set cryptography and e-commerce
TRANSCRIPT
-
8/3/2019 SET Cryptography and E-commerce
1/37
Secure Electronic Transactionsin E-Commerce
Cryptography & Electronic Commerce
Due Date 13th
Feb 2006
Peter Davies B.Sc - 05004306
MSc Information Security & Computer Crime
-
8/3/2019 SET Cryptography and E-commerce
2/37
University of Glamorgan Cryptography & Electronic Commerce
2
AbstractThis report has been prepared to critically examine the various techniques and protocols
for providing a secure method of electronic communication with an aim to making
electronic commerce a more viable concept.
By examining present e-commerce practices, this report will demonstrate how Secure
Electronic Transaction (SET) as a protocol will enable businesses and end-users to make
payments online with the assurance that security was a main design requirement.
Using modern cryptographic, certification and authentication techniques, this report will
identify using an introduction to the SET protocol how in the future transactions will besecured.
-
8/3/2019 SET Cryptography and E-commerce
3/37
University of Glamorgan Cryptography & Electronic Commerce
3
ContentsAbstract............................................................................................................................... 2
Contents .............................................................................................................................. 3
Introduction......................................................................................................................... 5Why do we need web security ........................................................................................ 7
Security Vs Availability.................................................................................................. 9
Available Protocols & Authentication Techniques........................................................... 10
Existing Infrastructure .................................................................................................. 10Internet Protocol........................................................................................................ 12
Transmission Control Protocol ................................................................................. 13
Transport Layer Security Solutions (SSL / TLS / PCT)........................................... 13Protocol Failures........................................................................................................... 14
SET Secure Electronic Transactions.............................................................................. 16
What is SET? ................................................................................................................ 16
History....................................................................................................................... 16Overview................................................................................................................... 17
Versions of the Protocol............................................................................................ 17
Requirements ............................................................................................................ 17Certification Principles ................................................................................................. 18
One-way or Two-way Certification .......................................................................... 19
Certificate Revocation List (CRL)............................................................................ 19X.509 Certificate Revocation Lists........................................................................... 20
SET in Detail................................................................................................................. 21
Participants................................................................................................................ 21Software Components............................................................................................... 22
Hashing Principle...................................................................................................... 23Making a Purchase.................................................................................................... 23Shopping Online with SET....................................................................................... 26
SET Extensions............................................................................................................. 27
Elliptic Curve Cryptography..................................................................................... 27
Chip and PIN............................................................................................................. 27Biometrics ................................................................................................................. 28
Version 2 Details........................................................................................................... 29
Functionality Enhancements..................................................................................... 29Encryption Alternatives ............................................................................................ 29
Certification Enhancements...................................................................................... 29
Order Enhancements................................................................................................. 29Payment Enhancements ............................................................................................ 29
Transaction Processing Enhancements ..................................................................... 29
Non-repudiation Facilities ............................................................................................ 30
SSL - Secure Socket Layer ....................................................................................... 30SET - Secure Electronic Transactions ...................................................................... 30
Other Protocols ......................................................................................................... 30
Conclusion ........................................................................................................................ 31
-
8/3/2019 SET Cryptography and E-commerce
4/37
University of Glamorgan Cryptography & Electronic Commerce
4
Needs of e-buyers and e-vendors.................................................................................. 31
In Terms of the Technical Details of the Protocol........................................................ 31Infrastructure required to support it .............................................................................. 32
Application to Business ................................................................................................ 32
Summary....................................................................................................................... 34
References......................................................................................................................... 35Bibliography ................................................................................................................. 35
Journals ......................................................................................................................... 36Footnotes....................................................................................................................... 36
-
8/3/2019 SET Cryptography and E-commerce
5/37
University of Glamorgan Cryptography & Electronic Commerce
5
IntroductionIn the year 2000 it was estimated that 384 trillion dollars1 was transferred electronically
throughout Europe alone. Although this is an enormous figure, retail electronic commerce
(e-commerce) barely generates a quarter of a percent of this global sales amount. Despitethe dotcom bomb failure of the late nineties, a steady increase in the number of users
online resulted in a huge surge of electronic purchases which could mainly be attributed
to the fact that we now have fifty-five percent (12.9 million) of Britains households
connected to the Internet2. The same National Statistics Omnibus Survey reported that
sixty-three percent of people aged 25 to 44 had bought or ordered goods, tickets or
services online.
As well as this mammoth increase, as users of a global community, they are becoming
more and more aware of security threats to themselves, and more importantly, the
security of the information such as credit card details they leave with online retailers (e-
tailors). Deloittes 2004 Global Security Survey3
revealed that eighty-three percent ofsurvey respondents acknowledged that their systems had been compromised in the past
year, compared to thirty-nine percent in 2003. Furthermore, forty percent of respondents
whose systems were attacked said they sustained financial losses.
To demonstrate the reality of these statistics, more and more businesses are converting
their legacy sales systems to more bleeding-edge online equivalents. As a result, webapplication development techniques must be implemented to create a visual front-end to
these shops. Whether or not the developers know of the flaws they introduce, it is
difficult to manage a myriad of open source products such as the Secure Socket Layerprotocol (SSL) over which they have no direct control, and in some cases, no
understanding of how it works.
The present-day common protocol for secure online communication is Secure Socket
Layer (SSL) which in its simplest form provides end to end encryption between browser
and server. The majority of household users are not aware of this protocol but understand
that when the browser has a padlock in the bottom right-hand corner their transaction issecure. The problem with this protocol is not with its design, more with how it is applied
on the Internet. Take for example the scenario of an online merchant selling some
products. On purchasing one of these products, the merchant believes that the credit carddetails they obtained will be captured and processed securely, but at no point can the
merchant prove that a user has entered their own card details. The merchant also cant
guarantee the security of the machine that contains the credit card details.
This is the basis of the principles behind Secure Electronic Transaction (SET); aiming to
create a standardised mechanism for secure electronic commerce.
-
8/3/2019 SET Cryptography and E-commerce
6/37
University of Glamorgan Cryptography & Electronic Commerce
6
Secure Electronic Transaction as a series of protocols has been designed to introducenon-repudiation into a SSL style environment, that is, to solve the problem of proving a
single user instigated an action through a clear audit trail. In a more generalised sense,
Merkow, Mark S., Jim Breithaupt, and Ken L. Wheeler in their bookBuilding SET
Applications for Secure Transactions (1998) describe how this new technology willaffect our lives:
Secure Electronic Transactions (SET) will help make the new "industrial
revolution" a reality in the 21st century, this time without smokestacks or
assembly lines
and now provides the mechanism to unleash explosive and unlimited global
commerce the likes of which the world has never before seen.
