Availability

Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status
---|---|---|---|---|---
 | 30000010138987 | HF5548.3 S534 2003 | Open Access Book | Book | 

On Order
Summary
The continued growth of e-commerce mandates the emergence of new technical standards and methods that will securely integrate online activities with pre-existing infrastructures, laws and processes. Protocols for Secure Electronic Commerce, Second Edition addresses the security portion of this challenge. It is a full compendium of the protocols for securing online commerce and payments, serving as an invaluable resource for students and professionals in the fields of computer science and engineering, IT security, and financial and banking technology.
The initial sections provide a broad overview of electronic commerce, money, payment systems, and business-to-business commerce, followed by an examination of well-known protocols (SSL, TLS, WTLS, and SET). The book also explores encryption algorithms and methods, EDI, micropayment, and multiple aspects of digital money.
Like its predecessor, this edition is a general analysis that provides many references to more technical resources. It delivers extensive revisions of previous chapters, along with new chapters on electronic commerce in society, new e-commerce systems, and the security of integrated circuit cards.
Table of Contents

Section | Page
---|---
1 Overview of Electronic Commerce | |
Abstract | p. 1 |
1.1 What Is Electronic Commerce? | p. 1 |
1.2 Categories of Electronic Commerce | p. 3 |
1.2.1 Examples of Business-to-Business Commerce | p. 4 |
1.2.2 Examples of Business-to-Consumer Commerce | p. 5 |
1.2.3 Examples of Neighborhood Commerce and Payments to Automatic Machines | p. 7 |
1.2.4 Examples of Peer-to-Peer Commerce | p. 8 |
1.3 The Influence of the Internet | p. 8 |
1.3.1 Some Leading Examples | p. 8 |
1.3.2 Internet and Transactional Security | p. 9 |
1.3.3 Putting the Internet in Perspective | p. 11 |
1.4 Infrastructure for Electronic Commerce | p. 13 |
1.5 Network Access | p. 15 |
1.5.1 Wireline Access | p. 16 |
1.5.2 Wireless Access | p. 16 |
1.5.3 Traffic Multiplexing | p. 17 |
1.6 Consequences of E-Commerce | p. 21 |
1.6.1 Clients | p. 21 |
1.6.2 Suppliers | p. 22 |
1.6.3 Substitutes | p. 22 |
1.6.4 New Entrants | p. 23 |
1.6.5 Banks | p. 24 |
1.6.6 Role of Governments | p. 24 |
1.7 Summary | p. 25 |
Questions | p. 25 |
2 Money and Payment Systems | |
Abstract | p. 27 |
2.1 The Mechanisms of Classical Money | p. 27 |
2.2 Instruments of Payment | p. 29 |
2.2.1 Cash | p. 31 |
2.2.2 Checks | p. 33 |
2.2.3 Credit Transfers | p. 37 |
2.2.4 Direct Debit | p. 40 |
2.2.5 Interbank Transfers | p. 41 |
2.2.6 Bills of Exchange | p. 42 |
2.2.7 Payment Cards | p. 42 |
2.3 Types of Dematerialized Monies | p. 46 |
2.3.1 Electronic Money | p. 46 |
2.3.2 Virtual Money | p. 47 |
2.3.3 Digital Money | p. 48 |
2.4 Purses and Holders | p. 49 |
2.4.1 Electronic Purses and Electronic Token (Jeton) Holders | p. 49 |
2.4.2 Virtual Purses and Virtual Jeton Holders | p. 50 |
2.4.3 Diffusion of Electronic Purses | p. 51 |
2.5 Transactional Properties of Dematerialized Currencies | p. 53 |
2.5.1 Anonymity | p. 54 |
