Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 34 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Increasing Security Reliability in E-Commerce Platform through Customer Tracker and Code Inclusion
1Chukwurah E.E
2Mbachu C.B.
1,&2
Department of Electrical and Electronic Engineering, Anambra State University, Uli.Anambra State, Nigeria
Email: 1 [email protected] [email protected]
2
Abstract
E-commerce is fast growing media by which businesses and other market forms are achieved without the physical presence of the individuals in the business. Some exiting e-commerce platforms suffer from file inclusion vulnerability
which allows an attacker to include a file, usually through a script on the web server and this occurs due to the use of user-supplied input with weak validation. These platform output the contents of the file, execute codes on the client side, web
servers while creating the possibility of cross site scripting (XSS), denial of service (DoS) and data theft/manipulation. This paper developed a customer tracker and code inclusion analytics (CT-CIA) that monitors the http request of the
customer as well as the browser system details. When these are collected, it is sent to the e-commerce analytics servers in the form of a long list of parameters attached to a single-pixel image request. The data contained in the request is the data
sent to the e-commerce analytics server, which then generates the processed inclusion code for reliable customer transaction. The flowchart descriptions and process procedures are detailed while arguing that the approach offers
excellent protection against some methodologies in terms of cost, flexibility, reliability, and intelligence.
Keywords: Customer Tracker (CT), Code Inclusion Analytics (CIA), Hybrid Encryption, Cloud E-commerce Audit,
Feedback Security, SMS System.
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 35 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
1. Introduction
1.1. Background Study
The viability of e-commerce is threatened with various forms of vulnerabilities.confidentiality, integrity, authenticity, access control, privacy, availability, authorization and accountability are serious issues facing the e-commerce ecosystem [1]. This is because users access the e-
commerce accounts by simply logging and shopping without an effective security checks and verification procedures. When the e-commerce platform runs on the Cloud, this computing approach moves the application software and databases to the large datacentres, where the
management of the data and services are not trustworthy [2]. According to [2], this unique attribute, however, poses many new security challenges. The challenges include but not limited to accessibility vulnerabilities, virtualisation vulnerabilities, web application
vulnerabilities such as SQL (Structured Query Language) injection and cross-site scripting, physical access issues, privacy and control issues arising from third parties having physical control of data, issues related to identity and credential management, issues related to data
verification, tampering, integrity, confidentiality, data loss and theft, issues related to authentication of the respondent device or devices and IP spoofing.
Users need to be assured of their transactions on the e-commerce platforms so as to encourage online transaction paradigm. It should be be noted that the advent of cloud internet system has facilitated a quantum leap in online presence as more business consignment and
individuals are engaging in more versatile bulk money businesses that the traditional trading security does not guarantee and the globalization of the world as a global village has made trading online a honey comb. The rapid development of the e-commerce has prompted transaction
security issues to become object of attention. The transmission of information such as the account names, passwords, details of financial transactions and other requests from the e-commerce portal to the web server, must remain confidential. It is on this note that the information
needs to be transmitted privately, securely and correctly between the e-commerce service provider and the customers. It is therefore important that the ever increasing population of online marketers be guarded and secured against fraud associated with online businesses. This can be
achieved by incorporating securities that will identify usernames and passwords, generates transaction codes for users and a feedback SMS
security system via mobile phones, show list of users and enable cloud audit at any point in time, also be able to disable users for any evidence of wrong use of transaction codes or activities likely to be fraud. The E-commerce visitor tracking (EVT) is the analysis of visitor
behaviour on a E-commerce platform under the jurisdiction of assigned privileges. In this case, the forensic analysis of an individual visitor's behaviour may be used to provide an audit logs and preferences; either during a visit or in the future. In this work, the context understanding
a web site visitor’s behaviour in order to identify buying intentions is very vital.
