SEMPER: A Security Framework for the Global Electronic Marketplace
Jian Zheng
jianzhen@cs.nyu.edu
Nov. 30, 1998

Dec 18, 2015


Todd York
Context

• Introduction

• The Security Marketplace

• Model of Electronic Commerce

• SEMPER Architecture

• The Field Trial

• Reference

Introduction

• The Emerging Electronic Commerce
– by 2000, over 25B will be conducted via Internet
• Such an electronic marketplace requires security and establishing sufficient trust
• Current Achievements:
– payment, cryptography, intellectual property rights protection
– however, they did not integrate the different solutions in a consistent way

Introduction (cont’d)

• SEMPER (Security Electronic Marketplace for Europe)
– proposes an open security framework that should provide an integrated, complete and global electronic marketplace
– backed by the European Commission
– technically led by IBM Zurich Research Lab

The Security Marketplace

• Requirements
– The traditional business “terms” and “requirements” should be appropriately translated into electronic terms
– trust should be restored on such an insecure medium (Internet)
– the recovery of transactions and the resolution of disputes must be guaranteed

The Security Marketplace (cont’d)

• Fundamental Issues
– the systems must address the complete set of issues raised by E-commerce
– users must be able to trust their system
– these systems should be fully interoperable
– E-commerce needs to be backed by a legal framework which is transparent and predictable for users
– there is a network for registration, certification and key distribution

The Security Marketplace (cont’d)

• Current Status
– three waves on the Internet business
  • web sites for promoting and marketing
  • digital libraries and online catalogs
  • possible to authenticate, user can browse, place the order and pay for them; secure payment with credit card based on SSL and SET
– however, no generally accepted model and architecture for building E-commerce

The Security Marketplace (cont’d)

• SEMPER Objectives
– addresses the complete problem of E-commerce over insecure networks
– based on a business model consisting of “transfers” and “fair exchanges”
– goal: develop an open and comprehensive security framework for building the secure marketplace

Model for E-commerce

• Model
– two-party E-commerce: describes business scenarios in terms of sequences of “transfers” and “exchanges” of data with decisions based on the success of these actions
– similar to the dialogues of interactive EDI

Model for E-commerce (cont’d)

• Basic Concepts
– “transfer”: One party sends a package of business items to one or more business parties. The sending party specifies the security requirements.
– “exchange”: A simultaneous exchange of packages of business items among two parties.

Model for E-commerce (cont’d)

• Basic Concepts (cont’d)
– “business items”:
  • credentials
  • statements
  • money

Model for E-commerce (cont’d)

Transfer/Exchange | Money | Credential | Information
Nothing (i.e., transfer) | Payment | Certificate transfer | Information transfer
Money | Fair money exchange | Fair payment with receipt | Fair purchase
Credential | Same as in upper right half | Fair contract signing | Fair conditional access
Information | Same as in upper right half | Same as in upper right half | Fair information exchange

SEMPER Architecture

• Structured in layers

• the highest layer deals with commercial issues only

• the lowest layer deals with low-level security primitives and other supporting services

SEMPER Architecture (cont’d)

• Commerce Service
– directly implements protocols of business scenarios
– implements the flow of control
– includes some more general use services
– can also securely download new services

SEMPER Architecture (cont’d)

• Exchange Service
– handle and package business items
– transfer and fair exchange of packages
– each type of items is managed by a separate manager which provides the unified services based on integrating existing implementations
  • payment manager

SEMPER Architecture (cont’d)

• Supporting Service
– provides user preference management, persistent object storage, communication, crypto services, access control, etc.

SEMPER Architecture (cont’d)

• Multi-party security
– buyers, service providers, banks, CA authorities, notary public
• Trust hierarchy
– browser/server
– Signed business application
– Commerce layer
– System kernel

SEMPER Offers Security Services for Today and Tomorrow

• Basic Services
– Authentication
– Signed offer
– Signed order
– Payment
– Signed delivery
• Advanced Services
– Fair exchange
– Security document handling
  • certified mail
  • contract signing
  • credentials
– New payment instruments
– Anonymity
– Resolution of dispute

The Field Trial

• EUROCOM
– offer multimedia courseware in the area of telecommunications
– implements online purchases of multimedia courses

The Field Trial (cont’d)

• FOGRA
– distribute information to their members on a subscription basis and sell consultancy to non-members
– use SEMPER for online purchase and processing of subscriptions as well as sales of consultancy

The Field Trial (cont’d)

• OTTO VERSAND
– one of the largest mail-order retailers worldwide
– online order of goods
– online order of tickets and other credentials

Reference

• SEMPER Home Page
– http://www.semper.org
• SEMPER public reports
– http://www.semper.org/info
• Security Research Group at IBM Zurich Research Lab
– http://www.zurich.ibm.com/Technology/Security/

Reference (cont’d)

• Field Trials
– Actimedia (F) - satellite pictures on ATM networ
  • http://www.ippolis.fr/mediatronics/ActimedF.html
– Acri (F) - CD-ROMs on the Internet
  • http://www.acri.fr/
– Gecap / Bowne (F) - software localisation
  • http://www.gecap.de/
– Viajes Eroski / Enyca (E) - travel
  • http://grupoeroski.mcc.es/home_ing.html