Technology Infrastructure for

Electronic Commerce

Olga Gelbart
[email protected]
THE GEORGE WASHINGTON UNIVERSITY
based on Prof. Lance Hoffman’s Lecture on Network Infrastructure for Electronic Commerce
 Snapshots of the Electronic
Commerce World
 Yesterday - EDI
 Today - getting our toes wet, what this course is
about
 Tomorrow - Metadata, machine understandable
information on the Web.
– Catalog information
– Intellectual property information
– Endorsement Information
– Privacy information
– see www.w3c.org/pics and www.w3c.org/p3p
How Did We Get Here?
 Before the Internet
– History of Commerce and Money
– Elements of payment systems
 The Start of the Internet
– Predecessor Networks
– Timeline of Significant Events
 The Internet Today
– What is the Internet?
– How Does the Internet Work?
– Differences from Original Net
– Differences from Traditional World Out There
 The Internet in the Future
 What is the Internet?
 On October 24, 1995, the FNC unanimously passed a resolution defining
the term Internet. This definition was developed in consultation with
members of the internet and intellectual property rights communities.
RESOLUTION: The Federal Networking Council (FNC) agrees that the
following language reflects our definition of the term "Internet". "Internet"
refers to the global information system that -- (i) is logically linked together
by a globally unique address space based on the Internet Protocol (IP) or
its subsequent extensions/follow-ons; (ii) is able to support
communications using the Transmission Control Protocol/Internet Protocol
(TCP/IP) suite or its subsequent extensions/follow-ons, and/or other IP-
compatible protocols; and (iii) provides, uses or makes accessible, either
publicly or privately, high level services layered on the communications
and related infrastructure described herein.

 http://www.fnc.gov/Internet_res.html
 The Internet - connections
•Computers in the backbone connected by a (T3)
data connection (45 megabits/second)
•ISP hosts and other powerful computers connect
using (T1,Broadband) lines
•Leased lines (some businesses)
•Modem dial-up connections
•Cable modems
•ADSL - Asymmetric Digital Subscriber Line
Internet features
 Originally ARPAnet
– MIT, MITRE, SRI, BBN
– Distributed communications even with many
failure points
– Dissimilar computers exchange info easily
– Route around nonfunctioning parts
– 4 sites: SRI, UCLA, UCSB, Univ of Utah
 Hafner and Lyon, Where Wizards Stay Up
Late, Simon & Schuster 1996
 Kahn’s Internet Principles
R. Kahn, Communications Principles for Operating Systems. Internal BBN
memorandum, Jan. 1972.

 Each network must stand on its own and

no internal changes could be required to
connect it to the Internet
 If a transmission failed, try again
 Simple black boxes (later called
“gateways” and “routers” would connect
the networks
 No global control at operations level
 The Internet - development
1962 Licklider, J.C.R., Galactic Network memos
Licklider - MIT to ARPA
ARPANET and successors: open architecture networking
1970s: universities and other DoD contractors connect
packets rather than circuits (note many of the names in
the articles were graduate students then)
1975: 100 sites and e-mail is changing how people collaborate
Late 1970s: New Packet Switching Protocol:
Transfer Control Protocol/Internet Protocol (TCP/IP)
1980: MILNET takes over military traffic
1980s: NSFNet links together NSF researcgers,
Internet protocols incorporated into (BSD) Unix, a widespread operating system
Late 1980s: NSFNet absorbs original ARPANET (for a US university to get NSF
funding for an Internet connection, that connection had to be made available to
all qualified users on campus, regardless of discipline
1995: Commercial backbones replace NSFNet backbone
Usenet
BITNET
Commercial Networks: AOL, Compuserve, etc.
Federal Decisions that Shaped the Internet

 Agencies shared cost of common infrastructure, e.g., trans-

oceanic circuits
 CSNET/NSF (Farber) and ARPA (Kahn) shared infrastructure
without metering
 Acceptable Use Policy - no commercialization. Privately funded
augmentation for commercial uses (PSI, UUNET, etc.), thought
about as early as 1988 KSG conferences sponsored by NSF
 NSF defunded NSF backbone in 1995, redistributing funds to
regional networks to buy from now-numerous, private, long-haul
networks
 NSFNet $200M from 1986-1995
 The Internet - Four Aspects
Leiner, et al., “A Brief History of the Internet”,

http://info.isoc.org/internet/history/brief.html

 Technological Evolution
– Packet Switching
– Scale, Performance, Functionality
 Operations and management of a global
and complex infrastructure
 Social Aspect - Internauts
 Commercialization
 Internet Development Timeline

