Development of an E-commerce Site with Smartcard Payment Mechanism
Transcript of Development of an E-commerce Site with Smartcard Payment Mechanism
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
1/79
Development of an E-commerce Site
with Smartcard Payment Mechanism
Christopher S. Lacey
MEng Electronic Systems Engineering
with Management Studies
Supervisor: Mr. P J Miller
Electronic Engineering
School of Engineering and Applied Science
Aston University
Submitted: May 2001
Chris Lacey / Aston University, 2000 - 2001.To contact the author, see www.cslacey.co.uk/proect
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
2/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Acknowledgements
The author wishes to express his gratitude to the followig:
Mr. P J Miller ad !r. J " # $illiams of the S%hool of &gieerig ad "pplied S%ie%e'
"sto (iversity' for providig ogoig advi%e ad assista%e for the duratio of the
pro)e%t.
Mr. J $ard ad Mr. P Trevis also of the S%hool of &gieerig ad "pplied S%ie%e'
"sto (iversity' for providig te%hi%al support.
*ita%hi Smart +ommer%e divisio for the doatio of smart%ard e,uipmet ad
developmet software- spe%ifi%ally' Mr. J riffiths for providig te%hi%al support ad to
Mr. # &vas for arragig sposorship.
Mr. M Meyerstei of /T +ellet for providig iformatio ad sour%e %ode with respe%t to
Modex value trasfer.
%a+e 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
3/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Contents
Acknowledgements...............................................................................................................1
Contents.................................................................................................................................2
Table o !igures...................................................................................................................."
1 Synopsis.............................................................................................................................#
2 $ntroduction......................................................................................................................%
2.1 +otext........................................................................................................................
2.1.1 "ppli%ability of Smart%ard Te%hology...............................................................
2.2 #e,uiremets.............................................................................................................10
2.2.1 &le%troi% +ash..................................................................................................10
2.2.2 Persoal Profile..................................................................................................10
2.2. &3+ommer%e $eb Site.......................................................................................11
2. 4verview of #eport...................................................................................................11
& Ser'er(Side )esign $ssues..............................................................................................12
.1 +hoi%e of $eb Server...............................................................................................12
.2 Server3Side Pro%essig..............................................................................................12
. Maitaiig State......................................................................................................1
.5 !atabase....................................................................................................................16
.5.1 !atabase Trasa%tios........................................................................................16
.6 &%rypted +ommui%atio........................................................................................17
.6.1 Publi% ad Private 8eys 9"symmetri% +ryptography.......................................17
.6.2 !igital +ertifi%ates.............................................................................................17
.6. SS; ad +ertifi%ate "utheti%atio....................................................................1ueries...............................................................................................................22
5.5 Server3Side Java "ppli%atio....................................................................................2
5.6 SS;............................................................................................................................25
+ Client(Side )esign $ssues...............................................................................................2+
6.1 *ypertext Mar?up ;aguage 9*TM;.....................................................................26
6.1.1 =rames................................................................................................................27
6.1.2 =orms..................................................................................................................2ields?ad for a meas to be provided for ;ii< a web site to retrie'e
this data.
"dditioally' provisio had to be made for a user to ;iii< update his proile inormation
whene'er necessary' ad to ;i'< speciy preerences as to whether= and how oten= a
3$@ should be re:uested beore sensiti'e inormation is released.
The ob)e%tive to develop a persoal profile was ot part of the origial pro)e%t
spe%ifi%atio. @t was ta?e o at the re,uest of *ita%hi' providers of smart%ard readers ad
developmet software for the pro)e%t.
%a+e 10
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
12/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
2.2.3 E-Commerce Web Site
The %ore fu%tios provided by ay &3%ommer%e site are to ;i< allow users to browse or
search within a database o items or ser'ices= ;ii< select those re:uired or purchase
and place into a 'irtual >shopping basket?' ad ;iii< >check out? by authorising 'aluetranser to the 'endor.
"dditioally' for this pro)e%t' it was e%essary to ;i'< utilise the electronic cash and
personal proile systemspreviously des%ribed.
#%) *verview of 'eport
Three fudametal %ompoets to the overall system %learly emerge' amely Server,
ClientadSmartcard. The followig %hapters deal with these idividually: for ea%h' a
Design Isses%hapter des%ribes ad )ustifies the ma)or %o%eptual de%isios made' ad a
Implementation%hapter outlies ?ey methods by whi%h the desig was realised.
The method by whi%h value trasfer was a%hieved is des%ribed separately i
! Cryptographic Challenge and "esponse Cycle' as it ivolves the server' %liet ad
smart%ard e,ually' ad %aot be satisfa%torily des%ribed for ea%h %ompoet i isolatio.
The su%%ess of the pro)e%t is the evaluated' ad possibilities for future developmet
idetified. =ially' %o%lusios are draw from the fidigs made.
%a+e 11
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
13/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
) Server-Side Design $ss!es
)%" Choice of +eb Server
!ifferet permutatios of operatig system ad web server software were assessed' ad i
may %ases evaluated through istallatio' test' ad review of their a%%ompayig
do%umetatio.
(A@K servers ted to be highly regarded for their reliability ad stability' he%e iitially
appeared to be a attra%tive optio for deploymet. *owever' at the time whe this
assessmet of alteratives was beig %odu%ted' Modex was iteded to be the meas by
whi%h paymets would be made withi the site' ad it was therefore assumed that a
smart%ard reader would be eeded o the server i order to fa%ilitate %ard3to3%ard value
trasfers. The ma)ority of su%h devi%es are supplied oly with $idows drivers 3 (A@K
alteratives are geerally slow to materialise ad are usually usupported 3 ad as su%h the
de%isio was made to sele%t $idows AT Server as the platform upo whi%h the web
server should ru.
The "pa%he *TTP Server ad Mi%rosoftBs @teret @formatio Server 9@@S were the
%riti%ally %ompared' the latter fially beig sele%ted due to the fa%t that its ative s%riptiglaguage 9"SPa was ui,ue i providig support for istatiatio of $idows +4Mb
ob)e%ts' thus permittig %ommui%atio with the smart%ard reader via vedor3supplied
%ompoets. Darious modules providig "SP support for "pa%he were lo%ated ad tested'
but these were foud to possess i%omplete feature sets 3 oe of them providig +4M
support.
)%# Server-Side Processing" &3%ommer%e site obviously re,uires some degree of server3side pro%essig over ad
above simply relayig stati% %otet at the re,uest of browsers 3 for example' supplyig
pages whi%h show produ%ts that mat%h a userBs sear%h %riteria. The de%isio was made to
utilise @@SBs ilie s%riptig %apabilities to perform the ma)ority of server3side pro%essig'
as this te%hi,ue uses the appli%atioBs memory spa%e to pro%ess the s%ripts' draiig fewer
resour%es tha usig +@%' with whi%h a ew pro%ess eeds to be %reated to serve every
separate page re,uest.a"%tive Server Pagesb+ompoet 4b)e%t Model%+ommo ateway @terfa%e
%a+e 12
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
14/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
@@S is %apable of supportig a umber of differet s%riptig laguages 9D/S%ript ad
JS%riptaas stadard' Perl ad other alteratives by deploymet of appropriate modules.
Ao oe laguage appeared to offer ay parti%ular advatage' he%e D/S%ript was %hose
solely be%ause this appears to be the most %ommo %hoi%e amogst users of "SP' ad thus
more do%umetatio ad support is available for it.
)%) Maintaining State
The proto%ol via whi%h web pages are re,uested ad served 9*TTPb isstateless' i that
ea%h page re,uest is effe%tively a isolated evet whereby a %oe%tio is maitaied
betwee %liet ad server for the trasmissio of a sigle file oly. Aavigatig to a
parti%ular page by eterig its (#;%
ito the address bar of a browser or by sele%tig ahyperli? %auses a T+Pd%oe%tio to be made to port 0 of the appropriate host' followed
by a istru%tio of the form:
GET /filename.html HTTP/1.0
"ssumig the file re,uested is available' the web server the respods by trasmittig the
page ba%? to the %liet' ad the %oe%tio betwee the two ma%hies is immediately
released.
The stateless ature of *TTP demads that %osideratio be give to how some form of
persiste%e be %reated withi the system. +learly' for a &3%ommer%e site' it is desirable
for a user to move betwee several pages' browsig ad sear%hig for items' ad addig
those whi%h are re,uired to a virtual Eshoppig bas?etF. @t is obviously e%essary for the
sele%tios made to be retaied for at least the duratio of the userBs visit to the site' ad
preferably also betwee su%%essive visits.
Darious extesios to *TTP' whi%h are ow mature ad supported by the vast ma)ority of
browsers' provide meas to over%ome this problem. The most established method is
?ow as#$$% Athentication' whereby the web server iserts the followig headers ito
its iitial respose to a page re,uest:
WWW-Authenticate: Basic
HTTP/1.0 401 Unauthorie!
aMi%rosoftBs implemetatio of &+M"S%ript 9Javas%riptb*ypertext Trasfer Proto%ol%(iform #esour%e ;o%atordTrasmissio +otrol Proto%ol
%a+e 1(
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
15/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
/rowsers supportig *TTP autheti%atio will the prompt the user for a userame ad
password' %a%he this iformatio' ad retrasmit it withi the headers of every subse,uet
page re,uest to that site. +ose,uetly' by observig the userame ad password
a%%ompayig ea%h page re,uest' the server %a as%ertai whi%h user is beig served ad
modify the %otets of the iformatio retured a%%ordigly.
" alterative to this te%hi,ue is to use coo&ies' whi%h are small text files %reated by the
browser o the userBs system upo the re,uest of the server. The iformatio to be stored
withi these files is set to the %liet withi the respose *TTP headers' ad this is the
retrasmitted by the browser withi the headers of every subse,uet page re,uest to the
same site. +ose,uetly' by usig %oo?ies to store a ui,ue idetifier for a parti%ular user'
page resposes %a be persoalised by the server a%%ordigly.