In this research, customer tracking and code inclusion algorithm (CT-CIA) is a useful approach to combat web vulnerabilities. The background encryption security system in the proposed e-commerce system is based on hybrid XAMP MD5 Random curve cryptography
running on the secure socket layer (SSL), which protects the users and administrators on the e-commerce platform. The E-commerce design uses a secured administrator interface (customer tracker) that shows list of customer's logins, enables cloud audit at any point in time, can
disable customers when there is element of ambiguity and generates transaction codes i.e. a number generated during registration which will be sent to the users e-mail or phone via SMS, the user will in turn provide the same code in transaction ID window, after the login
window, this serves as feedback security or extra layer security in the system .The result of the new security scheme randomly generates and secures the login details dynamically on the server during, authentication, authorization, and verification phases. This form of security is
designed to give any user of this portal confidence and reliability to carry out any transaction on e-commerce platform.
1.2.Our Contribution
Many useful security models have been introduced by researcher, but the unique property of the proposed E-comer CT-CIA is the customers tracker, cloud audit and transaction code generation that will be sent via SMS to the customers mobile line, this serves as feedback security
which is an extra layer security. This work then explores the intelligent analytics of the CT-CIA to bring about a secure e-commerce event driven philosophy.
2 .Related Works
In [3], Google Analytics has been developed which works by the inclusion of a block of JavaScript code on pages in a website. In their work, when users on a website view a page, this JavaScript code references a JavaScript file which then executes the tracking operation for
Analytics. The tracking operation retrieves data about the page request through various means and sends this information to the Analytics server via a list of parameters attached to a single-pixel image request.
In [4], the authors presented a design of a new security protocol using hybrid cryptographic algorithm for on line transaction. This captured the combination of both symmetric and asymmetric cryptographic techniques. This protocol provides three cryptographic primitives (such as
integrity, confidentiality and authentication) which will be achieved with the help of Elliptic Curve Cryptography, Dual-RSA algorithm and Message Digest MD5. Similarly, In [5], the author proposed a framework based on smart card that allows partners to realize secure
transactions. The proposed solution use smart cards to store keys and perform cryptographic algorithms. Their approach is an e-business framework based on smart card technology. In this case, Keys, certificates and digital signatures are stored in the card. The card also
performs the on-board cryptography operations. Also, the work in [6], and [7] all focused on Cryptographic Algorithms to secure e-commerce transactions. Possible vulnerabilities as found in all e-payments e.g E-commerce PayPAL have been identified in Figure 1.
According to [8], the three top web site vulnerabilities include: i. SQL Injection: This uses SQL to change the meaning of database command. (Refer to Figure 2).
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 36 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
- Browser sends malicious input to server
- Bad input checking leads to malicious SQL query ii. Cross-site request forgery (CSRF): This leverages user session at victim server. (Refer to Figure 3).
- Bad web site sends browser request to good web site, using credentials of an innocent victim iii. Cross-site scripting (XSS): This injects malicious scripts into trusted contexts. (Refer to Figure 4a, b).
- Bad web site sends innocent victim a script that steals information from an honest web site.
Figure 1: Web Reported Vulnerabilities With Detection Rates [8]
Figure 2: SQL Injection [8]
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 37 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 3: Cross-Site Request Forgery [8]
Figure 4a: Reflected Cross-Site Scripting [8]
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 38 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 4b: Stores Cross-Site Scripting And Reflected XSS [8]
The major problem faced by consumers in an online transaction is the security vulnerability identified previously. The insecurity is due to the fact that -
1. Most of the platforms lack the benefits of validation code inclusion as a service (VCIaaS).
2. Most of the platforms build weak self-inclusive SQL commands. The use of parameterized and prepared SQL is usually lacking. 3. Most works do not use Object-relational mapping ORM framework. This is programming technique for converting data between
incompatible type systems in object-oriented programming languages. This creates, in effect, a application object database that can
be used from within the programming language. There are both free and commercial packages available that perform object-relational mapping, although some programmers opt to create their own ORM tools.
Figure 5: ORM Framework
4. Secret Validation Token such as < input type=hidden value=23a3af01b> has not been explored in most cases.
5. Referer Validation such as in facebook (Referer: http://www.facebook.com/home.php) is still the most used validation login
procedure but when wrongly implemented, SQL injection could threatened it.