The rest of the report has been divided into sections covering areas of general security on
the Internet, current protocols and authentication techniques. It then finally discusses SETwith aim to provide a general introduction to the protocols involved for anybodywishing to learn more about the subject. The main objective of this report is to develop a
greater understanding of SET and its position within todays e-commerce infrastructure,
and as a result it will need to highlight the technologies presently required to make secureelectronic transactions on the World Wide Web.
-
8/3/2019 SET Cryptography and E-commerce
7/37
University of Glamorgan Cryptography & Electronic Commerce
7
Why do we need web security
More and more businesses are deciding to complete electronic transactions online,
whether through bank facilities or simply selling goods online. Each transactionalsituation should have a risk assessment carried out within the organisation to discoverareas of risk and potential security loop holes that may cause harm to the company.
Within this assessment, risk should be weighed against the potential cost of a security
incident/breach, and thus this now introduces two levels to risk assessment:
1. What do we protect against?a. password disclosure leading to masquerade attackb. social engineering attacksc. theft of credit details
2. What are the possible consequences?a. loss of some businessb. loss of credibilityc. gain of liability
As commented earlier, potential risks must be weighed against its consequence, for
instance it would not be feasible to secure an online shopping cart system if the cost ofsecuring the item outweighed that of the potential security breach, thus it may not be
feasible to protect. But in reality, security breaches are whole business problems and
for an online shop to be compromised and credit details lost, would as a result be
detrimental to the reputation of the organisation.
One generally accepted approach to follow is suggested by Fites, et. al. [Fites 1989] and
subsequently summarised by the 1997 Site Security Handbook (RFC2196) that includesthe following steps4.
1. identify what you are trying to protect2. determine what you are trying to protect it from3. determine how likely the threats are4. implement measures which will protect your assets in a cost-effective manner5. review the process continuously and make improvements each time a weakness is
found
-
8/3/2019 SET Cryptography and E-commerce
8/37
University of Glamorgan Cryptography & Electronic Commerce
8
Under every circumstance the organisation should base their objectives around theconcept of authorisation, which is describing who is allowed to access whatand in what
manner5. This concept of authorisation is drawn from the CIA model, which has been
developed from a need for standardisation. Its three main sections that describe its
acronym are
6
:
Confidentialityprotecting information from unauthorised access and disclosure
Integritysafeguarding the accuracy and completeness of information and processing
methods
Availability
ensuring that information and services are available to authorised users
Only after understanding the weaknesses within the current e-commerce system, can wedevelop new protocols and authentication techniques to counteract the threats. Thus, after
understanding and applying the CIA trust model it is possible for a business to determine
which security architecture to implement. The protocols and non-repudiationcharacteristics of these technologies will be examined later in this report.
There are basically nine different threats to security on the Internet as identified by
numerous security expertsi:
1. Denial Of Service preventing access to a particular system2. Eavesdropping listening to a particular transmission3. Masquerade pretending to be someone else4. Modification using a combination of 1,2,3 to change data5. Traffic Analysis monitoring how much data is transferred6. Replay transmitting multiple copied packets7. Repudiation claiming you never sent anything8. Social Engineering attacking the weakest element, humans9. External Factors poor programming, protocol design
The Internet is particularly vulnerable from, or can facilitate, the majority of the above
threats due to the inherently insecure nature of the Internet Protocol (IP). The data withina datagram (including the header information) is sent in plain text and at the same time
the information within a datagram is never validated therefore you cannot prove a
particular user sent any specific piece of data. The Internet Protocol and its specificrelevance to e-commerce will be described later in this report.
iThis list is a collaboration of lecture notes from Blyth, A and Young, A subsequently summarised
-
8/3/2019 SET Cryptography and E-commerce
9/37
University of Glamorgan Cryptography & Electronic Commerce
9
Security Vs Availability
When developing web applications such as shopping carts, the developer and the clientneed to agree at which level they are willing to accept that there is a conflict between the
business requirements and the security requirements. In essence one must takeprecedence over the other, where the agreed trade off is the decision on which one ofthese should take precedence and why.
An example of security versus availability in the context of this report is the downtimeof the server running the shopping cart application. If a user tries to access the resources
that it needs but these are not available due to downtime, then the business could start
losing clients because the service they seek to access is not available. Because the
Internet provides 24 hour business access from anywhere in the World it is likely thatthese clients would then go elsewhere to obtain the service they require.
For a company to deploy a security infrastructure it needs to take in to considerationmany factors that may affect its business. If too much emphasis is placed on the security
of a web-based application, availability could then become an issue, but the aim of such
protocols such as SSL (secure socket layer) or SET (secure electronic transaction) is tointroduce a mechanism for compromise. If the security of the transmission between the
server and the users browser is secured using encryption, businesses can then
concentrate on maintaining availability.
When implementing security into web applications we need to ask what affect the new
security infrastructure will have on the business operation. Case in hand, will it affect the
networks in terms of service or working practices? For example with a payment
infrastructure in place, you now have a single point of failure, a target which if it wereattacked, would prevent the business from operating. At this stage you would be
considering redundant servers, with advanced Intrusion Detection Systems (IDS) to helpidentify potential security threats. If the payment gateway is external to the organisation,
such as with a third party, the business would need to examine the Service Level
Agreement (SLA) to determine what assurances are given in case the payment gatewaysown systems are attacked (for instance, a denial of service attack).
-
8/3/2019 SET Cryptography and E-commerce
10/37
University of Glamorgan Cryptography & Electronic Commerce
10
Available Protocols & Authentication Techniques
Existing Infrastructure
At the beginning of this report it was identified that businesses should use risk assessmentand as a result we need to consider a range of solutions that could solve the problems
identified. By taking into account all the solutions available it will be possible to assesseach one based on its strengths and weaknesses and how it may or many not fit within an
organisations structure.
Using the distinguishing factors of each solution it would become easier to see how it
could be applied within an organisation. For example, the following three scenarios
provide an overview of several current technologies:
1. Choose Public Key Infrastructure (PKI) if you need the following facilities
o non-repudiationo scalability
2. Choose SSL Digital Certificates if you needo secure online transactionso existing infrastructure
3. Choose SET if you needo secure online transactionso non-repudiationo integrity of transmitted data
Whether or not a new technique is developed for creating a secure means of purchasing
goods online, the system has to be built on a pre-existing network infrastructure called
TCP/IP.