$he %oo?ies first %ame ito existe%e 9i Aets%ape Aavigator 2.0' they were viewed
with suspi%io by some users who regarded the a%t of text files beig saved o their ow
ma%hies as a se%urity threat. The fa%t that these files %otai textual data whi%h is
maaged by the browser' oly ever set to the site whi%h origially %reated it' ad ever
exe%uted' has %aused this attitude to be o loger widely held' ad although users %a still
%hoose to re)e%t them' all browsers i %ommo use today siletly a%%ept %oo?ies by default.
@ additio' %reatio of the %o%ept of Esessio %oo?iesF whi%h exist i the browser
pro%essBs volatile memory' ad thus remai i existe%e oly util the program is %losed'
have served to provide a te%hi,ue for providig persiste%e to whi%h few are opposed.
@ geeral' %oo?ies are used mu%h more widely tha *TTP "utheti%atio' ad as su%h the
appeara%e of the browserBs logi box is ow rarely witessed ad %a be dis%o%ertig for
iexperie%ed users. @ additio' be%ause the maer i whi%h the userame ad password
are re,uested is ui,ue to ea%h idividual browser' it would ot be possible to provide a
%osistet me%haism for loggig i usig a smart%ard should this method be employed for
user idetifi%atio. +ose,uetly' despite the small possibility of user re)e%tio' it was
de%ided that the less %otroversial Esessio %oo?ieF be used to provide logi fa%ilities to the
site' together with a explaatio of the se%urity issues ivolved.
"dditioally' it was de%ided to provide the optio for %reatig a permaet %oo?ie to
provide automati% logi to the site.
%a+e 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
16/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
)%, Database
There was a %lear eed for the existe%e of a database o the server' whi%h would %otai
iformatio relatig to the produ%ts or servi%es available for sale o the site 9 e.g.
des%riptio' pri%e ad sto%? iformatio.
@ additio' it was believed to be desirable for the database to be the lo%atio i whi%h the
%otets of usersB Eshoppig bas?etsF was held. @t would be possible for the sessio %oo?ie
%reated o the %lietBs ma%hie to retai this iformatio- however' be%ause %oo?ie data is
trasmitted with every page re,uest' use of a server3side database miimises the amout of
data beig trasferred' ad thus the speed of respose. "dditioally' it permits the %otets
of bas?ets to be remembered idefiitely 9i.e.betwee visits.
" large umber of differet database produ%ts are available' all with their ow parti%ular
advatages ad disadvatages. "ssessmet of whi%h was the most suitable for a
&3%ommer%e site would be depedet upo fa%tors su%h as the expe%ted server load' ad a
detailed evaluatio of alteratives was ot %osidered to be withi the s%ope or budget of
this pro)e%t. (se of a stadard ,uery laguage ad abstra%tio layer to %oe%t to the
database 9spe%ifi%ally' S>; via a 4!/+a%oe%tio was therefore deemed essetial' so
that the uderlyig egie %ould be repla%ed should it be%ome e%essary 9easig migratio
to a heavy3duty 4ra%le database should server load es%alate' for example.
3..1 !atabase Transactions
+ertai operatios that may eed to be %arried out o the database are %omprised of a
umber of separate a%tios 3 su%h as the pro%ess of %he%?ig out' where ea%h produ%t
pur%hased must be deleted from the userBs bas?et ad a %orrespodig re%ord made
elsewhere to authorise dispat%h.
@t is importat to esure that' i the evet of a error or problem o%%urrig o the server'
the etire operatio would fail or su%%eed as a sigle uit 9 i.e.either allof the %ompoet
a%tios would be %ompleted' or noneof them. Su%h a operatio is said to be atomic.
@ order to a%hieve this re,uiremet' it was de%ided to use trasa%tioal features withi the
database whereby a trasa%tio is %omme%ed immediately before the first %riti%al
operatio ad committedfollowig the fial oe. Should ay step i the trasa%tio fail'
all other steps are automati%ally rolled ba%?' thus preservig %osiste%y of the data.
a4b)e%t !atabase +oe%tio
%a+e 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
17/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
The database egie also esures that partial results of i%omplete operatios are ever
obtaied by other %o%urret pro%esses 9e.g.other "SP page re,uests by lo%?ig the
relevat fields for the duratio of the trasa%tio. !ue to the fa%t that trasa%tios oly
appear to be re,uired for re%ords ad fields spe%ifi% to idividual users' o problems
should o%%ur with the database beig made uavailable to other users of the site.
)% Encrypted Comm!nication
+ommui%atio via the @teret is iheretly ise%ure' as data trasferred over it is ope to
eavesdroppig at may differet poits. +ose,uetly' there is a eed for ay system
whi%h ivolves the trasmissio of sesitive iformatio 9su%h as %redit %ard umbers to
provide meas for e%ryptig %ommui%atio betwee server ad %liet ad to assure usersof the true idetity of the site with whi%h they are dealig' he%e the ratioale behid
deployig SS;a.
3.".1 P#blic and Pri$ate %eys &Asymmetric Cryptography'
$he used for e%ryptio' publi% ad private ?eys are aalogous to padlo%?s ad their
?eys' whereby iformatio %a be e%rypted usig a publi% ?ey 9lo%?ed with a padlo%?
su%h that it %a oly be de%rypted usig its asso%iated private ?ey 9ulo%?ed with its ?ey.
+ose,uetly' publi% ?eys %a be widely distributed to eable ayoe to e%rypt
iformatio i the ?owledge that it %a oly be de%rypted by the holder of the asso%iated
private ?ey.
"dditioally' however' data e%rypted usig the private ?ey %a be de%rypted by ayoe i
possessio of the asso%iated publi% ?ey. @f meaigful iformatio %a be extra%ted usig
the publi% ?ey' oe %a be %ertai that oly the holder of the private ?ey %ould have
e%rypted it iitially 9i.e.the origi of the data is assured. This te%hi,ue forms the basis
for digital sigature systems.
3.".2 !igital Certificates
@ order for asymmetri% %ryptography to be used effe%tively' it is e%essary for the holder
of a publi% ?ey to be %ertai that the ?ey is i fa%t asso%iated with the private ?ey owed by
the iteded re%ipiet. (sig te%hi,ues su%h as @P spoofig' it might be possible to
mas,uerade uder the idetity of aother user or server ad supply a differet publi% ?ey
whi%h would allow uauthorised a%%ess to iformatio e%rypted with it.
aSe%ure So%?et ;ayer
%a+e 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
18/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
@ order for the true ower of a publi% ?ey to be determied' Certification Athorities
9+"Bs su%h as Derisig ad Thawte have bee established to a%t as trusted third parties
whi%h will verify the idetity of a perso or orgaisatio before providig them with a
digital certificate. Su%h %ertifi%ates are wrappers %otaiig textual iformatio
%o%erig the owerBs idetity' together with the a%tual publi% ?ey. The wrapper itself is
siged usig the +"Bs private ?ey whi%h gives ayoe proof of its autheti%ity. The +"sB
publi% ?eys' re,uired to verify %ertifi%ates as beig valid' are supplied as stadard withi
all %ommo web browsers ad web server software.
3.".3 SS( and Certificate A#thentication
SS; is a stadard te%hi,ue used for se%ure data ex%hage o the @teret ad o private
etwor?s. Typi%ally' a web server will preset a browser with its digital %ertifi%ate whi%h
will a%t as proof of its idetity' ad %otai its publi% ?ey usig whi%h data set to it %a be
e%oded.
"s @teret @formatio Server ad the ma)ority of maistream browsers support SS;' the
de%isio was made to apply for a suitable digital %ertifi%ate from a ?ow +"' ad to ma?e
use of SS; for the trasmissio of address ad %redit %ard iformatio to the server.
%a+e 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
19/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
, Server $mplementation
Please refer to the a%%ompayig +!3#4M to view the %ommeted %ode ad other files
%reated to implemet the system 9H$ebB dire%tory for "SP %ode' HServerB dire%tory for
"%%ess database ad Java appli%atio sour%e.
,%" ASP Synta&
" des%riptio of "SP sytax ad usage is ot withi the s%ope of this do%umet. *owever'
the reader may beefit from ?owig that dire%tives are distiguished from stadard
*TM; %ode by beig surrouded by "#ad #$delimiters. @ additio' the "%--&.. --$
tag is used for spe%ifyig for server3side i%ludes.
.1.1 Code Con$ention
$ithi this se%tio' highlighted text will be used to distiguish server3side istru%tios
from *TM; %ode' where e%essary. +ommets withi %ode will be show i gree.
,%# Separation of Code and Presentation
"SP ilie s%riptig 9where pre3pro%essor istru%tios are embedded amogst stadard
*TM; tags is ot well suited to separatig %ode from presetatio iformatio. *owever'
where possible' user redire%ts ad fu%tio libraries were utilised to isolate sigifi%at %ode
blo%?s to Ededi%atedF s%ript files.
.2.1 The need for inline code embedding
@ some situatios' it was however essetial to embed %ode i the middle of a *TM;
page' as i the %ase of a produ%t listig 3 illustrated by the followig pseudo%ode:
Pa'e hea!er HT(): Title* Ta+le hea!er* etc.FOR EACH Pro!uct that matches selection criteria
,e ta+le ro,e ta+le cellPrint Pro!uct name,e ta+le cellPrint Pro!uct rice
NEXT Pro!uctPa'e footer
Figure 4.1: Pseudocode indicating use of inline scripting
%a+e 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
20/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
.2.2 )#nction (ibraries
@ order to miimise the %ode %otet of pages' ad to redu%e %odig repetitio' a umber
of libraries were %reated %otaiig related fu%tios 9e.g.those pertaiig to database
a%%ess. These were i%luded' whe re,uired' by use of server3side i%ludes' as show ithe followig example:
"# )A,GUAGE B2crit #$"%--&inclu!e file3../st!li+.as3--$"%--&inclu!e file3../!+li+.as3--$
"html$"hea!$"lin5 rel3st6lesheet3 href3main.css3$"/hea!$"+o!6$
"$7urrent or!er total: "stron'$"#'etBas5etTotal89#$"/stron'$"/$
etc...
