Increasing Security Reliability in E-Commerce ... - IJOART

International Journal of Advancements in Research & Technology, Volume 4, Issue 11, November -2015 34 ISSN 2278-7763

Copyright © 2015 SciResPub. IJOART

Increasing Security Reliability in E-Commerce Platform through Customer Tracker and Code Inclusion

1Chukwurah E.E

2Mbachu C.B.

1,&2

Department of Electrical and Electronic Engineering, Anambra State University, Uli.Anambra State, Nigeria

Email: 1 [email protected] [email protected]

2

Abstract

E-commerce is fast growing media by which businesses and other market forms are achieved without the physical presence of the individuals in the business. Some exiting e-commerce platforms suffer from file inclusion vulnerability

which allows an attacker to include a file, usually through a script on the web server and this occurs due to the use of user-supplied input with weak validation. These platform output the contents of the file, execute codes on the client side, web

servers while creating the possibility of cross site scripting (XSS), denial of service (DoS) and data theft/manipulation. This paper developed a customer tracker and code inclusion analytics (CT-CIA) that monitors the http request of the

customer as well as the browser system details. When these are collected, it is sent to the e-commerce analytics servers in the form of a long list of parameters attached to a single-pixel image request. The data contained in the request is the data

sent to the e-commerce analytics server, which then generates the processed inclusion code for reliable customer transaction. The flowchart descriptions and process procedures are detailed while arguing that the approach offers

excellent protection against some methodologies in terms of cost, flexibility, reliability, and intelligence.

Keywords: Customer Tracker (CT), Code Inclusion Analytics (CIA), Hybrid Encryption, Cloud E-commerce Audit,

Feedback Security, SMS System.

IJOART



1. Introduction

1.1. Background Study

The viability of e-commerce is threatened with various forms of vulnerabilities.confidentiality, integrity, authenticity, access control, privacy, availability, authorization and accountability are serious issues facing the e-commerce ecosystem [1]. This is because users access the e-

commerce accounts by simply logging and shopping without an effective security checks and verification procedures. When the e-commerce platform runs on the Cloud, this computing approach moves the application software and databases to the large datacentres, where the

management of the data and services are not trustworthy [2]. According to [2], this unique attribute, however, poses many new security challenges. The challenges include but not limited to accessibility vulnerabilities, virtualisation vulnerabilities, web application

vulnerabilities such as SQL (Structured Query Language) injection and cross-site scripting, physical access issues, privacy and control issues arising from third parties having physical control of data, issues related to identity and credential management, issues related to data

verification, tampering, integrity, confidentiality, data loss and theft, issues related to authentication of the respondent device or devices and IP spoofing.

Users need to be assured of their transactions on the e-commerce platforms so as to encourage online transaction paradigm. It should be be noted that the advent of cloud internet system has facilitated a quantum leap in online presence as more business consignment and

individuals are engaging in more versatile bulk money businesses that the traditional trading security does not guarantee and the globalization of the world as a global village has made trading online a honey comb. The rapid development of the e-commerce has prompted transaction

security issues to become object of attention. The transmission of information such as the account names, passwords, details of financial transactions and other requests from the e-commerce portal to the web server, must remain confidential. It is on this note that the information

needs to be transmitted privately, securely and correctly between the e-commerce service provider and the customers. It is therefore important that the ever increasing population of online marketers be guarded and secured against fraud associated with online businesses. This can be

achieved by incorporating securities that will identify usernames and passwords, generates transaction codes for users and a feedback SMS

security system via mobile phones, show list of users and enable cloud audit at any point in time, also be able to disable users for any evidence of wrong use of transaction codes or activities likely to be fraud. The E-commerce visitor tracking (EVT) is the analysis of visitor

behaviour on a E-commerce platform under the jurisdiction of assigned privileges. In this case, the forensic analysis of an individual visitor's behaviour may be used to provide an audit logs and preferences; either during a visit or in the future. In this work, the context understanding

a web site visitor’s behaviour in order to identify buying intentions is very vital.

