E-Commerce Unit 2 Notes

The document discusses approaches to safe electronic commerce, including secure transport protocols, secure transactions, and secure electronic payment protocols. It describes protocols like SSL, SHTTP, and SET that aim to provide security, authentication, encryption and other requirements for safe online transactions and payments.

UNIT-II (15hrs)

Approaches to Safe Electronic Commerce: Overview – Secure Transport Protocols – Secure Transaction – Secure Electronic Payment Protocol (SEPP) – Secure Electronic Transaction (SET)

Approaches To Safe Electronic Commerce: Overview

Security is an essential part of any transaction that takes place over the internet.

Customers will lose faith in an e-business if its security is compromised.

Following are the essential requirements for safe e-payments/transactions:

• Confidentiality − Information should not be accessible to an unauthorized person, and it should not be intercepted during transmission.

• Integrity − Information should not be altered during its transmission over the network.

• Availability − Information should be available wherever and whenever required, within a specified time limit.

• Authenticity − There should be a mechanism to authenticate a user before giving him/her access to the required information.

• Non-Repudiability − This is the protection against denial of an order or denial of a payment. Once a sender sends a message, the sender should not be able to deny sending it; similarly, the recipient of a message should not be able to deny receiving it.

• Encryption − Information should be encrypted and decrypted only by an authorized user.

• Auditability − Data should be recorded in such a way that it can be audited for integrity requirements.

Measures to Ensure Security

The major security measures are:

• Encryption − It is a very effective and practical way to safeguard the data being transmitted over the network. The sender of the information encrypts the data using a secret code, and only the specified receiver can decrypt the data using the same or a different secret code.

• Digital Signature − A digital signature ensures the authenticity of the information. A digital signature is an e-signature authenticated through encryption and password.

• Security Certificates − A security certificate is a unique digital ID used to verify the identity of an individual website or user.

Encryption
Digital Signature

A person creates a digital signature by hashing the data and encrypting that hash with his or her private key. The recipient uses the signer's public key to decrypt the signature and compares the result with a hash of the received data.

Security Certificates
Security relates to three general areas:

• Secure file/information transfer

• Secure transaction

• Secure enterprise network

Secure transport protocols:

• The Secure Sockets Layer system from Netscape Communications and the Secure Hypertext Transfer Protocol from CommerceNet offer secure means of transferring information through the internet and the World Wide Web.

• SSL and S-HTTP allow the client and server to execute all encryption and decryption of web transactions automatically and transparently to the end user.

S-HTTP:

• S-HTTP (http://wwe.eit.com) is a secure extension of HTTP developed by the CommerceNet consortium.

• S-HTTP offers security techniques and encryption with RSA methods, along with other payment protocols.

• For secure transport, S-HTTP supports end-to-end secure transactions by incorporating cryptographic enhancements to be used for data transfer at the application level; this is in contrast to existing HTTP authorization mechanisms.

• S-HTTP incorporated public-key cryptography from RSA Data Security in addition to supporting traditional shared-secret password and Kerberos-based security systems.

• The RSA Data Security cipher used by S-HTTP utilizes two keys: files encrypted with one can only be decrypted by application of the other key; the recipient decrypts with the private key.

Secure Socket Layer (SSL)

This protocol was developed by Netscape Communications; it is a security protocol that provides privacy over the internet.

It is the most commonly used protocol and is widely used across the industry.

The protocol allows client/server applications to communicate in a way that data transmissions cannot be altered or disclosed.

It meets the following security requirements −

• Authentication

• Encryption

• Integrity

• Non-repudiability

"https://" is to be used for HTTP URLs with SSL, whereas "http://" is to be used for HTTP URLs without SSL.

Secure Hypertext Transfer Protocol (SHTTP)

• HTTPS stands for Hyper Text Transfer Protocol Secure.

• It could be a combination of the Hypertext Transfer Protocol with SSL to supply encrypted communication with the web server.

• SHTTP extends the HTTP internet protocol with public key encryption, authentication, and digital signatures over the internet.

• Secure HTTP supports multiple security mechanisms, providing security to the end-users.

• SHTTP works by negotiating the encryption scheme types used between the client and the server.

Secure Transaction:

It is a secure protocol developed by MasterCard and Visa in collaboration. Theoretically, it is the best security protocol. It has the following components −

• Card Holder's Digital Wallet Software − The digital wallet allows the card holder to make secure purchases online via a point-and-click interface.

• Merchant Software − This software helps merchants to communicate with potential customers and financial institutions in a secure manner.

• Payment Gateway Server Software − The payment gateway provides an automatic and standard payment process. It supports the process for the merchant's certificate request.

• Certificate Authority Software − This software is used by financial institutions to issue digital certificates to card holders and merchants, and to enable them to register their account agreements for secure electronic commerce.


The secure transport protocols previously discussed support secure transactions.

For secure payment, internet hardware and software vendors have made a variety of announcements in the past couple of years related to support for the most popular secure payment protocols.

Three methods have evolved in the recent past.


• Netscape Communications Corporation and Microsoft Corporation have promoted their respective payment protocols and installed them in World Wide Web browsers and servers.

