Presentation on theme: "Chapter 3 Electronic Commerce I’m not sure I want anything to do with the world-wide web."— Presentation transcript:
Chapter 3 Electronic Commerce I’m not sure I want anything to do with the world-wide web.
Presentation Outline I.Electronic Commerce II.Security for Electronic Commerce III.Security Issues for Public Key Encryption Systems IV.Encryption Technology in Electronic Commerce V.Assurance and Privacy in E-Commerce Transactions
I. Electronic Commerce A.Three Categories of Networks B.The Internet C.Intranets D.Client Server Technology
A. Three Categories of Networks Local Area Networks (LANs) – Network spanning a single site. Metropolitan Area Networks (MANs) – Networks spanning a single city or metropolitan area. Wide Area Networks (WANs) – Networks that span at least two metropolitan areas.
B. The Internet Electronic highway with no central command or control structure. TCP (Transmission Control Protocol) IP (Internet Protocol) TCP is a protocol for dividing electronic messages into packets of information and then reassembling these packets at the receiving end. IP addresses specify the location of a computer on the internet. Alias names are often used in place of IP addresses. www.bodhop.ais vs. 188.8.131.52
C. Intranets In-house networks that use internet type protocols. Firewalls limit access from outsiders by filtering incoming information to be sure it is from an authorized source (often certain IP addresses). Proxy servers are typically used on the inside of a firewall to serve as filters for all outgoing requests for information. For example, blocking employee access to a game site.
D. Client-Server Technology A server is a robot-type program that constantly runs on some computer and exchanges information with users (clients) who request it. Examples include: FTP servers for exchanging files Web servers for browsing the World Wide Web Mail servers Commerce servers for secure business transactions
II. Security for Electronic Transactions Encryption involves using a password or digital key to scramble a readable message into an unreadable message. Types of encryption systems include: A.Secret Key Encryption B.Public Key Encryption C.Hybrid Systems or Digital Envelopes D.Digital Signatures E.Digital Time Stamps
A. Secret Key Encryption Secret key is used for both encrypting and decrypting message. Problem is that the secret key may be intercepted while it is being transmitted to the recipient. Sender Message Recipient
B. Public Key Encryption A message is encrypted using the recipient’s public key. Only the recipients private key can decrypt it. Removes problem of having to send a secret key along with the message. Sender encrypts message with recipients public key. Message Recipient decrypts message with their own private key.
C. Digital Envelopes (A Hybrid System) Secret key is used for both encrypting and decrypting message. The recipients public key is used to encrypt the secret key. No one can use the secret key to open the message unless they have a copy of the recipient’s private key to decode the secret key. Sender Message Recipient After encoding the message, the secret key is encoded with recipient’s public key.
D. Digital Signatures A digital signature occurs when someone encrypts a message with their own private key. Anyone can use that person’s public key to determine that they sent the message. May also make use of a message digest (see page 79)
E. Digital Time Stamps The message to be digitally time stamped is digested, and the digest is sent to a digital time-stamping service (DTS). The DTS attaches a time-stamp to the digest and then adds its digital signature to the two. Anyone can verify the date by decrypting the digital signature of the DTS using its public key. With this approach, the DTS timestamps the message without learning its contents.
III. Security Issues For Public Key Encryption Systems A.Cryptanalysis B.Key Management C.Ways in Which Company Privacy May Be Violated.
A. Cryptanalysis Cryptanalysis involves the analyzing of encrypted messages in an attempt to decode them without legitimate access to the keys.
B. Key Management Each user should create their own public and private keys. Certifying authorities should issue digital certificates attesting that a particular public key belongs to a certain person or organization. All keys should have an expiration date so hackers will not have time to figure out how to break the key’s coding. Certificate revocation lists provide lists of public keys that have expired before their expiration date. A certificate signing unit is a tamperproof box for storing private keys. Contents are destroyed if box is tampered with.
C. Ways In Which Company’s Can Be Violated Encrypted messages can be decoded by guessing the plaintext code. Attacker checks guess by using the intended recipient’s public key to encode the guess to see if it matches the encoded message. Factoring attacks breaking prime number codes. Computers that contain sensitive key information can be broken in to. Former employees may use keys that have been discontinued.
IV. Encryption Technology in Electronic Commerce A.Digital Cash B.Blinded Digital Cash C.Virtual Cash on the PC D.Virtual Cash in Electronic Cards E.Virtual Private Networks
A. Digital Cash Digital cash is created when a bank attaches its digital signature to a note promising to pay the bearer some amount of money. The digital signature may include: Bank’s name and address Dollar value of note Unique serial number Date of note creation Expiration date of note
B. Blinded Digital Cash Blinding permits a bank to issue digital cash so that it is unable to link the payer and payee. S.N. 22222 Bank’s Digital Signature S.N. 11111 Bank’s Digital Signature Blinded Note 2. Bank Signs Note Alice 1. Alice creates a note that includes a blinding factor 3. Bank returns note to Alice after attaching a digital signature. 4. Alice removes the blinding factor before spending the note.
C. Virtual Cash on the PC User acquires digital cash (from a financial institution), which is then stored in the electronic wallet. Money is received or spent out of the wallet.
D. Virtual Cash in Electronic Cards Memory cards – cash balance is stored and and updated using the card. Shared-key cards – a card using secret-key encryption for all communications. Signature transporting cards – a form of shared-key card in which digital cash notes are transferred to the register upon payment. Signature-creating cards – cards allowing the generation of digital signatures for the purpose of writing electronic checks.
Remote Users Private Network Decryption Encryption Encrypted messages over the Internet Plaintext Messages E. Virtual Private Network A virtual private network (VPN) combines encryption technology with Internet communications to allow remote users belonging to a private network to communicate securely over a public network such as the Internet. Remote users first pass through a type of hardware or software gateway that automatically encrypts and decrypts data. Sending or receiving data over a VPN is known as tunneling.
V. Assurance and Privacy in E-Commerce Transactions A.Procedures for Transaction Processing B.E-Commerce and Privacy
A. Procedures for Transaction Processing CPA’s and CA’s may undergo specialized training to evaluate websites for WebTrust. The WebTrust symbol on a website provides assurance regarding: 1.Information protection – merchant follows its policies and procedures for protecting private customer information. 2.Business practice disclosure – merchant adequately discloses its business practices. 3.Transaction integrity – merchant follows procedures to ensure proper user identification, validation, data accuracy, completeness, and timeliness. There is also proper disclosure of all billing and shipping terms..
B. E-Commerce and Privacy Merchants can place cookies (merchant site information) on your computer when you visit their web site. Merchants can also examine cookies on a person’s computer to discover other web sites that a person has visited. I can tell you the web sites this computer has visited.
Summary Network categories, internet, intranet, client servers Encryption and cryptanalysis The Use of Encryption in E-Commerce (digital cash, virtual cash, virtual private networks) WebTrust Cookies