Basics of E-Commerce BT0054

SET-1
Books ID: B0035

1. What are the difficulties and or issues of e-Commerce? Explain.

Ans: E-Commerce has a scope as wide as an ocean, and there is the implementation
hurdle.
It has difficulties that are:-

High profile failure:

➢ Failure in fulfillment system.

➢ Failure in customer services.
➢ Failure in technology and infrastructure.
➢ Failure in legal compliance.
➢ Failure in fraud control.

Hidden complexities:
The system and services that can fail include

➢ Web server
➢ Database server
➢ Internet services provider(ISP)
➢ Local loop (Connection between web & ISP)
➢ Commerce software
➢ Credit card gateway
➢ Credit card processor
➢ Fulfillment system
Establishment the trust:
Steps involved in simple retail transaction between buyer and seller is given below
➢ Information sharing
➢ Establishing trust
➢ Negotiation deal
➢ Payment and settlement
➢ Procedure and delivery
➢ After sale services

Customer view:

➢ Is the merchant has the authority to sell the product?

➢ Is he charge the right price?

Merchant view:

Cybotech Campus Page 1

Basics of E-Commerce BT0054
➢ Is the consumer or customer has the right to buy?
➢ Is there any social restriction on the item asked?

2. What is Firewall? Explain how it works as a packet filters.

Ans: A firewall is a part of a computer system or network that is designed to block
unauthorized access while permitting authorized communications. It is a device or set of
devices which is configured to permit or deny computer applications based upon a set
of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both.

Firewalls are frequently used to prevent unauthorized Internet users from accessing
private networks connected to the Internet, especially intranets. All messages entering
or leaving the intranet pass through the firewall, which examines each message and
blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

1. Packet filter: Packet filtering inspects each packet passing through the network
and accepts or rejects it based on user-defined rules. Although difficult to
configure, it is fairly effective and mostly transparent to its users. It is susceptible
to IP spoofing.
2. Application gateway: Applies security mechanism to specific application such
as FTP and Telnet servers. This is very effective, but can impose a performance
degradation.
3. Circuit-level gateway: Applies security mechanism when a TCP or UDP
connection is established. Once the connection has been made, packet can flow
between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The
proxy server effectively hides the true addresses.

3. What are the methods used for encryption?

Ans: Two methods are used for encryption

 Secret key or symmetric encryption.

 Public key or asymmetric encryption.
Secret key: In this type of encryption scheme, both the sender and
recipient possess the same key, to encrypt and decrypt the data.

Cybotech Campus Page 2

Basics of E-Commerce BT0054
Drawbacks

➢ Both parties must agree upon a shared secret key.

➢ If there are “n” correspondent one have to keep track of n-different
secret keys. If the same key is used by more than one
correspondent, common key holders can read each other’s mail.
➢ Symmetric encryption schemes are also subjected to authenticity
problems. Because, sender & recipient have the same secret key
identify of originator or recipient cannot be proved. Both can encrypt
or decrypt the massage.

Publi key or Asymmetric encryption: Public-key cryptography is a

cryptographic approach which involves the use of asymmetric key
algorithms instead of or in addition to symmetric key algorithms. Unlike
symmetric key algorithms, it does not require a secure initial exchange of
one or more secret keys to both sender and receiver. The asymmetric key
algorithms are used to create a mathematically related key pair: a secret
private key and a published public key. Use of these keys allows protection
of the authenticity of a message by creating a digital signature of a
message using the private key, which can be verified using the public key.
It also allows protection of the confidentiality and integrity of a message, by
public key encryption, encrypting the message using the public key, which
can only be decrypted using the private key.

Public key cryptography is a fundamental and widely used technology

around the world. It is the approach which is employed by many
cryptographic algorithms and cryptosystems. It underlies such Internet
standards as Transport Layer Security (TLS) (successor to SSL), PGP, and
GPG.

