Download Chapter 15

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Web of trust wikipedia , lookup

Authentication wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Computer recycling wikipedia , lookup

Signals intelligence wikipedia , lookup

Electronic authentication wikipedia , lookup

Certificate authority wikipedia , lookup

Digital signature wikipedia , lookup

3-D Secure wikipedia , lookup

Transcript
Electronic Marketing
Chapter 15
Security on the E-commerce Site
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
A Survey of Cryptography
• Cryptography results in the creation of cryptographic
methods, known as cryptosystems:
– Symmetric cryptosystems use the same key (secret key), to
encrypt (scramble) and decrypt (unscramble) a message
– Asymmetric or Public Key cryptosystems, use two keys - one
key (public key) to encrypt a message and a different key
(private key) to decrypt it
• Symmetric cryptosystems are the easier of the two to
implement, since only one key is required
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Digital Certificate
• Authentication is the digital process of verifying that people
or entities are whom or what they claim to be
• Digital certificates are in effect virtual fingerprints, or retinal
scans that authenticate the identity of a person or thing in a
concrete, verifiable way
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Digital Certificate
• A typical digital certificate is a data file of information,
digitally signed and sealed using RSA encryption
techniques, that can be verified by anyone and includes:
– The name of the holder and other identification information,
such as e-mail address
– A public key, which can be used to verify the digital signature
of a message sender previously signed with the matching
mathematically unique private key
– The name of the issuer, or Certificate Authority
– The certificate’s validity period
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Digital Certificate
• To create a digital certificate for an individual, the identity of
the person, device, or entity that requests a certificate must
be confirmed. This is typically accomplished through a
combination of the following:
– Personal presence
– Identification documents
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Digital Certificate
• Digital certificates may be distributed online. Typical means
of distributing certificates include:
– Certificate accompanying signature
– Directory service
• The decision to revoke a certificate is the responsibility of
the issuing company
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Sockets Layer (SSL)
• SSL was introduced in 1995 by Netscape as a component of
its popular Navigator browser and as a means of providing
privacy with respect to information being transmitted
between a user’s browser and the target server, typically
that of a merchant
• SSL establishes a secure session between a browser and a
server
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Sockets Layer (SSL)
• A channel is the two-way communication stream established
between the browser and the server, and the definition of
channel security indicates three basic requirements:
– The channel is reliable
– The channel is private
– The channel is authenticated
• By virtue of SSL’s requirement of Transmission Control
Protocol (TCP) as the transport mechanism, channel
reliability is inherent
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Sockets Layer (SSL)
• This encryption is preceded by a “data handshake” and has
two major phases:
– The first phase is used to establish private communications,
and uses the key-agreement algorithm
– The second phase is used for client authentication
• Limits of SSL
– While the possibility is very slight, successful cryptographic
attacks made against these technologies can render SSL
insecure
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
• In 1996, MasterCard and Visa announced the development
of a single technical standard for safeguarding payment
card purchases made over open networks called Secure
Electronic Transaction (SET).
• Since 1996, both Visa and MasterCard have continued their
search for better security to reassure online consumers and
merchants. To this end, both now have special programs
that allow a cardholder to set a password to protect their
card from unauthorized use. This process protects both the
consumer and the merchant.
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
• SET sought to bolster confidence by mitigating the security
risks in SSL
• SET ensured that merchants were authorized to accept
credit card payments, thus reducing risks associated with
merchant fraud
• SET ensured that the purchaser was an authorized user of
the payment card
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
• While the goal of SSL is to reduce the likelihood of
communication interception, the goal of SET is to reduce
the likelihood of fraud
• SET provides the special security needs of electronic
commerce with the following:
– Privacy of payment data and confidentiality of order
information transmission
– Authentication of a cardholder for a branded bank card
account
– Authentication of the merchant to accept credit card payments
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
• The purchasing process
– A merchant applies for, and receives, an account with an
issuing bank, just as they would apply for a normal credit card
merchant account
– A consumer makes an application to an issuing bank for a
digital credit card, which is a digital certificate that has been
personalized for the credit card-holder
– After the consumer receives her digital credit card, she adds it
to her browser wallet
– The consumer browses the Web at a particular site and at
checkout time, the Web site asks for the shopper’s credit card
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
• The process continued…
– Instead of typing in the credit card number, the browser wallet
is queried by the Web site SET software and, following
selection of the appropriate credit card and entry of its
password by the consumer, the bank-issued digital credit card
is submitted to the merchant
– The merchant receives the digital credit card in a digital
envelope
– The merchant software then sends the SET transaction to a
credit card processor (also known as a “payment gateway
application” or “acquirer”) for verification
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
• The process continued…
– The financial institution performs functions on the transaction
including authorization, credit and capture (voiding and refund)
reversals
– Following successful processing, the merchant, cardholder,
and credit card processors are all advised electronically that
the purchase has been approved
– Following this notification, the cardholder is debited and the
merchant is paid through subsequent capture transactions
– The merchant can then ship the merchandise, knowing that the
customer transaction is approved
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
• Limitations of SET and SSL
– A downside of both SSL and SET protocols is that they both
require the use of cryptographic algorithms that place
significant loads on the computer systems involved in the
commerce transaction
– For the low and medium e-commerce applications, there is no
additional server cost to support SET over SSL
– For the large e-commerce server applications, support of SET
requires additional hardware acceleration in the range of a 5 to
6% increase in server costs
– For small payment gateway applications using SET, hardware
acceleration is also required
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo
Secure Electronic Transaction (SET)
Thus, the conclusion is that SET has a definitive security
component that very clearly represents an advance in
technology over SSL, and that any deficits that may be related
to performance will quickly be rendered minor as hardwarebased processing technology rapidly advances
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
5/24/2017
2004
Joel Reedy and Shauna Schullo