• SEPP has been championed by MasterCard, Netscape and other supporters; the American National Standards Institute (ANSI) is fast-tracking SEPP as a standard for the industry.

• STT (http://www.visa.com/vista-stt/index.html) was developed jointly by Visa and Microsoft as a method to secure bankcard transactions over open networks.

• STT uses cryptography to secure confidential information transfer, ensure payment integrity, and authenticate both merchants and cardholders: confidentiality of information is ensured by the use of cryptography; payment integrity, cardholder account authentication and merchant credentials are ensured by the use of digital signatures; and interoperability is ensured by the use of specific protocols and message formats.

• SET has emerged recently as a convergence of the previous standards and has a lot in common with SEPP.

• SET is expected to be rapidly incorporated into industrial-strength “merchant” products already available from Netscape, Microsoft, IBM, and other software sellers.

Secure Electronic Payment Protocol (SEPP):

SEPP is an open, vendor-neutral, license-free specification that secures on-line transactions.

It provides a standard for presenting credit card transactions on the Internet.

Some of the companies that have developed SEPP are IBM, Netscape, CyberCash and MasterCard.

There are several major business requirements addressed by SEPP:

• To enable confidentiality of payment information

• To ensure integrity of all payment data transmitted

• To provide authentication that a cardholder is the legitimate owner of a card

• To provide authentication that a merchant can accept MasterCard payments with an acquiring member financial institution

SEPP Process:

1. SEPP assumes that the cardholder and merchant have been communicating in order to negotiate the terms of a purchase and generate an order.

2. These processes may be conducted via a WWW browser.

3. These operations may also be performed through the use of e-mail, via the user's review of a paper or CD-ROM catalogue, or by other mechanisms.

4. SEPP is designed to support transaction activity exchanged in both interactive (on-line) and non-interactive (off-line) modes.

The elements involved in electronic commerce are:

• Cardholder:

This is an authorized holder of a bankcard supported by an issuer and registered to perform electronic commerce.

• Merchant:

This is a merchant of goods, services and/or e-products who accepts payment for them electronically and may provide online selling services and electronic delivery of items for sale (e.g., e-products).

• Acquirer:

This is a (MasterCard member) financial institution that supports merchants by providing services for processing credit card based transactions.

• Certificate management system:

This is an agent of one or more bankcard associations that provides for the creation and distribution of electronic certificates for merchants, acquirers and cardholders.

• Bank net:

This represents the existing network which interfaces acquirers, issuers, and the certificate management systems.

Messages for SEPP-compliant processing of payment transactions

i. Purchase order request

ii. Authorization request

iii. Authorization response

iv. Purchase order inquiry

v. Purchase order inquiry response

Additional messages for online customers

a. Initiate

b. Invoice

c. Purchase order response (with purchase order status)

Messages for offline (i.e., e-mail) transactions or transactions sent to a merchant not on-line with the acquirer

d. Purchase order response (acknowledgement without authorization)

SEPP PROCESS DIAGRAM

The merchant sends an authorization request to the acquirer. The acquirer performs the following tasks:

• Authenticates the merchant

• Verifies the acquirer/merchant relationship

• Decrypts the payment instruction from the buying cardholder

• Validates that the buying cardholder certificate matches the account number used in the purchase

• Validates consistency between the merchant's authorization request and the cardholder's payment instruction data

• Formats a standard authorization request to the issuer and receives the response

• Responds to the merchant with a validated authorization request response

Secure Electronic Transaction (SET):

Secure Electronic Transaction (SET) was an early communications protocol used by e-commerce websites to secure electronic debit and credit card payments. Secure Electronic Transaction was used to facilitate the secure transmission of consumer card information via electronic portals on the Internet.

The following list depicts the key functions of the specification.

• Provide for confidential payment information and enable confidentiality of order information that is transmitted with payment information.

• Ensure integrity for all transmitted data.

• Provide authentication that a buyer is a legitimate user of a branded (e.g., Visa, MasterCard, American Express) bankcard account.

• Ensure the use of the best security practices and design techniques to protect all legitimate parties in an electronic commerce transaction.

• Ensure the creation of a protocol that neither depends on transport security mechanisms nor prevents their use.

• Facilitate and encourage interoperability across software and network providers. SET offers buyers more security than is available in the commercial market: instead of providing merchants with access to credit card numbers, SET encodes the numbers so that only the consumer and the financial institution have access to them.

• A similar process takes place for the merchant: at the time of the purchase, each party's SET-compliant software validates both merchant and cardholder before any information is exchanged.

• SET is a combination of an application-level protocol and recommended procedures for handling credit card transactions over the Internet.

• SET-based systems will raise the comfort level of web shopping for both merchants and consumers.

SET PROTOCOL COMPONENTS

• SET will provide online vendors with a seamless, fraud-resistant way to handle activities ranging from displaying goods on-line to settling credit card transactions via back-office links to banks.

• SET requires that an individual possess a digital certificate for each credit card that he or she plans to use.

• The requirement may cause some management concerns for those users with more than one credit card.

• RSA Data Security has introduced a developer kit that complies with SET. The kit helps developers build SET-capable applications without building from scratch and is supported by vendors.

• SET does not use full-text encryption because it would require too much processing time.