Figure 4.2: ASP code showing use of function libraries and server-side includes
"SP does ot support the %o%ept of ElibrariesF as su%h- the Li%lude dire%tive simply
%auses the %otets of the refere%ed do%umet to be pla%ed at that poit withi the file.
+ose,uetly' %are had to be ta?e to avoid dupli%atio of variable ad fu%tio ames
a%ross multiple libraries' as should more tha oe ever be i%luded i a do%umet'
%ofusio would result. Suitably des%riptive ames were therefore used for fu%tios ad
EglobalF variables that might eed to be refere%ed exterally- ad Elo%alF variables were
prefixed with a %ommo idetifier 9e.g. dbC for database variables' as show i the
example below:
"#im o+;7onn* !+str7onn* !+strer.7reate?+;ect83A?B.7onnection39!+str7onn 32,2mart(ar5et@ata+ase2mart(ar5et@Usa@PW@3o+;7onn.?en8!+str7onn9
unction isEmt6=28!+str
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
21/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
"s opposed to embeddig *TM; represetig the user message withi large amouts of
"SP %ode' these messages were %reated i separate pages' ad *TTP redire%t resposes
set to the %liet' %ausig it to re,uest the appropriate Esu%%essF or EfailureF page after
pro%essig of the form was %omplete. =or example' the followig s%ript is a extra%t from
the "SP s%ript %alled o submissio of the E"dd ew userF form:
D7hec5 to see if user alrea!6 eCists in !ata+aseuserECists ,ot isEmt6=2832E)E7T Username =?( Accounts WHE=E Usern ...
f =euest83assor!39 "$ =euest83assor!F39 ThenDPassor!s !o not match!+finalise89=esonse.=e!irect83a!!user!iffass.as3 urlAen!9
Elsef username33 ?r assor!33 ?r forename33 ?r surname33 Then
DEssential fiel! left +lan5!+finalise89=esonse.=e!irect83a!!userincomlete.as3 urlAen!9
Elsef userECists ThenDUser alrea!6 eCists!+finalise89=esonse.=e!irect83a!!usereCists.as3 urlAen!9
ElseD? to insert user into !ata+ase!+ECecute83,2E=T ,T? Accounts 8Username*Passor!*orename*2ur ...!+finalise89
=esonse.=e!irect83a!!usersuccess.html39En! f
Figure 4.4: !tract fro" adduser.asp showing use of user redirects
@ this %ase' if the two passwords etered by the user do ot mat%h' he is forwarded to
EadduserCdiffpass.aspF- if ay essetial fields are left bla?' he is forwarded to
EadduserCi%omplete.aspF' ad so o.
%a+e 20
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
22/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
,%) Database Str!ct!re
" Mi%rosoft "%%ess database was used for storig user ad produ%t iformatio- this
produ%t beig %hose solely for its ease of availability 9see '.( Data)ase Design Isses.
.3.1 +elationships
/eig a relatioal database' it is possible to defie relatioships that exist betwee fields i
differet tables. Su%h usage efor%es referential integrity3 by defiig the stru%ture at
su%h a low level' faulty %ode or iterfa%es are preveted from eterig ivalid data ito the
database' allowig problems to be re%ogised more easily ad thus assistig i debuggig.
The tables %reated' ad relatioships betwee fields are as show below. Primary ?eys are
idi%ated i bold.
Figure 4.%: &atabase structure
.3.2 Tables
The Accountstable %otais a re%ord for ea%h registered user' %omprisig userame ad
password' real ame' ad the shippig address most re%etly etered 9i.e.for the %urret
trasa%tio. 3roducts %otais the full list of items available' ea%h beig assiged a
%ategory from the list defied i Categories. These %ategories are used withi the
browsig pro%ess 3 the user beig able to view all relevat produ%ts by sele%tig the
re,uired %ategory from a dyami%ally %reated drop3dow list withi his web browser.
%a+e 21
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
23/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
/asketsbrigs together user ad produ%t iformatio 9from Accountsad 3roducts'
respe%tively to idi%ate the items sele%ted by users to be i their Eshoppig bas?etsF.
$ithi "%%ess' the relatioships defied betwee fields %a oly be of the type
4e3to3May' as show 9e.g.a produ%t may oly be assiged to oe %ategory' but a
%ategory may be assiged to may produ%ts. @ order to provide a May3to3May
relatioship for the shoppig bas?ets 9a user may sele%t may produ%ts' ad a produ%t may
be sele%ted by may users' /asketsis re,uired to a%t as a*nction ta)le' possessig two
primary ?eys to esure ui,ueess oly of the %ombiatios of 9Produ%t@!'(serame
tuples 9i.e. it is possible for multiple re%ords to exist with the same Produ%t@!' providig
the (serame differs for ea%h su%h re%ord- ad vi%e3versa.
4%e a pur%hase is made' produ%ts 9refere%ed by Produ%t@! are EmovedF to the)ispatchestable' whi%h would be used by the shippig departmet to arrage for
despat%h. &a%h re%ord relates to oe produ%t oly' to allow idividual %ompoets of a
order to be %osidered separately. *e%e' wheever suffi%iet sto%? was available' a
delivery %ould be made' ad the re%ord deleted from the system. The Aame ad "ddress
fields relate to the shippig details etered durig the %he%?out stage' ad are ot stored
elsewhere i the system to esure o permaet re%ord is made of them' for user priva%y
reasos.
Card3aymentsrepresets the list of %redit %ard trasa%tios that have bee pro%essed. @
the %ase of this system' a %redit %ard trasa%tio is deemed to have bee su%%essfully
%arried out o%e a etry for it is made ito this table. 4bviously' i a real &3%ommer%e
site' trasa%tio authorisatio would be made by a ba? or %learig house 3 etry of data
ito this table' however' simulates this pro%ess.
.3.3 ,#eries
/asketuery ad /asketSubtotalsare +eries%reated withi the database. &ffe%tively'
these are read3oly tables whi%h are dyami%ally %reated by the server.
/asketuerydefies a li? betwee its Produ%t@! field ad that of 3roductsad thus
provides the data re,uired for the server s%ript to display details of a userBs bas?et 9without
eed for it to perform its ow %ross3refere%ig to obtai produ%t des%riptio' for
example.
%a+e 22
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
24/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
/asketSubtotalsli?s its (serame field to that of /asketuery' ad %al%ulates the total
%ost of produ%ts withi ea%h userBs bas?et by defiig the Subtotal field to be a
expressio of the form:
2u+total: 2um8IBas5etalue* schallen'e9reemt=esonsessmart7hallen'e.reemt=esonse8s>alue*
schallen'e* sri>atee69
En! unctionFigure 4.': ASP code to call (pree"pt)esponse* "ethod in +ava application
*ere' H+S;.Smart@!+hallegeB was the idetifier 9+;S@!b used to register the Java applet
as a +4M %ompoet o the server 9via the J"D"#& utility.
aDirtual Ma%hieb+lass @!
%a+e 2(
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
25/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
,% SS/
" free EtestF server %ertifi%ate was obtaied from the Derisig +"' ad usig this' SS; was
su%%essfully %ofigured withi @@S. *owever' due to the fa%t that su%h test %ertifi%ates
expire after two wee?s ad the diffi%ulty of obtaiig repeat issues' SS; was ot deployed
withi the fiished system. This should ot be regarded as demeaig its e%essity i ay
way 3 should a release system ever be %reated' a suitable server %ertifi%ate would eed to be
pur%hased' ad SS; re3eabled.
%a+e 2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
26/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Client-Side Design $ss!es
%" 0yperte&t Mark!p /ang!age 10TM/2
"ll web pages are ultimately passed to a browserBs rederig egie as *TM;' this beig
a appli%atio of SM;a. @ their simplest form' *TM; do%umets %osist of a basi%
blo%? of text' iterspersed with %otrol %odes 9HtagsB of the form addressN..OaddressN to
idi%ate the ature or desired appeara%e of the Emar?ed upF text. Tags also exist for
providig hyperli?s to other pages' displayig images' embeddig Java applets' providig
form %ompoets to re%eive user iput' ad so o.
The laguage is offi%ially maaged by the $+b' who defie the %omplete list of tags' their
usage' ad the maer i whi%h user agets 9i.e.web browsers should reder %otet.
*owever' *TM; has bee i a %ostat evolutioary pro%ess si%e its i%eptio-
%ose,uetly differet browsers support differet versios of the laguage ad very few
have ever %orre%tly supported the stadard i its etirety. "dditioally' vedors have
attempted to provide eha%emets via their ow proprietary additios 9for example'
Aets%ape AavigatorBs bli?N ad Mi%rosoft @teret &xplorerBs mar,ueeN tags.
(ser agets are re,uired to hadle tags whi%h they do ot re%ogise by simply igorigthem' ad as su%h' %areful desig permits adva%ed features to be implemeted
trasparetly 3 providig eha%ed fu%tioality to those browsers whi%h support it' but
still permittig users of less well featured browsers to view the basi% iformatio preset
o the page. @teret usage statisti%s suggest that over 6%of users view pages with a
browser whi%h supports *TM; 5.0 9revised "pril 11- %ose,uetly it was de%ided that
this versio be used as the basis for developig the site' whilst esurig that older browsers
9supportig *TM; .22ad earlier be %apable of providig %ore fu%tioality' albeit with
a less refied appeara%e ad user iterfa%e. Proprietary features have bee avoided
%ompletely.
!iffere%es i usersB system %ofiguratios 9e.g.s%ree resolutio' %olour depth' fot
availability' ad i the iterpretatio ad implemetatio of the *TM; stadard withi
browsers' mea that the maer i whi%h web pages will appear %a ever be %ompletely
predi%table. !espite the temptatio to do so' %osiderable effort was made to avoid
aStadard eeraliIed Mar?up ;aguageb$orld $ide $eb +osortium%Sour%e: browserwat%h.iteret.%om
%a+e 2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
27/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
desigig the site for use o parti%ular browsers ad systems' istead ma?ig %orre%t use of
*TM; to esure that the site be a%%essible from all platforms 3 both those %urretly i
existe%e ad those oly )ust emergig' su%h as E$eb TDF ad other embedded systems.