2.5.2 Traceability | p. 55 |
2.6 Overall Comparison of the Means of Payment | p. 55 |
2.7 The Practice of Dematerialized Money | p. 57 |
2.7.1 Protocols of Systems of Dematerialized Money | p. 57 |
2.7.2 Direct Payments to the Merchant | p. 62 |
2.7.3 Payment via an Intermediary | p. 62 |
2.8 Banking Clearance and Settlement | p. 65 |
2.8.1 United States | p. 66 |
2.8.2 United Kingdom | p. 67 |
2.8.3 France | p. 68 |
2.9 Summary | p. 69 |
Question | p. 70 |
3 Algorithms and Architectures for Security | |
Abstract | p. 71 |
3.1 Security of Commercial Transactions | p. 71 |
3.2 Security of Open Financial Networks | p. 72 |
3.3 Security Objectives | p. 73 |
3.4 OSI Model for Cryptographic Security | p. 75 |
3.4.1 OSI Reference Model | p. 75 |
3.4.2 Security Services: Definitions and Locations | p. 75 |
3.5 Security Services at the Link Layer | p. 78 |
3.6 Security Services at the Network Layer | p. 79 |
3.7 Security Services at the Application Layer | p. 82 |
3.8 Message Confidentiality | p. 83 |
3.8.1 Symmetric Cryptography | p. 83 |
3.8.2 Public Key Cryptography | p. 84 |
3.9 Data Integrity | p. 86 |
3.9.1 Verification of the Integrity with a One-Way Hash Function | p. 87 |
3.9.2 Verification of the Integrity with Public Key Cryptography | p. 88 |
3.9.3 Blind Signature | p. 91 |
3.9.4 Verification of the Integrity with Symmetric Cryptography | p. 91 |
3.10 Identification of the Participants | p. 94 |
3.10.1 Biometric Identification | p. 94 |
3.10.2 Summary and Evaluation | p. 100 |
3.11 Authentication of the Participants | p. 102 |
3.12 Access Control | p. 104 |
3.13 Denial of Service | p. 106 |
3.14 Nonrepudiation | p. 108 |
3.14.1 Time-Stamping and Sequence Numbers | p. 109 |
3.15 Secure Management of Cryptographic Keys | p. 110 |
3.15.1 Production and Storage | p. 110 |
3.15.2 Distribution | p. 111 |
3.15.3 Utilization, Withdrawal, and Replacement | p. 111 |
3.15.4 Key Revocation | p. 112 |
3.15.5 Deletion, Backup, and Archiving | p. 112 |
3.15.6 Comparison between Symmetric and Public Key Cryptography | p. 112 |
3.16 Exchange of Secret Keys: Kerberos | p. 113 |
3.16.1 Message (1)--Request of a Session Ticket | p. 114 |
3.16.2 Message (2)--Acquisition of a Session Ticket | p. 114 |
3.16.3 Message (3)--Request of a Service Ticket | p. 115 |
3.16.4 Message (4)--Acquisition of the Service Ticket | p. 115 |
3.16.5 Message (5)--Service Request | p. 116 |
3.16.6 Message (6)--Optional Response of the Server | p. 117 |
3.17 Public Key Kerberos | p. 117 |
3.17.1 Where To Find Kerberos? | p. 118 |
3.18 Exchange of Public Keys | p. 118 |
3.18.1 Diffie-Hellman Exchange | p. 118 |
3.19 ISAKMP (Internet Security Association and Key Management Protocol) | p. 119 |
3.20 SKIP (Simple Key Management for Internet Protocols) | p. 121 |
3.21 Key Exchange Algorithm | p. 121 |
3.22 Certificate Management | p. 122 |
3.22.1 Basic Operation | p. 125 |
3.22.2 Description of an X.509 Certificate | p. 126 |
3.22.3 Certification Path | p. 128 |
3.22.4 Hierarchical Certification Path | p. 128 |
3.22.5 Nonhierarchical Certification Path | p. 131 |
3.22.6 Cross-Certification | p. 131 |
3.22.7 Online Management of Certificates | p. 133 |
3.22.8 Banking Applications | p. 133 |