In this research, customer tracking and code inclusion algorithm (CT-CIA) is a useful approach to combat web vulnerabilities. The background encryption security system in the proposed e-commerce system is based on hybrid XAMP MD5 Random curve cryptography

running on the secure socket layer (SSL), which protects the users and administrators on the e-commerce platform. The E-commerce design uses a secured administrator interface (customer tracker) that shows list of customer's logins, enables cloud audit at any point in time, can

disable customers when there is element of ambiguity and generates transaction codes i.e. a number generated during registration which will be sent to the users e-mail or phone via SMS, the user will in turn provide the same code in transaction ID window, after the login

window, this serves as feedback security or extra layer security in the system .The result of the new security scheme randomly generates and secures the login details dynamically on the server during, authentication, authorization, and verification phases. This form of security is

designed to give any user of this portal confidence and reliability to carry out any transaction on e-commerce platform.

1.2.Our Contribution

Many useful security models have been introduced by researcher, but the unique property of the proposed E-comer CT-CIA is the customers tracker, cloud audit and transaction code generation that will be sent via SMS to the customers mobile line, this serves as feedback security

which is an extra layer security. This work then explores the intelligent analytics of the CT-CIA to bring about a secure e-commerce event driven philosophy.

2 .Related Works

In [3], Google Analytics has been developed which works by the inclusion of a block of JavaScript code on pages in a website. In their work, when users on a website view a page, this JavaScript code references a JavaScript file which then executes the tracking operation for

Analytics. The tracking operation retrieves data about the page request through various means and sends this information to the Analytics server via a list of parameters attached to a single-pixel image request.

In [4], the authors presented a design of a new security protocol using hybrid cryptographic algorithm for on line transaction. This captured the combination of both symmetric and asymmetric cryptographic techniques. This protocol provides three cryptographic primitives (such as

integrity, confidentiality and authentication) which will be achieved with the help of Elliptic Curve Cryptography, Dual-RSA algorithm and Message Digest MD5. Similarly, In [5], the author proposed a framework based on smart card that allows partners to realize secure

transactions. The proposed solution use smart cards to store keys and perform cryptographic algorithms. Their approach is an e-business framework based on smart card technology. In this case, Keys, certificates and digital signatures are stored in the card. The card also

performs the on-board cryptography operations. Also, the work in [6], and [7] all focused on Cryptographic Algorithms to secure e-commerce transactions. Possible vulnerabilities as found in all e-payments e.g E-commerce PayPAL have been identified in Figure 1.

According to [8], the three top web site vulnerabilities include: i. SQL Injection: This uses SQL to change the meaning of database command. (Refer to Figure 2).

IJOART



- Browser sends malicious input to server

- Bad input checking leads to malicious SQL query ii. Cross-site request forgery (CSRF): This leverages user session at victim server. (Refer to Figure 3).

- Bad web site sends browser request to good web site, using credentials of an innocent victim iii. Cross-site scripting (XSS): This injects malicious scripts into trusted contexts. (Refer to Figure 4a, b).

- Bad web site sends innocent victim a script that steals information from an honest web site.

Figure 1: Web Reported Vulnerabilities With Detection Rates [8]

Figure 2: SQL Injection [8]

IJOART



Figure 3: Cross-Site Request Forgery [8]

Figure 4a: Reflected Cross-Site Scripting [8]

IJOART



Figure 4b: Stores Cross-Site Scripting And Reflected XSS [8]

The major problem faced by consumers in an online transaction is the security vulnerability identified previously. The insecurity is due to the fact that -

1. Most of the platforms lack the benefits of validation code inclusion as a service (VCIaaS).

2. Most of the platforms build weak self-inclusive SQL commands. The use of parameterized and prepared SQL is usually lacking. 3. Most works do not use Object-relational mapping ORM framework. This is programming technique for converting data between

incompatible type systems in object-oriented programming languages. This creates, in effect, a application object database that can

be used from within the programming language. There are both free and commercial packages available that perform object-relational mapping, although some programmers opt to create their own ORM tools.

Figure 5: ORM Framework

4. Secret Validation Token such as < input type=hidden value=23a3af01b> has not been explored in most cases.

5. Referer Validation such as in facebook (Referer: http://www.facebook.com/home.php) is still the most used validation login

procedure but when wrongly implemented, SQL injection could threatened it.

