level.
According to a recent research study from Forrester, EDI continues to prove its
worth as an electronic message data format. This research states that “the annual
volume of global EDI transactions exceeds 20 billion per year and is still growing.” For
buyers that handle numerous transactions, using EDI can result in millions of dollars of
annual savings due to early payment discounts. From a financial perspective alone, there
are impressive benefits from implementing EDI. Exchanging documents electronically
improves transaction speed and visibility while decreasing the amount of money you
spend on manual processes. But cost savings is far from the only benefit of using EDI.
But let’s start with cost savings anyway:
● Expenses associated with paper, printing, reproduction, storage, filing, postage
and document retrieval are all reduced or eliminated when you switch to EDI
transactions, lowering your transaction costs by at least 35%.
● A major electronics manufacturer calculates the cost of processing an order
manually at $38 compared to just $1.35 for an order processed using EDI.
● Errors due to illegible faxes, lost orders or incorrectly taken phone orders are
eliminated, saving your staff’s valuable time from handling data disputes

Amity Directorate of Distance and Online Education

E-Commerce Essentials 129

The major benefits of EDI are often stated as speed and accuracy:
Notes
● EDI can speed up your business cycles by 61%. Exchange transactions in
minutes instead of the days or weeks of wait time from the postal service.
● Improves data quality, delivering at least a 30-40% reduction in transactions
with errors—eliminating errors from illegible handwriting, lost faxes/mail and
keying and re-keying errors.
● Using EDI can reduce the order-to-cash cycle time by more than 20%,
improving business partner transactions and relationships.
However, the increase in business efficiency is also a major factor:
● Automating paper-based tasks allows your staff to concentrate on higher-value
tasks and provides them with the tools to be more productive.
● Quick processing of accurate business documents leads to less reworking of
orders, fewer stock outs and fewer cancelled orders
● Automating the exchange of data between applications across a supply chain
can ensure that business-critical data is sent on time and can be tracked in real
time. Sellers benefit from improved cash flow and reduced order-to-cash
cycles.
● Shortening the order processing and delivery times means that organizations
can reduce their inventory levels.
In many cases, the greatest EDI benefits come at the strategic business level:
● Enables real-time visibility into transaction status. This in turn enables faster
decision-making and improved responsiveness to changing customer and
market demands, and allows businesses to adopt a demand-driven business
model rather than a supply-driven one.
● Shortens the lead times for product enhancements and new product delivery.
● Streamlines your ability to enter new territories and markets. EDI provides a
common business language that facilitates business partner on boarding
anywhere in the world.
● Promotes corporate social responsibility and sustainability by replacing
paper-based processes with electronic alternatives. This will both save you
money and reduce your CO2 emissions.

5.2 EDI Hardware and Software

5.2.1 The Tools of EDI

This section will review broadly the various types of “tools” required to implement
EDI in a business. Since the range of software, hardware and service providers is
extensive, a discussion of these areas can only provide the reader with an appreciation
of the major standards, hardware, software, and communication options that may be
open to them or from which choices may be made.

5.2.2 EDI Standards

The need for definition of and adherence to standards is paramount in assuring
successful EDI. Without an agreed upon set of standards, EDI would be unworkable from
the start. There is a comprehensive set of public standards that define the syntactical
requirements for a wide variety of EDI transaction types, so that virtually any business
need can be addressed within the guidelines of an internationally accepted set of
standards.

Amity Directorate of Distance and Online Education

130 Web-Enabled Business Processes

Notes 5.2.3 EDI without Standards

Companies have been exchanging data electronically for over three decades.
Before the existence of national and international standards, companies wishing to
exchange information were left pretty much to themselves to determine mutually
acceptable formats for the interchange of data. This resulted in the emergence of
de facto standards defined by those companies with the financial clout to impose the
requirement for data interchange on their suppliers or customers. They essentially
dictated the terms under which electronic trading would take place.
While this did provide some semblance of standards, real problems arose when
equally stubborn partners with proprietary standards collided with each other. The
consequence of such contention was that the smaller or newer players in the EDI
marketplace were forced to observe a variety of conventions, depending on who the
recipient of the information was to be. Confusion aside, an inevitable consequence was
increased cost for EDI implementation.

5.2.4 Development of Standards Committees

As the various proprietary standards collided in the marketplace, the gradual result
was the development of industry interest groups formed to try to reduce the chaos and
confusion to manageable levels. The first was the Transportation Data Coordinating
Committee, whose interest area was the standardization of the transactions required for
trade and transportation. Other groups have addressed specific needs in such areas as
the food services industry, the banking industry, and the automotive industry.

5.2.5 National and International Standards Bodies

Beginning in the late 1980s, many of these standards bodies began to consolidate
their separate standards under the auspices of the American National Standards Institute.
All major American EDI transaction groups are now covered under the general umbrella
of the Accredited Standards Committee, (ASC), and are referred to as the X12 group of
standards.
The ASC X12 Standards apply only for the United States. However, more and more
companies are required to participate in the international exchange of electronic data.
The increasingly global extent of many business enterprises requires that companies
may have to at least be aware of the other major standards groups. These include,
naming a few, SCC/JTC EDI in Canada, SITPRO in the United Kingdom, and DIN in
Germany.
The United Nations has provided a forum to provide a single set/common set of
international standards, under the general authority of the United Nations EDIFACT
(Electronic Data Interchange for Administration, Commerce and Transport) Group. ASC
X12 has formal input into this process.

5.3 EDI SOFTWARE

Obviously, EDI cannot be undertaken without software, or a service that will provide
for the use of the software. For EDI users, there is a broad range of options available,
whether for low-cost first-time implementation or for the integration of EDI into a
comprehensive portfolio of existing software.
This review will be directed largely towards the options available for EDI translation
software. It will provide a broad overview of the software options a business might wish to
consider as they introduce new or enhance existing EDI capabilities. A discussion of

Amity Directorate of Distance and Online Education

E-Commerce Essentials 131

options or requirements for software to collect data internally is outside the scope of this
Notes
study.

In-house Development
Definition, design and development of computer software are an expensive and
time-consuming process. The ready availability of commercial third-party packages will
generally dictate against the internal development of in-house translation packages,
since the annual cost of software licensing for third-party software will be substantially
less than the cost of developing and maintaining packages internally. In addition, the time
required for internal software development will extend appreciably the time it will take to
deploy an EDI package.
This does not say that internal development is out of the question. There may be
compelling reasons for developing a translation package internally. If the Fast Part
Company owned or controlled its distribution and retail outlets, it could be cost-effective
to create a customized EDI package tailored specifically to the company’s distribution
needs. The major drawback to such an approach is that implementation of new
transaction types will require additional development not only within the internal systems,
but within the EDI translation software.

Custom Packages
If Fast Part wished to introduce EDI into their supplier relationships but found that a
large number of their vendors had no EDI capability, an effective way for Fast Part to gain
a high level of subscription might be to provide a low-cost customized translation
package to those customers which contained only those transaction sets that Fast Part
wished to utilize. If Fast Part wished to add new transaction sets, these could be provided
to partners as upgrades, or as low-cost enhancements, on a per-transaction basis.
This option can also prove to be cost-effective for a company that is already fully
committed to trading partnerships with its major suppliers, but is having difficulty
achieving complete coverage with the smaller suppliers. The cost to Fast Part might be
justifiable if it allowed them to convert a small handful of remaining traditional suppliers to
electronic relationships. As Fast Part becomes more and more committed to exclusively
electronic partnerships, the cost of retaining tradition suppliers will increase, and it might
at that point be cost-effective to offer such a packaged option to its traditional suppliers
as an encouragement to covert.

Third Party Packages

With the continuing growth of EDI has also come the growth of a comprehensive
library of EDI translation software packages with price tags that range from very
inexpensive to significant. The scope of these packages ranges from modest PC-based
translator packages to large-scale systems for proprietary minicomputers and
mainframes complete with embedded communications features, and job and
transmission scheduling capability. Basically, a package can be found for just about
every budget.
Third party translation packages offer several advantages over in-house
development:
● Comprehensive standards coverage: Most third party translation packages
embrace at a minimum all the ANSI X.12 standards. So, if a company decides
to add more functions to their EDI capability, the transaction sets are already
available.
● Cost-effectiveness: The cost of a package is significantly less than would be
the cost for in-house development.
Amity Directorate of Distance and Online Education
132 Web-Enabled Business Processes
● Reduced maintenance: Ongoing software maintenance costs will be less than
Notes
in-house cost of software maintenance. Most third party packages will be
updated either as a part of the annual maintenance cost, or for a nominal fee.
So, additions to standard transaction sets will be received on a regular basis.

Integrated Solutions
If Fast Part is purchasing software to upgrade their information management
systems, management should certainly include EDI capability as an important point in
their evaluation criteria. They should look for packages that already contain an EDI
translation module, or at minimum, provided for preparing output files for a translation
module from a third party. Any EDI capability should meet not only current but planned
needs. If the Fast Part MIS department has to go back to the software vendor with a
costly enhancement request every time a new EDI process is added, they will find their
expansion requirements needlessly constrained both by cost and by the developer’s
schedule.

5.4 EDI HARDWARE PLATFORMS

Before the widespread availability and acceptance of PCs and UNIX workstations,
companies were pretty much bound by their existing proprietary hardware base. This
dictated that EDI be implemented on whatever hardware was available and choice of
software was severely limited by hardware options. If the company operated on a
hardware platform for which many software packages could be obtained, there was little
problem in finding an acceptable EDI solution.
However, if the hardware was old or manufactured by a company with small market
presence, it could very well mean that no EDI software could be found that would run on
the system. The alternatives in this situation were fairly well limited to in-house
development for the existing platform, or acquisition of different hardware, with all the
attendant problems of interoperability between two different proprietary systems. Value
Added Networks can also be of assistance with this problem, since some offer all the
features of EDI software ‘on the network’ by using their own computers to provide the EDI
software. In this case, it is only necessary to gain access to the VAN via standard
communications software and allow the VAN to do all the EDI functions and translation.
Fortunately, the options are considerably more flexible today. EDI options can be
found for the complete spectrum of hardware, from small P’s to large mainframes.
Because of the relatively low cost of implementing PC or workstation solutions, hardware
options no longer constrain selection of software. In fact, it is difficult to discuss hardware
options without considering software, as the reader will see from the following discussion.

Personal Computers
The business seeking to implement EDI for the first time probably already has a PC
that can be used to run an EDI translation package and communications software. In
addition, even if such hardware is either not available, or is outdated, it can be obtained
at a relatively small cost. The principal requirements for installing most PC-based
packages are not any more demanding than today’s word processing or spreadsheet
packages.

Proprietary Systems
For companies that remain committed to a specific hardware platform, how limited
their EDI choices are will be determined by the specific hardware. If the hardware
manufacturer has a fairly large market presence, the chances are good that a package

Amity Directorate of Distance and Online Education

E-Commerce Essentials 133

can be found to run on that hardware. But if the hardware platform is one for which there
Notes
is little commercial software available, the selection is likely to be very limited.
For software packages designed specifically for proprietary hardware, the price tag
is likely to be significantly higher than for an equivalent package designed for a UNIX
workstation, because of the more limited market and the more specialized technical
expertise required. Also this disparity can be expected to grow, because as RISC-based
open systems computers have gained popularity. Many software vendors are turning
from strictly proprietary software to development of packages that will run under the UNIX
operating system on a variety of RISC platforms with only minor modifications and
differences.

RISC/UNIX Systems
RISC (Reduced Instruction Set Computing) computers, because of their power,
have put mainframe computing in a PC-sized package. They have gained popularity for
client-server applications where a local PC will contain a software package that access
remote databases.
Another feature of the RISC/UNIX systems is their “open architecture” design. Open
Architecture for the EDI user means that the data on the system can be much more
easily shared with software on other platforms through standardized file access
protocols.
These UNIX systems are available in a wide range of configurations that span the
performance spectrum. At the low end, the platforms are comparable in power to the
larger PCs, with the added advantage of supporting multiple users. At the high end, they
compare favourably to mainframe capability.
This has helped companies that previously had difficulty finding third party packages.
With widely available UNIX based packages, EDI solutions can be easily integrated into
their existing hardware environment.

EDI Communications
The last major component of the EDI tool set is communication capability. This
aspect of EDI has evolved from one of the most unmanageable and complex to one of
the easiest to cope with. Where the EDI trading partner is faced with too many choices in
the areas of software and hardware, the evolution of the “Value Added Network” or VAN
service industry has greatly simplified the range of reasonable choices for
telecommunications options and other Electronic Commerce capabilities.
Early pioneers in EDI were faced with technically complicated and costly choices
when it came to communicating their trading partners. So, early use of EDI tended to be
within rather than between companies, and was limited to those who could afford to
develop and maintain extensive internal electronic networks.

Single User Communication

Single user point-to-point networking is a workable option for an EDI user, provided
that they are not expecting to deal with more than a few trading partners. Single user
connections can be as simple as a PC with a modem, or can rely on dedicated phone
lines. Many companies, in their first trading partnership, chose this option because it is,
for limited use, the quite cost-effective.
This means of exchanging electronic data quickly loses its charm as more trading
partnerships are developed. Suppose that Fast Part has no electronic trading partners.
One of their key suppliers requests that they begin placing purchase orders electronically
and provided Fast Part with specialized PC software and modem access to transmit

Amity Directorate of Distance and Online Education

134 Web-Enabled Business Processes
orders. While Fast Part may not particularly care for this arrangement, it may be a
Notes
pre-requisite to maintaining a business relationship with the supplier.
Now, imagine Fast Part a year later with a dozen different packages of software: a
dozen different ways to enter orders, and a dozen different modem transmission
schedules to observe. Very quickly, this scenario becomes a major management issue.

Proprietary Networks
Let’s examine a slightly different scenario where Fast Part is the company
promoting EDI. In this situation, assume that Fast Part already has a fairly extensive
private network in place for exchanging data with their retail outlets. If they wish to
encourage suppliers to link electronically with them, they understand that they must
provide some sort of assistance to many of their suppliers.
Fast Part chooses to integrate their suppliers into their private network. While this
may seem at first glance to be a sound option, Fast Part will probably be in for a rude
awakening as they discover some of the drawbacks of maintaining a service network for
their suppliers.
● Cost: The cost maintaining and supporting the network will fall largely on Fast
Part. They can pass on only a limited portion of the actual cost of the network.
● Security: By allowing access to their private network, Fast Part must develop
sophisticated security controls to prevent users from entering their systems
and obtaining critical data.
● Maintenance: Fast Part must now be able to provide network support to a
much larger number of users. As their business turns more and more to
electronic information exchange, the viability of their business depends more
heavily on the availability of the network.
● Redundancy: While it might be possible for Fast Part retailers to be cut off
because of a network failure, they cannot now afford the possibility that paying
customers will be without service. A network failure could result in lost business,
so redundancy must be built in. Also, now Fast Part must be in the business of
providing customer service to their suppliers.

Value-added Networks
Fortunately, Fast Part has a viable and cost-effective alternative to either of the two
examples described above. The solution lies in the Value-added Network, which grew
directly out of the growth of private networks. Some companies that developed large
internal networks saw the potential market opportunity in providing such services to
external customers. This opportunity developed into a unique service industry – the
“Value-added Network” service provider, or VAN.
What would have become a serious overhead burden to the Fast Part Company as
it extended its private network becomes an asset to the user of the VAN.
● Cost: The cost of using a VAN is relatively cheap. While billing methodologies
differ from one VAN to another, subscribers will typically pay per-transaction
charges, and a pro-rated charge based on data volume. While it is somewhat
more expensive than postage, a cost-benefit analysis that figures in reduced
handling costs and the cost-avoidance of alternate methods of network
communication will certainly find that VAN services are reasonably priced.
● Security: Security is provided, because access to a VAN allows the user to
send and receive information only to and from their own electronic mailbox.
The VAN handles all transfer of information from the sender’s mailbox into the
receiver’s mailbox, isolating the two entities completely. Fast Part need have

Amity Directorate of Distance and Online Education

E-Commerce Essentials 135

no concerns that a supplier will gain access to their systems and be able to
Notes
electronically snoop through their internal data files.
● Maintenance and redundancy: Fast Part does not have to worry about any
network maintenance. If a telephone line is down, either the VAN or the phone
company will provide alternative service.
● Accountability: By subscribing to the service of a VAN, Fast Part will be able
to quantify explicitly their networking costs. While billing services vary, most
VANs provide detailed breakdowns of billing charges, in much the same way
that credit card companies provide similar services to their corporate accounts.
● Additional benefits: VANs can also provide ‘on the network’ translation when
EDI software is too expensive or unavailable. The support of experienced EDI
VAN personnel, both for implementation and continuing operations should not
be minimized. Full service EDI and Electronic Commerce specialists such as
GE Information Services provide extensive capabilities and support on a global
basis for their customers.

Processing the Electronic Documents

For a large manufacturer, their vendor base will surely range from large corporations
with sophisticated application systems, to small “mom-and-pop shops” with only a
modem and a PC. The vendor with a highly automated process may process the
information directly into their applications and act upon it without intervention. The small
business may do little more than print reports. In either case, and regardless of the scale,
EDI can be successfully implemented. The final step in the process may be to transmit an
acknowledgment transaction back to the vendor to close the loop.

Implementing EDI
This review of EDI has stressed the numerous advantages of employing electronic
data interchange in a wide range of business activities. This section will provide an
overview of the major requirements for EDI implementation, with some observations
about some land mines that can be avoided along the way.
Implementing EDI in a business need not be difficult, and the benefits can be
substantial. To assure success, there are several key areas where some understanding
and advanced planning is required. Recognizing some of the potential pitfalls and
avoiding them, especially with an initial implementation, will go a long way toward
assuring success.

Define a Strategy
It is important from the outset to understand that EDI is a tool. It is not a panacea. As
a company’s management team begins to plan its EDI strategy, a careful assessment of
the problems the company wishes to address is critical. Such a review can help to insure
that applying an EDI solution will actually contribute to solving problems and rather
symptoms.
Without a strategic analysis, it is very easy to solve the wrong problem. If Fast Part
successfully implements a project that reduces retail order processing time from days to
hours, but has failed to understand that reducing delivery time from weeks to days is the
real problem, the benefits of the improvement will go unnoticed. Or, worse yet, the effort
put into an EDI implementation will be written off as a bad investment, and further
implementations may be curtailed or eliminated.

Amity Directorate of Distance and Online Education

136 Web-Enabled Business Processes
Seek Objectives of Mutual Benefit
Notes
EDI is first and foremost an enterprise requiring partnership. Nothing is guaranteed
to quell enthusiasm for an EDI project more quickly than the perception that benefits and
costs are not shared equally within the partnership. Setting forth objectives that are
advantageous to only one partner is a sure-fire method of guaranteeing failure.
Returning to the Fast Part Company, suppose that a major customer has required
that they be invoiced electronically. The advantage to the customer is a major reduction
in the overhead in processing their invoices. The problem with this approach is that Fast
Part will obtain no benefit from the exchange. While it will help the customer, it will not
guarantee that Fast Part gets paid any sooner. If the customer is an important one, Fast
Part may have little choice but to implement the transaction.
This is not an ideal method for encouraging and developing a true business
partnership. A more realistic approach to this EDI partnership would be to offer, in
exchange for electronic invoicing, automatic fund transfer for payment, thereby helping
the Fast Part to reduce the cycle of their accounts receivable. Everybody goes home a
winner.

Define Realistic Objectives

Everyone has had contact at one time or another with a sales representative who
was pitching a product that would solve every problem put to it, and insure proper
weather on the weekend for the company golf outing. So even if the product did
everything it was designed to, if it rained on the golf outing, the product would be
perceived as a failure.
For initial EDI projects, limited objectives with perceivable benefits should be sought
out. If Fast Part selects, for its first project an ambitious plan to completely overhaul their
entire retail distribution process, they may well be attempting too large a first step. A
more realistic initial project would be to automate customer order processes, along with
providing order confirmations and delivery notifications.
An even more realistic objective would be to implement a project that can be
undertaken on a pilot basis, to clearly demonstrate benefits, with very limited risk. A
properly selected and limited pilot project will be easier to implement with minimal impact.
The success of the pilot will surely be an asset in selling expansion of the project to
company-wide application.

Provide Measurable Objectives

Of the many entries on “the most frustrating experience” list, one of them has surely
got to be completing a project and not knowing whether it was a success. A key factor in
insuring success is defining the objectives in terms that can be measured.
If management proposes to install an EDI system, but fails to adequately identify
why it is doing so, and what specific benefits should be achieved, the targeted user
community will quickly define its own objectives, with little guarantee that any can actually
be met.
If, on the other hand, the objective of a project is stated as reducing a specific
expense, or specific transaction cycle time by some amount, when the project is
complete, the numbers will bear out the success.

Plan Carefully
Much of the work of planning and implementation can be eased if objectives have
been carefully defined. Implementing a company-wide comprehensive EDI solution

Amity Directorate of Distance and Online Education

E-Commerce Essentials 137

cannot be integrated into the existing framework of a company’s business in one step. It
Notes
must be applied carefully, step by step.
An important aspect of implementation planning is involving all concerned parties at
all steps of the project. Good communication is essential, so that newly installed EDI
capabilities will change the way business is done, not disrupt it.
One of the most valuable ways of providing good communication and project
management is to define an EDI coordinator’s position. This position should be filled by
an individual with strong knowledge of both the business requirements being addressed,
and the technical requirements of EDI.
A critical step in implementation planning is the testing process. Before users are
actually committed to depending on their new EDI function, they must be comfortable that
the process actually works reliably, all the time. This must be proven beyond doubt by
carefully constructed testing and validation procedures. In most cases, since data is
being transferred to another trading partner, it will be necessary to assure both internal
and external users that correct information is being traded.

Know the Costs

In any project, it is necessary to know what the true cost of implementation will be,
and it is no different with EDI implementations. Some of the cost exposures are obvious,
such as hardware and software. This list is certainly not definitive, but may provide some
direction in anticipating costs that are not so obvious.
● Translation software: Cost is usually on a per-CPU basis, and most vendors
will negotiate site license costs.
● Software maintenance: Purchasing a software maintenance contract is
always advisable, since this will usually provide technical assistance, and will
frequently guarantee automatic updates. With translation software, the updates
should include additional transaction sets as they are implemented.
● Internal software development costs: Modifications to internal systems
should be cosseted as any other software project would be.
● Hardware costs: Cost will depend not only upon platform, but upon the
specific configuration of the platform. Additional costs may be encountered in
operating system, software licensing, hardware interfaces for networking, and
additional peripheral devices such as tape backup systems.
● Training costs: These costs can include in-house training for new procedures,
vendor training for software products and for hardware.
● Additional resource costs: If a business is venturing for the first time into the
UNIX open systems environment, it may be necessary to hire a technical
specialist that is familiar with system administration and support for the
platform.
● Specialty hardware: The EDI project may require special data collection
devices such as bar code equipment or special printers.
● Networking costs: If a private network will be used, there are leasing costs for
phone lines, and additional networking hardware costs. If the business opts for
the use of a VAN, explicit pricing policies for all services should be available,
allowing for exact determination of start-up and ongoing communications costs.
● Legal costs: Since EDI requires entering partnerships with other companies, it
will require that contractual relationships are defined. For EDI, a standard
contract form has been developed called an EDI Trading Partner Agreement.
This form helps define relationships and responsibilities. It is a fairly

Amity Directorate of Distance and Online Education

138 Web-Enabled Business Processes
straightforward form, and should serve as the basis for any contractual
Notes
arrangements. Also, it is always advisable to insure that such contracts
properly protect parties, so legal costs may have to be factored into project
estimates.
● Consulting costs: It may be a worthwhile investment for a company new to
EDI to hire the consulting services of knowledgeable experts. Professional
expertise can be invaluable in initial planning, particularly in determining
strategic objectives.

Encourage Widespread Participation

EDI is a process that can touch many parts of a business. It is crucial to get
involvement of all affected parties within the business. Also it is equally important to
develop a good working relationship with the individuals and groups that will be affected
within the new trading partner’s organization.
It is important to remember that EDI implementation will be eliminating paper
documents that have probably been the single most visible focus of many jobs.
Removing that paper will generate a considerable degree of insecurity. It must be
replaced with the confidence that “the system” has the paper, all the time, every time.
Extended involvement of the user community in requirements definition, pilot projects,
testing, and parallel testing is vital, and should be a high priority consideration for the EDI
coordinator.

Training
Most companies understand that training is an integral part implementing any new
process or procedure in their business. EDI is no exception. Training will be required in
the user community because job functions will change, sometimes dramatically. Training
may be required in several different areas:
● General understanding of EDI. This training should be developed early, since
unless a company already has an investment in EDI, it is critical that
employees learn what to expect of the process.
● Technical hardware and software training. If new hardware is being
acquired, technical and operational support training may be needed. Vendors
may offer a variety of training options, either as a part of the purchase cost, or
as an extra adder. Such vendor-supplied training may range from limited
“train-the-trainer” programs, to extensive on-site user training.
● User training for certification in new procedures. If sufficient in-house
expertise is available, such training, particularly in the area of user certification,
can and probably should be done internally. Many industry experts and
consulting groups provide such training, and it should be tailored to the specific
needs of the company.

5.5 Computer Networks

A computer network is a system in which multiple computers are connected to each
other to share information and resources.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 139

Notes

5.5.1 Characteristics of a Computer Network

● Share resources from one computer to another
● Create files and store them in one computer, access those files from the other
computer(s) connected over the network
● Connect a printer, scanner, or a fax machine to one computer within the
network and let other computers of the network use the machines available
over network.
Following is the list of hardwares required to set up a computer network.
● Network Cables
● Distributors
● Routers
● Internal Network Cards
● External Network Cards

5.5.2 Network Cables

Network cables are used to connect computers. The most commonly used cable is
Category 5 Cable RJ-45.

Amity Directorate of Distance and Online Education

140 Web-Enabled Business Processes

Notes 5.5.3 Distributors

A computer can be connected to another one via a serial port but if we need to
connect many computers to produce a network, this serial connection will not work. The
solution is to use a central body to which other computers, printers, scanners, etc. can be
connected and then this body will manage or distribute network traffic.

5.5.4 Router
A router is a type of device which acts as the central point among computers and
other devices that are part of a network. A router is equipped with holes called ports and
computers and other devices are connected to a router using network cables. Nowadays,
router comes in wireless modes using which computers can be connected without any
physical cable.

5.5.5 Network Card

Network card is a necessary component of a computer without which a computer
cannot be connected over a network. It is also known as network adapter or Network
Interface Card (NIC). Most branded computers have network card pre-installed. Network
cards are of two types: Internal and External Network Cards.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 141

Internal Network Cards

Notes
Motherboard has a slot for internal network card where it is to be inserted. Internal
network cards are of two types in which first type uses Peripheral Component
Interconnect (PCI) connection while the second type uses Industry Standard Architecture
(ISA). Network cables are required to provide network access.

External Network Cards

External network cards come in two flavours: Wireless and USB-based. Wireless
network card need to be inserted into the motherboard but no network cable is required
to connect to network.

5.5.6 Universal Serial Bus (USB)

USB card are easy to use and connect via USB port. Computers automatically
detect USB card and can install the drivers required to support the USB network card
automatically.

Amity Directorate of Distance and Online Education

142 Web-Enabled Business Processes

Notes

5.6 Web Servers

Web servers are computers that deliver (serves up) Web pages. Every Web server
has an IP address and possibly a domain name. For example, if you enter the URL
http://www.webopedia.com/index.html in your browser, this sends a request to the Web
server whose domain name is webopedia.com. The server then fetches the page named
index.html and sends it to your browser.
Any computer can be turned into a Web server by installing server software and
connecting the machine to the Internet. There are many Web server software
applications, including public domain software and commercial packages.
Every website sits on a computer known as a Web server. This server is always
connected to the internet. Every web server that is connected to the Internet is given a
unique address made up of a series of four numbers between 0 and 255 separated by
periods. For example, 68.178.157.132 or 68.122.35.127.

5.6.1 Web Server Architecture

When you register a web address, also known as a domain name, such as
tutorialspoint.com, you have to specify the IP address of the web server that will host the
site. You can load up with Dedicated Servers that can support your web-based
operations.
There are four leading web servers − Apache, IIS, lighttpd and Jagsaw. Now, we will
see these servers in bit more detail.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 143

Apart from these Web Servers, there are other Web Servers also available in the
Notes
market but they are very expensive. Major ones are Netscape’s iPlanet, Bea’s Web Logic
and IBM’s WebSphere.

Apache HTTP Server

This is the most popular web server in the world developed by the Apache Software
Foundation. Apache web server is open source software and can be installed on almost
all operating systems including Linux, UNIX, Windows, FreeBSD, Mac OS X and more.
About 60% of the web server machines run the Apache Web Server.
You can have Apache with tomcat module to have JSP and J2EE related support.
You can have detailed information about this server at Apache HTTP Server.

Internet Information Services

The Internet Information Server (IIS) is a high performance Web Server from
Microsoft. This web server runs on Windows NT/2000 and 2003 platforms (and may be
on upcoming new Windows version also). IIS comes bundled with Windows NT/2000 and
2003. Because IIS is tightly integrated with the operating system, so it is relatively easy to
administer it.
You can have detailed information about this server at Microsoft IIS.

lighttpd
The lighttpd, pronounced lightly is also a free web server that is distributed with the
FreeBSD operating system. This open source web server is fast, secure and consumes
much less CPU power. Lighttpd can also run on Windows, Mac OS X, Linux and Solaris
operating systems.
You can have detailed information about this server at lighttpd.

Sun Java System Web Server

This web server from Sun Microsystems is suited for medium and large websites.
Though the server is free, it is not open source. It however, runs on Windows, Linux and
UNIX platforms. The Sun Java System web server supports various languages, scripts
and technologies required for Web 2.0 such as JSP, Java Servlets, PHP, Perl, Python,
and Ruby on Rails, ASP and ColdFusion, etc.
You can have detailed information about this server at Sun Java System Web
Server.

Jigsaw Server

Amity Directorate of Distance and Online Education

144 Web-Enabled Business Processes

Notes

Jigsaw (W3C’s Server) comes from the World Wide Web Consortium. It is open
source and free and can run on various platforms like Linux, UNIX, Windows, and Mac
OS X Free BSD, etc. Jigsaw has been written in Java and can run CGI scripts and PHP
programs.