3.22.9 Example: VeriSign | p. 134 |
3.22.10 Procedures for Strong Authentication | p. 138 |
3.22.11 Certificate Revocation | p. 140 |
3.22.12 Attribute Certificates | p. 141 |
3.22.13 Audits | p. 143 |
3.23 Encryption Cracks | p. 143 |
3.24 Summary | p. 146 |
3.25 Appendix I: Principles of Symmetric Encryption | p. 147 |
3.25.1 Modes of Algorithm Utilization for Block Encryption | p. 147 |
3.25.2 Examples of Symmetric Block Encryption Algorithms | p. 153 |
3.26 Appendix II: Principles of Public Key Encryption | p. 155 |
3.26.1 RSA | p. 156 |
3.26.2 Public Key Cryptography Standards (PKCS) | p. 157 |
3.26.3 Pretty Good Privacy (PGP) | p. 159 |
3.26.4 Elliptic Curve Cryptography (ECC) | p. 159 |
3.27 Appendix III: Principles of the Digital Signature Algorithm (DSA) | p. 161 |
3.28 Appendix IV: Comparative Data | p. 162 |
3.28.1 Performance Data for JSAFE 1.1 | p. 163 |
3.28.2 Performance for S/WAN | p. 164 |
3.28.3 Performance for BSAFE 3.0 | p. 165 |
3.28.4 Performance for BSAFE 4.1 | p. 166 |
Questions | p. 166 |
4 Business-to-Business Commerce | |
Abstract | p. 173 |
4.1 Overview of Business-to-Business Commerce | p. 174 |
4.2 Examples of Business-to-Business Electronic Commerce | p. 177 |
4.2.1 A Short History of Business-to-Business Electronic Commerce | p. 177 |
4.2.2 Banking Applications | p. 178 |
4.2.3 Aeronautical Applications | p. 178 |
4.2.4 Applications in the Automotive Industry | p. 179 |
4.2.5 Other Examples | p. 180 |
4.2.6 Effect of the Internet | p. 180 |
4.3 Business-to-Business Electronic Commerce Platforms | p. 181 |
4.4 Obstacles Facing Business-to-Business Electronic Commerce | p. 182 |
4.5 Business-to-Business Electronic Commerce Systems | p. 184 |
4.5.1 Generation and Reception of Structured Data | p. 185 |
4.5.2 Management of the Distribution | p. 187 |
4.5.3 Management of Security | p. 187 |
4.6 Structured Alphanumeric Data | p. 187 |
4.6.1 Definitions | p. 188 |
4.6.2 ANSI X12 | p. 189 |
4.6.3 EDIFACT | p. 190 |
4.6.4 Structural Comparison between X12 and EDIFACT | p. 195 |
4.7 Structured Documents or Forms | p. 195 |
4.7.1 SGML | p. 197 |
4.7.2 XML | p. 198 |
4.7.3 Integration of XML with Alphanumeric EDI | p. 198 |
4.8 EDI Messaging | p. 203 |
4.8.1 X.400 | p. 203 |
4.8.2 Internet (SMTP/MIME) | p. 204 |
4.9 Security of EDI | p. 206 |
4.9.1 X12 Security | p. 207 |
4.9.2 EDIFACT Security | p. 208 |
4.9.3 IETF Proposals | p. 216 |
4.9.4 Protocol Stacks for EDI Messaging | p. 220 |
4.9.5 Interoperability of Secured EDI and S/MIME | p. 221 |
4.9.6 Security of XML Exchanges | p. 223 |
4.10 Relation of EDI with Electronic Funds Transfer | p. 223 |
4.10.1 Funds Transfer with EDIFACT | p. 226 |
4.10.2 Funds Transfer with X12 | p. 228 |
4.11 Electronic Billing | p. 228 |
4.12 EDI Integration with Business Processes | p. 228 |
4.13 Standardization of the Exchanges of Business-to-Business Electronic Commerce | p. 230 |
4.13.1 EDI/EDIFACT | p. 230 |
4.13.2 XML/EDI Integration | p. 234 |
4.13.3 XML | p. 235 |
4.14 Summary | p. 236 |
Questions | p. 236 |
5 SSL (Secure Sockets Layer) | |
Abstract | p. 239 |
5.1 General Presentation of the SSL Protocol | p. 239 |
5.1.1 Functional Architecture | p. 240 |
5.1.2 SSL Security Services | p. 241 |
