Other Free Encyclopedias » Online Encyclopedia » Encyclopedia - Featured Articles » Contributed Topics from K-O

Online Multimedia E-Commerce - Securing Multimedia E-Commerce, Secure Sockets Layer, Single Sign-On

data ssl audio internet

Ben Falchuk
Telcordia Technologies, Inc., Piscataway, USA

Vinod Jayaraman
NTT Multimedia Labs, Palo Alto, USA

Definition: Online multimedia e-commerce refers to a secure transfer of multimedia data over the Internet.

This article outlines some of the main concepts and use-cases associated with online multimedia e-commerce. By online multimedia e-commerce, we mean to imply a transfer of multimedia data achieved securely (or within the requirements of the participants) over the Internet (via wireline or wireless network infrastructure). The transferred data has some intrinsic value to the buyer and so a payment to the seller follows or precedes the data transfer in some secure fashion. Buying and activating a new ringtone from a mobile cellular phone or buying digital audio (a song) from a desktop PC are two quintessential examples, though the concept generalizes.

At the time of writing, digital multimedia e-commerce is on the rise. Digital audio, video, ringtones, and imagery lead the way. The International Federation of the Phonographic Industry (IFPI) and Jupiter Research estimate the digital music market at around $330 million in 2004 (with over 200 million tracks downloaded) and expect that to double in 2005. While this may represent the market peak, it is unlikely; and the industry is serious. Elsewhere, Sony, Matsushita, Samsung and Phillips will attempt to jointly develop common standard Digital Rights Management technologies for their devices. Meanwhile, some say ringtone e-commerce revenue is reaching $2-$3 billion worldwide and the pages of Billboard Magazine now track best-selling ringtones beside best-selling CDs. Online multimedia e-commerce has the following main use-cases:

  1. Find multimedia of interest on the network
  2. Secure its delivery and payment
  3. Display the media on the Device
  4. Manipulate the media via other E-Commerce applications

The remainder of this chapter describes aspects of these main use-cases with details and examples from current prevalent technologies. As this topic is very broad and touches many aspects of technology, this chapter is intended to be a non-exhaustive high-level introduction to the concepts – technical and commercial – related to this domain.

Securing Multimedia E-Commerce

Secure data transactions over the Internet must generally meet the following requirements: authentication, authorization, confidentiality, integrity, and accounting [ 1 ], Authentication is the notion of identifying the buyer and/or seller. Authorization refers to the permissions of the participants with respect to the transaction and the data. Integrity refers to the process of ensuring that transaction data remains in an untampered-with form, agreed upon by all parties. Confidentiality is the notion that the details of both the transaction and the data remain known only to the parties involved. Accounting is the process by which trustworthy billing, reporting, and auditing information is reliably created. These requirements are not always met in all cases, and note that some technologies (described below) help to meet more than one requirement.

Digital certificates play a key underlying role in securing multimedia e-commerce. Certificates, issued by trusted 3 rd parties called Certificate Authorities (CA), verify the holder’s identity in an unforgeable way (for example, CREN.net grants “campus” certificates). A certificate is generally either a client certificate (to authenticate in individual’s identity, restrict access, etc.), server certificate (to allow visitors to an e-commerce site to authenticate the site’s identity), institutional certificates (allowing institutions to grant further certificates), or a root certificates from a CA. Certificates are used in the Secure Sockets Layer (SSL) (see next section) as well as Secure MIME, Internet Protocol Secure Standard (IPSec) and Secure Electronic Transactions (SET) protocols. The combination of certificates, CA’s, clients, and servers, together with the related policies and human roles, comprise a Public Key Infrastructure (PKI). Managing PKI’s in deployment remains a challenge for many reasons, including costs of ownership.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a de facto standard, originally created and implemented by Netscape Corp. It is now very widely used to secure the transport of information between Internet entities, including servers and Web browsers. SSL secures the transport layer – recall in the well known Open System Interconnection 7-layer protocol stack that physical, data link, and network layers are ‘below’ transport, and session, presentation, and application layers are ‘above’ it. Therefore SSL and its equivalents are concerned with securing transfer of data between end systems, as well as end-to-end error recovery and flow control. The Transport layer ensures complete data transfer. Transport level security is not concerned with MAC-level issues, encoding packets into bits, or connections between applications themselves, as these are handled at other levels. Since SSL is implemented by Internet Explorer and Netscape browsers, casual Web users see SSL in action daily. Both browsers indicate secure (encrypted) sessions with lock icons on the bottom toolbar (see Figure 1). Note that the IETF stewards the Transport Layer Security (TLS) protocol, which it has worked from SSL, and will attempt to move it through to standardization.