5.7 Types of EPS

E-Commerce or Electronics Commerce sites use electronic payment where
electronic payment refers to paperless monetary transactions. Electronic payment has
revolutionized the business processing by reducing paperwork, transaction costs, labour
cost. Being user-friendly and less time-consuming than manual processing, helps
business organization to expand its market reach/expansion. Some of the modes of
electronic payments are following:
● Credit Card
● Debit Card
● Smart Card
● E-Money
● Electronic Fund Transfer (EFT)

5.7.1 Credit Card

Payment using credit card is one of most common mode of electronic payment.
Credit card is small plastic card with a unique number attached with an account. It has
also a magnetic strip embedded in it which is used to read credit card via card readers.
When a customer purchases a product via credit card, credit card issuer bank pays on
behalf of the customer and customer has a certain time period after which he/she can

Amity Directorate of Distance and Online Education

E-Commerce Essentials 145

pay the credit card bill. It is usually credit card monthly payment cycle. Following are the
Notes
actors in the credit card system.
Ɣ The card holder – customer
Ɣ The merchant – seller of product who can accept credit card payments
Ɣ The card issuer bank – card holder’s bank
Ɣ The acquirer bank – the merchant’s bank
Ɣ The card brand – for example, Visa or Mastercard.

Credit Card Payment Process

Step Description
Step 1 Bank issues and activates a credit card to customer on his/her request.
Step 2 Customer presents credit card information to merchant site or to merchant from
whom he/she want to purchase a product/service.
Step 3 Merchant validates customer’s identity by asking for approval from card brand
company.
Step 4 Card brand company authenticates the credit card and paid the transaction by
credit. Merchant keeps the sales slip.
Step 5 Merchant submits the sales slip to acquirer banks and gets the service chargers
paid to him/her.
Step 6 Acquirer bank requests the card brand company to clear the credit amount and
gets the payment.
Step 7 Now card brand company asks to clear amount from the issuer bank and amount
gets transferred to card brand company.

5.7.2 Debit Card

Debit card, like credit card, is a small plastic card with a unique number mapped with
the bank account number. It is required to have a bank account before getting a debit
card from the bank. The major difference between debit card and credit card is that in
case of payment through debit card, amount gets deducted from card’s bank account
immediately and there should be sufficient balance in bank account for the transaction to
get completed. Whereas in case of credit card, there is no such compulsion.
Debit cards free customer to carry cash, cheques and even merchants accepts debit
card more readily. Having restriction on amount being in bank account also helps
customer to keep a check on his/her spending.

5.7.3 Smart Card

Smart card is again similar to credit card and debit card in appearance but it has a
small microprocessor chip embedded in it. It has the capacity to store customer work
related/personal information. Smart card is also used to store money which is reduced as
per usage.
Smart card can be accessed only using a PIN of customer. Smart cards are secure
as they store information in encrypted format and are less expensive/provide faster
processing. Mondex and Visa Cash cards are examples of smart cards.

5.7.4 E-Money
E-Money transactions refer to situation where payment is done over the network
and amount gets transferred from one financial body to another financial body without

Amity Directorate of Distance and Online Education

146 Web-Enabled Business Processes
any involvement of a middleman. E-Money transactions are faster, convenient and save
Notes
a lot of time.
Online payments done via credit card, debit card or smart card are examples of
e-money transactions. Another popular example is e-cash. In case of e-cash, both
customer and merchant both have to sign up with the bank or company issuing e-cash.

5.7.5 Electronic Fund Transfer

It is a very popular electronic payment method to transfer money from one bank
account to another bank account. Accounts can be in same bank or different bank. Fund
transfer can be done using ATM (Automated Teller Machine) or using computer.
Nowadays, internet-based EFT is getting popularity. In this case, customer uses
website provided by the bank. Customer logins to the bank’s website and registers
another bank account. He/she then places a request to transfer certain amount to that
account. Customer’s bank transfers amount to other account if it is in same bank
otherwise transfer request is forwarded to ACH (Automated Clearing House) to transfer
amount to other account and amount is deducted from customer’s account. Once amount
is transferred to other account, customer is notified of the fund transfer by the bank.
Credit cards, debit cards and prepaid cards currently represent the most common
form of electronic payments. For all three types of cards, the consumer or the business
most often uses a plastic card, commonly with a magnetic stripe. The cardholder gives
his or her card or card number to a merchant who swipes the card through a terminal or
enters the data to a PC. The terminal transmits data to his or her bank, the acquirer. The
acquirer transmits the data through a card association to the card issuer who makes a
decision on the transaction and relays it back to the merchant, who gives goods or
services to the cardholder. Funds flow later for settlement with credit cards and are
debited immediately for debit or prepaid cards.
Along with magnetic stripe cards, smart cards are and will increasingly be used for
payments. Smart cards are at present overwhelmingly plastic credit cards with an
embedded computer chip. Until recently, many smart cards are operated using
proprietary rather than common standards. A standard set of specifications, EMV, has
been developed and is being used increasingly so that the chips on smart cards are
interoperable. Korea and Japan are among the most advanced countries in Asia for
smart card payments, with Malaysia catching up fast due to government mandates for
banks to issue smart cards. Most credit and debit cards are expected to be issued or
reissued as smart cards by 2008 or earlier.
Over time, the chip for payment can be expected to move onto other devices. A
“smart card” might then become the computer chip in a phone, PDA or other device that
can perform the same function as chip in a plastic card, eliminating the need for the
actual plastic card. Smart cards could thus evolve into “smartphones”, “smart PDAs” or
other “smart” devices.

Internet
Online payments involve the customer transferring money or making a purchase
online via the internet. Consumers and businesses can transfer money to third parties
from the bank or other account, and they can also use credit, debit and prepaid cards to
make purchases online.
Current estimates are that over 80% of payments for online purchases are made
using a credit card or debit card. At present, most online transactions involve payment
with a credit card. While other forms of payment such as direct debits to accounts or

Amity Directorate of Distance and Online Education

E-Commerce Essentials 147

prepaid accounts and cards are increasing, they currently represent a less developed
Notes
transaction methodology.

Mobile Payments
Mobile phones are currently used for a limited number of electronic transactions.
However, the percentage seems likely to increase as mobile phone manufacturers
enable the chip and software in the phone for easier electronic commerce.
Consumers can use their mobile phone to pay for transactions in several ways.
Consumers may send an SMS message, transmit a PIN number, and use WAP to make
online payments, or perform other segments of their transaction with the phone. As
phones develop further, consumers are likely to be able to use infrared, Bluetooth and
other means more frequently to transmit full account data in order to make payments
securely and easily from their phone.
Additionally, merchants can obtain an authorization for a credit or debit card
transaction by attaching a device to their mobile phone. A consortium in the US also
recently announced Power Swipe, for example, which physically connects to a Nextel
phone, weighs 3.1 ounces, and incorporates a magnetic stripe reader, infrared printing
port, and pass-through connector for charging the handset battery.

Financial Service Kiosks

Companies and service providers in several countries, including Singapore and the
US, have set up kiosks to enable financial and non-financial transactions. These kiosks
are fixed stations with phone connections where the customer usually uses a keyboard
and television-like screen to transaction or to access information.
At AXS stations in Singapore, for example, consumers can make electronic bill
payments, send e-mail or SMS message and make phone calls. Kiosks in the United
States enable the customer to send money via wire transfers, cash checks, make
purchases using cash, and make phone calls.
Located at convenient public locations such as bus or subway stations, convenience
stores or shopping malls, these kiosks enable electronic payments by individuals who
may not have regular access to the internet or mobile phones.

Television Set-top Boxes and Satellite Receiver

Specialized boxes attached to a television can also be used for payments in some
locations. The set-top box attaches to the television and a keyboard or other device, and
customers can make purchases by viewing items on the television. Payment is made
electronically using a credit card or other account. While usage is presently low, it could
grow substantially in countries with a strong cable or satellite television network.

Biometric Payments
Electronic payments using biometrics are still largely in their infancy. Trials are
underway in the United States, Australia and a limited number of other countries. Most
biometric payments involve using fingerprints as the identification and access tool,
though companies like Visa International are piloting voice recognition technology and
retina scans are also under consideration. Essentially, a biometric identifier such as a
fingerprint or voice could replace the plastic card and more securely identifies the person
undertaking the transaction. The electronic payment is still charged to a credit card or
other account, with the biometric identifier replacing the card, check or other transaction
mechanism.

Amity Directorate of Distance and Online Education

148 Web-Enabled Business Processes
Electronic Payments Networks
Notes
Various countries have electronic payments networks that consumer can use to
make payments electronically. ACH (Automated Clearing House) in the US, domestic
EFTPOS networks in Australia and Singapore, and other networks enable electronic
payments between businesses and between individuals. The consumer can go online, to
a financial service kiosk or use other front-end devices to access their account and make
payments to businesses or other individuals.

Person-to-Person (P2P) Payments

P2P payments enable one individual to pay another using an account, a prepaid
card or another mechanism that stores value. PayPal in the US, which was recently
purchased by eBay, is one of the most frequently used P2P mechanisms. The Tower
Group estimates that the volume of P2P payments will grow from 105 million transactions
in 2002 to 1.4 billion transactions by 2005. P2P payments can be made through a variety
of means, including services like PayPal, transfers using card readers, or other. In the
future, other devices such as mobile phones or PDAs, could also be used to enable P2P
electronic payments.

Types of E-Payment and Initiatives

Overview of EBPP (Electronic Bill Presentment and Payment)

EBPP, or electronic bill presentment and payment, is a system that is commonly
used in the banking industry today. With this system, a bill will be provided to a customer
over the Internet, and then the customer will pay for the bill over the Internet as well. With
this system, traditional checks are not used but electronic payments are instead utilized.
Here are a few things to consider about electronic bill payment and how it works.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 149

EBPP
Notes
EBPP is essentially the same thing as electronic billing. With this system, a
company will send an electronic statement to a customer. For example, this is common
with utility providers or mortgage lenders. Instead of sending a paper bill, the company
will send an e-mail to a customer. At that point, the customer will then look at the bill by
checking their e-mail or logging into a secure website. Once the customer has reviewed
the bill, they can then make a payment in the appropriate amount to the biller.
Two Types of Electronic Bill Presentment and Payment
There are two main types of electronic bill presentment and payment that are
commonly used in the industry today. The first type of electronic bill presentment and
payment is referred to as a biller-direct system. This system is commonly used with utility
companies today. For example, the utility company will send an electronic bill to the
customer and the customer will make a payment directly to the company. There is no
intermediary used in this transaction.
The other type of electronic bill presentment and payment is known as the
bank-aggregator strategy. With this strategy, an individual works with a bank in order to
make electronic payments to multiple billers simultaneously. This is often referred to as
online banking or online bill pay. With this system, an individual will log into an online
bank account and specify the amount and date of a payment. Typically, the consumer will
have all of the bills that they regularly pay set up in the online banking system. At that
point, the individual can then simply log into an account, select the payments that need to
be made and then press submit. The bank will then handle sending all the payments to
the appropriate places. Some banks will send out these payments immediately, while
others take a little bit more time. In fact, some banks may take anywhere from 3 to 5 days
to send out these payments to the appropriate places.

NACHA
NACHA stands for National Automated Clearing House Association. This is an
organization that helps set the standards for the Automated Clearing House. The
Automated Clearing House or ACH is the system that is commonly used to distribute
electronic payments in the banking industry. This organization works to help prevent
fraud with this type of billing and payment system. Financial institutions generally follow
the guidelines that are set by NACHA.

VeriSign
VeriSign Inc. is an American company based in Reston, Virginia, United States that
operates a diverse array of network infrastructure, including two of the Internet’s thirteen
root name servers, the authoritative registry for the .com, .net, and .name generic
top-level domains and the .cc and .tv country-code top-level domains, and the back-end
systems for the .jobs, .gov, and .edu top-level domains. VeriSign also offers a range of
security services, including managed DNS, Distributed Denial of Service (DDoS)
mitigation and cyber-threat reporting.
In 2010, VeriSign sold its authentication business unit – which included SSL
certificate, PKI, VeriSign Trust Seal, and VeriSign Identity Protection (VIP) services – to
Symantec for $1.28 billion. The deal capped a multi-year effort by VeriSign to narrow its
focus to its core infrastructure and security business units.
VeriSign’s former CFO Brian Robins announced in August 2010 that the company
would move from its original location of Mountain View, California, to Dulles in Northern
Virginia by 2011 due to 95% of the company’s business being on the East Coast.

Amity Directorate of Distance and Online Education

150 Web-Enabled Business Processes
VeriSign was founded in 1995 as a spin-off of the RSA Security certification services
Notes
business. The new company received licenses to key cryptographic patents held by RSA
and a time limited non-compete agreement. The new company served as a certificate
authority (CA) and its initial mission was “providing trust for the Internet and Electronic
Commerce through our Digital Authentication services and products”. Prior to selling its
certificate business to Symantec in 2010, VeriSign had more than 3 million certificates in
operation for everything from military to financial services and retail applications, making
it the largest CA in the world.
In 2000, VeriSign acquired Network Solutions, which operated the .com, .net
and .org TLDs under agreements with the Internet Corporation for Assigned Names and
Numbers (ICANN) and the United States Department of Commerce. Those core registry
functions formed the basis for VeriSign’s naming division, which is now the company’s
largest and most significant business unit. In 2002, VeriSign was charged with violation of
the Securities Exchange Act. VeriSign divested the Network Solutions retail (domain
name registrar) business in 2003, retaining the domain name registry (wholesale)
function as its core Internet addressing business. For the year ended December 31, 2010,
VeriSign reported revenue of $681 million, up 10% from $616 million in 2009. VeriSign
operates two businesses, Naming Services, which encompasses the operation of
top-level domains and critical Internet infrastructure, and Network Intelligence and
Availability (NIA) Services, which encompasses DDoS mitigation, managed DNS and
threat intelligence.
VeriSign’s share price tumbled in early 2014, hastened by the US government’s
announcement that it would “relinquish oversight of the Internet’s domain-naming system
to a non-government entity”.

5.8 PayPal
PayPal Holdings Inc. is an American company operating a worldwide online
payments system. Online money transfers serve as electronic alternatives to traditional
paper methods like checks and money orders. PayPal is one of the world’s largest
internet payment companies. The company operates as an acquirer, performing payment
processing for online vendors, auction sites and other commercial users, for which it
charges a fee.
Established in 1998, PayPal had its IPO in 2002, and became a wholly owned
subsidiary of eBay later that year. In 2014, PayPal moved $228 billion in 26 currencies
across more than 190 nations, generating total revenue of $7.9 billion (44% of eBay’s
total profits). The same year, eBay announced plans to spin-off PayPal into an
independent company by mid-2015 and was complete on July 18, 2015.

Services
As of 2015, PayPal operates in 203 markets and has 159 million active, registered
accounts. PayPal allows customers to send, receive, and hold funds in 26 currencies
worldwide.
PayPal’s services allow people to make financial transactions online by granting the
ability to transfer funds electronically between individuals and businesses. Through
PayPal, users can send or receive payments for online auctions on websites like eBay,
purchase or sell goods and services, or donate money or receive donations. It is not
necessary to have a PayPal account to use the company’s services. PayPal launched
Student Accounts for teenagers in August 2009, allowing parents to set up a student
account, transfer money into it, and obtain a debit card for student use. The program
provides tools to teach how to spend money wisely and take responsibility for actions. In

Amity Directorate of Distance and Online Education

E-Commerce Essentials 151

November 2009, PayPal opened its platform, allowing other services to get access to its
Notes
code and to use its infrastructure in order to enable peer-to-peer online transactions.
In 2008, PayPal acquired the online credit product Bill Me Later, which has since
been rebranded as PayPal Credit, and provides services for Community Capital Bank,
the lender of PayPal Credit accounts. Founded in 2000, Bill Me Later Inc. was acquired
by eBay Inc. in 2008, and is a PayPal company headquartered in Timonium, Maryland,
with additional offices in Hunt Valley, Maryland, Chandler, Arizona and San Francisco,
California. PayPal Credit offers shoppers ‘access to an instant online revolving line of
credit at thousands of vendors that accept PayPal, subject to credit approval. PayPal
Credit allows consumers to shop online in much the same way as they would with a
traditional credit card. The rebranding of Bill Me Later as PayPal Credit also means that
consumers can use PayPal Credit to fund transactions virtually anywhere PayPal is
accepted.
The PayPal app is available online or at the iTunes App Store and Google Play. One
year after acquiring Braintree, PayPal introduced its “One Touch” service, which allows
users to pay with a one-touch option on participating merchant’s websites or apps. On
November 28, 2011, PayPal reported Black Friday brought record mobile engagement
including a 538% increase in global mobile payment volume when compared with Black
Friday 2010.
In 2012, the company launched “PayPal Here”, a small business mobile payment
system that includes a combination of a free mobile app and a small card reader that
plugs into a smartphone. PayPal launched an updated app for iOS and Android in 2013
that expanded its mobile app capabilities by allowing users to search for local shops and
restaurants that accept PayPal payments, order ahead at participating venues, and
access their PayPal Credit accounts (formerly known as Bill Me Later).

PayPal Business Model Evolution

PayPal’s success in users and volumes was the product of a three-phase strategy
described by former eBay CEO Meg Whitman: “First, PayPal focused on expanding its
service among eBay users in the US. Second, we began expanding PayPal to eBay’s
international sites. And third, we started to build PayPal’s business off eBay.”

Phase 1
In the first phase, payment volumes were coming mostly from the eBay auction
website. The system was very attractive to auction sellers, most of which were individuals
or small businesses that were unable to accept credit cards, and for consumers as well.
In fact, many sellers could not qualify for a credit card Merchant account because they
lacked a commercial credit history. The service also appealed to auction buyers because
they could fund PayPal accounts using credit cards or bank account balances, without
divulging credit card numbers to unknown sellers. PayPal employed an aggressive
marketing campaign to accelerate its growth, depositing $10 in new users’ PayPal
accounts.

Phase 2
Until 2000, PayPal’s strategy was to earn interest on funds in PayPal accounts.
However, most recipients of PayPal credits withdrew funds immediately. Also, a large
majority of senders funded their payments using credit cards, which cost PayPal roughly
2% of payment value per transaction.
To solve this problem, PayPal tailored its product to cater more to business
accounts. Instead of relying on interests earned from deposited funds, PayPal started

Amity Directorate of Distance and Online Education

152 Web-Enabled Business Processes
relying on earnings from service charges. They offered seller protection to PayPal
Notes
account holders, provided that they comply with reimbursement policies. For example,
PayPal merchants are either required to retain a traceable proof of shipping to a
confirmed address or to provide a signed receipt for items valued over $750.

Phase 3
After fine-tuning PayPal’s business model and increasing its domestic and
international penetration on eBay, PayPal started its off-eBay strategy. This was based
on developing stronger growth in active users by adding users across multiple platforms,
despite the slowdown in on-eBay growth and low-single-digit user growth on the eBay
site. A late 2003 reorganization created a new business unit within PayPal—Merchant
Services—to provide payment solutions to small and large e-Commerce merchants
outside the eBay auction community. Starting in the second half of 2004, PayPal
Merchant Services unveiled several initiatives to enroll online merchants outside the
eBay auction community, including:
● Lowering its transaction fee for high-volume merchants from 2.2% to 1.9%
(while increasing the monthly transaction volume required to qualify for the
lowest fee to $100,000)
● Encouraging its users to recruit non-eBay merchants by increasing its referral
bonus to a maximum of $1,000 (versus the previous $100 cap)
● Persuading credit card gateway providers, including Cyber Source and Retail
Decisions USA, to include PayPal among their offerings to online merchants.
● Hiring a new sales force to acquire large merchants such as Dell, Apple’s
iTunes, and Yahoo! Stores, which hosted thousands of online merchants
● Reducing fees for online music purchases and other “micropayments”
● Launching PayPal Mobile, which allowed users to make payments using text
messaging on their cell phones

Local Restrictions
Countries not supported by PayPal include Iraq, Afghanistan, and Pakistan, in
addition to the countries on the US economic sanction list.
There are three Basic PayPal e-Commerce widgets that you can use on your site:
● PayPal Single Product Widget: Displays a single product for sale.
● PayPal Product Catalog Widget: Add this to your page to display more than
one product for sale.
● Donation Collection Widget: Allows people to make donations and
contributions to your cause.
To be able to use these widgets, you need to sign up on www.paypal.com for a free
Premier or Business account (a link is provided from Yola – see below). Once your
account with PayPal has been created, you are ready to add PayPal buttons to your site.

Register with PayPal.com

1. Go to Widgets > e-Commerce.
2. There are three options available: Single Product, Product Catalog and
Donation Collection.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 153

Notes

3. Drag and drop your chosen widget onto your page.

4. The PayPal dialog box will open.
5. Click on the “Get one now” link to get a PayPal account.

6. On the PayPal screen, click the “Start Now” link. This will take you to a screen
where you can create your account.
7. Fill in all your personal information and create your account.
8. Add the PayPal widgets to your site

5.8.1 Adding the PayPal Single Product Widget

1. Drag and drop the PayPal Single Product Widget onto your page.
2. A dialog box will open and you can enter the following information:
● Your PayPal e-mail address. This is the e-mail address you use to access
your PayPal account.
● A product a title. This should be as brief and accurate a name for the
product you are selling as possible. Important Note: Each of your products
must have a unique title and description. If you give your products the
same title or description, they will be added to the cart as the same
product.
● The price of the item.
● A description the of product. Use the description field to add further relevant
details about the product.

Amity Directorate of Distance and Online Education

154 Web-Enabled Business Processes
3. You can also upload an image of the product. A clear, well-taken photograph
Notes
will go a long way towards selling your product!
4. Use the radio buttons in the bottom-left corner of the dialog box to set the
alignment of your widget.
5. When you have finished editing your settings, click “Save” to add all the
product information.
6. A PayPal “Buy Now” button will be added to your page.
7. If you need to go back and edit the settings of a widget already added to the
page, click “Edit” on the top left corner of the widget.

5.8.2 Adding the PayPal Product Catalog Widget

1. Drag and drop the PayPal Product Catalog Widget onto your page.
2. A dialog box will open where you can add your PayPal e-mail address as well
as start to add details of the products you are selling.
3. Click on the “Click here to add one” link or “+ Add Product” button to begin
adding your products.
4. You can then add, and edit, the settings of the particular product you are
selling. Important Note: Each of your products must have a unique Title and
Description. If you give your products the same Title or Description, they will be
added to the cart as the same product.
5. Continue to add products to your page until you are satisfied with the number
of products you have added.
6. Click “Save” to add the catalog to your page.
7. You can easily go back and edit the settings, or add more products, by clicking
“Edit” on the top left corner of the Catalog Widget.

5.8.3 Adding the Donation Collection Widget

1. Drag and drop the Donation Collection Widget onto your page.
2. A dialog box will open, where you can enter your PayPal e-mail address. This
is the e-mail address you use to access your PayPal account.
3. Click “Save” to add the widget to your page.
4. If you need to go back and change the PayPal e-mail address used to set up
the widget, click “Edit” on the top left corner of the Donation Collection Widget.

Publish Your Site!

To test any of your PayPal buttons, simply save and preview your page. When
someone wants to purchase a product, they will click on the “Buy Now” button and will be
taken to the PayPal checkout facility to complete their purchase.
When you are satisfied with your store, you can put your site online and start selling!
For more information on publishing, please see our tutorial Publishing Your Site.
The Basic PayPal e-Commerce Widgets give you an opportunity to start selling your
goods online, and become familiar with how e-Commerce works. Set yours up and start
your internet business today!

5.9 Summary
EDI replaces postal mail, fax and e-mail. While e-mail is also an electronic approach,
the documents exchanged via e-mail must still be handled by people rather than

Amity Directorate of Distance and Online Education

E-Commerce Essentials 155

computers. Having people involved slows down the processing of the documents and
Notes
also introduces errors. Instead, EDI documents can flow straight through to the
appropriate application on the receiver’s computer (e.g., the Order Management System)
and processing can begin immediately. A typical manual process looks like this, with lots
of paper and people involvement:
● Business documents: These are any of the documents that are typically
exchanged between businesses. The most common documents exchanged via
EDI are purchase orders, invoices and advance ship notices. But there are
many, many others such as bill of lading, customs documents, inventory
documents, shipping status documents and payment documents.
● Standard format: Because EDI documents must be processed by computers
rather than humans, a standard format must be used so that the computer will
be able to read and understand the documents. A standard format describes
what each piece of information is and in what format (e.g., integer, decimal,
mm-dd-yy). Without a standard format, each company would send documents
using its company-specific format and, much as an English-speaking person
probably doesn’t understand Japanese, the receiver’s computer system
doesn’t understand the company-specific format of the sender’s format.
● There are several EDI standards in use today, including ANSI, EDIFACT,
TRADACOMS and ebXML. And, for each standard, there are many different
versions, e.g., ANSI 5010 or EDIFACT version D12, Release A. When two
businesses decide to exchange EDI documents, they must agree on the
specific EDI standard and version.
● Businesses typically use an EDI translator – either as in-house software or via
an EDI service provider – to translate the EDI format so that the data can be
used by their internal applications and thus enable straight through processing
of documents.
● Business partners: The exchange of EDI documents is typically between two
different companies, referred to as business partners or trading partners. For
example, Company A may buy goods from Company B. Company A sends
orders to Company B. Company A and Company B are business partners.

5.10 Check Your Progress

I. Fill in the Blanks
1. An IP address is made of ___________ decimal numbers separated by dots.
2. The shopping cart function in Amazon.com is made possible by the use of
___________.
3. ___________ is necessary to convert HTML contents to format acceptable by
database servers, but the reverse information conversion is done by
___________ software, that connects two otherwise separate applications.
4. In an information system or e-Commerce sense, a layer is a program or set of
programs that___________ to the layer above it and ___________ provided
by the layer below it.
5. ___________ is an established tool for finding customers and building brand
recognition and___________ is the act of modifying a product or service to fit
an individual customer’s requirements.
II. True or False
1. There is a significant correlation between a company’s strategic agility and its
IT infrastructure capability.

Amity Directorate of Distance and Online Education

156 Web-Enabled Business Processes
2. Both reduction of selling price of a product and reduction on manufacturing
Notes
cost can give a long-term competitive advantage to a company.
3. Cyber squatting, the practice of registering trademarks, company names,
slogans and celebrity names with the intent of later selling the rights, is legal.
4. A company’s value chain is a set of business processes that allow multiple
independent entities such as suppliers, manufacturers, and retailers to function
as one organization to deliver products to consumers.
5. Using a standard modem connection, data usually moves faster just before it
reaches its destination, as opposed to the beginning or middle of the
transmission.
III. Multiple Choice Questions
1. With respect to IT innovation, which of the following is not an innovation
classification?
(a) Product innovation
(b) Delivery innovation
(c) Market innovation
(d) They are all valid categories with respect to IT innovation
2. Digital products are particularly appealing for a company’s bottomline because
of __________.
(a) the freedom from the law of diminishing returns
(b) the integration of the value chain
(c) the increasing brand recognition
(d) the changes they bring to the industry
3. The differences between B2B and B2C exchanges include __________.
(i) size of customer set
(ii) transaction volume
(iii) form of payment
(iv) level of customization on products/services
(a) (i) and (ii)
(b) (i), (ii), and (iii)
(c) (ii) and (iii)
(d) All of the above
4. What is the most significant part of e-Commerce?
(a) B2B
(b) B2E
(c) B2C
(d) C2C
5. It is particularly difficult to maintain the competition advantage based on
________.
(a) Quality
(b) Efficiency
(c) Price
(d) Internal Cost Reduction
(e) Brand
6. Security-and-risk services include __________.
(a) Firewalls and policies for remote access

Amity Directorate of Distance and Online Education

E-Commerce Essentials 157

(b) Encryption and use of passwords

Notes
(c) Disaster planning and recovery
(d) All of the above
(e) (a) and (b) only
7. Business Plans are important when trying to find capital to start up your new
business. Important elements of a business plan include __________.
(a) sales and marketing
(b) human resources handbook
(c) business description
(d) (a) and (c)
8. E-Commerce increases competition by: erasing geographical boundaries,
empowering customers and suppliers, commoditizing new products, etc. How
do companies usually solve this problem?
(a) By competing on price
(b) By selling only through traditional channels
(c) By lowering costs
(d) By creating attractive websites
9. Why did the e-Commerce boom, as evidenced by soaring stock prices of
Internet businesses such as Pets.com and eToys, went bust in 2000?
(a) Websites started by techies who lack business knowledge
(b) Lack of good business model
(c) Investors’ and entrepreneurs’ greed and ignorance
(d) All of the above
10. The Internet __________.
(a) is providing the infrastructure for electronic business because its
technology and technology standards can also be used to make
information flow seamlessly from one part of the organization to another
(b) provides a much lower cost and easier to use alternative for coordination
activities than proprietary networks
(c) reduces agency costs
(d) does all of the above

5.11 Questions and Exercises

1. What is e-Commerce? Explain advantages and disadvantages of
e-Commerce.
2. Explain the architecture of e-Commerce.
3. Explain the components of e-Commerce.
4. Explain different applications of e-Commerce.
5. What are the different models of e-Commerce?
6. Explain about B2C model.
7. Explain about the Web-based e-Commerce architecture? (OR) What are the
requirements of Web-based e-Commerce?
8. What are the different types of issues to be considered in e-Commerce?
9. What are the basic applications of internet?
10. Explain about E-marketing.

Amity Directorate of Distance and Online Education

158 Web-Enabled Business Processes
11. What is E-marketplace and explain different functions of E-marketplaces?
Notes
12. What are the different types of E-marketplaces?
13. What is an EDI? Explain the advantages of EDI.
14. Write about EDI architecture.
15. What are the different security methods for e-Commerce.
16. What value does e-Commerce bring to traditional business transactions?
17. Why are “open standards” important?
18. What is the value of scripts and applets?
19. What are the most common revenue sources for B2C e-Commerce
companies?

