Overview

1
Overview

• Electronic Commerce
• Underlying Technologies
• Cryptography
• Network Security Protocols
• Electronic Payment Systems
• Credit card-based methods
• Electronic Cheques
• Anonymous payment
• Micropayments
• SmartCards

2
Commerce

• Commerce Exchange of Goods / Services
• Contracting parties Buyer and Seller
• Fundamental principles Trust and Security
• Intermediaries
• Direct (Distributors, Retailers)
• Indirect (Banks, Regulators)
• Money is a medium to facilitate transactions
• Attributes of money
• Acceptability, Portability, Divisibility
• Security, Anonymity
• Durability, Interoperability

3
E-Commerce Summary

• Automation of commercial transactions using
  computer and communication technologies
• Facilitated by Internet and WWW
• Business-to-Business EDI
• Business-to-Consumer WWW retailing
• Some features
• Easy, global access, 24 hour availability
• Customized products and services
• Back Office integration
• Additional revenue stream

4
E-Commerce Steps

• Attract prospects to your site
• Positive online experience
• Value over traditional retail
• Convert prospect to customer
• Provide customized services
• Online ordering, billing and payment
• Keep them coming back
• Online customer service
• Offer more products and conveniences
• Maximize revenue per sale

5
E-Commerce Participants
6
E-Commerce Problems
Snooper
Unknown customer
Unreliable Merchant
7
E-Commerce risks

• Customer's risks
• Stolen credentials or password
• Dishonest merchant
• Disputes over transaction
• Inappropriate use of transaction details
• Merchants risk
• Forged or copied instruments
• Disputed charges
• Insufficient funds in customers account
• Unauthorized redistribution of purchased items
• Main issue Secure payment scheme

8
E-Commerce Security

• Authorization, Access Control
• protect intranet from hordes Firewalls
• Confidentiality, Data Integrity
• protect contents against snoopers Encryption
• Authentication
• both parties prove identity before starting
  transaction Digital certificates
• Non-repudiation
• proof that the document originated by you you
  only Digital signature

9
Encryption (shared key)
m message k shared key
- Sender and receiver agree on a key K - None
else knows K - K is used to derive encryption key
EK decryption key DK - Sender computes and
sends EK(Message) - Receiver computes
DK(EK(Message)) - Example DES Data Encryption
Standard
10
Public key encryption
m message sk private secret key pk public key

• Separate public key pk and private key sk
• Private key is kept secret by receiver
• Dsk(Epk(mesg)) mesg and vice versa
• Knowing Ke gives no clue about Kd

11
Digital signature
Sign sign(sk,m) Dsk(m) Verify Epk(sign(sk,m))
m Sign on small hash function to reduce cost
12
Signed and secret messages
pk2
m
pk1
Verify-sign Encrypt(pk1)
sign(sk1, m)
Epk2(Dsk1(m))
Encrypt(pk2)
Decrypt(sk2)
First sign, then encrypt order is important.
13
Digital certificates
How to establish authenticity of public key?
Register public key
Download public key
14
Certification authority
15
E-Payments Secure transfer

• SSL Secure socket layer
• below application layer
• S-HTTP Secure HTTP
• On top of http

16
SSL Secure Socket Layer

• Application protocol independent
• Provides connection security as
• Connection is private Encryption is used after
  an initial handshake to define secret (symmetric)
  key
• Peer's identity can be authenticated using public
  (asymmetric) key
• Connection is reliable Message transport
  includes a message integrity check (hash)
• SSL Handshake protocol
• Allows server and client to authenticate each
  other and negotiate a encryption key

17
SSL Handshake Protocol

• 1. Client "Hello" challenge data, cipher specs
• 2. Server "Hello" connection ID, public key
  certificate, cipher specs
• 3. Client "session-key" encrypted with server's
  public key
• 4. Client "finish" connection ID signed with
  client's private key
• 5. Server "verify" client's challenge data
  signed with server's private key
• 6. Server "finish" session ID signed with
  server's private key
• Session IDs and encryption options cached to
  avoid renegotiation for reconnection

18
S-HTTP Secure HTTP

• Application level security (HTTP specific)
• "Content-Privacy-Domain" header
• Allows use of digital signatures / encryption
• Various encryption options
• Server-Browser negotiate
• Property cryptographic scheme to be used
• Value specific algorithm to be used
• Direction One way/Two way security

19
E-Payments Atomicity

• Money atomicity no creation/destruction of money
  when transferred
• Goods atomicity no payment w/o goods and
  viceversa.
• Eg pay on delivery of parcel
• Certified delivery the goods delivered is what
  was promised
• Open the parcel in front of a trusted 3rd party

