
AKG/ e COMMERCE.

E-Commerce

Traditional commerce, an overview

The process involved in traditional commerce, before anything is sold or bought, can be divided into two major parts: the manufacturer's (or company's) point of view and the customer's point of view. Financial institutions play a key role by transferring funds between buyers and sellers and by extending credit to both, earning their profit by providing this convenience. The final goal of the seller is to sell his or her product at a profit; the goal of the buyer is to buy the most reliable product at the minimum cost. Both parties must therefore converge at a common point for a satisfactory transaction. Before buying, the consumer must identify the need, search for the product and find out the buying options by traditional means. This takes a lot of time and energy, which can be saved by digitizing the transaction.

Electronic commerce

When one thinks of electronic commerce, the final goal remains the same as in traditional commerce, but the way the parties function in order to improve performance is different. It is basically a change of medium, just as transport changed from bullock carts to supersonic planes. In today's fast-changing world even an individual customer can conduct business online through the Internet. As information sharing is the major part of the commerce industry, networking has given a boost to e-commerce, and this change in viewpoint has opened the door to new opportunities. Electronic commerce includes the transactions that support revenue generation (generating demand, offering sales and support, and so on) as well as the buying and selling transactions themselves. Electronic commerce is built on the structure of traditional commerce and adds flexibility because of networking.

The major advantages of e-commerce

1) Better departmental interaction. This may be information sharing within a company, or between companies working together for better performance.
2) Improved customer relations. Commercial activity on an electronic network removes the constraints of time, place and principal. For example, if a customer wants to buy a book of his choice he need not go around searching for it; he can do the same behind closed doors, thanks to e-commerce. Equally, the publisher need not have a physical store to sell its books.
3) Customer support can be provided round the clock. Orders can be placed or accepted at any time, anywhere.
4) Networking brings the customer and the manufacturer closer, wherever they are, by eliminating the middleman. The whole world becomes a village, a global market in its true sense.

The result is a drastic reduction in overhead cost and instant response, so that time, energy and money are saved.

COMPARISON BETWEEN TRADITIONAL AND ELECTRONIC COMMERCE

Let us examine the simple task of an employee of a company buying a PC for his office.

Company
1) Generate a request for the PC, including its specifications.
2) Approval: the request has to pass through one or more persons, depending on the cost involved and the position or authority of the requester.
3) Once sanctioned, the request passes to the purchasing department.
4) Identify the item and the supplier: select the appropriate model and supplier with the help of office-supply catalogues. The purchasing officer may have to check more than one catalogue and contact suppliers to find out availability, the current price and whether a newer version exists.
5) Issue a purchase order and fax or mail it to the supplier.

Supplier
1) Verify the credit and sales history of the ordering company.
2) Check the warehouse for inventory and find out whether the PC can be delivered to the desired location within the time frame.
3) Once satisfied, arrange transportation and inform the warehouse.
4) Create an invoice for the PC and mail it.
5) Finally the PC reaches the office and the company pays the bill by some standard means.

Once the above processes are digitized (most of the steps, if not all), the business can be done online, which is e-commerce. E-commerce clearly reduces procedural overhead, hence better performance at reduced cost and time.

BROAD VIEW OF e-Commerce

What is e-commerce? In its simplest form it can be defined as the application of computers and computer networks to modern business purposes. In other words, it is a modern business methodology that addresses the needs of organizations, merchants and consumers in order to
# reduce cost
# improve the quality of goods and services
# increase the speed of service and delivery
# search and retrieve information in support of human and corporate decision making.

THE INTERNET HIERARCHY

The networks that make up the Internet form a hierarchy, broadly classified into five levels from top to bottom.

1) Backbone: the high-speed backbone network. The majority of Internet traffic is funnelled into the backbone through the network access points (NAPs).
2) Network access points (NAPs): maintained by Sprint, MFS, PacBell and others, located at strategic sites.
3) Regional networks: independently created national and/or regional networks, normally tied into the NAPs, although some service providers have made their own arrangements for exchanging Internet traffic. Examples of such providers are Sinet, UUnet and SURAnet.
4) and 5) The lower levels consist of regional, district and individual networks found in large organizations, for example a university campus or a business complex.

All these networks share a common set of communication protocols, the Transmission Control Protocol and the Internet Protocol (TCP/IP). These rules are what let heterogeneous networks interoperate smoothly; note that TCP/IP by itself provides no confidentiality or authentication, so the secure operation of the Internet depends on the security protocols described later in these notes (SSL, IPsec, S/MIME and so on).

BASIC BLOCKS OF e-COMMERCE

(The block diagram in the original shows four layers: network infrastructure (Internet, value-added networks, cable TV, telephone networks); service infrastructure (credit card, digital cash, EDI, security, e-mail, web, FAQs); production infrastructure (databases, multimedia, authoring, information, manufacturing); and distribution infrastructure (e-mail, web, shared databases, online catalogs, network communities, shipping infrastructure).)

Network infrastructure
The success of e-commerce depends on the network infrastructure, which includes the Internet, cable television, telecommunication networks, private corporate networks and so on. The network is part and parcel of e-commerce: it forms the physical link between the organizations and/or individuals.

Service infrastructure
Focuses on payment, customer support and security.

Production infrastructure
Focuses on the company's products, whether soft goods or hard goods.

Distribution infrastructure
Focuses on delivery and after-sales service to customers.

Network layers and TCP/IP protocols

Technologies are specified by protocols, that is, rules that determine everything about the way a network functions. All such Internet technologies together form the network infrastructure. These protocols specify
1) how to access the network,
2) how to divide data into packets for transmission through a cable, and
3) how to recognize the electrical signals on a network as the corresponding data.

Packets: a packet is the fundamental grouping of data for transmission on a digital network. It consists of a series of bits that include control information for transmitting the data, as well as the data itself.

A seven-layer model defining the basic network functions was created by the International Organization for Standardization (ISO). This model is called the OSI reference model. Its important principles are:

Open systems concept: two different network systems that support the functions of a given layer can exchange data at that level.

Peer-to-peer communication: data created by one layer in the model and transmitted to a peer device on the network is not altered by the intervening layers. Each layer adds its own header to the data found in a packet in order to perform its assigned task; the lower layers treat the upper layers' headers as opaque payload.

Layer         Function (question it answers)        Information unit              TCP/IP protocols
Application   What is the data to be transferred?   Application messages          FTP, HTTP, SNMP, DNS
Presentation  How does the data look?               Encrypted, compressed data    (no separate TCP/IP layer)
Session       Who is the partner?                   Session messages              (no separate TCP/IP layer)
Transport     Where to send it?                     Multiple packets (segments)   TCP, UDP
Network       Which route to follow?                Packets                       IP, ARP
Data link     Each step in the route                Frames                        Ethernet, PPP
Physical      How to use the medium for each step   Bits                          Physical wiring

When protocols are designed, their specifications set out how a protocol exchanges data with the protocol layered above or below it; a set of such cooperating protocols is called a protocol suite.

Protocols: TCP/IP (Transmission Control Protocol / Internet Protocol) defines how data is divided into packets for transmission across a network, and how applications transfer files and send e-mail. These protocols provide all the functionality needed for a working network even though they do not map neatly onto all seven layers of the OSI model.

A few important application protocols are:

FTP (File Transfer Protocol): used for file transfer.

HTTP (Hypertext Transfer Protocol): determines how a file such as an HTML document is transferred from server to client. HTTP is the protocol of the World Wide Web.

HTML (Hypertext Markup Language): the standard set of codes used to write web documents; the visible interface of the World Wide Web is built from HTML. The browser looks at the HTML to determine how to display the page (text and/or graphics), while HTTP determines how the file (for example an HTML document) is transferred from server to client.

SNMP (Simple Network Management Protocol): for monitoring and controlling network devices such as routers, bridges and switching hubs.

DNS (Domain Name System): responsible for converting the names that users can remember easily into numeric IP addresses (and, through reverse lookups, addresses back into names).

SMTP (Simple Mail Transfer Protocol): used for e-mail transfer between servers.

POP and IMAP (Post Office Protocol, Internet Message Access Protocol): used to handle the retrieval of messages by the mail client.

MIME (Multipurpose Internet Mail Extensions): POP and IMAP were originally designed for text-only mail; MIME extends the capabilities of e-mail messaging. MIME-compliant messages can contain a) graphics, b) video or sound clips and c) other types of multimedia. MIME itself adds no security; S/MIME (described later) builds on it to sign and encrypt commercial messages sent over the Internet.

Transport layer: either TCP or UDP may be used. TCP is used when 100 percent transmission reliability is required (it retransmits lost packets); UDP is used where low overhead matters more than reliability, for example under stringent timing constraints.

THE ADVANTAGES OF THE INTERNET

1) The Internet is an open system.
2) The Internet itself does not belong to anyone.
3) The World Wide Web.

The Internet is open: Darwin's theory of survival of the fittest applies here. Because the Internet protocols are open, anyone can use them to write software implementations that interoperate with other computers and networks running the same protocols. Obviously, only the best survive for long. The results of this competition are lower cost, better performance, better affordability and an increase in the number of users.

The Internet does not belong to anyone: one advantage of this openness is that the user need not belong to any special group, pay any special fee or become anyone's customer in order to access Internet content. Compare a telephone user: he or she pays 1) an initial service charge for the connection and 2) a monthly bill depending on the number of calls, but there is no special charge based on who calls whom. Similarly an Internet user pays fees to an ISP (Internet Service Provider) for the initial service and for connect time, but these fees do not depend on what he or she accesses. Connectivity through the Internet allows connected individuals to browse any freely available content, regardless of membership.

World Wide Web: the Web is a network of hypertext documents. The idea is to use a markup language to create a document, relying on function-oriented labels (tags) that define how a part of the document behaves, instead of the traditional word-processing formatting options that control how the document is displayed. Web documents can be created in such a way that a person using virtually any kind of computer (character-based or with a graphical user interface) can access virtually any information connected to a World Wide Web server. The client software started by the user connects to a home page and can then surf on to other web documents by following the links on the home page and on the other connected pages; the result is a world-wide web of connections between information services on the Internet.

The World Wide Web standards are defined by protocol specifications, which developers use to implement the web browser and web server programs. The interaction between browser and server is defined by HTTP. Locating a specific resource on a computer is complicated: the user would need to search through the operating system's directories, folders and files. The Uniform Resource Locator (URL) specification defines how individual resources are identified within the World Wide Web.

SOME SECURITY THREATS AND SOLUTIONS

Threat                                    Security function                                   Technology
Data intercepted, read or modified        Encryption: encode the data to prevent              Symmetric and asymmetric
illicitly                                 reading and tampering                               encryption
False identity, with intent to defraud    Authentication: verify the identity of both         Digital signature
                                          sender and receiver
Unauthorized user on one network          Firewall: filter and prevent certain traffic        Firewalls; virtual private
gains access to another                   from entering the network or server                 networks

Techniques and solutions for e-commerce security

As the security of business transactions is the most widely cited concern with online transactions, a number of security techniques and solutions, adhering to well-defined security standards, are available in the market. Not all of the techniques and solutions from different vendors complement each other, so interoperability has to be checked. Integrating these techniques into the business process results in safe business transactions that maintain the integrity and confidentiality of data. The following sections introduce some of the most common solution techniques in e-commerce security.

Message security

Encryption is a cryptographic technique for scrambling data with a key so that no one can make sense of it while it is being transmitted. When the data reaches its destination, the information is unscrambled (decrypted) using the same or a different key. There are two types of cryptosystem: secret key and public key.

In secret-key cryptography, also referred to as symmetric cryptography, the same key is used for both encryption and decryption. The best-known secret-key cryptosystem of this period is DES, the Data Encryption Standard. IBM developed DES in the mid 1970s and it was adopted as a US federal standard in 1977. (Its 56-bit key is far too short today: DES keys have been recovered by exhaustive search since 1998, and DES has been replaced by AES.)

In public-key cryptography, each user has a public key and a private key. The public key is published while the private key remains secret. For confidentiality, encryption is performed with the public key while decryption is done with the private key. The RSA public-key cryptosystem is the most popular form of public-key cryptography; RSA stands for Rivest, Shamir and Adleman, its inventors.

How encryption works

Encrypting (encoding) information helps prevent its use by unauthorized users. Both the sender and the receiver have to know what set of rules (the cipher) was used to transform the original information (plaintext) into its coded form (ciphertext). A simple cipher might shift every character of the message by an arbitrary number of positions in the alphabet.

Example: say Udupa is the original name and the arbitrary number chosen is 12. Counting 12 letters backwards from each letter (wrapping round from A to Z) gives the ciphertext Irido:

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
 A B C D E F G H I J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z

To decrypt (decode) Irido, start at the letter I and replace it with the letter that comes 12 positions after it in the alphabet, so I is replaced by U; treat the other letters the same way to get back the original name Udupa. It is clear from this example that both the sender and the recipient have to know the arbitrary number chosen in order to encrypt and decrypt the message.

Basically encryption has two parts:
Algorithm: a cryptographic algorithm is a mathematical function. In the example, counting backwards (to encrypt) and forwards (to decrypt) is the algorithm.
Key: a string of digits. The key used here is 12.

A cryptographic algorithm combines the plaintext (or other intelligible information) with a string of digits called the key to produce unintelligible ciphertext. Some encryption algorithms do not use a key, but key-based encryption offers two important advantages:
1) It is difficult to come up with a new algorithm each time one wants to communicate privately with a new correspondent. By using a key, the same algorithm can be used with many people, with a different key for each correspondent.
2) It is easy to change the key in case of compromise, rather than having to design a new algorithm.

The number of keys an algorithm can support depends on the number of bits in the key. For example an 8-bit key allows only 2^8 = 256 possible values; the key space is said to contain 2^8 keys. Hence the more bits in the key, the more possible keys and the harder it is to crack an encrypted message by guessing. Compare a physical combination lock: with a single decimal digit (0 to 9) one has to try at most ten numbers before the lock opens; with three decimal digits the possible combinations run from 000 to 999. Similarly, if a 100-bit (binary) key were used, a computer capable of guessing one million keys every second would take about 4 x 10^16 years to try them all, so the strength of an encryption algorithm against guessing correlates with the length of its key. Trying each possible key in turn until the right one yields the original message is called the brute-force method. (Key length is only a lower bound on the attacker's work: a flawed algorithm may be broken far faster than brute force, and a short key cannot be rescued by a good algorithm.)
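The shift cipher and the brute-force search just described, as an added example in Python (not code from the original notes). It encrypts "Udupa" with the key 12 exactly as the text does, recovers the key by trying all 26 possibilities, and computes the key-space figures (2^8 keys, and the time to exhaust a 100-bit key at one million guesses per second) instead of quoting them.

```python
"""Added example (not from the original notes): the shift cipher from the
text, with the key 12 used on "Udupa", and a brute-force search over the
whole key space of the kind the text describes.  The key-space arithmetic
for 8-bit and 100-bit keys is computed rather than quoted."""
import string

ALPHABET = string.ascii_uppercase  # A=1 ... Z=26 in the notes' table


def shift_encrypt(plaintext: str, key: int) -> str:
    """Encrypt by counting `key` letters backwards, as in the notes.
    Case is preserved; non-letters pass through unchanged."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decrypt by counting `key` letters forwards: the inverse shift."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext: str, known_plaintext: str):
    """Try every key (the whole 26-element key space) until the candidate
    plaintext matches something the attacker knows.  Returns (key, plaintext)
    or None.  With 26 keys this is instant, which is the point of the text's
    remark that key length bounds resistance to exhaustive search."""
    for key in range(26):
        candidate = shift_decrypt(ciphertext, key)
        if candidate == known_plaintext:
            return key, candidate
    return None


def brute_force_years(key_bits: int, guesses_per_second: float = 1e6) -> float:
    """Years needed to try all 2**key_bits keys at the given rate (the
    notes' 'one million keys per second' figure is the default)."""
    seconds_per_year = 365.25 * 24 * 3600
    return 2 ** key_bits / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    ct = shift_encrypt("Udupa", 12)
    print(ct, shift_decrypt(ct, 12))          # Irido Udupa
    print(brute_force(ct, "Udupa"))           # (12, 'Udupa')
    print(2 ** 8, f"{brute_force_years(100):.1e} years for a 100-bit key")
```

The attacker needs some way to recognise the right plaintext (here a known name; in practice, readable text or a checksum), which is why brute force is a known-plaintext or recognisable-plaintext attack; the 26-key space makes the recognition step the only real work.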

Methods of encryption
1) Secret-key or symmetric encryption
2) Public-key or asymmetric encryption

Secret key: in this scheme both the sender and the recipient possess the same key, which is used to encrypt and to decrypt the data.

Drawbacks:
1) Both parties must first agree upon a shared secret key, which itself needs a secure channel.
2) If one has n correspondents, one has to keep track of n different secret keys (a group of n parties who all want to talk privately in pairs needs n(n-1)/2 keys).
3) If the same key is shared by more than one correspondent, the common key holders can read each other's mail.
4) Symmetric schemes are also subject to an authenticity problem: because the sender and recipient hold the same secret key, either of them can encrypt or decrypt a message, so a message cannot be proved to a third party to have come from one rather than the other (there is no non-repudiation).

PUBLIC KEY CRYPTOGRAPHY

This scheme operates on a pair of keys, one of which is used to encrypt the message while only the other one in the pair can decrypt it. One part of the pair, called the private key, is known only to its designated owner; the other part, called the public key, is published widely but remains associated with the owner.

Encrypting and decrypting

Data encrypted with the public key can only be decrypted with the private key. Data encrypted with the private key can only be decrypted with the public key (this second direction is the basis of digital signatures; in practice signing is a separate operation from encryption and is applied to a hash of the message, as described below).

Strong points of this scheme: the key pair can be used in two different ways.
1) Message confidentiality: the sender uses the recipient's public key to encrypt a message, so that only the holder of the matching private key (the recipient) can decrypt it, and no one else.
2) Authenticity of the message originator: the sender uses his private key, to which only he has access, to sign a message. Anyone who verifies it with the sender's public key can be sure of the message's origin.
3) Easy distribution: the public key of the pair can be distributed freely, for example through a key server, since it need not be kept secret.

Disadvantages: in commercial transactions the standard procedure is for the buyer to sign messages with his private key, and for the merchant to sign his acknowledgements with the merchant's private key. But anyone can obtain the merchant's public key, so anyone can read a message that was only transformed with the private key. Steps must therefore be taken separately to ensure the privacy of sensitive information: the private key proves the authenticity of the originator; it does not give confidentiality.

Say, for example, person X would like to send a secret message to person Y using public-key cryptography. X encrypts with Y's public key; as only Y has the matching private key, only Y can read the message.

Secret-key and public-key lengths for an equal level of security (as estimated when these notes were written):

Secret key length    Public key (RSA) length
56 bits              384 bits
64 bits              512 bits
80 bits              768 bits
112 bits             1792 bits
128 bits             2304 bits

These figures are now out of date: 512-bit and 768-bit RSA moduli have been factored, and current guidance requires RSA keys of at least 2048 bits (3072 bits for 128-bit security) and symmetric keys of at least 128 bits.

Fast cryptography

Asymmetric algorithms are computationally slow, so the whole message is not signed directly. Instead a short message digest, a fixed-length representation of the message, is generated quickly, and the digest is what is encrypted with the private key to form the digital signature. One-way hash functions are fast cryptographic algorithms for generating message digests. They do not use a key; a hash function is a formula that converts a message of any length into a single fixed-length string of digits called the message digest, such that the same message always gives the same digest and it is infeasible to find two different messages with the same digest.

Digital signature: each message is run through the hash function to produce its message digest. The sender's private key is used to encrypt that digest, and the result is the digital signature. In other words, the message digest encrypted with the sender's private key is called the digital signature:

digital signature = encrypt(hash(message), sender's private key)

Verification of a digital signature

Say person X is sending a message to person Y.

To send the message (X to Y):
a) Compute the message digest of the message using the hash function.
b) Encrypt the digest with X's private key; this is the digital signature.
c) Combine the plaintext (X's message) with the signature and send both to person Y over the Internet.

To receive the message (Y):
a) Decrypt the digital signature with X's public key to recover the digest X computed.
b) Calculate the message digest of the received message using the same hash function as X (agreed beforehand).
c) Compare the two digests (the one recovered from the signature and the one generated by Y). If they are the same the message is authentic; if not, the signature or the message has been tampered with.

Advantage: anyone may have X's public key and the hash function (both are public), but without X's private key nobody can produce a signature that verifies under X's public key, which is what makes the digital signature authentic.
Disadvantage: as the body of the message is sent as plaintext, privacy is not maintained. To overcome this when privacy is important, one encrypts the plaintext with a symmetric algorithm as well.

Need for a digital certificate: the basic aim is to conduct secure and safe electronic transactions. Asymmetric cryptography allows a merchant to distribute his public key to all his correspondents, perhaps by e-mail or through a server, while keeping the private key secure (confined to himself only). But such key pairs can be generated by anyone: a third party may generate a pair of keys and send that public key to the merchant's correspondents, claiming that it comes from the merchant. This allows the third party to forge messages in the merchant's name. This is where a certificate authority comes in.

Certificate authority

A digital certificate is a method of verifying something (for example a public key) electronically for authenticity. A certificate authority (CA) will accept the merchant's public key along with some proof of the identity of the merchant who sends it, and sign the two together. Others (correspondents) can then verify the merchant's public key against the certificate issued by the certificate authority.

Contents of a digital certificate
1) Holder's name, organization and address.
2) The name of the certificate authority.
3) The holder's public key, for cryptographic use.
4) Validity period; these certificates are typically issued for six months to a year.
5) Class of certificate.
6) Certificate serial (identification) number.

Class: based on the degree of verification performed.
Class 1: easiest to obtain; involves the fewest checks on the user's background (only the name and e-mail address are verified).
Class 2: in addition to the class 1 checks, the user's driver's licence, social security number and date of birth are checked.
Class 3: in addition to the class 2 checks, a credit card check is added.
Class 4: in addition to the class 3 checks, the user's position within the organization is verified.

The higher the class, the higher the degree of verification and hence the higher the fee payable to the commercial or governmental certificate authority.

A Certificate Revocation List (CRL) is maintained by the certificate authority so that users know which certificates are no longer valid. The CRL does not include expired certificates, because each certificate has a built-in expiry date. Certificates whose private keys are lost or compromised may be revoked. (A relying party that never fetches the CRL will accept a revoked certificate, so revocation checking must be part of verification.)

One encryption system is not ideal for all situations, so one can use more than one method. The table below shows the algorithms used by PGP (Pretty Good Privacy) for each function:

Function            Algorithms   Process
Message encryption  IDEA, RSA    1) Encrypt the message with IDEA, using a one-time session key generated by the sender.
                                 2) Encrypt the session key with RSA, using the recipient's public key.
Digital signature   MD5, RSA     1) Generate the hash code of the message with MD5.
                                 2) Encrypt the message digest with RSA, using the sender's private key.

(These were the algorithms of the PGP version current when these notes were written. MD5 is broken for signature use and IDEA is obsolete; modern OpenPGP implementations use SHA-2 and AES in the same hybrid structure.)

A FEW SECURITY STANDARDS FOR THE INTERNET

Spoofing: this is when one party masquerades as someone else. Remember that firewalls are not the solution to all Internet security problems; spoofing of identity is addressed by the authentication built into the standards below.

Secure sockets layer (SSL)

The SSL (Secure Sockets Layer) handshake protocol was developed by Netscape Communications Corporation to provide security and privacy over the Internet. The protocol supports server and client authentication. The SSL protocol is application independent, allowing protocols like HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol) and Telnet to be layered on top of it transparently. SSL is able to negotiate encryption keys and to authenticate the server before any data is exchanged by the higher-level application. It maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes.

Commonly used security standards:

Standard                             Function                                                  Application
Secure HTTP (S-HTTP)                 Secure web transactions                                   Browsers, web servers, Internet applications
Secure Sockets Layer (SSL)           Secure data stream between the application and TCP        Browsers, web servers, Internet applications
Secure MIME (S/MIME)                 Secure e-mail and attachments across multiple platforms   E-mail packages with RSA encryption and digital signature
Secure wide area networks (S/WAN)    Point-to-point encryption between firewalls and routers   Virtual private networking
Secure Electronic Transaction (SET)  Secure credit card transactions                           Smart cards, transaction servers, electronic commerce

The SSL handshake protocol consists of two phases: server authentication and an optional client authentication.

In the first phase, the server, in response to a client's request, sends its certificate and its cipher preferences. The client then generates a master key, encrypts it with the server's public key and transmits the encrypted master key to the server. The server recovers the master key and authenticates itself to the client by returning a message authenticated with the master key (only the holder of the private key matching the certificate could have recovered it). Subsequent data is encrypted and authenticated with keys derived from this master key.

In the optional second phase, the server sends a challenge to the client. The client authenticates itself to the server by returning its digital signature on the challenge, together with its public-key certificate.

A variety of cryptographic algorithms are supported by SSL. During the handshake the RSA public-key cryptosystem is used. After the exchange of keys a number of ciphers are available, including RC2, RC4, IDEA, DES and triple DES; the MD5 message digest algorithm is also used. The public-key certificates follow the X.509 syntax. Major digital certificate vendors, including VeriSign and Thawte, issue certificates for SSL.

The handshake described here is that of SSL 2.0. Its security rests on the client checking the server's certificate (issuer, validity period, hostname) before encrypting the master key to it; a client that skips that check will complete the handshake with a spoofed server just as happily. SSL 2.0 and 3.0 are deprecated, as are RC2, RC4, DES and MD5; current deployments use TLS 1.2 or 1.3 with AES and SHA-2.

Secure Electronic Transaction (SET)

Visa and MasterCard jointly developed the Secure Electronic Transaction (SET) protocol as a method for secure, cost-effective bankcard transactions over open networks. SET includes protocols for purchasing goods and services electronically, for requesting authorization of payment, and for credentials (i.e. certificates) binding public keys to identities. The intent was that once SET was fully adopted, the confidence required for secure electronic transactions (privacy, integrity and authenticity, achieved through certification) would be in place, allowing merchants, customers and payment gateways to take part in electronic commerce through encrypted transactions. (SET required client-side certificates and software and was never widely adopted; card-not-present payments today rely on TLS between browser and merchant together with cardholder authentication schemes such as 3-D Secure.)

ROLE OF VIRTUAL PRIVATE NETWORKS (VPN)

A virtual private network is a low-cost and flexible alternative to closed, leased-line connections between remote company sites, or between vendors, suppliers, mobile employees and the company, using the public Internet. As everyone knows, the Internet is not always stable or reliable, and to bet on it for e-commerce without proper security measures involves a high degree of risk. Most VPN vendors use a specialized form of encrypted Internet transmission: a secure channel is established between two systems, and electronic data is exchanged through it protected by encryption and authentication. Proprietary encryption, which some vendors still offer, cannot be reviewed and should be avoided in favour of the standard.

The commonly used protocol for this is Internet Protocol Security (IPsec): a set of protocol standards developed by the Internet Engineering Task Force (IETF) that provides authentication, confidentiality and data integrity at the IP layer.

One should choose the appropriate solution keeping in mind which vendor gives good protection against unauthorized disclosure of data, reliable determination of the identity of the communicating party, and a means by which data is protected from unauthorized modification. In addition, the following factors influence the selection of a VPN vendor:
1) The right architecture for the required connectivity: router to router, firewall to firewall, load balancing, VPN client.
2) Thin or thick client.
3) Encapsulation.
4) Encryption types and hardware accelerators.

Some VPN vendors are Cisco Systems, VeriSign Security Services, TimeStep Corporation (which produces IPsec-compliant secure VPN solutions), DotPN, AT&T WorldNet and Mistral Networks.

Policy comes before products, and two questions have to be settled. The first is what security stance the organization takes, that is, what level of risk it is willing to accept; there are degrees of paranoia between the extreme positions. The second is what level of monitoring, redundancy and control the organization needs. Having established the acceptable risk level by resolving the first question, one can form a checklist of what should be monitored, permitted and denied. In other words, the organization should start by figuring out its overall objectives, then combine requirement analysis with a risk assessment, and plan for implementation.

AKG/ e COMMERCE.

15

To ensure communications are private and not altered by third party, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the internet, is not justifying the expense or effort , but convincing management that its safe to do so. A firewall provides not only real security it often plays an important role as security blanket for management. In market lot of software vendors are in this firewall business. Price and features vary. To name few of them are : Access master Netwall firewall from Bullsoft provides scalables load balancing and high availability. Axents raptor enterprise firewall for windows NT, solaris, and HP UX. Cisco PIX is another dedicated firewall appliance provides full protection for a companys internal network . IBMS e Network features filtering proxy, and circuit level gateway architecture to control internet communications. Internet dynamics conclave firewall application protects information on the internet and intranets, and allow access control down to the web page level. Lucent intern networks secure network combines ascends firewall and encryption techniques for network protection. NETWORK SECURITY Firewall Introduction Corporate networks are built assuming certain levels of trust in how the information passing through them is accessed and used. When they are hooked into public networks, like the Internet, a safer and more intelligent route leads security administrators to trust no one on the outside. Firewall that protectsnetwork and system vulnerabilities on systems to the Internet, as well as for private networks. Here is an attempt to explain security technologies used to defend against attacks initiated from both within and without an organization. This will examine the pieces of the security puzzle to see how to best fit them together for effective defenses and coverage. 
Several security methods are used wherever the Internet and corporate networks intersect. These include the use of:

Routers
Firewalls
Intrusion Detection Systems (IDSs)
Vulnerability assessment tools (scanners, etc.)

Basic Security Infrastructures

The basic design for a secure network infrastructure (shown in the original notes as a diagram) relies upon layers of devices that serve specific purposes and provide multiple barriers of security that protect against, detect, and respond to network attacks, often in real time.

Routers

A router is a network traffic managing device that sits between subnetworks and routes traffic intended for, or emanating from, the segments to which it is attached. Naturally, this makes routers sensible places to implement packet filtering rules, based on security policies that are already developed for the routing of network traffic.

Packet Filtering

Straight packet filtering mechanisms allow communication originating from one side or the other. To enable two-way traffic, you must specify a rule for each direction. Packet filtering firewalls identify and control traffic by examining the source address, destination address and port of each packet.

What is Firewall ?
A firewall insulates a private network from a public network using carefully established controls on the types of requests it will route through to the private network for processing and fulfilment. For example, an HTTP request for a public web page will be honoured, whereas an FTP request to a host behind the firewall may be refused. Firewalls typically run monitoring software to detect and thwart external attacks on the site, and are needed to protect internal corporate networks. Firewalls come primarily in two flavours: packet filters and application-level gateways (proxy servers).

Other uses of firewalls include technologies such as Virtual Private Networks (VPNs), which use the Internet to tunnel private traffic without fear of exposure.

Defining firewalls

A slightly more specific definition of a firewall comes from William Cheswick and Steven Bellovin, two engineers with AT&T who wrote the classic Firewalls and Internet Security (Addison-Wesley, 1994). They based the book on their experience developing a firewall to protect AT&T's connections to the Internet. Cheswick and Bellovin define a firewall as a collection of components, or a system, placed between two networks and possessing the following properties:

All traffic from inside to outside, and vice versa, must pass through it;
Only authorized traffic, as defined by the local security policy, is allowed to pass through it; and
The system itself is highly resistant to penetration.

A firewall is a mechanism used to protect a trusted network from an untrusted network, usually while still allowing traffic between the two. Typically the two networks in question are an organization's internal trusted network and the untrusted Internet. However, nothing in the definition of a firewall ties the concept to the Internet. The Internet (capital I) is the worldwide network of networks that uses TCP/IP for communications; an internet (lowercase) is any connected set of networks. Although many firewalls are currently deployed between the Internet and internal networks, there are good reasons for using firewalls in any internet or intranet, such as a company's WAN.

Another approach to firewalls views them as both policy and the implementation of that policy in terms of network configuration. Physically, a firewall comprises one or more host systems and routers, plus other security measures such as advanced authentication in place of static passwords. A firewall may consist of several different components, including filters, or screens, that block transmission of certain classes of traffic, and a gateway, which is a machine or set of machines relaying services between the internal and external networks by means of proxy applications. The intermediate area occupied by the gateway is often referred to as the demilitarized zone (DMZ).

Internet Traffic

All Internet traffic (data transported by the TCP/IP protocol suite) from inside to outside, and vice versa, must pass through a firewall. A protocol is a formal description of the messages to be exchanged and the rules to be followed in order for two or more systems to exchange information in a manner that both parties understand. The TCP/IP protocol suite, officially referred to as the Internet Protocol Suite in Internet standards documents, gets its name from its two most important protocols, TCP and IP. Network applications present data to TCP, the Transmission Control Protocol. TCP divides the data into chunks, called packets (more precisely, segments), and numbers each one. These packets could represent text, graphics, sound or video, anything digital that the network can reassemble correctly at the receiving end. Thus each packet consists of content, or data, and the information that the protocol needs to do its work, called the protocol header. TCP then presents the data to the Internet Protocol, or IP, the purpose of which is to provide basic host-to-host communication. IP attaches to the packet, in its own protocol header, the address from which the data comes and the address of the system to which it is going. IP is technically referred to as an unreliable datagram service.

In this context, the rather alarming term unreliable simply means that upper-level protocols should not depend upon IP to deliver the packet every time. IP does its best to make the delivery to the requested destination host, but if it fails for any reason it just drops the packet. This is where the higher-level protocol, TCP, comes in. TCP uses the sequence numbers to reassemble the packets in the right order and to request retransmission of any packets that got lost along the way. It can do this even if some of the packets take different routes to reach their destination, which makes the combination TCP/IP a very reliable protocol. TCP uses another piece of information to ensure that the data reaches the right application when it arrives at a system: the port number, lying within the range 0 to 65535. The number does not represent a physical port, like the serial port to which a modem or mouse might be attached, but is more like a logical address within the host. Ports 0 to 1,023 (the well-known ports) are reserved for server applications, although servers can use higher port numbers as well. Higher port numbers are dynamically assigned to client applications as needed. Some applications use standard port numbers; for example, an FTP program will connect to port 21 on the FTP server. Thus data to be transmitted by TCP/IP has a port from which it is coming and a port to which it is going, plus an IP source and destination address. Firewalls can use these addresses and ports to control the flow of information.

Firewalls as Filters

When TCP/IP sends data packets on their way, the packets seldom go straight from the host system that generated them to the client that requested them. Along the way they normally pass through one or more routers. In this, TCP/IP transmissions differ from LAN communications, which broadcast over a shared wire. Early efforts to enable computers to communicate with each other over long distances used telephone lines and switches to connect calls from one specific computer to another in a remote location. A connection between two computers might pass through several switches until it reached its final destination. When LANs emerged, it made sense for all the computers on one LAN to have access to the machine that had the remote connection, thus creating a WAN. LAN protocols, however, were incompatible with WAN protocols such as X.25, and the machine hosting the connection to the WAN tended to get overworked. Next came a special type of switch called a router, which could take over the work of making external connections and could also convert LAN protocols, specifically IP, into WAN protocols. Routers have since evolved into specialized computers. The typical router is about the same size as a VCR, although smaller models and rack-mounted units for major interconnections are on the market. Basically, routers look at the address information in TCP/IP packets and direct them accordingly. Data packets transmitted over the Internet from a web browser on a PC in Florida to a web server in Pennsylvania will pass through numerous routers along the way, each of which makes decisions about where to direct the traffic. Suppose the web browser is on a PC on a LAN with a PPP connection to an Internet Service Provider (ISP). A router, or a computer acting as a router, will route the packets out from the LAN to the ISP. Routers at the ISP will send the data to a backbone provider, which will route it, often in several hops, to the ISP that serves the machine hosting the web site. Routers make their routing decisions based on tables of data and rules. It is possible to manipulate these rules by means of filters so that, for example, only data from certain addresses may pass through the router. In effect, this turns a router that can filter packets into an access-control device, or firewall. If the router can generate activity logs, this further enhances its value as a security device.
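The header fields a packet filter examines, as an added example that is not part of the original notes: the code below builds a minimal IPv4/TCP packet (a constructed sample using the documentation address ranges 198.51.100.0/24 and 203.0.113.0/24) and parses out the source and destination addresses, the port numbers and the TCP flag bits that a filter keys on. Checksums are left at zero since nothing transmits the packet.

```python
"""Added example (not from the original notes): parsing the IPv4 and TCP
headers that a packet-filtering firewall inspects, and building a sample
packet to parse. Checksums are left at zero since nothing transmits them."""
import struct
from ipaddress import ip_address

TCP = 6
FLAG_SYN = 0x002
FLAG_ACK = 0x010


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4/TCP packet (no options, no payload)."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 words (20 bytes)
        0,                  # type of service
        40,                 # total length: 20 IP + 20 TCP
        0, 0x4000,          # identification; DF flag, fragment offset 0
        64, TCP, 0,         # TTL, protocol, checksum (zero for this example)
        ip_address(src).packed, ip_address(dst).packed,
    )
    tcp_header = struct.pack(
        "!HHIIHHHH",
        sport, dport,
        0, 0,               # sequence and acknowledgement numbers
        (5 << 12) | flags,  # data offset 5 words + 9 flag bits
        65535, 0, 0,        # window, checksum, urgent pointer
    )
    return ip_header + tcp_header


def parse_ipv4_tcp(packet):
    """Return the fields a filter keys on: src, dst, sport, dport, flags."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; options may follow
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("bad IHL or truncated TCP header")
    if proto != TCP:
        raise ValueError("not TCP (protocol %d)" % proto)
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {
        "src": str(ip_address(src)),
        "dst": str(ip_address(dst)),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,
    }


def is_connection_request(fields):
    """SYN without ACK: the first packet of a new TCP connection. A stateless
    filter that blocks inbound packets of this shape but passes packets with
    ACK set lets replies to outbound connections back in without a per-flow
    rule (the 'established' trick of classic router ACLs)."""
    return bool(fields["flags"] & FLAG_SYN) and not fields["flags"] & FLAG_ACK


if __name__ == "__main__":
    syn = build_ipv4_tcp("198.51.100.7", "203.0.113.10", 40000, 80, FLAG_SYN)
    fields = parse_ipv4_tcp(syn)
    print(fields, "new connection:", is_connection_request(fields))
```

Distinguishing a SYN-only packet from one with ACK set is how a stateless filter lets replies to outbound connections back in without a per-connection rule; a filter that ignores the flags has to permit the whole reverse direction, which is the "one rule per direction" cost mentioned under Packet Filtering.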

Firewalls as Gateways

Internet firewalls are often referred to as secure Internet gateways. Like the gates in a medieval walled city, they control access to and from the network. In firewall parlance, a gateway is a computer that provides relay services between two networks. A firewall may consist of little more than a filtering router as the controlled gateway. Traffic goes to the gateway instead of directly entering the connected network. The gateway machine then passes the data, in accordance with the access control policy, through a filter, to the other network or to another gateway machine connected to the other network.

Firewalls as Control Points

By concentrating access control, firewalls become a focal point for the enforcement of security policy. Some firewalls take advantage of this to provide additional security services, including traffic encryption and decryption. In order to communicate in encrypted mode, the sending and receiving firewalls must use compatible encryption systems. Nevertheless it is a powerful feature, enabling the creation of virtual private networks (VPNs) as a lower-cost alternative to a leased line or a value-added network (VAN).

Internal Firewalls

While the phenomenal growth of Internet connections has understandably focused attention on Internet firewalls, modern business practices continue to underscore the importance of internal firewalls. Mergers, acquisitions, reorganizations, joint ventures and strategic partnerships all place additional strain on security as the scope of the network's reach expands. Someone outside the organization may suddenly need access to some, but not all, internal information. Multiple networks designed by different people, according to different rules, must somehow trust each other. In these circumstances, firewalls play an important role in enforcing access control policies between networks and protecting trusted networks from those that are untrusted. In a WAN that must offer any-to-any connectivity, other forms of application-level security can protect sensitive data. However, segregating the networks by means of firewalls greatly reduces many of the risks involved; in particular, firewalls can reduce the threat of internal hacking (that is, unauthorized access by authorized users), a problem that consistently outranks external hacking in information security surveys. By adding encryption to the services performed by the firewall, a site can create very secure firewall-to-firewall connections. This even enables wide area networking between remote locations over the Internet.

Firewalls and policy

The various configurations of filters and gateways help when planning a firewall defence, but the system administrator must not lose sight of the broader definition of a firewall as an implementation of security policy. A firewall is an approach to security; it helps implement a larger security policy that defines the services and access to be permitted. In other words, a firewall is both policy and the implementation of that policy in terms of network configuration, host systems and routers, as well as other security measures such as advanced authentication in place of static passwords.

Types of Network Policy

Two levels of network policy directly influence the design, installation and use of a firewall system.

Network service access policy :- The higher-level, issue-specific policy that defines those services to be allowed or explicitly denied from the restricted network. This policy also prescribes the way in which these services will be used, and the conditions for exceptions to the policy.

Firewall design policy :- A lower-level policy that describes how the firewall will actually go about restricting access and filtering the services defined in the network service access policy.

Typically, firewalls implement one of two general network service access policies: either allowing access to the Internet from the site but no access to the site from the Internet; or allowing some access from the Internet, but only to selected systems such as information servers and email servers. Some firewalls also implement network service access policies that allow certain users access from the Internet to selected internal hosts, but only if necessary and only when combined with advanced authentication.

At the highest level, the overall organizational policy might state the following principles:

Information is vital to the economic well-being of the organization.
Every cost-effective effort will be made to ensure the confidentiality, integrity, authenticity, availability and utility of the organization's information.
Protecting the confidentiality, integrity and availability of these information resources is a priority and a job responsibility for all employees at all levels of the company.
All information processing facilities belonging to the organization will be used only for authorized purposes.

Below this statement of principles come site-specific policies covering physical access to the property, general access to information systems and specific access to services on those systems. The firewall's network service access policy is formulated at this level. For a firewall to function as the company desires, the network service access policy must strike a balance between protecting the network from known risks on the one hand and providing users reasonable access to network resources on the other.

Firewall Design Policy

The firewall design policy is specific to the firewall and defines the rules used to implement the network service access policy. The company must design the policy in relation to, and with full awareness of, issues such as the firewall's capabilities and limitations, and the threats and vulnerabilities associated with TCP/IP. As mentioned earlier, firewalls generally implement one of two basic design policies:

Permissive approach :- Permit any service unless it is expressly denied; or
Restrictive approach :- Deny any service unless it is expressly permitted.

Firewalls that implement the first policy (the permissive approach) allow all services to pass into the site by default, with the exception of those services that the service access policy has identified as disallowed. Firewalls that implement the second policy (the restrictive approach) deny all services by default, but then pass those services that have been identified as allowed. This restrictive second policy follows the classic access model (default deny) used in all areas of information security. The permissive first policy is less desirable, since it offers more avenues for circumventing the firewall. With this approach, users could access new services not currently addressed by the policy. For example, they could run denied services on non-standard TCP/UDP ports that are not specifically mentioned by the policy.
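The two design policies side by side, as an added example (not code from the original notes): a toy stateless packet filter with an ordered rule list, first match wins, and a configurable default. The site address 203.0.113.0/24, the web and mail hosts and the external client are constructed for the example. The interesting input is the third packet: an FTP server that a user has started on port 2121 passes the permissive filter, because no rule names that port, and is stopped by the restrictive one.

```python
"""Added example (not from the original notes): a toy stateless packet filter
showing why 'deny unless expressly permitted' beats 'permit unless expressly
denied'. Addresses and services are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    direction: str    # "in" = Internet -> site, "out" = site -> Internet


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: range = ANY_PORT

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and pkt.dport in self.dport)


class Filter:
    """Ordered rule list; first match wins, otherwise the default applies."""

    def __init__(self, rules, default):
        self.rules, self.default = list(rules), default

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


SITE = "203.0.113.0/24"                           # constructed internal network
WEB, MAIL = "203.0.113.10/32", "203.0.113.20/32"  # constructed public servers

# Permissive design policy: everything passes unless a rule denies it.
PERMISSIVE = Filter([
    Rule("deny", "in", proto="tcp", dport=range(21, 22)),    # FTP control
    Rule("deny", "in", proto="tcp", dport=range(23, 24)),    # telnet
], default="permit")

# Restrictive design policy: only the services the access policy names,
# and one rule per direction because the filter keeps no connection state.
RESTRICTIVE = Filter([
    Rule("permit", "in", dst=WEB, proto="tcp", dport=range(80, 81)),
    Rule("permit", "in", dst=MAIL, proto="tcp", dport=range(25, 26)),
    Rule("permit", "out", src=SITE),
], default="deny")


def compare(pkt):
    """Decision of each policy for the same packet: (permissive, restrictive)."""
    return PERMISSIVE.decide(pkt), RESTRICTIVE.decide(pkt)


if __name__ == "__main__":
    for p in [Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "in"),
              Packet("198.51.100.7", "203.0.113.10", "tcp", 21, "in"),
              Packet("198.51.100.7", "203.0.113.55", "tcp", 2121, "in")]:
        print(p.dst, p.dport, compare(p))
```

The permissive filter's rule list is only as complete as the last person who edited it; the restrictive filter's rule list is a literal copy of the network service access policy, which is why it is the form auditors expect to see.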

A look at traditional payment methods

A few payment methods:

Cash
Debit cards
Traveller's cheques
Credit cards
Money orders
Barter
Personal cheques
Bank drafts
Tokens, etc.

These methods of payment are used these days by customers; organizations have their own instruments, including purchase orders, lines of credit etc. The requirements of a financial transaction include confidentiality, privacy, integrity and authentication for both forms of commerce (traditional and electronic). Established traditional payment schemes are designed to meet these requirements. The task of e-commerce is to provide an electronic payment system that meets all the requirements and yet is simple and familiar to users; in other words, in theory, payment on the Internet should look like traditional payment even though the implementation (the medium) is totally different, so that users adapt to it easily. Methods for meeting all these requirements on the Internet are not yet in place.

A layered protocol model for electronic payment

The model has three layers, from top to bottom:

Policy
Data Flow
Mechanism

Policy :- This includes refund policies and the liabilities incurred by customers, merchants and financial institutions.

Data Flow :- The requirements for storage of data and for communication between the parties. This includes not only the data flow for payments themselves but also for refunds, account enquiries and settlements.

Mechanisms :- The methods by which the necessary security requirements for messages and stored data are achieved.

All three levels are interdependent, since policy depends on data flow and data flow depends on mechanism.

Normal payment protocol models

Cash :- Consists of a token which may be authenticated independently of the issuer. This is achieved through the use of self-authenticating tokens or tamper-proof hardware.
Cheque :- Cheques are payment instruments whose validity requires reference to the issuer.
Card :- Card payment schemes provide a payment mechanism through the existing credit card payment infrastructure. Such schemes have many structural similarities to cheque models, except that solutions are constrained by that infrastructure. A key feature of card payment systems is that every transaction carries insurance.

Gateway :- A software program used to connect two networks using different protocols so that they can transfer data between them. Before transferring, the program converts the data into a form compatible with the other protocol.
SSL :- Secure Sockets Layer, a protocol that secures the connection between browser and server; S-HTTP is a comparable protocol that secures individual HTTP messages.

An understanding of credit card payment schemes on the Internet

What is a web browser? A software program that allows one to connect with network servers in order to access HTML documents and their associated media files, and to follow links from document to document, or page to page. The server may be on a local network or on the Internet. Helper applications (such as a wallet) can be incorporated with the browser to handle special types of files and applications.

Wallet :- A helper application for a web browser, used to pass an encrypted credit card number from a buyer through the merchant to the payment processor.

Credit cards can be handled in two ways:

Sending unencrypted credit card numbers over the Internet (not secure).
Encrypting the credit card numbers before sending them over the Internet. This is further subdivided according to what is encrypted (the encryption level).

CGI (Common Gateway Interface) is a form of server-side scripting; the scripts that pass the payment data to the card processor (for example CyberCash or VeriFone) for authentication or approval run through it.

Web Server :- A software program that manages data at the web site, controls access to that data, and responds to requests from web browsers.

The credit card transaction sequence

The consumer presents preliminary proof of the ability to pay by presenting a credit card number to the merchant. The merchant verifies this with the bank and creates a purchase slip for the consumer to endorse. The merchant then uses this endorsed slip to collect funds from the bank. At the next billing cycle the consumer receives a statement from the bank with a record of the transaction.

Over the Internet, credit card payment follows the same sequence with added steps to provide safe and secure transactions and authentication of both buyer and seller. This has led to a variety of systems for using credit cards over the Internet. Two distinguishing features of these systems are the level of security they provide for transactions, and the software required on both sides (customer and seller) of the transaction. The system is designed to work with an HTTP web server. Scripts, normally written in Perl, are often used to exchange data between the web server and a database. If the entire transmission is encrypted, the merchant has to decrypt it to complete a purchase order. Alternatively, a trusted third party can separately decrypt the credit card information for authorization of the purchase. Then only the third party (the authorization agency) has the customer's credit card number; the customer does not give the number to the merchant, who receives only the authorization. This gives protection against merchant fraud.

CyberCash, VeriFone and First Virtual payment schemes

As raw data transmitted across a network is not secure, security protocols such as SSL are used for secure communication. CyberCash, VeriFone and First Virtual are some of the providers of systems that protect against merchant fraud. CyberCash and VeriFone use a helper wallet for the web browser, and pass the encrypted credit card number through the merchant to their own processor/server for authentication. First Virtual issues a virtual PIN to the customer, who then uses it in place of the credit card number. After receiving the sales information from the merchant, First Virtual maps the virtual PIN to the credit card account number to clear the purchase. First Virtual uses e-mail to obtain the customer's approval of the purchase before issuing an authorization to the merchant.

Steps involved

1. From the customer, the encrypted credit card number and a digital signature are sent to the merchant. (Digital signature: a message digest encrypted with the signer's private key.)
2. The merchant forwards the encrypted message, which it cannot read, to the third party's decryption software.
3. The third party requests a check (credit card authenticity and account position) from the credit card processor.
4. The credit card processor asks the customer's bank for verification of the check requested in step 3.
5. The bank gives the authorization to the credit card processor.
6. The credit card processor signals "OK" to the third party if the credit card number is correct and there are sufficient funds for the purchase, otherwise "not OK".
7. The verified information is sent to the merchant by the third party.
8. The merchant sends the purchase information to the customer only after receiving the OK signal from the third party.

SET and JEPI

Two significant standards in the works will make the interoperability of electronic wallets and credit card transactions simpler.

Secure Electronic Transaction (SET) :- Developed by a consortium led by MasterCard and Visa. It is a combination of a protocol designed for use by other applications (such as web browsers) and recommended procedures (standards) for handling credit card transactions over the Internet. It is designed for cardholders, merchants, banks and other card processors. It uses digital certificates to establish the identities of the parties involved in a purchase, and encrypts credit card and purchase information before transmission over the Internet.

Joint Electronic Payments Initiative (JEPI) :- By the World Wide Web Consortium and CommerceNet, it is an attempt to standardize payment negotiation. It is used on both the client and merchant sides. On the client side, it serves as an interface that enables web browsers and wallets to use a variety of protocols. On the merchant (server) side, it acts between the network and transport layers to pass incoming transactions to the proper transport protocol (e-mail vs HTTP) and the proper payment protocol (such as SET).

Advantage: JEPI makes it easier for the buyer to use a single application and a single interface, and easier for the merchant to support the variety of payment systems in use.

Electronic Cheque

Basically, a paper cheque is a message to a consumer's bank to transfer funds from his or her account to someone else's account.

Paper cheque procedure: The message (cheque, DD etc.) is sent via the receiver to the paying authority (a bank or the like). The paying authority verifies the message and the identity before transferring the funds. The cancelled paper instrument (cheque, DD etc.) is returned to the sender and can be used as proof of payment.

An electronic cheque has all the same features as a paper cheque. It functions as a message to the sender's bank to transfer funds; the message is given to the receiver, who in turn endorses the cheque and presents it to the bank to obtain the funds.

The following two organizations provide electronic cheques for online payment:

Financial Services Technology Corporation (FSTC)
CyberCash

Superiority of the electronic cheque over the paper cheque: The customer (sender of a cheque to a web merchant to pay for an item) can encrypt his or her account number with the bank's public key, thereby not revealing the account number to the web merchant. Digital certificates can be used to authenticate the payer, the payer's bank and the bank account (as in the SET protocol).

CyberCash Electronic Cheque

It is an extension of their wallet for credit cards. Unlike the CyberCash credit card system, though, CyberCash will not serve as an intermediate party for processing cheques; instead these functions will be handled directly by banks. The CyberCash electronic cheque system does not provide multiple payment options.

FSTC System

FSTC is a consortium of banks and clearing houses that has designed an electronic cheque. The model is based on the traditional paper cheque. The electronic cheque works electronically, with a digital signature for signing and endorsing. FSTC offers users a choice of payment instruments that allow them to designate an electronic cheque as a certified cheque or an electronic charge card slip, for greater flexibility. Electronic cheques can be delivered either by direct transmission over a network or by e-mail. In both cases, existing banking channels can clear payments over their networks. This leads to a convenient integration of the existing banking infrastructure and the Internet. FSTC's plans for electronic cheques include money transfer and transactions involving the National Automated Clearing House Association (NACHA) for transferring funds between banks; businesses could use the FSTC scheme to pay invoices from other businesses.

Advantages of FSTC

With the FSTC system, consumers can make a variety of different payments (cheques, certified cheques, ATM and so on) using a single interface that gathers all transactions into a single account log. The consumer only has to deal with his or her bank, not a number of financial institutions, to make these different types of payments.

Anonymity can be preserved

A scheme developed by DigiCash, called the blind signature, allows the buyer to obtain e-cash from a bank without the bank being able to correlate the buyer's name with the issued tokens, just as the cash one gets from a bank (or from any other source) does not bear the recipient's name. The bank has to honour the token when it receives it from the merchant, because of the validation stamp (its signature) it attached, but the bank cannot tell who made the payment.

Advantages

Best suited for small transactions.
Anonymity can be preserved using blind signatures.
Digital cash can be issued in very small denominations that can be used to pay for very small transactions. The low cost of electronic transactions makes it feasible for merchants to charge small amounts without losing profit.
Authentication is not an issue: who pays is not important as long as the merchant gets paid.

Disadvantages

The strong encryption scheme adds to the processing overhead of the system and may slow it down. Hence for large transactions, where security needs are high, this system (digital cash) is not effective.
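A worked version of the blind signature described above, and of the earlier point (in the credit card and electronic cheque sections) that a customer can seal a card or account number to the bank's public key so that the merchant relays ciphertext it cannot open. This is an added example, not DigiCash's, CyberCash's or FSTC's code. The keys are textbook RSA built from small fixed primes for a fast, deterministic demo (an assumption of the example; real deployments use at least 2048-bit moduli and proper padding), and the bank, coin serials and account number are constructed.

```python
"""Added example (not from the original notes, and not DigiCash's own code):
Chaum-style RSA blind signatures for bank-issued cash tokens, plus a card or
account number sealed to the bank's public key so the merchant relays only
ciphertext. Keys are constructed from small fixed primes for a fast,
deterministic demo; real systems need >= 2048-bit moduli and padding."""
import hashlib
import math
import secrets

E = 65537
SIGN_PRIMES = (15485863, 32452843)   # coin-signing key (kept separate from encryption)
ENC_PRIMES = (104729, 1299709)       # account-number encryption key


def make_key(p, q):
    """Textbook RSA key pair ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))


def coin_hash(serial, n):
    """The value the bank signs: a hash of the coin serial, reduced below n."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % n


class Bank:
    def __init__(self):
        self.sign_pub, self._sign_priv = make_key(*SIGN_PRIMES)
        self.enc_pub, self._enc_priv = make_key(*ENC_PRIMES)
        self.withdraw_log = []   # everything the bank sees at withdrawal time
        self.spent = set()       # serials already deposited (double-spend check)

    def blind_sign(self, blinded):
        """Sign whatever the customer presents; the bank never sees the serial.
        The signing key must never double as a decryption key: a blind
        signature with exponent d is a decryption with d, so sharing one key
        would hand customers a decryption oracle."""
        n, d = self._sign_priv
        self.withdraw_log.append(blinded)
        return pow(blinded, d, n)

    def deposit(self, serial, signature):
        """Merchant presents a coin: check the bank's own signature, then replay."""
        n, e = self.sign_pub
        if pow(signature, e, n) != coin_hash(serial, n):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: already spent"
        self.spent.add(serial)
        return "accepted"

    def open_sealed(self, ciphertext):
        """Only the bank can recover a number sealed with enc_pub."""
        n, d = self._enc_priv
        return pow(ciphertext, d, n)


def withdraw_coin(bank):
    """Customer: choose a serial, blind its hash with r^e, get it signed, unblind."""
    n, e = bank.sign_pub
    serial = secrets.token_hex(8)
    m = coin_hash(serial, n)
    while True:
        r = secrets.randbelow(n - 2) + 2        # blinding factor, invertible mod n
        if math.gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n
    s_blind = bank.blind_sign(blinded)          # = (m * r^e)^d = m^d * r   (mod n)
    signature = (s_blind * pow(r, -1, n)) % n   # strip r: m^d, an ordinary RSA signature on m
    return serial, signature


def seal_for_bank(number, enc_pub):
    """Encrypt an account or card number to the bank's public key. Textbook RSA
    is deterministic, so a real system must add randomised padding (OAEP) or a
    merchant could guess-and-compare; here it only shows the merchant holds no
    plaintext."""
    n, e = enc_pub
    assert 0 < number < n
    return pow(number, e, n)


if __name__ == "__main__":
    bank = Bank()
    serial, sig = withdraw_coin(bank)
    print(bank.deposit(serial, sig), "/", bank.deposit(serial, sig))
```

Two things worth checking against the code: the bank's withdraw_log holds only blinded values, so it cannot link a deposited serial to a withdrawal, and deposit keeps a spent set because an anonymous token can be copied; without that check the same coin could be spent twice. Signing and encryption use separate keys on purpose: a blind signature under exponent d is a decryption with d, so with one shared key a customer could decrypt any sealed account number by having it blind-signed.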

Classification of the e-commerce market

Depending upon the types of transactions, the market can broadly be classified into:

1. Business to business [B2B] commerce :- Transactions between businesses.
2. Business to consumer [B2C] :- Transactions between a business (say a merchant) and a consumer.

Business-to-business use of the Internet, especially for commercial transactions, differs from the way a consumer conducts business on the Internet. Business buyers are typically time-constrained to accomplish the job or task at hand; in other words, business buyers have little time for online browsing. This market is relatively established as compared to the business-to-consumer market. The business-to-business market is larger than the online consumer market: the amount of merchandise purchased electronically by businesses through EDI, e-mail and proprietary order entry is much greater than that purchased over online commercial networks.

Value Chain and Marketspace

Any company, to survive in the market, has to improve its performance continuously as per the need of the hour and keeping further developments in mind. Some of the activities to meet the above requirements are:

Design
Production
Marketing
Fulfilment
Customer support

These activities depend upon a support structure which includes:

Procurement
Human resource management
Technology development
Firm infrastructure

Value Chain :- The set of activities that add value to the product or service provided by the firm is called the value chain.

Traditional Value Chain :- For example, for hard goods, information is used as part of the support structure to help other activities add value, and it remains internal to the company.

Virtual Value Chain :- The activities performed with information rather than with something physical, like the raw materials used to manufacture a bicycle. The ready accessibility of information in e-commerce has led to this new type of value chain. Facilities provided to share information, such as Frequently Asked Questions (FAQs), searchable customer support, voice mail or a web site (if the Internet is used), improve customer relations and result in an indirect gain. These activities enhance the company's performance by adding value based on a new type of information sharing, the virtual value chain. Businesses can adapt their value-adding processes to the virtual value chain in three stages:

Viewing: keeping an eye on the physical operations by means of information.
Mirroring: substituting virtual value activities for physical ones.
Forming new relations: managers can now use information in their virtual value chain to add value in new ways.

This virtual value chain helps to visualize relationships between links in the value chain. CAD/CAM (computer-aided design / computer-aided manufacturing) can be used to realize a physical system. Working in an information-driven market, utilizing only virtual value chains and the products they create, has led to a new term for the arena in which electronic commerce is conducted: the marketspace. It consists of the transition from physically defined markets to markets based on, and controlled by, information. By participating in the marketspace, businesses can establish tighter and more dynamic links with partners.

Marketing :- The Internet can become an ideal vehicle for initiating and strengthening relationships between businesses and their customers. Two ways to build relationships that are important to electronic commerce are:

Online communities, where groups of users interact with each other largely via electronic means.
Intermediaries and integrators, to help both buyers and sellers with the large number of possible interactions found on the Internet.

Role of Intermediaries (Middlemen): Intermediaries have played a valuable economic role, even before the rise of the Internet and electronic commerce. But the rise of e-commerce and the Internet has provided new potential for middlemen. By providing communication and transaction infrastructure, the Internet enables intermediaries to lower their transaction costs and gives them a global base of operations; distance is not a barrier. The main roles of intermediaries are:
- Support buyers in identifying their needs and in finding an appropriate seller.
- Provide an efficient means of exchange between both parties.
- Execute the business transaction.
- Assist in after-sale support.

As the Internet grows and web sites proliferate, the role of intermediaries and integrators expands. Intermediaries form a virtual value chain and serve an integrating function for customers and businesses alike. For example, an intermediary might focus on a particular market in a comprehensive way and would therefore deal only with certain companies, tracking their products and inventories.

Framework for business values: Combined value chain = Physical value chain + Virtual value chain. The activities of the virtual value chain can be divided into five groups:
- Gathering
- Organizing
- Selecting
- Synthesizing
- Distributing

Each of these activities adds value to the physical value chain, resulting in a combined value chain, or value chain matrix. A good look at the value chain matrix indicates that there are a number of places in any business process where value can be added or the process improved, which saves money and time while improving performance, a two-way gain. Certainly this change is the result of the virtual value chain. The very idea is to adopt the virtual value chain to extract maximum value from the marketspace. In order to do so, changes are made to:
- Improve the organization: product promotions, new sales channels, direct savings, customer service.
- Transform the organization: customer relations, organizational learning, information sharing.
- Redefine the organization: new products, new business models or a new organization.

E-commerce business issues: As one plans a strategy to incorporate electronic commerce into a business, one should be prepared for a number of issues. These issues are:

Organizational issues: Building infrastructure for sharing information, knowledge management, intermediaries, maintaining flexibility, flattening the organization.
- Implementation of e-commerce technology requires infrastructure changes.
- Information management is crucial and may necessitate changes in the information infrastructure.
- Intermediaries can help to resolve incompatibilities, avoiding the need for frequent short-term changes. Intermediaries can also handle data access control.
- Use electronic systems to share data and avoid duplication of effort.
- A comprehensive communication network makes it possible for a flexible organization to respond.

Implementation issues: Using pilot projects, automating processes, planning for expansion and rapid growth using data warehouses, setting up workflow applications.
- The Internet brings new considerations for information systems.
- Early prediction of some problems may be obtained by pilot projects, but not of all problems. Some problems will be apparent only on full-scale implementation; then one needs automated procedures to tackle them. For example, hand-coding HTML pages works for a small web site in its initial stages, but as the web site grows and new features are included, automated procedures to create web pages become necessary.
- Relational databases and object-oriented approaches can help expansion and growth.
- Use of data warehousing and data mining techniques helps to facilitate customization.
- Proprietary solutions are created when necessary and can be replaced with commercial solutions when available.
- It is necessary to integrate the process with existing accounting systems, whether one supports micro transactions and/or subscriptions.

Marketing issues: Promoting two-way interactive communications, profiling customers, segmentation, defining and maintaining communities of interest, push and pull information flow. The objectives of effective marketing are listed below:
- Be able to reach small groups and online communities.
- Effective marketing needs consumer information, with good scope for privacy.
- Build customer loyalty by creating communities of interest.
- Detailed profiles can be used to make promotions relevant to customers.
- As the Internet has become a powerful interactive communication medium, traditional push and pull marketing is transformed onto the net.
- Advertising through a medium such as the Internet requires a different approach from traditional print and broadcast advertising.
- Checklists are helpful to support customer-initiated information pull.

Legal issues: Taxation, customer and corporate privacy, export controls on cryptographic products, etc. The most sophisticated issues of all! Legal issues still remain to be resolved.
- Law enforcement and government officials are concerned about the use of encryption and anonymous methods of payment.
- Privacy issues have legal as well as marketing ramifications.
- Taxation issues are complicated by the decentralized nature of the Internet.
- Encryption export laws fall under the jurisdiction of the Commerce Department.

The Internet vs. Private Nets: So far, the Internet has been able to meet the demands of its users, but 1996 was the first year when some began to question whether the Internet was capable of scaling up further, and whether it could reliably meet the communications demands that will be placed upon it. Highly publicized service outages at respected Internet service providers, such as Netcom and AT&T WorldNet, have disrupted part of the Internet, bringing into question the robustness of the Internet for business uses. The stability of the Internet must be considered. Protocols are being developed to allow Internet users to reserve bandwidth for applications and to prioritize traffic; for example, the Resource Reservation Protocol, or RSVP, has been developed to help reserve bandwidth for multimedia transmissions such as streaming audio, video and video conferencing, and this same protocol can be used to prioritize e-mail for EDI messages or FTP for file transfers. Routers supporting RSVP are only now becoming available; it will be some time before a great deal of the Internet routinely supports RSVP. ISPs are also starting to offer their own end-to-end networks across the United States, independent of the Internet's main backbone but still linked to it. Aimed at businesses, these networks can be used to speed along some Internet traffic. These private commercial networks also make it easier for companies to form virtual private networks (VPNs) with added security, replacing private corporate networks; a VPN can be less costly than leased-line networks, even with the additional rates incurred. Private networks also offer another advantage in that they link to the Internet, allowing for communication with other partners and customers without requiring special setups.

Security: There are many options for securing communications on the Internet. A great deal of work is being done with public key cryptography, and this will continue to lead in the marketplace. Nevertheless, there is no single dominant solution in a wide field of options and proposals. The security market has yet to determine the most appropriate level at which to implement security options. At the moment, solutions are available at the application level (such as security protocols for e-mail and the web), at the session level (SSL, for example) and at lower levels in the network (securing IP packet-level transmissions on the Internet, for instance). De facto standards are evolving rapidly: SSL for protecting data transmitted over the Web, and S/MIME and PGP for protecting e-mail messages. Many developers of security products have been focusing narrowly on either their individual applications or on a limited range of applications. More applications using cryptography for electronic commerce will have to handle multiple digital certificates in different formats, at least until some standard is developed. Initiatives like CryptoAPI and Intel's Common Data Security Architecture (CDSA) are an attempt to provide layered security services that make it easier to share encryption algorithms and digital certificates between applications, rather than writing the required software from scratch.

Digital cash, Smart cards: Digital cash is intended to be the digital equivalent of real cash, but each bank issues its own electronic cash tokens that are not compatible with the systems used by other banks. Having to worry about exchanging digital cash between banks, even within the same country, would be intolerable. This incompatibility of digital cash systems will remain a problem for consumer-to-business commerce for the next few years at least, but not for business-to-business commerce. EDI is a standardized way of transferring purchase and financial information, one that is usually negotiated between business partners before any transactions occur (of course, the time required to set up EDI has been one of the reasons for its rather limited usage). This approach of negotiating procedures will extend to other businesses as they use EDI over the Internet, and these businesses are likely to follow similar procedures with payment systems other than EDI. In the absence of suitable infrastructures for these other payment systems, intermediaries such as Nets Inc. will continue to provide standardized methods of handling financial transactions between buyers and sellers. Digital certificates and public key systems have no pre-existing trust network comparable to existing financial infrastructures. Everything needed for the distribution and verification of digital certificates is being built from the ground up. Commercial firms like CyberTrust, Nortel and VeriSign are issuing digital certificates to individuals as well as businesses, and they have been ramping up their efforts with electronic commerce on the Internet in mind. However, a fully developed hierarchy of certificate authorities has yet to be established; furthermore, interoperability between certificate authorities is not guaranteed, as more than one public key algorithm can be, and is, employed. Infrastructures must also be built to handle a high volume of digital certificates and key pairs.

Smart Cards: Although smart cards have been around for more than a decade, they have not yet seen widespread use. Prepaid or stored-value cards are currently in use for public telephones, tollbooths and mass transit systems in the United States and overseas. But the real impact on electronic commerce, especially tied to the Internet, will come with the development of smart cards that include an embedded microprocessor. These smart cards will not only be used for Internet-based purchases, but will also be able to serve as electronic purses that can be used for everyday purchases at stores. The technology to support electronic commerce using smart cards is still being developed and is being field tested on a limited basis. The Mondex smart cards use the digital cash system developed by David Chaum and DigiCash.

Online Catalogs: Online catalogs are likely to continue to be an important part of electronic commerce, for both business-to-consumer and business-to-business commerce. Dynamically generated custom catalogs search and draw data from corporate databases, and this will be the crucial and standard way of doing things for some time. Custom catalogs dynamically generated from corporate databases will be the norm. Customers visit a company's web site to find out details about the products and services it offers so that they can make their decision. When they visit a different web site, things might be done a little differently, but the procedures are generally the same.

EDI, Electronic mail, & Micro transactions

EDI

The original electronic commerce applications using networks are commonly referred to as EDI. Many large corporations have implemented EDI, and they are routinely using it with their suppliers to simplify management of their supply chains and the handling of their financial transactions. The Internet offers a low-cost alternative to VANs for transmitting EDI data. By itself, this won't make EDI more appealing to smaller businesses, because they would still need to integrate EDI data with their internal systems, but it will help to further the acceptance of EDI.
- Using the Internet for EDI is less expensive than private networks.
- Standards bodies and developers for EDI are extending the standards to simplify negotiations between business partners and to add support for real-time EDI.
- More vendors are offering products to conduct EDI over the Internet.
- Finally, VANs themselves are supporting Internet access for conducting EDI.
- EDI is being integrated with other software.

Electronic mail: Although the World Wide Web has received a lot of focus, other Internet-based services, such as electronic mail, can be equally important to electronic commerce. For example, EDI VANs routinely use e-mail for transferring EDI data between partners. In the past, businesses have been reluctant to use Internet-based e-mail for electronic commerce because it lacked the necessary security, directory services and other options businesses have come to rely on. But that's changing as newer protocols are being developed by the IETF. For instance, S/MIME is becoming an ad hoc standard for securing multi-part e-mail, such as EDI documents, on the Internet. One option that's been missing from Internet e-mail is a standardized way to acknowledge receipt of a message. The protocol for this is still being reviewed by the IETF.
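The EDI-over-e-mail exchange described above, as an added example that is not part of the original notes and not any vendor's or VAN's code: a purchase order is wrapped in a MIME message as an application/EDI-X12 attachment (the MIME type registered for X12 interchanges in RFC 1767), the sender requests a receipt with a Disposition-Notification-To header, the receiver answers with a receipt bound to a SHA-256 digest of the exact payload it stored, and the sender accepts the receipt only if it names its own message and digest. The addresses, Message-ID and X12 segments are constructed placeholders; the receipt body is a simplified plain-text form rather than the multipart/report disposition notification the IETF later standardized (RFC 8098), and nothing here is signed, so S/MIME protection would still be layered on top of it.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed minimal X12 interchange; segments are illustrative, not a real trading-partner document.
SAMPLE_EDI = (
    "ISA*00*          *00*          *ZZ*BUYERCO        *ZZ*SELLERCO       "
    "*240101*1200*U*00401*000000001*0*T*:~"
    "GS*PO*BUYERCO*SELLERCO*20240101*1200*1*X*004010~"
    "ST*850*0001~BEG*00*NE*PO-1001**20240101~SE*3*0001~GE*1*1~IEA*1*000000001~"
)


def edi_digest(edi_bytes):
    """SHA-256 of the EDI payload; lets a receipt prove which bytes were received."""
    return hashlib.sha256(edi_bytes).hexdigest()


def build_edi_message(sender, recipient, edi_text, message_id):
    """Sender side: wrap an EDI document in a MIME message and request a receipt."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Purchase order PO-1001"
    msg["Message-ID"] = message_id  # constructed by the caller
    # Asks the receiving system for a disposition notification (RFC 8098).
    msg["Disposition-Notification-To"] = sender
    msg.set_content("Purchase order attached as an X12 interchange.")
    msg.add_attachment(edi_text.encode("ascii"), maintype="application",
                       subtype="EDI-X12", filename="po-1001.edi")
    return msg


def extract_edi(raw_message):
    """Return the bytes of the first application/edi-x12 attachment, or None."""
    msg = message_from_bytes(raw_message, policy=default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/edi-x12":
            return part.get_content()
    return None


def build_receipt(raw_message, responder):
    """Receiver side: acknowledge the message, binding the receipt to the exact payload.

    Simplified plain-text body instead of the multipart/report MDN format.
    """
    original = message_from_bytes(raw_message, policy=default)
    edi = extract_edi(raw_message)
    if edi is None:
        raise ValueError("message carries no application/EDI-X12 attachment")
    receipt = EmailMessage()
    receipt["From"] = responder
    receipt["To"] = str(original["Disposition-Notification-To"])
    receipt["Subject"] = "Receipt: " + str(original["Subject"])
    receipt["In-Reply-To"] = str(original["Message-ID"])
    receipt.set_content(
        "Original-Message-ID: %s\n"
        "Disposition: automatic-action/MDN-sent-automatically; processed\n"
        "Received-Content-Digest: sha256 %s\n"
        % (original["Message-ID"], edi_digest(edi))
    )
    return receipt


def receipt_matches(raw_receipt, edi_text, message_id):
    """Sender side: accept a receipt only if it names our message and our payload's digest."""
    receipt = message_from_bytes(raw_receipt, policy=default)
    body = receipt.get_content()
    expected_digest = "Received-Content-Digest: sha256 " + edi_digest(edi_text.encode("ascii"))
    expected_id = "Original-Message-ID: " + message_id
    return expected_digest in body and expected_id in body
```

Checking the digest on the sender side is what turns a receipt from a courtesy into evidence: a receipt that names a different digest means the partner processed something other than what was sent, which is exactly the kind of silent mismatch an unauthenticated e-mail transport can introduce.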
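The dynamically generated catalog described in the Online Catalogs paragraph above, as an added example that is not code from the original notes: a visitor's search term is run against a product table with bound parameters, so the search text is only ever data and never becomes part of the SQL; LIKE wildcards inside the term are escaped so it matches literally; and every value written into the HTML page is escaped. The product rows are constructed sample data in an in-memory SQLite table standing in for the corporate database.

```python
import html
import sqlite3

# Constructed sample product rows; not data from any real company's database.
SAMPLE_PRODUCTS = [
    ("Mountain bike", "Bicycles", 499.00),
    ("Road bike", "Bicycles", 899.00),
    ("Bike helmet <L>", "Accessories", 45.50),
    ("Water bottle", "Accessories", 6.99),
]


def build_catalog_db():
    """In-memory SQLite stand-in for the corporate product database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, category, price) VALUES (?, ?, ?)", SAMPLE_PRODUCTS
    )
    conn.commit()
    return conn


def escape_like(term):
    """Neutralize LIKE wildcards so a visitor's search text is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_products(conn, term, category=None):
    """Run the visitor's search with bound parameters; the search text never becomes SQL."""
    sql = "SELECT name, category, price FROM products WHERE name LIKE ? ESCAPE '\\'"
    params = ["%" + escape_like(term) + "%"]
    if category is not None:
        sql += " AND category = ?"
        params.append(category)
    sql += " ORDER BY price"
    return conn.execute(sql, params).fetchall()


def render_catalog(rows, term):
    """Build the catalog page; database values and the search term are HTML-escaped."""
    lines = ["<h1>Results for %s</h1>" % html.escape(term), "<table>"]
    for name, category, price in rows:
        lines.append(
            "<tr><td>%s</td><td>%s</td><td>%.2f</td></tr>"
            % (html.escape(name), html.escape(category), price)
        )
    lines.append("</table>")
    return "\n".join(lines)
```

The two escaping steps address two different sinks: the parameter binding protects the database query, while html.escape protects the browser of the next visitor who sees a product name or a reflected search term.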

Micro transactions: Although micro transactions and micro payment schemes have been mentioned a number of times, they are both certainly technologies that are still in their infancy. Limited pilot projects are now underway to test some of the technologies proposed for micro payments. CyberCash, with its CyberCoin software, is the first company to offer a commercial system that supports micro transactions. Funds for these cash transactions, typically from 25, are drawn from a consumer's existing bank account. CyberCash has already initiated a number of strategic alliances to support the system. Micro transactions using CyberCoin software are also being tested.

Software Agents: One of the hot, and perhaps over-hyped, technologies advanced over the past few years has been software agents: self-learning programs that users can instruct to perform acts on their behalf. A variety of uses for software agents have been proposed. Two of immediate interest to electronic commerce are retrieving selected product information and negotiating the sale of an item. An Internet software agent developed by Arthur Andersen Inc. has already demonstrated the first task: their software agent accesses data from various Web-based audio CD dealers to find the best price for a particular selection. Similar agents could be constructed to visit numerous online catalogs, extract information on selected products and present that data to the user in a personalized buyer's catalog. Sales negotiations are a more complex process, and agents capable of performing such tasks are still in the research phase.