5.12 Key Terms

● E-Commerce vs. Commerce: ‘E-Commerce’ is the abbreviated version of
“Electronic Commerce”, where the word ‘Commerce’ is a general more
inclusive word that describes transactions and interactions from multiple
channels both online and offline.
● Business-to-Business (B2B): The business model and process of one
company selling to another.
● Business-to-Consumer (B2C): The business model and process of a
company selling to direct consumers
● Business-to-Business-to-Consumer (B2B2C): The business model of when
B2B companies create digital strategies and go directly to a business where
there is a known engagement with customers, or go directly to consumers
themselves.
● Bricks and Mortar: A business that has a physical store location (or multiple
locations) where merchandise can be purchased.
● Wholesaler: A person or company that buys goods in large quantities from
various vendors with the intention of selling them to resellers who then sell to
direct to consumer. Distributors and wholesalers usually work together as
channel partners.
● Manufacturer: A person or company that makes goods for sale.
● Customer Lifetime Value (CLV) or Lifetime Value of a Customer (LTV):
The prediction of future revenue, net profit and value that a customer will
generate during the entire relationship with a merchant.
● Conversion Rate: Only one metric in a series of other measures that asses
the health of your e-Commerce business. It is calculated by dividing the
number of people who complete a particular action by the number of visitors to
a particular page/process.
● Conversion Rate Optimization (CRO): The process of improving the user
experience of a website with the goal of increasing the percentage of visitors
that convert into customers.
● Revenue Optimization: A holistic approach to e-Commerce growth. It is about
user-centric design, technical implementation, applied statistics, web analytics,
and most importantly a dedication to continuous improvement through a cycle
of testing and learning. It requires a curiosity to constantly identify new
opportunities for improvement, develop hypotheses, and test solutions.
● Landing Page Optimization: The process of creating, monitoring and
tweaking landing pages to maximize the conversion of traffic.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 159

● Buyer Personas: A research and data-based, semi-fictional representation of

Notes
your ideal customer.
● Customer Segmentation: Targeting your most profitable customer and those
with the highest profit potential. These can include frequent shoppers, high
average order values, few returns, customers that provide reviews, responsive
customers (i.e., respond to special offers and promotions).

5.13 Check Your Progress: Answers

I. Fill in the Blanks
1. four
2. cookie
3. Translation/middleware
4. provides services/uses the services
5. Advertisement/customization
II. True or False
1. True
2. False
3. False
4. False
5. False
III. Multiple Choice Questions
1. (d) They are all valid categories with respect to IT innovation
2. (a) the freedom from the law of diminishing returns
3. (d) All of the above
4. (a) B2B
5. (c) Price
6. (d) All of the above
7. (d) (a) and (c)
8. (c) By lowering costs
9. (d) All of the above
10. (d) does all of the above

5.14 Case Study

Impact of E-Commerce in Today’s Business World

Virtual companies and the internet are changing traditionally accepted economic
practices and making competition even fiercer than it has ever been in the past. As the
internet opens up larger markets to take advantage of, more and more flexible
competitors are entering your market, all offering better priced value propositions in order
to steal market share.
eBusiness: changing the landscape of your industry, the threat is real and it is here
to stay!
Being an industry leader today is in no way a security blanket to confirm tomorrow’s
success. In order to maintain competitive advantage and emerge as an industry leader
tomorrow, established old school companies must be ready to take on the challenge of
some difficult and painful changes.

Amity Directorate of Distance and Online Education

160 Web-Enabled Business Processes
Not only in leveraging IT to its limit but also to change the way employees and
Notes
administration think and work to a whole new level.
A new threat to traditional enterprise has arrived and established vertically
integrated companies are caught off guard on how to defend successfully and win the
war to retain exiting market share while expanding to new markets. Why has the world of
e-Commerce caused such a problem to established enterprise? The reason being that
most brick-and-mortar companies are still strategizing to win according to old rules that
do not apply in today’s eMarket. Today’s truly successful companies must embrace
Information Technology and leverage it in order to achieve great results. Traditional
Economic truths are no longer applicable in the virtual world of the Internet and in
eBusiness, as accepted principles in Physics are not applicable with the inversed world
of a black hole.
Following are some major changes to basic traditional economic thinking and
business strategy that should be looked at carefully in order to adapt successfully into the
future and experience growth.

Vertical Integration is the way, or maybe not…

Vertical Integration was tried, tested and true in the past. The idea being that if you
want something done right, do it yourself. Companies as they grew larger decided to
include more and more processes to be completed in-house. The entire process from
R&D all the way down the chain to the retail level was handled in-house in order to
ensure that it be done exactly according to the requirements set forth at the offset.
However, this mentality is costing companies large unnecessary overheads making them
inefficient and inflexible. In today’s marketplace, there is an immergence of many smaller
highly specialized firms who can execute these processes much more efficiently.
Stick to your core activities. If you are not the absolute best in the industry for
performing a function that can be bought from another provider, DO NOT DO IT
YOURSELF.
Today’s economy is a truly global one. Outsourcing to another company specializing
in a given function can help reduce unnecessary overheads, capital costs and
investments, allowing a lot more room to maneuver and focus on providing customers
with a value product ensuring success.
Traditional companies proud of the costly infrastructure and processes implemented
through years of painful implementation and careful thinking are finding themselves being
out-matched by smaller, leaner companies, even startups, based on the e-Commerce
model. E-Commerce allows new startups to grab a hold of market share previously held
by traditional companies very quickly as, in most cases, they do not carry inventory and
do not have to deal with large overheads. Most e-Commerce enterprises will sell items
that are shipped directly to customers from distributors. This allows more fund allocation
to finding out what the market is asking for and to ensuring superior customer service.
Amazon.com is a good example of how a virtual company challenged traditional
enterprise and grabbed a fair market segment, forcing tradition book stores to also offer
their products online often at a reduced price to what they would be sold at in-store.
This is easier said than done as major investments have been made in the past into
the production and supply chain in order to add value to the process. Therefore, the
disintegration of an enterprise is an extremely scary thought; however, the alternative is
even bleaker.
Careful thinking and forging of the right partnerships is a must in order to ensure
success.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 161

Decreasing or Increasing Returns to Scale? Notes

A classic economic theory is that of Decreasing Returns to Scale, which states that
no enterprise can continue to grow forever profitably. However, this principle does not
apply directly to eBusiness, which has been shown to be able to sustain incredible
growth extremely fast while increasing returns the whole way. The reason being that
e-Commerce is based heavily on information and communication and travels light.
As most eBusinesses have minimal infrastructure and inventory, it is possible to
minimize the effect of this classically accepted economic theory. The bulk of investment
can be allocated to R&D, IT Infrastructure (made upfront) and client relations/support.
After which the cost per unit decreases dramatically compared to traditional models.
Increased returns to scale are also clearly evident for companies in the
information-based product industries; where distribution and sale through e-Commerce
can bring the cost per unit to almost zero. A good example of such enterprise would be
software vendors who allow customers to research and purchase products and added
licenses directly online. This allows a higher level of customer involvement, support and
satisfaction. Most vendors allow clients to download a trial version of the latest release
directly online after filling out a simple questionnaire that can be later used for R&D and
marketing efforts. These trial versions are either limited time trials or with limited
functionality, the former being more popular. The concept of try it before you buy it can
truly be applied in this case.
Other products can also experience what is known as network effects causing the
value of each unit to go up as number of individuals using each unit increases. A good
example is how the common use of flash as a medium to display videos online has
caused most users to have the flash plug-in installed on their computer. There are other
platforms for displaying videos online provided by competitors to Adobe; however, as the
popularity of Flash grows, it is becoming more and more of an industry standard and
therefore benefiting from the network effect.
Another major factor resulting in Increased Returns to Scale is an industry locking in
to a specific vendor’s products. In any given industry, established standards are
imperative for collaboration, therefore markets will converge towards the technology that
is most likely to win out; this effect allowing popular vendors to grab a strong hold of a
given market. In most markets, there will be two or three top vendors who are enjoying
such loyalty from clients. Microsoft products, for instance, have such a market share on
commonly used software applications and eBay is a good example of an online auction
house.
Another example was in the case of Beta vs. VHS – VHS dominating the market and
never allowing BETA to gain popularity in the marketplace.
The flexibility and scalability of e-Commerce allows companies to grow rapidly and
adapt quickly to satisfy the market demands without suffering from Decreasing Returns
to Scale.
Once vertical integration is re-assessed and quality partnerships are forged, a
successful online initiative can result in much greater Increased Returns to Scale than
could be expected through traditional methods. It is important to understand that the
online venture for an established enterprise should always be part of a complete
business model and not always intended to replace existing methods of distribution and
sales but rather to act as an additional venue to gain exposure and increase returns.
Some vendors chose to abandon traditional storefront for a complete virtual storefront.
DELL Computers are a good example of such a company that has experienced
incredible growth while showing Increased Returns to Scale while focusing their efforts

Amity Directorate of Distance and Online Education

162 Web-Enabled Business Processes
on customer service, customer-specific solutions and made to measure products.
Notes
However, this is definitely not a solution for every company.
This is not to say that Decreasing Return to Scale is no longer applicable as it is still
the case when dealing with tangible physical assets. However, this economical principle
has less effect when it comes to intangible intellectual property and is only applicable to
intangible value components of a business. In traditional business models, it is almost
impossible to think of such intangibles and customer service without the consideration of
physical assets, capital as well as recurring costs. In e-Commerce, it is possible to easily
separate these components from the physical and therefore allow easy scalability and
flexibility with minimal added cost. A good example is the outsourcing of customer
service to offshore providers, driving the cost down dramatically while allowing easy
scalability without added cost in infrastructure, HR and training.
The result being that in any given industry, the choices are made early on by
customers. First on the scene will always gain a stronghold on the market, giving it
enough momentum to carry on successfully into the future. This trend can only be upset
by either the vendor making serious strategic mistakes or a competitor offering a
revolutionary new solution with added value at a lower cost making the transition
between vendors worthwhile.

Return on Intangibles
The centrality of physical assets is becoming less important in today’s commercial
reality. In the past, the intangible assets helped businesses to be competitive in their
industry but strong emphasis was also put on their physical assets such as plants and
equipment along with good management (HR), customer relations and support and
IT infrastructure to achieve competitive advantage. However, these intangibles have had
little or no value when separated from a business’s physical core. Intellectual property
added value and was considered as part of the cost of doing business but not a source of
revenue to the business in itself. Developers were not be able to effectively collaborate
with manufacturers to produce the goods causing returns to be small and the
manufacturers would eat into the developer’s profits during the negotiations; the cost of
collaborating between developers and manufacturers was too high.
The internet has allowed companies to give more emphasis to the intangibles and
bring them to the front line and turn their value into revenue. Making communications and
collaboration between companies easy and inexpensive, e-Commerce allows intangible
assets to be leveraged across a much larger buyer base. As e-Commerce offers a model
with no more time and space constrains, companies no longer have to co-locate with the
tangible means of production.
A good example is eBay. With almost no physical assets, eBay was valued at $1.88
billion dollars at the IPO, surpassing Sotheby’s value of $1.02 billion dollars. Physical
assets are not important to businesses within the eEconomy as was in the Industrial age.
But instead it is a company’s intellectual property and customer relationships that drive
e-Commerce businesses and result in positive cash flow and returns.
Once again, a sour note to more established enterprises with large physical assets
and overhead. Such businesses also have great intellectual property, loyal customer
base and market insight gained through years of experience. However, the profit margins
that can be leveraged through these intangibles are all minimized by the inefficiency and
high cost of their physical assets.

Amity Directorate of Distance and Online Education

E-Commerce Essentials 163

The Assumption of “Perfect” Information Notes

One of the basic traditional assumptions in Economics is the assumption that actors
in an economy have access to ‘perfect’ information. Meaning that vendors know what
buyers want and the buyers know exactly what all the vendors are offering. This
assumption has never been truer than in the internet era.
Information has never been perfect and accurate, as it is difficult and expensive to
acquire quality information with some players having more than others. Not all vendors
are equal and have access to the same quality of information. For instance, consumer
goods manufacturers have spent large amounts of money in an attempt to gain insight
into the likes, dislikes, needs and behaviours of their respective markets. In the past, it
was considered a breakthrough when marketing personnel were able to understand and
dissect a large vague client base into smaller less vague customer bases.
Customers also had very little insight about the quality, price, availability and
alternative sources before making a choice in purchasing a product or soliciting a service.
A customer’s primary source of information was advertising, provided directly by the
manufacturers designed to entice a potential client to buy, and through word-of-mouth
reference from a known party, both sources being not objective and/or accurate.
The introduction on the internet allows sellers to be able to get insight on their
customer’s habits and hopes, not only at a segment level, but an individual level,
translating into quality targeted products and services being offered to clients. The web is
having an enormous impact on how customer-driven businesses conduct R&D, service
and market their products to existing and potential clients. Having such information
allows vendors to be able to offer clients exactly what they want, developing a loyal client
base that is fully satisfied. A good example is Dell Computer Corporation. Before, clients
would step into a retail storefront and purchase a pre-configured PC that had been
designed to appeal to a given broad market segment. In today’s world of design your own
PC, Dell offers clients the opportunity to purchase exactly the PC they are looking for,
having 100% customer satisfaction.
The other main aspect that the internet has revolutionized is the availability of an
extensive array of resources about any given product to the client. Comprehensive
information regarding a vendor, their product lines and even reviews made by countless
individuals and its price relative to almost all of its competitors are available online,
usually free of charge. As a result, sellers have lost the power they have gained from the
inequality of information, to the extent where price is no longer the main prerogative, but
rather client satisfaction. Customers are always being bombarded with better
propositions from competitors and vendors must always stay a step ahead to maintain
their client base.
As a result, the customers are always searching and finding great bargains.
Priceline.com, for instance, invites their clients to ‘make an offer’ to airlines and hotels for
their air travel and accommodations at a desired destination, which airlines and hotels
with otherwise empty seats or rooms can decide to take or leave.
Today’s buyers and sellers are both living in an Information Age. We see companies
offering clients more and more transparency in terms of their offers vs. that of their
competitors, with some even going as far as to provide this information within their own
website. For instance, Progressive.com has made it the center of their marketing strategy
to show their clients the offers they would get from competitors, something unheard of in
the past.
The term ‘Perfect’ is still not applicable, but we are the closest today than we have
ever been in the past. Marketers and strategists now must learn to make sense of the

Amity Directorate of Distance and Online Education

164 Web-Enabled Business Processes
vast volume of information they are faced with on a daily basis and learn to read trends
Notes
and filter garbage quickly enough to act faster than ever before.

No Time to Spare
The last revolutionary effect of e-Commerce on strategy stems directly from the fact
of its very virtuality. In the past, businesses wanting to enter the marketplace had to
depend upon the design, means of production, marketing, planning and sales being
coordinated by a central vertical enterprise converging finally at a physical location; the
storefront. This meant a daunting and expensive task for new sellers wishing to enter the
market. If they did not have the right elements all in place and a proper vision of the
future and were unable to bring all the necessary elements together, it meant that they
would not be able to participate in the game and succeed. All these individual elements
had to be performed under one roof, creating the vertical model thanks to the limiting
nature of traditional business in terms of the high costs of collaboration and poor
communications between partners.
These classical restrictions do not apply in the e-Commerce business model as
coordination can be achieved easily, virtually, at a very low cost. Entire supply chains can
be created quickly through linking desktops together. The physical locations of the seller,
the warehouse and the payment processor and whether it is three independent
companies is a fact that is immaterial to the buyer of e-Commerce storefronts. All the
buyer expects is that the quality, price and service are met according to their wants.
This all looks like a great opportunity for any business person looking to carve out a
small piece of the market. Unless you are an established enterprise, in which case the
online e-Commerce sellers are a real dangerous threat. What is to prevent any random
person from registering a URL and entering your market and stealing your share? Not
much, and it is being done everyday, putting established businesses on their knees. On
the other hand, with the industry experience and expertise that established firms have,
along with their existing customer base, what is stopping these businesses from doing
the same? The answer is fear of change and the costs involved in adapting. But
unfortunately, there is not much choice in the matter. If you want to survive, you must
adapt and evolve. Forward thinking CEOs will always maintain their competitive
advantage and survive in an even fiercer marketplace.
Senior executives are notorious for not being proactive. Always being reactive and
not willing to embrace the changes in the marketplace, especially in terms of the real
threat posed by the online sellers. Always thinking in brick-and-mortar terms and being
unable to process the virtual world of e-Commerce. Meeting the new challengers in the
marketplace and emerging victorious can only be achieved by beating the newcomers at
their own game. It’s time to start thinking outside the box and restructuring your business
to adapt to the new market.
A prime example of an established enterprise having difficulty competing with the
newly emerging eBusinesses is that of Blockbuster vs. Netflix. Blockbuster is an
enterprise that has enjoyed many years of success within the market, as one of the
largest video rental and sales franchises in the world. Netflix, being a new e-Commerce
enterprise offering a value proposition to the customers of Blockbuster, has managed to
steal a segment of their market. As the threat was perceived to be real and dangerous,
Blockbuster has implemented a value-added feature to their regular in-store rentals by
allowing customers to rent films online (which they receive in the mail) and exchange
them at a physical storefront if they wish, giving them the added option of exchanging the
viewed DVD for a new one at a local Blockbuster franchise. Whereas the clients of Netflix

Amity Directorate of Distance and Online Education

E-Commerce Essentials 165

have no such option but to mail the DVDs back and eagerly wait for their newly selected
Notes
films to arrive in the post.
The first step in such a frightening evolution is to re-evaluate your business model,
putting less emphasis on the physical infrastructure. Keep in mind the golden rule: ‘Stick
to your core activities. If you are not the absolute best in the industry for performing a
function that can be bought from another provider, DO NOT DO IT YOURSELF”.

List of points that you should review carefully:

1. What are the expectations of the market?
2. What are the products customers want to buy?
3. Am I competitive within my industry?
4. What is the most effective value proposition I can offer to customers in the
short, medium and long run?
5. What roles should I play—make, sell or service—and who are my customers?
6. Who are my competitors, and how do I need to be positioned?
7. What is my operating model?
8. With whom should I partner/network?
Your answers, if they are assisted by a good understanding of your market and
industry, as well as the economic implications and the opportunities of the eEconomy, will
result in a very clear and different vision of your business and its model for the future.
With this in mind, you must implement an enterprise-wide vision for your future which has
to be identified and defined thoroughly; one that will help you get your staff on board and
bring you to your final destination successfully.
For most businesses, achieving such vision will require a greater understanding and
expertise in the strategic and operation applications of Information Technology, which is
the driving force of the quick evolution of e-Commerce. You will definitely need to
incorporate cross-industry, cross-functional perspectives and expertise as the
businesses of the future will be moulded by customer needs and relations and not by
core competencies.
When the smoke clears and the dust settles in the end, strategy is only as good as
its execution. This newly constructed economic strategy will have to be translated into
changes not only related to Technology but also to processes and HR. Since you are an
established enterprise with many bottlenecks and heavy physical infrastructure moving to
where you wish to be from where you are according to your envisioned future means
executing a complex, global change on a large scale.
At the end, it involves a great deal of work and innovative vision which needs to be
shared at all levels of your enterprise. The first step is to take this threat seriously and
begin planning for the defense.

5.15 Further Readings

1. Internet Commerce: Digital Models for Business, Lawrence et al., Wiley
2. Electronic Commerce: A Manager’s Guide, Kalakota et al., Addison-Wesley
3. Frontiers of Electronic Commerce, Kalakota et al., Addison-Wesley
4. Web Commerce Technology Handbook, Minoli et al., McGraw Hill
5. The Economics of Electronic Commerce, Choi et al., MacMillan
6. Designing Systems for Electronic Commerce, Treese et a., Addison-Wesley

Amity Directorate of Distance and Online Education

166 Web-Enabled Business Processes

Notes

Unit 6: E-Commerce Security

Structure:
6.1 Threats
6.1.1 Delivery Methods
6.1.2 Growth of Web Threats
6.1.3 Prevention and Detection
6.2 Measure to Counter Threats
6.2.1 STRIDE
6.2.2 STRIDE Threats and Countermeasures
6.2.3 Network Threats and Countermeasures
6.3 Application Threats and Countermeasures
6.3.1 Input Validation
6.3.2 Buffer Overflows
6.3.3 Cross-site Scripting
6.3.4 SQL Injection
6.3.5 Canonicalization
6.3.6 Authentication
6.4 Authorization
6.4.1 Elevation of Privilege
6.4.2 Disclosure of Confidential Data
6.4.3 Data Tampering
6.4.4 Luring Attacks
6.5 Configuration Management
6.5.1 Unauthorized Access to Administration Interfaces
6.5.2 Unauthorized Access to Configuration Stores
6.5.3 Retrieval of Plaintext Configuration Secrets
6.5.4 Lack of Individual Accountability
6.5.5 Overprivileged Application and Service Accounts
6.6 Cryptography
6.6.1 History of Cryptography
6.7 Encryption and Decryption
6.7.1 RSA Encryption
6.7.2 RSA Decryption
6.8 RSA Analysis
6.8.1 ElGamal Cryptosystem
6.8.2 Generation of ElGamal Key Pair
6.9 Elliptic Curve Cryptography (ECC)
6.10 Cryptography Digital Signatures
6.11 Model of Digital Signature
6.12 Importance of Digital Signature

Amity Directorate of Distance and Online Education

E-Commerce Security 167

6.13 Public Key Infrastructure (PKI)

Notes
6.14 Certifying Authority (CA)
6.15 Cryptography – Benefits
6.16 Future of Cryptography
6.17 Watermark
6.18 Cylinder Mould Process
6.19 Summary
6.20 Check Your Progress
6.21 Questions and Exercises
6.22 Key Terms
6.23 Check Your Progress: Answers
6.24 Case Study
6.25 Further Readings

Objectives
After going through this unit, you should be able to know:
Ɣ Significance of cryptography to maintain the privacy of computer data
Ɣ Security Services of Cryptography
Ɣ Cryptography Primitives
Ɣ Components of a Cryptosystem
Ɣ Types of Cryptosystems
Ɣ Digital Signature
Ɣ A Case Study based on this Unit

6.1 Threats
A web threat is any threat that uses the World Wide Web to facilitate cybercrime.
Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS
protocols, but may also employ other protocols and components, such as links in e-mail
or IM, or malware attachments or on servers that access the Web. They benefit
cybercriminals by stealing information for subsequent sale and help absorb infected PCs
into botnets. Web threats pose a broad range of risks, including financial damages,
identity theft, loss of confidential information/data, theft of network resources, damaged
brand/personal reputation, and erosion of consumer confidence in e-Commerce and
online banking.
It is a type of threat related to information technology (IT). The IT risk, i.e., risk
affecting has gained an increasing impact on society due to the spread of IT processes.

6.1.1 Delivery Methods

Web threats can be divided into two primary categories, based on delivery method –
push and pull. Push-based threats use spam, phishing, or other fraudulent means to lure
a user to a malicious (often spoofed) website which then collects information and/or
injects malware. Push attacks use phishing, DNS poisoning (or pharming), and other
means to appear to originate from a trusted source.

Amity Directorate of Distance and Online Education

168 Web-Enabled Business Processes
Precisely-targeted push-based web threats are often referred to as spear phishing
Notes
to reflect the focus of their data gathering attack. Spear phishing typically targets specific
individuals and groups for financial gain. In other push-based web threats, malware
authors use social engineering such as enticing subject lines that reference holidays,
popular personalities, sports, pornography, world events and other hot topics to persuade
recipients to open the e-mail and follow links to malicious websites or open attachments
with malware that accesses the Web.
Pull-based web threats are often referred to as “drive-by” threats by experts (and
more commonly as “drive-by downloads” by journalists and the general public), since
they can affect any website visitor. Cybercriminals infect legitimate websites, which
unknowingly transmit malware to visitors or alter search results to take users to malicious
websites. Upon loading the page, the user’s browser passively runs a malware
downloader in a hidden HTML frame (IFRAME) without any user interaction.

6.1.2 Growth of Web Threats

“And if today’s malware mostly runs on Windows because it’s the commonest
executable platform, tomorrow’s will likely run on the Web, for the very same reason.
Because, like it or not, the Web is already a huge executable platform, and we should
start thinking of it this way, from a security perspective.” – Giorgio Maone
The growth of web threats is a result of the popularity of the Web – a relatively
unprotected, widely and consistently used medium that is crucial to business productivity,
online banking, and e-Commerce as well as the everyday lives of people worldwide. The
appeal of Web 2.0 applications and websites increases the vulnerability of the Web. Most
Web 2.0 applications make use of AJAX, a group of web development programming tools
used for creating interactive web applications or rich Internet applications. While users
benefit from greater interactivity and more dynamic websites, they are also exposed to
the greater security risks inherent in browser client processing.

Examples
In September 2008, malicious hackers broke into several sections of
BusinessWeek.com to redirect visitors to malware hosting websites. Hundreds of pages
were compromised with malicious JavaScript pointing to third-party servers.
In August 2008, popular social networking sites were hit by a worm using social
engineering techniques to get users to install a piece of malware. The worm installs
comments on the sites with links to a fake site. If users follow the link, they are told they
need to update their Flash Player. The installer then installs malware rather than the
Flash Player. The malware then downloads a rogue anti-spyware application, AntiSpy
Spider.
In May 2008, websites worldwide were compromised with a malicious JavaScript.
Initially, a half million websites worldwide were infected with a SQL injection which
leveraged a ZLOB variant which then downloaded additional Trojan onto users’ PCs.
Then websites in China, Taiwan and Singapore were compromised followed shortly
thereafter by humanitarian, government and news sites in the UK, Israel and Asia. In this
attack, the compromised websites led, through a variety of redirects, to the download of a
Trojan.

6.1.3 Prevention and Detection

Conventional approaches have failed to fully protect consumers and businesses
from web threats. The most viable approach is to implement multi-layered

Amity Directorate of Distance and Online Education

E-Commerce Security 169

protection—protection in the cloud, at the Internet gateway, across network servers and
Notes
on the client.
6.2 Measure to Counter Threats
When you incorporate security features into your application’s design,
implementation, and deployment, it helps to have a good understanding of how attackers
think. By thinking like attackers and being aware of their likely tactics, you can be more
effective when applying countermeasures. This unit describes the classic attacker
methodology and profiles the anatomy of a typical attack.
This unit analyzes Web application security from the perspectives of threats,
countermeasures, vulnerabilities, and attacks. The following set of core terms are defined
to avoid confusion and to ensure they are used in the correct context.
Ɣ Asset. A resource of value such as the data in a database or on the file system,
or a system resource
Ɣ Threat. A potential occurrence — malicious or otherwise — that may harm an
asset
Ɣ Vulnerability. A weakness that makes a threat possible
Ɣ Attack (or exploit). An action taken to harm an asset
Ɣ Countermeasure. A safeguard that addresses a threat and mitigates risk
This unit also identifies a set of common network, host, and application level threats,
and the recommended countermeasures to address each one. The unit does not contain
an exhaustive list of threats, but it does highlight many top threats. With this information
and knowledge of how an attacker works, you will be able to identify additional threats.
You need to know the threats that are most likely to impact your system to be able to
build effective threat models.
By understanding the basic approach used by attackers to target your Web
application, you will be better equipped to take defensive measures because you will
know what you are up against. The basic steps in attacker methodology are summarized
below and illustrated in Figure 6.1:
Ɣ Survey and assess
Ɣ Exploit and penetrate
Ɣ Escalate privileges
Ɣ Maintain access
Ɣ Deny service

Survey and Assess Exploit and Penetrate Escalate Privileges

Maintain Access Deny Service

Figure 6.1

Amity Directorate of Distance and Online Education

170 Web-Enabled Business Processes
Basic Steps for Attacking Methodology
Notes
1. Survey and Assess: Surveying and assessing the potential target are done in
tandem. The first step an attacker usually takes is to survey the potential target
to identify and assess its characteristics. These characteristics may include its
supported services and protocols together with potential vulnerabilities and
entry points. The attacker uses the information gathered in the survey and
assess phase to plan an initial attack.
For example, an attacker can detect a cross-site scripting (XSS) vulnerability
by testing to see if any controls in a Web page echo back output.
2. Exploit and Penetrate: Having surveyed a potential target, the next step is to
exploit and penetrate. If the network and host are fully secured, your
application (the front gate) becomes the next channel for attack.
For an attacker, the easiest way into an application is through the same
entrance that legitimate users use — for example, through the application’s
logon page or a page that does not require authentication.
3. Escalate Privileges: After attackers manage to compromise an application or
network, perhaps by injecting code into an application or creating an
authenticated session with the Microsoft® Windows® 2000 operating system,
they immediately attempt to escalate privileges. Specifically, they look for
administration privileges provided by accounts that are members of the
Administrators group. They also seek out the high level of privileges offered by
the local system account.
Using least privileged service accounts throughout your application is a primary
defense against privilege escalation attacks. Also, many network level privilege
escalation attacks require an interactive logon session.
4. Maintain Access: Having gained access to a system, an attacker takes steps
to make future access easier and to cover his or her tracks. Common
approaches for making future access easier include planting back-door
programs or using an existing account that lacks strong protection. Covering
tracks typically involves clearing logs and hiding tools. As such, audit logs are a
primary target for the attacker.
Log files should be secured, and they should be analyzed on a regular basis.
Log file analysis can often uncover the early signs of an attempted break-in
before damage is done.
5. Deny Service: Attackers who cannot gain access often mount a
denial-of-service attack to prevent others from using the application. For other
attackers, the denial-of-service option is their goal from the outset. An example
is the SYN flood attack, where the attacker uses a program to send a flood of
TCP SYN requests to fill the pending connection queue on the server. This
prevents other users from establishing network connections.
6. Understanding Threat Categories: While there are many variations of
specific attacks and attack techniques, it is useful to think about threats in
terms of what the attacker is trying to achieve. This changes your focus from
the identification of every specific attack — which is really just a means to an
end — to focusing on the end results of possible attacks.

6.2.1 STRIDE
Threats faced by the application can be categorized based on the goals and
purposes of the attacks. A working knowledge of these categories of threats can help you

Amity Directorate of Distance and Online Education

E-Commerce Security 171

organize a security strategy so that you have planned responses to threats. STRIDE is
Notes
the acronym used at Microsoft to categorize different threat types. STRIDE stands for:
Ɣ Spoofing. Spoofing is attempting to gain access to a system by using a false
identity. This can be accomplished using stolen user credentials or a false IP
address. After the attacker successfully gains access as a legitimate user or
host, elevation of privileges or abuse using authorization can begin.
Ɣ Tampering. Tampering is the unauthorized modification of data, for example,
as it flows over a network between two computers.
Ɣ Repudiation. Repudiation is the ability of users (legitimate or otherwise) to
deny that they performed specific actions or transactions. Without adequate
auditing, repudiation attacks are difficult to prove.
Ɣ Information disclosure. Information disclosure is the unwanted exposure of
private data. For example, a user views the contents of a table or file he or she
is not authorized to open, or monitors data passed in plaintext over a network.
Some examples of information disclosure vulnerabilities include the use of
hidden form fields, comments embedded in Web pages that contain database
connection strings and connection details, and weak exception handling that
can lead to internal system level details being revealed to the client. Any of this
information can be very useful to the attacker.
Ɣ Denial of service. Denial of service is the process of making a system or
application unavailable. For example, a denial-of-service attack might be
accomplished by bombarding a server with requests to consume all available
system resources or by passing it malformed input data that can crash an
application process.
Ɣ Elevation of privilege. Elevation of privilege occurs when a user with limited
privileges assumes the identity of a privileged user to gain privileged access to
an application. For example, an attacker with limited privileges might elevate
his or her privilege level to compromise and take control of a highly privileged
and trusted process or account.

