Security on the E-Commerce Site
-
Upload
joel-brown -
Category
Documents
-
view
225 -
download
0
Transcript of Security on the E-Commerce Site
-
8/13/2019 Security on the E-Commerce Site
1/17
-
8/13/2019 Security on the E-Commerce Site
2/17
Cryptography results in the creation of cryptographicmethods, known as cryptosystems:
Symmetric cryptosystems use the same key (secret key), toencrypt (scramble) and decrypt (unscramble) a message
Asymmetric or Public Key cryptosystems, use two keys - onekey (public key) to encrypt a message and a different key(private key) to decrypt it
Symmetric cryptosystems are the easier of the two toimplement, since only one key is required
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
3/17
Authentication is the digital process of verifying that peopleor entities are whom or what they claim to be
Digital certificates are in effect virtual fingerprints, or retinalscans that authenticate the identity of a person or thing in a
concrete, verifiable way
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
4/17
A typical digital certificate is a data file of information,digitally signed and sealed using RSA encryptiontechniques, that can be verified by anyone and includes:
The name of the holder and other identification information,
such as e-mail address A public key, which can be used to verify the digital signature
of a message sender previously signed with the matchingmathematically unique private key
The name of the issuer, or Certificate Authority
The certificates validity period
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
5/17
-
8/13/2019 Security on the E-Commerce Site
6/17
Digital certificates may be distributed online. Typical meansof distributing certificates include:
Certificate accompanying signature
Directory service
The decision to revoke a certificate is the responsibility of
the issuing company
12/28/20132004
Joel Reedy and Shauna Schullo
-
8/13/2019 Security on the E-Commerce Site
7/17
SSL was introduced in 1995 by Netscape as a component ofits popular Navigator browser and as a means of providingprivacy with respect to information being transmittedbetween a users browser and the target server, typically
that of a merchant SSL establishes a secure session between a browser and a
server
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
8/17
A channel is the two-way communication streamestablished between the browser and the server, and thedefinition of channel security indicates three basicrequirements:
The channel is reliable The channel is private
The channel is authenticated
By virtue of SSLs requirement of Transmission ControlProtocol (TCP) as the transport mechanism, channel
reliability is inherent
12/28/20132004
Joel Reedy and Shauna Schullo
-
8/13/2019 Security on the E-Commerce Site
9/17
This encryption is preceded by a data handshake and hastwo major phases:
The first phase is used to establish private communications,and uses the key-agreement algorithm
The second phase is used for client authentication Limits of SSL
While the possibility is very slight, successful cryptographicattacks made against these technologies can render SSL
insecure
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
10/17
In 1996, MasterCard and Visa announced the developmentof a single technical standard for safeguarding paymentcard purchases made over open networks called SecureElectronic Transaction (SET).
Since 1996, both Visa and MasterCard have continued theirsearch for better security to reassure online consumers andmerchants. To this end, both now have special programsthat allow a cardholder to set a password to protect theircard from unauthorized use. This process protects both the
consumer and the merchant.
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
11/17
SET sought to bolster confidence by mitigating the securityrisks in SSL
SET ensured that merchants were authorized to acceptcredit card payments, thus reducing risks associated with
merchant fraud SET ensured that the purchaser was an authorized user of
the payment card
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
12/17
While the goal of SSL is to reduce the likelihood ofcommunication interception, the goal of SET is to reduce thelikelihood of fraud
SET provides the special security needs of electroniccommerce with the following: Privacy of payment data and confidentiality of order
information transmission
Authentication of a cardholder for a branded bank card account
Authentication of the merchant to accept credit card payments
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
13/17
-
8/13/2019 Security on the E-Commerce Site
14/17
The process continued Instead of typing in the credit card number, the browser wallet
is queried by the Web site SET software and, followingselection of the appropriate credit card and entry of itspassword by the consumer, the bank-issued digital credit card
is submitted to the merchant The merchant receives the digital credit card in a digital
envelope
The merchant software then sends the SET transaction to acredit card processor (also known as a payment gateway
application or acquirer) for verification
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
15/17
The process continued The financial institution performs functions on the transaction
including authorization, credit and capture (voiding andrefund) reversals
Following successful processing, the merchant, cardholder, and
credit card processors are all advised electronically that thepurchase has been approved
Following this notification, the cardholder is debited and themerchant is paid through subsequent capture transactions
The merchant can then ship the merchandise, knowing that the
customer transaction is approved
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
16/17
Limitations of SET and SSL A downside of both SSL and SET protocols is that they both
require the use of cryptographic algorithms that place significantloads on the computer systems involved in the commerce
transaction For the low and medium e-commerce applications, there is no
additional server cost to support SET over SSL
For the large e-commerce server applications, support of SETrequires additional hardware acceleration in the range of a 5 to 6%increase in server costs
For small payment gateway applications using SET, hardwareacceleration is also required
12/28/2013
-
8/13/2019 Security on the E-Commerce Site
17/17
Thus, the conclusion is that SET has a definitive securitycomponent that very clearly represents an advance in technologyover SSL, and that any deficits that may be related toperformance will quickly be rendered minor as hardware-based
processing technology rapidly advances
12/28/2013