This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Publisher : Prentice – Hall of India
Year of publication: 2003
indicates paragraphing Italics and bold face font This is a new book
11.2.9
Systems Analysis And Design
© V. Rajaraman
22 of 35
Linking Documents HTML can link to documents in other files.For Example to link an image we use : IMG indicates image and src the source (Observe the tag IMG is standalone and does not have end tag HTML has feature to list items with serial number or bullets HTML can also display tables and forms HTML is as rich as some word processors.
11.2.10 Systems Analysis And Design ©
V. Rajaraman
23 of 35
Hyperlinking Html Documents HTML allows a web page to refer to other web pages When a reference link in the page is clicked the browser switches to the referenced site. The specification is where A is called anchor tag. Linking can also be to other files . Automatic conversion of word documents to HTML is possible using a tool 11.2.11 Systems Analysis And Design ©
V. Rajaraman
24 of 35
Shortcomings Of Html HTML is the earliest markup language which made it possible to retrieve documents stored in the world wide web HTML is primarily to facilitate presentation of contents of a web page. HTML does not have any means of specifying what the documents represents. Is it an invoice? A purchase order, book description etc. It also has no means of specifying the type of data to allow manipulation of data by browser. We thus need a markup language which is richer and is more descriptive of structure of a document and what it represents 11.2.12 Systems Analysis And Design ©
V. Rajaraman
25 of 35
EXtensible Markup Language A document has CONTENT, it has a STRUCTURE and it needs to be PRESENTED for ease of reading Word processors and HTML emphasize presentation of content and have no means of specifying structure (or what the data actually represents) XML is a new markup language which is capable of specifying what a document really represents XML is a proper subset of an international standard known as STANDARD GENERALISED MARKUP LANGUAGE (SGML).It is open standard and not proprietary 11.2.13 Systems Analysis And Design ©
V. Rajaraman
26 of 35
Parts Of XML System XML defines the structure of a document Unlike HTML it has tags which are user defined.This allows easy understanding of the nature of the document and assists in its processing. Formatting and presentation are not part of XML unlike HTML which has tags for bold face,italics etc.This is delegated to a companion language called XSL (Extensible Style Language) Linking documents to create hypertext is also not integrated in XML unlike HTML where tag is a general purpose linking tag. Much more powerful linking is enabled by separating it to a companion language called XLL (Extensible Link Language). 11.2.14 Systems Analysis And Design ©
V. Rajaraman
27 of 35
Example Of XML Document • A purchase order is represented in XML as below < purchase_order > < order_no > B55567 < date> < year > 2004 < month > 10 < day > 9
11.2.15 Systems Analysis And Design ©
V. Rajaraman
28 of 35
Example Of XML Document (Contd)
11.2.16 Systems Analysis And Design ©
V. Rajaraman
29 of 35
Example Of XML Document Observe that the tags used have a syntax similar to HTML. The tags are, however, meaningful to a human reader The XML definition clearly brings out the structure of an invoice. However to interpret such a document and process it by a computer a companion document called Document Type Definition (DTD) is needed. DTD has its own syntax . We give DTD for this XML document in the next transparency. 11.2.17 Systems Analysis And Design ©
V. Rajaraman
30 of 35
Document Type Definition (DTD) DTD of XML document of 11.2.15 is given below
ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT ELEMENT
DTD Statements purchase order (entry +) > order_no (#PC DATA) > date (year, month ,day) year (#PC DATA)> month(#PC DATA)> day (#PC DATA)> purchaser (name,address)> name (#PC DATA)> address (street,city,pin-code)> street (#PC DATA)> city (#PC DATA)> pin-code (#PC DATA)> item (item_name,item_code,quantity)> item_name (#PC DATA)> item_code (#PC DATA)> quantity (#PC DATA)> supplier (name)> name(#PC DATA)>
11.2.18 Systems Analysis And Design ©
V. Rajaraman
31 of 35
Explanation Of Document Type Definition Each statement in DTD declares the elements of XML program states that purchase order is the top level element with one or more entry following it 2 statements are introduced at the start of XML definition which specifies the version of XML and the file name of DTD specification Assuming DTD is in a file purchase_order.dtd the declarations are XML Version =“1.0”> The tags used in XML definition are then specified.
11.2.19 Systems Analysis And Design ©
V. Rajaraman
32 of 35
Explanation Of Document Type Definition
V. Rajaraman
33 of 35
Some Application Of XML XML’s main use is in creating documents for the World Wide Web which can be retrieved by browsers at client computers. User defined tags give several advantages including use in - Push Technology – In this application time varying data specified by users e.g. Hourly stock prices of specified shares are automatically sent to the client’s browser - Online banking – A standard XML format known as financial exchange initiative is used to obtain information such as bank statements.