6.2.2 STRIDE Threats and Countermeasures

Each threat category described by STRIDE has a corresponding set of
countermeasure techniques that should be used to reduce risk. These are summarized in
Table 6.1. The appropriate countermeasure depends upon the specific attack. More
threats, attacks, and countermeasures that apply at the network, host, and application
levels are presented later in this unit.
Table 6.1: STRIDE Threats and Countermeasures

Threat Countermeasures
Use strong authentication.
Do not store secrets (for example, passwords) in plaintext.
Spoofing user identity
Do not pass credentials in plaintext over the wire.
Protect authentication cookies with Secure Sockets Layer (SSL).
Use data hashing and signing.
Tampering with data Use digital signatures.
Use strong authorization.
Use tamper-resistant protocols across communication links.

Amity Directorate of Distance and Online Education

172 Web-Enabled Business Processes

Notes Secure communication links with protocols that provide message

integrity.
Repudiation Create secure audit trails.
Use digital signatures.
Use strong authorization.
Use strong encryption.
Information disclosure
Secure communication links with protocols that provide message
confidentiality.
Do not store secrets (for example, passwords) in plaintext.
Use resource and bandwidth throttling techniques.
Denial of service
Validate and filter input.
Follow the principle of least privilege and use least privileged
Elevation of privilege
service accounts to run processes and access resources.

6.2.3 Network Threats and Countermeasures

The primary components that make up your network infrastructure are routers,
firewalls, and switches. They act as the gatekeepers guarding your servers and
applications from attacks and intrusions. An attacker may exploit poorly configured
network devices. Common vulnerabilities include weak default installation settings, wide
open access controls, and devices lacking the latest security patches. Top network level
threats include:
Ɣ Information gathering
Ɣ Sniffing
Ɣ Spoofing
Ɣ Session hijacking
Ɣ Denial of service

Information Gathering
Network devices can be discovered and profiled in much the same way as other
types of systems. Attackers usually start with port scanning. After they identify open ports,
they use banner grabbing and enumeration to detect device types and to determine
operating system and application versions. Armed with this information, an attacker can
attack known vulnerabilities that may not be updated with security patches.
Countermeasures to prevent information gathering include:
Ɣ Configure routers to restrict their responses to footprinting requests.
Ɣ Configure operating systems that host network software (for example, software
firewalls) to prevent footprinting by disabling unused protocols and
unnecessary ports.

Sniffing
Sniffing or eavesdropping is the act of monitoring traffic on the network for data such
as plaintext passwords or configuration information. With a simple packet sniffer, an
attacker can easily read all plaintext traffic. Also, attackers can crack packets encrypted
by lightweight hashing algorithms and can decipher the payload that you considered to
be safe. The sniffing of packets requires a packet sniffer in the path of the server/client
communication.
Countermeasures to help prevent sniffing include:
Amity Directorate of Distance and Online Education
E-Commerce Security 173

Ɣ Use strong physical security and proper segmenting of the network. This is the
Notes
first step in preventing traffic from being collected locally.
Ɣ Encrypt communication fully, including authentication credentials. This
prevents sniffed packets from being usable to an attacker. SSL and IPSec
(Internet Protocol Security) are examples of encryption solutions.

Spoofing
Spoofing is a means to hide one’s true identity on the network. To create a spoofed
identity, an attacker uses a fake source address that does not represent the actual
address of the packet. Spoofing may be used to hide the original source of an attack or to
work around network access control lists (ACLs) that are in place to limit host access
based on source address rules.
Although carefully crafted spoofed packets may never be tracked to the original
sender, a combination of filtering rules prevents spoofed packets from originating from
your network, allowing you to block obviously spoofed packets.
Countermeasures to prevent spoofing include:
Ɣ Filter incoming packets that appear to come from an internal IP address at your
perimeter.
Ɣ Filter outgoing packets that appear to originate from an invalid local IP address.

Session Hijacking
Also known as man-in-the-middle attacks, session hijacking deceives a server or a
client into accepting the upstream host as the actual legitimate host. Instead the
upstream host is an attacker’s host that is manipulating the network, so the attacker’s
host appears to be the desired destination.
Countermeasures to help prevent session hijacking include:
Ɣ Use encrypted session negotiation.
Ɣ Use encrypted communication channels.
Ɣ Stay informed of platform patches to fix TCP/IP vulnerabilities, such as
predictable packet sequences.

Denial of Service
Denial of service denies legitimate users’ access to a server or services. The SYN
flood attack is a common example of a network level denial-of-service attack. It is easy to
launch and difficult to track. The aim of the attack is to send more requests to a server
than it can handle. The attack exploits a potential vulnerability in the TCP/IP connection
establishment mechanism and floods the server’s pending connection queue.
Countermeasures to prevent denial of service include:
Ɣ Apply the latest service packs.
Ɣ Harden the TCP/IP stack by applying the appropriate registry settings to
increase the size of the TCP connection queue, decrease the connection
establishment period, and employ dynamic backlog mechanisms to ensure that
the connection queue is never exhausted.
Ɣ Use a network Intrusion Detection System (IDS) because these can
automatically detect and respond to SYN attacks.

Host Threats and Countermeasures

Host threats are directed at the system software upon which your applications are
built. This includes Windows 2000, Microsoft Windows Server 2003, Internet Information

Amity Directorate of Distance and Online Education

174 Web-Enabled Business Processes
Services (IIS), the .NET Framework, and SQL Server depending upon the specific server
Notes
role. Top host level threats include:
Ɣ Viruses, Trojan horses, and worms
Ɣ Footprinting
Ɣ Profiling
Ɣ Password cracking
Ɣ Denial of service
Ɣ Arbitrary code execution
Ɣ Unauthorized access

Viruses, Trojan Horses, and Worms

A virus is a program that is designed to perform malicious acts and cause disruption
to your operating system or applications. A Trojan horse resembles a virus except that
the malicious code is contained inside what appears to be a harmless data file or
executable program. A worm is similar to a Trojan horse except that it self-replicates from
one server to another. Worms are difficult to detect because they do not regularly create
files that can be seen. They are often noticed only when they begin to consume system
resources because the system slows down or the execution of other programs halt. The
Code Red Worm is one of the most notorious to afflict IIS; it relied upon buffer overflow
vulnerability in a particular ISAPI filter.
Although these three threats are actually attacks, together they pose a significant
threat to Web applications, the hosts these applications live on, and the network used to
deliver these applications. The success of these attacks on any system is possible
through many vulnerabilities such as weak defaults, software bugs, user error, and
inherent vulnerabilities in Internet protocols.
Countermeasures that you can use against viruses, Trojan horses, and worms
include:
Ɣ Stay current with the latest operating system service packs and software
patches.
Ɣ Block all unnecessary ports at the firewall and host.
Ɣ Disable unused functionality including protocols and services.
Ɣ Harden weak, default configuration settings.

Footprinting
Examples of footprinting are port scans, ping sweeps, and NetBIOS enumeration
that can be used by attackers to glean valuable system-level information to help prepare
for more significant attacks. The type of information potentially revealed by footprinting
includes account details, operating system and other software versions, server names,
and database schema details.
Countermeasures to help prevent footprinting include:
Ɣ Disable unnecessary protocols.
Ɣ Lock down ports with the appropriate firewall configuration.
Ɣ Use TCP/IP and IPSec filters for defense in depth.
Ɣ Configure IIS to prevent information disclosure through banner grabbing.
Ɣ Use an IDS that can be configured to pick up footprinting patterns and reject
suspicious traffic.

Amity Directorate of Distance and Online Education

E-Commerce Security 175

Password Cracking
Notes
If the attacker cannot establish an anonymous connection with the server, he or she
will try to establish an authenticated connection. For this, the attacker must know a valid
username and password combination. If you use default account names, you are giving
the attacker a head-start. Then the attacker only has to crack the account’s password.
The use of blank or weak passwords makes the attacker’s job even easier.
Countermeasures to help prevent password cracking include:
Ɣ Use strong passwords for all account types.
Ɣ Apply lockout policies to end-user accounts to limit the number of retry
attempts that can be used to guess the password.
Ɣ Do not use default account names, and rename standard accounts such as the
administrator’s account and the anonymous Internet user account used by
many Web applications.
Ɣ Audit failed logins for patterns of password hacking attempts.

Denial of Service
Denial of service can be attained by many methods aimed at several targets within
your infrastructure. At the host, an attacker can disrupt service by brute force against
your application, or an attacker may know of a vulnerability that exists in the service your
application is hosted in or in the operating system that runs your server.
Countermeasures to help prevent denial of service include:
Ɣ Configure your applications, services, and operating system with denial of
service in mind.
Ɣ Stay current with patches and security updates.
Ɣ Harden the TCP/IP stack against denial of service.
Ɣ Make sure your account lockout policies cannot be exploited to lock out
well-known service accounts.
Ɣ Make sure your application is capable of handling high volumes of traffic and
that thresholds are in place to handle abnormally high loads.
Ɣ Review your application’s failover functionality.
Ɣ Use an IDS that can detect potential denial-of-service attacks.

Arbitrary Code Execution

If an attacker can execute malicious code on your server, the attacker can either
compromise server resources or mount further attacks against downstream systems.
The risks posed by arbitrary code execution increase if the server process under which
the attacker’s code runs is overprivileged. Common vulnerabilities include weak IIS
configuration and unpatched servers that allow path traversal and buffer overflow attacks,
both of which can lead to arbitrary code execution.
Countermeasures to help prevent arbitrary code execution include:
Ɣ Configure IIS to reject URLs with “../” to prevent path traversal.
Ɣ Lock down system commands and utilities with restricted ACLs.
Ɣ Stay current with patches and updates to ensure that newly discovered buffer
overflows are speedily patched.

Amity Directorate of Distance and Online Education

176 Web-Enabled Business Processes
Unauthorized Access
Notes
Inadequate access controls could allow an unauthorized user to access restricted
information or perform restricted operations. Common vulnerabilities include weak IIS
Web access controls, including Web permissions and weak NTFS permissions.
Countermeasures to help prevent unauthorized access include:
Ɣ Configure secure Web permissions.
Ɣ Lock down files and folders with restricted NTFS permissions.
Ɣ Use. NET Framework access control mechanisms within your ASP.NET
applications, including URL authorization and principal permission demands.

6.3 Application Threats and Countermeasures

A good way to analyze application-level threats is to organize them by application
vulnerability category. The various categories used in the subsequent sections of this unit
and throughout the guide, together with the main threats to your application, are
summarized in Table 6.2.
Table 6.2: Threats by Application Vulnerability Category

Category Threats
Input validation Buffer overflow; cross-site scripting; SQL injection;
canonicalization
Authentication Network eavesdropping; brute force attacks
dictionary attacks; cookie replay; credential theft
Authorization Elevation of privilege; disclosure of confidential data; data
tampering; luring attacks
Configuration Unauthorized access to administration interfaces;
management unauthorized access to configuration stores; retrieval of clear
text configuration data; lack of individual accountability;
overprivileged process and service accounts
Sensitive data Access sensitive data in storage; network eavesdropping;
data tampering
Session management Session hijacking; session replay; man in the middle
Cryptography Poor key generation or key management; weak or custom
encryption
Parameter manipulation Query string manipulation; form field manipulation; cookie
manipulation; HTTP header manipulation
Exception management Information disclosure; denial of service
Auditing and logging User denies performing an operation; attacker exploits an
application without trace; attacker covers his or her tracks

6.3.1 Input Validation

Input validation is a security issue if an attacker discovers that your application
makes unfounded assumptions about the type, length, format, or range of input data. The
attacker can then supply carefully crafted input that compromises your application.
When network and host level entry points are fully secured, the public interfaces
exposed by your application become the only source of attack. The input to your
application is a means to both test your system and a way to execute code on an
Amity Directorate of Distance and Online Education
E-Commerce Security 177

attacker’s behalf. Does your application blindly trust input? If it does, your application
Notes
may be susceptible to the following:
Ɣ Buffer overflows
Ɣ Cross-site scripting
Ɣ SQL injection
Ɣ Canonicalization
The following section examines these vulnerabilities in detail, including what makes
these vulnerabilities possible.

6.3.2 Buffer Overflows

Buffer overflow vulnerabilities can lead to denial-of-service attacks or code injection.
A denial-of-service attack causes a process crash; code injection alters the program
execution address to run an attacker’s injected code. The following code fragment
illustrates a common example of buffer overflow vulnerability.
void SomeFunction( char *pszInput )
{
char szBuffer[10];
// Input is copied straight into the buffer when no type checking is performed
strcpy(szBuffer, pszInput);
...
}
Managed .NET code is not susceptible to this problem because array bounds are
automatically checked whenever an array is accessed. This makes the threat of buffer
overflow attacks on managed code much less of an issue. It is still a concern, however,
especially where managed code calls unmanaged APIs or COM objects.
Countermeasures to help prevent buffer overflows include:
Ɣ Perform thorough input validation. This is the first line of defense against buffer
overflows. Although a bug may exist in your application that permits expected
input to reach beyond the bounds of a container, unexpected input will be the
primary cause of this vulnerability. Constrain input by validating it for type,
length, format and range.
Ɣ When possible, limit your application’s use of unmanaged code, and thoroughly
inspect the unmanaged APIs to ensure that input is properly validated.
Ɣ Inspect the managed code that calls the unmanaged API to ensure that only
appropriate values can be passed as parameters to the unmanaged API.
Ɣ Use the /GS flag to compile code developed with the Microsoft Visual C++®
development system. The /GS flag causes the compiler to inject security
checks into the compiled code. This is not a fail-proof solution or a replacement
for your specific validation code; it does, however, protect your code from
commonly known buffer overflow attacks. For more information, see the .NET
Framework Product Documentation http://msdn.microsoft. com/en-us/librar y/8
dbf701c(VS.71).aspx and Microsoft Knowledge Base article 325483 “WebCast:
Compiler Security Checks: The –GS Compiler switch”.

Example of Code Injection through Buffer Overflows

An attacker can exploit a buffer overflow vulnerability to inject code. With this attack,
a malicious user exploits an unchecked buffer in a process by supplying a carefully

Amity Directorate of Distance and Online Education

178 Web-Enabled Business Processes
constructed input value that overwrites the program’s stack and alters a function’s return
Notes
address. This causes execution to jump to the attacker’s injected code.
The attacker’s code usually ends up running under the process security context.
This emphasizes the importance of using least privileged process accounts. If the current
thread is impersonating, the attacker’s code ends up running under the security context
defined by the thread impersonation token. The first thing an attacker usually does is call
the RevertToSelf API to revert to the process level security context that the attacker
hopes has higher privileges.
Make sure you validate input for type and length, especially before you call
unmanaged code because unmanaged code is particularly susceptible to buffer
overflows.

6.3.3 Cross-site Scripting

An XSS attack can cause arbitrary code to run in a user’s browser while the browser
is connected to a trusted website. The attack targets your application’s users and not the
application itself, but it uses your application as the vehicle for the attack.
Because the script code is downloaded by the browser from a trusted site, the
browser has no way of knowing that the code is not legitimate. Internet Explorer security
zones provide no defense. Since the attacker’s code has access to the cookies
associated with the trusted site and are stored on the user’s local computer, a user’s
authentication cookies are typically the target of attack.

Example of Cross-site Scripting

To initiate the attack, the attacker must convince the user to click on a carefully
crafted hyperlink, for example, by embedding a link in an e-mail sent to the user or by
adding a malicious link to a newsgroup posting. The link points to a vulnerable page in
your application that echoes the unvalidated input back to the browser in the HTML
output stream. For example, consider the following two links.
Here is a legitimate link:
www.yourwebapplication.com/logon.aspx?username=bob
Here is a malicious link:
www.yourwebapplication.com/logon.aspx?username=<script>alert( ‘hackercode’)
</script>
If the Web application takes the query string, fails to properly validate it, and then
returns it to the browser, the script code executes in the browser. The preceding example
displays a harmless pop-up message. With the appropriate script, the attacker can easily
extract the user’s authentication cookie, post it to his site, and subsequently make a
request to the target website as the authenticated user.
Countermeasures to prevent XSS include:
Ɣ Perform thorough input validation. Your applications must ensure that input
from query strings, form fields, and cookies are valid for the application.
Consider all users input as possibly malicious, and filter or sanitize for the
context of the downstream code. Validate all input for known valid values and
then reject all other input. Use regular expressions to validate input data
received via HTML form fields, cookies, and query strings.
Ɣ Use HTML Encode and URL Encode functions to encode any output that
includes user input. This converts executable script into harmless HTML.

Amity Directorate of Distance and Online Education

E-Commerce Security 179

6.3.4 SQL Injection Notes

A SQL injection attack exploits vulnerabilities in input validation to run arbitrary
commands in the database. It can occur when your application uses input to construct
dynamic SQL statements to access the database. It can also occur if your code uses
stored procedures that are passed strings that contain unfiltered user input. Using the
SQL injection attack, the attacker can execute arbitrary commands in the database. The
issue is magnified if the application uses an overprivileged account to connect to the
database. In this instance, it is possible to use the database server to run operating
system commands and potentially compromise other servers, in addition to being able to
retrieve, manipulate, and destroy data.

Example of SQL Injection

Your application may be susceptible to SQL injection attacks when you incorporate
unvalidated user input into database queries. Particularly susceptible is code that
constructs dynamic SQL statements with unfiltered user input. Consider the following
code:
SqlDataAdapter myCommand = new SqlDataAdapter(
"SELECT * FROM Users
WHERE UserName ='" + txtuid.Text + "'", conn);
Attackers can inject SQL by terminating the intended SQL statement with the single
quote character followed by a semicolon character to begin a new command, and then
executing the command of their choice. Consider the following character string entered
into the txtuid field.
';DROP TABLE Customers -
This results in the following statement being submitted to the database for
execution.
SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'
This deletes the Customers’ table, assuming that the application’s login has
sufficient permissions in the database (another reason to use a least privileged login in
the database). The double dash (--) denotes a SQL comment and is used to comment
out any other characters added by the programmer, such as the trailing quote.
Note: The semicolon is not actually required. SQL Server will execute two
commands separated by spaces.
Other more subtle tricks can be performed. Supplying this input to the txtuid field:
'OR 1=1 -
builds this command:
SELECT * FROM Users WHERE UserName='' OR 1=1 -
Because 1=1 is always true, the attacker retrieves every row of data from the Users
table.
Countermeasures to prevent SQL injection include:
Ɣ Perform thorough input validation. Your application should validate its input
prior to sending a request to the database.
Ɣ Use parameterized stored procedures for database access to ensure that input
strings are not treated as executable statements. If you cannot use stored
procedures, use SQL parameters when you build SQL commands.
Ɣ Use least privileged accounts to connect to the database.

Amity Directorate of Distance and Online Education

180 Web-Enabled Business Processes

Notes 6.3.5 Canonicalization

Different forms of input that resolve to the same standard name (the canonical
name), is referred to as canonicalization. Code is particularly susceptible to
canonicalization issues if it makes security decisions based on the name of a resource
that is passed to the program as input. Files, paths, and URLs are resource types that
are vulnerable to canonicalization because in each case there are many different ways to
represent the same name. File names are also problematic. For example, a single file
could be represented as:
c:\temp\somefile.dat
somefile.dat
c:\temp\subdir\..\somefile.dat
c:\ temp\ somefile.dat
..\somefile.dat
Ideally, your code should not accept input file names. If it does, the name should be
converted to its canonical form prior to making security decisions, such as whether
access should be granted or denied to the specified file.
Countermeasures to address canonicalization issues include:
Ɣ Avoid using file names as input where possible and instead use absolute file
paths that cannot be changed by the end-user.
Ɣ Make sure that file names are well formed (if you must accept file names as
input) and validate them within the context of your application. For example,
check that they are within your application’s directory hierarchy.
Ɣ Ensure that the character encoding is set correctly to limit how input can be
represented. Check that your application’s Web.config has set the
requestEncoding and responseEncoding attributes on the <globalization>
element.

6.3.6 Authentication
Depending on your requirements, there are several available authentication
mechanisms to choose from. If they are not correctly chosen and implemented, the
authentication mechanism can expose vulnerabilities that attackers can exploit to gain
access to your system. The top threats that exploit authentication vulnerabilities include:
Ɣ Network eavesdropping
Ɣ Brute force attacks
Ɣ Dictionary attacks
Ɣ Cookie replay attacks
Ɣ Credential theft

Network Eavesdropping
If authentication credentials are passed in plaintext from client to server, an attacker
armed with rudimentary network monitoring software on a host on the same network can
capture traffic and obtain user names and passwords.
Countermeasures to prevent network eavesdropping include:
Ɣ Use authentication mechanisms that do not transmit the password over the
network such as Kerberos protocol or Windows authentication.
Ɣ Make sure passwords are encrypted (if you must transmit passwords over the
network) or use an encrypted communication channel, for example with SSL.

Amity Directorate of Distance and Online Education

E-Commerce Security 181

Brute Force Attacks

Notes
Brute force attacks rely on computational power to crack hashed passwords or other
secrets secured with hashing and encryption. To mitigate the risk, use strong passwords.
Additionally, use hashed passwords with salt; this slows down the attacker considerably
and allows sufficient time for countermeasures to be activated.

Dictionary Attacks
This attack is used to obtain passwords. Most password systems do not store
plaintext passwords or encrypted passwords. They avoid encrypted passwords because
a compromised key leads to the compromise of all passwords in the data store. Lost keys
mean that all passwords are invalidated.
Most user store implementations hold password hashes (or digests). Users are
authenticated by recomputing the hash based on the user-supplied password value and
comparing it against the hash value stored in the database. If an attacker manages to
obtain the list of hashed passwords, a brute force attack can be used to crack the
password hashes.
With the dictionary attack, an attacker uses a program to iterate through all of the
words in a dictionary (or multiple dictionaries in different languages) and computes the
hash for each word. The resultant hash is compared with the value in the data store.
Weak passwords such as “Yankees” (a favourite team) or “Mustang” (a favourite car) will
be cracked quickly. Stronger passwords such as “?You'LlNevaFiNdMeyePasSWerd!”,
are less likely to be cracked.
Note: Once the attacker has obtained the list of password hashes, the dictionary
attack can be performed offline and does not require interaction with the application.
Countermeasures to prevent dictionary attacks include:
Ɣ Use strong passwords that are complex, are not regular words, and contain a
mixture of upper case, lower case, numeric, and special characters.
Ɣ Store non-reversible password hashes in the user store. Also combine a salt
value (a cryptographically strong random number) with the password hash.
For more information about storing password hashes with added salt, see Unit 14,
“Building Secure Data Access”.

Cookie Replay Attacks

With this type of attack, the attacker captures the user’s authentication cookie using
monitoring software and replays it to the application to gain access under a false identity.
Countermeasures to prevent cookie replay include:
Ɣ Use an encrypted communication channel provided by SSL whenever an
authentication cookie is transmitted.
Ɣ Use a cookie timeout to a value that forces authentication after a relatively
short time interval. Although this doesn’t prevent replay attacks, it reduces the
time interval in which the attacker can replay a request without being forced to
re-authenticate because the session has timed out.

Credential Theft
If your application implements its own user store containing user account names
and passwords, compare its security to the credential stores provided by the platform, for
example, a Microsoft Active Directory® directory service or Security Accounts Manager
(SAM) user store. Browser history and cache also store user login information for future

Amity Directorate of Distance and Online Education

182 Web-Enabled Business Processes
use. If the terminal is accessed by someone other than the user who logged on, and the
Notes
same page is hit, the saved login will be available.
Countermeasures to help prevent credential theft include:
Ɣ Use and enforce strong passwords.
Ɣ Store password verifiers in the form of one-way hashes with added salt.
Ɣ Enforce account lockout for end-user accounts after a set number of retry
attempts.
Ɣ To counter the possibility of the browser cache allowing login access, create
functionality that either allows the user to choose to not save credentials, or
force this functionality as a default policy.

6.4 Authorization
Based on user identity and role membership, authorization to a particular resource
or service is either allowed or denied. Top threats that exploit authorization vulnerabilities
include:
Ɣ Elevation of privilege
Ɣ Disclosure of confidential data
Ɣ Data tampering
Ɣ Luring attacks

6.4.1 Elevation of Privilege

When you design an authorization model, you must consider the threat of an
attacker trying to elevate privileges to a powerful account such as a member of the local
administrators group or the local system account. By doing this, the attacker is able to
take complete control over the application and local machine. For example, with classic
ASP programming, calling the RevertToSelf API from a component might cause the
executing thread to run as the local system account with the most power and privileges
on the local machine.
The main countermeasure that you can use to prevent elevation of privilege is to
use least privileged process, service, and user accounts.

6.4.2 Disclosure of Confidential Data

The disclosure of confidential data can occur if sensitive data can be viewed by
unauthorized users. Confidential data includes application specific data such as credit
card numbers, employee details, financial records and so on together with application
configuration data such as service account credentials and database connection strings.
To prevent the disclosure of confidential data, you should secure it in persistent stores
such as databases and configuration files, and during transit over the network. Only
authenticated and authorized users should be able to access the data that is specific to
them. Access to system level configuration data should be restricted to administrators.
Countermeasures to prevent disclosure of confidential data include:
Ɣ Perform role checks before allowing access to the operations that could
potentially reveal sensitive data.
Ɣ Use strong ACLs to secure Windows resources.
Ɣ Use standard encryption to store sensitive data in configuration files and
databases.

Amity Directorate of Distance and Online Education

E-Commerce Security 183

6.4.3 Data Tampering Notes

Data tampering refers to the unauthorized modification of data.
Countermeasures to prevent data tampering include:
Ɣ Use strong access controls to protect data in persistent stores to ensure that
only authorized users can access and modify the data.
Ɣ Use role-based security to differentiate between users who can view data and
users who can modify data.

6.4.4 Luring Attacks

A luring attack occurs when an entity with few privileges is able to have an entity
with more privileges perform an action on its behalf.
To counter the threat, you must restrict access to trusted code with the appropriate
authorization. Using .NET Framework code access security helps in this respect by
authorizing calling code whenever a secure resource is accessed or a privileged
operation is performed.

6.5 Configuration Management

Many applications support configuration management interfaces and functionality to
allow operators and administrators to change configuration parameters, update Website
content, and to perform routine maintenance. Top configuration management threats
include:
Ɣ Unauthorized access to administration interfaces
Ɣ Unauthorized access to configuration stores
Ɣ Retrieval of plaintext configuration secrets
Ɣ Lack of individual accountability
Ɣ Overprivileged process and service accounts

6.5.1 Unauthorized Access to Administration Interfaces

Administration interfaces are often provided through additional Web pages or
separate Web applications that allow administrators, operators, and content developers
to managed site content and configuration. Administration interfaces such as these
should be available only to restricted and authorized users. Malicious users able to
access a configuration management function can potentially deface the Website, access
downstream systems and databases, or take the application out of action altogether by
corrupting configuration data.
Countermeasures to prevent unauthorized access to administration interfaces
include:
Ɣ Minimize the number of administration interfaces.
Ɣ Use strong authentication, for example, by using certificates.
Ɣ Use strong authorization with multiple gatekeepers.
Ɣ Consider supporting only local administration. If remote administration is
absolutely essential, use encrypted channels, for example, with VPN
technology or SSL, because of the sensitive nature of the data passed over
administrative interfaces. To further reduce risk, also consider using IPSec
policies to limit remote administration to computers on the internal network.

Amity Directorate of Distance and Online Education

184 Web-Enabled Business Processes

Notes 6.5.2 Unauthorized Access to Configuration Stores

Because of the sensitive nature of the data maintained in configuration stores, you
should ensure that the stores are adequately secured.
Countermeasures to protect configuration stores include:
Ɣ Configure restricted ACLs on text-based configuration files such as
Machine.config and Web.config.
Ɣ Keep custom configuration stores outside of the Web space. This removes the
potential to download Web Server configurations to exploit their vulnerabilities.

6.5.3 Retrieval of Plaintext Configuration Secrets

Restricting access to the configuration store is a must. As an important defense in
depth mechanism, you should encrypt sensitive data such as passwords and connection
strings. This helps prevent external attackers from obtaining sensitive configuration data.
It also prevents rogue administrators and internal employees from obtaining sensitive
details such as database connection strings and account credentials that might allow
them to gain access to other systems.

6.5.4 Lack of Individual Accountability

Lack of auditing and logging of changes made to configuration information threatens
the ability to identify when changes were made and who made those changes. When a
breaking change is made either by an honest operator error or by a malicious change to
grant privileged access, action must first be taken to correct the change. Then apply
preventive measures to prevent breaking changes to be introduced in the same manner.
Keep in mind that auditing and logging can be circumvented by a shared account; this
applies to both administrative and user/application/service accounts. Administrative
accounts must not be shared. User/application/service accounts must be assigned at a
level that allows the identification of a single source of access using the account, and that
contains any damage to the privileges granted that account.

6.5.5 Overprivileged Application and Service Accounts

If application and service accounts are granted access to change configuration
information on the system, they may be manipulated to do so by an attacker. The risk of
this threat can be mitigated by adopting a policy of using least privileged service and
application accounts. Be wary of granting accounts the ability to modify their own
configuration information unless explicitly required by design.

Sensitive Data
Sensitive data is subject to a variety of threats. Attacks that attempt to view or
modify sensitive data can target persistent data stores and networks. Top threats to
sensitive data include:
Ɣ Access to sensitive data in storage
Ɣ Network eavesdropping
Ɣ Data tampering

Access to Sensitive Data in Storage

You must secure sensitive data in storage to prevent a user — malicious or
otherwise — from gaining access to and reading the data.
Countermeasures to protect sensitive data in storage include:
Ɣ Use restricted ACLs on the persistent data stores that contain sensitive data.

Amity Directorate of Distance and Online Education

E-Commerce Security 185

Ɣ Store encrypted data.

Notes
Ɣ Use identity and role-based authorization to ensure that only the user or users
with the appropriate level of authority are allowed access to sensitive data. Use
role-based security to differentiate between users who can view data and users
who can modify data.