TCP/IP is a suite of data communications protocols developed around the idea of world-
wide communication. Based on the ISO-OSI seven layer model of allowing applicationsoftware to communicate on different system architectures, the data is sent down the
stack when it is sent to the net, and then up the stack when it is being received from the
network (see diagram on following page). As a result, any e-commerce payment structure
must be capable of using the same network infrastructure for its end-to-end
communication.
All software that is run on an operating system uses the application layer forcommunication. So for purchases online using any of the suggested techniques: PKI, SSL
or SET, requires the use of the existing TCP/IP protocol suite.
-
8/3/2019 SET Cryptography and E-commerce
11/37
University of Glamorgan Cryptography & Electronic Commerce
11
As you can see from the above diagram, the TCP model is difficult to map to an existing
model, especially as it is constructed with only four layers.
When the International Standard Organisation (ISO) developed the Open System
Interconnect (OSI) model, they had hoped that it would be adopted as the standard, butthe TCP/IP system had already been implemented by the American Department of
Defence with an aim to provide interconnectivity over adhering to rigid model
requirements.
The main difference between the two standards is that TCP/IP cannot guarantee that the
data sent will in fact arrive at its destination. To solve this issue, a subsequent protocol
called the User Datagram Protocol (UDP) was added to the suite to provide applicationlevel communication.
Application
Presentation
Session
Transport
Link
Physical
Application
Transport
Network
Data
Link
OSIModelOSIModelOSIModelOSIModel TCPModelTCPModelTCPModelTCPModel
Consistofapplicationsand
processesthatusethe
Internet
Providesend-to-enddata
deliveryservices
Definesthedatagramand
handlestheroutingofdata
Consistsofroutinesfor
accessingphysical
networks
Network
-
8/3/2019 SET Cryptography and E-commerce
12/37
University of Glamorgan Cryptography & Electronic Commerce
12
Internet Protocol
Internet Protocol (IP) is a connectionless protocol in that the datagram is constructed andsent, and the sender has no idea whether it was delivered correctly (as this was a
subsequent development of the Transmission Control Protocol).
Each level within a datagram has a header (above diagram). With IP, this header has
many fields but the most significant are the following that allow routers and switches to
direct the transmitted data to and from its destination:
Source IP address
Destination IP address
Datagram ID
TTL (time to live)
The current IP protocol is running at version 4 providing several billion IP addresses, but
as the growth of the Internet has increased exponentially over the past few years, a newsolution to solve this issue is to be introduced. The IPv6 development has been
introduced to solve some of the flawed entries of the previous version. It provides
streamlined headers removing some of the more superfluous fields and replacing them
with additional support for packet routing, and now with extended address reservation forIP addresses up to 128bits long. This is a substantial increase from version four which
contained several unused fields and support for only 4,294,967,295 unique addresses. The
most important addition to this new version is the built-in security for authentication andencryption solving the previous versions lack of non-repudiation support. Unlike the
present version, IPv6 provides a facility for encryption prior to generation of the
authentication data in the header field. This is achieved using Cipher Block Chaining(CBC) which is part of the Data Encryption Standard (DES).
-
8/3/2019 SET Cryptography and E-commerce
13/37
University of Glamorgan Cryptography & Electronic Commerce
13
Transmission Control Protocol
The Transmission Control Protocol (TCP) is a connection-orientated protocol usinghandshakes to initialise communication using flow control for data transfer. Data is
streamed after a data connection is made, and then it utilises sliding windows techniquesto transport data. Each packet that is transmitted across a network contains a sequencenumber so that it is easy to acknowledge the receipt of one packet, and thus determine if
any packets are missing and need retransmitting.
As can been seen by the diagram on the previous page, TCP packets are encapsulated inthe IP payload, and with each layer you also get a header. For TCP the header is used to
direct data to specific ports for particular applications.
Transport Layer Security Solutions (SSL / TLS / PCT)
As discussed previously, the present version of IP provides no direct encryption processas a result Netscape published the first implementation of Secure Sockets Layer (SSL)
back in 19967. At the time of release, Netscape were the leading web browser vendor and
subsequently SSL became the industry standard. The final release of SSL was version 3,at which stage it was released as an open standard so that it could be improved upon by
the Internet community.
Not wanting to be left out of the browser market, Microsoft developed an incompatible
proprietary protocol called Private Communications Technology (PCT) which was a
direct challenge to SSL version 2. As Netscape were the dominant browser vendor at thetime, the protocol never really took off, despite claims that it had much better security.
When SSL version 3.1 was released it became known as TLS version 1, and quickly
adopted by all major browser vendors. For the purposes of this report, when SSL isdiscussed, the actual transport layer security being used would be the latest TLS version
1.18.
-
8/3/2019 SET Cryptography and E-commerce
14/37
University of Glamorgan Cryptography & Electronic Commerce
14
Protocol Failures
The first item that many protocols fail to achieve is to enhance the procedures already inplace. For example SET improves upon SSL in regards to transactions in almost every
way; however it is still not widely used. The reason for this lack of adoption is becausethe infrastructure it needs to survive is complicated and needs third party assistancewhereas SSL has an infrastructure already in place as it uses items that the Internet
already possesses as its platform (browsers and web servers).
So a sound infrastructure is important, however the infrastructure also needs to be
scalable so that it can be distributed across the Internet. For example this is why PGP
(Pretty Good Privacy) as a certification protocol worked and has become a standard for
both e-mail and general secure electronic communication. PGP only fails for e-commercepurposes because it uses what is classified as a web of trust; allowing any entity to
certify another. This introduces little control over the structure of the trust model, and is
why for e-commerce something hierarchal was developed. Further information on trustmodels appears in the certification section later in this report.
Additionally, the protocol must be vendor independent, for example S/MIME allowsusers to send email messages to other people regardless of their email client. PGP-Mime
however is not supported by all clients and thus has not succeeded to gain common
usage.
So we can see that certain attributes are essential to creating a good protocol, in
particular:
adaptable infrastructure scalability
non-bias to vendors
standards
-
8/3/2019 SET Cryptography and E-commerce
15/37
University of Glamorgan Cryptography & Electronic Commerce
15
As previously described, without some form of data encryption, the TCP/IP protocolscommunicate in plain text. Using software called a sniffer enables you to eavesdrop
on network traffic. The diagram below showing a simplified view of this process.