*owever' due to the fa%t that aroud 6 of web site hits are made usig Mi%rosoft
@teret &xplorer or Aets%ape Aavigator' the site was rigorously tested usig these two
browsers to esure a ituitive ad aestheti%ally pleasig servi%e for the ma)ority of
%ustomers.
".1.1 )rames
#$M frames allo athors to present docments in mltiple vies, hich may )e
independent indos or s)indos. Mltiple vies offer designers a ay to &eep certain
information visi)le, hile other vies are scrolled or replaced.F1
The de%isio was made to employ frames to provide a persistet toolbar for easily
avigatig aroud the site 9providig li?s to browse produ%ts' view shoppig bas?et' log
out' et%.' as illustrated below. "dditioally' be%ause the toolbar frame remais i
existe%e for the duratio of a visit' this was deemed the best pla%e to embed the %liet3side
Java applet for %ommui%atig with the smart%ard.
Toolbar
Frame
- Lo+ in- Lo+ out- o"e- 3asket- #hop
etc.
Main Frame
&ispla$s selected page
Figure %.1: ,ain fra"e structure
Similarly' a additioal frameset withi the mai frame itself was %osidered most
appropriate for eablig users to sear%h for ad browse %ategories of produ%ts o the site:
Toolbar
Frame
- Lo+ in- Lo+ out- o"e- 3asket
- #hopetc.
Search Frame
Select categor$ nter search ter"
Products Frame
&ispla$s products "atching
search criteria
Figure %.2: rowsesearch products fra"e structure
%a+e 2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
28/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
&a%h frame withi a frameset displays the %otets of a separate *TM; page' he%e a
frameset do%umet itself is fairly small 3 typi%ally defiig oly the stru%ture' layout ad
(#;s of the idividual frames. @t is also possible' however' to provide %otet withi
oframesN..OoframesN tags whi%h is redered by browsers that do ot support frames.
This fa%ility was used to provide li?s to the most relevat page 9e.g.the Ewel%omeF page
withi the opeig frameset- ad all pages withi the site were desiged to provide a
alterative route to ea%h page' should the stati% toolbars be abset. ;i?s were used i
prefere%e to repetitio of %otet withi the oframesN se%tio i order to ease
maitea%e of the site 9updates would otherwise re,uire %hages to be made i two
pla%es' ad i order to prevet ue%essary amouts of data from beig trasferred to the
ma)ority of users who would be usig frames.
".1.2 )orms
An #$M form is a section of a docment containing normal content, mar&p, special
elements called /controls0 1chec&)oxes, radio )ttons, mens, etc.2, and la)els on those
controls. Users generally /complete0 a form )y modifying its controls 1entering text,
selecting men items, etc.2, )efore s)mitting the form to an agent for processing.31
/eig the oly method for obtaiig feedba%? from a user i a web appli%atio' forms were
%learly re,uired for su%h a%tios as sele%tig %ategories of produ%ts to view' ad submittig
sear%h %riteria' ,uatities ad shippig details to the server.
&a%h %otrol is give a ui,ue ame' ad upo submissio' ?ey3value pairs of the form
9%otrol ame' %otrol state are passed to the server either withi the headers of the *TTP
re,uest 9the HP4STB method' or as a suffix to the (#; 9the H&TB method thus:
htt://.aston.ac.u5/Lforenamefre!surname+lo''s
Some browsers pla%e a upper limit upo the legth of a (#;' %ostraiig the umber of
?ey3value pairs that %a be trasmitted usig &T. "dditioally' this method is %learly
usuitable for trasmittig sesitive iformatio as the (#; 9i its etirety is li?ely to be
%learly displayed withi the userBs address bar' ad may well be %a%hed by the browser
adOor a proxy server. =or these reasos' it was de%ided that P4ST be used for the
submissio of almost all forms withi the site. This te%hi,ue also has the advatage of
%ausig the iformatio set to the server to be e%rypted if a SS; asessio is used. The
aSe%ure So%?et ;ayer
%a+e 2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
29/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
oly ex%eptio to this de%isio was for the submissio of produ%t %ategory or sear%h
%riteria to the Eshow produ%tsF page 3 i this %ase' oly a small amout of iformatio is
ever trasmitted 9%ategory ame or sear%h term' ad the availability of (#;s of the form:
htt://.ser>er.com/ro!ucts.asLcate'or6stationer6htt://.ser>er.com/ro!ucts.asLsearchtermens
provides a ituitive meas for others to provide li?s to parti%ular produ%t pages o the
site. "lso' as the respose obtaied from a parti%ular %ategory or sear%h term is li?ely to
%hage ifre,uetly 9oly whe ew produ%ts are added' it would be safe for a server or
browser to %a%he the page retured' refere%ed by its exteded (#;.
".1.3 Client-side Scripting
The vast ma)ority of browsers used today possess a s%riptig egie whi%h permits
%liet3side %ode to be ru withi the browser eviromet 9e.g.Aets%ape Aavigator .0 ad
later' @teret &xplorer .0 ad later' ad 4pera .0 ad later. (sage of this s%riptig
%apability %a provide %osiderable beefits to both %liet ad server 3 for example' it %a
be used to validate forms before they are submitted to the server' prevetig the user from
wastig time waitig for a respose whe the form data is ivalid' redu%ig etwor? traffi%
ad relievig server load.
*owever' despite the fa%t that s%ripts ru i a EsadboxF' a plethora of se%urity EholesF
have bee dis%overed i the ma)or browsers durig re%et years' allowig s%ripts to
observe or modify elemets of the exteral system to whi%h they should ot be permitted
a%%ess. $hilst the vedors have typi%ally bee ,ui%? to provide pat%hes to %orre%t su%h
problems' some users have lost %ofide%e i %liet3side s%riptig ad have disabled it
withi their browsers. +ose,uetly' it is ot possible to rely upo this te%hology for
a%hievig %ore fu%tioality.
"s a result' the de%isio has bee made to utilise %liet s%riptig for the o3essetial tas?
of esurig form data is valid before submissio 9i additio to server3side validatio' ad
as the oly meas for providig a iterfa%e betwee the %liet3side Java applet ad
%ompoets o the web page. (se of the smart%ard is ot essetial for a%%essig ad usig
the site' he%e this' agai' does ot detra%t from %ore fu%tioality.
The stadard *TM; s%riptig laguage i use today is &+M"S%ript' origially developed
by Aets%ape 9as JavaS%ript' ad offered for stadardisatio i "utum 17. "ll browsers
%a+e 2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
30/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
whi%h support %liet3side s%riptig support this laguage' he%e this was the atural %hoi%e
for use withi the pro)e%t.
".1. !ynamic T(
!yami% *TM; 9H!*TM;B provides a eha%ed user experie%e by permittig
%liet3side s%ripts to modify the appeara%e of the web page o%e retrieved from the server'
allowig 3 for example 3 ob)e%ts to be moved ad hidde i respose to parti%ular evets.
The method by whi%h su%h dyami% a%tivity is a%hieved differs mar?edly betwee
browsers' however. May do ot support ay form of !*TM;' whilst the two most
%ommoly used produ%ts 9Aets%ape Aavigator 5 ad @teret &xplorer 5O6 possess su%h
radi%ally differet do%umet ob)e%t models that ay form of dyami% user iterfa%e
effe%tively eeds to be writte twi%e 3 o%e for ea%h browser. !espite the publi%atio of a
stadardised !4Maby the $+' it is oly with the re%et release of Aavigator 7 that
some form of %ommoality betwee the Aets%ape ad Mi%rosoft produ%ts has bee
re%ogisable.
+ose,uetly' !*TM; has ot bee employed at all withi this pro)e%t 3 due to the
authorBs per%eptio that it offers little beefit to the ed user' ad his relu%ta%e to exped
%osiderable effort over learig ad supportig o3stadard' proprietaryimplemetatios.
%# Cascading Style Sheets 1CSS2
Separatio of %otet from style is geerally regarded as desirable' due to the fa%t that the
role of providig ad maitaiig iformatio 9H%otetB is very differet from that of
desigig a aestheti%ally pleasig ad logi%al user iterfa%e. *istori%ally' *TM; has
blurred the boudaries betwee the two 3 a page will typi%ally %otai iformatio' perhaps
se%tioed usig des%riptive tags su%h as addressN' together with formattig %ommads
su%h as fot siIeQBRBN 9to i%rease text siIe.
+SS provides a meas for defiig style i a separate lo%atio from the mai *TM; body
9usually i a separate file etirely' ad offers a far ri%her set of %ommads to defie
appeara%e. =or database3ba%?ed sites' where the uderlyig data is already separately
maitaied withi the database' +SS provides the advatage of allowig multiple pages to
a!o%umet 4b)e%t Model
%a+e 2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
31/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
li? to a sigle stylesheet' thus allowig %hages to be made a%ross the site by ma?ig )ust
oe set of modifi%atios.
The ma)ority of %urret browsers support +SS ;evel 159@teret &xplorer .0 ad later'
Aets%ape 5.0 ad later' he%e it was de%ided that they be used throughout the site. Pages
viewed o a o3supportig browser might appear less attra%tive' but would retai full
fu%tioality.
%) Client-Side .ava Applet
@ order for %ommui%atio with the smart%ard to be effe%ted' the eed be%ame apparet
for the %reatio of a itermediate program whi%h was %apable of iterfa%ig both with the
web browser ad also with the smart%ard reader atta%hed to the %omputer. +liet3side
s%riptig te%hology is i%apable of a%hievig the latter dire%tly' he%e the most obvious
meas for a%hievig this was to %reate a Java applet that would be %apable of ruig
withi the Java Dirtual Ma%hies 9DMBs preset i the ma)ority of maistream browsers.
