
Electronic Marketing




Chapter 15
Security on the E-commerce Site

Electronic Marketing: Integrating Electronic Resources into the Marketing Process, 2e (2004), Joel Reedy and Shauna Schullo. Slides dated 1/21/2011.
A Survey of Cryptography



• Cryptography produces cryptographic methods, known as
  cryptosystems:

       – Symmetric cryptosystems use the same key (the secret key) to
         encrypt (scramble) and decrypt (unscramble) a message
       – Asymmetric or public key cryptosystems use two keys: one
         key (the public key) to encrypt a message and a different key
         (the private key) to decrypt it
• Symmetric cryptosystems are the easier of the two to
  implement, since only one key is required


Digital Certificate



• Authentication is the digital process of verifying that people
  or entities are whom or what they claim to be

• Digital certificates are, in effect, virtual fingerprints or retinal
  scans that authenticate the identity of a person or thing in a
  concrete, verifiable way




Digital Certificate



• A typical digital certificate is a data file of information,
  digitally signed and sealed using RSA encryption
  techniques, that can be verified by anyone and includes:

       – The name of the holder and other identification information,
         such as an e-mail address
       – A public key, which can be used to verify the digital signature
         of a message sender who signed the message with the matching,
         mathematically unique private key
       – The name of the issuer, or Certificate Authority
       – The certificate’s validity period
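An added example, not from the textbook slides: a Go program using the standard library's crypto/x509 package to build a hypothetical Certificate Authority and a holder certificate containing the fields the slide lists (holder name and e-mail, holder public key, issuer name, validity period), then verify that certificate the way anyone holding only the CA's public certificate can. The names "Demo Certificate Authority" and "Alice Example", the address alice@example.com, and the 2024 to 2025 validity window are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed validity window for the demo certificates (not taken from the slides).
var notBefore, notAfter = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
func check(err error) { // demo-only: abort if key generation or certificate creation fails
	if err != nil {
		panic(err)
	}
}
// issue signs tmpl with the signer's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}
// DemoPKI builds a self-signed CA and one holder certificate with the slide's fields (names are hypothetical).
func DemoPKI() (ca, holder *x509.Certificate) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048) // the CA's signing key, never shared
	check(err)
	holderKey, err := rsa.GenerateKey(rand.Reader, 2048) // the holder keeps this private key
	check(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "Demo Certificate Authority"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	holderTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "Alice Example"}, EmailAddresses: []string{"alice@example.com"}}
	holder = issue(holderTmpl, ca, &holderKey.PublicKey, caKey) // the CA signs the holder's public key
	return ca, holder
}
// VerifyHolder is what anyone with only the CA's public certificate can do: check the issuer's
// signature and that the validity period covers time now, then return the verified holder name.
func VerifyHolder(holder, ca *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := holder.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", err
	}
	return holder.Subject.CommonName, nil
}
```

A certificate that is expired, not yet valid, or signed by a different key than the trusted CA's is rejected by VerifyHolder even when every name in it matches.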
Digital Certificate



• To create a digital certificate for an individual, the identity of
  the person, device, or entity that requests a certificate must
  be confirmed. This is typically accomplished through a
  combination of the following:

       – Personal presence
       – Identification documents




Digital Certificate



• Digital certificates may be distributed online. Typical means
  of distributing certificates include:

       – A certificate accompanying a signature
       – A directory service
• The decision to revoke a certificate is the responsibility of
  the issuing company




Secure Sockets Layer (SSL)



• SSL was introduced in 1995 by Netscape as a component of
  its popular Navigator browser and as a means of providing
  privacy with respect to information being transmitted
  between a user’s browser and the target server, typically
  that of a merchant

• SSL establishes a secure session between a browser and a
  server




Secure Sockets Layer (SSL)



• A channel is the two-way communication stream
  established between the browser and the server, and the
  definition of channel security indicates three basic
  requirements:
       – The channel is reliable
       – The channel is private
       – The channel is authenticated
• By virtue of SSL’s requirement of Transmission Control
  Protocol (TCP) as the transport mechanism, channel
  reliability is inherent

Secure Sockets Layer (SSL)



• Encryption of the session is preceded by a “data handshake”
  that has two major phases:

       – The first phase is used to establish private communications,
         and uses a key-agreement algorithm
       – The second phase is used for client authentication
• Limits of SSL

       – While the possibility is very slight, successful cryptographic
         attacks against the underlying algorithms can render SSL
         insecure

Secure Electronic Transaction (SET)



• In 1996, MasterCard and Visa announced the development
  of a single technical standard for safeguarding payment
  card purchases made over open networks called Secure
  Electronic Transaction (SET).

• Since 1996, both Visa and MasterCard have continued their
  search for better security to reassure online consumers and
  merchants. To this end, both now have special programs
  that allow a cardholder to set a password to protect their
  card from unauthorized use. This process protects both the
  consumer and the merchant.

Secure Electronic Transaction (SET)



• SET sought to bolster confidence by mitigating the security
  risks in SSL

• SET ensured that merchants were authorized to accept
  credit card payments, thus reducing risks associated with
  merchant fraud

• SET ensured that the purchaser was an authorized user of
  the payment card




Secure Electronic Transaction (SET)



• While the goal of SSL is to reduce the likelihood of
  communication interception, the goal of SET is to reduce
  the likelihood of fraud

• SET provides the special security needs of electronic
  commerce with the following:
       – Privacy of payment data and confidentiality of order
         information transmission
       – Authentication of a cardholder for a branded bank card
         account
       – Authentication of the merchant to accept credit card payments

Secure Electronic Transaction (SET)



• The purchasing process
       – A merchant applies for, and receives, an account with an
         issuing bank, just as they would apply for a normal credit card
         merchant account
       – A consumer applies to an issuing bank for a digital credit
         card, which is a digital certificate that has been personalized
         for the credit-card holder
       – After the consumer receives her digital credit card, she adds it
         to her browser wallet
       – The consumer browses the Web at a particular site and, at
         checkout time, the Web site asks for the shopper’s credit card

Secure Electronic Transaction (SET)



• The process continued…
       – Instead of typing in the credit card number, the browser wallet
         is queried by the Web site SET software and, following
         selection of the appropriate credit card and entry of its
         password by the consumer, the bank-issued digital credit card
         is submitted to the merchant
       – The merchant receives the digital credit card in a digital
         envelope
       – The merchant software then sends the SET transaction to a
         credit card processor (also known as a “payment gateway
         application” or “acquirer”) for verification

Secure Electronic Transaction (SET)



• The process continued…
       – The financial institution performs functions on the transaction,
         including authorization, credit and capture, and reversals
         (voiding and refunds)
       – Following successful processing, the merchant, cardholder,
         and credit card processors are all advised electronically that
         the purchase has been approved
       – Following this notification, the cardholder is debited and the
         merchant is paid through subsequent capture transactions
       – The merchant can then ship the merchandise, knowing that the
         customer transaction is approved

Secure Electronic Transaction (SET)


• Limitations of SET and SSL
       – A downside of both the SSL and SET protocols is that they
         require cryptographic algorithms that place significant
         loads on the computer systems involved in the commerce
         transaction
       – For low- and medium-volume e-commerce applications, there is
         no additional server cost to support SET over SSL
       – For large e-commerce server applications, support of SET
         requires additional hardware acceleration, in the range of a 5 to
         6% increase in server costs
       – For small payment gateway applications using SET, hardware
         acceleration is also required

Secure Electronic Transaction (SET)



Thus, the conclusion is that SET has a definitive security
component that very clearly represents an advance in
technology over SSL, and that any deficits that may be related
to performance will quickly be rendered minor as hardware-based
processing technology rapidly advances



