Because the important technical feature of e-commerce is to use the network to transmit and process business information, e-commerce security mainly includes two aspects: network security and business security. The realization of these security depends on some specific security technologies and follows relevant security protocols.
1 Network security issues
Network security mainly refers to the possible security problems of computers and networks themselves. That is to ensure the availability and security of e-commerce platform. Network security is the basis of e-commerce, and its problems are generally as follows:
1.1 Network security problems caused by potential security risks of the computer itself
The computer uses an operating system that has not been configured with relevant network security. No matter what operating system, there will be some security problems under the default installation conditions, but only after the operating system is installed by default, The idea of security with a long password is unreliable. Because the software vulnerabilities and "back doors" in the computer itself are often the first choice targets of cyber attacks.
1.2 The risk of intruders is reduced, and the stimulation caused by rising profits causes network security problems
Because of the global, open and enjoyable development of the network, anyone can freely access the Internet, including hackers. Intruders and virus makers. They use more and more attack methods, and the threat to e-commerce is becoming more and more obvious. Relatively speaking, the risk of attackers themselves is very small, and they can even disappear without a trace after the attack, making it almost impossible for the other party to retaliate. This makes their activities even more rampant. The attacks on "Yahoo" and "Amazon" in the United States illustrate this point.
1.3 Network security problems caused by improper use of security equipment
Although most websites use network security equipment, some even spend a lot of money, but due to the security equipment itself or use problems, These devices have not played their due or expected role. Many security vendors' products require high technical background of configuration personnel, which often exceeds the technical requirements of ordinary network management personnel. Even if the manufacturers initially installed and configured the users correctly, once the system changes, they need to change the settings of related security equipment, which is easy to cause many security problems. However, network managers in the usual sense are often not competent for such work.
Therefore, when implementing network security precautions, we should do the following: first, strengthen. Install security patches in time to reduce vulnerabilities; Install anti-virus software and software firewall to strengthen the overall anti-virus measures of intranet; Use all kinds of system vulnerability detection software to scan and analyze the network system regularly, find out the possible security risks and fix them in time; Establish perfect access control measures from router to user, install firewall and strengthen authorization management and authentication; Strengthen data backup and recovery measures by using corresponding data storage technology; Necessary physical or logical isolation measures should be established for sensitive equipment and data; Sensitive information transmitted on the public network should be encrypted with a certain intensity; Establish a detailed security audit log to detect and track intrusion attacks. At the same time, make full use of the published laws and regulations on transaction security and computer security to escort e-commerce transactions. Moreover, facing the technical level of ordinary network administrators, joint development and maintenance can be adopted in the construction and maintenance of the network, and the technical level of their own team can be continuously improved and improved through the early construction and maintenance. It is also necessary for network managers to attach great importance to security issues ideologically. Generally, the generation of technology lags behind people's needs, and the establishment and implementation of strict and perfect network security systems and strategies can often replace technologies that are temporarily impossible to achieve. After all, this is the basis for truly realizing network security.
An all-round computer network security architecture usually includes network physical security, access control security, system security, user security, information encryption, secure transmission and management security. The realization of all this depends on various advanced host security technologies, identity authentication technologies, access control technologies, cryptography technologies, firewall technologies, security auditing technologies, security management technologies and system vulnerability detection technologies. Hacker tracking technology. With the application of more and more sophisticated security technologies such as security core system, VPN security tunnel, identity authentication, network underlying data encryption and network intrusion active monitoring, the overall security of computer network has been strengthened from different levels, and a number of strict security lines have been gradually established between attackers and protected resources, which has increased the difficulty of malicious intrusion.
In order to ensure the smooth progress of e-commerce activities, There must be a safe and perfect network system to provide it with stable, reliable and strong support.
2 Business security issues
Business security refers to the security issues reflected in business transactions in the network media, that is, to achieve the confidentiality, integrity, authenticity and non-repudiation of e-commerce information.
