ebiz

Q) Which cryptographic system is used in Electronic Cash Transactions?
Ans. Public-key cryptography and digital signatures (both blind and non-blind signatures) make e-money possible. The basic gist is that banks and customers would have public-key encryption keys. Public-key encryption keys come in pairs. A private key known only to the owner, and a public key, made available to everyone. Whatever the private key encrypts, the public key can decrypt, and vice verse.
Banks and customers use their keys to encrypt (for security) and sign (for identification) blocks of digital data that represent money orders. A bank "signs" money orders using its private key and customers and merchants verify the signed money orders using the bank's widely published public key. Customers sign deposits and withdraws using their private key and the bank uses the customer's public key to verify the signed withdraws and deposits
To understand the digital cash let us first view the token system (traditional)

The same system if transferred into digital form is called digital cash or e-cash. In this system, tokens are issued in the form of strings of digits. This digital cash in the form of strings of digits, is both issued and redeemed by banks.
The following diagram shows how person X pays for the Item he purchased from Y in digital cash.
The X’s Bank validates each tokens (currency) on to X’s PC.
When X wants to spend e-cash he only have to transmit the proper amount of tokens to the merchant.
The merchant Y sends that e-cash to his bank for verification and redemption.
To ensure that each token is used only once, the bank records the serial no. of each token as it is spent.

Flow of Digital Cash:

Q) What is E-Cash?
Ans. E-Money is an electronic medium for making payments and is the trend today. It includes credit cards, smart cards, debit cards, electronic funds transfer, and automated clearinghouse (ACH) systems. It is notational money system that may be online or offline, identified or anonymous.
Types of E-cash:
Identified and online: this is unique to credit cards and debit cards transactions. The buyer is clearly identified and the card is validated before payment is made.
Identified and off-line: unique to purchasing by check, American express traveler check, or US postal money order. the merchant asks for ID to make sure the identity of the purchaser is known, but no verification is made against the account.
Anonymous and online: unique to ATMs where the purchaser is anonymous and a purchase is made on the spot for cash.

Anonymous and offline: unique to electronic cash. It includes such transactions as making deposits in one’s a/c via ATM.

Q) What are the different properties of E-Cash?
Ans.(1) Privacy (“Untraceability” or “Anonymity”): A scheme developed by DIGICASH, called blind signature, allows the buyer to obtain e-cash froma bank without the bank being able to correlate the buyer’s name with the issued tokens, like the cash one gets from a bank (or from any other source) does not bear the names of the recipient on it. The bank has to honour the token when it receives from the merchant because of the validation stamp it has, but the bank cannot tell who has made the payment.
(2) Security: E-cash is a secure way of transferring money as it is secured by Public-key cryptography and digital signatures (both blind and non-blind signatures)
(3) Off-line/On-line Operation: In an On-line Operation the validity of the transaction is verified while the transaction is occurring. In an Off-line Operation the validity of the transaction is verified a period of time after the transaction has occurred. Most electronic cash schemes are off-line.
(4) Transferability: The transferability service allows the transfer of coins from individual to individual. This is an optional Electronic Cash service. Most schemes which offer the transferability service would also include a “used by” date which requires the bank to refresh the coin after a period of time.
(5) Divisibility: This is also an optional electronic cash service. A cash scheme which enables the divisibility service allows a coin to be divided into subdivisions. Each subdivision is worth any desired value but all values must add up to the original value.
(6) Hardware Independence: Hardware independent electronic cash schemes do not use any physical condition (i.e. Smart Card, Wallets, etc.) to maintain the security service. Hardware independent schemes rely only on cryptographic methods to ensure the security of the payment scheme.
(7) Scalability: The scalability service is the ability to handle the addition of users and resources without suffering a noticeable loss of performance. In a system where a large circulation of coins is anticipated this service is essential. This is an optional electronic cash service.
(8) Acceptability: The acceptability service allows an anonymous payment scheme with multiple banks to accept coins minted by other banks. It is feasible that within a cash system enabling the acceptability service with multiple banks a customer may withdraw coins from a bank and transfer those coins to a merchant. At the end of the day the merchant should be able to deposit the coins at any bank. The coins need not be deposited at the same bank from which they were withdrawn by the customer.

Q) Various types of E-Payment systems in use.
1. Banking and Financial Payments:
- bank-to bank transfer
- ATMs and Cash dispensers
- bill payment
2. Retailing payments:
- credit cards
- private label credit cards, eg. J.C.Penny Card
- charge cards , eg. American Express
3. Online Electronic Commerce Payments:
- Token based payments: digicash, netcheque, smart cards
- Credit card based payment systems : WWW form based encryption;
Third party authorization number- eg. First Virtual.

