International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November 2015, ISSN 2278-7763

Increasing Security Reliability in E-Commerce Platform through Customer Tracker and Code Inclusion

Chukwurah E.E. (1), Mbachu C.B. (2)
1, 2: Department of Electrical and Electronic Engineering, Anambra State University, Uli, Anambra State, Nigeria
Email: (1) messiahmessiah9@yahoo.com, (2) dambac614@gmail.com

Abstract

E-commerce is a fast-growing medium through which business and other market activities are conducted without the physical presence of the parties to the transaction. Some existing e-commerce platforms suffer from a file inclusion vulnerability that allows an attacker to include a file, usually through a script on the web server; this occurs when user-supplied input is used with weak validation. These platforms output the contents of the file and execute code on the client side and on the web server, creating the possibility of cross-site scripting (XSS), denial of service (DoS) and data theft or manipulation. This paper develops a customer tracker and code inclusion analytics (CT-CIA) that monitors the customer's HTTP requests as well as the browser and system details. Once collected, these are sent to the e-commerce analytics servers as a long list of parameters attached to a single-pixel image request. The data contained in the request is the data sent to the e-commerce analytics server, which then generates the processed inclusion code for a reliable customer transaction. The flowchart descriptions and process procedures are detailed, and it is argued that the approach offers excellent protection compared with some methodologies in terms of cost, flexibility, reliability and intelligence.

Keywords: Customer Tracker (CT), Code Inclusion Analytics (CIA), Hybrid Encryption, Cloud E-commerce Audit, Feedback Security, SMS System.

Copyright © 2015 SciResPub.
1. Introduction

1.1. Background Study

The viability of e-commerce is threatened by various forms of vulnerabilities. Confidentiality, integrity, authenticity, access control, privacy, availability, authorization and accountability are serious issues facing the e-commerce ecosystem [1]. This is because users access their e-commerce accounts simply by logging in and shopping, without effective security checks and verification procedures. When the e-commerce platform runs on the cloud, this computing approach moves the application software and databases to large data centres, where the management of the data and services is not trustworthy [2]. According to [2], this unique attribute poses many new security challenges. These include, but are not limited to, accessibility vulnerabilities, virtualisation vulnerabilities, web application vulnerabilities such as SQL (Structured Query Language) injection and cross-site scripting, physical access issues, privacy and control issues arising from third parties having physical control of data, issues related to identity and credential management, issues related to data verification, tampering, integrity, confidentiality, data loss and theft, issues related to authentication of the respondent device or devices, and IP spoofing. Users need assurance about their transactions on e-commerce platforms if the online transaction paradigm is to be encouraged. It should be noted that the advent of cloud internet systems has facilitated a quantum leap in online presence: more business consignments and individuals are engaging in versatile bulk-money business that traditional trading security does not guarantee, and the globalization of the world into a global village has made online trading a honeycomb.
The rapid development of e-commerce has made transaction security an object of attention. The transmission of information such as account names, passwords, details of financial transactions and other requests from the e-commerce portal to the web server must remain confidential. This information therefore needs to be transmitted privately, securely and correctly between the e-commerce service provider and the customers. It is important that the ever-increasing population of online marketers be guarded and secured against fraud associated with online business. This can be achieved by incorporating security measures that identify usernames and passwords, generate transaction codes for users together with a feedback SMS security system via mobile phones, show the list of users, enable cloud audit at any point in time, and disable users on any evidence of misuse of transaction codes or activity likely to be fraudulent.

E-commerce visitor tracking (EVT) is the analysis of visitor behaviour on an e-commerce platform under the jurisdiction of assigned privileges. In this case, the forensic analysis of an individual visitor's behaviour may be used to provide audit logs and preferences, either during a visit or in the future. In this work, understanding a web site visitor's behaviour in order to identify buying intentions is vital.

In this research, the customer tracking and code inclusion algorithm (CT-CIA) is a useful approach to combating web vulnerabilities. The background encryption security system in the proposed e-commerce system is based on hybrid XAMP MD5 Random curve cryptography running over the secure socket layer (SSL), which protects the users and administrators on the e-commerce platform.
The e-commerce design uses a secured administrator interface (customer tracker) that shows the list of customer logins, enables cloud audit at any point in time, can disable customers when there is an element of ambiguity, and generates transaction codes, i.e. a number generated during registration which is sent to the user's e-mail or phone via SMS. The user in turn provides the same code in the transaction ID window that follows the login window; this serves as feedback security, an extra security layer in the system. The new security scheme randomly generates and secures the login details dynamically on the server during the authentication, authorization and verification phases. This form of security is designed to give any user of the portal the confidence and reliability to carry out any transaction on the e-commerce platform.

1.2. Our Contribution

Many useful security models have been introduced by researchers, but the unique property of the proposed e-commerce CT-CIA is the customer tracker, cloud audit and transaction code generation, with the code sent via SMS to the customer's mobile line; this serves as feedback security, which is an extra security layer. This work then explores the intelligent analytics of the CT-CIA to bring about a secure, event-driven e-commerce philosophy.

2. Related Works

In [3], Google Analytics works by the inclusion of a block of JavaScript code on the pages of a website. When users view a page, this JavaScript code references a JavaScript file which then executes the tracking operation for Analytics. The tracking operation retrieves data about the page request through various means and sends this information to the Analytics server via a list of parameters attached to a single-pixel image request. In [4], the authors presented the design of a new security protocol using a hybrid cryptographic algorithm for online transactions.
This captures a combination of symmetric and asymmetric cryptographic techniques. The protocol provides three cryptographic primitives (integrity, confidentiality and authentication), achieved with the help of Elliptic Curve Cryptography, the Dual-RSA algorithm and the Message Digest MD5. Similarly, in [5], the author proposed a smart-card-based framework that allows partners to carry out secure transactions. The proposed solution uses smart cards to store keys and perform cryptographic algorithms; the approach is an e-business framework based on smart card technology, in which keys, certificates and digital signatures are stored in the card, and the card also performs the on-board cryptographic operations. The works in [6] and [7] also focus on cryptographic algorithms to secure e-commerce transactions.

Possible vulnerabilities as found in all e-payment systems, e.g. PayPal e-commerce, are identified in Figure 1. According to [8], the three top web site vulnerabilities are:

i. SQL Injection: uses SQL to change the meaning of a database command (refer to Figure 2). The browser sends malicious input to the server, and bad input checking leads to a malicious SQL query.
ii. Cross-site request forgery (CSRF): leverages the user's session at the victim server (refer to Figure 3). A bad web site sends a browser request to a good web site, using the credentials of an innocent victim.
iii. Cross-site scripting (XSS): injects malicious scripts into trusted contexts (refer to Figures 4a and 4b). A bad web site sends an innocent victim a script that steals information from an honest web site.

Figure 1: Web Reported Vulnerabilities With Detection Rates [8]

Figure 2: SQL Injection [8]
Figure 3: Cross-Site Request Forgery [8]

Figure 4a: Reflected Cross-Site Scripting [8]

Figure 4b: Stored Cross-Site Scripting and Reflected XSS [8]

The major problem faced by consumers in an online transaction is the security vulnerability identified previously. The insecurity is due to the following:

1. Most of the platforms lack the benefits of validation code inclusion as a service (VCIaaS).
2. Most of the platforms build weak self-inclusive SQL commands. The use of parameterized and prepared SQL is usually lacking.
3. Most works do not use an object-relational mapping (ORM) framework. This is a programming technique for converting data between incompatible type systems in object-oriented programming languages. It creates, in effect, an application object database that can be used from within the programming language. There are both free and commercial packages available that perform object-relational mapping, although some programmers opt to create their own ORM tools (Figure 5).
4. A secret validation token such as <input type=hidden value=23a3af01b> has not been explored in most cases.
5. Referer validation, as used by Facebook (Referer: http://www.facebook.com/home.php), is still the most used validation login procedure, but when wrongly implemented, SQL injection could threaten it.
6. A custom HTTP header is sometimes poorly implemented, e.g. X-Requested-By: XMLHttpRequest.

Figure 5: ORM Framework

This work adopted CT-CIA as a secret token validation (STV) in which requests include a hard-to-guess secret. The variations are:
- Session identifier
- Session-independent token
- Session-dependent token
- Hash Message Authentication Code (HMAC) of session identifier

3. METHODOLOGY

3.1. ORP Framework/Waterfall Model

This work used the ORP framework, in which tasks act on object-oriented (OO) objects that are non-scalar values. Logical representations of the objects are translated into an atomized form that can be stored in the database, while preserving the properties of the objects and their relationships so that they can be reloaded as objects when needed. Storage and retrieval functionality were implemented with persistence. This was applied in the CT-CIA proposal. Figure 6 shows the waterfall model applied in deriving Figure 5. It shows the basic steps towards the implementation and integration of the security scheme.

Figure 6: CT-CIA Waterfall Flow Diagram

3.2. Description of CT-CIA Technique

The CT-CIA is conceived as a Hash Message Authentication Code (HMAC). This is a specific construction for calculating a message authentication code (MAC) from a cryptographic hash function in combination with a secret cryptographic key. As a MAC, it is used to simultaneously verify both the data integrity and the authenticity of a customer transaction message. The work employed the cryptographic hash functions MD5/SHA-1 in the computation of the e-commerce HMAC. When instantiated with MD5, the resulting MAC algorithm is referred to as e-commerce HMAC-MD5; when instantiated with SHA-1, it is referred to as HMAC-SHA1. The cryptographic strength of the HMAC depends on the cryptographic strength of the underlying hash function offered by the database logic, the size of its hash output, and the size and quality of the key.
In operation, an iterative hash function breaks a message into blocks of a fixed size and iterates over them with a compression function. MD5 operates on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function, i.e. 128 bits for MD5 and 160 bits for SHA-1.

3.3. Security Algorithm

The security key is given by the operator:

\mathit{CT\text{-}CIA}[CK, CM] = H\bigl((CK \oplus opad) \,\|\, H\bigl((CK \oplus ipad) \,\|\, CM\bigr)\bigr)

where H is a cryptographic hash function; CK is the secret key, padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it is longer than that block size; CM is the message to be authenticated; || denotes concatenation; ⊕ denotes exclusive or (XOR); opad is the outer padding (0x5c5c5c…5c5c, a one-block-long hexadecimal constant); and ipad is the inner padding (0x363636…3636, a one-block-long hexadecimal constant). The following pseudocode demonstrates how the CT-CIA (HMAC) was implemented with MD5. The block size is 64 bytes when using the MD5 hash function.
    function HMAC(key, message)
        if (length(key) > blocksize) then
            key = hash(key)                                  // keys longer than blocksize are shortened
        end if
        if (length(key) < blocksize) then
            key = key ∥ [0x00 * (blocksize - length(key))]   // keys shorter than blocksize are zero-padded (∥ is concatenation)
        end if
        o_key_pad = [0x5c * blocksize] ⊕ key                 // blocksize is that of the underlying hash function
        i_key_pad = [0x36 * blocksize] ⊕ key                 // ⊕ is exclusive or (XOR)
        return hash(o_key_pad ∥ hash(i_key_pad ∥ message))   // ∥ is concatenation
    end function

    // HMAC_MD5("", "")    = 0x74e6f7298a9c2d168935f58c001bad88
    // HMAC_SHA1("", "")   = 0xfbdb1d1b18aa6c08324b7d64b71fb76370690e1d
    // HMAC_SHA256("", "") = 0xb613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad

3.4. Proposed Cloud E-Commerce System

The proposed e-commerce transaction system is developed for products and services using the waterfall-with-reuse model shown in Figure 6. The system combines all the basic functionalities of the e-commerce models, leveraging the CT-CIA. In operation, the platform depicts a scenario where a user registers on the platform and a code (HMAC) is generated by the administrator and sent electronically as SMS to the mobile line (mobile phone) entered in the transaction window. This enables the user to place orders for products and services based on the administrator's role privilege assignment. The main function of customer tracker work orders is to initiate work and to clarify the work to be done, the delivery date and special instructions, with audit logs. The tracker ensures that the work order tracks the progress of the online activity.

3.4.1. System Elements

In the proposed system model, the key factors include:

i. Cloud Super Admin Authentication (Sa)
ii. Dedicated Administrator Aarg[Da]
iii. Cloud Customers Cc1, Cc2, ..., Ccn
iv. Cloud Audit [Sales Audit]
v. Shopping/Order/Billing
vi. Customer Code Generator

3.4.2. Architectural/Operational Mechanism

In this architecture, the super admin Sa on the cloud portal assigns subsidiary administrators, depicted as Dedicated Administrators Da1, Da2, ..., Dan, who coordinate and monitor the activities of the numerous registered cloud customers Cc1, Cc2, ..., Ccn. From the user's perspective, legitimately registered cloud customers are authenticated using HMAC in context, and an immediate transaction code is generated by the Customer Code Generator and sent as SMS to the customer's mobile number or by e-mail. The access control authentication and encryption algorithm intelligently grants or denies access to the platform domain based on the logon and customer transaction code status of the cloud customer. The status control serves to enforce discipline on either Da or Cc, while the cloud audit stores and displays customers' transaction information in the cloud logs for all Da and Cc whenever desired. Figure 7 illustrates the proposed model.

Figure 7: Proposed model for the CES

3.4.3. IMPLEMENTATION

The system accepts a new registration or prompts for one. Essentially, a customer either logs in or registers before initiating any transaction on the CES. Figure 8 shows the CES user interface. The descriptive flow charts used to develop the entire system model are presented below.

Figure 8: E-commerce Cloud Portal (User Interface)

Figure 9: E-commerce Cloud Portal (Login Interface)

Figure 10: E-commerce Cloud Portal (Registration Interface)
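As an added example (not the paper's code), the HMAC construction of Section 3.3 and its pseudocode are written out over any hashlib digest and cross-checked against Python's hmac module, then used to derive and verify the short transaction code that Sections 3.4 and 3.4.2 describe being sent to the customer by SMS. The 6-digit truncation, the per-session nonce and the function names are constructed design choices for this illustration, not something the paper specifies.

```python
import hashlib
import hmac as stdlib_hmac
import secrets

# Added example (not the paper's code): CT-CIA[CK, CM] = H((CK xor opad) || H((CK xor ipad) || CM))
# implemented as in the Section 3.3/3.4 pseudocode, then used for a customer transaction code.


def ct_cia_hmac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """HMAC over the named hashlib digest, following the paper's pseudocode step by step."""
    blocksize = hashlib.new(hash_name).block_size      # 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > blocksize:                           # keys longer than blocksize are hashed
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(blocksize, b"\x00")                # keys shorter than blocksize are zero-padded
    o_key_pad = bytes(0x5C ^ b for b in key)           # opad = 0x5c5c...5c, one block long
    i_key_pad = bytes(0x36 ^ b for b in key)           # ipad = 0x3636...36, one block long
    inner = hashlib.new(hash_name, i_key_pad + message).digest()
    return hashlib.new(hash_name, o_key_pad + inner).digest()


def self_check() -> bool:
    """Compare the hand-rolled HMAC with Python's hmac module for the three
    key-length cases the pseudocode distinguishes: short, exactly one block, long."""
    msg = b"Cc1|order=42|amount=1500"                  # constructed sample message
    for hash_name in ("md5", "sha1", "sha256"):
        for key in (b"short", b"k" * 64, b"x" * 100):
            ref = stdlib_hmac.new(key, msg, hash_name).digest()
            if not stdlib_hmac.compare_digest(ct_cia_hmac(key, msg, hash_name), ref):
                return False
    return True


# Transaction code (constructed design, not specified by the paper): the tag over
# "customer id | nonce" is truncated to a 6-digit code small enough for an SMS.
# A fresh nonce per registration/login means a captured code is useless later.
def new_nonce() -> bytes:
    return secrets.token_bytes(16)


def transaction_code(server_key: bytes, customer_id: str, nonce: bytes,
                     digits: int = 6) -> str:
    tag = ct_cia_hmac(server_key, customer_id.encode() + b"|" + nonce, "sha256")
    value = int.from_bytes(tag[:4], "big") % (10 ** digits)
    return str(value).zfill(digits)


def verify_transaction_code(server_key: bytes, customer_id: str, nonce: bytes,
                            submitted: str, digits: int = 6) -> bool:
    """Recompute the expected code and compare in constant time, so response
    timing does not reveal how many leading digits of a guess were right."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    expected = transaction_code(server_key, customer_id, nonce, digits)
    return stdlib_hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    # Test vectors quoted in the paper's pseudocode comments.
    print(ct_cia_hmac(b"", b"", "md5").hex())    # 74e6f7298a9c2d168935f58c001bad88
    print(ct_cia_hmac(b"", b"", "sha1").hex())   # fbdb1d1b18aa6c08324b7d64b71fb76370690e1d
    print("agrees with hmac module:", self_check())
    key, nonce = secrets.token_bytes(32), new_nonce()
    code = transaction_code(key, "Cc1", nonce)
    print("code sent by SMS:", code, "verified:", verify_transaction_code(key, "Cc1", nonce, code))
```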
Figure 11: E-commerce Cloud Super Admin Interface

Figure 12: E-Commerce Cloud Register Admin Interface

Figure 13: E-commerce Cloud Customer Info DB

Figure 14: E-commerce Cloud Audit Log Interface

Figure 15: E-commerce Cloud Assigned Administrators Interface

Figure 16: E-commerce Cloud Assigned Administrators Interface

This work used Adobe Dreamweaver as the integrated development environment, a visual editor that supports web technologies such as CSS, JavaScript, and various server-side scripting languages and frameworks including ASP (ASP JavaScript, ASP VBScript, ASP.NET C#, and ASP.NET VB), ColdFusion, Scriptlet, and PHP. The IDE was configured with the MySQL server in the XAMPP control panel, which has integrated support for the Apache server and the MySQL database. The entire program, developed using the design phase of the SDLC waterfall model with the reuse model, was tested using different data and system platforms. Before the proposed e-commerce system was made fully operational, it was thoroughly tested on a localhost server, debugging and ensuring that there were no syntax errors, giving rise to successful compilation while testing with real user test data.
After several tests, the reliability of the system was ascertained while the necessary documentation was produced. In this research, the e-commerce model was designed to run on a high-performance data centre network infrastructure comprising a MikroTik server with a localhost HP Envy m4 running Windows 8, Apache, MySQL and the Adobe Dreamweaver CS4 IDE.

Figure 17: CES user registration pictorial framework

Figure 18: CES login interface pictorial framework

Figure 19: CES shopping cart (user accepted)

Figure 20: CES login interface (denying access)

These at a glance show the major displays that reflect the level of dependability projected to make security in e-commerce reliable.

4. Results and Discussion

The display of the user interface was in line with the design flow charts. The flowcharts for the e-commerce system model show the level of reliability of the customer's security. Figure 7, the e-commerce design in which security was tested, yielded satisfactory results. The HMAC specification was observed to eliminate attacks on the e-commerce system that are based on the key with a hash function. The security of HMAC, unlike that of MAC = H(key ∥ message), is very robust and reliable. Unlike most encryption schemes, the computational overhead of the CT-CIA is lower, as the processor spends little time generating the inclusion code string. In some existing cryptographic algorithms seen in the literature, the methods suffer from a serious flaw: with most hash functions, it is easy to append data to the message without knowing the key and obtain another valid MAC (length-extension attack). The alternative, appending the key using MAC = H(message ∥ key), suffers from the problem that an attacker who can find a collision in the (unkeyed) hash function can use it quickly to compromise the e-commerce system.
Using MAC = H(key ∥ message ∥ key) is better, but various security papers have suggested vulnerabilities with this approach, even when two different keys are used. No known extension attacks have been found against the current HMAC specification, which is defined as H(key ∥ H(key ∥ message)), because the outer application of the hash function masks the intermediate result of the inner hash. The values of ipad and opad are not critical to the security of the algorithm, but were defined in such a way as to have a large Hamming distance from each other, so that the inner and outer keys have fewer bits in common. The security reduction of HMAC does require them to differ in at least one bit. This is used to generate the authorization code for the e-commerce transaction via mobile phone SMS. Table 1 summarises a comparison between the proposed and some existing schemes.

Table 1: Comparison between Hybrid Cryptographic Schemes and the CT-CIA Scheme (Performance Evaluation)

Parameter                           | Hybrid Security Schemes                             | CT-CIA
Cryptographic Security / Secrecy    | Fuses cryptographic uniqueness with secrecy         | Caters for secrecy with the least overhead
Comparison process                  | Takes a lot of computation resources                | Done easily with fewer computation resources
User convenience                    | Requires huge memorization of PINs                  | Requires less effort from the user
Vulnerability to eavesdropping      | Can be hacked if discovered by constant monitoring  | With constant monitoring, passwords can never be discovered
Vulnerability to brute force attack | Highly vulnerable                                   | Less vulnerable
Countermeasures                     | Counter attacks have not yet been documented        | Counter attacks on password systems are well documented
Cost Effectiveness                  | Very expensive                                      | PIN code systems are relatively cheap

5. CONCLUSION

This research work developed a security-integrated e-commerce system that leverages the intelligent CT-CIA. This new security scheme, which is based on hybrid XAMP MD5 Random curve cryptography with customer tracker code inclusion, addresses vulnerability in the e-commerce domain. The scheme enables customers to carry out reliable and flexible online transactions with ease. The extra security layer, or feedback security, guarantees adequate security for online transactions. It is therefore expected that, with this new security model, over 80% of business owners will be carrying out their transactions via this platform. This e-commerce security model reliability application is compatible with all browsers, following the ORP waterfall methodology. A comparison between the proposed scheme and the generalized cryptographic schemes shows that the performance of the proposed system is very satisfactory.

References

1. Bela Genge, Adela Beres, Piroska Haller, "A Survey on Cloud-based Software Platforms to Implement Secure Smart Grids", IEEE, 2014.
2. S. Subashini, V. Kavitha, "A survey on security issues in service delivery models of cloud computing", Journal of Network and Computer Applications, Elsevier ScienceDirect, 34 (2011) 1–11.
3. Google Analytics. Online: https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview?hl=en, retrieved on 13th Sept. 2015.
4. S. Subasree and N. K. Sakthivel, "Design of A New Security Protocol Using Hybrid Cryptography Algorithms", IJRRAS 2 (2), February 2010.
5. Hakim Fourar-Laidi, "A smart card based framework for securing e-business transactions in distributed systems", Journal of King Saud University – Computer and Information Sciences 25 (2013) 1–5, http://dx.doi.org/10.1016/j.jksuci.2012.05.002.
6. Okafor N. I., Okafor K. C., Udeze C. C. & Onwusuru I. M., "3-Tier E-Comp: A Novel E-Commerce Management Portal Based On Secured SDLC Approach", Computing, Information Systems, Development Informatics & Allied Research, ISBN 978-2257-44-7 (Print), ISSN 2167-1710 (online), Vol. 4 No. 4, Dec. 2013, pp. 1–11.
7. Okafor K. C., Udeze C. C., Okafor C. M., "ISCLOUD V.1.0: An Interactive Cloud Shopping Cart Based On Software As A Service Computing Model With Hybrid Cryptographic Algorithm", International Journal of Engineering and Computer Science, ISSN 2319-7242, Vol. 2 Issue 6, June 2013, pp. 1727–1738.
8. John Mitchell, "Web Application Security", CS 155, Spring 2010.