1. Confidentiality. As a means of trade, e-commerce information directly represents the commercial secrets of individuals, enterprises or countries. Traditional paper trade is kept secret by mailing sealed letters or sending commercial messages through reliable communication channels. E-commerce is based on a relatively open network environment (the Internet in particular is an open network), and keeping business secrets is an important guarantee for the comprehensive popularization and application of e-commerce. It is therefore necessary to prevent unauthorized access to information and theft of information during transmission. Confidentiality is usually achieved by encrypting the transmitted information.
2. Integrity. E-commerce simplifies the trade process and reduces human intervention, but it also raises the problem of keeping the business information held by all parties to a trade complete and consistent. Unexpected errors or fraud in data entry may cause the parties' information to differ. In addition, information that is lost, repeated or delivered in a different order during transmission will also lead to differences between the parties to the transaction. The integrity of transaction information affects the transactions and business strategy of the trading parties, and maintaining it is the basis of e-commerce applications. It is therefore necessary to prevent the arbitrary generation, modification and deletion of information, to prevent loss and repetition of information during transmission, and to ensure that information is delivered in a consistent order. Integrity can usually be obtained by computing a message digest of the information.
3. Authentication. Because of the particular nature of online e-commerce transaction systems, the transactions of enterprises or individuals are usually carried out in a virtual network environment, so identifying individuals or business entities has become a very important part of e-commerce. The identity of a person or entity is verified to ensure that it is genuine, so that the two parties to a transaction can confirm each other's identity without meeting. This means that when a person or an entity claims to have a specific identity, the authentication service provides a way to verify that claim, which is usually achieved through a certificate authority (CA) and a certificate.
4. Non-repudiation. E-commerce may be directly related to the commercial transactions between two parties. Determining that the party being traded with is the intended party is the key to ensuring the smooth progress of e-commerce. In traditional paper trade, both parties identify their trading partners by writing their signatures or placing their seals on written documents such as trading contracts or trade documents, so as to establish the reliability of those contracts and documents and prevent repudiation. This is what people mean by "in black and white". In the paperless e-commerce mode, traders cannot be identified by handwritten signatures and seals. Therefore, in the process of transmitting transaction information, it is necessary to provide reliable identification for the individuals, enterprises or countries involved in the transaction. Non-repudiation can be obtained by digitally signing the sent message.
5. Validity. Electronic commerce replaces paper with an electronic form, so ensuring the validity of trade information in this electronic form is the premise of developing electronic commerce. As a form of trade, the validity of e-commerce information directly affects the economic interests and reputation of individuals, enterprises or countries. It is therefore necessary to control and prevent potential threats caused by network failures, operational errors, application errors, hardware failures, system software errors and computer viruses, so as to ensure that transaction data is valid at a specific time and place.
Main technologies of e-commerce security
E-commerce security is an upper-layer application of information security and covers a wide range of technologies. These fall mainly into two categories, network security technology and cryptographic technology, and cryptographic technology can in turn be divided into encryption, digital signature and authentication technology.
1. Network security technology
Network security is the basis of e-commerce security, and a complete e-commerce system should be built on a secure network infrastructure. Network security involves many aspects, such as operating system security, firewall technology, virtual private network (VPN) technology, and various anti-hacking and vulnerability detection technologies. The most important one is firewall technology.
A firewall is based on communication technology and information security technology. It is used to build a security barrier between networks, to filter, analyze and audit network data according to a specified policy, and to provide effective protection against various attacks. It is mainly used for Internet access and for secure connections between private and public networks.
At present, the firewall products used in China are provided by some foreign manufacturers, and research and product development of firewall technology in China is relatively weak and started late. Because foreign encryption technology is subject to restriction and protection, the safe and practical network security systems and data encryption software that are urgently needed cannot be obtained in China. Therefore, even excellent foreign firewall products cannot be fully used in the domestic market. At the same time, for political, military and economic reasons, China should develop and adopt its own firewall systems and data encryption software to meet the huge demand of users and the market, which will also play a great role in building China's information security infrastructure.
VPN is also one of the technologies used to ensure network security. It refers to establishing a private network within a public network, with data transmitted across the public network through an established virtual secure channel. Enterprises only need to rent a local data line to access the local public information network, and branches can then transfer information to each other securely. Enterprises can also use the dial-up access equipment of the public information network to let their users dial into the public information network and from there connect to the enterprise network. VPNs offer cost savings, remote access, good scalability, easy management and complete control, and they are the trend of enterprise network development now and in the future.
2. Encryption technology
Encryption technology is an important means of ensuring the security of e-commerce, and many cryptographic algorithms have now become the basis of network security and business information security. An encryption algorithm encrypts sensitive information with a key, and the encrypted data and the key are then sent to the receiver (the key in a secure way). The receiver uses the same algorithm and the transmitted key to decrypt the data, thus obtaining the sensitive information while the confidentiality of the network data is preserved. By using another cryptographic technology called digital signature, the integrity and authenticity of network data can be guaranteed at the same time. The use of cryptographic technology can meet the needs of e-commerce security and ensure the confidentiality, integrity, authenticity and non-repudiation of business transactions.
Cryptography only became popular during the Second World War and is now widely used in network security and e-commerce security, but its origin can be traced back thousands of years. Its basic idea is still in use, with mathematical complexity added to the processing.
Encryption technology includes private key encryption and public key encryption. Private key encryption, also known as symmetric key encryption, means that the sender and receiver of information use one and the same key to encrypt and decrypt data. At present, the commonly used private key encryption algorithms are DES and IDEA. The biggest advantage of symmetric encryption is its fast encryption and decryption speed, which makes it suitable for encrypting large amounts of data, but key management is difficult. Symmetric encryption requires both parties to exchange keys in advance. When there are many users in the system, for example in an online shopping environment, a merchant needs to trade with thousands of shoppers. If plain symmetric key encryption is adopted, the merchant needs to manage thousands of keys to communicate with different parties. Apart from the storage overhead, key management becomes an almost impossible problem. In addition, how do the two parties exchange keys? By traditional means? Through the Internet? Either way runs into the security problem of key transmission. Furthermore, in such an environment the key usually changes frequently, and in the extreme case a different key is used for each transmission, so the key management and distribution of symmetric technology is far from meeting the requirements.
Public key encryption, also known as asymmetric key encryption, uses a pair of keys to perform the encryption and decryption operations respectively. One key is published and is called the public key. The other is kept secret by the user and is called the private key. The sender of information encrypts with the public key, while the receiver decrypts with the private key. The encryption process is guaranteed to be irreversible by mathematical means, that is, information encrypted with the public key can only be decrypted with the private key paired with that public key. Commonly used algorithms are RSA, ElGamal and so on. The public key mechanism is flexible, but its encryption and decryption speed is much slower than that of symmetric key encryption.
In order to make full use of the advantages of public key cryptography and symmetric cryptography, overcome their shortcomings and solve the problem of changing keys for every transmission, a hybrid cryptosystem, the so-called electronic envelope technology, was proposed. The sender automatically generates a symmetric key, encrypts the information to be sent with that symmetric key, and sends the resulting ciphertext together with the symmetric key encrypted with the public key of the receiver. The receiver decrypts the encrypted key with its private key to obtain the symmetric key and uses it to decrypt the ciphertext. This ensures that each transmission can be carried out with a different key selected by the sender, which better ensures the security of data communication.
A hybrid cryptosystem can provide confidentiality and access control at the same time. A symmetric encryption algorithm is used to encrypt the large volume of input data, which provides confidentiality, and a public key is then used to encrypt the symmetric key. If the information is to be made available to multiple recipients, the symmetric key can be encrypted with each recipient's public key, thus providing an access control function.
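The electronic envelope described above, including the per-recipient key wrapping used for access control, as an added example that is not part of the original article. It assumes unpadded textbook RSA, demo keys built from known Mersenne primes, and a SHA-256 counter keystream standing in for the symmetric cipher; all names are hypothetical, and a real deployment would use an authenticated cipher such as AES-GCM and RSA-OAEP from a vetted library.

```python
import hashlib
import secrets

E = 65537  # public exponent

def keypair(p, q):
    """Textbook RSA pair from two primes: ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Constructed demo keys from known Mersenne primes: trivially factorable, NOT secure.
BOB_PUB, BOB_PRIV = keypair(2**127 - 1, 2**521 - 1)
CAROL_PUB, CAROL_PRIV = keypair(2**107 - 1, 2**607 - 1)

def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal(message, recipients):
    """Encrypt once under a fresh session key, then wrap that key per recipient."""
    session_key = secrets.token_bytes(16)  # a new key for every transmission
    nonce = secrets.token_bytes(12)
    k = int.from_bytes(session_key, "big")
    return {
        "nonce": nonce,
        "ciphertext": stream_xor(session_key, nonce, message),
        # Only the holder of the matching private key can recover the session key.
        "wrapped": {name: pow(k, e, n) for name, (n, e) in recipients.items()},
    }

def open_envelope(envelope, name, private_key):
    """Unwrap the session key with the private key, then decrypt the body."""
    if name not in envelope["wrapped"]:
        raise PermissionError(f"{name} is not a recipient of this envelope")
    n, d = private_key
    session_key = pow(envelope["wrapped"][name], d, n).to_bytes(16, "big")
    return stream_xor(session_key, envelope["nonce"], envelope["ciphertext"])

if __name__ == "__main__":
    order = b"constructed sample order: 3 units, ship to Bob and Carol"
    env = seal(order, {"bob": BOB_PUB, "carol": CAROL_PUB})
    print(open_envelope(env, "bob", BOB_PRIV) == order)
    print(open_envelope(env, "carol", CAROL_PRIV) == order)
```

The bulk data is encrypted only once; adding a recipient costs one more wrapped key, not another copy of the ciphertext.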
3. Digital signature
A hash function, also known as a message digest function, is often used for digital signatures. It takes a variable-length input and returns a fixed-length string, which is called the hash value (message digest) of the input.
In daily life, a document is usually signed to ensure its authenticity and validity; the signature binds the signer and prevents later denial, and the document and signature are sent together as the basis for future verification. In a network environment, an electronic digital signature can play the same role, thus providing non-repudiation services for e-commerce.
Combining a hash function with a public key algorithm can not only provide data integrity but also ensure the authenticity of data. Integrity ensures that the transmitted data has not been modified, and authenticity ensures that the hash was generated by the legitimate party and not forged by others. The combination of these two mechanisms produces a so-called digital signature.
Using a mutually agreed hash algorithm, a fixed-length message digest value is calculated from the message. Mathematically speaking, as long as any bit of the message changes, the recalculated message digest will definitely be inconsistent with the original value. This ensures that the message will not be changed. The sender's private key is then used to encrypt the digest value of the message, and the resulting ciphertext and the original message are sent to the receiver. The generated message is called a digital signature.
After receiving the digital signature, the receiver uses the same hash algorithm to calculate the message digest value, and then compares it with the message digest value decrypted by the sender's public key. If they are equal, it means that the message really comes from the sender, because only the information encrypted with the sender's signature private key can be decrypted with the sender's public key, thus ensuring the authenticity of the data.
Compared with handwritten signature, digital signature has the following advantages in security: digital signature is not only related to the signer's private key, but also to the content of the message, so it is impossible to copy the signer's signature from one message to another, and at the same time, it can prevent tampering with the content of the message.
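The sign and verify steps described above, run over a set of received messages, as an added example that is not part of the original article. It assumes SHA-256 as the agreed hash and unpadded textbook RSA with demo keys built from known Mersenne primes; all names and sample messages are constructed, and a real system would use a padded scheme such as RSA-PSS from a vetted library.

```python
import hashlib

E = 65537
# Constructed demo keys from known Mersenne primes: trivially factorable, NOT secure.
ALICE_N = (2**127 - 1) * (2**521 - 1)
ALICE_D = pow(E, -1, (2**127 - 2) * (2**521 - 2))
MALLORY_N = (2**107 - 1) * (2**607 - 1)
MALLORY_D = pow(E, -1, (2**107 - 2) * (2**607 - 2))

def digest(message):
    """Fixed-length SHA-256 message digest, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, n, d):
    """Sender: transform the message digest with the private exponent."""
    return pow(digest(message), d, n)

def verify(message, signature, n, e=E):
    """Receiver: recompute the digest and compare it with the recovered one."""
    return 0 <= signature < n and pow(signature, e, n) == digest(message)

def audit(received, n):
    """Check every (label, message, signature) against one sender's public key."""
    return {label: verify(msg, sig, n) for label, msg, sig in received}

# Constructed sample traffic as seen by the receiver.
ORDER = b"constructed sample: pay 100 to merchant 42"
OTHER = b"constructed sample: pay 5 to merchant 42"
SIG = sign(ORDER, ALICE_N, ALICE_D)
RECEIVED = [
    ("genuine", ORDER, SIG),
    ("tampered amount", ORDER.replace(b"100", b"900"), SIG),
    ("signature copied to another message", OTHER, SIG),
    ("signed with a different private key", ORDER, sign(ORDER, MALLORY_N, MALLORY_D)),
]

if __name__ == "__main__":
    for label, ok in audit(RECEIVED, ALICE_N).items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```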
4. Certification bodies and digital certificates
Both digital signature and public key encryption technology face the problem of public key distribution, that is, how one user's public key can be sent in a safe and reliable way to the other party who needs it. This requires that the system that manages these public keys be trustworthy. In such a system, if Alice wants to send some encrypted data to Bob, Alice needs to know Bob's public key. If Bob wants to verify the digital signature of a document sent by Alice, Bob needs to know Alice's public key.
Security measures in e-commerce include the following categories:
(1) Ensure the authenticity of the identities of both parties to the transaction: The commonly used technology is identity authentication, which relies on a certificate issued by a trusted institution (CA Certification Center) so that the parties can identify each other. The purpose is to ensure the accuracy of identity, establish whether participants' identities are genuine and prevent masquerade attacks.
(2) Ensure the confidentiality of information: To protect information from being leaked or disclosed to unauthorized persons or organizations, the commonly used technologies are data encryption and decryption, whose security depends on the algorithm used and the length of the key. Common encryption methods include symmetric key encryption technology (such as the DES algorithm) and public key encryption technology (such as the RSA algorithm).
(3) Ensure the integrity of information: The commonly used technology is data hashing. A hash algorithm is used to protect data from being created, inserted, deleted, tampered with and replayed by unauthorized users. The typical hash algorithm is one of the one-way hash algorithms developed by the National Security Agency.
(4) Ensure the authenticity of information: The common processing method is digital signature technology. The purpose is to resolve possible fraud between the two communicating parties, such as the sender denying information he sent or the receiver denying information he received. It is aimed at such disputes rather than at unknown attackers, and it is based on public key encryption technology. At present, there are many available digital signature algorithms, such as the RSA digital signature and the ElGamal digital signature.
(5) Ensure the non-repudiation of information: It is usually necessary to introduce a certification center (CA) for management. The CA issues the key, and a copy of the transmitted file and its signature is sent to the CA for preservation as the basis for arbitration in possible disputes.
(6) Ensure the security of stored information: Standardize internal management, use access control and logging, and encrypt sensitive information in storage. When using a WWW server to support e-commerce activities, attention should be paid to data backup and recovery, and firewall technology should be adopted to protect the security of the internal network.