Title: A Study on Transaction Security in Electronic Commerce (電子商務交易安全之研究)
Author: 許義昌 (Yi Chang Hsu)
Institution: Chang Gung University (長庚大學)
Department: Ph.D. Program, Graduate Institute of Business Administration
Advisor: 黃景彰 (J.J. Hwang)
Degree: Doctoral
Year: 2012
Keywords: transaction security calculation cloud service (交易安全計算雲端服務); discretionary transaction security control (自主掌控的交易安全); composite hash function (複合雜湊運算式); electronic commerce (電子商務); transaction confirmation (交易確認)
Cited by: 1 journal article, 0 doctoral theses, 0 books, 0 book chapters (1 excluding self-citations; 0 co-citations)
Abstract:
Under the cloud-computing paradigm, client devices with limited computing power are becoming common. The security mechanisms traditionally used for e-commerce transactions, namely one-time passwords that confirm the user's intent to transact, digital signatures that detect unauthorized changes to transaction content, and encryption that protects user data, may in future be impossible to run on the client device at all. At the same time, merchants increasingly rent storage from other providers, so stored data must be encrypted; but the decryption key must not be held by the same provider that stores the ciphertext, or the data can be improperly disclosed. Solving these transaction-security problems is the key to establishing user trust.
This thesis proposes a model in which an independent transaction security calculation service cooperates with the e-commerce system, together with a matching transaction-confirmation mechanism. Its distinguishing features are these. When registering with the e-commerce system, the user chooses a secret that only he or she memorizes. That secret must be supplied to the transaction security calculation system at every transaction confirmation; only then can the user's data be correctly decrypted, the one-time transaction password computed, and the digital signature produced with which the transaction is confirmed to the e-commerce system. The record the e-commerce system produces after executing the transaction is likewise encrypted by the transaction security calculation system and returned before it is stored. In other words, the user's secret is the key both to executing a transaction and to encrypting and decrypting the data, which gives the user discretionary control over transaction security.
Adding the transaction security calculation system realizes the administrative benefit of separation of powers: the encrypted data and the decryption key are never managed by the same provider. At the same time, the process neither depends on the client device's computing power nor requires any additional equipment, so user convenience is preserved and the new e-commerce model is more feasible to implement.
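The following is a worked model of the three-party arrangement the abstract describes, written for this page as an added example; it is not the thesis's code, and the thesis's actual constructions (including the "composite hash function" named in the keywords) are not given on this page. The assumptions are: PBKDF2 to stretch the memorized secret into per-user keys; an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC as a stand-in for a real AEAD such as AES-GCM; and an HMAC-based one-time transaction password, verified by the e-commerce system with a per-user confirmation key it receives at registration, in place of the digital signature the abstract describes (the HMAC binds the OTP to the exact order contents, but unlike a signature it gives the e-commerce system no non-repudiation, since it holds the verification key itself). The class names, the user "alice", the secret and the sample order are all constructed for the illustration.

```python
"""Three-party transaction confirmation: the user's memorized secret is the only
source of keys; the e-commerce system holds ciphertext but no key; the separate
calculation service holds a salt but neither the secret nor any key at rest.
All constructions here are assumptions made for this example."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(user_secret: str, salt: bytes) -> tuple[bytes, bytes, bytes]:
    """Stretch the memorized secret into (enc_key, mac_key, confirm_key).
    PBKDF2 is this example's choice; the page does not specify the thesis's KDF."""
    km = hashlib.pbkdf2_hmac("sha256", user_secret.encode(), salt, 100_000, dklen=96)
    return km[:32], km[32:64], km[64:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher such as AES-GCM."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong secret yields a wrong tag."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong secret or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def canonical(order: dict) -> bytes:
    """Deterministic encoding so both parties hash the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def transaction_otp(confirm_key: bytes, order: dict) -> str:
    """One-time transaction password bound to the exact order contents."""
    return hmac.new(confirm_key, b"otp|" + canonical(order), "sha256").hexdigest()[:8]


class TransactionSecurityService:
    """Separate provider: keeps a per-user salt only, never the secret or keys."""

    def __init__(self) -> None:
        self._salt: dict[str, bytes] = {}

    def register(self, user_id: str, user_secret: str, profile: dict) -> tuple[bytes, bytes]:
        self._salt[user_id] = secrets.token_bytes(16)
        ek, mk, ck = derive_keys(user_secret, self._salt[user_id])
        return seal(ek, mk, json.dumps(profile).encode()), ck

    def confirm(self, user_id: str, user_secret: str, sealed_profile: bytes, order: dict) -> tuple[str, bytes]:
        """Needs the secret every time: decrypt the profile, compute the OTP, seal the record."""
        ek, mk, ck = derive_keys(user_secret, self._salt[user_id])
        profile = json.loads(unseal(ek, mk, sealed_profile))
        record = {"order": order, "ship_to": profile["address"]}
        return transaction_otp(ck, order), seal(ek, mk, json.dumps(record).encode())


class ECommerceSystem:
    """Stores ciphertext plus a per-user confirmation key; cannot decrypt anything."""

    def __init__(self) -> None:
        self.profiles: dict[str, bytes] = {}
        self.confirm_keys: dict[str, bytes] = {}
        self.records: dict[str, list[bytes]] = {}

    def register(self, user_id: str, sealed_profile: bytes, confirm_key: bytes) -> None:
        self.profiles[user_id], self.confirm_keys[user_id] = sealed_profile, confirm_key

    def place_order(self, user_id: str, order: dict, otp: str, sealed_record: bytes) -> bool:
        """Accept only if the OTP matches the order as received; store the sealed record."""
        if not hmac.compare_digest(otp, transaction_otp(self.confirm_keys[user_id], order)):
            return False
        self.records.setdefault(user_id, []).append(sealed_record)
        return True


def scenario() -> dict:
    """Constructed run: honest order, order altered after confirmation, wrong secret,
    and what the storage provider can read."""
    tss, shop = TransactionSecurityService(), ECommerceSystem()
    secret = "correct horse battery staple"  # memorized by the user only (constructed)
    sealed_profile, ck = tss.register("alice", secret, {"address": "1 Main St"})
    shop.register("alice", sealed_profile, ck)
    order = {"item": "SKU-42", "qty": 1, "amount": 1200}
    otp, rec = tss.confirm("alice", secret, shop.profiles["alice"], order)
    honest = shop.place_order("alice", order, otp, rec)
    tampered = shop.place_order("alice", {**order, "amount": 12000}, otp, rec)
    try:
        tss.confirm("alice", "wrong secret", shop.profiles["alice"], order)
        wrong_secret_rejected = False
    except ValueError:
        wrong_secret_rejected = True
    provider_sees_plaintext = (b"1 Main St" in shop.profiles["alice"]
                               or b"1 Main St" in shop.records["alice"][0])
    return {"honest": honest, "tampered": tampered,
            "wrong_secret_rejected": wrong_secret_rejected,
            "provider_sees_plaintext": provider_sees_plaintext}
```

Two properties the abstract leaves implicit, and which a deployment of this model must enforce, show up directly in the code. First, the calculation service sees the secret in the clear at every confirmation; it must discard it after use, and it must not collude with the e-commerce system, because together they hold both the ciphertext and the means to derive the key. Second, the secret is a memorized password, so its entropy bounds the strength of every key derived from it; the derivation has to be salted and slow, and the service has to rate-limit confirmation attempts, since each attempt is an online guess at the secret.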