E-commerce security standards and loopholes.
Srinivasan, S.
INTRODUCTION
The Internet offers tremendous opportunity for merchants around the
world to sell their products online. However, the anonymous and open
nature of public communication networks has presented serious challenges
for securing personal and bankcard information over the Internet. U.S.
businesses are seeking opportunities worldwide by using the Internet to
open up unreachable foreign markets. According to Internetstats.com,
nearly 134 million Americans are online today compared to 118 million
last year. Cap Gemini USA estimates that roughly 55,000 new users are
going online every day. With this much growth in online use the natural
beneficiary is online commerce. Industry's role in this regard then
is to provide confidence for the customers that the transactions online
are secure.
Standards play a significant role in securing the transactions on
the Internet. Standards provide interoperability, connectivity,
consistency of applications, transparent data exchange, distributed open
environments, improved information sharing, security, and lower costs to
users and software providers. The banking industry estimates that it
costs approximately $1.07 per transaction. Surprisingly, without costly
branches and human interaction, the cost per transaction online will be
one cent. With such a profound cost differential, businesses are slowly
going to gravitate towards electronic transactions, with sufficient
incentives to attract customers for online usage. U.S.
Internet Council estimates that the capacity of the Internet backbone to
carry information is doubling every 100 days in order to meet this added
volume. Compared to a growth rate of only 10% in voice communications,
the data traffic is rising at the rate of 125%. This phenomenal growth
can be directly attributed to the expected $1.3 trillion e-commerce
sales by 2003.
EMERGING INTERNET STANDARDS
Some of the newer and popular Internet standards include Secure
Electronic Transactions (SET), Enhanced Data Encryption Standard (DES),
Secure Sockets Layer (SSL), Secure HyperText Transfer Protocol (S-HTTP),
and Secure Multipurpose Internet Mail Extensions (S/MIME).
Secure Electronic Transactions (SET)
Secure Electronic Transactions (SET) is a standardized,
industry-wide protocol designed to safely transmit sensitive personal
and financial information over public networks. Jointly developed by
MasterCard and Visa International, SET uses RSA encryption and
authentication technologies to enable secure payment transactions (RSA,
2000). SET uses RSA with 1024-bit keys. The RSA algorithm is the most
scrutinized, tested, and trusted public key algorithm. The SET protocol
contains state-of-the-art cryptographic technology that provides on-line
transaction security that is equivalent or superior to the safeguards in
present physical, mail and telephone card transactions.
To meet the security needs of bank card transactions over public
networks, the Secure Electronic Transaction (SET) protocol uses
cryptography and related technology to provide confidentiality of
information about financial data, to ensure payment integrity, and to
authenticate merchants, banks, and cardholders during SET transactions.
The level of security incorporated into SET is based on RSA's
Public-Key Cryptosystem, which has been proven over the last 10 years as
the most commercially viable, widely used security technology available.
The RSA Cryptosystem is used in over 100 million copies of messaging,
groupware, email, and Internet-based applications. In this context it is
worth noting the following.
[GRAPHIC OMITTED]
With so many sources for online access around the world, the
e-commerce industry has to guarantee security of transactions. Otherwise
unscrupulous elements will try to take advantage and bring down the
entire e-commerce industry. The stakes are enormous.
The SET protocol defines four main entities involved in a SET
transaction: the Cardholder, the Merchant, the payment Gateway, and the
Certificate Authority (Keen, 2000). Message integrity and authentication
are achieved in the SET protocol through digital signatures. The
confidentiality of messages in the SET payment environment is
accomplished through encryption of the payment information using a
combination of public key and secret key algorithms. The RSA Public Key
Cryptosystem is the public-key algorithm used in SET and the symmetric
key algorithm is DES (Data Encryption Standard). The SET protocol is
also designed to allow for more complex transactions such as returning
goods and obtaining a credit, or reversing an authorization for an
amount when goods cannot be shipped. The key aspect of SET is that no
physical card is required for processing SET transactions. Digital
signatures help facilitate the transactions.
Data Encryption Standard (DES)
The Data Encryption Standard (DES) was published in 1977 as an
encryption standard for U.S. Government applications. It was based on an
encryption standard known as the Lucifer cipher. When DES was adopted as a
federal standard, its expected life was ten years. DES is a U.S.
national standard and a de facto international standard. DES security is
based on repeated bit permutations within a 64-bit block of text, where
the permutations are derived from the specific DES key. Benchmarks have
shown that DES can encrypt about 300 kbps. The fastest DES chips are
designed to encrypt data with one key and not to test many keys against
the same block of cipher text.
Over the years, there have been several different attempts to crack
DES. Although DES can only be cracked through brute force, the
increasing speed and sophistication of computer processing power has
rendered the standard insecure. Exhaustive key search remains the
fastest known attack against the DES. But improvements in technology,
leading to the potential for faster key search machines, now pose a
greater threat to the use of single-key DES.
Triple-DES
Triple-DES is based on the existing DES, but has been enhanced by
tripling the key length. The longer key will make it more difficult to
use brute force to crack the code. Triple-DES, a strengthened version of
the DES standard, is an alternative favored by banking and financial
services industries. The new mode of multiple encryption is the
triple-DES external feedback cipher block chaining with output feedback
masking. The aim is to provide increased protection against certain
attacks like dictionary attacks and matching cipher text attacks, which
exploit the short message-block size of DES. The new mode is part of a
suite of encryption modes proposed in the ANSI X9.F.1 triple-DES
standard (X9.52) (Coppersmith, Johnson, & Matyas, 1996).
The use of triple encryption with multiple keys is generally
accepted as the best and most practical method for increasing the
strength of the DES against key search attacks. The two major concerns
that are addressed when standardizing the triple-DES modes are matching
ciphertext attack and dictionary attack. The new method for increasing
the strength of triple-DES mode against these attacks, without having to
change the 64-bit block size of the DES algorithm, uses secret masking
values. It also uses external feedback with Cipher Block Chaining (CBC).
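The matching-ciphertext weakness of a short block, as an added example that is not from the original paper: a toy 16-bit Feistel cipher (an assumption standing in for DES's 64-bit block, so that a repeat shows up after a few hundred blocks instead of about 2^32) is run in plain CBC without masking values. A repeated ciphertext block then reveals the XOR of two plaintext blocks without any knowledge of the key.

```python
import hashlib
import random

BLOCK_BITS = 16            # toy block size (assumption); DES uses 64
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1


def _round(half, key, rnd):
    """Keyed round function of the toy Feistel network."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0] & MASK


def encrypt_block(block, key):
    """4-round Feistel cipher: a keyed permutation on 16-bit blocks."""
    left, right = block >> HALF, block & MASK
    for rnd in range(4):
        left, right = right, left ^ _round(right, key, rnd)
    return (left << HALF) | right


def cbc_encrypt(blocks, key, iv):
    """Plain CBC: C[i] = E(P[i] xor C[i-1]), with the IV as C[-1]."""
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(p ^ prev, key)
        out.append(prev)
    return out


def find_matching_ciphertext(cipher, iv):
    """Return (i, j, C[i-1] xor C[j-1]) for the first repeated block."""
    chain = [iv] + cipher          # chain[k] is the block XORed into P[k]
    seen = {}
    for j, c in enumerate(cipher):
        if c in seen:              # E is a permutation, so equal outputs
            i = seen[c]            # mean P[i]^C[i-1] == P[j]^C[j-1]
            return i, j, chain[i] ^ chain[j]
        seen[c] = j
    return None


def demo():
    rng = random.Random(2000)      # constructed sample traffic
    key, iv = b"constructed-key", 0x1234
    # 2**16 + 1 blocks guarantee a repeat; one is expected after roughly 2**8.
    plain = [rng.randrange(1 << BLOCK_BITS) for _ in range((1 << BLOCK_BITS) + 1)]
    cipher = cbc_encrypt(plain, key, iv)
    i, j, leak = find_matching_ciphertext(cipher, iv)
    return plain[i] ^ plain[j], leak, j


if __name__ == "__main__":
    print(demo())
```

The first two returned values are equal: the observer computes the second from ciphertext alone, which is the leak the masking values are meant to remove.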
Advanced Encryption Standard (AES)
NIST's Information Technology Laboratory has initiated a
process to develop a Federal Information Processing Standard (FIPS) for
Advanced Encryption Standard (AES) incorporating an Advanced Encryption
Algorithm (AEA). It is intended that the AES will specify an
unclassified, publicly disclosed encryption algorithm capable of
protecting sensitive government information well into the next century.
The Advanced Encryption Standard will replace DES, which is more than 20
years old. NIST is looking for a 128-bit block cipher that supports
keys of 128, 192, and 256 bits (NIST, 2000). NIST foresees that a
multi-year transition period will be necessary to move forward any new
encryption standard and that DES will continue to be of sufficient strength
for many applications.
RSA has delivered a proposal to the U.S. government for a new and
more secure algorithm, designed by an RSA Laboratories team led by Ronald
L. Rivest. According to NIST, the Advanced Encryption Standard will be a
publicly defined symmetric block cipher, designed so that the key
length may be increased as needed and implementable in both hardware
and software. Algorithms submitted to NIST will be judged on security,
computational efficiency, memory requirements, hardware and software
suitability, simplicity, flexibility, and licensing requirements
(Corman, 1998). The review process will take several years before the
new standard is finally formalized. As the government's business on
public networks like the Internet increases, more security and higher
standards of encryption become necessary.
These three standards together account for the majority of the secure
transactions online today. We need to keep in mind the rapid and
sustained growth of the Internet over the years. The following table
shows such a growth:
Year    Number of Americans online
1993    90,000
1997    19,000,000
1998    84,000,000
1999    118,400,000
2000    134,200,000
Source: www.internetstats.com
In this scenario the communication industry needs to reassure
people that their transactions online are secure. The DES encryption
schemes have stood the test of time and the newer open standards make
it easy for the entire world to adopt this scheme. This is essential
today because electronic commerce is not limited to one country
alone but spans the entire world.
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is a program layer created by Netscape
for managing the security of message transmissions in a network.
Netscape's idea is that the programming for keeping messages
confidential ought to be contained in a program layer between an
application, such as a Web browser or HTTP, and the Internet's TCP/IP
layers. The "sockets" refer to the sockets method of passing
data between a client and a server program in a network or between
program layers in the same computer. Netscape's SSL uses the
public-and-private key encryption system from RSA, which also includes
the use of a digital certificate. The prevalence of Netscape's
servers and browsers in the marketplace today makes SSL easier to use
and the most dominant technology for securing Web sessions.
The Secure Sockets Layer (SSL) is the de facto secure protocol for
e-commerce transactions today. SSL is a layered approach to providing a
secure channel. Although SSL does not provide mechanisms for handling
payment, it offers confidentiality in Web sessions, authentication of
Web servers, and data integrity of the message packet. The easiest
way to test whether a site supports SSL mode is to add an
"s" to the http portion of the URL. If the browser switches to
secure mode, the encryption key will be activated in Netscape.
SSL secures the channel by providing end-to-end encryption of the
data that is sent between a Web client and Web server. SSL provides
authentication through a certification authority (CA). The CA endorses
the identity of the Web site. Most Web browsers today come with a
built-in box that contains a list of certification authorities. When one
visits a Web site over an SSL session, the certificate of registration is
downloaded to the user's Web browser. If the signature on the certificate
verifies against the corresponding CA's public key in the browser, the Web
site will be authenticated. SSL helps to detect Web spoofing by
inspecting the certificate of the Web site (Thomas, 2000).
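The certificate check described above, which is also the digital-signature authentication the SET section relies on for its Certificate Authority, modeled as an added example (not code from the paper or from any browser). It assumes textbook RSA without padding over constructed Mersenne-prime keys, and the names "Example Root CA", "Unlisted CA" and "shop.example" are hypothetical.

```python
import hashlib

E = 65537                          # public exponent shared by the toy keys


def make_key(p, q):
    """Textbook RSA from two primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest(cert, n):
    """Hash the signed fields of a certificate into the range of modulus n."""
    body = f"{cert['subject']}|{cert['subject_key']}|{cert['issuer']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def issue(subject, subject_key, issuer, ca_n, ca_d):
    """CA side: sign the certificate body with the CA's private exponent."""
    cert = {"subject": subject, "subject_key": subject_key, "issuer": issuer}
    cert["sig"] = pow(digest(cert, ca_n), ca_d, ca_n)
    return cert


def browser_check(cert, host, trust_store):
    """Browser side: accept only if a built-in CA key verifies the signature."""
    ca_n = trust_store.get(cert["issuer"])
    if ca_n is None:
        return "reject: issuer not in CA list"
    if pow(cert["sig"], E, ca_n) != digest(cert, ca_n):
        return "reject: bad signature"
    if cert["subject"] != host:
        return "reject: wrong site"
    return "ok"


def scenarios():
    ca_n, ca_d = make_key(2**61 - 1, 2**89 - 1)        # constructed trusted CA
    bad_n, bad_d = make_key(2**107 - 1, 2**127 - 1)    # constructed unknown CA
    site_key = (2**13 - 1) * (2**17 - 1)               # placeholder site key
    store = {"Example Root CA": ca_n}                  # browser's built-in list
    good = issue("shop.example", site_key, "Example Root CA", ca_n, ca_d)
    forged = issue("shop.example", site_key, "Example Root CA", bad_n, bad_d)
    unknown = issue("shop.example", site_key, "Unlisted CA", bad_n, bad_d)
    return {
        "genuine": browser_check(good, "shop.example", store),
        "forged signature": browser_check(forged, "shop.example", store),
        "unknown issuer": browser_check(unknown, "shop.example", store),
        "look-alike host": browser_check(good, "sh0p.example", store),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Only the first case is accepted; each of the other three fails a different check, which is why a client that skips any one of them loses the spoofing protection.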
Secure HyperText Transfer Protocol (S-HTTP)
Secure HyperText Transfer Protocol (S-HTTP) is a secure extension
to HTTP which provides a number of security features, including
client/server authentication, spontaneous encryption, transaction
confidentiality, and request/response nonrepudiation. The protocol was
designed to be general enough to provide broad support for a number of
different secure technologies, including symmetric encryption for data
confidentiality, public key encryption for client/server authentication,
and message digests for data integrity. S-HTTP was also designed to be
interoperable with nonsecure HTTP services.
S-HTTP provides the user with the ability to communicate securely
with a Web server by selecting the desired secure properties of the
transaction. S-HTTP supports a vast array of options to enforce the
secure properties, which make S-HTTP flexible, but more difficult to
configure for the Web site developer.
Smart Cards
Smart cards can be used in many different applications, including
electronic commerce; home banking; access to corporate intranets,
networks, and E-mail programs; and computer and building security. The
cards are also used by transit systems for fare payments on buses,
subways, and toll roads. The new contactless smart card product called
Practical Security can be read from a distance using an infrared signal.
This product will automatically log computer users on or off as they
approach or leave their terminals. Smart card technology will replace
existing passwords and authentication methods in computers and on the
Internet (Sandler, 1998). A serious limitation among proponents of
general-purpose smart cards has been the lack of standards. With all the
different manufacturers and types of cards,
interoperability/functionality does not look like the central focus.
Smart cards are one technology the U.S. does not lead because of the
deregulated nature of the U.S. financial and telecommunications
industries. A new blend of Java promises the ability to use a single
card for multiple applications, such as electronic cash, credit, debit
and buying-profile data (Chen, 2000). Java also offers hardware
independence, such that a single version of a Java applet would
run on any Java smart card, and robust security, permitting a vendor
to insert new applets into the card while minimizing the risk of criminals
breaking into the card's data. The security algorithm in a smart
card is in ROM.
The SSL and Secure HTTP technologies provide source-level
encryption for data, thereby assuring the consumer that no data leaves
their computer until it is secured. Smart Card technology, on the
other hand, gives the consumer an alternative means of
paying for products and services online while at the same time
limiting the potential loss in the event of a security breach. This
alternative is required simply to guarantee faster transactions. SSL
and Secure HTTP inherently need to perform additional functions before
the data is transmitted and need to reverse the process while receiving
data. This requires additional processing time. A Smart Card, however, has
the information encoded in the card itself, so the processing time
is reduced. The following table shows the growth of households online
over the years, including a projection for 2004:
Year    Number of households in millions
1995    14.9
2000    46.5
2004    90
Source: www.internetstats.com
With an estimated 90 million households trying to send data online
that needs to be secured, Smart Card indeed provides a cost-effective
alternative. The liability reduction of Smart Card comes from the fact
that the worth of a Smart Card at any one time is limited to a few
hundred dollars. It is also well suited for micro-transactions
involving small sums, since we saw earlier that it costs a significant
sum per transaction for offline processing.
LOOPHOLES
Loopholes exist in every technology that has been tried so far.
This is inevitable in a fast-changing technology. In the
brick-and-mortar world people are able to observe and judge a business
based on its location and size. In the e-commerce world this is not
as easy. For example, a con artist could easily develop a good web
site similar to a well-known company's site and offer items for
purchase. In the process the site could ask for people's credit
card information and misuse that information. Along similar lines, a
major corporation that wants to make available as much information as
possible to the customers might inadvertently leave a hole in its
computer system. People could take advantage of this hole and cause
hardship to genuine users, as was the case in the recent 'denial of
service attacks' on major web sites. These issues reinforce the
need for building trust among the e-commerce partners (Keen, 2000).
Efforts are already underway to address some of these loopholes. A
new tool called the Security Profile Inspector (SPI) is available to
perform security assessment. This tool can analyze and point out
potential loopholes in system configuration. In addition, this tool can
alert the systems administrator when an intrusion is attempted. Another
such tool is Tripwire.
CONCLUSION
We have discussed several methods available for secure Internet
transactions. Extensive deployment of fiber cables and the availability
of high-speed access such as ADSL (Asymmetric Digital Subscriber Line)
have made it possible for people to access the Internet in a secure way.
Moreover, companies like Amazon.com and eBay have given customers
confidence in online transactions. Recent trends in e-commerce
indicate that several billion dollars' worth of transactions are already
taking place on the Internet. Enhancing security further only helps to
do more business online.
REFERENCES
Chen, Z. (2000) Java Card Technology for Smart Cards: Architecture
and Programmers Guide, Addison-Wesley, MA.
Coppersmith, D., Johnson, D.B., & Matyas, S.M. (1996). A
proposed mode for Triple-DES Encryption. IBM J. RES. DEVELOP, 40(2).
Corman, P. (1998). RSA enters proposal for new U.S. Advanced
Encryption Standard.
http://www.pathfinder.com/money/latest/press/PW/1998April15/130.html.
Keen, P., Ballance, C., Chan, S., & Schrump, S. (2000)
Electronic Commerce Relationships. Upper Saddle River: Prentice Hall
PTR.
NIST. (2000). Triple-DES.
http://csrc.ncsl.nist.gov/cryptval/des.htm
RSA. (2000). http://www.rsasecurity.com
Sandler, N. (1998). Infrared Smart Cards replace Passwords.
http://www.techweb.com/wire/story/TWB19980428S0008.
Sun. (2000). Java Smartcard. http://java.sun.com/products/javacard
Thomas, S. A. (2000). SSL & TLS Essentials: Securing the Web, New
York: John Wiley & Sons.
Acknowledgment: The author wishes to thank Ms. Vasanthi Sunkara for
the help in the preparation of this paper.
Note: An earlier version of this paper was presented at the Allied
Academies Conference in Myrtle Beach, SC, April 6, 2000.
S. Srinivasan, University of Louisville