Chapter Seven E-Comm

This chapter describes e-commerce security and some of the security measures a given company needs.

Uploaded by

selamawitmul2013

Chapter Seven

E-Commerce Security Technology

Learning Objectives :

After reading this chapter learners should be able to:

Understand the concepts of e-security.

Explain the major threats of e-security.

Describe the techniques and tools of secure e-commerce.

Understand the communication channel security measures.

Understand the client and server computer security measures.

7.1. Overview of Online E-Commerce Security

E-commerce is a powerful tool for business transformation that allows companies to enhance their
supply-chain operations, reach new markets, and improve services for customers as well as for suppliers.
Implementing the e-commerce applications that provide these benefits may be impossible without a
coherent, consistent approach to e-commerce security. E-commerce has presented a new way of doing
transactions all over the world using the Internet.

Security is the basic requirement for protecting information on the Internet. An e-commerce transaction
between a customer and a merchant can consist of several different requests. A high degree of confidence
in the authenticity and privacy of such transactions is needed, and it can be difficult to maintain where
they are exchanged over an untrusted public network such as the Internet. E-commerce also covers any
form of business transaction in which the parties interact electronically rather than by physical
exchanges or direct physical contact. A security objective is the contribution to security that a system
is intended to achieve.

E-commerce is conducted on a global network, the Internet, which is untrusted. Therefore confidentiality
is required during a transaction, and the information sent should be kept secure against all types of
threats. The successful functioning of e-commerce security depends on a complex interrelationship
between several application development platforms, database management systems, systems software and
the network infrastructure. Effective e-commerce security involves five basic elements; these are:

Access Control.
Privacy/Confidentiality.

Authentication.

Non -repudiation.

Integrity.

Access Control

The first and most obvious network security concern addresses access control. In physical security, the
term access control refers to the practice of restricting entrance to a property, a building, or a room to
authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or
receptionist), through mechanical means such as locks and keys, or through technological means such as
a card access system.

There are several technologies that can be used to control access to intranet and internet resources.
Access control includes authentication, authorization and audit. It also includes measures such as
physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption,
social barriers, and monitoring by humans and automated systems. In any access control model, the
entities that can perform actions in the system are called subjects, and the entities representing
resources to which access may need to be controlled are called objects. Subjects and objects should
both be considered as software entities, rather than as human users: any human user can only have an
effect on the system via the software entities that they control.

Authentication

This is the ability to say that an electronic communication (whether via email or web) does genuinely
come from who it purports to. Without face-to-face contact, passing oneself off as someone else is not
difficult on the internet. Forging the “From:” field in an email header is a trivial matter, and far more
sophisticated attacks are standard fare for hackers.

Authentication can be provided by something the person has (a physical token such as a driver's licence
or a smart card), by something only the person knows (e.g. a PIN or password), or by something the
person is (a fingerprint or retina scan). Strong authentication requires at least two of these, taken
from different categories. A digital certificate supports strong authentication because the private key
it is bound to is a unique token held by its owner (something you have), and that key is normally
protected by a password or PIN (something you know); the certificate itself is public and proves nothing
on its own.
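
The following Python program is an added worked example, not part of the chapter, of the two-factor
idea above: a password checked against a salted PBKDF2 hash (something the user knows) together with
a time-based one-time code of the kind an authenticator app generates from a secret shared with the
server (something the user has, RFC 6238). The user record, the helper names and the iteration count
are this example's own assumptions; the TOTP secret is the RFC 6238 test-vector key so the codes can be
checked against the RFC by hand.

```python
"""Two-factor login: salted PBKDF2 password hash + RFC 6238 TOTP code.
Added example, not from the chapter; the user store and helper names are its own."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 200_000   # assumption: kept modest for the demo; raise in production
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) for storage; the password itself is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected_digest: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(digest, expected_digest)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * TOTP_STEP_SECONDS), code):
            return True
    return False


# Constructed user store: what the server keeps after enrolment. The TOTP
# secret is the RFC 6238 test-vector key so the codes can be checked by hand.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _SALT, "pw_digest": _DIGEST, "totp_secret": b"12345678901234567890"},
}
# Dummy record used for unknown usernames so the server does the same work
# either way and does not reveal which usernames exist through timing.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))
_DUMMY = {"salt": _DUMMY_SALT, "pw_digest": _DUMMY_DIGEST, "totp_secret": secrets.token_bytes(20)}


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; the result is true only if both pass."""
    user = USERS.get(username, _DUMMY)
    password_ok = verify_password(password, user["salt"], user["pw_digest"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return user is not _DUMMY and password_ok and code_ok


if __name__ == "__main__":
    now = 59   # RFC 6238 test time: alice's authenticator app shows 287082
    print(authenticate("alice", "correct horse battery staple", totp(b"12345678901234567890", now), now))
```

Note that a "memorable date" asked for alongside the password would not add a second factor here: both
are knowledge, and both can be phished together. The one-time code is tied to a device the attacker does
not hold, which is what makes the second check independent of the first.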

Privacy

In online commerce, privacy (confidentiality) is the ability to ensure that information is accessed only
by authorized parties. Typically this is achieved via encryption. Sensitive data (such as credit card
details, health records, sales figures etc.) are encrypted before being transmitted across the open
Internet, via email or the web. Data protected with strong encryption (128-bit or longer keys) may be
intercepted by attackers, but cannot be decrypted by them in any practical amount of time. Digital
certificates are used here too: the public key in a certificate is used to encrypt email to its owner or
to establish a secure HTTPS connection with a web server. For extra protection, data can also be stored
long-term in encrypted form.

Authorization

Authorization allows a person or computer system to determine whether someone has the authority to
request or approve an action or to obtain information. In the physical world, authorization is usually
enforced by forms requiring signatures, or by locks where only authorized individuals hold the keys.

Authorization is tied with authentication. If a system can securely verify that a request for information
(such as a web page) or a service (such as a purchase requisition) has come from a known individual, the
system can then check against its internal rules to see if that person has sufficient authority for the
request to proceed.

In the online world, authorization can be achieved by a manager sending a digitally signed email (an
email signed with the private key belonging to their personal digital certificate). Such an email, once
its signature has been checked and verified by the recipient, is a verifiable request for a service, and
in jurisdictions that recognize electronic signatures a legally binding one. Similarly, if a web server
has a restricted access area, the server can request a client certificate from the user's browser to
identify the user and then determine whether they should be given access to the information according
to the server's permission rules.
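
As an added illustration (example code, not from the chapter), the following Python program models the
subject/object access control and authorization described in the two sections above: roles grant
actions on object types, anything not granted is denied, a requisition may be approved only up to a
role's limit and never by its own creator, and every decision is recorded for audit. The roles, limits
and resources are constructed for the example.

```python
"""Subject/object access control with authorization and audit.
Added example, not from the chapter; roles, limits and objects are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Subject:
    """An authenticated principal; software acts on the user's behalf."""
    name: str
    roles: FrozenSet[str]
    authenticated: bool = True


@dataclass(frozen=True)
class Requisition:
    """A protected object whose attributes the policy consults."""
    ref: str
    created_by: str
    amount: int


# Role -> object type -> permitted actions. Anything absent is denied.
POLICY = {
    "clerk":   {"catalog": {"read"}, "requisition": {"create", "read"}},
    "manager": {"catalog": {"read"}, "requisition": {"create", "read", "approve"}},
    "auditor": {"catalog": {"read"}, "requisition": {"read"}},
}
APPROVAL_LIMIT = {"manager": 10_000}   # assumption: per-role approval ceiling

AUDIT_LOG: List[str] = []


def authorize(subject: Subject, action: str, obj_type: str,
              obj: Optional[Requisition] = None) -> bool:
    """Default-deny decision; every outcome is written to the audit log."""
    allowed, reason = False, "no role grants this action"
    if not subject.authenticated:
        reason = "subject not authenticated"
    elif any(action in POLICY.get(role, {}).get(obj_type, ()) for role in subject.roles):
        allowed, reason = True, "granted by role"
        if action == "approve" and obj is not None:
            limit = max((APPROVAL_LIMIT.get(role, 0) for role in subject.roles), default=0)
            if obj.created_by == subject.name:
                allowed, reason = False, "separation of duties: cannot approve own requisition"
            elif obj.amount > limit:
                allowed, reason = False, f"amount {obj.amount} exceeds approval limit {limit}"
    target = obj.ref if obj is not None else obj_type
    AUDIT_LOG.append(f"{subject.name} {action} {target}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    return allowed


def demo() -> List[bool]:
    """Constructed scenario covering each branch of the decision."""
    clerk = Subject("bob", frozenset({"clerk"}))
    manager = Subject("carol", frozenset({"manager"}))
    anonymous = Subject("anonymous", frozenset(), authenticated=False)
    small = Requisition("PO-7", created_by="bob", amount=4_000)
    large = Requisition("PO-8", created_by="bob", amount=25_000)
    own = Requisition("PO-9", created_by="carol", amount=100)
    return [
        authorize(clerk, "read", "catalog"),                  # True
        authorize(clerk, "approve", "requisition", small),    # False: clerks cannot approve
        authorize(manager, "approve", "requisition", small),  # True
        authorize(manager, "approve", "requisition", large),  # False: over the limit
        authorize(manager, "approve", "requisition", own),    # False: own requisition
        authorize(anonymous, "read", "catalog"),              # False: not authenticated
    ]


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

The decision is taken on an already authenticated subject; the policy never sees a raw username or
password. Writing the denials to the audit log as well as the grants is what later lets an investigator
see a user probing for resources they should not reach.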

Integrity

Integrity of information means ensuring that a communication received has not been altered or
tampered with. Traditionally, this problem has been dealt with by having tight control over access to
paper documents and requiring authorized officers to initial all changes made – a system with obvious
drawbacks and limitations. Someone receiving sensitive information online wants to be sure not only that
it comes from who they expect (authentication), but also that it has not been intercepted by an attacker
in transit and its contents altered. The speed and distances involved in online communications require
a very different approach to this problem from the traditional methods.
One solution is afforded by using digital certificates to digitally “sign” messages. A travelling employee
can send production orders with integrity to the central office by using their digital certificates to sign
their email. The signature includes a hash of the original message – a brief numerical representation of
the message content. When the recipient opens the message, his email software will automatically
create a new hash of the message and compare it against the one included in the digital signature. If
even a single character has been altered in the message, the two hashes will differ and the software will
alert the recipient that the email has been tampered with during transit.

Non-repudiation

Non-repudiation is the ability to guarantee that once someone has requested a service or approved an
action, they cannot later deny having done so. Non-repudiation allows one to prove that a person sent a
specific e-mail or made a purchase approval on a website. Traditionally non-repudiation has been
achieved by having parties sign contracts and then having the contracts notarized by trusted third
parties. Sending documents involved registered mail, with postmarks and signatures to date-stamp and
record the process of transmission and acceptance. In the realm of e-commerce, non-repudiation is
achieved by using digital signatures. A signature made with a private key whose certificate was issued
by a trusted certification authority (such as VeriSign) cannot be forged as long as the private key stays
secret, and its validity can be checked with any major email or web browser software. The private key is
installed only on the personal computer (or hardware token) of its owner, who is usually required to
provide a password to use it for decrypting or digitally signing their communications. If a company
receives a purchase order via email which has been digitally signed, it has assurances comparable to
those from a physically signed contract, and in jurisdictions that recognize electronic signatures the
same legal standing.

7.1.1. Purpose of E-Security and Security Techniques

E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration,
or destruction. While security features do not guarantee a secure system, they are necessary to build a
secure system. The success of e-Commerce depends on the security of data like personal details and
credit card numbers transmitted over the Internet. The main objectives of e-commerce security are:

Data Confidentiality – is provided by encryption / decryption.

Authentication and Identification – ensuring that someone is who he or she claims to be is implemented
with digital signatures.

Access Control – governs what resources a user may access on the system. Uses valid IDs and
passwords.

Data Integrity – ensures info has not been tampered with. Is implemented by message digest or
hashing.

Non-repudiation – a party cannot deny having made a sale or purchase. Is implemented by digital
signatures.


Security measures need to be taken in e-Commerce systems to prevent compromising the systems.
Some of these measures include building firewalls, incorporating cryptography and authentication, and
using secure connections.

Firewall

A firewall is hardware, software, or a combination of the two, used to secure a private computer network
from uninvited intruders. A firewall controls whether a client is permitted to connect to the private
network it protects, and to which services; a connection that matches no explicit allow rule should be
denied by default.
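
An added example (not the chapter's code) of the connection control a firewall performs, written in
Python: an ordered rule list evaluated first-match with a default deny at the end, and a connection
table so that the reply packets of a flow the firewall already admitted pass without needing an inbound
rule of their own (stateful filtering). The networks, rules and packets are constructed for the
example.

```python
"""Stateful packet filter in miniature (added example, not the chapter's code).
Explicit allow rules for new connections, default deny, and a connection table
so replies to an allowed flow pass without an inbound rule. Addresses, rules
and packets are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # destination port, None for any


# Evaluated top to bottom, first match wins. Specific denies sit above the
# broad allows they must override; anything unmatched falls to the default deny.
RULES = [
    Rule("deny",  "10.0.99.0/24", "0.0.0.0/0"),          # quarantined subnet
    Rule("allow", "10.0.0.0/8",   "0.0.0.0/0",  443),    # internal hosts may reach HTTPS anywhere
    Rule("allow", "0.0.0.0/0",    "10.0.1.10/32", 443),  # the public web server
]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # 5-tuples of flows admitted by an allow rule: the connection table.
        self.connections: Set[Tuple[str, int, str, int, str]] = set()

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
                and (rule.dport is None or rule.dport == pkt.dport))

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.connections:
            return "allow (established)"   # reply to a flow we already admitted
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.action == "allow":
                    self.connections.add(forward)
                return rule.action
        return "deny (default)"


def demo() -> List[str]:
    """Constructed traffic: outbound HTTPS, its reply, unsolicited inbound,
    a quarantined host, a visitor to the web server, and outbound telnet."""
    fw = Firewall(RULES)
    return [
        fw.filter(Packet("10.0.5.7", 51000, "93.184.216.34", 443)),   # allow
        fw.filter(Packet("93.184.216.34", 443, "10.0.5.7", 51000)),   # allow (established)
        fw.filter(Packet("203.0.113.9", 40000, "10.0.5.7", 51001)),   # deny (default)
        fw.filter(Packet("10.0.99.3", 50000, "93.184.216.34", 443)),  # deny
        fw.filter(Packet("203.0.113.9", 40001, "10.0.1.10", 443)),    # allow
        fw.filter(Packet("10.0.5.7", 51002, "93.184.216.34", 23)),    # deny (default)
    ]


if __name__ == "__main__":
    print(demo())
```

Rule order matters: if the quarantine deny were placed below the broad internal allow it would never be
reached. A real filter also expires connection-table entries and tracks TCP state, which this sketch
omits.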

Cryptography

Cryptography is a science that provides secure communication over vulnerable channels. Cryptography
is fundamental to the success of the Internet and e-Commerce. Governments regulate cryptographic
technology because of its importance to national security.

In cryptography a message, like a credit card number, is encrypted using a key and the encrypted
message is transmitted. The receiver uses the key to decrypt the message and convert it back to its
original form. The basic elements of a cryptographic system are algorithms, protocols and key
management.

Secret-key (symmetric) encryption algorithms illustrate the key management problem. They are called
'secret-key' because the sender and receiver share a single secret key that nobody else may know, so
that key has to be distributed to both parties securely and kept secret by both of them.

Cryptography is used to provide secure transmission of data over the Internet. Private data like credit
card details or digital signatures are encrypted and then transmitted over the Internet. Cryptography can
keep a message secret and act as a gateway for identifying senders and receivers. It provides the secure
electronic transaction technology for credit card transactions on the Internet.

Authentication

Authentication procedures are used to establish the identity of an individual or another computer
system. Authentication procedures can be hardware-or software based. Authentication procedures
make use of personal items of knowledge or possession such as secret names or birth dates. Good
authentication systems make use of two-factor authentication, such as a place name and memorable
date known to the user. Some banking systems make use of three-factor authentication before allowing
customers to make online account transfers.Secure socket layer

The secure socket layer (SSL), and its successor Transport Layer Security (TLS), is a layer of security
between the application and the transport protocol. The purpose of SSL/TLS is to enable secure and
reliable data transmission and communication over the Internet. It provides a private connection by
encrypting the session with secret-key (symmetric) cryptography, using session keys established during
the handshake. Authentication in SSL/TLS is achieved using public-key cryptography: each authenticated
participant holds a private key that is never made public and a matching public key that is distributed
in a certificate. What one key of the pair encrypts only the other can decrypt, so data encrypted to the
public key can be read only by the holder of the private key, and a signature made with the private key
can be checked by anyone holding the public key. Integrity of the transmitted data is checked with
message authentication codes (or authenticated-encryption ciphers) built on secure hash functions such
as SHA-256; the MD5 and SHA-1 functions used by early versions are deprecated, as are all SSL versions
and TLS 1.0 and 1.1, so deployments should require TLS 1.2 or later. SSL/TLS is commonly used in
e-commerce systems, most visibly as HTTPS.

7.2. Security for Client Computer

From the user’s point of view, client-side security is typically the major concern. In general, client-side
security requires the use of traditional computer security technologies, such as proper user
authentication and authorization, access control, and anti-virus protection. With regard to
communication services, the client may additionally require server authentication and non-repudiation
of receipt. In addition, some applications may require anonymity (e.g., anonymous browsing on the
Web).

Analyses of common online banking systems show that client-side security protection for online banking
does need improvement. Most banks rely on a single credential for login, and a client protected only in
that way is vulnerable to malware and other cyber-attacks. One of the important characteristics of online
banking is that it can offer safe and personalized customer service anytime and anywhere. Without sound
security protection, online banking transactions will fail. Client-side protection is the weakest part of
the service for online banking providers. Encryption provides authentication and privacy for online
transactions, and strong cryptography provides the basis for achieving access control, transaction
authorization, data integrity and accountability.

7.3. Communication Channel Security

Communications security (COMSEC) comprises the measures and controls taken to deny unauthorized persons
information derived from telecommunications and to ensure the authenticity of such telecommunications.

Communications security includes crypto security, transmission security, emission security, traffic-flow
security and physical security of COMSEC equipment.

Crypto security: The component of communications security that results from the provision of
technically sound cryptosystems and their proper use. This includes ensuring message confidentiality and
authenticity.

Emission security (EMSEC): Protection resulting from all measures taken to deny unauthorized persons
information of value which might be derived from intercept and analysis of compromising emanations
from crypto-equipment, automated information systems (computers), and telecommunications
systems.

Physical security: The component of communications security that results from all physical measures
necessary to safeguard classified equipment, material, and documents from access thereto or
observation thereof by unauthorized persons.

Transmission security(TRANSEC): The component of communications security that results from the
application of measures designed to protect transmissions from interception and exploitation by means
other than cryptanalysis (e.g. frequency hopping and spread spectrum).

Confidentiality is the measure that protects private information from being disclosed to third parties.
One risk to document confidentiality is eavesdropping by unauthorized third parties who intercept
documents as they cross the network. The main technological fix in this category is cryptography,
although simpler measures, such as the use of passwords to identify users, also play an important role.

7.4. Security for Server Computers

A server is usually a computer that contains information to be shared with many client systems. For
example, web pages, documents, databases, pictures, video, and audio files can all be stored on a server
and delivered to requesting clients. In other cases, such as a network printer, the print server delivers
the client print requests to the specified printer.

Different types of server applications can have different requirements for client access. Some servers
can require authentication of user account information to verify whether the user has permission to
access the requested data or to use a particular operation. Such servers rely on a central list of user
accounts and the authorizations, or permissions (both for data access and operations), granted to each
user. When using an FTP client, for example, if you request to upload data to the FTP server, you might
have permission to write to your individual folder but not to read other files on the site.

Summary

E-commerce is a powerful tool for business transformation that allows companies to enhance their
supply-chain operation, reach new markets, and improve services for customers as well as for providers.
E-commerce is conducted on a global network, the Internet, which is untrusted. Therefore confidentiality
is required during a transaction, and the information sent should be kept secure against all types of
threats.

E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration,
or destruction. The successful functioning of E-commerce security depends on a complex
interrelationship between several applications development platforms, database management systems,
and systems software and network infrastructure. The Effective E-commerce security involves access
control, privacy/confidentiality, authentication, non –repudiation and integrity.

Security measures need to be taken in e-commerce systems to prevent the systems from being compromised.
Some of these measures include building firewalls, incorporating cryptography and authentication, and
using secure connections. A firewall is hardware and/or software used to secure a private computer
network from uninvited intruders; it controls whether a client is permitted to connect to the private
network it protects. Cryptography is a science that provides secure communication over vulnerable
channels and is used to provide secure transmission of data over the Internet: private data like credit
card details or digital signatures are encrypted and then transmitted. Authentication procedures are
used to establish the identity of an individual or another computer system; they rely on what the user
knows, has or is, and strong authentication combines two of these.

Client-side security is typically the major concern. In general, client-side security requires the use of
traditional computer security technologies, such as proper user authentication and authorization, access
control, and anti-virus protection.

Communications security (COMSEC) comprises the measures and controls taken to deny unauthorized persons
information derived from telecommunications and to ensure the authenticity of such telecommunications.
Communications security includes crypto security, transmission security, emission security, traffic-flow
security and physical security of COMSEC equipment.