6. Custom HTTP Header is sometimes poorly implemented e.g, X‐Requested‐By: XML Http Request

This work adopted CT-CIA as a Secret Token Validation (STV) in which requests include a hard-to-guess secret. The variations are:

IJOART

http://www.facebook.com/home.php



- Session identifier

- Session-independent token - Session-dependent token

- Hash Message Authentication Code (HMAC) of session identifier

3. METHODOLOGY

3.1. ORP Framework/Waterfall Model

This work used the ORP framework in which tasks act on object-oriented (OO) objects that are non-scalar values. In this case, logical

representations of the objects are translated into an atomized form that is capable of being stored in the database, while preserving the properties of the objects and their relationships so that they can be reloaded as objects when needed. With persistence, storage and retrieval

functionality were implemented. This was applied in CT-CIA proposal. Figure 6 shows the waterfall model applied in deriving Figure 5. It

shows the basic steps towards the implementation and integration of the security scheme.

Figure 6: CT-CIA Waterfall Flow Diagram.

3.2. Description of CT-CIA Technique

In this case, the CT-CIA is a conceived Hash Message Authentication Code (HMAC). This was used as a specific construction for calculating

a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As a MAC, it was used to simultaneously verify both the data integrity and the authentication of a customer transaction message. The work employed the

cryptographic hash function, MD5/SHA-1 for use in the computation of e-commerce HMAC. When adapted to MD5, the resulting MAC algorithm is referred to as e-commerce HMAC-MD5 but when used in SHA1, this is referred to as HMAC-SHA1 accordingly. The

cryptographic strength of the HMAC depended upon the cryptographic strength of the underlying hash function offered by the database logic, the size of its hash output, and on the size and quality of the key. In operation, an iterative hash function breaks up a message into blocks of a

fixed size and iterates over them with a compression function. In this case, the MD5 operates on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function, ie MD5 = 128 bits , and SHA-1= 160bits, respectively.

3.3 Security Algorithm

The security key is given by the operator: \textit{ CT-CIA} [CK, CM] = H\Big(K\oplus opad)\;||\;H\big((CK \oplus ipad)\;||\; CM \bigr)\Bigr)

Where H is a cryptographic hash function,

CK is a secret key padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it is longer than that block size,

CM is the message to be authenticated,

IJOART



|| denotes concatenation,

⊕ denotes exclusive or (XOR),

opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),

and ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).

This work used the following pseudocode to demonstrate the implementation of the CT-CIA (HMAC) was implemented with MD5. Block size is 64 (bytes) when using MD5 hash functions.

Function HMAC (key, message)

if (length(key) > blocksize) then key = hash(key) // keys longer than blocksize are shortened

end if if (length(key) < blocksize) then

key = key ∥ [0x00 * (blocksize - length(key))] // keys shorter than blocksize are zero-padded (where ∥ is concatenation)

end if

o_key_pad = [0x5c * blocksize] ⊕ key // Where blocksize is that of the underlying hash function

i_key_pad = [0x36 * blocksize] ⊕ key // Where ⊕ is exclusive or (XOR)

return hash (o_key_pad ∥ hash(i_key_pad ∥ message)) // Where ∥ is concatenation

end function //HMAC_MD5("", "") = 0x74e6f7298a9c2d168935f58c001bad88

//HMAC_SHA1("", "") = 0xfbdb1d1b18aa6c08324b7d64b71fb76370690e1d //HMAC_SHA256("", "") = 0xb613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad

End.

3.4. Proposed Cloud E-Commerce System

It could be recalled that the proposed e-commerce transaction is developed for products and services using waterfall with a reuse model shown in Figure 6. The system represents a combination of all the basic functionalities of the e-commerce models leveraging the CT-CIA. In

its operation mode, the e-commerce platform depicts a scenario where a user registers on the platform and a code (HMAC) is generated by the administrator and sent electronically as SMS to the mobile line (mobile phone) in putted in the transaction window. This now enables the

user to place order of products and services base on the administrator role privilege assignment. The main function of customer tracker work orders is to initiate work, clarify the work to be done, the delivery date and special instruction with audit logs. The tracker ensures that the

work order tracks the progress of the online activity.