Figure 1. Web Browsers Netscape (left) and Internet Explorer (right) indicating SSL.
First, a brief outline of the basic SSL e-commerce use-case:

  1. Web client (e.g. Firefox, Internet Explorer, etc.) connects to an SSL-compliant Website (e.g. to submit a credit card payment)
  2. The Web client asks Web server to authenticate itself. This usually involves getting a legitimate CA’s declaration that the server has indeed registered. Once this ‘handshake’ is complete the parties have authenticated themselves (usually only the server) and exchanged ‘session keys’.
  3. Data sent from the web client during the SSL session is encrypted and cannot be read by interceptors, nor can it be tampered with

SSL works on two main fronts: a) ensuring data integrity and security, and b) coordinating connections. A view of the SSL layers of control is shown in Figure 2.

The SSL Record Protocol is used in the encryption of user data for packaging into a TCP packet (e.g. the credit card number above). Figure 3 illustrates this packaging procedure. User data is fragmented into (optionally compressed) small fragments (e.g. Data! in the Figure 3). Header information is added to each fragment, including record lengths, and a Message Authentication Code (MAC) value which results from hashing the data in the fragment with a secret key and other information. Then the data and the MAC are encrypted using some agreed upon encryption technique; additional headers (such as SSL version types) are added. Finally, the data is placed into a TCP packet for transmission. Note that past work has shown that the SSL’s overhead can incur a significant performance hit on SSL-enabled servers.

Single Sign-On

Single Sign-On (SSO) is an increasingly important enabler for online multimedia ecommerce. SSO alleviates the need for online users to have a user name and password for each Service Provider (SP) – that is, the need to be authenticated at each e-commerce site. Instead, a user with SSO technology can be authenticated only once for a circle of SP e-commerce sites. For example, once signed-on, the user can go to an airline web site and book tickets, and to a car rental web site for a car. At each site the user’s credentials and authorization (e.g. credit card number) are accessible to the SP via SSO technologies. The user is authenticated by a third party Authentication Service Provider (ASP) who has a special relationship with the SP’s in the ‘circle’. The user may have many identities with the ASP, and one or more may be associated with any of the SP’s. The ASP necessarily communicates user updates and identity information to SP’s in a secure fashion. At the time of writing, the Liberty Alliance (see projectlibery.org) and Microsoft Passport are two prevalent SSO technologies. The OASIS 1 Security Assertion Markup Language (SAML) defines an XML schema allowing authentication, authorization, and attribution assertions to be represented, and can serve as representation syntax for SSO-related assertions. In the example above, the SSO provider sends SAML assertions to both the airline and car rental e-commerce sites.

Multimedia E-Commerce Formats

Digital audio and video – movies and music – are two very important multimedia commodities (i.e. types), with respect to e-commerce. Online music and movie downloads comprise a large part of Internet multimedia revenue. For both of these there exist many digital formats, some of which are proprietary, while others are open standards; others still are grass-roots formats gathering community support (or losing it as the case may be). This section informally outlines some of these technologies. Table 1 summarizes some popular Internet file types for multimedia. Due to the lossy nature of the Internet, maintaining quality while delivering these multimedia types across the Internet to users is a challenge. Most audio and video playback tools rely on buffering to help ‘smooth out’ losses; some utilize a dynamic view of the current application bit rate to maintain quality.

In general, audio and video codecs intended for Internet use should compensate for anticipated packet losses (and subsequent retransmits) to optimize the end-user Quality of Experience (QoE). Codecs sample analog music and create a digital format. The sample length (in bits) and rate (number of samples per sec) essentially determine the resulting quality. As an example, audio CD’s are sampled in 16 bits at 44.1 kHz.

The audio encoding formats MP3 (MPEG-1/2 Layer 3) and AAC (MPEG-2 Advanced Audio Coding) are two of a small handful of dominant Internet audio formats. There are several reasons for this, including these standards’ open nature, availability of codecs/decoders, and their performance in audio quality tests. AAC is the more recent of the above two technologies and is widely seen as a successor to MP3. Both are lossy perceptual encodings, meaning that the file recovered by uncompressing the audio is not a bit-for-bit replica of the original. However, the algorithms have been designed to get close to the threshold at which these bit losses are inaudible to the human perception system (hence the coding is therefore referred to as perceptual encoding).

