E-Business Systems Architecture Ahmed Salah [email protected].
E-Business Fundamentals: E-Business Systems Architecture
Ahmed Salah, [email protected]
Contents
• E-commerce architecture
• Three-tier client/server architecture
• Peer-to-peer architecture
• Basic security issues
• E-payment systems
Three-Tier Client/Server Arch.
[Diagram: Customer's Web browser --HTTP--> Seller's Web/Application Server --> Data Server holding the product data bank and the customer data bank; labelled Tier 1, Tier 2, Tier 3]
• First tier: user system interface, where user services (such as session, text input, dialog, and display management) reside.
• Middle tier: application that controls transactions and shares business logic, computations, and a data retrieval engine.
• Third tier: database management server.
Three-Tier Client/Server Arch.
[Diagram: the same three tiers, with Tier 2 split into a Web Server and an Application Server sitting between the browser (HTTP) and the Data Server]
Three-Tier Client/Server Arch.
[Diagram: the tiers by role: Tier 1 Presentation (Web browser), Tier 2 Application logic (Web application on the Web Server), Tier 3 Data (Data Server with product and customer data banks)]
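As an added illustration (not part of the slides), the three tiers as three Python components: the presentation tier parses the browser's form fields, the application tier holds the business rules and is the only caller of the data tier, and the data tier answers only parameterised queries. The in-memory SQLite database, its sample rows, and all class and function names are constructed for this example.

```python
import sqlite3


# --- Tier 3: data server. An in-memory SQLite database stands in for the product
# and customer data banks; the sample rows are constructed for this example. ---
class DataServer:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER, stock INTEGER);
            CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
            CREATE TABLE orders    (id INTEGER PRIMARY KEY AUTOINCREMENT, customer_id INTEGER,
                                    product_id INTEGER, qty INTEGER, total_cents INTEGER);
        """)
        self.db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                            [(1, "Widget", 1999, 5), (2, "Gadget", 4999, 0)])
        self.db.execute("INSERT INTO customers VALUES (1, 'Alice')")

    def get_product(self, product_id):
        # Every query is parameterised: the data tier never builds SQL from strings.
        row = self.db.execute("SELECT id, name, price_cents, stock FROM products WHERE id = ?",
                              (product_id,)).fetchone()
        return None if row is None else dict(zip(("id", "name", "price_cents", "stock"), row))

    def customer_exists(self, customer_id):
        return self.db.execute("SELECT 1 FROM customers WHERE id = ?",
                               (customer_id,)).fetchone() is not None

    def record_order(self, customer_id, product_id, qty, total_cents):
        # One transaction: the stock decrement and the order row commit together or not at all.
        with self.db:
            updated = self.db.execute(
                "UPDATE products SET stock = stock - ? WHERE id = ? AND stock >= ?",
                (qty, product_id, qty)).rowcount
            if updated != 1:
                raise LookupError("insufficient stock")
            return self.db.execute(
                "INSERT INTO orders (customer_id, product_id, qty, total_cents) VALUES (?, ?, ?, ?)",
                (customer_id, product_id, qty, total_cents)).lastrowid


# --- Tier 2: application server. Business rules live here, and only this tier
# talks to the data server. ---
class ApplicationServer:
    def __init__(self, data):
        self.data = data

    def place_order(self, customer_id, product_id, qty):
        if not isinstance(qty, int) or qty <= 0:
            return {"ok": False, "error": "quantity must be a positive integer"}
        if not self.data.customer_exists(customer_id):
            return {"ok": False, "error": "unknown customer"}
        product = self.data.get_product(product_id)
        if product is None:
            return {"ok": False, "error": "unknown product"}
        total = product["price_cents"] * qty  # the price comes from the data tier, never from the client
        try:
            order_id = self.data.record_order(customer_id, product_id, qty, total)
        except LookupError as exc:
            return {"ok": False, "error": str(exc)}
        return {"ok": True, "order_id": order_id, "product": product["name"],
                "qty": qty, "total_cents": total}


# --- Tier 1: presentation. Turns the browser's string fields into typed values
# and renders the application tier's answer for display. ---
def parse_order_form(form):
    """Return typed fields, or None when the form is missing a field or not numeric."""
    try:
        return {k: int(form[k]) for k in ("customer_id", "product_id", "qty")}
    except (KeyError, ValueError):
        return None


def render(result):
    if not result["ok"]:
        return "Order rejected: " + result["error"]
    return "Order %d accepted: %d x %s, total $%d.%02d" % (
        result["order_id"], result["qty"], result["product"],
        result["total_cents"] // 100, result["total_cents"] % 100)


def handle_request(app, form):
    """The Web tier's entry point: form dict in, display string out."""
    fields = parse_order_form(form)
    if fields is None:
        return "Order rejected: malformed form"
    return render(app.place_order(**fields))


if __name__ == "__main__":
    shop = ApplicationServer(DataServer())
    print(handle_request(shop, {"customer_id": "1", "product_id": "1", "qty": "2"}))
    print(handle_request(shop, {"customer_id": "1", "product_id": "2", "qty": "1"}))
    print(handle_request(shop, {"customer_id": "1", "product_id": "1", "qty": "1 OR 1=1"}))
```

The browser never reaches the data tier: the form fields pass through type conversion in Tier 1, the rules in Tier 2, and only then a parameterised statement in Tier 3, which is the split the later slides describe as isolating the computer that stores order and card data from direct Web access.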
Basic E-Commerce Operations
• Create a Web site including an order form
• Web site can e-mail or fax orders
• Process orders and payments offline
• Fast, easy, and cheap to set up
• Data is not secure
[Diagram: Client --orders--> Server]
Basic E-Commerce Operations
• Convert to a Merchant Server (storefront)
• Get a server certificate for SSL
• Sign up with a Payment Gateway
[Diagram: Client browser --orders--> Merchant Server --> Payment Gateway]
Basic E-Commerce Operations
[Diagram: Web/Application Server running catalog page generation and order data capture; stores: static Web pages, catalog data, order data, credit card info.]
More Advanced E-Commerce
• Systems are more complicated: separate applications by function
  ▪ Catalog
  ▪ Content management
  ▪ Transaction processing
• Split implementations for security
More Advanced E-Commerce
[Diagram: Web Server (static Web pages) in front of an Application Server with Catalog Application, Customer Mgmt., Order Capture, Order Processing, Data Mgmt., Payment Processing, Fulfillment and Customer Service; data stores: catalog database, customer data, order data, payment data]
EC Application’s Elements
• Products (physical or digital) / services
• Website, catalog, content management
• Marketing
• Getting orders
• Payment
• Fulfillment
• Customer services
• Integration
EC Application Functionalities
Attract: generate and keep customer interest
  • Marketing
  • Web site design
Interact: convert interest to orders
  • Catalog sales
  • Content mgmt.
Act: manage orders
  • Order capture
  • Payment
  • Fulfillment
React: service customers
  • After-sale services
  • Order tracking
Basic Security Issues
“On the Internet, no one knows you’re a dog!”
Major Security Concepts
• Authentication: how sender and receiver prove their identities.
• Authorization: when and which users can gain access to parts of the system.
• Integrity: assure that information is not altered or corrupted.
• Privacy and confidentiality: assure that your information is not shared without your knowledge.
Security Techniques
• Passwords
• Firewall
• Cryptography: mathematics-based methods to encrypt and decrypt data
  ▪ Secret key or symmetric encryption (algorithms: DES, Triple DES, AES)
  ▪ Public key or asymmetric encryption (algorithm: RSA)
  ▪ Digital Signature, Digital Certificate (authentication techniques based on encryption)
  ▪ Protocols: SSL (Secure Sockets Layer), SET (Secure Electronic Transaction)
Security Policy
Evaluate risks and identify:
• Resources to protect
  ▪ information, programs, etc.
• Legitimate access requirements
• Threats and types of attacks
• Access paths to protect
  ▪ Internet, dial-up ports, physical, etc.
E-Payment Systems
• Paying with credit cards online
• Consumers were extremely reluctant to use their credit card numbers on the Web
• This is changing because:
  ▪ Many people are more aware of the security measures that should be taken to avoid fraud.
  ▪ 85% of the transactions that occur on the Web are B2B rather than B2C (credit cards are rarely used in B2B transactions)
E-Payment Systems - cont.
Four parties involved in e-payments:
• Issuer
  ▪ Customers must obtain e-payment accounts from an issuer
  ▪ Issuers are usually involved in authenticating a transaction and approving the amount involved
• Customer/payer/buyer
• Merchant/payee/seller
• Regulator
E-Payment Systems - cont.
• Key issue of trust must be addressed: PAIN
  ▪ Privacy
  ▪ Authentication and authorization
  ▪ Integrity
  ▪ Nonrepudiation
• Characteristics of successful e-payment methods
  ▪ Interoperability and portability
  ▪ Security
  ▪ Ease of use
  ▪ Transaction fees
Security for E-Payments
• Public key infrastructure (PKI): a scheme for securing e-payments using public key encryption and various technical components
• Foundation of many network applications:
  ▪ Supply chain management
  ▪ Virtual private networks
  ▪ Secure e-mail
  ▪ Intranet applications
Security for E-Payments (cont)
• Public key encryption
• Encryption (cryptography): the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time consuming for an unauthorized person to unscramble (decrypt).
Security for E-Payments (cont)
All encryption has four basic parts:
• Plain text
  ▪ an unencrypted message in human-readable form
• Cipher text
  ▪ a plaintext message after it has been encrypted into unreadable form
• Encryption algorithm
  ▪ the mathematical formula used to encrypt the plaintext into ciphertext and vice versa
• Key
  ▪ the secret code used to encrypt and decrypt a message
Security for E-Payments (cont)
Two major classes of encryption systems:
• Symmetric (private key)
  ▪ Used to encrypt and decrypt plain text
  ▪ Shared by sender and receiver of text
• Asymmetric (public key)
  ▪ Uses a pair of keys
  ▪ Public key to encrypt the message
  ▪ Private key to decrypt the message
Security for E-Payments (cont)
• Public key encryption: method of encryption that uses a pair of keys
  ▪ a public key to encrypt a message and a private key (kept only by its owner) to decrypt it, or vice versa
• Private key
  ▪ secret encryption code held only by its owner
• Public key
  ▪ encryption code that is publicly available to anyone
[Figure: Private Key Encryption]
[Figure: Public Key Encryption]
[Figure: Key Sizes & Time to Try All Possible Keys]
Security for E-Payments (cont.)
• Digital signatures: an identifying code that can be used to authenticate the identity of the sender of a message or document
• Used to:
  ▪ Authenticate the identity of the sender of a message or document
  ▪ Ensure the original content of the electronic message or document is unchanged
Security for E-Payments (cont.)
Digital Signatures—how they work:
1. Create an e-mail message with the contract in it
2. Using special software, you “hash” the message, converting it into a string of digits (message digest)
3. You use your private key to encrypt the hash; the encrypted hash is your digital signature
4. E-mail the original message along with the encrypted hash to the receiver
5. Receiver uses the same special software to hash the message they received
6. Receiver uses your public key to decrypt the message hash that you sent. If their hash matches the decrypted hash, then the message is valid
Security for E-Payments (cont.)
• Digital certificates: verification that the holder of a public or private key is who he or she claims to be
• Certificate authorities (CAs): third parties that issue digital certificates
[Figure: sample digital certificate]
  Name: “Richard”
  Key-exchange key:
  Signature key:
  Serial #: 29483756
  Other data: 10236283025273
  Expires: 6/18/04
  Signed: CA’s signature
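The six signing steps above and the certificate fields on the sample certificate, worked through in code. This is an added example, not the course's material: to run on the Python standard library alone it builds textbook RSA from scratch (Miller-Rabin primes, no padding, 320-bit keys that are far too small for real use), which is an assumption of the example rather than what a production system would do. The function names, the contract text, and the use of the slide's "Richard" certificate values are constructed for the example.

```python
import hashlib
import json
import random

# Toy RSA built from scratch so the example needs only the standard library.
# Assumption for this example: textbook RSA with NO padding and 320-bit keys,
# far too small for real use; a real system would use a vetted library.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=320, seed=None):
    """Return ((e, n), (d, n)). The seed only makes the demo repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this checks gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

# Steps 2/5 and 3/6 of the slides: hash the message, then sign or check the hash.
def message_digest(message):
    """SHA-256 of the message as an integer; n is 320 bits, so the digest is < n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_key, message):
    """Step 3: 'encrypt' the digest with the private key; the result is the signature."""
    d, n = private_key
    return pow(message_digest(message), d, n)

def verify(public_key, message, signature):
    """Step 6: recover the digest with the public key and compare to a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)

# A digital certificate: the CA signs the binding of a name to a public key,
# a serial number and an expiry date (the fields the slide shows for "Richard").
def issue_certificate(ca_private, name, subject_public, serial, expires):
    body = {"name": name, "key": list(subject_public), "serial": serial, "expires": expires}
    encoded = json.dumps(body, sort_keys=True).encode()  # canonical form to sign
    return {"body": body, "ca_signature": sign(ca_private, encoded)}

def certificate_is_valid(cert, ca_public, today):
    """Valid only if the CA's signature checks out and the certificate has not expired."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_public, encoded, cert["ca_signature"]) and today <= cert["body"]["expires"]

if __name__ == "__main__":
    sender_pub, sender_priv = generate_keypair(seed=7)
    ca_pub, ca_priv = generate_keypair(seed=8)
    contract = b"I agree to buy 100 widgets at $19.99 each."  # constructed message
    sig = sign(sender_priv, contract)
    print("original contract verifies:", verify(sender_pub, contract, sig))
    print("altered contract verifies: ", verify(sender_pub, contract.replace(b"100", b"1000"), sig))
    cert = issue_certificate(ca_priv, "Richard", sender_pub, 29483756, "2004-06-18")
    print("certificate valid on 2004-01-01:", certificate_is_valid(cert, ca_pub, "2004-01-01"))
    print("certificate valid on 2004-07-01:", certificate_is_valid(cert, ca_pub, "2004-07-01"))
```

Changing a single byte of the contract changes its digest, so the receiver's fresh hash no longer matches the one recovered from the signature; the same check applied to the certificate body is what stops anyone from swapping the name or key on a certificate after the CA has signed it, and the expiry comparison is why the "Expires" field is part of what the CA signs.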
Security for E-Payments (cont.)
• Secure socket layer (SSL): protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality
• Transport Layer Security (TLS): as of 1996, another name for the Secure Socket Layer protocol
Electronic Cards and Smart Cards
• Payment cards: electronic cards that contain information that can be used for payment purposes
  ▪ Credit cards: provide the holder with credit to make purchases up to a limit fixed by the card issuer
  ▪ Charge cards: the balance on a charge card is supposed to be paid in full upon receipt of the monthly statement
  ▪ Debit cards: the cost of a purchase is drawn directly from the holder’s checking account (demand-deposit account)
Electronic Cards and Smart Cards (cont.)
The players:
• Cardholder
• Merchant (seller)
• Issuer (your bank)
• Acquirer (merchant’s financial institution, acquires the sales slips)
• Card association (VISA, MasterCard)
• Third-party processors (outsourcers performing the same duties formerly provided by issuers, etc.)
[Figure: Online Credit Card Processing]
Electronic Cards and Smart Cards (cont.)
• Credit card gateway: an online connection that ties a merchant’s systems to the back-end processing systems of the credit card issuer
• Virtual credit card: an e-payment system in which a credit card issuer gives a special transaction number that can be used online in place of regular credit card numbers
Electronic Cards and Smart Cards (cont.)
Security risks with credit cards:
• Stolen cards
• Repudiation by the customer: authorizes a payment and later denies it
• Theft of card details stored on the merchant’s computer: isolate the computer storing the information so it cannot be accessed directly from the Web
Electronic Cards and Smart Cards (cont.)
• Purchasing cards: special-purpose payment cards issued to a company’s employees to be used solely for purchasing specific materials and services up to a preset dollar limit
Electronic Cards and Smart Cards (cont.)
Benefits of using purchasing cards:
• Productivity gains
• Bill consolidation
• Preferred pricing
• Management reports
• Control
[Figure: Participants & Process of Using a Purchasing Card]
Smart Cards
• Smart card: an electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card
Smart Cards (cont.)
Categories of smart cards:
• Contact card
  ▪ a smart card containing a small gold plate on the face that, when inserted in a smart-card reader, makes contact and so passes data to and from the embedded microchip
• Contactless (proximity) card
  ▪ a smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device
Smart Cards (cont.)
Securing smart cards:
• Theoretically, it is possible to “hack” into a smart card
  ▪ Most cards can now store the information in encrypted form
  ▪ The same cards can also encrypt and decrypt data that is downloaded or read from the card
• The cost to the attacker of doing so far exceeds the benefits
Smart Cards (cont.)
Important applications of smart card use:
• Financial
• Information technology
• Health and social welfare
• Transportation
• Identification
E-Cash and Innovative Payment Methods
• E-cash: the digital equivalent of paper currency and coins, which enables secure and anonymous purchases
• Micropayments: small payments, usually under $10
E-Cash and Payment Card Alternatives (cont.)
• Mobile payments: Vodafone “m-pay bill” system that enables wireless subscribers to use their mobile phones to make their payments
• Qpass (qpass.com): charges to a Qpass account are charged to a specified credit card on a monthly basis
E-Loyalty and Reward Programs
• Loyalty programs: online B2C sites spend hundreds of dollars acquiring new customers; payback only comes from repeat customers, who are likely to refer other customers to a site
• Electronic scrip: a form of electronic money (or points), issued by a third party as part of a loyalty program; can be used by consumers to make purchases at participating stores
Person-to-Person Payments
• Person-to-person (P2P) payments: e-payment schemes (such as paypal.com) that enable the transfer of funds between two individuals
  ▪ Repaying money borrowed
  ▪ Paying for an item purchased at an online auction
  ▪ Sending money to students at college
  ▪ Sending a gift to a family member
Global B2B Payments
• Letters of credit (LC): a written agreement by a bank to pay the seller, on account of the buyer, a sum of money upon presentation of certain documents
Electronic Letters of Credit (LC)
• Benefits to sellers
  ▪ Credit risk is reduced
  ▪ Payment is highly assured
  ▪ Political/country risk is reduced
• Benefits to buyer
  ▪ Allows buyer to negotiate for a lower purchase price
  ▪ Buyer can expand its source of supply
  ▪ Funds withdrawn from buyer’s account only after the documents have been inspected by the issuing bank
E-Checking
• E-check: the electronic version or representation of a paper check
  ▪ Eliminates the need for expensive process reengineering and takes advantage of the competency of the banking industry
  ▪ eCheck Secure (from vantaguard.com) and checkfree.com provide software that enables the purchase of goods and services with e-checks
  ▪ Used mainly in B2B
Assignment
Choose a successful EB site:
• Can you describe how the site is secured?
• Describe the website’s e-payment system