© 2000 Deitel & Associates, Inc. All rights reserved.

Chapter 23 – Electronic Commerce and Security

Outline
23.1 Introduction
23.2 Shopping-Cart Technology
23.2.1 Case Study: Amazon.com
23.3 Online-Auction Case Study: eBay
23.4 Online Trading
23.4.1 Case Study: E*TRADE
23.5 Other E-Businesses
23.6 Security
23.6.1 Public-Key Cryptography
23.6.2 Secure Sockets Layer (SSL)
23.6.3 Secure Electronic Transaction™ (SET™)
23.6.4 Case Study: Microsoft Authenticode
23.6.5 Online Payments; Case Study: CyberCash™
23.7 XML and E-Commerce
23.8 Data Mining, Bots and Intelligent Agents
23.8.1 Case Study: Priceline.com
23.8.2 Case Study: Travelocity.com
23.8.3 Case Study: Scour.net
23.8.4 Case Study: Bottomdollar.com
23.9 Case Study: Using Yahoo! Store to Set up an Online Store
23.10 Commerce Server Case Study: Microsoft Site Server Commerce Edition
23.11 E-Commerce Core Technologies
23.12 Future of E-Commerce
23.13 Internet Marketing: Increasing Traffic at your Web Site
23.1 Introduction
• In this chapter
– Introduce popular e-business models
– Introduce the underlying technologies on which these models are based
• To conduct e-commerce, merchants need to
– Organize online catalogs of products
– Take orders through Web sites
– Accept payments in a secure environment
– Send merchandise to customers
– Manage customer data
– Market sites to potential customers
23.1 Introduction (II)
• E-commerce
– Has been conducted by large corporations for decades
  • Banking industry uses Electronic Funds Transfer (EFT) to move money between accounts
  • Many companies use Electronic Data Interchange (EDI) to share business documents electronically
– Until recently only feasible for large companies
– Internet and WWW make it possible for
  • Small businesses to compete with larger ones
  • Business to be conducted 24 hours a day, 7 days a week
• Problem with business over the WWW
– The Internet is an inherently insecure medium: traffic can be read or altered by anyone on the path between the parties
– Securing network transactions is therefore essential
23.2 Shopping-Cart Technology
• Shopping cart
– Most common e-commerce model
– Allows customers to accumulate and store lists of items they wish to buy
– Supported by a product catalog
  • Hosted on the merchant server in the form of a database
• Database: a collection of information
– Product specifications
– Descriptions
– Prices
– Availabilities
– Customer information
23.2.1 Case Study: Amazon.com
• Amazon.com
– Opened 1994 as a mail-order book retailer with a small inventory
– Now more than 10 million customers; merchandise includes books, music, videos, DVDs and toys
• Uses a sophisticated server-side database
– Allows customers on the client side to search for products: an example of a client/server application
– Collection of product specs, availability, shipping info, stock levels, on-order info and other data
– Makes product cross-referencing possible
• Personalizes the site to serve returning customers
23.2.1 Case Study: Amazon.com (II)
• Buying is a simple process
– Enter a search string or browse recommendations
– One click adds an item to the shopping cart
– When ready to place the order, proceed to checkout
– First-time buyers
  • Fill out shipping and billing information
– Returning customers
  • Enter password; the server reuses previously entered information
  • 1-Click℠ ordering lets a customer order an item with a single click, bypassing checkout by reusing stored information
• Operates a secure server to protect personal information
• Amazon.com Associates Program (affiliate program)
– Encourages other sites to refer customers to Amazon.com
23.3 Online-Auction Case Study: eBay
• Leading online auction company
– Posts more than 2 million unique auctions and 250,000 new items each day
– Brings a restrictive offline business model to the Internet
• People can buy and sell almost anything
– eBay provides a liaison service between the parties; it holds no large inventory
• Fees
– Submission fee
– Multitiered final fee
• Uses a database to manage millions of auctions
23.3 Online-Auction Case Study: eBay (II)
• Has spawned new businesses
– Use eBay as their primary means of selling products
• Must remain up and running continuously
– High-availability computing
  • Attempts to minimize site downtime
– Continuous-availability computing
  • Attempts to eliminate site downtime
– Fault-tolerant systems
  • Use redundancy so that a failed component does not take the site down
– Failure to keep the site running can be costly, if not fatal, to the business
23.4 Online Trading
• Fast-growing area of e-commerce
– Accounted for 30% of all securities trades in the second half of 1998
– Accounted for 37% of all securities trades in the first half of 1999
– Putting pressure on major Wall St. firms to offer online trading
• Stock trades
– Used to be handled only through brokers, who were paid commissions
– As online trading grows
  • Number of brokers will shrink
– Online trading fees are nominal compared with broker commissions
23.4.1 Case Study: E*TRADE
• Founded 1982 to offer online stock quotes to major firms
• Created a trading Web site
– Individual investors can manage investments without brokers
• Allows customers to buy, sell and research
– Stocks
– Mutual funds
– Bonds
– Other securities
• Cheaper and faster than offline trading
• Offers mock stock-trading games with fake money
23.5 Other E-businesses
• E-commerce is forcing traditional offline companies to move into e-business
• Dell Computer Corporation
– 1984: mail-order catalog business
– Today, sells more than $30 million through its Web site every day
– Approximately two thirds of online sales are business to business
  • Total Internet B-to-B transactions could reach $1 trillion by 2004
• ebates.com
– Example of a hobby turned into a profitable business
– No product: an affiliate of online retailers
– Simplifies the process of finding rebates on online merchandise and cashing them in
– Makes money by selling banner ads
23.6 Security
• Privacy (confidentiality) issue
– Would you transmit sensitive information if third parties could tap the line and read it?
• Integrity issue
– How can you tell whether the information you sent was altered in transit?
• Authentication issue
– How do you confirm that the company receiving your information is really who it claims to be, and not an impostor?
• Non-repudiation issue
– How do you prove, in a legally binding way, that a message was sent and who sent it, so that the sender cannot later deny it?
• These questions are addressed in this section
23.6.1 Public-Key Cryptography
• Channels over which data passes on the Internet are not secure
– Any private information must be protected
• Data can be encrypted
• Cryptography
– Transforms data using a key so that the data is incomprehensible to all except the intended receivers
– Unencrypted data is called plaintext
– Encrypted data is called ciphertext
– Only the intended receivers should hold the key needed to decrypt ciphertext back into plaintext
23.6.1 Public-Key Cryptography (II)
• Symmetric cryptography (secret-key cryptography)
– Used in the past by organizations requiring a secure environment
– The same secret key is used both to encrypt and to decrypt a message
• Process
1. Sender and recipient agree on a secret key in advance, over some channel an eavesdropper cannot read
2. Sender encrypts the message with the secret key and sends the ciphertext
3. Recipient decrypts the message using the same secret key
• Flaws
– Privacy and integrity of the message are lost if the key is intercepted
  • Unless the parties can meet in person or use a courier, the key itself has to travel over an insecure channel, which does not scale to anonymous online shoppers
– Cannot authenticate which party created a message: anyone holding the key could have produced it
– A different key is required for each pair of correspondents, so the number of keys to manage grows rapidly
23.6.1 Public-Key Cryptography (III)
• Public-key cryptography (asymmetric cryptography)
– Removes the need to share a secret in advance: nothing secret ever travels over the channel
– Uses two mathematically related keys
  • Public key: freely distributed
  • Private key: kept secret by its owner
– If the public key is used to encrypt a message, only the corresponding private key can decrypt it; the public key does not reveal the private key
• Process
1. Sender uses the receiver's public key to encrypt the message
2. Receiver decrypts the message using the receiver's private key
– No one else knows the private key
  • Even if the message is intercepted, it cannot be decrypted by an outside party
  • Encryption alone says nothing about who sent the message, since anyone can use the public key; that is what digital signatures add
23.6.1 Public-Key Cryptography (IV)
• Digital signature
– Developed for use with public-key cryptography
– Solves the problems of authentication and integrity
– Hard to forge; can serve as evidence of the sender's identity (non-repudiation)
• To create one
– Sender runs the original message through a hash function
  • A mathematical calculation that reduces the message to a fixed-size hash value
  • The hash value is known as the message digest
– For a sound hash function, finding two different messages with the same digest is computationally infeasible, so the digest can stand in for the whole message
23.6.1 Public-Key Cryptography (V)
• Digital signature process
1. Sender signs the message digest with the sender's private key (in textbook RSA terms, "encrypts the digest with the private key"); the result is the digital signature, which authenticates the sender
2. Sender uses the receiver's public key to encrypt the message
3. Receiver uses the sender's public key to verify the digital signature (for RSA, this recovers the message digest the sender signed)
4. Receiver uses the receiver's own private key to decrypt the message
5. Receiver applies the hash function to the decrypted message
– If the hash value of the received message matches the message digest in the signature
  • Message has integrity: it has not been altered in transmission
  • Message came from the holder of the sender's private key; no one else could have produced a valid signature
– Tying that private key to a real person or company is a separate problem, addressed by digital certificates
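The five-step process above carried through in working code. This is an added example written for this page, not code from the Deitel text; it uses only the Go standard library. Where the slides say "encrypt the digest with the private key", the code uses the RSA signature scheme RSA-PSS, and for the message itself RSA-OAEP; both padding modes, the 2048-bit key size, the party names Alice (sender), Bob (receiver) and Mallory (attacker), and the sample order text are assumptions of the example. The last function shows what step 1 buys: an attacker who knows only public keys can encrypt a message of her own to Bob but cannot sign it as Alice.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the insecure channel: the message encrypted to the
// receiver's public key, plus the sender's signature over the message digest.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// NewKey generates a fresh 2048-bit RSA key pair (assumed key size).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal performs steps 1-2: hash the message, sign the digest with the sender's
// private key (RSA-PSS), then encrypt the message to the receiver (RSA-OAEP).
func Seal(msg []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg) // the "message digest"
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open performs steps 3-5: decrypt with the receiver's private key, re-hash the
// plaintext and check that digest against the signature with the sender's
// public key. A damaged ciphertext fails at decryption; a substituted message
// or signature fails at verification.
func Open(env *Envelope, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, receiver, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or altered ciphertext")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: altered, or not signed by the claimed sender")
	}
	return msg, nil
}

// Forge models Mallory, who holds only public keys: she can encrypt a message
// of her own to the receiver, but can only reuse a signature she has seen,
// which will not match her message.
func Forge(env *Envelope, fake []byte, receiver *rsa.PublicKey) *Envelope {
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, fake, nil)
	return &Envelope{Ciphertext: ct, Signature: env.Signature}
}

func main() {
	alice, bob := NewKey(), NewKey() // sender, receiver
	env, _ := Seal([]byte("ship 3 units of item 42 to 12 Main St"), alice, &bob.PublicKey)
	msg, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("genuine: %q err=%v\n", msg, err)
	forged := Forge(env, []byte("ship 30 units of item 42 to 1 Evil Rd"), &bob.PublicKey)
	_, err = Open(forged, bob, &alice.PublicKey)
	fmt.Println("forged:", err)
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("bit flip:", err)
}
```

Note that Open checks the signature only after decrypting with the receiver's key, which is why a forged envelope is detected at the signature step rather than the decryption step: the forger encrypted correctly for Bob, she just could not sign as Alice.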
23.6.1 Public-Key Cryptography (VI)
• Problems with public-key cryptography
– A public key carries no identity by itself: anyone can generate a key pair and claim that the public key belongs to someone else
– Example: how do you know that the site you are sending information to belongs to the merchant and not to a third party who substituted its own public key?
• Public Key Infrastructure (PKI)
– Adds digital certificates to the process for authentication
• Digital certificate
– Issued by a certification authority (CA)
  • CA is a trusted third party that issues certificates to its customers, verifying the subject's identity and binding that identity to a public key
  • Takes responsibility for the authentication
– Publicly available; held by the CA in certificate repositories
23.6.1 Public-Key Cryptography (VII)
• Digital certificate is signed with the CA's private key; anyone holding the CA's public key can check the signature
• Includes
– Subject (name of company or individual)
– Subject's public key
– Serial number
– Expiration date (validity period)
– Issuer: the name of the trusted CA, and the CA's signature
– Other relevant information
• VeriSign, Inc.
– One of the leaders in online security
– Develops PKI and digital-certificate solutions
23.6.1 Public-Key Cryptography (VIII)
[Figure: VeriSign digital certificate]
23.6.1 Public-Key Cryptography (IX)
• Many still feel e-commerce is insecure
• In reality
– Transactions using PKI and digital certificates are more secure than exchanging the same information over the phone
– With adequate key sizes, the underlying algorithms are computationally infeasible to break; in practice, compromises target implementations, key storage and endpoints rather than the mathematics
• RSA Security, Inc.
– Encryption and authentication technologies used by most Fortune 100 companies
– Encryption products built into more than 450 million copies of popular Internet applications
– Most secure communication on the Internet uses RSA products
23.6.2 Secure Sockets Layer (SSL)
• SSL protocol
– Developed by Netscape Communications
– Commonly used to secure Internet and WWW communications
– Built into many Web browsers
  • Netscape Communicator
  • Internet Explorer
– Operates between the transport layer and the application
  • Sits on top of TCP/IP and beneath application software such as a browser or Web server, so the application uses an ordinary socket whose traffic is encrypted
23.6.2 Secure Sockets Layer (SSL) (II)
• Standard correspondence over the Internet
– Sender's message is passed to a socket
– Socket hands the message to TCP/IP
  • Transmission Control Protocol/Internet Protocol
  • Standard set of protocols used for communication between computers on the Internet
  • Most Internet transmissions are sent as a series of individual message pieces called packets
23.6.2 Secure Sockets Layer (SSL) (III)
Standard Internet communication process
• At the sending side
1. Message is split into packets, which are numbered sequentially
2. Error-control information (checksums) is attached to each packet
3. Packets are routed across the Internet; each packet may travel a different route
• At the receiving side
4. TCP checks that all packets have arrived and reassembles them in order
5. Checksums reveal packets damaged in transit
– Damaged or missing packets are retransmitted
6. TCP/IP passes the message to the socket at the receiver's end
7. Socket delivers the message to the receiving application
• Note: TCP checksums catch accidental corruption only. An attacker on the path can read every packet, or alter one and recompute its checksum, and TCP/IP will not notice. Confidentiality, tamper detection and authentication have to come from a layer above, which is what SSL provides.
23.6.2 Secure Sockets Layer (SSL) (IV)
• Transactions using SSL
– Socket connection secured using public-key cryptography to authenticate the server and establish keys
– Client authentication is optional and rarely used on consumer sites; the server is authenticated by its certificate
• Process
1. Client sends a hello message to the server listing the cipher suites it supports
2. Server responds with its choice and sends its digital certificate for authentication; the client checks the CA's signature, the validity period and that the certificate names the site the client meant to reach
3. Client and server negotiate session keys to continue the transaction
– Session keys
  • Symmetric secret keys used only for the duration of the session
  • Established either by the client sending key material encrypted under the server's public key or by a key-agreement exchange; the public-key operations only bootstrap the symmetric keys
4. Once the keys are established, all further communication between client and server is encrypted and integrity-checked with the session keys; the certificate plays no further part
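An added example (not from the Deitel text) that covers two slides at once: the certificate fields and CA signature of 23.6.1 (VII), and the SSL exchange of 23.6.2 (IV). It uses only the Go standard library. The CA and host names, the ECDSA P-256 keys, the 24-hour validity period, the in-memory connection used in place of a TCP socket and the sample request text are assumptions of the example. VerifyChain is the check a browser performs on a site certificate; Handshake runs the exchange itself, and the cipher-suite name it returns shows the symmetric algorithm the negotiated session keys are used with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IssueCertificate builds a certificate carrying the fields the slide lists
// (subject, subject's public key, serial number, expiration date, issuer) and
// signs it with the issuer's private key. With parent == nil it is self-signed:
// a root CA of the kind a browser ships in its trust store.
func IssueCertificate(subject string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // subject's key pair
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour), // expiration date
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		DNSNames:              dns, // host names a site certificate is valid for
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key // self-signed unless an issuer is supplied
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain does what a browser does with a site certificate: check the CA's
// signature against a trusted root, the validity period, and that the
// certificate was issued for the host the client intended to reach.
func VerifyChain(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Handshake runs the slide's SSL exchange over an in-memory connection: the
// server presents its certificate, the client verifies it against the trusted
// root (no client certificate is requested), both sides derive symmetric
// session keys, and one request/reply travels under them. It returns the
// negotiated cipher suite, the server identity the client saw, and the reply.
func Handshake(leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, root *x509.Certificate) (string, string, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	serverSide, clientSide := net.Pipe()
	defer func() { serverSide.Close(); clientSide.Close() }()
	cert := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	srv := tls.Server(serverSide, &tls.Config{Certificates: []tls.Certificate{cert},
		SessionTicketsDisabled: true}) // no post-handshake records, which the unbuffered pipe cannot absorb
	cli := tls.Client(clientSide, &tls.Config{RootCAs: pool, ServerName: "shop.example"})
	errc := make(chan error, 1)
	go func() { // merchant side: Read completes the handshake, then answer one request
		buf := make([]byte, 64)
		n, err := srv.Read(buf)
		if err == nil {
			_, err = srv.Write(append([]byte("accepted "), buf[:n]...))
		}
		errc <- err
	}()
	if _, err := cli.Write([]byte("order 1001")); err != nil { // handshake runs here; the certificate is checked before any data moves
		return "", "", "", err
	}
	buf := make([]byte, 64)
	n, err := cli.Read(buf)
	if err == nil {
		err = <-errc
	}
	if err != nil {
		return "", "", "", err
	}
	st := cli.ConnectionState()
	return tls.CipherSuiteName(st.CipherSuite), st.PeerCertificates[0].Subject.CommonName, string(buf[:n]), nil
}

func main() {
	root, rootKey, _ := IssueCertificate("Example Root CA", true, nil, nil, nil)
	leaf, leafKey, _ := IssueCertificate("shop.example", false, []string{"shop.example"}, root, rootKey)
	fmt.Println("trusted chain:", VerifyChain(leaf, root, "shop.example"))
	fmt.Println(Handshake(leaf, leafKey, root))
}
```

A certificate for shop.example issued by a CA that is not in the client's root set, or presented by a host other than shop.example, fails VerifyChain and would fail the handshake in the same way; the two checks are the same code path in a real browser.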
23.6.2 Secure Sockets Layer (SSL) (V)
• SSL protects information only while it is passing over the Internet
• Does not protect private information stored on the merchant's server
• When the merchant receives private information
– It usually decrypts the information and stores it on the merchant's server
• If the server is insecure and the stored data is not encrypted
– An outside party who breaks into the server can read the information
23.6.3 Secure Electronic Transaction™ (SET™)
• SET protocol
– Developed by Visa International and MasterCard
– Designed specifically to protect e-commerce payment transactions
– Uses digital certificates to authenticate each party
  • Customer
  • Merchant
  • Merchant's bank
– Public-key cryptography used to secure the information as it passes over the Web
23.6.3 Secure Electronic Transaction™ (SET™) (II)
• Merchant must have
– Digital certificate
– Special SET software to process transactions
• Customer must have
– Digital certificate
– Digital-wallet software
• Digital wallet
– Stores credit- or debit-card information for multiple cards
– Stores the digital certificate verifying the cardholder's identity
– Adds convenience to online shopping
  • Customers do not have to re-enter information at different sites
23.6.3 Secure Electronic Transaction™ (SET™) (III)
• SET transaction process
– When the customer is ready to place an order
1. Merchant's SET software sends the order information and the merchant's digital certificate to the customer's digital wallet
  • This activates the digital-wallet software
2. Credit-card and order information are encrypted using the merchant's bank's public key, so the merchant itself cannot read the card details
3. The encrypted information is sent to the merchant along with the customer's digital certificate
4. Merchant forwards the information to the merchant's bank to process the payment
5. Mer
chant's bank sends the amount of the purchase and its own digital certificate to the customer's bank to get approval for the transaction
  • If the customer's charge is approved
6. Customer's bank sends an authorization to the merchant
7. Merchant sends a confirmation of the order to the customer
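The seven steps above as an added example, written for this page rather than taken from the SET specification or the Deitel text. It uses only the Go standard library and simplifies SET: RSA-OAEP encryption to the bank and an RSA-PSS signature over the order plus the sealed card data stand in for SET's certificates and its dual-signature construction; the message layout, the OAEP label, the constructed test card number 4111 1111 1111 1111 and the order text are assumptions. The point it makes is the one in step 2: the merchant relays the card data without being able to read it, and cannot alter the order in transit without the bank noticing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentInstruction is what the digital wallet holds for one card. In this
// flow only the merchant's bank can read it.
type PaymentInstruction struct {
	Card   string  `json:"card"`
	Expiry string  `json:"expiry"`
	Amount float64 `json:"amount"`
}

// SETMessage is what the wallet sends to the merchant in step 3: the order in
// the clear, the card data sealed to the bank, and the customer's signature
// binding the two together.
type SETMessage struct {
	Order         string
	SealedPayment []byte
	Signature     []byte
}

var oaepLabel = []byte("SET-payment") // assumed label; must match on both ends

// digest binds the order to the sealed payment so neither can be swapped alone.
func digest(order string, sealed []byte) []byte {
	h := sha256.New()
	h.Write([]byte(order))
	h.Write(sealed)
	return h.Sum(nil)
}

// WalletSeal is step 2: encrypt the card data with the merchant's BANK's public
// key (not the merchant's), then sign order+sealed blob with the customer's key.
func WalletSeal(order string, pi PaymentInstruction, customer *rsa.PrivateKey, bank *rsa.PublicKey) (*SETMessage, error) {
	plain, _ := json.Marshal(pi) // a struct of strings and a float cannot fail to marshal
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bank, plain, oaepLabel)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, customer, crypto.SHA256, digest(order, sealed), nil)
	if err != nil {
		return nil, err
	}
	return &SETMessage{Order: order, SealedPayment: sealed, Signature: sig}, nil
}

// MerchantCanRead reports whether the merchant's own key opens the card data.
func MerchantCanRead(m *SETMessage, merchant *rsa.PrivateKey) bool {
	_, err := rsa.DecryptOAEP(sha256.New(), nil, merchant, m.SealedPayment, oaepLabel)
	return err == nil
}

// BankAuthorize is the bank's side of steps 4-6: verify the customer's
// signature with the public key from the customer's certificate, then open the
// card data. Any edit to the order or the blob in transit breaks the signature.
func BankAuthorize(m *SETMessage, bank *rsa.PrivateKey, customerPub *rsa.PublicKey) (*PaymentInstruction, error) {
	if err := rsa.VerifyPSS(customerPub, crypto.SHA256, digest(m.Order, m.SealedPayment), m.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: order or payment data altered in transit")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, bank, m.SealedPayment, oaepLabel)
	if err != nil {
		return nil, err
	}
	pi := &PaymentInstruction{}
	return pi, json.Unmarshal(plain, pi)
}

// FlowResult reports one run of RunSETFlow.
type FlowResult struct {
	Authorized   *PaymentInstruction // what the bank recovered
	MerchantRead bool                // whether the merchant could open the card data
	TamperErr    error               // bank's verdict on an order the merchant edited
}

// RunSETFlow generates RSA keys for the three parties (standing in for their
// certificates), runs the honest flow, then replays it with an inflated order.
func RunSETFlow(order string, pi PaymentInstruction) (*FlowResult, error) {
	customer, _ := rsa.GenerateKey(rand.Reader, 2048)
	merchant, _ := rsa.GenerateKey(rand.Reader, 2048)
	bank, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, err := WalletSeal(order, pi, customer, &bank.PublicKey)
	if err != nil {
		return nil, err
	}
	res := &FlowResult{MerchantRead: MerchantCanRead(msg, merchant)}
	if res.Authorized, err = BankAuthorize(msg, bank, &customer.PublicKey); err != nil {
		return nil, err
	}
	edited := *msg
	edited.Order = order + " x10" // merchant inflates the order before forwarding
	_, res.TamperErr = BankAuthorize(&edited, bank, &customer.PublicKey)
	return res, nil
}

func main() {
	pi := PaymentInstruction{Card: "4111111111111111", Expiry: "12/27", Amount: 49.95} // constructed test card
	res, err := RunSETFlow("order 1001: 2 x widget", pi)
	fmt.Printf("%+v err=%v\n", res, err)
}
```

Because the signature covers the sealed blob as well as the order, the merchant can neither change the amount it asks the bank to charge nor substitute another customer's sealed card data; the bank rejects either edit at the signature check before it ever decrypts anything.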