E-Commerce – Definition • Electronic commerce is an emerging concept that describes the process of buying and selling or exchanging of products

, services and information via computer networks including the internet

E-Commerce – classification • A common classification of EC is by the nature of transaction: – – – Business-to-business (B2B): electronic market transactions that take place between organizations Business-to-consumer (B2C): retailing transactions with individual shoppers – typical shopper at Amazon.com is a consumer Consumer-to-consumer (C2C): consumer sells directly to consumers, examples individuals selling in classified ads, auction sites allowing individuals to put up items for auction – e.g, e-bay Consumer-to-Business (C2B): individuals who sell products or services to organizations and those who seek sellers and conclude a transaction Intrabusiness (organizational) EC: all internal organizational activities involving exchange of goods, services or information, selling corporate products to employees, online training and cost reduction activities Non-business EC: academic institutions, not-for-profit organizations, religious/social organizations and government agencies using EC to improve their operations, customer service and reduce expense

– –

Basics • • • • • • Web client- machine that initiates internet request Web server – machine that services internet request Brower - software at the client side to interact with web data Intranet – an internal network of computers confined to a single place Extranet – when two or more intranets are connected with each other, they form an Extranet – e.g, Virtual Private Network Internet – a global network of networks

Client-Server Mode

What is the Web? • • • • The Web is a protocol that uses the internet as the communication structure The web links documents stored in computers that communicate on the internet Based on Hypertext Transfer Protocol (HTTP) . date. A network can be anything from a simple collection of computers at one location connected through a connectivity media to the internet (a global network of networks) 2.native protocol of WWW designed for making web page requests HTTP is a FOUR step process per transaction HTTP Connection 1. Most LANs consist of many clients and a few servers LAN setup . request. Client downloads page 4. status etc. What is a network? 1. Sever accepts request – Sends page as HTTP 3. Local Area Network (LAN) is a server-based network confined to a particular area/place 3. Server breaks the connection Side Effects of http transfers • • • • • A record is left of all web transaction Resides in log files generated at the server Good news : user data recorded Bad news: what about user privacy? Common log file (CLF) format – identity. Client – – Makes a HTTP request for a web page Makes a TCP/IP connection 2.

7 layer architecture ISO OSI model TCP/IP Stack Mapped To OSI Model OSI Model TCP/IP Stack TCP/IP Protocol Stack Members HTTP=Used for web page requests Telnet=Terminal Emulation Protocol – connects a local computer with a remote computer FTP=File Transfer Protocol .OSI Network Model 1.provides an interface and services for file transfer over the network – upload from local to remote & vice versa SMTP=Simple Mail Transport Protocol – provides e-mail services on the internet TCP=Transmission Control Protocol – connection-oriented transport protocol . International Organization for Standards (ISO) 2. In 1970’s came ISO’s OSI model – a conceptual model for network communications 3.Open System Interconnection Reference Model 4. OSI .

1011 1111 is equal to 191 in decimal .So. 128-191 is the range of class B networks  Network number starting with 110 -1100 0000 is equal to 192 in decimal .0111 1111 is the biggest number equal to 127 in decimal . 224-255 is the range of class D & E networks Special multicast and experimental groups  Only first byte tells network class Name Resolution .1000 0000 is equal to 128 in decimal .B.1101 1111 is equal to 223 in decimal .C.UDP=User Datagram Protocol – connectionless transport protocol IP=Internet Protocol – provides basis for IP addressing on the network ARP=Address Resolution Protocol – maps IP address to MAC hardware address RIP=Routing Information Protocol – Routing protocol used by routers to determine the best path for packets on the network Look again at binary addresses????  Classes of networks – A. 0-127 is the range of class A networks  Network number starting with 10 .D and E  Network number starting with 0 .So.So. 192-223 is the range of class C networks  Network number starting with 111 So.

MAC Address • • • • • • • Consists of 12 hexadecimal characters 090017A9B2EF 09:00:17:A9:B2:EF 09-00-17-A9-B2-EF A pattern of 48 bits is available 2 48 unique MAC addresses possible Institute of Electrical and Electronic Engineers (IEEE) administers the allocation of MAC addresses Email Security • • email is one of the most widely used and regarded network services currently message contents are not secure – – may be inspected either in transit or by suitably privileged users on destination system note: In virtually all distributed environments. But current email services are roughly like "postcards”. Email Security Enhancements • – • confidentiality protection from disclosure authentication – of sender of message • message integrity – protection from modification • non-repudiation of origin protection from denial by sender . electronic mail is the most heavily used network-based application. anyone who wants could pick it up and have a look as its in transit or sitting in the recipients mailbox.

use SHA-1 to generate 160-bit hash of message 3. receiver uses RSA with sender's public key to decrypt and recover hash code 5. Phil Zimmermann. Pretty Good Privacy (PGP) • • • • • • widely used de facto secure email developed by Phil Zimmermann selected best available crypto algs to use integrated into a single program on Unix. there grows a demand for authentication and confidentiality services. What we want is something more akin to standard mail (contents protected inside an envelope) if not registered mail (have confidence about the sender of the mail and its contents). now also have commercial versions available note: The Pretty Good Privacy (PGP) secure email program. PC. That is. PGP Operation – Authentication 1. PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. Macintosh and other systems originally free. is a remarkable phenomenon. signed hash with RSA using sender's private key. who selected the best available crypto algorithms to use & integrated them into a single program. the “classic” security services listed are desired. sender creates message 2. and is attached to message 4. in both free & commercial versions. It runs on a wide range of systems.note: With the explosively growing reliance on electronic mail for every conceivable purpose. Largely the effort of a single person. has grown explosively and is now widely used. receiver verifies received message using hash of it and compares with decrypted hash code Authentication only. sender generates message and 128-bit random number as session key for it . PGP Operation – Confidentiality 1.