4ld Java DMBs preveted applets from %odu%tig operatios whi%h were %osidered
potetially harmful' su%h as a%%essig hardware' via a pro%ess ?ow assand)oxing.
*owever' the se%urity model of the Java platform 1.1 does permit su%h operatios to be
%odu%ted uder %ertai %ir%umsta%es 9typi%ally' after see?ig the userBs permissio.
Java 1.1 has bee i existe%e for may years' he%e is implemeted i the vast ma)ority of
browsers used today.
"dditioally' via use of a system %reated by Aets%ape ?ow asiveConnect' it has
be%ome possible for %liet3side s%ripts ruig i browsers to iterfa%e to Java applets
embedded withi the page 3 spe%ifi%ally' by use of the ets%ape.)avas%ript.JS4b)e%t %lass i
the Java %ode' ad the Hmays%riptB attribute i the appletN tag withi the host *TM;.
@t was %learly preferable for the applet to ma?e use of a established stadard to
%ommui%ate with the smart%ard reader' as opposed to ma?ig a dire%t %oe%tio via the
serialOparallel port ad beig tied to oe parti%ular type of devi%e. +ose,uetly' it was
de%ided to ma?e use of a Java3based framewor? ?ow as 4+=a that a%ts as a abstra%tio
layer betwee software ad hardware' ad for whi%h drivers are available for a umber of
devi%es.
a4pe%ard =ramewor?
%a+e (0
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
32/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
3 Client $mplementation
Please refer to the a%%ompayig +!3#4M to view the %ommeted %ode ad other files
%reated to implemet the system 9H$ebB dire%tory for user iterfa%e 9*TM;' +SS ad
images' H+lietB dire%tory for %liet3side Java applet sour%e.
"t the time of writig' the fiished sites were available from
http:OOee 3 p%5.asto.a%.u?Ola%ey%sOs% ad http:OOee 3 p%5.asto.a%.u?Ola%ey%sOsm .
3%" +eb 4ser $nterface
Two separate sites were ultimately %reated 3 oe represetig the %ard issuer
9SmartCentre' ad providig %ard persoalisatio ad top3up fa%ilities- the other 9Aston
SmartMar&et beig the &3%ommer%e site itself whi%h ma?es use of the SmartIDpersoal
profile ad Smart4alletele%troi% %ash fa%ilities.
Pages were %reated usig a text editor 3 developmet tools su%h as Mi%rosoft =rotPage
ad Ma%romedia !reamweaver were avoided' as the %ode they geerate was foud to ma?e
use of proprietary features withi maistream browsers whi%h %a prove problemati% whe
viewed i other eviromets.
@mages were iitially %reated i a ve%tor3based drawig pa%?age' amely +orelKara 2.0'
whi%h allowed for the %reatio of stadard styles ad modifi%atio of graphi%s 9e.g.
elargemet ad rotatio without loss of defiitio. $he the desig pro%ess was
%omplete' ati3aliased images were saved i @=afor buttos ad logos' whi%h is a
%ompressed' o3lossy' format providig a maximum palette of 267 %olours. Photographi%
images were saved usig JP&bformat' whi%h provides 253bit %olour depth' but uses a
lossy %ompressio algorithm 9ma?ig it usuitable for images %otaiig highly defied
edges' su%h as logos.
araphi%al @ter%hage =ormatbJoit Photographi% &xperts roup
%a+e (1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
33/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
/.1.1 SmartCentre Site
Separate pages were %reated for:
%ofigurig the %ard 9eterig persoal data' spe%ifyig se%urity settigs
%hagig the P@A
ublo%?ig the %ard by eterig the %orre%t ublo%? %ode
viewig the bala%e
%reditig 9Htoppig upB the %ard by use of a %redit %ard
repeatig a top up whi%h failed due to a etwor? failure
together with various iformatioal pages' i%ludig su%%essOfailure feedba%? for top3up
attempts.
Most of the pages used forms to obtai user iput' passig the data to the %ard by use of the
%liet3side Java applet. Toppig up ad repeatig top3ups were the oly pages to re,uire
server3side pro%essig of forms 9to geerate the %orre%t %ryptographi% respose- the
remaiig pages wor? %orre%tly if ru lo%ally i a web browser 9 i.e.ot fet%hed from a
server' providig users a meas for %ofigurig their %ards without %oe%tig to the
etwor?' if re,uired.
Figure '.1: For" used to configure personal profile
%a+e (2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
34/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
=rames were used to provide a easy3a%%ess toolbar' as see i figure 7.1 above' whi%h
also proved to be a suitable stati% lo%atio for embeddig the applet.
/.1.2 Aston Smartar0et Site
Separate pages were %reated for:
%reatig a ew user a%%out
loggig i
viewig shoppig bas?et %otets ad modifyig ,uatities
providig sear%h fa%ilities by %ategory or textually
displayig produ%ts mat%hig the sear%h %riteria
addig a spe%ified ,uatity of a produ%t to the shoppig bas?et
%he%?ig out usig a %redit %ard
%he%?ig out usig Smart$allet
repeatig a Smart$allet trasa%tio that failed due to a system or etwor?
problem
together with various iformatioal pages' i%ludig su%%essOfailure feedba%? for a%tios
su%h as %reatig a ew user ad ma?ig %redit %ard or smart%ard paymets.
"gai' a frameset was %reated to provide a stati% toolbar' although avigatio through
pages was su%h that operatio i a o3frames eviromet is possible.
%a+e ((
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
35/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Figure '.2: Aston S"art,ar/et front page
Figure '.3: Pages to search product database and view results
%a+e (
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
36/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
3%# Client-Side .ava Applet
/.2.1 nterface ethods
The applet %reated provided the followig methods whi%h %a be a%%essed from %liet3side
s%ripts' thus allowig others to implemet SmartIDadSmart4alletfu%tioality ito a
existig site relatively easily:
get/ala%e9 3 returs bala%e as iteger
get=ield9Strig fieldAame 3 returs profile iformatio as strig
set=ield9Strig fieldAame' Strig fieldDalue
debit9it value' Strig +hallege 3 returs %ryptographi% respose as strig
repeat!ebit#espose9 3 returs %ryptographi% respose as strig
prepare+redit9it value 3 returs %ryptographi% %hallege as strig
%redit9Strig #espose 3 returs su%%ess status as boolea
sedPi9it pi
setPi9it pi
setSe%urity9boolea privateSe%' boolea private4%e'
boolea geeralSe%' boolea geeral4%e getSe%urity9 3 returs se%urity settigs as strig of the form E0110F
ublo%?9Strig %ode 3 returs su%%ess status as boolea
begi+oversatio9
ed+oversatio9
Most are fairly self3explaatory' ad %orrespod to the %ore smart%ard fu%tios des%ribed
i !.5 Smartcard 6eatre Set.
Possibilities for fieldAame i get!ield;..
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
37/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
page may be surrouded by beginCon'ersation;
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
38/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
5 Smartcard Design $ss!es
5%" Choice of *perating System
Three multiple appli%atio smart%ard operatig systems are %ommoly i use 3 amely'
SuBs9avaCard' Mi%rosoftBs 4indos for Smartcardsad Maos%oBsMU$:S. The
fu%tioality provided by ea%h appears to be fairly similar 3 the ma)or differe%e i
implemetatios beig the laguage i whi%h developmet ta?es pla%e 9Java' Disual /asi%
ad assembly laguage' respe%tively.
The de%isio was made to sele%t M(;T4S %ards for developmet' solely be%ause this is
the system upo whi%h the "sto (iversity Smart Camps Cardis based. +ose,uetly'
it should be possible for the appli%atios writte for this pro)e%t to be loaded oto a "sto
%ard should a suitable appli%atio load %ertifi%ate be obtaied from the M(;T4S +" a.
5%# Card-Client Comm!nication
@S4
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
39/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
4.2.2 +esponse AP!*5s
#espose "P!(Bs %osist of a optioal data body' followed by a two3byte trailer' as
show i6igre ;.
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
40/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
6 Smartcard $mplementation
Please refer to the a%%ompayig +!3#4M 9H+ardB dire%tory orAppendix ; to view
%ommeted %ode for the %ard applet %reated.
6%" eat!re Set
"s des%ribed i
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
41/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
6.1.1 P +e7#ests
"s a additioal measure of se%urity' the applet was desiged ot to perform EdagerousF
operatios 9su%h as debits ad profile %hages uless the %orre%t P@A is submitted dire%tly
beforehad 9usig istru%tio 0x50.
@ additio' it was made possible for the user to %ofigure the %ard as to whether ad how
ofte 9always' o%e per sessio' or ever P@A etry is re,uired for retrievig profile
iformatio. 4ptios %a be spe%ified for EsesitiveF data 9password ad %redit %ard
umber ad for EgeeralF data 9all other fields.
The four bytes set ad re%eived as se%urity settigs i istru%tios 0x52 ad 0x5
represet four flags privateSe%' private4%e' geeralSe%' geeral4%e. privateSe%
idi%ates whether the %ard should re,uest P@A etry whe retrievig private iformatio'
ad private4%e how ofte this should o%%ur 91 Q o%e per sessio' 0 Q every re,uest.
The settig of the latter is irrelevat if privateSe% is set false. Similarly' geeralSe% ad
geeral4%e spe%ify whether ad how ofte the P@A should be re,uested for the retrieval
of geeral data.
6%# Developmental Process
+odig was %arried out usig a text editor' ad *ita%hiBsMltos Development $oolsused
to %ompile' debug ad load the M"; %ode oto a smart%ard.
Dery basi% fu%tioality was implemeted i the early stages of developmet' with extra
features beig added o%e testig proved that those already i existe%e wor?ed as
iteded. &xtesive use was made of the EMS!TF %ard simulator to isert brea?poits
ito %ode' the trasmit parti%ular "P!(Bs ad step through ea%h lie of the applet. The
system permitted the values of %hose variables to be observed 9Ewat%hedF whilststeppig through the %ode' ad showed the %otets of registers' the sta%? ad the
trasa%tio shadow data area 3 all of whi%h proved ivaluable i idetifyig errors withi
the %ode.