11.2.21
Systems Analysis And Design
© V. Rajaraman
34 of 35
Some Application Of XML Software and database updates XML adaptable to many natural languages such as Kannada as it uses Unicode standard. Use in Scientific Publications – Markup languages based on XML have been developed for chemistry – CML (Chemistry Markup Language) and MML (Mathematical Markup Language)
11.2.22 Systems Analysis And Design ©
V. Rajaraman
35 of 35
MODULE 11
DOCUMENTS ON WEB OBJECTIVE QUESTIONS
There are 4 alternative answers to each question. One of them is correct. Pick the correct answer. Do not guess. A key is given at the end of the module for you to verify your answer
LEARNING UNIT 1 11.1.1 Internet is (a) a local computer network (b) a world wide network of computers (c) an interconnected network of computers (d) a world wide interconnected network of computers which use a common protocol to communicate with one another 11.1.2 The facilities available in the internet are (i) electronic mail (ii) remote login (iii) file transfer (iv) word processing (a) i, ii (b) i, ii, iii (c) i, ii, iv (d) ii, iii and iv 11.1.3 Internet requires (a) an international agreement to connect computers (b) a local area network (c) a commonly agreed set of rules to communicate between computers (d) a World Wide Web 11.1.4 Each computer connected to the internet must (a) be an IBM PC (b) have a unique IP address (c) be internet compatible (d) have a modem connection
11.1.5 IP address is currently (a) 4 bytes long (b) available in plenty (c) 6 bytes long (d) not assigned as it is all used up 11.1.6 IP addresses are converted to (a) a binary string (b) alphanumeric string (c) a hierarchy of domain names (d) a hexadecimal string 11.1.7 Internet addresses must always have atleast (i) a country name or organization type (ii) internet service provider’s name (iii) name of organization (iv) name of individual (v) type of organization (a) i, ii, iii (b) ii, iii, iv (c) i, iii (d) ii, iii, iv, v 11.1.8 Internet uses (a) Packet switching (b) Circuit switching (c) Telephone switching (d) Telex switching 11.1.9 Internet data is broken up as (a) fixed length packets (b) variable length packets (c) not packetized (d) 64 bytes packets 11.1.10
Internet packet data structure consists of (i) source address (ii) destination address (iii) serial number of packets (iv) message bytes (v) control bits for error checking (vi) path identification bits (a) i, ii, iii (b) i, ii, iii, iv (c) i, ii, iii, iv, v (d) i, ii, iii, iv, v, vi
11.1.11 The packets of an internet message (a) take a predetermined path (b) take a path based on packet priority (c) go along different paths based on path availability (d) take the shortest path from source to destination 11.1.12 The time taken by internet packets (a) can be predetermined before transmission (b) are same for all packets (c) may be different for different packets (d) is irrelevant for audio packets 11.1.13 By an intranet we mean (a) a LAN of an organization (b) a Wide Area Network connecting all branches of an organization (c) a corporate computer network (d) a network connecting all computers of an organization and using the internet protocol 11.1.14 By an extranet we mean (a) an extra fast computer network (b) the intranets of two co-operating organizations interconnected via a secure leased line (c) an extra network used by an organization for higher reliability (d) an extra connection to internet provided to co-operating organizations
11.1.15 World Wide Web (a) is another name for internet (b) world wide connection for computers (c) a collection of linked information residing on computers connected by the internet (d) a collection of world wide information 11.1.16 Among services available on the World Wide Web are (i) Encryption (ii) HTTP (iii) HTML (iv) Firewalls (a) i and ii (b) ii and iii (c)iii and iv (d) i and iv
11.1.17 A world wide web contains web pages (a) residing in many computers (b) created using HTML (c) with links to other web pages (d) residing in many computers linked together using HTML 11.1.18 A web page is located using a (a) Universal Record Linking (b) Uniform Resource Locator (c) Universal Record Locator (d) Uniformly Reachable Links 11.1.19 A URL specifies the following: (i) protocol used (ii) domain name of server hosting web page (iii) name of folder with required information (iv) name of document formatted using HTML (v) the name of ISP (a) i, ii, iii, iv (b) ii, iii, iv, v (c) i, iii, iv (d) i, ii, iii, v 11.1.20 A search engine is a program to search (a) for information (b) web pages (c) web pages for specified index terms (d) web pages for information using specified search terms ‘
LEARNING UNIT 2 11.2.1 HTML stands for (a) Hyper Text Making Links (b) Hyper Text Markup Language (c) Higher Textual Marking of Links (d) Hyper Text Mixer of Links 11.2.2 HTML is similar to a (a) word processing language (b) screen editor (c) scripting language (d) search engine
11.2.3 Desirable properties of a website are (i) a meaningful address (ii) Help and search facilities (iii) Links to related sites (iv) Features to allow users to give feedback (v) Hosting on a mainframe (a) i, ii, iii (b) i, ii, iii, iv (c) i, ii, iii, iv, v (d) i, ii, iii, v
11.2.4 HTML uses (a) (b) (c) (d)
pre-specified tags user defined tags tags only for linking fixed tags defined by the language
11.2.5 HTML tags define (a) (b) (c) (d)
The data types of elements of document Presentation of specified elements of a document The contents of the document The structure of the document
11.2.6 The tag used in HTML to link it with other URL’s is: (a) (b)
(a) (i) and (ii)
(b) (i) and (iii)
(c) (ii) and (iv)
(d) (i),(ii) and (iii)
11.2.8 It is possible to display pictures (i.e, images) in HTML specification by using the tag. (a) (b) (c) (d)
11.2.9 SGML stands for (a) (b) (c) (d)
Standard Generalized Markup Language Structured General Markup Language Standard Graphics Mapping Language Standard General Markup Links
11.2.10 HTML and XML are markup languages (a) (b) (c) (d)
Specially development for the web Are based on SGML Are versions of SGML Independent of SGML
11.2.11 XML stands for (a) (b) (c) (d)
Extra Markup Language Excellent Markup Links Extended Markup Language Extended Marking Links
11.2.12 XML uses (a) (b) (c) (d)
user define tags pre-defined tags both predefined and user-defined tags Extended tags used in HTML and makes them powerful
11.2.13 In order to interpret XML documents one should (a) (b) (c) (d)
Use standardized tags Have a document type definition which defines the tags Define the tags separately Specify tag filename
11.2.14 The advantages of XML over HTML are (i) (ii) (iii) (iv)
It allows processing of data stored in web-pages It uses meaningful tags which aids in understanding the nature of a document Is simpler than HTML It separates presentation and structure of document
