Web Server
The Advanced Guide for
World Wide Web Information Providers
Nancy J. Yeager
Robert E. McGrath
National Center for Supercomputing Applications
Morgan Kaufmann Publishers, Inc.
`- -- -' -. -- -- '
`Morgan Kaufmann Publishers, Inc.
Digital Commerce:
Risks, Requirements,
and Technologies
Whether you are a Web service provider or a casual Web user, it is important to understand
`your level of risk in using a secure Web service. This chapter will aid you in that
`task by defining requirements for secure services, describing security-enabling
`technologies, and presenting a method to evaluate a secure Web service. Lastly,
ments and methods we have defined.
`ments and methods we have defined.
`The Web was designed and is highly successful as an easy-to-use method for
`distributing public information. The Web is wide open. All information on the
`Web is public, and the Web is built upon a public network, the Internet. Many
`commercial Web services contain catalogs of products, services, and prices, and
`corporations use the Web to distribute information widely. Many users now
`want to take the technology one step further, to disseminate information in a
`controlled way. To do this, they need to incorporate confidentiality and access
`control to a subset of their Web documents. The same security mechanisms that
`restrict access to a set of documents to qualified .individuals could be used to
`popularize commercial transactions over the Web. These mechanisms can also
`be used to address online privacy issues, such as protecting the confidentiality of
`medical records or credit ratings.
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
tem. The introduction of security mechanisms can never totally eliminate all
risk; it can only diminish risks to an acceptable level. Any consideration of secu
rity must begin with risks: what are the risks and how can they be addressed?
`rity must begin with risks: what are the risks and how can they be addressed?
`Besides reducing risks, security technologies aim to increase confidence and
`trust in the system. Customers will not use a system if they do not trust it to
`safeguard their assets and interests.
`Who will be liable when the security services fail in a commercial Web
`service-the service provider or the customer? The answer for commercial Web
`services is still, as yet, undefined. However, as has been seen in similar electronic
`commerce systems, the service provider may be liable, in varying degrees, for
the technological failures of the system (Anderson 1994; Gifford et al. 1995).
Whether you are the customer or the service provider, liability is serious busi
ness, and your risks warrant a closer analysis.
In order to begin analyzing the risk incurred by digital commerce or secure
Web systems, let's first look at the process of a real-world commercial transac
tion model.
`8.1 A Familiar Model for Commercial
`Transactions: Credit Cards
`When credit cards were first introduced, many doubted that the general public
`would trust such a mechanism for commerce. Today the Web is at the same point
`in its commercial evolution: no one knows whether it will be widely accepted as
`a vehicle for commerce.
`In a credit card transaction, the ownership of a credit card identifies an indi(cid:173)
`vidual for the purpose of the commercial transaction. The owner has possession
`of the card and his or her signature matches the one that is signed on the receipt
`of goods. As we look at commercial transactions of all kinds we will find that
authorized to use the card-
`authorized to use the card-
`is the most crucial measure for assessing a secure
`transaction of any kind. The better the identification process, the less the risk
`assumed by the service provider or customer.
`In the case of credit cards, some merchants and customers have abbreviated
nature. For example, when the customer presents only the number (the proof of
possession) of the card over the telephone, there is little way to bind the autho
rized user's identity with ownership of the card. Abbreviating the identification
`rized user's identity with ownership of the card. Abbreviating the identification
`process in this way decreases the effectiveness of the mechanism and increases
`the risk of an illegal transaction. If a signature is not required, it is much easier
`8.2 Identifying Yourself
for a disreputable third party to intercept the credit card number (and expira
tion date) and purchase goods and services; therefore, the risk of loss due to
fraud is greatly increased. Today credit card companies accept the liability for
`stolen card numbers, provide help to customers with stolen card numbers, and
`charge more for their services to businesses that accept credit card numbers over
`the phone. The convenience of telephone transactions outweighs the risk of
`losses due to fraud. However, the business, and ultimately the customer, pays
`more for this added convenience.
