An online shopping system permits a customer to submit online orders for items and/or services from a store. Usually, online shopping products are displayed and maintained on a web portal. A Web Portal is a type of Website. A Web Portal acts as a gateway to the internet. Web portals provide a single point of access to a variety of content and core services, and ideally offer a single sign-on point.
The main challenge for online shopping portals is to provide security for the transactions involved. Customers, usually need to enter their crucial information such as, credit card number, debit card number etc. to buy products. Today, most of the shopping portals make use of Secured Socket Layer (SSL) to transfer crucial data. Existing system was capable of providing a very good end-to-end security. But, it cannot encrypt only a part of information; hence a large cipher text is generated.
To, address the issues not considered by the current system, a new system is proposed here, which makes use of XML encryption to provide security. XML Encryption is intended to provide security for transactions by generating a compact cipher text, which is transferred over the net as an XML document.
In the project work the development of secured web portal is undertaken. Online shopping portals are a new face of our real time market hence must be designed in a creative but simple manner so that it is easy for the users to transact from it. There is a need to analyze this new player by applying the XML encryption technique which provides end-to-end security for applications that require secure exchange of structured data.
INTRODUCTION
1.1 E-Commerce
Commerce refers to the all activities surrounding the purchase or sale of goods or services. The various activities include Marketing, Sales, Payment, Fulfillment and customer service these activities applies to the business done on the web. E-Commerce refers to the process of buying or selling a product or service over an electronic network i.e. an Internet.
E-Commerce encompasses three types of business transactions.
1. B2C E- Commerce: This type can occur between a business and consumer. Example: A business that engages between B2C E-Commerce is Amazon. Amazon promotes itself as the place to find and discover anything a user wants to buy online i.e. by selling videos, books, CDs to the consumer.
2. B2B E-Commerce: This type can occur between one business and another business. Example: a company that engages in B2B IS Cisco system. Cisco system creates much of the physical infrastructure of the internet that allows businesses to communicate.
3. C2C E-Commerce: This type can occur between two consumers. Example: this type of E-Commerce is eBay. eBay enables its customers to auction items to other customers. eBay collects fee from every transaction.
Database: This acts as a storage container that holds information about the items
that merchants sell (products, prices, manufacturers, etc.)
Shopping Web Site: This is a web site that enables to modify the information in the database (update prices, add new items, delete old items, etc.)
Public Web Site: This is the web site that displays and describes merchants products to the customers. From this web site merchandise can be securely purchased by anyone in the world.
Step 1: In the diagram above, Step 1 shows the arrow flowing out of the database into a shopping web site. In other words, all of the information about the products, prices, manufacturers, etc will be displayed in easy to read lists inside the web browser. User can access these lists from anywhere in the world, not just from inside his office.
Step 2: This step shows the arrow flowing from the shopping web site into the database. As mentioned in Step 1, products information is displayed in the form of lists inside the web browser. Each individual item, on each list is editable. That means that merchants can change prices, add new items, and delete old items, etc from anywhere in the world. All of merchants “updates” to these lists are instantly stored in the database. This functionality empowers merchants to administer their own web site allowing them to avoid web site maintenance fees and service time when all they want to do is make a change to their product line.
Step 3: The final step shows the information that merchants have stored in database flowing into the Public web site. With all editing complete, merchants have the confidence in knowing that their customers are seeing accurate and up to the minute products and price information.
1.2 Trends in Online Shopping
Online shopping trend is rising every where for the past many years and is becoming a necessity in the day to day life of the people nowadays. The trend started few years back and today online shopping is quite popular. More and more websites are promoting products online and offer household products at the competitive prices .All kinds of products whether household or lifestyle are available online and more and more people are looking more towards online shopping to fulfill their daily needs.
Online shopping including social shopping trends have shown a better inclination of people towards this latest shopping trend. Through social shopping people can inquire with other users about the product usage and quality. Online Shopping has started a new way to shop, where there is no need for spending your precious time on asking for quality and configuration of products and also wandering for places in search of better brands and their offered prices. The most popular of all products in online shopping are the gift products that are attractively presented and nicely priced .Through interactive social shopping all the products are discussed and their usefulness is witnessed among majority of users .
The online shopping trend is most common in the high end Indian cities where people are learned and are earning well. In small cities very few people are aware of Internet usage while others remain isolated completely. India is blessed with the power of Internet, which has promoted the trend of online shopping to a larger extent. Social shopping network has made shopping well organized and wonderful way to shop.
1.3 Inclination Towards Online Shopping
Online shopping is a type of electronic commerce used for business-to-business (B2B) and business-to-consumer (B2C) transactions. It is a more effective way of getting products to people and spreading into different demographics. It offers some of the advantages such as Convenience, Information and reviews, Price and selection etc.
1. Convenience: Online stores are usually available 24 hours a day, and many consumers have Internet access both at work and at home. Searching or browsing an online catalog can be faster than browsing the aisles of a physical store.
2. Information and reviews: Online stores must describe products for sale with text, photos, and multimedia files, whereas in a physical retail store, the actual product and the manufacturer’s packaging will be available for direct inspection.
3. Price and selection: shopping online is being able to quickly seek out deals for items or services with many different vendors. Search engines and online price comparison services can be used to look up sellers of a particular product or service.
Online shopping offers some of the disadvantages they are
1. Lack of personal interaction, tangibility factor: In real world shopping, we can actually touch, feel or sense different product or picture with different means, but for online shopping we can only view the electronic catalogues this problems has been rectified to certain extent by use of 3D product catalogues
2. Shipping cost: If the shipping cost is more than that of actually carry the product home, then online shopping become unattractive.
3. Online security: shopping online should have to take additional care about credit cards so that to protect from unauthorized usage.
4. Real world shopping experience: Online shopping lacks the real world shopping experience that we get shopping with relatives and friends offline.
LITERATURE SURVEY
2.1 What is portal?
Portal is a term, generally synonymous with gateway, for a World Wide Web site that is or proposes to be a major starting site for users when they get connected to the Web or that users tend to visit as an anchor site. A portal uses a consistent framework for presenting the information in a standard way. The services available through the portal are all designed to fit within a standard portal framework. This consistency makes it easier to learn and use these services. There are general portals and specialized or niche portals. Some major general portals include Yahoo, Excite, Netscape, Lycos, CNET, Microsoft Network, and America Online’s AOL.com. Examples of niche portals include Garden.com (for gardeners), Fool.com (for investors), and SearchNetworking.com (for network administrators).
