E0 239 : Electronic commerce Y. Narahari e-Enterprises Laboratory Department of Computer Science and Automation Indian Institute of Science Bangalore - 560 012 INDIA

The objective of Release 3 is to "secure" transactions in VIPANI and implement simple "payments." The deadline for this would be Saturday, April 10th.

For the sake of simplicity and convenience, we will understand how things can be done for the first business model (supply curve auction). I would like you to develop and implement "security and payment protocols" as explained below, for your second business model.

1. Note that VIPANI has two types of entities: Buying Agent (B), and Selling Agents (S). In addition to this, we will have two more entities:
   • Payment Gateway and Banks Combined (call it BANK) and
   • Certification Authority (CA). You need to implement CA and BANK also. Their roles are explained below.
2. CA issues public key certificates to BANK, buying agent, and all selling agents. Each of these entities will first generate their respective key pairs and later submit their respective public keys to CA for certification. A digital certificate iisued by CA will have the form (ID of entity, public key of entity, expiry date of public key) and is digitally signed with the private key of the CA. This digital certificate can be verified using the public key of the CA. All entities in the system (buying agent, all selling agents, and BANK) are assumed to have an authentic copy of the public key of CA. Also, the digital certificate issued by CA to the BANK are assumed to be known by all the entities.
3. Buying agent and selling agents can open Accounts with BANK and the BANK issues debit cards to the agents. The Account numbers and Debit Card are unique to each agent. (These are not credit cards but debit cards. Note the difference). Protocol for this:
   • An agent, say X, requests BANK by sending its ID (ie X), its public key certificate, and an opening balance, all encrypted with the public key of the BANK.
   • The BANK decrypts the above using its private key.
   • The BANK determines the authentic public key of X using the certificate
   • The BANK issues to X an Account No. and a Debit Card No. along with opening balance in account. The bank sends this information encrypted with the public key of X.
   • X decrypts the info and knows its account no, debit card no, and balance in account.
4. Selling agents communicate their bids (ie supply curves) to the buying agent. Each selling agent encrypts the information using the public key of the buying agent. Along with this "encrypted bid", each selling agent sends its public key certificate to the buying agent. The buying agent uses its private key to decrypt the information from each selling agent.
5. Simple Payments: This involves payments by the buying agent to all "winning" selling agents. For each winning selling agent (say W), the following activities take place:
   • The buying agent sends a "payment advice" to BANK to transfer money to the account of the selling agent W. This payment advice is encrypted using the authentic public key of the BANK and is digitally signed by the buying agent.
   • The buying agent also sends a "payment notification" to W, encrypting it using the authentic public key of W, and signing it with its private key. W decrypts this using its private key and verifies signature of buying agent.
   • The BANK receives the encrypted payment advice, decrypts using its private key, and also verifies the signature of the buying agent. The BANK does a credit to the account of the selling agent W and a debit from the account of the buying agent.
   • The BANK notifies the buying agent and the selling agent W about this. The notification message for the buying agent is encrypted using the public key of buying agent and digitally signed. The notification message for W is encrypted using the public key of W and digitally signed.
   • W decrypts the notification from BANK and verifies the BANK's signature and matches this with the "payment notification" from the buying agent (Step (b)). W now sends "payment receipt" message to the buying agent.

You can use CRYPTLIB, CRYPTOPP, CRYPTOOL.ORG, CRYPTC (from our Informatics Lab), or invoke appropriate APIs from Java security package (this is part of JDK 1.2, 1.3, 1.4). Consult Java Tutorial Online for more information on how to use the Java Security Package. You can also implement some of the tasks yourself. You may also look into http://www.securitytechnet.com/crypto/open_src.html for more information on open source libraries for cryptography and security.
Breakup of weightage at the time of Demo for Release 2:

1. Is your implementation faithful to the design? You have to explain to the TAs in what ways your implementation model captures the design model and in what ways it deviates from the design model. (10%)
2. Correctness and completeness of your implementation (20%). Remember that you are supposed to implement two business models for the second release.
3. Use of design patterns. How effectively have you used design patterns. Remember that you have to use at least two patterns in a solid way (20%)
4. Structuring of your code and quality of your documentation (20%). You have to walk through your code for this.
5. Innovations, any nice algorithms you have used, any interesting data structures, any technological innovations, etc. (You need to impress the TAs on these) (20 %)
6. Your response to on-line questions asked by TAs (10 %)

• Implementation of CA - 20 %
• Implementation of BANK- 20 %
• Selling Agent to Buying Agent Transactions - 20 %
• Payment Transactions - 20 %
• Conformance to original design - 10 %
• Online questions - 10 %