The core issue in e-commerce development is transaction security. Because the Internet itself is open, online transactions face various dangers, which give rise to the following security control requirements.
1.1 Information confidentiality
Business information in a transaction needs to be kept confidential. If someone else learns the account number and user name of a credit card, the card may be used to steal from its holder. If competitors learn the details of orders and payments, business opportunities may be lost. Therefore, information transmitted in e-commerce generally needs to be encrypted.
1.2 Certainty of the trader's identity
The two parties to an online transaction are probably strangers, thousands of miles apart. For the transaction to succeed, each must first be able to confirm the identity of the other. Merchants need to be sure that the customer is not a fraudster, and customers worry that the online store may be a fraudulent shop. Being able to confirm the other party's identity conveniently and reliably is therefore a precondition of the transaction.
1.3 Non-repudiation
Because business conditions change constantly, a transaction cannot be denied once it has been concluded. Otherwise, the interests of one party will inevitably be harmed.
1.4 Unmodifiable
The documents of a transaction must not be modifiable. If the contents of a document could be changed, the transaction itself would be unreliable, and customers or businesses might suffer losses. Therefore, electronic transaction documents should also be unmodifiable, to ensure the seriousness and fairness of the transaction.
2. Relevant standards and implementation methods for secure e-commerce transactions
2.1 Secure transaction prototype
In the early stage of e-commerce, some simple security measures were adopted, including:
(1) Partial billing: the most critical data, such as the credit card number and transaction amount, are omitted from the online transaction and communicated by phone instead, to prevent leakage.
(2) Order confirmation: after the transaction information is transmitted online, the transaction is confirmed by email.
(3) Online service: to ensure the security of information transmission, the online service is provided over the enterprise's own intranet.
All of these methods have limitations: they are troublesome to operate and are not truly safe and reliable.
2.2 The development of secure transaction standards
In recent years, the IT industry and the financial industry have jointly launched many more effective standards for secure transactions. The main ones are:
(1) Secure Hypertext Transfer Protocol (S-HTTP): relies on key-pair encryption to secure the transmission of transaction information between websites.
(2) Secure Sockets Layer (SSL): a secure communication protocol introduced by Netscape, which encrypts the whole session between computers and provides encryption, authentication services and message integrity. It can provide strong protection for credit cards and personal information. SSL is used in the Netscape Communicator and Microsoft IE browsers to complete the required secure transaction operations. SSL uses public and private keys.
(3) Secure Transaction Technology (STT): proposed by Microsoft, STT separates authentication and decryption in the browser to improve security control. Microsoft will adopt this technology in the IE browser.
(4) Secure Electronic Transaction protocol (SET): a specification jointly launched by VISA and MasterCard in May 1997. SET is mainly intended for credit card payment transactions between users, merchants and banks, and ensures the confidentiality of payment information, the integrity of the payment process, and the legal identity and operability of merchants and cardholders. The core technologies in SET mainly include public key encryption, electronic digital signatures, electronic envelopes, electronic security certificates and so on.
At present, the official SET text covers the transaction agreement, information confidentiality, data integrity, digital authentication and digital signature of credit cards in e-commerce transactions. This standard is recognized as a global Internet standard, and its form of transaction will become the norm for "e-commerce" in the future.
The payment system is the key to e-commerce, but the future direction of the key technologies supporting payment systems has not yet been determined. Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) are two important communication protocols, and each provides a means of payment over the Internet. But which will lead in the future? Will SET replace SSL immediately? Will SET die because it is too complicated? Can SSL really meet the needs of e-commerce? The following points are relevant:
SSL provides a secure connection between two machines. Payment systems are usually built by transmitting credit card numbers over SSL connections, and online banking and other financial systems are usually built on SSL as well. Although SSL-based credit card payment has promoted the development of e-commerce, a more advanced payment system must be adopted if e-commerce is to develop widely and successfully. SSL is widely used because it is built into most Web browsers and Web servers and is easy to apply.
SET and SSL have nothing in common except the RSA public key algorithm, and even RSA is used in the two to achieve different security goals.
SET is a protocol based on message flow, designed and published mainly by mainstream vendors such as MasterCard and Visa, and is used to secure bank card payment transactions on the public network. SET has been widely used and experimentally tested around the world, but most consumers who shop online do not actually use it.
SET is a very complicated protocol, because it reflects the various relationships between the parties to a card transaction in a very detailed and accurate way. SET also defines the format of encrypted information and the rules each party follows when transmitting information while completing a card payment transaction. In fact, SET is more than just a technical protocol. It also explains the legal meaning of the digital certificates held by all parties, the actions to be taken by parties who want to obtain digital certificates and response information, and the sharing of responsibility associated with a transaction.
3. Current means of secure electronic transactions
In many secure electronic transaction protocols or standards published in recent years, some commonly used methods and means of secure electronic transactions have been adopted. Typical methods and means are as follows:
3.1 Cryptography
Using cryptography to encrypt information is the most commonly used means of secure transaction. There are two encryption technologies widely used in e-commerce:
(1) Public key and private key
This encryption method, also known as the RSA coding method, was developed by Rivest, Shamir and Adleman. It uses the product of two very large prime numbers to encrypt. Whichever of the two prime numbers is first multiplied with the original file code to encrypt the file, the other prime number can be multiplied to decrypt it. But it is very difficult to find one of the prime numbers from the other. This pair of prime numbers is therefore called a key pair. In practice, the user always publishes one key, so that anyone who needs to send him a message can encrypt it with his public key. Once the information is encrypted, it can only be decrypted with the private key known only to the user. The public key of a person with a digital certificate identity can be looked up on the Internet, or a user can actively send his public key to the other party when asking for a message, thus ensuring the confidentiality and security of information transmitted over the Internet.
(2) Digital digests
This encryption method, also known as the Secure Hash Algorithm (SHA) or MD5 (the MD standard for message digests), was designed by Ron Rivest. It uses a one-way hash function to "digest" the plaintext to be encrypted into a 128-bit ciphertext string. This string, also called a digital fingerprint, has a fixed length. Different plaintexts always produce different digests, while the digests of the same plaintext are always identical. The digest can therefore serve as a "fingerprint" to verify whether the plaintext is genuine.
The above two methods can be combined, and digital signature is an example of the combination of these two methods.
3.2 Digital signature
Signing a written document is a means of confirming the document. A signature has two functions. First, it confirms the fact that the document has been signed, because a person's signature is hard to deny. Second, because a signature is not easy to forge, it confirms that the document is genuine. Digital signatures resemble written signatures. A digital signature can likewise confirm the following two points:
A. The information was sent by the signer.
B. The information was not modified during transmission.
In this way, digital signatures can be used to prevent electronic information, which is easy to modify, from being tampered with; to prevent someone from sending information in another person's name; and to prevent someone from sending (or receiving) a message and then denying it.
A digital signature uses a double encryption method to prevent forgery and fraud. Its principle is:
(1) The file to be sent is encrypted with SHA coding to generate a 128-bit digital digest (see the previous section).
(2) The sender re-encrypts the digest with his own private key to form a digital signature.
(3) The original text and the encrypted digest are sent to the other party together.
(4) The other party decrypts the digest with the sender's public key and encrypts the received file with SHA coding to generate another digest.
(5) The receiver compares the decrypted digest with the digest generated from the received file. If the two are consistent, the information has not been damaged or tampered with during transmission. If they differ, it has.
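The five steps above, carried through in code as an added example that is not part of the original article. It assumes SHA-256 for the digest and unpadded textbook RSA over a constructed demo key built from two Mersenne primes; a production system would use a vetted signing library with a padded scheme and randomly generated keys.

```python
import hashlib

# Constructed demo key (assumption of this example): two Mersenne primes.
# Their special form makes them easy to factor, so this key is for
# illustration only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Step 1: hash the document into a fixed-length digest."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Step 2: transform the digest with the sender's private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Steps 4-5: recover the digest with the public key, re-hash the
    received document, and compare the two digests."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    order = b"PO-1001: 3 tickets, total 4500.00"    # constructed sample
    sig = sign(order)                                # step 3: send both
    return {
        "genuine": verify(order, sig),
        "tampered": verify(order.replace(b"4500", b"45"), sig),
    }


if __name__ == "__main__":
    print(demo())
```
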
3.3 Digital Timestamp
Time is very important information in trading documents. In a written contract, the date of signing the document is as important as the signature to prevent the document from being forged and tampered with.
In electronic transactions, it is also necessary to take security measures for the date and time information of transaction documents, and DTS (Digital Time Stamp Service) can provide security protection for the release time of electronic documents.
Digital Timestamp Service (DTS) is an online security service provided by specialized agencies. A timestamp is an encrypted voucher document with three parts: 1) the digest of the file to be timestamped, 2) the date and time when the DTS received the file, and 3) the digital signature of the DTS.
The process of time stamp generation is as follows: the user first hashes the file that needs a time stamp to form a digest, and then sends the digest to the DTS. The DTS adds the date and time at which it received the file digest, encrypts (digitally signs) the file, and sends it back to the user. The DTS created by Bellcore adopts the following process: when encrypting, the digest information is merged into a binary tree data structure, and the root value of the binary tree is then published in a newspaper, which provides more effective evidence of the document's publication time. Note that the time on a document signed in writing is written by the signer himself, but a digital time stamp is not: it is added by the authentication unit, the DTS, according to the time when the DTS received the document. Therefore, the time stamp can also be used to authenticate the time of scientists' scientific invention documents.
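The binary-tree scheme described above, sketched as an added example that is not from the original article or from Bellcore. The tree layout, the leaf and node prefixes, the padding rule for odd levels and the sample documents are all assumptions of this sketch; it shows how one published root lets any holder of a document and its short proof show that the document's digest was in the tree.

```python
import hashlib


def leaf_hash(digest: bytes) -> bytes:
    # Prefix bytes keep leaves and inner nodes in separate hash domains.
    return hashlib.sha256(b"\x00" + digest).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def padded(level):
    # Assumption of this sketch: an odd-sized level repeats its last node.
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(digests):
    """All tree levels, leaves first; the last level holds only the root."""
    levels = [[leaf_hash(d) for d in digests]]
    while len(levels[-1]) > 1:
        cur = padded(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels


def proof_for(levels, index):
    """Sibling hashes from the leaf up to the root, tagged with their side."""
    path = []
    for level in levels[:-1]:
        level = padded(level)
        sibling = index ^ 1
        path.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return path


def root_from(digest, path):
    """Recompute the root from one document digest and its proof."""
    node = leaf_hash(digest)
    for side, sib in path:
        node = node_hash(sib, node) if side == "L" else node_hash(node, sib)
    return node


# Constructed sample: digests submitted to the service during one period.
DOCS = [b"contract A", b"invoice 17", b"patent draft", b"order 9", b"memo"]
LEVELS = build_levels([hashlib.sha256(d).digest() for d in DOCS])
PUBLISHED_ROOT = LEVELS[-1][0]       # the value printed in the newspaper


def check(document: bytes, index: int) -> bool:
    proof = proof_for(LEVELS, index)
    return root_from(hashlib.sha256(document).digest(), proof) == PUBLISHED_ROOT


if __name__ == "__main__":
    print(check(b"patent draft", 2), check(b"patent draft v2", 2))
```
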
3.4 Digital Certificate (Digital ID)
A digital certificate, also known as a digital voucher, is an electronic means of proving a user's identity and right of access to network resources. In online electronic transactions, if both parties present their digital vouchers and use them for the transaction, neither needs to worry about the authenticity of the other's identity. Digital vouchers can be used for email, e-commerce, groupware, electronic fund transfer and other purposes.
The internal format of a digital voucher is specified by the CCITT X.509 international standard and includes the following:
(1) the name of the voucher owner,
(2) the public key of the voucher owner,
(3) the validity period of the public key,
(4) the entity that issued the digital voucher,
(5) the serial number of the digital voucher,
(6) the digital signature of the entity that issued the digital voucher.
There are three types of digital vouchers:
(1) Personal certificate (Personal Digital ID): a certificate issued to a single user to help him conduct secure transactions online. A personal digital certificate is usually installed in the client's browser, and transactions are conducted through secure e-mail (S/MIME).
(2) Enterprise (server) certificate (Server ID): a certificate usually issued for a Web server on the Internet. The enterprise that owns the Web server can use the website with the certificate to conduct secure electronic transactions. A Web server with a certificate automatically encrypts the information it exchanges with the client's Web browser.
(3) Software (developer) certificate (Developer ID): a certificate usually issued for software downloaded from the Internet. It is used together with Microsoft Authenticode technology (genuine software) so that users can obtain the information they need when downloading the software.
Of these three types of vouchers, the first two are in common use and the third is used on special occasions. Most certification centers provide the first two types, and certification centers that can provide all types are uncommon.
3.5 Certificate Authority (CA)
In electronic transactions, neither the digital time stamp service (DTS) nor the issuing of digital certificates (Digital IDs) is performed by the two parties themselves; both are performed by an authoritative and impartial third party. A Certificate Authority (CA) is a service organization that provides certification services for secure online electronic transactions, issues digital certificates and confirms the identity of users. A certification center is usually an enterprise service organization whose main task is to handle the application for, issuance of and management of digital certificates. The certification center operates its service according to a CPS (Certification Practice Statement).
The above five aspects introduce the common means of secure electronic transaction, and all kinds of means are often combined to form a relatively comprehensive secure electronic transaction system.
4. Application trends
According to the latest report, China's first secure e-commerce system, the Online Booking and Payment System, was put into operation on August 8th, 1999 after half a year's trial operation. It was jointly sponsored, invested in and developed by the Shanghai Municipal Government Commercial Committee, Shanghai Post and Telecommunications Administration, China Eastern Airlines Co., Ltd., China Industrial and Commercial Bank Shanghai Branch and Shanghai E-commerce Security Certificate Management Center Co., Ltd.
The online reservation and payment system consists of four subsystems: the merchant subsystem, the customer subsystem, the bank payment gateway subsystem, and the digital certificate authorization and authentication subsystem.
The first application of the merchant subsystem is the China Eastern Airlines website for buying airline tickets, at www.cea.online.sh.cn. It is the first secure e-commerce website in China.
The customer subsystem is electronic wallet software installed on a PC, and is the payment tool credit card holders use to spend online. The customer's credit card information and digital certificate must be added to the e-wallet before online purchases can be made.
The payment gateway subsystem usually refers to a set of equipment operated by the acquiring bank, which processes merchants' payment information and the payment instructions issued by cardholders.
The digital certificate authorization and authentication subsystem generates a digital certificate for each transaction participant, which serves to verify the identity of the transacting party.
Its technical feature is that it adopts IBM's e-commerce framework and embeds the encryption/decryption software and hardware products approved by the National Cryptography Management Committee. The e-commerce system has the following secure transaction characteristics:
1) It follows the SET international standard and has the security mechanisms stipulated in the SET standard. It is a relatively safe e-commerce system running on the Internet at present;
2) It takes into account the business characteristics of domestic credit cards/savings cards and international credit cards, and has certain Chinese characteristics;
3) It is open and interoperable with any e-commerce system certified by SETCO;