A shopping portal is a page where buyers find links to a wide variety of products and services. A shopping portal offers convenience, saves time and makes it possible for customer to compare products and make selections. Online Shopping starts not so long ago. The idea of online shopping predates the World Wide Web, for there real-time transaction processing from a domestic television. Portals are subjected two types of attacks they are Passive attack, Syntactical attack.
1. Passive attack: Attacks against networks, phone lines, wires, and computers that attempt to physically disable a portal server.
2. Syntactical attack: These are the ones which we see on news daily and spawned an industry of virus protection software and frequent operating system updates and patches.
2.2 A Brief History
Online shopping was invented in the UK in 1979. There are two kinds of online shopping B2B (Business to Business) and B2C (Business to Customer). These were sold in the UK in the 1980s.The largest B2B was probably Ford’s Locate a Car system that operated in many European countries. The cleverest B2B was probably Nissan who sold Finance with online agency credit checks. The first B2C was Tesco. These systems were pre-internet pre-windows but otherwise fully functional.
In the 1990s these systems migrated to the internet and WWW and became fully featured, fast and secure making the pioneer systems look very ancient indeed. History of this starts not so long ago. Tim Berners-Lee created “The World Wide Web Browser” in 1990. In1994 few other developments took place. Online bank, the first of its kind opened this year. Another development was opening of online pizza shop by pizza hut.
In the same year Netscape introduced SSL encryption to enable encryption over the data transferred online. This later became the necessity of online shopping. In 1995, Amazon started operation, one of the largest online shopping mall now. Then in 1996 eBay started its online shopping portal.
1998 witnessed use of electronic postage stamps, where people can download and print postal stamps after paying nominal fee. In 1999 the first online shop in UK launched.
Online shopping is important because it offers buyers convenience that has never before been achievable. The technology that is now available allows customers to shop on the internet 24 hours a day and seven days a week, without having to leave their homes or offices. Shoppers are provided with an abundance of merchant sites where almost any goods on earth can be bought. Consumers can also compare prices from a variety of different retailers with greater ease, compared to them physically going to shop in a built shopping centre to check prices.
PRESENT THEORY and PRACTICE
3.1 Existing System
As the popularity of online shopping increased the risks involved in the transactions also grew exponentially. To address the issue of security Netscape introduced SSL encryption to provide security. Currently, Transport Layer Security (TLS) is the de facto standard for secure communication over the Internet. TLS is an end-to-end security protocol that follows the famous Secure Socket Layer (SSL).
SSL and TLS have been widely implemented in several open source software projects. Programmers may use the Open SSL, NSS, or Gnu TLS libraries for SSL/TLS functionality. Microsoft Windows includes an implementation of SSL and TLS as part of its Secure Channel package. Delphi programmers may use a library called Indy. This standard is used for providing security by some browsers also such as the one listed. Mozilla Firefox supports TLS since version 2. The Internet Explorer 8 in Windows 7 and Windows Server 2008 R2 supports TLS 1.2. As of Presto 2.2, featured in Opera 10, Opera supports TLS 1.2.
Though, standards have been proposed and implemented for providing security for an internet transaction, the challenges in this field are never ending. Hence periodic development in the security standards and methodologies is the need of the online transaction process. The new methodologies developed should be the enhancement of current technology and not a completely new method, as global acceptance of a completely new system is beyond reach goal unless it requires minimum or no change in the ease of use, speed and other factors.
3.2 Proposed system
With the ever increasing popularity of internet, the population capable of participating in internet increased dramatically, increasing the security challenges. Also network traffic also became a prime issue. To make efficient use of the available bandwidth, the messages transferred over the internet should be of smaller size and also, to establish end-to-end security session handshake message passing if possible should be avoided as it substantially increases the network traffic which, in extreme cases may lead to congestion.
Existing system using TLS/SSL was capable of providing a very good end-to-end security for transactions involved. But it required long chatty handshake signals for establishment of security session between two parties. Also, the whole file or whole message should be encrypted before sending over the internet. At a time not more than two parties could take part in the secured communication.
To, address the issues not addressed by the current system, a new system is proposed here, which makes use of XML encryption to provide security. XML Encryption provides end-to-end security for applications that require secure exchange of structured data. XML-based encryption is the natural way to handle complex requirements for security in data interchange applications. XML Encryption is not intended to replace or supersede SSL/TLS. Rather, it provides a mechanism for security requirements that are not covered by SSL.
The proposed system takes the crucial data provided by the user, encrypts it and forms an XML file as an output which is sent over the network. The receiver parses the received XNL file and gets back the crucial information. Using this system, any number of parties can take part in secured communication as no prior agreement or handshaking is required. Also, it provides an added advantage that, only specific part of the information which is most crucial can be encrypted leaving out rest of the information unencrypted. The proposed system makes use of both symmetric and asymmetric cryptography to provide complete security for the transaction involved. The only requirement of the system is the mechanism to generate XML files at sender and a parser to parse the received XML file at the receiver.
3.3 Security provided to the Existing system
Presently, Transport Layer Security (TLS) is the de facto standard for secure communication over the Internet.TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol. TLS/SSL has a variety of security measures:
- SSL handshake with two way authentication with certificates.
A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection’s security.
- The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported cipher and hash functions.
- From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
- The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certification authority (CA), and the server’s public encryption key.
The client may contact the server that issued the certificate (the trusted CA) and confirm that the certificate is authentic before proceeding.
- In order to generate the session keys used for the secure connection, the client encrypts a random number (RN) with the server’s public key (PbK), and sends the result to the server. Only the server can decrypt it (with its private key (PvK)): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data. The client knows PbK and RN, and the server knows PvK and (after decryption of the client’s message) RN. A third party may only know PbK, unless PvK has been compromised.
- From the random number, both parties generate key material for encryption and decryption.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes. If any one of the above steps fails, the TLS handshake fails, and the connection is not created.