The two main branches of public key cryptography are:

Public key encryption — a message encrypted with a recipient's public

key cannot be decrypted by anyone except a possessor of the matching
private key -- presumably, this will be the owner of that key and the person
associated with the public key used. This is used for confidentiality.
Digital signatures — a message signed with a sender's private key can be
verified by anyone who has access to the sender's public key, thereby
proving that the sender had access to the private key (and therefore is
likely to be the person associated with the public key used), and the part of

Cybotech Campus Page 3

Basics of E-Commerce BT0054
the message that has not been tampered with. On the question of
authenticity, see also message digest.
An analogy to public-key encryption is that of a locked mailbox with a mail
slot. The mail slot is exposed and accessible to the public; its location (the
street address) is in essence the public key. Anyone knowing the street
address can go to the door and drop a written message through the slot;
however, only the person who possesses the key can open the mailbox
and read the message.

An analogy for digital signatures is the sealing of an envelope with a

personal wax seal. The message can be opened by anyone, but the
presence of the seal authenticates the sender.

A central problem for use of public-key cryptography is confidence (ideally

proof) that a public key is correct, belongs to the person or entity claimed
(i.e., is 'authentic'), and has not been tampered with or replaced by a
malicious third party. The usual approach to this problem is to use a public-
key infrastructure (PKI), in which one or more third parties, known as
certificate authorities, certify ownership of key pairs. Another approach,
used by PGP, is the "web of trust" method to ensure authenticity of key
pairs.

Secret Key Encrypt

(Cipher text)

Internet 1

Original Encrypted
Secret Key Decrypt
Massage
Cybotech Campus
Message Page 4

(Cipher text)
Basics of E-Commerce BT0054

Encrypted Original
Message Message

Recipient

Public Key Encryption

(Cipher Text)

internet

Recipient

Original Message Encrypted

Message
Private Key Decrypt
Cybotech Campus Page 5
Basics of E-Commerce BT0054

Encrypted Original Message

Message

4. Explain credit card payment schemes on Internet.

Ans: Sequence of credit card payment scheme on internet
Cardholder: The holder of the card used to make a purchase; the consumer.

Card-issuing bank: The financial institution or other organization that issued the credit
card to the cardholder. This bank bills the consumer for repayment and bears the risk
that the card is used fraudulently. American Express and Discover were previously the
only card-issuing banks for their respective brands, but as of 2007, this is no longer
the case. Cards issued by banks to cardholders in a different country are known
as offshore credit cards.

Merchant: The individual or business accepting credit card payments for products or
services sold to the cardholder.

Acquiring bank: The financial institution accepting payment for the products or
services on behalf of the merchant.

Cybotech Campus Page 6

Basics of E-Commerce BT0054
Independent sales organization: Resellers (to merchants) of the services of the
acquiring bank.

Merchant account: This could refer to the acquiring bank or the independent sales
organization, but in general is the organization that the merchant deals with.

Credit Card association: An association of card-issuing banks such as Visa,

MasterCard, Discover, American Express, etc. that set transaction terms for merchants,
card-issuing banks, and acquiring banks.

Transaction network: The system that implements the mechanics of the electronic
transactions. May be operated by an independent company, and one company may
operate multiple networks.

Affinity partner: Some institutions lend their names to an issuer to attract customers
that have a strong relationship with that institution, and get paid a fee or a percentage of
the balance for each card issued using their name. Examples of typical affinity partners
are sports teams, universities, charities, professional organizations, and major retailers.

5. Explain internet v/s private nets.

Ans: The protocols are being developed to allow Internet users to reserve

bandwidth for applications, and for prioritized traffic, for example, the Resource
reservation Protocol, or RSVP, has been developed to help reserve bandwidth for
multimedia transmissions such as streaming audio, Video and video conferencing , this
same protocol can be used to priority e-mail for EDI messages or FTP for file transfers.
Routers supporting RSVP are only now becoming available it’ll be some time before a
great deal of the internet routinely supports RSVP. ISPs are also starting to offer their
own end-to-end networks across the United States independently of the Internet’s main
backbone, but still link to it is needed. Aimed at businesses, these networks can be
used to speed along summer Internet traffic. These private commercial networks also
make it easier for companies to form virtual private networks (VPNs) with added
security; replacing private corporate networks can be less costly than leased-line net-
works, even with the additional rates incurred. Private networks also offer another
advantage that they link to the internet, allowing for communication with other partners
and customer without requiring special set ups.

