
6.1 General

The Internet is no longer just an academic and scientific research tool; it is rapidly being transformed into a model of a thriving new world economic paradigm. Many people have heard the terms "Information Highway" or "National Information Infrastructure", though few, including network experts, have a firm grasp of, or agree on, what these terms mean. But while the politicians and giant companies are fighting over how to build this infrastructure, the Internet is already transforming itself into the international "dirt roads" of network commerce.

For over a year, more and more new businesses have begun offering information, services, and even products on the Internet. The majority of these new commercial services are being offered through the multimedia information distribution system World Wide Web (WWW), which allows documents, files, pictures, videos, sounds, and more to be exchanged across a network.

Mosaic, the WWW Navigator, has excited people all over the Internet because it lets them explore the wealth of information which has been lurking throughout the Internet. What is perhaps more significant is the constant barrage of new businesses and services being offered every day through this medium. It is as if this one application has unleashed the hidden potential of computer networking for enabling all kinds of people to do business on and use the Internet. Many companies are already using Mosaic, and other tools on the Internet, as a means of performing market research, analyzing their competitors, conducting customer support, providing on-line brochures and catalogs, and even taking orders.

There are hundreds of companies which offer services through Mosaic, newsgroups, e-mail, ftp, gopher, WAIS, and many other Internet information navigation applications. Companies using the Internet are finding they can gain instant international market exposure, provide 24-hour support to their world-wide customers at lower costs than traditional methods, offer up-to-the-minute advertising, provide the latest product information or catalogs, and even let customers place orders without a phone call. Furthermore, companies can use the Internet to collaborate with other companies (large and small) to work together more effectively. Transmitting information over the Internet is much faster in most cases than sending by fax or by traditional delivery services. Documents and data can be easily transferred, saving countless hours and delivery costs.

Some larger companies have been connected to the Internet for years. But in many cases only a few of their employees have truly realized its benefits. The rapid growth and availability of new navigation tools have brought new business value to using the Internet. It may take time before these companies realize what they are missing.

The business opportunities on the Internet are developing too rapidly for a few scattered specialists in a company to follow. Using the Internet to a company's best advantage requires new training of a broad selection of its employees on the tools and informational sources available and on how to capitalize on the new opportunities. In addition, many of the most Internet-capable companies today have special internal teams, or use outside consultants, devoted to watching how the company can capitalize on this rapidly changing technology. Thankfully, new low-cost applications are making it easier to track and follow these rapid changes in the technologies.

The Internet has become an invaluable tool in the workplace. A number of experts from all types of fields are connected to the Internet, and many are outspoken and willing to help others with problems in their field. Getting answers to questions quickly can save lots of time and money. Furthermore, communication with peers can greatly enhance the level of expertise one gains while on the job. The Internet makes this communication easier every day.

While the number of businesses on the Internet has soared this year, many of these companies have not yet begun selling products over the Internet, and instead are simply providing information about themselves and upcoming products and services. Why? Because there is a lot of hesitation about security, and there have been many articles in the press highlighting recent break-ins. Unless security problems are fixed, companies whose survival may depend on proprietary trade secrets and closely guarded cost and price information, and financial institutions required to provide a payments infrastructure, will not participate. Without the support of financial institutions, it will not be possible to gather the critical density of businesses necessary for a healthy marketplace to develop.

Cryptography and firewalls, based on a company's security policy, can address most of the issues to protect a business from fraud. Cryptography provides for transaction security, while firewalls prevent unauthorized access to information and accounts.

All of this functionality can be implemented in different ways using different protocols. Secure e-mail software uses protocols such as PEM and PGP; secure web servers use either the SSL or the S-HTTP protocol. The SSL and S-HTTP web servers on the market today provide for confidentiality, integrity, and server authentication, but none yet offer digital signatures. (Digital signatures are needed to perform customer authentication: to make sure that the company doing business on the Internet knows for sure who is at the other end.) Many Internet shopping ventures have proceeded without digital signatures, because if a customer orders a product and provides a credit card number, it is not always necessary to know who has placed the order: the credit card number is enough for some companies. Banks, however, will probably want to wait for cryptographic software that incorporates digital signatures.

An electronic mail system using public key cryptography issues its own public-private keys, and a company desiring to do business over the Internet issues key pairs to customers. Currently, there are a few directory systems that make every person's public key available from several locations (this is the case for PGP public keys), but there is no central authority issuing key pairs, so certifying authority systems that will be unanimously trusted by merchants, customers and businesses still remain to be established.