`8.2 Identifying Yourself
As we look at commercial transactions of all kinds, we will find that this identi
fication process is the most important measure of effectiveness for secure trans
actions. First an individual asserts or claims an identity and then that assertion
`is verified. This assertion and verification together are called the authentication
`In the human world, the identity of each person is founded on their physical
`existence. When there is a person standing in front of us, we use all our senses to
`identify them, by what they look like, how they sound, what they do and say,
`and so on. On a computer system these natural cues are entirely missing. To the
`computer, a person is just a collection of data; it has no way to tell which body
side the computer. In one sense, the problem of authentication is to come up
with some way that the computer can tell people apart and verify a person's hon
esty when he asserts an identity.
`esty when he asserts an identity.
`Most commercial transactions and secure applications employ some form of
`authentication. There are three factors that can be used in the authentication
`process (Miller 1994):
`1. Knowledge-something a person knows
`2. Possession- something a person owns
`3. Characteristic- something a person is
`All of these may serve to uniquely identify one individual person.
`Many authentication systems operate on two-factor authentication, requiring
`two different sources of identification. The idea, of course, is that when the two
`means of identification match, it is likely that only the right person could supply
`that matching identification.
`Credit card users use two-factor authentication for purchasing goods and
`services: you present a card (possession) and you sign for the purchase (an indi(cid:173)
`vidual's characteristic signature). Automatic teller machines use two-factor
`authentication-you present a bank account card (possession) and input a per(cid:173)
`sonal identification number (PIN) (knowledge).
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`8.2.1 Biometrics
`The last authentication factor, the characteristic, is so well developed that it has
`been recognized as a scientific field. Biometrics is the study of the measurement
`of physiological and behavioral traits. It is used to study human diversity and
`may also be used for identification based on physiological or behavioral traits.
`Biometric methods analyze human physiological traits such as fingerprints,
`size and shape of hand and fingers, and retinal patterns. Biometric methods can
`also analyze behavioral characteristics such as an individual's signature, voice, or
board has been examined as a behavioral biometric identification method.
`board has been examined as a behavioral biometric identification method.
`Physiological measurements are not always convenient or unobtrusive. The
`most positive identification possible is a DNA sample, but it is not reasonable to
ioral biometric techniques may be easier to measure but are subject to more
`ioral biometric techniques may be easier to measure but are subject to more
`variability than physiological biometric techniques. For example, the quality of
`your voice may change if you have a cold and your signature may change as you
mature. No method is perfect, so it is important to consider the likely mistakes
`and their consequences. Biometric identification methods may fail in two ways:
`they may mistakenly confirm an identity when it is the wrong person (a false
`acceptance) and they may mistakenly reject the identity of the right person (a
false rejection) (Miller 1994). Different biometric methods have different likeli
hoods of each type of error, which are expressed in two numbers, the false accep
`tance rate (FAR) and the false rejection rate (FRR). The selection of a biometric
`method must be tailored to each application's security requirements, based on
`the consequences of each type of mistake.
`Consider, for example, the high security requirements of an entrance to a
`military laboratory. We would need a biometric method that could not easily be
metric method to permit authorized applicants to enter the secured facility.
`metric method to permit authorized applicants to enter the secured facility.
`Otherwise, qualified applicants would become frustrated and might eventually
`give up their entrance attempts. In this example, it would be of the utmost
`importance to deny access to unauthorized individuals-our biometric method
`must have a small FAR. If need be, we could tolerate a method that denied access
`to a few authorized applicants; we could always provide them with the phone
or a relatively high FRR. We could select fingerprints as a biometric system for
authentication at our secure site. Fingerprints have a FAR of less than .0001 per
cent and a FRR of 2 to 3 percent. In other words, it is very unlikely that someone
else's fingerprint will be taken to be yours, but the identification system some
times might not recognize your fingerprint as your own.
`times might not recognize your fingerprint as your own.
