
Secure Electronic Commerce Building the Infrastructure for Digital Signatures and Encryption

by Warwick Ford; Michael Baum
  • ISBN13:

    9780130272768

  • ISBN10:

    0130272760

  • Edition: 2nd
  • Format: Paperback
  • Copyright: 2000-12-04
  • Publisher: PEARSO

Summary

"More now than ever, business has a responsibility to understand the trade-offs, costs, benefits and risks involved in choosing any particular type of information security technology. That necessary due diligence begins in Chapter 1 of this book." -Spence Abraham, United States Senate

Your e-commerce site is only as successful as it is secure.

Customer confidence is a prerequisite for successful e-commerce, and security is the underpinning of that confidence. To make your e-commerce deployment safe and functional, you need to know not merely the latest security technologies, but also the most current legal strategies. This revised best seller combines the advice of seasoned experts from both the technical and legal fields to help you create a winning business strategy. Traditional business users will learn how e-commerce transactions differ from paper-based commerce, and how to minimize the risks while maximizing the benefits. Technical users will appreciate the extensive coverage of the latest security technologies and how they are applied in the business environment.

Internet and security topics:
  • Digital signatures for secure transactions
  • Public-key infrastructure and certification policies
  • Firewalls, virtual private networks, Web and e-mail security

Legal and business topics:
  • Legal principles and practices to achieve enforceability
  • Regulations and guidelines in the U.S. and internationally
  • Non-repudiation and the role of trusted third parties

Newcomers will appreciate the clear explanations of the origins and development of secure e-commerce. More experienced developers can move straight to the detailed technical material. Anyone who is involved in e-commerce design, management, or operation needs Secure Electronic Commerce.

Author Biography

Warwick Ford, M.E., Ph.D., is Vice President for Strategic Technologies and Chief Technology Officer at VeriSign, Silicon Valley's premier provider of identity, security, and payment services for e-commerce.

Michael Baum, J.D., M.B.A., CISSP, is Vice President for Practices and External Affairs at VeriSign.