Q. What r the risks involved in EPS?
Ans. Although there are many benefits to digital cash, there are also many significant disadvantages. These include fraud, failure of technology, possible tracking of individuals and loss of human interaction.
Fraud over digital cash has been a pressing issue in recent years. Hacking into bank accounts and illegal retrieval of banking records has led to a widespread invasion of privacy and has promoted identity theft.
There is also a pressing issue regarding the technology involved in digital cash. Power failures, loss of records and undependable software often cause a major setback in promoting the technology.
Privacy questions have also been raised; there is a fear that the use of debit cards and the like will lead to the creation by the banking industry of a global tracking system. Some people are working on anonymous ecash to try to address this issue.

Q. How SSL works?
Ans. Secure Sockets Layer (SSL) is the most widely known protocol that offers privacy and good reliability for client-server communication over the Internet. SSL itself is conceptually quite simple: it negotiates the cryptography algorithms and keys between two sides of a communication, and establishes an encrypted tunnel through which other protocols (like HTTP) can be transported. Optionally, SSL can also authenticate both sides of communication through the use of certificates.
SSL is a layered protocol and consists of four sub-protocols:
• SSL Handshake Protocol
• SSL Change Cipher Spec Protocol
• SSL Alert Protocol
• SSL Record Layer The position of the above protocols according to the TCP/IP model has been illustrated on the following diagram in Figure 1.

As the above diagrams shows, SSL is found in the application layer of the TCP/IP model.
How does SSL work? The diagram below, Figure 2, shows the simplified, step-by-step process of establishing each new SSL connection between the client (usually a web browser) and the server (usually an SSL web server).

As you can see from Figure 2, the process of establishing each new SSL connection starts with exchanging encryption parameters and then optionally authenticating the servers (using the SSL Handshake Protocol). If the handshake is successful and both sides agree on a common cipher suite and encryption keys, the application data (usually HTTP, but it can be another protocol) can be sent through encrypted tunnel (using the SSL Record Layer).

Q. Discuss the technological limitations for the growth of e-commerce in India.
Ans. Factors impacting the adoption of e-commerce in different sectors of the economy are examined. The major variables considered include growth in the number of internet connections, telecommunications infrastructure, attitudes and awareness of corporations and individual customers towards e-commerce, growth of the software industry in terms of its relationship to e-commerce, and the role played by the government.

Q. What are electronic cheks? What r there adv.?
Ans. An eCheck is the electronic version or representation of a paper check.
eChecks:
- contain the same information as paper checks contain
- are based on the same rich legal framework as paper checks
- can be linked with unlimited information and exchanged directly between parties
- can be used in any and all remote transactions where paper checks are used today
- enhance the functions and features provided by bank checking accounts
- expand on the usefulness of paper checks by providing value-added information
eChecks work the same way a check does.
the check writer "writes" the eCheck using one of many types of electronic devices and "gives" the eCheck to the payee electronically.
the payee "deposits" the Electronic Check, receives credit, and the payee's bank "clears" the eCheck to the paying bank.
the paying bank validates the eCheck and then "charges" the check writer's account for the check.
eChecks have important new features. They offer:
the ability to conduct bank transactions, yet are safe enough to use on the Internet
unlimited, but controlled, information carrying capability
reduces fraud losses for all parties
automatic verification of content and validity
traditional checking features such as stop payments and easy reconciliation
enhanced capabilities such as effective dating
The eCheck:
can be used by all account holders, large and small, even where other electronic payment solutions are too risky, or not appropriate
is the most secure payment instrument available today
provides rapid and secure settlement of financial obligations
can be used with existing checking accounts
can be initiated from a variety of hardware platforms and software applications

