E-commerce
Víctor E. Ríos

Post on 10-Jan-2016




Abstract

● E-commerce is a very important tool for business; the benefits it generates are even lifting the economies of some countries. Transactions in e-commerce applications use information such as bank account numbers, credit card numbers and personal data about the parties involved, so security must be in the designer's mind from the moment the application is designed. In this work, I explain the importance of e-commerce security and the protocols associated with it.


Contents

● Electronic commerce
● Secure e-commerce protocol
● Public Key Infrastructure
● Digital Signatures and Certificates
● Secure Socket Layer
● Pretty Good Privacy
● Secure Electronic Transaction


Introduction to e-commerce

● E-commerce (electronic commerce) consists of buying and selling products or services by electronic means, using principally the Internet as the medium for transactions.


Benefits

● E-commerce:
– Removes geographical barriers.
– Allows companies to enhance their supply chain operations.
– Expands the customer base.
– Creates a competitive advantage.
– Reduces production costs.
– Allows trading continuously, around the clock.


Types of e-commerce

● Business-to-Consumer (B2C)
● Business-to-Business (B2B)
● Business-to-Government (B2G)
● Consumer-to-Consumer (C2C)


Business-to-Consumer (B2C)

● Companies selling goods and/or services to people in general, the end users.

● For selling physical goods, a company offers its products through a website with a storefront and online catalogs.


E-tail

● E-tail is the business of selling goods directly to people using electronic means.

● Although the Internet is an insecure channel, it is the main channel used to sell these products, through the World Wide Web.


www.etail.com


Business-to-Business (B2B)

● Business-to-business (B2B) refers to commerce transactions between businesses.

● The volume of B2B transactions is higher than that of B2C transactions, because a supply chain involves many more transactions than a single B2C sale.


Business-to-Government (B2G)

● Business-to-Government refers to selling goods or services to the different levels of government.


Consumer-to-Consumer (C2C)

● Consumer-to-consumer commerce involves transactions between consumers through a trusted third party.

● The third party organizes the transaction and takes a fee or commission from it.

● The transactions can be, for example, online auctions.


Security in e-commerce

● Security is fundamental to providing the confidence that e-commerce requires.

● An e-commerce transaction is divided into phases, and each phase needs its own security measures to protect the process.


Schmid's e-commerce model.

● Information phase:
– The parties find partners, compare the offers, specify the trade relation and choose the products to be traded.

● Contracting phase:
– The parties sign a contract.

● Delivery phase:
– The payment and the delivery are done.


Security measures in E-commerce transaction phases


E-commerce security requirements

● Access control
● Privacy/confidentiality
● Authentication
● Non-repudiation
● Integrity
● Availability
● Resistance to man-in-the-middle attacks: an attacker who can intercept and alter traffic must not be able to impersonate either party or modify the transaction undetected.


Public Key Infrastructure (PKI)

● Establishing an infrastructure that supports public key encryption satisfies the authentication requirement.

● The PKI allows the system to distribute and use public keys and digital certificates.

● One of the algorithms used for public key encryption is RSA.


Public Key Infrastructure


Public Key Infrastructure

● The PKI allows parties to communicate through insecure channels, such as the Internet, even without prior knowledge of each other.

● This process requires certificates and digital signatures. A secure e-commerce protocol also provides certificates and a .

● A certificate authority (CA) issues certificates to customers and merchants.


Certificates

● For a secure e-commerce protocol, the certificate schema for the customer and the merchant contains:
– Certificate holder's name and ID, certificate holder's public key information, certificate serial number, key usage limitation definition, certificate policy information, certificate validity period, and certificate issuer's name and ID.

● The certificate is signed with the private key of the CIA (Certificate Issue Authority). Anyone holding the CIA's public key can verify that signature, but only the CIA can produce it, which is what binds the holder's name to the holder's public key.


Google certificate


Digital Signatures

● Digital signatures also satisfy the requirements of authentication and integrity.

● The sender computes a hash of the message and transforms it with the sender's private key; the receiver reverses the transformation with the sender's public key and compares the result with a freshly computed hash of the received message. Only the holder of the private key could have produced a value that verifies under the corresponding public key, and any change to the message changes the hash, so the comparison fails.


Secure Socket Layer (SSL)

● Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) provide secure communication between the parties involved.

● SSL/TLS is used in operations that involve information exchange, such as e-commerce transactions.

● SSL/TLS employs digital certificates and PKI to provide authentication. This matters because the information travels in packets that may take different routes across networks the parties do not control.


Secure Socket Layer (SSL)

● Specifies the algorithms used for the communication.
● Key exchange and signature algorithms:
– RSA, Diffie-Hellman, DSA, Fortezza.
● Provides certificate-based authentication.
● Symmetric encryption:
– RC4, AES, DES, Triple DES, IDEA.
● Hash functions: MD5, SHA.
● Caveat: this list reflects the SSL 3.0/TLS 1.0 era. RC4, DES, Triple DES and MD5 are now considered broken or too weak and are disallowed or deprecated in current TLS, and SSL 3.0 itself has been deprecated. Practical deployments restrict negotiation to TLS 1.2 or later, ECDHE key exchange, and AES-GCM or ChaCha20-Poly1305.
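The following is an added example, not part of the original slides: a Python client-side TLS configuration that keeps only the modern subset of the algorithms listed above and a small audit helper that reports what a context would still negotiate. It uses only the standard `ssl` module; the function names `hardened_client_context`, `suites_for` and `context_report` and the `WEAK_MARKERS` list are mine, and the cipher string is one reasonable choice rather than a mandated one.

```python
import ssl

# Name fragments of suites built on algorithms from the slides' list that are no longer
# acceptable (RC4, DES/3DES, MD5) or that provide no encryption or no authentication.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_client_context():
    """Client context the way an e-commerce client should negotiate today."""
    ctx = ssl.create_default_context()              # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    # Forward-secret ECDHE key exchange with AEAD suites only (TLS 1.3 suites are always on).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    return ctx


def suites_for(cipher_string):
    """Suite names OpenSSL would offer for a cipher string; [] if none can be selected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:                            # e.g. "No cipher can be selected"
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def context_report(ctx):
    """Summarise what a context will accept, for an assertion or a config audit."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "suite_count": len(names),
        "weak_suites": [n for n in names if any(m in n for m in WEAK_MARKERS)],
    }


if __name__ == "__main__":
    print(context_report(hardened_client_context()))
    # On a current OpenSSL this is usually empty: the legacy suites are compiled out.
    print("legacy suites still available:", suites_for("RC4:DES:MD5"))
```

`context_report` is the kind of check worth keeping in a test suite: if a later change relaxes the cipher string or the minimum version, `weak_suites` stops being empty and the test fails before the change reaches production.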


Pretty Good Privacy (PGP)

● Phil Zimmermann (1991).
● Pretty Good Privacy satisfies the confidentiality and authentication requirements.
● The other services provided by PGP are compression, e-mail compatibility and segmentation.


PGP Authentication

● The sender generates a message.
● From this message the sender obtains a 160-bit hash code using SHA-1.
● The hash code is encrypted with the sender's private key (the digital signature) and is concatenated with the message. The result is compressed.
● Then symmetric encryption is applied with a session key. The session key is encrypted using the receiver's public key and is added to the ciphertext.


PGP Authentication

● The receiver decrypts the session key with the receiver's private key and then decrypts the ciphertext with the session key.
● The text is decompressed.
● The encrypted hash code is decrypted using the sender's public key.
● A new hash is generated with SHA-1 over the rest of the message.
● The new hash code and the received hash code are compared. If the two match, the message is accepted.


Pretty Good Privacy


PGP Confidentiality

● The sender creates a message to be transmitted and a 128-bit session key.
● The message is encrypted with the session key.
● The session key is encrypted with the receiver's public key and is attached to the encrypted message.
● The receiver decrypts the session key and then decrypts the ciphertext to obtain the message.
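The sign, compress, encrypt and key-wrap sequence from the PGP slides, together with the signature verification described on the Digital Signatures slide, as an added example that is not part of the original deck and not code from any PGP implementation. It is written against the Python standard library only, so two stand-ins are used and should be read as such: a textbook RSA with 512-bit keys and no padding (generated by `rsa_keygen`) in place of PGP's RSA/ElGamal, and a counter-mode keystream derived from HMAC-SHA256 in place of CAST5/AES. SHA-256 is used where the slides say SHA-1. The function names and the sample order message are mine. The point is the message layout and the check at the receiving end: a single flipped ciphertext bit is rejected before any message is returned.

```python
import hashlib
import hmac
import math
import os
import random
import zlib

_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin on an odd candidate; adequate for a demo, not a reviewed keygen."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Toy textbook RSA (no padding, short key): returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _size(n):
    return (n.bit_length() + 7) // 8

def _stream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256; stands in for PGP's CAST5/AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pgp_encrypt(message, sender_priv, receiver_pub):
    """Sign, compress, encrypt, wrap the session key: the order the slides describe."""
    n_s, d_s = sender_priv
    n_r, e_r = receiver_pub
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")  # SHA-256, not the slides' SHA-1
    signature = pow(digest, d_s, n_s).to_bytes(_size(n_s), "big")     # "hash encrypted with the private key"
    compressed = zlib.compress(signature + message)
    session_key, nonce = os.urandom(16), os.urandom(16)                 # 128-bit session key
    ciphertext = _stream_xor(session_key, nonce, compressed)
    wrapped = pow(int.from_bytes(session_key, "big"), e_r, n_r).to_bytes(_size(n_r), "big")
    return wrapped + nonce + ciphertext

def pgp_decrypt(packet, receiver_priv, sender_pub):
    """Reverse of pgp_encrypt; raises ValueError on corruption or a bad signature."""
    n_r, d_r = receiver_priv
    n_s, e_s = sender_pub
    klen, slen = _size(n_r), _size(n_s)
    wrapped, nonce, ciphertext = packet[:klen], packet[klen:klen + 16], packet[klen + 16:]
    try:
        session_key = pow(int.from_bytes(wrapped, "big"), d_r, n_r).to_bytes(16, "big")
        plain = zlib.decompress(_stream_xor(session_key, nonce, ciphertext))
    except (OverflowError, zlib.error) as exc:
        raise ValueError("packet corrupted") from exc
    signature, message = plain[:slen], plain[slen:]
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    if pow(int.from_bytes(signature, "big"), e_s, n_s) != expected:   # "decrypt hash with public key"
        raise ValueError("signature mismatch")
    return message

def demo():
    """Round trip plus a tamper check; returns (recovered_message, tamper_detected)."""
    sender_pub, sender_priv = rsa_keygen()
    receiver_pub, receiver_priv = rsa_keygen()
    msg = b"order 1234: 2 x widget, pay by card ending 4242"  # constructed sample message
    packet = pgp_encrypt(msg, sender_priv, receiver_pub)
    recovered = pgp_decrypt(packet, receiver_priv, sender_pub)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])       # flip one ciphertext bit
    try:
        pgp_decrypt(tampered, receiver_priv, sender_pub)
        detected = False
    except ValueError:
        detected = True
    return recovered, detected
```

Two design points carry over to real deployments. The receiver never acts on the message until the signature over the decompressed plaintext verifies, so a modified ciphertext cannot produce an accepted order. And the session key is fresh per message and never reused, which is what makes the counter-mode stream safe here; a real implementation would additionally use padded RSA (OAEP for the key, PSS or PKCS#1 v1.5 for the signature) and an authenticated cipher.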


Attacks: Frauds

● E-commerce security mechanisms cannot always protect users against fraud or identity theft.

● Frauds:
– The merchandise is not sent.
– The products are of lesser value than advertised.
– Not all relevant information about a product is made public.

● Auction frauds: shill bidding, bid shielding.


Attacks

● Attacks on SSL/TLS:
– Password interception.
– BEAST (Browser Exploit Against SSL/TLS), a chosen-plaintext attack against CBC-mode cipher suites in TLS 1.0, where the IV of each record is the last ciphertext block of the previous record and is therefore predictable to an attacker who can inject plaintext.
– Timing attacks.

● Attacks on PGP:
– Passive attacks and keypress snooping.
– The Trojan horse is still effective.
– PGP is highly vulnerable to chosen ciphertext attacks.


Future works

● The secure e-commerce protocol can handle only one transaction at a time.

● Some requirements are not fulfilled by the established protocols: replay threats and fraud cannot be handled by these cryptographic functions alone.


Conclusion

● E-commerce is a great way to trade. It allows a company to reach new markets and increase its sales. Nevertheless, the information exchange requires strong protection against threats, and cryptographic techniques provide the protection that the data handling requires. In this work, I presented the main practices used to protect the information against third parties.