The only solution to the above scenario is to implement SSL or IPSEC to encryptnetwork traffic. By encrypting the traffic it still wont avoid the possibility of a man inthe middle attack, it will simply prevent examination of the data that is captured. To
illustrate this further, if an attacker could break the encryption through a brute-forcepassword crack, the data revealed would most likely be out-of-date, and therefore useless.
Alice Bob
Eve
Hub
DataCommunication
UnknowntoAliceandBob,
Eveislisteningtoall
transmittedtrafficonthe
network.
Eve
EncryptedEncryptedEncryptedEncryptedDataCommunicationDataCommunicationDataCommunicationDataCommunication
Evecanstilllistenfor
trafficbutcannolonger
interpretthedata.
Alice
Hub
Bob
-
8/3/2019 SET Cryptography and E-commerce
16/37
University of Glamorgan Cryptography & Electronic Commerce
16
SET Secure Electronic TransactionsThe following detail has been collated from three main sources to try and help explain
how SET is implemented and to demonstrate which participants are involved.
The main criticism of this report topic is the lack of readable documentation on either the
Internet or in printed form, but despite this brick wall, there were several useful
resources I have found:
The first book Using SET for Secure Electronic Commerce written by Drew,
Grady N. (1998) provides an extremely coherent description of the inner-
workings of SET.
The second book Building SET Applications for Secure Transaction written by
Merkow, Mark S., Breithaupt, Jim, and Wheeler, Ken L. (1998) gives a more
technical approach to setting SET in a business environment.
The final source of SET related material was obtained from various lectures notes
written by Young, Andrew (2001) at the University of Salford.
What is SET?
History
Originally SET was joint specification between VISA and MasterCard but there were
also many other organisations involved in developing the infrastructure including
Microsoft, IBM, Netscape and VeriSign. The SET project started development back in1996 and was officially proposed as a standard in February that year.
Prior to the formal specification of SET, there were initially two contenders for the
development of a secure method of transaction online. These separate developments
were:
1. Secure Transaction Technology (STT) developed by VISA and Microsoft in 19952. Secure Electronic Payment Protocol (SEPP) developed by MasterCard, Netscape
and IBM around the same time as STT
The main concern brought to attention by the Internet Engineering Task Force (IETF)was that the two systems were incompatible and that despite both claiming that they wereopen source, neither could be endorsed by the IETF because the standardisation process
was performed outside their control. Finally, the banks forced the two groups to develop
what we now classify as version 1.0 of SET, which itself was released on May 31st
1997.
-
8/3/2019 SET Cryptography and E-commerce
17/37
University of Glamorgan Cryptography & Electronic Commerce
17
Overview
SET is a protocol for allowing secure transactions to take place on the Internet. It is based
on the idea that the merchant and the end-user dont directly transfer funds, but they use a
third party (payment gateway). It provides a set of protocols and formats that allow users
to securely use the existing credit card payment infrastructure on the Internet.
Defined by the SET protocol is a series of messages with content and format as specified
by the Abstract Syntax Notation One (ASN.1) for communication between each of theparticipants. ASN provides a mechanism for describing the complex objects within theSET architecture, just like object-orientated programming (OOP) has helped enhance
software development.
Versions of the Protocol
Version 1 of the protocol is discussed here; at the end of this report, various extensions
will be examined, together with the proposed version 2 (which itself incorporates some of
the extensions).
Requirements
Based mainly on business requirements, the IETF determined that for the SET protocol to
work it should satisfy the following:
Confidentiality of payment and ordering information
Integrity of transmitted data
Authentication that cardholder is a legitimate user of the card account
Authentication that a merchant can accept credit card transactions
Open, vendor-independent and interoperable to protect all participants
The bullets above are primarily based around the CIA model discussed during the
introduction of this report. Each point is fairly reliant on the use of digital certificates for
proving a user is who they say they are. The following section will describe how simple
certification works, and how trust models can be developed by understanding therelationships between each of the entities.
-
8/3/2019 SET Cryptography and E-commerce
18/37
University of Glamorgan Cryptography & Electronic Commerce
18
Certification Principles
A certificate is basically a signed statement that something is true, and in a technicalsense provides the following facilities:
a document that is un-forgeable
a document that is tamperproof
As an Internet based technology, both SSL and SET use its principles for determining
who wrote message during some form of communication (e-mail, website security).
The idea of having a certificate relies on the principle that you trust the entity that gives
you a certificate. This reciprocates up a hierarchy with each Certificate Authority (CA)
trusting the CA above them; this can be demonstrated in the diagram below.
What this diagram shows is that as the user we trust only the CA above ourselves(yellow circle), and by implication we do not trust the Other CA (green circle) because
our own CA does not trust it (only the preceding CA in blue does). This type of rule is
specified in a Certificate Practice Statement (CPS) which provides a meaning to thecertificate describing how it is going to be checked for validity.
For example, a software tool called Pretty Good Privacy (PGP) provides a Public KeyInfrastructure (PKI) capable of generating certificates that say we are who we say we
are. In summary, a certificate is a signed statement that user X is the holder of public key
Y.
USER (X) HAS PUBLIC KEY (Y)
-
8/3/2019 SET Cryptography and E-commerce
19/37
University of Glamorgan Cryptography & Electronic Commerce
19
One-way or Two-way Certification
Certification can work in two ways in regard to who trusts who:
One-way Certification Two-way Certification
One way certification is used when you have two departments like in the diagram above.
Each department has its own Certification Authority, providing digital certificates to the
members of the department.
In the above example, the Computer Science CA has a higher level of security (as
determined by the CPS). The ISelS department has been issued with a lower level ofsecurity, so we have what could be described as one-way certification, where by principle
you do not certify any department with a lower security level than yourself.
What this implies is that User 2 can be cross-certified by the Computer Science CA, butUser 1 cannot be certified by the ISelS CA because its CPA stipulates that it will not
certify a user in a CA with a lower security level. In essence, it would not be upholding
its agreement if it allowed its subscribers to become vulnerable in any way.
Two-way certification would work in a similar fashion but both CAs would have equal
security levels, allowing both sides to cross-certify the other.
Certificate Revocation List (CRL)
Every CA has a list of revoked or withdrawn certificates which it signs itself. Thislist allows a user to check the validity of a certificate before accepting it or not. Often
CRLs are updated approximately every 24 hours or using a protocol called Online
Certificate Status Protocol (OCSP), the CRL is published and updated constantly so that auser can at any time query the list (online) and ask is this certificate valid now?. This
means a user can make an instant decision on whether to trust a certificate or not.