Q. RSA algorithm
In cryptology, RSA is an algorithm for public-key encryption. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is still widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
The public key consists of the modulus and the public (or encryption) exponent .The private key consists of the modulus and the private (or decryption) exponent which must be kept secret.
For efficiency a different form of the private key can be stored:
and : the primes from the key generation,
and : often called dmp1 and dmq1.
: often called iqmp
All parts of the private key must be kept secret in this form. and are sensitive since they are the factors of , and allow computation of given . If and are not stored in this form of the private key then they are securely deleted along with other intermediate values from key generation.
Although this form allows faster decryption and signing by using the Chinese Remainder Theorem, it is considerably less secure since it enables side channel attacks. This is a particular problem if implemented on smart cards, which benefit most from the improved efficiency. (Start with y = xemodn and let the card decrypt that. So it computes yd(mod p) or yd(mod q) whose results give some value z. Now, induce an error in one of the computations. Then gcd(z − x,n) will reveal p or q.)
Encrypting messages
Alice transmits her public key ( & ) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice.
He first turns M into a number < id="Decrypting_messages" name="Decrypting_messages">Decrypting messages
Alice can recover from by using her private key in the following procedure:
Given , she can recover the original message M.The decryption procedure works because first
.
Now, since
and
Fermat's little theorem yields
and
.
Since and are distinct prime numbers, applying the Chinese remainder theorem to these two congruences yields
.
Thus,
.
A working example
Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but you can also use OpenSSL to generate and examine a real keypair.
1. Choose two prime numbers
p = 61 and q = 53
2. Compute
n = 61 * 53 = 3233
3. Compute the totient
φ(n) = (61 − 1)(53 − 1) = 3120
4. Choose e > 1 coprime to 3120
e = 17
5. Compute such that (d is uniquely determined by e and φ(n))
d = 2753
17 * 2753 = 46801 = 1 + 15 * 3120.
The public key is (n = 3233, e = 17). For a padded message the encryption function is:
.
The private key is (n = 3233, d = 2753). The decryption function is:
.
For example, to encrypt m = 123, we calculate
To decrypt c = 855, we calculate
.

Q) Symmetric-key cryptography
Symmetric cryptography, also called secret key cryptography, is the most intuitive kind of cryptography. It involves the use of a secret key known only to the participants of the secure communication: If Alice wants to send the message securely over a public channel to Bob, she uses the key they agreed on before, to send to Bob. He will decrypt the received ciphertext with the same key to gain access to the message.
Symmetric cryptography can be used to transmit information over an insecure channel as above, but it has also other uses, such as secure storage on insecure media or strong mutual authentication:
Alice and Bob have agreed on a secret key (Shared Secret). If Alice and Bob want to make sure they are communicating with each other over an insecure channel, i.e. prove that they know the secret key, without revealing it to eavesdroppers, they can proceed as follows: They each pick a random number, the challenge: and . Suppose Alice contacted Bob stating she is Alice: Bob sends her and she replies with . Bob can decrypt this information and verify he gets again. Now Bob knows he is communicating with Alice. Then Alice sends him , and he replies with . Alice can now verify she is communicating with Bob. An eventual eavesdropper would not have gained information on from this exchange.
The two symmetric cryptographic algorithms which are widely used in internet protocols today are DES and IDEA.

Asymmetric Cryptography
Asymmetric cryptography, also called public key cryptography, is a relatively new field, The essential difference to symmetric cryptography is that this kind of algorithm uses two different keys for encryption and corresponding decryption.
Each participant in a secure communication owns a unique pair of keys, called public key p and secret key s. The keys p and s are mathematically dependent from each other; a requirement to the asymmetric algorithm being that, while p can be computed easily from s, obtaining s from p is computationally unfeasible. This property allows to make p publicly known, while s must be kept secret by its owner.
This asymmetry of the keys allows novel and very interesting uses of cryptography:
Secure transmission without requiring a shared secret
Suppose Alice wants to send the message m over an insecure channel to Bob, whose public key she knows. She sends him . Bob will compute to obtain the original message. As is known only to Bob and cannot be obtained from known to anyone, this procedure is secure.
Note that for secure transmission to work, the algorithm must have the property
Such algorithms are called reversible, the most frequently used asymmetric algorithm RSA is of this type, it is described below.

Q. E-Wallet
The electronic equivalent of a wallet for e-commerce transactions. Also called an "e-wallet," it holds credit card data and passwords for logging into Web sites. The wallet data may reside in the user's machine or on the servers of the wallet service. When stored in the client machine, the wallet may use a digital certificate that identifies the authorized card holder. Microsoft's Passport, Yahoo! Wallet and Gator's eWallet are examples of digital wallets.Envisioned for Payment ServicesIn the early days of the Web, the digital wallet was also conceived for holding electronic money for various payment services that were emerging. However, except for PayPal, such services never materialized, and the credit card became the primary digital money over the Internet.