Some of the differences are pointed out below (see for more detailed explanations, and for block diagrams of MP3 and AAC encoder functionality):

  • Compressed file size – Given equal bit rates, AAC-encoded audio’s superior compression will yield a smaller file
  • Joint Stereo Coding – More flexible mid/side and intensity AAC coding algorithm (yields better compression)
  • Huffman Coding – in MP3, the coding of quantized samples occurs mostly in pairs (rarely quadruples). AAC uses quadruples coding more often.
  • High Freq. Resolutions – MP3: 576 frequency lines, AAC: 1024 frequency lines
  • Perceived Audio quality – AAC encoded audio fares better than MP3 (at the same bit rate). Note that such perceptual tests are difficult to administer and subjective

Multimedia formats enable content to be experienced on various hardware devices.

1 Organization for the Advancement of Structured Information Standards,

Consumer Devices

The target destination of online multimedia content, apart from the home computer, is a variety of consumer devices. With declining memory prices, shrinking hard drive sizes, and significant advances in compression technologies, there is wide array of consumer devices available for the public. Consumer devices come packaged with software to directly connect to an online store and allow the user to transfer, store, and catalog content. Content can then be synchronized with a PC over USB/FireWire/Bluetooth links. The end consumer devices fall in various categories:

  • Mobile Music players – In this scenario an individual user performs the following step:

    • Uses an application (e.g. iTunes from Apple) on his computer to access an online music store.
    • Browses, samples, and selects the music he wants.
    • Purchases the music through a secure encrypted channel such as SSL.
    • The user can, then, listen to the music on his home computer, burn it to a CD, or transfer it to a mobile device.

Mobile audio players come in various sizes and flavors – the storage capacity ranges from 16MB (flash) to over 60 GB (hard disk – space equivalent to around 15,000 songs). These devices are capable of playing music in various formats including AAC, MP3, WAV, and WMA. Popular vendors include: Apple, Creative Zen Micro, iRiver, and Yepp.

  • Cell Phones

    • Music – At the time of this writing, newer models of phones come equipped with over two gigabytes of disk space with optional memory. Stereo audio is supported wirelessly over Bluetooth technology. Handsets support MP3, WMA, RealAudio/Video, MIDI, WAV, AAC and a range of others formats -providing wide-ranging industry compatibility.
    • Images/ Video / TV – Camera cell phones with photo and video capture capabilities along with media players are increasingly popular. Streaming video along with TV for cell phones (e.g. MobiTV from Idetic:) is on the rise. Content providers such as sports and news channel tailor their content for display on cell phones. Current configurations support video encoded in 3GPP2 (MPEG-4 and H.263), video can be captured at QCIF (176×144 pixel) or Sub-QCIF (128 × 95 pixel) with resolution of 15 frames per second.
  • Home entertainment – With current audio and video compression techniques and streaming technologies there is a drive to integrate multimedia content from the web with home entertainment devices such as television and home stereo. This combines the capabilities of PC software to search, purchase, and catalog content with more sophisticated playback capabilities of home entertainment equipment. Wireless networking is one of the most attractive options to connect home equipment together. Competing technologies are:

    • IEEE802.11 is a family of evolving standards – 802.11b/g operates at 2.4GHz and provides data rates of HMbs and 54Mbs respectively. 802.11a operates at 5GHz and provides data rates of up to 54Mbs.
    • Home RF is specifically designed for connecting home devices operates at 2.4GHz and provides data rates of around 10Mbs.
    • Bluetooth designed for short range devices operates at 2.4GHz and provides data rates of about IMbs.
    • Ultra wideband (UWB) still under approval process from FCC operates between 3.1GHz and 10.6 GHz and can potentially have higher data rates than IEEE802.il based networks.

Use of mobile devices for e-commerce is constantly evolving. Standardized in ISO 18092 and operating in the 13.56-MHz range, NFC is an interface technology for exchanging data between consumer electronic devices at a distance of about 10 cm. An example is an NFC-enabled mobile phone that reads a smart tag embedded in a concert poster to download information about the artist and can initiate transactions to purchase songs or order concert tickets from the web.

Oort, Jan Hendrik [next] [back] Online Multimedia and Television - Internet-to-TV

User Comments

Your email address will be altered so spam harvesting bots can't read it easily.
Hide my email completely instead?

Cancel or