IADIS Internacional Conference e-Commerce 2004
DESIGN AND IMPLEMENTATIONS OF A BUSINESS TO CUSTOMER ELECTRONIC COMMERCE SYSTEM APPLYING WEB TECHNOLOGIES
Bo Meng, College of Computer Science, Wuhan University, 430079 Wuhan, P. R. China
Huan Guo Zhang, College of Computer Science, Wuhan University, 430079 Wuhan, P. R. China
Qian Xing Xiong, College of Computer Science and Technology, Wuhan University of Technology, 430063 Wuhan, P. R. China
ABSTRACT
With the development of web technologies, more and more enterprises are developing new electronic commerce systems with web technologies, while many others need to update their old electronic commerce systems with web technologies. In this paper we introduce and develop an electronic commerce system applying web technologies. The electronic commerce system is composed of a merchant system, a server electronic wallet, a payment gateway and secure web services. The merchant system includes an online shop, a query system and a merchant payment system. The server electronic wallet supports multiple payment protocols and instruments and is secure and extensible. The payment gateway is a general payment gateway that can support several bank payment gateway interfaces, so the difficulty and complexity of developing an electronic payment system is decreased. We also describe the login secure scheme and the password update scheme of the server electronic wallet. Finally we present its implementation.
KEYWORDS
Electronic Commerce, Web Technologies, Server Electronic Wallet, Electronic Payment.
ISBN: 972-98947-8-7 © 2004 IADIS
1. INTRODUCTION
With the development of web technologies, more and more enterprises are developing new electronic commerce systems with web technologies, while many others need to update their old electronic commerce systems with web technologies. An electronic commerce system generally includes a merchant system, payment tools and a payment gateway. The merchant system is mainly composed of an online shop, a query system and a merchant payment system. The functions of the online shop are the same as those of a shop in the real world: it is a website where the merchant lays out its goods, and the customer can explore the website and choose the goods they want to buy. The merchant uses the query system to query goods and order information. The merchant payment system is the merchant's part of the whole payment system. Payment tools in the real world generally include credit cards, cash, checks and so on. In electronic commerce the electronic payment tools are mainly electronic credit cards, electronic checks and electronic cash. People generally use an electronic wallet to store personal financial information and transaction information. An electronic wallet [1] is a collection of confidential data of a personal nature or relating to a business role carried out by an individual, managed according to conventions agreed with the owner, to facilitate completion of electronic transactions. Many electronic wallets have been developed; some are fat electronic wallets, such as the SET electronic wallet of Bank of China [2], and others are server electronic wallets, such as 51 QB [3], Shenzhen financial organization [4] and the NetPay server electronic wallet [5]. But they do not support multiple payment protocols and instruments together. When people and enterprises do electronic business with different merchants and pay the bills with an electronic wallet that supports only one payment protocol and instrument, they must install several electronic wallets to pay the different bills. This is not convenient for people and enterprises. So in our electronic commerce system we present a new server electronic wallet that supports multiple payment protocols and instruments. It is secure and extensible.
The payment gateway is the interface between the merchant payment system and the bank. Generally, every bank has its own payment gateway, such as the ASSIST Internet payment gateway [6], the DataCash bank payment gateway [7] and the CyberCash payment gateway [8], but these payment gateways are not compatible with each other, which increases the difficulty and complexity of designing and implementing the merchant's payment system. Hence in our electronic commerce system we present a general payment gateway. The merchant can use it to develop its payment system instead of using several different payment gateways. Thus the difficulty and complexity of the design and implementation of the payment system is decreased.
In this paper we introduce and develop an electronic commerce system applying web technologies. The electronic commerce system is composed of a merchant system, a server electronic wallet, a payment gateway and secure web services. The merchant system includes an online shop, a query system and a merchant payment system. The server electronic wallet supports multiple payment protocols and instruments and is secure and extensible. The payment gateway is a general payment gateway that can support several bank payment gateway interfaces, so the difficulty and complexity of developing an electronic payment system is decreased.
2. THE BUSINESS TO CUSTOMER ELECTRONIC COMMERCE SYSTEM ARCHITECTURE
The business to customer electronic commerce system architecture is described in Figure 1. The electronic commerce system is composed of a merchant system, a server electronic wallet, a payment gateway and secure web services. The merchant system includes an online shop, a query system and a merchant payment system. The server electronic wallet supports multiple payment protocols and instruments and is secure and extensible. The server electronic wallet is composed of a login module, a user information module, a register module, a payment instruments manager, a transaction evidence module, a payment protocol manager, a transaction module, a help module and a logout module. The payment protocol manager is the core of the server electronic wallet and is responsible for which payment protocol is chosen by the user and the merchant while the payment is being made. The payment instruments manager takes charge of the choice of payment instrument. The payment gateway is a general payment gateway and can support several bank payment gateway interfaces. The payment gateway is composed of a query system and a payment gateway manager. The payment gateway manager is responsible for calling the corresponding bank payment gateway interface according to the request of the merchant payment system and returning the response to the merchant payment system. The secure web services we developed are listed in Table 1.
Table 1. Secure web services
Web service             Description
PinitReq web service    Send to merchant
Opreq web service       Send to merchant
PinitRes web service    Send to server electronic wallet
AuthCapReq web service  Send to payment gateway
OPres web service       Send to server electronic wallet
Signedata web service   Public service
Enc web service         Public service
EncB web service        Public service
Decrpt web service      Public service
Verify web service      Public service
Ex web service          Public service
GateWay web service     Send to merchant
DataCash web service    Send to payment gateway
Figure 1. The business to customer electronic commerce system architecture [figure: merchant system (merchant payment manager with SET and SOCPT, online shop, query system); browser connected over SSL; server electronic wallet (login module, user information module, register module, transaction evidence module, logout module, help module, transaction module, payment instruments manager with ecash and credit card, payment protocols manager with SET and SOCPT); payment gateway (payment gateway manager with CyberCash and DataCash payment gateway interfaces to the CyberCash and DataCash payment gateways and banks, query system); all connected through secure web services/SSL]
3. THE SECURE MECHANISM OF LOGIN MODULE
In this section we describe the login secure scheme and the password update scheme.
Figure 2. Login secure scheme [figure: the server sends a random number as the inquiry to the client; the client computes the digest of the user name and plaintext password with a hash function, encrypts the inquiry with the digest and returns the user name and the response; the server gets the digest according to the user name from the database, decrypts the response to obtain inquiry' and compares inquiry and inquiry']
We describe the login secure scheme in Figure 2. The login secure scheme is a single-factor authentication scheme. First the server creates a random number as the inquiry and sends it to the client. Then the client encrypts the inquiry with the digest of the user name and plaintext password and uses the result as the response. The client sends the user name and the response to the server. The server gets the digest for that user name from the database, decrypts the response and obtains the inquiry. The server compares the inquiry recovered from the response with the inquiry it created. If they are the same, the user is legitimate; otherwise the user is not. The login secure scheme has the following advantages:
1. Only a symmetric encryption mechanism is used.
2. The plaintext password need not be stored or transferred.
3. The digest is stored in the database on the server; it need not be transferred between the server and the client.
4. It can avoid replay attacks and intermediary (man-in-the-middle) attacks.
Figure 3. Password update scheme [figure: the client computes the digest of the new user name and plaintext password, encrypts it with the digest of the old user name and plaintext password and sends the user name and the response to the server; the server gets the old digest according to the user name from the database, decrypts the response to obtain the new digest and updates the database]
We describe the password update scheme in Figure 3. The user must log in to the server electronic wallet before he updates his password. First the client encrypts the digest of the new user name and password with the digest of the old user name and password and uses the result as the response. The client sends the response and the user name to the server. The server gets the digest of the old user name and password for that user name from the database, decrypts the response and obtains the digest of the new user name and password. Finally the server updates the database.
The password update scheme has the following advantages:
1. Only a symmetric encryption mechanism is used.
2. The plaintext password need not be stored or transferred.
3. The digest is stored in the database on the server.
4. The digest need not be transferred between the server and the client.
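The login scheme (Figure 2) and the password update scheme (Figure 3) above, as an added example in Python that is not code from the paper: both sides' messages, with the server keeping only the digest and retiring each inquiry after one use. The paper does not name its symmetric cipher, so the cipher here is a stand-in constructed from an HMAC-SHA256 keystream under a fresh nonce; the function names, the digest construction and the sample user are assumptions.

```python
import hashlib
import hmac
import secrets

DB = {}       # server database: user name -> digest; the plaintext password is never stored
PENDING = {}  # server side: user name -> outstanding inquiry, single use

def digest(username: str, password: str) -> bytes:
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher (an assumption; the paper names none): XOR with an HMAC-SHA256 counter-mode keystream under a fresh nonce.
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_keystream(key, nonce, plaintext)

def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _xor_keystream(key, ciphertext[:16], ciphertext[16:])

def server_challenge(username: str) -> bytes:
    # Step 1: the server creates a random inquiry and sends it to the client.
    PENDING[username] = secrets.token_bytes(32)
    return PENDING[username]

def client_login_response(username: str, password: str, inquiry: bytes) -> bytes:
    # Step 2: the client encrypts the inquiry with the digest of user name and password.
    return sym_encrypt(digest(username, password), inquiry)

def server_login(username: str, response: bytes) -> bool:
    # Step 3: fetch the digest, decrypt the response and compare inquiry' with inquiry.
    # pop() retires the inquiry, so a replayed response has nothing left to match.
    inquiry, stored = PENDING.pop(username, None), DB.get(username)
    if inquiry is None or stored is None:
        return False
    return hmac.compare_digest(sym_decrypt(stored, response), inquiry)

def client_update_response(username: str, old_pw: str, new_pw: str) -> bytes:
    # Password update: encrypt the new digest with the old digest; the user is already logged in.
    return sym_encrypt(digest(username, old_pw), digest(username, new_pw))

def server_update_password(username: str, response: bytes) -> bool:
    # Decrypt with the old digest from the database to obtain the new digest, then store it.
    if username not in DB:
        return False
    DB[username] = sym_decrypt(DB[username], response)
    return True
```

Because the stored digest is password-equivalent and a recorded inquiry/response pair permits offline guessing of a weak password, the digest database needs the same protection as a password file.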
4. IMPLEMENTATIONS
The implementation of the business to customer electronic commerce system applies CAPICOM [9], XML [10] and web service [11] technologies. The electronic commerce system supports SOCPT (Secure Online Card Payment Protocol) [12] and the DataCash payment gateway. Figure 4 shows the interface of the server electronic wallet.
Figure 4. The interface of server electronic wallet
XML technology
XML [10] was developed by an XML Working Group formed under the auspices of the World Wide Web Consortium (W3C) in 1996. XML describes a class of data objects called XML documents and partially describes the behavior of computer programs which process them. XML documents are made up of storage units called entities, which contain either parsed or unparsed data. Parsed data is made up of characters, some of which form character data, and some of which form markup. Markup encodes a description of the document's storage layout and logical structure. XML provides a mechanism to impose constraints on the storage layout and logical structure. XML has now become the standard for Internet data exchange in electronic business, so in our electronic commerce system we use XML as the data exchange format.
Web service
In the past, three distributed object models were used: DCOM [13] from Microsoft, CORBA [14] from the Object Management Group and RMI [15] from Sun. These technologies provide reliable and updatable mechanisms that satisfy the requirements of applications, but they have two disadvantages. One is that they are not compatible with each other. The other is that a tightly coupled system must be developed in order to apply them. These technologies are therefore not suitable for Internet environments. Web services can deal with both disadvantages. A web service [11] is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format. Other systems interact with the web service in a manner prescribed by its description using SOAP [16,17] messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards. A web service is an abstract notion that must be implemented by a concrete agent. The agent is the concrete piece of software or hardware that sends and receives messages, while the service is the resource characterized by the abstract set of functionality that is provided. To illustrate this distinction, you might implement a particular web service using one agent one day, and a different agent the next day with the same functionality. Although the agent may have changed, the web service remains the same. Web services provide a practical solution for cooperative work between data and systems. A web service uses XML-based messages to exchange data among different component models, operating systems and programming languages. Web services have the qualities of good encapsulation, loose coupling, use of standard protocols, integration, and abstraction of implementation from application. A web service consumer only needs to know the input, output and location of the web service provider in order to use it. We have developed the thirteen web services described in Table 1 in our electronic commerce system.
CAPICOM
CAPICOM [9] provides services that enable application developers to add cryptography-based security to applications. CryptoAPI includes functionality for authentication using digital signatures, for enveloping messages, and for encrypting and decrypting data.
5. CONCLUSION
With the development of web technologies, more and more enterprises are developing new electronic commerce systems with web technologies, while many others need to update their old electronic commerce systems with web technologies. In this paper we introduced and developed an electronic commerce system applying web technologies. The electronic commerce system is composed of a merchant system, a server electronic wallet, a payment gateway and secure web services. The merchant system includes an online shop, a query system and a merchant payment system. The server electronic wallet supports multiple payment protocols and instruments and is secure and extensible. The payment gateway is a general payment gateway that can support several bank payment gateway interfaces, so the difficulty and complexity of developing an electronic payment system is decreased. We also described the login secure scheme and the password update scheme of the server electronic wallet. Finally we presented its implementation.
REFERENCES
1. Andrew Hinchley, Authentication and transaction support - the role of electronic wallet, http://www.radicchio.org/member_center/download/t2r/9th-tb5-andrew-Hinchley.ppt
2. http://supermart.stockstar.com/supermarket/chinabank/aqzs.htm
3. https://paygo.51qb.com.cn/index.jsp
4. https://www.szpos.com/webhelp/faq.jsp#2
5. Xiaoling Dai, John Grundy, 2002, Architecture of a Micro-payment System for Thin-client Web Applications, Proceedings of the 2002 International Conference on Internet Computing, Las Vegas.
6. http://www1.assist.ru/eng/find_tranz.htm
7. https://reporting.datacash.com/reporting2/login
8. http://www.cybercash.com
9. http://msdn.microsoft.com/library/default.asp?Url=/library/en-us/security/security/capicom_reference.asp
10. http://www.w3.org/XML/
11. Web Services Architecture, W3C Working Draft, 8 August 2003, http://www.w3.org/TR/ws-arch/
12. Bo Meng, Qianxing Xiong, 2004, SOCPT: A Secure Online Card Payment Protocol, Proceedings of the Eighth International Conference on CSCW in Design, Xiamen, P. R. China, pp. 679-684.
13. DCOM Technical Overview, http://msdn.microsoft.com/library/default.asp?Url=/library/enus/dndcom/html/msdn_dcomtec.asp
14. CORBA, http://www.omg.org/gettingstarted/corbafaq.htm
15. Java Remote Method Invocation, http://java.sun.com/marketing/collateral/javarmi.html
16. SOAP Version 1.2 Part 0: Primer, http://www.w3.org/TR/soap12-part0/
17. SOAP Version 1.2 Part 1: Messaging Framework, http://www.w3.org/TR/soap12-part1/