-
8/3/2019 SET Cryptography and E-commerce
20/37
University of Glamorgan Cryptography & Electronic Commerce
20
X.509 Certificate Revocation Lists
X.509 is a specification for the format of a certificate and adds detail to a regular
certificate that can hold various fields for storing information about the subject (user),
and the certification authority (CA).
V3 of the X.509 standard provides extensions such as constraints on when and how thecertificate can be used, for example, you have an extension called PATH_LENGTH (we
will call this pl for short). This allows a CA to trust only the next CA along (when pl=0)or the next two (when pl=1). Any CA beyond the pl is rejected which provides an
excellent means of controlling who in the hierarchy of trust can actually be certified.
Another extension is called NAME_CONSTRAINT and this allows instant checking on the
name of certification authority to determine certification rights.
-
8/3/2019 SET Cryptography and E-commerce
21/37
University of Glamorgan Cryptography & Electronic Commerce
21
SET in Detail
Participants
Having briefly explained the requirements of SET, it is essential to understand the roles
of the individual participants within the process as described by Drew (1998).
Card Holder
In SET, the card holder is the same as any normal person wishing to use their cardto purchase goods in a shop.
Merchant
This is the business that wishes to sell goods online, but unlike a normal shopthe transaction would be electronic, with no customer physically present.
Issuer
The issuer is the organisation that provides the card holder with the payment card.
Acquirer
The acquirer is a financial organisation that processes the card holders paymentcard on behalf of the merchant. The purpose for which is to obtain payment
authorisation from the issuer.
Payment GatewayWorking on behalf of the acquirer, the payment gateway processes the card,
bridging the gap between electronic purchases and the existing credit cardnetworks.
Certificate Authority
The certification authority provides a trust model for all participants, providing amechanism for identifying who users say they are (see previous section).
The relationships of these participants can be better described using a diagram (below)showing the SET process against the traditional card not present (CNP) in dark orange.
Original source, Secure Electronic Transaction LLC
-
8/3/2019 SET Cryptography and E-commerce
22/37
University of Glamorgan Cryptography & Electronic Commerce
22
Software Components
As previously described, SET requires specific software components to allow all of theparticipants to communicate in a secure and efficient manner. For example, a user cannot
physically swipe their card at the merchants request, so a digital wallet is created thatperform this comparative behaviour. The specific software components are:
1. the digital wallet the front-end for the card holder2. the merchant server the merchants SET software3. the certificate authority handles all of the SET participants certificates4. the payment gateway bridges the merchant with its acquirers legacy systems
The diagram below demonstrates where the software components sit in conjunction withthe participants that were described on the previous page.
The diagram above represents the process described on the previous page mapped against
the individual software components. In simple form this can be described as:
1. the issuer provides the card holder with a wallet, thus certifying s/he is who theysay they are
2. the acquiring bank certifies that the merchant is who they say they are3. on making a purchase the information is sent to the gateway for processing, where
payment is removed from the card holder and deposited in the merchants account
Issuing Banks Acquiring Banks
Card Holder Merchant
Certificate Authority
Digital Wallet Merchant Server
Certificate Authority
Gateway
Internet
Internet
Internet
Financial Network
-
8/3/2019 SET Cryptography and E-commerce
23/37
University of Glamorgan Cryptography & Electronic Commerce
23
Hashing Principle
The best solution for signing a document is to create a fixed hash of the document
which produces a block of cipher text. The user then signs the hash and it means that asigned summary has been generated. The chances of having two hash functions that
generate the same output are very remote.
One problem with the hash function is that its susceptible to brute force attacks. Recent
indications show that certain well-known hash functions (such as MD5) have beensubsequently broken though cryptographic techniques that finds collisions (multiple
hash values with the same message) within a given digest.9
There are various solutions to developing secure hash functions for the function ofcreating digital signatures. For example, the diagram below demonstrates that by taking
several fields such as: user name, password, timestamp and a random number, you can
generate a hash value that is pretty much impossible to reverse.
One-WayHash Function
User Name
User Password
Timestamp
Random Number
Protected
Password
Making a Purchase
Without going into too much detail regarding the technical operations of the dual
signature, SET basically separates the purchase and order information in a way that it is
still linked and only the relevant parties receive what they need (need to know basis).
The client will send both purchase information (PI) and order information (OI) to the
merchant, however the merchant cannot read the purchase information (which is
viewable by the bank only), but knows its certified because of the dual signaturemessage digest which is created for each of the following:
-
8/3/2019 SET Cryptography and E-commerce
24/37
University of Glamorgan Cryptography & Electronic Commerce
24
Purchase Information Message Digest (called a PIMD)
Order Information Message Digest (called a OIMD)
Using dual signatures, PI (payment information) is hashed together with the hash of the
OI (order information) creating a POMD (payment order message digest).
So using the diagram above as an example, the merchant would receive:
Order Information, PIMD & Dual Signature (POMD)
The merchant would then use a PG (payment gateway) subsequently creating aPR (purchase request) see diagram below.
The order information is visible, so the merchant has what it needs, they cannot read thepurchase information as the credit cards are secure and the transaction is linked together
via the dual signature, so this offers non-repudiation facilities to all parties involved.
And in more detail we can see that in the diagram above, by using a combination of
cryptography techniques specifically DES and RSA (Data Encryption Standards, and the
public key algorithm developed by Rivest, Shamir, Adleman), the merchant will receive a
Purchase Request (PR) which contains all the details required to determine the validity ofthe order.
OI
PI
HASH
HASH
HASH
OIMD
PIMD
ENCDual Signed
POMD
-
8/3/2019 SET Cryptography and E-commerce
25/37
University of Glamorgan Cryptography & Electronic Commerce
25
SSL however does not offer any of these services, or any similar services, to buyers andvendors on the Internet. For example all transactions that occur between buyer and
vendor only have one secure channel and that is between User and Merchant, the rest of
the process is out of the hands of the individual as the merchant now has the relevant
information to charge that individual. However it is at the merchants discretion how itdeals with this contact to the bank, and how they store the details afterwards (ignoring
what the Data Protection Act stipulates). Additionally with SSL we do not actually knowwho we are dealing with as the certificate could have been forged, or obtained through
social engineering.ii
SSL creates a channel from A (Client) to B (Merchant) and authenticates and creates a
secure channel between the two parties. However, how can A truly know who B is unless
they know they are dealing with a reputable company with well known brand names such
as Dell or say Amazon?