In the other system, the client may use the certificate authority’s (CA’s) public key to validate the CA’s digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.
- The client verifies that the issuing CA is on its list of trusted CAs.
- The client checks the server’s certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.
- Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
- Numbering all the Application records with a sequence number, and using this sequence number in the message authentication code (MACs).
- The message that ends the handshake (“Finished”) sends a hash of all the exchanged handshake messages seen by both parties.
- The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of these algorithms is found to be vulnerable. TLS only.
- SSL v3 improved upon SSL v2 by adding SHA-1 based ciphers, and support for certificate authentication. Additional improvements in SSL v3 include better handshake protocol flow and increased resistance to man-in-the-middle attacks.
If any one of the above steps fails, the TLS handshake fails, and the connection is not created. Early implementations of SSL used 40-bit symmetric key because of US government restrictions on the export of cryptographic technology. After several years of public controversy, a series of lawsuits, and eventual US government recognition of cryptographic products with longer key sizes produced outside the US, the authorities relaxed some aspects of the export restrictions.
PROBLEM DEFINITION
4.1 Necessity of proposed system
All the online shopping systems today make use of TLS/SSL security, which is the de-facto standard used for providing secured transactions over the internet. But, this system has some limitations such as, it cannot establish secured session more than two parties and also it requires the whole file to be encrypted in order to transfer over network. And even it requires handshake signals to establish secured session which consumes considerable network bandwidth. This provided the motivation to develop the proposed system which by making use of XML encryption covers the limitations of the current system.
4.2 Statement of problem
To develop the proposed system XML Encryption it required development of different modules in various stages. Some of the stages considered are developing a portal, providing security and developing databases. The project mainly consists of three entities such as Customer, Merchant and Service Provider.
1. Customer: The customer plays very good role in the project. The registered customer is allowed for the shopping transaction only when he/she register with the name and password and for the new customer he/she needs to fill the registration form first. The customer purchased products will be stored into the cart table which is maintained at the service provider. The customer is allowed to make the payment using either credit or debit card system.
2. Merchant: The merchant acts like Data bank, he contains all the product list with him send this list to the service provider for the display of the list on the portal.
3. Service Provider or bank: The service provider acts like Trusted third party. It provides all the information about products, Merchants, and about registered customer. The encrypted credit card number is sent to the service provider where it decrypts that number using the private key of bank to obtain the original number to complete the transaction.
4.2.1 Developing portal
Portal provides information of the users and displays all the content in one place. For the navigation the development of web portal is necessary that is, as a shopper is free to move around in a physical shopping mall, so should he be free to move around in a virtual mall. The major task of it is to reduce the traffic in the network as the user need not make repeated requests to find related information.
4.2.2 Providing Security
To secure the payment transactions the XML encryption technique is used. This provides the security to the part of the program or to the whole program. The XML encryption provides the major security features such as:
- Authentication: Confirms the identity of one party to another. In this project the authentication of customer is done by checking with customer database.
- Confidentiality: Ensures that the data is not exposed to the intruder or attacker. To perform the confidentiality in the project the credit card number is encrypted and performs the transaction.
- Data integrity: Ensures that the data is not modified from source to the destination. The encrypted credit card number is received as it is at the receiver side. This ensures the data integrity.
- Non repudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
4.2.3 Developing Databases
There are totally three databases need to be created:
- Customer database: This maintains all the basic information about the client, including the public keys of the banks used for encryption of the data.
- Merchant database: This contains details of merchants, details of product list. The merchant acts as the data bank of products available on the portal.
- Bank database: This database contains the account details of customer for the payment of the purchase list, even it contains the merchant details if both details of client and merchant matches then allows for the transaction. This even maintains the private key ring which is used for the decryption of the crucial information received from the customers and merchants.
SOFTWARE REQUIREMENTS SPECIFICATION
5.1 Software Engineering Approach
The model used for the development of this software is waterfall model or software life cycle. They are,
- Requirement Analysis and definition
The systems services, constraints and goals are established by consultation with system users. They are then defined in detail and serve as a system specification.
- System and software design
The systems design process partitions requirements to either hardware or software systems. It establishes overall system architecture. Software design involves identifying and describing the fundamental software system abstraction and their relationships
- Implementation and unit testing
During this stage the software design is realized as a set of programs or program units. Unit testing involves verifying that each unit meets its specification.
- Integration and System testing
The individual program unit or program are integrated and tested as a complete system to ensure that the system requirements have been met. After testing the software system is delivered to the customer
- Operation and Maintenance
Normally (although not necessarily) this is the longest life cycle phase. The system is installed and put into practical use. Maintenance involves correcting errors which were not discovered in earlier stages of the life cycle, improving the implementation of the system units and enhancing the systems services as new requirements are discovered.
5.2 Software Requirement Specification
The Software Requirements Specification(SRS) provides an overview of the entire SRS with purpose, scope, definitions and Abrevations of the SRS. The aim of this document is to gather and analyze and give an in-depth insight of the complete software system by defining the problem statement in detail. it also concentrates on the capabilities required by stakeholders and their needs while defining high-level product features. The detailed requirements of the entities are provided in this document.
Introduction
This document provides details about the entire software requirements specification for the software e-shopping a database for online shopping centre.
Purpose
The purpose of this project is to provide easy shopping facility online and easy selling facility to the merchants of all categories.
Definitions and Abbreviations
- Customer : The person who purchases the product
- Merchant : The person/dealer/company who sell the product
- Service Provider: It acts as Trusted Third Party .
The requirement engineering process can be separated as user requirements to means high level abstract requirements and system requirements to means the detailed description of what the system should do.
5.2.1 User Requirements definition
User requirements to means high level abstract requirements. In the project main consideration is security, the main security parameters are considered in the user requirements. The list is shown as,
- The user should be provided with single sign-on point. He should re-login only if the user has logged out, not otherwise.
- The user should be provided with convenient, easy to browse web pages containing all the required information about the products, displaying discount prices and other details.
- Security: The entered credit card number is encrypted and it need to provide all major security considerations such as,
a) Authentication: The user should be provided with username and password on registration, which can then be used to authenticate the user .
b) Confidentiality: The crucial information entered by user should be encrypted to provide data confidentiality.
c) Data Integrity: Public key cryptography should be used to provide data integrity.
d) Nonrepudiation: The transactions involved should not be incomplete.