Books ID: B0045

6. Explain the following security attacks

Cybotech Campus Page 7

Basics of E-Commerce BT0054
a) IP Spoofing b) Denial of Service Attack.

Ans: a) IP Spoofing- IP spoofing hides your IP address by creating IP packets that

contain bogus IP addresses in an effort to impersonate other connections and hide your
identity when you send information. IP spoofing is a common method that is used by
spammers and scammers to mislead others on the origin of the information they send.

Use of IP spoofing

IP spoofing is used to commit criminal activity online and to breach network security.
Hackers use IP spoofing so they do not get caught spamming and to perpetrate denial
of service attacks. These are attacks that involve massive amounts of information being
sent to computers over a network in an effort to crash the entire network. The hacker
does not get caught because the origin of the messages cannot be determined due to
the bogus IP address.

IP spoofing is also used by hackers to breach network security measures by using a

bogus IP address that mirrors one of the addresses on the network. This eliminates the
need for the hacker to provide a user name and password to log onto the network.

b) Denial of Service Attack- A denial-of-service attack (DoS attack) or distributed

denial-of-service attack (DDoS attack) is an attempt to make a computer resource
unavailable to its intended users. Although the means to carry out, motives for, and
targets of a DoS attack may vary, it generally consists of the concerted efforts of a
person or people to prevent an Internet site or service from functioning efficiently or at
all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or
services hosted on high-profile web servers such as banks, credit card payment
gateways, and even root nameservers. The term is generally used with regards to
computer networks, but is not limited to this field, for example, it is also used in
reference to CPU resource management.
One common method of attack involves saturating the target (victim) machine with
external communications requests, such that it cannot respond to legitimate traffic, or
responds so slowly as to be rendered effectively unavailable. In general terms, DoS
attacks are implemented by either forcing the targeted computer(s) to reset, or
consuming its resources so that it can no longer provide its intended service or
obstructing the communication media between the intended users and the victim so that
they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the IAB's Internet proper use
policy, and also violate the acceptable use policies of virtually all Internet Service
Providers. They also commonly constitute violations of the laws of individual nations.
7. Explain the limitations and weakness of e-Commerce security measures.

Ans:

Cybotech Campus Page 8

Basics of E-Commerce BT0054
8. Explain the methods used in Random key ganeration.

Ans: A practical and secure crypto system needs keys that cannot be

guessed. There should be no way for an outsiders to predict what keys are being used,
or even to guess approximately which keys might have been used. A good key
generator will produce keys that cannot be guessed even if attackers know how the
generator works.
Many procedures called pseudorandom number generators (PRNGs), which generate
hard-to-predict sequences of numbers. For true randomness you must seed these
procedures with initial value. A good PRNG is not enough by itself to produce effective
keys. The generation process must be seeded by a random number that is sufficiently
hard to guess. We need a random technique to generate a random seed value so we
can generate a series of fandom numbers. In practice there are three computer-based
approaches for producing truly random data:
1. Monitor hardware that generates random data.
2. Collect random data from user interaction.
3. Collect hard-to-predict data from inside the computer.
But we will discuss here about only two methods.
Hardware based random number generation is the best though most costly approach.
The generator is usually an electronic circuit that is sensitive to some random physical
event. Like diode noise or cosmic ray bombardment, and converts the event into an
unpredictable sequence of bits. However their rarity makes it expensive to add them to
a system. User interaction is a very good source of random data, though it can be
inconvenient. People are notoriously bad at doing the same thing twice, and random
data can be collected by tracking interactive human behavior. For example PGP e-mail
package collects keystrokes from the user and measures the time between keystrokes
to produce a random seed value.

9. Write a note on Centralized Flat Key Management scheme

Ans: Instead of organizing the bits of the id in a hierarchical, tree-

based fashion and distributing the keys accordingly, they can also be assigned in a flat
fashion (). This has the advantage of greatly reducing database requirements, and
obviates the sender from the need of keeping information about all participants. It is now
possible to exclude participates without knowing whether they were in the group in the
first place.
The table contains 2W KEYS, two keys for exact bit, corresponding to the two values
that bit can take. The key associated with bit b having value v is referred to as kb.v(“Bit
keys”). While the keys in the table could be used to generate a tree-like keying
structure, they can also be used independently of each other.