This is when SSL becomes potentially dangerous as its user centric trust model allowsthe user to make the choice of purchasing. Any merchant can be perceived to betrustworthy by social engineering of the perception (words such as Certified or Valid
on the certificate). Additionally how can B be sure that A is not buying with a fraudulent
credit card? With SET all parties are known and are trusted thus true authentication andnon-repudiation facilities are in place.
iiVeriSign issued two certificates to individuals claiming to be Microsoft by error -
http://amug.org/~glguerin/opinion/revocation.html
-
8/3/2019 SET Cryptography and E-commerce
26/37
University of Glamorgan Cryptography & Electronic Commerce
26
Shopping Online with SET
As described by Drew (1998) in his book on using SET, the process of SET onlyaddresses payment authorisation and transport, order confirmation and inquiry, and
merchant reimbursements. For example, SET cannot deal with the process of goodsdelivery, nor cover the process of product selection on the e-commerce website.
Drew (1998) goes on to explain what areas of online shopping directly deal with SET
(stages in bold are directly provided by SET, the others in italics are performed outsidethe SET protocol):
1. Browsing and ShoppingUsing a shopping cart system, the user browsers the available products on thewebsite and creates a virtual shopping basket of products.
2. Merchant and Goods SelectionIf given the choice of multiple merchants offering similar goods, the user is giventhe option of shopping elsewhere.
3. Negotiation and OrderingThe user selects the products the want and agrees that the selected price the
merchant lists is acceptable.4. Payment Selection
The user (card holder) selects their method of payment
5. Payment Authorisation and TransportThe messages used for the authorisation of payment from the card holder to the
merchant are sent between the correct participants.
6. Payment Confirmation and Inquiry
The merchant or card holder can inquire about the status of a purchase.7. Delivery of GoodsThe merchant having taken an order and payment will ship the purchased
products.
8. Merchant ReimbursementThe merchant is reimbursed by the card holder.
-
8/3/2019 SET Cryptography and E-commerce
27/37
University of Glamorgan Cryptography & Electronic Commerce
27
SET Extensions
Elliptic Curve Cryptography
An Internet Draft document describes the concept of Elliptic Curve Cryptography (ECC)as:
Elliptic Curve Cryptography (ECC) is emerging as an attractive public-key
cryptosystem, in particular for mobile (i.e., wireless) environments. Compared to
currently prevalent cryptosystems such as RSA, ECC offers equivalent security
with smaller key sizes.
Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright,
Transport Layer Security (TLS) Extensions, (September 2005)
Another issue is the potential for catastrophic failures when a single elliptic curve iswidely used.
10
In relation to SET, Drew (1998) explains that the RSA algorithm is replaced by the
Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures, and the
Elliptic Curve Encryption Scheme (ECES) for encryption. The combination of thesecomponents creates an extension to SET called Elliptic Curve Enabled Secure Electronic
Transactions (ECSET).
He also describes there are multiple advantages when such technologies are introduced
into the SET environment:
ECC keys are smaller than RSA keys
Digital signatures in ECSET are smaller
The security implications of an elliptic curve cryptosystem lies in the discrete logarithm
problem, which is as closest you might get to a one-way function.11
Chip and PIN
For SET to function in a debit environment requires the merchant and the paymentgateway to implement some new functions:
Personal Identification Numbers (PINs) Integrated smart card technology
Elliptic Curve Cryptography (as above)
Having PIN verification introduces an extra level of card holder verification, just like the
present Chip and PIN system, where the card holder must be present and supply the PINat the requested moment during the transaction.
-
8/3/2019 SET Cryptography and E-commerce
28/37
University of Glamorgan Cryptography & Electronic Commerce
28
Biometrics
Using a similar principle to the Chip and PIN system, what I propose is that the userswould now be given an electronic fingerprint reader for home / business / merchant use,
which would replace the need for both a PIN and smart card. Having pre-registered theirbiometric details with a bank, this process acts like a digital wallet, with their fingerprintacting like a PIN.
The diagram above is representative of a possible infrastructure (on top of SET and SSL)
designed to show how a user could be authenticated and verified at the moment ofpurchase.
-
8/3/2019 SET Cryptography and E-commerce
29/37
University of Glamorgan Cryptography & Electronic Commerce
29
Version 2 Details
SET version 2 was proposed by a company called SETco LLC (the detail of which wasunavailable at the time of printing) that proposed the integration of several of the
extensions previously explained. As described by Drew (1998) they include:
Functionality Enhancements
Smart cardso Europay, MasterCard, and VISA (EMV)o Multi-application
Debit (PIN system)o PIN for online debito PIN pads (PIN entry not from keyboards)
Encryption Alternatives
Algorithm independence
Hardware vendor support
Separate symmetric key from account information
Certification Enhancements
Smaller certificates
Formatted registration forms
Order Enhancements
Multiple payment instructions (PI) on a single order
Order cancellation Renegotiation of order description (OD)
Delivery receipt for electronic delivery
Payment Enhancements
Payment negotiation
Funds transfer
Purchasing card support
Travel agent business model
Merchant authentication prior to shopping
Transaction Processing Enhancements
Enhanced error messages
Reduced processing loads on applications
-
8/3/2019 SET Cryptography and E-commerce
30/37
University of Glamorgan Cryptography & Electronic Commerce
30
Non-repudiation Facilities
SSL - Secure Socket Layer
SSL does not support any form of non-repudiation. SSL was developed primarily tocreate a secure channel between two parties A and B, and was not invented to deal with
credit card transactions; however, it has become the standard implementation on todays
web browsers. Such is the level on non-repudiation offered by SSL that it would be verydifficult for a merchant to prove in a court of law that the customer purchased the goods.
It can however be enhanced to allow non-repudiation above the SSL layer, but this is not
standard. This may seem to be a contradiction as SSL also uses digital certificateshowever these certificates are not issued by the bank, thus they cannot be linked with the
credit card used, and unlike SET, SSL does not check the validity before completing the
transaction.
SET - Secure Electronic Transactions
SET has non-repudiation facilities built into its architecture to allow customers,merchants and banks the ability to make sure that any party cannot repudiate what they
have purchased or sold. Every part of the transaction is logged and an audit trail is
created. All participants in the system are also known to each other and have toauthenticate with one another. Unlike SSL, the decision on who and who notto trust is
not user centric as each party knows who they are dealing with before hand, and when
the transaction is going through measures are taken to link information with signatures.
