E-commerce, or electronic commerce, is a part of e-business. It entails purchasing, selling or exchanging goods, services or information over computer networks such as the internet. All transactions are carried out electronically, without limitations of boundaries or time. E-commerce can be B2B (business to business), B2C (business to consumer), C2B (consumer to business) or C2C (consumer to consumer). Companies and other organisations create websites for the purpose of selling their products or services online.
In traditional business there are specific sales hours, you are physically confined to a specific geographical region, and you have to maintain a shop or office from which to sell. In e-commerce, by contrast, you are open to the world 24x7 and need only an internet service; delivery time is reduced, you enjoy global reach, inventories can be kept smaller, and it is actually the cheapest means of doing business. E-commerce enables people in third-world countries, and even those living in remote villages, to enjoy services that were not available to them a few years ago.
In such a set-up, where business is carried on between consumers and organisations, and even between organisations, security becomes an important factor. Some of the security issues are:
1. CONFIDENTIALITY ---- Information transmitted should not be tapped and decoded by anyone other than the intended recipient.
2. INTEGRITY ---- The original document should not be open to any changes.
3. AVAILABILITY ---- Information transmitted should be available whenever required, within pre-established time constraints.
4. AUTHENTICITY ---- When a message is received, it should be possible to verify that the document really comes from the person it claims to come from.
5. NON-REPUDIATION ---- Once a message is sent, the sender should not be able to deny, at a later date, having sent it.
To address the security concerns mentioned above, there are international organisations such as CERT (Computer Emergency Response Team) and the SANS Institute (System Administrator, Audit, Network and Security Institute).
Cryptography is one of the many efforts to deal with security issues. It is a technique for converting a message into an unintelligible form, so that if an unauthorised person intercepts the message, they will not be able to understand it. Cryptography is actually thousands of years old and was used to hide scientific and religious secrets. It includes ENCRYPTION (the process of making information unintelligible to an unauthorised person) and DECRYPTION (reversing the encryption to make the message readable again).
The main elements of encryption are:
1. PLAIN TEXT ---- The message that is to be encrypted.
2. CIPHER ---- The cryptographic algorithm; in public-key systems it is designed so that the public key (the key used for encryption) is different from the private key (the key used for decryption).
3. CIPHERTEXT ---- The encrypted message. Security depends upon how difficult it is to break the algorithm. For example, the data is considered safe if the cost and time required to break the algorithm are greater than the value of the encrypted data.
There are two basic types of cryptographic systems ----
1. SYMMETRIC ENCRYPTION or SECRET-KEY ENCRYPTION or SINGLE-KEY ENCRYPTION ---- It involves the use of a single key shared by both the sender and the receiver of the message. The sender encrypts the message with the key and sends it to the recipient. The recipient decrypts it using a copy of the same key used to encrypt it. A widely used method of secret-key encryption is DES (Data Encryption Standard). However, symmetric encryption is not practical for e-commerce, since a business dealing with thousands of customers every day would have to share a separate secret key with each of them. It is fine for sending a private e-mail to a friend. Also, both parties share the same key, so it is possible for one party to create a message with the shared secret key and later falsely claim that it had been sent by the other party.
2. ASYMMETRIC ENCRYPTION or PUBLIC-KEY ENCRYPTION ---- It uses a pair of asymmetric keys for encryption and decryption. Each pair consists of a ''public key'' and a ''private key''. The private key is not distributed and is kept secret, while the public key is distributed widely and made public. Data encrypted with the public key can be decrypted only with the private key. Similarly, data encrypted with the private key can be decrypted only with the public key. This asymmetry is what makes this type of cryptography so useful, and it is how authentication is achieved.
One disadvantage of this type of encryption, however, is that it is relatively slow. So if the message is a long one, the whole message should not be encrypted. To take care of this drawback, DIGITAL SIGNATURES are used.
PGP (Pretty Good Privacy) is the name of a popular cryptographic system which is available for general public use.
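As an added example (not part of the original text), the following Python script illustrates the shared-key point made under symmetric encryption above, using a keyed hash (HMAC-SHA256) from the standard library in place of DES: a tag computed with the shared key detects tampering, but because every holder of the key can compute the same tag, a valid tag proves only that someone with the key produced the message, not which of the two parties did. The key and the order strings are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample secret shared by the shop and the customer.  In practice it
# would be agreed through a key exchange, never hard-coded.
SHARED_KEY = b"constructed-demo-shared-secret"


def tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed digest (HMAC-SHA256) that every holder of the shared key can compute."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    """Integrity check; compare_digest avoids leaking the tag through timing."""
    return hmac.compare_digest(tag(message, key), received_tag)


def receiver_can_forge(message: bytes, key: bytes = SHARED_KEY) -> bool:
    """The non-repudiation gap of a shared key: the receiver computes exactly the
    tag the sender would have computed, so a valid tag cannot prove which of the
    two parties produced the message."""
    claimed_from_sender = tag(message, key)    # produced by the receiver itself
    return verify(message, claimed_from_sender, key)


if __name__ == "__main__":
    order = b"order=42;amount=100.00"
    t = tag(order)
    print("tag valid:", verify(order, t))                                      # True
    print("altered amount valid:", verify(b"order=42;amount=999.00", t))       # False
    print("receiver can produce a valid tag itself:", receiver_can_forge(order))  # True
```

The first two checks show why a shared key is enough for integrity between two parties; the third is the reason the text turns to public-key cryptography and digital signatures, which only the private-key holder can produce.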
Techniques used for cryptography are ----
1. SUBSTITUTION ---- Each letter in the message is replaced by another to make the message unintelligible. For instance, the letter ''b'' in the message is replaced with the letter ''g''.
2. TRANSPOSITION ---- It is based on scrambling the letters in the message. A ''transposition system'' writes the message row by row and then rewrites it column by column so that it is scrambled.
E.g. ''Do not send it today.''
The letters of the message are written row by row into a grid of four columns:
D O N O
T S E N
D I T T
O D A Y
Reading the grid column by column gives the scrambled message:
DTDOOSIDNETAONTY
Encryption algorithms can be defeated by using a combination of mathematics and computer know-how, so many encrypted messages can be deciphered even without knowing the key. This type of attack is called ''cryptanalysis''. ''Quantum computing'' deals with the development of cryptographic algorithms, but it can also be used to find flaws in cryptographic algorithms and to launch attacks!
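As an added example (not from the original text), the following Python code implements the two techniques described above: a simple substitution cipher keyed by a 26-letter permutation of the alphabet, and the columnar transposition that turns ''Do not send it today.'' into DTDOOSIDNETAONTY, in both the encryption and decryption directions and including the case where the message does not fill the last row of the grid. It also computes the letter-frequency profile of a message, which substitution leaves unchanged; that unchanged profile is the kind of weakness the cryptanalysis paragraph above refers to. The substitution key is a constructed sample.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
SAMPLE_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed sample permutation of A-Z


def normalise(text: str) -> str:
    """Keep letters only, upper-cased: 'Do not send it today.' -> 'DONOTSENDITTODAY'."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def substitute(text: str, key: str) -> str:
    """Substitution: each letter is replaced by the letter at the same position
    in `key`, a 26-letter permutation of the alphabet."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return normalise(text).translate(str.maketrans(ALPHABET, key))


def unsubstitute(ciphertext: str, key: str) -> str:
    """Reverse the substitution by mapping each key letter back to the alphabet."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def transpose(text: str, columns: int) -> str:
    """Columnar transposition: write the letters row by row into `columns`
    columns, then read the grid column by column."""
    letters = normalise(text)
    return "".join(letters[c::columns] for c in range(columns))


def untranspose(ciphertext: str, columns: int) -> str:
    """Inverse: rebuild the columns (the first len % columns of them are one
    letter longer when the last row is incomplete), then read row by row."""
    rows, extra = divmod(len(ciphertext), columns)
    cols, pos = [], 0
    for c in range(columns):
        length = rows + (1 if c < extra else 0)
        cols.append(ciphertext[pos:pos + length])
        pos += length
    return "".join(col[r] for r in range(rows + 1) for col in cols if r < len(col))


def frequency_profile(text: str) -> list:
    """Letter counts sorted high to low, with the letters themselves discarded.
    Substitution leaves this profile identical to the plaintext's, because each
    plaintext letter is always replaced by the same ciphertext letter; that is
    why letter statistics let a cryptanalyst recover such a key without it."""
    return sorted(Counter(normalise(text)).values(), reverse=True)


if __name__ == "__main__":
    msg = "Do not send it today."
    print(transpose(msg, 4))                      # DTDOOSIDNETAONTY
    print(untranspose(transpose(msg, 4), 4))      # DONOTSENDITTODAY
    print(substitute(msg, SAMPLE_KEY))            # RGFGZLTFROZZGRQN
    print(frequency_profile(msg) == frequency_profile(substitute(msg, SAMPLE_KEY)))  # True
```

With four columns the transposition reproduces the worked example exactly; transposition changes letter positions but not letter counts, and substitution changes letters but not their counts, which is why neither technique on its own resists the cryptanalysis the text goes on to describe.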
DIGITAL SIGNATURES ----- A digital signature means any letters, numbers, symbols, images, characters or combination thereof, in electronic form, applied to an electronic document, which can ensure authenticity, integrity and non-repudiation. It uses public-key cryptography. One advantage of ''public-key encryption'' is authentication ----- the recipient of the decrypted message knows that it was sent by the owner of the private key. But encrypting messages with a private key is a relatively slow process (particularly if the message is a long one), so a system of ''digital signatures'' is used. Digital signatures help to:
1. verify the authenticity of the message
2. verify the claimed identity of the sender
3. verify message integrity
''Hash functions'' operate on large messages and generate ''message digests'' of fixed and comparatively smaller length. Any change made to the message causes the message digest to be different, thus strengthening authentication.
In the case of portal sites, the interaction takes place between a businessman and a customer. It is possible that the supplier has a portal site but no goods to supply, and obtains the credit card details of the consumer, thereby cheating him. To avoid this, there is a need for third parties such as ''VeriSign'' (of America) to authenticate the supplier. These third parties are also called ''Certification Authorities''.
A certification authority is defined as a trusted public or private body that attests the association of a particular individual with his corresponding public key. A certification authority signs digital certificates with its private key. Certification authorities are supposed to issue a certificate only after proper enquiry; otherwise they may be held liable under various laws.
Owners of public keys submit them to a certification authority, together with proof of their identity. The certification authority signs and then issues a certificate which verifies that the public key attached to the certificate belongs to the party concerned. Today, ''digital certificates'' have made electronic transactions more secure.
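As an added example that is not part of the original text, the following Python script ties together three passages above: asymmetric encryption (encrypt with the public key, decrypt with the private key), digital signatures computed over a fixed-length message digest rather than the whole message, and the certification-authority model in which a CA signs the binding between a name and a public key with its own private key. It uses a textbook RSA construction with fixed, publicly known Mersenne primes so that it runs with the standard library alone; the primes, the names shop.example and the certificate layout are constructed for illustration. The moduli are far too small and the digest is signed without padding, so the code shows the mechanics only; real systems use random secret primes of at least 1024 bits each and a standard padding scheme.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy parameters: fixed, publicly known Mersenne primes.  Real RSA
# keys use random secret primes of 1024+ bits each; these only illustrate the
# mechanics (encrypt with the public key, sign with the private key).
CA_PRIMES = (2**61 - 1, 2**89 - 1)
SHOP_PRIMES = (2**107 - 1, 2**127 - 1)
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_keypair(primes, e: int = E):
    """Textbook RSA key pair: public (n, e), private (n, d) with d = e^-1 mod phi."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))


def encrypt(pub: PublicKey, m: int) -> int:
    """Data encrypted with the public key can be recovered only with the private key."""
    if not 0 <= m < pub.n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, c: int) -> int:
    return pow(c, priv.d, priv.n)


def digest(message: bytes) -> int:
    """Fixed-length message digest (128 bits, so it fits under the toy moduli).
    Any change to the message changes this value."""
    return int.from_bytes(hashlib.blake2b(message, digest_size=16).digest(), "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    """Sign the short digest with the private key instead of the whole message."""
    return pow(digest(message), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature against a fresh digest."""
    return pow(signature, pub.e, pub.n) == digest(message)


# A certification authority binds a subject name to its public key by signing
# the pair with the CA's own private key (constructed, simplified certificate).
def certificate_body(subject: str, pub: PublicKey) -> bytes:
    return f"{subject}|{pub.n}|{pub.e}".encode()


def ca_issue(ca_priv: PrivateKey, subject: str, pub: PublicKey) -> dict:
    return {"subject": subject, "n": pub.n, "e": pub.e,
            "ca_signature": sign(ca_priv, certificate_body(subject, pub))}


def ca_verify(ca_pub: PublicKey, cert: dict) -> bool:
    """A customer who trusts the CA's public key can check that the certified
    public key really belongs to the named subject."""
    body = certificate_body(cert["subject"], PublicKey(cert["n"], cert["e"]))
    return verify(ca_pub, body, cert["ca_signature"])


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair(CA_PRIMES)
    shop_pub, shop_priv = generate_keypair(SHOP_PRIMES)
    cert = ca_issue(ca_priv, "shop.example", shop_pub)
    print("certificate valid:", ca_verify(ca_pub, cert))                                   # True
    print("renamed subject valid:", ca_verify(ca_pub, dict(cert, subject="other.example")))  # False
    order = b"order 42: 1 x widget"
    sig = sign(shop_priv, order)
    print("signature valid:", verify(shop_pub, order, sig))              # True
    print("altered order valid:", verify(shop_pub, order + b"!", sig))   # False
    print("round trip:", decrypt(shop_priv, encrypt(shop_pub, 123456789)))  # 123456789
```

The customer needs to trust only the CA's public key: the certificate carries the shop's public key and the CA's signature over the name-and-key pair, so a key that has been swapped or attached to a different name fails verification, which is exactly the check the text says the certification authority exists to make possible.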
***************************************************