To permit testig of the applet upo the smart%ard itself' the $erminal Simlatorwas used
to upload the applet 9by sele%tio of a suitable load %ertifi%ate' desiged for the
developmet %ards' trasmit "P!(Bs ad view the %ard respose.
%a+e 0
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
42/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
7 Cryptographic Challenge and 'esponse
Cycle
7%" 'e(!irements
Previous desig de%isios di%tated that the oly re%ord of the value stored withi a userBs
wallet was to be o the smart%ard itself 9see
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
43/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
private ?ey for ea%h %ard 9as i SMaS@Mb%ards would redu%e the potetial for su%h
%atastrophi% destru%tio of the systemBs se%urityU
7%) Debit Proced!reThe pro%edure to debit the %ard ivolves the geeratio of a challengeby the server' whi%h
is trasmitted to the %liet together with the value to be debited. The %ard the attempts to
de%rease its bala%e by the amout spe%ified ad 3 if su%%essful 3 digitally sigs the
9%hallege'value data usig its private ?ey. The respose thus geerated %a the be
retured to the server whi%h' usig the same private ?ey as that preset o the %ard' %a
assess whether the %orre%t respose has bee retured ad thus whether the debit
istru%tio was %arried out.
Figure 8.1: &ebit co""unication se9uence
The algorithms typi%ally used to perform digital sigatures are !&S or 3!&S. *owever'
either was ot available o the developmet %ard provided- %ose,uetly' the fu%tio
performed was simply a ex%lusive3or of the 753bit private ?ey with a %o%ateatio of the
53bit %hallege ad the 173bit debit value. +learly' su%h a fu%tio is i o way suitable
for digital sigatures' as it is easily reversible' allowig the private ?ey to be %al%ulated. @f
implemeted o a release %ard' the values would istead be passed to the digital sigature
algorithm provided- ad the same fu%tio used o the server.
&a%h %hallege geerated by the server eeds to be ui,ue 9a nonce' so that the %orre%t
respose %a ever be obtaied by refere%e to histori% data. =or the purposes of this
pro)e%t' use of a 53bit radom umber with over 20 billio possible values' is regarded
alobal System for MobilesbSubs%riber @detity Module
%a+e 2
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
44/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
as beig suffi%iet. !eploymet i the real world may re,uire the use of loger umbers
ad a differet meas for %al%ulatig the o%e' i order to provide higher levels of
se%urity' ad redu%e the possibility of )rte-forceatta%?s from su%%eedig.
7%, Credit Proced!re
=or toppig up the %ard' a similar strategy is used to that employed withi the debit
pro%edure. *owever' i this %ase the %hallege is geerated by the %ard' ad thus a
additioal stage is re,uired for the %hallege to be re,uested' as show:
Figure 8.2: 5redit co""unication se9uence
HvalueB is set to Iero after %ompletio of the top3up to prevet replay of the repose %ausig
multiple %redits.
7% Tolerance to 8etwork ail!res
@ the evet of a etwor? failure' the situatio may arise where value is su%%essfully
debited from the %ard' ad the respose is geerated but ever re%eived by the server.
+ose,uetly' the %ard applet was %oded su%h that the respose' o%e geerated' is stored
i o3volatile memory- ad a %ommad added to the istru%tio set whi%h %auses the %ard
to repeat its last respose. *e%e' this fa%ility %ould be used repeatedly to re3attempt
trasmissio of the respose over the etwor? util su%%essful.
Similarly' i the evet of a etwor? failure prevetig a respose from rea%hig the %ard i
the fial %redit stage' the server eeds to be able to re3trasmit this as may times as
e%essary 9i.e.ta?e resposibility for ma?ig a re%ord of the last respose %al%ulated for
ea%h user.
%a+e (
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
45/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
7%3 Tolerance to System $nterr!ptions
@ the same way that trasa%tios were employed to prevet partial %ompletio of database
pro%esses o the server 9see '.(.5 Data)ase $ransactions' %ards trasa%tios have bee
used to e%ompass the %riti%al a%tios show i6igres !.5ad !.
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
46/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Figure 8.3: &ebit test site
Figure 8.4: 5redit test site
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
47/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
"9 Eval!ation
The author believes the pro)e%t to have bee su%%essful' i meetig ad ex%eedig the
origial aims. " &3%ommer%e site has bee su%%essfully %reated' ad 3 i the abse%e of
suitable spe%ifi%atios from Modex 3 a se%ure smart%ard paymet system has bee %reated
from s%rat%h. "dditioally' a smart%ard persoal profile system has bee %reated i
respose to the re,uest of *ita%hiBs Smart +ommer%e !ivisio.
Several people were as?ed to test the sites %reated' ad feedba%? obtaied from them was
used to refie the user iterfa%e. +osiderable testig has also bee %arried out by the
author to esure the stability of the etire system.
" site was %reated to demostrate the wor?igs of the %redit ad debit pro%edures'
permittig modifi%atios to be made to the data passed to the %ard ad server. "ttempts to
defraud the system 9e.g.by de%reasig the value passed to a %ard for a debit attempt' or
%odu%tig replay atta%?s all failed.
"9%" Pro:ect Costing
The oly dire%t %osts ivolved with the developmet of the system were with respe%t to
smart%ard hardware ad developmet tools 9?idly doated by *ita%hi:
1 @S Smart Mouse smart%ard reader V2.60
2 M(;T4S Test +ards W V20 ea%h V50.00
Total B"&.+
"dditioally' two P+Bs 9a server ad a wor?statio ad various operatig systems ad
pie%es of software 9$idows' Multos !evelopmet Tools' "%%ess were utilised.
The author believes the time spet resear%hig ad developig the system to be i ex%ess
of four hudred hours. "dditioally' aroud twelve hours were spet i %osultatio with
a%ademi% staff ad *ita%hi represetatives- ad approximately three hours with support
staff.
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
48/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
"9%" Possible !t!re Development
Should further time have bee available' it would have bee desirable to address the
followig issues:
1. #emove the eed for the site to be added to the list of Etrusted sitesF ad for full Java
permissios to be expli%itly grated i @teret &xplorer' by providig a versio of the
%liet3side Java applet whi%h was digitally siged usig Mi%rosoftBs sigig
te%hology. "lteratively' resear%h the feasibility of usig SuBs Java Plug3i for
@teret &xplorer' Aets%ape Aavigator ad 4pera to provide a stadard meas for
ruig ad gratig a%%ess rights to %ode.
2. #edu%e the potetial for uauthorised %ard debits by re,uirig debit re,uests to bedigitally siged.
. #edu%e the %omplexity of the istallatio pro%ess re,uired by users' by %reatig a
@stallShield wiIard 9or similar to automate the pro%ess.
5. @%rease the level of user feedba%? provided whe trasa%tios fail by providig a
fuller rage of %ard respose %odes to idi%ate differet errors
6. &sure validatio of *TM; forms o%%urs both o the server side ad the %liet side i
all %ases.
@ the loger term' the pro)e%t %ould be developed further by:
1. Performig server load tests' ad implemetig a system more suited to high volume
traffi% 9e.g.by deployig a 4ra%le database
2. Providig additioal meas for a%%essig the site' e.g.via $"PO$M; o mobile
telephoes
. +reatig %liet3side software to %ofigure the smart%ard ad maage the persoal
profile' without eed for a%%essig the ESmart+etreF web site.
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
49/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
"" Concl!sion
The su%%essful %reatio of smart%ard3based ele%troi% %ash ad persoal profile systems'
ad the itegratio of these ito a fully3fu%tioig &3%ommer%e site' suggest that
smart%ard te%hology does provide a feasible solutio to some of the problems whi%h
prevet &3%ommer%e sites from realisig their full potetial. Spe%ifi%ally' the ed3produ%t
%reated for this pro)e%t provides a portable' se%ure meas for users to store ad trasfer
ele%troi% %ash over the @teret' providig the same beefits that real %ash has over %redit
%ards with respe%t to mi%ropaymets' aoymity ad speed of trasa%tio. "dditioally'
the system allows users to %omplete olie forms rapidly' ad removes the eed for sites to
retai re%ords of persoal data 3 providig beefits i terms of priva%y ad removig the
eed for users to iform umerous sites wheever details %hage.
+urretly' the use of smart%ard te%hology for these purposes is most fudametally
%ostraied by the low umber of %ard readers i geeral use. *owever' the i%reasig
deploymet of smart%ards i ba?ig' ad the i%lusio of smart%ard fa%ilities i $idows
2000' %a oly serve to expedite their i%rease i popularity.
Aevertheless' a umber of other issues have bee idetified whi%h' util resolved' appear
li?ely to limit the utility of smart%ard te%hology with respe%t to &3%ommer%e.
+osiderable diffi%ulties were e%outered i a%%essig the smart%ard from withi the web
browser: the oly meas dis%overed beig by use of a framewor? 94+= whi%h is too
%ompli%ated to istall for the ma)ority of users. "lso' differe%es i the se%urity models of
browsers meat that applets had to be developed whi%h were appli%atio3spe%ifi% or
re,uired %ompli%ated %ofiguratio steps to be %arried out.
"dditioally' the relu%ta%e of Modex @teratioal to provide their spe%ifi%atios to
idividuals with whom they have o %ommer%ial trust agreemet' seems to be idi%ative of
the attitudes of the developers of most ele%troi% %ash systems' ad suggests that strog
%ofide%e still does ot exist i the se%urity of these systems.
$idespread adoptio of smart%ard te%hology for &3%ommer%e will therefore probably ot
o%%ur util a stadard meas for web browsers to iterfa%e with them has bee developed'
ad util a ope stadard exists for the storage ad trasfer of ele%troi% %ash' allowig
deploymet by all.
