key and on receipt the public key of the purchaser is used to decrypt the digital signature.
This proves the customer is genuine. Digital signatures are not widely used currently due
to the difficulty of setting up transactions, but will become more widespread as the
public-key infrastructure (PKI) stabilises and use of certificate authorities increases.

The public-key infrastructure (PKI) and certificate authorities
In order for digital signatures and public-key encryption to be effective it is necessary to be
sure that the public key intended for decryption of a document actually belongs to the
person you believe is sending you the document. The developing solution to this problem
is the issuance by a trusted third party (TTP) of a message containing owner identification
information and a copy of the public key of that person. The TTPs are usually referred to
as certificate authorities (CAs); an example is Verisign (www.verisign.com). The message is
called a certificate. In reality, as asymmetric encryption is rather slow, it is often only a
sample of the message that is encrypted and used as the representative digital signature.
Examples of certificate information are:
• user identification data;
• issuing authority identification and digital signature;
• user’s public key;
• expiry date of this certificate;
• class of certificate;
• digital identification code of this certificate.
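The signing and certificate checks described in these two sections, as an added illustration that is not from the book: a toy RSA keypair (constructed, deliberately tiny primes), a CA issuing a certificate that carries the fields listed above, and a verifier that checks the certificate (issuer, expiry, CA signature) before trusting the purchaser’s signature on an order. The names ExampleCA and alice@example.com and the JSON encoding of the certificate are assumptions.

```python
import hashlib
import json
from datetime import date
# Constructed toy: tiny RSA primes, NOT secure; real PKI uses 2048-bit keys and X.509.

def make_keypair(p, q, e=17):
    # Toy RSA: n = p*q, d = e^-1 mod phi(n); returns (public, private).
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def digest(data, n):
    # Only a fixed-length hash of the message is signed, not the whole message.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])

def verify(data, sig, pub):
    # Decrypting the signature with the public key must reproduce the digest.
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def cert_body(cert):
    # Everything the CA vouches for, canonically encoded (all fields but the signature).
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue_certificate(subject, subject_pub, ca_name, ca_priv, not_after, serial):
    cert = {"subject": subject, "issuer": ca_name, "public_key": subject_pub,
            "not_after": not_after, "class": 1, "serial": serial}
    cert["signature"] = sign(cert_body(cert), ca_priv)  # the CA's digital signature
    return cert

def verify_certificate(cert, ca_name, ca_pub, today):
    # Trust the enclosed key only if a known CA signed it and it has not expired.
    return (cert["issuer"] == ca_name
            and date.fromisoformat(cert["not_after"]) >= date.fromisoformat(today)
            and verify(cert_body(cert), cert["signature"], ca_pub))

def verify_document(doc, sig, cert, ca_name, ca_pub, today):
    # Check the certificate first, then the document signature with the key it carries.
    return verify_certificate(cert, ca_name, ca_pub, today) and verify(doc, sig, cert["public_key"])

def demo(today="2026-01-01"):
    ca_pub, ca_priv = make_keypair(2003, 2011)      # the trusted third party (CA)
    cust_pub, cust_priv = make_keypair(3001, 3011)  # the purchaser
    cert = issue_certificate("alice@example.com", cust_pub, "ExampleCA", ca_priv, "2030-12-31", 42)
    order, forged = b"order 1234: 2 x widget, total 39.98", dict(cert, subject="mallory@example.com")
    sig = sign(order, cust_priv)
    return {"genuine": verify_document(order, sig, cert, "ExampleCA", ca_pub, today),
            "tampered_order": verify_document(order + b"0", sig, cert, "ExampleCA", ca_pub, today),
            "expired": verify_document(order, sig, cert, "ExampleCA", ca_pub, "2031-01-01"),
            "forged_cert": verify_document(order, sig, forged, "ExampleCA", ca_pub, today)}
```

`demo()` returns `True` only for the genuine case; an altered order, an expired certificate, or a certificate edited after the CA signed it all fail verification.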

Virtual private networks
A virtual private network (VPN) is a private wide-area network (WAN) that runs over the
public network, rather than a more expensive private network. The technique by which
a VPN operates is sometimes referred to as tunnelling, and involves encrypting both
packet headers and content using a secure form of the Internet protocol known as IPSec.
VPNs enable the global organisation to conduct its business securely, but using the
public Internet rather than more expensive proprietary systems.

Current approaches to e-commerce security

In this section we review the approaches used by e-commerce sites to achieve security
using the techniques described above.

Secure Sockets Layer protocol (SSL)
SSL is a security protocol, originally developed by Netscape, but now supported by all
web browsers such as Microsoft Internet Explorer. SSL is used in the majority of B2C
e-commerce transactions since it is easy for the customer to use without the need to
download additional software or a certificate.
When a customer enters a secure checkout area of an e-commerce site SSL is used and
the customer is prompted that ‘you are about to view information over a secure connection’
and a key symbol is used to denote this security. When encryption is occurring
they will see that the web address prefix in the browser changes from ‘http://’ to
‘https://’ and a padlock appears at the bottom of the browser window.
How does SSL relate to the different security concepts described above? The main facility
it provides is security and confidentiality. SSL enables a private link to be set up
between customer and merchant. Encryption is used to scramble the details of an e-commerce
transaction as it is passed between the sender and receiver and also when the details

TECHNOLOGICAL FACTORS

Certificates and certificate authorities (CAs)
A certificate is a valid copy of a public key of an individual or organisation together with identification information. It is issued by a trusted third party (TTP) or certificate authority (CA). CAs make public keys available and also issue private keys.

Virtual private network
Private network created using the public network infrastructure of the Internet.

Secure Sockets Layer (SSL)
A commonly used encryption technique for scrambling data as they are passed across the Internet from a customer’s web browser to a merchant’s web server.