5.2 SSL Subprotocols | p. 243 |
5.2.1 SSL Exchanges | p. 244 |
5.2.2 Synopsis of Parameters Computation | p. 247 |
5.2.3 The Handshake Protocol | p. 249 |
5.2.4 The ChangeCipherSpec Protocol | p. 258 |
5.2.5 The Record Protocol | p. 258 |
5.2.6 The Alert Protocol | p. 259 |
5.2.7 Summary | p. 261 |
5.3 Example of SSL Processing | p. 261 |
5.3.1 Assumptions | p. 262 |
5.3.2 Establishment of a New Session | p. 263 |
5.3.3 Processing of Application Data | p. 270 |
5.3.4 Connection Establishment | p. 271 |
5.4 Performance Acceleration | p. 274 |
5.5 Implementations | p. 276 |
5.6 Summary | p. 277 |
Questions | p. 278 |
Appendix 5.1 Structures of the Handshake Messages | |
A5.1 Messages of the Handshake | p. 279 |
6 TLS (Transport Layer Security) and WTLS (Wireless Transport Layer Security) | |
Abstract | p. 285 |
6.1 From SSL to TLS | p. 285 |
6.1.1 Start of the Encryption of Transmitted Data | p. 286 |
6.1.2 The Available Cipher Suite | p. 286 |
6.1.3 Computation of MasterSecret and the Derivation of Keys | p. 286 |
6.1.4 Alert Messages | p. 288 |
6.1.5 Responses to Record Blocks of Unknown Type | p. 289 |
6.2 WTLS | p. 290 |
6.2.1 Architecture | p. 290 |
6.2.2 From TLS to WTLS | p. 292 |
6.2.3 Service Constraints | p. 299 |
6.3 Summary | p. 305 |
Questions | p. 306 |
7 The SET Protocol | |
Abstract | p. 307 |
7.1 SET Architecture | p. 308 |
7.2 Security Services of SET | p. 311 |
7.2.1 Cryptographic Algorithms | p. 312 |
7.2.2 The Method of the Dual Signature | p. 314 |
7.3 Certification | p. 316 |
7.3.1 Certificate Management | p. 316 |
7.3.2 Registration of the Participants | p. 320 |
7.4 Purchasing Transaction | p. 326 |
7.4.1 SET Payment Messages | p. 327 |
7.4.2 Transaction Progress | p. 329 |
7.5 Optional Procedures in SET | p. 337 |
7.6 SET Implementations | p. 338 |
7.7 Evaluation | p. 339 |
7.8 Summary | p. 341 |
Questions | p. 341 |
8 Composite Solutions | |
Abstract | p. 343 |
8.1 C-SET and Cyber-COMM | p. 343 |
8.1.1 General Architecture of C-SET | p. 344 |
8.1.2 Cardholder Registration | p. 346 |
8.1.3 Distribution of the Payment Software | p. 348 |
8.1.4 Purchase and Payment | p. 348 |
8.1.5 Encryption Algorithms | p. 351 |
8.1.6 Interoperability of SET and C-SET | p. 352 |
8.2 Hybrid SSL/SET Architecture | p. 353 |
8.2.1 Hybrid Operation SET/SSL | p. 356 |
8.2.2 Transaction Flows | p. 358 |
8.2.3 Evaluation of the Hybrid Mode SET/SSL | p. 361 |
8.3 3-D Secure | p. 362 |
8.3.1 Enrollment | p. 364 |
8.3.2 Purchase and Payment Protocol | p. 365 |
8.3.3 Clearance and Settlement | p. 367 |
8.3.4 Security | p. 368 |
8.4 Payments with CD-ROM | p. 369 |
8.5 Summary | p. 370 |
Questions | p. 370 |
9 Micropayments and Face-to-Face Commerce | |
Abstract | p. 371 |
9.1 Characteristics of Micropayment Systems | p. 372 |
9.2 Potential Applications | p. 373 |
9.3 Chipper | p. 374 |
9.4 GeldKarte | p. 376 |
9.4.1 Registration and Loading of Value | p. 377 |
9.4.2 Payment | p. 377 |
9.4.3 Security | p. 380 |
9.5 Mondex | p. 381 |
9.5.1 Loading of Value | p. 382 |
9.5.2 Payment | p. 382 |
9.5.3 Security | p. 383 |
9.5.4 Pilot Experiments | p. 384 |
9.6 Proton | p. 384 |
9.6.1 Loading of Value | p. 385 |
9.6.2 Payment | p. 385 |
9.6.3 International Applications | p. 386 |