Besides, commerce needs reliable and secure means of payment if its electronic version is to become what it is in the "real" world. It is now clear that the technology necessary for secure electronic Internet payment systems already exists. Thus, achieving security for all parties, including perfect untraceability for the buyer, is possible.

Currently, no proposal or system is dominant, but with high probability this will change within the next two years at most. However, the question "Which payment system will be used on the Internet?" will not have a single answer. Several payment systems will coexist: micro-payments (less than $1), low-value payments ($1-$100) and high-value payments have significantly different security and cost requirements.

Possibly, high values will be transferred using non-anonymous, on-line payment systems based on asymmetric cryptography, implementing a cheque-like or credit-card-like payment model. As soon as smartcard readers are available at PCs and workstations, small amounts might be paid using pre-paid off-line payment systems that provide a certain degree of untraceability (like real cash).

Payment systems with and without tamper-resistant hardware at the buyer will coexist for some time. Ultimately, payment systems based on smartcards and electronic wallets (having their own display and keyboard, and communicating with the buyer's terminal via an infrared interface) will become dominant, since they clearly provide better security and enable the buyer to use untrusted terminals without endangering security. Probably, a few almost equivalent payment systems will coexist for the same areas of application (i.e., payment model and maximum amounts). The reasons are various "cultural" differences in the business and payment processes (e.g., between the U.S. and Europe), national security considerations that might disable some solutions in some countries, and competition between payment system providers.

Cryptography so far has been implemented application by application; a person running secure e-mail and a secure browser has to have two passwords, one for each application. It makes more sense long-term, however, for the cryptographic software to reside below the application level (as CP8 Software could intend to do), down at the operating system level, so that all applications on the computer, rather than just the specially modified application, can be made secure. By running cryptography down at the operating system level, businesses can deal with customers running insecure browsers such as Mosaic rather than having to give them or sell them a secure browser.

Applications based on encryption that can provide strong, reliable and robust security services exist in the marketplace today. Yet forces continue to prevent their wide-scale deployment within the Internet. Specifically, government officials have argued that cryptography is a threat to their missions to preserve national security and prevent crimes. They fear that encryption will be used to hide illegal activities, prevent authorized tapping of communications lines, and otherwise mask terrorist acts. Many nations have implemented laws that prevent or restrict the use, trade, export and import of algorithms, applications, and devices that use especially strong forms of cryptography. However, we can assume that a reasonable balance can be found between the groups that need strong and inexpensive cryptography for international electronic commerce and governmental agencies responsible for national security and crime prevention.

The implementation of an internationally agreed-upon cryptography policy and adherence to certain standard implementations of cryptographic mechanisms are necessary conditions for a strong, reliable electronic commerce infrastructure. Users must be able to purchase off-the-shelf, interoperable products that will easily plug into the infrastructure. If they cannot, the Internet will be perceived as a niche channel, not a robust commercial sales channel, exploited only by those with enough knowledge and resources to navigate the technical maze.

We can assume that the key to a robust, ubiquitous international electronic marketplace will be interoperability among many different hardware and software systems. Standard implementations of protocols along with a variety of user-driven options will be critical to user acceptance. The majority of users will prefer "plug-and-play" products and will not want to bother with the technical issues of encryption method, key length, challenge-response protocols, and export status (thus, by providing a significant, seamless and reliable means to partially secure electronic commerce, CP8 could attract many users).

A buyer on the Internet will need to interact with many servers from many organizations. In some cases, confidentiality and authentication may be required; in others, only authentication or only confidentiality may be chosen. For certain transactions, the user may need to encrypt using a mechanism approved for export, such as an exportable version of RC2 from RSA Data Security. For other transactions, the user may wish to use triple DES, a strong form of DES encryption. These kinds of pick-and-choose, reliably implemented options will only be available if suppliers of products agree to standard protocols and technologies that then become pervasive.

Eventually, we can assume that cryptographic mechanisms will be deployed at virtually every level of the global information infrastructure. Routers will use cryptography to authenticate each other, as will users to other users, programs to users, users to services, programs to hardware, and so on. Data links will be encrypted from a hand-held device to the computer on your desk, from host to network, and from router to router. Files on a local disk will be routinely encrypted, as are applications such as those that move sums of money from one bank to another or that transmit secret information such as a consumer's credit card number or a price quotation for goods or services. This sort of universally suspicious action between interfaces at every layer of abstraction is the appropriate policy when the means to secure communications is inexpensive, the price of compromise so potentially high, and the path between end points crosses many boundaries of trust.

Denis Arnaud