Internet Commerce

It is an accepted fact that we are moving ever more rapidly from an analogue to a digital world. Every household item contains a computer, we listen to digitally mastered music, we need a degree in computer science (or alternatively an eight year old child) to program our video recorders, and the age of electronic commerce beckons.

This same trend is also evident in the business environment, of course. A recently published report from O’Reilly Research (Tel. 01264 342988) entitled "The State of Web Commerce", indicates that electronic commerce is among the most significant motivators driving businesses to the Internet. Of 1,038 businesses interviewed:

69% identified Internet-based customer support as critically important or significant

68% identified marketing in the same way

57% cited selling products as their key goal

60% think the Internet represents a new and important channel

51% believe that strategic use of the Internet will increase revenue

Unfortunately, in the last couple of years we have seen a great deal of press coverage devoted to Internet security – or rather the lack of it. This makes people wary of losses through electronic crime and credit card fraud, resulting in confusion and worry for those businesses who would otherwise be interested in, and reap a huge benefit from, the adoption of electronic commerce.

It is important to put these things into perspective, however. There have always been impediments to business, whether it be highwaymen, shipwrecks, pirates, bank robbers, or white-collar fraudsters. Each new innovation brings a new risk, yet whatever the risk, the business community must learn to adapt, minimise and, at worst, insure against, that risk.

At the end of the day, moving the platform from a traditional shop front to the electronic shop front of the Internet does not significantly increase or decrease the overall risk – we simply get a new breed of pirate.

What is Electronic Commerce?

What exactly is electronic commerce? Most companies which have dipped a toe into the water have so far restricted their on-line activities to electronic advertising and marketing. Users can browse on-line catalogues and other product literature, perhaps even placing an order via the Internet. But when it comes to paying for those goods and services, traditional methods of payment via telephone – usually with credit cards – are used.

Going forward, however, it is inevitable that both customer and vendor will want to move towards a completely electronic transaction, involving placing the order for goods or services, providing customer information and arranging or performing payment.

This brings the customer into the world of the "virtual shopping mall". Much has been written about the social implications of such an innovation, with the most popular tabloid image that of the sad, lonely individual who never ventures from his home and cannot interact with his fellow man. Whilst there is an element of truth in such an observation, such cases will be few and far between. Instead, we are likely to see huge advantages for the majority of our society.

Like it or not, we work more hours today than we ever did (what happened to the dream of technology actually reducing our workload and increasing our leisure hours?). We don’t want to spend our precious spare time trailing round Sainsburys for our mundane weekly shop. Parents with young children do not want to have to get them ready, wrestle them into the car and haul them screaming from their squeaky trolley all around the aisles of Tescos just to acquire a bumper pack of disposable nappies and a box of paracetamol.

Instead, we want to be able to acquire such everyday items electronically. We want to be able to create our "virtual shopping basket" of regular weekly items which is stored on-line, added to or subtracted from as required, and paid for via our PC, to be delivered the next day to our door. Far from reducing the quality of our lives, this automates the mundane tasks, leaving us free to concentrate on our leisure activities, or more "productive" shopping expeditions. Because, of course, at the end of the day, people will still go shopping.

We cannot resist trying on the clothes, testing the swing of those golf clubs, getting behind the wheel of that new car, or simply scanning the contents of those books we have been meaning to buy. But by shopping for the ordinary, everyday or difficult to find items over the Internet, the shopping trip of the future can be more of a pleasure than a chore.

Security Issues

Of course, there remains the barrier of security, as we have already mentioned. In a face-to-face transaction, it is very difficult to "fake it". The legitimacy of a major department store is easy to verify – it is huge, it has all the right livery, it contains expensive displays and stock items, and is staffed by real people wearing name tags and corporate uniforms. In addition, the entire transaction is within our view and under our control – we can see the goods we are about to buy, perhaps try them out in the store, we hand over our cash or credit card and can verify that the sales assistant is processing the sale correctly. Things are not quite so straightforward on the Internet. With enough resources thrown behind a Web presence, even the smallest one-man band can appear as grand as Harrods. How, then, do customers know they are dealing with legitimate businesses?

And how does the business know it is dealing with a legitimate customer? This is a problem in the "real" world too, of course, as the figures for credit card fraud demonstrate quite adequately. However, in a face-to-face transaction, the shop assistant can attempt to assess the appearance of a customer, judge the body language, watch the fluency of the signature, and match the signature to that on the card with reasonable care and accuracy. The opportunity for fraud is greatly increased when the potential fraudster can hide behind a PC, from where fake payment or personal details can be provided easily.

Privacy is another issue. When purchasing from a store, we can remain fairly anonymous by paying for an item with cash, but this can never be an option with electronic commerce. To date in our dealings on the Internet too, we have been able to hide behind aliases and anonymous postings in order to conceal our true identity where required. Indeed, the Internet depends on that feature in order to maintain the level of outspokenness which is its trademark, and which is surely worth preserving.

In stark contrast, however, the whole issue of security revolves around the ability to prove beyond a shadow of a doubt that we are who we say we are, and that we have the means to pay for the goods we are ordering.

Without the ability to verify the identity of a potential customer, the Internet will never realise its potential as a universal backbone of commerce and communications. After all, neither merchant nor customer is likely to feel comfortable exposing himself to the electronic equivalent of the guy wearing a pair of tights over his head!

This requires that we provide a number of personal details – at the very least our name and address – together with some sort of unique ID (which can range from a simple password or PIN number to an elaborate smart card or biometric readout) in order to provide concrete proof of our identity. Once the vendor has these details, of course, it is fair to assume that there will be a degree of manipulation in the name of marketing – perhaps storing our shopping habits and preferences in some gigantic database. The customer thus needs to be sure that such personal details will be stored securely, and not made available to third parties without prior written consent.

Finally, if all else fails there is the legal angle. Assuming that some form of fraud or inappropriate disclosure of personal details has taken place during an electronic transaction, what are the indemnifying factors that protect both merchant and customer? The non-computerised trading world has never been 100 per cent secure, and most people understand the sort of protection they can expect when using a credit card – if someone makes off with your card, the issuer makes good on its promise to protect both you and the merchant. Of course, the card companies know that they have to write off four or five per cent of their profits to fraud, but this level of write-off is perfectly acceptable given the increase in business they get by allowing customers to use their cards with impunity. This relationship is why the whole system works as well as it does, and it needs to be mirrored on the Web. It is unlikely that electronic commerce will enjoy wide market acceptance unless the extent of end-user liability is clearly understood by both parties. Of course the hit taken by the card issuers for fraud is likely to be even higher, but then so are the potential gains from a whole new market.

Crime Prevention

But we are getting ahead of ourselves here – already talking about the inevitability of fraud when we really need to be discussing how we can prevent it from happening. At the end of the day, consumer confidence is the key to the success of the electronic marketplace, and this confidence is born of two things. The first is the guaranteed indemnity of which we have already spoken, and the second is the assumption that the system is inherently secure.

As customers, we all know that banks can be held up, but we are equally confident that such an event is an extremely rare occurrence. So we need to be sure that the systems behind the Internet bank and the electronic mall are also resistant to all but the most determined attack – the equivalent of half a dozen guys in ski masks with guns, a few pounds of plastic explosive and a couple of fast getaway cars. No system can ever be 100 per cent secure, but it has to be secure enough to deter the casual hacker – we don’t want some spotty adolescent spiriting away our hard earned dosh from his bedroom using nothing more than a cheap PC, a modem and a few lines of code he downloaded from the "Hackers ’R’ Us" Web site.

Traditional EDI (Electronic Data Interchange) applications assume that the parties transmitting data are already well known to each other, or that the data is being transmitted over a secure channel or network (often a private link). This assumption does not work when dealing over the Internet, where there are literally millions of users, with identities being added, changed and deleted all the time. It is also quite obviously unwise to assume that the Internet is a secure channel that is tamper-proof. A different approach is therefore required.

Electronic Commerce Today

One of the most significant findings of The State of Web Commerce report from O’Reilly mentioned earlier, is the census of fully-enabled servers capable of secure communications. Of 648,613 publicly visible Web servers surveyed, 525,915 responded to standard HTTP requests on port 80, identifying themselves as normal Web servers. When those same servers were queried on port 443, only 65,407 (around one in ten) responded with HTTPS (ordinary HTTP, but exchanged over an SSL-encrypted session).

However, among these, only 3,239 offered a valid digital certificate signed by a trusted third party. If we therefore approach the question of commerce-readiness with consumer confidence in mind, then only 3,239 – or roughly one half of one per cent of sites surveyed – meet the two criteria (encryption and third-party signed certificates) established for fully-enabled secure communications.

Another key point to bear in mind is that 60 per cent of those sites are currently using strong encryption (128 bit as opposed to exportable 40 bit), and almost 94 per cent of those are located in North America. This is hardly surprising given the American regulations prohibiting the export of products incorporating strong cryptography.

Despite the EU initiative to establish an international cryptographic infrastructure, together with the recent appearance of "home grown" strong cryptography products, the fact remains that the majority of the software we use today comes from the US.

Although there are plenty of airtight encryption systems developed in Europe, they do tend to be more expensive than their US counterparts and it is often impractical to add them to a network that already has a large installed base of US equipment.

Before January 1997, US companies were only allowed to ship encryption products based on 56 bit DES out of the US if they were going to foreign subsidiaries (more than 50 per cent US-owned) or to banks. The American-imposed export restrictions were therefore often seen as a major barrier to the widespread adoption of electronic commerce outside the US, given that 40 bit encryption is seen as too weak for commercial use in connection with financial transactions. Now, however, there are signs of improvement in this situation.

An executive order – regarding Administration of Export Control on Encryption Products – took effect in the US on January 1, 1997, effectively allowing all vendors to begin shipping 56 bit key encryption products world-wide providing they agree to add Key Recovery to their products within two years. Once fully compliant with the US Government-imposed Key Management Infrastructure (KMI), vendors are then at liberty to begin exporting stronger encryption, using unlimited key lengths.

Key Recovery works by embedding the keys used to encrypt the message within the message itself in a "Key Recovery Field", which is then encrypted using yet another public key provided by a Key Recovery Centre (KRC). The private key is held only by the KRC, and in theory can only be used to recover keys on presentation of a court order. At the moment, products incorporating Key Recovery can make use of one of three proprietary, dynamic key management protocols – Internet Security Association/Key Management Protocol (ISA/KMP) Oakley (backed mainly by Cisco); Simple Key Exchange Internet Protocol (SKIP), backed by Sun; and Photuris Session Key Management Protocol, backed by Radguard.

Also known as "Key Escrow", or "Trusted Third Party", Key Recovery has been slammed by most of its likely users due to the potential for the criminal element to target Key Recovery Centres in an attempt to gain access to thousands of sets of data in a single swoop. KRCs provide an extremely valuable single point of failure for the system as a whole, made worse by the proposal that some KRCs would use a single key for many users.

There is also the feeling, of course, that it does not make commercial sense to allow any third party – even a "trusted" one – to hold keys which could provide access to our most sensitive corporate data.

A Solution For a Paranoid World

Amazingly enough, there is an answer. Internet SmartWare (Tel. 0181 574 9545) is a UK company specialising in Internet security products, and is the sole UK distributor for V-One’s SmartGate product. In April this year, it became the first vendor to gain authorisation to supply European companies with strong US encryption technology. Although initially restricted to 56 bit encryption, V-One is already well down the road on the KMI initiative, and it will not be long before the use of 128 bit keys (and beyond) is possible outside the US. Another vital breakthrough is the ability to bypass the much-criticised Trusted Third Party method of Key Recovery and implement Trusted First Party instead.

Under the terms of KMI, end-users are still required to furnish their keys to Government agencies on presentation of a court order, but the Trusted First Party system allows companies to run their own Key Recovery Centres internally, thus maintaining complete control over all their data, together with the associated public and private keys.

This will undoubtedly provide a boost to sales of SmartGate, which provides a vital part of the e-commerce jigsaw – that of a secure, authenticated and encrypted link from client to server across a potentially insecure network such as the Internet.

Many users are beginning to come up against the limitations of traditional firewalls, making it difficult to expand the usage of the Internet into other areas of the organisation. The problem is that they were originally built as one-way devices, designed to block all incoming connections and effectively keep people out. With the advent of Internet commerce, however, it is increasingly important to allow effective two-way conversations to occur between two authorised parties through an otherwise secure firewall.

The issue now becomes how to provide a secure, fine-grained access-control and encryption channel between specific users and applications outside the firewall and the e-commerce application software behind the firewall.

This needs to happen in order to support client-server applications across the Internet, but it needs to happen in such a way that allowing remote users to communicate with a protected network via the firewall does not at the same time open a channel which potentially could be exploited by unauthorised users.

When linking two sites together across the Internet, we can make use of a feature incorporated within most firewall products currently available called Virtual Private Networks (VPNs). VPNs provide a transparent encrypted link between two sites which appears as a simple point to point connection, thus allowing existing applications to use it without modification. The drawback is that it requires a firewall at each end, and is thus only of use when connecting sites or organisations. E-commerce requires that we provide a temporary link between customer and vendor which is equally secure, yet is created and removed dynamically.

SmartGate

SmartGate includes both a client and a server component which between them manage the authentication, encryption and fine-grained access control between client and server. As its name suggests, SmartGate acts as a gateway to the private network, protecting the privileged resource and only allowing access to users who present a validated pass. The pass, or user credential, is validated by means of a user-token that can range in relative strength from a simple password to smart cards or X.509v3 Certificates.

One of the main advantages of SmartGate is its ability to provide strong security services for all TCP applications, giving them a consistent security interface that can be deployed without altering, recompiling, or replacing applications or system software on the desktop. This also allows it to be used in conjunction with other security systems, including firewalls and other forms of software security from any vendor. In addition to being transparent at the application level, SmartGate is also virtually invisible to the user - the only interaction with the security system is by entering an authentication code at the beginning of a secure session. Different methods of authentication can be employed per application, and on a user-by-user basis, including ISO standard smart cards for both authentication and stored data, virtual smart cards, FORTEZZA authentication cards, and X.509v3 digital certificates.

The virtual smart card technology used within SmartGate has many of the same properties as a real smart card, but is simply a chunk of encrypted data stored on a user’s hard disk or on a floppy disk.

The user’s PIN code, with a settable minimum length, is used as the encryption key for the data stored on the disk, so if the virtual smart card is stolen it will be harder to compromise. Virtual smart cards are a cheap, easy, and fast way to deploy smart card technology today, and to evolve into supporting real smart cards as they become more widely used.

The virtual smart card approach works very well for customers that have mobile desktops in that the user travels and brings their complete system with them. On the other hand, real smart cards are a more effective solution for customers that have mobile users who do not carry anything with them other than just the card.

Once the SmartPass client software has been installed at the customer’s desktop, the client application communicates directly with SmartPass (treating it as a proxy server on the local machine) which, in turn, communicates with SmartGate over an encrypted link.

End-to-end encryption is provided via a 56-bit DES or RC4 mechanism, whilst user authentication is accomplished using a mutual challenge/response authentication for each session that is created. This is a high-security form of secret-key based authentication, chosen for its performance advantages over public key techniques.

Of course, secret-key authentication systems require some kind of enrolment process, whereby a user is recognised as a registered user – this is the only way to ensure that each party has a common secret key. SmartGate circumvents the problematic management issues, however, by allowing "dynamic enrolment", in which a virtual smart card is securely exchanged with a user, but is left deactivated until the administrator enables it. The process of creating the user’s keys, exchanging them, and initialising their access control is completely automated and invisible to the user.
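The mutual challenge/response exchange described above can be sketched as follows. This is an added example, not V-One's code and not SmartGate's actual protocol: it assumes HMAC-SHA256 as the keyed function, the `Gateway` and `Client` classes are hypothetical, and dynamic enrolment is modelled as a key that exists but is refused until the administrator enables it.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes; a fresh nonce per session defeats replay

def proof(key, role, nc, ns, user):
    """HMAC-SHA256 over a one-byte role label, both nonces and the user id.
    The role label stops one side's proof being reflected back as the other's."""
    return hmac.new(key, role + nc + ns + user.encode(), hashlib.sha256).digest()

class Gateway:
    """Server side (hypothetical): per-user secret key plus an enabled flag."""
    def __init__(self):
        self.users = {}    # user -> [key, enabled]
        self.pending = {}  # user -> (nc, ns) of the handshake in progress

    def enrol(self, user):
        """Create the shared key; the account stays deactivated until enable()."""
        self.users[user] = [secrets.token_bytes(32), False]
        return self.users[user][0]

    def enable(self, user):
        self.users[user][1] = True

    def challenge(self, user, nc):
        """Prove knowledge of the key over the client's nonce, issue our own."""
        entry = self.users.get(user)
        if entry is None or not entry[1] or len(nc) != NONCE_LEN:
            return None
        ns = secrets.token_bytes(NONCE_LEN)
        self.pending[user] = (nc, ns)
        return ns, proof(entry[0], b"S", nc, ns, user)

    def verify(self, user, client_proof):
        """Check the client's response; a challenge can be answered only once."""
        state = self.pending.pop(user, None)
        if state is None:
            return None
        key = self.users[user][0]
        if not hmac.compare_digest(proof(key, b"C", *state, user), client_proof):
            return None
        return proof(key, b"K", *state, user)  # per-session key

class Client:
    def __init__(self, user, key):
        self.user, self.key, self.nc = user, key, None

    def hello(self):
        self.nc = secrets.token_bytes(NONCE_LEN)
        return self.user, self.nc

    def respond(self, ns, server_proof):
        """Authenticate the gateway first, then answer its challenge."""
        expected = proof(self.key, b"S", self.nc, ns, self.user)
        if not hmac.compare_digest(expected, server_proof):
            return None
        return (proof(self.key, b"C", self.nc, ns, self.user),
                proof(self.key, b"K", self.nc, ns, self.user))

def handshake(gateway, client):
    """Run the whole exchange; return the agreed session key or None."""
    reply = gateway.challenge(*client.hello())
    answer = client.respond(*reply) if reply else None
    if answer is None:
        return None
    server_key = gateway.verify(client.user, answer[0])
    return server_key if server_key == answer[1] else None
```

Calling `handshake(gw, Client("alice", gw.enrol("alice")))` returns `None` until `gw.enable("alice")` has been called, after which each run yields a different 32-byte session key.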

Environments with more stringent security requirements – such as on-line banking, for instance – may prefer to issue virtual smart cards on floppy disks with predetermined keys, or even use real smart cards, all of which are supported by SmartGate.

Summary

There has been a great deal of hype surrounding the Internet over the last year or two, and for every positive story there have been a couple of negative ones – usually security related.

As we move forward into the world of Internet commerce, it is important to keep things in perspective. Whatever the risks inherent in new technologies and opportunities, business practices must continue to evolve. In order to move forward, we must accept some of those risks, whilst doing our utmost to minimise them as far as is humanly - and technologically - possible.

No one product or technology will solve all your security problems, but with numerous vendors rallying behind the key standards, it will hopefully not be too long before we see interoperability between different firewall, encryption and authentication products. In the meantime, as the US stranglehold on the encryption market eases, we don’t have to look too far for a comprehensive solution to our electronic commerce requirements.

At the end of the day, the Internet is open and ready for business – are you?

Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.