Foreign-language translation: original text

Electronic ticketing: risks in e-commerce applications
Material Source: http:
Author: Dominik Haneberg

Abstract. This article gives an overview of Electronic Ticketing. It includes a discussion of the advantages of Electronic Ticketing and mentions some projects currently in operation. It also contains an introduction to the different devices usually used to implement Electronic Ticketing systems. Two particularly interesting Electronic Ticketing applications for railway tickets are presented, the security problems associated with such applications are raised, and techniques to secure such applications are discussed.

1 Introduction to electronic ticketing

Electronic Ticketing is a form of electronic commerce that offers a new distribution channel for different kinds of tickets, e.g. for public transport, for long-distance travel by train or airplane, or for cultural institutions like cinemas or museums. The tickets are sold electronically and stored in an electronic device. Usually a PC or PDA connected to the Internet, or a cell-phone, is used to order the tickets. The issued tickets are stored in cell-phones or smart cards. Storing the tickets on a device that the customer always carries simplifies life for the service user: the user will generally not forget their tickets anymore, because e.g. their cell-phone is their ticket.

1.1 Advantages for the customer

Tickets can be bought at any time, independent of the service hours of public transport companies or railway stations. The tickets can be sold by an electronic system, e.g. an online shop, and are immediately transmitted to the customer's device, so there is no queuing at the service counter. These service improvements help to raise customer satisfaction.

1.2 Advantages for the ticket issuer

In addition to the service improvements for the customer, Electronic Ticketing is also a chance for the ticket issuer to cut costs. Both the electronic selling and the electronic validation of tickets can help reduce staffing costs. Electronic tickets can also help to solve the problem of counterfeit tickets. Current ticketing is normally carried out with paper tickets, which can be modified or duplicated with modern image processing and printing technology. Using electronic tickets makes it possible to prevent such fraud, provided the tickets are protected cryptographically and the design accounts for how far the customer's device can be trusted (see Sections 1.4 to 1.6 and Section 3). Also, the expensive special paper often used to print tickets is no longer needed.

1.3 Electronic ticketing devices

Electronic Ticketing systems can use different devices as a container for the tickets. The tickets can be stored in a smart card or a cellular phone. When a cell-phone is used, the tickets can also be bought using the cell-phone. For certain Electronic Ticketing scenarios it is also possible to use a Personal Digital Assistant (PDA). Each of these devices has specific advantages and disadvantages, which are discussed in the following sections. In some cases it is a definite advantage for the development of Electronic Ticketing systems (and other mobile commerce applications) if the device used is programmable in a high-level language, especially Java. Fortunately, there are smart cards and cell-phones available that can be programmed in Java and, of course, PDAs can be programmed in Java as well. The different advantages and disadvantages must be carefully considered in the application design process: a smart card based system is less flexible because the user cannot order tickets without an Internet connection, and a solution with a non-tamper-proof device requires a completely different design because the data stored in the device cannot be trusted.

1.4 Smart cards

The main disadvantage of smart cards is that they cannot offer a user interface. Smart cards need an external terminal that communicates with the card and provides the user interface of the application. Most smart cards are contact-based; only a few offer wireless communication, and even then the communication range is limited: the smart card must be within approximately 30 cm of the terminal. The most important advantage of smart cards is that they are tamper-proof devices (strictly speaking tamper-resistant: both unauthorized access to data stored on the card and unauthorized modification of stored data are very difficult, not impossible). Modern smart cards also offer support for cryptographic operations using a cryptographic co-processor. Multi-application smart cards also offer mechanisms to separate the different applications installed on the same card and to regulate the possible data exchanges between them. Because the smart card can guarantee that the different applications are protected against each other, it is possible to install different applications on the same card even if the issuers of those applications do not trust each other.

1.5 Cellular phones

The disadvantages of cellular phones are that they are only partially tamper-proof and that their displays are small. The limitations of the display often lead to unwieldy user interfaces. The Subscriber Identity Module (SIM), a smart card used by the network operators to identify their customers, is tamper-proof, but the storage of the cell-phone itself is not. The great advantage of cell-phones is that they offer different short- and long-range wireless communication techniques, e.g. infrared, Bluetooth and, of course, GSM or UMTS.

1.6 Personal digital assistants

PDAs offer the largest display of the devices mentioned and, because of the touch-screen display, applications can offer a user interface that is easy to use. PDAs offer different short-range radio connections and can be combined with a cell-phone for long-range communication. The disadvantage of PDAs is that they are not tamper-proof at all. Further disadvantages of PDAs are their weight and the low numbers currently in use.

2 Electronic ticketing in practice
There are already numerous Electronic Ticketing systems in operation, mainly for public transport. Most of these systems are based on smart cards, either contact-based or contact-less. Electronic Ticketing for long-distance travel (e.g. railway or airline tickets) is not yet very common, and E-Ticketing for cultural or sporting events is also not yet established. In Germany, there are currently more than 25 E-Ticketing systems for public transport in operation or in a test phase. By far the most of them are based on smart cards. Among the smart card based systems, most use contact-less smart cards and a Check-In/Check-Out policy, which means that the customer must register when entering and leaving e.g. the bus by holding the smart card close to the terminal. This is somewhat inconvenient but allows dynamic pricing, i.e. the minimal rate for each trip can be calculated. Improvements to the Check-In/Check-Out mechanism are offered by Walk-In/Walk-Out or Be-In/Be-Out, which use passive detection of the E-Ticketing customers; the customer does not have to register actively. The paper by Eugenia et al., 2002 provides an overview of smart card based Electronic Ticketing systems. On the international level, there are Electronic Ticketing systems in more than 20 European countries and on every continent. Although public transport is the most common E-Ticketing application, there are other examples. E.g. Siemens and an airline developed an application which allows the airline passenger to check in and select a seat using a cellular phone. The ticket is sent to the cell-phone as a picture message containing a matrix code that is used as a boarding pass at the gate.

2.1 Electronic ticketing for railway tickets

In the following two sections, two entirely different innovative E-Ticketing solutions for railway tickets are presented. The first is based on smart cards, the second uses a PDA as the customer's device. Each of these applications has distinct advantages but also specific risks which must be addressed.

2.2 Electronic tickets with smart cards

In the article by Haneberg, 2002 an Electronic Ticketing system for railway tickets based on smart cards is described. The application is based on a smart card application ("cardlet") that must be installed on a smart card owned by the customer. Using multi-application smart cards with support for field-loadable code would be optimal for such applications, because the customer needs only one smart card and all other applications they want to use are added on demand to the set of cardlets on the card. This is convenient for the customer and reduces costs, because sophisticated smart cards with e.g. cryptographic co-processors are expensive, and it would therefore be a great advantage if it were not necessary to issue another smart card for each new application. In the presented Electronic Railway Tickets system, the tickets are sold electronically, e.g. via a Web shop run by the railway company. The ticket issuing system ("server") communicates with the cardlet on the customer's smart card. Therefore the customer's PC needs not only an Internet connection to contact the server but also a smart card terminal to communicate with the cardlet. Tickets are ordered electronically and stored on the smart card. This means that the smart card contains the E-Ticketing application, the tickets bought by the customer and the cryptographic keys necessary to secure the communication. A great advantage of this solution is that
the tickets can be validated offline by the conductor. This means that the conductor does not need access to the data of the server issuing the tickets. This is possible because the authenticity of the smart card program can be checked using cryptographic methods (e.g. challenge-and-response methods) and because the tamper-proofness of the smart cards means that data stored on the card cannot be manipulated without authorisation. Therefore, the conductor terminal can trust the data it receives from an authenticated smart card application. The fact that the authenticity of the E-Ticketing smart card program can be verified also permits the passing-on of tickets from one smart card to another, because the receiving smart card can verify the authenticity of the cardlet that sent the ticket and can therefore be sure that the ticket it received is authentic as well. Another advantage of this system is that it is possible to combine the Electronic Ticketing with other applications, e.g. loyalty programs or electronic payment solutions.

2.3 Electronic onboard ticketing

The system described in the previous section is the usual way of buying railway tickets: the trip is planned in advance and suitable tickets are ordered before the trip starts. Sometimes this is not convenient, or is even impossible. The E-Ticketing system described in this section offers a solution for this case and is therefore very different from the system described above. Electronic Onboard Ticketing was presented in detail by Haneberg et al., 2004. The system is designed as a location-based service that sells railway tickets where the customer needs them: on the train. The scenario for Electronic Onboard Ticketing is a traveller who knows his/her possible connections but who cannot or does not want to buy tickets in advance. An example is a person who attends a business meeting finishing at an unspecified time. After the meeting, the traveller simply wants to go to the railway station and board a train in a specific direction without having to wait in a queue to buy a ticket. With Electronic Onboard Ticketing this is possible: the traveller can buy the ticket on the train using a PDA. The PDA must have Bluetooth capability to locate the ticket issuing service and communicate with the train. Buying tickets is very simple. When the traveller has boarded the train, he/she activates the PDA on which the client application is installed. After the programme has been started, it contacts the train server via Bluetooth and requests the upcoming stations. The train transmits the list of remaining stops to the PDA and the customer selects his/her destination. The destination is transmitted to the server, and the class in which the customer is travelling is determined based on the Bluetooth receiver the customer's PDA is connected to. Then an appropriate ticket is generated. After the payment data is transmitted, the purchase is completed. The main advantages of this E-Ticketing solution are ease of use, a cost-free communication technique and the fact that the customer can buy tickets in a location-based way.

3 Security problems in e-commerce applications

In the sections above it was shown that Electronic Ticketing has clear advantages, but there are also risks. Communication is an integral part of E-Commerce applications in general and of E-Ticketing systems in particular. If the application is not designed carefully, its security is in danger and fraud or disclosure of confidential data becomes possible. The data exchanged between the different systems of the application must be protected using cryptographic methods. Two different sources of security problems must be considered.

The first is an application design that is inappropriate for the devices used. For example, ticket validation in Electronic Onboard Ticketing is completely different from validation in the smart card based E-Ticketing system. Because PDAs are not tamper-proof, the railway company cannot trust the data stored on the PDA. Besides manipulation of the data on the PDA, it is also possible to copy the data. Therefore, in this scenario, it is not possible to implement an offline validation of tickets. In this application the tickets are stored on the train server instead of the PDA; the PDA only receives a ticket identifier. The validation of a ticket is also done on the train server, which enables the conductors to find out whether the same ticket is presented more than once.

The second threat to E-Commerce applications is erroneous cryptographic protocols. Cryptographic protocols are necessary to ensure the secrecy and integrity of transmitted data as well as the authenticity of communication partners and transmitted data. The problem is that cryptographic protocols are difficult to develop (Anderson et al. 1995; Burrows et al. 1990). They often contain subtle errors that may be exploited by malicious users of the service. In the remaining part of this section an example of a protocol error for the smart card based E-Ticketing system is described. The protocol is denoted as a sequence of message transfers. Messages are either basic information (e.g. cryptographic keys) or compound messages such as encrypted data. In the protocol description Ri denotes a random number ("nonce"), SA is the
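The following is an added example and is neither code from the paper nor from the systems it describes; the protocol the paper goes on to present is not reproduced here. It puts the two validation models from Sections 2.2, 2.3 and 3 side by side: offline validation of a ticket held by a tamper-resistant cardlet, where the conductor terminal challenges the card with a fresh nonce and trusts the ticket only after the response verifies, and online validation of an onboard ticket that lives on the train server while the PDA holds only an identifier, so that a copied identifier is detected when it is presented a second time. The primitives are assumptions for the demonstration (HMAC-SHA256 under one symmetric key shared by issuer, cards and terminals, length-prefixed fields, the JSON ticket fields, a 16-byte random identifier); a real deployment would at least diversify keys per card.

```python
"""Added example (not from the paper): the two validation models of Section 3.
Model A (Section 2.2): ticket and key live inside a tamper-resistant smart card;
a conductor terminal validates OFFLINE with a challenge/response.
Model B (Section 2.3): the PDA is not tamper-resistant, so the train server keeps
the tickets, the PDA holds only an identifier, and validation is ONLINE.
MAC construction, key handling and field names are assumptions for this demo."""
import hashlib
import hmac
import json
import secrets

# Assumption: one symmetric key shared by issuer, cardlets and conductor terminals.
# A deployment would diversify keys per card and keep the terminal's copy in a
# SAM; the paper does not specify its primitives.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


# ---- Model A: ticket stored on a tamper-resistant smart card ------------------
def issue_card_ticket(key: bytes, ticket: dict) -> tuple:
    """Issuer (web shop) authenticates the ticket; the card stores body + tag."""
    body = json.dumps(ticket, sort_keys=True).encode()
    return body, _mac(key, b"ticket", body)


class Cardlet:
    """Models the cardlet: the key and the ticket never leave the card."""

    def __init__(self, key: bytes):
        self._key, self._ticket = key, b""

    def load(self, body: bytes, tag: bytes) -> None:
        # The card refuses a ticket whose issuer tag does not verify.
        if not hmac.compare_digest(_mac(self._key, b"ticket", body), tag):
            raise ValueError("ticket rejected by card: bad issuer tag")
        self._ticket = body

    def respond(self, nonce: bytes) -> tuple:
        # Answer a challenge: the ticket plus a MAC bound to the fresh nonce.
        return self._ticket, _mac(self._key, b"validate", nonce, self._ticket)


def conductor_offline_check(key: bytes, responder, today: str, nonce: bytes = b""):
    """Offline validation: fresh nonce, verify the card's response, only then read
    the ticket. `responder(nonce)` stands in for the card protocol; a caller may
    fix `nonce` to demonstrate replay."""
    nonce = nonce or secrets.token_bytes(16)
    body, tag = responder(nonce)
    if not hmac.compare_digest(_mac(key, b"validate", nonce, body), tag):
        return False, "response not from an authentic cardlet (or replayed)"
    ticket = json.loads(body)
    if ticket.get("valid_on") != today:
        return False, "ticket not valid today"
    return True, ticket


# ---- Model B: PDA not tamper-resistant -> tickets live on the train server ----
class TrainServer:
    """Onboard server: issues identifiers, stores tickets, validates online."""

    def __init__(self):
        self._tickets = {}

    def sell(self, destination: str, travel_class: int) -> str:
        # The PDA receives only this identifier. It must be unguessable, and
        # copying it creates no second ticket: the record stays on the server.
        tid = secrets.token_urlsafe(16)
        self._tickets[tid] = {"dest": destination, "class": travel_class, "presented": 0}
        return tid

    def validate(self, tid: str) -> tuple:
        rec = self._tickets.get(tid)
        if rec is None:
            return False, "unknown ticket identifier"
        rec["presented"] += 1
        if rec["presented"] > 1:
            # Detectable only because validation is central: an offline check of
            # PDA-held data could not tell a copy from the original.
            return False, "already presented %d time(s) before" % (rec["presented"] - 1)
        return True, rec


def demo() -> dict:
    """Run both models and return the verdicts (True = accepted)."""
    day = "2004-05-01"
    body, tag = issue_card_ticket(ISSUER_KEY, {"from": "A", "to": "B", "valid_on": day})
    card = Cardlet(ISSUER_KEY)
    card.load(body, tag)
    ok_card, _ = conductor_offline_check(ISSUER_KEY, card.respond, day)
    # Replay: a response recorded for one nonce fails a terminal's fresh challenge.
    recorded = card.respond(b"\x00" * 16)
    ok_replay, _ = conductor_offline_check(ISSUER_KEY, lambda n: recorded, day, b"\x01" * 16)
    server = TrainServer()
    tid = server.sell("B", 2)
    ok_first, _ = server.validate(tid)
    ok_copy, _ = server.validate(tid)  # same identifier copied to a second PDA
    return {"card": ok_card, "replay": ok_replay, "server_first": ok_first, "server_copy": ok_copy}
```

Calling `demo()` returns `card=True, replay=False, server_first=True, server_copy=False`. The two models differ in where the trust anchor sits: in Model A the terminal trusts the ticket only because the response proves it came from a cardlet holding the key, freshly, for this nonce, which is what makes offline validation sound; in Model B nothing on the PDA is trusted, so the identifier must be unguessable and every decision is taken on the server, which is also what makes a duplicated ticket visible. Whether a second presentation is an error or legitimate (e.g. a second conductor) is a policy choice the paper leaves open; the code flags it so the conductor can decide.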