6. Custom HTTP Header is sometimes poorly implemented e.g, X‐Requested‐By: XML Http Request
This work adopted CT-CIA as a Secret Token Validation (STV) in which requests include a hard-to-guess secret. The variations are:
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 39 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
- Session identifier
- Session-independent token - Session-dependent token
- Hash Message Authentication Code (HMAC) of session identifier
3. METHODOLOGY
3.1. ORP Framework/Waterfall Model
This work used the ORP framework in which tasks act on object-oriented (OO) objects that are non-scalar values. In this case, logical
representations of the objects are translated into an atomized form that is capable of being stored in the database, while preserving the properties of the objects and their relationships so that they can be reloaded as objects when needed. With persistence, storage and retrieval
functionality were implemented. This was applied in CT-CIA proposal. Figure 6 shows the waterfall model applied in deriving Figure 5. It
shows the basic steps towards the implementation and integration of the security scheme.
Figure 6: CT-CIA Waterfall Flow Diagram.
3.2. Description of CT-CIA Technique
In this case, the CT-CIA is a conceived Hash Message Authentication Code (HMAC). This was used as a specific construction for calculating
a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As a MAC, it was used to simultaneously verify both the data integrity and the authentication of a customer transaction message. The work employed the
cryptographic hash function, MD5/SHA-1 for use in the computation of e-commerce HMAC. When adapted to MD5, the resulting MAC algorithm is referred to as e-commerce HMAC-MD5 but when used in SHA1, this is referred to as HMAC-SHA1 accordingly. The
cryptographic strength of the HMAC depended upon the cryptographic strength of the underlying hash function offered by the database logic, the size of its hash output, and on the size and quality of the key. In operation, an iterative hash function breaks up a message into blocks of a
fixed size and iterates over them with a compression function. In this case, the MD5 operates on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function, ie MD5 = 128 bits , and SHA-1= 160bits, respectively.
3.3 Security Algorithm
The security key is given by the operator: \textit{ CT-CIA} [CK, CM] = H\Big(K\oplus opad)\;||\;H\big((CK \oplus ipad)\;||\; CM \bigr)\Bigr)
Where H is a cryptographic hash function,
CK is a secret key padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it is longer than that block size,
CM is the message to be authenticated,
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 40 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
|| denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
and ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
This work used the following pseudocode to demonstrate the implementation of the CT-CIA (HMAC) was implemented with MD5. Block size is 64 (bytes) when using MD5 hash functions.
Function HMAC (key, message)
if (length(key) > blocksize) then key = hash(key) // keys longer than blocksize are shortened
end if if (length(key) < blocksize) then
key = key ∥ [0x00 * (blocksize - length(key))] // keys shorter than blocksize are zero-padded (where ∥ is concatenation)
end if
o_key_pad = [0x5c * blocksize] ⊕ key // Where blocksize is that of the underlying hash function
i_key_pad = [0x36 * blocksize] ⊕ key // Where ⊕ is exclusive or (XOR)
return hash (o_key_pad ∥ hash(i_key_pad ∥ message)) // Where ∥ is concatenation
end function //HMAC_MD5("", "") = 0x74e6f7298a9c2d168935f58c001bad88
//HMAC_SHA1("", "") = 0xfbdb1d1b18aa6c08324b7d64b71fb76370690e1d //HMAC_SHA256("", "") = 0xb613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad
End.
3.4. Proposed Cloud E-Commerce System
It could be recalled that the proposed e-commerce transaction is developed for products and services using waterfall with a reuse model shown in Figure 6. The system represents a combination of all the basic functionalities of the e-commerce models leveraging the CT-CIA. In
its operation mode, the e-commerce platform depicts a scenario where a user registers on the platform and a code (HMAC) is generated by the administrator and sent electronically as SMS to the mobile line (mobile phone) in putted in the transaction window. This now enables the
user to place order of products and services base on the administrator role privilege assignment. The main function of customer tracker work orders is to initiate work, clarify the work to be done, the delivery date and special instruction with audit logs. The tracker ensures that the
work order tracks the progress of the online activity.