3.4.1. System Elements

In the proposed system model, the key factors include: i. Cloud Super Admin Authentication Sa

ii. Dedicated Administrator Aarg[Da] iii. Cloud Customers Cc1,Cc2,............Ccn

iv. Cloud Audit [Sales Audit] v. Shopping/Order/billing

vi. Customer code generator

3.4.2. Architectural/ Operational Mechanism

In this architecture, the super admin Sa on the cloud portal assigns subsidiary administrators which are depicted Dedicated Administrator Da1, Da2..............Dan, that coordinates and monitor the activities of numerous registered cloud customers Cc1,Cc2,............Ccn.. From user

perspective, the cloud customers who are legitimately registered are authenticated using HMAC in context and an immediate transaction code will be generated from the Customers Code Generator and this will be sent as SMS via the customer's mobile number or e-mail. The access

control authentication and encryption algorithm intelligently grants or denies access to platform domain based on the logon and customer transaction Code status of the cloud customer .The status control serves to enforce discipline on either DA or Cc, while the cloud audit stores

and displays customers transactions information when desired at any point in time in the cloud logs for all DA and Cc. Figure 7 illustrates the proposed model.

IJOART



Figure7.Proposed model for the CES

3.4.3 IMPLEMENTATION

The system accepts new registration or prompts for a new registration. Essentially, it is either a customer logs in or registers before initiating any transaction on the CES. Figure 8 shows CES user interface. The descriptive flow

charts used to develop the entire system model are presented below

Figure 8.E-commerce Cloud Portal (User Interface)

IJOART



Figure 9 E-commerce Cloud Portal (Login Interface)

Figure 10: E-commerce Cloud Portal (Registration Interface)

IJOART



Figure 11.E-commerce Cloud Super Admin Interface

IJOART



Figure 12. E-Commerce Cloud Register Admin Interface

Figure. 13 E-commerce Cloud Customer Info DB

IJOART



Figure 14: E-commerce Cloud Audit Log Interface

IJOART



Figure 15: E-commerce Cloud Assigned Administrators Interface

Figure 16: E-commerce Cloud Assigned Administrators Interface

IJOART



This work used adobe dream weaver as the integrated development environment with a visual editor that supports Web

technologies such as CSS, JavaScript, and various server-side scripting languages and frameworks including ASP (ASP JavaScript, ASP VBScript, ASP.NET C#, and ASP.NET VB), Code Fusion, Scriptlet, and PHP. The IDE was configured

with My SQL server in XAMP control panel which has integrated supports for Apache server and MySQL database. In this work, entire program using the design phase of the SDLC waterfall model with Reuse model was tested using

different data and system platform. Before the proposed e commerce was made fully operational, it was thoroughly tested on a local host server while

debugging and ensuring there is no syntax errors syntax errors giving rise to successful compilations while testing with real user test data. After several tests, the reliability of the system was ascertained while making the necessary

documentation. In this research, the e commerce model was designed to run on the high performance data centre network infrastructure comprising a MikroTik server with local host HP Envy m4 window8 running Apache, MySQL and CS4

adobe Dreamweaver IDE.

Figure17 .CES user registration pictorial Framework

Figure 18.CES login Interface pictorial Framework

IJOART



Figure 19 CES Shoping Cart (users accepted )

These at a glance show the major display that shows the level of dependability being projected to make security in e-

commerce reliable.

4 .Results and Discussion The display of the user interface was in line with the design flow charts. The flowcharts for the e-ecommerce system

model show the level of reliability of customer’s security. Figure 7 the e-commerce design, in which security was tested yield satisfactory results. The design of the HMAC specification was observed to eliminate attacks on e-commerce system

based on the key with a hash function. The security of HMAC using MAC = H(key ∥ message) is very robust and reliable. Unlike in most encryption schemes, the computational overhead of the CT-CIA is lower as the processor spends little time

generating the inclusion code string. Again, in some existing cryptographic algorithms as seen in literature, their methods suffer from a serious flaw, in that with most hash functions, it is easy to append data to the message without knowing the

key and obtain another valid MAC (length-extension attack). The alternative, appending the key using MAC = H(message