IDEA or 3DES in 64-bit cipher feedback (CFB) mode. using symmetric encryption algorithms CAST-128. The steps used in this process are as shown. Confidentiality only. session key is used to decrypt message note: Another basic service provided by PGP is confidentiality. receiver uses RSA with private key to decrypt and recover session key 5. & attached to msg 4. provided by encrypting messages to be transmitted or to be stored locally as files. The randomly chosen session key used for this is sent encrypted using the recipient’s public RSA key. session key encrypted using RSA with recipient's public key.2. PGP Operation – Confidentiality & Authentication • can use both services on same message – – – create signature & attach to message encrypt both message & signature attach RSA/ElGamal encrypted session key Confidentiality and Authentication PGP Operation – Compression • – – by default PGP compresses message after signing but before encrypting so can store uncompressed message & signature for later verification & because compression is non deterministic . Recent PGP versions also support the use of ElGamal (a Diffie-Hellman variant) for session-key exchange. encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key 3.

It uses radix-64 conversion. Any message longer than that must be broken up into smaller segments. However many electronic mail systems only permit the use of ASCII text. • • • • . PGP also automatically subdivides a message that is too large for a single email. at the beginning of the first segment.g Internet imposes a maximum length of 50. This format also appends a CRC to detect transmission errors.000 octets. See Stallings Appendix 15B for a description.• uses ZIP compression algorithm note: By default PGP compresses the message after applying the signature but before encryption. in which each group of three octets of binary data is mapped into four ASCII characters. and thus consists of a stream of arbitrary 8-bit octets. PGP automatically subdivides a message that is too larger into segments that are small enough to send via E-mail. The compression algorithm used is ZIP. The segmentation is done after all of the other processing including the radix-64 conversion. The signature is generated before compression for the reasons shown. PGP Operation – Email Compatibility • • • • when using PGP will have binary data to send (encrypted message etc) however email was designed only for text hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm – – maps 3 bytes to 4 printable chars also appends a CRC PGP also segments messages if too big Note: When PGP is used. PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters. into segments that are small enough to send. which is described in Stallings Appendix 15A. each of which is mailed separately. Segmentation and Reassembly: • Email facilities are often restricted to a maximum message length e. To accommodate this restriction. at least part of the block to be transmitted is encrypted. This has the benefit of saving space both for e-mail transmission and for file storage. Thus the session key component and signature component appear only once.

168-bit Triple-DES generated using ANSI X12. private keys.At the receiving end PGP strip off all of the E-mail headers form the first segment and the second segment and reassembles them into the original block before performing the steps shown in the previous slide.17 generator.17 mode uses random inputs taken from previous uses and from keystroke timing of user note: PGP makes use of four types of keys: one-time session symmetric keys. PGP Operation – Summary PGP Session Keys • need a session key for each message – • • of varying sizes: 56-bit DES. Each session key is associated with a single message and is used only for the purpose of encrypting and decrypting that message. 128-bit CAST or IDEA. need to identify which is actually used to encrypt session key in a message – – • could send full public-key with every message but this is inefficient rather use a key identifier based on key . and passphrase-based symmetric keys. public keys. Random numbers are generated using the ANSI X12. where both the keystroke timing and the actual keys struck are used to generate a randomized stream of numbers. Stallings Appendix 15C discusses PGP random number generation techniques in more detail. PGP Public & Private Keys • since many public/private keys may be in use. with inputs based on keystroke input from the user.

their public-key ring. and one to store the public keys of other known users. the security of this system depends on the security of the password. As in any system based on passwords.their private-key ring. with a key derived by hashing a pass-phrase which the user enters whenever that key needs to be used. PGP Key Rings: • each PGP user has a pair of keyrings: – public-key ring contains all the public-keys of other PGP users known to this user. one to store the users public/private key pairs . A message consists of three components: the message component. and a session key component (optional). indexed by key ID private-key ring contains the public/private key pair(s) for this user.– – • is least significant 64-bits of the key will very likely be unique also use key ID in signatures note: Since many public/private keys may be in use with PGP. You could just send the full public-key with every message. Then only the much shorter key ID would need to be transmitted with any message. which should be not easily guessed but easily remembered . PGP Message Format shows the format of a transmitted PGP message. Rather PGP use a key identifier based on the least significant 64-bits of the key. there is a need to identify which key is actually used to encrypt the session key for any specific message. but this is inefficient. which will very likely be unique. A key ID is also required for the PGP digital signature. PGP uses a pair of data structures. a signature (optional). These keys need to be stored and organized in a systematic way for efficient and effective use by all parties. The private keys are kept encrypted using a block cipher. indexed by key ID & encrypted keyed from a hashed passphrase – • security of private keys thus depends on the pass-phrase security note: Keys & key IDs are critical to the operation of PGP.

PGP Message Reception: then illustrates how these key rings are used in message reception to implement the various PGP crypto services (again ignoring compression and radix-64 conversion for simplicity). .PGP Message Generation: illustrates how these key rings are used in message transmission to implement the various PGP crypto services (ignoring compression and radix-64 conversion for simplicity).

Sign up to vote on this title
UsefulNot useful