9.7 Harmonization of Electronic Purses | p. 386 |
9.7.1 Authentication of the Purse by the Issuer | p. 387 |
9.7.2 Loading of Value | p. 388 |
9.7.3 Point-of-Sales Payments | p. 388 |
9.8 Summary | p. 389 |
Questions | p. 389 |
10 Remote Micropayments | |
Abstract | p. 391 |
10.1 Security without Encryption: First Virtual | p. 392 |
10.1.1 Buyer's Subscription | p. 392 |
10.1.2 Purchasing Protocol | p. 392 |
10.1.3 Acquisition and Financial Settlement | p. 394 |
10.1.4 Security | p. 394 |
10.1.5 Evaluation | p. 395 |
10.2 NetBill | p. 395 |
10.2.1 Registration and Loading of Value | p. 395 |
10.2.2 Purchase | p. 396 |
10.2.3 Financial Settlement | p. 401 |
10.2.4 Evaluation | p. 401 |
10.3 KLELine | p. 402 |
10.3.1 Registration | p. 403 |
10.3.2 Purchase and Payment | p. 403 |
10.3.3 Financial Settlement | p. 406 |
10.3.4 Evaluation | p. 406 |
10.3.5 Evaluation and Evolution | p. 407 |
10.4 Millicent | p. 408 |
10.4.1 Secrets | p. 409 |
10.4.2 Description of the Scrip | p. 409 |
10.4.3 Registration and Loading of Value | p. 411 |
10.4.4 Purchase | p. 412 |
10.4.5 Evaluation | p. 414 |
10.5 PayWord | p. 415 |
10.5.1 Registration and the Loading of Value | p. 416 |
10.5.2 Purchase | p. 417 |
10.5.3 Financial Settlement | p. 419 |
10.5.4 Computational Load | p. 419 |
10.5.5 Evaluation | p. 421 |
10.6 MicroMint | p. 421 |
10.6.1 Registration and Loading of Value | p. 422 |
10.6.2 Purchase | p. 422 |
10.6.3 Financial Settlement | p. 422 |
10.6.4 Security | p. 422 |
10.6.5 Evaluation | p. 424 |
10.7 eCoin | p. 424 |
10.8 Comparison of the Different First-Generation Remote Micropayment Systems | p. 425 |
10.9 Second-Generation Systems | p. 427 |
10.9.1 Prepaid Cards Systems | p. 427 |
10.9.2 Systems Based on Electronic Mail | p. 427 |
10.9.3 Minitel-like Systems | p. 430 |
Questions | p. 431 |
11 Digital Money | |
Abstract | p. 433 |
11.1 Building Blocks | p. 434 |
11.1.1 Case of Debtor Untraceability | p. 434 |
11.1.2 Case of Creditor Untraceability | p. 438 |
11.1.3 Mutual Untraceability | p. 438 |
11.1.4 Description of Digital Denominations | p. 439 |
11.1.5 Detection of Counterfeit (Multiple Spending) | p. 442 |
11.2 DigiCash (Ecash) | p. 445 |
11.2.1 Registration | p. 446 |
11.2.2 Loading of Value | p. 446 |
11.2.3 Purchase | p. 447 |
11.2.4 Financial Settlement | p. 448 |
11.2.5 Delivery | p. 448 |
11.2.6 Evaluation | p. 449 |
11.3 NetCash | p. 449 |
11.3.1 Registration and Value Purchase | p. 450 |
11.3.2 Purchase | p. 450 |
11.3.3 Extensions of NetCash | p. 451 |
11.3.4 Evaluation | p. 454 |
11.4 Summary | p. 455 |
Questions | p. 456 |
12 Dematerialized Checks | |
Abstract | p. 457 |
12.1 Classical Processing of Paper Checks | p. 458 |
12.1.1 Checkbook Delivery | p. 458 |
12.1.2 Check Processing | p. 458 |
12.2 Dematerialized Processing of Paper-Based Checks | p. 459 |
12.2.1 Electronic Check Presentment | p. 460 |
12.2.2 Point-of-Sale Check Approval | p. 461 |
12.2.3 Check Imaging | p. 461 |
12.3 NetCheque | p. 462 |
12.3.1 Registration | p. 463 |
12.3.2 Payment and Financial Settlement | p. 464 |
12.4 Bank Internet Payment System (BIPS) | p. 466 |
12.4.1 Types of Transactions | p. 466 |
12.4.2 BIPS Service Architecture | p. 467 |