Network Eavesdropping
The HTTP data for Web application travels across networks in plaintext and is
subject to network eavesdropping attacks, where an attacker uses network monitoring
software to capture and potentially modify sensitive data.
Countermeasures to prevent network eavesdropping and to provide privacy include:
Ɣ Encrypt the data
Ɣ Use an encrypted communication channel, for example, SSL

Data Tampering
Data tampering refers to the unauthorized modification of data, often as it is passed
over the network.
One countermeasure to prevent data tampering is to protect sensitive data passed
across the network with tamper-resistant protocols such as hashed message
authentication codes (HMACs).
An HMAC provides message integrity in the following way:
1. The sender uses a shared secret key to create a hash based on the message
payload.
2. The sender transmits the hash along with the message payload.
3. The receiver uses the shared key to recalculate the hash based on the
received message payload. The receiver then compares the new hash value
with the transmitted hash value. If they are the same, the message cannot
have been tampered with.

Session Management
Session management for Web applications is an application layer responsibility.
Session security is critical to the overall security of the application.
Top session management threats include:
Ɣ Session hijacking
Ɣ Session replay
Ɣ Man in the middle

Session Hijacking
A session hijacking attack occurs when an attacker uses network monitoring
software to capture the authentication token (often a cookie) used to represent a user’s
session with an application. With the captured cookie, the attacker can spoof the user’s
session and gain access to the application. The attacker has the same level of privileges
as the legitimate user.
Countermeasures to prevent session hijacking include:
Ɣ Use SSL to create a secure communication channel and only pass the
authentication cookie over an HTTPS connection.
Ɣ Implement logout functionality to allow a user to end a session that forces
authentication if another session is started.

Amity Directorate of Distance and Online Education

186 Web-Enabled Business Processes
Ɣ Make sure you limit the expiration period on the session cookie if you do not
Notes
use SSL. Although this does not prevent session hijacking, it reduces the time
window available to the attacker.

Session Replay
Session replay occurs when a user’s session token is intercepted and submitted by
an attacker to bypass the authentication mechanism. For example, if the session token is
in plaintext in a cookie or URL, an attacker can sniff it. The attacker then posts a request
using the hijacked session token.
Countermeasures to help address the threat of session replay include:
Ɣ Re-authenticate when performing critical functions. For example, prior to
performing a monetary transfer in a banking application, make the user supply
the account password again.
Ɣ Expire sessions appropriately, including all cookies and session tokens.
Ɣ Create a “do not remember me” option to allow no session data to be stored on
the client.

Man-in-the-middle Attacks
A man-in-the-middle attack occurs when the attacker intercepts messages sent
between you and your intended recipient. The attacker then changes your message and
sends it to the original recipient. The recipient receives the message, sees that it came
from you, and acts on it. When the recipient sends a message back to you, the attacker
intercepts it, alters it, and returns it to you. You and your recipient never know that you
have been attacked.
Any network request involving client-server communication, including Web requests,
Distributed Component Object Model (DCOM) requests, and calls to remote components
and Web services, are subject to man-in-the-middle attacks.
Countermeasures to prevent man-in-the-middle attacks include:
Ɣ Use cryptography. If you encrypt the data before transmitting it, the attacker
can still intercept it but cannot read it or alter it. If the attacker cannot read it, he
or she cannot know which parts to alter. If the attacker blindly modifies your
encrypted message, then the original recipient is unable to successfully
decrypt it and, as a result, knows that it has been tampered with.
Ɣ Use Hashed Message Authentication Codes (HMACs). If an attacker alters the
message, the recalculation of the HMAC at the recipient fails and the data can
be rejected as invalid.

Cryptography
Most applications use cryptography to protect data and to ensure it remains private
and unaltered. Top threats surrounding your application’s use of cryptography include:
Ɣ Poor key generation or key management
Ɣ Weak or custom encryption
Ɣ Checksum spoofing

Poor Key Generation or Key Management

Attackers can decrypt encrypted data if they have access to the encryption key or
can derive the encryption key. Attackers can discover a key if keys are managed poorly
or if they were generated in a non-random fashion.

Amity Directorate of Distance and Online Education

E-Commerce Security 187

Countermeasures to address the threat of poor key generation and key

Notes
management include:
Ɣ Use built-in encryption routines that include secure key management. Data
Protection application programming interface (DPAPI) is an example of an
encryption service provided on Windows 2000 and later operating systems
where the operating system manages the key.
Ɣ Use strong random key generation functions and store the key in a restricted
location — for example, in a registry key secured with a restricted ACL — if you
use an encryption mechanism that requires you to generate or manage the
key.
Ɣ Encrypt the encryption key using DPAPI for added security.
Ɣ Expire keys regularly.

Weak or Custom Encryption

An encryption algorithm provides no security if the encryption is cracked or is
vulnerable to brute force cracking. Custom algorithms are particularly vulnerable if they
have not been tested. Instead, use published, well-known encryption algorithms that
have withstood years of rigorous attacks and scrutiny.
Countermeasures that address the vulnerabilities of weak or custom encryption
include:
Ɣ Do not develop your own custom algorithms.
Ɣ Use the proven cryptographic services provided by the platform.
Ɣ Stay informed about cracked algorithms and the techniques used to crack
them.

Checksum Spoofing
Do not rely on hashes to provide data integrity for messages sent over networks.
Hashes such as Secure Hash Algorithm (SHA1) and Message Digest Compression
Algorithm (MD5) can be intercepted and changed. Consider the following base
64 encoding UTF-8 message with an appended Message Authentication Code (MAC).
Plaintext: Place 10 orders.
Hash: T0mUNdEQh13IO9oTcaP4FYDX6pU=
If an attacker intercepts the message by monitoring the network, the attacker could
update the message and recompute the hash (guessing the algorithm that you used). For
example, the message could be changed to:
Plaintext: Place 100 orders.
Hash: oEDuJpv/ZtIU7BXDDNv17EAHeAU=
When recipients process the message, and they run the plaintext (“Place 100
orders”) through the hashing algorithm, and then recompute the hash, the hash they
calculate will be equal to whatever the attacker computed.
To counter this attack, use a MAC or HMAC. The Message Authentication Code
Triple Data Encryption Standard (MACTripleDES) algorithm computes a MAC, and
HMACSHA1 computes an HMAC. Both use a key to produce a checksum. With these
algorithms, an attacker needs to know the key to generate a checksum that would
compute correctly at the receiver.

Amity Directorate of Distance and Online Education

188 Web-Enabled Business Processes

Notes Parameter Manipulation

Parameter manipulation attacks are a class of attack that relies on the modification
of the parameter data sent between the client and Web application. This includes query
strings, form fields, cookies, and HTTP headers. Top parameter manipulation threats
include:
Ɣ Query string manipulation
Ɣ Form field manipulation
Ɣ Cookie manipulation
Ɣ HTTP header manipulation

Query String Manipulation

Users can easily manipulate the query string values passed by HTTP GET from
client to server because they are displayed in the browser’s URL address bar. If your
application relies on query string values to make security decisions, or if the values
represent sensitive data such as monetary amounts, the application is vulnerable to
attack.
Countermeasures to address the threat of query string manipulation include:
Ɣ Avoid using query string parameters that contain sensitive data or data that can
influence the security logic on the server. Instead, use a session identifier to
identify the client and store sensitive items in the session store on the server.
Ɣ Choose HTTP POST instead of GET to submit forms.
Ɣ Encrypt query string parameters.

Form Field Manipulation

The values of HTML form fields are sent in plaintext to the server using the HTTP
POST protocol. This may include visible and hidden form fields. Form fields of any type
can be easily modified and client-side validation routines bypassed. As a result,
applications that rely on form field input values to make security decisions on the server
are vulnerable to attack.
To counter the threat of form field manipulation, instead of using hidden form fields,
use session identifiers to reference state maintained in the state store on the server.

Cookie Manipulation
Cookies are susceptible to modification by the client. This is true of both persistent
and memory-resident cookies. A number of tools are available to help an attacker modify
the contents of a memory-resident cookie. Cookie manipulation is the attack that refers to
the modification of a cookie, usually to gain unauthorized access to a website.
While SSL protects cookies over the network, it does not prevent them from being
modified on the client computer. To counter the threat of cookie manipulation, encrypt
and use an HMAC with the cookie.

HTTP Header Manipulation

HTTP headers pass information between the client and the server. The client
constructs request headers while the server constructs response headers. If your
application relies on request headers to make a decision, your application is vulnerable to
attack.
Do not base your security decisions on HTTP headers. For example, do not trust the
HTTP Referer to determine where a client came from because this is easily falsified.

Amity Directorate of Distance and Online Education

E-Commerce Security 189

Exception Management Notes

Exceptions that are allowed to propagate to the client can reveal internal
implementation details that make no sense to the end-user but are useful to attackers.
Applications that do not use exception handling or implement it poorly are also subject to
denial-of-service attacks. Top exception handling threats include:
Ɣ Attacker reveals implementation details
Ɣ Denial of service

Attacker Reveals Implementation Details

One of the important features of the .NET Framework is that it provides rich
exception details that are invaluable to developers. If the same information is allowed to
fall into the hands of an attacker, it can greatly help the attacker exploit potential
vulnerabilities and plan future attacks. The type of information that could be returned
includes platform versions, server names, SQL command strings, and database
connection strings.
Countermeasures to help prevent internal implementation details from being
revealed to the client include:
Ɣ Use exception handling throughout your application’s code base.
Ɣ Handle and log exceptions that are allowed to propagate to the application
boundary.
Ɣ Return generic, harmless error messages to the client.

Denial of Service
Attackers will probe a Web application, usually by passing deliberately malformed
input. They often have two goals in mind. The first is to cause exceptions that reveal
useful information and the second is to crash the Web application process. This can
occur if exceptions are not properly caught and handled.
Countermeasures to help prevent application-level denial of service include:
Ɣ Thoroughly validate all input data at the server.
Ɣ Use exception handling throughout your application’s code base.

Auditing and Logging

Auditing and logging should be used to help detect suspicious activity such as
footprinting or possible password cracking attempts before an exploit actually occurs. It
can also help deal with the threat of repudiation. It is much harder for a user to deny
performing an operation if a series of synchronized log entries on multiple servers
indicate that the user performed that transaction.
Top auditing and logging related threats include:
Ɣ User denies performing an operation
Ɣ Attackers exploit an application without leaving a trace
Ɣ Attackers cover their tracks

User Denies Performing an Operation

The issue of repudiation is concerned with a user denying that he or she performed
an action or initiated a transaction. You need defense mechanisms in place to ensure
that all user activity can be tracked and recorded.
Countermeasures to help prevent repudiation threats include:

Amity Directorate of Distance and Online Education

190 Web-Enabled Business Processes
Ɣ Audit and log activity on the Web server and database server, and on the
Notes
application server as well, if you use one.
Ɣ Log key events such as transactions and login and logout events.
Ɣ Do not use shared accounts since the original source cannot be determined.

Attackers Exploit an Application without Leaving a Trace

System and application-level auditing is required to ensure that suspicious activity
does not go undetected.
Countermeasures to detect suspicious activity include:
Ɣ Log-critical application level operations.
Ɣ Use platform-level auditing to audit login and logout events, access to the file
system, and failed object access attempts.
Ɣ Back up log files and regularly analyze them for signs of suspicious activity.

Attackers Cover Their Tracks

Your log files must be well-protected to ensure that attackers are not able to cover
their tracks.
Countermeasures to help prevent attackers from covering their tracks include:
Ɣ Secure log files by using restricted ACLs.
Ɣ Relocate system log files away from their default locations.

6.6 Cryptography
Although cryptography is now a core part of modern commerce, it is often regarded
as a ‘black art’. This is largely because of a fundamental lack of understanding, as well as
lack of access to the basic building blocks.
However, understanding and implementing cryptography (encryption, decryption
and key management) need not be a trial. A comprehensive and detailed kit is now
available to help understand, audit, review, and implement cryptography.
Human being from ages had two inherent needs í (a) to communicate and share
information and (b) to communicate selectively. These two needs gave rise to the art of
coding the messages in such a way that only the intended people could have access to
the information. Unauthorized people could not extract any information, even if the
scrambled messages fell in their hand.
The art and science of concealing the messages to introduce secrecy in information
security is recognized as cryptography.
The word ‘cryptography’ was coined by combining two Greek words, ‘Krypto’
meaning hidden and ‘graphene’ meaning writing.

6.6.1 History of Cryptography

The art of cryptography is considered to be born along with the art of writing. As
civilizations evolved, human beings got organized in tribes, groups, and kingdoms. This
led to the emergence of ideas such as power, battles, supremacy and politics. These
ideas further fuelled the natural need of people to communicate secretly with selective
recipient which in turn ensured the continuous evolution of cryptography as well.
The roots of cryptography are found in Roman and Egyptian civilizations.

Amity Directorate of Distance and Online Education

E-Commerce Security 191

Hieroglyph í The Oldest Cryptographic Technique Notes

The first known evidence of cryptography can be traced to the use of ‘hieroglyph’.
Some 4000 years ago, the Egyptians used to communicate by messages written in
hieroglyph. This code was the secret known only to the scribes who used to transmit
messages on behalf of the kings. One such hieroglyph is shown below.

Later, the scholars moved on to using simple monoalphabetic substitution ciphers

during 500 to 600 BC. This involved replacing alphabets of message with other alphabets
with some secret rule. This rule became a key to retrieve the message back from the
garbled message.
The earlier Roman method of cryptography, popularly known as the Caesar Shift
Cipher, relies on shifting the letters of a message by an agreed number (three was a
common choice), the recipient of this message would then shift the letters back by the
same number and obtain the original message.

Steganography
Steganography is similar but adds another dimension to Cryptography. In this
method, people not only want to protect the secrecy of an information by concealing it,
but they also want to make sure any unauthorized person gets no evidence that the
information even exists. For example, invisible watermarking.
In steganography, an unintended recipient or an intruder is unaware of the fact that
observed data contains hidden information. In cryptography, an intruder is normally
aware that data is being communicated, because they can see the coded/scrambled
message.

Amity Directorate of Distance and Online Education

192 Web-Enabled Business Processes

Notes

Evolution of Cryptography
It is during and after the European Renaissance, various Italian and Papal states led
the rapid proliferation of cryptographic techniques. Various analysis and attack
techniques were researched in this era to break the secret codes.
Ɣ Improved coding techniques such as Vigenere Coding came into existence in
the 15th century, which offered moving letters in the message with a number of
variable places instead of moving them the same number of places.
Ɣ Only after the 19th century, cryptography evolved from the ad hoc approaches
to encryption to the more sophisticated art and science of information security.
Ɣ In the early 20th century, the invention of mechanical and electromechanical
machines, such as the Enigma rotor machine, provided more advanced and
efficient means of coding the information.
Ɣ During the period of World War II, both cryptography and cryptanalysis
became excessively mathematical.
With the advances taking place in this field, government organizations, military units,
and some corporate houses started adopting the applications of cryptography. They used
cryptography to guard their secrets from others. Now, the arrival of computers and the
Internet has brought effective cryptography within the reach of common people.
Modern cryptography is the cornerstone of computer and communications security.
Its foundation is based on various concepts of mathematics such as number theory,
computational complexity theory, and probability theory.

Characteristics of Modern Cryptography

There are three major characteristics that separate modern cryptography from the
classical approach.

Amity Directorate of Distance and Online Education

E-Commerce Security 193

Classic Cryptography Modern Cryptography Notes

It manipulates traditional characters, i.e., It operates on binary bit sequences.
letters and digits directly.

It is mainly based on ‘security through It relies on publicly known mathematical

obscurity’. The techniques employed for
coding were kept secret and only the parties
involved in communication knew about them.
algorithms for coding the information. Secrecy
is obtained through a secrete key which is used
as the seed for the algorithms. The
computational difficulty of algorithms, absence
of secret key, etc. make it impossible for an
attacker to obtain the original information even
if he knows the algorithm used for coding.

It requires the entire cryptosystem for Modern cryptography requires parties

communicating confidentially. interested in secure communication to possess
the secret key only.

Context of Cryptography
Cryptology, the study of cryptosystems, can be subdivided into two branches:
Ɣ Cryptography
Ɣ Cryptanalysis

What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of
providing information security.
Cryptography deals with the actual securing of digital data. It refers to the design of
mechanisms based on mathematical algorithms that provide fundamental information
security services. You can think of cryptography as the establishment of a large toolkit
containing different techniques in security applications.

What is Cryptanalysis?
The art and science of breaking the cipher text is known as cryptanalysis.
Cryptanalysis is the sister branch of cryptography and they both co-exist. The
cryptographic process results in the cipher text for transmission or storage. It involves the
study of cryptographic mechanism with the intention to break them. Cryptanalysis is also
used during the design of the new cryptographic techniques to test their security
strengths.

Amity Directorate of Distance and Online Education

194 Web-Enabled Business Processes
Note: Cryptography concerns with the design of cryptosystems, while cryptanalysis
Notes
studies the breaking of cryptosystems.
The primary objective of using cryptography is to provide the following four
fundamental information security services. Let us now see the possible goals intended to
be fulfilled by cryptography.

Security Services of Cryptography

The primary objective of using cryptography is to provide the following four
fundamental information security services. Let us now see the possible goals intended to
be fulfilled by cryptography.

Confidentiality
Confidentiality is the fundamental security service provided by cryptography. It is a
security service that keeps the information from an unauthorized person. It is sometimes
referred to as privacy or secrecy.
Confidentiality can be achieved through numerous means starting from physical
securing to the use of mathematical algorithms for data encryption.

Data Integrity
It is security service that deals with identifying any alteration to the data. The data
may get modified by an unauthorized entity intentionally or accidently. Integrity service
confirms that whether data is intact or not since it was last created, transmitted, or stored
by an authorized user.
Data integrity cannot prevent the alteration of data, but provides a means for
detecting whether data has been manipulated in an unauthorized manner.

Authentication
Authentication provides the identification of the originator. It confirms to the receiver
that the data received has been sent only by an identified and verified sender.
Authentication service has two variants:
Ɣ Message authentication identifies the originator of the message without any
regard router or system that has sent the message.
Ɣ Entity authentication is assurance that data has been received from a
specific entity, say a particular website.
Apart from the originator, authentication may also provide assurance about other
parameters related to data such as the date and time of creation/transmission.

Non-repudiation
It is a security service that ensures that an entity cannot refuse the ownership of a
previous commitment or an action. It is an assurance that the original creator of the data
cannot deny the creation or transmission of the said data to a recipient or third party.
Non-repudiation is a property that is most desirable in situations where there are
chances of a dispute over the exchange of data. For example, once an order is placed
electronically, a purchaser cannot deny the purchase order, if non-repudiation service
was enabled in this transaction.

Cryptography Primitives
Cryptography primitives are nothing but the tools and techniques in Cryptography
that can be selectively used to provide a set of desired security services:

Amity Directorate of Distance and Online Education

E-Commerce Security 195

Ɣ Encryption
Notes
Ɣ Hash functions
Ɣ Message Authentication Codes (MAC)
Ɣ Digital Signatures
The following table shows the primitives that can achieve a particular security
service on their own.

Note: Cryptographic primitives are intricately related and they are often combined to
achieve a set of desired security services from a cryptosystem.
A cryptosystem is an implementation of cryptographic techniques and their
accompanying infrastructure to provide information security services. A cryptosystem is
also referred to as a cipher system.
Let us discuss a simple model of a cryptosystem that provides confidentiality to the
information being transmitted. This basic model is depicted in the illustration below.

The illustration shows a sender who wants to transfer some sensitive data to a
receiver in such a way that any party intercepting or eavesdropping on the
communication channel cannot extract the data.
The objective of this simple cryptosystem is that at the end of the process, only the
sender and the receiver will know the plaintext.

Amity Directorate of Distance and Online Education

196 Web-Enabled Business Processes

Notes Components of a Cryptosystem

The various components of a basic cryptosystem are as follows:
Ɣ Plaintext. It is the data to be protected during transmission.
Ɣ Encryption Algorithm. It is a mathematical process that produces a ciphertext
for any given plaintext and encryption key. It is a cryptographic algorithm that
takes plaintext and an encryption key as input and produces a ciphertext.
Ɣ Ciphertext. It is the scrambled version of the plaintext produced by the
encryption algorithm using a specific the encryption key. The ciphertext is not
guarded. It flows on public channel. It can be intercepted or compromised by
anyone who has access to the communication channel.
Ɣ Decryption Algorithm, It is a mathematical process, that produces a unique
plaintext for any given ciphertext and decryption key. It is a cryptographic
algorithm that takes a ciphertext and a decryption key as input, and outputs a
plaintext. The decryption algorithm essentially reverses the encryption
algorithm and is thus closely related to it.
Ɣ Encryption Key. It is a value that is known to the sender. The sender inputs
the encryption key into the encryption algorithm along with the plaintext in order
to compute the ciphertext.
Ɣ Decryption Key. It is a value that is known to the receiver. The decryption key
is related to the encryption key, but is not always identical to it. The receiver
inputs the decryption key into the decryption algorithm along with the ciphertext
in order to compute the plaintext.
For a given cryptosystem, a collection of all possible decryption keys is called a key
space.
An interceptor (an attacker) is an unauthorized entity who attempts to determine
the plaintext. He can see the ciphertext and may know the decryption algorithm. He,
however, must never know the decryption key.

Types of Cryptosystems
Fundamentally, there are two types of cryptosystems based on the manner in which
encryption-decryption is carried out in the system.
Ɣ Symmetric Key Encryption
Ɣ Asymmetric Key Encryption
The main difference between these cryptosystems is the relationship between the
encryption and the decryption key. Logically, in any cryptosystem, both the keys are
closely associated. It is practically impossible to decrypt the ciphertext with the key that is
unrelated to the encryption key.

Symmetric Key Encryption

The encryption process where same keys are used for encrypting and
decrypting the information is known as Symmetric Key Encryption.
The study of symmetric cryptosystems is referred to as symmetric cryptography.
Symmetric cryptosystems are also sometimes referred to as secret key cryptosystems.
A few well-known examples of symmetric key encryption methods are Digital
Encryption Standard (DES), Triple DES (3DES), IDEA, and BLOWFISH.

Amity Directorate of Distance and Online Education

E-Commerce Security 197

Notes

Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its
relevance is very high and it is being used extensively in many cryptosystems. It is very
unlikely that this encryption will fade away, as it has certain advantages over asymmetric
key encryption.
The salient features of cryptosystem based on symmetric key encryption are:
Ɣ Persons using symmetric key encryption must share a common key prior to
exchange of information.
Ɣ Keys are recommended to be changed regularly to prevent any attack on the
system.
Ɣ A robust mechanism needs to exist to exchange the key between the
communicating parties. As keys are required to be changed regularly, this
mechanism becomes expensive and cumbersome.
Ɣ In a group of n people, to enable two-party communication between any two
persons, the number of keys required for group is n × (n – 1)/2.
Ɣ Length of Key (number of bits) in this encryption is smaller and hence, process
of encryption-decryption is faster than asymmetric key encryption.
Ɣ Processing power of computer system required to run symmetric algorithm is
less.

Challenges of Symmetric Key Cryptosystem

There are two restrictive challenges of employing symmetric key cryptography.
Ɣ Key establishment: Before any communication, both the sender and the
receiver need to agree on a secret symmetric key. It requires a secure key
establishment mechanism in place.
Ɣ Trust issue: Since the sender and the receiver use the same symmetric key,
there is an implicit requirement that the sender and the receiver ‘trust’ each
other. For example, it may happen that the receiver has lost the key to an
attacker and the sender is not informed.
These two challenges are highly restraining for modern-day communication. Today,
people need to exchange information with non-familiar and non-trusted parties. For
example, a communication between online seller and customer. These limitations of
symmetric key encryption gave rise to asymmetric key encryption schemes.

Asymmetric Key Encryption

The encryption process where different keys are used for encrypting and
decrypting the information is known as Asymmetric Key Encryption. Though the keys

Amity Directorate of Distance and Online Education

198 Web-Enabled Business Processes
are different, they are mathematically related and hence, retrieving the plaintext by
Notes
decrypting ciphertext is feasible. The process is depicted in the following illustration:

Asymmetric Key Encryption was invented in the 20th century to come over the
necessity of pre-shared secret key between communicating persons. The salient
features of this encryption scheme are as follows:
Ɣ Every user in this system needs to have a pair of dissimilar keys, private key
and public key. These keys are mathematically related í when one key is
used for encryption, the other can decrypt the ciphertext back to the original
plaintext.
Ɣ It requires to put the public key in public repository and the private key as a
well-guarded secret. Hence, this scheme of encryption is also called Public
Key Encryption.
Ɣ Though public and private keys of the user are related, it is computationally not
feasible to find one from another. This is a strength of this scheme.
Ɣ When Host1 needs to send data to Host2, he obtains the public key of Host2
from repository, encrypts the data, and transmits.
Ɣ Host2 uses his private key to extract the plaintext.
Ɣ Length of Keys (number of bits) in this encryption is large and hence, the
process of encryption-decryption is slower than symmetric key encryption.
Ɣ Processing power of computer system required to run asymmetric algorithm is
higher.
Symmetric cryptosystems are a natural concept. In contrast, public key
cryptosystems are quite difficult to comprehend.
You may think, how the encryption key and the decryption key are ‘related’, and yet
it is impossible to determine the decryption key from the encryption key? The answer lies
in the mathematical concepts. It is possible to design a cryptosystem whose keys have
this property. The concept of public key cryptography is relatively new. There are fewer
public key algorithms known than symmetric algorithms.

Amity Directorate of Distance and Online Education

E-Commerce Security 199

Challenges of Public Key Cryptosystem

Notes
Public key cryptosystems have one significant challenge í the user needs to trust
that the public key that he is using in communications with a person really is the public
key of that person and has not been spoofed by a malicious third party.
This is usually accomplished through a Public Key Infrastructure (PKI) consisting a
trusted third party. The third party securely manages and attests to the authenticity of
public keys. When the third party is requested to provide the public key for any
communicating person X, they are trusted to provide the correct public key.
The third party satisfies itself about user identity by the process of attestation,
notarization, or some other process í that X is the one and only, or globally unique, X.
The most common method of making the verified public keys available is to embed them
in a certificate which is digitally signed by the trusted third party.

Relation between Encryption Schemes

A summary of basic key properties of two types of cryptosystems is given below:
Symmetric Cryptosystems Public Key Cryptosystems

Relation between Keys Same Different, but mathematically related

Encryption Key Symmetric Public

Decryption Key Symmetric Private

Due to the advantages and disadvantage of both the systems, symmetric key and
public key cryptosystems are often used together in the practical information security
systems.

Kerckhoff’s Principle for Cryptosystem

In the 19th century, a Dutch cryptographer A. Kerckhoff furnished the requirements
of a good cryptosystem. Kerckhoff stated that a cryptographic system should be secure
even if everything about the system, except the key, is public knowledge. The six design
principles defined by Kerckhoff for cryptosystem are:
Ɣ The cryptosystem should be unbreakable practically, if not mathematically.
Ɣ Falling of the cryptosystem in the hands of an intruder should not lead to any
compromise of the system, preventing any inconvenience to the user.
Ɣ The key should be easily communicable, memorable, and changeable.
Ɣ The ciphertext should be transmissible by telegraph, an unsecure channel.
Ɣ The encryption apparatus and documents should be portable and operable by
a single person.
Ɣ Finally, it is necessary that the system be easy to use, requiring neither mental
strain nor the knowledge of a long series of rules to observe.
The second rule is currently known as Kerckhoff principle. It is applied in virtually
all the contemporary encryption algorithms such as DES, AES, etc. These public
algorithms are considered to be thoroughly secure. The security of the encrypted
message depends solely on the security of the secret encryption key.
Keeping the algorithms secret may act as a significant barrier to cryptanalysis.
However, keeping the algorithms secret is possible only when they are used in a strictly
limited circle.

Amity Directorate of Distance and Online Education

200 Web-Enabled Business Processes
In modern era, cryptography needs to cater to users who are connected to the
Notes
Internet. In such cases, using a secret algorithm is not feasible. Hence, Kerckhoff
principles became essential guidelines for designing algorithms in modern cryptography.
In the present era, not only business but almost all the aspects of human life are
driven by information. Hence, it has become imperative to protect useful information from
malicious activities such as attacks. Let us consider the types of attacks to which
information is typically subjected to.
Attacks are typically categorized based on the action performed by the attacker. An
attack, thus, can be passive or active.

Passive Attacks
The main goal of a passive attack is to obtain unauthorized access to the
information. For example, actions such as intercepting and eavesdropping on the
communication channel can be regarded as passive attack.
These actions are passive in nature, as they neither affect information nor disrupt
the communication channel. A passive attack is often seen as stealing information. The
only difference in stealing physical goods and stealing information is that theft of data still
leaves the owner in possession of that data. Passive information attack is, thus, more
dangerous than stealing of goods, as information theft may go unnoticed by the owner.

Active Attacks
An active attack involves changing the information in some way by conducting some
process on the information. For example,
Ɣ Modifying the information in an unauthorized manner.
Ɣ Initiating unintended or unauthorized transmission of information.
Ɣ Alteration of authentication data such as originator name or timestamp
associated with information.
Ɣ Unauthorized deletion of data.
Ɣ Denial of access to information for legitimate users (denial of service).

Amity Directorate of Distance and Online Education

E-Commerce Security 201

Notes

Cryptography provides many tools and techniques for implementing cryptosystems

capable of preventing most of the attacks described above.

Assumptions of Attacker
Let us see the prevailing environment around cryptosystems followed by the types
of attacks employed to break these systems.

Environment around Cryptosystem

While considering possible attacks on the cryptosystem, it is necessary to know the
cryptosystem’s environment. The attacker’s assumptions and knowledge about the
environment decides his capabilities.
In cryptography, the following three assumptions are made about the security
environment and attacker’s capabilities.

Details of the Encryption Scheme

The design of a cryptosystem is based on the following two cryptography algorithms:
Ɣ Public Algorithms: With this option, all the details of the algorithm are in the
public domain, known to everyone.
Ɣ Proprietary algorithms: The details of the algorithm are only known by the
system designers and users.
In case of proprietary algorithms, security is ensured through obscurity. Private
algorithms may not be the strongest algorithms as they are developed in-house and may
not be extensively investigated for weakness.
Secondly, they allow communication among closed group only. Hence, they are not
suitable for modern communication where people communicate with large number of
known or unknown entities. Also, according to Kerckhoff’s principle, the algorithm is
preferred to be public with strength of encryption lying in the key.
Thus, the first assumption about security environment is that the encryption
algorithm is known to the attacker.

