Security
Security is an essential part of any transaction that takes place over the internet. Customers
will lose his/her faith in e-business if its security is compromised. Following are the essential
requirements for safe e-payments/transactions −

Confidentiality − Information should not be accessible to an unauthorized person. It
should not be intercepted during the transmission.

Integrity − Information should not be altered during its transmission over the network.

Availability − Information should be available wherever and whenever required within
a time limit specified.

Authenticity − There should be a mechanism to authenticate a user before giving
him/her an access to the required information.

Non-Repudiability − It is the protection against the denial of order or denial of
payment. Once a sender sends a message, the sender should not be able to deny
sending the message. Similarly, the recipient of message should not be able to deny
the receipt.

Encryption − Information should be encrypted and decrypted only by an authorized
user.

Auditability − Data should be recorded in such a way that it can be audited for
integrity requirements.
Security Protocols in Internet
Secure Socket Layer (SSL)
It is the most commonly used protocol and is widely used across the industry. It meets
following security requirements −




Authentication
Encryption
Integrity
Non-reputability
"https://" is to be used for HTTP urls with SSL, where as "http:/" is to be used for HTTP urls
without SSL.
Secure Hypertext Transfer Protocol (SHTTP)
SHTTP extends the HTTP internet protocol with public key encryption, authentication, and
digital signature over the internet. Secure HTTP supports multiple security mechanism,
providing security to the end-users. SHTTP works by negotiating encryption scheme types
used between the client and the server.
Secure Electronic Transaction
It is a secure protocol developed by MasterCard and Visa in collaboration. Theoretically, it is
the best security protocol. It has the following components −

Card Holder's Digital Wallet Software − Digital Wallet allows the card holder to make
secure purchases online via point and click interface.

Merchant Software − This software helps merchants to communicate with potential
customers and financial institutions in a secure manner.

Payment Gateway Server Software − Payment gateway provides automatic and
standard payment process. It supports the process for merchant's certificate request.

Certificate Authority Software − This software is used by financial institutions to
issue digital certificates to card holders and merchants, and to enable them to register
their account agreements for secure electronic commerce.
Digital signatures are used to authenticate the identity of the sender. It is like signing a message in
electronic form. A digital signature is a protocol that produces the same effect as a real signature. It
is a mark that only the sender can make and other people can easily recognize that it belongs to the
sender. A digital signature is also used to confirm agreement to a message. A digital signature must
be unforgeable and authentic. In a digital signature process, the sender uses a signing algorithm to
sign the message. The message and the signature are sent to the receiver. The receiver receives the
message and the signature and applies the verifying algorithm to the combination. If the result is
true, the message is accepted otherwise it is rejected.
A conventional signature is like a private key belonging to the signer of the document. The signer
uses it to sign documents. The copy of the signature on a file is like a public key so anyone can use
it to verify a document to compare it to the original signature. In digital signature the signer uses
her private key applied to a signing algorithm to sign the document. The verifier uses the public key
of the signer applied to verifying algorithm to verify the sign. When a document is signed anyone
her public key to sign the document because anyone could forge her signature. Digital signatures
have assumed great significance in the modern world of web-commerce. Many countries have
made provisions for recognizing digital signature as a valid authorization mechanism like paperbased signatures
Digital Certificate
A digital certificate, also known as a public key certificate, is used to cryptographically link
ownership of a public key with the entity that owns it. Digital certificates are for sharing public
keys to be used for encryption and authentication.
Digital certificates include the public key being certified, identifying information about the entity
that owns the public key, metadata relating to the digital certificate and a digital signature of
the public key the certificate issuer created.
The distribution, authentication and revocation of digital certificates are the primary functions
of the public key infrastructure (PKI), the system that distributes and authenticates public keys.
Public key cryptography depends on key pairs: one private key to be held by the owner and
used for signing and decrypting and one public key that can be used for encrypting data sent
to the public key owner or authenticating the certificate holder's signed data. The digital
certificate enables entities to share their public key so it can be authenticated.
Digital certificates are used in public key cryptography functions most commonly for initializing
Secure Sockets Layer (SSL) connections between web browsers and web servers. Digital
certificates are also used for sharing keys used for public key encryption and authentication
of digital signatures.
All major web browsers and web servers use digital certificates to provide assurance that
unauthorized actors have not modified published content and to share keys for encrypting and
decrypting web content. Digital certificates are also used in other contexts, online and offline,
for providing cryptographic assurance and data privacy.
Digital certificates that are supported by mobile operating environments, laptops, tablet
computers, internet of things (IoT) devices, and networking and software applications help
protect websites, wireless networks and virtual private networks.
Digital certificates vs. digital signatures
Public key cryptography supports several different functions, including encryption and
authentication, and enables a digital signature. Digital signatures are generated using
algorithms for signing data so a recipient can irrefutably confirm the data was signed by a
particular public key holder.
Digital signatures are generated by hashing the data to be signed with a one-way
cryptographic hash; the result is then encrypted with the signer's private key. The digital
signature incorporates this encrypted hash, which can only be authenticated, or verified, by
using the sender's public key to decrypt the digital signature and then running the same oneway hashing algorithm on the content that was signed. The two hashes are then compared. If
they match, it proves that the data was unchanged from when it was signed and that the
sender is the owner of the public key pair used to sign it.
A digital signature can depend on the distribution of a public key in the form of a digital
certificate, but it is not mandatory that the public key be transmitted in that form. However,
digital certificates are signed digitally, and they should not be trusted unless the signature can
be verified.
Encryption is the process of taking plain text, like a text message or email, and
scrambling it into an unreadable format — called “cipher text.” This helps protect the
confidentiality of digital data either stored on computer systems or transmitted
through a network like the internet.
When the intended recipient accesses the message, the information is translated
back to its original form. This is called decryption.
To unlock the message, both the sender and the recipient have to use a “secret”
encryption key — a collection of algorithms that scramble and unscramble data back
to a readable format.