(a) (i),(ii) and (iii)
(b) (i),(ii) and(iv)
(c ) (ii),(iii) and (iv)
(d) (i),(iii) and (iv)
11.2.15 XSL definition is used along with XML definition to specify (a) (b) (c) (d)
The data types of the contents of XML document The presentation of XML document The links with other documents The structure of XML document
11.2.16 XLL definition is used along with XML to specify (a) (b) (c) (d)
The data types of the contents of XML document The presentation of XML document The links with other documents The structure of XML document
11.2.17 DTD definition is used along with XML to specify (a) The data types of the contents of XML document (b) The presentation of XML document (c) The links with other documents (d) The structure of XML document
KEY TO OBJECTIVE QUESTIONS
11.1.1 11.1.7 11.1.13 11.1.19 11.2.5 11.2.11 11.2.17
d c d a b c a
11.1.2 11.1.8 11.1.14 11.1.20 11.2.6 11.2.12
b a b d a a
11.1.3 11.1.9 11.1.15 11.2.1 11.2.7 11.2.13
c b c b a b
11.1.4 11.1.10 11.1.16 11.2.2 11.2.8 11.2.14
b 11.1.5 a 11.1.6 c c 11.1.11 c 11.1.12 c b 11.1.17 d 11.1.18 b a 11.2.3 b 11.2.4 d c 11.2.9 a 11.2.10 b b 11.2.15 b 11.2.16 c
System Analysis and Design/Documents On Web
11.1
Multiple Choice Questions
Internet is a. a local computer network b. a world wide network of computers c. an interconnected network of computers d. a world wide interconnected network of computers which use a common protocol to communicate with one another
11.2
The facilities available in the internet are (i) electronic mail (ii) remote login (iii)file transfer (iv)word processing a. i, ii b. i, ii, iii c. i, ii, iv d. ii, iii and iv
11.3
Internet requires a. an international agreement to connect computers b. a local area network c. a commonly agreed set of rules to communicate between computers d. a World Wide Web
11.4
Each computer connected to the internet must a. be an IBM PC b. have a unique IP address c. be internet compatible d. have a modem connection
11.5
IP address is currently a. 4 bytes long
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/1
System Analysis and Design/Documents On Web
Multiple Choice Questions
b. available in plenty c. 6 bytes long d. not assigned as it is all used up 11.6
IP addresses are converted to a. a binary string b. alphanumeric string c. a hierarchy of domain names d. a hexadecimal string
11.7
Internet addresses must always have at least (i) a country name or organization type (ii) internet service provider’s name (iii) name of organization (iv) name of individual (v) type of organization a. i, ii, iii b. ii, iii, iv c. i, iii d. ii, iii, iv, v
11.8
Internet uses a. Packet switching b. Circuit switching c. Telephone switching d. Telex switching
11.9
Internet data is broken up as a. fixed length packets b. variable length packets c. not packetized
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/2
System Analysis and Design/Documents On Web
Multiple Choice Questions
d. 64 bytes packets 11.10 Internet packet data structure consists of (i)source address (ii) destination address (iii)serial number of packets (iv)message bytes (v)Control bits for error checking (vi) Path identification bits a. i, ii, iii b. i, ii, iii, iv c. i, ii, iii, iv, v d. i, ii, iii, iv, v, vi 11.11 The packets of an internet message a. take a predetermined path b. take a path based on packet priority c. go along different paths based on path availability d. take the shortest path from source to destination 11.12 The time taken by internet packets a. can be predetermined before transmission b. may be different for different packets c. is irrelevant for audio packets 11.13 By an intranet we mean a. a LAN of an organization b. a Wide Area Network connecting all branches of an organization c. a corporate computer network d. a network connecting all computers of an organization and using the internet protocol
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/3
System Analysis and Design/Documents On Web
Multiple Choice Questions
11.14 By an extranet we mean a. an extra fast computer network b. the intranets of two co-operating organizations interconnected via a secure leased line c. an extra network used by an organization for higher reliability d. an extra connection to internet provided to co-operating organizati 11.15 World Wide Web a. is another name for internet b. world wide connection for computers c. a collection of linked information residing on computers connected by the internet d. a collection of world wide information 11.16 Among
services
available
on
the
World
Wide
Web
are
(i)Encryption (ii)HTTP (iii)HTML (iv)Firewalls a. i and ii b. ii and iii c. iii and iv d. i and iv 11.17 A world wide web contains web pages a. residing in many computers b. created using HTML c. with links to other web pages d. residing in many computers linked together using HTML 11.18 A web page is located using a
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/4
System Analysis and Design/Documents On Web
Multiple Choice Questions
a. Universal Record Linking b. Uniform Resource Locator c. Universal Record Locator d. Uniformly Reachable Links 11.19 A URL specifies the following: (i) protocol used (ii) domain name of server hosting web page (iii) name of folder with required information (iv) name of document formatted using HTML (v) the name of ISP a. i, ii, iii, iv b. ii, iii, iv, v c. i, iii, iv d. i, ii, iii, v 11.20 A search engine is a program to search a. for information b. web pages c. web pages for specified index terms d. web pages for information using specified search terms 11.21 HTML stands for a. Hyper Text Making Links b. Hyper Text Markup Language c. Higher Textual Marking of Links d. Hyper Text Mixer of Links 11.22 HTML is similar to a a. word processing language b. screen editor
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/5
System Analysis and Design/Documents On Web
Multiple Choice Questions
c. scripting language d. search engine 11.23
Desirable properties of a website are (i)a meaningful address (ii)Help and search facilities (iii) Links to related sites (iv)Features to allow users to give feedback (v)Hosting on a mainframe
a. i, ii, iii b. i, ii, iii, iv c. i, ii, iii, iv, v d. i, ii, iii, v 11.24 HTML uses a. pre-specified tags b. user defined tags c. tags only for linking d. fixed tags defined by the language 11.25 HTML tags define a. The data types of elements of document b. Presentation of specified elements of a document c. The contents of the document d. The structure of the document 11.26 The tag used in HTML to link it with other URL’s is: a. b.
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/6
System Analysis and Design/Documents On Web
Multiple Choice Questions
11.27 The tags used for specifying fonts in HTML are (i) (ii) (iii) (iv)
It is possible to display pictures (i.e, images) in HTML specification by using
the
tag.
a.
