NECESSITY, MEANING AND MEANS
Commerce depends on confidence, and so for commercial reasons business must
ensure the security and integrity of electronic transactions and records.
Establishing trust is necessary for a long-term business relationship in
commercial transactions. Establishing trust involves gaining confidence in
the parties involved in the transaction, in the payment mechanism employed,
and in the technology used to communicate instructions about the transaction.
When transactions are carried out in traditional physical form, one knows
the face and the voice of the person with whom one is dealing, and one knows
the jurisdiction in which the contractual obligations can be enforced.
The non-territorial and intangible nature of E-Commerce raises questions about
the adequacy and efficiency of existing law enforcement mechanisms, which are
still geared to situations concerning tangible products and limited to
national legislation and jurisdiction. Legal, administrative and technological
mechanisms are needed to identify the faceless companies on the net. Security
and control solutions have to be employed at both the transaction and the
system level.
Security has three main objectives.
· Confidentiality - to prevent unintentional disclosure of information
· Integrity - to prevent modification of the information
· Availability - to prevent withholding of information
The basic means of ensuring security are:
(i) Authentication - the verification of an individual's claimed identity.
Common means are passwords, tokens, smart cards, biometric devices etc.
Biometric techniques verify the identity of an individual on the basis of
physical or behavioural characteristics.
(ii) Authorisation - privilege control: it determines whether an authenticated
user is permitted to use specific resources. Resources typically include data
files, operator commands, input/output devices etc. Specific rules regarding
access, creation, modification and deletion ensure proper authorisation and
safeguard the integrity of the data and information.
(iii) Administration - translates business policy decisions into a format
that the new technology-driven system can use.
(iv) Auditing and Accountability - auditing has to ensure and verify that the
authentication and authorisation rules are producing the intended results.
Effective auditing processes can be built into the operating system, the
application system and the back-end system to generate routine audit logs.
(v) Data & Database Integrity - databases store and maintain the business
records of the enterprise. The database system should prevent corruption,
unauthorised modification and deletion of the data.
(vi) Firewalls - hardware- and software-based systems that provide security
to resources (such as a web site) attached to a network.
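As an added illustration, not part of the original text, the following Go program shows how authentication (i), authorisation (ii) and auditing (iv) fit together in one small system: a claimed identity is verified against a stored salted hash, a privilege table decides whether the authenticated user may perform an operation on a resource (anything not listed is denied), and every decision is written to an audit log. The account names, passwords, resources and policy are constructed for the example; salted SHA-256 stands in for a purpose-built password hash to keep the program short.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Op is one of the access, creation, modification and deletion rules
// that an authorisation policy speaks about.
type Op string

const (
	OpRead   Op = "read"
	OpCreate Op = "create"
	OpModify Op = "modify"
	OpDelete Op = "delete"
)

// User is a hypothetical account record: the password is kept only as a
// salted hash, together with the role used for authorisation.
type User struct {
	Salt     []byte
	PassHash []byte
	Role     string
}

// AuditRecord is one entry of the routine audit log: who asked for what,
// and whether the authorisation rules allowed it.
type AuditRecord struct {
	When     time.Time
	User     string
	Resource string
	Op       Op
	Allowed  bool
}

// Policy is a hypothetical privilege table: role -> resource -> permitted
// operations. Anything not listed is denied (default deny).
type Policy map[string]map[string][]Op

// System ties the three means together: an account store (authentication),
// a policy (authorisation) and an audit trail (accountability).
type System struct {
	users  map[string]User
	policy Policy
	Audit  []AuditRecord
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AddUser enrols an account, generating a random per-user salt.
func (s *System) AddUser(name, password, role string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.users[name] = User{Salt: salt, PassHash: hashPassword(salt, password), Role: role}
	return nil
}

// Authenticate verifies a claimed identity against the stored hash using a
// constant-time comparison, so the outcome is not revealed by timing.
func (s *System) Authenticate(name, password string) bool {
	u, ok := s.users[name]
	if !ok {
		// Unknown user: do the same amount of work, then deny.
		subtle.ConstantTimeCompare(hashPassword(nil, password), make([]byte, sha256.Size))
		return false
	}
	return subtle.ConstantTimeCompare(hashPassword(u.Salt, password), u.PassHash) == 1
}

// Authorize decides whether an authenticated user may perform op on resource
// and records the decision in the audit log whether allowed or denied.
func (s *System) Authorize(name, resource string, op Op) bool {
	allowed := false
	if u, ok := s.users[name]; ok {
		for _, permitted := range s.policy[u.Role][resource] {
			if permitted == op {
				allowed = true
				break
			}
		}
	}
	s.Audit = append(s.Audit, AuditRecord{When: time.Now(), User: name, Resource: resource, Op: op, Allowed: allowed})
	return allowed
}

// NewSystem builds the constructed sample: two accounts and a small policy.
func NewSystem() *System {
	s := &System{users: map[string]User{}, policy: Policy{
		"clerk":   {"orders.db": {OpRead, OpCreate}},
		"manager": {"orders.db": {OpRead, OpCreate, OpModify, OpDelete}, "payroll.db": {OpRead}},
	}}
	_ = s.AddUser("alice", "correct horse", "manager") // sample credentials, constructed
	_ = s.AddUser("bob", "battery staple", "clerk")
	return s
}

func main() {
	s := NewSystem()
	fmt.Println("alice authenticates:", s.Authenticate("alice", "correct horse"))
	fmt.Println("bob with wrong password:", s.Authenticate("bob", "guess"))
	fmt.Println("alice modifies orders.db:", s.Authorize("alice", "orders.db", OpModify))
	fmt.Println("bob deletes from orders.db:", s.Authorize("bob", "orders.db", OpDelete))
	for _, r := range s.Audit {
		fmt.Printf("%s user=%s resource=%s op=%s allowed=%v\n",
			r.When.Format(time.RFC3339), r.User, r.Resource, r.Op, r.Allowed)
	}
}
```

The audit log records denied requests as well as granted ones; that is what lets an auditor later verify that the authorisation rules are producing the intended results rather than only seeing what succeeded.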
CRYPTOGRAPHY & DIGITAL SIGNATURE
Cryptography protects the integrity of data and transactions from incidental,
unintentional or malicious tampering during transmission over open networks.
Cryptography uses an algorithm to transform data so as to render it
unintelligible to anyone who does not have the 'key' necessary to decrypt it.
Cryptography also provides mechanisms for establishing the validity of the
claimed identity of a user or other entity, and for preventing an individual
or entity from denying having performed a particular action, i.e.
non-repudiation. The technique protects the sender and the receiver from
third-party interference; it does not, however, protect the sender and the
receiver from each other.
A digital signature is a means of binding information to the originator of a
transaction. It is created by a series of cryptographic operations; it is
easy to verify and difficult to counterfeit. A digital signature by itself
does not guarantee that the sender of the message is who it purports to be:
a digital certificate issued and authenticated by a trusted certificate
authority is necessary if the identity of the sender also needs to be
guaranteed. The most commonly used form of digital signature generation is
public key cryptography. Public key encryption is based on two keys, a public
key to encrypt the data and a private key to decrypt it. Users wanting to
receive confidential information can freely announce their public key, which
senders then use to encrypt data sent to them. Only the holder of the
corresponding private key can decrypt the data. For signing, the roles of the
two keys are reversed: the private key generates the signature and the
public key lets anyone verify it.
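The following Go program is an added example, not part of the original text, showing both uses of a key pair described above: the receiver announces a public key, the sender encrypts with it, and only the receiver's private key decrypts; the sender signs with a private key, and anyone holding the matching public key can verify that the message was not altered. The choice of RSA-OAEP for encryption and Ed25519 for signatures, and the sample payment instruction, are assumptions made for this example; the text does not name particular algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one participant. It holds an RSA key pair for confidentiality and
// an Ed25519 key pair for signatures; only the public halves are announced.
type Party struct {
	rsaPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
	SigPub  ed25519.PublicKey
}

// NewParty generates fresh key pairs for a participant.
func NewParty() (*Party, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{rsaPriv: rsaKey, sigPriv: sigPriv, SigPub: sigPub}, nil
}

// EncPub is the encryption key a receiver freely announces.
func (p *Party) EncPub() *rsa.PublicKey { return &p.rsaPriv.PublicKey }

// Encrypt: anyone holding the receiver's public key can produce the ciphertext.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt: only the holder of the matching private key recovers the plaintext;
// any other key fails the OAEP padding check and returns an error.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.rsaPriv, ct, nil)
}

// Sign binds msg to the signer: the signature can only be produced with the
// private key, which is what makes it difficult to counterfeit.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.sigPriv, msg) }

// Verify checks a signature with the announced public key. A single changed
// byte in msg, or a signature made under a different key, makes it false.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	alice, err := NewParty()
	if err != nil {
		panic(err)
	}
	bob, err := NewParty()
	if err != nil {
		panic(err)
	}

	// Constructed sample instruction that alice sends to bob.
	msg := []byte("pay 100.00 to account 42")
	ct, err := Encrypt(bob.EncPub(), msg)
	if err != nil {
		panic(err)
	}
	sig := alice.Sign(msg)

	// bob decrypts with his private key and verifies alice's signature.
	pt, err := bob.Decrypt(ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %q\n", pt)
	fmt.Println("signature valid:", Verify(alice.SigPub, pt, sig))

	// A tampered instruction no longer verifies under the same signature.
	fmt.Println("tampered verifies:", Verify(alice.SigPub, []byte("pay 900.00 to account 42"), sig))
	// A party without bob's private key cannot decrypt the ciphertext.
	_, err = alice.Decrypt(ct)
	fmt.Println("decrypt with wrong key fails:", err != nil)
}
```

Note what the program does not do: verifying the signature proves the message came from whoever holds the private key matching alice.SigPub, but nothing here proves that key belongs to a particular person. That binding is what the certificate issued by a trusted certificate authority supplies.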