`The requirements of military security are completely different from the needs
`of commerce. What are the requirements for digital commerce? First, costs must
`8.3 The Web, Security, and the Internet
`be kept reasonable. And second, customer satisfaction and convenience are
`paramount concerns. The service provider cannot afford to aggravate even a
`small number of customers or it will lose their business. Incorrectly rejecting the
`identity of a customer is very bad for business. So, unlike the military example,
`digital commerce demands a very low FRR. Furthermore, even a reliable method
`must be very quick and must be inexpensive enough to be widely used. It is better
venient or expensive identification method.
`venient or expensive identification method.
`Most biometric methods cannot be used in digital commerce because they
`are either too expensive for the service provider or too inconvenient or too slow
tion system for use by banks for account and credit card verification. The sys
tem's cost is not prohibitive, only $1000. Banks have been slow to use this bio
metric method, though, because they are afraid their customers would not
`metric method, though, because they are afraid their customers would not
`tolerate the system's FRR of their perfectly legitimate transactions (Miller 1994).
`8.3 The Web, Security, and the Internet
We have seen in Chapter 7 that there are no privacy guarantees on the Internet
today. With the right tools and a bit of technical expertise, someone can eaves
drop on conversations and capture data. For this reason, conducting digital com
merce transactions on a public network like the Internet is risky business. But
`each day U.S. banks securely transfer a trillion dollars electronically (Adam
`1992). How is this done securely? Typically, commercial transaction services,
`like electronic banking applications, operate over private networks, such as their
`own leased networks or the networks that make up the telephone system. The
`privacy of the standard telephone service today relies on the physical security of
the network-
the fact that no one can easily tap the telephone line. So these pri
vate networks are a more secure place to conduct transactions.
`This section considers the requirements for digital commerce: what must be
`done to make the Internet a viable business environment. Imagine you are the
purchase a chemical called phenol as a raw material for your manufacturing process
from your major supplier, Victor Chemical Company. VCC is an advanced com
pany; it has a Web page that displays its entire product line, complete with cata
`pany; it has a Web page that displays its entire product line, complete with cata(cid:173)
`log numbers, availability, and current prices.
`Recently, Victor enhanced its online Web service with the capability to place
`chemical orders via its Web service. As a regular customer of Victor Chemical,
`you have a standing credit account number. The Web service displays a form,
credit card number or standing account number. This form is sent over the net
work to Victor's Web server, as explained in Chapter 3. Your order is received at
`work to Victor's Web server, as explained in Chapter 3. Your order is received at
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`File Options
`(Yi!;!QLGnemical On-line Ca~]Qg Orders
`i!LttB;(lwww.vcc.CQm/orders.htm '
`:.:· ·:i·ii
`Victor Chemical On-line Catalog Orders
`This catalog contains the latest products and prices for Victor Chemical Company.
`Use the on-line form to place orders.
`To place an order, please fill in the following information:
`Total Price:
`Account number:
`iSubmit Query I
`- '•
`.-;: A[C:.:.;.~·~" ".'·: .-
`I.:< I
`[B".i'i:'kh Forward I ~Home I iOpen ... 1
`Figure 8.1 Placing a purchase order via the Web.
ing as you transmit your account number and what are the risks? Is it safe to use
`ing as you transmit your account number and what are the risks? Is it safe to use
`this new facility?
To answer this question, it is easiest to break the problem down into its com
ponents. We must look at how secure the message is upon creation, transmis
sion, and receipt: the end-to-end security of the transaction. The Web forms
`service is a Web application running on top of an insecure public network, the
`So your credit account number could be captured as it is transmitted to
`Victor's Web server. Additionally, someone may be able to masquerade as you
`on your computer and send bogus messages. The receiver would have no way to
`tell that the message was not legitimate.
`8.4 Interim Digital Commerce Services for the Web
Even if nothing unusual occurs, many transactions on the Internet are trace
able. The sources and destinations of the messages can be discovered by snoop
ers. This in itself may deter the use of the Internet for some purposes. People
`often do not want their business transactions monitored.
