
E-commerce and security: the options

Johannesburg, 05 Jan 1999

E-commerce cannot succeed without industrial-strength security in place. Rob Abraham, MD of Usko Communications, reviews some of the options available on the market.

It is becoming increasingly attractive to corporations to be able to run their businesses over the Web. This provides customers with ease of access, speed of use, and the ability to carry out certain activities from the comfort of their own homes. However, there is the thorny issue of security.

There are a number of different layers in the open systems communication stack where security can be implemented. The highest layer is at the application itself. By implementing security here, it is possible to tailor the system to provide the functions needed for specific circumstances. However, this means separate security measures must be employed for separate applications, which can be expensive.

By implementing security lower down the stack, it is possible to cover a range of applications without additional effort. However there may be certain functions needed for particular applications which cannot be provided for. An example is the ability to link the security to specific users, rather than specific machines, or even sites.

Additionally, export and import licences may restrict the areas where encryption is acceptable, making it more difficult to use lower-level security to cover general applications, especially where confidentiality is required.

There are a number of applications where security is of particular importance.

First it may be necessary for information that is input at the client site to be kept secret. This may be personal details about the user or information about their credit cards. The need here is for confidentiality. Also, the application may need proof that the information has been entered by the claimed user, that it has not changed in transit and the ability to be able to prove, at a later date, that it was in fact sent by that user.

These needs are known as data origin authentication, data integrity and non-repudiation, respectively.

Ideally, this security should be provided on the complete link from the user, sitting at the client site, to the actual application server, not simply to the ISP running the Web server.

Examples where these are a major issue:

  • Banking applications

  • Buying and selling shares

  • Purchase ordering

In the example of buying and selling shares, it is important for the stock broker that he should be certain that the request for the buying and selling of shares does come from his client and not from somebody else spoofing the Internet connection. Additionally, in the future, it may be vital to be able to prove that the request did come from the client.

Many companies do not run their own Web server because of the high cost of communications. Therefore they site their Web server at an Internet service provider (ISP). The problem is how much trust they are placing in the ISP, and how vulnerable the application data is on the link from the ISP down to the back-end application server. There are a number of applications which involve obtaining sensitive information from the end-user, especially when a form has to be completed. Generally this information is transmitted from the client site to the Web server, from where it will be transmitted to the back-end server at the company's site.

Unless a method is found to transmit this data securely between the client (where the end-user is situated) to the back-end server, where the information is actually needed, it is unlikely that particularly sensitive operations can be implemented over the Internet.

SSL security

One method of employing security over the Internet is the Secure Sockets Layer (SSL) protocol, which provides security between the client and the Web server: up to the ISP. It sets up a secure session between these two ends, providing encryption and data integrity on this link. It also provides optional authentication of the server or of both client and server.

However, it leaves the data unprotected once it has reached the ISP site, and there is a risk of exposing sensitive information at the ISP site or in transit back to the company. Neither does it provide non-repudiation on the information sent.

Security is established via a handshake protocol, in which a set of session keys is set up between client and server. This can be done using either a dedicated key establishment algorithm, or by encrypting a master key under the server's RSA encryption key. Four session keys are set up: two encryption keys and two authentication keys, to provide directional security. Messages are protected using symmetric encryption and by generating a message authentication code (MAC) on the data.
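As an added illustration of the key layout just described (this is constructed example code, not SSL's real key-derivation function or record format, and the key labels, the HMAC-based keystream and the encrypt-then-MAC ordering are assumptions chosen for clarity), the following derives the four directional keys from a master secret, protects a record in one direction, and shows why a record protected with the client's write keys cannot be verified with the server's, and why a tampered record is rejected. It also shows the property the article notes in the next paragraph: because the MAC key is shared by both ends, a valid record does not prove to a third party which end produced it.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed example: four directional session keys derived from one master
# secret, then symmetric encryption plus a MAC on each record.

KEY_LABELS = ("client_write_enc", "client_write_mac",
              "server_write_enc", "server_write_mac")
TAG_LEN = 32  # HMAC-SHA256 output length
NONCE_LEN = 8  # record sequence number carried with each record


def derive_session_keys(master_secret: bytes, client_random: bytes,
                        server_random: bytes) -> Dict[str, bytes]:
    """Expand the master secret into four keys, one per direction and purpose.

    The labels are our own (assumption); the point is that each direction gets
    its own encryption key and its own MAC key.
    """
    return {
        label: hmac.new(master_secret, label.encode() + client_random + server_random,
                        hashlib.sha256).digest()
        for label in KEY_LABELS
    }


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (illustration only;
    # a real stack would use a standard block or stream cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt a record under the sender's write keys and append a MAC."""
    nonce = seq.to_bytes(NONCE_LEN, "big")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(enc_key: bytes, mac_key: bytes, record: bytes) -> Optional[bytes]:
    """Verify the MAC first, then decrypt; return None if the check fails."""
    if len(record) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def run_session_example() -> Dict[str, Optional[bytes]]:
    """Walk through one protected exchange with constructed, fixed inputs."""
    master = hashlib.sha256(b"constructed master secret").digest()
    keys = derive_session_keys(master, b"client-random-constructed", b"server-random-constructed")
    order = b"BUY 100 ACME"

    # Client -> server: protected with the client's write keys.
    record = protect(keys["client_write_enc"], keys["client_write_mac"], 1, order)
    # Server verifies with the same (client write) keys: succeeds.
    ok = unprotect(keys["client_write_enc"], keys["client_write_mac"], record)
    # Checking the record with the server's write keys fails: directional keys.
    wrong_direction = unprotect(keys["server_write_enc"], keys["server_write_mac"], record)
    # Flipping one ciphertext bit invalidates the MAC: integrity.
    tampered = record[:NONCE_LEN] + bytes([record[NONCE_LEN] ^ 0x01]) + record[NONCE_LEN + 1:]
    tampered_result = unprotect(keys["client_write_enc"], keys["client_write_mac"], tampered)
    # The server holds the client's write keys too, so it could build an
    # identical-looking "client" record: verification proves nothing to a
    # third party, which is why SSL gives no non-repudiation.
    forged = protect(keys["client_write_enc"], keys["client_write_mac"], 1, b"SELL 100 ACME")
    forged_accepted = unprotect(keys["client_write_enc"], keys["client_write_mac"], forged)

    return {"client_to_server": ok, "wrong_direction": wrong_direction,
            "tampered": tampered_result, "forged_by_server": forged_accepted}


if __name__ == "__main__":
    for name, value in run_session_example().items():
        print(f"{name}: {value!r}")
```

The MAC is checked before any decryption so that a corrupted record is dropped without acting on its contents; that ordering is a design choice for this example rather than a description of the SSL record layer.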

IPSEC

The IP Security Protocol (IPSEC) is being developed as a standard and is an extension to the existing IP networking protocol. Security is implemented so that it is transparent to the application.

Security here is made on a per-packet basis. A choice can be made for each outbound IP packet, whether or not to protect it using IPSEC, and thus only packets to a particular IP address may be protected. Security services offered include data confidentiality, data integrity and message origin authentication.

IPSEC is computationally intensive since it works on a per-packet basis, requiring each packet to be examined to determine whether or not it requires security.
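To make the per-packet selection concrete, here is an added example (constructed code, not IPsec's actual security policy database format; the rule layout, addresses and packet records are assumptions) that matches every outbound packet against an ordered list of destination-prefix rules, so that only traffic to a chosen back-end address takes the protected path, and counts how many packets had to be inspected to reach that decision.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example of per-packet policy selection. Each rule is
# (destination prefix, action); the first matching rule wins.
Rule = Tuple[str, str]

POLICY: List[Rule] = [
    ("192.0.2.10/32", "protect"),    # back-end application server (constructed address)
    ("192.0.2.0/24", "bypass"),      # rest of that network travels in the clear
    ("0.0.0.0/0", "bypass"),         # catch-all: no protection
]

# Constructed sample of outbound packets; a real stack would read the IP header.
SAMPLE_PACKETS: List[Dict[str, str]] = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp"},
    {"src": "10.0.0.5", "dst": "192.0.2.20", "proto": "tcp"},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": "udp"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "udp"},
]


def compile_policy(policy: List[Rule]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Parse the prefixes once so the per-packet check does not re-parse them."""
    return [(ipaddress.ip_network(cidr), action) for cidr, action in policy]


def select_action(dst: str, compiled) -> str:
    """Return the action for one packet; unmatched packets are discarded."""
    addr = ipaddress.ip_address(dst)
    for network, action in compiled:
        if addr in network:
            return action
    return "discard"


def process_outbound(packets: List[Dict[str, str]],
                     policy: List[Rule] = POLICY) -> Dict[str, object]:
    """Classify every outbound packet and report the per-packet cost."""
    compiled = compile_policy(policy)
    actions = [select_action(pkt["dst"], compiled) for pkt in packets]
    return {
        "actions": actions,
        "inspected": len(packets),            # every packet is examined
        "protected": actions.count("protect"),  # only these pay the crypto cost
    }


if __name__ == "__main__":
    result = process_outbound(SAMPLE_PACKETS)
    for pkt, action in zip(SAMPLE_PACKETS, result["actions"]):
        print(f"{pkt['dst']:>14} -> {action}")
    print(f"inspected={result['inspected']} protected={result['protected']}")
```

Every packet is inspected even when most end up bypassed, which is the overhead the paragraph above describes; the policy here keys only on destination address, as the article does, though a real selector can also use source address and protocol.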

Secure Electronic Transaction

The Secure Electronic Transaction (SET) protocol is a method jointly developed by Visa and Mastercard to secure bankcard transactions over open networks. It is aimed at replacing the current mail order/telephone order transactions (MOTO), but providing a higher level of security than these can offer. It is application-specific.

The architecture involves a number of players. These include entities known as cardholder, merchant, acquirer, issuer and payment gateway, as well as a number of certification authorities. Apart from payment gateway and certification authorities, all the other players exist today. The payment gateway is a device operated by an acquirer, or a designated third party, that processes merchant payment messages (including payment instructions from cardholders). The idea is to take the payment processing away from the merchant so as to reduce the risk of merchant fraud.

Summary

It is important to consider the requirements of the applications when choosing which method of Internet security to employ. The decision must be made as to the layer at which security is best employed, what services are required, and what overheads will be involved in its deployment. SSL provides good security and ease of use for low-level consumer trading, SET specifically protects credit card details but little else, and IPSEC provides network security for Internet backbones and VPLs.

* Usko Communications recently entered the information security market through the acquisition of the Zergo software agency.


Editorial contacts

Frank Heydenrych
Frank Heydenrych Consultants
(011) 452 8148
frank@fhc.co.za