In early electronic transactions, Some simple security measures have been adopted. For example, the most critical data in online transactions, such as credit card number and transaction amount, are told by telephone to prevent leakage, and the transaction is confirmed by other means after online transactions to ensure its authenticity and non-repudiation. These methods are not only inconvenient to operate, but also have certain limitations. It can't achieve its real security.
2.1 Several security risks that are common in business security
2.1.1 Stealing information
The information is transmitted in plaintext or near plaintext on the network because the corresponding encryption measures are not adopted or the encryption intensity is not enough. Intruders intercept the information being transmitted on the equipment or line where the data packet passes. By analyzing and comparing the parameters of the stolen data, Find out the format and rules of information, and then get the content of the transmitted information, which leads to the leakage of consumer information, account passwords and business secrets.
2.1.2 Tampering with information
When the intruders master the format and rules of information, they intercept and modify the information in network transmission through various technical methods and means and then send it to the original designated destination, thus destroying the authenticity of the information. By changing the order of information flow, Changing the content of the information, deleting some parts of the information, or even inserting some additional contents into the information, makes the receiver make wrong judgments and decisions.
2.1.3 Information counterfeiting
Because the attacker has mastered the data format and can tamper with the passed information, he can further impersonate a legitimate user to obtain and send the information, which is usually difficult for the remote receiver or sender to distinguish. Common methods include forging the order documents of users and merchants. Obtaining or modifying the permission to use related programs, etc.
2.1.4 Information destruction
Because the attacker has invaded the network, he has obtained the permission to modify the information in the network, such as modifying or even deleting the existing confidential information in the network. The consequences are very serious.
2.2 Requirements for business security
2.2.1 Confidentiality of information
Business information in transactions must follow certain confidentiality rules, because its information often represents the country. Business secrets of enterprises and individuals. In the past, traditional paper trade used mail packaging or reliable communication channels to transmit business information to achieve the purpose and requirements of confidentiality. However, e-commerce was built on a relatively open internet environment, and the network itself it relied on won e-commerce because of the market formed by open interconnection. Therefore, in this new supporting environment, It is necessary to use corresponding technologies and means to continue and improve the confidentiality of information. Generally, password technology is used to achieve it.
2.2.2 Integrity of information
It is undeniable that the emergence of e-commerce has replaced most of people's complicated labor with computers, and also integrated and simplified all links in enterprise trade in the form of information systems. However, the opening of the network and the automation of information processing have also made it possible to maintain the integrity of commercial information of all trading parties. There is a problem with unification. Due to unexpected errors in data input (such as computer crash and power failure during automatic processing, etc.), the information of all trading parties may be inconsistent. In addition, man-made or natural information loss (such as data packet loss) during data transmission, Information duplication or difference in the order of information transmission (such as network congestion and retransmission) It will also lead to different information of trading parties, and the integrity of all kinds of information of trading parties will inevitably affect the trading and business strategies in the course of trading. Therefore, maintaining the integrity of information of trading parties is an essential foundation for e-commerce applications. Integrity can generally be obtained by extracting the abstract of information messages.
2.2.3 Non-repudiation of information < P > There will be a phenomenon of transaction repudiation in trading. If the sender of the message denies having sent the message after the sending operation is completed, or on the contrary, the receiver does not admit having received the message after receiving the message. Therefore, how to determine that the transaction information received by any party in the transaction is sent by his partner and the other party itself has not been counterfeited, It is the guarantee for the harmonious and smooth progress of e-commerce activities. The guarantee of information can be obtained by digitally signing the sent message. The identification of identity is generally achieved by the method of certificate authority CA and certificate. It is not easy for two parties who have never met before and are thousands of miles apart to become partners.
Of course, there are still many requirements in e-commerce activities, such as the limitation of transaction information. It is believed that various technologies and laws and regulations will emerge in the development of e-commerce to standardize people's needs and help them realize, so as to ensure the seriousness and fairness of e-commerce transactions.
3 Security technologies of e-commerce
3.1 Encryption technology
Encryption technology is an important means to ensure the security of e-commerce. In order to ensure the security of e-commerce, encryption technology is used to encrypt sensitive information and ensure the confidentiality, integrity, authenticity and non-repudiation service of e-commerce.
