E-Commerce and E-Payments


"Everything must be assessed in money; for this enables men always to exchange their services, and so makes society possible" Aristotle (384 - 322 B.C.)
Electronic commerce, commonly known as e-commerce or eCommerce, consists of the buying and selling of products or services over electronic systems such as the Internet and other computer networks.
It covers web-based applications that enable online transactions with business partners, customers, and distribution channels.
Business-to-business (B2B) is a term commonly used to describe electronic commerce transactions between businesses, as opposed to those between businesses and other groups, such as business to (individual) consumers (B2C) or business to government (B2G).

Technical Needs for E-Commerce
  • Telecommunications infrastructure needed
  •  Specialized information systems
  •  Web servers and network servers
  •  Smart card readers
  •  System Security
  •  Security of on-line transactions including payment
  •  Security of computer systems (various attacks)
  •  System reliability
  •  Software development tools are evolving and changing rapidly
  •  Lack of standards may pose incompatibility problems
  •  Backward compatibility with existing applications and databases
E-commerce

  • 4 main “actors”:
- consumer
- merchant
- consumer’s bank
- merchant’s bank
  •  E-commerce security. Why?
- Everybody says so
- They do not trust the Internet
- They do not know what is going on at the merchant’s site
- They think that some hands are in their wallets
- They do not trust people in the process


Security Requirements
  • Confidentiality
- unauthorized parties must not see the data transmitted
  • Authentication
- parties must make sure of each other’s identity
  • Non-repudiation
- nobody should be able to deny sending a message or initiating a transaction later
- any possible dispute must be resolved fairly
  •  Integrity
- nobody should be able to alter the data while in transit
- if altered, the change must be detected

Security Mechanisms
  • Encryption
- encode the data so that only the intended party could decode
- for confidentiality
  •  Digital Signatures
- digital information that can be produced only by the sender
- the receiver must be able to verify that signature
- for authentication, non-repudiation, integrity

Classical Payment Instruments
  • Cash Payments
  • Cheque Payments
  • Order Payments/ Credit Transfer
  • Card Payments
Bank Cards


Types of Electronic Payments
Security requirements for E-Payment

  •  Payment authentication
  •  Payment integrity
  •  Payment authorization
  •  Payment confidentiality
  •  Payment availability / reliability
  •  Payer anonymity
  •  Payer transaction untraceability
  •  Confidentiality of payment data
  •  Non-repudiation of payment messages
  •  Freshness of payment messages
Online vs Offline Systems


  •  An online system requires access to a server for each transaction. Example: credit card authorization. Merchant must get code from issuing bank.
  • An offline system allows transactions with no server. Example: cash transaction. Merchant inspects money. No communications needed.
Technology in Security Electronic Payments
  • Encryption with one (secret) key (symmetric)
- Sender and receiver share the same algorithm
- The algorithm is public
- Eavesdropper sees the ciphertext and the algorithm
- All the security is in the key (none in the algorithm)
- If the eavesdropper learns the key, he can decrypt the ciphertext
- Examples: DES, Triple DES, RC4, RC6, Skipjack, AES


  • Encryption with two keys (asymmetric)
-  Different keys for encryption and decryption
-  Eavesdropper sees the ciphertext and one of the keys
-  All of the security is in one key; there is none in the algorithm or in the second key
- Key-1 is the public key; Key-2 is the private key
- Anyone can encrypt messages to a given recipient
- Only the intended recipient can decrypt messages addressed to him
- In the real world, systems use a combination of conventional and public-key cryptography
- Conventional cryptography is used to encrypt messages with a random key
- Public-key cryptography is used to encrypt that random key
- Examples: RSA, Diffie-Hellman, DSA, ECDSA

Data Integrity
  • Verify that the message content has not been modified, intentionally or accidentally during transmission
  •  A sequence of bits that depends on the content of the message ("finger print") travels with the message to be protected
  •  At the destination, the receiver recalculates the value and compares it with what is received. Any difference indicates tampering
  •  A blind signature is a special type of signature in which a message is signed without knowing its content (used for digital money)
Verification of Integrity with Symmetric Cryptography
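
The recalculate-and-compare check described under Data Integrity, done with a shared secret key, together with the "freshness of payment messages" requirement listed earlier. This is an added example, not part of the original notes; the field names, the JSON serialization and the 300-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 300  # assumed freshness window, not from the notes

def canonical(body):
    """Serialize deterministically so both sides fingerprint the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def protect(key, payment, now=None):
    """Sender: add nonce and timestamp, then attach the HMAC-SHA256 fingerprint."""
    ts = int(time.time() if now is None else now)
    body = dict(payment, nonce=secrets.token_hex(16), ts=ts)
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()  # nonces already accepted (replay cache)

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, canonical(msg["body"]), hashlib.sha256).hexdigest()
        # Recalculate and compare in constant time; any difference means tampering.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: integrity"
        if abs(now - msg["body"]["ts"]) > MAX_AGE_SECONDS:
            return "rejected: stale"
        if msg["body"]["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["body"]["nonce"])
        return "accepted"

def demo():
    key = secrets.token_bytes(32)  # constructed shared secret
    order = {"payer": "alice", "payee": "shop-42", "amount": "19.99"}  # constructed
    rx = Receiver(key)
    msg = protect(key, order, now=1000)
    forged = {"body": dict(msg["body"], amount="1999.00"), "mac": msg["mac"]}
    return [rx.verify(msg, now=1010), rx.verify(msg, now=1020),
            rx.verify(forged, now=1030), rx.verify(protect(key, order, now=0), now=1000)]

if __name__ == "__main__":
    print(demo())
```

Because both parties hold the same key, either could have produced the fingerprint, so this check gives integrity and authentication between them but not non-repudiation; that requires a digital signature.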

 
Verification of Integrity with Public Key
A more common approach is to use the fingerprint (hash) of the message because this reduces the computational load.