Q. Phishing
Pronounced "fishing," it is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords. Also known as "brand spoofing," an official-looking e-mail is sent to potential victims pretending to be from their ISP, bank or retail establishment. E-mails can be sent to people on selected lists or on any list, expecting that some percentage of recipients will actually have an account with the real organization.E-Mail Is the "Bait"The e-mail states that due to internal accounting errors or some other pretext, certain information must be updated to continue your service. A link in the message directs the user to a Web page that asks for financial information. The page looks genuine, because it is easy to fake a valid Web site. Any HTML page on the Web can be copied and modified to suit the phishing scheme.Anyone Can PhishA "phishing kit" is a set of software tools that help the novice phisher imitate a target Web site and make mass mailings. It may even include lists of e-mail addresses. How thoughtful of people to create these kits. In the meantime, if you suspect a phishing scheme, you can report it to the Anti-Phishing Working Group at www.antiphishing.org. See pharming and vishing.The "Spear" Phishing VariantSpear phishing is more targeted and personal. The e-mail supposedly comes from someone in the organization everyone knows such as the head of human resources. It could also come from someone not known by name, but with a title of authority such as a LAN administrator. Once one employee falls for the scheme and divulges sensitive information, it can be used to gain access to more of the company's resources.

Q. EDI
(Electronic Data Interchange) The electronic communication of business transactions, such as orders, confirmations and invoices, between organizations. Third parties provide EDI services that enable organizations with different equipment to connect. Although interactive access may be a part of it, EDI implies direct computer-to-computer transactions into vendors' databases and ordering systems.The Internet gave EDI quite a boost. However, rather than using privately owned networks and the traditional EDI data formats (X12, EDIFACT and TRADACOMS), many business transactions are formatted in XML and transported over the Internet using the HTTP Web protocol.

Q. Smart Cards
A credit card with a built-in microprocessor and memory used for identification or financial transactions. When inserted into a reader, it transfers data to and from a central computer. It is more secure than a magnetic stripe card and can be programmed to self-destruct if the wrong password is entered too many times. As a financial transaction card, it can be loaded with digital money and used like a travelers check, except that variable amounts of money can be spent until the balance is zero. Various types of smart cards are- digital money, SIM, Java Card, Ultra Card and contactless smart card.

Q. SET protocol.
Secure Electronic Transactions (SET) is an open protocol which has the potential to emerge as a dominant force in the securing of electronic transactions. Jointly developed by Visa and MasterCard, in conjunction with leading computer vendors such as IBM, SET is an open standard for protecting the privacy, and ensuring the authenticity, of electronic transactions. This is critical to the success of electronic commerce over the Internet; without privacy, consumer protection cannot be guaranteed, and without authentication, neither the merchant nor the consumer can be sure that valid transactions are being made
In the SET protocol, two different encryption algorithms are used – DES and RSA. Using a hashing algorithm, SET can sign a transaction using the sender’s private key. This produces a small message digest, which is a series of values that "sign" a message. By comparing the transaction message and the message digest, along with the sender’s public key, the authenticity of the transaction can be verified.

Q. Firewall
The primary method for keeping a computer secure from intruders. A firewall allows or blocks traffic into and out of a private network or the user's computer. Firewalls are widely used to give users secure access to the Internet as well as to separate a company's public Web server from its internal network. Firewalls are also used to keep internal network segments secure; for example, the accounting network might be vulnerable to snooping from within the enterprise.In the home, a personal firewall typically comes with or is installed in the user's computer (eg Windows Firewall). Personal firewalls may also detect outbound traffic to guard against spyware, which could be sending your surfing habits to a Web site. They alert you when software makes an outbound request for the first time.In the organization, a firewall can be a stand-alone machine (eg firewall appliance) or software in a router or server. It can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers each performing some type of firewall processing.
Firewall Techniques
Following are the different methods used to provide firewall protection, and several of them are often used in combination.Stateful InspectionTracks the transaction to ensure that inbound packets were requested by the user. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made at any layer or depth. Network Address Translation (NAT)Allows one IP address, which is shown to the outside world, to refer to many IP addresses internally; one on each client station. Performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). Packet FilterBlocks traffic based on a specific Web address (IP address) or type of application (e-mail, ftp, Web, etc.), which is specified by port number. Packet filtering is typically done in a router, which is known as a "screening router." Eg bastion host.Proxy ServerServes as a relay between two networks, breaking the connection between the two. Also typically caches Web pages.

Q. Paypal.
Ans. A Web payment processing service founded in 1998 and acquired by eBay in late 2002. Operating as an independent brand, PayPal, San Jose, CA (www.paypal.com) is used to shop at PayPal-enabled retail sites as well as to send or request money from anyone with an e-mail address. Both personal and business services are offered, and it is widely used as a payment system for online auctions. PayPal offers a complete shopping cart service that can be added to a Web site and enables merchants of all sizes to accept credit cards.A Huge SuccessIn 2002, the company went international, allowing its customers to accept payments in euros and pounds. By 2005, PayPal was available to users in 45 countries and had more than 50 million account members worldwide.