Other Protocols
Specifically for e-mail communication, S/MIME offers non-repudiation of the origin
again through the use of digital signatures. If a message is sent from Alice to Bob signed
by Alices private key then Bob knows that the message was sent from Alice and only
Alice. Alice can repudiate this saying that someone else stole her key and sent themessage, and she revoked the key before the message was supposed to be sent. However,
if it can be proved that the revocation came afterthe message was sent, then Alice would
not be able to repudiate Bobs claims.
-
8/3/2019 SET Cryptography and E-commerce
31/37
University of Glamorgan Cryptography & Electronic Commerce
31
ConclusionThe introduction to this report stated that a Deloittes 2004 survey found that 40 percent
of respondents whose systems were attacked said they sustained financial losses. The
ASIS Online12 organisation observes this loss of business and tries to address the issue bycreating various guidelines aimed. They comment:
In an age when information is king, a companys very survival may hinge on its
secrets.
If the developers of online e-commerce applications do not have the aptitude and
awareness to make informed decisions regarding a companys security requirements, or aclear understanding of the organisations business, they cannot develop and implement
effective sales systems that maintain customer confidence in the purchasing of goods
form their online marketplace.
Needs of e-buyers and e-vendorsThis is probably the biggest aspect regarding the contradiction between SSL and SET,
and it lies with the wants and needs of both the buyer and merchants respectively.
SSL is now commonly used however it does not provide many of the aspects of functionsthat the buyer or vendor say is important for online transactions. SET was designed
to take into consideration the security of both entities: the buyer and vendor.
SET does two things that are important to online transactions, and these are:
1. Keeps Payment Information (PI) & Order Information (OI) separate but linksthem using a dual signature (concatenation of the two)
2. Offers non-repudiation
In Terms of the Technical Details of the Protocol
SSL may not have been specifically designed to facilitate electronic transactions as itsmain aim was to secure communications from a client to a server; however it has evolved
to become the protocol of choice when securing transactions. This protocol works on the
transport layer of the OSI model and uses session keys known only to the client and theserver thus creating a secure channel between the two.
SET is not actually a protocol as such but more of an application that mandates thealgorithms that it uses, rather than allowing the user to choose as with SSL, which during
the initial handshake hello, allows the user to specify what they are willing to use in
terms of cryptographic algorithms (and at what key strength).
Due to the fact the SET is not a protocol and does not work within current technology
additional items are needed to allow it to work and create secure electronic
-
8/3/2019 SET Cryptography and E-commerce
32/37
University of Glamorgan Cryptography & Electronic Commerce
32
communications between customers and merchants. For example the client and the
merchant must have additional software in order to communicate the payment and orderdetails to each other and also the bank. This means it is not as freely available to
consumers as SSL which is distributed by default in the majority of operating systems.
Not only do they have to download software, they will also be dependant on the merchantsupporting SET. If this is the case then they will not be able to complete their purchase
using their digital wallet.
Infrastructure required to support itThe SSL infrastructure is basically the web and its users; therefore the infrastructure
needed to support its use is already in place. Any user with a web browser has the ability
to conduct secure transactions with merchants willing to sell their products across the
Internet. The emphasis of trust for this infrastructure is placed on the user; it is up to theuser who they trust and who they do not, so the trust model can be classified as user
centric.
Additionally, at the other end of the scale in regards to the merchants, the facilities are in
place for them to buy digital certificates and have them signed by trust worthy CAs such
as VeriSign13
, and then they can partake in secure transactions with customers. Thecommunication between the banks and the merchant are done via traditional channels
such as Card Not Present (CNP).
SET is different, as the current infrastructure would not allow for all the millions of credit
card transactions to be supported. SET needs all parties to be a part of the infrastructure
for it to succeed, from the client all the way through to the issuing bank. As previously
mentioned, special software is needed to support the SET system and thus is not freely
available to all web users, unlike SSL. So for SET to work on the Internet the followingparticipants need to co-operate:
Customers
Merchants
Banks
Certification Authorities
These all have to work together to form a certain environment of trust in order for the
infrastructure to work. Trust is not placed with the user as the system itself chooses who
can and cannotbe trusted by means of a trust hierarchy.
Application to Business
Most businesses will understand computer security from the concepts outlined in thisreport. They believe that security consists of a few firewalls and typically some virus
protection for the mail. Threats and the increase in threat agents have now outgrown
those simple defences.
-
8/3/2019 SET Cryptography and E-commerce
33/37
University of Glamorgan Cryptography & Electronic Commerce
33
As a result, businesses are now required to justify their security expenditure and
activities through means of Return On Investment (ROI) to board level management. Thisleaves the businesses with three major problems14:
1. to build a business case that non-technical staff and management will understand
and support2. to determine the appropriate level of security for the company3. to show that there is a financial return resulting from the investment
This, of course, will prove very difficult to achieve as the security system implemented is
non-profit making, and if working correctly, will simply lower fraudulent transactions.The added expense of spending money on the SET infrastructure will not be apparent to
many executives especially when the majority of present-day SET implementations are
for business-to-business transactions. It is still apparent that if the business does spend a
great deal of money on a SET infrastructure, it has to be because their business modelsells many high-value products (in the 10 - 20 range) to cover the over-heads of the
SET system.
Explaining these security concepts to senior executives would be challenging, but as a
recent article in Security Advisor Middle East7
onReturn On Investmentdiscusses,
mental pictures and diagrams work well. Their suggestion is to use a castle-and-moatanalogy, for example:
Explain that youre building a moat around a castle. Until you get the moat
completely around the castle, youve spent a lot of money with no improvement in
security.
Until youve established a minimum level of protection, youre spending a lot of
money but are still totally vulnerable.
The analogy goes on to explain how digging a shallow moat and having it a mile wide isa waste of money. You would be spending a great deal of money and not getting any
results in return. This is like a form of business insurance; it is necessary to spend money
to insure against losses of material, fire or flood, or personal injury - everyone hopes it
will never happen, but when it does the insurance policy offers some ability to offset theloss.
SET cannot guarantee absolute protection from online fraud, only minimising thedamage, however, to get to this position requires expenditure by the organisation.
