1. Confidentiality. E-commerce as a means of trade, its information directly represents personal, corporate or national business secrets. Traditional paper-based trade is through the mail encapsulated letters or through reliable communication channels to send business messages to achieve the purpose of confidentiality. E-commerce is built on a more open network environment (especially the Internet is a more open network), and the maintenance of commercial confidentiality is an important guarantee for the full promotion and application of e-commerce. Therefore, it is necessary to prevent illegal access to information and illegal theft of information in the process of transmission. Confidentiality is generally realized through cryptography to encrypt the transmitted information.
2. Integrity. E-commerce simplifies the trade process, reduces human intervention, and also brings the problem of maintaining the integrity and unity of commercial information of trade parties. Due to accidental errors or fraudulent behavior during data entry, it may lead to differences in the information of trade parties. In addition, loss of information during data transmission, duplication of information or differences in the order in which information is transmitted may also lead to differences in the information of the trading parties. The integrity of the information of the trading parties will affect the trading parties' transaction and business strategies, and maintaining the integrity of the information of the trading parties is the basis of e-commerce applications. Therefore, it is necessary to prevent arbitrary generation, modification and deletion of information, and at the same time to prevent the loss and duplication of information in the process of data transmission and to ensure the unity of the order of information transmission. Integrity can generally be obtained by extracting the information message digest.
3. Authentication. Due to the special nature of the network e-commerce transaction system, business or personal transactions are usually carried out in the virtual network environment, so the identity of the individual or business entity to confirm the e-commerce has become a very important part. The identification of a person or entity provides a guarantee of the authenticity of the identity, i.e., the parties to a transaction are able to confirm the identity of the other party without meeting each other. This means that when a person or entity claims to have a particular identity, the authentication service will provide a way to verify the correctness of the claim, typically through a certificate authority CA and a certificate.
4. Non-repudiation. E-commerce may be directly related to the commercial transactions between the two sides of the trade, how to determine the trade party to carry out the transaction is exactly to carry out the transaction is expected of the trade party this issue is to ensure that e-commerce is the key to the smooth running of e-commerce. In the traditional paper trade, the trading parties through the transaction contract, contract or trade documents and other written documents such as handwritten signature or seal to identify trading partners, to determine the contract, contract, document reliability and prevent the occurrence of repudiation. This is also often referred to as "black and white". In the paperless e-commerce mode, through the handwritten signature and seal for the identification of trading parties has been impossible. Therefore, it is important to provide reliable identification of the individuals, enterprises or countries involved in a transaction during the transmission of the transaction information. Non-repudiation can be obtained by digitally signing the sent messages.
5. Validity. E-commerce in electronic form instead of paper, then how to ensure the validity of this electronic form of trade information is to carry out the premise of e-commerce. E-commerce as a form of trade, the effectiveness of its information will be directly related to the individual, enterprise or national economic interests and reputation. Therefore, it is necessary to control and prevent potential threats arising from network failures, operational errors, application program errors, hardware failures, system software errors and computer viruses, in order to ensure that the trade data are valid at a definite moment and a definite place.
The main technologies in e-commerce security
E-commerce security is the upper application of information security, which includes a wide range of technologies, mainly divided into two categories of network security technology and cryptography, of which cryptography can be categorized into encryption, digital signatures and authentication technology.
1. Network security technology
Network security is the foundation of e-commerce security, a complete e-commerce system should be built on a secure network infrastructure. Network security involves more aspects, such as operating system security, firewall technology, virtual private network VPN technology and a variety of anti-hacking technology and vulnerability detection technology. The most important of these is firewall technology.
Firewall is built on the communication technology and information security technology, it is used to establish a security barrier between the network, according to the specified policy on the network data filtering, analysis and auditing, and to provide effective prevention of various attacks. It is mainly used for Internet access and secure connection between private and public networks.
Currently used in the domestic need to firewall products are some of the major foreign vendors to provide, the domestic research and product development in firewall technology is relatively weak, started late. Due to foreign restrictions on encryption technology and protection, the country can not get the much-needed safe and practical network security systems and data encryption software. Therefore, even the excellent foreign firewall products can not be completely used in the domestic market, at the same time, due to political, military and economic reasons, China should also develop and adopt its own firewall system and data encryption software to meet the huge needs of users and the market, but also for the construction of China's information security infrastructure has a huge role.