20
Anonymity of purchaser
21
Payment system types

• Credit card-based methods
• Credit card over SSL - First Virtual
  -SET
• Electronic Cheques
• - NetCheque
• Anonymous payments
• - Digicash - CAFE
• Micropayments
• SmartCards

22
Encrypted credit card payment

• Set secure communication channel between buyer
  and seller
• Send credit card number to merchant encrypted
  using merchants public key
• Problems merchant fraud, no customer signature
• Ensures money but no goods atomicity
• Not suitable for microtransactions

23
First virtual

• Customer assigned virtual PIN by phone
• Customer uses PIN to make purchases
• Merchant contacts First virtual
• First virtual send email to customer
• If customer confirms, payment made to merchant
• Not goods atomic since customer can refuse to pay
• Not suitable for small transactions
• Flood customers mailbox, delay merchant

24
Cybercash

• Customer opens account with cybercash, gives
  credit card number and gets a PIN
• Special software on customer side sends PIN,
  signature, transaction amount to merchant
• Merchant forwards to cybercash server that
  completes credit card transaction
• Pros credit card not shown to server, fast
• Cons not for microtransactions

25
SETSecure Electronic Transactions

• Merge of STT, SEPP, iKP
• Secure credit card based protocol
• Common structure
• Customer digitally signs a purchase along with
  price and encrypts in banks public key
• Merchant submits a sales request with price to
  bank.
• Bank compares purchase and sales request. If
  price match, bank authorizes sales
• Avoids merchant fraud, ensures money but no goods
  atomicity

26
Electronic Cheques

• Leverages the check payments system, a core
  competency of the banking industry.
• Fits within current business practices
• Works like a paper check does but in pure
  electronic form, with fewer manual steps.
• Can be used by all bank customers who have
  checking accounts
• Different from Electronic fund transfers

27
How does echeck work?

• Exactly same way as paper
• Check writer "writes" the echeck using one of
  many types of electronic devices
• Gives" the echeck to the payee electronically.
• Payee "deposits" echeck, receives credit,
• Payee's bank "clears" the echeck to the paying
  bank.
• Paying bank validates the echeck and "charges"
  the check writer's account for the check.

28
Anonymous payments
5. Deposit token at bank. If double spent reveal
identity and notify police
1. Withdraw money cyrpographically encoded tokens
merchant
customer
3. Send token after adding merchants identity
4. Check validity and send goods
2. Transform so merchant can check validity but
identity hidden
29
Problems with the protocol

• Not money atomic if crash after 3, money lost
• if money actually sent to merchant returning to
  bank will alert police
• if money not sent not sending will lead to loss
• High cost of cryptographic transformations not
  suitable for micropayments
• Examples Digicash

30
Micropayments on hyperlinks

• HTML extended to have pricing details with each
  link displayed when user around the link
• On clicking, browser talks to E-Wallet that
  initiates payment to webserver of the source site
• Payment for content providers
• Attempt to reduce overhead per transaction

31
Micropayments NetBill

• Customer merchant have account with NetBill
  server
• Protocol
• Customer request quote from merchant, gets quote
  and accepts
• Merchant sends goods encrypted by key K
• Customer prepares signs Electronic Purchase
  Order having ltprice, crypto-checksum of goodsgt
• Merchant countersigns EPO, signs K and sends both
  to NetBill server
• NetBill verifies signatures and transfers funds,
  stores K and crypto-checksum and
• NetBill sends receipt to merchant and K to
  customer

32
Recent micropayment systems
Company
Payment
Unique
system
code
Compaq
Millicent
mcent
IBM
IBM payment
mpay
system
France
Micrommerce
microm
Telecom
33
Smartcards

• 8-bit micro, lt 5MHz, lt 2k RAM, 20k ROM
• Download electronic money on a card wallet on a
  card
• Efficient, secure, paperless, intuitive and
  speedy
• Real and virtual stores accept them
• Less susceptible to net attacks since
  disconnected
• Has other uses spanning many industries, from
  banking to health care

34
Mondex

• Smart card based sales and card to card transfers
• Money is secured through a password and
  transactions are logged on the card
• Other operation and features similar to
  traditional debit cards
• Card signs transaction so no anonymity
• Need card reader everywhere
• Available only in prototypes

35
Summary

• Various protocols and software infrastructure for
  ecommerce
• Today credit card over SSL or S-HTTP
• Getting there
• smart cards,
• digital certificates
• Need
• legal base for the entire ecommerce business
• global market place for ecommerce

36
Electronic Commerce-Definition

• Using electronic methods and procedures to
  conduct all forms of business activity including
  governance.