-
8/3/2019 SET Cryptography and E-commerce
34/37
University of Glamorgan Cryptography & Electronic Commerce
34
Summary
The original assignment question asked:
At which point is the SET protocol used in a secure online transaction?
Only after completing the research that went into this report do you understand that SET
describes the process of making a complete transaction, from the ordering of the goods
to the final processing of your card details. Admittedly it overlooks the initial productselection and the final delivery, but as a transactional protocol it fulfils its job.
The only foreseeable weaknesses with SET are more to do with the supporting protocols
that it relies on, such as IPv4, DES, MD5 and SSL. If a security flaw is found in one ofthe underlying protocols, SET can only be as secure as these subsidiary components.
The main criticism of this report topic is the lack of readable documentation on either theInternet or in printed form, but despite this brick wall you can lookup each of the
individual components and derive where it would sit in the SET process. It also became
apparent that the only two books available were both published in 1998 and that bothtechnology and cryptographic techniques have improved dramatically in the past 8 years.
-
8/3/2019 SET Cryptography and E-commerce
35/37
University of Glamorgan Cryptography & Electronic Commerce
35
References
Bibliography
Blyth, A & Kovacich, G.L., (2001) Information Assurance [Book] Springer. [Page 99]
Comer D (2000), Internetworking with TCP/IP Volume 1 [Book] Publisher: PrenticeHall, ISBN: 0 13 018380 6
Drew, Grady N. (1999) Using SET for Secure Electronic Commerce. [Book] Publisher:Prentice Hall, ISBN: 0-13-099715-3
Dolan, A., (2004) Social Engineering [Online] SANS Institute. Available From:
http://www.sans.org/resources/popular.php [Accessed 15th Oct 2005].
Denning, D. E., (1999) Information Warfare and Security [Book] Addison Wesley. Part1: Introduction [Page 41]
De Carteret and Vidgen (1995), Data Modelling for Information Systems [Book]
Publisher: Pitman, ISBN: 0-273-60262-4
Fraser, B., (1997) RFC 2196 Site Security Handbook [Online] NWG. Available From:
http://www.faqs.org/rfcs/rfc2196.html [Accessed: 31 October 2005]
Teare D (1999), Designing Cisco Networks [Book] Publisher: Cisco Press, ISBN: 1-
57870-105-8
Merkow, Mark S., Breithaupt, J, and Wheeler, K L. (1998) Building SET Applications
for Secure Transactions [Book] 1st ed. Publisher: Wiley, ISBN: 0-471-28305-3
Mitnick, K. E., (2003) The Art of Deception [Book] Wiley. Chapter 16
Pressman R S. (1997), Software Engineering: A Practitioners Approach [Book]Publisher: McGraw Hill, ISBN: 0 07 709 411 5
SANS, (2001) Password Policy [Online] SANS Institute. Available From:
http://www.sans.org/resources/policies/Password_Policy.pdf [Accessed: 3rd November
2005]
Siyan K (1998), Inside TCP/IP [Book] Publisher: New Riders, ISBN: 1-56205-714-6
Sommerville I (1998), Software Engineering [Book] Publisher: Addison Wesley, ISBN:
0 201 42765 6
-
8/3/2019 SET Cryptography and E-commerce
36/37
University of Glamorgan Cryptography & Electronic Commerce
36
Journals
What drives mobile commerce? Article: Information & Management, Volume 42, Issue 5,
1 July 2005, Pages 719-729, Wu, J.H.; Wang, S.C.
Marketplace and technology standards for B2B e-commerce: progress, challenges, and
the state of the art. Article: Information & Management, Volume 42, Issue 6, 1September 2005, Pages 865-875, Albrecht, C.C.; Dean, D.L.; Hansen, J.V.
Trust and e-commerce: a study of consumer perceptions. Article: Electronic Commerce:
Research and Applications, Volume 2, Issue 3, 1 September 2003, Pages 203-215,
Corbitt, B.J.; Thanasankit, T.; Yi, H.
Footnotes
1Global Payments Industry Metrics, 2000 & 2010 (March 2003) Statistics for Electronic
Transactions [Online] ePayNews.com. Available from:http://www.epaynews.com/statistics/transactions.html [Accessed 16th Jan 2006]
2National Statistics (July 2005)Internet Access [Online] National Statistics. Available
from: http://www.statistics.gov.uk/cci/nugget.asp?id=8 [Accessed 18th Dec 2005].
3Deloitte (2004) Global Security Survey [Online] Deloitte Touche Tohmatsu. Available
from: http://www.deloitte.com/dtt/research/ [Accessed 14th Oct 2005].
4Fraser, B., (1997)RFC 2196 Site Security Handbook[Online] NWG. Available From:
http://www.faqs.org/rfcs/rfc2196.html [Accessed: 31 October 2005]
5Denning, D. E., (1999)Information Warfare and Security [Book] Addison Wesley. Part
1: Introduction [Page 41]
6Blyth, A & Kovacich, G.L., (2001)Information Assurance [Book] Springer. [Page 99]
7 Netscape Online (1996) SSL 3.0 Specification [Online] Netscape, Available from:
http://wp.netscape.com/eng/ssl3/ [Accessed 10th
February 2006]
8 IETF Secretariat (2006) Transport Layer Security (tls) [Online] IETF, Available from:
http://www.ietf.org/html.charters/tls-charter.html [Accessed 11th February 2006]
9Passcracking.ru (2006) Online Rainbow Tables [Online] Available from:
http://passcracking.ru/index.php [Accessed 2nd February 2006]
10Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, (2005)
Transport Layer Security (TLS) Extensions, IETF, draft-ietf-tls-rfc3546bis-02.txt (work
in progress)
-
8/3/2019 SET Cryptography and E-commerce
37/37
University of Glamorgan Cryptography & Electronic Commerce
11RSA Security (2004) What is the dicrete logarithm problem? [Online] RSA Security,
Available from: http://www.rsasecurity.com/rsalabs/node.asp?id=2193 [Accessed 4th Feb
2006]
12
ASIS Online (2004) Chief Security Officer Guidelines [Online] ASIS International.Available from: http://www.asisonline.org/guidelines/guidelineschief.pdf [Accessed 11th
Oct 2005].
13 VeriSign (2006) VeriSign Security, Payments and Communications [Online] VeriSign.
Available from: http://www.verisign.com/[Accessed 29th
Jan 2006]
14 Security Advisor Middle East (2004) Selling Security to the Board[E-Magazine]
Security Advisor Middle East, Issue 8 [Accessed 11th
Oct 2005]