`8.4 Interim Digital Commerce Services for
`the Web
`Despite the lack of security guarantees, many people want to use the Internet for
`commerce today, so several creative schemes have sprung up to circumvent the
`Internet security problems (Cain and McGrath 1995; Werner and DeAngelis
`1995; Sefferud 1995). In many of these systems, an Internet commerce service
`acts as a go-between for the business and the customers, collecting the customers'
`credit card information over the telephone.
In one system (Werner and DeAngelis 1995), the customer shopping on the
Web fills out the Web form with their desired purchases, their phone number,
`and a time when they will be available at the given phone number to supply their
`credit card information. The business collects the order and then either calls the
`customer back manually or uses a programmed voice robot to call the customer
`at the specified time to collect the customer's credit card number. This scheme is
nient for the customer.
`nient for the customer.
`In another scheme (Sefferud 1995), an internet commerce broker (ICB) acts
`as a go-between, collecting the credit card information of customers, collecting
`payment from the customers for purchases, and crediting the seller's account
`(see Figure 8.2). Here's how the scheme works:
`1. The customer registers (over the phone) with the ICB and supplies credit
`card information. The ICB assigns the customer an ICB account number.
`Thereafter, the customer uses his ICB account number to make purchases.
`2. As a customer places a transaction with a seller, he supplies his ICB account
`3. The seller reports the transaction to the ICB.
`4. The seller may validate the customer's ICB account number with the ICB
`before (or after) sending the purchased item to the customer.
`5. The requested item, typically a document, is sent to the customer.
`6. After the ICB receives the transaction report from the seller, it sends
`electronic mail to the customer asking for verification that they purchased
`the item.
`7. The customer confirms via electronic mail that they did indeed purchase
`the item.
`8. The ICB charges the customer's credit card account for the purchased item.
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`- - - - E-mail
`- - - - Secure phone network
`Figure 8.2 Interim digital commerce services on the Web.
This system is tailored to selling information, or "information commerce"
transactions not involving the purchase of physical goods or services. This would
`mean customers could purchase many documents on the Web, each for a small
`charge. The ICB collects all the transactions during a payment cycle. At the end
`of a payment cycle, the ICB bills the customer in the conventional way by calling
`a credit card processor over secure phone lines. The ICB then transfers remu(cid:173)
`nerations into the seller's ICB account. The seller bears the risk of nonpayment
`by the customer. Deadbeat customers run the risk of having their accounts ter(cid:173)
`minated by the ICB. This system assumes that the phone and electronic-mail
`services over the Internet are trustworthy. We have learned that Internet services
`like electronic mail are not necessarily secure.
`8.5 Requirements for Digital Commerce
`These schemes have limited usefulness in the long term. They fall short in
`customer convenience and they do not provide what we suspect businesses really
`want to offer: spontaneous, secure commercial transactions via the Web. Let's
`take a closer look at the requirements for such a system.
`8.5 Requirements for Digital Commerce
`Let's return to the example of the Victor Chemical Company's Web service and
`summarize the security requirements we would want and expect from a Web
`service. The system must provide three important assurances: confidentiality,
`authenticity, and message integrity. It would also be desirable to have the option
to execute spontaneous secure transactions and to use anonymous (cash) trans
actions.
1. Confidentiality The Web service must ensure that private transactions can't
be captured and read by others. No one should be able to eavesdrop on
our conversation and capture the account number we are transmitting in
`connect to the Victor Chemical Web order form and purchase goods in
`our name.
`2. Authenticity The Web service must ensure that "we are who we say we are."
`Both parties must be confident of each other's identity. Without this assur(cid:173)
`ance, someone could make illegal purchases in our name or masquerade
`as the Victor Chemical Company's Web server and collect our credit
`account number as we submit our order form.
`3. Message integrity The Web service must ensure that the message received is
`actually the message sent. It must not be possible to intercept and alter
`part or all of our order as it is transmitted over the network.
