An important technical feature of e-commerce is the use of computer technology to transmit and process business information. Therefore, the countermeasures for e-commerce security issues can be divided into two parts: computer network security measures and business transaction security measures.
1. Computer network security measures
Computer network security measures mainly include three aspects: protecting network security, protecting application service security, and protecting system security. Each aspect must consider physical security, firewalls, information security, Web security, media security, etc.
(1) Protect network security.
Network security is to protect the security of the communication process between network-side systems of business parties. Ensuring confidentiality, integrity, authentication and access control are important factors in network security. The main measures to protect network security are as follows:
(1) Comprehensively plan the security strategy of the network platform.
(2) Develop network security management measures.
(3) Use a firewall.
(4) Record all activities on the network as much as possible.
(5) Pay attention to the physical protection of network equipment.
(6) Test the vulnerability of the network platform system.
(7) Establish a reliable identification and identification mechanism.
(2) Protect application security.
Protecting application security is mainly a security protection measure established for specific applications (such as web servers and online payment software systems). It is independent of any other security protection measures on the network. Although some protective measures may be a substitute or overlap of network security services, such as the encryption of network payment and settlement information packets by web browsers and web servers at the application layer, which are encrypted through the IP layer, many applications also have their own specific Security requirements.
Since the application layer in e-commerce has the most stringent and complex security requirements, it is more likely to adopt various security measures at the application layer rather than at the network layer.
Although security at the network layer still has its specific place, people cannot rely entirely on it to solve the security of e-commerce applications. Security services at the application layer can involve the security of applications such as authentication, access control, confidentiality, data integrity, non-repudiation, Web security, EDI and network payment.
(3) Protect system security.
Protecting system security refers to security protection from the perspective of the overall e-commerce system or online payment system. It is interrelated with the network system hardware platform, operating system, various application software, etc. System security involving online payment and settlement includes the following measures:
(1) Check and confirm unknown security vulnerabilities in installed software, such as browser software, electronic wallet software, payment gateway software, etc. .
(2) The combination of technology and management ensures that the system has minimal penetration risk. Connection is allowed only after passing multiple authentications, all access data must be audited, and system users must be strictly security managed.
(3) Establish detailed security audit logs to detect and track intrusion attacks, etc.
2. Business transaction security measures
Business transaction security closely focuses on various security issues that arise when traditional commerce is applied on the Internet. On the basis of computer network security, how to ensure the smooth progress of the e-commerce process.
Various business transaction security services are implemented through security technology, mainly including encryption technology, authentication technology and e-commerce security protocols.
(1) Encryption technology.
Encryption technology is a basic security measure adopted in e-commerce. Both parties to the transaction can use it during the information exchange stage as needed. Encryption technology is divided into two categories, namely symmetric encryption and asymmetric encryption.
(1) Symmetric encryption.
Symmetric encryption is also called private key encryption, that is, the sender and receiver of information use the same key to encrypt and decrypt data. Its biggest advantage is that it has fast encryption/decryption speed and is suitable for encrypting large amounts of data, but key management is difficult. Confidentiality and message integrity can be achieved by encrypting confidential information and sending a message digest or message hash with the message if the communicating parties can ensure that the private key has not been compromised during the key exchange phase. value to achieve.
(2) Asymmetric encryption.
Asymmetric encryption, also known as public key encryption, uses a pair of keys to complete encryption and decryption operations respectively. One of them is published publicly (i.e., the public key), and the other is kept secretly by the user (i.e., the private key). ). The process of information exchange is: Party A generates a pair of keys and discloses one of them as a public key to other trading parties. Party B, who obtains the public key, uses the key to encrypt the information and then sends it to Party A. The party then uses its own private key to decrypt the encrypted information.
(2) Authentication technology.
Authentication technology is a technology that uses electronic means to prove the identity of the sender and receiver and the integrity of their files, that is, to confirm that the identity information of both parties has not been tampered with during transmission or storage.
(1) Digital signature.
Digital signatures, also called electronic signatures, can authenticate, approve and validate electronic documents just like presenting a handwritten signature.
The implementation method is to combine the hash function and the public key algorithm. The sender generates a hash value from the message text and encrypts the hash value with its own private key to form the sender's digital signature; then , send this digital signature as an attachment to the message together with the message to the recipient of the message; the recipient of the message first calculates the hash value from the original message received, and then uses the sender’s public secret key to decrypt the digital signature attached to the message; if the two hash values ??are the same, the receiver can confirm that the digital signature belongs to the sender. The digital signature mechanism provides an identification method to solve problems such as forgery, denial, impersonation, and tampering.
(2) Digital certificate.
A digital certificate is a file containing public key owner information and a public key digitally signed by a certificate authority. The main components of a digital certificate include a user public key, plus the user identity of the key owner. Identifier, and trusted third-party signature The third party is generally a certificate authority (CA) trusted by users, such as government departments and financial institutions. The user submits his public key to a public key certificate authority in a secure manner and obtains a certificate, and then the user can make the certificate public. Anyone who needs the user's public key can obtain this certificate and verify the validity of the public key through the associated trust signature. Digital certificates provide a way to verify the identity of each party through a series of data that marks the identity information of the parties to the transaction. Users can use it to identify the identity of the other party.
(3) Security protocols for e-commerce.
In addition to the various security technologies mentioned above, there is also a complete set of security protocols for the operation of e-commerce. More mature protocols include SET, SSL, etc.
(1) Secure Socket Layer Protocol SSL.
The SSL protocol is located between the transport layer and the application layer and consists of the SSL record protocol, the SSL handshake protocol and the SSL alert protocol. The SSL handshake protocol is used to establish a security mechanism before the client and server actually transmit application layer data. When the client and the server communicate for the first time, the two parties reach an agreement on the version number, key exchange algorithm, data encryption algorithm and Hash algorithm through the handshake protocol, then verify each other's identity, and finally use the negotiated key exchange algorithm to generate a Only the two parties know the secret information. The client and the server each generate data encryption algorithm and Hash algorithm parameters based on this secret information. The SSL record protocol encrypts, compresses, and calculates the message authentication code MAC based on the parameters negotiated by the SSL handshake protocol, and then sends it to the other party through the network transport layer. The SSL alert protocol is used to communicate SSL error messages between clients and servers.
(2) Secure electronic transaction protocol SET.
The SET protocol is used to divide and define the rights and obligations between consumers, online merchants, banks and credit card organizations in e-commerce activities, and provides transaction information transmission process standards. SET mainly consists of three files, namely SET business description, SET programmer's guide and SET protocol description. The SET protocol ensures the confidentiality of the e-commerce system, data integrity, and identity legitimacy.
The SET protocol is specially designed for e-commerce systems. It is located at the application layer, and its certification system is very complete and can achieve multi-party certification. In SET's implementation, consumer account information is kept confidential from the merchant. However, the SET protocol is very complex. Transaction data requires multiple verifications, multiple keys, and multiple encryption and decryption. Moreover, in the SET protocol, in addition to consumers and merchants, there are also other participants such as card issuers, acquirers, certification centers, and payment gateways.