From “A Brief History of the Internet” by B. Leiner, et al.,

http://info.isoc.org/internet/history/brief.html
Excerpts from
Hobbes’ Internet Timeline
by Robert H. Zakon
http://www.info.isoc.org/guest/zakon/Internet/History/HIT.html
 1957 Sputnik; US forms ARPA
 1962 P Baran, Rand, “On Distributed Communications Networks”, packet switched networks
 1967 Larry Roberts first design paper on ARPAnet
 1969 ARPANet commissioned. First RFC.
 1970 ALOHANet (radio) connected to ARPANet in 1972
 1971 Ray Tomlinson E-mail, BBN
 1972 Telnet specification (RFC 318)
 1973 File transfer specification (RFC 454)
 1977 Mail specification (RFC 733)
 1979 USENet newsgroups. First MUD.
 1981 CSNet
 1982 DoD standardizes on TCP/IP
 1983 Name server developed at University of Wisconsin; users no longer need to remember exact path to other systems
 1983 Berkeley releases 4.2BSD including TCP/IP
 1984 DNS introduced. Now over 1,000 hosts
 1984 Moderated newsgroups on USENET
 1988 Internet worm affects 6,000 of the 60,000 Internet hosts
 1990 EFF founded by Mitch Kapor
 1991 WWW released by CERN (Tim Berners-Lee, developer)
 1991 PGP released by Phil Zimmerman
 1992 ISOC chartered
 1992 “Surfing the Internet” coined by Jean Armour Polly
 1993 US White House goes online
 1993 Internet Talk Radio
 1994 Can now order pizza from Pizza Hut online
 1994 First Virtual bank open for business
 1995 RealAudio
 1995 Netscape third largest ever NASDAQ IPO share value
 1995 Registration of domain names no longer free
 1996 Communications Decency Act passed, challenged in US
 1997 CDA overturned by Supreme Court
Growth of the Internet
From Hobbes’ Internet Timeline at http://info.isoc.org. ...
How Internet Manages Change?
 RFC process
 W3C process
 Now a proliferation of stakeholders
 Debates over control of name space
 Profits to be made and lost
 Commercial vs. Other interests
Trends in Internet Applications
 Internet TV (Web TV + VIATV
Videophone)
 Voice over IP (VoIP)
 Internet telephone
 Internet dashboard (Alpine GPS,
Windows CE in cars)
 Wireless (WAP)
Needed in Electronic Commerce
 Authentication
 Privacy
 Message Integrity
 Non-repudiation

Adapted from Gail Grant

Authentication

 Proving identity
– Passports
– Driver’s licenses
– Credit Cards
– Doctors’ diplomas
Gail Grant
Privacy

 Locks
 Doors
 Perimeter security
 Castles
Gail Grant
M
Y
T
H
R
E
A
L
I
T
Y
Message Integrity


 Wax seals
 Tylenol seals
 Custom seals
 US Mail
Gail Grant
Non-Repudiation

 Handshake
 Notary Public
 Signatures
 Contacts
Gail Grant
 Electronic cash policy issues
 anonymity
– can lead to “perfect” crime
 traceability (accountability)
 security (no electronic muggings)
Certification Authority Functions
 Accept applications for certificates
 Verify the identity of the person or organization
applying for the certificate
 Issue certificates
 Revoke/Expire certificates
 Provide status information about the certificates
that it has issued
 But what do the certificates mean?

Adapted from Gail Grant

 Who Will Be CA’s?
 Specialty firms (VeriSign)
 Government agencies
 Corporations (for employees)
 Telecommunication companies
 Banks
 Internet Service Providers
 Value-Added Networks (VAN’s)
 Whom to trust?
– Hierarchy vs web of trust

Gail Grant
 Who Sells CA Products
and Services?
 Atalla Corporation
 BBN Corporation
 CertCo
 Cylink Corporation
 Entrust Technologies Inc.
 GTE Corporation
 IBM
 Netscape Communications
 VeriSign
 Xcert Software Inc.