5.2.2 System Requirement Specification
These are the statements of service the system should provide, how the system should react to particular inputs and how the system should behave in particular situations. In the project the system involves the validation, verification etc. The system requirements are enlisted below as,
- The system should have an appropriate database to be able to store the data entered by the user.
- The product list, customer list, merchant list and the purchased product list will be maintained in the database where for each entity a separate table is maintained.
- The system should store the password and other crucial information in an encrypted form in the database.
5.3 Hardware and Software Requirements
The system requires the following environment and tools
Operating System
- Microsoft® Windows XP
Software
- Tomcat server
- Jdk1.3, jdk 1.6 editors
- Browser Internet Explorer, Mozilla Firefox
- Mysql database
- Microsoft FrontPage software
- Mysql ODBC connector software
Hardware
- Processor
PC with a Pentium IV- class processor 1.2GHz
- RAM
Microsoft Windows XP Professional 512 MB
Microsoft Windows XP Professional 1GB
- Network connection with optional Internet facility
SOFTWARE DESIGN
6.1 Architectural design
The software uses the data flow diagram which identifies the subsystems involved and establishes a framework for sub-system control and communication.
In Online Shopping mainly three entities are present they are, Customer, Merchant, Service provider or bank .
1. Customer: Customer/buyer find product of interest by visiting the website of the retailer directly, or do a search across many different websites for this. He/she first browses for the product list through the internet.
2. Merchant: the merchant/seller act like data bank which provides the services to the requested customers. The merchants are maintained their own database for storing their information such as name, contact number, address etc.
3. Bank: The payment of the purchased product list is done through the bank. The encrypted credit card number is sent to the bank, where the decryption algorithm is applied to obtain the original number. Here the authentication of the customer is checked if it is valid the payment is done otherwise the invalid message is sent to the customer that they are not an authenticated customer.
6.2 Concepts Used
6.2.1 Cryptography
Cryptography is probably the most important aspect of communications security and is becoming increasingly important as a basic building block for computer security. The increased use of computer and communications systems by industry has increased the risk of theft of proprietary information. This theft requires a variety of counter measures; encryption is a primary method of protecting valuable electronic information.
The process of converting from plaintext to cipher text is known as enciphering or encryption. The many schemes used for enciphering constitute the area of study known as cryptography. Such a scheme is known as a cryptographic system or a cipher. Techniques used for deciphering
a message without any knowledge of the enciphering details fall into the area of cryptanalysis. The area of cryptography and cryptanalysis are called cryptology.
Types of Cryptography
There are two types of cryptography practiced in modern times those are, symmetric key cryptography and public-key cryptography. The two types are briefly explained below.
Symmetric key cryptography
Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key (or, less commonly, in which their keys are different, but related in an easily computable way). This was the only kind of encryption publicly known until June 1976.
The modern study of symmetric-key ciphers relates mainly to the study of block ciphers and stream ciphers and to their applications. A block cipher is, in a sense, a modern embodiment of Alberti’s poly alphabetic cipher: block ciphers take as input a block of plaintext and a key, and output a block of cipher text of the same size. Since messages are almost always longer than a single block, some method of knitting together successive blocks is required. Several have been developed, some with better security in one aspect or another than others. They are the modes of operation and must be carefully considered when using a block cipher in a cryptosystem.
The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are block cipher designs which have been designated cryptography standards by the US government (though DES’s designation was finally withdrawn after the AES was adopted).Despite its deprecation as an official standard, DES (especially its still-approved and much more secure triple-DES variant) remains quite popular; it is used across a wide range of applications, from ATM encryption to e-mail privacy and secure remote access. Many other block ciphers have been designed and released, with considerable variation in quality. Many have been thoroughly broken.
Data flow Diagram
Public Key cryptography
Symmetric-key cryptosystems use the same key for encryption and decryption of a message, though a message or group of messages may have a different key than others. A significant disadvantage of symmetric ciphers is the key management necessary to use them securely. Each distinct pair of communicating parties must, ideally, share a different key, and perhaps each cipher text exchanged as well. The number of keys required increases as the square of the number of network members, which very quickly requires complex key management schemes to keep them all straight and secret.
The difficulty of securely establishing a secret key between two communicating parties, when a secure channel doesn’t already exist between them, also presents a chicken-and-egg problem which is a considerable practical obstacle for cryptography users in the real world.
In a groundbreaking 1976 paper, Whitfield Diffie and Martin Hellman proposed the notion of public-key (also, more generally, called asymmetric key) cryptography in which two different but mathematically related keys are used a public key and a private key. In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is typically used for encryption, while the private or secret key is used for decryption. Diffie and Hellman showed that public-key cryptography was possible by presenting the Diffie-Hellman key exchange protocol.
In 1978, Ronald Rivest, Adi Shamir, and Len Adleman invented RSA, another public-key system. In 1997, it finally became publicly known that asymmetric key cryptography had been invented by James H. Ellis at GCHQ, a British intelligence organization, and that, in the early 1970s, both the Diffie-Hellman and RSA algorithms had been previously developed (by Malcolm J. Williamson and Clifford Cocks, respectively).
The Diffie-Hellman and RSA algorithms, in addition to being the first publicly known examples of high quality public-key algorithms, have been among the most widely used. Others include the Cramer-Shoup cryptosystem, ElGamal encryption, and various elliptic curve techniques.
6.2.2 HTML (Hyper Text Markup Language)
HTML, an acronym for Hyper Text Markup Language, is the predominant markup language for web pages. It provides a means to describe the structure of text-based information in a documentby denoting certain text as links, headings, paragraphs, lists, etc.and to supplement that text with interactive forms, embedded images, and other objects. HTML is written in the form of “tags” that are surrounded by angle brackets. HTML can also describe, to some degree, the appearance and semantics of a document, and can include embedded scripting language code (such as JavaScript) that can affect the behavior of Web browsers and other HTML processors
HTML is a computer language devised to allow website creation. It is constantly undergoing revision and evolution to meet the demands and requirements of the growing Internet audience under the direction of the W3C, the organization charged with designing and maintaining the language.