12.5 eCheck | p. 470 |
12.5.1 Payment and Settlement | p. 470 |
12.5.2 Representation of eChecks | p. 473 |
12.6 Comparison of Virtual Checks with Bankcards | p. 474 |
12.7 Summary | p. 476 |
Questions | p. 477 |
13 Security of Integrated Circuit Cards | |
Abstract | p. 479 |
13.1 Overview | p. 479 |
13.1.1 Classification of Smart Cards and Their Applications | p. 480 |
13.1.2 Integrated-Circuit Cards with Contacts | p. 482 |
13.1.3 Contactless Integrated-Circuit Cards | p. 482 |
13.2 Description of Integrated-Circuit Cards | p. 484 |
13.2.1 Memory Types | p. 484 |
13.2.2 Operating Systems | p. 485 |
13.3 Standards for Integrated-Circuit Cards | p. 486 |
13.3.1 ISO Standards | p. 486 |
13.3.2 EMV (EuroPay, MasterCard, Visa) | p. 487 |
13.4 Security of Microprocessor Cards | p. 489 |
13.4.1 Security during Production | p. 489 |
13.4.2 Physical Security of the Card during Usage | p. 492 |
13.4.3 Logical Security of the Card during Usage | p. 493 |
13.4.4 Examples of Authentication | p. 496 |
13.4.5 Evaluation | p. 503 |
13.5 Multiapplication Smart Cards | p. 504 |
13.5.1 File System of ISO/IEC 7816-4 | p. 504 |
13.5.2 The Swedish Electronic Identity Card | p. 506 |
13.5.3 Management of Applications in Multiapplication Cards | p. 506 |
13.6 Integration of Smart Cards with Computer Systems | p. 509 |
13.6.1 OpenCard Framework | p. 510 |
13.6.2 PC/SC | p. 511 |
13.7 Limits on Security | p. 512 |
13.7.1 Logical (Noninvasive) Attacks | p. 512 |
13.7.2 Physical (Destructive) Attacks | p. 513 |
13.7.3 Attacks due to Negligence in the Implementation | p. 513 |
13.7.4 Attacks against the Chip-Reader Communication Channel | p. 514 |
13.8 Summary | p. 515 |
Questions | p. 517 |
14 Systems of Electronic Commerce | |
Abstract | p. 519 |
14.1 SEMPER | p. 519 |
14.1.1 SEMPER Architecture | p. 520 |
14.1.2 Payment Terminology in SEMPER | p. 522 |
14.1.3 The Payment Manager | p. 523 |
14.2 CAFE | p. 523 |
14.3 JEPI | p. 526 |
14.4 PICS and P3P | p. 526 |
14.5 Analysis of User Behavior | p. 527 |
14.6 Fidelity Cards | p. 528 |
14.7 Quality of Service Considerations | p. 529 |
14.8 Summary | p. 530 |
Questions | p. 531 |
15 Electronic Commerce in Society | |
Abstract | p. 533 |
15.1 Communication Infrastructure | p. 534 |
15.2 Harmonization and Standardization | p. 536 |
15.3 Issuance of Electronic Money | p. 537 |
15.4 Protection of Intellectual Property | p. 538 |
15.5 Electronic Surveillance and Privacy | p. 539 |
15.6 Filtering and Censorship | p. 543 |
15.7 Taxation of Electronic Commerce | p. 544 |
15.8 Fraud Prevention | p. 545 |
15.9 Archives Dematerialization | p. 545 |
Questions | p. 547 |
Web Sites | |
General | p. 549 |
Standards | p. 549 |
Encryption | p. 550 |
Kerberos | p. 550 |
Certification | p. 551 |
Biometrics | p. 551 |
General | p. 551 |
Standards Organizations | p. 552 |
Products | p. 552 |
EDIFACT | p. 553 |
XML | p. 554 |
Integration XML/EDIFACT | p. 554 |
SSL/TLS/WTLS | p. 555 |
SET | p. 555 |
Purses | p. 555 |
Micropayments | p. 556 |
Smart (Microprocessor) Cards | p. 556 |
Electronic and Virtual Checks | p. 557 |
SEMPER | p. 558 |
Labeling Organizations | p. 558 |
Organizations | p. 559 |
Acronyms | p. 561 |
References | p. 575 |
Index | p. 597 |