What are the common security technologies in e-commerce system?
E-commerce security technology

With the development of the Internet, e-commerce has gradually become a new way for people to conduct business, and more and more people use the Internet for business activities. The prospects for e-commerce are very attractive, but its security problems have become increasingly prominent. How to establish a secure and convenient e-commerce application environment and provide adequate protection for information has become a topic of great concern to businesses and users.

An important technical feature of e-commerce is that it uses information technology to transmit and process business information. E-commerce security can therefore be divided into two parts: computer network security and business transaction security.

* Computer network security covers the security of network equipment, network systems, databases and so on. It is characterized by addressing the security problems of the computer network itself: a network security enhancement scheme is implemented to ensure that the network itself is secure.

* Business transaction security focuses on the security issues that arise when traditional business is conducted over the Internet. Building on computer network security, it asks how the e-commerce process can proceed smoothly, that is, how to achieve confidentiality, integrity, identifiability, unforgeability and non-repudiation in e-commerce.

Computer network security and business transaction security are inseparable; they complement each other and neither can be dispensed with. Without computer network security as the foundation, business transaction security is a castle in the air and cannot even be discussed. Without security guarantees for business transactions, even a secure computer network cannot meet the unique security requirements of e-commerce.

Computer network security

1. Potential security risks of computer networks

No security configuration of the operating system.

Whatever operating system is adopted, a default installation will have security problems. Only by carrying out thorough, strict security configuration of the operating system can a certain degree of security be achieved. Do not assume that a default installation is safe just because strong passwords are used. Vulnerabilities and "backdoors" in network software are the first-choice targets of network attacks.

No audit of CGI program code.

General CGI problems are somewhat easier to prevent. However, many CGI programs developed specially for websites or by software vendors have serious CGI flaws. For an e-commerce website the consequences can be severe, such as a malicious attacker using other people's accounts for online shopping.

Denial of service (DoS) attacks

With the rise of e-commerce, the real-time requirements on websites keep rising, and the threat that DoS or DDoS poses to them is growing. Attacks aimed at paralysing a network are more effective, more destructive, faster and wider-reaching than any traditional means of terrorism or war, while the attacker runs little risk and may even vanish before the attack begins, leaving the victim no way to retaliate. The attacks on Yahoo and Amazon in February this year proved this point.

Improper use of security products

Although many websites have deployed network security devices, these products fail to play their due role because of their own defects or because of how they are used. Many vendors' products demand a high technical background from the people configuring them, beyond what ordinary network administrators have. Even if the vendor initially installed and configured everything correctly, once the system changes and the settings of the security products have to be changed, security problems easily arise.

Lack of strict network security management system

The most important thing in network security is to take it seriously at the level of attitude. The internal security of a website or LAN needs a complete security system to guarantee it. Establishing and enforcing a strict computer network security system and strategy is the basis for truly achieving network security.

2. Computer network security system

A comprehensive computer network security architecture covers physical security, access control, system security, user security, information encryption, secure transmission and management security. It makes full use of host security, identity authentication, access control, cryptography, firewall, security audit, security management, system vulnerability detection and hacker tracking technologies to establish multiple strict lines of defence between attackers and protected resources. This greatly increases the difficulty of malicious attacks and increases the amount of audit information, which can then be used to track intruders.

When implementing network security precautions:

* First, strengthen the security of the host itself: do the security configuration properly, install security patches in time and reduce loopholes;

* Second, regularly scan and analyse the network system with system vulnerability detection software, find possible security risks and fix them in time;

* Establish complete access control measures from the router to the user, install firewalls, and strengthen authorization management and authentication;

* Strengthen data backup and recovery measures using data storage technologies such as RAID 5;

* Establish the necessary physical or logical isolation measures for sensitive equipment and data;

* Encrypt sensitive information transmitted over public networks;

* Install anti-virus software and strengthen the overall anti-virus measures of the intranet;

* Establish detailed security audit logs to detect and track intrusion attacks, etc.

Network security technology appeared with the birth of networks, but did not attract attention until the end of the 1980s and developed rapidly abroad in the 1990s. In recent years frequent security incidents have drawn great attention from computer security circles in various countries, and computer network security technology is changing rapidly. Increasingly mature technologies such as security kernel systems, VPN security tunnels, identity authentication, low-level network data encryption and active monitoring for network intrusions have greatly strengthened the overall security of computer networks at different levels. A security kernel system can realize a complete or relatively complete security system that remains compatible with traditional network protocols. Built on a cryptographic core, it supports different types of security hardware, shields upper-level applications from changes in that hardware, implements various network security protocols, and provides secure computer network applications on that basis.

The Internet has gradually permeated all aspects of human society, and the struggle between network protection and network attack will only intensify, placing higher demands on network security technology. Future network security technology will involve every level of the computer network, but the protection technologies around e-commerce security, such as identity authentication, authorization checks, data security and communication security, will be the focus of the next few years and will have a decisive impact on e-commerce security.

Business transaction security

Applying traditional business methods on the Internet raises many security problems, for example with traditional debit and credit card payment/guarantee schemes and data protection methods, electronic data interchange systems, and day-to-day information security management. Although e-commerce has been in wide use for only a few years, many companies have introduced corresponding software and hardware products. Because e-commerce takes many forms, the security issues involved differ, but the most central and critical issue in Internet e-commerce transactions is the security of the transaction itself. Generally speaking, business security faces the following risks:

Information theft

Because no encryption is applied, data is transmitted in cleartext over the network, and an intruder can intercept it at a gateway or router that the packets pass through. By capturing and analysing traffic repeatedly, the intruder can work out the rules and format of the information and then recover its content, so information transmitted over the network leaks.

Tampering with information

Having learned the format and rules of the information, an intruder modifies the data while it is in transit and then forwards it to the destination by various technical means. This method is not new, and the work can be done on a router or gateway.

Impersonation

Having learned the data format and tampered with the transmitted information, an attacker can pose as a legitimate user to send false information or actively obtain information, which a remote user usually finds hard to distinguish from the genuine article.

Malicious damage

Because the attacker has access to the network, he may modify information on it, obtain confidential information, and even penetrate the network itself, with very serious consequences.

Therefore, secure e-commerce transactions mainly need to guarantee the following four aspects:

Confidentiality of information

Business information in a transaction must be kept confidential. For example, a credit card's account number and user name must not become known to others, so information is generally encrypted when it is transmitted.

Certainty of the trader's identity

The two parties to an online transaction are probably strangers thousands of miles apart. For the transaction to succeed, each must first be able to confirm the other's identity: a merchant has to consider whether the customer is a fraudster, and customers worry that the online shop is a swindle. Being able to confirm the other party's identity conveniently and reliably is therefore a precondition of the transaction.

Non-repudiation

Because business conditions change constantly, once a transaction is concluded it must not be possible to deny it; otherwise the interests of one party will inevitably be harmed. Therefore every step of the communication in an electronic transaction must be non-repudiable.

Non-modifiability

Transaction documents must not be modifiable, otherwise the commercial interests of one party will be damaged. Electronic transaction documents should therefore also be unalterable, to ensure the seriousness and fairness of commercial transactions.
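The threats above (interception, tampering, impersonation) and the integrity requirement in particular can be made concrete with a message authentication code. The following Python is an added example, not part of the original article: it protects a constructed order message with an HMAC over a shared key, then shows that an in-transit change to the amount, or a message produced with a different key, is rejected by the receiver. The key and the order values are constructed for the demo.

```python
"""Detect in-transit tampering of an order message with an HMAC (added example)."""
import hashlib
import hmac
import json

# Constructed shared secret for the demo; a real deployment provisions it out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(order: dict) -> bytes:
    """Serialise deterministically so sender and receiver hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def protect(order: dict, key: bytes = SHARED_KEY) -> bytes:
    """Wire format: <canonical JSON>.<hex HMAC-SHA256 tag>."""
    body = _canonical(order)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def accept(wire: bytes, key: bytes = SHARED_KEY):
    """Return the order if the tag verifies under key, otherwise None."""
    body, sep, tag = wire.rpartition(b".")   # the hex tag never contains '.'
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


def modified_in_transit(wire: bytes, new_amount) -> bytes:
    """Model the tampering the text describes: the cleartext amount is changed
    by an on-path party that does not hold the key, so the old tag is reused."""
    body, _, tag = wire.rpartition(b".")
    order = json.loads(body)
    order["amount"] = new_amount
    return _canonical(order) + b"." + tag


def demo():
    """Outcomes for a genuine message, a tampered one, and a wrong-key one."""
    order = {"item": "book-1234", "amount": 19.99, "card_last4": "0000"}  # constructed
    wire = protect(order)
    return {
        "genuine": accept(wire) == order,
        "tampered": accept(modified_in_transit(wire, 0.01)) is None,
        "wrong_key": accept(protect(order, b"other-key")) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the MAC does and does not give: the order body is still readable in transit, so confidentiality needs encryption on top (SSL/TLS in the article's terms), and because both parties hold the same key an HMAC cannot provide non-repudiation; that needs a digital signature made with a private key only the signer holds.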

Security measures in e-commerce transactions

Early electronic transactions adopted some simple security measures, including:

* Partial orders: the most critical data, such as the credit card number and transaction amount, are omitted from the online transaction and communicated by telephone to prevent leakage.

* Order confirmation: after the transaction information is transmitted online, the transaction is confirmed by e-mail.

There are other methods as well, but all have limitations: they are troublesome to operate and cannot be truly safe and reliable.

In recent years, to meet the security requirements of electronic transactions, the IT and financial industries have introduced many effective standards and technologies for secure transactions.

The main protocol standards are:

* Secure Hypertext Transfer Protocol (S-HTTP): relies on key-pair encryption to secure the transmission of transaction information between websites.

* Secure Sockets Layer protocol (SSL): a secure transaction protocol proposed by Netscape that provides encryption, authentication services and message integrity. Netscape Communicator and Microsoft IE use SSL to complete the required secure transaction operations.

* Secure Transaction Technology (STT): proposed by Microsoft, STT separates authentication from decryption in the browser to improve security control. Microsoft adopted this technology in Internet Explorer.

* Secure Electronic Transaction protocol (SET)

In June 1996, IBM, MasterCard International, Visa International, Microsoft, Netscape, GTE, VeriSign, SAIC and Terisa jointly announced the SET standard. At the end of May 1997, SET specification version 1.0 was released, covering the transaction protocol, information confidentiality, data integrity, data authentication and data signature for credit cards in e-commerce transactions.

SET 2.0 is expected to be released this year and adds some further transaction requirements. This version is backwards compatible, so software conforming to SET 1.0 need not be upgraded unless it needs the new transaction requirements. The main goals of the SET specification are to ensure payment security, establish interoperability of applications, and gain acceptance in the global market.

Among these secure transaction standards, SET has attracted wide attention from all quarters by promoting the use of credit cards to pay for online transactions. It is set to become the industry standard for secure online transaction communication and is expected to further boost the Internet e-commerce market.

The main security technologies are:

Virtual private network

A VPN is a dedicated network for Internet transactions that establishes a secure channel (or tunnel) between two EDI systems. It differs from credit card transactions and customer order transactions in that the two parties to a VPN exchange far more data and know each other well. This means that complex, specialized encryption and authentication technologies can be used, and not all VPNs need be encrypted and authenticated uniformly as long as both parties agree. Existing and emerging data tunnelling systems can further increase the security of a VPN, ensuring the confidentiality and availability of data.

Digital authentication

Digital authentication can electronically prove the identity of the sender and receiver of information, the integrity of documents (for example, that an invoice has not been modified), and even the validity of data media such as recordings and photographs. As encryption technology is applied more and more in e-commerce, people want a trusted third party to digitally authenticate the relevant data.

At present, digital authentication is generally realized with one-way hash functions, which can verify the integrity of the data of both parties to a transaction; Java JDK 1.1 also supports several one-way hash algorithms. In addition, the S/MIME protocol has made great progress and can be integrated into products, so that the e-mail users send can be signed and authenticated. Businesses can also use PGP (Pretty Good Privacy), which allows trusted third parties to control keys. Clearly, digital authentication technology has broad application prospects and will directly affect the development of e-commerce.

Encryption techniques

The most important means of ensuring e-commerce security is to encrypt sensitive information. Private-key (symmetric) ciphers such as 3DES, IDEA, RC4 and RC5 and public-key systems such as RSA, SEEK, PGP and EU can be used to ensure the confidentiality, integrity, authenticity and non-repudiation of e-commerce. However, using these technologies widely is not an easy task.

There is a famous saying in cryptography: encryption technology itself is excellent, but its implementation is often not. Although many encryption standards exist, what people really need is a standard encryption system developed for the enterprise environment. The diversity of encryption technology gives people more choice but also brings a compatibility problem, since different enterprises may adopt different standards. In addition, encryption technology has always been controlled by the state. For example, the National Security Agency (NSA) restricts the export of SSL: businesses in the United States can generally use 128-bit SSL, but the United States only allows the export of algorithms with encryption keys below 40 bits. Although 40-bit SSL has a certain encryption strength, its security is significantly lower than that of 128-bit SSL, and it was recently reported that someone in California successfully cracked 40-bit SSL, which caused widespread concern. Unfortunately, this makes it difficult for countries outside the United States to make full use of SSL in e-commerce. The Shanghai E-commerce Security Certificate Management Center introduced a 128-bit SSL algorithm to fill the domestic gap, and adopted digital signatures and other technologies to ensure the security of e-commerce.
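The 40-bit versus 128-bit discussion above has a modern counterpart: a client should refuse weak protocol versions and cipher suites rather than accept whatever a server offers. The following Python is an added example that goes beyond the article's SSL-era detail and is not code from the original: it builds a hardened TLS client context with the standard library `ssl` module, audits what the context enforces, and contrasts it with a permissive context. It needs no network connection.

```python
"""Build and audit a hardened TLS client context (added example)."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses legacy protocol versions and weak suites."""
    ctx = ssl.create_default_context()           # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True                     # certificate must name the server
    # Forward-secret AEAD suites only; OpenSSL keeps the TLS 1.3 suites as well.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The permissive posture the text warns about: any version, no peer check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = 128) -> list:
    """Names of enabled cipher suites whose key strength is below min_bits."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the policy a context enforces; every value should be True."""
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "no_weak_ciphers": not weak_ciphers(ctx),
    }


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))
    print("legacy:  ", audit(legacy_client_context()))
```

Peer verification and hostname checking are what stop an impersonating server, which is the "pretend to be a legitimate party" threat from the transaction-security section; the minimum version and cipher restrictions are the modern form of refusing the weak 40-bit mode.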

Certification authority (CA)

Secure online payment is the precondition for the smooth development of e-commerce, and the establishment of a security certification center (CA) is its central link. The purpose of establishing a CA is to strengthen the management of digital certificates and keys, enhance mutual trust among all parties to online transactions, improve the security of online shopping and online transactions, and control transaction risks, thereby promoting the development of e-commerce.

To promote e-commerce, the identities of all parties to an online transaction (cardholders, merchants, the payment gateways of acquiring banks, and so on) must first be determined. A digital certificate (DC) represents each identity, and digital certificates are managed by an authoritative and impartial certification authority. Certification authorities are organized hierarchically from the top down: a root certification center (Root CA), brand certification centers (Brand CA), and the certification centers for cardholders, merchants and acquirers (cardholder CA, merchant CA and payment gateway CA).

The basic functions of an e-commerce security certification center (CA) are:

* Generate and store the public and private keys, digital certificates and digital signatures that the security authentication protocols require.

* Verify digital certificates and digital signatures.

* Manage digital certificates, with a focus on certificate revocation management, aiming for automatic (non-manual) management.

* Provide application interfaces, especially a payment interface. Whether a CA has a payment interface is the key to whether it can support e-commerce.

The first generation of CAs was established by SETCO (founded by Visa and MasterCard), based on the SET protocol and serving the hierarchical structure of the B2C e-commerce model.

The development of the B2B e-commerce model requires the CA's payment interface to be compatible with and support both the B2B and B2C modes, which in turn support online shopping, online banking, online trading and supply chain management, and requires transparent, simple and mature (that is, standardized) security authentication protocols. Hence the second-generation CA system, based on a mixed flat and hierarchical public key infrastructure (PKI) structure, came into being.

In recent years PKI technology has matured in theory, in application and in the development of supporting products. International standards bodies such as the Internet Engineering Task Force (IETF), the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU) have approved, issued and implemented a series of security standards based on PKI.

The main standards used by the second-generation security authentication system and payment application interface based on PKI are:

Standards issued by the IETF: LDAP (Lightweight Directory Access Protocol), S/MIME (Secure MIME for e-mail), TLS (Transport Layer Security), CAT (Common Authentication Technology) and GSS-API (Generic Security Service API).

The standard approved by ISO and the ITU is 9594-8/X.509 (the digital certificate format standard).

Summary

E-commerce transactions on the Internet must have confidentiality, integrity, authentication, unforgeability and non-repudiation. Building on the security of its computer network hardware platform and system software platform, a complete e-commerce system should have the following characteristics:

* Strong encryption guarantees

* Identification and authentication of users and data

* Confidentiality of stored and encrypted data

* Reliable online transactions and payments

* Convenient key management

* Data integrity to prevent repudiation

The dual requirements of e-commerce for computer network security and business security make e-commerce security more complex than that of most computer networks, so e-commerce security should be implemented as a security project, not as a single solution.

Security technology in e-commerce

To meet the security requirements of e-commerce, an e-commerce system must use security technology to provide reliable security services for the participants in e-commerce activities. The specific technologies that can be adopted are as follows:

1. Digital signature technology. "Digital signature" is a figurative term for achieving electronic transaction security through cryptography, and it is the main form of electronic signature. It aims to solve several basic problems facing Internet transactions: data confidentiality, data not being tampered with, mutual authentication between traders, and the initiator of a transaction being unable to deny his own data. Among electronic signature methods, the digital signature is the most widely applied, the most technically mature and the most practical in e-commerce and e-government.

It uses standardized procedures and scientific methods to identify the signer and to endorse the content of the electronic data. It can also verify whether the original text of a file has changed during transmission, ensuring the integrity, authenticity and non-repudiation of the transmitted electronic file.
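The certification authority hierarchy described earlier (Root CA, Brand CA, merchant certificates, certificate revocation management) and the digital signature properties described here can be shown in one piece of code. The following Python is an added example, not the article's or any CA's code: it uses textbook RSA over small fixed primes with no padding (educational only, not usable cryptography) to issue a Root CA -> Brand CA -> merchant chain, validate the merchant certificate against a locally held trust anchor, and reject a tampered certificate, a revoked serial number and a chain ending at an untrusted root. All names, serial numbers and key material are constructed.

```python
"""Toy hierarchical CA: issue, chain-validate and revoke certificates (added example).

Textbook RSA with small fixed primes and no padding is used so this runs with the
standard library only; it shows the structure of chain validation, not real crypto.
"""
import hashlib
import json
from math import gcd


def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for textbook RSA from two primes (constructed)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:          # e must be invertible modulo phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    # SHA-256 reduced modulo the toy modulus; real RSA signatures use a padding scheme.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def tbs(cert: dict) -> bytes:
    """Canonical to-be-signed bytes: every field except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()


def issue(issuer: str, issuer_priv, subject: str, subject_pub, serial: int) -> dict:
    cert = {"serial": serial, "subject": subject, "issuer": issuer, "pub": list(subject_pub)}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert


def validate_chain(chain, trusted_roots: dict, revoked: set):
    """chain = [leaf, ..., root]; trusted_roots maps root name -> public key;
    revoked holds (issuer, serial) pairs, i.e. the content of a CRL."""
    for i, cert in enumerate(chain):
        if (cert["issuer"], cert["serial"]) in revoked:
            return False, f"serial {cert['serial']} revoked by {cert['issuer']}"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if cert["issuer"] != issuer["subject"]:
                return False, f"{cert['subject']}: issuer name does not match next cert"
            signer_pub = tuple(issuer["pub"])
        elif cert["subject"] in trusted_roots:
            signer_pub = trusted_roots[cert["subject"]]   # trust anchor, not the cert's own key
        else:
            return False, f"{cert['subject']} is not a trusted root"
        if not verify(signer_pub, tbs(cert), cert["sig"]):
            return False, f"bad signature on {cert['subject']}"
    return True, "ok"


# Constructed key material for the demo hierarchy (known small primes).
ROOT_PUB, ROOT_PRIV = make_keypair(1000000007, 998244353)
BRAND_PUB, BRAND_PRIV = make_keypair(1000000009, 999999937)
ROGUE_PUB, ROGUE_PRIV = make_keypair(2147483647, 4294967291)
MERCHANT_PUB, _ = make_keypair(1000000021, 1000000033)   # merchant private key unused here

ROOT_CERT = issue("Root CA", ROOT_PRIV, "Root CA", ROOT_PUB, 1)
BRAND_CERT = issue("Root CA", ROOT_PRIV, "Brand CA", BRAND_PUB, 2)
MERCHANT_CERT = issue("Brand CA", BRAND_PRIV, "shop.example", MERCHANT_PUB, 3)
TRUSTED = {"Root CA": ROOT_PUB}


def demo():
    """Outcomes of the four checks a payment gateway would perform on a merchant chain."""
    chain = [MERCHANT_CERT, BRAND_CERT, ROOT_CERT]
    good = validate_chain(chain, TRUSTED, set())
    tampered = dict(MERCHANT_CERT, subject="evil.example")      # altered after signing
    bad_sig = validate_chain([tampered, BRAND_CERT, ROOT_CERT], TRUSTED, set())
    revoked = validate_chain(chain, TRUSTED, {("Brand CA", 3)})
    rogue_root = issue("Rogue CA", ROGUE_PRIV, "Rogue CA", ROGUE_PUB, 1)
    rogue_leaf = issue("Rogue CA", ROGUE_PRIV, "shop.example", MERCHANT_PUB, 9)
    untrusted = validate_chain([rogue_leaf, rogue_root], TRUSTED, set())
    return {"good": good, "tampered": bad_sig, "revoked": revoked, "untrusted": untrusted}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The trust anchor is the root public key held locally, not the root certificate's own self-signature, and revocation is checked before any signature: a correctly signed but revoked merchant certificate is still refused, which is why the article lists certificate revocation management as a core CA function.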

2. Firewall technology. A firewall is a recently developed technical measure for protecting computer network security. It is a barrier that prevents hackers on the network from accessing an organization's network, and it can also be seen as a checkpoint that controls two-way communication. A network communication monitoring system is set up at the network boundary to isolate the internal network from the external one and prevent intrusion from outside. At present there are three main types of firewall: packet-filtering firewalls, proxy firewalls and dual-homed host firewalls.
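To make the packet-filtering firewall type concrete, the following Python is an added example (not code from the article): a stateless rule evaluator in which the first matching rule wins and anything unmatched is denied, applied to a small constructed rule set for a storefront, a bastion host and a database. The addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Stateless packet-filter firewall model with default deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"            # CIDR; any source by default
    dst: str = "0.0.0.0/0"            # CIDR or single host; any destination by default
    proto: str = "any"
    dport: Optional[int] = None       # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def decide(p: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; no match means deny (default-deny posture)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "implicit default deny"


# Constructed topology: one web server, one bastion, one admin network.
WEB_SERVER = "192.0.2.10"
BASTION = "192.0.2.20"
ADMIN_NET = "198.51.100.0/24"

RULES = [
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443, comment="public HTTPS storefront"),
    Rule("allow", src=ADMIN_NET, dst=BASTION, proto="tcp", dport=22, comment="admin SSH"),
    # Explicit deny so hits are attributable in audit logs, even though default deny covers it.
    Rule("deny", dst="192.0.2.0/24", proto="tcp", dport=3306, comment="database never exposed"),
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", WEB_SERVER, "tcp", 443),
        Packet("203.0.113.5", BASTION, "tcp", 22),
        Packet("198.51.100.7", BASTION, "tcp", 22),
        Packet("203.0.113.5", "192.0.2.30", "tcp", 3306),
    ]
    for pkt in samples:
        print(pkt, "->", decide(pkt, RULES))
```

Because the filter is stateless it judges each packet on its own; the proxy and dual-homed host types the text names add connection state and application-layer inspection on top of this basic match-and-decide loop.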

3. Intrusion detection systems. An intrusion detection system can monitor and track the systems, events, security records, system logs and data packets in a network, identify any unwanted activity, detect intrusion attacks before the intruder harms the system, and respond through alarm and protection systems.
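As an added example of the log monitoring an intrusion detection system performs (not code from the article), the following Python scans constructed authentication log lines in an assumed format and raises an alert when one source address produces five failures within a one-minute sliding window, plus a second alert if that address then logs in successfully.

```python
"""Log-based detection of login brute force and follow-on success (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample lines in an assumed "<ISO time> auth <FAIL|OK> user=<u> ip=<ip>" format.
SAMPLE_LOG = """
2024-05-01T10:00:01 auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:08 auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:10 auth FAIL user=bob ip=198.51.100.7
2024-05-01T10:00:15 auth FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:22 auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:30 auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:38 auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:45 auth OK user=alice ip=203.0.113.5
2024-05-01T10:01:00 auth OK user=carol ip=192.0.2.9
2024-05-01T10:03:00 auth FAIL user=bob ip=198.51.100.7
2024-05-01T10:06:00 auth FAIL user=bob ip=198.51.100.7
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, str, str]]:
    """Return (ip, alert_kind, iso_time) tuples in the order the alerts fire.

    bruteforce: at least `threshold` failures from one IP inside the sliding window.
    success_after_bruteforce: a successful login from an IP that was already flagged.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # unparseable lines are skipped here; count them in practice
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "FAIL":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:    # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", ts.isoformat()))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce", ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The slow failures from 198.51.100.7 never accumulate inside the window, so they produce no alert; the second alert kind is the one worth acting on first, since a success following a burst of failures is the point at which the text's "detect before the intruder does harm" still applies.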

4. Information encryption technology. The purpose of information encryption is to protect the data, files, passwords and control information within the network and to protect the data transmitted over it. There are three common network encryption methods: link encryption, end-to-end encryption and node encryption. Link encryption protects the information on the links between network nodes; end-to-end encryption protects data from the source user to the destination user; node encryption protects the transmission path between the source node and the destination node. Users can choose among these methods according to their network.

5. Security authentication technology. The main function of security authentication is information authentication, whose purpose is to confirm the identity of the sender and verify the integrity of the information, that is, to confirm that it has not been tampered with during transmission or storage.

6. Anti-virus systems. Viruses are stored, spread and propagated across a network in many ways and at high speed, which is very harmful to a website. Therefore, comprehensive anti-virus products should be used and an anti-virus strategy of "layer-by-layer fortification, centralized control, prevention first, and combining prevention with removal" implemented to build a complete anti-virus system.

Source: Baidu Encyclopedia.

Network security technology can't be explained clearly in one or two sentences.