- Hypertext is the method by which one can move around on the web by clicking on special text called hyperlinks which bring user to the next page. The fact that it is hyper just means it is not linear that is, user can go to any place on the Internet whenever he wants by clicking on links there is no set order to do things in.
- Markup is what HTML tags do to the text inside them. They mark it as a certain type of text (italicized text, for example).
- HTML is a Language, as it has code-words and syntax like any other language. This language is used for the creation of static pages.
6.2.3 XML (extensible Markup Language)
XML (Extensible Markup Language) is a general-purpose specification for creating custom markup languages. It is classified as an extensible language, because it allows the user to define the mark-up elements. XML’s purpose is to aid information systems in sharing structured data, especially via the Internet, to encode documents, and to serialize data; in the last context, it compares with text-based serialization languages such as JSON, YAML and S-Expressions.
XML’s set of tools helps developers in creating web pages but its usefulness goes well beyond that. XML, in combination with other standards, makes it possible to define the content of a document separately from its formatting, making it easy to reuse that content in other applications or for other presentation environments. Most importantly, XML provides a basic syntax that can be used to share information between different kinds of computers, different applications, and different organizations without needing to pass through many layers of conversion
An XML document has two correctness levels:
- Well-formed. A well-formed document conforms to the XML syntax rules; e.g. if a
start-tag (< >) appears without a corresponding end-tag (</>), it is not well-formed. A document not well-formed is not in XML; a conforming parser is disallowed from processing it.
- Valid. A valid document additionally conforms to semantic rules, either user-defined or in an XML schema, especially DTD; e.g. if a document contains an undefined element, then it is not valid; a validating parser is disallowed from processing it.
In XML files the only indispensable syntactical requirement is that the document has exactly one root element (also known as the document element), i.e. the text must be enclosed between a root start-tag and a corresponding end-tag, known as a “well-formed” XML document. The root element can be preceded by an optional (for XML 1.0 only) XML declaration element stating what XML version is in use (normally 1.0); it might also contain character encoding and external dependencies information. Starting with XML version 1.1, this declaration becomes mandatory. This is necessary, as an XML document without an XML declaration is assumed to be a version 1.0 document. For example,
<?xml version=”1.0″ encoding=”UTF-8″ ?>
The specification requires that processors of XML support the pan-Unicode character encodings UTF-8 and UTF-16 (UTF-32 is not mandatory). The use of more limited encodings, e.g. those based on ISO/IEC 8859, is acknowledged, widely used, and supported. In any meaningful application, additional markup is used to structure the contents of the XML document. The text enclosed by the root tags may contain an arbitrary number of XML elements. The basic syntax for one element is,
<element_name attribute_name=”attribute_value”>Element Content</element_name>
6.2.4 JavaScript
JavaScript is a scripting language used to enable programmatic access to objects within other applications. It is primarily used in the form of client-side JavaScript for the development of
dynamic websites. JavaScript is a dialect of the ECMA Script standard and is characterized as a dynamic, weakly typed, prototype-based language with first-class functions. JavaScript was influenced by many languages and was designed to look like Java, but be easier for non-programmers to work with.
JavaScript, despite the name, is essentially unrelated to the Java programming language even though the two do have superficial similarities. Both languages use syntaxes influenced by that of C syntax, and JavaScript copies many Java names and naming conventions. The language’s name is the result of a co-marketing deal between Netscape and Sun, in exchange for Netscape bundling Sun’s Java runtime with their then-dominant browser. The key design principles within JavaScript are inherited from the Self and Scheme programming languages.
The primary use of JavaScript is to write functions that are embedded in or included from HTML pages and interact with the Document Object Model (DOM) of the page. JavaScript code can run locally in a user's browser it can respond to user actions quickly, making an application feel more responsive. So, Applications such as Gmail take advantage of this: much of the user-interface logic is written in JavaScript, and JavaScript dispatches requests for information to the server.
A JavaScript engine (also known as JavaScript interpreter or JavaScript implementation) is an interpreter that interprets JavaScript source code and executes the script accordingly. for JavaScript a web browser is most common environment. The sample JavaScript can be written as,
<html> <head>
<script>
document.write(‘Hello World!’);
</script>
</head> </html>
6.2.5 JSP (Java Server Pages)
Java Server Pages (JSP) is a technology that mixes regular, static HTML with dynamically-generated HTML. The JSP page has .jsp extension. The code is written between the start of angular tag <% and end of angular tag %>. Three main types of JSP constructs can be embed in a page they are scripting elements, directives, and actions.
- Scripting elements specify Java code that will become part of the resultant servlet.
- Directives control the overall structure of the servlet. and
- Actions specify existing components should be used to perform the operations.
A JSP expression is used to insert Java values directly into the output. It has the following form:
<%= Java Expression %>
The Java expression is evaluated, converted to a string, and inserted in the page. This evaluation is performed at run-time (when the page is requested), and thus has full access to information about the request.
For example: the following shows the date/time that the page was requested:
Current time: <%= new java.util.Date() %>
There are a number of predefined variables. the most important ones are:
request, theHttpServletRequest;response, theHttpServletResponse;session, theHttpSessionassociated with the request andout, thePrintWriter(a buffered version of typeJspWriter) used to send output to the client.
6.2.6 JCA (Java Cryptography Architecture)
The Java platform strongly emphasizes security, including language safety, cryptography, public key infrastructure, authentication secure communication, and access control. The JCA is a major piece of platform and contains provider architecture and a set of APIs for digital signatures, message digest, certificates, certificate validation, encryption, key generation and management and generation of random numbers etc. These APIs allow the developer easily integrate the security into their code. The architecture was designed around the following things.1. Implementation independence and Interoperability. 2. Algorithm extensibility
Cryptographic Service Providers
Java.security. Provider is the base class for all security providers. Each CSP contains the instance of this class which contains the providers name and list of security algorithm that it implements. To use JCA application requests the particular type of object and particular algorithm or service. Application calls are routed through the engine class and are delivered to the underlying backing implementation. The implementation handles the request and returns the proper results.
The application API methods in each engine class are routed to the provider’s implementations through classes that implement the corresponding Service Provider Interface (SPI). To supply the implementation of a particular type of service for a specific algorithm, providers must subclass the corresponding SPI class and provide implementations for all the abstract methods.