HTML and XML are markup languages
a. Specially development for the web b. Are based on SGML c. Are versions of SGML
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/7
System Analysis and Design/Documents On Web
Multiple Choice Questions
d. Independent of SGML 11.31
XML stands for
a. Extra Markup Language b. Excellent Markup Links c. Extended Markup Language d. Extended Marking Links 11.32
XML uses
a. user define tags b. pre-defined tags c. both predefined and user-defined tags d. Extended tags used in HTML and makes them powerful 11.33
In order to interpret XML documents one should
a. Use standardized tags b. Have a document type definition which defines the tags c. Define the tags separately d. Specify tag filename 11.34
The advantages of XML over HTML are (i) It allows processing of data stored in web-pages (ii) It uses meaningful tags which aids in understanding the nature of a document (iii)Is simpler than HTML (iv)It separates presentation and structure of document a. (i),(ii) and (iii) b. (i),(ii) and(iv) c. (ii),(iii) and (iv) d. (i),(iii) and (iv) 11.35
XSL definition is used along with XML definition to specify
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/8
System Analysis and Design/Documents On Web
Multiple Choice Questions
a. The data types of the contents of XML document b. The presentation of XML document c. The links with other documents d. The structure of XML document 11.36
XLL definition is used along with XML to specify
a. The data types of the contents of XML document b. The presentation of XML document c. The links with other documents d. The structure of XML document 11.37 DTD definition is used along with XML to specify a. The data types of the contents of XML document b. The presentation of XML document c. The links with other documents d. The structure of XML document
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/9
System Analysis and Design/Documents On Web
Multiple Choice Questions
Key to Objective Questions 11.1
d
11.2
b
11.3
c
11.4
b
11.5
11.7
c
11.8
a
11.9
b
11.10 c
11.11 c
11.13 d
11.14
b
11.15 c
11.19 a
11.20 d
11.21
b
11.22
11.26
11.27
a
11.28
11.25
b
11.31 c
11.32 a
a
11.33 b
11.16 b
11.34 b
11.17 a c
11.23 11.29
a
11.6
c
11.12 c
d
11.18 b b 11.24 a
11.35 b 11.36
d
11.30 b c
11.37 a
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/10
MODULE 11
DOCUMENTS ON WEB WORKED EXAMPLES
11.1
What do you understand by an IP address? How is an IP address represented numerically? An IP address is an unique address required by a computer interface to access the internet. Presently an IP address is a 4 byte address and is expressed in what is known as the dotted decimal format like 144.16.68.201.
11.2
What is a domain name? How are e-mail addresses assigned? Since IP addresses are represented numerically which is difficult to remember, these addresses are converted into a string of characters for ease of remembering. These addresses are grouped into domains. On the Internet, a domain consists of a set of network addresses. This domain is organized in levels. The top level identifies geographic location or purpose commonality (for example, .in for India, .com for commerce and .edu for education). The second level identifies a unique place within the top level domain and is, in fact, equivalent to a unique address on the Internet (or IP). Lower levels of domain may also be used. Domain addresses are assigned by an international authority known as Internet Corporation for Assigned Names and Numbers (ICANN).
11.3
What is packet switching? What are the advantages of packet switching? Why is packet switching used in internet communication? Packet switching is the technique in which data are transmitted through communication links as a set of packets. A message is broken into a number of packets. The packets are stored in routers along the path and forwarded to other routers when communication link is free. Here the message is broken into packets to reduce the transmission cost. The transmission is faster and fault-tolerant, in the sense that if a line is not working or free the stored packets can be sent along another line.
11.4
What is extranet? Give an example of an extranet An Extranet is private connection of intranets and leased lines from public telecommunication system to share part of business’s information or operations with suppliers, vendors, partners, customers, or other businesses. We can call it as a “private internet” Companies can use extranet to:
(a) Exchange large volumes of data using Electronic data Interchange(EDI) (b) Share product catalogs exclusively with wholesalers or those “in the trade” (c) Collaborate with other companies on joint development efforts (d) Jointly develop and use training programs with other companies An example of extranet is one which connects an automobile manufacturer with supplies of ancilliaries such as batteries, tyres, brakes etc. Another example is banknet connecting banks. 11.6
What is the world wide web? In what way is it different from internet? The world wide web is the global multimedia information service available on the internet. It consists of linked web pages. The internet helps in facilitating the functionality of www. Internet is a physical network of computers where www is a service provided using the internet.
11.7
What is the role of HTML in web page design? Give a HTML code to display Introduction to e-Commerce This is a new book HTML has features to embed with web pages pointing to other web pages. It has features for adding images, different colors etc. and also you can develop a very good and attractive web page to attract customers which is the basic need of eCommerce. The html code to display the information is given below: Introduction to e-Commerce
11.8
What is a URL? Explain the various parts of an URL? A URL stands for Uniform Resource Locator. A URL is the address of a (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. In the URL http://www.entertainment.msn.com/movie.html the http stands for protocol to be used i.e., here hyper text transfer protocol. The www.msn.com preceded by:// is the address (called domain name) of computer, which is permanently connected to the internet. The entertainment is one directory. Under entertainment directory the file for information on movie is movie.html. The protocol can be http, ftp (file transfer protocol). The com stands for commercial organization.
Similarly there are different domains like edu, net etc., which are universally agreed as of specific type. 11.9
What is a hyperlink? How do you link an image file to a HTML document? An image or portion of text on a Web page that is linked to another Web page, either on the same site or in another Web site is an Hyperlink. Clicking on the link will take the user to another Web page, or to another place on the same page. The specification for linking an image file to a HTML document is < /A> where is called the anchor tag.
11.10 What is XML? In what way is it superior to HTML? XML or Extended Markup Language a subset of a SGML (Standard Generalized Markup Language), is a new markup language that is capable of specifying what a document really represents, unlike HTML which emphasizes on presentation of the content and no means of specifying structure. XML uses tags which are user defined, while HTML uses tags which are predefined by the language. Formatting and presentation are not part of XML unlike HTML which has tags for bold face, italics etc. This is delegated to a companion language called XSL (Extensible Style Language) Linking documents to create hypertext is also not integrated in XML unlike HTML where tag is a general purpose linking tag. Much more powerful linking is enabled by separating it to a companion language called XLL (Extensible Link Language).
11.11 What language do you use to format XML documents? Formatting is not a part of XML. This is delegated to a companion language called XSL (Extensible style language)
System Analysis and Design/Documents On Web
Question Bank
Question Bank 11.1
What is the difference between on-line and off-line data entry?
11.2
Why are input data records divided into batches for off-line data entry?
11.3
What is the purpose of a data validation program?
