
FACULTY OF ECONOMICS

Electronic Commerce

Chapter # 9
Electronic Commerce Security
Recommended Book
• Electronic Commerce by Gary Schneider, 7th Edition

Security
• Security involves protecting data so that it is not misused or lost.
• Why Security?
– Failure to deliver goods
– Nonpayment for goods delivered
– Misrepresentation of the merchandise
– Hidden charges
– Fake bidding
– Credit card fraud

Internet security
• Consumers entering highly confidential information
• Number of security attacks increasing
• Availability
– Computer systems continually accessible
Security requirements
• Authentication
– A method to verify the identity of the sender and the receiver
• Encryption
– A process of making messages unreadable except by those who are authorized or authenticated
• Integrity
– Ensuring that information will not be accidentally or maliciously
altered or destroyed during transmission
• Privacy
– Information is not read by a third party
• Non-repudiation
– The merchant cannot deny having received payment from the customer.
– The customer cannot deny that the goods were delivered by the merchant.

Security Schemes
• Need to have security schemes in order to achieve security
– Public key cryptography
– Private key cryptography
– Digital Signature

[Figure: plain text is encrypted into cipher text]

Security schemes (Terminology)


• Cryptography
– The art of writing in secret characters, used to secure information

1) Ancient cryptosystems
– Substitution Cipher (UNIVERSITY → VOJWFSTJUZ)
• Every occurrence of a given letter is replaced by a different letter
– Transposition Cipher (CONVOCATION → CNOAIN OVCTO)
• Shifts the ordering of the letters

2) Modern cryptosystems
• Transform data by using a key (string of digits, acts as a password)
• Digital, based on bits not the alphabet
• Key length – length of string used to encrypt and decrypt
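As an added example (not from the slides or from Schneider's book), the two ancient ciphers above in Python, so that the slide's own examples can be reproduced; the `columns` parameter generalizes the transposition beyond the two-column case shown, and the last function shows why a cipher with only 25 keys offers no security compared with the keyed modern schemes that follow:

```python
import string

ALPHABET = string.ascii_uppercase

def substitute(text, shift):
    """Substitution cipher: each letter becomes the letter `shift` places later
    (UNIVERSITY with shift 1 -> VOJWFSTJUZ)."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def unsubstitute(ciphertext, shift):
    return substitute(ciphertext, -shift)

def transpose(text, columns=2):
    """Columnar transposition: write the letters row by row into `columns` columns,
    then read each column out in turn (CONVOCATION, 2 columns -> CNOAIN OVCTO)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    return " ".join("".join(letters[i::columns]) for i in range(columns))

def untranspose(ciphertext, columns=2):
    groups = ciphertext.split(" ")
    plain = [""] * sum(len(g) for g in groups)
    for col, group in enumerate(groups):
        for row, ch in enumerate(group):
            plain[row * columns + col] = ch   # letter k of column i came from index k*columns + i
    return "".join(plain)

def brute_force_shifts(ciphertext):
    """A shift cipher has only 25 usable keys, so every candidate plaintext can be listed;
    the secrecy lies in the method, not in a key, which is why modern systems rely on key length."""
    return {shift: unsubstitute(ciphertext, shift) for shift in range(1, 26)}
```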

Private Key Cryptography


• Also called symmetric key or secret key cryptography
• The same key (the private key) is used by the sender and the receiver
• Both sender and receiver are authenticated by their possession of the private key
Problems with secret-key cryptography
• The key must be transmitted to the receiver (the Internet is not secure)
• A different key is needed for every receiver (costly)
• Key distribution centers are used to reduce these problems
– The center generates a session key and sends it to the sender and the receiver, encrypted with each party's unique key

Public Key Cryptography


• Also called asymmetric key cryptography
• Uses two inverse keys
– A public key and a private key
• If the public key encrypts, only the private key can decrypt, and vice versa
• Encrypting with both the public key and the private key
– Proves identity while maintaining security (RSA algorithm, www.rsasecurity.com)
Public Key Cryptography
• Problem: only one party in the communication is authenticated
• Solution: authentication with a public-key algorithm
Digital signature
• Used for authentication of the sender and for message integrity
• Steps
– Sender
• Run the message through a hashing function to get the message digest, then encrypt the digest with the sender's private key; the result is the digital signature
• Encrypt the message with the receiver's public key
• Send the encrypted message, the digital signature and the hashing function used to the receiver
– Receiver
• Decrypt the message with the receiver's private key
• Decrypt the digital signature with the sender's public key to recover the digest
• Run the hashing function on the message and compare the result with the recovered digest
Key Agreement Protocols
– The process by which parties exchange keys
– Use public-key cryptography to transmit symmetric keys
• Digital envelope
– The message is encrypted using a symmetric key
– The symmetric key is encrypted with the public key
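The digital signature steps and the digital envelope above, as an added Python example that is not from the slides: textbook RSA over small fixed Mersenne primes and a toy SHA-256 XOR keystream stand in for a real signature scheme and a real symmetric cipher (both for illustration only, neither is for real use); the order text and the session key are constructed sample values.

```python
import hashlib
E = 65537  # common RSA public exponent

def rsa_keypair(p, q):
    """Textbook RSA from two given primes: returns public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message):
    # SHA-256 truncated to 128 bits so the digest is smaller than the toy moduli used below
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def sign(message, sender_priv):
    # Sender: hash the message, then "encrypt" the digest with the sender's private key
    n, d = sender_priv
    return pow(digest(message), d, n)

def verify(message, signature, sender_pub):
    # Receiver: "decrypt" the signature with the sender's public key and compare digests
    n, e = sender_pub
    return pow(signature, e, n) == digest(message)

def keystream_xor(key, data):
    # Toy symmetric cipher: XOR with a SHA-256 counter keystream (stand-in for a real cipher)
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(message, session_key, receiver_pub):
    # Digital envelope: message under the symmetric key, symmetric key under the receiver's public key
    n, e = receiver_pub
    return keystream_xor(session_key, message), pow(int.from_bytes(session_key, "big"), e, n)

def open_envelope(ciphertext, wrapped_key, receiver_priv):
    n, d = receiver_priv
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")  # only this private key recovers it
    return keystream_xor(session_key, ciphertext)

def demo():
    sender_pub, sender_priv = rsa_keypair(2**61 - 1, 2**89 - 1)      # Mersenne primes: n > 2**128
    receiver_pub, receiver_priv = rsa_keypair(2**107 - 1, 2**127 - 1)
    message = b"Order 4711: 2 x widget, total 19.90"  # constructed sample order
    session_key = bytes(range(1, 17))                  # constructed; use os.urandom(16) in practice
    ciphertext, wrapped_key = seal(message, session_key, receiver_pub)
    signature = sign(message, sender_priv)
    recovered = open_envelope(ciphertext, wrapped_key, receiver_priv)
    # returns (plaintext, signature valid on the real message, signature valid on an altered message)
    return recovered, verify(recovered, signature, sender_pub), verify(recovered + b"0", signature, sender_pub)
```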

Certificate authority
• An institution or trusted third party, such as VeriSign.
• Issues digital certificates
Secure Sockets Layer(SSL)
• Developed by Netscape Communications
• Used to secure communication on the Internet, but does not protect data once it is stored on the receiver's server
• Built into many web browsers, such as Netscape and Internet Explorer
• It operates between applications and the Internet's TCP/IP layer
• A sender's message is passed to a socket that interprets the message in TCP/IP. TCP/IP at the receiving end then passes the message to the socket at the receiver's end, which converts the message back into its original form.
• Uses public key cryptography and digital certificates to authenticate the server.
Secure Electronic Transaction™ (SET™)
• SET protocol
– Designed to protect e-commerce payments
– SET certifies the customer, the merchant and the merchant's bank by using digital certificates
– Requirements
• Merchants must have a digital certificate and SET software
• Customers must have a digital certificate and a digital wallet
– Digital wallet
• Stores credit card information and identification
– The merchant never sees the customer's personal information
• It is sent straight to the banks
Secure Electronic Transaction (how it works)
– The merchant's SET software sends the order information and the merchant's digital certificate to the customer's digital wallet, thus activating the wallet software.
– The customer selects the credit card to be used for the transaction. The credit card and order information are encrypted using the merchant's bank's public key and sent to the merchant along with the customer's digital certificate.
– The merchant then forwards the information to the merchant's bank to process the payment.
– Only the merchant's bank can decrypt the message.
– The merchant's bank sends the purchase amount and its own certificate to the customer's bank for approval.
– The customer's bank sends an authorization back to the merchant's bank, which sends the credit card authorization to the merchant. The merchant then sends an order confirmation to the customer.
