THE INTERNET ENCYCLOPEDIA
This book is printed on acid-free paper. ∞
Copyright © 2004 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, e-mail: permcoordinator@wiley.com.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. The publisher is not engaged in rendering professional services, and you should consult a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.Wiley.com.
Library of Congress Cataloging-in-Publication Data:
The Internet encyclopedia / edited by Hossein Bidgoli.
p. cm.
Includes bibliographical references and index.
ISBN 0-471-22202-X (CLOTH VOL. 1 : alk. paper) – ISBN 0-471-22204-6 (CLOTH VOL. 2 : alk. paper) – ISBN 0-471-22203-8 (CLOTH VOL. 3 : alk. paper) – ISBN 0-471-22201-1 (CLOTH SET : alk. paper)
1. Internet–Encyclopedias. I. Bidgoli, Hossein.
TK5105.875.I57I5466 2003
004.67803–dc21
2002155552
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
To so many fine memories of my brother, Mohsen, for his uncompromising belief in the power of education.
About the Editor-in-Chief
Hossein Bidgoli, Ph.D., is Professor of Management Information Systems at California State University. Dr. Bidgoli helped set up the first PC lab in the United States. He is the author of 43 textbooks, 27 manuals, and over four dozen technical articles and papers on various aspects of computer applications, e-commerce, and information systems, which have been published and presented throughout the world. Dr. Bidgoli also serves as the editor-in-chief of Encyclopedia of Information Systems.
Dr. Bidgoli was selected as the California State University, Bakersfield's 2001–2002 Professor of the Year.
Mary Finley Wolfinbarger and Mary C. Gilly
Consumer-Oriented Electronic Commerce 284
CONTENTS
Data Compression 384
Chang-Su Kim and C.-C. Jay Kuo
Data Mining in E-commerce 400
Disaster Recovery Planning 535
Marco Cremonini and Pierangela Samarati
Distance Learning (Virtual Learning) 549
Chris Dede, Tara Brown-L’Bahy, Diane Ketelhut,
and Pamela Whitehouse
Downloading from the Internet 561
Kuber Maharjan
E-business ROI Simulations 577
Edwin E. Lewis
E-government 590
Shannon Schelin and G. David Garson
Electronic Commerce and Electronic
Business 601
Charles Steinfield
Electronic Data Interchange (EDI) 613
Matthew K. McGowan
Electronic Funds Transfer 624
Roger Gate and Alec Nacamuli
Gender and Internet Usage 12
Ruby Roy Dholakia, Nikhilesh Dholakia, and Nir Kshetri
Geographic Information Systems (GIS) and the Internet 23
Haluk Cetin
Global Diffusion of the Internet 38
Nikhilesh Dholakia, Ruby Roy Dholakia, and Nir Kshetri
Global Issues 52
Babita Gupta
Groupware 65
Pierre A. Balthazard and Richard E. Potter
Guidelines for a Comprehensive Security System 76
Margarita Maria Lenk
Health Insurance and Managed Care 89
Etienne E. Pracht
Health Issues 104
David Lukoff and Jayne Gackenbach
History of the Internet 114
John Sherry and Colleen Brown
HTML/XHTML (HyperText Markup Language/Extensible HyperText Markup Language) 124
Mark Michael
Human Factors and Ergonomics 141
Robert W. Proctor and Kim-Phuong L. Vu
Human Resources Management 150
Dianna L. Stone, Eduardo Salas, and Linda C. Isenhour
Information Quality in Internet and E-business Environments 163
Larry P. English
Integrated Services Digital Network (ISDN): Narrowband and Broadband Services and Applications 180
John S. Thompson
Intelligent Agents 192
Daniel Dajun Zeng and Mark E. Nissen
Interactive Multimedia on the Web 204
Borko Furht and Oge Marques
International Cyberlaw 216
Julia Alpert Gladstone
International Supply Chain Management 233
Gary LaPoint and Scott Webster
Intrusion Detection Techniques 355
Peng Ning and Sushil Jajodia
Inventory Management 368
Janice E. Carrillo, Michael A. Carrillo, and Anand Paul
Java 379
Judith C. Simon and Charles J. Campbell
JavaBeans and Software Architecture 388
Nenad Medvidovic and Nikunj R. Mehta
Victoria S. Dennis and Judith C. Simon
Legal, Social, and Ethical Issues 464
Kenneth Einar Himma
Library Management 477
Clara L. Sitter
Linux Operating System 486
Charles Abzug
Load Balancing on the Internet 499
Jianbin Wei, Cheng-Zhong Xu, and Xiaobo Zhou
Local Area Networks 515
Wayne C. Summers
Machine Learning and Data Mining on the Web 527
Qiang Yang
Managing a Network Environment 537
Haniph A. Latchman and Jordan Walters
Managing the Flow of Materials Across the Supply Chain 551
Matthias Holweg and Nick Rich
Marketing Communication Strategies 562
Mobile Devices and Protocols 627
Julie R. Mariga and Benjamin R. Pobanz
Mobile Operating Systems and
Online Analytical Processing (OLAP) 685
Joseph Morabito and Edward A. Stohr
Online Auctions 699
Gary C. Anders
Online Auction Site Management 709
Peter R. Wurman
Online Banking and Beyond:
Internet-Related Offerings from
Public Accounting Firms 145
C. Janie Chang and Annette Nellen
Public Key Infrastructure (PKI) 156
Russ Housley
Public Networks 166
Dale R. Thompson and Amy W. Apon
Radio Frequency and Wireless Communications 177
Okechukwu C. Ugweje
Real Estate 192
Ashok Deo Bardhan and Dwight Jaffee
Research on the Internet 201
Paul S. Piper
Return on Investment Analysis for E-business Projects 211
Mark Jeffery
Risk Management in Internet-Based
Supply Chain Management 365
Gerard J. Burke and Asoo J. Vakharia
Supply Chain Management and the Internet 374
Thomas D. Lairson
Supply Chain Management Technologies 387
Mark Smith
Supply Networks: Developing and Maintaining Relationships and Strategies 398
Travel and Tourism 459
Daniel R. Fesenmaier, Ulrike Gretzel, Yeong-Hyeon Hwang, and Youcheng Wang
Universally Accessible Web Resources: Designing for People with Disabilities 477
Donald E. Zimmerman and Carol A. Akerelrea
Value Chain Analysis 525
Web Search Fundamentals 724
Raymond Wisman
Web Search Technology 738
Clement Yu and Weiyi Meng
Web Services 754
Akhil Sahai, Sven Graupner,
and Wooyoung Kim
Web Site Design 768
J. Efrim Boritz and Won Gyun No
Chapter List by Subject Area
Applications
Developing Nations
Digital Libraries
Distance Learning (Virtual Learning)
Downloading from the Internet
Electronic Funds Transfer
E-mail and Instant Messaging
Enhanced TV
Game Design: Games for the World Wide Web
GroupWare
Health Insurance and Managed Care
Human Resources Management
Interactive Multimedia on the Web
Internet Relay Chat (IRC)
Online Banking and Beyond: Internet-Related Offerings from U.S. Banks
Online Communities
Online Dispute Resolution
Online News Services (Online Journalism)
Online Public Relations
Research on the Internet
Securities Trading on the Internet
Telecommuting and Telework
Travel and Tourism
Design, Implementation, and Management
Application Service Providers (ASPs)
Benchmarking Internet
Capacity Planning for Web Services
Client/Server Computing
E-business ROI Simulations
Enterprise Resource Planning (ERP)
Human Factors and Ergonomics
Information Quality in Internet and E-business
Environments
Load Balancing on the Internet
Managing a Network Environment
Peer-to-Peer Systems
Project Management Techniques
Prototyping
Return on Investment Analysis for E-business Projects
Risk Management in Internet-Based Software Projects
Software Design and Implementation in the Web Environment
Structured Query Language (SQL)
Universally Accessible Web Resources: Designing for People with Disabilities
Usability Testing: An Evaluation Process for Internet Communications
Virtual Reality on the Internet: Collaborative Virtual Reality
Web Hosting
Web Quality of Service
Electronic Commerce
Business Plans for E-commerce Projects
Business-to-Business (B2B) Electronic Commerce
Business-to-Business (B2B) Internet Business Models
Business-to-Consumer (B2C) Internet Business Models
Click-and-Brick Electronic Commerce
Collaborative Commerce (C-Commerce)
Consumer-Oriented Electronic Commerce
E-government
Electronic Commerce and Electronic Business
Electronic Data Interchange (EDI)
Electronic Payment
E-marketplaces
Extranets
Intranets
Online Auction Site Management
Online Auctions
Web Services
Foundation
Computer Literacy
Digital Economy
Downloading from the Internet
Electronic Commerce and Electronic Business
File Types
Geographic Information Systems (GIS) and the Internet
History of the Internet
Internet Etiquette (Netiquette)
Internet Literacy
Internet Navigation (Basics, Services, and Portals)
Multimedia
Value Chain Analysis
Web Search Fundamentals
Web Search Technology
Infrastructure
Circuit, Message, and Packet Switching
Conducted Communications Media
Convergence of Data, Sound, and Video
Data Compression
Digital Communication
Integrated Services Digital Network (ISDN):
Narrowband and Broadband Services and
Applications
Internet Architecture
Internet2
Linux Operating System
Local Area Networks
Middleware
Multiplexing
Public Networks
Speech and Audio Compression
Standards and Protocols in Data Communications
Storage Area Networks (SANs)
TCP/IP Suite
Unix Operating System
Video Compression
Voice over Internet Protocol (IP)
Virtual Private Networks: Internet Protocol (IP)
Based
Wide Area and Metropolitan Area Networks
Legal, Social, Organizational, International,
and Taxation Issues
Copyright Law
Cybercrime and Cyberfraud
Cyberlaw: The Major Areas, Development,
and Provisions
Cyberterrorism
Digital Divide
Digital Identity
Feasibility of Global E-business Projects
Gender and Internet Usage
Global Diffusion of the Internet
Data Warehousing and Data Marts
Databases on the Web
Fuzzy Logic
Intelligent Agents
Knowledge Management
Machine Learning and Data Mining on the Web
Marketing Communication Strategies
Marketing Plans for E-commerce Projects
Online Analytical Processing (OLAP)
Personalizations and Customization Technologies
Rule-Based and Expert Systems
Wireless Marketing
Security Issues and Measures
Authentication
Biometric Authentication
Computer Security Incident Response Teams (CSIRTs)
Computer Viruses and Worms
Denial of Service Attacks
Digital Signatures and Electronic Signatures
Disaster Recovery Planning
Encryption
Firewalls
Guidelines for a Comprehensive Security System
Internet Security Standards
Intrusion Detection System
Passwords
Physical Security
Public Key Infrastructure (PKI)
Secure Electronic Transmissions (SET)
Secure Sockets Layer (SSL)
Virtual Private Networks: Internet Protocol (IP) Based
Windows 2000 Security
Supply Chain Management
Electronic Procurement
E-systems for the Support of Manufacturing Operations
International Supply Chain Management
Inventory Management
Managing the Flow of Materials Across the Supply Chain
Strategic Alliances
Supply Chain Management
Supply Chain Management and the Internet
Supply Chain Management Technologies
Supply Networks: Developing and Maintaining Relationships and Strategies
Value Chain Analysis
Web Design and Programming
Active Server Pages (ASP)
ActiveX
ActiveX Data Objects (ADO)
Cascading Style Sheets (CSS)
Common Gateway Interface (CGI) Scripts
DHTML (Dynamic HyperText Markup Language)
Extensible Markup Language (XML)
Extensible Stylesheet Language (XSL)
HTML/XHTML (Hypertext Markup Language/Extensible HyperText Markup Language)
Java
Java Server Pages (JSP)
JavaBeans and Software Architecture
Wireless Internet and E-commerce
Bluetooth™—A Wireless Personal Area Network
Mobile Commerce
Mobile Devices and Protocols
Mobile Operating Systems and Applications
Propagation Characteristics of Wireless Channels
Radio Frequency and Wireless Communications
Wireless Application Protocol (WAP)
Wireless Communications Applications
Wireless Internet
Wireless Marketing
James Madison University
Linux Operating System
Patricia Adams
Education Resources
Strategic Alliances
Carol A. Akerelrea
Colorado State University
Usability Testing: An Evaluation Process for Internet Communications
University of Waterloo, Canada
XBRL (Extensible Business Reporting Language):
Business Reporting with XML
Sviatoslav Braynov
State University of New York at Buffalo
Data Mining in E-commerce Personalization and Customization Technologies
Murray State University
Geographic Information Systems (GIS) and the Internet
Henry Chan
The Hong Kong Polytechnic University, China
Consumer-Oriented Electronic Commerce
C. Janie Chang
San José State University
Public Accounting Firms
Camille Chin
West Virginia University
Cybercrime and Cyberfraud
T. Matthew Ciolek
The Australian National University, Australia
Online Religion
Timothy W. Cole
University of Illinois at Urbana-Champaign
Visual Basic Scripting Edition (VBScript)
Fred Condo
California State University, Chico
Cascading Style Sheets (CSS)
David E. Cook
University of Derby, United Kingdom
Standards and Protocols in Data Communications
Marco Cremonini
Università di Milano, Italy
Disaster Recovery Planning
xix
Rensselaer Polytechnic Institute
Wide Area and Metropolitan Area Networks
Nikhilesh Dholakia
University of Rhode Island
Gender and Internet Usage
Global Diffusion of the Internet
Ruby Roy Dholakia
University of Rhode Island
Gender and Internet Usage
Global Diffusion of the Internet
Information Impact International, Inc.
Information Quality in Internet and E-business
University of Illinois at Urbana–Champaign
Travel and Tourism
Florida Atlantic University
Interactive Multimedia on the Web
Jayne Gackenbach
Athabasca University, Canada
Health Issues
Alan Gaitenby
University of Massachusetts, Amherst
Online Dispute Resolution
IBM United Kingdom Ltd., United Kingdom
Electronic Funds Transfer
University of Illinois at Urbana–Champaign
Travel and Tourism
Paul Gronke
Reed College
Politics
Jim Grubbs
University of Illinois at Springfield
E-mail and Instant Messaging
Mohsen Guizani
Western Michigan University
Wireless Communications Applications
Jon Gunderson
University of Illinois at Urbana–Champaign
Universally Accessible Web Resources: Designing for People with Disabilities
Kirk Hallahan
Colorado State University
Online Public Relations
University of Massachusetts Lowell
Extensible Stylesheet Language (XSL)
Wolf, Greenfield & Sacks, P.C.
Open Source Development and Licensing
Massachusetts Institute of Technology
Managing the Flow of Materials Across the Supply Chain
Russ Housley
Vigil Security, LLC
Public Key Infrastructure (PKI)
Yeong-Hyeon Hwang
University of Illinois at Urbana–Champaign
Travel and Tourism
Robert E. Irie
SPAWAR Systems Center San Diego
Web Site Design
Linda C. Isenhour
University of Central Florida
Human Resources Management
Hans-Arno Jacobsen
University of Toronto, Canada
Application Service Providers (ASPs)
George Mason University
Intrusion Detection Techniques
Mark Jeffery
Northwestern University
Return on Investment Analysis for E-business Projects
Andrew Johnson
University of Illinois at Chicago
Virtual Reality on the Internet: Collaborative Virtual Reality
Ari Juels
RSA Laboratories
Encryption
Bhushan Kapoor
California State University, Fullerton
ActiveX Data Objects (ADO)
Joseph M. Kayany
Western Michigan University
Internet Etiquette (Netiquette)
Doug Kaye
RDS Strategies LLC
Web Hosting
Chuck Kelley
Excellence In Data, Inc.
Data Warehousing and Data Marts
Missouri Southern State University–Joplin
Value Chain Analysis
Graham Knight
University College London, United Kingdom
Internet Architecture
Craig D. Knuckles
Lake Forest College
DHTML (Dynamic HyperText Markup Language)
Eastern Washington University
Convergence of Data, Sound, and Video
Nir Kshetri
University of North Carolina
Gender and Internet Usage
Global Diffusion of the Internet
C.-C. Jay Kuo
University of Southern California
Data Compression
Stan Kurkovsky
Columbus State University
Common Gateway Interface (CGI) Scripts
University of Illinois at Chicago
Virtual Reality on the Internet: Collaborative
Virtual Reality
Margarita Maria Lenk
Colorado State University
Guidelines for a Comprehensive Security System
Nanette S Levinson
American University
Developing Nations
Edwin E. Lewis Jr.
Johns Hopkins University
E-business ROI Simulations
David J. Loundy
DePaul University
Online Stalking
Robert H. Lowson
University of East Anglia, United Kingdom
E-systems for the Support of Manufacturing Operations
Supply Networks: Developing and Maintaining Relationships and Strategies
Mobile Devices and Protocols
Mobile Operating Systems and Applications
Oge Marques
Florida Atlantic University
Interactive Multimedia on the Web
University of Southern California
JavaBeans and Software Architecture
Nikunj R. Mehta
University of Southern California
JavaBeans and Software Architecture
John A. Mendonca
Purdue University
Organizational Impact
Weiyi Meng
State University of New York at Binghamton
Web Search Technology
Stevens Institute of Technology
Online Analytical Processing (OLAP)
Roy Morris
Capitol College
Voice over Internet Protocol (IP)
Alec Nacamuli
IBM United Kingdom Ltd., United Kingdom
Electronic Funds Transfer
Annette Nellen
San Jos´e State University
Public Accounting Firms
Taxation Issues
Dale Nesbary
Oakland University
Nonprofit Organizations
Dat-Dao Nguyen
California State University, Northridge
Business-to-Business (B2B) Internet Business Models
Peng Ning
North Carolina State University
Intrusion Detection Techniques
Mark E. Nissen
Naval Postgraduate School
Intelligent Agents
Won Gyun No
University of Waterloo, Canada
XBRL (Extensible Business Reporting Language):
Business Reporting with XML
Eric H. Nyberg
Carnegie Mellon University
Prototyping
Jeff Offutt
George Mason University
Software Design and Implementation in the Web Environment
Donal O’Mahony
University of Dublin, Ireland
Electronic Payment
Robert Oshana
Southern Methodist University
Capacity Planning for Web Services
Dennis O. Owen
Purdue University
Visual Basic
Raymond R. Panko
University of Hawaii at Manoa
Computer Security Incident Response Teams (CSIRTs)
Digital Signatures and Electronic Signatures
Internet Security Standards
Anand Paul
University of Florida
Inventory Management
Thomas L. Pigg
Jackson State Community College
Conducted Communications Media
Paul S. Piper
Western Washington University
Research on the Internet
Southern Oregon University
Cyberlaw: The Major Areas, Development, and Provisions
Paul R. Prabhaker
Illinois Institute of Technology
E-marketplaces
Etienne E. Pracht
University of South Florida
Health Insurance and Managed Care
California State University, Hayward
Enterprise Resource Planning (ERP)
Western New England College
Business-to-Business (B2B) Electronic Commerce
Pratap Reddy
Raritan Valley Community College
Internet Navigation (Basics, Services, and Portals)
Cardiff Business School, United Kingdom
Managing the Flow of Materials Across the Supply Chain
Malu Roldan
San Jose State University
Marketing Plans for an E-commerce Project
University of Central Florida
Human Resources Management
Atul A. Salvekar
Intel Corp
Digital Communication
Pierangela Samarati
Università di Milano, Italy
Disaster Recovery Planning
J. Christopher Sandvig
Western Washington University
Active Server Pages
CONTRIBUTORS
E. Eugene Schultz
University of California–Berkeley Lab
Denial of Service Attacks
Windows 2000 Security
Steven D. Schwaitzberg
Tufts-New England Medical Center
Medical Care Delivery
Kathy Schwalbe
Augsburg College
Project Management Techniques
Mark Shacklette
The University of Chicago
Unix Operating System
Michigan State University
Click-and-Brick Electronic Commerce
Electronic Commerce and Electronic Business
Edward A Stohr
Stevens Institute of Technology
Online Analytical Processing (OLAP)
Dianna L. Stone
University of Central Florida
Human Resources Management
David Stotts
University of North Carolina at Chapel Hill
Perl
Judy Strauss
University of Nevada, Reno
Marketing Communication Strategies
Wayne C. Summers
Columbus State University
Local Area Networks
University of Colorado at Boulder
Integrated Services Digital Network (ISDN):
Narrowband and Broadband Services and Applications
The University of Akron
Radio Frequency and Wireless Communications
University of Illinois at Urbana–Champaign
Travel and Tourism
Wayne State University
Load Balancing on the Internet
Ralph D. Westfall
California State Polytechnic University, Pomona
Telecommuting and Telework
New York University
Customer Relationship Management on the Web
Raymond Wisman
Indiana University Southeast
Web Search Fundamentals
Paul L. Witt
University of Texas at Arlington
Internet Relay Chat (IRC)
Mary Finley Wolfinbarger
California State University, Long Beach
Consumer Behavior
Peter R. Wurman
North Carolina State University
Online Auction Site Management
Cheng-Zhong Xu
Wayne State University
Load Balancing on the Internet
University of Illinois at Chicago
Web Search Technology
Daniel Dajun Zeng
University of Colorado at Colorado Springs
Load Balancing on the Internet
Donald E. Zimmerman
Colorado State University
Usability Testing: An Evaluation Process for Internet Communications
PREFACE

The Internet Encyclopedia is the first comprehensive examination of the core topics in the Internet field. The Internet Encyclopedia, a three-volume reference work with 205 chapters and more than 2,600 pages, provides comprehensive coverage of the Internet as a business tool, IT platform, and communications and commerce medium. The audience includes the libraries of two-year and four-year colleges and universities with MIS, IT, IS, data processing, computer science, and business departments; public and private libraries; and corporate libraries throughout the world. It is the only comprehensive source for reference material for educators and practitioners in the Internet field.

Education, libraries, health, medical, biotechnology, military, law enforcement, accounting, law, justice, manufacturing, financial services, insurance, communications, transportation, aerospace, energy, and utilities are among the fields and industries expected to become increasingly dependent upon the Internet and Web technologies. Companies in these areas are actively researching the many issues surrounding the design, utilization, and implementation of these technologies.

This definitive three-volume encyclopedia offers coverage of both established and cutting-edge theories and developments of the Internet as a technical tool and business/communications medium. The encyclopedia contains chapters from global experts in academia and industry. It offers the following unique features:

1) Each chapter follows a format which includes title and author, chapter outline, introduction, body, conclusion, glossary, cross references, and references. This unique format enables the readers to pick and choose among various sections of a chapter. It also creates consistency throughout the entire series.
2) The encyclopedia has been written by more than 240 experts and reviewed by more than 840 academics and practitioners chosen from around the world. This diverse collection of expertise has created the most definitive coverage of established and cutting-edge theories and applications in this fast-growing field.
3) Each chapter has been rigorously peer reviewed. This review process assures the accuracy and completeness of each topic.
4) Each chapter provides extensive online and offline references for additional readings. This will enable readers to further enrich their understanding of a given topic.
5) More than 1,000 illustrations and tables throughout the series highlight complex topics and assist further understanding.
6) Each chapter provides extensive cross references. This helps the readers identify other chapters within the encyclopedia related to a particular topic, which provides a one-stop knowledge base for a given topic.
7) More than 2,500 glossary items define new terms and buzzwords throughout the series, which assists readers in understanding concepts and applications.
8) The encyclopedia includes a complete table of contents and index sections for easy access to various parts of the series.
9) The series emphasizes both technical and managerial issues. This approach provides researchers, educators, students, and practitioners with a balanced understanding of the topics and the necessary background to deal with problems related to Internet-based systems design, implementation, utilization, and management.
10) The series has been designed based on the current core course materials in several leading universities around the world and current practices in leading computer- and Internet-related corporations. This format should appeal to a diverse group of educators, practitioners, and researchers in the Internet field.

We chose to concentrate on fields and supporting technologies that have widespread applications in the academic and business worlds. To develop this encyclopedia, we carefully reviewed current academic research in the Internet field at leading universities and research institutions around the world. Management information systems, decision support systems (DSS), supply chain management, electronic commerce, network design and management, and computer information systems (CIS) curricula recommended by the Association of Information Technology Professionals (AITP) and the Association for Computing Machinery (ACM) were carefully investigated. We also researched the current practices in the Internet field used by leading IT corporations. Our work enabled us to define the boundaries and contents of this project.

• Security issues and measures;
• Web design and programming;
• Design, implementation, and management;
• Electronic commerce;
• Marketing and advertising on the Web;
• Supply chain management;
• Wireless Internet and e-commerce; and
• Applications.
Although these 11 categories of topics are interrelated, each addresses one major dimension of the Internet-related fields. The chapters in each category are also interrelated and complementary, enabling readers to compare, contrast, and draw conclusions that might not otherwise be possible.

Although the entries have been arranged alphabetically, the light they shed knows no bounds. The encyclopedia provides unmatched coverage of fundamental topics and issues for successful design, implementation, and utilization of Internet-based systems. Its chapters can serve as material for a wide spectrum of courses, such as the following:

• Web technology fundamentals;
• E-commerce;
• Security issues and measures for computers, networks, and online transactions;
• Legal, social, organizational, and taxation issues raised by the Internet and Web technology;
• Wireless Internet and e-commerce;
• Supply chain management;
• Web design and programming;
• Marketing and advertising on the Web; and
• The Internet and electronic commerce applications.

Successful design, implementation, and utilization of Internet-based systems require a thorough knowledge of several technologies, theories, and supporting disciplines. Internet and Web technologies researchers and practitioners have had to consult many resources to find answers. Some of these sources concentrate on technologies and infrastructures, some on social and legal issues, and some on applications of Internet-based systems. This encyclopedia provides all of this relevant information in a comprehensive three-volume set with a lively format.

Each volume incorporates core Internet topics, practical applications, and coverage of the emerging issues in the Internet and Web technologies field. Written by scholars and practitioners from around the world, the chapters fall into the 11 major subject areas mentioned previously.
Foundation
Chapters in this group examine a broad range of topics
Theories and concepts that have a direct or indirect effect
on the understanding, role, and the impact of the Internet
in public and private organizations are presented They
also highlight some of the current issues in the
Inter-net field These articles explore historical issues and basic
concepts as well as economic and value chain concepts
They address fundamentals of Web-based systems as well
as Web search issues and technologies As a group they
provide a solid foundation for the study of the Internet
and Web-based systems
Infrastructure
Chapters in this group explore the hardware, software, erating systems, standards, protocols, network systems,and technologies used for design and implementation ofthe Internet and Web-based systems Thorough discus-sions of TCP/IP, compression technologies, and varioustypes of networks systems including LANs, MANS, andWANs are presented
op-Legal, Social, Organizational, International, and Taxation Issues
These chapters look at important issues (positive and ative) in the Internet field The coverage includes copy-right, patent and trademark laws, privacy and ethical is-sues, and various types of cyberthreats from hackers andcomputer criminals They also investigate internationaland taxation issues, organizational issues, and social is-sues of the Internet and Web-based systems
neg-Security Issues and Measures
Chapters in this group provide a comprehensive sion of security issues, threats, and measures for com-puters, network systems, and online transactions Thesechapters collectively identify major vulnerabilities andthen provide suggestions and solutions that could signif-icantly enhance the security of computer networks andonline transactions
discus-Web Design and Programming
The chapters in this group review major programminglanguages, concepts, and techniques used for designingprograms, Web sites, and virtual storefronts in the e-commerce environment They also discuss tools and tech-niques for Web content management
Design, Implementation, and Management
The chapters in this group address a host of issues, concepts, theories, and techniques that are used for design, implementation, and management of the Internet and Web-based systems. These chapters address conceptual issues, fundamentals, and cost benefits and returns on investment for Internet and e-business projects. They also present project management and control tools and techniques for the management of Internet and Web-based systems.
Electronic Commerce
These chapters present a thorough discussion of electronic commerce fundamentals, taxonomies, and applications. They also discuss supporting technologies and applications of e-commerce, including intranets, extranets, online auctions, and Web services. These chapters clearly demonstrate the successful applications of the Internet and Web technologies in private and public sectors.
Marketing and Advertising on the Web
The chapters in this group explore concepts, theories, and technologies used for effective marketing and advertising on the Web. These chapters examine both qualitative and quantitative techniques. They also investigate the emerging technologies for mass personalization and customization in the Web environment.
Supply Chain Management
The chapters in this group discuss the fundamental concepts and theories of value chain and supply chain management. The chapters examine the major role that the Internet and Web technologies play in an efficient and effective supply chain management program.
Wireless Internet and E-commerce
These chapters look at the fundamental concepts and technologies of wireless networks and wireless computing as they relate to the Internet and e-commerce operations. They also discuss mobile commerce and wireless marketing as two of the growing fields within the e-commerce environment.
Applications
The Internet and Web-based systems are everywhere. In most cases they have improved the efficiency and effectiveness of managers and decision makers. Chapters in this group highlight applications of the Internet in several fields, such as accounting, manufacturing, education, and human resources management, and their unique applications in a broad section of the service industries, including law, law enforcement, medical delivery, health insurance and managed care, library management, nonprofit organizations, banking, online communities, dispute resolution, news services, public relations, publishing, religion, politics, and real estate. Although these disciplines are different in scope, they all utilize the Internet to improve productivity and in many cases to increase customer service in a dynamic business environment.
Specialists have written the collection for experienced and not-so-experienced readers. It is to these contributors that I am especially grateful. This remarkable collection of scholars and practitioners has distilled their knowledge into a fascinating and enlightening one-stop knowledge base in Internet-based systems that “talk” to readers. This has been a massive effort but one of the most rewarding experiences I have ever undertaken. So many people have played a role that it is difficult to know where to begin.
I should like to thank the members of the editorial board for participating in the project and for their expert advice on the selection of topics, recommendations for authors, and review of the materials. Many thanks to the more than 840 reviewers who devoted their time by providing advice to me and the authors on improving the coverage, accuracy, and comprehensiveness of these materials.
I thank my senior editor at John Wiley & Sons, Matthew Holt, who initiated the idea of the encyclopedia back in spring of 2001. Through a dozen drafts and many reviews, the project got off the ground and then was managed flawlessly by Matthew and his professional team. Matthew and his team made many recommendations for keeping the project focused and maintaining its lively coverage. Tamara Hummel, our superb editorial coordinator, exchanged several hundred e-mail messages with me and many of our authors to keep the project on schedule. I am grateful for all her support. When it came to the production phase, the superb Wiley production team took over. Particularly I want to thank Deborah DeBlasi, our senior production editor at John Wiley & Sons, and Nancy J. Hulan, our project manager at TechBooks. I am grateful for all their hard work.
Last, but not least, I want to thank my wonderful wife Nooshin and my two lovely children Mohsen and Morvareed for being so patient during this venture. They provided a pleasant environment that expedited the completion of this project. Nooshin was also a great help in designing and maintaining the author and reviewer databases. Her efforts are greatly appreciated. Also, my two sisters Azam and Akram provided moral support throughout my life. To this family, any expression of thanks is insufficient.
Hossein Bidgoli
California State University, Bakersfield
Guide to the Internet Encyclopedia
The Internet Encyclopedia is a comprehensive summary of the relatively new and very important field of the Internet. This reference work consists of three separate volumes and 205 chapters on various aspects of this field. Each chapter in the encyclopedia provides a comprehensive overview of the selected topic intended to inform a broad spectrum of readers ranging from computer professionals and academicians to students to the general business community.
In order that you, the reader, will derive the greatest possible benefit from The Internet Encyclopedia, we have provided this Guide. It explains how the information within the encyclopedia can be located.
ORGANIZATION
The Internet Encyclopedia is organized to provide maximum ease of use for its readers. All of the chapters are arranged in alphabetical sequence by title. Chapter titles that begin with the letters A to F are in Volume 1, chapter titles from G to O are in Volume 2, and chapter titles from P to Z are in Volume 3. So that they can be easily located, chapter titles generally begin with the key word or phrase indicating the topic, with any descriptive terms following. For example, “Virtual Reality on the Internet: Collaborative Virtual Reality” is the chapter title rather than “Collaborative Virtual Reality.”
Table of Contents
A complete table of contents for the entire encyclopedia appears in the front of each volume. This list of titles represents topics that have been carefully selected by the editor-in-chief, Dr. Hossein Bidgoli, and his colleagues on the Editorial Board.
Following this list of chapters by title is a second complete list, in which the chapters are grouped according to subject area. The encyclopedia provides coverage of 11 specific subject areas, such as E-commerce and Supply Chain Management. Please see the Preface for a more detailed description of these subject areas.
Index
The Subject Index is located at the end of Volume 3. This index is the most convenient way to locate a desired topic within the encyclopedia. The subjects in the index are listed alphabetically and indicate the volume and page number where information on this topic can be found.
Chapters
Each chapter in The Internet Encyclopedia begins on a new page, so that the reader may quickly locate it. The author’s name and affiliation are displayed at the beginning of the chapter.
Introduction
The text of each chapter begins with an introductory section that defines the topic under discussion and summarizes the content. By reading this section the readers get a general idea about the content of a specific chapter.
Glossary
The glossary contains terms that are important to an understanding of the chapter and that may be unfamiliar to the reader. Each term is defined in the context of the particular chapter in which it is used. Thus the same term may be defined in two or more chapters with the detail of the definition varying slightly from one to another. The encyclopedia includes approximately 2,500 glossary terms.
For example, the article “Computer Literacy” includes the following glossary entries:
Computer: A machine that accepts data as input, processes the data without human interference using a set of stored instructions, and outputs information. Instructions are step-by-step directions given to a computer for performing specific tasks.
Computer generations: Different classes of computer technology identified by a distinct architecture and technology; the first generation was vacuum tubes, the second transistors, the third integrated circuits, the fourth very-large-scale integration, and the fifth gallium arsenide and parallel processing.
Cross References
All the chapters in the encyclopedia have cross references to other chapters. These appear at the end of the chapter, following the text and preceding the references. The cross references indicate related chapters which can be consulted for further information on the same topic. The encyclopedia contains more than 2,000 cross references in all. For example, the chapter “Java” has the following cross references:
JavaBeans and Software Architecture; Software Design and Implementation in the Web Environment
References
The references in this encyclopedia are for the benefit of the reader, to provide direction for further research on the given topic. Thus they typically consist of one to two dozen entries. They are not intended to represent a complete listing of all materials consulted by the author in preparing the chapter. In addition, some chapters contain a Further Reading section, which includes additional sources readers may wish to consult.
Passwords
Jeremy Rasmussen, Sypris Electronics, LLC
Introduction
Types of Identification/Authentication
History of Passwords in Modern Computing
Green Book: The Need for Accountability
Types of Password-Cracking Tools
Password Security Issues and Effective
Password Length and Human Memory
An Argument for Simplified Passwords
INTRODUCTION
The ancient folk tale of Ali Baba and the forty thieves mentions the use of a password. In this story, Ali Baba finds that the phrase “Open Sesame” magically opens the entrance to a cave where the thieves have hidden their treasure. Similarly, modern computer systems use passwords to authenticate users and allow them entrance to system resources and data shares on an automated basis. The use of passwords in computer systems likely can be traced to the earliest timesharing and dial-up networks. Passwords were probably not used before then in purely batch systems.
The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on a computer system, passwords are vulnerable to compromise due to five essential aspects of the password system:
Passwords must be initially assigned to users when they are enrolled on the system;
Users’ passwords must be changed periodically;
The system must maintain a “password database”;
Users must remember their passwords; and
Users must enter their passwords into the system at
to achieve strong authentication
TYPES OF IDENTIFICATION/AUTHENTICATION
Access control is the security service that deals with granting or denying permission for subjects (e.g., users or programs) to use objects (e.g., other programs or files) on a given computer system. Access control can be accomplished through either hardware or software features, operating procedures, management procedures, or a combination of these. Access control mechanisms are classified by their ability to verify the authenticity of a user. The three basic verification methods are as follows:
What you have (examples: smart card or token);
What you are (examples: biometric fingerprint [see Figure 1] or iris pattern); and
What you know (examples: PIN or password).
Of all verification methods, passwords are probably the weakest, yet they are still the most widely used method in systems today. In order to guarantee strong authentication, a system ought to combine two or more of these factors. For example, in order to access an ATM, one must have a bank card and know his or her personal identification number (PIN).
Figure 1: A biometric fingerprint scanner.
HISTORY OF PASSWORDS IN MODERN COMPUTING
Conjecture as to which system was the first to incorporate passwords has been bandied about by several computing pioneers on the Cyberspace History List-Server (CYHIST). However, there has not been any concrete evidence as yet to support one system or another as the progenitor. The consensus opinion favors the Compatible Time Sharing System (CTSS) developed at the Massachusetts Institute of Technology (MIT) Computation Center beginning in 1961. As part of Project MAC (Multiple Access Computer) under the direction of Professor Fernando J. “Corby” Corbató, the system was implemented on an IBM 7094 and reportedly began using passwords by 1963. According to researcher Norman Hardy, who worked on the project, the security of passwords immediately became an issue as well: “I can vouch for some version of CTSS having passwords. It was in the second edition of the CTSS manual, I think, that illustrated the login command. It had Corby’s user name and password. It worked—and he changed it the same day.”
Passwords were widely in use by the early 1970s as the “hacker” culture began to develop, possibly in tacit opposition to the ARPANET. Now, with the explosion of the Internet, the use of passwords and the quantity of confidential data that those passwords protect have grown exponentially. But just as the 40 thieves’ password protection system was breached (the cave could not differentiate between Ali Baba’s voice and those of the thieves), computer password systems have also been plagued by a number of vulnerabilities. Although strong password authentication has remained a “hard” problem in cryptography despite advances in both symmetric (secret-key) and asymmetric (public-key) cryptosystems, the history of password authentication is replete with examples of weak, easily compromised systems. In general, “weak” authentication systems are characterized by protocols that either leak the password directly over the network or leak sufficient information while performing authentication to allow intruders to deduce or guess at the password.
Green Book: The Need for Accountability
In 1983, the U.S. Department of Defense Computer Security Center (CSC) published the venerable tome Trusted Computer System Evaluation Criteria, also known as the Orange Book. This publication defined the assurance requirements for security protection of computer systems that were to be used in processing classified or other sensitive information. One major requirement imposed by the Orange Book was accountability: “Individual accountability is the key to securing and controlling any system that processes information on behalf of individuals or groups of individuals” (Latham, 1985).
The Orange Book clarified accountability as follows:
Individual user identification: Without this, there is no way to distinguish the actions of one user on a system from those of another.
Authentication: Without this, user identification has no credibility. And without a credible identity, no security policies can be properly invoked because there is no assurance that proper authorizations can be made.
The CSC went on to publish the Password Management Guideline (also known as the Green Book) in 1985 “to assist in providing that much needed credibility of user identity by presenting a set of good practices related to the design, implementation and use of password-based user authentication mechanisms.” The Green Book outlined a number of steps that system security administrators should take to ensure password security on the system and suggests that, whenever possible, they be automated. These include the following 10 rules (Brotzman, 1985):
System security administrators should change the passwords for all standard user IDs before allowing the general user population to access the system.
A new user should always appear to the system as having an “expired password,” which will require the user to change the password by the usual procedure before receiving authorization to access the system.
Each user ID should be assigned to only one person. No two people should ever have the same user ID at the same time, or even at different times. It should be considered a security violation when two or more people know the password for a user ID.
Users need to be aware of their responsibility to keep passwords private and to report changes in their user status, suspected security violations, etc. Users should also be required to sign a statement to acknowledge understanding of these responsibilities.
Passwords should be changed on a periodic basis to counter the possibility of undetected password compromise.
Users should memorize their passwords and not write them on any medium. If passwords must be written, they should be protected in a manner that is consistent with the damage that could be caused by their compromise.
Stored passwords should be protected by access controls provided by the system, by password encryption, or by both.
Passwords should be encrypted immediately after entry, and the memory containing the plaintext password should be erased immediately after encryption.
Only the encrypted password should be used in comparisons. There is no need to be able to decrypt passwords. Comparisons can be made by encrypting the password entered at login and comparing the encrypted form with the encrypted password stored in the password database.
The system should not echo passwords that users type in, or at least should mask the entered password (e.g., with asterisks).
PASSWORD SECURITY—BACKGROUND
Information Theory
Cryptography is a powerful mechanism for securing data and keeping them confidential. The idea is that the original message is scrambled via an algorithm (or cipher), and only those with the correct key can unlock the scrambled message and get back the plaintext contents. In general, the strength of a cryptographic algorithm is based on the length and quality of its keys. Passwords are a similar problem. Based on their length and quality, they should be more difficult to attack either by dictionary, by hybrid, or by brute-force attacks. However, the quality of a password, just as the quality of a cryptographic key, is based on entropy. Entropy is a measure of disorder.
An example of entropy
Say a user is filling out a form on a Web page (see Figure 2). The form has a space for “Sex,” and leaves six characters for entering either “female” or “male” before encrypting the form entry and sending it to the server. If each character is a byte (i.e., 8 bits), then 6 × 8 = 48 bits will be sent for this response. Is this how much information is actually contained in the field, though?
Clearly, there is only one bit of data represented by the entry—a binary value—either male or female. That means that there is only one bit of entropy (or uncertainty) and there are 47 bits of redundancy in the field. This redundancy could be used by a cryptanalyst (someone who analyzes cryptosystems) to help crack the key.
Figure 2: Sample Web page entry form.
Fundamental work by Claude Shannon during the 1940s illustrated this concept, that is, that the amount of information in a message is not necessarily a function of the length of a message (or the number of symbols used in the message) (Sloane & Wyner, 1993). Instead, the amount of information in a message is determined by how many different possible messages there are and how frequently each message is used.
The same concepts apply to password security. A longer password is not necessarily a better password. Rather, a password that is difficult to guess (i.e., one that has high entropy) is best. This usually comes from a combination of factors (see “Guidelines for selecting a good password”). The probability that any single attempt at guessing a password will be successful is one of the most critical factors in a password system. This probability depends on the size of the password space and the statistical distribution within that space of passwords that are actually used.
Over the past several decades, Moore’s Law has made it possible to brute-force password spaces of larger and larger entropy. In addition, there is a limit to the entropy that the average user can remember. A user cannot typically remember a 32-character password, but that is what is required to have the equivalent strength of a 128-bit key. Recently, password cracking tools have advanced to the point of being able to crack nearly anything a system could reasonably expect a user to memorize (see “Password Length and Human Memory”).
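As an added example (not the chapter's code), the following Python computes the Shannon entropy the paragraphs above describe: the 1-bit “Sex” field with 47 bits of redundancy, the nominal entropy of a uniformly random password, the length needed to reach a given bit strength over different alphabets, and, for a constructed usage distribution, how far the entropy of the passwords people actually choose falls below the nominal keyspace. All function names and the usage table are assumptions.

```python
import math
from typing import Dict, Tuple


def shannon_entropy_bits(frequencies: Dict[str, int]) -> float:
    """H = -sum p_i * log2(p_i) over a distribution of possible messages."""
    total = sum(frequencies.values())
    return -sum((c / total) * math.log2(c / total) for c in frequencies.values() if c)


def field_redundancy_bits(field_width_chars: int, frequencies: Dict[str, int]) -> float:
    """Bits transmitted (8 per character) minus bits of information actually carried."""
    return field_width_chars * 8 - shannon_entropy_bits(frequencies)


def keyspace_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy when every string of `length` symbols is equally likely."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest uniformly random password over this alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


# Constructed usage distribution (not real data): 1,000 users choosing
# 8-character passwords, most of them from a handful of favourites and the
# remaining 250 users each choosing something nobody else chose.
CONSTRUCTED_USAGE: Dict[str, int] = {
    "password": 300, "12345678": 200, "qwertyui": 150, "baseball": 100,
}
CONSTRUCTED_USAGE.update({f"unique{i:03d}": 1 for i in range(250)})


def effective_vs_nominal(usage: Dict[str, int], alphabet_size: int, length: int) -> Tuple[float, float]:
    """(entropy of what users actually pick, entropy of the nominal keyspace).

    The first number is what a guesser who knows the usage distribution faces;
    the second is what the password policy appears to promise.
    """
    return shannon_entropy_bits(usage), keyspace_entropy_bits(alphabet_size, length)
```

With the constructed table the effective entropy is about 4.2 bits against a nominal 37.6 bits for eight lowercase letters, which is the distribution effect the text describes.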
Cryptographic Protection of Passwords
Early on, the most basic and least secure method of authentication was to store passwords in plaintext (i.e., unencrypted) in a database on the server. During authentication, the client would send his or her password to the server, and the server would compare this against the stored value. Obviously, however, if the password file were accessible to unauthorized users, the security of the system could be easily compromised.
In later systems, developers discovered that a server did not have to store a user’s password in plaintext form in order to perform password authentication. Instead, the user’s password could be transformed through a one-way function, such as a hashing function, into a random-looking sequence of bytes. Such a function would be difficult to invert. In other words, given a password, it would be easy to compute its hash, but given a hash, it would be computationally infeasible to compute the password from it (see “Hashing”). Authentication would consist merely of performing the hash function over the client’s password and comparing it to the stored value. The password database itself could be made accessible to all users without fear of an intruder being able to steal passwords from it.
Hashing
A hash function is an algorithm that takes a variable-length string as the input and produces a fixed-length value (hash) as the output. The challenge for a hashing algorithm is to make this process irreversible; that is, finding a string that produces a given hash value should be very difficult. It should also be difficult to find two arbitrary strings that produce the same hash value. Also called a message digest or fingerprint, several one-way hash functions are in common use today. Among these are Secure Hashing Algorithm-1 (SHA-1) and Message Digest-5 (MD-5). The latter was invented by Ron Rivest for RSA Security, Inc. and produces a 128-bit hash value. See Table 1 for an example of output generated by MD5. SHA-1 was developed by the U.S. National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) and produces 160-bit hash values. SHA-1 is generally considered more secure than MD5 due to its longer hash value.
Table 1 Output from the MD5 Test Suite
For the Input String: “12345678901234567890123456789012345678901234567890123456789012345678901234567890”
The Output Message Digest is: 57edf4a22be3c955ac49da2e2107b67a
Microsoft Windows NT uses one-way hash functions to store password information in the Security Account Manager (SAM). There are no Windows32 Applications Programming Interface (API) function calls to retrieve user passwords because the system does not store them. It stores only hash values. However, even a hash-encrypted password in a database is not entirely secure. A cracking tool can compile a list of, say, the one million most commonly used passwords and compute hash functions from all of them. Then the tool can obtain the system account database and compare the hashed passwords in the database with its own list to see what matches. This is called a “dictionary attack” (see “Password Cracking Tools”).
To make dictionary attacks more difficult, often a salt is used. A salt is a random string that is concatenated with a password before it is operated on by the hashing function. The salt value is then stored in the user database, together with the result of the hash function. Using a salt makes dictionary attacks more difficult, as a cracker would have to compute the hashes for all possible salt values.
A simple example of a salt would be to add the time of day; for example, if a user logs in at noon using the password “pass,” the string that would be encrypted might be “1p2a0s0s.” By adding this randomness to the password, the hash will actually be different every time the user logs in (unless it is at noon every day). Whether a salt is used and what the salt actually is depends upon the operating system and the encryption algorithm being used. On a FreeBSD system, for example, there is a function called crypt that uses the DES, MD5, or Blowfish algorithms to hash passwords and can also use three forms of salts.
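As an added illustration, not code from the chapter or from any operating system's crypt, the following Python shows the scheme the hashing and salt passages describe: a per-user random salt generated once and stored beside the hash, verification by re-hashing and comparing only the hashed forms (the Green Book rule that passwords are never decrypted), and why a precomputed table of hashed common passwords resolves unsalted hashes in one lookup but must be recomputed for every salt. SHA-256, the COMMON_PASSWORDS list and the helper names are my assumptions; the MD5 vector is the one printed in Table 1.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# The MD5 test-suite vector printed in Table 1 of the chapter.
MD5_TEST_INPUT = "1234567890" * 8
MD5_TEST_DIGEST = "57edf4a22be3c955ac49da2e2107b67a"


def message_digest(data: str, algorithm: str = "md5") -> str:
    """Hex digest of `data` under any hashlib algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, hash_hex), the two values kept in the password database.

    The salt is random per user and generated once at enrolment; the plaintext
    password itself is never stored.  SHA-256 stands in for the chapter's
    MD5/SHA-1, which are no longer recommended; a production system would use
    a deliberately slow function such as hashlib.pbkdf2_hmac or scrypt.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_password(candidate: str, salt_hex: str, stored_hash: str) -> bool:
    """Hash what was typed with the stored salt and compare only the hashed forms."""
    _, digest = store_password(candidate, bytes.fromhex(salt_hex))
    # Constant-time compare so response timing does not reveal how much matched.
    return hmac.compare_digest(digest, stored_hash)


# Constructed list of common passwords that an auditor would hash in advance.
COMMON_PASSWORDS = ["password", "123456", "letmein", "Dilbert", "qwerty"]
UNSALTED_TABLE: Dict[str, str] = {
    message_digest(p, "sha256"): p for p in COMMON_PASSWORDS
}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Without a salt, one table lookup resolves the hash of a common password."""
    return UNSALTED_TABLE.get(stored_hash)


def audit_salted(salt_hex: str, stored_hash: str) -> Tuple[Optional[str], int]:
    """With a salt the precomputed table is useless: every candidate has to be
    re-hashed with this user's salt, and again for every other user's salt.
    Returns (matched_password_or_None, number_of_hashes_computed)."""
    salt = bytes.fromhex(salt_hex)
    for count, candidate in enumerate(COMMON_PASSWORDS, start=1):
        if hashlib.sha256(salt + candidate.encode()).hexdigest() == stored_hash:
            return candidate, count
    return None, len(COMMON_PASSWORDS)
```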
According to Cambridge University professor of computing Roger Needham, the Cambridge Multiple Access System (CMAS), which was an integrated online–offline terminal or regular input-driven system, may have been among the earliest to implement such one-way functions. It first went online in 1967 and incorporated password protection. According to Needham: “In 1966, we conceived the use of one-way functions to protect the password file, and this was an implemented feature from day one” (R. Needham, personal communication, April 11, 2002).
One-way hashing is still being used today, although it does not address another weakness—in a networked environment, it is difficult to transmit the password securely to the server for verification without its being captured and reused, perhaps in a replay attack. To avoid revealing passwords directly over an untrusted network, computer scientists have developed challenge–response systems. At their simplest, the server sends the user some sort of challenge, which would typically be a random string of characters called a nonce. The user then computes a response, usually some function based on both the challenge and the password. This way, even if the intruder captured a valid challenge–response pair, it would not help him or her gain access to the system, because future challenges would be different and require different responses.
These challenge-and-response systems are referred to as one-time password (OTP) systems. Bellcore’s S/KEY is one such system in which a one-time password is calculated by combining a seed with a secret password known only to the user and then applying a secure hashing algorithm a number of times equal to the sequence number. Each time the user is authenticated, the sequence number expected by the system is decremented, thus eliminating the possibility of an attacker trying a replay attack using the same password again. One-time passwords were more prevalent before secure shell (SSH) and secure sockets layer (SSL) systems came into widespread use.
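Added example, not the chapter's or Bellcore's code: a Python model of the S/KEY-style chain just described, in which the server stores only the value hashed sequence-number times, each login must supply the value one step further down the chain, and a captured response is worthless afterwards. The seed, secret and function names are assumptions, and SHA-256 replaces S/KEY's MD4 with no folding of the digest to 64 bits.

```python
import hashlib
from typing import List, Tuple


def otp_chain(seed: str, secret: str, count: int) -> bytes:
    """h^count(seed || secret): apply the hash `count` times to seed+secret."""
    value = (seed + secret).encode()
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Holds only the last accepted chain value, never the user's secret."""

    def __init__(self, seed: str, sequence: int, last_value: bytes):
        self.seed = seed
        self.sequence = sequence      # exponent of the value currently stored
        self.last_value = last_value  # h^sequence(seed || secret)

    def challenge(self) -> Tuple[int, str]:
        """Challenge = (sequence - 1, seed): the client must produce h^(sequence-1)."""
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff h(response) equals the stored value, then step the chain down."""
        if self.sequence <= 1:
            return False  # chain exhausted: h^0 would be the plaintext, so re-enrol
        if hashlib.sha256(response).digest() != self.last_value:
            return False
        self.last_value = response   # the accepted response becomes the new anchor
        self.sequence -= 1           # sequence number decremented, as the text says
        return True


def enroll(seed: str, secret: str, sequence: int) -> OtpServer:
    """Enrolment: the client computes h^sequence once and the server stores it."""
    return OtpServer(seed, sequence, otp_chain(seed, secret, sequence))


def client_response(secret: str, challenge: Tuple[int, str]) -> bytes:
    """The user's side: recompute the chain down to the requested count."""
    count, seed = challenge
    return otp_chain(seed, secret, count)


def run_exchange(secret: str, attempts: int) -> Tuple[List[bool], bool]:
    """Authenticate `attempts` times, then replay the last captured response.
    Returns (result of each login, whether the replay was accepted)."""
    server = enroll("sk01", secret, sequence=5)   # constructed seed and length
    results: List[bool] = []
    last = b""
    for _ in range(attempts):
        last = client_response(secret, server.challenge())
        results.append(server.verify(last))
    replay_accepted = server.verify(last)   # an eavesdropper's captured value
    return results, replay_accepted
```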
PASSWORD CRACKING TOOLS
Password-Cracking Approaches
As mentioned earlier, passwords are typically stored as values hashed with SHA-1 or MD5, which are one-way functions. In other words, this entire encyclopedia could be hashed and represented as eight bytes of gibberish. There would be no way to use these eight bytes of data to obtain the original text. However, password crackers know that people do not use whole encyclopedias as their passwords. The vast majority of passwords are 4 to 12 characters. Passwords are also, in general, not just random strings of symbols. Because users need to remember them, passwords are usually words or phrases of significance to the user. This is an opportunity for the attacker to reduce the search space.
An attacker might steal a password file–or sniff the wire and capture the user ID/password hash pairs during logon–and then run a password-cracking tool on it. Because it is impossible to decrypt a hash back to a password, these programs will try a dictionary approach first. The program guesses a password—say, the word “Dilbert.” The program then hashes “Dilbert” and compares the hash to one of the hashed entries in the password file. If it matches, then that password hash represents the password “Dilbert.” If the hash does not match, the program takes another guess. Depending on the tool, a password cracker will try all the words in a dictionary, all the names in a phone book, and so on. Again, the attacker does not need to know the original password–just a password that hashes to the same value.
This is analogous to the “birthday paradox,” which basically says, “If you get 25 people together in a room, the odds are better than 50/50 that two of them will have the same birthday.” How does this work? Imagine a person meeting another on the street and asking him his birthday. The chances of the two having the same birthday are only 1/365 (0.27%). Even if one person asks 25 people, the probability is still low. But with 25 people in a room together, each of the 25 is asking the other 24 about their birthdays. Each person only has a small (less than 5%) chance of success, but trying it 25 times increases the probability significantly.
In a room of 25 people, there are 300 possible pairs (25 × 24 / 2). Each pair has a probability of success of 1/365 = 0.27%, and a probability of failure of 1 − 0.27% = 99.726%. Calculating the probability of failure: (99.726%)^300 = 44%. The probability of success is then 100% − 44% = 56%. So a birthday match will actually be found five out of nine times. In a room with 42 people, the odds of finding a birthday match rise to 9 out of 10. Thus, the birthday paradox is that it is much easier to find two values that match than it is to find a match to some particular value.
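To make the figures above checkable, here is an added Python example (not part of the chapter) that computes the pairwise approximation used in the text, the exact probability, and the targeted single-value probability, for a space of any size, so the same functions apply to a hash output space as well as to 365 birthdays. All function names are assumptions.

```python
def targeted_match_probability(queries: int, space: int = 365) -> float:
    """Chance that at least one of `queries` random draws equals one fixed value
    (one person asking `queries` strangers whether they share his birthday)."""
    return 1.0 - (1.0 - 1.0 / space) ** queries


def pairwise_approximation(n: int, space: int = 365) -> float:
    """The chapter's estimate: each of the n(n-1)/2 pairs fails to match
    independently with probability 1 - 1/space."""
    pairs = n * (n - 1) // 2
    return 1.0 - (1.0 - 1.0 / space) ** pairs


def any_match_probability(n: int, space: int = 365) -> float:
    """Exact value: the i-th draw must avoid all i-1 values already seen."""
    if n > space:
        return 1.0  # pigeonhole: more draws than values guarantees a match
    p_no_match = 1.0
    for i in range(n):
        p_no_match *= (space - i) / space
    return 1.0 - p_no_match


def draws_for_probability(target: float, space: int = 365) -> int:
    """Smallest number of draws whose exact any-match probability reaches target.
    For a hash this is how many outputs are needed before two of them collide."""
    n = 1
    while any_match_probability(n, space) < target:
        n += 1
    return n
```

For 25 people the approximation gives 56% and the exact value about 57%; for a 16-bit space a 50% collision needs roughly 300 draws, while the chance of hitting one chosen value in that many draws stays under 1%.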
If a wave of dictionary guesses fails to produce any passwords for the attacker, the cracking program will next try a hybrid approach of different combinations—such as forward and backward spellings of dictionary words, additional numbers and special characters, or sequences of characters. The goal here again is to reduce the cracker’s search space by trying “likely” combinations of known words.
Only after exhausting both of these avenues will the cracking program start in on an exhaustive or brute-force attack on the entire password space. And, of course, it remembers the passwords it has already tried and will not have to recheck these either during the brute-force search.
Approaches to Retrieving Passwords
Most password-cracking programs will first attempt to retrieve password hashes to begin their cracking processes. A sophisticated attacker will not try to guess passwords by entering them through the standard user interface because the time to do so is prohibitive, and most systems can be configured to lock a user out after too many wrong guesses.
On Microsoft Windows systems, it typically requires the “Administrator” privilege to read the password hashes from the database in which they are stored. This is usually somewhere in the system registry. In order to access them, a cracking tool will attempt to dump the password hashes from the Windows registry on the local machine or over the network if the remote machine allows network registry access. The latter requires a target Windows machine name or IP address.
Another method is to access the password hashes directly from the file system. On Microsoft Windows systems, this is the SAM. Because Windows locks the SAM file where the password hashes are stored in the file system with an encryption mechanism known as SYSKEY, it is impossible to read them from this file while the system is running. However, sometimes there is a backup of this file on tape, on an emergency repair disk (ERD), or in the repair directory of the system’s hard drive. Alternately, a user may boot from a floppy disk running another operating system such as MS-DOS and be able to read password hashes directly from the file system. This is why security administrators should never neglect physical security of systems. If an attacker can physically access a machine, he or she can bypass the built-in file system security mechanisms (see “Recovering Windows NT Passwords”).
Todd Sabin has released a free utility called PWDUMP2 that can dump the password hashes on a local machine if the SAM has been encrypted with the SYSKEY utility that was introduced in Windows NT Service Pack 3. Once a user downloads the utility, he or she can follow the instructions on the Web page to retrieve the password hashes, load the hashes into a tool such as L0phtCrack, and begin cracking them.
Password Sniffing
Instead of capturing the system user file (SAM on Windows or /etc/passwd or /etc/shadow on Unix/Linux), another way of collecting user IDs and passwords is through sniffing network traffic. Sniffing uses some sort of software or hardware wiretap device to eavesdrop on network communications, usually by capturing and deciphering communications packets. According to Peiter “Mudge” Zatko, who initially wrote L0phtCrack: “Sniffing is slang for placing a network card into promiscuous mode so that it actually looks at all of the traffic coming along the line and not just the packets that are addressed to it. By doing this one can catch passwords, login names, confidential information, etc.” (Zatko, 1999b).
L0phtCrack offers an “SMB Packet Capture” function to capture encrypted hashes transmitted over a Windows network segment. On a switched network, a cracker will only be able to sniff sessions originating from the local machine or connecting to that machine. As server message block (SMB) session authentication messages are captured by the tool, they are displayed in the SMB Packet Capture window. The display shows the source and destination IP addresses, the user name, the SMB challenge, the encrypted LAN manager hash, and the encrypted NT LAN manager hash, if any. To crack these hashes,