VPN also makes a guarantee of network security, one of the technologies, which refers to the establishment of a private network in the public **** network, the data through the establishment of a good virtual security channel in the public **** network propagation. Enterprises only need to rent a local data line, connected to the local public information network, its branches around the world can be securely transferring information between each other; at the same time, enterprises can also use the public information network dial-up access equipment, so that their users dial up to the public information network, can be connected to enter the corporate network. The use of VPN has the benefits of saving costs, providing remote access, scalability, ease of management and realize the benefits of comprehensive control, is the current and future trend of the development of enterprise networks.
2. Encryption technology
Encryption technology is an important means of ensuring the security of e-commerce, many cryptographic algorithms have now become the basis of network security and business information security. Cryptographic algorithms use secret keys (secret keys) to encrypt sensitive information, and then send the encrypted data and keys (to be secure) to the receiver, the receiver can use the same algorithms and pass the key to decrypt the data, so as to obtain sensitive information and ensure the confidentiality of network data. Using another cryptographic technology called digital signature (digital signature) can simultaneously ensure the integrity and authenticity of network data. The use of cryptography can achieve the needs of e-commerce security, to ensure the confidentiality of business transactions, integrity, authenticity and non-repudiation.
While cryptography only became popular during World War II and is only now being widely used in network security and e-commerce security, its origins date back thousands of years, and its ideas are still in use today, only with added mathematical sophistication in the process.
Encryption techniques include private-key encryption and public-key encryption. Private key encryption, also known as symmetric key encryption, that is, the sender and receiver of information with a key to encrypt and decrypt the data, the current commonly used private key encryption algorithms, including DES and IDEA. The biggest advantage of symmetric encryption technology is that the encryption/decryption speed is fast, and it is suitable for encrypting large amount of data, but the key management is difficult. Symmetric encryption technology requires that the communicating parties exchange keys beforehand, and when there are many system users, for example, in an online shopping environment, merchants need to transact with thousands of shoppers, if a simple pair of stale key encryption technology is used, the merchant needs to manage thousands of keys to communicate with different objects, and in addition to the storage overhead, the key management is a nearly impossible problem to solve; in addition, how do the two parties exchange keys? Through traditional means? Over the Internet? Either way, the problem of security of key delivery is encountered. In addition, in environments where keys are typically changed frequently, or more extremely, where a different key is used for each transmission, symmetric techniques for both key management and distribution are far from adequate.
Public key encryption, also known as asymmetric key encryption system, which requires the use of a pair of keys to complete the home encryption and decryption operations, respectively, a public release, known as the public key (Public-Key); the other by the user to keep their own secret, known as the private key (Private-Key). The sender of the message encrypts with the Public-Key, while the receiver of the message decrypts with the Private-Key. The encryption process is mathematically guaranteed to be an irreversible process, i.e., a message encrypted with a public key can only be decrypted with the private key paired with the public key. Commonly used algorithms are RSA, ElGamal, etc. The public key mechanism is flexible, but the encryption and decryption speed is much slower than the symmetric key encryption
In order to make full use of the advantages of public key cryptography and symmetric cryptographic algorithms, to overcome their shortcomings, and to solve the problem of replacing the key every time the transmission is made, a hybrid cryptosystem is proposed, which is known as the electronic envelope (envelope) technology. The sender automatically generates a symmetric key, sends the message with the symmetric key plus the key, and transmits the generated ciphertext together with the symmetric key encrypted with the receiver's public key. The recipient decrypts the encrypted key with its secret key to obtain the symmetric key and uses it to decrypt the ciphertext. This ensures that each transmission can be made with a different key selected by the sender, which better guarantees the security of data communication.
Using a hybrid cryptosystem provides both confidentiality assurance and access control. Encrypting a large amount of input data using a symmetric encryption algorithm provides confidentiality assurance, and then encrypting the symmetric key using a public key. If you want multiple recipients to be able to use the information, you can simply encrypt a copy of the symmetric key with the public key for each recipient, thus providing access control.
