
E-commerce Security Protocols Discussed

Posted on: 2002-07-18
Degree: Master
Type: Thesis
Country: China
Candidate: J Shi
Full Text: PDF
GTID: 2208360032454801
Subject: Finance
Abstract/Summary:
E-commerce, built on the ever-growing Internet, has become a challenge to the traditional commercial model because of its low cost and high efficiency. More and more people shop and pay bills on the Internet, and security has become one of the most important factors influencing the development of E-commerce. E-business has a number of security requirements, such as the confidentiality of the transaction, the authentication of the participants and the integrity of the data. This paper discusses the security of E-business, with emphasis on a security analysis of the most popular protocols, SSL and SET. SSL is one of the earliest security protocols used in E-business. It was developed by Netscape to provide a confidential and reliable connection between a client and a server and to prevent eavesdropping, tampering, or message forgery. The protocol is composed of two layers. The lower layer, the SSL Record Protocol, encapsulates higher-level protocols. The higher layer, the SSL Handshake Protocol, sits on top of the SSL Record Protocol and allows the client and server to authenticate each other and to negotiate an encryption suite and cryptographic keys before they exchange data. An encryption suite consists of an encryption algorithm and an integrity-validating method using a keyed MAC. SSL supports a series of encryption suites, from the strongest, triple-DES+SHA-1, to the weakest, no-encryption+MD5. First, the client sends the server the information it needs to communicate with the client using SSL, such as the protocol version, the encryption suites supported, randomly generated data, and so on. The server then replies with the protocol version, the selected encryption suite (the strongest suite they both support), randomly generated data, and other information the client needs to communicate with the server using SSL. The server also sends its certificate to the client, which authenticates the server by the certificate presented.
If the server has been successfully authenticated, the client creates a pre-master secret, encrypts it with the server's public key obtained from the server's certificate, and then sends the encrypted pre-master secret to the server. Since only the server can recover the pre-master secret by decrypting it with its private key, both the client and the server, starting from the same pre-master secret, use the same procedure to produce a symmetric key that only they know. They use the symmetric key to encrypt the bulk data they then exchange, and prevent tampering by inserting a MAC. When SSL is used in E-business, communication can be protected according to the encryption suite selected, and "man in the middle" attacks can be avoided. But since client verification is optional in SSL, out-of-band methods are necessary in most cases. In the traditional purchase using SSL, the customer's sensitive information is sent to the merchant, who uses it to obtain payment from the bank. Because this model cannot effectively prevent merchant fraud, an improved model is used in which the customer's sensitive information is sent directly to the bank. SSL cannot protect E-business against attacks on the host system, crude attacks such as simply holding up messages and discarding them, or DoS attacks. SET is a security protocol developed in 1996 to provide confidential and reliable card-based transactions over insecure networks such as the Internet. According to the actual transaction processes, SET specifies a...
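The handshake steps described above (suite negotiation, key derivation from the pre-master secret and both random values, and MAC-protected records), as an added illustrative simulation that is not part of the thesis. It assumes the RSA transport of the pre-master secret has already happened, uses HMAC-SHA256 as a stand-in for the SSL key-derivation function, and adds a constructed DES_SHA1 suite between the two suites the abstract names.

```python
import hmac
import hashlib
import secrets

# Suites named in the abstract, strongest first; DES_SHA1 is a constructed
# middle entry for illustration and is not taken from the thesis.
SUITE_PREFERENCE = ["3DES_SHA1", "DES_SHA1", "NULL_MD5"]
MAC_HASH = {"3DES_SHA1": hashlib.sha1, "DES_SHA1": hashlib.sha1, "NULL_MD5": hashlib.md5}


def select_suite(client_suites, server_preference=SUITE_PREFERENCE):
    """Server hello: pick the strongest suite both sides support."""
    for suite in server_preference:
        if suite in client_suites:
            return suite
    raise ValueError("no common cipher suite")


def derive_keys(pre_master, client_random, server_random, suite):
    """Both sides run this; only they know pre_master, so only they get the keys.
    HMAC-SHA256 stands in for the SSL PRF (an assumption of this example)."""
    master = hmac.new(pre_master, b"master" + client_random + server_random, hashlib.sha256).digest()
    return {"mac": hmac.new(master, b"mac", hashlib.sha256).digest(),
            "enc": hmac.new(master, b"enc", hashlib.sha256).digest(),
            "hash": MAC_HASH[suite]}


def protect_record(keys, seq, payload):
    """Record layer: append a keyed MAC over the sequence number and payload."""
    tag = hmac.new(keys["mac"], seq.to_bytes(8, "big") + payload, keys["hash"]).digest()
    return payload + tag


def open_record(keys, seq, record):
    """Return the payload if the MAC verifies for this sequence number, else None."""
    size = keys["hash"]().digest_size
    payload, tag = record[:-size], record[-size:]
    expected = hmac.new(keys["mac"], seq.to_bytes(8, "big") + payload, keys["hash"]).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def handshake_demo():
    """Negotiate, derive keys on both sides, then show tampered and replayed records rejected."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    suite = select_suite(["NULL_MD5", "3DES_SHA1"])  # server must pick 3DES_SHA1
    pre_master = secrets.token_bytes(48)  # in SSL this travels RSA-encrypted to the server
    client_keys = derive_keys(pre_master, client_random, server_random, suite)
    server_keys = derive_keys(pre_master, client_random, server_random, suite)
    record = protect_record(client_keys, 0, b"PAY 100 USD")
    tampered = bytearray(record)
    tampered[4] ^= 1  # flip one bit of the amount in transit
    return (suite, open_record(server_keys, 0, record),
            open_record(server_keys, 0, bytes(tampered)), open_record(server_keys, 1, record))
```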
Keywords/Search Tags: E-commerce security, SSL, SET