

E-Commerce is an advanced technology that joins commerce with the computer, so first of all you have to understand what commerce is. The term commerce refers to the exchange of goods, items or commodities, and of services or applications, for money. A well-known definition of commerce is: the exchange, transfer, or buying and selling of entities (goods or commodities) on a very large scale, involving transportation from one place to another. The use of computer and Internet applications to manage and organize the products and services of commerce is the concept of E-Commerce, i.e. Electronic Commerce.

Definition: E-Commerce
E-Commerce is associated with the buying and selling of information, products and services via computer networks today. We define E-Commerce as a business activity that uses an electronic medium. E-Commerce refers to buying products without ever going to a shop. E-Commerce covers activities like the delivery of information, products, services and payment through an electronic medium.

Origin of E-Commerce:
E-Commerce was derived from E-mail, meaning conducting business online with the help of electronic devices like personal computers, phone lines, fax machines, pagers etc. In the 1950s, companies began to use computers to store and process internal transaction records, but the information flows between businesses continued to be on paper: purchase orders, invoices, cheques, remittance advices and other standard forms were used to document transactions. IBM was the first company to use the term internationally. In 1972, IBM used the term as E-Business, and the first successful transaction was held between the USA and the European Union in 1993 with the invention of personal computers. Electronic commerce (e-commerce) has become a buzzword for business over the last few years.

Total E-Commerce Transactions in India

Year              Total e-commerce transactions
1998-1999         131 Crore Rs.
1999-2000         450 Crore Rs.
2000-2002         1400 Crore Rs.
2006 (Expected)   2300 Crore Rs.

Growth of Internet in India

Year    Internet Subscribers    Internet Users
1997    25                      45000
1998    250                     200000
1999    359                     1000000
2000    650                     2000000
2001    1130                    6668000
2002    1763                    10684000
2003    3661                    29000000
2004    4403                    31723000
2005    6674                    52875000

Comparison of E-Commerce and Traditional Commerce

1. Reduce the data error
E-Commerce: It does not involve data entry at multiple points. With e-commerce, data goes directly from one computer to another without involving a human being.
Traditional: The buyer and seller create a purchase order on their system, print it, and fax or mail it to the receiver. The receiver then re-enters the same information on the computer. This will create errors.

2. Reduce cost
E-Commerce: The initial cost of e-commerce is very high as compared to the paper process, but over a long period of time it is very effective.
Traditional: As time is money, time is directly linked to saving money. In it there is repetition of the same work at every level, so it involves a lot of time, and if an error arises it will lead to more wastage of money.

3. Reduce paper work
E-Commerce: E-commerce data in electronic form makes it easy to share across the organization.
Traditional: It requires re-entry of data at each level and requires a lot of time, so peak time is wasted in re-entering and printing the reports.

4. Reduce process cycle time
E-Commerce: E-commerce reduces the processing cycle time of complete cycles, as once the data is entered into the system the rest is only a simulating process.
Traditional: In the traditional system, when the buyer orders in paper format, the data is entered into the seller's computer and only then can processing take place, which is time consuming and requires full commitment.

E-Commerce Opportunities for Businesses
Many businesses need e-commerce software services to get the maximum advantage of e-commerce areas.
Tourism & Travel Sector: The tourism and travel sector has updated its systems with e-commerce services. Consumers can make online reservations for hotels, motels, air tickets, railway tickets etc.
Banking Sector: Most banks have changed their working style, meaning they give their services online through their respective websites.
Healthcare Sector: Healthcare is also a large area of government expense, so most healthcare companies communicate or exchange their services with each other.
Stock Sector: In the stock exchange sector, e-commerce services provide Demat account facilities; customers can analyse the overall status of the stock market and carry out the respective transactions.
Financial Sector: In India, the financial sector has also adopted e-commerce services, and users use these services.

Working of E-Commerce: Suppose a customer wants to purchase something. He/she is moved to the online transaction server, where all the information is in encrypted form. Once the order is placed, the information moves through a private gateway to a processing network, where the issuing and acquiring banks can complete or deny the transaction. This process takes only a few seconds to execute.

Figure: Working of E-commerce. Online Customer -> Merchant Website -> Online Transaction Server -> Processing Network -> Acquiring (Merchant) Bank and Issuing (Consumer) Bank.

Advantages of E-Commerce
All time processing: Customers can use the marketplace at any time (round-the-clock) by the use of e-commerce services.
Better Service: Customers can get full satisfaction and better service.
Removing mediators: Customers can contact the supplier directly, cutting out mediators.
Data on consumer behaviour: Using e-commerce services we can find out consumer behaviour, for example which sites, products, schemes and modes of payment a customer likes.
Time Saving: Customers can save their time because they can purchase anything through the merchant's website.

Other Advantages:
It reduces the cost of the product.
It reduces the paperwork, as the whole work is done electronically.
The product is supplied directly to the customer because all orders and enquiries are processed online. This eliminates the need for wholesalers and retailers and brings down the price.
Improved customer relationships may be achieved by fast dissemination of information.
E-commerce minimizes the time taken from order to delivery.
It provides better, faster and more effective linkage with clients.
It enhances the organization's product and market analysis, as the organization gets faster feedback from the customer.
E-commerce helps create knowledge markets. Small groups inside big firms can be funded with seed money to develop new ideas.
E-commerce helps people work together.
E-commerce is a 24 x 7 operation with global reach.

Disadvantages of E-Commerce:
1. Lack of customer awareness: Most people have no knowledge of electronic communication such as the Internet, computers etc., so they are not able to transact electronically.
2. Not for small business: Small businessmen do not want to take on any extra burden because they have no knowledge of e-commerce functions.
3. Not all types of business are supported: Some types of business are not fit for e-commerce services.
4. Legal formalities: If you want to use e-commerce services in your business, you have to complete some legal formalities such as authorization and authentication.

Other Disadvantages:
High risk for Internet start-up organizations
E-Commerce is not free
Security problems
Customer relation problems
Data integrity problems
Customer satisfaction problems

Main goals of E-Commerce
To understand the needs of consumers, merchants and organizations.
How the quality and quantity of goods can be improved.
How the speed of services can be increased.

Requirements for E-Commerce
Improved Customer Services
Origin of New Business Opportunities
Enhanced Speed & Accuracy of Product
Product Cost Saving

Improved Customer Services: Nowadays consumers want better service, so e-commerce services provide communication between consumers and companies. A consumer can make an online complaint to the company.
Origin of New Business Opportunities: The huge network between consumers and companies can originate new business opportunities, such as infinite possibilities for businesses to develop and increase their consumer base.
Enhanced Speed & Accuracy of Product: By the use of e-commerce services we can reduce human errors and other problems like duplication of proceedings. This improvement in speed and accuracy, plus easier access to documents and information, will result in an increase in production.
Product Cost Saving: We can reduce the cost of the product because human error is already reduced by the use of e-commerce services, and the cost of sending information to partners etc. is reduced.

What is required in order to conduct E-Commerce?

We require a commercial website* like etc. We require products or services which you want to sell through the respective website. We need an e-shopping cart** or purchase order form. We need a current credit card account through which e-payments will be accepted. If you plan to process credit cards in real time over the Internet, you need an online payment gateway***. To secure this gateway you need Secure Sockets Layer (SSL).

* Website: It is a collection of web pages which are linked to each other.
** E-Shopping Cart: A piece of software that keeps a record of the choices you make during an online buying session.
*** Gateway: It is a software program used to connect two networks using different protocols so that they can transfer data between the two networks.
**** Electronic Fund Transfer (EFT): It is the transfer of money between financial institutions over secure private networks.

E-Commerce Framework
It is clear that e-commerce applications will be built on the existing infrastructure: a myriad of computer, communication, network and connection software framing the nascent information superhighway.
E-Commerce Applications:
1. Supply chain management
2. On-line banking
3. Procurement & purchasing
4. On-line marketing & advertisement
5. Home shopping
The figure shows a variety of possible e-commerce applications, including both inter-organizational and consumer-oriented examples. None of these uses would be possible without each of the building blocks in the infrastructure.

Figure: E-Commerce framework
Common business services infrastructure (Security / Authentication / Electronic Payment)
The messaging & information distribution infrastructure (EDI, E-mail)
Multimedia content & network publishing infrastructure
The information superhighway infrastructure (Telecom, Cable TV, wireless network, Internet)
Supporting pillars: Public policy, legal & privacy issues (Cyber Law, IT Act 2000); Technical standards for e-documents, multimedia & network protocols

Building Blocks in the infrastructure:
1. Common business services blocks are used to facilitate the buying and selling process.
2. Messaging and information distribution blocks provide a means of sending and retrieving information. We frequently send and retrieve information, so these are facilities of e-commerce.
3. Multimedia content and network publishing blocks are used to create a product and a means of communicating about it. The e-commerce website has the information about the products and their design.
4. The information superhighway blocks are the very foundation, providing the highway system along which all e-commerce travels.
The two pillars supporting all e-commerce applications and infrastructure are just as indispensable:
1. Public policy, to govern matters such as universal access, privacy and information pricing.
2. Technical standards, to dictate the nature of information publishing, user interfaces and transport in the interest of compatibility across the entire network. Information can be accessed by any type of device the consumer chooses, supporting any type of operating system.

Shopping Services
1. Shopping services provided by independent businesses who send representatives to stores to comparison-shop for specific products. A shopping service is hired by contract and will compare competitive prices, or prices for the same item in competing stores, depending on the request and needs of the client.
2. Shopping services offered to cable television subscribers, where consumers can buy products (usually at a discount) that are displayed on a special shopping services channel.
3. Shopping services offered to subscribers of personal information services for home computer use. For example: a company provides on-line information to subscribers. Among the many services offered by this company is one called Products, Guides, etc., from which consumers may shop and select purchases right from their own computer terminals.

Information Services: Information Services, pronounced as separate letters, is short for Information Systems or Information Services. For many companies, Information Systems or Services is the name of the department responsible for IT and management information systems. Information systems support different types of decision at different levels of the organizational hierarchy. Major types of information system include structured databases and information management software, which can include the following:
Transaction Processing System (TPS)
Enterprise Collaboration System (ECS)
Management Information System (MIS)
Decision Support System (DSS)
Executive Support System (ESS)

EDI is the electronic transfer of information between two trading partners' systems using a set of transactions that have been adopted as a national or international standard for the particular business function.
Electronic Data Interchange (EDI) is a set of standards for structuring information that is to be electronically exchanged between and within businesses, organizations, government entities and other groups, without human involvement. It is an inter-company, application-to-application communication of data in a standard format for business transactions.

EDI Layered Architecture

EDI Semantic layer     Application level services
EDI Standard layer     EDIFACT business form standards; ANSI X12 business form standards
EDI Transport layer    Electronic Mail (X.435, MIME: Multipurpose Internet Mail Extensions); Point to Point (FTP, TELNET); World Wide Web (HTTP)
Physical layer         Dial-up lines, Internet, I-way

Working of EDI
EDI seeks to take a form from a business application, translate that data into a standard electronic format, and transmit it. At the receiving end, the standard format is translated back into a format that can be read by the recipient's application. Hence output from one application becomes input to another through computer-to-computer exchange of information.

Implementation of EDI
EDI implementation starts with the agreement between a company and its trading partner. The two parties decide which standard will be used, the nature of the information to be exchanged, the network carrier, and the mode of transmission. An efficient EDI system takes the input only once and manages the rest without intervention from the trading partner's application and with no additional steps to slow the process. EDI relies on the use of standards for the structure and interpretation of electronic business transactions.

EDI implementation includes:

Common EDI standards, which dictate syntax and standardize the business language. They basically specify transaction sets: complete sets of business transactions (an invoice, a purchase order etc.). Trading partners must use a common standard to reduce errors and ensure accurate translation of data, regardless of the computer systems involved.
Translation software, which sends messages between the trading partners, integrates data into and from existing computer applications, and translates among EDI message standards.
Trading partners, which are a firm's customers and suppliers with whom business is conducted.
Banks, to facilitate payment and remittance.
EDI value added network services: a VAN is a third-party service provider that manages data communications networks for businesses that exchange electronic data with other businesses.

E-mail compared with EDI

E-mail: The structure of e-mail is simple, and it is the easiest way of sending and receiving mail via a network. At both the sending end and the receiving end, the data is composed by, replied to by, or interpreted by humans. In e-mail there is no specific standard that users have to follow. The message is composed by a human and/or a reply is composed by a human and/or interpreted by a human. It does not provide as many security features as EDI documents provide. To use this feature of the Internet, users need no complex information; they use it with only the receiver's and their own e-mail ID address. No third-party verification, no legal aspects and no authentication are needed by the user for sending or receiving data.

EDI: The structure of EDI is more complex compared with e-mail. There is typically no human involvement in the processing of the information, as the interface is software to software. EDI must follow some EDI standard; without an EDI standard, transactions between trading parties do not take place. The interchange is composed by software for interpretation by other software. EDI provides security aspects to its customers by covering some legal issues. EDI is based on a four-layer architecture, and at each layer there is a variety of services provided. EDI provides security, confidentiality and authority over data.

EDI saves a company money and time by providing an alternative to, or replacing, information flows that require a great deal of human interaction and materials such as paper documents, meetings, faxes etc. It makes it possible to do business in the global marketplace, as it overcomes the problem of different time zones. It allows companies to cope with the growing avalanche of paperwork such as purchase orders, invoices, confirmation notices, shipping receipts and other documents by allowing more work automation to occur.

It has introduced a highly competitive electronic commerce environment, as many retailers and manufacturers can now easily recognize and meet their customers' needs much faster than in the past. EDI minimizes the time companies spend identifying and resolving inter-business problems. Many problems come from data-entry errors, which can be eliminated by EDI. It improves customer service by enabling the quick transfer of documents and a marked decrease in errors.

See below for an example of an EDIFACT message used to answer a product availability request:

UNB+IATB:1+6XPPC+LHPPC+940101:0950+1'
UNH+1+PAORES:93:1:IA'
MSG+1:45'
IFT+3+XYZCOMPANY AVAILABILITY'
ERC+A7V:1:AMD'
IFT+3+NO MORE FLIGHTS'
ODI'
TVL+240493:1000::1220+FRA+JFK+DL+400+C'
PDI++C:3+Y::3+F::1'
APD+74C:0:::6++++++6X'
TVL+240493:1740::2030+JFK+MIA+DL+081+C'
PDI++C:4'
APD+EM2:0:1630::6+++++++DA'
UNT+13+1'
UNZ+1+1'

' is the segment terminator
+ is the data element separator
: is the component data element separator
? is the release character
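As an added example, not part of the original notes, the following Python code reads the interchange above into segments, elements and components, honouring the release character (so a "?" makes the next "+", ":" or "'" literal data), and then checks the UNT segment count and the UNZ message count against what was actually received, which is the integrity check an EDI translator performs before handing data to the application. The sample string embedded in the code is the message quoted above; the function names are my own.

```python
"""Single-pass EDIFACT interchange parser with UNT/UNZ count validation."""

# Constructed sample: the product-availability response quoted in the notes,
# written as one continuous string (segments may also be separated by newlines).
SAMPLE = (
    "UNB+IATB:1+6XPPC+LHPPC+940101:0950+1'"
    "UNH+1+PAORES:93:1:IA'"
    "MSG+1:45'"
    "IFT+3+XYZCOMPANY AVAILABILITY'"
    "ERC+A7V:1:AMD'"
    "IFT+3+NO MORE FLIGHTS'"
    "ODI'"
    "TVL+240493:1000::1220+FRA+JFK+DL+400+C'"
    "PDI++C:3+Y::3+F::1'"
    "APD+74C:0:::6++++++6X'"
    "TVL+240493:1740::2030+JFK+MIA+DL+081+C'"
    "PDI++C:4'"
    "APD+EM2:0:1630::6+++++++DA'"
    "UNT+13+1'"
    "UNZ+1+1'"
)

SEGMENT_END, ELEMENT_SEP, COMPONENT_SEP, RELEASE = "'", "+", ":", "?"


def parse(interchange):
    """Return segments as lists: [[tag], [component, ...], ...].
    The release character '?' makes the following character literal data."""
    segments, elements, components, buf = [], [], [], []
    i, n = 0, len(interchange)
    while i < n:
        ch = interchange[i]
        if ch == RELEASE:
            if i + 1 >= n:
                raise ValueError("release character at end of data")
            buf.append(interchange[i + 1])  # escaped separator is data
            i += 2
            continue
        if ch in (COMPONENT_SEP, ELEMENT_SEP, SEGMENT_END):
            components.append("".join(buf))
            buf = []
            if ch != COMPONENT_SEP:
                elements.append(components)
                components = []
            if ch == SEGMENT_END:
                segments.append(elements)
                elements = []
        elif ch not in "\r\n":  # line breaks between segments are ignored
            buf.append(ch)
        i += 1
    if buf or components or elements:
        raise ValueError("data after last segment terminator")
    return segments


def check_counts(segments):
    """Validate UNT (segments per message, UNH..UNT inclusive) and UNZ
    (messages per interchange) against what was received; list problems."""
    problems, messages, in_message, count = [], 0, False, 0
    for seg in segments:
        tag = seg[0][0]
        if tag == "UNH":
            in_message, count = True, 0
        if in_message:
            count += 1
        if tag == "UNT":
            declared = int(seg[1][0])
            if declared != count:
                problems.append(f"UNT declares {declared} segments, received {count}")
            in_message, messages = False, messages + 1
        elif tag == "UNZ":
            declared = int(seg[1][0])
            if declared != messages:
                problems.append(f"UNZ declares {declared} messages, received {messages}")
    return problems


if __name__ == "__main__":
    segs = parse(SAMPLE)
    for seg in segs:
        print(seg[0][0], seg[1:])
    print("problems:", check_counts(segs))
```

The counts are worth checking because a truncated or spliced interchange (a transmission cut short, or a segment dropped in transit) still looks like valid segments to a naive reader; the UNT and UNZ trailers are the sender's statement of how much should have arrived.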

Types of E-Commerce Model

Figure: Supply chain. Raw material producer -> Manufacturer -> Distributor -> Retailer -> Consumer; the links up to the retailer are Business to Business, and the link from retailer to consumer is Business to Consumer.

Model                    Description                                                         Example of Website
Business to Consumer     Goods or services sold directly to consumers.
Business to Business     Goods or services sold between a business and other businesses.
Business to Government   Goods or services sold to government agencies.
Consumer to Consumer     Goods or services sold between consumers and other consumers.
Consumer to Business     Consumers fix the cost of their goods or services for other consumers.

Business to Business Model: This type of model, B2B, requires two or more business entities interacting with each other. It means commercial activity between companies using the Internet as a medium; currently, the vast majority of e-business is B2B in nature. Many B2B sites are company- and industry-specific, catering to users, or are a combination of forward and backward integration. B2B models can save your company money. The advantages of the B2B model are:
Reduced cost of paperwork
More efficient inventory management
Lower prices from some suppliers
Direct interaction with customers
Focus on sales promotion
Building customer loyalty
Savings in distribution cost

B2B electronic commerce can be of the following types:
Supplier oriented
Buyer oriented
Intermediary oriented
Supplier Oriented: In this type of B2B electronic commerce, a supplier sets up the electronic marketplace, and a number of customers or buyers interact with the supplier at its electronic marketplace. Typically, it is done by a dominant supplier in the domain of the products it supplies.
Buyer Oriented: In this type of B2B electronic commerce, major businesses with high-volume purchasing capacity create an electronic commerce marketplace for purchasing by starting a site of their own. The online marketplace is used by the buyer for placing requests for quotations and carrying out the entire purchasing process.
Intermediary Oriented: In this type of B2B e-commerce, a third party sets up the electronic commerce marketplace and attracts both buyer and seller businesses to interact with each other.

Business to Consumer Model: This model focuses clearly on individual buyers and so is referred to as the Business to Consumer (B2C) model. B2C e-commerce offers consumers the capability to browse, select and buy merchandise online from a wider variety of sellers and at better prices. B2C electronic commerce is best suited to the following types of transaction:
Goods that can easily be transformed into digital format, such as books, music, videos and software packages.
Highly rated branded items, or items with return security.
Items sold in packets that cannot be opened even in physical stores.
Items that follow a standard specification.

Working of the B2C E-Commerce model: The B2C model is about managing the entire process, not just using technology for order processing and customer support. Here we explain the working of the B2C model in greater detail.
a) Visiting the virtual market: The customer visits the market by browsing the online catalogue. An online catalogue is a very organized way of displaying products and their related information, such as price, description and availability. We can easily find the right product by using a keyword search engine.
b) Customer registers: The customer has to register with the company's website. This allows the customer to avail of the shop's complete services. By this registration process the customer becomes part of the company's growing database, which can be further used for data mining and knowledge management.
c) Customer purchases products: Using a shopping cart system, order details, shipping charges, taxes, additional charges and total price are presented in an organized manner. The customer can even change the quantity of a certain product.
d) Vendor processes the order: The vendor then processes the order form received from the customer and fills up the necessary forms.
e) Processing of credit card: A payment gateway or bank is used to validate the customer's credit card. Various other methods can also be used, such as debit cards, prepaid cards, e-cash or bank-to-bank transfers.
f) Operations management: When the order is passed to the logistics department, the traditional business operation is still in use. Things like inventory management, total quality management (TQM), warehousing, optimization and project management should still be incorporated even though it is an e-business.
g) Shipment and delivery: The product is then shipped to the customer. The customer can track the order/delivery, as virtual shops have a delivery tracking module on the website.
h) Customer receives the product: Finally the product is received by the customer and verified. The system should then tell the firm that the order has been successfully delivered.
i) After-sales service: After the sale, the firm has to make sure that it maintains a good relationship with its customers. This is possible by using customer relationship management (CRM).

We can also summarize the working of the B2C model in the following steps:
First of all the customer identifies a need.
Then the customer searches for the product or service.
The customer selects a vendor and negotiates a price.
The customer receives the product or service.
The customer makes payment for the received product.
The customer gets service and warranty claims.

Consumer to Consumer Model: In the C2C e-commerce model, consumers sell directly to other consumers via online classified advertisements and auctions, or by selling personal services or expertise online. In this category, electronic tools and Internet infrastructure are employed to support transactions between individuals. Traditional economic activities corresponding to classified advertisements and auctions of personal possessions form the basis for the category. Much of the trade in this category corresponds to small gift items, craft merchandise and similar items that are normally sold through flea markets or bazaars, where individuals sell their goods to other individuals at market-determined prices. Let us analyse consumer to consumer (C2C) business models by considering eBay.

How Does One Bid? First the user has to register as a member of eBay. This registration is free of cost and takes only a few minutes. The user can then enter the auction field using his user ID and password. The user has to look carefully at what he is bidding on. Then the user can enter a maximum bid in the bid box at the bottom of the page and click on the Review Bid button; now eBay will bid on behalf of the user, up to his maximum bid. The credit card should be placed on file with eBay. The seller, for his part, can sit back and watch the auction.
Security: Every eBay purchase is covered by insurance, free of charge, under the terms of eBay's program. If a user paid for an item and did not receive it, eBay will reimburse the buyer up to $200. The seller is also given the opportunity to inspect and approve a returned item before the buyer gets the refund.

Consumer-to-Business (C2B): The consumer to business model, also called the reverse auction or demand collection model, enables buyers to name their own price, often binding, for a specific good or service, generating demand. The website collects the demand bids and then offers the bids to the participating sellers. Examples of C2B e-business models are and

Case Study: TATA Steel

Established in 1907 at Jamshedpur, the company is one of India's best-known symbols of industrial growth. It represents the country's single largest integrated steel works in the private sector, with a market share of about 13 percent. The company is India's single largest exporter of high-quality, value-added steel products. It is the producer of one of the cheapest HR coils in the world. A blue-chip company, Tata Steel Limited has successfully raised $100 million through Euro bonds. The company offers a diverse range of products and services. These include HR/CR coils and sheets, tubes, construction bars, forging quality steel rods, structural strips and bearings, steel plant and material handling equipment, ferro alloys and other minerals, software for process control, and cargo handling services. Sister companies offer tinplate, wires, rolls, refractories, project management services, and material handling equipment.

The company has technological and strategic tie-ups with world leaders such as Thyssen, Nippon Steel, Hitachi, Posdata, SMS, Krupp Stahl, and McKinsey.
E-Business: Tata Steel established e-business through its website

Building a trusting, long-lasting and mutually beneficial relationship with their customers has been Tata Steel's fundamental belief and driving force. This has formed the cornerstone of all their initiatives. In line with this, their latest offering is self-help customer service. Their site offers you a collection of reports online, anywhere and anytime, easy to read, directly from their SAP R/3 system. As a valued customer, you can now access information ranging from your order status to delivery status, invoices to credit notes, payment dues to credit status, and much more, through exclusively tailored reports.

E-procurement: The e-procurement site is Tata Steel's Business to Business (B2B) procurement platform. Among the many forward-looking initiatives being undertaken by Tata Steel to tap the tremendous opportunities offered by Information Technology, especially the Web, e-procurement is one being used to conduct business with suppliers. The suppliers of Tata Steel who become e-partners are expected to reap a lot of benefits through this system.
E-Auction and Tenders: The Tata Iron & Steel Company was founded by the visionary Indian industrialist Jamsetji Nusserwanji Tata in 1907. Today, the company consists of steel works at Jamshedpur with its own captive collieries at Jharia and West Bokaro and ore mines and quarries at Noamundi and Joda. It has a wide product range that includes billets, structural bars, strips, tubes and bearings, HR coil, GP sheets and plates. The Secondary Products Profit Centre focuses its attention on marketing products which are secondary to the company's main business. It encompasses the selling of steel scrap, used and rejected material, by-products, raw materials from the works, undersize and extra generation from their collieries, and obsolete capital equipment and spares. The division has its headquarters at Jamshedpur and its marketing office at Kolkata.

Case Discussion
1. What are the advantages of having a website for e-sales?
2. What are the advantages of having a website for e-procurement?
3. Find out the difference between the Tata Steel website and the SAIL website. Which site is more professional?

Unit-II, E-Security
Nowadays we conduct our business over public networks. We exchange lots of confidential data such as credit card numbers, financial records and other important information. So security and confidentiality are essential before businesses can conduct financial transactions over the Internet. The lack of data security on the Internet has become a complex issue as e-commerce grows fast, so e-security becomes a major concern. In this chapter we discuss security threats, client-server security, message and data security, network security and web security.

E-Security can be divided into the following parts:
Client-server network security
Data & transaction security
Web security
Client-server network security: Client-server security ensures that only authorized users can access the information. This type of mechanism includes password protection, encrypted smart cards, biometric systems and firewalls. The following are security problems in client-server security.
Physical Security: When an unauthorized user gains physical access to a computer. This is a common problem in the case of networks, as hackers gain access to network systems and can guess the passwords of various users.

Software Security: When programs/software are compromised into doing things they should not. Example: the "rlogin" hole in IBM RS6000 workstations, which enabled a cracker to create a root shell, or super-user access mode. This could be used to delete the complete file system or the password file, or to create a new account of one's own.
Inconsistent Usage: When a system administrator assembles the system from a combination of hardware and software such that the system is seriously flawed from a security point of view. This type of problem is becoming common as software becomes more complex.

To overcome the above security threats, various protection methods are given. These protection methods are also called authorization or access control. The protection methods are:
Trust-based security
Security through obscurity
Password schemes
Biometric systems
Trust-based security: Trust-based security means trusting everyone and doing nothing extra for protection; there is no access restriction on any kind of data access. All users working on a network can share information. This approach assumes that no user will cause an expensive breach such as deletion of files, modification of data or unauthorized access to data. Nowadays this approach does not work; it was used in the past.

Security through Obscurity: Any network can be secure as long as nobody outside its management group is allowed to find out anything about its operational details. For this, they can hide account and password details in binary files or scripts so that nobody will ever find them. But its usefulness is minimal in the UNIX world, where users are free to move around the file system and have a good understanding of programming techniques. They can easily guess at the bits of knowledge considered confidential. This bypasses the whole basis of the technique and makes this method of security useless.
Password Schemes: One security measure is password schemes. However, they can also be broken when we use common words or names as passwords.
1) The simplest method used by most hackers is dictionary comparison: comparing a list of encrypted user passwords against a dictionary of encrypted common words. This scheme often works because users tend to choose relatively simple or familiar words as passwords.
2) As a solution we use mixed-case passwords containing at least one non-alphanumeric character, and change passwords every 30 to 60 days.
3) We can also include one-time passwords and smart card randomized tokens. This scheme provides a high level of security.
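As an added example (not code from the original notes), the password-acceptance check that points 1) and 2) above imply: it rejects a password that is a dictionary word even after the case changes, digit-for-letter substitutions and appended digits that a dictionary comparison routinely tries, and it enforces the mixed-case and non-alphanumeric rule. The word list, the eight-character minimum and the substitution table are constructed assumptions for the example, not values from the notes.

```python
"""Password policy check: dictionary-word rejection plus the mixed-case and
non-alphanumeric rule described in the notes."""

import re
import string

# Constructed mini dictionary; a real deployment loads a large word list.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "commerce", "summer"}

# Digit/symbol-for-letter substitutions a dictionary comparison also tries.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})

# Assumed minimum length (the notes give no number).
MIN_LENGTH = 8


def dictionary_match(password, words=COMMON_WORDS):
    """True if the password reduces to a dictionary word once case,
    leet substitutions and trailing digits/punctuation are normalised
    (e.g. 'Passw0rd!' -> 'password', 'Summer2024' -> 'summer')."""
    lower = password.lower()
    candidates = {lower, lower.translate(_LEET)}
    trailing = string.digits + string.punctuation
    candidates |= {c.rstrip(trailing) for c in list(candidates)}
    candidates |= {c.translate(_LEET) for c in list(candidates)}
    return any(c in words for c in candidates)


def check_password(password, words=COMMON_WORDS):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    if dictionary_match(password, words):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ["commerce", "Passw0rd!", "Summer2024", "Tq7#mWz!vL2p"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

A check like this runs when the password is set, before hashing; the server should still store only salted hashes, since a salt forces a dictionary comparison to be redone per account instead of once against the whole password file. (Current NIST SP 800-63B guidance also drops the fixed 30 to 60 day rotation in favour of changing passwords on evidence of compromise, while keeping the blocklist check shown here.)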

Biometric System: A biometric system checks some physical characteristic of the human body, such as fingerprints, palm prints or the voice. Biometric systems are very expensive to implement. A biometric system may use a one-to-one match (verifying a claimed identity against one stored template) or a one-to-many match (identifying a person among all enrolled users).

Client-Server Security Threats: Client-server security threats can be divided into two major categories: threats to the client and threats to the server.

Threats to the client: Client threats mostly arise from malicious data or code; malicious code refers to viruses, worms, Trojan horses and similar deviant programs. Virus: A virus is a code segment that replicates by attaching copies of itself to existing executables (e.g. EXE files). The new copy of the virus is executed when the user runs the host program; some viruses display a text string or delete all files on the hard disk on a specified date. Trojan Horse: A program that performs a desired task but also performs unexpected functions; for example, an editing program on a multi-user system could be modified to randomly delete one of the user's files, create a new file, or edit an existing file or program. Trojan horse examples include BackOrifice, VBS/Freelink and Backdoor G. Worm: A worm is a self-replicating, self-contained program that does not need any host program to execute. Worm examples include VBS/Loveletter and Happy99. Clients must scan for malicious data and executable program fragments transferred from the server to the client.

Threats to servers: Threats to a server include unauthorized modification of source data, unauthorized eavesdropping, denial of service, and modification of incoming data packets.

Eavesdropping: Hackers can use electronic eavesdropping to capture user names and unencrypted passwords sent over the network. It is difficult to detect that someone is eavesdropping; encryption can prevent an eavesdropper from obtaining data travelling over an unsecured network. Denial of Service: In this type of threat, a user renders the system unusable for legitimate users by hogging a resource or destroying it so that it cannot be used. The two most common types of these attacks are:

1) Service Overloading

2) Messaging Overloading

Service Overloading: One can easily overload a WWW server by writing a small loop that continually sends requests for a particular file, for example the home page. Message Overloading: Occurs when someone sends a very large file to a message box every few minutes. The message box rapidly grows in size and begins to occupy all the space on the disk, increasing the number of receiving processes on the recipient's machine and eventually filling the disk so that nothing else can be written.
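Detecting the service-overloading loop described above from the server side, as an added example (not code from the original page): the block parses web-server access-log lines in the common log format and flags any client that issues more than a threshold number of requests within a sliding time window. The log lines are constructed for the demonstration (198.51.100.2 is an ordinary visitor, 203.0.113.7 runs the request loop), and the function names, the window and the threshold are assumptions; the detector assumes the lines arrive in timestamp order, as a server writes them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "common log format": ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

def _line(ip: str, ts: str, path: str = "/index.html") -> str:
    """Build one constructed log line."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.0" 200 2326'

# Constructed sample: one normal visit, then 25 home-page requests from one
# client inside three seconds, then another normal visit.
LOG_LINES = (
    [_line("198.51.100.2", "10/Oct/2000:13:55:35")]
    + [_line("203.0.113.7", f"10/Oct/2000:13:55:{36 + i // 10}") for i in range(25)]
    + [_line("198.51.100.2", "10/Oct/2000:13:55:40", "/goods.html")]
)

def parse_line(line: str):
    """Return {'ip', 'ts', 'path'} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"]}

def detect_overload(lines, window_seconds: int = 10, max_requests: int = 20) -> dict:
    """Flag each client that sends more than max_requests within any
    window_seconds span. Returns {ip: {'at': iso_time, 'requests_in_window': n}}
    recorded at the moment the threshold was first crossed."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip unparsable lines rather than crash the detector
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > max_requests and rec["ip"] not in alerts:
            alerts[rec["ip"]] = {"at": rec["ts"].isoformat(),
                                 "requests_in_window": len(q)}
    return alerts

if __name__ == "__main__":
    print(detect_overload(LOG_LINES))
```

The same sliding-window count is what a rate limiter does in-line: the detector only reports, whereas a limiter would start refusing the client's requests once the threshold is crossed. Counting per source address is the simplest key; an attacker using many addresses (a distributed attack) needs the count to be taken per target path instead.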

Packet Replay: Refers to the recording and retransmission of message packets on the network. A hacker could replay a genuine authentication sequence to gain access to a secure system.

Packet Modification: An integrity threat that involves modifying or destroying a message packet. In many cases the packet information is not only modified but its contents may be destroyed before legitimate users can see them.

IP Spoofing: IP spoofing is a technique where an attacker tries to gain unauthorized access by forging the source address of packets, to make it appear as though the communication originated from a part of the network with high privileges.

Data and Message Security: This type of transaction security is divided into two parts: I) Data Security; II) Message or Transaction Security. Data Security: Data security generally suffers from packet sniffing. A sniffing attack begins when a computer on the network is compromised. The cracker installs a packet sniffer, a program that monitors network traffic, and waits for telnet, FTP or rlogin sessions: sessions that a legitimate user initiates to gain access to another system. Such a session contains the login ID, password and name of the person logging into the other machine, which is all the information an attacker needs to log into that machine. Message Security: Threats to message security fall into three categories: a) Confidentiality; b) Integrity; c) Authentication.

a) Message Confidentiality: When a message passes between the client and the server on a public network, third parties can intercept and view the data. Confidentiality is important for sensitive user data such as credit card numbers. This requirement is amplified as other types of data, such as employee records, government files and social security numbers, begin traversing the network. b) Message Integrity: The content of a transaction must be unmodified during transport. It must be clear that no one has added, deleted or modified any part of the message. Error detection codes or checksums, sequence numbers and various cryptographic techniques are methods to ensure the integrity of information. Sequence numbers prevent the reordering, loss or replay of messages by an attacker. Cryptographic techniques such as message authentication codes and digital signatures detect modification of a message; a plain checksum only catches accidental errors, since an attacker who modifies a packet can recompute it. c) Message Sender Authentication: In many e-commerce applications it is important that clients authenticate themselves to servers and servers authenticate themselves to clients, i.e. both parties authenticate each other. Authentication in e-commerce basically requires a user to prove his or her identity for each requested service. Third-party authentication services must exist within a distributed network environment, where a sender cannot be trusted to identify itself correctly to a receiver. Digital certificates are used for this purpose.
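Message integrity with a keyed message authentication code and a sequence number, as an added example serving both the Packet Replay threat described earlier and point b) above (this code is not from the original page). The shared key, the packet layout (4-byte sequence number, body, 32-byte HMAC-SHA256 tag) and the function names are assumptions made here; the exchange in run_demo is constructed. The tag covers the sequence number as well as the body, so an intruder can neither alter the body nor renumber a captured packet; the receiver rejects any sequence number it has already passed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                                  # HMAC-SHA256 output size
SHARED_KEY = b"constructed-demo-key-change-me"  # constructed shared secret

def make_packet(key: bytes, seq: int, body: bytes) -> bytes:
    """Layout: seq (4 bytes, big-endian) || body || HMAC(key, seq || body)."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1                    # highest sequence number accepted so far

    def accept(self, packet: bytes):
        """Return (True, body) for a genuine, fresh packet, else (False, reason)."""
        if len(packet) < 4 + TAG_LEN:
            return False, "truncated"
        header, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # constant-time compare
            return False, "integrity check failed"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return False, f"replay of seq {seq}"
        self.last_seq = seq
        return True, body

def run_demo() -> list:
    """Constructed exchange: a genuine transfer, a modified copy, a replayed copy,
    then the next genuine packet."""
    rx = Receiver(SHARED_KEY)
    genuine = make_packet(SHARED_KEY, 1, b"PAY 100 to Stela")
    modified = genuine.replace(b"100", b"900")   # packet modification in transit
    return [
        rx.accept(genuine),                       # first delivery: accepted
        rx.accept(modified),                      # tag no longer matches
        rx.accept(genuine),                       # same packet again: replay
        rx.accept(make_packet(SHARED_KEY, 2, b"PAY 5 to Bob")),
    ]

if __name__ == "__main__":
    for ok, detail in run_demo():
        print("accepted" if ok else "rejected", detail)
```

Because the sequence check is strictly increasing, a packet that arrives late (after a higher-numbered one) is also refused; protocols that tolerate reordering keep a small window of seen numbers instead. Note also that the MAC proves only that a key holder produced the packet, not which one: with a shared key either side could have built it, which is the authenticity drawback discussed later for secret-key schemes.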

Some Security Threats and Solutions

Threat                                                   | Security Function | Technology
---------------------------------------------------------|-------------------|----------------------------------------------------------------
Data intercepted, read or modified illicitly             | Encryption        | Symmetric and asymmetric encryption (encodes data to prevent tampering)
False identity with an intention of fraud                | Authentication    | Digital signature (identity verification of both sender and receiver)
Unauthorized user on one network gains access to another | Firewall          | Firewalls, virtual private nets (filter and prevent certain traffic from entering the network or server)

Encryption is the most important technique for data and message security: Encryption is a cryptographic technique for scrambling (encrypting) data with a key so that no one can make sense of it while it is being transmitted. When the data reaches its destination, the information is unscrambled (decrypted) using the same or a different key. Consider the following terms, which are needed to understand the concept of encryption. Cryptography: The terms commonly used in a cryptographic system are as follows: Intruder: A person who is not authorized to access the information or the network. Plain Text: The intelligible message that is to be converted into an unintelligible (encrypted) message. Cipher Text: The message in its encrypted form.

Example:

Plain Text | Encrypt (Algorithm)                  | Cipher Text | Decrypt (Algorithm)                  | Plain Text
-----------|--------------------------------------|-------------|--------------------------------------|-----------
Goods      | Replace each letter by the next two  | Iqqfu       | Replace each letter by the previous two | Goods
Sales      | Replace each letter by the previous one | rzkdr    | Replace each letter by the next one  | Sales
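The shift cipher from the table above, as an added worked example (this code is not from the original page). The key is the number of places each letter is moved: a positive key means "next" letters, a negative key "previous" letters, with wrap-around at the end of the alphabet. The function names and the small word list used by recover_key are assumptions made here; recover_key goes beyond the table to show why a key drawn from such a tiny space gives no protection: an intruder simply tries all 26 keys and keeps the one that yields dictionary words.

```python
def shift_text(text: str, key: int) -> str:
    """Move every letter key places along the alphabet, keeping case and leaving
    other characters alone. A negative key moves backwards."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plain: str, key: int) -> str:
    return shift_text(plain, key)

def decrypt(cipher: str, key: int) -> str:
    return shift_text(cipher, -key)          # decryption is the inverse shift

# Constructed word list an intruder might use to recognise readable plain text.
KNOWN_WORDS = {"goods", "sales", "order", "price", "the", "and"}

def brute_force(cipher: str) -> list:
    """Try every possible key: there are only 26 of them."""
    return [(k, decrypt(cipher, k)) for k in range(26)]

def recover_key(cipher: str) -> int:
    """Pick the key whose candidate plain text contains the most known words."""
    def score(candidate: str) -> int:
        return sum(word in KNOWN_WORDS for word in candidate.lower().split())
    return max(range(26), key=lambda k: score(decrypt(cipher, k)))

if __name__ == "__main__":
    c = encrypt("Goods and sales", 2)
    print(c)                                  # the intruder sees only this
    k = recover_key(c)
    print("recovered key", k, "->", decrypt(c, k))
```

The point the table makes still holds: the algorithm (shift) can be public, and only the key has to be secret. What the brute force adds is that a secret key is only useful when there are far too many possible keys to try them all; modern ciphers use keys of 128 bits or more for exactly this reason.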

Encryption: The technique of converting plain text into cipher text. Decryption: The technique of converting cipher text back into plain text. Algorithm: A cryptographic algorithm is a mathematical function used for encryption and decryption. Key: A string of digits (or bits) that selects which of the transformations the algorithm can perform is actually used; in the example above the key is the number of places by which the letters are shifted.

There are two types of cryptography, or methods of encryption:

Secret Key or Private Key or Symmetric key Cryptography

Public Key or Asymmetric key Cryptography

Secret Key Cryptography: In this scheme, both the sender and the recipient possess the same key, which is used both to encrypt and to decrypt the data.

Secret key cryptography (schematic): Original Message --[Encrypt with secret key]--> Encrypted Message --[Decrypt with the same secret key]--> Original Message

Drawbacks of Secret Key Cryptography: Both parties must agree upon a shared secret key beforehand, and that key has to be distributed over a channel that is itself secure. If there are n correspondents, each one has to keep track of n different secret keys (a group of n parties needs n(n-1)/2 keys in all). If the same key is used by more than one correspondent, all holders of the common key can read each other's mail. Symmetric encryption schemes are also subject to authenticity problems: because sender and recipient hold the same secret key, the identity of the originator cannot be proved to a third party, since either party could have encrypted the message.

Public-Key Cryptography:
Asymmetric Cryptography
Ms Stela generates a key value (usually a number or pair of related numbers) which she makes public. Ms Stela uses her public key (and some additional information) to determine a second key (her private key). Ms Stela keeps her private key (and the additional information she used to construct it) secret.

Mr. Bob (or John, or anyone else) can use Ms Stela's public key to encrypt a message for Ms Stela. Ms Stela can use her private key to decrypt this message. No one without access to Ms Stela's private key (or the information used to construct it) can easily decrypt the message.

Public Key Cryptography: This scheme operates on a pair of keys, one of which is used to encrypt the message while only the other one in the pair can decrypt it. One part of the key pair, called the private key, is known only to its owner; the other part, called the public key, is published widely but still associated with the owner.
Asymmetric encryption (schematic): Original Message --[Encrypt with the receiver's public key]--> Encrypted Message --[Decrypt with the receiver's private key]--> Original Message

An Example: Internet Commerce

Mr. Bob wants to use his credit card to buy some brownies from Ms Stela over the Internet. Ms Stela sends her public key to Mr. Bob. Mr. Bob uses this key to encrypt his credit card number and sends the encrypted number to Ms Stela. Ms Stela uses her private key to decrypt this message and obtain Mr. Bob's credit card number. (In practice Mr. Bob should obtain Ms Stela's public key from a certificate, so that an intruder cannot substitute his own key in the first step and read the card number himself.)

Encryption and Decryption: Data encrypted with the public key can only be decrypted with the private key. Data encrypted with the private key can only be decrypted with the public key. Strong points of this scheme: the key pair can be used in two different ways. 1. Message confidentiality can be provided: the sender uses the recipient's public key to encrypt a message, so that only the holder of the private key can decrypt it, and no one else. 2. Authenticity of the message originator can be proved: the sender encrypts (signs) a message, or its digest, with his own private key, which only he has access to; anyone holding the sender's public key can then verify that it came from him. 3. Public keys are easy to distribute: the public half of the pair can be published freely.

Digital Signature: In e-commerce business transactions, digital signatures are used for authentication. The authentication relates to legal, financial and other document-related issues. A digital signature is the electronic counterpart of a handwritten signature, indicating the presence or absence of authentication. A digital signature on a document provides two things: signer authentication and document authentication. Signer Authentication: A signature should indicate who signed a document, message or record, and should be difficult for another person to produce without authorization. Document Authentication: A signature should identify what is signed. The sender cannot disown the content of a message after signing it, and the receiver cannot change the message without invalidating the signature.

Hash Function: A hash function is a formula that converts a message of any length into a fixed-length string of digits called a message digest.

Digital signature (schematic): Message --[Hash function]--> Message digest --[Encrypt with sender's private key]--> Digital Signature

Working: X sends a message to Y
1) The sender (X) generates a message.
2) The sender creates a message digest of the message using a hash function.
3) The sender encrypts the message digest with his own private key; the result is the digital signature.
4) The sender attaches the digital signature to the end of the message.
5) The sender encrypts both message and signature with the receiver's public key.
6) The receiver (Y) decrypts the entire message with his own private key.
7) The receiver calculates the message digest of the received message using the same hash function the sender used, which was agreed upon beforehand.
8) The receiver decrypts the digital signature with the sender's public key to recover the original digest and compares the two digests. If they match, the message came from X and was not modified in transit.

Certificate Authority
A certificate authority (CA) is an organization or institution that issues digital certificates to companies and organizations that are accessible via the Internet. These certificates are issued for a certain period of time and are used as an assurance of the identity of a web site. The CA is also called a trusted third party. CAs are characteristic of many public key infrastructure (PKI) schemes. There are many commercial CAs that charge for their services, and there are also several providers issuing digital certificates to the public without any cost. Institutions and governments generally have their own CAs. A CA issues digital certificates that contain the identity of the owner and the owner's public key.

Digital Certificate: A digital certificate is an electronic identity card used to establish a user's credentials when conducting transactions over the web. It is a means of verifying authenticity electronically, much like an identity card such as a driver's licence. Digital certificates are issued by a number of certificate authorities and are used to prove that a website, or a visitor to a website, is the entity or person they claim to be: an electronic credential issued by a certification authority to establish the identity of an organization when doing business on the Internet.
Contents of a digital certificate:
- the certificate holder's name, organization and address;
- the name of the certificate authority that issued the certificate;
- the holder's public key, for cryptographic use;
- the validity period (such certificates are typically issued for six months to a year);
- the certificate's serial (identification) number.
The digital certificate contains the public key used for encrypting messages to the holder and for verifying the holder's digital signatures. It also carries the digital signature of the certificate authority; by checking this signature against the CA's public key a recipient can verify that the certificate is genuine and that none of its fields have been altered. Digital certificates generally conform to the X.509 standard. They can be kept in registries so that authenticating users can look up other users' public keys.
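One block, added here as a worked example that is not from the original page, for the three mechanisms above: the Internet Commerce exchange (Mr. Bob encrypts his card number with Ms Stela's public key), the digital signature procedure (hash, sign with the sender's private key, verify with his public key and compare digests), and the certificate (the CA signs the binding of Ms Stela's name to her public key, with a validity period, and the recipient checks that signature). It is textbook RSA with fixed, publicly known Mersenne primes and no padding, so it shows the mechanics only and is not secure; real systems use large random primes, OAEP/PSS padding and a proper certificate format such as X.509. The parties' primes, the "Example CA" name, the test card number 4111111111111111, the dates and every function name are constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

E = 65537                                     # standard public exponent

def keygen(p: int, q: int, e: int = E):
    """Textbook RSA: return (public key, private key) as (n, e), (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)                       # encrypt with the receiver's public key

def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)                       # only the private key holder can do this

def digest(message: bytes, n: int) -> int:
    """SHA-256 message digest, reduced into the key's range (toy-only shortcut)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message: bytes) -> int:
    n, d = priv
    return pow(digest(message, n), d, n)      # 'encrypt' the digest with the private key

def verify(pub, message: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest(message, n)   # recover digest, compare

# A certificate binds a holder's name to a public key for a validity period;
# the CA's signature covers exactly these fields, so none can be edited.
def cert_fields(cert: dict) -> bytes:
    n, e = cert["public_key"]
    return f'{cert["subject"]}|{n}|{e}|{cert["issuer"]}|{cert["not_after"].isoformat()}'.encode()

def issue_certificate(ca_priv, issuer: str, subject: str, subject_pub,
                      issued: date, days: int = 365) -> dict:
    cert = {"subject": subject, "public_key": subject_pub, "issuer": issuer,
            "not_after": issued + timedelta(days=days)}
    cert["signature"] = sign(ca_priv, cert_fields(cert))
    return cert

def verify_certificate(cert: dict, ca_pub, today: date) -> bool:
    """Accept only an unexpired certificate whose CA signature matches its fields."""
    return today <= cert["not_after"] and verify(ca_pub, cert_fields(cert), cert["signature"])

def run_commerce_example() -> dict:
    """Mr. Bob buys brownies from Ms Stela: the CA vouches for Stela's key, Bob
    encrypts his card number for Stela, and Bob signs his order for Stela."""
    stela_pub, stela_priv = keygen(2**31 - 1, 2**61 - 1)     # distinct primes per party
    bob_pub, bob_priv = keygen(2**89 - 1, 2**107 - 1)
    ca_pub, ca_priv = keygen(2**127 - 1, 2**521 - 1)
    today = date(2024, 6, 1)                                  # constructed clock

    cert = issue_certificate(ca_priv, "Example CA", "Ms Stela", stela_pub, date(2024, 1, 1))
    forged = dict(cert, subject="Mallory")                    # same signature, edited name

    card = 4111111111111111                                   # constructed test card number
    ciphertext = encrypt(cert["public_key"], card)            # key taken from the certificate
    order = b"order: 12 brownies, ship to Mr. Bob"
    signature = sign(bob_priv, order)

    return {
        "cert_ok": verify_certificate(cert, ca_pub, today),
        "forged_cert_ok": verify_certificate(forged, ca_pub, today),
        "expired_ok": verify_certificate(cert, ca_pub, date(2026, 1, 1)),
        "stela_reads_card": decrypt(stela_priv, ciphertext),
        "bob_reads_card": decrypt(bob_priv, ciphertext) == card,
        "order_ok": verify(bob_pub, order, signature),
        "tampered_order_ok": verify(bob_pub, order + b" x2", signature),
        "wrong_signer_ok": verify(stela_pub, order, signature),
    }

if __name__ == "__main__":
    for name, value in run_commerce_example().items():
        print(f"{name:18} {value}")
```

Two design points are worth noticing. First, Bob never trusts a bare public key: he takes it from a certificate and checks the CA's signature and the expiry date, which is what defeats the key-substitution attack mentioned in the commerce example. Second, the signature is computed over a digest of the order rather than the order itself, so the signed value is fixed-size regardless of message length, and changing a single byte of the order changes the digest and breaks verification.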

Firewalls: A firewall is a method of placing a device, a computer or a router, between the local network and the Internet to control and monitor all traffic between the outside world and the local network. In other words, a firewall is a barrier between a public network (the Internet) and a private or trusted network. A firewall system is usually located at a gateway point such as a site's connection to the Internet. It is simply a barrier between two networks: in most cases an internal network, often called the trusted network, and an external network, called the untrusted network. Firewalls examine incoming and outgoing packets according to a set of policies defined by the administrator and either let them through or block them.

Firewall-secured Internet connection (schematic): Internet (40,000 networks, an unknown number of hackers) --[Firewall]--> Enterprise LAN or WAN. Bypassing the firewall should not be allowed.

Firewall Policy: There are two basic design policies for a firewall: the permissive approach and the restrictive approach. Permissive Approach: Allows all services to pass through the site by default, with the exception of those services that the network service access policy has designated as disallowed. Restrictive Approach: A firewall that implements the second policy denies all services by default, but allows those services that have been designated or identified as allowed. The first policy is less desirable, because it offers more avenues for getting around the firewall; any new or overlooked service is exposed until someone explicitly blocks it. The second policy follows the classic access model used in all areas of information security. Certain services, such as FTP, Archie and RPC, are difficult to filter, and for this reason they may be better suited to a firewall that implements the first, permissive policy. The second policy is stronger and safer, but more restrictive for users.

Nature of Firewall: There are two types of firewall: static and dynamic. Static Firewall: Static firewalls are generally pre-configured and, by default, either allow or deny access from the outside world. With a default-allow policy inbound traffic is allowed, and only the specified users are denied access to the enterprise network. With a default-deny policy, only the specific users who present their authentication are permitted to access the network. Dynamic Firewall: A dynamic firewall applies its allow and deny policies on a time basis. Some services on the network may be allowed and others denied for a specific time interval. The configuration of such a firewall is slightly more complex.
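The permissive and restrictive policies, and the time-based rule of a dynamic firewall, as an added example in the form of a small packet filter (this code is not from the original page and is not any real firewall's configuration syntax). Rules are evaluated in order and the first match wins, as most packet filters do; when nothing matches, the firewall's default decides. The rule sets, the address ranges (192.0.2.0/24 as the administrators' network), the business-hours window and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str                 # source address
    dport: int               # destination port
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    src: str = "0.0.0.0/0"                        # CIDR the source must fall in
    dport: Optional[int] = None                  # None matches any port
    proto: Optional[str] = None                  # None matches any protocol
    hours: Optional[Tuple[time, time]] = None    # active only in [start, end): dynamic rule

    def matches(self, pkt: Packet, now: time) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.hours is not None and not (self.hours[0] <= now < self.hours[1]):
            return False
        return True

class Firewall:
    def __init__(self, default: str, rules):
        self.default = default                   # applies when no rule matches
        self.rules = list(rules)

    def decide(self, pkt: Packet, now: time = time(12, 0)) -> str:
        for rule in self.rules:                  # first matching rule wins
            if rule.matches(pkt, now):
                return rule.action
        return self.default

# Permissive approach: everything passes unless explicitly disallowed.
PERMISSIVE = Firewall("allow", [
    Rule("deny", dport=23, proto="tcp"),         # telnet
    Rule("deny", dport=111),                     # RPC portmapper
])

# Restrictive approach: everything is dropped unless explicitly allowed.
RESTRICTIVE = Firewall("deny", [
    Rule("allow", dport=80, proto="tcp"),
    Rule("allow", dport=443, proto="tcp"),
    Rule("allow", src="192.0.2.0/24", dport=22, proto="tcp"),   # admin net only
])

# Dynamic variant: the admin SSH rule is active only during business hours.
DYNAMIC = Firewall("deny", [
    Rule("allow", dport=80, proto="tcp"),
    Rule("allow", src="192.0.2.0/24", dport=22, proto="tcp", hours=(time(9), time(17))),
])

def compare(pkt: Packet, now: time = time(12, 0)) -> dict:
    """Decision of each policy for one packet."""
    return {"permissive": PERMISSIVE.decide(pkt, now),
            "restrictive": RESTRICTIVE.decide(pkt, now),
            "dynamic": DYNAMIC.decide(pkt, now)}

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.9", 80), Packet("203.0.113.9", 23),
                Packet("203.0.113.9", 8080), Packet("192.0.2.5", 22)):
        print(pkt, compare(pkt))
    print("admin SSH at 22:00:", compare(Packet("192.0.2.5", 22), time(22, 0)))
```

The packet to port 8080 is the one that separates the two approaches: no rule mentions it, so the permissive firewall lets it through and the restrictive one drops it. That is exactly the "avenue for getting around the firewall" the text warns about, since a forgotten or newly started service is reachable under the permissive policy until someone adds a deny rule for it.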