`4. Option for spontaneous secure transactions We might prefer to conduct a
`transaction in a secure fashion with whomever we wanted, whenever we
`wanted. We might prefer not to have to register or have a login created on
`each Web server that conducted our transactions.
`5. Option for anonymous transactions Wouldn't it be great if we had a cash
`equivalent in digital electronic form? This service would ensure that your
`purchase couldn't be logged and traced back to you. This is important
`because when each transaction is traceable, it is very easy for computers to
`accumulate large amounts of information about people based on what
`they buy.
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`8.6 Technology to Meet These Requirements
`Today there is a whole range of security applications that meet these security
`service requirements to various degrees: phone cards, ATM cards, security cards
`or smartcards (for office and computer room access), and road toll payment
`card systems. In the future, Web applications for commerce, education, and
`health care will be called upon to meet these security requirements.
`Let's look at the basic technologies that enable computer programs to meet
`these security requirements before we examine the special problems of integrat(cid:173)
`ing these security services into the World Wide Web.
`8.6.1 Cryptography
`Computer applications use cryptographic algorithms to provide a wide range of
`security services. An algorithm is a procedure or set of rules to solve a problem.
`A cryptographic algorithm is, in its simplest form, two sets of rules. One set of
unique; selection of a different key causes the ciphertext produced to be differ
`The other set of rules unscrambles, or decrypts, the messages so that they can
`once again be easily read. Cryptography can be used to protect information by
`restricting access to only a set of authorized individuals-those who have the
`ability to unscramble the message.
`Conceptually, TV cable service providers use a form of cryptography to limit
`access to some of the TV channels they provide. The TV cable service providers
`begin with a pure TV channel signal. They then scramble, or encrypt, the signal.
`This message in an unintelligible form is called ciphertext, and the encryption
`process is a cryptographic algorithm, or a cipher. The scrambled signal is then
`broadcast through the cable company's network to all customers. If the customer
`has paid for the TV channel, the cable company provides to the customer a device
`called a decoder. This decoder decrypts the scrambled TV signal, converting it
`back to the regular signal, and displays it on the TV. Those customers who have
`not paid for the TV channel do not have the correct decoder, and they see only a
`jumbled mess on the pay channel. So pay-per-view cable TV service is restricted
`through cryptography, and what the customer buys is the ability to decode the
`Cryptography has been used in wartime since before the Roman Empire for
`communicating military strategies (Kahn 1967). In classical cryptography, all
acters within a word or phrase are substituted or transposed. Everyone is proba
bly familiar with newspaper cryptograms, in which a message is encoded by sub
stituting letters. An A in the message is changed to a B in the cryptogram, B is
`stituting letters. An A in the message is changed to a B in the cryptogram, B is
`8.6 Technology to Meet These Requirements
`changed to C, and so on. Figure 8.3 shows a simple example of a cryptogram
`constructed by a simple substitution cipher-essentially the same type of code
`used by Julius Caesar two thousand years ago.
Cryptographic experts within a given army devised algorithms for trans
posing and substituting characters in their messages. Naturally, there also
`developed a set of skilled cipher analysts, or cryptanalysts, for capturing and
analysts have proven to be key to winning wars, perhaps most notably World
`analysts have proven to be key to winning wars, perhaps most notably World
`War II (Kahn 1967; Bamford 1983).
Many character-based cryptographic algorithms, such as newspaper cryp
tograms, are easily cracked; that is, they can be deciphered by people other than
the intended recipient. With the advent of computers, the complexity of crypto
graphic algorithms increased dramatically, as did the ability to crack codes.
Cryptography is not based on words or letters of human language when exe
cuted by a computer. Instead, the cryptographic operations and operands are
based on the computer's language: binary numbers, or bits. The bits that repre
sent the contents of a message (text, pictures, audio) are subject to mathematical
operations, such as addition, subtraction, multiplication, and division.