3.4.1. System Elements
In the proposed system model, the key factors include: i. Cloud Super Admin Authentication Sa
ii. Dedicated Administrator Aarg[Da] iii. Cloud Customers Cc1,Cc2,............Ccn
iv. Cloud Audit [Sales Audit] v. Shopping/Order/billing
vi. Customer code generator
3.4.2. Architectural/ Operational Mechanism
In this architecture, the super admin Sa on the cloud portal assigns subsidiary administrators which are depicted Dedicated Administrator Da1, Da2..............Dan, that coordinates and monitor the activities of numerous registered cloud customers Cc1,Cc2,............Ccn.. From user
perspective, the cloud customers who are legitimately registered are authenticated using HMAC in context and an immediate transaction code will be generated from the Customers Code Generator and this will be sent as SMS via the customer's mobile number or e-mail. The access
control authentication and encryption algorithm intelligently grants or denies access to platform domain based on the logon and customer transaction Code status of the cloud customer .The status control serves to enforce discipline on either DA or Cc, while the cloud audit stores
and displays customers transactions information when desired at any point in time in the cloud logs for all DA and Cc. Figure 7 illustrates the proposed model.
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 41 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure7.Proposed model for the CES
3.4.3 IMPLEMENTATION
The system accepts new registration or prompts for a new registration. Essentially, it is either a customer logs in or registers before initiating any transaction on the CES. Figure 8 shows CES user interface. The descriptive flow
charts used to develop the entire system model are presented below
Figure 8.E-commerce Cloud Portal (User Interface)
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 42 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 9 E-commerce Cloud Portal (Login Interface)
Figure 10: E-commerce Cloud Portal (Registration Interface)
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 43 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 11.E-commerce Cloud Super Admin Interface
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 44 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 12. E-Commerce Cloud Register Admin Interface
Figure. 13 E-commerce Cloud Customer Info DB
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 45 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 14: E-commerce Cloud Audit Log Interface
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 46 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 15: E-commerce Cloud Assigned Administrators Interface
Figure 16: E-commerce Cloud Assigned Administrators Interface
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 47 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
This work used adobe dream weaver as the integrated development environment with a visual editor that supports Web
technologies such as CSS, JavaScript, and various server-side scripting languages and frameworks including ASP (ASP JavaScript, ASP VBScript, ASP.NET C#, and ASP.NET VB), Code Fusion, Scriptlet, and PHP. The IDE was configured
with My SQL server in XAMP control panel which has integrated supports for Apache server and MySQL database. In this work, entire program using the design phase of the SDLC waterfall model with Reuse model was tested using
different data and system platform. Before the proposed e commerce was made fully operational, it was thoroughly tested on a local host server while
debugging and ensuring there is no syntax errors syntax errors giving rise to successful compilations while testing with real user test data. After several tests, the reliability of the system was ascertained while making the necessary
documentation. In this research, the e commerce model was designed to run on the high performance data centre network infrastructure comprising a MikroTik server with local host HP Envy m4 window8 running Apache, MySQL and CS4
adobe Dreamweaver IDE.
Figure17 .CES user registration pictorial Framework
Figure 18.CES login Interface pictorial Framework
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 48 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
Figure 19 CES Shoping Cart (users accepted )
These at a glance show the major display that shows the level of dependability being projected to make security in e-
commerce reliable.
