First Internet Security, then Internet Commerce

Internet security has technological solutions,but the true potential of electronic commerce is still locked away.

by / September 30, 1997 0
Once the Internet looked like an all-American small town. The neighbors had no reason to lock their doors, they knew each other and often just dropped in for a visit.

Nearly three decades later, the Internet has become an appliance for everyday life, accessible to everyone from anywhere -- with an estimated 40 million users worldwide, resembling the city of Los Angeles. And if Los Angeles residents are using alarms, heavy duty locks, private security and dogs to protect their belongings, is it any wonder that Internet users employ antivirus software, firewalls and encryption to protect their data and privacy?

No other area of the Internet has experienced quite as much attention as security and for good reason. For example, an anonymous organization recently sent e-mail to 2,300 customers of ESPN Sportszone and -- two of the most popular Web sites -- saying that their credit card numbers had been accessed. The message included the last eight digits of the recipients' credit card numbers. Both quickly upgraded their security systems.

Clearly, security concerns are the number one challenge to the acceptance of electronic data exchange. Online transactions promise to become an increasingly important component of state and national economies. By the year 2000, electronic commerce is predicted to become a component of the economy worth tens of billions of dollars. However, security concerns must be allayed first.

Fortunately, recent technologies, together with several bills under consideration by Congress, promise more secure solutions.

According to the Clinton administration's A Frame for Global Economic Commerce, there are five basic principles of information security. They include: privacy, integrity, authenticity, confidentiality and nonrepudiation.


In case you haven't heard, some Web sites you visit install a "cookie," which basically spies on you, reporting back to the original Web site when you visit it again. Cookie files compile data on which Web sites you visit, and choices you make. Other personal information can also be extracted, according to some sources. And that's only one example of new, technology-based invasions of privacy.

In an increasingly networked and nosy world, Americans have begun demanding careful and responsible management of electronic data. A Frame for Global Economic Commerce suggests privacy principles that rest on the fundamental precepts of awareness and choice:

* Data-gatherers should inform consumers what information they are collecting, and how they intend to use such data.

* Data-gatherers should provide consumers with meaningful ways to limit use or reuse of personal information.

Recently, concerns have arisen over information collected from children. The Federal Trade Commission requires companies that operate Internet Web sites to obtain parental consent before releasing data on children to a third party. However, there is no way to verify compliance.

A bill introduced by Rep. Billy Tauzin (R-Louisiana), chairman of the House Commerce Committee's telecomunications subcommittee, would bar companies from disclosing, or using without consent, medical and financial records -- as well as government information such as Social Security numbers -- that are available online.

Privacy Products

Luckman Interactive's Anonymous Cookie for Internet Privacy offers an "anonimizer" mode that, according to the company, immediately disables all cookie directories or files, giving users more control over their privacy. According to Luckman Interactive, users can switch to this mode by simply clicking on the program's icon and selecting the desired mode. The anonimizer is still in beta version. For further information, contact>.

Another privacy protector is a site-labeling program called TRUSTe. TRUSTe icons inform Web site visitors how the site uses or exchanges information collected from visitors. TRUSTe's premier members include: AT&T, Tandem Corp., CyberCash, Wired Ventures, Oracle, IBM, MatchLogic, Netscape, InterNex and Land's End. More information about the TRUSTe program can be found at its Web site address, .

Another technology developed by the World Wide Web Consortium is called the Platform for Privacy Preferences (P3). The preferences in P3 are in users' hands rather than on the Web site. Visitors customize their program and require certain privacy practices to be used. The software provides informed consent for the user, handles the negotiations, and examines whether the terms are acceptable to the visitor.

Another privacy protector is the "Open Profile System," being developed by Netscape, Microsoft and others. The Open Profile System resembles P3 in some respects, in that users tune their privacy preferences on their own browsers.


After privacy, other concerns include integrity, authenticity, confidentiality and nonrepudiation. Integrity ensures that data has not been modified, added to, or deleted during its usage, storage or transmission. Identification and authenticity assure both sender and receiver of one another's identity. Nonrepudiation means being able to prove the integrity of data, who sent it, and that it was actually delivered.

Encryption answers the need for privacy, integrity, authenticity, confidentiality and nonrepudiation. Cryptography secures data using numeric keys and mathematical algorithms. Symmetric cryptography uses the same key to encrypt and decrypt the data. Asymmetric, or public-key, cryptography uses a key pair, one of which is available to the public, and one of which is kept by the message originator.

Encryption Products

Secure Sockets Layer (SSL), a protocol developed by Netscape Communications, provides authentication as well as encryption, and is used for Internet transmission.

Private Communications Technology (PCT) is another protocol from Microsoft to provide secure transactions over the Internet. Web servers and browsers are expected to support all the popular security protocols.

Initially, SSL vs. PCT raised compatibility issues. However, Netscape and Microsoft, together with other companies, are developing a protocol called Transport Layer Security (TLS). The partnership of competitors shows the extent of concern in the business community that government regulators may impose rules cracking down on privacy intrusions by Internet companies.

TLS is expected to hit the consumer market within "a few months," said Netscape's security product manager, David Andrews.