37
E-commerce ? 6 Cs 6 Ps

• Content
• Community
• Commerce
• Context
• Communication
• Collaboration

• Products
• Price
• Packaging
• Penetration
• Protection
• Pace

38
Electronic Commerce-Issues

• Technology
• Infrastructure
• Legal
• Management
• Security
• Trade, Scope Coverage
• Impact on Economy

39
Infrastructure

• Power
• Reliable communication
• Environment
• Human resource
• Interface with suppliers and consumers
• Faith, trust and ethics
• Legal

40
e-Law Global Internet requires Global Laws

• Industrial laws to be transformed to Information
  Age
• Laws to protect value protection and minimum
  ethics in Industrial practices when Government
  transforms itself to be a facilitator

41
Relationship between Information Technology and
Economy
Information Technology and Paradigm Shift of
Economy
Agricultural Society
Knowledge and Information-based Society
Industrial Society
Labor
Farmer
Knowledge Worker
White Collar Worker
Energy
Intermediate Resource
Informatization
Industrialization
Knowledge
Rate of Transformation from Information to
Knowledge
Rate of Yields
Value -Added Rate
Main Resources
Land
Information
Energy
Product
Farm Product
Knowledge
Product
Product Site
Research Institute, University
Factory
Farm
42
Ontological issues

• Definition
• What is electronic money ?
• Relative to traditional money
• Relative to traditional electronic money
• Continuity or upheaval ?
• What should be the basis of definition
• Purpose
• What do you buy ?
• Payment system
• How do you pay ?

43
Technology

• Hardware
• Software
• Firmware
• Communication Networks
• Security
• Smart Cards

44
Role of Technology

• lower transaction costs
• reducing asymmetric information
• 24-hour trading
• borderless global trading network
• improve market efficiency

45
Technology Hype Cycle
46
Internet Commerce Opportunities
Direct Marketing, Selling Service
Corporate Purchasing
Value Chain
Financial Services
Financial Services
47
Smart card Technology
 
48
Smart cards gtMicro e-commerce

• Smart cards in e-banking
• Smart cards in e-transportation
• Smart cards in e-identification
• Smart cards in e-logistics business
• Smart cards in e-personal health care business
• Smart cards in e-insurance

49
Smart Card Issues

• Interoperability
• Selection of Operating System
• Smart Chip supplier
• Card manufacturer and Integrator
• Application software
• Multi Application Support
• National Global Usage

50
International Concerns

• Limited chip and card suppliers(Cost and capacity
  restriction)
• Interoperability between various cards and
  terminal systems
• Europes effort in EMV 2000 specs
• CEPS effort by visa?
• Limitation in Multi application support
• Card remote update and load and delete
  applications

51
Barriers to E-commerce

• An Effective payment mechanism
• User Identification and Authenticity
• Bandwidth
• Local phone charges
• Import/Export issues for physical goods delivery
• Search engine overload
• Fear of distribution of todays Good-distribution
  model

52
E-COMMERCE -SECURITY THREATS

• SPOOFING BY creating illegitimate sites
• UNAUTHORISED DISCLOSURE-intercept transmissions
  on customers sensitive information
• UNAUTHORIZED ACTION- alter original website so
  that it refuses services to potential clients
• DATA ALTERATION- TRANSACTION ALTERED ENROUTE
  EITHER MALICIOUSLY OR ACCIDENTALLY.

53
CERTIFICATION
SEMANTIC ISSUES
TECHNOLOGICAL ISSUES
What is certification what does it denote and
mean? What are the principal concepts and
elements of certification What additional
concepts and notions are expressed and
implied by certification? What is the Intent of
the certification what is it you are trying
to do in certifying something?
How is certification achieved? How are the
prerequisites and context for certification
established? What is it you are certifying?
(Object of certification) Certification
with respect to what? (Business for
certification) What relation must exist
for certification? (Object/basis
relation) What activities/decisions are
prerequisite for certification? How and when
is certification to be conducted?
ADMINISTRATIVE ISSUES
Who does the certification? Who is the recipient
of the certification? What is the significance
of the certification for the certifier? What is
the significance of the certification for the
recipient?
Why certify?
54
Delivering Security Services

• A Merger of Technological and legal view points.
• Consists of
• Confidentiality-Exclusive Knowledge
• Authentication of sender-Who?

• Data Integrity-What were the contents?
• Time stamp- when the message was sent?
• Non-repudiation-Blocks False denial of
• (a) Sending the message
• (b) contents of the message

55
References

• State of the art in electronic payment systems,
  IEEE COMPUTER 30/9 (1997) 28-35
• Internet privacy - The quest for anonymity,
  Communications of the ACM 42/2 (1999) 28-60.
• Hyper links
• http//www.javasoft.com/products/commerce/
• http//www.semper.org/
• http//www.echeck.org/
• http//nii-server.isi.edu/info/NetCheque/
• http//www.ec-europe.org/Welcome.html/
• http//www.zdnet.com/icom/e-business/