The Internet is no longer just an academic and scientific research
tool; it is rapidly being transformed into the model of a thriving new
world economic paradigm. Many people have heard the terms ``Information
Highway'' or ``National Information Infrastructure'', though few,
including network experts, have a firm grasp of or agree on what these
terms mean. But while the politicians and giant companies fight over
how to build this infrastructure, the Internet is already transforming
itself into the international ``dirt roads'' of network commerce.
For over a year, more and more new businesses have begun offering
information, services, and even products on the Internet. The majority
of these new commercial services are offered through the World Wide Web
(WWW), a multi-media information distribution system that allows
documents, files, pictures, videos, sounds, and more to be exchanged
across a network.
Mosaic, the WWW navigator, has excited people all over the Internet
because it lets them explore the wealth of information that has been
lurking throughout the Internet. What is perhaps more significant is the
constant barrage of new businesses and services being offered every day
through this medium. It is as if this one application has unleashed the
hidden potential of computer networking, enabling all kinds of people to
use the Internet and do business on it. Many companies are already using
Mosaic, and other tools on the Internet, as a means of performing market
research, analyzing their competitors, conducting customer support,
providing on-line brochures and catalogs, and even taking orders.
There are hundreds of companies which offer services through Mosaic,
newsgroups, e-mail, ftp, gopher, WAIS, and many other Internet
information navigation applications. Companies using the Internet are
finding they can gain instant international market exposure, provide
24-hour support to their world-wide customers at lower cost than
traditional methods, offer up-to-the-minute advertising, provide the
latest product information or catalogs, and even take orders from
customers without a phone call. Furthermore, companies can use the
Internet to collaborate with other companies (large and small) and work
together more effectively. Transmitting information over the Internet is
in most cases much faster than sending it by fax or by traditional
delivery services. Documents and data can be transferred easily, saving
countless hours and delivery costs.
Some larger companies have been connected to the Internet for years.
But in many cases only a few of their employees have truly realized its
benefits. The rapid growth and availability of new navigation tools
have brought new business value to using the Internet. It may take time
before these companies realize what they are missing.
The business opportunities on the Internet are developing too rapidly
for a few scattered specialists in a company to follow. Using the
Internet to a company's best advantage requires training a broad
selection of its employees on the available tools and information
sources and on how to capitalize on the new opportunities. In addition,
many of the most Internet-capable companies today have special internal
teams, or use outside consultants, that are devoted to watching how the
company can capitalize on this rapidly changing technology. Thankfully,
new low-cost applications are making it easier to track and follow these
rapid changes in the technology.
The Internet has become an invaluable tool in the workplace. A number
of experts from all types of fields are connected to the Internet, and
many are outspoken and willing to help others with problems in their
field. Getting answers to questions quickly can save lots of time and
money. Furthermore, communication with peers can greatly enhance the
level of expertise one gains while on the job. The Internet makes this
communication easier every day.
While the number of businesses on the Internet has soared this year,
many of these companies have not yet begun selling products over the
Internet; instead they simply provide information about themselves and
about upcoming products and services. Why? Because there is a great deal
of hesitation about security, and many articles in the press have
highlighted recent break-ins. Unless the security problems are fixed,
companies whose survival may depend on proprietary trade secrets and
closely guarded cost and price information, as well as the financial
institutions required to provide a payments infrastructure, will not
participate. Without the support of financial institutions, it will not
be possible to gather the critical density of businesses necessary for
a healthy marketplace to develop.
Cryptography and firewalls, applied according to a company's security
policy, can address most of the issues involved in protecting a business
from fraud. Cryptography provides transaction security, while firewalls
prevent unauthorized access to information and accounts.
All of this functionality can be implemented in different ways using
different protocols. Secure e-mail software uses protocols such as PEM and
PGP; secure web servers use either the SSL or the S-HTTP protocol. The SSL
and S-HTTP web servers on the market today provide confidentiality,
integrity, and server authentication, but none yet offer digital
signatures. (Digital signatures are needed for customer authentication:
to make sure that the company doing business on the Internet knows for
sure who is at the other end.) Many Internet shopping ventures have
proceeded without digital signatures, because if a customer orders a
product and provides a credit card number, it is not always necessary to
know who placed the order: the credit card number is enough for some
companies. Banks, however, will probably want to wait for cryptographic
software that incorporates digital signatures.
An electronic mail system using public key cryptography issues its own
public-private key pairs, and a company desiring to do business over the
Internet issues key pairs to its customers. Currently, there are a few
directory systems that make every person's public key available from
several locations (this is the case for PGP public keys), but there is
no central authority issuing key pairs; certifying authority systems
that are unanimously trusted by merchants, customers and businesses
still remain to be established.
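A minimal illustration, added here and not part of the original text, of what the two preceding paragraphs describe: a certifying authority vouches for a customer's public key, and a merchant accepts an order only if the certificate chains to the authority it trusts and the order carries a valid signature from the certified key. It uses Go's standard ed25519 package; the certificate layout, the customer name and the order text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a constructed, deliberately minimal certificate: it binds a
// customer's name to a public key under the certifying authority's signature.
type Cert struct {
	Name   string
	PubKey ed25519.PublicKey
	CASig  []byte // authority's signature over certBody(Name, PubKey)
}

// certBody is the byte string the authority signs; the NUL separator keeps
// the name and the key from running into one another.
func certBody(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueCert is the certifying authority vouching for a customer's public key.
func IssueCert(caPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{Name: name, PubKey: pub, CASig: ed25519.Sign(caPriv, certBody(name, pub))}
}

// VerifyOrder is the merchant's check: the certificate must have been issued
// by the authority the merchant trusts, and the order must be signed by the
// key that certificate vouches for. Either failure rejects the order.
func VerifyOrder(caPub ed25519.PublicKey, c Cert, order, sig []byte) bool {
	if !ed25519.Verify(caPub, certBody(c.Name, c.PubKey), c.CASig) {
		return false
	}
	return ed25519.Verify(c.PubKey, order, sig)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)     // the authority
	custPub, custPriv, _ := ed25519.GenerateKey(rand.Reader) // a customer
	cert := IssueCert(caPriv, "alice@example.com", custPub)  // constructed name

	order := []byte("ORDER 1 x widget, ship to Alice") // constructed order
	sig := ed25519.Sign(custPriv, order)
	fmt.Println("genuine order accepted:", VerifyOrder(caPub, cert, order, sig))
	fmt.Println("altered order accepted:", VerifyOrder(caPub, cert, []byte("ORDER 100 x widget"), sig))
}
```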
Besides, commerce needs reliable and secure means of payment in order
to become, in electronic form, what it is in the ``real'' world. It is
now clear that the technology necessary for secure electronic Internet
payment systems already exists. Thus, achieving security for all
parties, including perfect untraceability for the buyer, is possible.
Currently, no proposal or system is dominant, but with high probability
this will change within the next two years at most. However, the
question ``Which payment system will be used on the Internet?'' will
not have a single answer. Several payment systems will coexist:
micro-payments (less than $1), low-value payments ($1-$100) and
high-value payments have significantly different security and cost
requirements.
Possibly, high values will be transferred using non-anonymous, on-line
payment systems based on asymmetric cryptography, implementing a
cheque-like or credit-card-like payment model. As soon as smartcard
readers are available at PCs and workstations, small amounts might be
paid using pre-paid off-line payment systems that provide a certain
degree of untraceability (like real cash).
Payment systems with and without tamper-resistant hardware on the
buyer's side will coexist for some time. Ultimately, payment systems based on
smartcards and electronic wallets (having their own display and
keyboard, and communicating with the buyer's terminal via an infrared
interface) will become dominant, since they clearly provide better
security and enable the buyer to use untrusted terminals without
endangering security. Probably, a few almost equivalent payment systems
will coexist for the same areas of application (i.e., payment model and
maximum amounts). The reasons are various ``cultural'' differences in
the business and payment processes (e.g., between the U.S. and Europe),
national security considerations that might disable some solutions in
some countries, and competition between payment system providers.
Cryptography so far has been implemented application by application; a
person running secure e-mail and a secure browser has to have two
passwords, one for each application. It makes more sense in the long
term, however, for the cryptographic software to reside below the
application level (as CP8 Software may intend to do), down at the
operating system level, so that all applications on the computer, rather
than just a specially modified application, can be made secure. By
running cryptography at the operating system level, businesses can deal
with customers running insecure browsers such as Mosaic rather than
having to give or sell them a secure browser.
Applications based on encryption that can provide strong, reliable and
robust security services exist in the marketplace today. Yet forces
continue to prevent their wide-scale deployment within the Internet.
Specifically, government officials have argued that cryptography is a
threat to their missions to preserve national security and prevent
crimes. They fear that encryption will be used to hide illegal
activities, prevent authorized tapping of communications lines, and
otherwise mask terrorist acts. Many nations have implemented laws that
prevent or restrict the use, trade, export and import of algorithms,
applications, and devices that use especially strong forms of
cryptography. However, we can assume that a reasonable balance can be
found between the groups that need strong and inexpensive cryptography
for international electronic commerce and governmental agencies
responsible for national security and crime prevention.
The implementation of an internationally agreed-upon cryptography
policy and adherence to certain standard implementations of
cryptographic mechanisms are necessary conditions for a strong,
reliable electronic commerce infrastructure. Users must be able to
purchase off-the-shelf, interoperable products that will easily plug
into the infrastructure. If they cannot, the Internet will be perceived
as a niche channel, not a robust commercial sales channel, exploited
only by those with enough knowledge and resources to navigate the
technical maze.
We can assume that the key to a robust, ubiquitous international
electronic marketplace will be interoperability among many different
hardware and software systems. Standard implementations of protocols,
along with a variety of user-driven options, will be critical to user
acceptance. The majority of users will prefer ``plug-and-play''
products and will not want to bother with the technical issues of
encryption method, key length, challenge-response protocols, and export
status. (Thus, by providing a significant, seamless and reliable means
of partially securing electronic commerce, CP8 could attract many
users.)
A buyer on the Internet will need to interact with many servers from
many organizations. In some cases, confidentiality and authentication
may be required, in others only authentication or only confidentiality
may be chosen. For certain transactions, the user may need to encrypt
using a mechanism approved for export, such as an exportable version of
RC2 from RSA Data Security. For other transactions, the user may wish
to use triple DES, a strong form of DES encryption. These kinds of
pick-and-choose, reliably implemented options will only be available if
suppliers of products agree on standard protocols and technologies
that then become pervasive.
Eventually, we can assume that cryptographic mechanisms will be
deployed at virtually every level of the global information
infrastructure. Routers will use cryptography to authenticate each
other, as will users to other users, programs to users, users to
services, programs to hardware, and so on. Data links will be encrypted
from a hand-held device to the computer on your desk, from host to
network, and from router to router. Files on a local disk will be
routinely encrypted, as are applications such as those that move sums
of money from one bank to another or that transmit secret information
such as a consumer's credit card number or a price quotation for goods
or services. This sort of universally suspicious behavior between
interfaces at every layer of abstraction is the appropriate policy when
the means to secure communications is inexpensive, the price of
compromise potentially so high, and the path between end points crosses
many boundaries of trust.