Monday, May 25, 2009

Exercise 16

Exercise 16: Authentication and Encryption Systems
1. Visit an e-commerce website and survey the mode of payment allowed. Would you trust the site with your business?

The following website, http://www.jewellerystore.com.au/, offers e-commerce. The payment options are:
1. ALL MAJOR CREDIT CARDS or BANK ACCOUNT FUNDS TRANSFER through PayPal (Australia & all international purchases). All such payments are automatically directed through the PayPal checkout when this payment option is selected. PayPal is a secure and free service.
2. Direct Bank Deposit (cash deposit, cash transfer, or internet bank transfer - Australia only). Account details will be issued upon checkout.
3. Bank Cheque/Australia Post Money Order. Payee details and postal address will be issued upon checkout.

2. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

Measures that e-commerce sites can provide include:
• passwords
• software security
• digital certificates from a trusted source
• ABN (Australian Business Number)
• validation seals
• the published phone numbers of the website have been called and verified as belonging to the website
• verification that the privacy policy of the site
• SSL
• secured seals


3. Visit the Verisign web site – what solutions does it offer for e-commerce?

VeriSign provides the following e-commerce solutions:
• VeriSign® SSL Certificate Services enable secure commerce, communications, and interactions by providing encryption and authentication services to Web sites, intranets, and extranets.
• VeriSign® Identity and Authentication Services strengthen and protect digital identities with a network approach to strong authentication and online fraud detection services.
• VeriSign® Domain Name Services globalize access to the Internet, and VeriSign is the authoritative registry of all .com, .net, .cc, and .tv domain names.
(VeriSign)

4. Visit the TRUSTe website. Describe what services and solutions are offered?

TRUSTe provides security seals to businesses, which show that the business has a secure privacy policy in place. TRUSTe's Web Privacy Seal builds confidence between businesses and consumers by identifying businesses with reliable online privacy practices. The seal marks companies that adhere to TRUSTe's strict privacy principles and comply with the TRUSTe Watchdog dispute resolution process. (TRUSTe, 2009)

5. Get the latest PGP software from http://web.mit.edu/network/pgp.html; install it on two machines and encrypt a message on one machine and decrypt it on the other. Report your findings.


The web page is not available.

6. The use of digital certificates and passports is just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?

The other tools for validating legitimate users are:
Digest: Digest authentication is based on a challenge-response authentication model. The user makes a request without authentication credentials and the Web server replies with a WWW-Authenticate header indicating that credentials are required. Instead of the client sending the username and password in the clear, the server challenges the client with a random nonce.

NTLM: NTLM (NT LAN Manager) authentication is Microsoft's proprietary authentication algorithm carried over HTTP. It works on Microsoft Internet Explorer only. Integrated Windows authentication works the same way as Message Digest authentication: NTLM [3] is a Microsoft-proprietary protocol that authenticates users and computers based on an authentication challenge and response.

Microsoft Passport: The Passport single sign-in service is an authentication service that lets users create a single set of credentials to sign in to any site that supports the Passport service (referred to as a "participating site").

Forms-Based: Forms-based authentication is the most popular authentication technique on the Internet. Conventionally, web applications have users authenticate themselves through a Web form. The credentials captured by this form are submitted to the business logic, which determines the user's authorization level.

(Hacker, 2008)
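The Digest challenge-response described in the answer to question 6 above, as an added example that is not part of the original post: the server issues a random nonce, the client returns an MD5 hash that covers the password, the nonce and the request (RFC 2617, qop="auth"), and the server recomputes the hash to verify it without the password ever crossing the wire. The realm, user, URI and nonce values are constructed for the example.

```python
# Added example (not from the original post): HTTP Digest challenge/response
# per RFC 2617 with qop="auth". Realm, users, nonce and URI are constructed.
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: value of the response= field. The password never leaves the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    """Server side: issues a random nonce and verifies the client's hash."""
    def __init__(self, realm, users):
        self.realm = realm
        # Store only HA1 = MD5(user:realm:password), never the clear password.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self):
        """The WWW-Authenticate challenge: a fresh random nonce per request."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "qop": "auth", "nonce": nonce}

    def verify(self, user, method, uri, nonce, nc, cnonce, response, qop="auth"):
        if nonce not in self.live_nonces or user not in self.ha1:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.live_nonces.discard(nonce)  # one-shot nonce: a replay fails
        return ok

def run_exchange(password="Circle Of Life"):
    """One full exchange; returns (first attempt ok, replay of same response ok)."""
    server = DigestServer("shop@example.com", {"mufasa": "Circle Of Life"})
    ch = server.challenge()
    cnonce, nc = secrets.token_hex(4), "00000001"
    resp = digest_response("mufasa", password, ch["realm"], "GET", "/checkout",
                           ch["nonce"], nc, cnonce, ch["qop"])
    first = server.verify("mufasa", "GET", "/checkout", ch["nonce"], nc, cnonce, resp)
    replay = server.verify("mufasa", "GET", "/checkout", ch["nonce"], nc, cnonce, resp)
    return first, replay
```

Digest keeps the password itself off the wire, but it protects nothing else in the request and relies on MD5, so it is a complement to SSL/TLS on a payment site, not a substitute for it.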