Netscape -- in an effort to bring the benefits of virtual private networks (VPNs) to the Web and make SSL an attractive option for secure, low-cost WAN connections -- will use Hi/fn's Lempel-Ziv-Stac (LZS) compression technology for use in its implementation of SSL. Microsoft, on the other hand, licensed a modified form of LZS called Microsoft Point-to-Point Compression (MPPC) that is incompatible with LZS, raising again the operability concern between different systems. MPPC will be included in Windows NT 5.0. Currently, neither Windows 95 nor NT support LZS.

In February 1996, MasterCard and VISA teamed with other financial services companies to create a security protocol for safeguarding payment-card purchases made over public networks, including the Internet.

VISA and MasterCard said they agreed on a set of technical standards for secure electronic transactions, called SET 1.0. The two companies are already running pilot programs to test the standards in 25 countries, and hope to introduce the standard to the general market at the end of this year.

SET 1.0 specifications were published May 1997. Widespread availability of SET-compliant software is expected by December.

GTE is the first certification authority (CA) to issue digital certificates under the SET 1.0 specification.

MasterCard International and VISA International co-hosted "Promise of SET" in San Francisco, an effort to making it a global standard as the payment standard for shopping on the Internet -- providing financial institutions, merchants and consumers a secure means of electronic commerce at a time of dramatic growth.

Digital certificates -- the digital equivalent to an ID card -- are extremely precise and make counterfeiting difficult. Most are based on an algorithm discovered in 1977 by MIT professors Ron Rivest, Adi Shamir and
Leonard Adleman (RSA). By encrypting messages -- the RSA algorithm allows only the intended recipient to read it. Using RSA-based cryptography software, such as Pretty Good Privacy, users can create a digital signature by encrypting messages with a combination of numbers -- called a secret key -- which is then safely stored away in the owner's computer. The recipient of the encrypted messages can then decode the sender's message with the software. Digital signatures are extremely difficult to counterfeit, and if the message is altered, the signature can no longer be verified.

Certificate Authorities (CA) provide reliable distribution of public keys and prevent digital impostors, verifying that a public key belongs to the real owner. CA companies conduct background checks of the organization or person, and then sign the organization's key with its own master key.

The digital certificate is sent along with an encrypted message to verify the sender's identity. The recipient uses the public key of the CA to decrypt the sender's public key attached to the message. Then the sender's public key is used to decrypt the actual message.

IBM recently claimed the development of a public key encryption system that is far more secure than today's public/private key cryptography or DES (Digital Encryption Standard). The manager of computer science at IBM's Almaden Lab, Ashok Chandra, described it as "being more scientific than practical, at this time." Today the best encryption technology is Triple DES, a 128-bit encryption key.

For additional information, contact IBM's Mike Ross at 408/927-1283.


Several factors have hindered the adoption of widespread encryption. In addition to the development of various competing standards that stifle the advancement and use of digital signatures, the U.S. government -- concerned that cryptography can also be used by drug dealers, terrorists or organized crime -- has limited export of strong encryption, severely hampering U.S. companies in competition with overseas companies.

Sun Microsystems Inc. -- responding to customer demands for stronger encryption -- is planning to sell a very strong Russian-developed encryption, called PC Sunscreen SKIP E+, to its foreign customers.

The government has also proposed escrowed public-key encryption, which privacy advocates liken to locking up one's house and giving a copy of the key to the government.

In July, the House International Relations Committee voted to relax U.S. export controls on computer encoding technology, and rejected an amendment that would have allowed the president to maintain strict export controls on the grounds of national security.

The bill "Security and Freedom through Encryption" (SAFE) -- sponsored by Rep. Bob Goodlate (R-Virginia) -- was expected to pass the House of Representatives late this year, with 250 co-sponsors, representing about 57 percent of the House.

The administration and many law enforcement agencies oppose relaxing controls.

A broader bill in the Senate -- the Secure Public Networks Act, S909, backed by Arizona Republican John McCain and Nebraska Democrat Bob Kerrey -- was approved by the Senate Commerce Committee.

The McCain-Kerrey bill would allow free export of medium-strength encryption, with keys up to 56-bits long, and establish a board to consider raising the limit in the future, the president would have the authority to overrule for reasons of national security. The FBI and other law enforcement agencies warn that the proliferation of strong encryption overseas will complicate the task of keeping tabs on international criminals and terrorists.

The Potential

The potential for economic commerce is immensely promising -- a wide-open world market for the first time. The technology for secure electronic data exchange already exists, and moving forward is mainly a matter of implementation and improved public perception.

Electronic commerce is similar to early attempts to tell time. The great civilizations of the world -- Egypt, Greece and Rome -- had various technologies such as the sundial and water clock, but they lacked the concept of a 24-hour day, and tried to divide day and night evenly into equal units of time. The inconsistencies of latitude and season also thwarted them, and the task -- as they had envisioned it -- was impossible.

Today, we have technology for electronic commerce, but our concept may not be large enough. The essential concepts of electronic commerce -- the swift exchange of electronic symbols for valuable products and services -- may change our world even more profoundly than the 24-hour day.