4 .Results and Discussion The display of the user interface was in line with the design flow charts. The flowcharts for the e-ecommerce system
model show the level of reliability of customer’s security. Figure 7 the e-commerce design, in which security was tested yield satisfactory results. The design of the HMAC specification was observed to eliminate attacks on e-commerce system
based on the key with a hash function. The security of HMAC using MAC = H(key ∥ message) is very robust and reliable. Unlike in most encryption schemes, the computational overhead of the CT-CIA is lower as the processor spends little time
generating the inclusion code string. Again, in some existing cryptographic algorithms as seen in literature, their methods suffer from a serious flaw, in that with most hash functions, it is easy to append data to the message without knowing the
key and obtain another valid MAC (length-extension attack). The alternative, appending the key using MAC = H(message
∥ key), suffers from the problem that an attacker who can find a collision in the (unkeyed) hash function can use it quickly
to compromise the e-commerce system. Using MAC = H(key ∥ message ∥ key) is better, but various security papers have suggested vulnerabilities with this approach, even when two different keys are used. No known extensions attacks have
been found against the current HMAC specification which is defined as H(key ∥ H(key ∥ message)) because the outer
application of the hash function masks the intermediate result of the internal hash. The values of ipad and opad are not
Figure 20 CES login Interface( Denying access)
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 49 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
critical to the security of the algorithm, but were defined in such a way to have a large Hamming distance from each other
and so the inner and outer keys will have fewer bits in common. The security reduction of HMAC does require them to be different in at least one bit. This is used to generate the authorization code for the e-commerce transaction via mobile
phone SMS. Table 1 summarises a comparison between the proposed and some existing schemes
Table 1: Comparison between Hybrid cryptographic Schemes and CT-CIA schemes (Performance Evaluation)
5. CONCLUSION
This research work developed a security integrated e-commerce system that leverages intelligent CT-CIA. This new Security scheme which is based on hybrid XAMP MD5 Random curve cryptography with customer tracker code
inclusion, addresses the vulnerability in e-commerce domain. This scheme enables customers to carry out reliable and flexible online transaction with ease. The extra security layer or feedback security guaranteed adequate security for online
transactions. Therefore this new security model is expected that over 80%of business owner will be offing their transaction via this platform. This design of E-commerce security model reliability application is compactable with all browsers after
following the ORP waterfall methodology. A comparison between the proposed scheme and the generalized cryptographic schemes shows that the performance of the proposed system is very satisfactory.
References 1. Bela, Genge, Adela Beres, Piroska haller, “A Survey on Cloud-based Software Platforms to Implement Secure
Smart Grids”, In IEEE, 2014. 2. S. Subashini, V. Kavitha , “A survey on security issues in service delivery models of cloud computing “, Journal
of Network and Computer Applications, Elesiver Scidirect. 34 (2011) 1–11. 3. Google Analytics. Online
https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview?hl=en, Retrived on 13
th Sept.2015.
Parameter Hybrid Security
Schemes
CT-CIA
Cryptographic Security
Secrecy Fuses cryptographic
uniqueness with secrecy
caters for secrecy with least overhead
Comparison
process
Takes a lot of
computation resources
This is done easily
with fewer computation
resources
User convenience requires huge effort from the
user
Requires less memorization of PINs
Vulnerability to
eavesdropping
It can be hacked
if discovered by constant
monitoring,
With constant
monitoring, passwords can never
be discovered
Vulnerability to brute force attack
Highly vulnerable
Less vulnerable
Countermeasures Counter attacks
have not yet been
documented
Counter attacks on
password systems are
well documented
Cost Effectiveness
Very Expensive PIN code systems are relatively cheap
IJOART
International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 50 ISSN 2278-7763
Copyright © 2015 SciResPub. IJOART
4. S. Subasree And N. K. Sakthivel, “ Design of A New Security Protocol Using Hybrid Cryptography
Algorithms”, IJRRAS 2 (2), February 2010. 5. Hakim Fourar-Laidi, “A smart card based framework for securing e-business transactions in distributed
systems”, Journal of King Saud University –Computer and Information Sciences, Computer and Information Sciences (2013) 25, 1–5 http://dx.doi.org/10.1016/j.jksuci.2012.05.002.
6. Okafor N. I, Okafor K.C, Udeze C.C. & Onwusuru I. M, “3-Tier E-Comp: A Novel E-Commerce Management Portal Based On Secured SDLC Approach”, Computing, Information Systems, Development Informatics &
Allied Research ISBN 978-2257-44-7(Print) ISSN 2167-1710 (online) Vol. 4 No. 4 Dec. 2013.Pp.1-11. 7. Okafor KC, Udeze CC, Okafor CM, ISCLOUD V.1.0: An Interactive Cloud Shopping Cart Based On Software
As A Service Computing Model With Hybrid Cryptographic Algorithm”, International Journal Of Engineering And Computer Science ISSN:2319-7242 Vol. 2 Issue 6 June, 2013 Page No. 1727-1738.
8. John Mitchell, “Web Application Security”, CS 155, Spring 2010
IJOART