Cybotech Campus Page 9

Basics of E-Commerce BT0054
The results are very similar to the tree based control from, but the key space is much
smaller: for an id length of w bits, only 2W+1 key are needed, independent of the actual
number of participants. The number of participants is limited to 2w, so a value of 32 is
considered a good choice. To allow for the separation of participants residing; on the
same machine the id space can be extended to 48 bits, thus including port number
information. For ipv6 and calculated ids, a value of 128 sh8ould be chosen to avoid
collisions. This still keeps the number of keys and the size of change messages small.
Besides reducing the storage and communication needed, this approach has the
advantage that nobody needs to keep track of who is currently a member, yet the group
manager is still able to expel an unwanted participant.

10. What is Digital signature? Explain how digital signatures are produced.

Ans: The digital signature is the most novel mechanism provided by modern crypto
technology. It is a mechanism that does not involves secret but it protect data from
undetected change. digital signature associates the data with the owner of a specific
private key.

Digital signatures use a private key to produce a crypto checksum. Crypto checksum
based on conventional secret key techniques can only be verified by people, who are
trusted with the secret key, and the technique cannot tell which key holder actually
produced the crypto checksum. Digital signature are tied to a particular private key, so
we can say safely assume that only the private key holder could have produced the

corresponding digital signature. Anyone with the corresponding public key can validate
the hash or checksum themselves, tying the message’s contents to the holder of the
corresponding private key.

Kamal

Ajay’s
Kamal Comp
PUB Kamal
Public Key
Raman forger

Private
Kamal
Key
Cybotech Campus Page 10
Public Key
Basics of E-Commerce BT0054

Void
Void
Encrypt
Pay Decrypt
Rs 1000 Pay
Rs
1000

Fig: Producing a digital signature

Using RSA to produce a digital signature: Kamal can uniquely sign any message she
sends by encrypting it with her public key. Anyone even Raman the forger, can decrypt
and read it with her public key. But Raman cannot produce an acceptable forgery
without Kamal’s private key. Kamal’s public key will dectypt the message only if her
private key.

Attacks on Digital Signatures

➢ Smooth number attack

➢ Cube root attack
➢ Varying the ciphertext
➢ “Birthday attack” on hash functions

Smooth number attack

A smooth number is the product of reasonably small primes. If Raman the forger has
the collection of Kamal’s signed messages, and the message texts are composed of
small primes or products of small primes, he can use these messages to construct an
“alphabet” of Kamal’s signature values. He can then construct any “signed” message
that uses an existing value, or a product, or power of the values in his “alphabet”
padding the signed value with random, non-zero data easily defeats this.

Cube root attack

If the public key value is 3, then a valid digital signature is generally a cube root. If you
pad on the right with zeroes and then sign, an attacker can generate different text to
sign (zero padded) take its cube root, and add “random” digits to the right to full it up to
the text integer cube root value. This effectively forges the signature.

Varying the ciphertext

Cybotech Campus Page 11

Basics of E-Commerce BT0054
Kamal needs to send a message to Raman, the forger. Nobody but Raman should able
to read the message. She also wants to sign the message to ensure that Raman does
not modify it and pass around a forgery. So, she encrypts the message with Raman’s
public key and then applies her private key to message to sign it. Since the message is
encrypted with his public key and the encrypted version is signed, Raman can modify
the signed message by modifying how his encryption is performed. Since Kamal signed
the encrypted text, her signature does not detect the fact that the transformation from
the plain text to cipher text was modified. Thus the signature still matches, but Raman
can claim that the message really says something different from that Kamal really said.

Kamal protects herself by making it nearly impossible for Raman to construct alternate
messages that produce the same digital signature. The usual approach is to use a hash
function to construct the digital signature. This reduces the problem to one of finding a
second message with the same hash as the first one. Another step Kamal can take is to
sign the message In plaintext before encrypting it, instead of signing the ciphertext
version. However there are occasions where it is worthwhile to be able to validate a
signature without decrypting the underlying data, so signing the plaintext is not always
the best solution.

“Birthday attack” on hash functions

Cybotech Campus Page 12

Basics of E-Commerce BT0054

Cybotech Campus Page 13