
Please explain some important concepts of e-commerce security.

Research on Security Problems and Countermeasures of E-commerce

No. 11, 2005 (Issue 85 overall)


Peng and Bai Zhenwu

(Hunan Economic Management Cadre College, Changsha, Hunan 410004)

Abstract: While e-commerce has changed the way people do business, its security has become a focus of growing attention. This paper analyzes the security problems that arise in e-commerce applications and proposes the main security measures to be taken, from the two angles of computer network security and business transaction security.

Keywords: e-commerce; network security; transaction security; encryption; authentication; protocol

CLC number: TP393; Document code: A; Article ID: 1008-11(2005)11-0/62-02

Received: August 5, 2005

About the author: Peng (b. 1972), female, from Shaoyang, Hunan; lecturer at Hunan Economic Management Cadre College; research interests: network security and e-commerce.

With the development of the Internet, e-commerce has gradually become a new way for people to conduct business. Compared with the traditional business model, e-commerce is convenient and efficient. At present, however, the volume of trade conducted through e-commerce channels is still only a small fraction of global trade over the same period. The reason is that e-commerce is a complex systems engineering undertaking whose realization depends on the gradual solution of many problems, from social ones to technical ones. Among these, security is the core problem restricting the development of e-commerce, and e-commerce security technology has become a focus of attention and research in every sector.

I. E-commerce security issues

Ensuring the security of transaction data is central to any e-commerce system. Because the Internet is open by design, e-commerce systems face a variety of security threats. The main security risks at present are as follows:

(1) Impersonating a legitimate user. An attacker steals a legitimate user's identity information by illegal means and then trades with others under that identity to obtain illicit gains.

(2) Stealing information. An attacker illegally intercepts or monitors data on the network's transmission channel by physical or logical means and so obtains sensitive information from the communication.

(3) Tampering with information. Having intercepted a message, an attacker may alter it, for example by changing the order or timing of messages or injecting forged ones, so that the information loses its authenticity and integrity.

(4) Denial of service. An attacker blocks legitimate access to information, services or other resources; for example, one service port is abused so that other users cannot work normally.

(5) Repudiating sent information. A user may maliciously deny having sent a message in order to evade responsibility.

(6) Illegal intrusion and virus attack. Computer networks are frequently subject to unauthorized intrusion and to damage by computer viruses.

An important technical feature of e-commerce is its use of computer technology to transmit and process business information. E-commerce security can therefore be divided into two parts: computer network security and business transaction security.

II. Computer network security measures

Computer network security covers the security of network equipment, of the network system, of databases, and so on. Its defining feature is that it addresses the security problems of the computer network itself: a network security enhancement scheme is implemented to ensure that the network is secure as such.

Computer network security measures cover three aspects: protecting network security, protecting application service security and protecting system security. Each of these should be combined with physical security, firewalls, information security, Web security, media security and so on.

(1) Protecting network security. Network security means protecting the communication between the network-side systems of all business parties. Ensuring confidentiality, integrity, authentication and access control is an important factor in network security. The main measures for protecting network security are as follows:

1) Plan the overall security strategy of the network platform.

2) Formulate network security management measures.

3) Use a firewall.

4) Record as much activity on the network as possible.

5) Pay attention to the physical protection of network equipment.

6) Test the network platform for vulnerabilities.

7) Establish a reliable identification and authentication mechanism.

(2) Protecting application security. Protecting application security refers to the security measures established for specific applications (such as Web servers and dedicated online payment software), independent of any other security measures in the network. Although some of these measures substitute for or overlap with network security services (for example, Web browsers and Web servers encrypting payment and settlement packets at the application level, which overlaps with IP-layer encryption), many applications have their own specific security requirements.

Because the application layer of e-commerce has the strictest and most complex security requirements, security measures tend to be applied at the application layer rather than at the network layer.

Although network-layer security still has its place, it cannot by itself solve the security problems of e-commerce applications. Security services at the application layer can cover authentication, access control, confidentiality, data integrity, non-repudiation, Web security, EDI and online payment.

(3) Protecting system security. Protecting system security means security protection from the perspective of the e-commerce system or online payment system as a whole, and is bound up with the hardware platform, operating system and application software of the network system. System security for online payment and settlement includes the following measures:

1) Check for and confirm unknown security vulnerabilities in installed software, such as browser software, e-wallet software and payment gateway software.

2) Combine technical and management measures so that the system carries the minimum risk of penetration. Even where a connection is allowed only after multiple authentications, all access data must still be audited and system users strictly managed.

3) Keep detailed security audit logs to detect and trace intrusion attacks.

III. Security measures for business transactions

Business transaction security is concerned with the security issues that arise when traditional business is conducted over the Internet; building on computer network security, it addresses how to ensure that the e-commerce process runs smoothly.

The various business transaction security services are realized through security technologies, mainly encryption technology, authentication technology and e-commerce security protocols.

(1) Encryption technology. Encryption is a basic security measure in e-commerce that both parties can apply as needed during information exchange. It falls into two categories: symmetric encryption and asymmetric encryption.

1) Symmetric encryption. Symmetric encryption is also called private-key encryption: the sender and receiver use the same key to encrypt and decrypt data. Its greatest advantage is fast encryption and decryption, which makes it suitable for large volumes of data, but key management is difficult. If both parties can ensure that the key is not leaked during the key exchange stage, confidentiality and message integrity can be achieved by encrypting the confidential information with this method and sending a message digest or hash value along with the message.

2) Asymmetric encryption. Asymmetric encryption, also known as public-key encryption, uses a pair of keys for encryption and decryption: one is published (the public key) and the other is kept by the user (the private key). The exchange proceeds as follows: Party A generates a key pair and publishes one of the keys as its public key; Party B, having obtained the public key, encrypts the information with it and sends it to Party A; Party A then decrypts the information with its own private key.
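The exchange just described, as an added example written for this page (it is not the paper's code): Party A generates an RSA key pair, Party B encrypts with A's public key, and only A's private key decrypts. RSA-OAEP with SHA-256 is assumed as the padding scheme, and the sample message and function names are constructed. The last check illustrates why the paper reserves symmetric encryption for bulk data: a 2 KiB message exceeds what one RSA operation can carry.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptForA is Party B's step: encrypt with the public key that Party A published.
// RSA-OAEP with SHA-256 is an assumption; the paper names no padding scheme.
func EncryptForA(pubA *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pubA, msg, nil)
}

// DecryptAtA is Party A's step: only the holder of A's private key recovers the message.
func DecryptAtA(privA *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, privA, ct, nil)
}

// RunExchange runs the exchange on a constructed message and returns the recovered
// plaintext, whether a wrong private key fails to decrypt, and whether a 2 KiB message
// is rejected (RSA-OAEP with a 2048-bit key carries at most 190 bytes per operation).
func RunExchange() (plaintext []byte, wrongKeyFails, tooLong bool, err error) {
	privA, err := rsa.GenerateKey(rand.Reader, 2048) // Party A's key pair
	if err != nil {
		return nil, false, false, err
	}
	ct, err := EncryptForA(&privA.PublicKey, []byte("card token: tok_constructed_0001"))
	if err != nil {
		return nil, false, false, err
	}
	plaintext, err = DecryptAtA(privA, ct)
	if err != nil {
		return nil, false, false, err
	}
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // some other party's key pair
	_, badErr := DecryptAtA(otherKey, ct)
	_, longErr := EncryptForA(&privA.PublicKey, make([]byte, 2048))
	return plaintext, badErr != nil, errors.Is(longErr, rsa.ErrMessageTooLong), nil
}
```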

(2) Authentication technology. Authentication technology uses electronic means to prove the identities of sender and receiver and the integrity of a document, that is, to confirm that the identity information of both parties has not been tampered with during transmission or storage.

1) Digital signature. A digital signature, also called an electronic signature, serves to authenticate, approve and give effect to an electronic document, much as a handwritten signature does. It is implemented by combining a hash function with a public-key algorithm. The sender computes a hash value of the message body and encrypts that hash with its own private key to form the digital signature. The signature is then sent to the receiver together with the message, as an attachment. The receiver first computes the hash of the received message, then decrypts the attached signature with the sender's public key; if the two hash values match, the receiver can confirm that the signature belongs to the sender. The digital signature mechanism thus provides an authentication method that addresses forgery, repudiation, impersonation and tampering.
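The sender's and receiver's steps in the paragraph above, as an added example written for this page (not the paper's own code): the sender hashes the order message with SHA-256 and signs the digest with its RSA private key (PKCS#1 v1.5 signatures are assumed), and the receiver recomputes the digest and checks it against the signature with the public key. The order text and function names are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage is the sender's side of the scheme in the paper: hash the message
// body and sign (in RSA terms, encrypt) that digest with the sender's private key.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage is the receiver's side: recompute the digest from the received
// message and check it against the signature with the sender's public key.
// It returns false if either the message or the signature was altered in transit.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// RunSignatureDemo signs a constructed order message, then verifies both the
// original and a copy altered in transit; it returns (originalOK, tamperedOK).
func RunSignatureDemo() (bool, bool, error) {
	senderKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	order := []byte("order 1001: pay 100.00 to merchant M") // constructed sample
	sig, err := SignMessage(senderKey, order)
	if err != nil {
		return false, false, err
	}
	originalOK := VerifyMessage(&senderKey.PublicKey, order, sig)
	tampered := []byte("order 1001: pay 999.00 to merchant M") // amount changed in transit
	tamperedOK := VerifyMessage(&senderKey.PublicKey, tampered, sig)
	return originalOK, tamperedOK, nil
}

func main() {
	originalOK, tamperedOK, err := RunSignatureDemo()
	fmt.Println("original verifies:", originalOK, "tampered verifies:", tamperedOK, "err:", err)
}
```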

2) Digital certificate. A digital certificate is a file digitally signed by a certification authority that contains the public key and information about its owner. Its main components are the user's public key, the identifier of the key's owner and the signature of a trusted third party. The third party is generally a certification authority (CA) trusted by users, such as a government department or financial institution. The user submits its public key to the certification authority in a secure way and obtains the certificate, which it can then publish. Anyone who needs the user's public key can obtain this certificate and verify the validity of the public key through the CA's signature. A digital certificate thus provides a way to verify the identity of the other party through data that marks the identity of each party in the transaction.
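Issuing and checking a certificate as described above, as an added example written for this page (not from the paper): a toy CA signs a certificate binding the name "Party A" to A's public key, and a relying party accepts it only because a CA it trusts signed it, while a self-signed certificate carrying the same name and key is rejected. The names, serial numbers and validity period are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// IssueCert has the CA (caCert, caKey) sign a certificate binding name to pub;
// with caCert == nil the certificate is self-signed with caKey (the toy root CA).
func IssueCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, serial int64, name string, pub *rsa.PublicKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	parent := tmpl // self-signed unless a CA certificate is supplied
	if caCert != nil {
		parent = caCert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstCA is the relying party's check: does a CA it trusts vouch for
// this certificate, and is it currently valid? Verify walks the chain and dates.
func VerifyAgainstCA(cert, trustedCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// RunCertDemo returns (trustedOK, selfSignedOK) for two constructed certificates
// that both claim the name "Party A" with the same key; only the CA-issued one passes.
func RunCertDemo() (bool, bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caCert, _ := IssueCert(nil, caKey, 1, "Trusted CA", &caKey.PublicKey, true)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userCert, _ := IssueCert(caCert, caKey, 2, "Party A", &userKey.PublicKey, false)
	selfSigned, _ := IssueCert(nil, userKey, 3, "Party A", &userKey.PublicKey, false)
	return VerifyAgainstCA(userCert, caCert), VerifyAgainstCA(selfSigned, caCert)
}
```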

(3) E-commerce security protocols. In addition to the security technologies described above, a set of security protocols exists for e-commerce operation. The more mature ones at present are SET and SSL.

1) Secure Sockets Layer protocol (SSL). The SSL protocol sits between the transport layer and the application layer and consists of the SSL record protocol, the SSL handshake protocol and the SSL alert protocol. The handshake protocol establishes the security mechanism before client and server actually transmit application-layer data. When the client first communicates with the server, the two parties use the handshake protocol to agree on the version number, key exchange algorithm, data encryption algorithm and hash algorithm, and then verify each other's identities. Finally, the negotiated key exchange algorithm is used to generate a shared secret known only to the two parties; from this secret, client and server each derive the parameters for the data encryption and hash algorithms. The record protocol encrypts and compresses the data sent by the application layer according to the parameters negotiated in the handshake, computes a message authentication code (MAC), and passes the result to the transport layer for sending. The alert protocol carries SSL error messages between client and server.

2) Secure Electronic Transaction protocol (SET). The SET protocol defines the rights and obligations of consumers, online merchants, banks and credit card organizations in e-commerce activities and specifies the standard for the flow of transaction information. SET consists mainly of three documents: the SET business description, the SET programmer's guide and the SET protocol description. SET ensures the confidentiality, data integrity and identity legitimacy of the e-commerce system.

SET was designed specifically for e-commerce systems. It operates at the application layer, and its authentication system is comprehensive, supporting multi-party authentication. Under SET, the consumer's account information is kept confidential from the merchant. However, SET is very complex: transaction data must be verified many times, using multiple keys and many rounds of encryption and decryption. Besides consumers and merchants, SET involves other participants such as issuers, acquirers, certification authorities and payment gateways.

IV. Conclusion

Computer network security and business transaction security are in fact inseparable; they complement each other and neither can be dispensed with. Without computer network security as a foundation, business transaction security is impossible. Without the security guarantees of business transactions, even a secure computer network cannot meet the particular security requirements of e-commerce.

As e-commerce develops, electronic transaction methods are becoming more diverse, and security issues will become more important and more prominent. The dual demands of e-commerce for computer network security and business security make e-commerce security more complex than that of most computer networks, so e-commerce security should be implemented as a systematic project rather than as a single solution.
