
SET - 1

Reg.No:

St. Joseph's College of Engineering
Model Examinations II - March 2011

SUBJECT: E-COMMERCE
CODE: MC 9271
BRANCH: M.C.A
SEM: IV
DURATION: 3 hours
MAX. MARKS: 100

Answer all the Questions

PART A: (10 * 2 = 20 marks)

1. What is the role of internet in e-commerce?
Internet can be used for advertising goods and services and transacting one-off deals. It has applications for both business-to-business and business-to-customer.

2. What is a secured web server?
A secure WWW server must support some type of security protocol. The two most important of these are S-HTTP and SSL.

3. What is meant by secure electronic transaction protocol?
Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network in a secure fashion.

4. List the steps to set up an account for a virtual payment system?
Process of opening First Virtual (FV) Account for customer:
a. Send the Registration Form with: Email address (frequently accessed) - Notification address (CC) - Phone Number - Postal Address
b. An e-mail will be received from FV with Account number and an application number
c. Applicant will call a Toll Free Number through which the credit card number will be entered by the applicant as guided by the IVR
d. FV responds by email and issues a modified A/C ID and debits $2 for the cost of setting up the A/C

5. What are the advantages of online commerce trading?
Reliability, security, simplicity, acceptability.

6. State the advantages of digital currencies?
Minimum risk, limited liability; through multiple service providers; regardless of socio-economic status; cost effective; speed of transaction; anonymity and traceability of payments; flexibility to change denominations; convertibility of currency; innovative.

7. Define Smart cards.
A smart card, chip card, or integrated circuit card (ICC), is any pocket-sized card with embedded integrated circuits.
a. Memory cards contain only non-volatile memory storage components, and perhaps dedicated security logic.
b. Microprocessor cards contain volatile memory and microprocessor components. Uses technology to enhance facilities and to improve on the antifraud
c. The chip on the card includes cryptographic keys for enhanced security
d. Signature of static card data, a value generated when issued using PKI and validated by POS

8. Differentiate online jobs from real-time jobs.
Real-time systems record transactions into the database immediately. One example of a real-time system is a bank: you withdraw from your checking account via the ATM, and your checking account immediately records that transaction and lowers your balance. On-line systems get data uploaded hourly, daily, or whatever the business requirements are. Trending and analysis is usually done with this data.

9. List the threats implicated in electronic payment system.
- Complex cryptographic algorithms prevent double spending
- Anonymity is preserved unless double spending is attempted
- Serial numbers can allow tracing to prevent money laundering
- Does not prevent double spending, since the merchant or consumer could be at fault

10. List the steps involved in selling through cyber cash.
- Customer opens account with CyberCash, gives credit card number and gets a PIN
- Special software on customer side sends PIN, signature, transaction amount to merchant
- Merchant forwards to CyberCash server that completes credit card transaction
- Pros: credit card # not shown to server, fast
- Cons: not for micro transactions

PART B: (5 * 16 = 80 marks)

11. a) Discuss in detail the digital currencies and the payment system.
Digital currencies and payment systems
Commerce servers are intended to protect transaction data being sent over the internet. Digital currencies and other types of digital payment mechanisms are intended to carry value in a protected digital form over the internet. Two approaches are taken by companies offering this type of service. One is to link a customer payment method (credit card, checking account). Merchants selling to a participating customer can then authenticate payment information through the service - descriptions

OR

b) With a suitable case study explain the different stages involved in credit card processing.
Problem: communicate credit card and purchasing data securely to gain consumer trust
- Authentication of buyer and merchant
- Confidential transmissions
Systems vary by:
- type of public-key encryption
- type of symmetric encryption
- message digest algorithm
- number of parties having private keys
- number of parties having certificates
1. Consumer buys e-cash from Bank
2. Bank sends e-cash bits to consumer (after charging that amount plus fee)
3. Consumer sends e-cash to merchant
4. Merchant checks with Bank that e-cash is valid (check for forgery or fraud)
5. Bank verifies that e-cash is valid
6. Parties complete transaction: e.g., merchant presents e-cash to issuing bank for deposit once goods or services are delivered

12. a) Discuss in detail how the payment systems are done using offline transactions and online transactions.
- To contract with some other company (electronic mall operator, Internet service provider, or some other organization) to manage servers, orders.
- Company itself must use some method or methods of accepting and processing orders.
- As has been mentioned, the simplest method of doing direct business online on the Internet is to set up a secure World Wide Web server.
- Online security, whether it is a secure channel between the customer and the merchants, or encryption of some or all data sent from one application to another.
General approaches:
- Use cryptographic techniques to secure the channel and enable online real-time transactions.
- Use alternative secure channel to transmit sensitive data.
Implementation includes the following:
- Licensing fee for patented cryptographic tools.
- Creation and distribution of new Internet browsers and servers.
- Maintenance of public key certification facilities.
- Increased computing overhead needed to transact business exchanges.
- Difficulty in distributing cryptographic technologies

OR

b) What do you mean by Electronic Funds Transfer? Explain the security protocols that support reliable Electronic Funds Transfer.
Any transfer of funds initiated through an electronic terminal, telephone instrument or magnetic tape so as to order, instruct or authorize a financial institution to debit or credit an account.
- For secure communication over the internet, users had to find products implementing security at the application level.
- Communication had to be protected explicitly by the user before being sent across the internet.
- Two protocols are used. S-HTTP (Secure Hypertext Transport Protocol), an extension of the World Wide Web protocol, adds security features. Secure Sockets Layer protocol was implemented by Netscape Communications and is also implemented by other web browsers.
- SSL operates at the transport layer, which means it can be used for private internet transmissions between systems and programming supports.
- MasterCard International and Visa International are cooperating in support of secure credit card transactions.
- Secure HTTP option adds security directly to the applications.
- Secure Sockets Layer adds security to the entire stream of data between server and client.

13 a) How the SSL client and server exchange information in connection with handshake sequence before opening the secure channel.
Can be viewed as Four Phases:
Phase 1: Establish security capabilities
Phase 2: Server Authentication and Key Exchange
Phase 3: Client Authentication and Key Exchange
Phase 4: Change Cipher Spec and Finish

OR

b) List and explain the steps involved in finding SET Requirements.
- Provide confidentiality of payment and ordering information
- Ensure the integrity of all transmitted data
- Provide authentication that a cardholder is a legitimate user of a credit card account
- Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution
- Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction
- Create a protocol that neither depends on transport security mechanisms nor prevents their use
- Facilitate and encourage interoperability among software and network providers

14 a) Write a note on virtual transactions with an example.
FV Information
- Merchant offers product description and pricing on line through FV Compatible Server
- FV Customer attempts to download offered Information
- FV asks for A/C ID
- Information is sent to the buyer directly from the Merchant's server.
- Merchant's server sends an Email to the FV with transaction details like Customer A/C ID - Seller A/C ID - Item - Price
- FV sends Email to the Customer asking if he wants to pay for it
- If the customer replies YES, then the amount (net of txn charges) is credited to the merchant's Bank A/C.
- If no response is received, no action is taken
- If no response is received within a specific time, further attempts are made through reminders while no action is taken.
- FV cancels the customer ID so as to avoid further attempts
- FV mandates that a frequently used and exclusive mail address is used by the customer. The transaction details are notified to the participant by the given Email address.
- If the reply from the buyer is YES, merchant sends message to the FV that a sale is pending with this Customer ID for the Merchant ID and the item at the price for the item.
- The FV sends Email confirmation message and asks if the customer authorizes the payment.
- Customer has an option to reply FRAUD because the transaction was not initiated by him and so it amounts to fraudulent action by someone else.
- The premise of the FV system is that the customers regularly access the Email and so a response MUST be received within the stipulated time.
At this point of time customer has 3 options:
- The customer sends YES reply indicating that the received Information is what he wanted and is as expected. So the payment of price is agreed.
- The customer sends NO reply indicating: the Information is not received - the Information received is a corrupt file - the Information received is not as expected - is an accidental or a duplicate billing
- The customer sends FRAUD reply indicating a fraudulent use and FV suspends the A/C. So the customer opens a new A/C
- Customer is required to check mails regularly as per terms of agreement.
- If no response is received from the customer, for repeated attempts, FV cancels A/C and stipulates to open a new A/C

OR

b) Explain in detail about internet commerce security protocols and discuss how it can operate at different levels with a diagram.
- S-HTTP is the logical extension of the Hypertext Transfer Protocol, which is the basis of the World Wide Web.
- HTTP defines the interactions between web browsers and web servers. It determines how requests from browsers are handled by web servers. Web browsers send requests for information stored on a web server.
- HTTP did not originally include any security features at all other than those provided by resources access www.
- HTTP can be used to provide a more user-friendly service to FTP and telnet.
Data is requested and delivered across the World Wide Web using HTTP and S-HTTP. Other than that we have two protocols: 1) URL 2) HTML
URL protocol - consists of three parts:
1) Scheme designation
2) The internet host and domain name of the resource hosting system
3) The location on that system of the resource document file.
E.g. HTTP://www.mcompany.com/home.html
HTML uses tags - Security enhancements can be done when sending data, cryptographic option to be negotiated and other options.
Secure Sockets Layer (SSL)
Adds security and reliability functions to an application, at the application level. But the Browser at one side and server on the other side negotiate their own security - SSL between application and transport layer encrypting data passing between the client and the server
Diagram

15 a) Write about the first virtual transaction process and confirm the transactions with reducing merchant risk.
Process of opening First Virtual (FV) Account for customer:
- Send the Registration Form with: Name - Email address (frequently accessed) - Notification address (CC) - Phone Number - Postal Address
- An e-mail will be received from FV with Account number and an application number
- Applicant will call a Toll Free Number through which the credit card number will be entered by the applicant as guided by the IVR
- FV responds by email and issues a modified A/C ID and debits $2 for the cost of setting up the A/C
Diagram explanation.

OR

b) Explain in detail about InfoHaus electronic payment system.
Offers to promote the participants' (merchants') information through the browsers / buyers on the Internet through: World Wide Web - ftp - Email distribution
Costs little to promote
Merchandise like: Recipes - Prose - Poetry - Drawings - Photographs - Shrink wrapped software
Exhibits and sells the Information through the InfoHaus services by downloading the product descriptions and the products to the InfoHaus Server
Setting up the Store:
- Is done through web, ftp or Email. Setting up using telnet is recommended for simplicity and use
- Login as user ih
- Forward details: Business Name - FV A/C ID - Email Address for the FV A/C - Preferred Currency - Preferred Language - Brief Introduction of the business - Description of InfoHaus business (max 60 characters) - Short textual description of yourself and your service.
- Confirm that the X11 window server you are using is running (workstation graphics terminal emulation)
- Choose the desired option from:
  N to register as a new InfoHaus merchant
  C to check in a new item to be sold individually
  M to set up a new magazine (subscription on per volume basis)
  B to set up a new boxed set (for a set of items as they become available)
  0 to quit
- Enter product details and wait for the confirmation
- Send the information product to the InfoHaus server, by email or ftp; the latter is better

SET - 2

St. Joseph's College of Engineering
Model Examinations II - March 2011

SUBJECT: E-COMMERCE
CODE: MC 9271
BRANCH: M.C.A
SEM: IV
DURATION: 3 hours
MAX. MARKS: 100

Answer all the Questions

PART A: (10 * 2 = 20 marks)

1. How does a digital currency support e-commerce?
Universally accepted - Transferable electronically - Divisible - Non-forgeable, non-stealable - Private - Anonymous (no one can identify the payer) - Work off-line (no on-line verification needed)

2. What is the role of internet servers in supporting e-commerce?
Server and Browser support e-commerce in: cryptographic scheme to be used - specific algorithm to be used - One way/Two way security.

3. State any two reasons which emphasize the need for electronic data interchange.
Money atomicity - Certified delivery

4. What are the types of online payment systems?
E-cash - Electronic wallets - Smart card - Credit card.

5. What is the functionality to be considered for online payment?
More efficient, eventually meaning lower prices - Lower transaction costs - Anybody can use it, unlike credit cards, and does not require special authorization

6. What is the need for server in e-commerce?
The server supports publication of network resources created with the Hypertext Markup Language using HTTP to respond to requests for resources over the internet.

7. Define S-HTTP.
Application level security. Content-Privacy-Domain header: Server-Browser negotiation

8. Define InfoHaus.
Public access information warehouse to be used in conjunction with the First Virtual Payment system.

9. What is meant by Cyber Coin?
Stored in CyberCash wallet, a software storage mechanism located on customer's computer. Used to make purchases between .25c and $10. PayNow -- payments made directly from checking accounts

10. List the functions and features of e-commerce.
Reliability - Security - Simplicity - Acceptability

PART B: (5 * 16 = 80 marks)

11. a) Explain in detail how the transaction is done using credit card.
Credit card
a. Used for the majority of Internet purchases
b. Has a preset spending limit
c. Currently most convenient method
d. Most expensive e-payment mechanism
   i. MasterCard: $0.29 + 2% of transaction value
e. Disadvantages
   i. Does not work for small amount (too expensive)
   ii. Does not work for large amount (too expensive)
Charge card
f. No spending limit
g. Entire amount charged due at end of billing period
Payment Acceptance and Processing
- Processing a Payment Card Order
- Setting Up Merchant Account
- Processing Payment Cards Online

OR

b) Explain the process of payment using E Cash.
1. Consumer buys e-cash from Bank
2. Bank sends e-cash bits to consumer (after charging that amount plus fee)
3. Consumer sends e-cash to merchant
4. Merchant checks with Bank that e-cash is valid (check for forgery or fraud)
5. Bank verifies that e-cash is valid
6. Parties complete transaction: e.g., merchant presents e-cash to issuing bank for deposit once goods or services are delivered
Issues:
- E-cash must allow spending only once
- Must be anonymous, just like regular currency
- Safeguards must be in place to prevent counterfeiting
- Must be independent and freely transferable regardless of nationality or storage mechanism
- Divisibility and Convenience
- Complex transaction (checking with Bank)
- Atomicity problem
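Added example (not part of the original answer key): a minimal Python model of steps 1 to 6 above showing how the bank's online check enforces "spending only once" and rejects counterfeit coins. The class and function names are hypothetical, and the bank's keyed MAC stands in for the signature a real scheme would use; this simplification does not give the payer anonymity.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Issuing bank: mints coins (steps 1-2) and validates them (steps 4-5)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret known only to the bank
        self._spent = set()                  # serial numbers already deposited

    def _tag(self, serial, amount):
        # MAC over serial and amount: changing either invalidates the coin.
        msg = f"{serial}|{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, amount):
        serial = secrets.token_hex(16)       # unpredictable serial number
        return {"serial": serial, "amount": amount,
                "tag": self._tag(serial, amount)}

    def verify_and_deposit(self, coin):
        expected = self._tag(coin["serial"], coin["amount"])
        if not hmac.compare_digest(expected, coin["tag"]):
            return "REJECT_FORGED"           # counterfeit or altered coin
        if coin["serial"] in self._spent:
            return "REJECT_DOUBLE_SPEND"     # same coin presented again
        # Validity check and spent-marking happen in one step, so a coin
        # cannot be accepted twice between "verify" and "deposit".
        self._spent.add(coin["serial"])
        return "ACCEPT"


class Merchant:
    """Merchant: forwards every received coin to the bank (steps 3-6)."""

    def __init__(self, bank):
        self.bank = bank
        self.received = 0

    def accept_payment(self, coin):
        result = self.bank.verify_and_deposit(coin)
        if result == "ACCEPT":
            self.received += coin["amount"]
        return result


def demo():
    # Constructed scenario: one honest payment, one replay, one altered coin.
    bank = Bank()
    shop = Merchant(bank)
    coin = bank.issue(5)
    first = shop.accept_payment(coin)
    replay = shop.accept_payment(dict(coin))
    forged = shop.accept_payment({**coin, "amount": 500})
    return first, replay, forged, shop.received


if __name__ == "__main__":
    print(demo())
```

The online check is what the answer lists as "Complex transaction (checking with Bank)": every payment needs a round trip to the issuer before the merchant can release goods.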

12. a) Compare and Contrast Netscape commerce server with Microsoft internet services.
Netscape
- Netscape Commerce Server
- SSL Security Breaches
- Brute Force Attacks
Microsoft
- Microsoft Internet Explorer
- Microsoft Internet servers

OR

b) Discuss in detail the methods of online commerce payment systems.
- Credit card-based methods: Credit card over SSL, First Virtual, SET
- Electronic Cheques - NetCheque
- Anonymous payments - Digicash
- Micropayments
- SmartCards - CAFE

13 a) Explain with diagram Secure Sockets Layer functionalities.
- SSL diagram
- SSL Record Specification
- Initiating an SSL session
- Other SSL Options

OR

b) Explain about S-HTTP message contents and about security negotiation Headers.
- S-HTTP
- S-HTTP Security Features
- Secure HTTP Data Transport
- Header Information
- HTTP Data
- Secure HTTP Header Lines
- S-HTTP Message Contents
- S-HTTP Security Negotiation Headers

14 a) Explain in detail about Cyber Cash Model.
- CyberCash
- CyberCash Model
- CyberCash security considerations
- Customer protection
- Using CyberCash
- CyberCash availability
- CyberCash client application

OR

b) A company proposes to develop a mobile application, to hold e-cash, info of customers, smart card identities and mandatory information for e-commerce transaction. Make a requirement analysis and list out the features to be implemented for the same. Draw a sequence diagram to show the purchasing process and the role of security algorithms for the reliable e-commerce transactions.
- Draw the sequence diagram
- Identify the objects in the scenario
- Find the events done by the objects
- Draw the life line between the objects with respect to the event flow.

15 a) Explain InfoHaus services and security considerations.
- InfoHaus
- InfoHaus services
- Installing an InfoHaus store
- Security considerations
- Encryption and cryptography

OR

b) Explain in detail about online commerce options for consumer and merchant and discuss its functions and features.
- Consumer choices
- Merchant choices
- Choosing functions and features: Reliability - Security - Simplicity - Acceptability
