E-Commerce Unit-4 Network Security

Uploaded by Bibesh Tripathi

E-Commerce Unit-4: Network Security

NOTES ON:

E-COMMERCE

Er. Sanjay Kumar Sah


Email: [email protected]

UNIT-4: NETWORK SECURITY


4.1 Introduction
4.2 Data and Message Security
4.3 Reasons for data and message security
4.4 Firewalls and its types
4.5 Antivirus
4.6 Data and Message Security (Secret Key Cryptography, Public Key Cryptography)
4.7 Digital Signature, Digital Certificate, Certificate Authority, Third Party Authentication, SSL, VPN, SET

Er. Sanjay Kumar Sah 1



SECURITY
• The internet has made our lives easier and has provided us with many advantages.
▪ It has also put our systems' security at risk: infection by viruses, hacking, information theft, damage to the system, and much more.
• As technology advances, intruders, hackers and thieves try to compromise our computers for monetary gain, ransom demands, bullying others, breaking into other businesses, etc.
▪ To protect our systems from all these risks, security is important.
• Security in information technology (IT) is defined as the defense of digital information and IT assets against internal and external, malicious and accidental threats.
▪ This defense includes detection, prevention and response to threats through the use of security policies, software tools and IT services.

TYPES OF SECURITY
• Security can be classified into the following four types:
1. Computer Security:
• Computer security refers to protecting computers and their related data from unauthorized access, misuse, theft, information loss, and other security issues.
▪ Ensures the Confidentiality, Integrity and Availability (CIA) of the assets in computer systems.
▪ Protects both the software and hardware parts of a computer system from being compromised and exploited.

2. Information Security:
• Information security means protecting a system's information from theft, illegal use and piracy by unauthorized users.
▪ Primarily concerned with making sure that data in any form is kept secure in terms of preserving its confidentiality, integrity and availability.


TYPES OF SECURITY
3. Cyber Security:
• Cyber security means securing computers, electronic devices, networks, programs and systems from cyber attacks when the system is connected to the internet.
➢ Information security differs from cybersecurity in that information security aims to keep data in any form (paper or digital) secure, whereas cybersecurity protects only digital data and systems.
➢ Cybersecurity is a subset of information security.

4. Network Security:
• Network security means securing a network and protecting the information of the users who are connected through that network.
▪ Targets a variety of threats and stops them from entering or spreading on your network.
➢ Network security is a subset of cybersecurity.

NETWORK SECURITY
• Network security aims to protect any data that is sent between devices in a network, to ensure that the information is not changed or intercepted.
▪ Protects from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure.
▪ Includes both hardware and software technologies.
• In the modern era, organizations rely heavily on computer networks to share information throughout the organization in an efficient and productive manner.
• Network security refers to any activity designed to protect the usability and integrity of your network and data.
• Over the network, attackers steal packets of data through sniffing and spoofing attacks, man-in-the-middle attacks, war driving, etc., and misuse the data for their benefit.


WHAT IS E-COMMERCE SECURITY?
• With advancing technology, areas such as marketing, trading, buying and selling have all started to take place online.
• E-commerce is very convenient for everyone, but it carries a higher risk of security issues.
• E-commerce security is the set of guidelines designed to allow safe transactions on the web.
• E-commerce security refers to the steps and protocols in place to protect the sale and purchase of goods and services online.
• Appropriate e-commerce security measures boost consumer confidence.

SECURITY ISSUES IN E-COMMERCE
• Security is the major concern in the e-commerce industry because if security is compromised, customers lose faith.
• Without genuine security measures, there is a huge risk of losing customer data.
• Online stores (e-stores) are more vulnerable to fraud than physical brick-and-mortar stores.
• E-commerce security threats and their solutions are of major concern to an e-commerce business.


SECURITY THREATS
• A security threat is a possible danger that might exploit vulnerabilities in a computer system to breach security and thus cause harm.
• A vulnerability is a weakness or flaw in a computer system that can be exploited by a threat.
• An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to, or make unauthorized use of, an asset.
• A threat is something that may or may not happen, but has the potential to cause serious damage.
• A threat can be either intentional or accidental.
▪ Intentional threats are normally due to intelligent persons such as crackers, hackers or criminal organizations.
▪ Accidental threats are due to malfunctioning computers, natural disasters, or mistakes made by computer users.

TYPES OF SECURITY THREATS & ISSUES
1. DoS and DDoS Attacks:
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks aim to disrupt your website (i.e., take the site offline) and so affect overall sales.
• The attacker floods the site with traffic until it can no longer serve legitimate customers.

2. Password:
• Attackers obtain customers' passwords by guessing them (brute-force or dictionary attacks), by reusing credentials leaked from other breaches, or by cracking stolen password hashes, and then access the users' accounts, which hold sensitive information.
• They can target the server and database passwords in the same way.

3. Phishing:
• Common phishing techniques include emailing customers fake messages that prompt an action (such as "verify your account") on a look-alike site, so that they hand over their login information or other personal data, which the attacker then exploits for his benefit.


TYPES OF SECURITY THREATS & ISSUES
4. Man in the Middle Attack:
• A man-in-the-middle attack is when an attacker secretly positions himself between the client and the server, so that traffic the two parties believe is private passes through him.
• The attacker can read the information, and can alter what is sent to the client or the server before passing it on, so data is disclosed or corrupted without either side noticing.

5. Financial Frauds:
• Financial fraud has afflicted online businesses since their inception.
• Attackers make unauthorized transactions and wipe out the trail, costing businesses significant losses.

6. Spam:
• Email is the most used medium for spamming.
• Comments on your blog or contact forms are also an open invitation to spammers, who leave infected links there and wait for you to click on them.

TYPES OF SECURITY THREATS & ISSUES
7. Brute Force Attacks:
• These attacks target your online store's admin panel to figure out your password by brute force.
• They use programs that connect to your website and try every possible combination (or a dictionary of likely passwords) until one works.

8. SQL Injections:
• SQL injection is a cyber-attack intended to access your database by targeting the forms and parameters whose input is placed into SQL queries.
• If the input is concatenated into the query text instead of being passed as a bound parameter, the attacker can supply SQL of his own, read or modify the data, and even delete it.

9. Trojan Horses:
• Admins and customers might have Trojan horses downloaded on their systems.
• It is one of the worst network security threats, as attackers use these programs to steal sensitive information from the infected computers with ease.
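The injection described in item 8, as an added example that is not part of the original notes: a login check written with string concatenation beside the same check written with a bound parameter, both run against a constructed in-memory SQLite table. The table contents, the function names and the two payloads are made up for the demonstration; the attack and the fix are the standard ones.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "users" table standing in for a
# store's database. (Real systems must store password hashes, never plaintext.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Input is pasted into the SQL text, so the attacker can rewrite the query."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Input is bound as a parameter: it is compared as data and can never become SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# Two classic payloads. The first turns the WHERE clause into
#   username = 'nobody' AND password = '' OR '1'='1'
# which is true for every row; the second comments out the password check.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"

def demo():
    conn = make_db()
    return {
        "vuln_normal":    login_vulnerable(conn, "bob", "hunter2"),
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),   # first row wins: alice, an admin
        "vuln_comment":   login_vulnerable(conn, COMMENT_OUT, "wrong"),  # no password needed at all
        "safe_normal":    login_safe(conn, "bob", "hunter2"),
        "safe_tautology": login_safe(conn, "nobody", TAUTOLOGY),         # payload is just a wrong password
        "safe_comment":   login_safe(conn, COMMENT_OUT, "wrong"),        # no such user
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The parameterised version is the whole fix: the database driver sends the SQL and the values separately, so a quote or a comment marker in the input is matched literally against the column and never reaches the parser.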


RISKS INVOLVED IN E-COMMERCE
• E-commerce has given businesses a lot of exposure and access to a larger audience.
• This was certainly not possible to achieve through conventional retailing methods.
• However, it has also made business owners and customers prone to serious security threats.
• The seven most common risks to e-commerce include:
1. Online security breach
2. Client disputes and refunds
3. Violation of intellectual property
4. Low SEO ranking
5. Credit card scams
6. Poor customer service
7. Weak authentication methods
• These are some of the many risks that hold a business back from reaching its true potential.

1. ONLINE SECURITY BREACH
• Your e-commerce business is vulnerable to online security breaches and cyber-attacks.
• Some of these online security risks include phishing, website hacking, and unprotected web services.
• There are many hackers who can breach the network of a company and access sensitive information.
• Therefore, it is necessary that your e-commerce website's security is very strong.


2. CLIENT DISPUTES AND REFUNDS
• One of the biggest problems with online shopping in the e-commerce industry is that clients are able to claim refunds on disputed orders.
• Most of the time a dispute arises when the product never arrives, although the amount has been charged to the customer's account.
• Sometimes the customer gets charged twice, and sometimes the product description does not match the actual product.

3. VIOLATION OF INTELLECTUAL PROPERTY
• Violation of intellectual property is also one of the common security threats to an e-commerce business.
• Protection of IP is very important in the e-commerce industry and covers website logos, content, taglines, products and other images and icons.
• Violation of copyright rules and intellectual property can cause you a huge loss.


4. LOW SEO RANKING
• SEO means Search Engine Optimization.
• Among the many e-commerce risks, the SEO and digital marketing of your business can also become a serious one.
• Google keeps changing its algorithms, and this can drastically affect your ranking.
• A low SEO ranking means low traffic to your website, which ultimately results in a smaller number of sales.
• Therefore, you need to focus on the digital marketing of your e-commerce business too.

5. CREDIT CARD SCAMS
• Suspicious transactions and stolen credit card information are common risks of an e-commerce business.
• Hackers, or anybody, can use a stolen credit card to make an online transaction.
• Your online security should be strong and tight enough to catch a doubtful transaction.


6. POOR CUSTOMER SERVICE
• Poor customer service or experience can be a serious turn-off for customers. Eventually, it can hurt your business.
• It covers many loopholes, ranging from rude and unprofessional customer service agents to out-of-date inventory management.
• Wrong deliveries can also make you lose business.

7. WEAK AUTHENTICATION METHODS
• If you have weak and very basic authentication methods, then you are prone to more cyber-attacks.
• If you authenticate a user by ID and password only, then there is a chance that this information can be stolen or guessed.
• You need strong authentication methods for your online security that can resist attacks.
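The password guessing of threat 2, the brute-force attack of threat 7 and the weak password-only login of risk 7 above all meet the same two server-side defences: store passwords as slow salted hashes so that a stolen database is not immediately useful, and throttle failed attempts per account so that guessing online is not practical. The following is an added example, not code from the original notes; the `Authenticator` class, its limits and the guessed passwords are assumptions made for the demonstration, and the clock is injectable so the lockout expiry can be shown without waiting.

```python
import hashlib
import hmac
import os
import time

class Authenticator:
    MAX_FAILURES = 5          # failed attempts allowed before the account is locked
    LOCKOUT_SECONDS = 900     # how long the lock lasts
    PBKDF2_ROUNDS = 100_000   # makes every guess cost the attacker real CPU time

    def __init__(self, clock=time.monotonic):
        self._users = {}      # username -> (salt, derived key)
        self._failures = {}   # username -> (failure count, locked-until timestamp)
        self._clock = clock

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)                       # per-user salt defeats precomputed tables
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username: str, password: str) -> str:
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"                         # refused even if the password is right
        record = self._users.get(username)
        # Unknown users get a dummy record so the response time does not reveal
        # which usernames exist.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        ok = record is not None and hmac.compare_digest(self._derive(password, salt), stored)
        if ok:
            self._failures.pop(username, None)      # success clears the counter
            return "ok"
        count += 1
        locked_until = now + self.LOCKOUT_SECONDS if count >= self.MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return "denied"

def demo():
    clock = [0.0]                                   # fake clock, advanced by hand below
    auth = Authenticator(clock=lambda: clock[0])
    auth.register("admin", "correct horse battery staple")
    # A brute-force tool working through a wordlist (constructed guesses):
    guesses = ["123456", "password", "admin", "qwerty", "letmein", "admin123"]
    attempts = [auth.login("admin", g) for g in guesses]
    during_lockout = auth.login("admin", "correct horse battery staple")
    clock[0] += Authenticator.LOCKOUT_SECONDS       # lockout expires
    after_lockout = auth.login("admin", "correct horse battery staple")
    unknown_user = auth.login("ghost", "anything")
    return {"attempts": attempts, "during_lockout": during_lockout,
            "after_lockout": after_lockout, "unknown_user": unknown_user}

if __name__ == "__main__":
    print(demo())
```

The fifth wrong guess trips the lock, the sixth is refused without even checking the password, and the legitimate owner is also refused until the lock expires; a deployment would add a second factor and alerting on repeated lockouts rather than relying on the counter alone.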


SECURITY IN E-COMMERCE
• The increase in the use of e-commerce has led to higher security measures, and also to increasing security issues in online transactions.
• Huge amounts of customer data, including sensitive information such as credit card details, bank accounts, personal information etc., are at risk.

What happens if the information is misused?

• Good e-commerce website security ensures the following functions of the CIA triad: confidentiality, integrity, and availability.

1. CONFIDENTIALITY
• Confidentiality ensures that data is accessed only by authorized individuals.
▪ Confidentiality is maintaining the secrecy or privacy of a message.
• This term covers two related concepts:
i. Data Confidentiality:
▪ Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
▪ Confidentiality is the protection of information or data from any unauthorized users.
ii. Privacy:
▪ Assures that individuals control or influence what information related to them may be collected and stored.
▪ Privacy means both the sender and the receiver expect confidentiality.


2. INTEGRITY
• Data integrity means that the data must arrive at the receiver exactly as it was sent; it must not be changed or altered.
• Guards against improper information modification or destruction.
▪ It ensures that information is reliable as well as accurate.
▪ No changes to the data content during transmission, whether malicious or accidental, while in transit.
• This term covers two related concepts:
i. Data Integrity:
▪ Assures that information (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner.
ii. System Integrity:
▪ Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

3. AVAILABILITY
• Availability means information should be consistently and readily accessible to authorized parties.
• This principle ensures systems, applications and data are available and accessible to authorized users when they need them.
▪ Ensures that data is both available and accessible to satisfy business needs.
▪ Assures that systems work promptly and service is not denied to authorized users.
• Networks, systems and applications must be constantly up and running to ensure critical business processes are uninterrupted.


4. AUTHENTICATION
• Authentication is the procedure by which one party proves its identity to another.
• It is the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or the message originator.
▪ This means verifying that users are who they say they are.
• Applied to messages, it verifies that a message really comes from the claimed sender (origin authentication), so that the receiver does not act on forged messages.
▪ The user has to authenticate, or prove his identity, to the system.
▪ The system has to confirm the identity.
▪ Authentication can be mutual (two-way): in an e-commerce session the shop proves its identity to the customer (for example through its server certificate), while the customer proves his identity to the shop (for example with a password).

5. NON-REPUDIATION
• Non-repudiation means that the receiver must be able to prove that the received message came from a specific sender.
▪ Provides protection against denial, by one of the entities involved in a communication, of having participated in all or part of the communication.
• When you send a registered letter, the recipient cannot later deny that it was delivered; non-repudiation gives an electronic message the same property.
• In the same manner, a legal document requires the witness to sign so that he cannot later deny having done so.
• So, in brief, non-repudiation is the assurance that the act of sending (or receiving) cannot be denied by the party that performed it.


E-COMMERCE SECURITY CONCERNS
• Security concerns in e-commerce can be divided into two broad categories:
1. Client Server Security:
▪ Uses various authentication and authorization methods to make sure that only valid users and programs have access to information resources such as databases.
▪ Access control mechanisms are enabled to ensure that only authorized users are allowed to use resources.

2. Data and Transaction Security:
▪ Ensures the privacy and confidentiality of electronic messages and data packets.
▪ Includes authentication of remote users in network transactions for online payments.
▪ Different preventive measures, such as encryption, are used to achieve data and transaction security.

DATA AND MESSAGE SECURITY
• Several reasons contribute to the insecurity of the network:
▪ Eavesdropping and acting under a false identity are simple.
▪ Stealing data is undetectable in most cases.
• Popular PC operating systems offer little or no protection against viruses or other malicious software, which means that users cannot even trust the information displayed on their own screens.
• Therefore, if the security and privacy problems are addressed, e-shoppers will be converted into e-buyers, and e-commerce will be pushed a big step forward.
• E-commerce transaction security issues can be divided into two types: data security and message security.


DATA SECURITY
• The term "data security" refers to the protective measures for securing data from unapproved access and data corruption throughout the data lifecycle.
• Today, data is an important asset to any organization, and so it is essential to safeguard it from online criminals.
• To do so, organizations deploy data security solutions which include tokenization, data encryption, and key management practices that protect data.
• It is of principal importance at a time when people are conducting banking and other financial transactions from their PCs.

MESSAGE SECURITY
• Secure transmission is concerned with the techniques and practices that guarantee protection from eavesdropping and intentional message modification.
• Threats to message security fall into three categories: confidentiality, integrity and authentication.

1. Message Confidentiality:
• Confidentiality is maintaining the secrecy or privacy of a message.
• Cryptography is the best choice for maintaining the privacy of information; traditionally it has been used to protect secret messages.
• Similarly, privacy of resources, i.e. resource hiding, can be maintained by using properly configured firewalls.
• Confidentiality is important for users handling sensitive data such as credit card numbers.


MESSAGE SECURITY
2. Message Integrity:
• Integrity ensures the correctness as well as the trustworthiness of data or resources.
• Integrity mechanisms fall into two classes: prevention mechanisms, which stop unauthorized changes, and detection mechanisms, which reveal that a change has occurred (for example a message authentication code that no longer verifies).

3. Message Authentication:
• Authentication is a mechanism whereby the receiver of a transaction or message can be confident of the identity of the sender and/or the integrity of the message.
• Authentication in e-commerce basically requires the user to prove his or her identity for each requested service.

REASONS FOR DATA & MESSAGE SECURITY
• The reasons for data and message security are as follows:
▪ Ensure business continuity and prevent loss of revenue.
▪ Avoid data breaches and misuse.
▪ Prevent unauthorized access and manipulation.
▪ Protect the assets.
▪ Protect customers' privacy.
▪ Maintain and improve brand value.
▪ Competitive advantage over other businesses.


E-COMMERCE SECURITY SOLUTIONS
• E-commerce stores with ideal security have some features in common.
• They don't economize on robust hardware, and they don't rely too heavily on third-party apps or plugins (Adobe Flash being the classic example of a plugin that became a liability).

FIREWALLS
• A firewall is a software utility or hardware device that acts as a filter for data entering or leaving a network or computer.
• It can help to protect your network by filtering traffic and blocking outsiders from gaining unauthorized access to the private data on your computer.
• A firewall decides whether to allow or block specific traffic according to security rules.
▪ A firewall is a security system which protects the system from intruders and hackers.
▪ It lets permitted connections pass through and blocks harmful traffic.
• Not only does a firewall block unwanted traffic, it can also help block malicious software from infecting your computer.
• Example: you can think of a firewall as a security guard who decides who enters or exits a building.


FIREWALLS
• A firewall works like a traffic guard at your computer's entry point, or port.
• Based on a defined set of security rules, it accepts, rejects or drops that specific traffic.

Accept: allow the traffic.
Reject: block the traffic but reply to the sender with an error (an ICMP "unreachable" message or a TCP reset), so the sender learns at once that it was refused.
Drop: block the traffic silently, with no reply; the sender only sees a timeout.

[Figure: the firewall sits between the Internet and the organization network.]

HOW DOES A FIREWALL WORK?
• To start, a firewalled system analyzes network traffic based on rules.
• A firewall only welcomes those incoming connections that it has been configured to accept.
• It does this by allowing or blocking specific data packets (the units of communication sent over digital networks) based on pre-established security rules.
• In the simplest configuration, only trusted sources, identified by their IP addresses, are allowed in.
• IP addresses are important because they identify a computer or source, just as your postal address identifies where you live.


FIREWALLS IN E-COMMERCE
• Business models which deal with customers on the internet and allow them to buy and sell things require stringent security services.
• Since millions of people carry out daily transactions on e-commerce websites, it becomes extremely crucial for administrators to ensure safe transactions.
• If the firewall security on the e-commerce website is not healthy, hackers may find their way into the servers, which may lead to loss of data, capital, and trust.
• A firewall can secure and protect the network on both sides, client side and server side, and deliver only useful content.
• E-commerce websites receive a lot of incoming traffic, so it is essential to install a firewall to ensure your site's safety.

TYPES OF FIREWALLS
1. Software Firewall:
• A software firewall is a program installed on a computer or system.
▪ A software firewall is an intangible product.
• These firewalls are often built into the operating system and can distinguish between the programs on the computer system, so rules can be applied per application.
• A software firewall closes or hides open ports that are not needed, and so deflects incoming attacks against them.
• A software firewall is also aware of, and warns about, suspicious outgoing traffic.


TYPES OF FIREWALLS
2. Hardware Firewall:
• It is a tangible product or device that secures systems and PCs from outside threats, viruses, malware and other harmful software.
• A hardware firewall intervenes between two independent connected networks.
• Typically a router serves as the hardware firewall, but any other security appliance can also be used.
• A hardware firewall is placed between your PC (or network) and the outside world.

FUNCTIONS OF A FIREWALL
1. Packet-Level Filtering (Network Layer Filtering):
• The network layer uses the source IP address and destination IP address to route and deliver the data packet across the network.
▪ Forwards or discards each packet based on a set of rules.
▪ Configured to filter packets going in both directions.
▪ These IP addresses are present in every data packet.
▪ So these addresses can be used to configure a firewall to filter the traffic.
➢ The advantage of a packet filtering firewall is its simplicity. Also, packet filters are typically transparent to users and are very fast.

For Example:
• The IP addresses of the two computers are 10.10.10.10 and 20.20.20.20.
• A firewall is placed on the path that connects both computers.
• When the first computer sends a data packet to the second computer, the way the firewall is configured determines whether the packet will reach the second computer or not.
• The firewall may be configured to discard any packet with source address 10.10.10.10 and destination address 20.20.20.20, so that the first computer can never reach the second.


FUNCTIONS OF A FIREWALL
2. Circuit-Level Filtering (Transport Layer Filtering):
• This is more complex than packet-level filtering.
• This type of firewall filters the traffic based on port numbers, which identify the destination application.
• TCP sets up each connection with a three-way handshake (SYN, SYN-ACK, ACK); the firewall watches this handshake so that it knows which connections have been legitimately opened.
• In this process, the sending computer sets up a temporary connection with the computer receiving the data.
• Firewalls can be configured in such a way that:
▪ A firewall can allow or deny a packet based on its destination port number.
▪ A firewall can approve outgoing connections and automatically approve the return traffic belonging to them, while blocking packets that claim to be replies to connections it never saw.
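The packet-level and circuit-level behaviour described above, as an added example that is not part of the original notes: a small first-match rule engine that filters on source and destination address (packet level), on destination port (circuit level), and keeps a connection table so that return traffic of an approved outgoing connection is admitted while an unsolicited "reply" is dropped. The `Packet`, `Rule` and `Firewall` names, the rule set and the sample packets are assumptions made for the demonstration; 10.10.10.0/24 and 20.20.20.20 follow the addresses used in the notes, and 203.0.113.5 is a documentation address standing in for a site on the Internet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACCEPT, REJECT, DROP = "accept", "reject", "drop"

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (arriving from the Internet) or "out" (leaving the organization)
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True      # True when this packet opens a new connection (TCP SYN)

@dataclass(frozen=True)
class Rule:
    action: str
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # packet-level match on source address
    dst: str = "0.0.0.0/0"           # packet-level match on destination address
    dport: Optional[int] = None      # circuit-level match on destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class Firewall:
    def __init__(self, rules, default=DROP):
        self.rules = list(rules)
        self.default = default       # policy for packets no rule matches
        self.flows = set()           # connection table: (proto, src, sport, dst, dport) of accepted opens

    def filter(self, p: Packet) -> str:
        # Return traffic of a connection we already approved is let through without
        # consulting the rule list: the reply's addresses/ports are the original's, swapped.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return ACCEPT
        if not p.syn:
            return DROP              # claims to belong to a connection we never saw
        for rule in self.rules:      # first matching rule wins
            if rule.matches(p):
                if rule.action == ACCEPT:
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return self.default

ORG_NET = "10.10.10.0/24"
RULES = [
    Rule(ACCEPT, direction="in",  proto="tcp", dst="10.10.10.10", dport=443),  # the shop front
    Rule(REJECT, direction="in",  proto="tcp", dst="10.10.10.10", dport=22),   # SSH: refuse, and say so
    Rule(ACCEPT, direction="out", proto="tcp", src=ORG_NET),                   # staff may browse out
]

def demo():
    fw = Firewall(RULES)
    packets = [
        Packet("in",  "tcp", "20.20.20.20", 51000, "10.10.10.10", 443),               # shopper -> accept
        Packet("in",  "tcp", "20.20.20.20", 51001, "10.10.10.10", 22),                # SSH probe -> reject
        Packet("in",  "tcp", "20.20.20.20", 51002, "10.10.10.10", 3306),              # DB probe -> default drop
        Packet("out", "tcp", "10.10.10.42", 40000, "203.0.113.5", 443),               # staff browsing -> accept
        Packet("in",  "tcp", "203.0.113.5", 443, "10.10.10.42", 40000, syn=False),    # its reply -> accept (flow)
        Packet("in",  "tcp", "203.0.113.5", 443, "10.10.10.42", 40001, syn=False),    # unsolicited "reply" -> drop
    ]
    return [fw.filter(p) for p in packets]

if __name__ == "__main__":
    print(demo())
```

The SSH rule uses reject rather than drop so that the organization's own administrators get an immediate error instead of a hanging connection, while everything the rule set does not mention falls to the silent default drop, the usual choice for traffic from the Internet.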

FUNCTIONS OF A FIREWALL
3. Application-Level Filtering (Application Layer Filtering):
• This is the most advanced level of filtering.
• Traffic is filtered by inspecting the application layer protocols themselves, such as HTTP and FTP.
• It can also hold the traffic temporarily for more advanced investigation or action.
• Both packet-level and circuit-level filtering are used along with application-level filtering for network security.
• Configuring a software firewall for application-level filtering can slow down your computer, since every request has to be parsed.
• For this reason it is usually done on a dedicated hardware firewall or proxy appliance rather than on the end user's machine.


CRYPTOGRAPHY
• Cryptography is the technique of securing information and communications through the use of codes, so that only those persons for whom the information is intended can understand and process it.
▪ Thus it prevents unauthorized access to information.
• The prefix "crypt" means "hidden" and the suffix "graphy" means "writing".

CRYPTOGRAPHY
• In cryptography, the techniques used to protect information are derived from mathematical concepts and algorithms that transform messages in ways that make them hard to decode.
• When transmitting electronic data, the most common use of cryptography is to encrypt and decrypt email and other plain-text messages.

Plain Text:
▪ Plaintext or cleartext is unencrypted information.

Cipher Text:
▪ Ciphertext is encrypted text.
▪ Plaintext is what you have before encryption, and ciphertext is the encrypted result.


CRYPTOGRAPHY
Encryption:
• Encryption means that the sender converts the original information into another form and sends the unintelligible message over the network.

Decryption:
• Decryption reverses the encryption process in order to transform the message back to its original form.

➢ A good encryption/decryption technique is used to achieve privacy to some extent.
➢ This technique ensures that an eavesdropper cannot understand the contents of the message.

FEATURES OF CRYPTOGRAPHY
1. Confidentiality:
• Information can only be accessed by the person for whom it is intended; no other person can access it.

2. Integrity:
• Information cannot be modified in storage or in transit between sender and intended receiver without the alteration being detected.

3. Non-repudiation:
• The creator/sender of information cannot deny at a later stage having sent it.

4. Authentication:
• The identities of the sender and receiver are confirmed.
• The destination/origin of the information is confirmed as well.


TECHNIQUES USED FOR CRYPTOGRAPHY
• The simplest method uses the symmetric or "secret key" system.
• Here, data is encrypted using a secret key, and the recipient must hold the same secret key to decrypt it; the key therefore has to be delivered to the recipient somehow.
The problem?
• If the key is sent along the same channel as the message and the message is intercepted, the third party has everything they need to decrypt and read it; so the key must be distributed through a separate, secure channel, which is hard to arrange with strangers on the internet.
• To address this issue, cryptologists devised the asymmetric or "public key" system.
• In this case, every user has two keys: one public and one private.
• Senders obtain the public key of their intended recipient, encrypt the message with it and send it along.
• When the message arrives, only the recipient's private key will decode it, meaning theft of the message (and of the public key) is of no use without the corresponding private key.

TYPES OF ENCRYPTION/DECRYPTION
• There are two types of encryption/decryption techniques:
▪ Privacy with secret key encryption/decryption
▪ Privacy with public key encryption/decryption


1. SECRET KEY ENCRYPTION/DECRYPTION
• Also known as symmetric key cryptography.
• It is an encryption system where the sender and receiver of a message use a single common key to encrypt and decrypt messages.
• In the secret key technique, the decryption algorithm is the inverse of the encryption algorithm, applied with the same key.
• The secret key is used by the computer to encrypt the information before it is sent over the network to another computer, and by the receiving computer to decrypt it.
• The strength of symmetric key cryptography depends on the algorithm having no practical weakness and on the number of key bits, which determines how long an exhaustive search of all keys would take.
• It is relatively faster than asymmetric key cryptography.
• A key distribution problem arises, as the key has to be transferred from the sender to the receiver through a secure channel.
• The classic symmetric key system is the Data Encryption Standard (DES); its 56-bit key is too short to resist brute force today, and it has been replaced by the Advanced Encryption Standard (AES).
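The secret key scheme described above, together with the integrity and authentication goals from the Message Security section, as one added example that is not part of the original notes. Both sides hold a single shared key; from it the code derives one key for a stream cipher (counter mode over HMAC-SHA256, chosen because it needs only the Python standard library) and one for a message authentication tag in the encrypt-then-MAC arrangement. The function names, the sample order message and the attacker's bit-flip are assumptions made for the demonstration; a production system would use a vetted authenticated cipher such as AES-GCM from a cryptography library rather than this construction.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32

def derive_keys(master: bytes):
    """Split the one shared secret into independent encryption and MAC keys."""
    return (hmac.new(master, b"encrypt", hashlib.sha256).digest(),
            hmac.new(master, b"authenticate", hashlib.sha256).digest())

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the pseudorandom function."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)                 # fresh per message; never reuse with the same key
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(master: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison of the tags
        raise ValueError("integrity/authentication check failed: message rejected")
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def decrypt_without_mac(master: bytes, blob: bytes) -> bytes:
    """Confidentiality only: what an unauthenticated stream cipher would hand the receiver."""
    enc_key, _ = derive_keys(master)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def demo():
    key = os.urandom(32)                          # the one secret both parties share
    order = b"card=4111111111111111;amount=49.99" # constructed sample message
    blob = encrypt(key, order)

    # An attacker on the path cannot read the order, but flips one bit of the
    # ciphertext byte that sits under the '4' of 49.99.
    tampered = bytearray(blob)
    tampered[NONCE_LEN + order.index(b"49.99")] ^= 0x01
    tampered = bytes(tampered)

    try:
        decrypt(key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        decrypt(os.urandom(32), blob)             # a different key: the tag will not verify either
        wrong_key_detected = False
    except ValueError:
        wrong_key_detected = True

    return {
        "roundtrip_ok": decrypt(key, blob) == order,
        "tamper_detected": tamper_detected,
        "wrong_key_detected": wrong_key_detected,
        "unauthenticated_result": decrypt_without_mac(key, tampered),   # silently reads amount=59.99
    }

if __name__ == "__main__":
    print(demo())
```

The last line of the result is the point of the Message Integrity section: a cipher alone keeps the amount secret but lets an attacker change it without knowing the key, and only the authentication tag turns that change into a rejected message.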


2. PUBLIC KEY ENCRYPTION/DECRYPTION
• Also known as asymmetric key cryptography.
• Under this system a pair of keys (a private key and a public key) is used to encrypt and decrypt information.
• The public key is used for encryption and the private key is used for decryption.
• The public key is made available to the public, while the private key is kept secret by each individual.
• It solves the key distribution problem, as the key used for encryption can be published openly and the private key never has to be transmitted.
• It is not feasible to use for encrypting bulk messages, as it is very slow compared to symmetric key cryptography; in practice it is used to protect a symmetric key that then encrypts the bulk data.
• The most commonly used public key algorithm is known as RSA.


SECRET KEY VS PUBLIC KEY ENCRYPTION

Basis for comparison | Secret Key Encryption | Public Key Encryption
Define | Secret Key Encryption is defined as the technique that uses a single shared key to encrypt and decrypt the message. | Public Key Encryption is defined as the technique that uses two different keys for encryption and decryption.
Efficiency | It is efficient, as this technique is recommended for large amounts of text. | It is inefficient, as this technique is used only for short messages.
Another name | It is also known as Symmetric Key Encryption. | It is also known as Asymmetric Key Encryption.
Speed | Its speed is high as it uses a single key for encryption and decryption. | Its speed is slow as it uses two different keys; both keys are related to each other through a complicated mathematical process.
Algorithms | The secret key algorithms are DES, 3DES, AES & RC4. | The public key algorithms are Diffie-Hellman, RSA.
Purpose | The main purpose of the secret key algorithm is to transmit the bulk data. | The main purpose of the public key algorithm is to share the keys securely.

MALICIOUS SOFTWARE
 Malicious software, commonly known as malware, is any
software designed to cause harm to a computer system.
 Malware can be in the form of worms, viruses, Trojans,
spyware, adware and rootkits, etc.
▪ which steal protected data, delete documents or add
software not approved by a user.

1. Viruses:
 A computer virus is a piece of software that inserts itself
into one or more files and then performs some harmful
action.
 Whenever the infected computer comes into contact with
an uninfected piece of software, a fresh copy of the virus
passes into the new program.


MALICIOUS SOFTWARE
2. Worms:
 A worm is a program that can replicate itself and send copies
from computer to computer.
▪ Network worm programs use network connections to spread
from system to system.
 Upon arrival, the worm may be activated to replicate and
propagate again.

3. Trojan Horse:
 A Trojan horse is a program or command procedure containing
hidden code that, when invoked, performs some unwanted or
harmful function.
 A Trojan horse is any malware which misleads users about its
true intent, fooling them into thinking it is a harmless file.
▪ It looks genuine and is designed to trick users.

ANTIVIRUS
 Antivirus software also known as anti-malware is a computer
program used to prevent, detect, and remove malware.

 Once installed, most antivirus software runs automatically in the
background to provide real-time protection against virus attacks.
▪ Do not allow a virus to get into the system.

 Antivirus is a program that helps to secure various systems by
scanning, detecting and removing viruses, malware, computer
worms, and so on.
▪ Detection: Once the infection has occurred, determine that it has
occurred and locate the virus.
▪ Identification: Once detection has been achieved, identify the
specific virus that has infected a program.
▪ Removal: Once the specific virus has been identified, remove all
traces of the virus from the infected program and restore it to its
original state.

 There are several free and paid antivirus software programs.


ANTIVIRUS IN E-COMMERCE
 Hackers can use stolen credit card information to place
orders from anywhere in the world.

 An antivirus or an anti-fraud software can help you with
this serious e-commerce issue.

 They use sophisticated algorithms to flag any malicious
transactions so that you can take further action.

 They provide a fraud risk score which can help
proprietors determine if a certain transaction is
legitimate.

 Some of the commonly used antiviruses are Avira, AVG,
NOD32, Kaspersky, Antivirus.

FEATURES OF AN EFFECTIVE ANTIVIRUS


 The following features of any antivirus are to be looked for when
deciding on installing one:
▪ Proactive scanning for malware and deleting it once detected.

▪ Default-Deny Protection: Default-Deny protection that is
implemented to prevent the entry of suspicious files by default.

▪ Containment Technology: Validates and authorizes the
programs that are executable and ensures that the processes are
run without affecting the regular operations of the system.

▪ Host Intrusion Protection System (HIPS): This feature works
on a protocol-based intrusion prevention system that oversees all
the application and program activities that are processed in the
system.
▪ This prevents the malware from infecting the operating system,
registry keys, personal data or system memory.


ADVANTAGES & DISADVANTAGES OF ANTIVIRUS


Advantages:
 Device is protected against viruses, Trojans, worms, spyware,
adware, rootkits, and keyloggers.
 If you accidentally click a phishing link or any such malicious
link, it will protect your device and data.
 Antivirus software protects confidential information from hackers as
well.
 It can save thousands of dollars in computer repair costs every year.
 Antivirus software can help in eliminating spam emails as well.

Disadvantages:
 Since antivirus software comes in large sizes, the device can experience
lag.
 A few antivirus software packages come without an inbuilt firewall provision.
 This can increase the chances of the device being attacked.
 Thus, to ensure safety, make sure that the antivirus software comes
with firewall protection.

DIGITAL SIGNATURE
 A digital signature is an authentication mechanism that
enables the creator of a message to attach a code that acts as a
signature.
▪ A technique which is used to validate the authenticity and
integrity of the message.
▪ Authentication, integrity, and non-repudiation can be
achieved by using a digital signature.

 A digital code (generated and authenticated by public key
encryption) which is attached to an electronically transmitted
document to verify its contents and the sender's identity.

 Typically, the signature is formed by taking the hash of the
message and encrypting that hash with the creator's private
key.

 The basic idea behind the Digital Signature is to sign a
document when we send a document electronically.


DIGITAL SIGNATURE IN E-COMMERCE


 Digital signatures are used in e-commerce, software
distribution, financial transactions and other situations that
rely on forgery or tampering detection techniques.

 Digital signature plays a huge role in the security of e-
commerce because its technology makes it easier to obtain
user signatures on documents.

 For the safety of e-commerce companies, they need to ensure
that the people purchasing from them are not cyber-criminals
and are authorized to use the payment methods they are presenting.

 The Digital Signatures are encrypted messages with specific
private keys that allow authentication.

 The signature connects to the data so that, if the data is
changed, the signature is automatically invalidated.

HOW A DIGITAL SIGNATURE WORKS?


 The process of digitally signing your document would go
something like this:
▪ First, you copy the document and paste it into an e-
mail note.
▪ Second, you use special software to obtain a mathematical
summary (commonly known as a message hash) of the
contract.
▪ Thirdly, you use a private key that you purchased from
a trusted public-private key authority for encrypting the
message hash.
▪ Lastly, you send your document with the encrypted message hash as
your digital signature.

 The digital signature can be used for signing any form of
electronic document whether or not the message is encrypted.

 The digital signature is protected with a digital certificate that
authenticates it.


HOW A DIGITAL SIGNATURE WORKS?

 Digital signatures are based on Public Key
Infrastructure.
 By this mechanism, two keys are generated, a Public
Key and a Private Key.
 The private key is kept by the signer, and it should be
kept securely.
 On the other hand, the receiver must have the public key
to decrypt the message.

STEPS IN A DIGITAL SIGNATURE

 The use of digital signatures usually involves two processes,
one performed by the signer and the other by the receiver of
the digital signature.


1. CREATION OF A DIGITAL SIGNATURE


 The signer demarcates what needs to be signed, and this
information is known as the “message”.
 The hash function in the signatory’s software calculates
the hash result/digital fingerprint unique to the
“message”.
 The Signer’s software further encrypts the hash result to
a digital signature using the Signer’s private key.
 The digital signature created is unique to the message
and the private key used to construct it.
 The digital signature will be attached to its message and
stored or distributed with the message.
 Because a digital signature is unique to its message, it is
beneficial to maintain a reliable link to its message.

2. VERIFICATION OF A DIGITAL SIGNATURE


 The recipient receives the digital signature with its
message.
 The recipient applies the signer's public key to the digital signature.
 This recovers the hash result from the digital signature.
 The recipient computes a new hash result of the original message
using the same hash function used by the signatory to
create the digital signature.
 The two hash results from the previous steps are compared.
 If the hash results are verified to be identical, it means
that the message has not changed.
 If they are not identical, it means that the message faced
alteration, or that the signature came from elsewhere.
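The creation and verification processes above, as an added example (not code from the notes) using RSA with SHA-256 from Go's standard library; the contract text and the impostor key are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign implements the creation steps: hash the message (its "digital
// fingerprint"), then apply the signer's private key to the hash. The result
// is the digital signature that is attached to and distributed with the message.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify implements the verification steps: recompute the hash of the
// received message with the same hash function, then use the signer's public
// key to check that the signature matches that hash. A nil error means the
// message is unchanged and was signed by the private-key holder.
func Verify(pub *rsa.PublicKey, message, signature []byte) error {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature)
}

// Outcome records the three checks Demo performs.
type Outcome struct {
	GenuineOK        bool // untouched message, genuine signature: accepted
	AlteredRejected  bool // one bit of the message changed in transit: rejected
	ImpostorRejected bool // same message signed with somebody else's key: rejected
}

// Demo signs a message and exercises the verification step against the
// genuine message, an altered copy, and a signature from an impostor's key.
func Demo(message []byte) (Outcome, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // constructed: a key the receiver does not trust
	if err != nil {
		return Outcome{}, err
	}
	sig, err := Sign(signer, message)
	if err != nil {
		return Outcome{}, err
	}
	altered := append([]byte{}, message...)
	altered[len(altered)-1] ^= 0x01 // flip one bit of the message
	forged, err := Sign(impostor, message)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		GenuineOK:        Verify(&signer.PublicKey, message, sig) == nil,
		AlteredRejected:  Verify(&signer.PublicKey, altered, sig) != nil,
		ImpostorRejected: Verify(&signer.PublicKey, message, forged) != nil,
	}, nil
}

func main() {
	out, err := Demo([]byte("Contract: buyer pays on delivery")) // constructed sample
	fmt.Printf("%+v err=%v\n", out, err)
}
```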


ADVANTAGES OF DIGITAL SIGNATURE


1. Speed:
 Businesses no longer have to wait for paper documents to be sent by
courier.
 Contracts are easily written, completed, and signed by all concerned
parties in a short amount of time, no matter how far apart the parties are
geographically.

2. Costs:
 Using postal or courier services for paper documents is much more
expensive compared to using digital signatures on electronic documents.

3. Security:
 The use of digital signatures and electronic documents reduces risks of
documents being intercepted, read, destroyed, or altered while in
transit.

4. Authenticity:
 An electronic document signed with a digital signature can stand up in
court just as well as any other signed paper document.

ADVANTAGES OF DIGITAL SIGNATURE


5. Tracking:
 A digitally signed document can easily be tracked and located
in a short amount of time.

6. Non-Repudiation:
 Signing an electronic document digitally identifies you as the
signatory and that cannot be later denied.

7. Imposter prevention:
 No one else can forge your digital signature or submit an
electronic document falsely claiming it was signed by you.

8. Time-Stamp:
 By time-stamping your digital signatures, you will clearly
know when the document was signed.


DISADVANTAGES OF DIGITAL SIGNATURE


1. Expiry:
 Digital signatures, like all technological products, are
highly dependent on the technology they are based on.
 In this era of fast technological advancements, many of
these tech products have a short shelf life.

2. Certificates:
 In order to effectively use digital signatures, both senders
and recipients may have to buy digital certificates at a
cost from trusted certification authorities.

3. Software:
 To work with digital certificates, senders and recipients
have to buy verification software at a cost.

DISADVANTAGES OF DIGITAL SIGNATURE


4. Law:
 In some states and countries, laws regarding cyber and
technology-based issues are weak or even non-existent.
 Trading in such jurisdictions becomes very risky for those
who use digitally signed electronic documents.

5. Compatibility:
 There are many different digital signature standards and
most of them are incompatible with each other, and this
complicates the sharing of digitally signed documents.



DIGITAL CERTIFICATE
 A Digital Certificate is an electronic "password" that allows a person,
computer or organization to exchange data securely over the internet using the
public key infrastructure (PKI).
▪ Digital Certificate is also known as a public key certificate or identity
certificate.

 The information a digital certificate contains is as follows.


▪ Subject name (name of the user)
▪ Public key (photograph and signature)
▪ Serial number (number of digital certificate)
▪ Other data like email, phone, etc. (some of the user's personal information)
▪ Validity i.e., Valid from and Valid to (validity of a particular digital
certificate)
▪ Issuer name (who issues a digital certificate for a user)

 A digital certificate authenticates the web credentials of the sender and lets the
recipient of an encrypted message know that the data is from a trusted source (or
a sender who claims to be one).

 A digital certificate is issued by a certification authority (CA).
▪ The most common digital certificate standard is X.509 Certificate.

CERTIFICATE AUTHORITY (CA)


 A trusted agency that issues digital certificates is known as a
certificate authority.

 A certificate authority (CA) should be a trusted one; hence in
many countries, the government decides who should and
should not be a CA.

 The CA verifies the identity and legitimacy of the company or individual
that requested the certificate and, if the verification is
successful, the CA issues a signed certificate.

 The CA is responsible for managing all aspects of digital certificate
issuance, publication, revocation, renewal etc.

 Verisign and Entrust are some of the famous certificate
authorities in the world.


WHAT DOES DIGITAL CERTIFICATE PROVIDE?


❑ Identification/Authentication: The persons/entities with whom we
are communicating are really who they say they are.

❑ Confidentiality: The information within the message or transaction is
kept confidential. It may only be read and understood by the intended
sender and receiver.

❑ Integrity: The information within the message or transaction is not
tampered with accidentally or deliberately en route without all parties
involved being aware of the tampering.

❑ Non-Repudiation: The sender cannot deny sending the message or
transaction, and the receiver cannot deny receiving it.

❑ Access Control: Access to the protected information is only realized by
the intended person or entity.

➢ All the above security properties can be achieved and implemented
through the use of Public Key Infrastructure (in particular Digital
Certificates).

IMPORTANCE OF DIGITAL CERTIFICATE


❑ There are billions of emails which are transferred over
the web every day.
▪ A certificate is used as an attachment to the email for
security purposes to verify the authenticity of the
sender.

❑ For online banking, the digital certificate is an important
variable of trust.
▪ It also ensures the protection of sensitive data.

❑ To avoid the threats of online fraud and identity theft, the
CA has provided the digital certificate, which is
reassurance for the millions of internet users and casual
web surfers.


DIGITAL SIGNATURE VS. DIGITAL CERTIFICATE

Digital Signature | Digital Certificate
It verifies the identity of the document. | It verifies the identity of the ownership of an online medium.
It is issued to a specific individual by an authorized agency. | It is issued after the background check of the applicant by the Certificate Authority (CA).
It ensures that the signer cannot repudiate the signed document. | It ensures that two parties who are exchanging the information are secured.
It works on DSS (Digital Signature Standard). | It works on the principles of public-key cryptography standards.
The digital signature uses a mathematical function (hashing function). | It contains personal information to help in identifying the trace of the owner.
It is an attachment to a document that can be viewed as a signature. | It is a medium to prove the holder's identity for a particular transaction.
It ensures the sender and the receiver have the same document containing the same data. | It builds the trust between the user and the business (certificate holder).

THIRD-PARTY AUTHENTICATION
 Authentication means verifying the identity of someone who wants to
access data, resources, or applications.

 Third-party authentication is often called federated authentication or
delegated authentication.

 In third-party authentication systems, the password or encryption
key itself never travels over the network.
▪ Rather, an authentication server maintains a file of obscure facts
about each registered user.

 At log-on time, the server computes a token.
▪ The server then transmits an encrypted message containing the token,
which can be decoded with the user's key.
▪ The message contains an authentication token that allows users to log
on to the network services.

 Third-party authentication allows users to log in to SGD (Secure Global
Desktop) if they have been authenticated by an external mechanism.


THIRD-PARTY AUTHENTICATION
 Third-party authentication has three main advantages:

❑ First, the authentication process is facilitated.
▪ You do not have to worry about authenticating individual users but
just about interacting with a trusted external service.

❑ Secondly, it reduces password fatigue: the stress associated with
having too many accounts and entering passwords frequently.
▪ Some people use LastPass and feel frustrated when they realise how
many saved passwords they have, a number that can be as high as 400!
▪ For instance, an area technology specialist will probably have more
passwords than an average Internet user, but even a regular
Internet user has dozens, or even hundreds, of accounts.

❑ Thirdly, third-party authentication is done "without noise and dust, and
danger": it allows your site to run faster, with the use of existing
credentials.
▪ If users see that they need to create another pair of "username and
password", they often simply leave the web page.

SECURE SOCKET LAYER (SSL)


 Secure Sockets Layer (SSL) is a standard protocol used for the secure
transmission of documents over a network.
▪ The word socket refers to the mechanism of transferring data between a client
and server over a network.

 When using SSL for secure Internet transactions, a Web server needs an SSL
certificate to establish a secure SSL connection.

 An SSL certificate is a digital certificate that authenticates a website's identity and
enables an encrypted connection.
▪ SSL is a security protocol that creates an encrypted link between a web server
and a web browser.

 Companies and organizations need to add SSL certificates to their websites to
secure online transactions and keep customer information private and secure.
▪ In short, SSL keeps internet connections secure and prevents criminals from
reading or modifying information transferred between two systems.

 When you see a padlock icon next to the URL in the address bar, that means SSL
protects the website you are visiting.


NEED OF SSL CERTIFICATE


 Websites need SSL certificates to keep user data secure, verify ownership of the
website, prevent attackers from creating a fake version of the site, and convey
trust to users.

 An SSL certificate helps to secure information such as:
▪ Login credentials
▪ Credit card transactions or bank account information
▪ Personally identifiable information, such as full name, address, date of
birth, or telephone number
▪ Legal documents and contracts
▪ Medical records
▪ Proprietary information

 SSL certificates help keep online interactions private and assure users that the
website is authentic and safe to share private information with.

 HTTPS is the secure form of HTTP, which means that HTTPS websites have
their traffic encrypted by SSL.
▪ Most browsers tag HTTP sites, those without SSL certificates, as "not
secure."

SSL ARCHITECTURE

1. SSL Handshake Protocol:
 This protocol allows the server and client to authenticate
each other and to negotiate an encryption and MAC
algorithm and cryptographic keys to be used to protect
data sent in an SSL record.


SSL ARCHITECTURE
2. SSL Record Protocol:
 The SSL Record Protocol provides basic security services
to higher layer protocols.

3. SSL Change Cipher Spec Protocol:
 Change Cipher Spec messages are used in SSL to
indicate that the communication is shifted from
unencrypted form to encrypted form.
 Or, in other words, the other communicating party is
informed about the security mechanism being used.

4. SSL Alert Protocol:
 The Alert Protocol is used to convey SSL related alerts to
the peer entity.

SSL IN E-COMMERCE
 For all e-commerce websites, it is mandatory to have SSL
certificates to facilitate secure connections, as these certificates are
very useful in authenticating the identity of an online retail business and
securing data at the checkout.
 These certificates also safeguard the customers from financial
online frauds.

Have you ever visited an online store, only to exit because its data
wasn't secure?
 Unfortunately, many website owners are unaware of the steps to
take to gain customers' trust.
 If they see that your site isn't encrypted, for example, they'll stay far
away.
 An SSL certificate ensures that confidential user information is
stored safely and securely.
 It encrypts your information to prevent it from getting into the
hands of hackers and malware.
 Information such as names, passwords and email addresses stays
safe when a business has an SSL certificate.


HOW DO SSL CERTIFICATES WORK?


 It uses encryption algorithms to scramble data in transit, which
prevents hackers from reading it as it is sent over the connection.

 The process works like this:
1. A browser or server attempts to connect to a website (i.e., a web
server) secured with SSL.
2. The browser or server requests that the web server identifies
itself.
3. The web server sends the browser or server a copy of its SSL
certificate in response.
4. The browser or server checks to see whether it trusts the SSL
certificate. If it does, it signals this to the web server.
5. The web server then returns a digitally signed acknowledgment
to start an SSL encrypted session.
6. Encrypted data is shared between the browser or server and the
web server.

➢ While it sounds like a lengthy process, it takes place in milliseconds.
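An added example, not from the notes, that ties the certificate authority section to the six steps above: a constructed root CA issues a certificate for the assumed hostname shop.example, a browser-side check accepts it but rejects a look-alike issued by an untrusted CA (step 4), and a TLS client and server then complete the handshake over an in-memory connection.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate with the fields the notes list (subject name, serial
// number, validity, issuer, public key). parent == nil means self-signed (a root CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()), // demo serial; real CAs use random ones
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // hostname the browser compares the URL against
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey // issuer name is taken from the parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Handshake runs steps 1 to 5 between a TLS client and server over an in-memory
// pipe; the client trusts only the CAs in pool and checks the certificate for host.
func Handshake(leaf *x509.Certificate, key *rsa.PrivateKey, pool *x509.CertPool, host string) (tls.ConnectionState, error) {
	clientConn, serverConn := net.Pipe()
	clientConn.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a stalled peer
	serverConn.SetDeadline(time.Now().Add(5 * time.Second))
	server := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}},
		SessionTicketsDisabled: true, // unbuffered pipe: send handshake messages only
	})
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	client := tls.Client(clientConn, &tls.Config{RootCAs: pool, ServerName: host})
	err := client.Handshake()
	state := client.ConnectionState()
	clientConn.Close() // closing the raw pipe unblocks the server if anything failed
	if sErr := <-serverErr; err == nil {
		err = sErr
	}
	serverConn.Close()
	return state, err
}

// Scenario: a root CA issues a genuine certificate for shop.example; an untrusted
// CA issues a look-alike for the same name. Only the genuine one passes step 4.
func Scenario() (genuineTrusted, rogueRejected bool, version uint16, err error) {
	mk := func(cn string, isCA bool, p *x509.Certificate, pk *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
		c, k, e := issue(cn, isCA, p, pk)
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	root, rootKey := mk("Example Shop Root CA", true, nil, nil)
	leaf, leafKey := mk("shop.example", false, root, rootKey)
	rogueCA, rogueKey := mk("Untrusted CA", true, nil, nil)
	rogue, _ := mk("shop.example", false, rogueCA, rogueKey)
	if err != nil {
		return false, false, 0, err
	}
	pool := x509.NewCertPool() // the browser's trust store: only our root
	pool.AddCert(root)
	_, gErr := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "shop.example"})
	_, rErr := rogue.Verify(x509.VerifyOptions{Roots: pool, DNSName: "shop.example"})
	state, err := Handshake(leaf, leafKey, pool, "shop.example")
	return gErr == nil, rErr != nil, state.Version, err
}

func main() {
	fmt.Println(Scenario())
}
```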

WHAT AN SSL CERTIFICATE LOOKS LIKE

[Figure: example SSL certificate; the image is not included in the extracted text.]


VIRTUAL PRIVATE NETWORK (VPN)


 A VPN is a technology that creates a safe and encrypted
connection over a less secure network (i.e. the internet) from a
device to a network.
▪ A VPN is a way to extend a private network using a public
network.

 The encrypted connection helps ensure that sensitive data is
safely transmitted.
▪ It prevents unauthorized people from eavesdropping on the
traffic and allows the user to conduct work remotely.

 VPN technology is widely used in corporate environments.
▪ A VPN extends a corporate network through encrypted
connections made over the Internet.
▪ Because the traffic is encrypted between the device and the
network, traffic remains private as it travels.
▪ An employee can work outside the office and still securely
connect to the corporate network.

WHY DO YOU NEED A VPN SERVICE?


 Surfing the web or transacting on an unsecured Wi-Fi network
means you could be exposing your private information and browsing
habits.

 That's why a virtual private network, better known as a VPN, should
be a must for anyone concerned about their online security and
privacy.

 Think about all the times you've been on the go, reading emails
while in line at the coffee shop, or checking your bank account while
waiting at the doctor's office.

 Unless you were logged into a private Wi-Fi network that requires a
password, any data transmitted during your online session could be
vulnerable to eavesdropping by strangers using the same network.

 The encryption and anonymity that a VPN provides helps protect
your online activities: sending emails, shopping online, or paying
bills.
 VPNs also help keep your web browsing anonymous.


VPN PRIVACY: WHAT DOES A VPN HIDE?


 A VPN can hide a lot of information that can put your privacy at risk.
 Here are five of them:

1. Your Browsing History:
 It's no secret where you go on the internet. Your internet service
provider and your web browser can track just about everything you do
on the internet. A lot of the websites you visit can also keep a history.
 Without a VPN, you've automatically shared that information and may
start receiving targeted ads that could draw further attention to your
condition.
 Keep in mind your internet service provider may be able to sell your
browsing history. Even so-called private browsers may not be so private.

2. Your IP Address and Location:
 Anyone who captures your IP address can access what you've been
searching on the internet and where you were located when you
searched.
 Since a VPN uses an IP address that's not your own, it allows you to
maintain your online privacy and search the web anonymously.

VPN PRIVACY: WHAT DOES A VPN HIDE?


3. Your Location for Streaming:
 You might pay for streaming services that enable you to watch things
like professional sports.
 When you travel outside the country, the streaming service may not be
available.
 A VPN would allow you to select an IP address in your home country.

4. Your Devices:
 Your devices can be prime targets for cyber-criminals when you access
the internet, especially if you’re on a public Wi-Fi network.
 A VPN helps protect the data you send and receive on your devices so
hackers won’t be able to watch your every move.

5. Your Web Activity, to Maintain Internet Freedom:
 A VPN protects against your internet service provider seeing your
browsing history.
 Assuming your VPN provider doesn't log your browsing history (some
VPN providers do), your VPN can help protect your internet freedom.


EXAMPLE OF VPN
 Think of a situation where the corporate office of a bank is situated in Washington,
USA. This office has a local network consisting of, say, 100 computers.
 Suppose other branches of the bank are in Mumbai, India, and Tokyo, Japan.

 The traditional method of establishing a secure connection between head office
and branch was to have a leased line between the branches and head office,
which was a very costly as well as troublesome job.
 VPN lets us overcome this issue in an effective manner.

TYPES OF VPNS
1. Remote Access:
 A remote access VPN securely connects a device outside the
corporate office.
 These devices are known as endpoints and may be laptops, tablets,
or smartphones.
 Advances in VPN technology have allowed security checks to be
conducted on endpoints to make sure they meet a certain posture
before connecting.
 Think of remote access as computer to network.

2. Site-to-Site:
 A site-to-site VPN connects the corporate office to branch offices over
the Internet.
 Site-to-site VPNs are used when distance makes it impractical to
have direct network connections between these offices.
 Dedicated equipment is used to establish and maintain a connection.
 Think of site-to-site access as network to network.


SECURE ELECTRONIC TRANSACTION (SET)


 Secure Electronic Transaction (SET) is a system that ensures
the security and integrity of electronic transactions done using
credit cards.

 SET is not some system that enables payment, but it is a
security protocol applied to those payments.

 It uses different encryption and hashing techniques to secure
payments over the internet done through credit cards.

 The SET protocol was supported in development by major
organizations like Visa, Mastercard, Microsoft, which provided
its Secure Transaction Technology (STT), and Netscape, which
provided the technology of Secure Socket Layer (SSL).

SECURE ELECTRONIC TRANSACTION (SET)


 The SET protocol restricts the revealing of credit card details to
merchants, thus keeping hackers and thieves at bay.

 The SET protocol includes Certification Authorities for making
use of standard Digital Certificates like the X.509 Certificate.

 The SET protocol has some requirements to meet; some of the
important requirements are:
▪ It has to provide mutual authentication, i.e., customer (or
cardholder) authentication by confirming whether the customer is
an intended user or not, and merchant authentication.
▪ It has to keep the PI (Payment Information) and OI (Order
Information) confidential by appropriate encryption.
▪ It has to be resistant to message modification, i.e., no
changes should be allowed in the content being transmitted.
▪ SET also needs to provide interoperability and make use of
the best security mechanisms.


COMPONENTS OF SET

[Figure: components of SET; the image is not included in the extracted text.]

 It has the following components:
1. Card Holder's Digital Wallet Software:
 Digital Wallet allows the card holder to make secure purchases
online via point and click interface.

2. Merchant Software:
 This software helps merchants to communicate with potential
customers and financial institutions in a secure manner.

3. Payment Gateway Server Software:


 The payment gateway provides an automatic and standard payment
process. It supports the process for the merchant's certificate request.

4. Certificate Authority Software:
 This software is used by financial institutions to issue digital
certificates to card holders and merchants, and to enable them to
register their account agreements for secure electronic commerce.


WORKING OF SET
➢ The customer opens an account.
➢ The customer receives a certificate.
➢ Merchants have their own certificates.
➢ The customer places an order.
➢ The merchant is verified.
➢ The order and payment information are sent by the
customer.
➢ The merchant requests payment authorization.
➢ The merchant confirms the order.
➢ The merchant ships the ordered item.
➢ The merchant requests payment through the payment
gateway.

SET FUNCTIONALITIES
1. Provide Authentication:
▪ Merchant Authentication: To prevent theft, SET allows customers to
check previous relationships between merchants and financial
institutions. Standard X.509v3 certificates are used for this verification.

▪ Customer/Cardholder Authentication: SET checks whether the use of a
credit card is done by an authorized user or not, using X.509v3 certificates.

2. Provide Message Confidentiality:
 Confidentiality refers to preventing unintended people from reading
the message being transferred.
 SET implements confidentiality by using encryption techniques.
 Traditionally DES is used for encryption purposes.

3. Provide Message Integrity:
 SET doesn't allow message modification, with the help of signatures.
Messages are protected against unauthorized modification.


ADVANTAGES & DISADVANTAGES OF SET


Advantages of SET
 Some of the advantages of SET include the following:
▪ Information Security: Neither anyone listening in,
nor a merchant, can use the information passed during
a transaction for fraud.
▪ Credit card Security: There is no chance for anybody
to steal a credit card.
▪ Flexibility in Shopping: If a person has a phone,
he/she can shop.

Disadvantages of SET
 Some of the disadvantages of SET include:
▪ its complexity, and
▪ high cost for implementation.

FOR YOUR ATTENTION !

Any Questions?