Secure transaction processing is a software issue that deals with the server software, and interaction with the user's client. A company would not have control over an external user and therefore cannot guarantee security on the users end. At best, a company can make a recommendation as to the software and version the user should be using. On the positive side, Netscape and Internet Explorer, occupying approximately 95% of the browser market support the security features discussed below.

     Server software is something an IS team can control and once security features of the host itself are established, as with firewall previously discussed, secure transactions are simply knowing the features you need. From there, several vendors such as Microsoft, Netscape, and BSDI / Apache have a variety of alternative.

     But how does one get information to this server without prying eyes finding out what is being sent?  Encryption is the method of garbling data (text or binary) to make it unreadable by any unauthorized individual.  Using jargon common to cryptographers, encryption takes a source file or message in human-readable text or "plaintext" and encodes it into an unreadable format or "ciphertext."  The idea is to encode the message so that anyone intercepting it, or receiving it other than the desired recipient, will find it impossible to decode.

     Conceptually, encryption is simple.  An individual (or client, a browser perhaps) has a key or table that is used encode the data.  This key is commonly a bit string, and is only to be held by the person sending the message and the desired recipient.  When the message reaches its proper destination, the recipient applies the encryption key and decodes the message.  This is called secret key encryption.

     In a paper entitled New Directions in Cryptography published in 1976 by Whitfield Diffie and Martin Hellman, an alternative to secret key encryption was proposed.  The new method, called public key cryptography, uses two keys instead of one.  The first is a key that is made available publicly and is used to encrypt messages.  The second is held in private.  The idea is that anyone can encode data and send it to the owner of the private key.  If the private key is kept private, only that individual will be able to decode the message.

     Discussing keys and bit patterns gives a rough overview of encryption, but it’s the algorithms that create and apply the key that determine the security of the cipher.  Several algorithms are commonly seen as parts of Web security solutions.  RSA is the most common, but DES (Data Encryption Standard). IDEA (international Data Encryption Algorithm), El Gamal and variants, and LUC all find their place somewhere.

     RSA is a public-key encryption method commonly used in Netscape browsers and servers as well as Internet Explorer.  RSA keys are based on the property that it is difficult to find the prime factors of a number when two large primes are multiplied.  This algorithm is patented and due to its security, is not exportable from the United States.  DES is a complex secret key cipher that is a federal standard, and is again non-exportable.  IDEA is another algorithm similar to DES, but is somewhat faster and is licenced for noncommercial use.  El Gamal is a public key algorithm. One of it’s variants, Schnorr’s, was chosen by the National Institute of Standards and Technology as a Digital Signature (a means of verifying the source of the message) standard. The last is LUC.  This is an algorithm similar to RSA that was developed in New Zealand in 1991 by Peter Smith.  Although the mathematics used in LUC is more complex, it claims to be more secure than RSA.  Despite the wide variety of choices, no group can agree on an international standard.  This has implications and solutions discussed later.

     When preparing a business for secure internet commerce there are several issues to consider:

	How do I authenticate users to make sure they are who they claim to be? Standard Web protocols such as TCP/IP and HTTP make impersonating a person or an organization relatively simple. If a person connects to a site claiming to be run by a respected retailer, how can that consumer be sure?
	How can I perform authentication without sending user names and passwords across the network in the clear?
	How can I provide single-user login services to avoid costly user name and account maintenance for all the servers (Web, proxy, directory, mail, news, and so on) across the enterprise? Can I provide single-user login without compromising security or incurring high administrative costs?
	How can I provide single-user login services to avoid costly user name and account maintenance for all the servers (Web, proxy, directory, mail, news, and so on) across the enterprise? Can I provide single-user login without compromising security or incurring high administrative costs?

     Several standards have made headway in solving these problems. SSL (Secure Sockets Layer) is a protocol that makes use of cryptography to transfer information securely. SSL is a protocol used by specially enabled browsers and servers. The protocol uses public-key encryption techniques to handle message privacy, message integrity (authenticating the user), and mutual authentication (prevention of impostors). This is the protocol we are most concerned with. Others like S/MIME handle email transactions, but our focus is Web delivery.

