Post on 15-Jan-2016


National Research Council Canada / Conseil national de recherches Canada

Institute for Information Technology / Institut de technologie de l'information

Canada

E-Commerce: Hype, Hope… Help Needed

Larry Korba, National Research Council of Canada

Larry.Korba@iit.nrc.ca
http://www.iit.nrc.ca

Definition and Caveats

Definition:
• Electronic Commerce - the secure exchange of goods, services and information electronically (Forrester Research)

Caveats:
• Not an E-Commerce “Course”
• Research Perspective
• Highlights

Outline

E-Commerce Today

Future of E-Commerce
• Now… Near Future

Selected Challenges
• Only a Few!
• SET, Business-to-Business, Agent-Based E-Commerce, E-Commerce Anywhere, IP Protection, PKI

Conclusions

E-Commerce Today…

Big Money Assumption, “Hi Tech”

Other Attractive Internet Words: Java, Agents, Security!

EC Today: Why is it so hot?

Business-to-Consumer
• Internet Hype
• Lower Costs
• Market Expansion?

Business-to-Business
• Now and in Future
• Growth

EC Today: Why Hot: Lower Telecommunication Costs

[Chart: Cost of a 3 Minute Phone Call From New York to London, 1930 to 2000; vertical axis 0 to 300]

EC Today: Why Hot: Internet Growth

Extraordinary Growth in Internet Access

[Chart: adoption of Radio, TV, PC and Web, 1950 to 2000; vertical axis 0 to 120]

EC Today: Why Hot? B-C, B-B Growth

[Chart: Business to Business vs Business to Consumer, 1997 to 2000; vertical axis 0 to 180]

EC Today: Challenges

It Works Quite Well, But…

Many “Standards”, Products

Threats
• Common Threats
• Threats to Buyers
• Threats to Sellers
• Threats to Financial Institutions

EC Today: “Standards”, Products

SSL <=> SET

Many products to choose from
• Credit Card Transaction Providers
• Commerce Servers: IBM, Microsoft, Inex, Bestware, MANY MORE
• Middleware: Shareware, Cold Fusion…
• Databases: SQL, DB2, Oracle, Access…
• Web Portals
• Consultants

EC Today: Common Threats

• Insider Fraud
• Software Security Holes
  – All O/S & Applications
  – Good Security Hard to Build
  – Software Complexity
  – Security as an Add-On
• Installation/Set Up Errors
• Shopping Cart Exposure

EC Today: Threats to Buyers

• Hijacking, Spoofing
• Denial of Service
• Loss of Privacy
• Fraudulent Credit Card Use

EC Today: Threats to Sellers

• Fake Order Flood
• Site Impersonation
• Site Alteration
• Denial of Service

EC Today: Threats to Financial Institutions, Transaction Providers

• Any Kind of Loss
  – $: Credit Card Fraud
  – Information
  – Service Obstruction

Future Challenges of E-Commerce: What is happening in Research

Standardization

Trust

Business-to-Business

Agent-Based E-Commerce
• Automation
• Learning

Copyright Protection
• Electronic Distribution

E-Commerce Anywhere

Future Challenges: Research

Research Competition

Words to get Funding (or to get Published):
• Electronic Commerce
• Security
• Agent
• Java
• Ontology...

Standardization

Many Acronyms…

Development Times, Costs, Interoperability

[Acronym cloud: OMG/CBO, X.509, XML/EDI, OBI, OTP, OFX, CIP, PKI, RSA, PKIX, OPS, SET, SSL, IMS, ECML, ICE]

Trust and Electronic Commerce

Biometry
• Many Technologies

Determining trustworthiness of Transaction Participants
• e.g. Auction Sites

Research
• Distributed Trust
  – Web Browsers, Agents
• Models for Trust, Formalisms
• E-Commerce and Group work applications

Biometry…

Technologies
• Iris, Face, Fingerprint, Hand Geometry, Typing, Handwriting, Voice

Must work well
• No False Positives: I Got IN!!! (an impostor is accepted)
• No False Negatives: Let Me IN! (a legitimate user is rejected)

Must NOT Lose Biometric Data!
• Irreplaceable…
• Once stolen, gives access to the store…
• Single Sign On for Everything...
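The two failure modes on this slide are not independent: both are set by the matcher's acceptance threshold, and lowering one raises the other. The Python below is an added illustration, not part of the original slides. It sweeps the threshold over constructed similarity scores (not measurements from any product), computes the false accept rate (an impostor gets in) and the false reject rate (a legitimate user is locked out), finds the equal error rate, and shows the threshold a deployment must choose once it fixes the false accept rate it can tolerate.

```python
"""Threshold trade-off of a biometric matcher: false accepts vs false rejects.

Added illustration, not from the original slides. The matcher is assumed to
return a similarity score in 0..100 and the verifier to accept when
score >= threshold. Both score lists are constructed for the demonstration.
"""

# Constructed scores. Genuine = the enrolled person, impostor = someone else.
GENUINE_SCORES = [92, 88, 85, 95, 79, 90, 83, 97, 74, 87,
                  91, 68, 84, 89, 93, 86, 77, 96, 81, 90]
IMPOSTOR_SCORES = [31, 45, 22, 58, 40, 35, 63, 27, 49, 38,
                   71, 30, 44, 52, 36, 60, 29, 47, 33, 75]


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False accept rate: fraction of impostors whose score clears the threshold ("I got in")."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False reject rate: fraction of genuine users below the threshold ("let me in")."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def equal_error_rate(genuine_scores=GENUINE_SCORES, impostor_scores=IMPOSTOR_SCORES):
    """Sweep all thresholds; return (threshold, far, frr) where |FAR - FRR| is smallest."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor_scores), frr(t, genuine_scores)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def threshold_for_far(max_far, impostor_scores=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR does not exceed max_far.

    A store fixes the impostor rate it can live with first; the FRR at that
    threshold is then the cost imposed on its legitimate customers.
    """
    for t in range(0, 101):
        if far(t, impostor_scores) <= max_far:
            return t
    return 101  # no threshold meets the target with these scores


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t in range(60, 81, 4):
        print(f"{t:9d}  {far(t):.2f}  {frr(t):.2f}")
    print("EER point:", equal_error_rate())
    t_zero = threshold_for_far(0.0)
    print("zero false accepts needs threshold", t_zero, "at FRR", frr(t_zero))
```

With these constructed scores the equal error rate sits at threshold 72 (5% each way), and driving false accepts to zero pushes the threshold to 76, where one genuine user in ten is turned away. That residual FRR is why the slide's "Must work well" is two demands, not one.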

SET

Many different proprietary electronic transaction Third Party Solutions

SET: The Answer to Strife in the World!
• Open Standard
• Eliminates Card-Not-Present Fraud
  – Visa/MasterCard like that!
• Provides Non-Repudiation in Transactions
• No Middleman

SET: Challenges

Complicated Protocol = Slow Response
• 3000 Line ASN.1
• 28 Stage Transaction Process
• 6 RSA Encryption Steps (Slow)

Four Part Model
• Interoperability

Constant Evolution
• Standard Fragmentation?

SET <=> Credit Card-Based

Other Possibilities: XML/EDI, Smart SET

Public Key Infrastructure

Cornerstone for Network Security Technology

Issues/Revokes Certificates

Cross Certify Organizations

Generate Certificates for authorized users

Enable SET for EC and other applications

[Diagram: PKI components. Server components: Certificate Authority, Registration Authority, Local Registration Authority, Key Recovery Authority, Timestamping Authority, Notarization Authority, Card Issuing System, Directory System. Administration components. Client: PKI User Agent.]

PKI: Challenges

Non-Trivial to set up
• Cross-Certification
• A lot like Beta Testing Software!

Interoperability Issues
• X.509 v3 Extensions

Network Overhead

Costs
• Infrastructure is one thing, you need to buy the applications

Dealing with Multiple Certificates

Business-to-Business

Factors
• Just-In-Time Delivery Requirement
  – Reduce Inventory, Cycle Times
  – Reduced Costs
• International Trade (Globalization, Deregulation)
• Move to Automated Transactions

Business-to-Business: Challenges

Developing Trust
• With New Partners
• Contract Protocols: Formal, Creative

Low-Cost, Secure Large Transactions

Sharing Minimum Required Operational Information

[Diagram: Company A, Company B, Company C?]

Agent-Based E-commerce

[Diagram: Bargain Finder, Negotiator, User Interface; Mobile Agents? Agent A, Agent B]

Agent-Based E-commerce: Challenges

Trust
• Agent Code
• Agent Environment

Confidentiality/Integrity
• Customer/vendor Information

Standards
• Agent Communication
• Agent Environments
• APIs

Intellectual Property Protection

Electronically Transferable IP

Network Distribution:
• Lower Cost
• Potential Risks

Potential for New Forms of Licensing

IP Protection: Challenges

It’s Hard to Protect IP
• Text
• Graphics
• E-Books
• Software
• 3D Models

Different Restrictions
• Trade
• Exclusivity
• Usage

IP Protection: Examples

Software Protection
• Software Copying/Cracking is Epidemic
• Hardware (Dongles), Software
• Flexible Electronic Licensing Needed

Recording Industry
• Analog Copying is Easy
• Audio CD copying
• MP3 Distribution

E-Commerce Anywhere

Wireless Access
• Investors
• Business Operators
• Service Centres

Convenience

Demand

E-Commerce Anywhere: Challenges

V-Commerce
• Tedious
• Secure? False Negatives

Eavesdropping?
• Electronic
• Human

Replay?

SSL/SET over voice/pager?

Wireless LANs
• Coverage, Implementation [range diagram, 0 to 100 m]
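The "Eavesdropping?" and "Replay?" questions have a standard application-layer answer for the transaction itself, whatever link carries it: authenticate each request with a MAC keyed on a secret the wallet shares with the merchant, and bind a timestamp and a fresh nonce into the MAC so a captured request cannot be resubmitted or altered. The Python below is an added example, not code from the slides; the field names, the 60-second window and the shared key are assumptions. A MAC gives integrity and replay detection only: an eavesdropper on a pager or voice channel still reads every field, which is the confidentiality gap behind the slide's "SSL/SET over voice/pager?".

```python
"""Replay and tamper checks for a transaction sent over an untrusted link.

Added illustration, not code from the original slides. Message layout,
field names, window size and the shared key are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time


class RequestRejected(Exception):
    pass


def _canonical(msg):
    """Serialise every field except the MAC in a fixed order so both sides MAC the same bytes."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, msg):
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


def build_request(key, fields, now=None):
    """Client side: attach a timestamp, a fresh nonce and an HMAC over everything."""
    msg = dict(fields)
    msg["ts"] = int(time.time() if now is None else now)
    msg["nonce"] = secrets.token_hex(8)
    msg["mac"] = _mac(key, msg)
    return msg


class Verifier:
    """Server side: reject forged, altered, stale and replayed requests, in that order."""

    def __init__(self, key, window=60):
        self.key = key
        self.window = window  # seconds of clock skew plus delivery delay tolerated
        self.seen = {}        # nonce -> ts; trimmed to the window so it stays bounded

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(_mac(self.key, msg), str(msg.get("mac", ""))):
            raise RequestRejected("bad MAC")           # forged or altered in transit
        if abs(now - msg["ts"]) > self.window:
            raise RequestRejected("stale timestamp")   # old capture, outside the window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            raise RequestRejected("replayed nonce")    # same request seen inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return True


def demo():
    key = b"shared secret provisioned into the wallet"  # constructed
    verifier = Verifier(key, window=60)
    t0 = 1_000_000
    order = build_request(key, {"order": "1 widget", "amount": "9.99"}, now=t0)
    results = {"first": verifier.accept(order, now=t0 + 1)}
    attempts = [
        ("replay", order, t0 + 2),                                        # captured, resent as-is
        ("tampered", {**order, "amount": "0.99"}, t0 + 3),                # price changed in transit
        ("stale", build_request(key, {"order": "1 widget"}, now=t0 - 600), t0),  # old capture
    ]
    for name, msg, at in attempts:
        try:
            verifier.accept(msg, now=at)
            results[name] = "accepted"
        except RequestRejected as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified first so that the nonce cache only ever fills with authenticated requests, and the timestamp window is what lets the cache forget old nonces without reopening a replay hole.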

Wireless LAN Implementation

IEEE 802.11 Symmetric Key Available For View!
• In Network Dialog Box for Client
• Or Via SNMP from Access Point
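What a readable shared key costs. WEP in IEEE 802.11 encrypts each frame with RC4 keyed on a 24-bit IV concatenated with the shared key (40 bits in the original standard) and appends a CRC-32 integrity value; every station uses the same key. The Python below is an added example with a constructed key and constructed frames, not code from the slides. It shows that anyone who copied the key from the client's dialog box or read it over SNMP decrypts every station's traffic, and that even without the key, two frames sent under the same IV share a keystream and leak each other's contents once one of them is known.

```python
"""What a shared 802.11 WEP key lets an eavesdropper do.

Added illustration, not code from the original slides. Key, IV and frame
payloads below are constructed. RC4 over (IV || key) with a CRC-32 ICV is the
WEP construction; the known-plaintext recovery needs no key at all.
"""
import zlib


def rc4(key, data):
    """RC4 keystream XOR (encrypt and decrypt are the same operation)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(payload):
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(key40, iv, payload):
    """WEP frame body: 24-bit IV in clear, then RC4(IV || key) over payload || CRC-32 ICV."""
    return iv + rc4(iv + key40, payload + _icv(payload))


def wep_decrypt(key40, frame):
    """Anyone holding the shared key reads any station's frame; None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key40, body)
    payload, icv = plain[:-4], plain[-4:]
    return payload if _icv(payload) == icv else None


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(known_frame, known_payload, target_frame):
    """Two frames under one IV share a keystream, so C1 xor C2 = P1 xor P2.

    With one plaintext known, the keystream falls out and the other frame is
    read without the key (up to the length of the known frame).
    """
    assert known_frame[:3] == target_frame[:3], "attack needs a repeated IV"
    keystream = _xor(known_frame[3:], known_payload + _icv(known_payload))
    return _xor(target_frame[3:], keystream)[:-4]


def demo():
    key40 = bytes.fromhex("0a1b2c3d4e")  # constructed: the key anyone can read off the client dialog
    iv = b"\x01\x02\x03"                 # 24-bit IV: only 2^24 values, so repeats are inevitable
    p1 = b"GET /cart?item=widget&qty=1 HTTP/1.0"        # constructed, easily guessed request
    p2 = b"POST /checkout card=4111111111111111"         # constructed test PAN
    f1, f2 = wep_encrypt(key40, iv, p1), wep_encrypt(key40, iv, p2)
    with_key = wep_decrypt(key40, f2)                   # insider, or whoever saw the dialog box
    without_key = recover_from_iv_reuse(f1, p1, f2)     # outsider who only knew p1
    return with_key, without_key


if __name__ == "__main__":
    print(demo())
```

The first result is the slide's point: a symmetric key that every client displays is a key the whole cell shares with anyone who has looked at one client. The second is the reason a shared-key stream cipher with a short IV stays weak even when the key is kept out of view.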

Summary

E-Commerce is here, and Thriving
• Works quite well

Big Money going into E-Commerce
• Researchers
• Developers

Software Implementation Errors
• Prevention
• SW/HW Version Authentication

Electronic Delivery
• Enforcing Copyright Protection

Summary (Continued)

Secure E-Commerce Everywhere
• Portable Electronic Wallet
• Biometry

E-Commerce Agents
• Trust and Privacy
• Agent Mobility

Room for Innovation

Resource Page: http://132.246.128.180/ecommerce/ecomlinks.html

Email Address: Larry.Korba@iit.nrc.ca