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
50/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
'eferences
1 #agget ! et al:#$M (.> Specification' revised 1' $+
2 #agget !:#$M '.< "eference Specification' 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
51/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
;ibliography
+obley ": $he Complete ?ide to 9ava' 1ue
;ie *' /os /: Cascading Style Sheets evel 5' 17' $+
Mit%hell S' "t?iso J:Active Server %ages '.>' 2000' S"MS
#agget ! et al:#$M (.> Specification' revised 1' $+
#agget !:#$M '.< "eference Specification' 1' 1' Maos%o
Mltos Developers ?ide v5.' 1' Maos%o
%a+e 0
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
52/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& "< System *verview
*nternet *n4or"ation #erver
A#% #criptin+ !n+ine
563C Layer
6ata7ase
#erver-si$e8ava App
3rowser
#criptin+ !n+ine
Client-si$e 8ava applet
8ava 9&
#"art*6 Applet
A%*
*nterpreter
5peratin+ #yste" :&ULT5#;
1nternet
PC8SC (ayer
Server 5lient
S"artcard
5pencar$
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
53/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& #< P!blic E&planatory Material
Appendi& #%"< $ntrod!ction to Smart$D and
Smart+allet
elcome to SmartCentre
This site allows %ofiguratio of your Smart$)ad Smartalletapplets.
Smart$)eables you to store ad maitai your persoal profile o your ow smart%ard.
Sites usig Smart$)do ot retai persoal data' su%h as address ad %redit %ard details'
but istead obtai it whe re,uired by ,ueryig your smart%ard. Smart$)will oly release
private iformatio whe you permit it to' givig you full %otrol over how your data is
hadled. "dditioally' by allowig you to update your profile wheever e%essary'
Smart$)removes the eed for iformig umerous sites wheever your details %hage.
Gou %a%ofigureSmart$)or %hage your P@A.
Smartalletprovides a se%ure meas for storig ad trasferrig value over ise%ure
etwor?s' su%h as the @teret. Sites employig Smartalletas a meas of paymet will
be able to debit or %redit your %ard istataeously' avoidig delays iheret withi %redit
%ard %learig systems. Smartalletwill oly permit debits to be made after see?ig your
permissio' ad as there is o eed to had over ay %redit or debit %ard details' there is oris? of your umber beig used ulawfully.
Gou %aview your %urret bala%eortop up your walletusig a %redit or debit %ard.
%a+e 2
http://var/www/apps/conversion/tmp/scratch_2/configsid.htmlhttp://var/www/apps/conversion/tmp/scratch_2/configsid.htmlhttp://var/www/apps/conversion/tmp/scratch_2/setpin.htmlhttp://var/www/apps/conversion/tmp/scratch_2/setpin.htmlhttp://var/www/apps/conversion/tmp/scratch_2/balance.htmlhttp://var/www/apps/conversion/tmp/scratch_2/balance.htmlhttp://var/www/apps/conversion/tmp/scratch_2/topupsw.htmlhttp://var/www/apps/conversion/tmp/scratch_2/topupsw.htmlhttp://var/www/apps/conversion/tmp/scratch_2/configsid.htmlhttp://var/www/apps/conversion/tmp/scratch_2/setpin.htmlhttp://var/www/apps/conversion/tmp/scratch_2/balance.htmlhttp://var/www/apps/conversion/tmp/scratch_2/topupsw.html -
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
54/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& #%#< Privacy Statement for SmartMarket
3ri'acy Statement@ order to ma?e pur%hases from this site' you will eed to register yourself ito our user
database by providig your ame ad %hoi%e of userame ad password. This' ad the
%otets of your shoppig bas?et' is the oly iformatio whi%h SmartMar?et will retai
%o%erig you.
$heever address or %reditO%ard umber iformatio is re,uested' it used to pro%ess the
sigle trasa%tio for whi%h it has bee etered. Ao permaet re%ord is made of this data.
$e re%ommed that you use the Smart$)smart%ard system to maitai your persoal
profile ad use this to fill i our forms ,ui%?ly ad a%%urately.
$heever you log i' we use a Xsessio %oo?ieX to idetify you to our server for the
duratio of your visit. Su%h %oo?ies are small text files whi%h are temporarily stored o
your %omputerYs hard dis?' the %otets of whi%h %a oly be set to the web site whi%h
origially %reated them. "ll sessio %oo?ies are automati%ally destroyed by your browser
whe you %lose it dow.
To remove the eed for loggig i every time you visit our site' you may ti%? the box
amed Xremember my logi usig %oo?iesX to store a permaet %oo?ie o your hard dis?.
$e re%ommed this optio oly if you are usig a persoal ma%hie. ;oggig out from our
site will always destroy all sessio ad permaet %oo?ies.
%a+e (
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
55/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& )< Server $nstallation $nstr!ctions
These istru%tios are spe%ifi% Mi%rosoft $idows AT 5 Server' with the Java Dirtual
Ma%hie' @teret @formatio Server 9with "SP support' ad "%%ess 4!/+ drivers
istalled. !eploymet o other platforms is utested.
1. +opy the web site files 9o +!3#4M' H$ebB dire%tory ito the web root dire%tory of
@@S 9by default' +:Z@etpubZwwwroot or %reate a ew virtual dire%tory to host the files
elsewhere.
2. +opy the "%%ess database 9o +!3#4M' HServerB dire%tory to a lo%atio o the server
that is ot a served web dire%tory. +reate a 4!/+ %oe%tio to this file usig the
"%%ess 4!/+ driver
9+otrol Pael !ata Sour%es 94!/+ System !SA tab "dd...
. +opy the Server3side Java appli%atio to $@AATZJavaZT#(ST;@/ ad register it as a
+4M %ompoet usig the J"D"#& utility 9if ot o system' o +!3#4M' HServerB
dire%tory usig the followig %ommad:
;a>are' /re'ister /class:2mart7hallen'e /ro':72).2mart7hallen'e
5. #eboot the system to %omplete registratio of the +4M %ompoet
Appendi& )%"< $mplementing SS/
SS; is ot re,uired for the su%%essful implemetatio of this system. The followig
pro%edure %a' however' be used to implemet it if re,uired. Mi%rosoft +ertifi%ate Server
will eed to be istalled before pro%eedig.
Appendi 3.1.1 9eneration of Ser$er Certificate
Start theInternet Service Manager9Start 3N $idows AT 5 4ptio Pa%? 3N Mi%rosoft
@teret @formatio Server 3N @teret Servi%e Maager
#ight %li%? o E!efault $eb SiteF 9or virtual dire%tory if %reated' sele%t EPropertiesF
!ire%tory Se%urity tab 3N &dit Se%ure +ommui%atio 3N 8ey Maager
#ight %li%? E$$$F i 8ey Maager' +reate Aew 8ey
=ollow the wiIard to %reate a %ertifi%ate re,uest file' esurig EPut the re,uest i a fileF
is sele%ted o the first s%ree' as automati% trasmissio to a olie authority appears
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
56/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
ot to wor? %orre%tly. 4 the third s%ree' esure the etry for E4rgaisatioF is the
registered ower of the domai withi whi%h the web server resides 9e.g.E"sto
(iversityF for asto.a%.u?. "lso' E+ommo AameF should be the resolved @P
address of the web server 9e.g. ee3p%5.asto.a%.u? 3 if this is u?ow' determie
usig http:OOwww.%lara.etOdialupOsupportOip.shtml .
#e,uest a server %ertifi%ate from a +ertifi%atio "uthority 9e.g.Derisig at
http:OOwww.verisig.%omOsiteOidex.html' followig the olie istru%tios ad
submittig the file geerated by 8ey Maager 9the +S#afile whe re,uested
"fter re%eivig the %ertifi%ate' right %li%? the ew ?ey i 8ey Maager ad sele%t
E@stall 8ey +ertifi%ateF. ;o%ate the %ertifi%ate ad sele%t it. @f the %ertifi%ate re%eived
was embedded as plai text withi a &mail message' it will be e%essary to %opy ad
paste the text betwee 33333/&@A +T@=@+"T&33333 ad
33333&A! +T@=@+"T&33333 ito a ew file with a .p
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
57/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& ,< Client $nstallation $nstr!ctions
These istru%tios are spe%ifi% to Mi%rosoft $idows with @teret &xplorer 6.0 adOor
Aets%ape Aavigator 5..+at2ET 7)A22PATH#7)A22PATH#@7:M?en7ar!M?71.FMli+M+ase-core.;ar
2ET 7)A22PATH#7)A22PATH#@7:M?en7ar!M?71.FMli+M+ase-ot1.;ar
2ET 7)A22PATH#7)A22PATH#@7:M?en7ar!M?71.FMli+Mcsc.;ar
2ET 7)A22PATH#7)A22PATH#@7:M?en7ar!M?71.FMli+Mreference-ser>ices.;ar
Appendi& ,%#< $nternet E&plorer
1. +opy the Hope%ard.propertiesB file istalled by 4+= 9by default' i
+:ZProgram =ilesZJavaSoftZJ#&Z1.2Zlib ito @&Bs Java home dire%tory
9$idowsZJavaZlib
2. "dd the server upo whi%h the site is hosted 9e.g.ee3p%5.asto.a%.u? to the list of
Etrusted sitesF 9Tools @teret 4ptios...Se%urity tab Trusted Sites Sites...