Amity Directorate of Distance and Online Education

202 Web-Enabled Business Processes
Availability of Ciphertext
Notes
We know that once the plaintext is encrypted into ciphertext, it is put on unsecure
public channel (say e-mail) for transmission. Thus, the attacker can obviously assume
that it has access to the ciphertext generated by the cryptosystem.

Availability of Plaintext and Ciphertext

This assumption is not as obvious as other. However, there may be situations where
an attacker can have access to plaintext and corresponding ciphertext. Some such
possible circumstances are:
Ɣ The attacker influences the sender to convert plaintext of his choice and
obtains the ciphertext.
Ɣ The receiver may divulge the plaintext to the attacker inadvertently. The
attacker has access to corresponding ciphertext gathered from open channel.
Ɣ In a public key cryptosystem, the encryption key is in open domain and is
known to any potential attacker. Using this key, he can generate pairs of
corresponding plaintexts and ciphertexts.

Cryptographic Attacks
The basic intention of an attacker is to break a cryptosystem and to find the plaintext
from the ciphertext. To obtain the plaintext, the attacker only needs to find out the secret
decryption key, as the algorithm is already in public domain.
Hence, he applies maximum effort towards finding out the secret key used in the
cryptosystem. Once the attacker is able to determine the key, the attacked system is
considered as broken or compromised.
Based on the methodology used, attacks on cryptosystems are categorized as
follows:
Ɣ Ciphertext Only Attacks (COA): In this method, the attacker has access to a
set of ciphertext(s). He does not have access to corresponding plaintext. COA
is said to be successful when the corresponding plaintext can be determined
from a given set of ciphertext. Occasionally, the encryption key can be
determined from this attack. Modern cryptosystems are guarded against
ciphertext only attacks.
Ɣ Known Plaintext Attack (KPA): In this method, the attacker knows the
plaintext for some parts of the ciphertext. The task is to decrypt the rest of the
ciphertext using this information. This may be done by determining the key or
via some other method. The best example of this attack is linear cryptanalysis
against block ciphers.
Ɣ Chosen Plaintext Attack (CPA): In this method, the attacker has the text of
his choice encrypted. So, he has the ciphertext plaintext pair of his choice. This
simplifies his task of determining the encryption key. An example of this attack
is differential cryptanalysis applied against block ciphers as well as hash
functions. A popular public key cryptosystem, RSA is also vulnerable to chosen
plaintext attacks.
Ɣ Dictionary Attack: This attack has many variants, all of which involve
compiling a ‘dictionary’. In simplest method of this attack, attacker builds a
dictionary of ciphertexts and corresponding plaintexts that he has learnt over a
period of time. In future, when an attacker gets the ciphertext, he refers the
dictionary to find the corresponding plaintext.

Amity Directorate of Distance and Online Education

E-Commerce Security 203

Ɣ Brute Force Attack (BFA): In this method, the attacker tries to determine the
Notes
key by attempting all possible keys. If the key is 8 bits long, then the number of
possible keys is 28 = 256. The attacker knows the ciphertext and the algorithm,
now he attempts all the 256 keys one by one for decryption. The time to
complete the attack would be very high if the key is long.
Ɣ Birthday Attack: This attack is a variant of brute force technique. It is used
against the cryptographic hash function. When students in a class are asked
about their birthdays, the answer is one of the possible 365 dates. Let us
assume the first student’s birthdate is 3rd Aug. Then to find the next student
whose birthdate is 3rd August, we need to enquire 1.25*¥365 § 25 students.
Similarly, if the hash function produces 64 bit hash values, the possible hash
values are 1.8 × 1019. By repeatedly evaluating the function for different inputs,
the same output is expected to be obtained after about 5.1 × 109 random
inputs.
If the attacker is able to find two different inputs that give the same hash value,
it is a collision and that hash function is said to be broken.
Ɣ Man-in-the-Middle Attack (MIM): The targets of this attack are mostly public
key cryptosystems where key exchange is involved before communication
takes place.
– Host A wants to communicate to host B, hence requests public key of B.
– An attacker intercepts this request and sends his public key instead.
– Thus, whatever host A sends to host B, the attacker is able to read.
– In order to maintain communication, the attacker re-encrypts the data
after reading with his public key and sends to B.
– The attacker sends his public key as A’s public key so that B takes it as if
it is taking it from A.
Ɣ Side Channel Attack (SCA): This type of attack is not against any particular
type of cryptosystem or algorithm. Instead, it is launched to exploit the
weakness in physical implementation of the cryptosystem.
Ɣ Timing Attacks: They exploit the fact that different computations take different
times to compute on processor. By measuring such timings, it is possible to
know about a particular computation the processor is carrying out. For example,
if the encryption takes a longer time, it indicates that the secret key is long.
Ɣ Power Analysis Attacks: These attacks are similar to timing attacks except
that the amount of power consumption is used to obtain information about the
nature of the underlying computations.
Ɣ Fault Analysis Attacks: In these attacks, errors are induced in the
cryptosystem and the attacker studies the resulting output for useful
information.

Practicality of Attacks
The attacks on cryptosystems described here are highly academic, as majority of
them come from the academic community. In fact, many academic attacks involve quite
unrealistic assumptions about environment as well as the capabilities of the attacker. For
example, in chosen ciphertext attack, the attacker requires an impractical number of
deliberately chosen plaintext-ciphertext pairs. It may not be practical altogether.
Nonetheless, the fact that any attack exists should be a cause of concern,
particularly if the attack technique has the potential for improvement.

Amity Directorate of Distance and Online Education

204 Web-Enabled Business Processes
In the second unit, we discussed the fundamentals of modern cryptography. We
Notes
equated cryptography with a toolkit where various cryptographic techniques are
considered as the basic tools. One of these tools is the Symmetric Key Encryption where
the key used for encryption and decryption is the same.
In this unit, we discuss this technique further and its applications to develop various
cryptosystems.

Earlier Cryptographic Systems

Before proceeding further, you need to know some facts about historical
cryptosystems.
Ɣ All of these systems are based on symmetric key encryption scheme.
Ɣ The only security service these systems provide is confidentiality of
information.
Ɣ Unlike modern systems which are digital and treat data as binary numbers, the
earlier systems worked on alphabets as basic element.
These earlier cryptographic systems are also referred to as Ciphers. In general, a
cipher is simply just a set of steps (an algorithm) for performing both an encryption, and
the corresponding decryption.

Caesar Cipher
It is a monoalphabetic cipher wherein each letter of the plaintext is substituted by
another letter to form the ciphertext. It is a simplest form of substitution cipher scheme.
This cryptosystem is generally referred to as the Shift Cipher. The concept is to
replace each alphabet by another alphabet which is ‘shifted’ by some fixed number
between 0 and 25.
For this type of scheme, both sender and receiver agree on a ‘secret shift number’
for shifting the alphabet. This number which is between 0 and 25 becomes the key of
encryption.
The name ‘Caesar Cipher’ is occasionally used to describe the Shift Cipher when
the ‘shift of three’ is used.

Process of Shift Cipher

Ɣ In order to encrypt a plaintext letter, the sender positions the sliding ruler
underneath the first set of plaintext letters and slides it to LEFT by the number
of positions of the secret shift.
Ɣ The plaintext letter is then encrypted to the ciphertext letter on the sliding ruler
underneath. The result of this process is depicted in the following illustration for
an agreed shift of three positions. In this case, the plaintext ‘tutorial’ is
encrypted to the ciphertext ‘WXWRULDO’. Here is the ciphertext alphabet for a
Shift of 3.

Ɣ On receiving the ciphertext, the receiver who also knows the secret shift,
positions his sliding ruler underneath the ciphertext alphabet and slides it to
RIGHT by the agreed shift number, 3 in this case.
Ɣ He then replaces the ciphertext letter by the plaintext letter on the sliding ruler
underneath. Hence, the ciphertext ‘WXWRULDO’ is decrypted to ‘tutorial’. To

Amity Directorate of Distance and Online Education

E-Commerce Security 205

decrypt a message encoded with a Shift of 3, generate the plaintext alphabet

Notes
using a shift of ‘–3’ as shown below.

Security Value
Caesar Cipher is not a secure cryptosystem because there are only 26 possible
keys to try out. An attacker can carry out an exhaustive key search with available limited
computing resources.

Simple Substitution Cipher

It is an improvement to the Caesar Cipher. Instead of shifting the alphabets by some
number, this scheme uses some permutation of the letters in alphabet.
For example, A.B…..Y.Z and Z.Y……B.A are two obvious permutation of all the
letters in alphabet. Permutation is nothing but a jumbled up set of alphabets.
With 26 letters in alphabet, the possible permutations are 26! (Factorial of 26) which
is equal to 4 × 1026. The sender and the receiver may choose any one of these possible
permutation as a ciphertext alphabet. This permutation is the secret key of the scheme.

Process of Simple Substitution Cipher

Ɣ Write the alphabets A, B, C, ..., Z in the natural order.
Ɣ The sender and the receiver decide on a randomly selected permutation of the
letters of the alphabet.
Ɣ Underneath the natural order alphabets, write out the chosen permutation of
the letters of the alphabet. For encryption, sender replaces each plaintext
letters by substituting the permutation letter that is directly beneath it in the
table. This process is shown in the following illustration. In this example, the
chosen permutation is K, D, G, ..., O. The plaintext ‘point’ is encrypted to
‘MJBXZ’.
Here is a jumbled Ciphertext alphabet, where the order of the ciphertext letters
is a key.

Ɣ On receiving the ciphertext, the receiver, who also knows the randomly chosen
permutation, replaces each ciphertext letter on the bottom row with the
corresponding plaintext letter in the top row. The ciphertext ‘MJBXZ’ is
decrypted to ‘point’.

Security Value
Simple Substitution Cipher is a considerable improvement over the Caesar Cipher.
The possible number of keys is large (26!) and even the modern computing systems are
not yet powerful enough to comfortably launch a brute force attack to break the system.
However, the Simple Substitution Cipher has a simple design and it is prone to design
flaws, say choosing obvious permutation, this cryptosystem can be easily broken.

Monoalphabetic and Polyalphabetic Cipher

Monoalphabetic cipher is a substitution cipher in which for a given key, the cipher
alphabet for each plain alphabet is fixed throughout the encryption process. For example,
Amity Directorate of Distance and Online Education
206 Web-Enabled Business Processes
if ‘A’ is encrypted as ‘D’, for any number of occurrence in that plaintext, ‘A’ will always get
Notes
encrypted to ‘D’.
All of the substitution ciphers, we have discussed earlier in this unit, are
monoalphabetic; these ciphers are highly susceptible to cryptanalysis.
Polyalphabetic cipher is a substitution cipher in which the cipher alphabet for the
plain alphabet may be different at different places during the encryption process. The
next two examples, Playfair and Vigenere Cipher are polyalphabetic ciphers.

Playfair Cipher
In this scheme, pairs of letters are encrypted, instead of single letters as in the case
of simple substitution cipher.
In playfair cipher, initially a key table is created. The key table is a 5 × 5 grid of
alphabets that acts as the key for encrypting the plaintext. Each of the 25 alphabets must
be unique and one letter of the alphabet (usually J) is omitted from the table as we need
only 25 alphabets instead of 26. If the plaintext contains J, then it is replaced by I.
The sender and the receiver deicide on a particular key, say ‘tutorials’. In a key table,
the first characters (going left to right) in the table is the phrase, excluding the duplicate
letters. The rest of the table will be filled with the remaining letters of the alphabet, in
natural order. The key table works out to be:

Process of Playfair Cipher

Ɣ First, a plaintext message is split into pairs of two letters (digraphs). If there is
an odd number of letters, a Z is added to the last letter. Let us say we want to
encrypt the message “hide money”. It will be written as:
HI DE MO NE YZ
Ɣ The rules of encryption are:
– If both the letters are in the same column, take the letter below each one
(going back to the top if at the bottom)
T U O R I

A L S B C
‘H’ and ‘I’ are in same column, hence take letter below them to
D E F G H
replace. HI ĺ QC
K MN P Q

V WX Y Z

Amity Directorate of Distance and Online Education

E-Commerce Security 207

– If both letters are in the same row, take the letter to the right of each
Notes
one (going back to the left if at the farthest right)
T U O R I

A L S B C
‘D’ and ‘E’ are in same row, hence take letter to the right of them to
D E F G H
replace. DE ĺ EF
K M N P Q

V W X Y Z

– If neither of the preceding two rules are true, form a rectangle with the two
letters and take the letters on the horizontal opposite corner of the
rectangle.

Using these rules, the result of the encryption of ‘hide money’ with the key of
‘tutorials’ would be:
QC EF NU MF ZV
Decrypting the Playfair cipher is as simple as doing the same process in reverse.
Receiver has the same key and can create the same key table, and then decrypt any
messages made using that key.

Security Value
It is also a substitution cipher and is difficult to break compared to the simple
substitution cipher. As in case of substitution cipher, cryptanalysis is possible on the
Playfair cipher as well, however it would be against 625 possible pairs of letters (25 × 25
alphabets) instead of 26 different possible alphabets.
The Playfair cipher was used mainly to protect important, yet non-critical secrets, as
it is quick to use and requires no special equipment.

Vigenere Cipher
This scheme of cipher uses a text string (say, a word) as a key, which is then used
for doing a number of shifts on the plaintext.
For example, let’s assume the key is ‘point’. Each alphabet of the key is converted to
its respective numeric value: In this case,
p ĺ 16, o ĺ 15, i ĺ 9, n ĺ 14, and t ĺ 20.
Thus, the key is: 16 15 9 14 20.

Process of Vigenere Cipher

Ɣ The sender and the receiver decide on a key. Say ‘point’ is the key. Numeric
representation of this key is ‘16 15 9 14 20’.
Ɣ The sender wants to encrypt the message, say ‘attack from south east’. He will
arrange plaintext and numeric key as follows:

Amity Directorate of Distance and Online Education

208 Web-Enabled Business Processes

Notes

Ɣ He now shifts each plaintext alphabet by the number written below it to create
ciphertext as shown below:

Ɣ Here, each plaintext character has been shifted by a different amount – and
that amount is determined by the key. The key must be less than or equal to
the size of the message.
Ɣ For decryption, the receiver uses the same key and shifts received ciphertext in
reverse order to obtain the plaintext.

Security Value
Vigenere Cipher was designed by tweaking the standard Caesar cipher to reduce
the effectiveness of cryptanalysis on the ciphertext and make a cryptosystem more
robust. It is significantly more secure than a regular Caesar Cipher.
In the history, it was regularly used for protecting sensitive political and military
information. It was referred to as the unbreakable cipher due to the difficulty it posed to
the cryptanalysis.

Variants of Vigenere Cipher

There are two special cases of Vigenere cipher:
Ɣ The keyword length is same as plaintect message. This case is called Vernam
Cipher. It is more secure than typical Vigenere cipher.
Ɣ Vigenere cipher becomes a cryptosystem with perfect secrecy, which is called
One-time pad.

One-time Pad
The circumstances are:
Ɣ The length of the keyword is same as the length of the plaintext.
Ɣ The keyword is a randomly generated string of alphabets.
Ɣ The keyword is used only once.

Security Value
Let us compare Shift cipher with one-time pad.

Shift Cipher í Easy to Break

In case of Shift cipher, the entire message could have had a shift between 1 and 25.
This is a very small size, and very easy to brute force. However, with each character now
having its own individual shift between 1 and 26, the possible keys grow exponentially for
the message.

Amity Directorate of Distance and Online Education

E-Commerce Security 209

One-time Pad í Impossible to Break

Notes
Let us say, we encrypt the name “point” with a one-time pad. It is a 5 letter text. To
break the ciphertext by brute force, you need to try all possibilities of keys and conduct
computation for (26 × 26 × 26 × 26 × 26) = 265 = 11881376 times. That’s for a message
with 5 alphabets. Thus, for a longer message, the computation grows exponentially with
every additional alphabet. This makes it computationally impossible to break the
ciphertext by brute force.

Transposition Cipher
It is another type of cipher where the order of the alphabets in the plaintext is
rearranged to create the ciphertext. The actual plaintext alphabets are not replaced.
An example is a ‘simple columnar transposition’ cipher where the plaintext is written
horizontally with a certain alphabet width. Then the ciphertext is read vertically as shown.
For example, the plaintext is “golden statue is in eleventh cave” and the secret
random key chosen is “five”. We arrange this text horizontally in table with number of
column equal to key value. The resulting text is shown below.

The ciphertext is obtained by reading column vertically downward from first to last
column. The ciphertext is ‘gnuneaoseenvltiltedasehetivc’.
To decrypt, the receiver prepares similar table. The number of columns is equal to
key number. The number of rows is obtained by dividing number of total ciphertext
alphabets by key value and rounding of the quotient to next integer value.
The receiver then writes the received ciphertext vertically down and from left to right
column. To obtain the text, he reads horizontally left to right and from top to bottom row.
Digital data is represented in strings of binary digits (bits) unlike alphabets. Modern
cryptosystems need to process this binary strings to convert in to another binary string.
Based on how these binary strings are processed, a symmetric encryption schemes can
be classified into:

Block Ciphers
In this scheme, the plain binary text is processed in blocks (groups) of bits at a time;
i.e., a block of plaintext bits is selected, a series of operations is performed on this block
to generate a block of ciphertext bits. The number of bits in a block is fixed. For example,
the schemes DES and AES have block sizes of 64 and 128 respectively.

Amity Directorate of Distance and Online Education

210 Web-Enabled Business Processes
Stream Ciphers
Notes
In this scheme, the plaintext is processed one bit at a time, i.e., one bit of plaintext is
taken, and a series of operations is performed on it to generate one bit of ciphertext.
Technically, stream ciphers are block ciphers with a block size of one bit.

The basic scheme of a block cipher is depicted as follows:

A block cipher takes a block of plaintext bits and generates a block of ciphertext bits,
generally of same size. The size of block is fixed in the given scheme. The choice of
block size does not directly affect the strength of encryption scheme. The strength of
cipher depends upon the key length.

Block Size
Though any size of block is acceptable, following aspects are borne in mind while
selecting a size of a block.
Ɣ Avoid very small block size: Say a block size is m bits. Then the possible
plaintext bits combinations are 2m. If the attacker discovers the plaintext blocks
corresponding to some previously sent ciphertext blocks, then the attacker can
launch a type of ‘dictionary attack’ by building up a dictionary of plaintext/
ciphertext pairs sent using that encryption key. A larger block size makes
attack harder as the dictionary needs to be larger.
Ɣ Do not have very large block size: With very large block size, the cipher
becomes inefficient to operate. Such plaintexts will need to be padded before
being encrypted.
Ɣ Multiples of 8-bit: A preferred block size is a multiple of 8 as it is easy for
implementation as most computer processor handle data in multiple of 8-bits.

Amity Directorate of Distance and Online Education

E-Commerce Security 211

Padding in Block Cipher

Notes
Block ciphers process blocks of fixed sizes (say 64-bits). The length of plaintexts is
mostly not a multiple of the block size. For example, a 150-bit plaintext provides two
blocks of 64-bits each with third block of balance 22-bits. The last block of bits needs to
be padded up with redundant information so that the length of the final block equal to
block size of the scheme. In our example, the remaining 22-bits need to have additional
42 redundant bits added to provide a complete block. The process of adding bits to the
last block is referred to as padding.
Too much padding makes the system inefficient. Also, padding may render the
system insecure at times, if the padding is done with same bits always.

Block Cipher Schemes

There is a vast number of block ciphers schemes that are in use. Many of them are
publically known. Most popular and prominent block ciphers are listed below.
Ɣ Digital Encryption Standard (DES): The popular block cipher of the 1990s. It
is now considered as a ‘broken’ block cipher, due primarily to its small key size.
Ɣ Triple DES: It is a variant scheme based on repeated DES applications. It is
still a respected block ciphers but inefficient compared to the new faster block
ciphers available.
Ɣ Advanced Encryption Standard (AES): It is a relatively new block cipher
based on the encryption algorithm Rijndael that won the AES design
competition.
Ɣ IDEA: It is a sufficiently strong block cipher with a block size of 64 and a key
size of 128-bits. A number of applications use IDEA encryption, including early
versions of Pretty Good Privacy (PGP) protocol. The use of IDEA scheme has
a restricted adoption due to patent issues.
Ɣ Twofish: This scheme of block cipher uses block size of 128-bits and a key of
variable length. It was one of the AES finalists. It is based on the earlier block
cipher Blowfish with a block size of 64-bits.
Ɣ Serpent: A block cipher with a block size of 128-bits and key lengths of
128-bits, 192-bits, or 256-bits, which was also an AES competition finalist. It is
a slower but has more secure design than other block cipher.
In the next sections, we will first discuss the model of block cipher followed by DES
and AES, two of the most influential modern block ciphers.
Feistel Cipher is not a specific scheme of block cipher. It is a design model from
which many different block ciphers are derived. DES is just one example of a Feistel
Cipher. A cryptographic system based on Feistel cipher structure uses the same
algorithm for both encryption and decryption.

Encryption Process
The encryption process uses the Feistel structure consisting multiple rounds of
processing of the plaintext, each round consisting of a “substitution” step followed by a
permutation step.
Feistel Structure is shown in the following illustration:

Amity Directorate of Distance and Online Education

212 Web-Enabled Business Processes

Notes

Ɣ The input block to each round is divided into two halves that can be denoted as
L and R for the left half and the right half.
Ɣ In each round, the right half of the block, R, goes through unchanged. But the
left half, L, goes through an operation that depends on R and the encryption
key. First, we apply an encrypting function ‘f’ that takes two input í the key K
and R. The function produces the output f(R, K). Then, we XOR the output of
the mathematical function with L.
Ɣ In real implementation of the Feistel Cipher, such as DES, instead of using the
whole encryption key during each round, a round-dependent key (a subkey) is
derived from the encryption key. This means that each round uses a different
key, although all these subkeys are related to the original key.
Ɣ The permutation step at the end of each round swaps the modified L and
unmodified R. Therefore, the L for the next round would be R of the current
round. And R for the next round be the output L of the current round.
Ɣ Above substitution and permutation steps form a ‘round’. The number of
rounds are specified by the algorithm design.
Ɣ Once the last round is completed, then the two sub-blocks, ‘R’ and ‘L’ are
concatenated in this order to form the ciphertext block.

Amity Directorate of Distance and Online Education

E-Commerce Security 213

The difficult part of designing a Feistel Cipher is selection of round function ‘f’. In
Notes
order to be unbreakable scheme, this function needs to have several important
properties that are beyond the scope of our discussion.

Decryption Process
The process of decryption in Feistel cipher is almost similar. Instead of starting with
a block of plaintext, the ciphertext block is fed into the start of the Feistel structure and
then the process thereafter is exactly the same as described in the given illustration.
The process is said to be almost similar and not exactly same. In the case of
decryption, the only difference is that the subkeys used in encryption are used in the
reverse order.
The final swapping of ‘L’ and ‘R’ in last step of the Feistel Cipher is essential. If these are
not swapped, then the resulting ciphertext could not be decrypted using the same algorithm.

Number of Rounds
The number of rounds used in a Feistel Cipher depends on desired security from the
system. More number of rounds provides more secure system. But at the same time,
more rounds mean the inefficient slow encryption and decryption processes. Number of
rounds in the systems thus depends upon efficiency-security trade-off.
The Data Encryption Standard (DES) is a symmetric key block cipher published by
the National Institute of Standards and Technology (NIST).
DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The
block size is 64-bit. Though key length is 64-bit, DES has an effective key length of
56-bits, since 8 of the 64-bits of the key are not used by the encryption algorithm
(function as check bits only). General Structure of DES is depicted in the following
illustration:

Amity Directorate of Distance and Online Education

214 Web-Enabled Business Processes
Since DES is based on the Feistel Cipher, all that is required to specify DES is:
Notes
Ɣ Round function
Ɣ Key schedule
Ɣ Any additional processing í Initial and final permutation

Initial and Final Permutation

The initial and final permutations are straight Permutation boxes (P-boxes) that are
inverses of each other. They have no cryptography significance in DES. The initial and
final permutations are shown as follows:

Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key
to the rightmost 32 bits to produce a 32-bit output.

Amity Directorate of Distance and Online Education

E-Commerce Security 215

Ɣ Expansion Permutation Box: Since right input is 32-bit and round key is a
Notes
48-bit, we first need to expand right input to 48 bits. Permutation logic is
graphically depicted in the following illustration:

Ɣ The graphically depicted permutation logic is generally described as table in

DES specification illustrated as shown:

Ɣ XOR (Whitener): After the expansion permutation, DES does XOR operation
on the expanded right section and the round key. The round key is used only in
this operation.
Ɣ Substitution Boxes: The S-boxes carry out the real mixing (confusion). DES
uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer the following
illustration:

Ɣ The S-box rule is illustrated below:

Amity Directorate of Distance and Online Education

216 Web-Enabled Business Processes

Notes

Ɣ There are a total of eight S-box tables. The output of all eight s-boxes is then
combined into 32-bit section.
Ɣ Straight Permutation: The 32-bit output of S-boxes is then subjected to the
straight permutation with rule shown in the following illustration:

Key Generation
The round key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The
process of key generation is depicted in the following illustration:

Amity Directorate of Distance and Online Education

E-Commerce Security 217

Notes

The logic for Parity drops, shifting, and Compression P-box is given in the DES
description.

DES Analysis
The DES satisfies both the desired properties of block cipher. These two properties
make cipher very strong.
Ɣ Avalanche effect: A small change in plaintext results in the very grate change
in the ciphertext.
Ɣ Completeness: Each bit of ciphertext depends on many bits of plaintext.
During the last few years, cryptanalysis have found some weaknesses in DES when
key selected are weak keys. These keys shall be avoided.
DES has proved to be a very well designed block cipher. There have been no
significant cryptanalytic attacks on DES other than exhaustive key search.
The speed of exhaustive key searches against DES after 1990 began to cause
discomfort amongst users of DES. However, users did not want to replace DES as it
takes an enormous amount of time and money to change encryption algorithms that are
widely adopted and embedded in large security architectures.
The pragmatic approach was not to abandon the DES completely, but to change the
manner in which DES is used. This led to the modified schemes of Triple DES
(sometimes known as 3DES).
Amity Directorate of Distance and Online Education
218 Web-Enabled Business Processes
Incidentally, there are two variants of Triple DES known as 3-key Triple DES
Notes
(3TDES) and 2-key Triple DES (2TDES).

3-key Triple DES

Before using 3TDES, user first generates and distributes a 3TDES key K, which
consists of three different DES keys K1, K2 and K3. This means that the actual 3TDES
key has length 3 × 56 = 168 bits. The encryption scheme is illustrated as follows:

The encryption-decryption process is as follows:

Ɣ Encrypt the plaintext blocks using single DES with key k1.
Ɣ Now, decrypt the output of step 1 using single DES with key k2.
Ɣ Finally, encrypt the output of step 2 using single DES with key k3.
Ɣ The output of step 3 is the ciphertext.
Ɣ Decryption of a ciphertext is a reverse process. User first decrypt using k3, then
encrypt with k2, and finally decrypt with k1.
Due to this design of Triple DES as an encrypt-decrypt-encrypt process, it is
possible to use a 3TDES (hardware) implementation for single DES by setting k1, k2, and
k3 to be the same value. This provides backwards compatibility with DES.
Second variant of Triple DES (2TDES) is identical to 3TDES except that k3 is
replaced by k1. In other words, user encrypts plaintext blocks with key k1, then decrypt
with key k2, and finally encrypt with k1 again. Therefore, 2TDES has a key length of
112-bits.
Triple DES systems are significantly more secure than single DES, but these are
clearly a much slower process than encryption using single DES.
The more popular and widely adopted symmetric encryption algorithm likely to be
encountered nowadays is the Advanced Encryption Standard (AES). It is found at least
six times faster than triple DES.

Amity Directorate of Distance and Online Education

E-Commerce Security 219

A replacement for DES was needed as its key size was too small. With increasing
Notes
computing power, it was considered vulnerable against exhaustive key search attack.
Triple DES was designed to overcome this drawback but it was found slow.
The features of AES are as follows:
Ɣ Symmetric key symmetric block cipher
Ɣ 128-bit data, 128/192/256-bit keys
Ɣ Stronger and faster than Triple DES
Ɣ Provide full specification and design details
Ɣ Software implementable in C and Java

Operation of AES
AES is an iterative rather than Feistel cipher. It is based on ‘substitution-permutation
network’. It comprises of a series of linked operations, some of which involve replacing
inputs by specific outputs (substitutions) and others involve shuffling bits around
(permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence,
AES treats the 128-bits of a plaintext block as 16-bytes. These 16-bytes are arranged in
four columns and four rows for processing as a matrix.
Unlike DES, the number of rounds in AES is variable and depends on the length of
the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds
for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is
calculated from the original AES key.
The schematic of AES structure is given in the following illustration:

Encryption Process
Here, we restrict to description of a typical round of AES encryption. Each round
comprise of four sub-processes. The first round process is depicted below:

Amity Directorate of Distance and Online Education

220 Web-Enabled Business Processes

Notes

Byte Substitution (Sub-bytes)

The 16 input bytes are substituted by looking up a fixed table (S-box) given in design.
The result is in a matrix of four rows and four columns.

Shiftrows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are
re-inserted on the right side of row. Shift is carried out as follows:
Ɣ First row is not shifted.
Ɣ Second row is shifted one (byte) position to the left.
Ɣ Third row is shifted two positions to the left.
Ɣ Fourth row is shifted three positions to the left.
Ɣ The result is a new matrix consisting of the same 16 bytes but shifted with
respect to each other.

MixColumns
Each column of four bytes is now transformed using a special mathematical function.
This function takes as input the four bytes of one column and outputs four completely
new bytes, which replace the original column. The result is another new matrix consisting
of 16 new bytes. It should be noted that this step is not performed in the last round.

Addroundkey
The 16 bytes of the matrix are now considered as 128-bits and are XORed to the
128-bits of the round key. If this is the last round, then the output is the ciphertext.
Otherwise, the resulting 128-bits are interpreted as 16 bytes and we begin another
similar round.

Amity Directorate of Distance and Online Education

E-Commerce Security 221

Decryption Process
Notes
The process of decryption of an AES ciphertext is similar to the encryption process
in the reverse order. Each round consists of the four processes conducted in the reverse
order:
Ɣ Add round key
Ɣ Mix columns
Ɣ Shift rows
Ɣ Byte substitution
Since sub-processes in each round are in reverse manner, unlike for a Feistel
Cipher, the encryption and decryption algorithms need to be separately implemented,
although they are very closely related.

