E-Business Systems Architecture, Ahmed Salah, ahmed.salah@mcit.gov.eg

Transcript of "E-Business Systems Architecture" by Ahmed Salah (52 slides).

Page 1: E-Business Systems Architecture, Ahmed Salah, ahmed.salah@mcit.gov.eg

E-Business Fundamentals
E-Business Systems Architecture

Ahmed Salah
ahmed.salah@mcit.gov.eg

Page 2: Contents

• E-commerce architecture
  ▪ Three-tier client/server architecture
  ▪ Peer-to-peer architecture
• Basic security issues
• E-payment systems

Page 3: Three-Tier Client/Server Arch.

[Figure: three-tier diagram. Tier 1, the customer's Web browser; Tier 2, the seller's Web-application server, reached over HTTP; Tier 3, the data server holding the product data bank and the customer data bank.]

• First tier: user system interface where user services (such as session, text input, dialog, and display management) reside.
• Middle tier: application that controls transactions and shares business logic, computations, and a data retrieval engine.
• Third tier: database management server.

Page 4: Three-Tier Client/Server Arch.

[Figure: the same three-tier diagram with Tier 2 now shown as a Web server and an application server: the customer's Web browser talks HTTP to the seller's Web server; the data server in Tier 3 holds the product and customer data banks.]

Page 5: Three-Tier Client/Server Arch.

[Figure: the same diagram labelled by layer: Tier 1, presentation (Web browser); Tier 2, application logic (Web server and Web application); Tier 3, data (data server with the product and customer data banks).]

Page 6: Basic E-Commerce Operations

• Create a Web site including an order form
• Web site can e-mail or fax orders
• Process orders and payments offline
• Fast, easy, and cheap to set up
• Data is not secure

[Figure: client sends orders to server.]

Page 7: Basic E-Commerce Operations

• Convert to a Merchant Server (storefront)
• Get a server certificate for SSL
• Sign up with a Payment Gateway

[Figure: client browser sends orders to the merchant server, which is connected to the payment gateway.]

Page 8: Basic E-Commerce Operations

[Figure: a Web-application server with two functions, catalog page generation and order data capture, over four stores: static Web pages, catalog data, order data, and credit card information.]

Page 9: More Advanced E-Commerce

• Systems are more complicated: separate applications by function
  ▪ Catalog
  ▪ Content management
  ▪ Transaction processing
• Split implementations for security

Page 10: More Advanced E-Commerce

[Figure: a Web server serving static Web pages and a catalog application backed by the catalog database; an application server with customer management, order capture, order processing, data management, payment processing, fulfillment, and customer service modules, backed by customer data, order data, and payment data.]

Page 11: EC Application's Elements

• Products (physical or digital) / services
• Website, catalog, content management
• Marketing
• Getting orders
• Payment
• Fulfillment
• Customer services
• Integration

Page 12: EC Application Functionalities

Attract: generate and keep customer interest
  • Marketing

Interact: convert interest to orders
  • Catalog sales
  • Content mgmt.

Act: manage orders
  • Order capture
  • Payment
  • Fulfillment

React: service customers
  • After-sale services
  • Order tracking

• Web site design

Page 13: Basic Security Issues

“On the Internet, no one knows you’re a dog!”

Page 14: Major Security Concepts

• Authentication: how do sender and receiver prove their identities?
• Authorization: when and which users can gain access to parts of the system.
• Integrity: assure that information is not altered or corrupted.
• Privacy and confidentiality: assure that your information is not shared without your knowledge.

Page 15: Security Techniques

• Passwords
• Firewall
• Cryptography: mathematics-based methods to encrypt and decrypt data
  ▪ Secret key or symmetric encryption (algorithms: DES, Triple DES, AES)
  ▪ Public key or asymmetric encryption (algorithm: RSA)
  ▪ Digital signature, digital certificate (authentication techniques based on encryption)
  ▪ Protocols: SSL (Secure Sockets Layer), SET (Secure Electronic Transaction)

Page 16: Security Policy

Evaluate risks and identify:
• Resources to protect
  ▪ information, programs, etc.
• Legitimate access requirements
• Threats and type of attacks
• Access paths to protect
  ▪ Internet, dial-up ports, physical, etc.

Page 17: E-Payment Systems

Paying with credit cards online
• Consumers were extremely reluctant to use their credit card numbers on the Web
• This is changing because:
  ▪ Many people are more aware of the security measures that should be taken to avoid fraud.
  ▪ 85% of the transactions that occur on the Web are B2B rather than B2C (credit cards are rarely used in B2B transactions)

Page 18: E-Payment Systems - cont.

Four parties involved in e-payments
• Issuer
  ▪ Customers must obtain e-payment accounts from an issuer
  ▪ Issuers are usually involved in authenticating a transaction and approving the amount involved
• Customer/payer/buyer
• Merchant/payee/seller
• Regulator

Page 19: E-Payment Systems - cont.

• Key issue of trust must be addressed: PAIN
  ▪ Privacy
  ▪ Authentication and authorization
  ▪ Integrity
  ▪ Nonrepudiation
• Characteristics of successful e-payment methods
  ▪ Interoperability and portability
  ▪ Security
  ▪ Ease of use
  ▪ Transaction fees

Page 20: Security for E-Payments

• Public key infrastructure (PKI): a scheme for securing e-payments using public key encryption and various technical components
• Foundation of many network applications:
  ▪ Supply chain management
  ▪ Virtual private networks
  ▪ Secure e-mail
  ▪ Intranet applications

Page 21: Security for E-Payments (cont)

Public key encryption

• Encryption (cryptography): the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time consuming for an unauthorized person to unscramble (decrypt).

Page 22: Security for E-Payments (cont)

All encryption has four basic parts:
• Plain text
  ▪ an unencrypted message in human-readable form
• Cipher text
  ▪ a plaintext message after it has been encrypted into unreadable form
• Encryption algorithm
  ▪ the mathematical formula used to encrypt the plaintext into ciphertext and vice versa
• Key
  ▪ the secret code used to encrypt and decrypt a message

Page 23: Security for E-Payments (cont)

Two major classes of encryption systems:
• Symmetric (private key)
  ▪ Used to encrypt and decrypt plain text
  ▪ Shared by sender and receiver of text
• Asymmetric (public key)
  ▪ Uses a pair of keys
  ▪ Public key to encrypt the message
  ▪ Private key to decrypt the message

Page 24: Security for E-Payments (cont)

• Public key encryption: method of encryption that uses a pair of keys
  ▪ a public key to encrypt a message and a private key (kept only by its owner) to decrypt it, or vice versa
• Private key
  ▪ secret encryption code held only by its owner
• Public key
  ▪ encryption code that is publicly available to anyone

Page 25: Private Key Encryption

[Figure only; not captured in the transcript.]

Page 26: Public Key Encryption

[Figure only; not captured in the transcript.]

Page 27: Key Sizes & Time to Try All Possible Keys

[Slide content not captured in the transcript.]

Page 28: Security for E-Payments (cont.)

• Digital signatures: an identifying code that can be used to authenticate the identity of the sender of a message or document
• Used to:
  ▪ Authenticate the identity of the sender of a message or document
  ▪ Ensure the original content of the electronic message or document is unchanged

Page 29: Security for E-Payments (cont.)

Digital signatures: how they work

1. Create an e-mail message with the contract in it
2. Using special software, you “hash” the message, converting it into a string of digits (message digest)
3. You use your private key to encrypt the hash; the encrypted hash is your digital signature

Page 30: Security for E-Payments (cont.)

4. E-mail the original message along with the encrypted hash to the receiver
5. Receiver uses the same special software to hash the message they received
6. Receiver uses your public key to decrypt the message hash that you sent. If their hash matches the decrypted hash, then the message is valid
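The six steps above, written out as an added Go example (not code from the slides): the sender hashes the contract with SHA-256 and signs the digest with an RSA private key, and the receiver re-hashes what it received and checks the signature with the sender's public key, once for the genuine message and once for a copy whose amount was changed. "Encrypt the hash with the private key" in step 3 is realised as an RSA PKCS#1 v1.5 signature, the standard form of that operation; the contract text and the key pair are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Step 2: hash the message into a fixed-size message digest (SHA-256 here).
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Step 3: the sender "encrypts" the digest with the private key. In standard form this
// is an RSA PKCS#1 v1.5 signature over the SHA-256 digest; the result is the signature.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(msg))
}

// Steps 5 and 6: the receiver re-hashes the message it actually received and checks
// the signature with the sender's public key. If either the message or the signature
// was altered in transit, the check fails.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(msg), sig) == nil
}

// RunScenario signs a constructed contract, then verifies the genuine message and a
// copy whose amount was changed. It returns (genuineOK, tamperedOK, err).
func RunScenario() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the sender's key pair
	if err != nil {
		return false, false, err
	}
	contract := []byte("Seller delivers 10 units to Customer for EGP 5000") // constructed sample
	sig, err := Sign(priv, contract)
	if err != nil {
		return false, false, err
	}
	tampered := []byte("Seller delivers 10 units to Customer for EGP 500") // one digit removed
	// The receiver needs nothing from the sender except the public key.
	return Verify(&priv.PublicKey, contract, sig), Verify(&priv.PublicKey, tampered, sig), nil
}

func main() {
	genuine, tampered, err := RunScenario()
	fmt.Println(genuine, tampered, err) // true false <nil>
}
```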

Page 31: Security for E-Payments (cont.)

• Digital certificates: verification that the holder of a public or private key is who he or she claims to be
• Certificate authorities (CAs): third parties that issue digital certificates

[Figure: a sample certificate]
Name: “Richard”
Key-Exchange Key:
Signature Key:
Serial #: 29483756
Other Data: 10236283025273
Expires: 6/18/04
Signed: CA’s Signature

Page 32: Security for E-Payments (cont.)

• Secure socket layer (SSL): protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality
• Transport Layer Security (TLS): as of 1996, another name for the Secure Socket Layer protocol

Page 33: Electronic Cards and Smart Cards

• Payment cards: electronic cards that contain information that can be used for payment purposes
  ▪ Credit cards: provide the holder with credit to make purchases up to a limit fixed by the card issuer
  ▪ Charge cards: the balance on a charge card is supposed to be paid in full upon receipt of the monthly statement
  ▪ Debit cards: the cost of a purchase is drawn directly from the holder’s checking account (demand-deposit account)

Page 34: Electronic Cards and Smart Cards (cont.)

The players
• Cardholder
• Merchant (seller)
• Issuer (your bank)
• Acquirer (merchant’s financial institution, acquires the sales slips)
• Card association (VISA, MasterCard)
• Third-party processors (outsourcers performing the same duties formerly provided by issuers, etc.)

Page 35: Online Credit Card Processing

[Figure only; not captured in the transcript.]

Page 36: Electronic Cards and Smart Cards (cont.)

• Credit card gateway: an online connection that ties a merchant’s systems to the back-end processing systems of the credit card issuer
• Virtual credit card: an e-payment system in which a credit card issuer gives a special transaction number that can be used online in place of regular credit card numbers

Page 37: Electronic Cards and Smart Cards (cont.)

Security risks with credit cards
• Stolen cards
• Repudiation by the customer: authorizes a payment and later denies it
• Theft of card details stored on the merchant’s computer: isolate the computer storing the information so it cannot be accessed directly from the Web

Page 38: Electronic Cards and Smart Cards (cont.)

• Purchasing cards: special-purpose payment cards issued to a company’s employees to be used solely for purchasing specific materials and services up to a preset dollar limit

Page 39: Electronic Cards and Smart Cards (cont.)

Benefits of using purchasing cards
• Productivity gains
• Bill consolidation
• Preferred pricing
• Management reports
• Control

Page 40: Participants & Process of Using a Purchasing Card

[Figure only; not captured in the transcript.]

Page 41: Smart Cards

• Smart card: an electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card

Page 42: Smart Cards (cont.)

Categories of smart cards
• Contact card
  ▪ a smart card containing a small gold plate on the face that, when inserted in a smart-card reader, makes contact and so passes data to and from the embedded microchip
• Contactless (proximity) card
  ▪ a smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device

Page 43: Smart Cards (cont.)

Securing smart cards
• Theoretically, it is possible to “hack” into a smart card
  ▪ Most cards can now store the information in encrypted form
  ▪ Some cards can also encrypt and decrypt data that is downloaded or read from the card
• Cost to the attacker of doing so far exceeds the benefits

Page 44: Smart Cards (cont.)

Important applications of smart card use:
• Financial
• Information technology
• Health and social welfare
• Transportation
• Identification

Page 45: E-Cash and Innovative Payment Methods

• E-cash: the digital equivalent of paper currency and coins, which enables secure and anonymous purchase
• Micropayments: small payments, usually under $10

Page 46: E-Cash and Payment Card Alternatives (cont.)

• Mobile payments: Vodafone “m-pay bill”, a system that enables wireless subscribers to use their mobile phones to make their payments
• Qpass (qpass.com): charges to a Qpass account are charged to a specified credit card on a monthly basis

Page 47: E-Loyalty and Reward Programs

• Loyalty programs: online B2C sites spend hundreds of dollars acquiring new customers; payback only comes from repeat customers, who are likely to refer other customers to a site
• Electronic scrip: a form of electronic money (or points), issued by a third party as part of a loyalty program; can be used by consumers to make purchases at participating stores

Page 48: Person-to-Person Payments

• Person-to-person (P2P) payments: e-payment schemes (such as paypal.com) that enable the transfer of funds between two individuals
  ▪ Repaying money borrowed
  ▪ Paying for an item purchased at an online auction
  ▪ Sending money to students at college
  ▪ Sending a gift to a family member

Page 49: Global B2B Payments

• Letters of credit (LC): a written agreement by a bank to pay the seller, on account of the buyer, a sum of money upon presentation of certain documents

Page 50: Electronic Letters of Credit (LC)

Benefits to sellers
• Credit risk is reduced
• Payment is highly assured
• Political/country risk is reduced

Benefits to buyer
• Allows the buyer to negotiate for a lower purchase price
• Buyer can expand its source of supply
• Funds are withdrawn from the buyer’s account only after the documents have been inspected by the issuing bank

Page 51: E-Checking

• E-check: the electronic version or representation of a paper check
  ▪ Eliminates the need for expensive process reengineering and takes advantage of the competency of the banking industry
• eCheck Secure (from vantaguard.com) and checkfree.com provide software that enables the purchase of goods and services with e-checks
• Used mainly in B2B

Page 52: Assignment

Choose a successful EB site:
• Can you describe how the site is secured?
• Describe the website’s e-payment system