. rat full permissios to Java %ode origiatig from trusted sites
9Trusted Sites +ustom ;evel... Java Permissios' sele%t E+ustomF-
Java +ustom Settigs... &dit Permissios #u (siged +otet' sele%t
E&ableF
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
58/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& ,%)< 8etscape 8avigator
1. +opy the Hope%ard.propertiesB file istalled by 4+= 9by default' i
+:ZProgram =ilesZJavaSoftZJ#&Z1.2Zlib ito Aets%apeBs Java home dire%tory
9+:ZProgram =ilesZAets%apeZ(sersZuserameN as H.ope%ard.propertiesB
2. +opy the !;; H4+=P+S+1.!;;B istalled by 4+= 9by default' i
+:Z4pe+ardZ4+=1.2Zlib to Aets%apeBs Java library dire%tory 9+:ZProgram
=ilesZAets%apeZ+ommui%atorZProgramZ)avaZbi
. @stall the %ertifi%ate for the E"stoF +ertifi%atio "uthority 9used to %reate the
%ertifi%ate with whi%h the applet was siged' as opposed to pur%hasig oe by
draggig the Hx60.%a%ertB file 9o +!3#4M' H+lietOASB dire%tory ito the browserwidow' ad followig the olie istru%tios
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
59/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& < Server Code
Appendi& %"< ASP E&les
Appendi ".1.1: (ibrary for calling cryptographic f#nctions &s;atee6 3111QNR4NQFS4RSSNSO3
Dnclusion of this li+rar6 ill automaticall6 instantiate the ser>er ;a>a 7?( comonentim ssmart7hallen'e2et ssmart7hallen'e 2er>er.7reate?+;ect8372).2mart7hallen'e39
DGenerate a resonse to a car!Ds challen'e for tou 8i.e. authorise the cre!it9unction create=esonse8s>alue* schallen'e9
create=esonse ssmart7hallen'e.create=esonse8s>alue* schallen'e*
sri>atee69En! unction
D7alculate the eCecte! resonse from a car! to in!icate reuire! !e+it occurre!unction reemt=esonse8s>alue* schallen'e9
reemt=esonsessmart7hallen'e.reemt=esonse8s>alue* schallen'e* sri>atee69
En! unction
DGenerate a challen'e for the !e+it roce!ureunction create7hallen'e
create7hallen'essmart7hallen'e.create7hallen'e89En! unction
D=elease connection to 7?( comonentunction sfinalise
2et ssmart7hallen'e nothin'En! unction#$
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
60/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi ".1.2: Ser$er-side $alidation for registering a #ser &add#ser.asp'
"# )A,GUAGE B2crit #$"%--&inclu!e file3../st!li+.as3--$"%--&inclu!e file3../!+li+.as3--$"#
im urlAen!* userECists* username* assor!* forename* surnameusername=euest83username39assor!=euest83assor!39forename=euest83forename39surname=euest83surname39
urlAen! 3Lusername3 username 3assor!3 assor! 3forename3 forename 3surname3 surname
D7hec5 to see if user alrea!6 eCists in !ata+aseuserECists ,ot isEmt6=2832E)E7T Username =?( Accounts WHE=E UsernameD3 username 3D39
f =euest83assor!39 "$ =euest83assor!F39 ThenDPassor!s !o not match!+finalise89=esonse.=e!irect83a!!user!iffass.as3 urlAen!9
Elsef username33 ?r assor!33 ?r forename33 ?r surname33 ThenDEssential fiel! left +lan5!+finalise89=esonse.=e!irect83a!!userincomlete.as3 urlAen!9
Elsef userECists ThenDUser alrea!6 eCists!+finalise89=esonse.=e!irect83a!!usereCists.as3 urlAen!9
ElseD? to insert user into !ata+ase!+ECecute83,2E=T ,T? Accounts 8Username*Passor!*orename*2urname9 A)UE2 8D3
username 3D*D3 assor! 3D*D3 forename 3D*D3 surname 3D939!+finalise89=esonse.=e!irect83a!!usersuccess.html39
En! f#$
%a+e
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
61/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi ".1.3: =alidating card5s debit response &sca#thorise.asp'
"# )A,GUAGE B2crit #$"%--&inclu!e file3../st!li+.as3--$"%--&inclu!e file3../!+li+.as3--$"%--&inclu!e file3../ccli+.as3--$
"%--&inclu!e file3../sli+.as3--$"#im eCecte!=es* actual=es* transactionalue* +as5etTotal* name* a!!ressactual=es=euest83car!=esonse39 D=etrie>es car!Ds resonse to cr6to'rahic challen'e+as5etTotal'et,umericBas5etTotal89
D?+tain information for current transaction from !ata+ase...!+alues 'reater than 2martWalletDs maCimum +alance are not ossi+le!+finalise89=esonse.=e!irect83sceCcess.as39
Elsef actual=eseCecte!=es An! +as5etTotaltransactionalue ThenD=esonse o+taine! from car! is correct* an! >alue of +as5et contentsDhas not chan'e! since challen'e as issue!o+;7onn.Be'inTrans DBe'in !ata+ase transaction +ecause chec5in' out of each item
Dan! for'ettin' eCecte! resonse must +e atomicurchaseBas5et89!+ent rela6 attac5s
o+;7onn.7ommitTrans D7ommit transaction!+finalise89=esonse.=e!irect83scsuccess.as39
Else!+finalise89=esonse.=e!irect83scfail.as39
En! f#$
%a+e 0
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
62/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& %#< Server-Side .ava Applicationimort ;a>a.io.K@imort ;a>a.math.K@
u+lic class 2mart7hallen'e
final int (aC7ar!Balance NO000@
u+lic 2trin' create7hallen'e89 Bi'nte'er numFON ne Bi'nte'er83FON39@ Bi'nte'er result ne Bi'nte'er83039@ int ran!om@ for 8int i0@ i"N@ i9 //(a5e a lar'e ran!om num+er +6 result result.multil68numFON9@ //concatanatin' se>eral ran!om 8int9 8FONK(ath.ran!om899@ //ran!om +6tes 8maC >alue of +6teFON9 result result.a!!8 ne Bi'nte'er8nte'er.to2trin'8ran!om99 9@ V return result.to2trin'89@ V
u+lic 2trin' create=esonse8int >alue* 2trin' challen'e* 2trin' ri>atee69 Bi'nte'er numFON ne Bi'nte'er83FON39@
Bi'nte'er result ne Bi'nte'er83039@ Bi'nte'er challen'e,um ne Bi'nte'er8challen'e9@ Bi'nte'er challen'eTest ne Bi'nte'er8challen'e9@ Bi'nte'er ri>atee6,um ne Bi'nte'er8ri>atee69@ +6te tCBloc5IJ ne +6teIRJ@ for 8int iQ@ i$0@ i--9 tCBloc5IiJ 8+6te9 challen'eTest.remain!er8numFON9.intalue89@ challen'eTest challen'eTest.!i>i!e8numFON9@ V if 8tCBloc5IQJ8+6te98>alue#FON9 tCBloc5INJ8+6te98>alue/FON99 //alue em+e!!e! in challen'e is same as that secifie! 8in D>alueD arameter9 //therefore return correct resonse... resultchallen'e,um.Cor8ri>atee6,um9@ return result.to2trin'89@ V
u+lic 2trin' reemt=esonse8int >alue* 2trin' challen'e* 2trin' ri>atee69 Bi'nte'er numFON ne Bi'nte'er83FON39@ Bi'nte'er result ne Bi'nte'er83-139@ Bi'nte'er challen'e,um ne Bi'nte'er8challen'e9@ if 8>alue " (aC7ar!Balance9 +6te tCBloc5IJ ne +6teIRJ@ //etermine +6tes that ill actuall6 +e transmitte! to car!... tCBloc5IQJ 8+6te98>alue#FON9@ tCBloc5INJ 8+6te98>alue/FON9@ for 8int iO@ i$0@ i--9 tCBloc5IiJ 8+6te9 challen'e,um.remain!er8numFON9.intalue89@ challen'e,um challen'e,um.!i>i!e8numFON9@ V Bi'nte'er tCBloc5,um ne Bi'nte'er8tCBloc59@ Bi'nte'er ri>atee6,um ne Bi'nte'er8ri>atee69@ result tCBloc5,um.Cor8ri>atee6,um9@ V
return result.to2trin'89@ V
V
%a+e 1
-
8/12/2019 Development of an E-commerce Site with Smartcard Payment Mechanism
63/79
!-co""erce #ite with #"artcar$ %ay"ent &echanis" Appen$i' () #erver *nstallation *nstructions
Appendi& 3< Client Code
Appendi& 3%"< 0TM/ and ECMAScript E&les
Appendi /.1.1: *sing client-side >a$a applet ;ith forms &configsid.html'
"html$"hea!$"lin5 rel3st6lesheet3 href3sc.css3 t6e3teCt/css3$"scrit lan'ua'e3;a>ascrit3 t6e3teCt/;a>ascrit3$function 'etiel!s89 >ar in* sec2ettin's* 'eneral2ec* 'eneral?nce* ri>ate2ec* ri>ate?nce arent.tool+ar.!ocument.smart.+e'in7on>ersation89@ !ocument.userform.username.>aluearent.tool+ar.!ocument.smart.'etiel!83username39@ !ocument.userform.assor!.>aluearent.tool+ar.!ocument.smart.'etiel!83assor!39@ !ocument.userform.forename.>aluearent.tool+ar.!ocument.smart.'etiel!83forename39@ !ocument.userform.surname.>aluearent.tool+ar.!ocument.smart.'etiel!83surname39@ !ocument.userform.a!!ress.>aluearent.tool+ar.!ocument.smart.'etiel!83streeta!!ress39@ !ocument.userform.ton.>aluearent.tool+ar.!ocument.smart.'etiel!83ton39@
!ocument.userform.count6.>aluearent.tool+ar.!ocument.smart.'etiel!83count639@ !ocument.userform.ostco!e.>aluearent.tool+ar.!ocument.smart.'etiel!83ostco!e39@ !ocument.userform.cc,um+er.>aluearent.tool+ar.!ocument.smart.'etiel!83cc,um+er39@ sec2ettin's3C3 arent.tool+ar.!ocument.smart.'et2ecurit689@ arent.tool+ar.!ocument.smart.en!7on>ersation89@ ri>ate2ecsec2ettin's.charAt819@ ri>ate?ncesec2ettin's.charAt8F9@ 'eneral2ecsec2ettin's.charAt89@ 'eneral?ncesec2ettin's.charAt849@ !ocument.userform.ri>atePinI0J.chec5e! 88ri>ate2ec3139 8ri>ate?nce30399@ !ocument.userform.ri>atePinI1J.chec5e! 8ri>ate?nce3139@ !ocument.userform.ri>atePinIFJ.chec5e! 8ri>ate2ec3039@ !ocument.userform.'eneralPinI0J.chec5e! 88'eneral2ec3139 8'eneral?nce30399@ !oc