`Computers use cryptography in the same way as the TV cable service. The
`data generated by a computer program begins as an unscrambled, or plaintext,
message. An encryption algorithm on the sender's computer converts the mes
sage to ciphertext. The message is transmitted over the computer network as
`ciphertext. The receiver decrypts the ciphertext, converting the message back to
`its original plaintext form. This process is illustrated in Figure 8.4.
`When used by computers today, cryptographic algorithms are carefully
`designed ordered sequences of mathematical operations that use one or more
`variables called keys. Enciphering and deciphering operations are based on
`binary-number keys. These keys are inputs to cryptographic algorithms just as
`the seed variable is input to a random number generator (Knuth 1981). The
`unique key chosen makes the result of encrypting data using the algorithm
unique; selection of a different key causes the ciphertext produced to be differ
ent. The whole idea is that the ciphertext is different for each message and for
`each different key. The original message can be recovered from the ciphertext
`only by using the correct key and the same cryptographic algorithm used to
`encipher it.
`Secret message:
`The lark is on the wing.
`Ui f mbs l jt po uif xjoh.
`Figure 8.3 A cryptogram constructed using a letter-by-letter substitution.
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`Sender and
`rece iver use
`' ~~
`pskltij shfdp
`Figure 8.4 Private key cryptography. The encoder and the decoder are identical and use
`the same key.
`Keys can be any size, but typically they are very large numbers. The Data
`Encryption Standard (DES), a widely used cryptographic algorithm, uses a 56-
`bit key. A 56-bit number (25
`' ) can represent a number as large as 7 x 10". To get
`an idea of the size of this number, 10'8 (or 2") is an estimate of the total lifetime
`of the universe expressed in seconds. The entire number of people alive on the
). Some implementations of anoth
Earth is about 5 X 10^9 (5 billion people, or 2^32).
er popular algorithm, the Rivest, Shamir, and Adleman (RSA) algorithm, use
2048-bit keys (Bidzos 1991; Garfinkel 1995; Schneier 1994). Imagine the magni
tude of a number that 2048 bits would represent! If written out in zeros and
`ones, this key would be more than a page long!
`In digital commerce systems, the possession of a key is associated with a user's
`identity- each user may own a unique key. The computers determine who is
`who by the cryptographic key that is presented. Since a person may maintain
more than one role in their life, they may well need a set of keys to use. For exam
`ple, I might use one key to represent my identity as bank president and conduct
`8.6 Technology to Meet These Requirements
a bank transaction on behalf of a bank patron. While at home, I might use
another key to establish my identity as an individual customer of the bank and
withdraw money from my personal account. And I would have an entirely dif
ferent key to borrow books from the library.
`The cryptographic algorithms that we have been discussing belong to a class
`of algorithms called private key cryptography, because the decoding key must be
`kept secret to protect the information. Private key cryptography is one of three
ments for digital commerce. The other two are public key cryptography and
`ments for digital commerce. The other two are public key cryptography and
`hashing algorithms. The next sections look at each of these three classes of
`8.6.2 Private Key Cryptography
Private key cryptography enables computer applications to fulfill the require
ment of confidentiality: private transactions and data can't be captured and read
by others. We have seen how this requirement is fulfilled for the cable TV ser
vice. The encrypted TV signal can be safely sent over public satellite and cable
`channels. If the data is captured on the network, it can't be read because it is
`ciphertext. One would need a decoder with the correct key to read the cipher(cid:173)
`Private key cryptography uses one key, known to both the sender and the
ted message. Data can be recovered from ciphertext only by using exactly the
same key and the same algorithm used to encipher it (National Institute of Stan
dards 1993a). Figure 8.5 shows how this works. Since the key must be kept secret,
`dards 1993a). Figure 8.5 shows how this works. Since the key must be kept secret,
`it is called a private key. The encryption and decryption operations are some(cid:173)
`times described as being symmetric, so private key cryptography is also called a
`symmetric key system.
`8.6.3 Public Key Cryptography
Public key cryptography is used to fulfill the authenticity requirement: "I am
who I say I am." Unlike private key cr

