
Thursday, September 6, 2012

Electronic Commerce - Security Management


    Cornerstones of Security

    Authenticity

    the sender (either client or server) of a message is who he, she or it claims to be.

    Privacy (confidentiality)

    the contents of a message are secret and known only to the sender and the intended receiver.

    Integrity
    the contents of a message are not modified (intentionally or accidentally) during transmission.

    Non-repudiation
    the sender of a message cannot deny that he, she or it actually sent the message.

    Auditability

The audit trail should be protected by the same integrity mechanism that was applied when the message was created, and the evidence needed to prove non-repudiation (the signatures and the certificates used to verify them) should be preserved together with it, for example on WORM (Write Once Read Many) storage that cannot be altered afterwards.

We deal with the same issues in everyday life: secrecy and integrity through registered mail or locking documents away, non-repudiation through original signed documents, and authentication by recognising faces, voices or signatures. In the electronic world these goals are met largely, though not only, by cryptographic techniques.

8.2 Cryptographic Techniques

    Encryption is the process of transforming information so that it is unintelligible to anyone but the intended recipient. Decryption is the process of transforming encrypted information so that it is intelligible again.

    A cryptographic algorithm, also called a cipher, is a mathematical function used for encryption or decryption.

    A key is a number that must be used together with the algorithm to produce an encrypted result or to decrypt previously encrypted information. Decryption with the correct key is straightforward. Decryption without the correct key is very difficult and, for a well-designed cipher, impossible for all practical purposes.

8.3 Key length and Encryption Strength

The strength of encryption is related to the difficulty of discovering the key, which in turn depends on both the cipher used and the length of the key.

Encryption strength is often described in terms of the size of the keys used to perform the encryption.In general, longer keys provide stronger encryption.

For symmetric ciphers, 128 bits is the commonly recommended minimum key length today. The figure is the number of random bits in the key: an attacker who has to guess the key by brute force must try, on average, half of the 2^128 possible keys, which is far beyond any feasible computation.

The higher the number of bits, the more difficult the key is to guess, and the difficulty grows exponentially: every additional key bit doubles the number of candidate keys and therefore doubles the time a brute-force search takes.

Different ciphers require different key lengths to achieve the same level of strength, depending on the algorithm they employ; asymmetric RSA keys, for example, must be far longer than symmetric keys for comparable security, because the best attacks on RSA are much faster than brute force.

Because the ability to surreptitiously intercept and decrypt encrypted information has historically been a significant military asset, the US government for many years restricted the export of cryptographic software, in most cases permitting export of mass-market software only with symmetric keys of 40 bits or less. Those controls were substantially relaxed in 2000; a 40-bit key can be brute-forced in hours on ordinary hardware and should never be relied on.

8.4 Security Mechanisms

    Cryptographic Techniques

    Symmetric Methods – One key. Both the sender and the receiver use the same secret key for encryption and decryption, so the key must first be shared over some other secure channel.

    Asymmetric Methods – Two keys, a public key and a private key, mathematically related so that what one key encrypts only the other can decrypt. For confidentiality the sender encrypts with the receiver's public key and only the receiver's private key can decrypt. For authentication and non-repudiation the sender signs with his own private key and anyone holding his public key can verify; since only the sender holds that private key, he cannot later deny having produced the signature, provided the key was never disclosed or compromised.

Neither method guarantees integrity by itself: an attacker can alter ciphertext without knowing the key, and the change may decrypt to a plausible but different message. Integrity is provided by a message authentication code (symmetric) or a digital signature (asymmetric) computed over the message.
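The following is an added example, not code from the original page, showing the integrity caveat above in working Python: a toy stream cipher (SHA-256 run in counter mode as the keystream, a construction chosen here only so the example needs no third-party library) keeps the payment message secret, yet an attacker who knows where the amount field sits can change it without the key, and only the HMAC tag detects the change. The keys, nonce and message are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo keys and nonce (never hard-code or reuse keys like this in practice).
ENC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)
MAC_KEY = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f" * 2)
NONCE = b"demo-nonce-0001"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: successive SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, known_old: bytes, wanted_new: bytes) -> bytes:
    """Attacker's step: flip ciphertext bits so that the plaintext bytes at `offset`
    change from known_old to wanted_new. Needs no key, only knowledge of the format."""
    ct = bytearray(ciphertext)
    for i, (old, new) in enumerate(zip(known_old, wanted_new)):
        ct[offset + i] ^= old ^ new
    return bytes(ct)


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: authenticate nonce and ciphertext with HMAC-SHA256."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def check_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes, t: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(tag(mac_key, nonce, ciphertext), t)


def demo() -> dict:
    msg = b"PAY 0100 TO BOB"                      # constructed payment message
    ct = encrypt(ENC_KEY, NONCE, msg)
    t = tag(MAC_KEY, NONCE, ct)
    forged = tamper(ct, 4, b"0100", b"9900")      # the amount field starts at byte 4
    return {
        "original_tag_ok": check_tag(MAC_KEY, NONCE, ct, t),
        "forged_plaintext": decrypt(ENC_KEY, NONCE, forged),   # decrypts to PAY 9900 TO BOB
        "forged_tag_ok": check_tag(MAC_KEY, NONCE, forged, t),  # False: tampering detected
    }


if __name__ == "__main__":
    print(demo())
```

The receiver must check the tag before decrypting and acting on the plaintext; a separate MAC key is used so that the authentication and encryption keys are independent.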

8.5 Public Key Infrastructure

A subscriber's key pair is generated by the subscriber (or on his behalf); the public key is then certified by a duly licensed Certifying Authority, while the private key must remain with the subscriber alone, otherwise non-repudiation is lost. Under the IT Act 2000 there is a root authority, the Controller of Certifying Authorities, which oversees the functioning of all other Certifying Authorities; these must fulfil the laid-down eligibility criteria and obtain licences. The subscriber is issued a Digital Certificate which, besides his name, address etc., carries his public key and the details of the Certifying Authority.
Digital Certificate

    A certificate is an electronic document used to identify one individual, a server, a company, or some other entity and to associate that entity with a public key.

    Certification Authorities (CAs)  are entities that validate identities and issue certificates. They can be either independent third parties or organisations running their own certificate issuing server software.

In addition to a public key, a certificate always includes the name of the entity it identifies, an expiration date, the name of the CA that issued the certificate, a serial number and other information. Most importantly, a certificate always includes the digital signature of the issuing CA and thus serves as a letter of introduction to users who know and trust the CA but do not know the entity identified by the certificate.

The Digital Certificate would:-

    Bind a public key to its owner
    Be Issued and digitally signed by a trusted third party
    Be Like an electronic photo-id

Digital Signatures
A digital signature is defined as:-
    Data Appended to, or cryptographic transformation of, a data unit that allows a recipient of data unit to prove the source and integrity of the data unit and to protect against forgery.
The sender of a message applies a hashing algorithm to the original data to get what is called a hash value. The algorithm is called a one-way hash because the original message cannot be recovered from the value. An alteration of even one character during transmission gives a different hash value and is therefore detected by the receiver when he applies the same algorithm to the received message and compares the result with the hash value sent by the sender. This ensures the integrity of the data.

After the hash value is calculated, the sender applies his private key to it (in RSA terms, the signing operation, often described as encrypting with the private key). The resulting value is the digital signature. Unlike a handwritten signature, a digital signature is not the same every time: it differs for every message signed. The receiver applies the sender's public key to the signature and recovers the hash value calculated at the sender's end. At the same time the receiver applies the same hashing algorithm to the received message and calculates its hash value. If the two hash values tally, the message is as it was sent. For this to mean anything the receiver needs an authentic copy of the sender's public key, which is exactly what the certificate provides.

Since the sender "signs" the message with his private key, which is known only to him, he cannot deny having sent the message, provided the private key has been kept secret; a compromised or shared private key destroys non-repudiation.

The whole process can be represented diagrammatically (figure omitted): the sender hashes the message and signs the hash with his private key; the receiver verifies the signature with the sender's public key and compares the recovered hash with a fresh hash of the received message.
8.6 Firewalls

    A firewall is either a hardware device (such as a router) or a software package running on a specially configured computer that sits between a secured network (a company's internal network) and an unsecured network (the Internet). The firewall performs several important tasks, including preventing unauthorised access to the internal network, limiting incoming and outgoing traffic to what policy allows, authenticating users, logging traffic information and producing reports.
    The fundamental role of a firewall is to inspect all traffic that flows between the two networks and to permit only what the policy explicitly allows, denying everything else by default. A firewall is only as good as its ruleset and its placement: traffic it never sees (a modem or wireless link behind it, a laptop carried inside) and attacks carried inside connections it permits (an exploit against the web server on port 443) pass untouched, so it reduces the exposed surface rather than guaranteeing that an intruder can never reach the protected network.
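The following is an added example, not part of the original page, of the policy logic a packet-filtering firewall applies: a first-match rule list with explicit default-deny rules at the end, evaluated over a handful of constructed packets and writing the kind of log line the text mentions. The addresses, ports and rules are invented for the illustration and do not describe any real network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" (Internet -> internal) or "out"
    src: str                 # CIDR
    dst: str                 # CIDR
    dport: Optional[int]     # None matches any destination port
    proto: str = "any"       # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"          # constructed internal range
WEB_SERVER = "10.0.1.10/32"      # constructed public-facing web server

# Order matters: the first matching rule wins. The closing deny rules make the
# policy default-deny in both directions even when nothing above matched.
POLICY: List[Rule] = [
    Rule("allow", "in",  ANY,      WEB_SERVER, 443, "tcp"),   # customers to the web server
    Rule("allow", "out", INTERNAL, ANY,        443, "tcp"),   # internal browsing over HTTPS
    Rule("allow", "out", INTERNAL, ANY,        53,  "udp"),   # DNS lookups
    Rule("deny",  "in",  ANY,      ANY,        None),
    Rule("deny",  "out", ANY,      ANY,        None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(policy: List[Rule], pkt: Packet, log: List[str]) -> str:
    """Return the verdict for one packet and record it, as a firewall log would."""
    flow = f"{pkt.direction} {pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}"
    for idx, rule in enumerate(policy):
        if matches(rule, pkt):
            log.append(f"rule#{idx} {rule.action.upper()} {flow}")
            return rule.action
    log.append(f"implicit DENY {flow}")   # no rule matched: deny by default
    return "deny"


# Constructed sample traffic; the expected verdicts follow from POLICY above.
SAMPLE_TRAFFIC = [
    Packet("in",  "203.0.113.5", "10.0.1.10",    443),    # customer to web server: allow
    Packet("in",  "203.0.113.5", "10.0.1.10",    22),     # SSH probe at web server: deny
    Packet("in",  "203.0.113.5", "10.0.2.20",    3389),   # RDP to an internal host: deny
    Packet("out", "10.0.2.20",   "198.51.100.9", 443),    # internal HTTPS browsing: allow
    Packet("out", "10.0.2.20",   "198.51.100.9", 25),     # direct outbound SMTP: deny
]


def run(policy: List[Rule] = POLICY, traffic: List[Packet] = SAMPLE_TRAFFIC) -> Tuple[List[str], List[str]]:
    log: List[str] = []
    verdicts = [evaluate(policy, pkt, log) for pkt in traffic]
    return verdicts, log


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

The first sample packet is the instructive one: it is allowed because policy says port 443 to the web server is legitimate, so whatever that connection carries, including an attack on the web application, is never examined by this filter. That is the limit of what a packet filter can promise.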

8.7 Electronic Payment Systems
    e-Cash
    e-Cheque
    Credit Cards
    Debit Cards
    Charge Cards
8.7.1    e-Cash
Obtaining Electronic Cash

    The consumer requests his or her bank to transfer money to the e-mint to obtain electronic cash
    The consumer bank transfers money from the consumer’s account to the e-mint
    The e-mint sends electronic cash to the consumer. The consumer saves the electronic cash on a hard drive or a smart card

Purchasing with Electronic Cash

This phase is executed whenever the consumer desires to make a purchase with electronic cash. It can take place at any time after the consumer has obtained electronic cash from the e-mint. A consumer can make purchases more than once as long as he or she does not run out of electronic cash.

    The consumer selects the goods and transfers the electronic cash to the merchant
    The merchant provides the goods to the consumer

Redeeming Cash by the Merchant

    The merchant transfers the electronic cash to the e-mint. Alternatively, the merchant may send the electronic cash to its bank, and the bank in turn redeems the money from the e-mint
    The e-mint transfers money to the merchant’s bank for crediting the merchant’s account.

Types of e-cash

E-cash can be classified along two independent axes.

    Identified e-cash contains information revealing the identity of the person who originally withdrew the money from the bank, so the bank can trace the money as it moves through the economy.
    Anonymous e-cash works just like paper cash: there is no transaction trail back to the person who withdrew it.

    On-line e-cash requires the payee to contact a bank (or the e-mint) during the transaction, typically to confirm that the coin has not already been spent.
    Off-line e-cash lets a transaction complete without directly involving a bank; double spending can then only be detected later, when the coins are deposited.

Problem of Double-Spending

    Since e-money is just a string of bits, a coin is trivially copied, and the copy is bit-for-bit indistinguishable from the original. Nothing inside the coin itself reveals that it has been duplicated, so counterfeiting by double spending cannot be detected by examining the coin; the system has to detect it elsewhere, typically by having the issuer keep a record of every coin already redeemed.

    Real e-money systems must be able to prevent or detect double spending.
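The following is an added example, not part of the original page, of the on-line model's answer to double spending: the e-mint keeps a ledger of serial numbers already redeemed and credits a given coin only once. The mint authenticates its own coins with an HMAC under a constructed secret; real schemes use blind signatures so that coins can also be anonymous, which this toy does not attempt, and off-line detection needs further cryptography not shown here.

```python
import hashlib
import hmac
import secrets


class EMint:
    """On-line e-mint: issues coins and redeems each serial number at most once."""

    def __init__(self, secret: bytes):
        self._secret = secret          # constructed mint secret; the mint alone holds it
        self._spent = set()            # serial numbers already redeemed
        self.log = []

    def _tag(self, serial: bytes, value: int) -> bytes:
        """Authentication tag binding serial and value to this mint."""
        return hmac.new(self._secret, serial + value.to_bytes(8, "big"), hashlib.sha256).digest()

    def issue(self, value: int) -> dict:
        """Create a coin: a fresh random serial plus the mint's tag."""
        serial = secrets.token_bytes(16)
        return {"serial": serial, "value": value, "tag": self._tag(serial, value)}

    def redeem(self, coin: dict, merchant: str) -> bool:
        """Accept a coin once: reject forgeries first, then any serial seen before."""
        if not hmac.compare_digest(self._tag(coin["serial"], coin["value"]), coin["tag"]):
            self.log.append(f"{merchant}: forged coin rejected")
            return False
        if coin["serial"] in self._spent:
            self.log.append(f"{merchant}: double spend of {coin['serial'].hex()} rejected")
            return False
        self._spent.add(coin["serial"])
        self.log.append(f"{merchant}: credited {coin['value']}")
        return True


def demo() -> tuple:
    mint = EMint(secret=b"constructed-mint-secret")
    coin = mint.issue(100)
    duplicate = dict(coin)                 # bit-for-bit copy, indistinguishable from the original
    forged = dict(coin, value=1000)        # altered amount: the tag no longer matches
    return (mint.redeem(coin, "merchant-A"),        # True: first presentation is credited
            mint.redeem(duplicate, "merchant-B"),   # False: same serial already spent
            mint.redeem(forged, "merchant-C"))      # False: tag does not verify


if __name__ == "__main__":
    print(demo())
```

The mint cannot tell the duplicate from the original, exactly as the text says; it simply refuses whichever copy arrives second, which is why the merchant in the on-line model must contact the mint before handing over the goods.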

8.7.2    e-cheques
Purchasing Goods

    The  consumer accesses the merchant server, and the merchant server presents its goods to the consumer.
    The consumer selects the goods and purchases them by sending an electronic cheque to the merchant.
    The merchant may validate the electronic cheque with its bank for payment authorisation.
    Assuming the cheque is validated, the merchant closes the transaction with the consumer.

Depositing cheques at the Merchant’s Bank

    The merchant electronically forwards the cheques to its bank.
    The merchant’s bank forwards the electronic cheques to the clearing house for cashing.
    The clearing house works with the consumer’s bank, clears the cheque, and transfers money to the merchant’s bank, which updates the merchant’s account.
    At a later time, the consumer’s bank updates the consumer with the withdrawal information.

Tuesday, September 4, 2012

Executive Guide to E-business

Definition of E-business

E-Business refers generally to all forms of transactions relating to commercial activities, involving both organisations & individuals that are based upon the processing and transmission of digitised data, including text, sound and visual images.

E-Commerce

It comprises:-

-    Delivery of information, products/services, and payments through electronic means.
-    Online capability of buying & selling goods over the internet.

2.    Types of e-commerce

The different types of  items traded electronically are:-

    Tangible goods

    Digital goods e.g.software, music / audio, text (news, research), pictures, video

    Services    e.g. stock trades, airline tickets, insurance

3.    Why e-Commerce

Benefits to an Organisation

    Lower Costs
    Higher Reach
    Efficient & Productive Processes
    Better Customer Service & Satisfaction
    Cross-Selling

Benefits to Customers

    Increased Choice & Competitive Purchase
    Anywhere, Anytime Commerce
    Lower costs due to reduction of intermediaries’ margins
    Well informed basis of transaction

4.    Participants in E-business (From an Organisation’s Perspective)

    External Parties

    Customer
    Supplier
    Government

    Supporting Parties

    Certification Authority (has the trust of all parties)
    Financial Institution

5.    E-Business segments

    B2B
    B2C
    B2E
    C2C
    B2G

5.1Business-to-Business (“B2B”) segment

    In this segment, the entire range of activities like  order processing & fulfillment, inventory valuation, material management, payment processing, financial reporting & taxation etc. can be carried out using Internet & Intranet based technologies. Significant B2B players on the net are General Motors, Ford & Wal Mart.

Electronic Data Interchange

    Simple way to exchange data between organisations

    EDI’s primary tool is software which translates data to and from the defined ANSI ASC X12 (Accredited Standards Committee X12) formats.

    EDI begins & ends with business applications which share data but have different methods of viewing & processing them.

    Buyer places order using his own purchasing system. Data received by Suppliers order entry system & used to coordinate delivery from inventory to schedule of manufacturing

    Reduces manual effort/Redundant data entry/Errors

5.1.1 Models of B2B Segment

Catalog model

A catalog model creates value by aggregating suppliers & buyers. It works best in industries characterised by fragmented buyers & sellers, who transact frequently for relatively inexpensive items & in situations where demand is predictable & prices are stable. Examples include Chemdex.com,  PlasticsNet.com etc.

Chemdex.com serves as an online source of life science products such as biological chemicals. Buyers can browse through online catalogs & place orders online, which are transmitted electronically to the suppliers. Chemdex receives a commission from the sellers for each concluded transaction.

Auction Model

This model is suitable where non-standard products need to be bought or sold among businesses that have very different perceptions of value for the product. The typical examples of this model are iMark for used capital equipment & Adauction for perishable online & print advertising inventory.

Exchange Model

This model creates significant value in markets where demand & prices are volatile by allowing businesses to manage excess supply & peak-load demand. In an exchange, suppliers & customers come together at a single site & arrive at a mutually acceptable price. Paper Exchange in paper & e-Steel in steel are good examples of exchange models.

5.2    Business to Consumer (“B2C”) segment.

This segment comprises marketplace transactions where customers learn about products through online advertising, buy goods or services using credit cards, debit cards etc & receive post-purchase support  through online services. The B2C segment can be used for advertising & selling products, ranging from books or CDs to T-shirts or even computers.
Models in B2C segment

Portal
A portal is the web version of a successful conglomerate that offers everything from search engines, e-mail & chat to travel, stock quotes & shopping. A portal commands the best, stickiest & highest eyeball aggregates on the net ( that is the highest number of visitors who spend sufficient time on the site and have higher recollection of the site), a junction where all congregate to move out to different places.

The business model followed by a portal is simple:

    Create a site that offers easy entry points for Internet surfers to different themes  & topics.
    Use it to draw a large number of customers
    Serve them up to the advertisers
    Also offer them your products to generate e-revenues; and
    Retain the flexibility to do anything & everything the netizens may need tomorrow

Eg: Yahoo!, Altavista, Go and MSN are well-known portals; rediff.com, indiaworld.com, indiainfo.com, 123india.com, etc. have gained popularity as the leading Indian portals.

Vortals

Portals which are industry specific or service a niche on the net are known as ‘Vortals’. Vortals offer facilities similar to portals such as search engines, chats, discussions etc but remain restricted in scope to a particular industry / domain, eg Cnet.com, lexsite.com etc

CNet.com caters to the computing & technology industry targeting buyers & sellers of electronic products. Lexsite is a vortal targeted towards the legal community in India and has specialised contents for legal professionals, law students & businesses.
E-tailing

E-tailing is emerging as the fastest growing segment of e-commerce. Some of the major players in the e-tailing segment include amazon.com, jaldi.com, fabmart.com etc
    The trendsetter in this segment has been amazon.com which is an online superstore dealing in books, music, video, software, toys, games, etc. It claims over 13 million customers
    The e-retailing model is already steadily disintermediating second rung retailers in the real world.
Infomediaries

    These are e-commerce models whose essential characteristic is providing specialised & precise information to customers. The simplest manifestation is a search engine.
    For instance, Charles Schwab's site (schwab.com) is the largest online broker in the world, providing services such as investment planning tools, industry & company analysis, daily price charts & company headlines. Its clients include domestic & international individual investors, investment managers & institutions, & its revenues include commission from online trades.

Naukri.com is the leading employment infomediary handling nearly 10,000 job advertisements in India. Its revenues include hosting charges paid by recruiting companies, resume hosting & circulation charges paid by job seekers, commission from placement agencies & resume development charges.

E-banking
E-banking offers remote banking facilities electronically. An internet banking service typically offers account information, funds transfer between accounts, bill payment, requests for cheque books, stop-payment instructions, communication with the account manager etc.

E-broking

The capital markets have also been affected by e-commerce, with sites such as E*trade, Ameritrade, etc. facilitating online broking. According to a Goldman Sachs study, more than US$ 1.5 trillion of assets would be managed on-line by the end of 2003.

5.3    Customer to Business (“C2B”) segment

C2B sites enable consumers to set prices and business enterprises bid to offer products and services. The dot coms that best describe this model are priceline.com  & milkar.com. In the Priceline model, customers quote the price that they are willing to pay for a product or service. The products include airline tickets, hotel bookings, car rentals, new vehicles, home finance etc. The quotes are provided by Priceline to participating sellers and in case there is a willing seller, the transaction is concluded.

The Milkar.com  business model aims at facilitating cheaper buying, by aggregating individual purchasing power to get volume discounts. The products offered range from electronics, home and kitchen appliances, luggage, automobiles, fitness equipment, jewellery, software etc.

5.4    Consumer to Consumer  (“C2C”) segment.

This model typically comprises auction sites where sellers can place their products for sale and buyers can bid for them. Both sellers & buyers need to be registered with the auction site. While the sellers need to pay a fixed fee to sell their products, the buyers can bid without a fee. The site brings the buyers and sellers together to conclude deals and charges a commission on the sale proceeds. Some typical e-auction sites include ebay.com, auctionindia.com, bazee.com, napster, etc.
5.5 Business to Government Segment

The Andhra Pradesh Government leads others in providing various services electronically through its web-site www.aponline.gov.in. An illustrative list is as under:-

    Registration services - SSI registration, marriage registration, birth registration

    Certificates - income, caste, nativity, birth

    Admissions - educational institutions, coaching classes

    Licenses/Permits - grant / renewal of wholesale / retail drug sales licenses

    Market Prices - of essential commodities like vegetables, oils, pulses etc.

    Utilities - bill payments (electricity, water, telephone bills), payment through credit card; e-cheque to be enabled in future

    Tax Payments - income tax, sales tax, property tax, entertainment tax, road tax

6. Sources of Online Revenues

The major sources of online revenues are as follows:-

  Access Charges

Dial-up access charges tend to be the most significant source of revenue for most ISP business models in the initial stages

  Online Advertising

Online advertising offers much more targeted & effective advertising than conventional advertising, thereby resulting in ever growing online advertising revenues. The main reason for this is that the Internet synthesises a society of potential customers no matter what their physical location is and therefore allows advertisers to deliver direct messages to the desired audience, cost effectively.

Customer Revenues

The main category of online customer revenue earners is the e-retailers. They specialise in providing products and services to online customers and therefore form an integral part of the  B2C transactions. These online customers serve as a source of revenue for the e-retailers.

  Commission

The main earners of commission revenues are the info-intermediaries, which serve as a guide to the online customers in finding the location desired by them. They provide the customers with an automated search service that dissects the entire web in order to provide the customer the required information. These intermediaries in general take the form of search engines and portals.

The info-intermediaries can earn revenue from customers who pay the info-intermediaries subscription charges for gaining access to information and from sellers who reward the info-intermediaries for routing the customers to their sites and away from their competitors. The sellers may also pay for referring prospective buyers to them.

Surrogate revenues

Surrogate revenues refer to revenues earned through payments for hyperlinks and commission on sales undertaken through hyperlinks. These revenues typically arise in a situation where one portal has links established to other portals. Since the linking portal, also known as the ‘click through’ portal, serves as an advertising medium for the linked portals, it shares part of the revenues generated by such portals.

For instance Yahoo! Provides ‘click through’ links to other search engines, portals and sites

Transaction revenues

In a transaction based model, products or services are sold on the web site and the consumers are charged on a per transaction basis or a fixed fee basis. Stock brokers and finance houses are among the typical businesses that use this model to perform transactions on behalf of their customers.

Information subscription revenues

These revenues essentially arise from subscribing to the web site/ portal. Typically, the media industry offers subscriptions of magazines and news papers to its customers either on an unlimited access or time based access.

7. Impediments & Issues in Implementation of E-business

    Security Management
    Costs
    Legal issues
    Lack of skilled Personnel
    Training & Maintenance
    Availability of Bandwidth
    Customers not having PCs / Not being techno-savvy