11.4
What are the main principles used in designing forms for data entry?
11.5
A good and a bad design for entering date in a form is given in Section 11.1. What are the reasons for saying that one of them is good and the other bad?
11.6
Design a form to be used by a salesman to report to the office about the sales executed by him at different customer locations.
11.7
Why are data fields coded in an information system?
11.8
Can the name of a person be used as a code, for say, his bank account? If not, why?
11.9
What are the requirements of a good coding scheme?
11.10
Is a concise code comprehensive? If not, why?
11.11
Is a meaningful code necessarily comprehensive?
11.12
Is a comprehensive code necessarily meaningful?
11.13
Is a precise code necessarily concise?
11.14
What is the advantage of a serial number code? Why is it not normally used?
11.15
What is the main advantage of block codes?
11.16
Design a group classification code to code (i) motor vehicles,, (ii) music cassettes, and (iii) books
11.17
Is a group classification code meaningful?
11.18
Give an example of a significant code. Are significant codes expandable?
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/1
System Analysis and Design/Documents On Web
11.19
Question Bank
Add a Modulus-11 check digit to the codes (i) 48467, (ii) 96432, and (iii) 87646257.
11.20
Modulus-37 check is suitable for alphanumeric codes. Add a modulus-37 character to the codes (i) 4AB9W, (ii) XBY483, and (iii) CAZ4642.
11.21
The following code was entered by an operator:449632. The last digit is a modulus-11 check digit. Is this code correct?
11.22
If a code uses hexadecimal digits, what should be N if the modulus-N check digit system is to be used with such codes? What are the allowable weights if single transcription and transposition errors are to be detected?
11.23
If modulus-11 check digit system is to generate detection of multiple identical digit transcription error (i.e., a code such as 45565 is wrongly entered as 48868), what should be the constraints on the weights?
11.24
A see-saw error is one in which one digit of the code is increased by x and another decreased by x. For example, 486732 becoming 456762. When can modulus N check detect such errors?
11.25
Why is it useful to assign sequence numbers for data records? What are the types of errors detected by sequence numbering?
11.26
What is the purpose of batch control record? What is the type of information contained in a batch control record?
11.27
A set of data records for student examination results has the following format: Roll no.
Name Marks (out of 100) Paper 1
Paper 2
Paper 3
Paper 4
Design for these records a batch control record and a record control field and any
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/2
System Analysis and Design/Documents On Web
Question Bank
other appropriate checks for the fields. 11.28
Give some example of fields for which a radix error check is appropriate.
11.29
What is the difference between range check and a radix check?
11.30
What are the appropriate range checks for the age of individuals in an employee file, a high school student file, and height of students in a student file.
11.31
Give some examples of fields where reasonableness check would be applicable.
11.32
Give some examples of inter-field relationship checks.
11.33
What is the main difference between menus, templates and command modes of interactive data entry? When is each of these modes appropriate?
11.34
Design a dialogue hierarchy for entering data on customers (of a manufacturer).
11.35
Design a dialogue hierarchy and the screens for a system used to reserve seats in long distance buses.
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/3
System Analysis and Design/Documents On Web
Pointers
References 1. Most traditional books on Systems Analysis and Design do not discuss HTML and XML and documents on the web. 2. HTML is discussed in Wall D.A., using world wide web, 2nd edition, Prentice Hall of India, New Delhi, 1996. 3. Detailed Presentation of XML may be found in the book by Sean McGrath, “XML by Example”, Prentice Hall, Inc., N.J., U.S.A., 1998. 4. D.Box, A.Skonnard and J……, “Essential XML”, Pearson Education Asia, New Delhi 2000. 5. Using HTML.4, XML and JAVA 1.2, Eric Ladd et.al , Prentice Hall of India, New Delhi, 1999. 6. HTML 4.0 specifications may be found in http://www/w3.org/TR/html40
V. Rajaraman/IISc. Bangalore
M11/V1/July 04/1
SUMMARY of Module 12 1.
Data may be input to a computer off-line or on-line. In on-line entry a user enters data interactively via a video terminal connected to the computer. In off-line data entry data filled in forms are entered by operators in a separate PC or a data entry machine.
2.
Off-line data entry is suitable if the number of records is very large.
3.
In off-line data entry, batches of data are formed and entered. They are checked by a validation program and the corrected records are stored in a file.
4.
To reduce errors in input, it is essential to carefully design the forms used for entering data.
5.
Important data elements are coded. Codes are necessary for unique identification, easily cross-referencing and efficient storage and retrieval.
6.
There are many methods for coding. An ideal code must be concise, expandable, meaningful, comprehensive and precise. It is not possible to incorporate all these ideal features in a code.
7.
Codes are classified as: (i) Serial number codes, (ii) Block codes, (iii) Group classification codes, and (iv) Significant codes. Group classification codes and Significant codes are most meaningful, expandable, precise and comprehensive. They are, however, not concise, Serial and Block number codes are more concise. They are also precise and expandable but are not meaningful and comprehensive.
8.
Any error made in entering important data fields such as account codes and identification codes must be detected during data entry.
9.
The most common errors made during data entry are: a single digit is incorrectly
entered or any two digits in the code are interchanged. These errors are called respectively single transcription and transposition errors and account for 96% of all data entry errors. 10.
Given a code, the digits in it starting from the last digit are multiplied by weights 2, 3, 4, etc., and the products are added. The sum is divided by 11. The remainder is subtracted from 11. This number (which is called a check digit) is appended as the last digit of the code. The code constructed in this way is called a midulus-11 check digit code.
11.
After data entry the digits in the code starting from the last digit are multiplied by weights 1, 2, 3, 4, etc., and the products are added. The sum is divided by 11. If the remainder is not zero then there is an error in the code.
12.
Modulus-11 check digit code guarantees detection of all single transcription and transposition errors. It also detects 95% of all other errors.
13.
It is essential to design good data validation programs to prevent data entry errors from corrupting files of input data. Validation programs need information for detecting errors. This information is provided by controls exercised during data preparation.
14.
Important control mechanisms are; giving unique sequence numbers to each data record, providing a batch control record containing a count of number of records and a total of one of the fields..
