Security Fundamentals for E-Commerce PDF

432 Pages·2001·4.805 MB·English

Preview Security Fundamentals for E-Commerce

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce (e-commerce). Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW by the following URL:

http://www.esecurity.ch/serieseditor.html

Also, if you'd like to contribute to the series and write a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Computer Security Series
Rolf Oppliger, Series Editor

Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas
Security Fundamentals for E-Commerce, Vesna Hassler
Security Technologies for the World Wide Web, Rolf Oppliger

For a complete listing of the Artech House Computing Library, turn to the back of this book.

Security Fundamentals for E-Commerce
Vesna Hassler
Pedrick Moore, Technical Editor
Artech House
Boston • London
www.artechhouse.com

Library of Congress Cataloging-in-Publication Data
Hassler, Vesna.
Security fundamentals for E-commerce / Vesna Hassler; Pedrick Moore, technical editor.
p. cm. -- (Artech House computer security series)
Includes bibliographical references and index.
ISBN 1-58053-108-3 (alk. paper)
1. Electronic commerce--Security measures. 2. Broadband communication systems.
I. Moore, Pedrick. II. Title. III. Series.
HF5548.32.H375 2000
658.8'4--dc21 00-064278 CIP

British Library Cataloguing in Publication Data
Hassler, Vesna
Security fundamentals for e-commerce. -- (Artech House computer security series)
1. Business enterprises--Computer networks--Security measures 2. Electronic commerce--Security measures 3. Broadband communication systems
I. Title II. Moore, Pedrick
005.8
ISBN 1-58053-406-6

Cover design by Wayne McCaul

© 2001 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-108-3
Library of Congress Catalog Card Number: 00-064278
10 9 8 7 6 5 4 3 2 1

To my families, Ristić and Hassler

Contents

Preface
    What is covered in this book
    Is security an obstacle to e-commerce development?
    Why I wrote this book
    Some disclaimers
    How to read this book
    Acknowledgements

Part 1 Information Security

1 Introduction to Security
    1.1 Security Threats
    1.2 Risk Management
    1.3 Security Services
    1.4 Security Mechanisms

2 Security Mechanisms
    2.1 Data Integrity Mechanisms
        2.1.1 Cryptographic Hash Functions
        2.1.2 Message Authentication Code
    2.2 Encryption Mechanisms
        2.2.1 Symmetric Mechanisms
        2.2.2 Public Key Mechanisms
    2.3 Digital Signature Mechanisms
        2.3.1 RSA Digital Signature
        2.3.2 Digital Signature Algorithm
        2.3.3 Elliptic Curve Analog of DSA
        2.3.4 Public Key Management
    2.4 Access Control Mechanisms
        2.4.1 Identity-Based Access Control
        2.4.2 Rule-Based Access Control
    2.5 Authentication Exchange Mechanisms
        2.5.1 Zero-Knowledge Protocols
        2.5.2 Guillou-Quisquater
    2.6 Traffic Padding Mechanisms
    2.7 Message Freshness
    2.8 Random Numbers

3 Key Management and Certificates
    3.1 Key Exchange Protocols
        3.1.1 Diffie-Hellman
        3.1.2 Elliptic Curve Analog of Diffie-Hellman
    3.2 Public Key Infrastructure
        3.2.1 X.509 Certificate Format
        3.2.2 Internet X.509 Public Key Infrastructure
    3.3 Encoding Methods

Part 2 Electronic Payment Security

4 Electronic Payment Systems
    4.1 Electronic Commerce
    4.2 Electronic Payment Systems
        4.2.1 Off-line Versus Online
        4.2.2 Debit Versus Credit
        4.2.3 Macro Versus Micro
        4.2.4 Payment Instruments
        4.2.5 Electronic Wallet
        4.2.6 Smart Cards
    4.3 Electronic Payment Security

5 Payment Security Services
    5.1 Payment Security Services
        5.1.1 Payment Transaction Security
        5.1.2 Digital Money Security
        5.1.3 Electronic Check Security
    5.2 Availability and Reliability

6 Payment Transaction Security
    6.1 User Anonymity and Location Untraceability
        6.1.1 Chain of Mixes