3.1.1 Status quo of encryption technology
Like many IT technologies, encryption technologies emerge one after another, providing people with many choices, but at the same time it also brings a problem-compatibility, and different enterprises may adopt different standards. < p Encryption technology has always been controlled by the state. For example, the export of SSL is restricted by the National Security Agency (NSA). At present, enterprises in the United States can generally use 128-bit SSL, but the United States only allows the export of algorithms with encryption keys below 4 bits. Although 4-bit SSL also has certain encryption strength, However, its security factor is obviously much lower than that of 128-bit SSL. It is a pity that it is difficult for countries outside the United States to make full use of SSL in e-commerce. At present, the 128-bit SSL algorithm introduced by Shanghai E-commerce Security Certificate Management Center in China has made up for this vacancy in China. It also brings broad prospects for China's e-commerce security.
3.1.2 Common encryption technology
Symmetric key cryptography: Symmetric cryptography is developed from traditional simple transposition instead of passwords, and encryption modes can be divided into two categories: sequential cryptography and block cryptography.
Asymmetric encryption algorithm: also known as public key cryptography, is characterized by having two keys, namely public key and private key. The two must be used in pairs to complete the whole process of encryption and decryption. This technology is especially suitable for data encryption in distributed systems, and is widely used in networks. The public key is made public, which is used for data encryption by the data source, while the corresponding private key used for decryption is kept by the receiver of the data.
Irreversible encryption algorithm: It is characterized in that the encryption process does not need a key, and the encrypted data cannot be decrypted. Only when the same data is input and compared by the same irreversible encryption algorithm can the same encrypted data be obtained. Because it has no key, there is no problem of key storage and distribution, but because of its heavy encryption calculation workload, it is usually only in the case of limited data. For example, the encryption of password information in computer system.
3.1.3 Encryption technology commonly used in e-commerce field
Digital Abstraction: also known as secure Hash coding method. This coding method uses one-way Hash function to "abstract" plaintext to be encrypted into a string of 128-bit ciphertext, which is also known as digital fingerprint and has a fixed length, and the ciphertext results of different plaintext abstracts are different. But the same plaintext keeps the same abstract.
Digital signature: Digital signature is a combination of digital digest and public key algorithm. Its main way is that the sender of the message generates a 128-bit hash value (or message digest) from the message text. The sender encrypts this hash value with his own private key to form the sender's digital signature. Then this digital signature will be sent to the receiver of the message together with the message as an attachment. The receiver of the message first calculates the 128-bit hash value (or message digest) from the received original message, and then decrypts the digital signature attached to the message with the public key of the sender. If the two hash values are the same, Then the receiver can confirm that the digital signature is the sender. The authentication and non-repudiation of the original message can be realized through the digital signature, which effectively prevents the denial of the signature and the impersonation of the improper signer.
Digital timestamp is a security measure taken for the time information of the transaction file. The online security service project is provided by a special organization. Timestamp is an encrypted voucher document, which includes: the abstract of the file to be stamped, The date and time when the file was received by the digital time stamp service, and the digital signature of the digital time stamp service.
Digital certificate: A digital certificate, also known as a digital certificate, is used to confirm a user's identity and access rights to network resources by electronic means, mainly including personal certificate, enterprise (server) certificate, There are three kinds of software (developer) credentials.
3.2 Identity authentication technology
On the network, the identification information (such as name, ID number, etc.) of the applicant user is tied together with his public key through an authoritative and impartial third-party organization-the authentication center, which is used to verify and determine his user identity on the network. The aforementioned digital timestamp service and the issuance of digital certificates, It is also completed by this authentication center.
3.3 Payment Gateway Technology < P > Payment Gateway is usually located between the public network and the traditional banking network (or between the terminal and the charging system). Its main functions are: to decrypt the data packets from the public network and repackage the data according to the communication protocol within the banking system; Receive the response message from the inside of the banking system, convert the data into the data format transmitted by the public network and encrypt it. The payment gateway technology mainly completes the functions of communication, protocol conversion and data encryption and decryption, and can