1. Theft and tampering of transaction information: data transmitted in plain text during online transactions is intercepted and read by an illegal intruder, then tampered with, deleted or added to, which destroys the integrity of the information.
2. Information impersonation: an illegal network attacker commits fraud by impersonating a legitimate user or fabricating false information.
Prevention and improvement measures: measures that strengthen the confidentiality, integrity and non-repudiation of data.
The confidentiality of e-commerce information means that information is not leaked to, or used by, unauthorized users, entities or processes. The integrity of e-commerce information means that data cannot be changed without authorization; in other words, the information remains unchanged, and is neither destroyed nor lost, during storage or transmission. The non-repudiation of e-commerce information means preventing one party to a transaction from denying that it carried out a certain transaction, or from denying that it received the transaction information sent by the other party.
Main security technologies:
1. Encryption technology is the most basic security technology of e-commerce. Under current technical conditions, encryption technology is usually divided into symmetric encryption and asymmetric encryption.
(1) Symmetric key encryption: both parties use the same encryption algorithm and the same key for encryption and decryption. If both parties can ensure that the key is not leaked during the key exchange stage, they can use symmetric encryption to encrypt confidential information and send a message digest (hash value) together with the message, so as to ensure both the confidentiality and the integrity of the message. Secure key exchange is therefore the core step on which the effectiveness of symmetric encryption depends. Commonly used symmetric encryption algorithms include DES, PCR, IDEA, 3DES and so on. Among them, DES is the most commonly used, and is the data encryption standard adopted by the International Organization for Standardization.
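The following is an added example, not part of the original text, of the symmetric scheme just described: both parties hold a shared secret, the sender encrypts the message and attaches a digest, and the receiver checks the digest before trusting the plaintext. The digest is keyed with the shared secret (an HMAC), because an unkeyed hash can be recomputed by anyone who alters the message; the stream cipher built from HMAC-SHA256 is a constructed stand-in for DES/IDEA/3DES so that only the standard library is needed, and the secret and transaction text are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: in the scheme above, both transaction parties
# already hold this key from a secure key exchange.
SHARED_SECRET = b"demo-shared-secret-agreed-out-of-band"

def derive_keys(secret: bytes):
    # Use separate sub-keys for encryption and for the integrity tag.
    k_enc = hmac.new(secret, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(secret, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac

def keystream_xor(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    # Demonstration stream cipher: HMAC-SHA256 used as a PRF in counter mode,
    # standing in for DES/IDEA/3DES so the example needs only the standard library.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(secret: bytes, plaintext: bytes) -> bytes:
    # Encrypt, then compute a keyed digest over nonce and ciphertext.
    k_enc, k_mac = derive_keys(secret)
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(k_enc, nonce, plaintext)
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(secret: bytes, message: bytes):
    # Check the keyed digest first; return None if any byte was altered.
    k_enc, k_mac = derive_keys(secret)
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return keystream_xor(k_enc, nonce, ct)

def demo():
    order = b"PAY 100.00 TO merchant-42"          # constructed transaction message
    sealed = seal(SHARED_SECRET, order)
    intact = unseal(SHARED_SECRET, sealed)
    # An intruder flips one ciphertext bit (ciphertext byte 4, inside "100.00").
    tampered = bytearray(sealed)
    tampered[16 + 4] ^= 0x01
    return intact, unseal(SHARED_SECRET, bytes(tampered))
```

`demo()` returns the original order for the intact message and `None` for the tampered one, so the receiver never acts on an altered amount.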
(2) Asymmetric key encryption: unlike symmetric encryption, asymmetric encryption uses a key pair consisting of a public key and a private key. After the key pair is generated, the public key is made public, while the private key is kept by the publisher of the public key. Any user who obtains the public key can use it to encrypt information and send it to the publisher of the public key, who decrypts it with the corresponding private key. The most commonly used asymmetric encryption algorithm at present is RSA, which has been recommended by the Technical Subcommittee on Data Encryption of the International Organization for Standardization as an asymmetric key data encryption standard.
Of the two methods, symmetric encryption has the advantages of high speed (usually about 10 times faster than asymmetric encryption) and high efficiency, and is widely used to encrypt large volumes of data. Its fatal disadvantage is that the transmission and exchange of keys is itself a security problem, and keys are easily intercepted. Moreover, when communicating with a large number of users it is difficult to manage the large number of keys safely, which limits the wide application of symmetric encryption. The advantage of asymmetric keys is that they solve the problem of symmetric encryption having too many keys to manage at acceptable cost, and there is no need to worry about private keys being leaked in transmission, so the security is better than that of symmetric encryption. The disadvantage of asymmetric encryption is that the algorithms are complex and the encryption speed is not ideal. In practice, e-commerce applications usually combine the two.
2. Identity authentication technology. Encryption alone is not enough to ensure the security of e-commerce transactions; identity authentication technology is another important technical means of securing e-commerce. Identity authentication is realized with digital signature technology, digital certificate technology and so on.
(1) Digital signature technology
Encrypting information only solves the problem of confidentiality during transmission. Other means are needed to prevent others from tampering with or destroying the transmitted information, to ensure the integrity of the information, and to ensure the non-repudiation of the information sender. That means is the digital signature. Digital signature technology is an identity authentication technology. A digital signature on a digitized document is similar to a handwritten signature on paper and cannot be forged. The receiver can verify that the document really comes from the signer and that the document has not been modified after signing, which ensures the authenticity and integrity of the information.
Current digital signatures are based on the public key system and are another application of public key encryption technology. A digital signature has similarities with a signature on a written document. With a digital signature, two points can be confirmed: the information was sent by the signer, and the information has not been modified between the time it was sent and the time it was received. At present there are three main digital signature methods, namely RSA signature, DSS signature and Hash signature. These three can be used separately or together.
(2) Digital certificate technology
In the public-private key system, the private key is known only to the sender of the information and the matching public key is public, which ensures the confidentiality of the transmitted information, but it does not solve how the public key is distributed. A digital signature guarantees that the information was sent by the signer and has not been modified between sending and receiving, but it cannot guarantee the authenticity of the signer's identity. Therefore, a measure is needed to manage the distribution of public keys and to ensure the authenticity of public keys and of the entity identity information associated with them. This measure is the digital certificate. Digital certificates are generally issued by an authoritative, credible and impartial third-party institution, namely a CA. A digital certificate is the key management medium of the public key system: it binds the public key to the entity's identity information and carries the digital signature of the certification authority. Digital certificates are used for the distribution and transmission of public keys in e-commerce, and prove that the identity of an e-commerce entity matches its public key.
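The following is an added example, not part of the original text, that works through both (1) and (2): a Hash-style RSA signature over a document, and a CA-issued certificate binding the signer's identity to the public key, which the receiver checks before trusting that key. It uses textbook RSA with constructed tiny primes (demonstration only; real keys are 2048 bits or more), and the identity `alice@example.com`, the order text and the CA are constructed sample values.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    # Textbook RSA from two primes; the constructed primes used below are tiny
    # (demonstration only; real keys are 2048 bits or more).
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # private exponent (Python 3.8+)
    return (n, e), (n, d)             # public key, private key

def digest_int(data: bytes, n: int) -> int:
    # Hash signature: the signer signs the hash of the document, not the document.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def cert_bytes(identity: str, pub) -> bytes:
    # The content the CA signs: the binding of an identity to a public key.
    return f"{identity}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, identity: str, pub) -> dict:
    return {"identity": identity, "pub": pub,
            "ca_sig": sign(ca_priv, cert_bytes(identity, pub))}

def verify_signed_document(ca_pub, cert: dict, document: bytes, sig: int) -> bool:
    # Step 1: the CA's signature vouches that this public key belongs to this identity.
    if not verify(ca_pub, cert_bytes(cert["identity"], cert["pub"]), cert["ca_sig"]):
        return False
    # Step 2: the certified public key checks the signer and the document's integrity.
    return verify(cert["pub"], document, sig)

def demo():
    ca_pub, ca_priv = make_keypair(1000003, 1000033)
    alice_pub, alice_priv = make_keypair(999983, 1000039)
    alice_cert = issue_cert(ca_priv, "alice@example.com", alice_pub)   # constructed identity
    order = b"ORDER 17: 3 x widget, total 59.97"                        # constructed document
    sig = sign(alice_priv, order)
    genuine = verify_signed_document(ca_pub, alice_cert, order, sig)
    # Tampered document: the same signature no longer verifies.
    altered = verify_signed_document(ca_pub, alice_cert, order.replace(b"59.97", b"5.97"), sig)
    # Impostor: a certificate for Alice's identity not issued by the CA is rejected.
    imp_pub, imp_priv = make_keypair(1000037, 1000081)
    fake_cert = issue_cert(imp_priv, "alice@example.com", imp_pub)
    impostor = verify_signed_document(ca_pub, fake_cert, order, sign(imp_priv, order))
    return genuine, altered, impostor
```

`demo()` returns `(True, False, False)`: the genuine order verifies, the altered order fails the signature check, and the impostor fails at the certificate check before the document signature is even considered.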