AES Analysis
In present-day cryptography, AES is widely adopted and supported in both
hardware and software. Till date, no practical cryptanalytic attacks against AES have
been discovered. Additionally, AES has built-in flexibility of key length, which allows a
degree of ‘future proofing’ against progress in the ability to perform exhaustive key
searches.
However, just as for DES, the AES security is assured only if it is correctly
implemented and good key management is employed.
In this unit, we will discuss the different modes of operation of a block cipher. These
are procedural rules for a generic block cipher. Interestingly, the different modes result in
different properties being achieved which add to the security of the underlying block
cipher.
A block cipher processes the data blocks of fixed size. Usually, the size of a
message is larger than the block size. Hence, the long message is divided into a series of
sequential message blocks, and the cipher operates on these blocks one at a time.

Electronic Code Book (ECB) Mode

This mode is a most straightforward way of processing a series of sequentially listed
message blocks.
Ɣ The user takes the first block of plaintext and encrypts it with the key to
produce the first block of ciphertext.
Ɣ He then takes the second block of plaintext and follows the same process with
same key and so on so forth.
The ECB mode is deterministic, that is, if plaintext block P1, P2, …, Pm are
encrypted twice under the same key, the output ciphertext blocks will be the same.
In fact, for a given key technically, we can create a codebook of ciphertexts for all
possible plaintext blocks. Encryption would then entail only looking up for required
plaintext and select the corresponding ciphertext. Thus, the operation is analogous to the
assignment of code words in a codebook, and hence gets an official name í Electronic
Codebook mode of operation (ECB). It is illustrated as follows:

Amity Directorate of Distance and Online Education

222 Web-Enabled Business Processes

Notes

Analysis of ECB Mode

In reality, any application data usually have partial information which can be
guessed. For example, the range of salary can be guessed. A ciphertext from ECB can
allow an attacker to guess the plaintext by trial-and-error if the plaintext message is within
predictable.
For example, if a ciphertext from the ECB mode is known to encrypt a salary figure,
then a small number of trials will allow an attacker to recover the figure. In general, we do
not wish to use a deterministic cipher, and hence the ECB mode should not be used in
most applications.

Cipher Block Chaining (CBC) Mode

CBC mode of operation provides message dependence for generating ciphertext and
makes the system non-deterministic.

Operation
The operation of CBC mode is depicted in the following illustration. The steps are as
follows:
Ɣ Load the n-bit Initialization Vector (IV) in the top register.
Ɣ XOR the n-bit plaintext block with data value in top register.
Ɣ Encrypt the result of XOR operation with underlying block cipher with key K.
Ɣ Feed ciphertext block into top register and continue the operation till all
plaintext blocks are processed.
Ɣ For decryption, IV data is XORed with first ciphertext block decrypted. The first
ciphertext block is also fed into to register replacing IV for decrypting next
ciphertext block.

Amity Directorate of Distance and Online Education

E-Commerce Security 223

Analysis of CBC Mode

Notes
In CBC mode, the current plaintext block is added to the previous ciphertext block,
and then the result is encrypted with the key. Decryption is thus the reverse process,
which involves decrypting the current ciphertext and then adding the previous ciphertext
block to the result.
Advantage of CBC over ECB is that changing IV results in different ciphertext for
identical message. On the drawback side, the error in transmission gets propagated to
few further block during decryption due to chaining effect.
It is worth mentioning that CBC mode forms the basis for a well-known data origin
authentication mechanism. Thus, it has an advantage for those applications that require
both symmetric encryption and data origin authentication.

Cipher Feedback (CFB) Mode

In this mode, each ciphertext block gets ‘fed back’ into the encryption process in
order to encrypt the next plaintext block.

Operation
The operation of CFB mode is depicted in the following illustration. For example, in
the present system, a message block has a size ‘s’ bits where 1 < s < n. The CFB mode
requires an initialization vector (IV) as the initial random n-bit input block. The IV need not
be secret. Steps of operation are:
Ɣ Load the IV in the top register.
Ɣ Encrypt the data value in top register with underlying block cipher with key K.
Ɣ Take only ‘s’ number of most significant bits (left bits) of output of encryption
process and XOR them with ‘s’ bit plaintext message block to generate
ciphertext block.
Ɣ Feed ciphertext block into top register by shifting already present data to the
left and continue the operation till all plaintext blocks are processed.
Ɣ Essentially, the previous ciphertext block is encrypted with the key, and then
the result is XORed to the current plaintext block.
Ɣ Similar steps are followed for decryption. Pre-decided IV is initially loaded at
the start of decryption.

Amity Directorate of Distance and Online Education

224 Web-Enabled Business Processes
Analysis of CFB Mode
Notes
CFB mode differs significantly from ECB mode, the ciphertext corresponding to a
given plaintext block depends not just on that plaintext block and the key, but also on the
previous ciphertext block. In other words, the ciphertext block is dependent of message.
CFB has a very strange feature. In this mode, user decrypts the ciphertext using
only the encryption process of the block cipher. The decryption algorithm of the
underlying block cipher is never used.
Apparently, CFB mode is converting a block cipher into a type of stream cipher. The
encryption algorithm is used as a key stream generator to produce key stream that is
placed in the bottom register. This key stream is then XORed with the plaintext as in case
of stream cipher.
By converting a block cipher into a stream cipher, CFB mode provides some of the
advantageous properties of a stream cipher while retaining the advantageous properties
of a block cipher.
On the flip side, the error of transmission gets propagated due to changing of
blocks.

Output Feedback (OFB) Mode

It involves feeding the successive output blocks from the underlying block cipher
back to it. These feedback blocks provide string of bits to feed the encryption algorithm
which act as the key stream generator as in case of CFB mode.
The key stream generated is XOR-ed with the plaintext blocks. The OFB mode
requires an IV as the initial random n-bit input block. The IV need not be secret.
The operation is depicted in the following illustration:

Counter (CTR) Mode

It can be considered as a counter-based version of CFB mode without the feedback.
In this mode, both the sender and receiver need to access to a reliable counter, which
computes a new shared value each time a ciphertext block is exchanged. This shared
counter is not necessarily a secret value, but challenge is that both sides must keep the
counter synchronized.

Amity Directorate of Distance and Online Education

E-Commerce Security 225

Operation
Notes
Both encryption and decryption in CTR mode are depicted in the following
illustration. Steps in operation are:
Ɣ Load the initial counter value in the top register is the same for both the sender
and the receiver. It plays the same role as the IV in CFB (and CBC) mode.
Ɣ Encrypt the contents of the counter with the key and place the result in the
bottom register.
Ɣ Take the first plaintext block P1 and XOR this to the contents of the bottom
register. The result of this is C1. Send C1 to the receiver and update the
counter. The counter update replaces the ciphertext feedback in CFB mode.
Ɣ Continue in this manner until the last plaintext block has been encrypted.
Ɣ The decryption is the reverse process. The ciphertext block is XORed with the
output of encrypted contents of counter value. After decryption of each
ciphertext, block counter is updated as in case of encryption.

Analysis of Counter Mode

It does not have message dependency and hence a ciphertext block does not
depend on the previous plaintext blocks.
Like CFB mode, CTR mode does not involve the decryption process of the block
cipher. This is because the CTR mode is really using the block cipher to generate a key
stream, which is encrypted using the XOR function. In other words, CTR mode also
converts a block cipher to a stream cipher.
The serious disadvantage of CTR mode is that it requires a synchronous counter at
sender and receiver. Loss of synchronization leads to incorrect recovery of plaintext.
However, CTR mode has almost all advantages of CFB mode. In addition, it does
not propagate error of transmission at all.

Public Key Cryptography

Unlike symmetric key cryptography, we do not find historical use of public key
cryptography. It is a relatively new concept.

Amity Directorate of Distance and Online Education

226 Web-Enabled Business Processes
Symmetric cryptography was well suited for organizations such as governments,
Notes
military, and big financial corporations were involved in the classified communication.
With the spread of more unsecure computer networks in last few decades, a
genuine need was felt to use cryptography at larger scale. The symmetric key was found
to be non-practical due to challenges it faced for key management. This gave rise to the
public key cryptosystems.
The process of encryption and decryption is depicted in the following illustration:

The most important properties of public key encryption scheme are:

Ɣ Different keys are used for encryption and decryption. This is a property which
set this scheme different than symmetric encryption scheme.
Ɣ Each receiver possesses a unique decryption key, generally referred to as his
private key.
Ɣ Receiver needs to publish an encryption key, referred to as his public key.
Ɣ Some assurance of the authenticity of a public key is needed in this scheme to
avoid spoofing by adversary as the receiver. Generally, this type of
cryptosystem involves trusted third party which certifies that a particular public
key belongs to a specific person or entity only.
Ɣ Encryption algorithm is complex enough to prohibit attacker from deducing the
plaintext from the ciphertext and the encryption (public) key.
Ɣ Though private and public keys are related mathematically, it is not feasible to
calculate the private key from the public key. In fact, intelligent part of any
public key cryptosystem is in designing a relationship between two keys.
There are three types of Public Key Encryption schemes. We discuss them in
following sections.

RSA Cryptosystem
This cryptosystem is one of the initial system. It remains most employed
cryptosystem even today. The system was invented by three scholars Ron Rivest, Adi
Shamir, and Len Adleman and hence, it is termed as RSA cryptosystem.

Amity Directorate of Distance and Online Education

E-Commerce Security 227

We will see two aspects of the RSA cryptosystem, firstly generation of key pair and
Notes
secondly encryption-decryption algorithms.

Generation of RSA Key Pair

Each person or a party who desires to participate in communication using
encryption needs to generate a pair of keys, namely public key and private key. The
process followed in the generation of keys is described below:
Ɣ Generate the RSA modulus (n)
– Select two large primes, p and q.
– Calculate n = p * q. For strong unbreakable encryption, let n be a large
number, typically a minimum of 512-bits.
Ɣ Find derived number (e)
– Number e must be greater than 1 and less than (p í 1)(q í 1).
– There must be no common factor for e and (p í 1)(q í 1) except for 1. In
other words, two numbers e and (p – 1)(q – 1) are co-prime.
Ɣ Form the public key
– The pair of numbers (n, e) form the RSA public key and is made public.
– Interestingly, though n is part of the public key, difficulty in factorizing a
large prime number ensures that attacker cannot find in finite time the two
primes (p and q) used to obtain n. This is strength of RSA.
Ɣ Generate the private key
– Private Key d is calculated from p, q, and e. For given n and e, there is
unique number d.
– Number d is the inverse of e modulo (p – 1)(q – 1). This means that d is
the number less than (p – 1)(q – 1) such that when multiplied by e, it is
equal to 1 modulo (p – 1)(q – 1).
– This relationship is written mathematically as follows:
ed = 1 mod (p í 1)(q í 1)
The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.

Example
An example of generating RSA Key Pair is given below. (For ease of understanding,
the primes p and q taken here are small values. Practically, these values are very high).
Ɣ Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 × 13 = 91.
Ɣ Select e = 5, which is a valid choice since there is no number that is common
factor of 5 and (p í 1)(q í 1) = 6 × 12 = 72, except for 1.
Ɣ The pair of numbers (n, e) = (91, 5) forms the public key and can be made
available to anyone whom we wish to be able to send us encrypted messages.
Ɣ Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output
will be d = 29.
Ɣ Check that the d calculated is correct by computing:
de = 29 × 5 = 145 = 1 mod 72
Ɣ Hence, public key is (91, 5) and private keys is (91, 29).

6.7 Encryption and Decryption

Once the key pair has been generated, the process of encryption and decryption are
relatively straightforward and computationally easy.

Amity Directorate of Distance and Online Education

228 Web-Enabled Business Processes
Interestingly, RSA does not directly operate on strings of bits as in case of
Notes
symmetric key encryption. It operates on numbers modulo n. Hence, it is necessary to
represent the plaintext as a series of numbers less than n.

6.7.1 RSA Encryption

Ɣ Suppose the sender wish to send some text message to someone whose
public key is (n, e).
Ɣ The sender then represents the plaintext as a series of numbers less than n.
Ɣ To encrypt the first plaintext P, which is a number modulo n. The encryption
process is simple mathematical step as:
C = Pe mod n
Ɣ In other words, the ciphertext C is equal to the plaintext P multiplied by itself e
times and then reduced modulo n. This means that C is also a number less
than n.
Ɣ Returning to our Key Generation example with plaintext P = 10, we get
ciphertext C:
C = 105 mod 91

6.7.2 RSA Decryption

Ɣ The decryption process for RSA is also very straightforward. Suppose that the
receiver of public key pair (n, e) has received a ciphertext C.
Ɣ Receiver raises C to the power of his private key d. The result modulo n will be
the plaintext P:
Plaintext = Cd mod n
Ɣ Returning again to our numerical example, the ciphertext C = 82 would get
decrypted to number 10 using private key 29:
Plaintext = 8229 mod 91 = 10

6.8 RSA Analysis

The security of RSA depends on the strengths of two separate functions. The RSA
cryptosystem is most popular public key cryptosystem, the strength of which is based on
the practical difficulty of factoring the very large numbers.
Ɣ Encryption Function: It is considered as a one-way function of converting
plaintext into ciphertext and it can be reversed only with the knowledge of
private key d.
Ɣ Key Generation: The difficulty of determining a private key from an RSA public
key is equivalent to factoring the modulus n. An attacker, thus, cannot use
knowledge of an RSA public key to determine an RSA private key unless he
can factor n. It is also a one-way function, going from p and q values to
modulus n is easy but reverse is not possible.
If either of these two functions are proved non one-way, then RSA will be broken. In
fact, if a technique for factoring efficiently is developed then RSA will no longer be safe.
The strength of RSA encryption drastically goes down against attacks if the number
p and q are not large primes and/ or chosen public key e is a small number.

Amity Directorate of Distance and Online Education

E-Commerce Security 229

6.8.1 ElGamal Cryptosystem Notes

Along with RSA, there are other public key cryptosystems proposed. Many of them
are based on different versions of the Discrete Logarithm Problem.
ElGamal cryptosystem, called Elliptic Curve Variant, is based on the Discrete
Logarithm Problem. It derives the strength from the assumption that the discrete
logarithms cannot be found in practical time frame for a given number, while the inverse
operation of the power can be computed efficiently.
Let us go through a simple version of ElGamal that works with numbers modulo p. In
the case of elliptic curve variants, it is based on quite different number systems.

6.8.2 Generation of ElGamal Key Pair

Each user of ElGamal cryptosystem generates the key pair through as follows:
Ɣ Choosing a large prime p. Generally, a prime number of 1024- to 2048-bits
length is chosen.
Ɣ Choosing a generator element g.
– This number must be between 1 and p í 1, but cannot be any number.
– It is a generator of the multiplicative group of integers modulo p. This
means for every integer m co-prime to p, there is an integer k such that
gk = a mod n.
For example, 3 is generator of group 5 (Z5 = {1, 2, 3, 4}).
N 3n 3n mod 5
1 3 3
2 9 4
3 27 2
4 81 1
Ɣ Choosing the private key. The private key x is any number bigger than 1 and
smaller than p í 1.
Ɣ Computing part of the public key. The value y is computed from the
parameters p, g and the private key x as follows:
y = gx mod p
Ɣ Obtaining public key. The ElGamal public key consists of the three
parameters (p, g, y).
For example, suppose that p = 17 and that g = 6 (It can be confirmed that 6 is a
generator of group Z17). The private key x can be any number bigger than 1
and smaller than 71, so we choose x = 5. The value y is then computed as
follows:
y = 65 mod 17 = 7
Ɣ Thus, the private key is 62 and the public key is (17, 6, 7).

Encryption and Decryption

The generation of an ElGamal key pair is comparatively simpler than the equivalent
process for RSA. But the encryption and decryption are slightly more complex than RSA.

Amity Directorate of Distance and Online Education

230 Web-Enabled Business Processes
ElGamal Encryption
Notes
Suppose sender wishes to send a plaintext to someone whose ElGamal public key
is (p, g, y), then:
Ɣ Sender represents the plaintext as a series of numbers modulo p.
Ɣ To encrypt the first plaintext P, which is represented as a number modulo p.
The encryption process to obtain the ciphertext C is as follows:
– Randomly generate a number k;
– Compute two values C1 and C2, where:
C1 = gk mod p
C2 = (P * yk) mod p
Ɣ Send the ciphertext C, consisting of the two separate values (C1, C2), sent
together.
Ɣ Referring to our ElGamal key generation example given above, the plaintext
P = 13 is encrypted as follows:
– Randomly generate a number, say k = 10
– Compute the two values C1 and C2, where:
C1 = 610 mod 17
C2 = (13 * 710) mod 17 = 9
Ɣ Send the ciphertext C = (C1, C2) = (15, 9).

ElGamal Decryption
Ɣ To decrypt the ciphertext (C1, C2) using private key x, the following two steps
are taken:
– Compute the modular inverse of (C1)x modulo p, which is (C1) – x,
generally referred to as decryption factor.
– Obtain the plaintext by using the following formula:
C2 × (C1) – x mod p = Plaintext
Ɣ In our example, to decrypt the ciphertext C = (C1, C2) = (15, 9) using private
key x = 5, the decryption factor is:
15–5 mod 17 = 9
Ɣ Extract plaintext P = (9 × 9) mod 17 = 13.

ElGamal Analysis
In ElGamal system, each user has a private key x. and has three components of
public key í prime modulus p, generator g, and public Y = gx mod p. The strength of
the ElGamal is based on the difficulty of discrete logarithm problem.
The secure key size is generally > 1024-bits. Today, even 2048 bits long key are
used. On the processing speed front, Elgamal is quite slow; it is used mainly for key
authentication protocols. Due to higher processing efficiency, Elliptic Curve variants of
ElGamal are becoming increasingly popular.

6.9 Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography (ECC) is a term used to describe a suite of
cryptographic tools and protocols whose security is based on special versions of the
discrete logarithm problem. It does not use numbers modulo p.

Amity Directorate of Distance and Online Education

E-Commerce Security 231

ECC is based on sets of numbers that are associated with mathematical objects
Notes
called elliptic curves. There are rules for adding and computing multiples of these
numbers, just as there are for numbers modulo p.
ECC includes variants of many cryptographic schemes that were initially designed
for modular numbers such as ElGamal encryption and Digital Signature Algorithm.
It is believed that the discrete logarithm problem is much harder when applied to
points on an elliptic curve. This prompts switching from numbers modulo p to points on
an elliptic curve. Also an equivalent security level can be obtained with shorter keys if we
use elliptic curve-based variants.
The shorter keys result in two benefits:
Ɣ Ease of key management
Ɣ Efficient computation
These benefits make elliptic-curve-based variants of encryption scheme highly
attractive for application where computing resources are constrained.

RSA and ElGamal Schemes – A Comparison

Let us briefly compare the RSA and ElGamal schemes on the various aspects.
RSA ElGamal
It is more efficient for encryption. It is more efficient for decryption.
It is less efficient for decryption. It is more efficient for decryption.
For a particular security level, lengthy keys For the same level of security, very short keys
are required in RSA. are required.
It is widely accepted and used. It is new and not very popular in market.

6.10 Cryptography Digital Signatures

Digital signatures are the public key primitives of message authentication. In the
physical world, it is common to use handwritten signatures on handwritten or typed
messages. They are used to bind signatory to the message.
Similarly, a digital signature is a technique that binds a person/entity to the digital
data. This binding can be independently verified by receiver as well as any third party.
Digital signature is a cryptographic value that is calculated from the data and a
secret key known only by the signer.
In real world, the receiver of message needs assurance that the message belongs
to the sender and he should not be able to repudiate the origination of that message. This
requirement is very crucial in business applications, since likelihood of a dispute over
exchanged data is very high.

6.11 Model of Digital Signature

As mentioned earlier, the digital signature scheme is based on public key
cryptography. The model of digital signature scheme is depicted in the following
illustration:

Amity Directorate of Distance and Online Education

232 Web-Enabled Business Processes

Notes

The following points explain the entire process in detail:

Ɣ Each person adopting this scheme has a public-private key pair.
Ɣ Generally, the key pairs used for encryption/decryption and signing/verifying
are different. The private key used for signing is referred to as the signature
key and the public key as the verification key.
Ɣ Signer feeds data to the hash function and generates hash of data.
Ɣ Hash value and signature key are then fed to the signature algorithm which
produces the digital signature on given hash. Signature is appended to the
data and then both are sent to the verifier.
Ɣ Verifier feeds the digital signature and the verification key into the verification
algorithm. The verification algorithm gives some value as output.
Ɣ Verifier also runs same hash function on received data to generate hash value.
Ɣ For verification, this hash value and output of verification algorithm are
compared. Based on the comparison result, verifier decides whether the digital
signature is valid.
Ɣ Since digital signature is created by ‘private’ key of signer and no one else can
have this key; the signer cannot repudiate signing the data in future.
It should be noticed that instead of signing data directly by signing algorithm, usually
a hash of data is created. Since the hash of data is a unique representation of data, it is
sufficient to sign the hash in place of data. The most important reason of using hash
instead of data directly for signing is efficiency of the scheme.
Let us assume RSA is used as the signing algorithm. As discussed in public key
encryption unit, the encryption/signing process using RSA involves modular
exponentiation.
Signing large data through modular exponentiation is computationally expensive
and time-consuming. The hash of the data is a relatively small digest of the data. Hence,
signing a hash is more efficient than signing the entire data.

6.12 Importance of Digital Signature

Out of all cryptographic primitives, the digital signature using public key
cryptography is considered as very important and useful tool to achieve information
security.

Amity Directorate of Distance and Online Education

E-Commerce Security 233

Apart from ability to provide non-repudiation of message, the digital signature also
Notes
provides message authentication and data integrity. Let us briefly see how this is
achieved by the digital signature:
Ɣ Message authentication: When the verifier validates the digital signature
using public key of a sender, he is assured that signature has been created
only by sender who possess the corresponding secret private key and no one
else.
Ɣ Data integrity: In case an attacker has access to the data and modifies it, the
digital signature verification at receiver end fails. The hash of modified data and
the output provided by the verification algorithm will not match. Hence, receiver
can safely deny the message assuming that data integrity has been breached.
Ɣ Non-repudiation: Since it is assumed that only the signer has the knowledge
of the signature key, he can only create unique signature on a given data. Thus,
the receiver can present data and the digital signature to a third party as
evidence if any dispute arises in the future.
By adding public key encryption to digital signature scheme, we can create a
cryptosystem that can provide the four essential elements of security namely í Privacy,
Authentication, Integrity, and Non-repudiation.

Encryption with Digital Signature

In many digital communications, it is desirable to exchange encrypted messages
than plaintext to achieve confidentiality. In public key encryption scheme, a public
(encryption) key of sender is available in open domain, and hence anyone can spoof his
identity and send any encrypted message to the receiver.
This makes it essential for users employing PKC for encryption to seek digital
signatures along with encrypted data to be assured of message authentication and
non-repudiation.
This can archived by combining digital signatures with encryption scheme. Let us
briefly discuss how to achieve this requirement. There are two possibilities,
sign-then-encrypt and encrypt-then-sign.
However, the cryptosystem based on sign-then-encrypt can be exploited by receiver
to spoof identity of sender and sent that data to third party. Hence, this method is not
preferred. The process of encrypt-then-sign is more reliable and widely adopted. This is
depicted in the following illustration:

Amity Directorate of Distance and Online Education

234 Web-Enabled Business Processes

Notes

The receiver after receiving the encrypted data and signature on it first verifies the
signature using sender’s public key. After ensuring the validity of the signature, he then
retrieves the data through decryption using his private key.
The most distinct feature of Public Key Infrastructure (PKC) is that it uses a pair of
keys to achieve the underlying security service. The key pair comprises of private key
and public key.
Since the public keys are in open domain, they are likely to be abused. It is, thus,
necessary to establish and maintain some kind of trusted infrastructure to manage these
keys.

Key Management
It goes without saying that the security of any cryptosystem depends upon how
securely its keys are managed. Without secure procedures for the handling of
cryptographic keys, the benefits of the use of strong cryptographic schemes are
potentially lost.
It is observed that cryptographic schemes are rarely compromised through
weaknesses in their design. However, they are often compromised through poor key
management.
There are some important aspects of key management which are as follows:
Ɣ Cryptographic keys are nothing but special pieces of data. Key management
refers to the secure administration of cryptographic keys.
Ɣ Key management deals with entire key lifecycle as depicted in the following
illustration:

Amity Directorate of Distance and Online Education

E-Commerce Security 235

Notes

Ɣ There are two specific requirements of key management for public key
cryptography.
– Secrecy of private keys. Throughout the key lifecycle, secret keys must
remain secret from all parties except those who are owner and are
authorized to use them.
– Assurance of public keys. In public key cryptography, the public keys
are in open domain and seen as public pieces of data. By default, there
are no assurances of whether a public key is correct, with whom it can be
associated, or what it can be used for. Thus, key management of public
keys needs to focus much more explicitly on assurance of purpose of
public keys.
The most crucial requirement of ‘assurance of public key’ can be achieved through
the public key infrastructure (PKI), a key management systems for supporting public key
cryptography.

6.13 Public Key Infrastructure (PKI)

PKI provides assurance of public key. It provides the identification of public keys and
their distribution. An anatomy of PKI comprises of the following components.
Ɣ Public Key Certificate, commonly referred to as ‘digital certificate’.
Ɣ Private Key Tokens.
Ɣ Certification Authority.
Ɣ Registration Authority.
Ɣ Certificate Management System.

Digital Certificate
For analogy, a certificate can be considered as the ID card issued to the person.
People use ID cards such as a driver’s license and passport to prove their identity. A
digital certificate does the same basic thing in the electronic world, but with one
difference.
Amity Directorate of Distance and Online Education
236 Web-Enabled Business Processes
Digital Certificates are not only issued to people but they can be issued to
Notes
computers, software packages or anything else that need to prove the identity in the
electronic world.
Ɣ Digital certificates are based on the ITU standard X.509 which defines a
standard certificate format for public key certificates and certification validation.
Hence, digital certificates are sometimes also referred to as X.509 certificates.
Public key pertaining to the user client is stored in digital certificates by The
Certification Authority (CA) along with other relevant information such as client
information, expiration date, usage, issuer, etc.
Ɣ CA digitally signs this entire information and includes digital signature in the
certificate.
Ɣ Anyone who needs the assurance about the public key and associated
information of client, he carries out the signature validation process using CA’s
public key. Successful validation assures that the public key given in the
certificate belongs to the person whose details are given in the certificate.
The process of obtaining Digital Certificate by a person/entity is depicted in the
following illustration.

As shown in the illustration, the CA accepts the application from a client to certify his
public key. The CA, after duly verifying identity of client, issues a digital certificate to that
client.

6.14 Certifying Authority (CA)

As discussed above, the CA issues certificate to a client and assist other users to
verify the certificate. The CA takes responsibility for identifying correctly the identity of the
client asking for a certificate to be issued, and ensures that the information contained
within the certificate is correct and digitally signs it.

Key Functions of CA
The key functions of a CA are as follows:

Amity Directorate of Distance and Online Education

E-Commerce Security 237

Ɣ Generating key pairs: The CA may generate a key pair independently or

Notes
jointly with the client.
Ɣ Issuing digital certificates: The CA could be thought of as the PKI equivalent
of a passport agency í the CA issues a certificate after client provides the
credentials to confirm his identity. The CA then signs the certificate to prevent
modification of the details contained in the certificate.
Ɣ Publishing certificates: The CA need to publish certificates so that users can
find them. There are two ways of achieving this. One is to publish certificates in
the equivalent of an electronic telephone directory. The other is to send your
certificate out to those people you think might need it by one means or another.
Ɣ Verifying certificates: The CA makes its public key available in environment
to assist verification of his signature on clients’ digital certificate.
Ɣ Revocation of certificates: At times, CA revokes the certificate issued due to
some reason such as compromise of private key by user or loss of trust in the
client. After revocation, CA maintains the list of all revoked certificate that is
available to the environment.

Classes of Certificates
There are four typical classes of certificate:
Ɣ Class 1: These certificates can be easily acquired by supplying an e-mail
address.
Ɣ Class 2: These certificates require additional personal information to be
supplied.
Ɣ Class 3: These certificates can only be purchased after checks have been
made about the requestor’s identity.
Ɣ Class 4: They may be used by governments and financial organizations
needing very high levels of trust.

Registration Authority (RA)

CA may use a third party Registration Authority (RA) to perform the necessary
checks on the person or company requesting the certificate to confirm their identity. The
RA may appear to the client as a CA, but they do not actually sign the certificate that is
issued.

Certificate Management System (CMS)

It is the management system through which certificates are published, temporarily or
permanently suspended, renewed, or revoked. Certificate management systems do not
normally delete certificates because it may be necessary to prove their status at a point in
time, perhaps for legal reasons. A CA along with associated RA runs certificate
management systems to be able to track their responsibilities and liabilities.

Private Key Tokens

While the public key of a client is stored on the certificate, the associated secret
private key can be stored on the key owner’s computer. This method is generally not
adopted. If an attacker gains access to the computer, he can easily gain access to private
key. For this reason, a private key is stored on secure removable storage token access to
which is protected through a password.

Amity Directorate of Distance and Online Education

238 Web-Enabled Business Processes
Different vendors often use different and sometimes proprietary storage formats for
Notes
storing keys. For example, Entrust uses the proprietary .epf format, while Verisign,
GlobalSign, and Baltimore use the standard .p12 format.

Hierarchy of CA
With vast networks and requirements of global communications, it is practically not
feasible to have only one trusted CA from whom all users obtain their certificates.
Secondly, availability of only one CA may lead to difficulties if CA is compromised.
In such case, the hierarchical certification model is of interest since it allows public
key certificates to be used in environments where two communicating parties do not have
trust relationships with the same CA.
Ɣ The root CA is at the top of the CA hierarchy and the root CA’s certificate is a
self-signed certificate.
Ɣ The CAs, which are directly subordinate to the root CA (For example, CA1 and
CA2) have CA certificates that are signed by the root CA.
Ɣ The CAs under the subordinate CAs in the hierarchy (For example, CA5 and
CA6) have their CA certificates signed by the higher-level subordinate CAs.
Certificate authority (CA) hierarchies are reflected in certificate chains. A certificate
chain traces a path of certificates from a branch in the hierarchy to the root of the
hierarchy.
The following illustration shows a CA hierarchy with a certificate chain leading from
an entity certificate through two subordinate CA certificates (CA6 and CA3) to the CA
certificate for the root CA.