15.
The same data is entered by two different persons and compared to reduce transcription errors.
16.
Besides this, individual data fields are checked using information on their range of
allowed values, range of reasonable values, and relationships between different fields. Batch control provides information to detect incorrect values entered, missing records, and data in the wrong sequence. 17.
With the advent of Personal Computers, remote terminals connected to a computer and local computer networks, considerable amount of data is entered in files interactively.
18.
For interactive data input, special screens are designed on video terminals for easy data entry. Errors in data entry are instantly detected by a validation program during data entry and can be immediately corrected.
19.
Common methods of interactive data input is by use of menus, templates and interactive commands for data entry.
20.
A menu method is used to pick one out of many alternatives, a template method to enter new data, and a command method to add and delete data.
21.
These methods are combined to provide a user the most appropriate technique for a particular type of interactive data entry.
QUESTION BANK – MODULE 11 11.1
What is the difference between on-line and off-line data entry?
11.2
Why are input data records divided into batches for off-line data entry?
11.3
What is the purpose of a data validation program?
11.4
What are the main principles used in designing forms for data entry?
11.5
A good and a bad design for entering date in a form is given in Section 11.1. What are the reasons for saying that one of them is good and the other bad?
11.6
Design a form to be used by a salesman to report to the office about the sales executed by him at different customer locations.
11.7
Why are data fields coded in an information system?
11.8
Can the name of a person be used as a code, for say, his bank account? If not, why?
11.9
What are the requirements of a good coding scheme?
11.10
Is a concise code comprehensive? If not, why?
11.11
Is a meaningful code necessarily comprehensive?
11.12
Is a comprehensive code necessarily meaningful?
11.13
Is a precise code necessarily concise?
11.14
What is the advantage of a serial number code? Why is it not normally used?
11.15
What is the main advantage of block codes?
11.16
Design a group classification code to code (i) motor vehicles,, (ii) music cassettes, and (iii) books
11.17
Is a group classification code meaningful?
11.18
Give an example of a significant code. Are significant codes expandable?
11.19
Add a Modulus-11 check digit to the codes (i) 48467, (ii) 96432, and (iii) 87646257.
11.20
Modulus-37 check is suitable for alphanumeric codes. Add a modulus-37 character to the codes (i) 4AB9W, (ii) XBY483, and (iii) CAZ4642.
11.21
The following code was entered by an operator:449632. The last digit is a modulus-11 check digit. Is this code correct?
11.22
If a code uses hexadecimal digits, what should be N if the modulus-N check digit system is to be used with such codes? What are the allowable weights if single transcription and transposition errors are to be detected?
11.23
If modulus-11 check digit system is to generate detection of multiple identical digit transcription error (i.e., a code such as 45565 is wrongly entered as 48868), what should be the constraints on the weights?
11.24
A see-saw error is one in which one digit of the code is increased by x and another decreased by x. For example, 486732 becoming 456762. When can modulus N check detect such errors?
11.25
Why is it useful to assign sequence numbers for data records? What are the types of errors detected by sequence numbering?
11.26
What is the purpose of batch control record? What is the type of information contained in a batch control record?
11.27
A set of data records for student examination results has the following format:
Roll no.
Name Marks (out of 100)
Paper 1
Paper 2
Paper 3
Paper 4
Design for these records a batch control record and a record control field and any other appropriate checks for the fields. 11.28
Give some example of fields for which a radix error check is appropriate.
11.29
What is the difference between range check and a radix check?
11.30
What are the appropriate range checks for the age of individuals in an employee file, a high school student file, and height of students in a student file.
11.31
Give some examples of fields where reasonableness check would be applicable.
11.32
Give some examples of inter-field relationship checks.
11.33
What is the main difference between menus, templates and command modes of interactive data entry? When is each of these modes appropriate?
11.34
Design a dialogue hierarchy for entering data on customers (of a manufacturer).
11.35
Design a dialogue hierarchy and the screens for a system used to reserve seats in long distance buses.
REFERENCES 1. Most traditional books on Systems Analysis and Design do not discuss HTML and XML and documents on the web. 2. HTML is discussed in Wall D.A., using world wide web, 2nd edition, Prentice Hall of India, New Delhi, 1996. 3. Detailed Presentation of XML may be found in the book by Sean McGrath, “XML by Example”, Prentice Hall, Inc., N.J., U.S.A., 1998. 4. D.Box, A.Skonnard and J……, “Essential XML”, Pearson Education Asia, New Delhi 2000. 5. Using HTML.4, XML and JAVA 1.2, Eric Ladd et.al , Prentice Hall of India, New Delhi, 1999. 6. HTML 4.0 specifications may be found in http://www/w3.org/TR/html40
MODULE 12
CONTROL,AUDIT AND SECURITY OF INFORMATION SYSTEM
OBJECTIVE QUESTIONS
There are 4 alternative answers to each question. One of them is correct. Pick the correct answer. Do not guess. A key is given at the end of the module for you to verify your answer
LEARNING UNIT 1 12.1.1 Control in design of an information system is used to (a) inspect the system and check that it is built as per specifications (b) protect data from accidental or intentional loss (c) ensure that the system processes data as it was designed to and that the results are reliable (d) ensure privacy of data processed by it 12.1.2 Controls are necessary in information systems as (i) massive amounts of data are processed and human errors are expected in data entry (ii) accidental errors can lead to loss of money and credibility in a system (iii) to protect the system from virus attack (iv) data may be lost due to disk crashes (a) i and ii (b) i and iii (c) i and iv (d) ii and iii 12.1.3 The major objectives of control are (i) guard against frauds in data entry/processing (ii) check clerical handling of data before it enters a computer (iii) to provide a method to trace the steps and find where error has occurred (iv) automatically correct errors in data entry/processing (a) i, ii and iv (b) i, ii, iii and iv (c) i, ii and iii (d) i and iii
