VARNA FREE UNIVERSITY

SECURITY IN E-COMMERCE

Prof. Teodora Bakardjieva

Objectives of the course
To discuss the cryptography and its role in
e-commerce.
Digital certificate and the foundation for
payment system.
To discuss method of security, secure
sockets layer Vs. secure electronic
transaction protocols.
What is the Cryptography?
It is the result of creation cryptographic methods,
known as cryptosystems:
 Symmetric Cryptosystem:
 Use the same key, or the secret key, to encrypt or scramble and
decrypt or unscramble message.
 Asymmetric Cryptosystem:
 Use one key to encrypt a message and a different key to
decrypt it. It is also called public key cryptosystems and rely
on technology in which two keys, the public key and the
private key are use to encrypt or decrypt data.
 Symmetric cryptosystem are the easier of the two
implement, since one key required to encrypt and
decrypt the message.
Digital Certificate
Authentication is the digital process of verifying
that people or entities are whom or what they clam
to be.
Digital certificate are in effect virtual fingerprints,
or retinal scans that authenticate the identity of a
person in a concrete, verifiable way.
A typical digital certificate is a data file or
information, digitally signed and sealed by the
encrypted using RSA encryption techniques, that
can be verified by anyone and includes:
 The name of holder and other identification
information, such as e-mail address.
Digital Certificate (cont.)
 A public key, which can be used to verify the digital
signature of a message sender previously signed with
the unique private key.
 The name of issuer, or Certificate Authority.
 The certificate’s validity period.
To create a digital certificate for an individual, the
identity of the person, device, or entity that
requested a certificate must be confirmed through
combination of:
 Personal Presence.
 Identification document.
Digital Certificate (cont.)
Digital certificates may be distributed
online, which includes:
 Certificate accompanying signature.
 Directory service.

The decision to revoke a certificate is the

responsibility of the issuing company
Secure Sockets Layer (SSL)
It is introduced in 1995 by Netscape as a
components of its popular Navigator browser and
as a means of providing privacy with respect to
information being transmitted between a user’s
browser and the target server, typically that of a
merchant
It is used by the most companies to provide
security and privacy and establishes a secure
session between a browser and a server.
Secure Sockets Layer (cont.)
A channel is the two way-way
communication stream established between
the browser and the server, and the
definition of a channel security indicates
three basic requirements:
 The channel is reliable.
 The channel is private.

 The channel is authenticated.

Secure Sockets Layer (cont.)
This encryption is preceded by a ‘data handshake’
and has two major phases:
 The first phase is used to establish private
communication, and uses the key-agreement algorithm.
 The second phase is used for client authentication.
Limits of SSL:
 While the possibility is very slight, successful
cryptographic attacks made against these technologies
can render SSL insecure.
Secure Electronic Transaction
(SET)
It is developed by Visa and Master card in 1996.
It is more secure protocol.
The difference between SET and widely used SSL
is that SSL does not include customer certificate
requiring special software called ‘digital wallet’ at
the client site.
SSL is built into the browser, so no special
software is needed.
It is build on reducing risk associated merchant
fraud, and ensuring that the purchaser is an
authorized user of credit card.
Secure Electronic Transaction
(cont.)
SET did not propagate as fast as most
people expected because of its complexity,
slow response time, and the need to install
the digital wallet into customer computer.
SET seek to bolster the confidence in the
payment process by ensuring that merchant
are authorized to accept credit card payment
Secure Electronic Transactions
(cont.)
SET provides the special security needs of
electronic commerce with the followings:
 Privacy of payment data and confidentiality of
of order information transaction.
 Authentication of a cardholder for a branded
bank card account.
 Authentication of merchant to accept credit
card payments.
The Purchasing Process
Merchant applies and receives an account.
Consumer applies to receive digital credit card.
When consumer receives credit card, its added to
browser wallet.
The consumer browser the Web at a particular site.
At the check out time, The Web site asks for a
credit card.
Instead of typing credit card number, the browser
wallet is queried by the Web SET software.
Purchase Process (cont.)
After entry of appropriate password, the digital
credit card is submitted to the merchant.
The merchant receives digital credit card in a
digital envelope.
The merchant software then sends the SET
transaction to a credit card processor for
verification.
The financial institution performs functions
including authorization, credit and capture(void or
refund).
Purchase Process (cont.)
Following successful processing, the merchant,
cardholder, and the credit card processor are all
advised electronically that the purchase has been
approved.
Following this notification, the card holder is
debited and the merchant is paid through
subsequent payment capture transactions.
The merchant can then ship the merchandise,
knowing that customer transaction is approved.
Limitations of SET and SSL
A downside of both SSL and SET protocols is that
they both require to use cryptographic algorithms
that place significant load on the computer
systems involved in commerce transactions.
For the low and medium e-commerce applications,
there is no additional server cost to support SET
over SSL.
For the large and medium term e-commerce server
application, support of SET requires additional
hardware acceleration resulting in 5-6% difference
in server cost.
Advantages of SET
It is an emerging technology has a definite
security component that very clearly
represents an advance in technology over
SSL, and that any deficits that may be
related to performance will quickly be
rendered minor as hardware-based
processing technology rapidly advance.
Despite fact that SET is more secure
protocol.