     During an SSL connection (handshake), communications occur in a slightly different manner than during a standard http (HyperText Transport Protocol) request, the standard protocol for all web content delivery. The first major difference is that the SSL capable server will accept a request on port 443 rather than the http port 80. Upon this request, the client initiates a handshake that establishes the SSL session. After the handshake, communication is encrypted and message integrity checks are performed until the SSL session expires. Considering the different port, the firewall router will have to be configured to handle these connections.

     Netscape servers, Microsoft IIS, and BSDI Stronghold support the SSL protocol. Setting an organization up with one of these software packages is mainly dependant on the platform that it will be running on. Netscape servers and Stronghold run cross platform for the most part. Ports can be found for several flavors of unix and NT server. Microsoft's server is a package that is integrated with NT Server and only runs on that platform. It is the experience of the primary author in dealing with Web design that UNIX based servers are much simpler to maintain and offers greater flexibility.

     The pricing and availability of the above servers are listed on the individual Web sites. In short, Netscape servers cost between $295 for their Fast Track server and $2000 for their Enterprise Pro server. IIS is technically free, but Microsoft receives payment from many hidden costs like NT server itself and additional components to the server. Stronghold is $495 or $595 with included authentication certificate.

     To handle secure transactions and on-line credit card verification, an authentication certificate is required for your site and must be obtained from a 3rd part certificate authority. Verisign Inc., created by Visa International, is one such authority offering their Digital ID's for $290 for the first year, $75 annual renewal. This certificate, being established by a 3rd party, is protection for the consumer so that they are doing business with the retailer they think they are doing business with. Their services extend into the nuts and bolts of on line sales.

     Their method couples some encryption with the added security of not needing to transfer complete payment information. When processing a purchase, the merchant receives a three-tiered message from the customer. This message contains a special decoder key (unscrambler code); the description and price of goods to purchase; and a digital certificate containing the user’s name, partial credit-card number and name of the card issuer. The merchant uses the decoder key to unlock the message, and the certificate to verify the buyer. Note that VeriSign do not require the full credit-card number. This information is handled by VeriSign. Under this system, a card thief would need to get a hold of the credit-card number, and break the decoder key.

     Other companies such as OpenMarket have partnerships with companies that work together to provide certificates, on-line verification, and Shopping Cart systems for actual deployment of products via the Web. Their OM-Secure Link package ($99) acts as the product deployment system which works with a Verisign server certificate. Final transactions are processed by commerce service providers such as AT&T, MCI, First Union, UUNet and others.

     The combination of Digital IDs, a SSL equipped server, and an appropriate verification authority provides a business with a complete and secure commerce solution with the ability to deliver their products via the internet. This is attractive to many businesses because of costs. It reduces the size of a sales department, cost of answering phones, and in some cases, the product can even be delivered via the internet.

     The later concerns listed above involve logging into the server thus restricting access to content. This is useful for on-line subscriptions that have monthly or annual fees, or for secured areas where software can be obtained once it is paid for. This is a function of server configuration, but can be integrated into the commerce system established by the organization. For example, upon paying and verification, the user is given a login and password to access the product. This is easily implemented with server-side scripting in an hour or two.

     Some users will still refuse to make use of the facilities for online commerce that require credit card submission. In light of that, companies should consider alternative payment methods for their products. The first alternative is DigiCash created by DigiCash. This method requires digital cash to make purchases over the internet. Digital cash is equivalent to paper money, which can be obtained by withdrawing from an on-line account with a participating bank. The procedure is to visit the bank’s Web site, present your identity and password, and then make the withdrawal. The withdrawal will be a digital cash equivalent stored on your computer, which can be used to make internet purchases with participating merchants. Ecash payments use the highest-security encryption codes available.

     The second alternative is First Virtual System created by First Virtual Holdings Inc. This system is unique in that the customer’s financial information and credit card numbers are not transmitted on the public internet. This information travels as emails on financial institutions’ secure networks to exchange data. The only information transmitted on the internet are the buyer’s First Virtual code name and virtual pin. Under this system, an intruder needs to gain access to the buyer’s electronic mailbox and obtain two messages one from First Virtual and one from the merchant which are highly unlikely to be intercepted.

     Next we will look at a sample setup for a smaller company with medium traffic Web delivery. An example of this would be a small software company that offers engaging content on their site and sells and delivers their product online.