Table of Contents

Forewords xv
Preface xxiii
Introduction 1(10)
The Upside 2(1)
The Downside 3(2)
E-Commerce Compared with Paper-Based Commerce 5(1)
Making E-Commerce Secure 6(2)
Book Road Map 8(3)
The Internet 11(28)
Computer Networking 11(5)
Distributed Applications 11(1)
Computer Networks 12(2)
The Internet 14(2)
Intranets, Extranets, and Virtual Private Networks 16(1)
Internet Applications 16(3)
The World Wide Web 16(2)
Electronic Messaging 18(1)
The Internet Community 19(7)
Service Providers 19(1)
Internet Standards 20(2)
Internet Name Assignment 22(2)
Securing the Internet 24(1)
Mobile Wireless Internet Access 25(1)
Internet Commerce 26(4)
Business-to-Consumer E-Commerce 26(1)
Business-to-Business E-Commerce 27(1)
EDI on the Internet 28(1)
Open Internet Commerce 29(1)
Example Transaction Scenarios 30(2)
Summary 32(7)
Business and Legal Principles 39(54)
The Electronic Commerce Transaction 40(1)
Creating a Binding Commitment 41(3)
Functional Equivalence 41(1)
Sources of Law 42(2)
Validity and Enforceability of Agreements 44(8)
Offer and Acceptance 45(2)
Consideration 47(1)
Statutes of Frauds 47(3)
Performance 50(1)
Compliance 51(1)
Breach 51(1)
Enforcement 52(4)
Liability and Damages 52(1)
Evidence 53(3)
Other Legal Issues 56(8)
Notice and Conspicuousness 57(1)
Privacy and Other Consumer Issues 58(2)
Personal Jurisdiction 60(1)
Negotiability 61(1)
Intellectual Property 62(1)
Taxation 63(1)
Illegal Bargains and Criminal Law 64(1)
Dealing with Legal Uncertainties 64(3)
Agreements 65(1)
Security Provisions in Model Agreements 66(1)
Two Business Models 67(2)
The Formalistic Model 67(1)
The Risk-Based Model 67(1)
Analysis of These Models 68(1)
Business Controls in a Digital Environment 69(1)
Summary 70(23)
Information Security Technologies 93(48)
Information Security Fundamentals 93(8)
Basic Concepts 94(1)
Threats 95(2)
Safeguards 97(1)
Non-repudiation 98(3)
Introduction to Cryptography 101(8)
Symmetric Cryptosystems 101(3)
Message Authentication Codes 104(1)
Public-Key Cryptosystems 105(3)
RSA Algorithm 108(1)
Digital Signatures 109(5)
RSA Digital Signatures 110(2)
Digital Signature Algorithm (DSA) 112(1)
Elliptic Curve Digital Signature Algorithm 112(1)
Hash Functions 113(1)
Key Management 114(6)
Fundamentals 114(3)
RSA Key Transport 117(1)
Diffie-Hellman Key Agreement 118(1)
Distribution of Public Keys 119(1)
Authentication 120(12)
Passwords and PINs 121(1)
Authentication Protocols 122(2)
Kerberos 124(3)
Personal Tokens 127(1)
Biometrics 128(1)
Roaming Protocols 129(2)
Address-Based Authentication 131(1)
System Trust 132(1)
Summary 133(8)
Internet Security 141(40)
Segmenting the Problem 141(5)
Network-Layer Security 142(1)
Application-Layer Security 143(1)
System Security 144(2)
Firewalls 146(1)
IPsec and Virtual Private Networks 147(5)
Security Policy and Security Associations 149(1)
Authentication Header Protocol 150(1)
Packet Encryption Protocol 151(1)
IPsec Key Management 151(1)
Web Security with SSL/TLS 152(5)
Other Web Security Protocols 157(3)
Wireless Transport Layer Security 157(1)
Signed Downloaded Objects 158(1)
Client Digital Signatures 159(1)
Platform for Privacy Preferences 160(1)
Secure Messaging and S/MIME 160(7)
Messaging Security Services 160(2)
S/MIME 162(5)
Other Messaging Security Protocols 167(1)
Web-Based Secure Mail 167(1)
Pretty Good Privacy 167(1)
Legacy Secure Messaging Protocols 168(1)
Secure Payments on the Internet 168(5)
Secure Payment Data Capture 169(1)
Online Payment Processing 169(1)
The SET Protocol for Bank Card Payments 170(2)
Secure EDI Transactions 172(1)
Summary 173(8)
Certificates 181(70)
Introduction to Public-Key Certificates 181(6)
Certification Paths 184(2)
Validity Periods and Revocation 186(1)
Legal Relationships 186(1)
Public-Private Key-Pair Management 187(4)
Key-Pair Generation 187(1)
Private-Key Protection 188(1)
Key-Pair Update 189(1)
How Many Key Pairs Does a User Need? 190(1)
Certificate Issuance 191(5)
Registration Authorities 191(1)
Enrollment 192(1)
Certificate Generation 193(1)
Subject Authentication 194(1)
Certificate Update 195(1)
Certificate Distribution 196(2)
Certificate Accompanying Signature 196(1)
Distribution via Directory Services 197(1)
Other Distribution Methods 198(1)
X.509 Certificate Format 198(18)
Base Certificate Format 198(2)
X.500 Names 200(2)
Object Registration 202(3)
Extended (Version 3) Certificate Format 205(3)
Naming in X.509 Version 3 208(1)
Standard Certificate Extensions 209(4)
The PKIX Certificate Profile 213(1)
Qualified Certificates 214(2)
ASN.1 Notation and Encoding 216(1)
Certificate Revocation 216(10)
Requesting Revocation 216(1)
Certificate Revocation Lists 217(2)
Broadcast CRLs 219(1)
Online Status Checking 220(2)
Short-Lived Certificates 222(1)
Other Revocation Methods 222(2)
Revocation Process Timeline 224(2)
X.509 Certificate Revocation List 226(9)
CRL Format 226(2)
General Extensions 228(1)
CRL Distribution Points 229(2)
Delta-CRLs 231(1)
Indirect CRLs 232(1)
Certificate Suspension 233(1)
Status Referrals 234(1)
Key-Pair and Certificate Validity Periods 235(3)
Encryption-Related Key Pairs 235(1)
Digital Signature Key Pairs 236(1)
Certification Authority Signature Key Pairs 237(1)
Certificate Formats Other than X.509 238(1)
Certification of Authorization Information 238(5)
Authorization Information in X.509 Public-Key Certificates 239(1)
Attribute Certificates 240(2)
Simple Public-Key Infrastructure 242(1)
Summary 243(8)
Public-Key Infrastructure 251(38)
PKI for the Typical E-Commerce Enterprise 251(2)
Certification Authority Structures: Traditional Models 253(6)
Hierarchies (Trees) 254(3)
Forests of Trees 257(2)
Certification Authority Structures: The Generalized Model 259(4)
Certification Path Discovery 259(3)
Certification Path Validation 262(1)
Certificate Policies 263(6)
The Certificate Policy Concept 263(1)
Certificate Policies Extension 264(2)
Policy Mappings Extension 266(1)
Policy Constraints and Inhibit-Any-Policy Extensions 267(1)
Contents of a Certificate Policy 268(1)
Name Constraints 269(2)
Certificate Management Protocols 271(4)
PKCS Standards 271(1)
Certificate Management Protocol (CMP) 271(2)
