E-commerce

Víctor E. Ríos

Abstract

E-commerce is a very important tool for business; the benefits it generates are even raising the economies of some countries. The transactions made in e-commerce applications use information such as bank accounts, credit card numbers and general information about the parties involved, therefore security must be in the designer's mind when the applications are being designed. In this work, I explain the importance of e-commerce security as well as the protocols associated with it.

Contents

Electronic commerce

Secure E-commerce protocol

Public Key Infrastructure

Digital Signatures and Certificates

Secure Socket Layer

Pretty Good Privacy

Secure Electronic Transaction

Introduction to e-commerce

E-commerce (electronic commerce) consists of buying and selling products or services by electronic means, using principally the Internet as the medium for transactions.

Benefits of e-commerce:

Removes geographical barriers.

Allows companies to enhance their supply chain operation.

Expands the customer base.

Creates a competitive advantage.

Reduces production costs.

Allows trading continuously.

Types of e-commerce

Business-to-Consumer (B2C)

Business-to-Business (B2B)

Business-to-Government (B2G)

Consumer-to-Consumer (C2C)

Business-to-Consumer (B2C)

Companies selling goods and/or services to people in general, the end-users. For selling physical goods, the companies offer their products through a website with a storefront or through online catalogs.

E-tail

E-tail is the business of selling goods directly to people using electronic means. Although the Internet is an insecure channel, it is the main channel used to sell these products, through the World Wide Web.

www.etail.com

Business-to-Business (B2B)

Business-to-business (B2B) refers to commerce transactions between businesses. The volume of B2B transactions is higher than that of B2C transactions, because the supply chain involves more transactions than a single B2C transaction.

Business-to-Government (B2G)

Business-to-Government refers to selling goods or services to the different levels of government.

Consumer-to-Consumer (C2C)

Consumer-to-consumer commerce involves transactions between consumers through some trusted third party. The third party organizes the transaction and receives something from it. The transactions can be online auctions.

Security in e-commerce

Security is fundamental to providing the confidence that e-commerce requires. The e-commerce protocol is divided into phases, and each phase needs security measures to protect the process.

Schmid's e-commerce model.

Information phase: The parties find partners, compare the offers, specify the trade relation and choose the products to be traded.

Contracting phase: The parties sign a contract.

Delivery phase: The payment and the delivery are done.

Security measures in E-commerce transaction phases

E-commerce security requirements

Access Control

Privacy/Confidentiality

Authentication

Non-Repudiation

Integrity

Availability

Supports man-in-the-middle attacks.

Public Key Infrastructure (PKI)

Establishing an infrastructure that supports public key encryption satisfies the requirement of authentication. The PKI allows the system to distribute and use public keys and digital certificates. One of the algorithms used for public key encryption is RSA.

Public Key Infrastructure

The PKI allows parties to communicate through insecure channels, such as the Internet, even without previous knowledge of the other party. This process requires certificates and digital signatures. A secure e-commerce protocol also provides certificates and a . A certificate authority (CA) issues the certificates to customers or merchants.

Certificates

For a secure e-commerce protocol, the certificate schema of the customer and the merchant contains:

Certificate holder's name and ID, certificate holder's public key information, certificate serial number, key usage limitation definition, certificate policy information, certificate validity period, certificate issuer's name and ID.

The certificate is encrypted (signed) with the private key of a CIA (Certificate Issue Authority).

Google certificate

Digital Signatures

Digital signatures also fulfil the requirements of authentication and integrity. By encrypting a value with the sender's private key, the only way to get the message back is to decrypt the received ciphertext with the sender's public key.

Secure Socket Layer (SSL)

Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) provide secure communication between the parties involved. SSL/TLS is used in operations that involve information exchange, such as e-commerce transactions. SSL/TLS employs digital certificates and PKI to provide authentication. The information is sent in packets through different routes.

Secure Socket Layer (SSL)

Specifies the algorithms for the communication:

Public key exchange: RSA, Diffie-Hellman, DSA, Fortezza.

Provides certificate-based authentication.

Symmetric encryption: RC4, AES, DES, Triple DES, IDEA.

Hash functions: MD5, SHA.
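The algorithm list above mixes primitives that are now considered broken for this purpose (RC4, DES, MD5) with ones still in use. As an added example, not part of the original slides, the following Python uses the standard `ssl` module to build a client context that allows only TLS 1.2 and later with forward-secret key exchange and AEAD ciphers, then audits what the local OpenSSL can still negotiate, grouped the way the slide groups them (key exchange, symmetric cipher, digest). The cipher string and the `WEAK_TOKENS` list are my choices; the exact suites reported depend on the OpenSSL build.

```python
import ssl

# Substrings that identify the deprecated primitives from the slide's list
# (RC4, DES/Triple DES, MD5) plus suites with no encryption or no authentication.
# This list is a constructed choice for the audit, not an OpenSSL constant.
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")

def hardened_context():
    """Client context restricted to TLS 1.2+, ECDHE key exchange and AEAD ciphers."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string applies to TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    return ctx

def weak_ciphers(ctx):
    """Names of enabled cipher suites that still use a weak primitive (should be empty)."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if any(tok in c["name"].upper() for tok in WEAK_TOKENS))

def negotiable_algorithms(ctx):
    """Group what the context can negotiate into the slide's three categories,
    using the metadata OpenSSL reports for each suite."""
    summary = {"key_exchange": set(), "symmetric": set(), "digest": set()}
    for c in ctx.get_ciphers():
        summary["key_exchange"].add(c["kea"])
        summary["symmetric"].add(c["symmetric"])
        summary["digest"].add(c["digest"] or "aead")   # AEAD suites report no separate MAC
    return summary

if __name__ == "__main__":
    ctx = hardened_context()
    print("weak suites enabled:", weak_ciphers(ctx) or "none")
    for category, names in negotiable_algorithms(ctx).items():
        print(f"{category}: {', '.join(sorted(names))}")
```

Running the script on a current OpenSSL build prints an empty weak-suite list and only ECDHE (or TLS 1.3's "any") key exchange with AES-GCM or ChaCha20 ciphers; the same `weak_ciphers` check can be pointed at any context an application builds.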

Pretty Good Privacy (PGP)

Phil Zimmermann (1991)

Pretty Good Privacy satisfies the confidentiality and authentication requirements. The other services provided by PGP are compression, e-mail compatibility and segmentation.

PGP Authentication

The first party generates a message. From this message the sender obtains a 160-bit hash code using SHA-1. The hash code is encrypted with the sender's private key (digital signature) and is concatenated with the message. The result is compressed. Then symmetric encryption is applied. The session key is encrypted using the receiver's public key and is added to the ciphertext.

PGP Authentication

The receiver recovers the session key with its private key and decrypts the ciphertext with the session key. The text is decompressed. The encrypted hash code is decrypted using the sender's public key. A new hash is generated from the rest of the message using SHA-1. The new hash code and the received hash code are compared. If the two match, the message is accepted.

Pretty Good Privacy

PGP Confidentiality

The sender creates a message to be transmitted and a 128-bit session key. The message is encrypted with the session key. The session key is encrypted with the receiver's public key and is attached to the encrypted message. The receiver decrypts the session key and then decrypts the ciphertext to obtain the message.
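The PGP authentication and confidentiality slides above, together with the Digital Signatures section, describe one sign-compress-encrypt pipeline and its reverse. The following Python is added here and is not part of the original slides or of any PGP implementation: it walks the full round trip with the standard library only, using SHA-1 for the 160-bit hash, zlib for compression, a 128-bit session key, and a toy textbook RSA built over Mersenne primes as the public-key algorithm. The RSA has no padding and the symmetric cipher is a constructed SHA-256 keystream XOR standing in for RC4/AES; both are assumptions for illustration, not usable cryptography. Key sizes, function names and the sample order message are constructed.

```python
import hashlib
import secrets
import zlib

# Toy RSA built from four Mersenne primes so the example runs offline with the
# standard library only. Textbook RSA with no padding is NOT safe for real use;
# it is here only to show the PGP message flow end to end.
E = 65537

def make_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent
    return (E, n), (d, n)               # (public key, private key)

SENDER_PUB, SENDER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)      # ~196-bit modulus
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**61 - 1, 2**127 - 1)  # ~188-bit modulus

def rsa_apply(key, value):
    """Raw RSA: sign/decrypt with a private key, verify/encrypt with a public key."""
    exp, n = key
    if value >= n:
        raise ValueError("value too large for this modulus")
    return pow(value, exp, n)

def stream_xor(key, data):
    """Constructed stand-in for the symmetric cipher (RC4/AES on the slide):
    a SHA-256 keystream in counter mode, XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pgp_send(message, sender_priv, receiver_pub):
    """Sender side: hash, sign, concatenate, compress, encrypt, wrap the session key."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")   # 160-bit hash
    signature = rsa_apply(sender_priv, digest).to_bytes(32, "big")    # digital signature
    compressed = zlib.compress(signature + message)
    session_key = secrets.token_bytes(16)                              # 128-bit session key
    body = stream_xor(session_key, compressed)
    wrapped_key = rsa_apply(receiver_pub, int.from_bytes(session_key, "big")).to_bytes(32, "big")
    return wrapped_key + body

def pgp_receive(packet, receiver_priv, sender_pub):
    """Receiver side: unwrap the session key, decrypt, decompress, compare hashes."""
    wrapped_key, body = packet[:32], packet[32:]
    session_key = rsa_apply(receiver_priv, int.from_bytes(wrapped_key, "big")).to_bytes(16, "big")
    signature_and_message = zlib.decompress(stream_xor(session_key, body))
    signature, message = signature_and_message[:32], signature_and_message[32:]
    received_hash = rsa_apply(sender_pub, int.from_bytes(signature, "big"))
    new_hash = int.from_bytes(hashlib.sha1(message).digest(), "big")
    if received_hash != new_hash:
        raise ValueError("hash mismatch: message rejected")
    return message

def is_accepted(packet, receiver_priv, sender_pub):
    """True only if the packet decrypts cleanly and the signature verifies."""
    try:
        pgp_receive(packet, receiver_priv, sender_pub)
        return True
    except (ValueError, zlib.error, OverflowError):
        return False

if __name__ == "__main__":
    order = b"Order 1234: 2 units to a constructed address"   # constructed sample message
    packet = pgp_send(order, SENDER_PRIV, RECEIVER_PUB)
    print(pgp_receive(packet, RECEIVER_PRIV, SENDER_PUB))
    tampered = bytearray(packet)
    tampered[40] ^= 0x01                                         # flip one ciphertext bit
    print("tampered packet accepted?", is_accepted(bytes(tampered), RECEIVER_PRIV, SENDER_PUB))
```

The packet layout is simply the wrapped session key followed by the encrypted body, so the receiver needs nothing beyond its own private key and the sender's public key; flipping a single ciphertext bit makes either the decompression or the hash comparison fail, which is the integrity property the authentication slide describes.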

Attacks: Frauds

E-commerce security sometimes can't protect users against frauds or identity theft. Frauds:

The merchandise is not sent.

The products are of lesser value than advertised.

Not all relevant information about a product is made public.

Auction frauds: shill bidding, bid shielding.

Attacks

Attacks on SSL/TLS:

Password interception.

BEAST (Browser Exploit Against SSL/TLS Attack), based on a chosen ciphertext attack.

Timing attacks.

Attacks on PGP:

Passive attacks and keypress snooping.

The Trojan horse is still effective.

PGP is highly vulnerable to chosen ciphertext attacks.

Future works

The secure e-commerce protocol can handle only one transaction at a time. There are some requirements that are not fulfilled by the established protocols: replay threats and frauds cannot be handled by these cryptographic functions.

Conclusion

E-commerce is a great way to trade. E-commerce allows a company to reach new markets and increase its sales. Nevertheless, the information exchange requires strong protection against threats. Cryptographic techniques provide the protection that data management requires. In this work, I presented the main practices used to protect information against third parties.
