VARNA FREE UNIVERSITY SECURITY IN E-COMMERCE Prof. Teodora Bakardjieva Objectives of the course To discuss the cryptography and its role in e-commerce. Digital certificate and the foundation for payment system. To discuss method of security, secure sockets layer Vs. secure electronic transaction protocols. What is the Cryptography? It is the result of creation cryptographic methods, known as cryptosystems: Symmetric Cryptosystem: Asymmetric Cryptosystem: Use the same key, or the secret key, to encrypt or scramble and decrypt or unscramble message. Use one key to encrypt a message and a different key to decrypt it. It is also called public key cryptosystems and rely on technology in which two keys, the public key and the private key are use to encrypt or decrypt data. Symmetric cryptosystem are the easier of the two implement, since one key required to encrypt and decrypt the message. Digital Certificate Authentication is the digital process of verifying that people or entities are whom or what they clam to be. Digital certificate are in effect virtual fingerprints, or retinal scans that authenticate the identity of a person in a concrete, verifiable way. A typical digital certificate is a data file or information, digitally signed and sealed by the encrypted using RSA encryption techniques, that can be verified by anyone and includes: The name of holder and other identification information, such as e-mail address. Digital Certificate (cont.) A public key, which can be used to verify the digital signature of a message sender previously signed with the unique private key. The name of issuer, or Certificate Authority. The certificate’s validity period. To create a digital certificate for an individual, the identity of the person, device, or entity that requested a certificate must be confirmed through combination of: Personal Presence. Identification document. Digital Certificate (cont.) Digital certificates may be distributed online, which includes: Certificate accompanying signature. Directory service. The decision to revoke a certificate is the responsibility of the issuing company Secure Sockets Layer (SSL) It is introduced in 1995 by Netscape as a components of its popular Navigator browser and as a means of providing privacy with respect to information being transmitted between a user’s browser and the target server, typically that of a merchant It is used by the most companies to provide security and privacy and establishes a secure session between a browser and a server. Secure Sockets Layer (cont.) A channel is the two way-way communication stream established between the browser and the server, and the definition of a channel security indicates three basic requirements: The channel is reliable. The channel is private. The channel is authenticated. Secure Sockets Layer (cont.) This encryption is preceded by a ‘data handshake’ and has two major phases: The first phase is used to establish private communication, and uses the key-agreement algorithm. The second phase is used for client authentication. Limits of SSL: While the possibility is very slight, successful cryptographic attacks made against these technologies can render SSL insecure. Secure Electronic Transaction (SET) It is developed by Visa and Master card in 1996. It is more secure protocol. The difference between SET and widely used SSL is that SSL does not include customer certificate requiring special software called ‘digital wallet’ at the client site. SSL is built into the browser, so no special software is needed. It is build on reducing risk associated merchant fraud, and ensuring that the purchaser is an authorized user of credit card. Secure Electronic Transaction (cont.) SET did not propagate as fast as most people expected because of its complexity, slow response time, and the need to install the digital wallet into customer computer. SET seek to bolster the confidence in the payment process by ensuring that merchant are authorized to accept credit card payment Secure Electronic Transactions (cont.) SET provides the special security needs of electronic commerce with the followings: Privacy of payment data and confidentiality of of order information transaction. Authentication of a cardholder for a branded bank card account. Authentication of merchant to accept credit card payments. The Purchasing Process Merchant applies and receives an account. Consumer applies to receive digital credit card. When consumer receives credit card, its added to browser wallet. The consumer browser the Web at a particular site. At the check out time, The Web site asks for a credit card. Instead of typing credit card number, the browser wallet is queried by the Web SET software. Purchase Process (cont.) After entry of appropriate password, the digital credit card is submitted to the merchant. The merchant receives digital credit card in a digital envelope. The merchant software then sends the SET transaction to a credit card processor for verification. The financial institution performs functions including authorization, credit and capture(void or refund). Purchase Process (cont.) Following successful processing, the merchant, cardholder, and the credit card processor are all advised electronically that the purchase has been approved. Following this notification, the card holder is debited and the merchant is paid through subsequent payment capture transactions. The merchant can then ship the merchandise, knowing that customer transaction is approved. Limitations of SET and SSL A downside of both SSL and SET protocols is that they both require to use cryptographic algorithms that place significant load on the computer systems involved in commerce transactions. For the low and medium e-commerce applications, there is no additional server cost to support SET over SSL. For the large and medium term e-commerce server application, support of SET requires additional hardware acceleration resulting in 5-6% difference in server cost. Advantages of SET It is an emerging technology has a definite security component that very clearly represents an advance in technology over SSL, and that any deficits that may be related to performance will quickly be rendered minor as hardware-based processing technology rapidly advance. Despite fact that SET is more secure protocol.