Security on the E-commerce Site

12/28/2013

Cryptography results in the creation of cryptographic methods, known as cryptosystems:

Symmetric cryptosystems use the same key (secret key), to encrypt (scramble) and decrypt (unscramble) a message Asymmetric or Public Key cryptosystems, use two keys - one key (public key) to encrypt a message and a different key (private key) to decrypt it

Symmetric cryptosystems are the easier of the two to implement, since only one key is required

12/28/2013

Authentication is the digital process of verifying that people or entities are whom or what they claim to be Digital certificates are in effect virtual fingerprints, or retinal scans that authenticate the identity of a person or thing in a concrete, verifiable way

12/28/2013

A typical digital certificate is a data file of information, digitally signed and sealed using RSA encryption techniques, that can be verified by anyone and includes:

The name of the holder and other identification information, such as e-mail address A public key, which can be used to verify the digital signature of a message sender previously signed with the matching mathematically unique private key The name of the issuer, or Certificate Authority The certificates validity period

12/28/2013

To create a digital certificate for an individual, the identity of the person, device, or entity that requests a certificate must be confirmed. This is typically accomplished through a combination of the following:

Personal presence Identification documents

12/28/2013

Digital certificates may be distributed online. Typical means of distributing certificates include:

Certificate accompanying signature Directory service

The decision to revoke a certificate is the responsibility of the issuing company

12/28/2013

2004 Joel Reedy and Shauna Schullo

SSL was introduced in 1995 by Netscape as a component of its popular Navigator browser and as a means of providing privacy with respect to information being transmitted between a users browser and the target server, typically that of a merchant SSL establishes a secure session between a browser and a server

12/28/2013

A channel is the two-way communication stream established between the browser and the server, and the definition of channel security indicates three basic requirements:

The channel is reliable The channel is private The channel is authenticated

By virtue of SSLs requirement of Transmission Control Protocol (TCP) as the transport mechanism, channel reliability is inherent

12/28/2013

2004 Joel Reedy and Shauna Schullo

This encryption is preceded by a data handshake and has two major phases:

The first phase is used to establish private communications, and uses the key-agreement algorithm The second phase is used for client authentication While the possibility is very slight, successful cryptographic attacks made against these technologies can render SSL insecure

Limits of SSL

12/28/2013

In 1996, MasterCard and Visa announced the development of a single technical standard for safeguarding payment card purchases made over open networks called Secure Electronic Transaction (SET). Since 1996, both Visa and MasterCard have continued their search for better security to reassure online consumers and merchants. To this end, both now have special programs that allow a cardholder to set a password to protect their card from unauthorized use. This process protects both the consumer and the merchant.

12/28/2013

SET sought to bolster confidence by mitigating the security risks in SSL SET ensured that merchants were authorized to accept credit card payments, thus reducing risks associated with merchant fraud SET ensured that the purchaser was an authorized user of the payment card

12/28/2013

While the goal of SSL is to reduce the likelihood of communication interception, the goal of SET is to reduce the likelihood of fraud SET provides the special security needs of electronic commerce with the following:

Privacy of payment data and confidentiality of order information transmission Authentication of a cardholder for a branded bank card account Authentication of the merchant to accept credit card payments

12/28/2013

The purchasing process

A merchant applies for, and receives, an account with an issuing bank, just as they would apply for a normal credit card merchant account A consumer makes an application to an issuing bank for a digital credit card, which is a digital certificate that has been personalized for the credit card-holder After the consumer receives her digital credit card, she adds it to her browser wallet The consumer browses the Web at a particular site and at checkout time, the Web site asks for the shoppers credit card

12/28/2013

The process continued

Instead of typing in the credit card number, the browser wallet is queried by the Web site SET software and, following selection of the appropriate credit card and entry of its password by the consumer, the bank-issued digital credit card is submitted to the merchant The merchant receives the digital credit card in a digital envelope The merchant software then sends the SET transaction to a credit card processor (also known as a payment gateway application or acquirer) for verification

12/28/2013

The process continued

The financial institution performs functions on the transaction including authorization, credit and capture (voiding and refund) reversals Following successful processing, the merchant, cardholder, and credit card processors are all advised electronically that the purchase has been approved Following this notification, the cardholder is debited and the merchant is paid through subsequent capture transactions The merchant can then ship the merchandise, knowing that the customer transaction is approved

12/28/2013

Limitations of SET and SSL

A downside of both SSL and SET protocols is that they both require the use of cryptographic algorithms that place significant loads on the computer systems involved in the commerce transaction For the low and medium e-commerce applications, there is no additional server cost to support SET over SSL For the large e-commerce server applications, support of SET requires additional hardware acceleration in the range of a 5 to 6% increase in server costs For small payment gateway applications using SET, hardware acceleration is also required

12/28/2013

Thus, the conclusion is that SET has a definitive security component that very clearly represents an advance in technology over SSL, and that any deficits that may be related to performance will quickly be rendered minor as hardware-based processing technology rapidly advances

12/28/2013