12.1.4 Organizational measures in control mean (a) a set of well organized methods (b) assignment of appropriate responsibilities to individuals in data processing in an organization (c) proper organization of data (d) creation of an organization for controlling system 12.1.5 Proof figures are used to check (i) arithmetic errors in processing (ii) data entry errors in processing (iii) loop errors in program (iv) proof of program correctness (a) i and ii (b) i and iii (c) ii and iv (d) iii and iv 12.1.6 A proof figure is (a) a figure used to prove the correctness of data entry (b) an additional data entered with each record to facilitate detection of arithmetic error (c) a number used during data entry (d) a modulus-11 check digit 12.1.7 A two way check (a) calculates the same quantity in two different ways and compares them for equality (b) calculates the quantities and compares them for equality (c) checks a data item in two different ways (d) enters data two times and cross-checks them 12.1.8 A two-way check is used to (i) check program correctness (ii) find data entry errors (iii) find multiplication errors (iv) find arithmetic error in processing (a) i and ii (b) ii and iii (c) ii and iv (d) i and iv
12.1.9 A relationship check (a) is concerned with checking a relation (b) uses an entity-relationship model for checking (c) finds out if a relationship is satisfied in computation (d) uses the fact that a known relationship exists between two data elements and checks if it is satisfied during computation 12.1.10 A check-point procedure (a) checks program correctness at certain points (b) divides a program into smaller parts (c) breaks a programs into portions at the end of each of which a check point program is executed (d) finds points in a program where it is convenient to check it 12.1.11 At each check-point (i) quantities such as control totals and proof figures are checked for correctness (ii) process state is stored in secondary storage (iii) a program halts for check by programmers (iv) a self-checking system is invoked by the analyst (a) i and iv (b) ii and iii (c) i and ii (d) i and iii
LEARNING UNIT 2 12.2.1 Audit in the design of information system is used to (a) inspect the system and check that it is built as per specifications (b) protect data from accidental or intentional loss (c) ensure that the system processes data as it was designed to and that the results are reliable (d) ensure privacy of data processed by it 12.2.2 Auditing of information systems is primarily required to ensure that (i) all input records are correct and are included in processing (ii) the system has ample protection against frauds (iii) the processing performance is reliable (iv) the system is developed at low cost (a) i and ii (b) iii and iv (c) ii and iii (d) i, ii and iii
12.2.3 By auditing around the computer we mean (a) the inputs and the corresponding outputs are compared and checked for correctness (b) the programs and procedures are checked for correctness (c) special synthetic data is input and outputs checked for correctness (d) programs are written to check the functioning of the computer hardware 12.2.4 By auditing with a computer we mean (a) the inputs and the corresponding outputs are compared and checked for correctness (b) the programs and procedures are checked for correctness (c) special synthetic data is input and outputs checked for correctness (d) programs are written to check the functioning of the computer hardware 12.2.5 By auditing through the computer we mean (a) the inputs and the corresponding outputs are compared and checked for correctness (b) the programs and procedures are checked for correctness (c) special synthetic data is input and outputs checked for correctness (d) programs are written to check the functioning of the computer hardware 12.2.6 An audit trail is established in a system to (a) detect errors in a system (b) enable auditing of a system (c) localize the source of an error in a system (d) trail a program 12.2.7 Some audit and control procedures in a system (i) detect and correct errors in programs (ii) selectively print records in a system which meet certain criteria (iii) examine credit and debit balances in an accounting system and check if they balance (iv) provide a facility to trace a variable value through processing steps and print intermediate values when required (a) i and ii (b) ii and iii (c) i, ii, iii (d) ii, iii, iv 12.2.8 It is advisable for an auditor to require an operational information system to (i) keep logs of all system runs and people involved (ii) ensure that the programs and system operation are well documented (iii) ensure that no changes are allowed (iv) ensure that the inputs and batch controls are properly designed (a) i, ii, iii (b) ii, iii, iv (c) i, ii, iv (d) i, ii
12.2.9 In auditing with a computer (a) auditing programs are designed and used to check a system (b) the hardware of the computer is thoroughly checked for malfunctions (c) system software is thoroughly checked to ensure error free operations (d) auditors check system with a computer 12.2.10 Some of the features of audit package used to check systems are: (i) facility to total specified items based on some criteria (ii) extracting items based on some criteria for checking (iii) check-pointing and restart facility (iv) hardware faults recovery (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) i, ii, iv
LEARNING UNIT 3 12.3.1 By information system testing we mean (a) testing an information system correctly (b) determining whether a system is performing as per specifications (c) determining whether a system is performing optimally (d) ensuring proper function of a system 12.3.2 The main objectives of testing are (i) when correct inputs are fed to the system the outputs are correct (ii) when incorrect inputs are fed to the system they are detected and rejected (iii) the requirement specifications are correct (iv) verify that the controls incorporated in the system function correctly (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) i, ii, iv 12.3.3 The scope of the system test includes (a) both computerized and manual procedures (b) only test of computer procedures (c) computerized procedures, manual procedures, computer operations and controls (d) mainly computerized procedures and operations controls
12.3.4 Program tests use test data to (i) exercise all paths taken by a program (ii) test loop counters (iii) test with values which change state of logical variables (iv) comprehensively exercise program (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) i, ii, iv 12.3.5 By string test we mean (a) a test which tests operations with strings (b) a string of tests on programs (c) Test on related programs (d) The output of a program is sent as input to related program(s) to see if data is transferred correctly 12.3.6 Parallel runs are used (a) during regular operation of an information system (b) when a system is initially implemented (c) whenever errors are found in a computerized system (d) whenever management insists 12.3.7 The purpose of parallel run is to (a) to see whether outputs of a newly computerized system matches those of currently running manual or legacy system (b) have redundancy for reliability (c) test an operational information system (d) test a system being newly designed
LEARNING UNIT 4 12.4.1 Security in the design of information system is used to (a) inspect the system and check that it is built as per the specifications (b) protect data and programs from accidental or intentional loss (c) ensure that the system processes data as it was designed to and that the results are reliable (d) ensure privacy of data processed by it
