Benefits of a Universal Security Framework
a report by
Arnd Weber¹
How can different types of electronic commerce be secured economically against different threats? How can one avoid a situation in which players end up with a variety of security instruments on their computers, each with a different interface? How can digital signatures be produced both on existing, insecure computers and on secure implementations that comply with legislation? This paper tries to answer these questions based on experience with a prototype of a technical and legal security framework developed by the EU project SEMPER.
1. Threats and the Costs of Special Solutions
Commerce over open networks like the Internet reduces transaction costs, but it takes place in an insecure environment. Business partners have therefore started using security instruments to address the resulting threats, such as:
• Authentication
• Encryption
• Digital signatures
• On-line payments
There is also a new instrument, called
• Fair exchange
With the latter, the protocol makes sure that both parties obtain what they promised each other, e.g., a receipt in return for an on-line delivery, or, if the exchange fails, that neither party obtains anything.
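To make the fairness property concrete, here is an added Python sketch of a fair exchange mediated by a trusted third party. It is not SEMPER code (SEMPER's own fair-exchange protocols are described in the references); the TTP mediation, the HMAC stand-in for a digital signature, the keys and the description of the deliverable by its SHA-256 hash are assumptions made for this example. The point it shows is that a buyer who walks away after the seller has deposited the deliverable gains nothing, and the seller loses nothing.

```python
"""Fair exchange of an on-line deliverable against a receipt via a trusted
third party (TTP). Added illustration, not SEMPER code: SEMPER's own
fair-exchange protocols are described in the project's references. The toy
models only the property the text names: after the protocol, either both
parties hold what they were promised or neither does.

Assumptions (not from the paper): HMAC-SHA256 under a per-party key stands in
for a digital signature (so the TTP holds the buyer's key); the deliverable is
a byte string described by its SHA-256 hash; the TTP is honest."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed key (a real system would use signature key pairs).
BUYER_KEY = b"buyer-secret-key-constructed"


def describe(item: bytes) -> bytes:
    """The agreed description of the deliverable: its SHA-256 hash."""
    return hashlib.sha256(item).digest()


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC stand-in for a digital signature."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), tag)


@dataclass
class Escrow:
    """What the TTP holds for one transaction before settling it."""
    description: bytes
    item: Optional[bytes] = None                    # seller's deposit
    receipt: Optional[Tuple[bytes, bytes]] = None   # buyer's (receipt, signature)


class TrustedThirdParty:
    def __init__(self) -> None:
        self.escrows: Dict[str, Escrow] = {}

    def open(self, tx_id: str, description: bytes) -> None:
        self.escrows[tx_id] = Escrow(description=description)

    def deposit_item(self, tx_id: str, item: bytes) -> bool:
        """Seller deposits the deliverable; rejected unless it matches the description."""
        e = self.escrows[tx_id]
        if describe(item) != e.description:
            return False
        e.item = item
        return True

    def deposit_receipt(self, tx_id: str, receipt: bytes, sig: bytes) -> bool:
        """Buyer deposits a signed receipt; rejected unless it names the agreed item."""
        e = self.escrows[tx_id]
        if receipt != b"received:" + e.description or not verify(BUYER_KEY, receipt, sig):
            return False
        e.receipt = (receipt, sig)
        return True

    def settle(self, tx_id: str):
        """Release both deposits, or neither. Returns (item_for_buyer, receipt_for_seller)."""
        e = self.escrows.pop(tx_id)
        if e.item is None or e.receipt is None:
            return None, None    # abort: nobody gains anything
        return e.item, e.receipt


def is_fair(outcome) -> bool:
    """The fairness property: both parties got something, or neither did."""
    item, receipt = outcome
    return (item is None) == (receipt is None)


def run_exchange(item: bytes, buyer_cooperates: bool):
    """Drive one exchange; the buyer either deposits a receipt or walks away."""
    ttp = TrustedThirdParty()
    ttp.open("tx1", describe(item))
    ttp.deposit_item("tx1", item)
    if buyer_cooperates:
        receipt = b"received:" + describe(item)
        ttp.deposit_receipt("tx1", receipt, sign(BUYER_KEY, receipt))
    return ttp.settle("tx1")


if __name__ == "__main__":
    print(run_exchange(b"constructed report contents", True))
    print(run_exchange(b"constructed report contents", False))
```

The TTP is the simplest way to obtain the property; the cost is that it sits on the critical path of every exchange, which is why optimistic protocols that involve the third party only in case of dispute are preferred in practice.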
What is currently becoming visible is that players start using a variety of individually secured applications. Sometimes a smartcard is used for authentication. Other applications use digital signatures. Yet others use new payment instruments, etc. We see one-to-one solutions emerge, but we expect that they will not scale, as each player has many customers and suppliers, i.e. globally there will be millions of companies interacting. Economic usage of security instruments requires that different business processes can be secured cheaply with whatever security instrument the players wish to use for a given business process. Products providing security services have certain costs and benefits, so players will wish to select between them. It will be economical for players to manage them through a single user interface. A framework will reduce the costs of adapting instruments and processes. Fair exchange can only be used if both parties' workflows mirror each other. If players wish to use digital signatures, it can be anticipated that they will wish to use them across borders, so a matching global legal framework is necessary, too.

¹ Arnd Weber has been investigating technologies for legal certainty and confidentiality in electronic commerce and payments since 1987. He is currently working on secure hardware with user input and output for applications such as digital signatures and encryption. Dr. Weber is a Research Associate at the Institute of Informatics and Social Sciences, Department of Telematics, of Albert-Ludwigs-Universität, Freiburg, Germany. He wrote his PhD thesis on the economic and social aspects of the technologies used in electronic commerce and payments. You can reach him at <aweber@iig.uni-freiburg.de>.
SEMPER was EU project ACTS AC 026, running from 1995 to 1998, with partners Commerzbank, Cryptomathic, CWI, DigiCash, Eurocom, Europay International, Fogra Forschungsgesellschaft Druck, France-Télécom – CNET, GMD, Intracom, KPN Research, MARIS, Otto Versand, Entrust, SINTEF Telecom and Informatics, and the Universities of Freiburg and Saarbrücken, led by IBM.
To appear in World Market Research Centre (ed.): Business Briefing: Electronic Commerce, London 2000.
2. The SEMPER Prototype
2.1 The Technical Framework SEMPER
In SEMPER we developed the design shown in Figure 1. To make transactions, both parties need an implementation of the kernel, some business applications and security instruments. Service managers in the kernel handle different instances of a service, such as different types of pre- and postpayment instruments.
Arrows in Figure 1 indicate that a process or instrument needs to be adapted to the framework. The kernel has a special user interface for viewing all security-relevant communication. It also uses a mechanism for identifying trustworthy business applications. We developed a prototype of such a solution (for the design of the kernel, see the references).
Figure 1: SEMPER Technical Framework
[Figure: business applications (E-mail, Fair Internet Trader, Special Business Applications i to n) sit on top of the Commerce Layer Interface and the User Interface of the SEMPER Kernel; the kernel contains service managers for Authentication, Encryption, Signature, Fair Exchange and Payment, each managing Instruments i to n.]
2.2 The Legal Framework SECA
The basic idea of the legal framework proposed by SEMPER is that all players who wish to use digital signatures sign the same agreement, the SEMPER Electronic Commerce Agreement (SECA). This is done on paper, and the signed agreement is deposited with a third party (typically the so-called certification authority). In this way players bind themselves to be liable for their digital signatures. The approach works across borders, regardless of national digital signature legislation, and every relying party knows what the rules are. The agreement should allow players to opt for software-only solutions as well as for more secure or law-compliant ones; the option of software-only solutions improves usability. Players may declare a liability limit per period of time.
3. Experiences
3.1 General
Between 1997 and 1999 semi-standardised, tape-recorded interviews took place with 100
respondents who tested the SEMPER prototype. Participants played the role of buyers or
sellers, performing mail order-like sales and on-line sales of information, using payments
(SET, KPN Chipper stored value card), strong encryption, digitally signed offers and orders, etc. Test persons included Internet merchants, experienced Internet users and experts
in related fields.
Feedback in the areas of authentication, encryption and payment has roughly been what the reader would anticipate: players need to authenticate an individual or a server; they require strong encryption, e.g., for protecting intellectual property or customer data; regarding on-line payment, merchants are interested in solutions with low costs and a high degree of finality. Secure payment turned out to be the major security requirement on the buyer side. Neither these findings nor the suggestions for improving details of the prototype are presented here. Instead we present only findings from a few areas that highlight interest in new aspects (see the references for details).
3.2 Signed Business Documents and SECA
Opinions on Signed Business Documents
• “If the signature is legally binding, it would eliminate the need to keep separate records – therefore save time.”
• “For a consumer who buys a food-processor for DM 100, a Visa card is OK. But for companies, where a purchase of equipment can be worth millions, you better use digital signatures to replace the paper [contracts] used today.”
• A software provider requiring signed offers: “I outsource software development. It is very important for me that I have the system at a certain date. Otherwise I may go bankrupt.”
• “I don’t want to travel to the airport for a flight which I booked on-line to discover that there is no seat for me on the plane! And if it happens I want to have a legal right to claim compensation.”
The availability of evidence was generally appreciated. Respondents pointed out that it will be essential to record the time at which a document was signed. We noticed that the incentive for a buyer to register and sign is low as long as sellers do not require signed orders. One conclusion is that the diffusion of digital signature technology could start with sellers providing digitally signed documents as a service.
Opinions on SECA
• “SECA reminds me of the situation of today’s credit card payments: I’m liable as long as I didn’t report my card loss. This gives a clear understanding and confidence.”
• “I don’t think that I would agree to obtain a certificate that would allow me to pay any amount of money. If this certificate is stolen then somebody can sell my house.”
• “If I am not protected against manipulations my whole existence could go down the drain.”
• “Limits would give me a secure feeling. The question is how to select a limit if one wishes to make high value transactions.”
Trial participants appreciated the principles of SECA and of liability limits. We noticed that, in particular for very high limits, the relationship between limits and insurance needs to be worked out.
3.3 The Fair Internet Trader
Assume a few sellers started accepting digitally signed orders, and imagine a buyer who has registered. That buyer will only be able to sign with these few sellers. We therefore thought about making security services more easily usable and developed the “Fair Internet Trader”, an application which allows any Internet user to make contracts spontaneously. As opposed to secure e-mail, the Fair Internet Trader (FIT)
• supports forms for offers, orders, etc.;
• has an electronic auditor verifying that forms are filled in properly;
• displays differences between forms, i.e. shows whether one’s partner made a change;
• supports liability limits;
• provides for fair exchange of information against receipts; and
• has an option for on-line payment.
These characteristics have generally been appreciated by the test persons.
Opinions on the Fair Internet Trader
• (I like) “the idea that it is a piece of standalone software, which everybody can use with everybody else.”
• “I like the similarities with traditional business documents.”
• “The possibility to efficiently revise and negotiate a proposal in several rounds is very good.”
• “I love the idea that private people and small companies can do business over the Internet, without having to invest huge amounts of time and money into a shopping solution. The best part is that I can deliver goods and information on-line, have some kind of proof for that and that I can even at some stage receive some money through the Internet.”
3.4 User Interface
Trial participants appreciated the concept of a single unified user interface in which all security-relevant actions from different applications take place. To protect against mimicry, i.e. a fake window imitating this interface, we made its background configurable, so that an imitation cannot know what the user's genuine window looks like. For signing, we introduced a red frame that appears as a warning prior to signing.
Opinions on the User Interface
• “Forms are useful.”
• “I like the automatic checking of content.”
• “The `show differences` feature is nice.”
• “Don’t we have to make sure that displaying white text on a white background is not possible, or that the print can be too small to read?”
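The last question points at a what-you-see-is-what-you-sign problem: a document can carry clauses the signer never sees. As an added example, not SEMPER code, the following Python check refuses to enter the signing step if any text span is nearly invisible against its background or set too small to read. The span structure, the WCAG contrast formula, the constructed order and the thresholds of 4.5:1 and 8 pt are assumptions chosen for the example.

```python
"""Legibility check for the text shown in the signing window.
Added example, not SEMPER code, addressing the concern raised by the test
person above: before the red signing frame is shown, refuse to sign a document
in which any text is (nearly) invisible against its background or too small to
read. Assumptions (not from the paper): the signing UI hands over text spans
with sRGB colours and point sizes; contrast is measured with the WCAG
relative-luminance ratio; the thresholds below are policy choices made here."""
from dataclasses import dataclass
from typing import List

MIN_CONTRAST = 4.5     # ratio below which text counts as hidden
MIN_POINT_SIZE = 8.0   # size below which text counts as unreadable


@dataclass(frozen=True)
class Span:
    text: str
    fg: str        # "#rrggbb"
    bg: str        # "#rrggbb"
    size_pt: float


def _linear(channel: int) -> float:
    """sRGB 8-bit channel to linear light."""
    c = channel / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def luminance(hex_color: str) -> float:
    """Relative luminance of an #rrggbb colour (0.0 black .. 1.0 white)."""
    h = hex_color.lstrip("#")
    if len(h) != 6:
        raise ValueError(f"expected #rrggbb, got {hex_color!r}")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast_ratio(fg: str, bg: str) -> float:
    """WCAG contrast ratio, 1.0 (identical colours) .. 21.0 (black on white)."""
    lighter, darker = sorted((luminance(fg), luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


def legibility_problems(spans: List[Span]) -> List[str]:
    """Every span that would let content hide from the signer, with the reason."""
    problems = []
    for i, s in enumerate(spans):
        if not s.text.strip():
            continue   # whitespace cannot carry hidden content
        ratio = contrast_ratio(s.fg, s.bg)
        if ratio < MIN_CONTRAST:
            problems.append(f"span {i} ({s.text[:20]!r}): contrast {ratio:.2f}:1 below {MIN_CONTRAST}:1")
        if s.size_pt < MIN_POINT_SIZE:
            problems.append(f"span {i} ({s.text[:20]!r}): {s.size_pt} pt below {MIN_POINT_SIZE} pt")
    return problems


def may_sign(spans: List[Span]) -> bool:
    """Gate for the signing dialog: only show the red frame if nothing is hidden."""
    return not legibility_problems(spans)


# Constructed document: a visible order with a hidden clause and a tiny penalty line.
CONSTRUCTED_ORDER = [
    Span("Order: 10 units at DM 100 each", "#000000", "#ffffff", 11.0),
    Span("Delivery within 14 days", "#000000", "#ffffff", 11.0),
    Span("Buyer waives all claims for late delivery", "#fefefe", "#ffffff", 11.0),
    Span("Penalty: DM 1,000,000", "#000000", "#ffffff", 2.0),
]

if __name__ == "__main__":
    for p in legibility_problems(CONSTRUCTED_ORDER):
        print(p)
    print("may sign:", may_sign(CONSTRUCTED_ORDER))
```

The check only covers what the signing window itself renders; the complementary measure in the text, the unified interface with a configurable background and red frame, is what ensures the signer is looking at that window and not at an imitation.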
3.5 Framework as a Whole
The economics of the approach became visible to the trial participants.
Opinions on the Framework
• “A system which needs to be implemented once to the backoffice system and then different payment systems can simply be added.”
• “Good candidate for electronic commerce solution: Ability to integrate different electronic commerce scenarios with different payment means, different protocols.”
• “It is the only software I’ve seen which organises all the relevant issues in electronic commerce.”
• “The advantage of SEMPER is that the existing tools are incorporated into one tool that I can use for doing business.”
4. Outlook
The diffusion of the principles of the SEMPER technical framework has already started
with the IBM eTill, handling different types of payments. The eTill has been built into solutions from different vendors of WWW-shops. IBM is also continuing research on fair exchange protocols for developing new products for third party services.
It can be assumed that once digital signatures are in widespread use, the economics of a technical framework that reduces integration effort and makes selection easy will become apparent. We believe that tools using the symmetric design of SEMPER will increase the use of such instruments. While the SEMPER prototype had a Commerce Layer verifying documents and supporting payments, for products it would be attractive to have a more powerful one, supporting more trustworthy business applications as well as non-trustworthy ones. The more powerful the kernel, the cheaper it will be to develop business applications and the easier the handling of transactions, but the higher the cost of developing such a kernel. As long as players use liability limits, trust their virus scanners and firewalls to keep malicious code out, or insure themselves, solutions on computers as they are today can well be used. However, as electronic commerce grows, the values and the risks will increase.
Therefore, SEMPER has proposed to display the information to be signed on a mobile device, such as a secure PDA-phone, while the rest of the process remains on the normal computer. Of course, it would also be attractive to have a “Mini-SEMPER” on such a PDA-phone and use it for encryption etc. as well. In the long run, mobile as well as office computers secured against malicious code will be the best solution, so that business players cannot be fooled and damaged.
Finally, a legal framework should be used that supports the global use of both existing computers and secure ones.
5. Bibliography
Lacoste, G.; Pfitzmann, B.; Steiner, M.; Waidner, M. (eds.): SEMPER Final Report. LNCS, forthcoming.
Weber, Arnd: Evaluation of the Enhanced SEMPER Trial. Zürich 1999. Available at
<http://www.semper.org>
See <www.semper.org> or <www.iig.uni-freiburg.de/~aweber> for more information.
The author wishes to express his thanks to all partners in project SEMPER. This work has been partially supported by the EU, but it represents the author’s view.