security on the e-commerce site

Upload: joel-brown

Post on 04-Jun-2018


  • 8/13/2019 Security on the E-Commerce Site

    1/17

  • 2/17

    Cryptography results in the creation of cryptographic methods, known as cryptosystems:

    Symmetric cryptosystems use the same key (secret key) to encrypt (scramble) and decrypt (unscramble) a message

    Asymmetric or Public Key cryptosystems use two keys - one key (public key) to encrypt a message and a different key (private key) to decrypt it

    Symmetric cryptosystems are the easier of the two to implement, since only one key is required

    12/28/2013

  • 3/17

    Authentication is the digital process of verifying that people or entities are whom or what they claim to be

    Digital certificates are in effect virtual fingerprints, or retinal scans, that authenticate the identity of a person or thing in a concrete, verifiable way

  • 4/17

    A typical digital certificate is a data file of information, digitally signed and sealed using RSA encryption techniques, that can be verified by anyone and includes:

    The name of the holder and other identification information, such as e-mail address

    A public key, which can be used to verify the digital signature of a message sender previously signed with the matching mathematically unique private key

    The name of the issuer, or Certificate Authority

    The certificate's validity period

  • 6/17

    Digital certificates may be distributed online. Typical means of distributing certificates include:

    Certificate accompanying signature

    Directory service

    The decision to revoke a certificate is the responsibility of the issuing company

    2004 Joel Reedy and Shauna Schullo
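    The slides on cryptosystems, certificate contents and revocation (slides 2, 4 and 6) can be tied together in one worked example. The code below is added here and is not part of the original slide deck: it builds a miniature certificate with exactly the fields listed on slide 4, signs it with textbook RSA over a SHA-256 digest using the issuer's private key, and then runs the three checks a relying party performs (issuer signature, validity period, issuer's revocation list) before trusting the holder's public key to verify a message signature. The key sizes (32-bit primes), the unpadded signature, and all names, serials and dates are constructed for readability; real certificates use 2048-bit keys and padded signatures.

```python
"""Added example (not from the slides): a certificate in the shape slide 4 describes,
signed by an issuer with textbook RSA and checked the way a verifier would.
Constructed for teaching: 32-bit primes, no signature padding, made-up names."""
import hashlib
import json
import random

RNG = random.Random(2013)  # seeded so the example is reproducible


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n < 3.4e14."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(candidate):
            return candidate


def make_keypair(bits=32, e=65537):
    """Returns (public, private) as (n, e) and (n, d); d is the RSA private exponent."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(obj, n):
    """Canonical JSON -> SHA-256 -> integer below the modulus.
    Reducing mod n is a demo shortcut; real schemes pad the hash instead."""
    raw = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


def sign(obj, private):
    n, d = private
    return pow(digest(obj, n), d, n)


def verify(obj, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(obj, n)


def issue_certificate(issuer_priv, serial, holder, email, holder_pub, issuer, valid_from, valid_to):
    """The fields slide 4 lists, plus a serial so the issuer can revoke it later."""
    body = {"serial": serial, "holder": holder, "email": email,
            "public_key": list(holder_pub), "issuer": issuer,
            "valid_from": valid_from, "valid_to": valid_to}
    return {"body": body, "signature": sign(body, issuer_priv)}


def check_certificate(cert, issuer_pub, today, revoked_serials=()):
    """Returns 'ok' or the first failing check; ISO dates compare as strings."""
    body = cert["body"]
    if not verify(body, cert["signature"], issuer_pub):
        return "bad issuer signature"
    if not (body["valid_from"] <= today <= body["valid_to"]):
        return "outside validity period"
    if body["serial"] in revoked_serials:
        return "revoked by issuer"
    return "ok"


def demo():
    ca_pub, ca_priv = make_keypair()
    alice_pub, alice_priv = make_keypair()
    cert = issue_certificate(ca_priv, 7, "Alice Merchant", "alice@example.test",
                             alice_pub, "Example CA", "2013-01-01", "2014-12-31")
    results = {
        "valid": check_certificate(cert, ca_pub, "2013-12-28"),
        "expired": check_certificate(cert, ca_pub, "2016-01-01"),
        "revoked": check_certificate(cert, ca_pub, "2013-12-28", revoked_serials={7}),
    }
    # Slide 4: the public key in the certificate verifies what the holder signed
    order = {"item": "book", "qty": 1}
    results["order_signature"] = verify(order, sign(order, alice_priv),
                                        tuple(cert["body"]["public_key"]))
    # Any edit to the body breaks the issuer signature, so the verifier rejects it
    edited = {"body": dict(cert["body"], holder="Someone Else"), "signature": cert["signature"]}
    results["edited"] = check_certificate(edited, ca_pub, "2013-12-28")
    return results
```

    The check order in check_certificate matters in practice: the signature is verified first, because the validity period and serial are only trustworthy once the body is known to be the issuer's.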

  • 7/17

    SSL was introduced in 1995 by Netscape as a component of its popular Navigator browser and as a means of providing privacy with respect to information being transmitted between a user's browser and the target server, typically that of a merchant

    SSL establishes a secure session between a browser and a server

  • 8/17

    A channel is the two-way communication stream established between the browser and the server, and the definition of channel security indicates three basic requirements:

    The channel is reliable

    The channel is private

    The channel is authenticated

    By virtue of SSL's requirement of Transmission Control Protocol (TCP) as the transport mechanism, channel reliability is inherent

  • 9/17

    This encryption is preceded by a data handshake and has two major phases:

    The first phase is used to establish private communications, and uses the key-agreement algorithm

    The second phase is used for client authentication

    Limits of SSL

    While the possibility is very slight, successful cryptographic attacks made against these technologies can render SSL insecure
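    Slides 8 and 9 describe the handshake in two phases and the three channel requirements without showing the messages. The example below is added here and is not part of the original slide deck: it plays both ends of a reduced handshake in one process. Phase 1 agrees a key with Diffie-Hellman and the public values are the only thing an observer sees; phase 2 has each side prove it derived the same key with an HMAC "finished" message over the transcript; after that, each record is encrypted and authenticated, with per-direction keys and a sequence number so a replayed or altered record is rejected. The group (p = 2**127 - 1, g = 2), the SHA-256 counter keystream and the message layout are teaching stand-ins chosen for this example, not what SSL/TLS actually negotiates (standard groups or ECDH and an AEAD cipher).

```python
"""Added example (not from the slides): both halves of a simplified SSL-style
handshake followed by protected records. Group and keystream are stand-ins."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime: readable in a demo, far too small for real use
G = 2
TAG_LEN = 32


class Endpoint:
    def __init__(self, role):
        assert role in ("client", "server")
        self.role = role
        self._x = secrets.randbelow(P - 2) + 1  # ephemeral private exponent, never sent
        self.public = pow(G, self._x, P)        # value sent in the clear
        self.master = self.write_key = self.read_key = None
        self.send_seq = self.recv_seq = 0

    def agree(self, peer_public):
        """Phase 1: shared DH secret -> master key -> one key per direction."""
        shared = pow(peer_public, self._x, P)
        self.master = hashlib.sha256(b"master" + shared.to_bytes(16, "big")).digest()
        peer = "server" if self.role == "client" else "client"
        self.write_key = hashlib.sha256(self.master + self.role.encode()).digest()
        self.read_key = hashlib.sha256(self.master + peer.encode()).digest()

    def finished(self, transcript):
        """Phase 2: MAC over the handshake transcript under the master key."""
        return hmac.new(self.master, b"finished:" + self.role.encode() + transcript,
                        hashlib.sha256).digest()

    def check_finished(self, peer_role, transcript, tag):
        expected = hmac.new(self.master, b"finished:" + peer_role.encode() + transcript,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    @staticmethod
    def keystream(key, seq, length):
        """Counter-mode keystream from SHA-256; unique per (direction, sequence)."""
        out, block = b"", 0
        while len(out) < length:
            out += hashlib.sha256(key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
            block += 1
        return out[:length]

    def seal(self, plaintext):
        """Record = sequence number || encrypted body || HMAC tag."""
        seq = self.send_seq.to_bytes(8, "big")
        stream = self.keystream(self.write_key, self.send_seq, len(plaintext))
        body = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(self.write_key, seq + body, hashlib.sha256).digest()
        self.send_seq += 1
        return seq + body + tag

    def open(self, record):
        seq, body, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
        n = int.from_bytes(seq, "big")
        if n != self.recv_seq:
            raise ValueError("record replayed or out of order")
        expected = hmac.new(self.read_key, seq + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # verify before decrypting
            raise ValueError("record tampered")
        self.recv_seq += 1
        return bytes(a ^ b for a, b in zip(body, self.keystream(self.read_key, n, len(body))))


def flip_byte(record, index):
    damaged = bytearray(record)
    damaged[index] ^= 1
    return bytes(damaged)


def demo():
    client, server = Endpoint("client"), Endpoint("server")
    # Phase 1: only the public values cross the wire
    client.agree(server.public)
    server.agree(client.public)
    transcript = client.public.to_bytes(16, "big") + server.public.to_bytes(16, "big")
    # Phase 2: each side checks the other's 'finished' before sending application data
    handshake_ok = (server.check_finished("client", transcript, client.finished(transcript))
                    and client.check_finished("server", transcript, server.finished(transcript)))
    results = {"handshake_ok": handshake_ok, "keys_match": client.master == server.master}
    record = client.seal(b"GET /checkout HTTP/1.0")
    results["private"] = b"checkout" not in record  # not readable on the wire
    results["received"] = server.open(record)
    # The channel rejects a replayed record and a record altered in transit
    for name, bad in (("replay", record), ("tamper", flip_byte(client.seal(b"order=book"), 12))):
        try:
            server.open(bad)
            results[name + "_detected"] = False
        except ValueError:
            results[name + "_detected"] = True
    return results
```

    Two details carry over to real deployments: keys are derived per direction so the two sides never reuse a keystream, and the tag is checked before anything is decrypted or delivered.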

  • 10/17

    In 1996, MasterCard and Visa announced the development of a single technical standard for safeguarding payment card purchases made over open networks called Secure Electronic Transaction (SET).

    Since 1996, both Visa and MasterCard have continued their search for better security to reassure online consumers and merchants. To this end, both now have special programs that allow a cardholder to set a password to protect their card from unauthorized use. This process protects both the consumer and the merchant.

  • 11/17

    SET sought to bolster confidence by mitigating the security risks in SSL

    SET ensured that merchants were authorized to accept credit card payments, thus reducing risks associated with merchant fraud

    SET ensured that the purchaser was an authorized user of the payment card

  • 12/17

    While the goal of SSL is to reduce the likelihood of communication interception, the goal of SET is to reduce the likelihood of fraud

    SET provides the special security needs of electronic commerce with the following:

    Privacy of payment data and confidentiality of order information transmission

    Authentication of a cardholder for a branded bank card account

    Authentication of the merchant to accept credit card payments

  • 14/17

    The process continued

    Instead of typing in the credit card number, the browser wallet is queried by the Web site SET software and, following selection of the appropriate credit card and entry of its password by the consumer, the bank-issued digital credit card is submitted to the merchant

    The merchant receives the digital credit card in a digital envelope

    The merchant software then sends the SET transaction to a credit card processor (also known as a payment gateway application or acquirer) for verification

  • 15/17

    The process continued

    The financial institution performs functions on the transaction including authorization, credit and capture (voiding and refund) reversals

    Following successful processing, the merchant, cardholder, and credit card processors are all advised electronically that the purchase has been approved

    Following this notification, the cardholder is debited and the merchant is paid through subsequent capture transactions

    The merchant can then ship the merchandise, knowing that the customer transaction is approved
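    Slides 10, 11, 14 and 15 describe what the processor checks and in what order: the merchant must be enrolled to accept cards, the cardholder must prove the password set on the card, and only then does the authorize / capture / void / refund sequence run. The example below is added here and is not part of the original slide deck: it models those rules as a small payment-gateway object whose methods refuse out-of-order or over-limit operations. It models the rules only; SET's actual message formats, digital envelopes and certificates are not reproduced, and every merchant, card identifier, password and amount is constructed.

```python
"""Added example (not from the slides): processor-side checks for the SET flow,
modelled as a state machine. Identifiers and amounts are constructed."""
import hashlib
import hmac
import secrets


class PaymentGateway:
    def __init__(self):
        self.merchants = set()   # merchants authorized to accept card payments (slide 11)
        self.cards = {}          # card id -> (salt, hash of the cardholder's password)
        self.transactions = {}   # auth id -> lifecycle record

    def enroll_merchant(self, merchant_id):
        self.merchants.add(merchant_id)

    def enroll_card(self, card, password):
        """Slide 10: the cardholder sets a password; only a salted hash is stored."""
        salt = secrets.token_bytes(16)
        self.cards[card] = (salt, self.hash_password(password, salt))

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def authorize(self, merchant_id, card, password, amount):
        """Approve or decline; nothing is debited until capture."""
        if merchant_id not in self.merchants:
            return None, "merchant not authorized to accept card payments"
        if card not in self.cards:
            return None, "unknown card"
        salt, stored = self.cards[card]
        if not hmac.compare_digest(stored, self.hash_password(password, salt)):
            return None, "cardholder verification failed"
        auth_id = f"auth-{len(self.transactions) + 1}"
        self.transactions[auth_id] = {"merchant": merchant_id, "card": card,
                                      "authorized": amount, "captured": 0,
                                      "refunded": 0, "state": "authorized"}
        return auth_id, "approved"

    def capture(self, auth_id, amount):
        """Debits the cardholder and pays the merchant, up to the authorized amount."""
        tx = self.transactions[auth_id]
        if tx["state"] != "authorized":
            return f"cannot capture a {tx['state']} transaction"
        if amount > tx["authorized"]:
            return "capture exceeds authorized amount"
        tx["captured"], tx["state"] = amount, "captured"
        return "captured"

    def void(self, auth_id):
        """Reversal before capture; after capture the only reversal is a refund."""
        tx = self.transactions[auth_id]
        if tx["state"] != "authorized":
            return f"cannot void a {tx['state']} transaction"
        tx["state"] = "voided"
        return "voided"

    def refund(self, auth_id, amount):
        tx = self.transactions[auth_id]
        if tx["state"] != "captured":
            return f"cannot refund a {tx['state']} transaction"
        if amount > tx["captured"] - tx["refunded"]:
            return "refund exceeds captured amount"
        tx["refunded"] += amount
        return "refunded"


def demo():
    gw = PaymentGateway()
    gw.enroll_merchant("books-r-us")
    card = "card-0002"  # constructed identifier, not a card number
    gw.enroll_card(card, "correct horse")
    results = {}
    results["unknown_merchant"] = gw.authorize("pop-up-shop", card, "correct horse", 50)[1]
    results["wrong_password"] = gw.authorize("books-r-us", card, "guess", 50)[1]
    auth_id, results["approved"] = gw.authorize("books-r-us", card, "correct horse", 50)
    results["over_capture"] = gw.capture(auth_id, 80)
    results["capture"] = gw.capture(auth_id, 50)   # merchant may now ship (slide 15)
    results["void_after_capture"] = gw.void(auth_id)
    results["refund"] = gw.refund(auth_id, 20)
    results["over_refund"] = gw.refund(auth_id, 40)  # only 30 remains capturable
    return results
```

    The ordering on the slides is preserved by the state field: shipping is tied to an approved authorization, money moves only at capture, and a transaction that has been captured can be reversed only by refund, never by void.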

  • 16/17

    Limitations of SET and SSL

    A downside of both SSL and SET protocols is that they both require the use of cryptographic algorithms that place significant loads on the computer systems involved in the commerce transaction

    For the low and medium e-commerce applications, there is no additional server cost to support SET over SSL

    For the large e-commerce server applications, support of SET requires additional hardware acceleration in the range of a 5 to 6% increase in server costs

    For small payment gateway applications using SET, hardware acceleration is also required

  • 17/17

    Thus, the conclusion is that SET has a definitive security component that very clearly represents an advance in technology over SSL, and that any deficits that may be related to performance will quickly be rendered minor as hardware-based processing technology rapidly advances