The following taxonomy is useful in understanding the security systems, technologies and authentication tools widely available to support secure transmission and storage of information in a networked e-business environment.

Firewalls

Firewalls are used to keep a network secure from intruders. A firewall is a network node consisting of both hardware and software that isolates a private network. In order to understand how a firewall works, one should have an understanding of packets, IP addresses and DoS attacks. However, very simply, it is explained with Hazari's (2000) description:
"A firewall is like a bouncer in a nightclub. Like a bouncer in a nightclub the firewalls have a set of rules, similar to guest list or dress code, that determine if the data should be allowed entry. Just as the bouncer places himself at the door of the nightclub, the firewall is located at the point of entry, where data attempts to enter the computer system. As different nightclubs might have different rules for entry, different firewalls have different methods of inspecting data for acceptance or rejection" (Turban et al., 2002, p. 565).

Authentication

Where services are provided on-line, agencies will need to reassess how they authenticate users. Flaws in authentication can lead to situations such as the illegal transfer of funds, unauthorised ordering of goods or the mischievous alteration of data. Authentication enforces confidence in electronic transactions and is a vital component of e-business.
These can be implemented in the following ways:

Passwords, PINs and User IDs

A password is a code or more often a common word used to gain access to a computer network. Passwords are the most common method of authentication for computer systems today. Systems should be designed to include expiration of passwords at regular intervals. If a user has access to more than one system or database at the organization, he or she should apply different passwords to access different systems. The more often a password is changed, the more secure the account becomes. Login attempts should be limited to two or three times and passwords should not be written down. As described by NOIE (2002), under a password system, a client accessing an agency's electronic application is requested to enter a 'shared secret' such as a password with their User ID. The system checks that password against information in a database to ensure its correctness and thereby 'authenticates' the client. Multiple passwords and password encryption can be used to strengthen this technique. User IDs are usually used in combination with passwords. The User ID is not necessarily kept private and may be made up of several simple pieces of information. For example, Shirley Jones may have the User ID 'sjones'. User IDs may also contain numbers to help distinguish between clients with similar or identical names, e.g., 'sjones637'. Typically, password-based authentication requires no third party products or services. It is cheaper to implement and guarantees a limited degree of authentication, and relies on users keeping their passwords secret.
For some applications it is suitable to include a one-time password where the system generates a unique password to be entered each time the application is accessed. Challenge and response systems also authenticate by asking a user to respond to a random challenge that is based on information in their client record, or on 'secret' phrases lodged with the agency. For example, when entering a challenge and response web site, the user will first be asked for a User ID and password. They would then be asked for unique information, such as the middle name of their second child. If all data matches, access is granted http://www.rsasecurity.com.

Cookies

A cookie is a piece of information that allows a web site to record one's comings and goings. It can act as a form of authentication to identify the user when he or she next enters the same web site. Not only can cookies help web sites recognise returning users, they can provide access to specific resources, track on line purchases or provide customised web pages. Properly used, cookies can greatly enhance the user's experience of web resources and increase convenience. However, misuse of cookies raises obvious privacy and security issues. If cookies are used, it should be mentioned in the web site privacy statement. Although cookies are useful for users as well, they have raised concerns over privacy with web sites collecting private information such as users, preferences, interests and surfing patterns.

Biometrics and Authentication

A biometric control is the verification of the identity of a person based on physiological or behavioural characteristics (Turban, 2002). The most common biometrics are photos of face, fingerprints, hand geometry, blood vessel pattern in the retina of a person's eye, voice, signature, keystroke dynamics, iris scan and other facial thermography. With biometric technology, the physical characteristic is measured (by a microphone, optical reader or some other device) and converted into digital form. This information is then compared with a copy already stored in the computer and authenticated as belonging to a particular person. If they match, the software will accept the authentication and the transaction is allowed to proceed.
Biometric applications can provide very high levels of authentication, and can be applied to identify students undertaking online exams from a remote location, fraud recipients of government entitlements, authorised buyers and sellers, and person undertaking the interviews for employment. Applications for biometrics include automatic teller machine access, personal computer network logon, time and attendance, enterprise-level data security, physical access and customer verification. Biometric authentication is also suitable for access to individual devices. It is less suited for authentication to software systems over open networks such as the Internet.

Encryption

Encryption is the coding of information by using a mathematically based program and a secret to produce a string of characters that are jumbled. It consists of an algorithm and a key for encoding and decoding of text. The system uses a secret key, which is a computer file that includes a mathematical value. This is used in conjunction with an algorithm to encrypt or decrypt a message. Conventional encryption is used for both encryption and decryption of information, and can be performed very quickly by modern PCs.
Asymmetric cryptography also authenticates users. For example, clients would be issued with a private key on a hardware device. The associated public key is securely held by the agency. When logging in, the client would enter his or her User ID and password. The agency would then automatically send a random number for the user to key into his or her device. The device employs the private key to process the random number and produces a result which the user enters into the agency's log-in process. If the agency is able to retrieve the original random number by reversing the process with the corresponding public key, then the client is authentic (http://webopedia.internet.com/TERM/C/challenge_response.html).