For each engine class in the API, implementation instances are requested and instantiated by calling the getInstance () factory method in the engine class. A factory method is a static method that returns an instance of a class. The engine class uses the framework provider selection mechanism to obtain the actual backing implementation (SPI), and then creates the actual engine object. Each instance of the engine class encapsulates (as a private field) the
instance of the corresponding SPI class, known as the SPI object. For example,
import javax.crypto.*;
Cipher c = Cipher.getInstance(“AES”);
c.init(ENCRYPT_MODE, key);
Here an application wants an “AES” javax.crypto. Cipher instance for this the application calls the getInstance() factory methods of the Cipher engine class, which in turn asks the JCA framework to find the first provider instance that supports “AES”. The framework consults each installed provider, and obtains the provider’s instance of the Provider class. The framework searches each provider, finally finding a suitable entry in CSP3. This database entry points to the implementation class com.foo.AESCipher which extends CipherSpi, and is thus suitable for use by the Cipher engine class. An instance of com.foo.AESCipher is created, and is encapsulated in a newly-created instance of javax.crypto. Cipher, which is returned to the application. When the application now does the init () operation on the Cipher instance, the Cipher engine class routes the request into the corresponding engineInit () backing method in the com.foo.AESCipher class.
Key Management
A database called a “keystore” can be used to manage a repository of keys and certificates. Keystores are available to applications that need data for authentication, encryption, or signing purposes.
Applications can access a keystore via an implementation of the KeyStore class, which is in the java.security package. A default KeyStore implementation is provided by Sun Microsystems. It implements the keystore as a file, using a proprietary keystore type (format) named “jks”. Other keystore formats are available, such as “jceks” which is an alternate proprietary keystore format with much stronger encryption than “jks”, and “pkcs12”, which is based on the RSA.
6.2.6 MYSQL
MySQL is a relational database management system (RDBMS) which has more than 6 million installations. The program runs as a server providing multi-user access to a number of databases. MySQL Enterprise Server software is the most reliable, secure and up-to-date version of MySQL for cost-effectively delivering E-commerce, Online Transaction Processing (OLTP), and multi-terabyte Data Warehousing applications. It is a fully integrated transaction-safe, ACID compliant database with full commit, rollback, and crash recovery and row level locking capabilities. MySQL delivers the ease of use, scalability, and performance that has made MySQL the world’s most popular open source database.
The following features are implemented by MySQL but not by some other RDBMS software:
- Multiple storage engines, allow choosing the one that is most effective for each table in the application.
- Native storage engines
- Community-developed storage engines
- Custom storage engine
IMPLEMENTATION AND UNIT TESTING
This phase involves implementation of each modules individually and then testing them individually so that they satisfy the user requirements. The implementation and unit testing is described module wise in the following sections.
7.1 Static Pages
Static pages in the project are created using HTML, for the development of portal which displays product lists. As the project includes three products, three categories of static pages are created namely,
- Books
- Computers and
- Watches.
Book Category
Here five types of books have been included namely, Engineering Books, Medical Books, Magazines, Novels and Puzzles.
Computer Category
This category includes two types which are, desktops and laptops. The code used for development of this category of pages is similar to Books category.
Watch Category
Here two categories namely, gents and ladies watches are maintained. The code used for development of this category of pages is similar to Books category.
7.2 Database Design
In the project three separate databases are maintained in separate three personal computers they are customer database portal at customer computer, merchant database merchant at merchant computer and bank database bank is maintained at bank computer. To access the data from database using dynamic pages Jdbc Odbc connection need to be established. To store the data in the database the following JSP code is used. Database connectivity is used in the project when a user registers with the portal and to validate user on entering username and password.
<!– Data base connectivity code –>
<%@ page import=”java.sql.*” %>
<% Class.forName (“sun.jdbc.odbc.JdbcOdbcDriver”); %>
<%
Connection con = DriverManager.getConnection (“jdbc:odbc:shopping”,”root”,”pavi”);
Statement st=con.createStatement ();
%>
Using the above code Jdbc Odbc connection has been established so the secure transactions can takes place between the communicating parties.
7.3 Client side encryption using Java Script
JavaScript is used in the project to validate the entered card number entered by the user when making a purchase order and also to encrypt the card number before sending it over the network to provide additional security. Usually the java script is used at the client side for providing the security.
The validation code used in the project is as follows.
function validateprocess()
{
var valid = “0123456789” // Valid digits in a credit card number
var valid1=false;
var n=document.f.name.value;
if( n == “”)
{
alert(“Please enter the name on the credit card”);
valid1=false;
}
var no=document.f.ccn.value;
var len = no.length;
if( no == “”)
{
alert(“Please enter the card number”);
valid=false;
}
else
{
valid=true;
encrypt(); //Calls the function used for encryption
return valid;
}
}
The JavaScript encrypts the credit card number using the following code.
function encryptedString(key, s)
{
var a = new Array();
var sl = s.length;
var i = 0;
while (i < sl)
{
a[i] = s.charCodeAt(i);
i++;
}
while (a.length % key.chunkSize != 0)
{
a[i++] = 0;
}
var al = a.length;
var result = “”;
var j, k, block;
for (i = 0; i < al; i += key.chunkSize)
{
block = new BigInt();
j = 0;
for (k = i; k < i + key.chunkSize; ++j)
{
block.digits[j] = a[k++];
block.digits[j] += a[k++] << 8;
}
var crypt = key.barrett.powMod(block, key.e);
var text = key.radix == 16 ? biToHex(crypt) : biToString(crypt, key.radix);
result += text + ” “;
var r=result;
}
return result.substring(0, result.length – 1);
}
7.4 Server side encryption using JSP
To send crucial information such as credit card number, in an encrypted form to the bank for validation, the service provider makes use of jsp along with the functionalities of JCA to provide security.
Two methodologies have been used here for encryption and decryption.
1. TLS/SSL security
2. XML Encryption
7.4.1 TLS/SSL security
Transport Layer Security along with Secured Socket Layer is the default standard used for providing security over the internet. In the project, RSA algorithm is used. Public key generated in the RSA is used for encrypting the data and Private Key is used for decryption. The pair of the keys are generated at the bank the bank then send this public key to the customer for making the encryption that is, using this public key the credit card number is encrypted and perform the transactions.