July 1997
Legal Issues
 Legislation
 Responsibilities
 Liability
 International Usage
 Certification Practice Statements
Business Issues for CAs
 Business Models
 Risks
 Costs
 In-House vs Out-Sourcing
 Operational Considerations
 Liability
Some Problems
 Untrusted computer systems
 Not all persons are trustable
 Law not clear
 Policy not clear
 Sovereignty challenged:
– Cryptography policy
• Anonymity
• Confidentiality
25300

Untrusted Computer Systems (then)

Malware Example: The Internet Worm
Shut down 6,000 machines, Nov 1988
– Tried three techniques in parallel to spread
• Guess passwords
• Exploit a bug in the finger program
• Use a trapdoor in the sendmail program
– Effects
• serious degradation in performance of affected machines
• affected machines had to be shut down or disconnected from
the internet
– Criminal justice
• Perpetrator convicted January 1990 under 1986
Computer Fraud and Abuse Act; sentenced to
3 years probation, $10,000 fine, and 400 hours of community
service
 Web-Based Computer Systems
SURPRISE DISCLOSURES OF PERSONAL
INFORMATION, AND PROGRAM LAUNCHES
 Cookies
 JAVA (Applet security issues)
 Microsoft
– Word macro viruses
– ACTIVE-X
• QUICKEN surprise bank transfer
– Web-based viruses
 Browser vulnerabilities (recent Netscape 4.x -- have to
disable Java!)
 A final surprise: monitoring tools (e.g.,
SATAN) also used by the enemy
Who are “trustworthy” persons?
 With “everyone” connected by networks, how do you
know who to trust?
 Trusted Third Parties
 Certifying Authorities
 Digital Signatures
– Strong, Trustable Encryption
 Distributed Architecture: Smart Cards
 LAW OF THE NET
 Whose Law? Internet is not a monarchy, democracy, republic, or
dictatorship; rules and formalities are nonexistent
 Jurisdiction, treaties, harmonization of definitions
– CDA Example, Tennessee
 Enforcement
– Elected officials and their designees?
– Internet Service Providers?
– Vigilantes?
• Anti-spam page: http://www.dgl.com/docs/antispam.html
– Agents Launched by Any of the Above?
• Cancelbots
– Netiquette?
 18071

Sovereignty Case study: Cryptography Policy

Government stalling, an impediment to
progress, or cautious reasoning to avoid chaos?
– Constitutional issues
- Law Enforcement
- National Security
– Privacy issues
– Export policies
– Jurisdictional "turf" issues
 Issues in Cryptography Policy
Privacy Issues

When should government have right to

monitor telecommunications?
What safeguards prevent abuse of
information obtained with taps?
Can a free society tolerate
hidden data with no accountability?
Clipper Chip Solution (Clipper I) (adapted from White House briefing)
* provides successor for DES WARRANT
* provides law enforcement solution

2
Key Escrow Holders
1 Law Enforcement
Agency
Commerce Dept., NIST Court
Treasury Dept., Automated Systems Div

Clipper Chip Encryption device

 THE FOUR HORSEMEN OF THE
APOCALYPSE
(CYPHERPUNKS VERSION)
 nuclear terrorists
 child pornographers
 money launderers
 drug dealers

APPLICATION OF BLIND SIGNATURE TO A REAL CRIME

B. von Solms and D. Naccache, Computers and Security 11, 6 (1992)
reprinted in Hoffman, L. (Ed.), Building in Big Brother,
Springer-Verlag, 1995
19111

WHAT IF UNBREAKABLE ENCRYPTION LEADS TO

THIS?
How many times per year is acceptable?
19892

NAS/NRC CRYPTO POLICY REPORT

HIGHLIGHTS
Commercial use: Should promote widespread
commercial use of technologies that can
prevent unauthorized access to electronic info
Exportation: Should allow export of DES to
provide an acceptable level of security
Escrow: Premature (Key recovery = current proposal)
Classified material: The debate on crypto
policy should be open and does not require
knowledge of classified material
Total preliminary report at http://www.nap.edu/nap/online/titleindex.html#c
Cryptography's Role in Securing the Information Society, 1996,
National Academy Press, 2101 Constitution Ave. NW, Box 285, Washington DC 20055, (800) 624-6242
19870

CURRENT ENCRYPTION
LEGISLATION
Highlights: Full Text at
 SAFE (HR 695)
http://www.cdt.org/crypto/
Reps. Goodlatte (R-VA), Eshoo (D-CA)
 Pro-CODE (S 377)
– Sen. Leahy (D-VT), Burns (R-CO), Wyden (D-OR)
– Audio and photo transcript and lots of information
from 3/19/97 hearing at
www.democracy.net/archive/03191997
 Commonalities between SAFE and Pro-CODE
– Prohibit government from imposing mandatory key escrow
– No export license required for public domain or
– generally available encryption software
 (Draft Clinton administration legislation [no warrant])
Building a Home Page to Sell
Something
 Just Building a Home Page
 Now Making It Sell Something
 What to Sell?