Certificate Management Over CMS (CMC) 273(1)
Server-Based Public-Key Validation 274(1)
PGP's Web of Trust 275(2)
Some Multienterprise PKI Examples 277(7)
Privacy Enhanced Mail 277(2)
Secure Electronic Transaction (SET) 279(2)
Identrus 281(1)
VeriSign Trust Network 282(1)
Federal Bridge Certification Authority 282(2)
Government of Canada PKI 284(1)
Pragmatics of PKI Interoperation and Community Building 284(1)
Summary 285(4)
Legislation, Regulation, and Guidelines 289(44)
General E-Commerce Legislation and Regulation 290(12)
Electronic Funds Transfer Act and Regulation E 290(1)
UCC Article 4A: Funds Transfers 291(1)
Electronic Signature Legislation 292(1)
UCC Draft Revisions 292(1)
UCITA 293(1)
UN Model Law on Electronic Commerce 294(1)
UETA 294(2)
U.S. Federal Legislation 296(3)
EU Electronic Signature Directive 299(1)
UN Draft Model Law on Electronic Signatures 300(2)
Digital Signature Laws 302(8)
Technology 304(1)
Scope and Detail 304(2)
Writings and Signatures 306(1)
Certification Authority Quality and Standards 307(1)
Subscriber Requirements 307(1)
Apportionment of Liability 307(3)
General E-Commerce Guidelines 310(1)
PKI-Related Standards and Guidelines 311(6)
American Bar Association Digital Signature Guidelines 311(1)
General Usage for International Digitally Ensured Commerce 312(1)
IETF Certificate Policy and Practices Framework 312(1)
American Bar Association PKI Assessment Guidelines 313(1)
British Standard BS 7799-1:1999: A Code of Practice for Information Security Management 313(1)
Standard Qualified Certificate Policy for Certification Service Providers Issuing Qualified Certificates 314(1)
Federal Information Processing Standard Publication 140 315(1)
CS2: Practical Commercial Protection 315(1)
WebTrust Principles and Criteria for System Reliability 315(1)
Financial Services Industry Documents 316(1)
Health Care Industry Documents 316(1)
Summary 317(16)
Non-repudiation 333(52)
Concept and Definition 333(4)
Non-repudiation in E-Commerce 334(3)
Types of Non-repudiation 337(5)
Non-repudiation of Origin 338(2)
Non-repudiation of Delivery 340(1)
Non-repudiation of Submission 341(1)
Activities and Roles 342(4)
Non-repudiation Request 343(1)
Record Generation 344(1)
Record Distribution 345(1)
Record Verification 345(1)
Record Retention 346(1)
Mechanisms for Non-repudiation of Origin 346(5)
Originator's Digital Signature 346(2)
Digital Signature of a Trusted Third Party 348(1)
Digital Signature of Trusted Third Party on Digest 349(1)
Inline Trusted Third Party 350(1)
Combinations of Mechanisms 350(1)
Mechanisms for Non-repudiation of Delivery 351(2)
Recipient Acknowledgment with Signature 351(1)
Trusted Delivery Agent 352(1)
Progressive Delivery Reports 353(1)
Non-repudiation of Submission 353(1)
Trusted Third Parties 353(8)
Public-Key Certification 354(1)
Identity Confirmation 355(1)
Time Stamping 355(3)
Records Retention 358(1)
Delivery Intermediation 358(1)
Dispute Resolution 359(1)
Required Attributes of Trusted Third Parties 359(1)
Notaries 359(2)
Dispute Resolution 361(4)
Technology-Based Evidence 362(1)
Expert Testimony Regarding Technology-Based Evidence 363(2)
Summary 365(20)
Certification Policies and Practices 385(48)
Concepts 385(8)
Privacy Enhanced Mail (PEM) Policy Statement 385(1)
Certification Practice Statement 386(1)
Certificate Policy (CP) 387(1)
The Relationship between a CPS and a CP 387(2)
Assurance Levels 389(1)
Certificate Classes 390(1)
Organization of CP or CPS Content 391(2)
CP and CPS Topics: Introduction of a CP or CPS 393(2)
Community Membership and Interoperation 393(1)
Certificate Usage 393(1)
Digital Signature Verification Process 394(1)
Writings and Signatures 395(1)
Identification 395(1)
CP and CPS Topics: General Provisions 395(9)
Obligations 396(2)
Liability 398(2)
Financial Responsibility 400(1)
Interpretation and Enforcement 401(1)
Publication and Repository 401(1)
Compliance Audit 402(1)
Confidentiality 403(1)
Right to Investigate Compromises 404(1)
Criminal Activity 404(1)
CP and CPS Topics: Identification and Authentication 404(3)
Initial Registration: Naming 405(1)
Initial Registration: Authentication 405(2)
CP and CPS Topics: Operational Requirements 407(7)
Certificate Application 407(2)
Certificate Issuance 409(1)
Certificate Acceptance 410(1)
Certificate Suspension and Revocation 410(1)
Record Archiving 411(2)
Compromise and Disaster Recovery 413(1)
Certification Authority Termination 413(1)
CP and CPS Topics: Physical, Procedural, and Personnel Security Controls 414(2)
CP and CPS Topics: Technical Security Controls 416(2)
Key-Pair Generation and Installation 417(1)
Private-Key Protection 417(1)
Other Technical Security Controls 417(1)
CP and CPS Topics: Certificate and CRL Profiles 418(1)
CP and CPS Topics: Specification Administration 419(1)
Systematizing CP and CPS Development 420(1)
Summary 421(12)
Public-Key Infrastructure Assessment and Accreditation 433(38)
The Role of Assessment in Public-Key Infrastructure 434(8)
Users of Assessments 435(1)
Qualifications of Assessors 435(1)
Assessment Targets 436(3)
Assessment Criteria 439(1)
Assessment Types and Requirements 440(1)
Models of Assessment 441(1)
Evolution of Information System Assessment Criteria 442(5)
Features and Use of the Common Criteria 444(3)
Mutual Recognition of Common Criteria Certificates 447(1)
Liability of the Commercial Licensed Evaluation Facility 447(1)
Noteworthy Assessment and Accreditation Schemes 447(12)
National Schemes 447(8)
Regional Schemes 455(2)
Sectoral Schemes 457(2)
Rationalization of Assessment Schemes 459(1)
Summary 460(11)
Appendix A Forms of Agreement 471(18)
Appendix B The U.S. Federal E-Sign Act 489(14)
Appendix C ASN.1 Notation 503(8)
Appendix D X.509 in ASN.1 Notation 511(30)
Appendix E United Nations Model Law on Electronic Commerce 541(10)
Appendix F How to Obtain Referenced Documents 551(4)
Appendix G Legacy Application Security Standards 555(6)
Appendix H PKI Disclosure Statement 561(2)
Appendix I Repudiation In Law 563(6)
Appendix J Public-Key Cryptosystems 569(20)
Appendix K European Signature Directive 589(6)
Index 595

