E-Commerce and the security problem.
Nitsan Avivi, Tsila Ben-Moshe
SDBI – Fall 2000
Computer Science, Hebrew University, Jerusalem
Index:
Introduction - what is e-commerce, how it works, main components, trends
Security - problems and solutions (RSA, HTTPS, SSL, SET)
SDML – Signed Document Markup Language
A Bit Of History
The first e-commerce sales were in… 1886! A telegraph operator, one Sears, sold watches using the “net” :-)
1994 marks the beginning of the “commercial age” on the internet.
July 1995: AMAZON.COM is founded.
Trading Volume On The Net
1996 - 3B $
1998 - 17B $
2000 - 100B $
2001 - 200-700B $!!
Gateway sells 4M $ a day through the net.
In 1999 the number of net consumers was estimated at 130 M.
51% of the net is commercial.
AMAZON has 60M customers in 160 states.
E-Commerce - Definition
The processes by which organizations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology.
Encompasses both business-to-business and business-to-consumer models.
E-commerce VS E-business
E-commerce - trading products through the web to private consumers: unknown consumers in stores open to the public.
E-business - transactions between firms and banks, such as signing contracts, contract offers, etc. The negotiating sides usually know each other well.
E-Commerce Main “factors”
The main “ingredients”: one net (preferably secured), some vendors (with SSL-supporting servers), a lot of consumers (with HTTPS-supporting browsers).
For the gravy: a database, forms, and order-handling software.
The paying issue
Since consumer and vendor never really meet, payment has to be made with virtual money. Coins and bills just won’t fit through the modem connection...
The most popular way is with credit cards: pros - well known, widespread, easy to use, internationally supported.
But-
The paying issue (cont.)
Cons:
Not practical for small payments (under 5 $) due to the commission that the credit card companies charge.
No privacy: it identifies the payer (not so “hot” if your wife finds the sex site bills in the monthly bill…;-) )
He who has the number has it all! The security problem is a very serious one that will be discussed later on.
The Paying Issue (Cont.)
E-money: an electronic wallet that the consumer charges with money.
eCash - the “coins” are strings containing a value and a code, which the customer buys from the bank. When the payer pays, the strings are transmitted to the payee. The payee then confirms the strings with the bank and gets real money.
Paying Issue (Cont.)
Pros - effective for small payments, and allows privacy. But-
Cons: complex and not widely supported. The companies behind the two major protocols are in big financial problems...
Paying Issue (Cont.)
Smart-cards: a hardware device that stores information about the amount of money charged into it (Mondex).
Pros: easy and safe to use. Cons: has to fight the credit cards. More common in Europe than in the U.S.
E-Commerce Security
A secured payment transaction system is critical to E-Commerce.
The traditional Electronic Data Interchange (EDI) system has been implemented within trusted networks only.
EDI is not good for e-commerce systems over the wide-open, insecure Internet.
Business-To-Consumer Security (consumer point of view)
While purchasing on an e-commerce website using their credit cards, consumers are putting themselves at risk, because this information might be stolen.
A team of hackers hacked into several websites and then sent a list of names along with their credit card information, including Bill Gates' credit card information, to a broadcasting station (26 Mar. 2000).
Business-To-Consumer Security (company point of view)
The success of an e-commerce web site is built on the trust of its customers. A customer must believe that their information will be protected.
Security is a trade-off between access and protection, as well as resources and money.
E-commerce companies have an ethical obligation to provide a secure web site.
Major problem: confidentiality. Solution: encryption.
Business-To-Business Security
In general the parties are already engaged in business; the web is another medium allowing them to exchange data electronically.
Signing documents, for example, requires ensuring the other party’s identity.
Major problem: verification. Solution: authentication.
Security – Encryption
Using the RSA public-key cryptosystem for both encryption and authentication, without sharing any private keys.
Encryption and verification are done using only public keys.
Decryption and signing are possible only by someone in possession of the correct private key.
RSA is more and more popularly used in Internet commerce systems.
Security Solutions
SSL - Secure Sockets Layer
SSL is the secure layer inserted between TCP and HTTP.
SSL is a protocol intended for secure communication between a client and a server.
It enables the customer (client) to be certain of the vendor (server), but not vice versa. For that reason, the use of SSL is often supplemented by passwords for user authentication.
Solutions (Cont.)
HTTPS - HTTP Secure
HTTPS is HTTP on top of SSL, a secure version of HTTP.
Web browsers accessing a Web server that supports SSL will be required to use the HTTPS protocol, with a URL that looks like this:
https://iPier.com/SSL.html
Solutions (Cont.)
SET - Secure Electronic Transactions
The SET protocol is used by VISA and MasterCard. It uses RSA public-key cryptography for encryption and authentication.
Three participants:
Cardholder: credit card user - buyer.
Merchant: seller.
Payment Gateway: server that processes payment information.
Plus a Certificate Authority: authority that issues certificates to the three types of participants.
SET (Cont.)
The SET protocol has three important features:
1. All sensitive information sent between the three participants is encrypted.
2. All three participants are required to authenticate themselves with certificates.
3. The merchant doesn't see the customer's card number in plaintext.
The three features actually make Internet commerce more secure than traditional credit card transactions.
SET (Cont.) - Dual Digital Signature
Digital signature encryption: the process that "locks" online documents so that they can't be tampered with.
SET uses a dual digital signature: the message is signed (encrypted with the sender’s private key), and the recipient can verify the originality of the message received – authentication.
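The RSA key roles from the encryption slide (public key encrypts and verifies, private key decrypts and signs) and SET's dual signature, as an added example that is not part of the original presentation: a textbook RSA on fixed Mersenne primes, with no padding, used only to show which key each operation needs. The dual signature follows the SET construction, one signature over the hash of the payment digest concatenated with the order digest, so the merchant can verify the order while holding only the digest of the payment information; the two keypairs, the digest order and the sample order/payment strings are constructed for this example.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA keypair from two primes; returns (public, private).
    Demonstration only: fixed primes, no padding, no randomness."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


# Constructed keys on well-known Mersenne primes (M521, M127, M607, M89).
CARDHOLDER_PUB, CARDHOLDER_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
GATEWAY_PUB, GATEWAY_PRIV = make_keypair(2**607 - 1, 2**89 - 1)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rsa_encrypt(message: bytes, pub) -> int:
    """Encryption needs only the recipient's public key."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def rsa_decrypt(ciphertext: int, priv) -> bytes:
    """Decryption needs the recipient's private key."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def rsa_sign(digest: bytes, priv) -> int:
    """Signing needs the signer's private key."""
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify(digest: bytes, signature: int, pub) -> bool:
    """Verification needs only the signer's public key."""
    n, e = pub
    return pow(signature, e, n) == int.from_bytes(digest, "big")


def dual_sign(order_info: bytes, payment_info: bytes, priv):
    """Cardholder: one signature covering both the order and the payment data.
    Returns (dual signature, order digest, payment digest)."""
    oimd = sha256(order_info)    # order information message digest
    pimd = sha256(payment_info)  # payment information message digest
    ds = rsa_sign(sha256(pimd + oimd), priv)
    return ds, oimd, pimd


def merchant_verify(order_info: bytes, pimd: bytes, ds: int, pub) -> bool:
    """Merchant gets OI in clear plus PIMD: it never sees the card number,
    yet can check that the signature binds this order to that payment."""
    return rsa_verify(sha256(pimd + sha256(order_info)), ds, pub)


def gateway_verify(payment_info: bytes, oimd: bytes, ds: int, pub) -> bool:
    """Gateway gets PI in clear plus OIMD: it checks the same signature
    without learning the order details."""
    return rsa_verify(sha256(sha256(payment_info) + oimd), ds, pub)


# Constructed sample data; the PAN is the common test number, not a real card.
SAMPLE_OI = b"order 1234: 1 x watch, total 99.00 USD, ship to Jerusalem"
SAMPLE_PI = b"PAN=4111111111111111 exp=12/02 amount=99.00 USD"

if __name__ == "__main__":
    ds, oimd, pimd = dual_sign(SAMPLE_OI, SAMPLE_PI, CARDHOLDER_PRIV)
    print("merchant accepts order :", merchant_verify(SAMPLE_OI, pimd, ds, CARDHOLDER_PUB))
    print("gateway accepts payment:", gateway_verify(SAMPLE_PI, oimd, ds, CARDHOLDER_PUB))
    print("altered order rejected :", not merchant_verify(SAMPLE_OI + b"!", pimd, ds, CARDHOLDER_PUB))
    # PI travels encrypted for the gateway, which is why the merchant cannot read it.
    print("gateway decrypts PI    :", rsa_decrypt(rsa_encrypt(SAMPLE_PI, GATEWAY_PUB), GATEWAY_PRIV) == SAMPLE_PI)
```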
SSL vs. SET
SSL - provides a simple encrypted connection between the client's computer and the merchant's server over the Internet, and authentication of the merchant's server with its digital certificate from a certificate authority.
Requires installing a web server that supports SSL, and obtaining and assigning a digital certificate from a certificate authority.
Fairly easy to implement; has been built into major web servers and browsers.
SSL vs. SET (Cont.)
Is SSL really secure? It is more secure than phone and postal mail delivery.
But the security ends at the merchant's site. It does not keep the credit-card numbers out of the merchant's hands!
SSL vs. SET (Cont.)
SET - The last feature (the merchant never sees the customer's card number in plaintext) makes Internet commerce more secure than traditional credit card transactions, and it is also more secure than SSL.
To implement SET in e-commerce on the Internet, special SET software must be implemented widely in clients' web browsers. It is a big challenge to make such software widely available to the Internet community.
Dealing With Security Problems
The online sale sites try to deal with the security problem, and the uneasiness that it causes consumers, in various ways:
Trying to make security as good and OBVIOUS as possible.
Avoiding keeping any of the consumers’ sensitive data on the web (e.g. credit card number).
Dealing With Security Problems (Cont.)
Making the sale on the net, but getting the details off line.
Confirming identity with a one-time password, and acquiring the details from a secured “middle man”.
Examples:
4SALE - OBVIOUS Security
To be able to buy you first have to register as a member with a user name and a password.
A database saves all the members' information: address, phone #, and credit card #.
The privacy policy and the fact that the site uses the SSL protocol are underlined and impossible to miss.
4SALE (Cont.)
Pros - very easy to use: fast, with very little fuss.
Cons - your details are all alone in the big cold web, just waiting for some big bad wolf to offer them a candy...
NETACTION - No Database
No registering or membership: you insert your details just when you want to use the vendor's services.
Pros - no details are kept in a long-lived database, so no one can steal them.
Cons - a very slow and tiring procedure that you have to repeat every time. Data IS kept for some time in the system after all.
OLSALE - 2 Stages
You register as a member, but you don’t need to leave any sensitive information. If a purchase is made, the vendor contacts you offline to fill in the missing details.
Pros - the online procedure is fast and easy. As safe as ordering a pizza.
Cons - demands that you be accessible. As safe as ordering a pizza...
SHOPY - using OTP
You acquire a one-time password system from a “middle man”, and register once with him.
Instead of filling in your personal details, you send an OTP generated by the system (in this case, a card). The OTP may include details on the sum of money as well.
SHOPY - using OTP (Cont.)
Pros - easy enough to use. Details are kept offline: less vulnerable.
Cons - you need to get the system first, and the system is not widely supported by vendors. Your details are available to a third party. Just one step behind smart cards (credit cards are still involved).
Still One Basic Problem
All the above methods take care of the basic risk (and common fear) of someone tapping the lines or breaking into the database.
They do not take care of the case where the vendor himself is the crook.
SDML - Signed Document Markup Language
SDML was developed by the Financial Services Technology Consortium (FSTC).
The signatures become part of the SDML document and can be verified by the recipients as the document travels through the business process.
(The slide shows an example of a signed electronic document.)
SDML (Cont.)
SDML enables:
Verifiability of Origin - the recipient can authenticate that the document was created by a specific person or institution, and that the signature was not forged or created by an impostor.
Integrity - a document recipient can determine that the document has not been altered in any way since it was signed.
Accountability - the recipient can prove to a third party that the document was created by the signer.
SDML Document Structure (Cont.)
Each document is comprised of a number of blocks; each block contains some common fields (elements), and also contains fields that are specific to the type of block.
All blocks that must be protected from tampering and all blocks that must be authenticated are signed using a digital signature, contained in a signature block.
The digital signature uses one of the standard digital signature algorithms, such as MD5/RSA or SHA/DSS.
SDML Document Structure (Cont.)
The concept of the SDML electronic document is that it is a flexible structure. Separating signatures, certificates, actual data, etc., into separate blocks allows a rich, complex document to be built from these "primitives," while retaining a standard format which can be parsed and verified according to a standard syntax definition, which allows it to be easily transmitted by a variety of methods (e-mail, file transfer, storage media, etc.).
Electronic Document Definition
A document consists of one or more enclosed documents. Each enclosed document is built inside an <sdml-doc> tag structure.
Inside a document are one or more blocks:
<sdml-doc docname="cccccccc" type="cccccccc">
</sdml-doc>
Electronic Document Definition (Cont.)
docname - document name, assigned by the software creating the document. If multiple SDML documents are being created as part of one file or transmission, document names should be unique. This name should contain a maximum of 64 characters.
type - used by the receiving software to ensure that it has received the correct type of document, one that it knows how to process. Chosen from a list of pre-defined types, or may be a type agreed upon by the sending and receiving parties...
Electronic Document Definition (Cont.)
...except that the latter agreed-upon types may not conflict with any pre-defined types. To prevent such conflict between pre-defined, standardized document types and privately agreed-upon types, all privately agreed-upon document types should be prefixed with the characters "p-" (meaning private).
type="p-autoloan"
Block Definitions
Each SDML block starts and ends with one of the following sets of block tags:
<action> </action> - describing the action to be performed by the recipient
<signature> </signature> - signatures and hashes of other blocks
<cert> </cert> - public key certificate
<attachment> </attachment> - associated document attached to an SDML document
<message> </message> - informational message, such as an error report
Block Common Field Definitions
Common fields: each of the blocks contains some field definitions which are common to all block types, as follows:
<blkname>ccccccc
<crit>true|false
<vers>nnn.nnn
blkname (required) - character string assigned by the software creating the block. Must be unique within a document.
Block Common Field Definitions (Cont.)
crit - (optional) boolean flag used to determine if a block is critical, meaning the receiving software must be able to process the block. If the block is critical and the software cannot process it, it must abort or handle the exception.
vers - (optional) number which indicates the version of the block, used by the receiving software to determine if it is capable of parsing/processing the block. If the version number is not specified, it is assumed to be 1.0.
Action Block Definition
(The slide shows an action block example.)
function (required) - character string chosen from a set of commands or verbs specific to the application or type of document being sent.
reason (required) - the reason that the document is being transmitted to the recipient:
process - original, fully process
resend - process only if it’s not a duplicate
test - don’t fully process
Action Block Definition (Cont.)
info - informational only, not processed.
return - being sent back to the originator as a returned item. The document will usually contain a <message> block indicating the reason for the return.
Signature Block Definition
(The slide shows a signature block example.)
Contains a digital signature for another block, or set of blocks. Required whenever a block must be authenticated or tamper-proofed.
Contains the reference to the certificate block containing the public key used to verify the signature.
Contains many fields: in general the blocks signed, the actual hashing, the reference to the public key, the algorithm used for signing, etc.
Certificate Block Definition
(The slide shows a certificate block example.)
blkname (required) - since the <cert> block is signed by the authority issuing the electronic token, it is not changeable at runtime by SDML-generating software. It must be guaranteed to be unique for all subsequent documents.
certtype (required) - this field indicates the type of certificate contained in the block.
Certificate Block Definition (Cont.)
certissuer (required) - the unique distinguished name of the issuer of the certificate.
certserial (required) - the unique certificate serial number assigned by the issuer of the certificate.
certdata (required) - the hexadecimal-encoded binary value.
Attachment Block Definition
(The slide shows an attachment block example.)
This block contains any document that is to be attached to the SDML electronic document.
astatus (optional) - indicates whether the attachment is temporary (stripped off when transmitted to a third party) or permanent. If omitted, it defaults to temporary.
adata (required) - any data may be contained in the Attachment block, between the <adata> and </adata> tags.
Message Block Definition
(The slide shows a message block example.)
The block contains error messages and return information that indicates the reason that the attached SDML document was not processed successfully.
retcode (required) - reason why the attached document was returned.
msgtext (required) - a textual message explaining why the document was returned.
msgdata (optional) - any other data that may be associated with the message, e.g., a report or bank statement.
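The receiving-side rules spread over the document and block definition slides (docname length, the "p-" prefix for private types, unique blkname per document, vers defaulting to 1.0, and abort on a critical block the receiver cannot process), as an added example that is not part of the original presentation or of the FSTC specification: a small parser for the tag layout the slides show, where field tags such as <blkname> carry no closing tag. The pre-defined type list, the sample document and the receiver's supported versions are constructed for this example; it handles one <sdml-doc> per call and does not verify signatures.

```python
import re

# Constructed: the slides say a pre-defined type list exists but do not list it.
PREDEFINED_TYPES = {"check", "invoice"}

DOC_RE = re.compile(
    r'<sdml-doc\s+docname="([^"]*)"\s+type="([^"]*)"\s*>(.*?)</sdml-doc>', re.S)
BLOCK_RE = re.compile(
    r"<(action|signature|cert|attachment|message)>(.*?)</\1>", re.S)
# Field tags on the slides have no closing tag: <blkname>sig1  <crit>true
FIELD_RE = re.compile(r"<([a-z]+)>([^<]*)")


def parse_version(text: str):
    """'nnn.nnn' -> (nnn, nnn); a missing vers field means 1.0 per the slides."""
    major, _, minor = text.strip().partition(".")
    return (int(major), int(minor or "0"))


def parse_fields(body: str) -> dict:
    return {name: value.strip() for name, value in FIELD_RE.findall(body)}


def parse_document(text: str):
    """Parse one <sdml-doc> and enforce the structural rules from the slides.
    Returns (docname, type, [ {kind, fields} ... ]) or raises ValueError."""
    m = DOC_RE.search(text)
    if m is None:
        raise ValueError("no <sdml-doc> structure found")
    docname, doctype, body = m.groups()
    if len(docname) > 64:
        raise ValueError("docname exceeds 64 characters")
    if doctype not in PREDEFINED_TYPES and not doctype.startswith("p-"):
        raise ValueError(f"unknown type {doctype!r} without the p- private prefix")
    blocks = [{"kind": kind, "fields": parse_fields(inner)}
              for kind, inner in BLOCK_RE.findall(body)]
    names = [b["fields"].get("blkname") for b in blocks]
    if any(n is None for n in names):
        raise ValueError("every block requires a blkname")
    if len(set(names)) != len(names):
        raise ValueError("blkname must be unique within a document")
    return docname, doctype, blocks


def dispatch(blocks, supported):
    """supported maps block kind -> highest block version this receiver handles.
    Returns [(blkname, 'process' | 'skip')]; a critical block the receiver
    cannot process aborts the whole document, as the crit flag demands."""
    decisions = []
    for b in blocks:
        name = b["fields"]["blkname"]
        vers = parse_version(b["fields"].get("vers", "1.0"))
        critical = b["fields"].get("crit", "false").lower() == "true"
        can_process = b["kind"] in supported and vers <= supported[b["kind"]]
        if can_process:
            decisions.append((name, "process"))
        elif critical:
            raise ValueError(f"critical block {name} ({b['kind']} "
                             f"v{vers[0]}.{vers[1]}) cannot be processed: abort")
        else:
            decisions.append((name, "skip"))
    return decisions


def receive(text: str, supported):
    """Receiver path: parse, validate, decide per block.
    Returns ('accepted', decisions) or ('rejected', reason)."""
    try:
        _, _, blocks = parse_document(text)
        return "accepted", dispatch(blocks, supported)
    except ValueError as err:
        return "rejected", str(err)


# Constructed sample: a private document type with a critical v2.0 signature block.
SAMPLE = """<sdml-doc docname="loan-2000-0001" type="p-autoloan">
<action>
<blkname>act1
<function>approve
<reason>process
</action>
<signature>
<blkname>sig1
<crit>true
<vers>2.0
</signature>
</sdml-doc>"""

if __name__ == "__main__":
    print(receive(SAMPLE, {"action": (1, 0), "signature": (2, 0)}))
    print(receive(SAMPLE, {"action": (1, 0), "signature": (1, 0)}))  # abort
```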
References
http://www.w3.org/ - W3C - SDML
http://www.ipier.com - e-commerce online course