The code used for encryption looks as follows.
<%@ page import=”crypt.rsa.*” %>
<%@ page import=”java.math.BigInteger” %>
<%@ page import=”java.security.*” %>
<%@ page import=”java.security.spec.*” %>
<%@ page import=”java.security.interfaces.*” %>
<%@ page import=”javax.crypto.*” %>
<%@ page import=”javax.crypto.spec.*” %>
<%@ page import=”javax.crypto.interfaces.*” %>
<%@ page import=”com.sun.crypto.provider.SunJCE” %>
<%@ page import=”java.security.Key” %>
<%@ page import=”java.security.interfaces.RSAPublicKey” %>
<%@ page import=”java.security.NoSuchAlgorithmException” %>
<%@ page import=”org.w3c.dom.*, javax.xml.parsers.*”%>
<%@ page import=”javax.xml.transform.dom.*,javax.xml.transform.stream.*,javax.xml.transform.*” %>
<%@ page import=”java.io.*” %>
<%@ page import=”java.sql.*” %>” %>
<%
String uname=request.getParameter(“uname”);
String ccn=request.getParameter(“ccn”);
String pubk=null;
String Nkey=null;
try
{
Class.forName(“sun.jdbc.odbc.JdbcOdbcDriver”); //Driver Connection Setup
Connection con = DriverManager.getConnection(“jdbc:odbc:shop”,”root”,”root”);
java.sql.Statement st = con.createStatement(); // Create stmt
String str=”select * from site where ccno='”+ccn+”‘”;
out.println(str);
ResultSet rs=st.executeQuery(str);
if(rs.next())
{
pubk= rs.getString(“pubkey”);
Nkey= rs.getString(“nkey”);
out.println(“Found “+Nkey);
}
} catch(Exception exp) { }
try
{
FileOutputStream fstream = new FileOutputStream(“input.txt”);
PrintWriter pw=new PrintWriter(fstream);
pw.print(ccn);
pw.close();
} catch (Exception ee)
{
System.err.println(“File input error”);
}
//Encry Using RSA
//Encrypt encrypt = new Encrypt(rsa.getPublicKey(), rsa.getN());
try
{
BigInteger bigpubk = new BigInteger(pubk);
BigInteger bigNkey = new BigInteger(Nkey);
Encrypt encrypt = new Encrypt(bigpubk,bigNkey);
}catch(Exception exp) { }
7.4.2 XML Encryption
XML makes use of asymmetric encryption. Asymmetric encryption is used for encryption of the credit card number by making use of a public key bank. The resulted encrypted data is placed in the nodes of XML and a XML file is generated which is sent over the network. At the recipient Bank uses its private key to decrypt the credit card number. Parsing of XML file is needed at the recipient. In the project, RSA is used as public key algorithm.
The code used for applying XML encryption is as follows.
<%@page import=”org.w3c.dom.*, javax.xml.parsers.*”%>
<%@page import=”javax.xml.transform.dom.*,javax.xml.transform.stream.*,javax.xml.transform.*” %>
<%@ page import=”java.io.*” %>
<%@ page import=”java.sql.*” %>
<%@ page import=”java.math.BigInteger” %>
<%@ page import=”java.security.*” %>
<%@ page import=”java.security.spec.*” %>
<%@ page import=”java.security.interfaces.*” %>
<%@ page import=”javax.crypto.*” %>
<%@ page import=”javax.crypto.spec.*” %>
<%@ page import=”javax.crypto.interfaces.*” %>
<%@ page import=”com.sun.crypto.provider.SunJCE” %>
<%@ page import=”java.security.Key” %>
<%@ page import=”java.security.interfaces.RSAPublicKey” %>
<%@ page import=”java.security.NoSuchAlgorithmException” %>
<%@ page import=”org.w3c.dom.*, javax.xml.parsers.*”%>
<%@page import=”javax.xml.transform.dom.*,javax.xml.transform.stream.*,javax.xml.transform.*” %>
//XML file code
String Eccn = null;
try
{
FileInputStream fstream = new FileInputStream(“encrypt.txt”);
DataInputStream in = new DataInputStream(fstream);
Eccn=in.readLine();
in.close();
}
catch (Exception ee)
{
System.err.println(“File input error”);
}
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.newDocument();
Element rootElement1 = document.createElement(“ccinfo”);
document.appendChild(rootElement1);
Element rootElement = document.createElement(“ccrec”);
rootElement1.appendChild(rootElement);
String element = “uname”;
String data = uname;
Element em = document.createElement(element);
em.appendChild(document.createTextNode(data));
rootElement.appendChild(em);
element = “ccn”;
data = Eccn;
em = document.createElement(element);
em.appendChild(document.createTextNode(data));
rootElement.appendChild(em);
TransformerFactory transformerFactory = TransformerFactory.newInstance();
Transformer transformer = transformerFactory.newTransformer();
DOMSource source = new DOMSource(document);
System.out.print(“Over1”);
File f1=new File(“c:\\tomcat\\webapps\\project\\ccinfo.xml”);
StreamResult result = new StreamResult(f1);
transformer.transform(source, result);
The code used for applying XML decryption is as follows.
