Protecting Sensitive Information in Electronic Commerce

Abstract

One of the crucial requirements for electronic commerce (e-commerce) systems is to provide adequate data security, which has been defined in terms of five functionalities (Adam, Dogramaci, Gangopadhyay and Yesha, 1998; Adam, Gangopadhyay and Holowczak, 1998; Kalakota and Whinston, 1996): authentication, authorisation, confidentiality, integrity, and non-repudiation. Authentication refers to the ability to prove the identity of a user and is based on verifying information provided by the user against what is known by the system about the user. Methods of authentication include private information such as passwords, physical devices such as smart cards, and biometric characteristics such as fmgerprints. Authorisation involves controlling access to information once authentication is established. Authorisation is accomplished with access control mechanisms for network entities and resources. Confidentiality involves maintaining privacy of information about users. Integrity involves the protection of data from modification, either while in transit or in storage (Bhimani, 1996). e-commerce systems must have the capability of ensuring that data transmissions over networks arrive at their destinations in exactly the same form as they were sent. Changes in data that integrity services must protect against include not only modifications to the data, but additions, deletions and reordering parts of the data (Ford and Baum, 1997). Non-repudiation involves proving the identity of the sender of a message. This prevents a sender from denying the fact that a message (such as a purchase order) was actually sent and taking responsibility for such a message.