Unit 3

E-Commerce Application Services

The application services layer of e-commerce comprises existing and future
applications built on the innate architecture.
Three distinct classes of electronic commerce application can be distinguished:
customer-to-business, business-to-business, and intra-organization.

Consumer to Business Transaction


• In contrast with the more traditional business-to-consumer model, the C2B
(consumer-to-business) model allows businesses to extract value from
consumers – and vice versa.
• In the C2B model, businesses profit from the willingness of consumers to
name their own price or contribute data or marketing to the company,
while consumers profit from flexibility, direct payment, or free or reduced-
price products and services.
• C2B business models include reverse auctions, in which customers name
the price for a product or service they wish to buy.
• Another form of C2B occurs when a consumer provides a business with a
fee-based opportunity to market the business's products on the
consumer's blog. For example, food companies may ask food bloggers to
include a new product in a recipe, and review it for readers of their blogs.
• The C2B model has flourished in the Internet age because of ready
access to consumers who are "plugged in" to brands. Where the business
relationship was once strictly one-directional, with companies pushing
services and goods to consumers, the new bi-directional network has
allowed consumers to become their own businesses.

Business to Business Transaction


• We call this category market-link transaction. Here, businesses,
governments, and other organizations depend on computer-to-computer
communication as a fast, economical, and dependable way to
conduct business transactions.
• Small companies are also beginning to see the benefits of adopting the
same methods.
• Business-to-business transactions include the use of EDI and electronic
mail for purchasing goods and services, buying information and consulting
services, submitting requests for proposals, and receiving proposals.
• Examine this scenario. The current accounts payable process occurs
through the exchange of paper documents. Each year the trading partners
exchange millions of invoices, checks, purchase orders, financial reports,
and other transactions. Most of the documents are in electronic form at
their point of origin but are printed and key-entered at the point of receipt.
The current manual process of printing and mailing is costly, time-consuming,
and error-prone. Given this situation and faced with the need to reduce
costs, small businesses are looking toward electronic commerce as a
possible savior.

Security on the web

Vaibhav Desai (SDJ International College, Surat)


• No e-commerce system can guarantee 100-percent protection for your
credit card, but you're less likely to get your pocket picked online than in a
real store.
• Although Internet security breaches have received a lot of press attention,
most vendors and analysts argue that transactions are actually less
dangerous in cyberspace than in the physical world.
• For merchants, E-commerce is actually safer than opening a store that
could be looted, burned, or flooded.
• The difficulty is in getting customers to believe that E-commerce is safe for
them. Consumers don't really believe it yet, but experts say E-commerce
transactions are safer than ordinary credit card purchases.
• Ever since the 1.0 versions of Netscape Navigator and Microsoft Internet
Explorer, transactions can be encrypted using Secure Sockets
Layer (SSL), a protocol that creates a secure connection to the server,
protecting the information as it travels over the Internet.
• SSL uses public key encryption, one of the strongest encryption methods
around. A way to tell that a Web site is secured by SSL is when the URL
begins with https instead of http.
• Browser makers and credit card companies are promoting an additional
security standard called Secure Electronic Transactions (SET). SET
encodes the credit card numbers that sit on vendors' servers so that only
banks and credit card companies can read the numbers.

Cryptography
• Cryptography is a means of transforming data in a way that renders it
unreadable by anyone except the intended recipient.
• Every modern computer system uses modern cryptographic methods to
secure stored passwords, and cryptography provides the trusted backbone
for e-commerce.

plaintext → Encryption → ciphertext → Decryption → plaintext

• An encryption algorithm is also called a cipher

• Cryptography has evolved so that modern encryption and decryption use secret keys

• Cryptographic algorithms can be openly published

• Only the keys have to be protected

plaintext → Encryption (Key KA) → ciphertext → Decryption (Key KB) → plaintext


Encryption: scrambling a message or data using a specialized cryptographic
algorithm.
Plaintext: the message or data before it gets encrypted.
Ciphertext: the encrypted (scrambled) version of the message.
Cipher: the algorithm that does the encryption.
Decryption: the process of converting ciphertext back to the original plaintext.
Cryptanalysis: the science of breaking cryptographic algorithms.
Cryptanalyst: a person who breaks cryptographic codes; also referred to as “the
attacker”.

Symmetric-Key Cryptography

plaintext → Encryption (Key KA) → ciphertext → Decryption (Key KB=KA) → plaintext

Key KA ← Secure Key Distribution → Key KB

• Both sender and receiver keys are the same: KA=KB

• The keys must be kept secret and securely distributed

• Thus, also called “Secret Key Cryptography”

• Data Encryption Standard (DES)

The plaintext:   0 1 0 0 0 0 1 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0
The key:         1 1 0 1 0 0 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0
The ciphertext:  1 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 0 1 1 0 1 0 0 1

ciphertext:      1 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 0 1 1 0 1 0 0 1
XOR'd with key:  1 1 0 1 0 0 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0
yields plaintext: 0 1 0 0 0 0 1 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0


Asymmetric (Public key) Cryptography
• Public key cryptography is an attempt to circumvent the key distribution
problem completely.
• As it turns out, asymmetric algorithms tend to be very inefficient.
• Their main use is in solving the key exchange problem for symmetric
cryptography.

• In asymmetric cryptography, each user has two keys: a public key and a
private key.
• The public key is made public. For example, it may be published on a
Web site.
• The private key must be kept secret. It is never shared with anyone.
• The security of the private key in asymmetric cryptography is as important
as key security in symmetric crypto.

Example (Alice → Bob):

• Alice wants to send a message to Bob.
• Alice uses Bob’s public key to encrypt the message.
• The encrypted message is sent over the insecure medium.
• Bob uses his private key to decrypt the encrypted message.
• No one but Bob knows the private key.
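
The Alice-to-Bob exchange above, combined with the earlier point that public-key algorithms are mainly used to solve key exchange for symmetric cryptography, as an added example (not part of the original notes). It assumes textbook RSA without padding and a toy XOR keystream cipher in the spirit of the XOR example in the symmetric section; the function names and the demo primes are constructed for illustration.

```python
# Added teaching example: textbook RSA (no padding) plus a toy XOR stream cipher.
import hashlib
import secrets

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Build (public, private) textbook-RSA keys from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def xor_stream(key, data):
    """Symmetric step: XOR data with a keystream derived from the key.
    The same call encrypts and decrypts because both sides hold the same key."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def alice_send(message, bob_public):
    """Alice needs only Bob's public key."""
    n, e = bob_public
    session_key = secrets.token_bytes(16)  # fresh symmetric key per message
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, xor_stream(session_key, message)

def bob_receive(wrapped_key, ciphertext, bob_private):
    """Bob unwraps the session key with his private key, then decrypts."""
    n, d = bob_private
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return xor_stream(session_key, ciphertext)

# Constructed demo key from the Mersenne primes 2^61-1 and 2^89-1.
# Far too small for real use; it only keeps the example self-contained.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)

if __name__ == "__main__":
    wrapped, ct = alice_send(b"Order 1001: 3 books", BOB_PUBLIC)
    print("wrapped session key:", hex(wrapped))
    print("ciphertext:", ct.hex())
    print("Bob reads:", bob_receive(wrapped, ct, BOB_PRIVATE))
```

Only the short session key goes through the slow public-key operation; the message itself is protected by the fast symmetric step.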

Digital Signature
• A digital signature is the electronic signature (Certificate) duly issued by
the Certifying Authority that shows the authenticity of the person signing
the same.
• Digital signatures, a form of electronic signatures, are created and verified
using Asymmetric (Public Key) Cryptography that is based on the concept
of a key pair generated by a mathematical algorithm, the public and private
keys.
• Three elements of DSC (Digital Signature Certificate)
o Subject Name and Other Certificate Extensions. This is
information about the object being certified.

o Public Key Information. This is the public key of the entity being
certified. The certificate acts to bind the public key to the attribute
information described above.
o Certifying Authority (CA) Signature. The CA signs the first two
elements and thereby adds credibility to the certificate. People who
receive the certificate check the signature and will believe the
information if they trust that certifying authority.
• Certifying Authorities
o Controller of Certifying Authorities (CCA)
▪ www.cca.gov.in
o Certifying Authority (CA)
▪ Tata Consultancy Services (TCS)
▪ National Informatics Center (NIC)
▪ IDRBT Certifying Authority
▪ SafeScrypt CA Services, Sify Communications Ltd.
▪ (n) Code Solutions CA
▪ MTNL Trust Line
▪ *Customs & Central Excise
▪ E-MUDHRA
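
The three certificate elements listed above (subject name, public key, CA signature over the first two), as an added example that is not part of the original notes. It assumes textbook RSA signing of a SHA-256 digest with no padding; the field names, the subject `shop.example` and the demo primes are constructed for illustration and do not follow the real X.509 encoding.

```python
# Added teaching example: a certificate as three elements, signed with textbook RSA.
import hashlib
import json

E = 65537

def make_keypair(p, q):
    """Build (public, private) textbook-RSA keys from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def to_be_signed(subject, public_key, n):
    """Hash elements 1 and 2 (subject name, public key) to an integer below n."""
    body = json.dumps({"subject": subject, "public_key": list(public_key)},
                      sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_certificate(subject, public_key, ca_private):
    """The CA signs the first two elements with its private key."""
    n, d = ca_private
    return {"subject": subject,
            "public_key": tuple(public_key),
            "ca_signature": pow(to_be_signed(subject, public_key, n), d, n)}

def verify_certificate(cert, ca_public):
    """A relying party needs only the CA's public key to check the binding."""
    n, e = ca_public
    expected = to_be_signed(cert["subject"], cert["public_key"], n)
    return pow(cert["ca_signature"], e, n) == expected

# Constructed demo keys from Mersenne primes; far too small for real use.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
SHOP_PUBLIC, _ = make_keypair(2**61 - 1, 2**89 - 1)

if __name__ == "__main__":
    cert = issue_certificate("shop.example", SHOP_PUBLIC, CA_PRIVATE)
    print("genuine:", verify_certificate(cert, CA_PUBLIC))
    altered = dict(cert, public_key=(2**61 - 1, E))  # key changed after issuance
    print("altered:", verify_certificate(altered, CA_PUBLIC))
```

Changing either the subject or the public key after issuance makes verification fail, which is what binds the key to the identity.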

Secure Electronic Transaction (SET)


• Credit Cards on the Internet
o Problem: communicate credit card and purchasing data securely to
gain consumer trust
▪ Authentication of buyer and merchant
▪ Confidential transmissions
• Developed by Visa and MasterCard
• Designed to protect credit card transactions
• Confidentiality: all messages encrypted
• Trust: all parties must have digital certificates
• Privacy: information made available only when and where necessary
• Participants in SET


• Key Features of SET
o Confidentiality of Information
▪ A credit card holder’s personal and payment information is
secured as it travels across the network. An interesting
feature of SET is that the merchant/seller never sees the
credit card number; this is only provided to the issuing bank.
o Integrity of Data
▪ Payment information sent from cardholders to merchants
includes order information, personal information and payment
instructions. SET guarantees that these message contents
are not altered in transit.
o Cardholder Account Authentication
▪ SET enables merchants to verify that a cardholder is a
legitimate user of a valid card account number. SET uses
X.509v3 digital certificates for this purpose.
o Merchant Authentication
▪ SET enables cardholders to verify that a merchant has a
relationship with a financial institution allowing it to accept
payment cards. SET uses X.509v3 digital certificates for this
purpose.