3. Digital signatures
Digital signatures in the very commonly used is the hash (HASH) function, also known as the message digest (Message Digest), hash function or hash function, etc., whose input is a variable-length input, the return of a fixed-length string, which is referred to as the hash value of the input (Message Digest)
Daily life, usually through the signature of a document to ensure that the document is not a message. In daily life, a document is usually signed to ensure the authenticity and validity of the document, the signatory party can be constrained to prevent its denial behavior, and the document and the signature is sent at the same time as the basis for future verification. In the network environment, electronic digital signatures can be used as a simulation, so as to provide non-repudiation services for e-commerce.
Combining the HASH function with a public key algorithm can provide data integrity while also ensuring data authenticity. Integrity guarantees that the transmitted data has not been modified, while authenticity guarantees that the HASH was generated by a determined legitimate person and not counterfeited by someone else. And combining these two mechanisms produces what is known as a Digital Signature.
The message is computed using a mutually agreed upon HASH algorithm to obtain a fixed number of bits of the message digest (Mes-sage Digest) value. It is mathematically guaranteed that if any bit of the message is changed, the recalculated message digest will not match the original value. This ensures that the message is immutable. The message digest value is then encrypted with the sender's private key, and the ciphertext is then sent to the receiver along with the original message, resulting in a message known as a digital signature.
The receiver receives the digital signature, uses the same HASH algorithm to calculate the digest value of the message, and then compares it with the digest value of the message decrypted with the sender's public key. If they are equal, it means that the message is indeed from the sender, because only information encrypted with the sender's signature private key can be decrypted with the sender's public key, thus ensuring the authenticity of the data.
Digital signatures have the following advantages over handwritten signatures in terms of security: digital signatures are not only related to the signer's private key, but also to the content of the message, so the signer's signature on one message cannot be copied to another, and it also prevents tampering with the content of the message.
4. Certification Authorities and Digital Certificates
For both digital signatures and public key cryptography, there is the problem of distributing public keys, that is, if a user's public key is sent in a secure and reliable way to another party who needs it. This requires that the system that manages these public keys must be trustworthy. In such a system, if Alice wants to send some encrypted data to Bob, Alice needs to know Bob's public key; if Bob wants to check the digital signature of a document sent by Alice, Bob needs to know Alice's public key.
Security measures in e-commerce include the following categories:
(1) to ensure the authenticity of the identities of the two parties to the transaction: the commonly used processing technology is the identity of the authentication, relying on a trusted organization (CA certification center) to issue certificates, and to identify each other. The purpose is to ensure the accuracy of the identity, distinguish the authenticity of the participants' identities, and prevent forgery attacks.
(2) Ensure information confidentiality: to protect information from being leaked or disclosed to unauthorized people or organizations, the commonly used processing techniques are data encryption and decryption, the security of which depends on the algorithms used and the length of the key. Common encryption methods include symmetric key encryption (e.g. DES algorithm) and public key encryption (e.g. RSA algorithm).
(3) to ensure the integrity of the information: commonly used data hashing and other techniques to achieve. Hash algorithms are used to protect data from being created, embedded, deleted, tampered with, and replayed by unauthorized persons (illegal users). Typical hashing algorithms are one of the one-way hashing algorithms developed by the U.S. National Security Agency.
(4) to ensure the authenticity of information: the commonly used means of processing is digital signature technology. The purpose is to solve the communication between the two parties to each other possible fraud, such as sending the user of the information he sent the denial, receiving the user of the information he has received the denial of the information, etc., rather than deal with unknown attackers, the basis of which is the public key encryption technology. Currently, there are more digital signature algorithms available such as RSA digital signature, ELGamal digital signature etc.
(5) to ensure the non-repudiation of information: usually requires the introduction of the certification center (CA) for management, the CA issued the key, the transmission of documents and their signatures of the backup sent to the CA for preservation, as the basis of arbitration of possible disputes.
(6) to ensure the security of stored information: standardize internal management, the use of access control permissions and logs, as well as encrypted storage of sensitive information. When using WWW servers to support e-commerce activities, attention should be paid to the backup and recovery of data, and the use of firewall technology to protect the security of the internal network.