Public Key Cryptography (Digital Certificates)

Public key encryption is a form of asymmetric cryptography. It ensures the confidentiality and privacy of a message as it moves across a network by scrambling or encrypting it so that it is difficult and time consuming for an unauthorised person to decrypt the message. Public key cryptography uses separate pairs of keys for authentication (or signing) and encryption (or confidentiality). The key pairs are referred to as public keys and private keys. An application of public key cryptography as described in the NOIE report (2002) is:
"Authentication (or signing). When using an authentication key pair, the public key is published to the world while keeping your private 'signing' key secret. Anyone with a copy of the public key can decrypt something encrypted ones private 'signing' key. This will provide them with a level of assurance of ones identity. On its own, the public key cannot be used to sign a document; it can only be used to verify who has signed it.
Encryption (or confidentiality). In the same fashion, to use an encryption key pair the public key is published while the private key is kept a secret. Anyone with a copy of this published public key can then encrypt information that only the sender can read. The information encrypted with the public 'confidentiality' key can only be decrypted using ones private 'confidentiality' key."
Several prominent authentication solutions make use of public key cryptography. These include PKI, PGP and SSL.

Public Key Infrastructure (PKI)

PKI is a set of procedures and technology that enables users of a network such as the Internet to authenticate identity, and to securely and privately exchange information through the use of public key cryptography. To achieve this, public and private keys and a digital certificate can be obtained through a trusted third party authority, known as a Certification Authority (CA). The CA links the public key to the digital certificate and vouches for the identity of the key holder. Registration Authorities (RAs) collect and manage the appropriate levels of Evidence of Identity (EOI) from applicants for digital certificates. Dependent upon the PKI business model employed, appropriately accredited RAs may also create keys and certificates (NOIE, 2002).

Pretty Good Privacy (PGP)

PGP is a security software application that enables two known parties to exchange information securely with each other. PGP can be utilised for small communities or businesses who know each other and wish to communicate securely. In these instances it is easy to manually exchange diskettes or e-mails containing each owner's public key rather than publishing public keys to the world. Each member of the group holds a copy of each other's public key.
Difficulties associated with holding large numbers of public keys means that PGP is practical only to a certain point. Beyond that point, it is necessary to put systems into place that can provide the necessary security, storage and exchange mechanisms for co-workers, business partners or strangers to communicate if need be. PKI systems (discussed above) provide these kinds of features.

SSL and TLS

The Secure Sockets Layer (SSL) protocol is a set of rules governing authentication of servers (such as web servers) and encrypted communication between clients and servers. It operates at the TCP/IP layer and supports a variety of encryption algorithms and authentication methods. The protocol was developed to secure the transmission of data over the Internet. The authentication process under SSL uses public key encryption, and digital signatures do not authenticate the user but confirm that a server is in fact the server it claims to be. Once the server has been authenticated, the client and server use symmetric key encryption to encrypt the information exchanged electronically. A different session key is used for each transaction, impeding a hacker's ability to decrypt messages. However, SSL and Transport Layer Security (TLS) only provide confidentiality and integrity for the server (http://www.dsd.gov.au/infosec/publications/SSL_policy.html).

SET

A crypotographic solution that is designed to handle the complete transaction is the secure electronic transaction (SET). In order to fulfil credit-card payments on the web, both Visa and MasterCard needed a protocol that could safely link the Internet to existing bank-card processing networks, and the two went head-to-head with competing solutions (Turban, 2002). This enforces trust in e-business because of the involvement of reputed companies. Regardless of which protocol comes out on top, customers' confidence in security of transactions on the web is enhanced by names like Visa and MasterCard. The converged protocol that the ensuing collaboration produced is known as Secure Electronic Transactions, or SET. Like any other secure-channel protocols, SET provides public/private key authentication and message integrity and is specifically designed for credit-card transactions, in that sensitive information is encrypted throughout the card-processing network. SET's configuration allows merchants to access only the data they require to fulfil the order, making it more secure. The customer's credit-card data remains encrypted until it reaches the appropriate financial institutions. All of the major companies involved hope that SET is the protocol that will finally instil confidence in the Internet as a safe space in which to conduct e-business (NOIE, 2002). Acceptance of SET has been slow in Australia due to the requirement by both clients to have the specialised software.