//Decryption
//store Ekey in encrypt.txt
try
{
FileOutputStream fstream = new FileOutputStream(“encrypt.txt”);
PrintWriter pw=new PrintWriter(fstream);
pw.print(Eccn);
pw.close();
}
catch (Exception ee)
{
System.err.println(“File input error”);
}
String privk=null;
String Nkey=null;
String Dkey=null;
String sign=null;
String occno=null;
try
{
Class.forName(“sun.jdbc.odbc.JdbcOdbcDriver”); //Driver Connection Setup
Connection con = DriverManager.getConnection(“jdbc:odbc:shop”,”root”,” “); //Set connection with DSN
java.sql.Statement st = con.createStatement(); // Create stmt
ResultSet rs=st.executeQuery(“select * from ccard”);
if(rs.next())
{
occno= rs.getString(“ccno”);
privk= rs.getString(“privkey”);
out.println(“Private key”+privk);
Nkey= rs.getString(“nkey”);
out.println(“nkey”+Nkey);
}
} catch(Exception exp) { }
try
{
//Call RSA Decrypt
BigInteger bigpvk=new BigInteger(privk);
out.println(“big pkey”+bigpvk);
BigInteger bigNkey=new BigInteger(Nkey);
out.println(“big nkey”+bigNkey);
Decrypt decrypt = new Decrypt(bigpvk,bigNkey);
//Read from decrypt.txt
FileInputStream fstream = new FileInputStream(“decrypt.txt”);
DataInputStream in = new DataInputStream(fstream);
Dkey=in.readLine();
in.close();
if(Dkey.equals(occno))
{
out.print(“Valid “);
}
else
{
out.print(“Not Valid”);
}
}
catch (Exception ee)
{
System.err.println(“File input error”);
}
INTEGRATION AND SYSTEM TESTING
In the integrations phase, all the modules in this case all the pages which were developed independently were properly linked to from a complete portal. Also, integration of different systems where, one representing client, one as merchant and a bank system were properly connected and tested for connectivity. The integration and testing stages are explained below.
This phase examines the individual program units or programs and integrated them to test as a complete system to ensure that software requirements have been met. After testing, the software system is delivered to the customer.
Here, in the project HTML pages are created and linked one page with other using hyperlink. Here three entities that are customer, merchant and bank are maintained at the three different personal computers. Customer selects the products from the site sent that information to the bank. The connection to the bank from customer is done through the Odbc Jdbc connection. The same procedure is followed for the connection between bank and merchant. This shows the integration phase of the project.
The integration of HTML, JSP Pages and the formation of XML documents are shown in this phase using the Snapshots.
8.1 USER MANUAL
The administrative users have to install Tomcat 5.0 server before using this system. Later to run the system he has to start the Tomcat server and keep it up and running for the clients to access the services provided by the system. The clients can then use any browsers to access the services. The customer has to type the URL: http://localhost:8080/project/ to get the main page.
HOME PAGE FOR CUSTOMER
The opening page of the Online Shopping system is shown above. It contains the link to login for existing customers the login includes the username and password which need to be filled by the customer to purchase the things online and if person is not registered he/she must register to purchase the items online. It also contains the links for the products available in the online shopping, about the shopping and contact numbers for the enquiry of the shopping.
PRODUCT PAGE
The product list mainly consists of three category products they are Books category, Computer category and watch category. The Books category mainly consists of five different types they are Engineering books, Medical books, Novels, Magazines and puzzles. The Computer category consists of two kinds of computers they are Desktop computers and Laptop computers. The next product type is Watch category it consists of Ladies watches and Gents watches. To All products the necessary information along with the price is displayed in the pages.
SHOPPING CART
This table is placed at the customer database. The selected products of the customer are entered into the cart table. This also maintains the total payable amount of the products and Payment mode. The payment mode may be either Credit card or Debit card mode. The Cart page is shown as follow,
CREDIT CARD PAYMENT MODE PAGE
In the project the customer may choose either credit or debit payment mode. If he chooses the credit card then he needs to enter all the necessary information. Which page is given as,
XML DOCUMENT PAGE
The main goal of the project is to provide the security. The security is provided using the XML encryption. The entered credit card number is encrypted using RSA algorithm. The Encrypted credit card number is stored in the xml document which is called at the bank side for decryption. The document generated on the browser as below,
8.2 SYSTEM TESTING
System testing is concerned with finding errors that result from unanticipated interactions between components and component interface problems. It is also concerned with validating that the system meets its functional and non-functional requirements and testing the emergent system properties. For large systems, this may be a multi stage process where components are integrated to form the final system.
In the project the all three personal terminals are connected to one another for the secure transaction from the customer to the bank and then to the merchant. The connection from one terminal to the other is checked that is subsystem checking. Then the overall system is checked for the error correction and provides the major security measures.
CONCLUSION AND FUTURE SCOPE
The main principle of this project is to provide security for online transactions. This project makes use of XML Encryption to secure the transactions. XML encryption tries to overcome the limitations of earlier system. It can encrypt only a part of the file. Only the crucial information such as credit card number is encrypted leaving the rest of the file as it is. Hence, it is a combination of secure and non-secure encryption. It effectively reduces the overhead involved in encrypting the whole file.
The encryption and decryption here is performed using the functionalities provided by java and XML language is used for transferring the encrypted data. Properties of XML and java allow full compatibility with large installed base of secure web servers, extensibility and flexibility.
Currently the system treats the entered credit card numbers if they are in the right format as valid and proceeds further. But, a list of invalid and fraudulent credit card lists should be maintained to avoid misuse of the crucial information.
The encrypted XML may be compressed to further reduce the size of the cipher text which makes efficient use of the network bandwidth. The compression of encrypted XML can be added as the future scope.
REFERENCES
BOOKS REFERRED
[1] Cryptography and Network Security –By William Stallings, Pearson Education Publication, Third edition-2004.
[2] HTML Introduction to Web Page Design – By David Mercer,
Tata McGraw Hill- Edition 2004.
[3] The Complete Reference –By, Harbert Schildt, The Tata MC Edition,Seventh edition 2005 for java concepts.
[4] Software Engineering -By Ian Sommerville, Pearson Education Publication, Seventh Edition-2004.
[5] A Method for obtaining digital signatures and public-key cryptosystems -By Rivest .R, Shamir, A. and Adleman, OpenP2P OReilly Network, 2000.
[6] A new micro-payment system using general payword chain -By Wang C. Chang C. Electronic Commerce Research Journal, vol. 2, 2002.
[7] JavaScript: Complete Concepts and Techniques. By Cashman, Thomas J, William J, Pearson Education (2000).
[8] PROFESSIONAL JSP -By Karl Avedal, Danny Ayers, Carl Burnham, SHROFF PUBLISHERS, 2001.
[9] XML How to Program By Deitel, Nieto, Lin Sadhu, Pearson Education, 2008.
SITES REFERRED
[1] http://www.rsa.com
[2] http://www.howstuf.com
[3] http://www.chalcedony.com/javascript
[4] http://www.micropayment.com
[5] http://www.java.sun.com
Post by – Rekha B.
is that code is running?????