Amity Directorate of Distance and Online Education

E-Commerce Security 239

Verifying a certificate chain is the process of ensuring that a specific certificate chain
Notes
is valid, correctly signed, and trustworthy. The following procedure verifies a certificate
chain, beginning with the certificate that is presented for authentication:
Ɣ A client whose authenticity is being verified supplies his certificate, generally
along with the chain of certificates up to Root CA.
Ɣ Verifier takes the certificate and validates by using public key of issuer. The
issuer’s public key is found in the issuer’s certificate which is in the chain next
to client’s certificate.
Ɣ Now if the higher CA who has signed the issuer’s certificate, is trusted by the
verifier, verification is successful and stops here.
Ɣ Else, the issuer’s certificate is verified in a similar manner as done for client in
the above steps. This process continues till either trusted CA is found in
between or else it continues till Root CA.
Nowadays, the networks have gone global and information has taken the digital
form of bits and bytes. Critical information now gets stored, processed and transmitted in
digital form on computer systems and open communication channels.
Since information plays such a vital role, adversaries are targeting the computer
systems and open communication channels to either steal the sensitive information or to
disrupt the critical information system.
Modern cryptography provides a robust set of techniques to ensure that the
malevolent intentions of the adversary are thwarted while ensuring the legitimate users
get access to information. Here, in this unit, we will discuss the benefits that we draw
from cryptography, its limitations, as well as the future of cryptography.

6.15 Cryptography – Benefits

Cryptography is an essential information security tool. It provides the four most
basic services of information security:
Ɣ Confidentiality: Encryption technique can guard the information and
communication from unauthorized revelation and access of information.
Ɣ Authentication: The cryptographic techniques such as MAC and digital
signatures can protect information against spoofing and forgeries.
Ɣ Data Integrity: The cryptographic hash functions are playing vital role in
assuring the users about the data integrity.
Ɣ Non-repudiation: The digital signature provides the non-repudiation service to
guard against the dispute that may arise due to denial of passing message by
the sender.
All these fundamental services offered by cryptography has enabled the conduct of
business over the networks using the computer systems in extremely efficient and
effective manner.

Cryptography – Drawbacks
Apart from the four fundamental elements of information security, there are other
issues that affect the effective use of information:
Ɣ A strongly encrypted, authentic, and digitally signed information can be difficult
to access even for a legitimate user at a crucial time of decision-making. The
network or the computer system can be attacked and rendered non-functional
by an intruder.

Amity Directorate of Distance and Online Education

240 Web-Enabled Business Processes
Ɣ High availability, one of the fundamental aspects of information security,
Notes
cannot be ensured through the use of cryptography. Other methods are
needed to guard against the threats such as denial of service or complete
breakdown of information system.
Ɣ Another fundamental need of information security of selective access control
also cannot be realized through the use of cryptography. Administrative
controls and procedures are required to be exercised for the same.
Ɣ Cryptography does not guard against the vulnerabilities and threats that
emerge from the poor design of systems, protocols, and procedures. These
need to be fixed through proper design and setting up of a defensive
infrastructure.
Ɣ Cryptography comes at cost. The cost is in terms of time and money:
– Addition of cryptographic techniques in the information processing leads
to delay.
– The use of public key cryptography requires setting up and maintenance
of public key infrastructure requiring the handsome financial budget.
Ɣ The security of cryptographic technique is based on the computational difficulty
of mathematical problems. Any breakthrough in solving such mathematical
problems or increasing the computing power can render a cryptographic
technique vulnerable.

6.16 Future of Cryptography

Elliptic Curve Cryptography (ECC) has already been invented but its advantages
and disadvantages are not yet fully understood. ECC allows performing encryption and
decryption in a drastically lesser time, thus allowing a higher amount of data to be passed
with equal security. However, as other methods of encryption, ECC must also be tested
and proven secure before it is accepted for governmental, commercial, and private use.
Quantum computation is the new phenomenon. While modern computers store data
using a binary format called a “bit” in which a “1’ or a “0” can be stored; a quantum
computer stores data using a quantum superposition of multiple states. These multiple
valued states are stored in “quantum bits” or “qubits”. This allows the computation of
numbers to be several orders of magnitude faster than traditional transistor processors.
To comprehend the power of quantum computer, consider RSA-640, a number with
193 digits, which can be factored by eighty 2.2GHz computers over the span of 5 months,
one quantum computer would factor in less than 17 seconds. Numbers that would
typically take billions of years to compute could only take a matter of hours or even
minutes with a fully developed quantum computer.
In view of these facts, modern cryptography will have to look for computationally
harder problems or devise completely new techniques of archiving the goals presently
served by modern cryptography.

6.17 Watermark
A watermark is an identifying image or pattern in paper that appears as various
shades of lightness/darkness when viewed by transmitted light (or when viewed by
reflected light, atop a dark background), caused by thickness or density variations in the
paper. Watermarks have been used on postage stamps, currency, and other government
documents to discourage counterfeiting. There are two main ways of producing

Amity Directorate of Distance and Online Education

E-Commerce Security 241

watermarks in paper; the dandy roll process, and the more complex cylinder mould
Notes
process.
Watermarks vary greatly in their visibility; while some are obvious on casual
inspection, others require some study to pick out. Various aids have been developed,
such as watermark fluid that wets the paper without damaging it. Watermarks are often
used as security features of banknotes, passports, postage stamps, and other
documents to prevent counterfeiting (see security paper).
A watermark is very useful in the examination of paper because it can be used for
dating, identifying sizes, mill trademarks and locations, and determining the quality of a
sheet of paper.
Encoding an identifying code into digitized music, video, picture, or other file is
known as a digital watermark.

Dandy Roll Process

A perspective view of a dandy roll in accordance with the invention of a conventional

paper-making machine incorporating watermarks into the paper.

A watermark is made by impressing a water-coated metal stamp or dandy roll onto

the paper during manufacturing. While watermarks were first introduced in Fabriano, Italy,
in 1282, the invention of the dandy roll in 1826 by John Marshall revolutionized the
watermark process and made it easier for producers to watermark their paper.
The dandy roll is a light roller covered by material similar to window screen that is
embossed with a pattern. Faint lines are made by laid wires that run parallel to the axis of
the dandy roll, and the bold lines are made by chain wires that run around the
circumference to secure the laid wires to the roll from the outside. Because the chain
wires are located on the outside of the laid wires, they have a greater influence on the
impression in the pulp, hence their bolder appearance than the laid wire lines.
This embossing is transferred to the pulp fibers, compressing and reducing their
thickness in that area. Because the patterned portion of the page is thinner, it transmits
more light through and therefore has a lighter appearance than the surrounding paper. If
these lines are distinct and parallel, and/or there is a watermark, then the paper is termed

Amity Directorate of Distance and Online Education

242 Web-Enabled Business Processes
laid paper. If the lines appear as a mesh or are indiscernible, and/or there is no
Notes
watermark, then it is called wove paper. This method is called line drawing watermarks.

6.18 Cylinder Mould Process

Another type of watermark is called the cylinder mould watermark. A shaded
watermark, first used in 1848, incorporates tonal depth and creates a greyscale image.
Instead of using a wire covering for the dandy roll, the shaded watermark is created by
areas of relief on the roll’s own surface. Once dry, the paper may then be rolled again to
produce a watermark of even thickness but with varying density. The resulting watermark
is generally much clearer and more detailed than those made by the Dandy Roll process,
and as such, Cylinder Mould Watermark Paper is the preferred type of watermarked
paper for banknotes, passports, motor vehicle titles, and other documents where it is an
important anti-counterfeiting measure.
Watermarks on Postage Stamps and Stationery

The Crown CA watermark found on many British Commonwealth stamps.

(seen from the reverse)

In philately, the watermark is a key feature of a stamp, and often constitutes the
difference between a common and a rare stamp. Collectors who encounter two otherwise
identical stamps with different watermarks consider each stamp to be a separate
identifiable issue. The “classic” stamp watermark is a small crown or other national
symbol, appearing either once on each stamp or a continuous pattern. Watermarks were
nearly universal on stamps in the 19th and early 20th centuries, but generally fell out of
use and are not commonly used on modern US issues, but some countries continue to
use them.

Amity Directorate of Distance and Online Education

E-Commerce Security 243

Notes

A US postal stationery envelope from 1883 showing a clear watermark on laid paper.

Some types of embossing, such as that used to make the "cross on oval" design on
early stamps of Switzerland, resemble a watermark in that the paper is thinner, but can
be distinguished by having sharper edges than is usual for a normal watermark. Stamp
paper watermarks also show various designs, letters, numbers and pictorial elements.
The process of bringing out the stamp watermark is fairly simple. Sometimes a
watermark in stamp paper can be seen just by looking at the unprinted back side of a
stamp. More often, the collector must use a few basic items to get a good look at the
watermark. For example, watermark fluid may be applied to the back of a stamp to
temporarily reveal the watermark.
Even using the simple watermarking method described, it can be difficult to
distinguish some watermarks. Watermarks on stamps printed in yellow and orange can
be particularly difficult to see. A few mechanical devices are also are used by collectors
to detect watermarks on stamps such as the Morley-Bright watermark detector and the
more expensive Safe Signoscope. Such devices can be very useful for they can be used
without the application of watermark fluid and also allow the collector to look at the
watermark for a longer period of time to more easily detect the watermark.

Conclusion
By being aware of the typical approach used by attackers as well as their goals, you
can be more effective when applying countermeasures. It also helps to use a goal-based
approach when considering and identifying threats, and to use the STRIDE model to
categorize threats based on the goals of the attacker, for example, to spoof identity,
tamper with data, deny service, elevate privileges, and so on. This allows you to focus
more on the general approaches that should be used for risk mitigation, rather than
focusing on the identification of every possible attack, which can be a time-consuming
and potentially fruitless exercise.
This unit has shown you the top threats that have the potential to compromise your
network, host infrastructure, and applications. Knowledge of these threats, together with
the appropriate countermeasures, provides essential information for the threat modeling
process it enables you to identify the threats that are specific to your particular scenario
and prioritize them based on the degree of risk they pose to your system. This structured
process for identifying and prioritizing threats is referred to as threat modeling.

6.19 Summary
Cryptography deals with the actual securing of digital data. It refers to the design of
mechanisms based on mathematical algorithms that provide fundamental information

Amity Directorate of Distance and Online Education

244 Web-Enabled Business Processes
security services. You can think of cryptography as the establishment of a large toolkit
Notes
containing different techniques in security applications. Cryptanalysis is the sister branch
of cryptography and they both co-exist. The cryptographic process results in the cipher
text for transmission or storage. It involves the study of cryptographic mechanism with
the intention to break them. Cryptanalysis is also used during the design of the new
cryptographic techniques to test their security strengths.
Note: Cryptography concerns with the design of cryptosystems, while cryptanalysis
studies the breaking of cryptosystems.
The primary objective of using cryptography is to provide the following four
fundamental information security services. Let us now see the possible goals intended to
be fulfilled by cryptography.

Confidentiality
Confidentiality is the fundamental security service provided by cryptography. It is a
security service that keeps the information from an unauthorized person. It is sometimes
referred to as privacy or secrecy.
Confidentiality can be achieved through numerous means starting from physical
securing to the use of mathematical algorithms for data encryption.

Data Integrity
It is security service that deals with identifying any alteration to the data. The data
may get modified by an unauthorized entity intentionally or accidently. Integrity service
confirms that whether data is intact or not since it was last created, transmitted, or stored
by an authorized user.
Data integrity cannot prevent the alteration of data, but provides a means for
detecting whether data has been manipulated in an unauthorized manner.
Authentication
Authentication provides the identification of the originator. It confirms to the receiver
that the data received has been sent only by an identified and verified sender.
Authentication service has two variants:
Ɣ Message authentication identifies the originator of the message without any
regard router or system that has sent the message.
Ɣ Entity authentication is assurance that data has been received from a specific
entity, say a particular website.
Apart from the originator, authentication may also provide assurance about other
parameters related to data such as the date and time of creation/transmission.
Non-repudiation
It is a security service that ensures that an entity cannot refuse the ownership of a
previous commitment or an action. It is an assurance that the original creator of the data
cannot deny the creation or transmission of the said data to a recipient or third party.
Non-repudiation is a property that is most desirable in situations where there are
chances of a dispute over the exchange of data. For example, once an order is placed
electronically, a purchaser cannot deny the purchase order, if non-repudiation service
was enabled in this transaction.

Amity Directorate of Distance and Online Education

E-Commerce Security 245

Cryptography Primitives Notes

Cryptography primitives are nothing but the tools and techniques in Cryptography
that can be selectively used to provide a set of desired security services:
Ɣ Encryption
Ɣ Hash Functions
Ɣ Message Authentication Codes (MAC)
Ɣ Digital Signatures
6.20 Check Your Progress
I. Fill in the Blanks
1. In cryptography, what is cipher?
(a) Algorithm for performing encryption and decryption
(b) Encrypted message
(c) Both (a) and (b)
(d) None of the mentioned
2. In asymmetric key cryptography, the private key is kept by __________.
(a) sender
(b) receiver
(c) sender and receiver
(d) all the connected devices to the network
3. Which one of the following algorithm is not used in asymmetric key
cryptography?
(a) RSA Algorithm
(b) Diffie-Hellman Algorithm
(c) Electronic Code Book Algorithm
(d) None of the mentioned
4. In cryptography, the order of the letters in a message is rearranged by
__________.
(a) transpositional ciphers
(b) substitution ciphers
(c) Both (a) and (b)
(d) None of the mentioned
5. What is data encryption standard (DES)?
(a) block cipher
(b) stream cipher
(c) bit cipher
(d) None of the mentioned
6. Cryptanalysis is used __________.
(a) to find some insecurity in a cryptographic scheme
(b) to increase the speed
(c) to encrypt the data
(d) None of the mentioned
7. Which one of the following is a cryptographic protocol used to secure HTTP
connection?
(a) Stream Control Transmission Protocol (SCTP)

Amity Directorate of Distance and Online Education

246 Web-Enabled Business Processes
(b) Transport Layer Security (TSL)
Notes
(c) Explicit Congestion Notification (ECN)
(d) Resource Reservation Protocol
8. Voice privacy in GSM cellular telephone protocol is provided by __________.
(a) A5/2 cipher
(b) B5/4 cipher
(c) B5/6 cipher
(d) B5/8 cipher
9. ElGamal encryption system is __________.
(a) symmetric key encryption algorithm
(b) asymmetric key encryption algorithm
(c) not an encryption algorithm
(d) None of the mentioned
10. Cryptographic hash function takes an arbitrary block of data and returns
__________.
(a) fixed size bit string
(b) variable size bit string
(c) Both (a) and (b)
(d) None of the mentioned
II. True or False
1. The Internet was introduced in 1969 at the Center for European Nuclear
Research.
2. The most popular Internet activity is shopping.
3. The Web is another name for the Internet.
4. The actual, physical network used for international communication is called the
Internet.
5. The most common way to access the Internet is through a provider or host
computer.
6. Some Internet providers offer free Internet access.
7. Regional service providers offer access through standard telephone
connections. Users can access the Internet from almost anywhere within the
country without incurring long-distance telephone charges.
8. Commercial Internet service providers include national, regional, and wireless
service providers.
9. Browsers are programs that provide access to Web resources.
10. Users of the Internet are part of a large client/server network.
11. In the Internet address, “[email protected]”, the domain name is
maryellen.
III. Multiple Choice Questions
1. The Internet was launched in 1969 and was originally called ___________.
2. The most popular Internet activity is ___________.
3. The fastest-growing application for the Internet is ___________.
4. A ___________ program provides access to Web resources.
5. The most widely used Web protocol is ___________.
6. This basic type of e-Commerce ___________ involves the sale of a product or
service to the general public or end-users.

Amity Directorate of Distance and Online Education

E-Commerce Security 247

7. This basic type of e-Commerce ___________involves individuals selling to

Notes
individuals.
8. This basic type of e-Commerce ___________ involves the sale of a product or
service from one business to another.
9. Web ___________ are virtual stores for B2C electronic commerce.
10. In a Web, ___________ sellers post descriptions of products at a website and
buyers submit bids electronically.

6.21 Questions and Exercises

1. What are the different standards used for EDI transactions?
2. What is a business process?
3. What are the different kinds of integration tools used for EDI transactions?
4. Can we make mandatory elements as conditional in a map?
5. Which service uses map in the business process?
6. What are different envelopes used to send an EDI file and how are they used?
7. Where do we configure our trading partners and how do we do it?
8. What is a digital signature?
9. What is ‘DSC’?
10. What is the difference between a ‘digital signature’, a ‘digital certificate’ and a
‘digital signature certificate (dsc)’?
11. Is a digital signature legally valid?
12. Can a document signed with a digital signature be considered as valid
evidence?
13. Why has the usage of digital signatures in India increased dramatically in
recent years?
14. Can two or more people have the same digital signature?
15. Can a digital signature be forged?

6.22 Key Terms

Ɣ ANSI: The American National Standards Institute (ANSI) chartered the
Accredited Standards Committee (ASC) X12 to develop uniform standards for
inter-industry electronic exchange of business transactions, namely electronic
data interchange.
Ɣ AS2: Applicability Statement 2 (Secure communication protocol used for EDI
over the Internet).
Ɣ ASN: Advance Ship Notice. Also known as an “856” transaction.
Ɣ B2B: Business to Business.
Ɣ EAI: Enterprise Application Integration.
Ɣ EDI: Electronic Data Interchange.
Ɣ EDIFACT: An EDI standard mainly used in Europe.
Ɣ ERP: Enterprise Resource Planning.
Ɣ GTIN: Global Trade Item Number.
Ɣ IT: Information Technology.
Ɣ PO: Purchase Order. Also known as an “850” transaction.
Ɣ Trading Partner: Other organizations with which business transactions are
exchanged.

Amity Directorate of Distance and Online Education

248 Web-Enabled Business Processes
Ɣ UPC: Universal Product Code.
Notes
Ɣ VAN: Value Added Network.
Ɣ VMI: Vendor Managed Inventory.
Ɣ WMS: Warehouse Management System.
Ɣ X.12: An EDI standard mainly used in North America.

6.23 Check Your Progress: Answers

I. Fill in the Blanks
1. ARPANET
2. Communicating with others
3. going shopping
4. browser
5. http://
6. B2C
7. C2C
8. B2B
9. storefronts
10. auction
II. True or False
1. False
2. False
3. False
4. True
5. True
6. True
7. False
8. True
9. True
10. True
11. False
III. Multiple Choice Questions
1. (a) Algorithm for performing encryption and decryption
2. (b) receiver
3. (c) electronic code book algorithm
4. (a) transpositional ciphers
5. (a) block cipher
6. (a) to find some insecurity in a cryptographic scheme
7. (b) transport layer security (TSL)
8. (a) A5/2 cipher
9. (b) Asymmetric Key Encryption Algorithm
10. (a) fixed size bit string

Amity Directorate of Distance and Online Education

E-Commerce Security 249

6.24 Case Study Notes

Security Issues in E-Commerce

Introduction
E-Commerce is defined as the buying and selling of products or services over
electronic systems such as the Internet and to a lesser extent, other computer networks.
It is generally regarded as the sales and commercial function of eBusiness. There has
been a massive increase in the level of trade conducted electronically since the
widespread penetration of the Internet. A wide variety of commerce is conducted via
e-Commerce, including electronic funds transfer, supply chain management, Internet
marketing, online transaction processing, electronic data interchange (EDI), inventory
management systems, and automated data collection systems. US online retail sales
reached $175 billion in 2007 and are projected to grow to $335 billion by 2012 (Mulpuru,
2008).
This massive increase in the uptake of e-Commerce has led to a new generation of
associated security threats, but any e-Commerce system must meet four integral
requirements:
(a) Privacy: Information exchanged must be kept from unauthorized parties.
(b) Integrity: The exchanged information must not be altered or tampered with.
(c) Authentication: Both sender and recipient must prove their identities to each
other.
(d) Non-repudiation: Proof is required that the exchanged information was indeed
received (Holcombe, 2007).
These basic maxims of e-Commerce are fundamental to the conduct of secure
business online. Further to the fundamental maxims of e-Commerce above,
e-Commerce providers must also protect against a number of different external security
threats, most notably Denial of Service (DoS). These are where an attempt is made to
make a computer resource unavailable to its intended users though a variety of
mechanisms discussed below. The financial services sector still bears the brunt of
e-crime, accounting for 72% of all attacks. But the sector that experienced the greatest
increase in the number of attacks was e-Commerce. Attacks in this sector have risen by
15% from 2006 to 2007 (Symantec, 2007).

Privacy
Privacy has become a major concern for consumers with the rise of identity theft
and impersonation, and any concern for consumers must be treated as a major concern
for e-Commerce providers. According to Consumer Reports Money Adviser (Perrotta,
2008), the US Attorney General has announced multiple indictments relating to a
massive international security breach involving nine major retailers and more than
40 million credit and debit card numbers. US attorneys think that this may be the largest
hacking and identity theft case ever prosecuted by the justice department. Both EU and
US legislation at both the Federal and State levels mandates certain organizations to
inform customers about information uses and disclosures. Such disclosures are typically
accomplished through privacy policies, both online and offline (Vail et al., 2008).
In a study by Lauer and Deng (2008), a model is presented linking privacy policy,
through trustworthiness, to online trust, and then to customers’ loyalty and their
willingness to provide truthful information. The model was tested using a sample of 269
responses. The findings suggested that consumers’ trust in a company is closely linked

Amity Directorate of Distance and Online Education

250 Web-Enabled Business Processes
with the perception of the company’s respect for customer privacy (Lauer and Deng,
Notes
2007). Trust in turn is linked to increased customer loyalty that can be manifested
through increased purchases, openness to trying new products, and willingness to
participate in programs that use additional personal information. Privacy now forms an
integral part of any e-Commerce strategy and investment in privacy protection has been
shown to increase consumer’s spend, trustworthiness and loyalty.
The converse of this can be shown to be true when things go wrong. In March 2008,
the Irish online jobs board, jobs.ie was compromised by criminals and users’ personal
data (in the form of CVs) were taken (Ryan, 2008). Looking at the real-time responses of
users to this event on the popular Irish forum, Boards.ie we can see that privacy is of
major concern to users and in the event of their privacy being compromised users
become very agitated and there is an overall negative effect on trust in e-Commerce.
User comments in the forum included: “I’m well p*ssed off about them keeping my CV on
the sly”; “I am just angry that this could have happened and to so many people”; “Mine
was taken too. How do I terminate my acc with jobs,ie”; “Grr, so annoyed, feel I should
report it to the Gardai now” (Boards.ie, 2008).

Integrity, Authentication and Non-repudiation

In any e-Commerce system, the factors of data integrity, customer and client
authentication and non-repudiation are critical to the success of any online business.
Data integrity is the assurance that data transmitted is consistent and correct, that is, it
has not been tampered or altered in any way during transmission. Authentication is a
means by which both parties in an online transaction can be confident that they are who
they say they are and non-repudiation is the idea that no party can dispute that an actual
event online took place. Proof of data integrity is typically the easiest of these factors to
successfully accomplish. A data hash or checksum, such as MD5 or CRC, is usually
sufficient to establish that the likelihood of data being undetectably changed is extremely
low (Schlaeger and Pernul, 2005). Notwithstanding these security measures, it is still
possible to compromise data in transit through techniques such as phishing or man-in-
the-middle attacks (Desmedt, 2005). These flaws have led to the need for the
development of strong verification and security measurements such as digital signatures
and public key infrastructures (PKI).
One of the key developments in e-Commerce security and one which has led to the
widespread growth of e-Commerce is the introduction of digital signatures as a means of
verification of data integrity and authentication. In 1995, Utah became the first jurisdiction
in the world to enact an electronic signature law. An electronic signature may be defined
as “any letters, characters, or symbols manifested by electronic or similar means and
executed or adopted by a party with the intent to authenticate a writing” (Blythe, 2006). In
order for a digital signature to attain the same legal status as an ink-on-paper signature,
asymmetric key cryptology must have been employed in its production (Blythe, 2006).
Such a system employs double keys; one key is used to encrypt the message by the
sender, and a different, albeit mathematically related, key is used by the recipient to
decrypt the message (Antoniou et al., 2008). This is a very good system for electronic
transactions, since two stranger parties, perhaps living far apart, can confirm each
other’s identity and thereby reduce the likelihood of fraud in the transaction.
Non-repudiation techniques prevent the sender of a message from subsequently denying
that they sent the message. Digital Signatures using public key cryptography and hash
functions are the generally accepted means of providing non-repudiation of
communications.

Amity Directorate of Distance and Online Education

E-Commerce Security 251

Technical Attacks Notes

Technical attacks are one of the most challenging types of security compromise an
e-Commerce provider must face. Perpetrators of technical attacks, and in particular
Denial-of-service Attacks, typically target sites or services hosted on high-profile web
servers such as banks, credit card payment gateways, large online retailers and popular
social networking sites.

Denial-of-service Attacks
Denial-of-service (DoS) attacks consist of overwhelming a server, a network or a
website in order to paralyze its normal activity (Lejeune, 2002). Defending against DoS
attacks is one of the most challenging security problems on the Internet today. A major
difficulty in thwarting these attacks is to trace the source of the attack, as they often use
incorrect or spoofed IP source addresses to disguise the true origin of the attack (Kim
and Kim, 2006).
The United States Computer Emergency Readiness Team defines symptoms of
denial-of-service attacks to include (McDowell, 2007):
Ɣ Unusually slow network performance
Ɣ Unavailability of a particular website
Ɣ Inability to access any website
Ɣ Dramatic increase in the number of spam e-mails received
DoS attacks can be executed in a number of different ways including:
Ɣ ICMP Flood (Smurf Attack): It is where perpetrators will send large numbers
of IP packets with the source address faked to appear to be the address of the
victim. The network’s bandwidth is quickly used up, preventing legitimate
packets from getting through to their destination.
Ɣ Teardrop Attack: A Teardrop attack involves sending mangled IP fragments
with overlapping, over-sized, payloads to the target machine. A bug in the
TCP/IP fragmentation re-assembly code of various operating systems causes
the fragments to be improperly handled, crashing them as a result of this.
Ɣ Phlashing: Also known as a Permanent Denial-of-service (PDoS) is an attack
that damages a system so badly that it requires replacement or reinstallation of
hardware. Perpetrators exploit security flaws in the remote management
interfaces of the victim’s hardware, be it routers, printers, or other networking
hardware. These flaws leave the door open for an attacker to remotely ‘update’
the device firmware to a modified, corrupt or defective firmware image,
therefore bricking the device and making it permanently unusable for its
original purpose.

Distributed Denial-of-Service Attacks

Distributed Denial-of-Service (DDoS) attacks are one of the greatest security fear for
IT managers. In a matter of minutes, thousands of vulnerable computers can flood the
victim website by choking legitimate traffic (Tariq et al., 2006). A distributed
denial-of-service attack (DDoS) occurs when multiple compromised systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. The most
famous DDoS attacks occurred in February 2000 where websites including Yahoo,
Buy.com, eBay, Amazon and CNN were attacked and left unreachable for several hours
each (Todd, 2000).

Amity Directorate of Distance and Online Education

252 Web-Enabled Business Processes

Notes Brute Force Attacks

A brute force attack is a method of defeating a cryptographic scheme by trying a
large number of possibilities; for example, a large number of the possible keys in a key
space in order to decrypt a message. Brute Force Attacks, although perceived to be
low-tech in nature, are not a thing of the past. In May 2007, the internet infrastructure in
Estonia was crippled by multiple sustained brute force attacks against government and
commercial institutions in the country (Sausner, 2008). The attacks followed the
relocation of a Soviet World War II memorial in Tallinn in late April made news around the
world.

Non-technical Attacks

Phishing Attacks
Phishing is the criminally fraudulent process of attempting to acquire sensitive
information such as usernames, passwords and credit card details, by masquerading as
a trustworthy entity in an electronic communication. Phishing scams generally are carried
out by e-mailing the victim with a ‘fraudulent’ e-mail from what purports to be a legitimate
organization requesting sensitive information. When the victim follows the link embedded
within the e-mail, they are brought to an elaborate and sophisticated duplicate of the
legitimate organizations’ website. Phishing attacks generally target bank customers,
online auction sites (such as eBay), online retailers (such as amazon) and services
providers (such as PayPal). According to community banker (Swann, 2008), in more
recent times’ cybercriminals have got more sophisticated in the timing of their attacks
with them posing as charities in times of natural disaster.

Social Engineering
Social engineering is the art of manipulating people into performing actions or
divulging confidential information. Social engineering techniques include pretexting
(where the fraudster creates an invented scenario to get the victim to divulge information),
Interactive voice recording (IVR) or phone phishing (where the fraudster gets the victim to
divulge sensitive information over the phone) and baiting with Trojans horses (where the
fraudster ‘baits’ the victim to load malware unto a system). Social engineering has
become a serious threat to e-Commerce security since it is difficult to detect and to
combat as it involves ‘human’ factors which cannot be patched akin to hardware or
software, albeit staff training and education can somewhat thwart the attack (Hasle et al.,
2005).

Conclusion
In conclusion, the e-Commerce industry faces a challenging future in terms of the
security risks it must avert. With increasing technical knowledge, and its widespread
availability on the internet, criminals are becoming more and more sophisticated in the
deceptions and attacks they can perform. Novel attack strategies and vulnerabilities only
really become known once a perpetrator has uncovered and exploited them. In saying
this, there are multiple security strategies which any e-Commerce provider can instigate
to reduce the risk of attack and compromise significantly. Awareness of the risks and the
implementation of multi-layered security protocols, detailed and open privacy policies
and strong authentication and encryption measures will go a long way to assure the
consumer and insure the risk of compromise is kept minimal.

Amity Directorate of Distance and Online Education

E-Commerce Security 253

6.25 Further Readings Notes

1. Internet Commerce: Digital Models for Business, Lawrence et al., Wiley
2. Electronic Commerce: A Manager’s Guide, Kalakota et al., Addison-Wesley
3. Frontiers of Electronic Commerce, Kalakota et al., Addison-Wesley
4. Web Commerce Technology Handbook, Minoli et al., McGraw Hill
5. The Economics of Electronic Commerce, Choi et al., MacMillan
6. Designing Systems for Electronic Commerce, Treese et al., Addison-Wesley

Amity Directorate of Distance and Online Education