∥ key), suffers from the problem that an attacker who can find a collision in the (unkeyed) hash function can use it quickly

to compromise the e-commerce system. Using MAC = H(key ∥ message ∥ key) is better, but various security papers have suggested vulnerabilities with this approach, even when two different keys are used. No known extensions attacks have

been found against the current HMAC specification which is defined as H(key ∥ H(key ∥ message)) because the outer

application of the hash function masks the intermediate result of the internal hash. The values of ipad and opad are not

Figure 20 CES login Interface( Denying access)

IJOART



critical to the security of the algorithm, but were defined in such a way to have a large Hamming distance from each other

and so the inner and outer keys will have fewer bits in common. The security reduction of HMAC does require them to be different in at least one bit. This is used to generate the authorization code for the e-commerce transaction via mobile

phone SMS. Table 1 summarises a comparison between the proposed and some existing schemes

Table 1: Comparison between Hybrid cryptographic Schemes and CT-CIA schemes (Performance Evaluation)

5. CONCLUSION

This research work developed a security integrated e-commerce system that leverages intelligent CT-CIA. This new Security scheme which is based on hybrid XAMP MD5 Random curve cryptography with customer tracker code

inclusion, addresses the vulnerability in e-commerce domain. This scheme enables customers to carry out reliable and flexible online transaction with ease. The extra security layer or feedback security guaranteed adequate security for online

transactions. Therefore this new security model is expected that over 80%of business owner will be offing their transaction via this platform. This design of E-commerce security model reliability application is compactable with all browsers after

following the ORP waterfall methodology. A comparison between the proposed scheme and the generalized cryptographic schemes shows that the performance of the proposed system is very satisfactory.

References 1. Bela, Genge, Adela Beres, Piroska haller, “A Survey on Cloud-based Software Platforms to Implement Secure

Smart Grids”, In IEEE, 2014. 2. S. Subashini, V. Kavitha , “A survey on security issues in service delivery models of cloud computing “, Journal

of Network and Computer Applications, Elesiver Scidirect. 34 (2011) 1–11. 3. Google Analytics. Online

https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview?hl=en, Retrived on 13

th Sept.2015.

Parameter Hybrid Security

Schemes

CT-CIA

Cryptographic Security

Secrecy Fuses cryptographic

uniqueness with secrecy

caters for secrecy with least overhead

Comparison

process

Takes a lot of

computation resources

This is done easily

with fewer computation

resources

User convenience requires huge effort from the

user

Requires less memorization of PINs

Vulnerability to

eavesdropping

It can be hacked

if discovered by constant

monitoring,

With constant

monitoring, passwords can never

be discovered

Vulnerability to brute force attack

Highly vulnerable

Less vulnerable

Countermeasures Counter attacks

have not yet been

documented

Counter attacks on

password systems are

well documented

Cost Effectiveness

Very Expensive PIN code systems are relatively cheap

IJOART

https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview?hl=en



4. S. Subasree And N. K. Sakthivel, “ Design of A New Security Protocol Using Hybrid Cryptography

Algorithms”, IJRRAS 2 (2), February 2010. 5. Hakim Fourar-Laidi, “A smart card based framework for securing e-business transactions in distributed

systems”, Journal of King Saud University –Computer and Information Sciences, Computer and Information Sciences (2013) 25, 1–5 http://dx.doi.org/10.1016/j.jksuci.2012.05.002.

6. Okafor N. I, Okafor K.C, Udeze C.C. & Onwusuru I. M, “3-Tier E-Comp: A Novel E-Commerce Management Portal Based On Secured SDLC Approach”, Computing, Information Systems, Development Informatics &

Allied Research ISBN 978-2257-44-7(Print) ISSN 2167-1710 (online) Vol. 4 No. 4 Dec. 2013.Pp.1-11. 7. Okafor KC, Udeze CC, Okafor CM, ISCLOUD V.1.0: An Interactive Cloud Shopping Cart Based On Software

As A Service Computing Model With Hybrid Cryptographic Algorithm”, International Journal Of Engineering And Computer Science ISSN:2319-7242 Vol. 2 Issue 6 June, 2013 Page No. 1727-1738.

8. John Mitchell, “Web Application Security”, CS 155, Spring 2010

IJOART

http://dx.doi.org/10.1016/j.jksuci.2012.05.002

Documents

Increasing Security Reliability in E-Commerce ... - IJOART