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Excerpts

Preface

Our entry into the twenty-first century has been accompanied by the emergence of electronic commerce (e-commerce) as both an enabler and a component of business reengineering. E-commerce offers great rewards for all who embrace it. However, it also brings considerable risks for the unwary. While new technologies, with their complexities and explosive adoption rates, can be largely blamed for creating these new risks, new technologies also represent a large part of the solution, in managing and mitigating these risks. The latter technologies include, in particular, digital signatures and public-key cryptography. However, achieving secure electronic commerce requires much more than the mere application of such core technologies. It also depends upon interdependent technological, business, and legal infrastructures that are needed to enable the use of these core technologies on a large scale. Our goal in this book is to describe the ingredients and recipe for making e-commerce secure, with emphasis on the role, practical deployment, and use of these infrastructures.

Why have an engineer and a lawyer teamed up to write this book? The answer is that secure e-commerce can only be achieved through a delicate interweaving of technological safeguards and legal controls. The most critical issues cannot be understood by studying either the technological or legal aspects in isolation. Therefore, an effective treatise on this subject must draw on both technological and legal expertise.

This book is targeted at a broad audience, including business professionals, information technologists, and lawyers: anyone who is concerned about the security of e-commerce. Readers are not expected to have substantive technological or legal backgrounds. To make this book valuable to businesspersons, consumers, bankers, product developers, service providers, legal counsel, policymakers, and students alike, we include introductory material to virtually all topics, with a view to bringing all readers up to a base knowledge threshold before addressing the more complex issues.

Since the first edition was published, there has been enormous progress in the field of secure e-commerce. While the core technologies have not changed materially, there have been significant advances in software tools and packaging, standards, legislation globally, and experience in applying the technologies described in the first edition to real-world e-commerce. In the standards arena, for example, we have seen the completion and widespread adoption of the S/MIME secure messaging specifications, IPsec virtual private network specifications, and IETF PKIX specifications for public-key infrastructure. Notable legislative activities have included diverse national and state digital signature laws, and the U.S. Federal E-Sign Act. There has also been solid progress on the assessment and accreditation of secure e-commerce infrastructure components, such as certification authorities. These advances have occurred in conjunction with a massive increase in e-commerce deployment generally, in particular, the rapid emergence of business-to-business Internet commerce. Consequently, in this edition we have focused more on those aspects of the field that are proving most important in today's marketplace and that require rigorous analysis to ensure successful deployment.

We have written this book with an international audience in mind. However, the reader will observe, especially in our coverage of practices and legal issues, a predominance of coverage from the U.S. perspective. In general, we believe the problems faced globally are much the same as those faced in the United States, so we anticipate that our coverage of problems and progress in the United States will map meaningfully to developments in other nations. If we sometimes fall short in this respect, we apologize to our international colleagues.