12.4.2 By security of an information system we mean protecting (i) data from accidental or intentional damage or loss (ii) programs from accidental or intentional corruption or loss (iii) programs and data from unauthorized disclosure or change (iv) individual private data from disclosure (a) i and ii (b) i and iii (c) i, ii, iii (d) i, ii, iii, iv 12.4.3 It is necessary to protect information system from the following risks: (i) natural disasters like fire, floods etc (ii) disgruntled employees (iii) poorly trained employees (iv) hackers (v) industrial spies (vi) data entry operators (a) ii, iii, iv, v (b) i, ii, iii, iv, v (c) i, iv, v (d) i, ii, iii, iv, v, vi 12.4.4 The following measures are taken to ensure security of information systems: (i) duplicate copies of data/programs are kept in a different place preferably in fire-proof vault (ii) password protection is used to prevent unauthorized access (iii) no one is allowed to alter data in the database (iv) no one is allowed alter programs (a) i and ii (b) i, ii, iii (c) ii, iii, iv (d) iii and iv 12.4.5 Some security measures commonly used are (i) data encryption (ii) logging of all accesses to an information system and recording changes made (if any) (iii) data compression (iv) copying of files (a) ii and iii (b) i and iii (c) i and ii (d) ii and iv 12.4.6 To protect a system from viruses one should (i) not allow unauthorized use of floppy disks (ii) scan viruses in files received via a network or floppies (iii) isolate a system from networks (iv) install a roll-back recovery program in the system (a) i and iii (b) i and ii (c) ii and iv (d) i, iii, iv
12.4.7 A firewall is used in a system connected to a wide area network to (a) prevent spread of fire in the network (b) prevent unauthorized access by hackers (c) to scan for viruses in files (d) to extinguish fire spreading via network cables
KEY TO OBJECTIVE QUESTIONS 12.1.1 12.1.7 12.2.2 12.2.8 12.3.4 12.4.3
c a d c b d
12.1.2 12.1.8 12.2.3 12.2.9 12.3.5 12.4.4
a c a a d a
12.1.3 12.1.9 12.2.4 12.2.10 12.3.6 12.4.5
c d c b b c
12.1.4 12.1.10 12.2.5 12.3.1 12.3.7 12.4.6
c c b b a b
12.1.5 12.1.11 12.2.6 12.3.2 12.4.1 12.4.7
a c c d b b
12.1.6 12.2.1 12.2.7 12.3.3 12.4.2
b a d c c
System Analysis and Design/ Control – audit and Security of Information Systems
Motivation
Motivation for Controls It is very important to ensure the reliability of reports produced by an information system If unreliability is seen by users the entire credibility of the system is lost Ensuring reliability is not difficult for small systems but when a system has to handle massive data it is a challenge Systematic controls are thus essential when a system is designed Motivation for Audits Many organizations are now entirely dependent on computer based information system These information systems contain financial data and other critical procedures It is essential to protect the systems against frauds and ensure that sound accounting practices are followed It is necessary to trace the origin and fix responsibilities when frauds occur Audit methods primary purpose is to ensure this. Motivation for Testing Systems contain many individual subsystems Usually sub-systems and programs are individually tested However when a whole system is integrated unforeseen errors may be seen Thus before releasing a system the entire operational system should be tested for correctness and completeness Motivation for Security Systems contain sensitive data about the organization and also about persons working in the organization Sensitive data should be protected from spies, thieves or disgruntled employees. Thus access should be carefully controlled and provided only on a need to know basis When computers are networked corruption/erasure may take place due to viruses Services may be disrupted due to denial of service attacks Thus systems should be designed with appropriate security measures.
V. Rajaraman/IISc. Bangalore
//V1/July 04/1
System Analysis and Design/ Control – audit and Security of Information Systems
Motivation
Motivation for Disaster Recovery Organizations depend on Information systems for their entire operations It is thus essential to ensure continuity of service when unforeseen situations such as disk crashes, fires, floods and such disasters take place. Thus it is essential to ensure quick recovery from disasters and ensure continuity of service.
V. Rajaraman/IISc. Bangalore
//V1/July 04/1
MODULE 12
CONTROL AUDIT AND SECURITY OF INFORMATION SYSTEM Learning Units 12.1 Controls in Information systems 12.2 Need and methods of auditing Information systems 12.3 Testing Information systems 12.4 Security of Information systems
Systems Analysis And Design
© V. Rajaraman
LEARNING GOALS Why controls are necessary in Information systems Methods of controlling Information systems How controls are introduced in Information systems Why Information systems need auditing How are systems audited The methods used to test Information systems How the security of an Information system is ensured
Systems Analysis And Design
© V. Rajaraman
1 of 27
MOTIVATION FOR CONTROLS It is very important to ensure the reliability of reports produced by an information system If unreliability is seen by users the entire credibility of the system is lost Ensuring reliability is not difficult for small systems but when a system has to handle massive data it is a challenge Systematic controls are thus essential when a system is designed
Systems Analysis And Design
© V. Rajaraman
2 of 27
MOTIVATION FOR AUDITS Many organizations are now entirely dependent on computer based information system These information systems contain financial data and other critical procedures It is essential to protect the systems against frauds and ensure that sound accounting practices are followed It is necessary to trace the origin and fix responsibilities when frauds occur Audit methods primary purpose is to ensure this.
Systems Analysis And Design
© V. Rajaraman
3 of 27
MOTIVATION FOR TESTING Systems contain many individual subsystems Usually sub-systems and programs are individually tested However when a whole system is integrated unforeseen errors may be seen Thus before releasing a system the entire operational system should be tested for correctness and completeness
Systems Analysis And Design
© V. Rajaraman
4 of 27
MOTIVATION FOR SECURITY Systems contain sensitive data about the organization and also about persons working in the organization Sensitive data should be protected from spies, thieves or disgruntled employees. Thus access should be carefully controlled and provided only on a need to know basis When computers are networked corruption/erasure may take place due to viruses Services may be disrupted due to denial of service attacks Thus systems should be designed with appropriate security measures. Systems Analysis And Design
© V. Rajaraman
5 of 27
MOTIVATION FOR DISASTER RECOVERY Organizations depend on Information systems for their entire operations It is thus essential to ensure continuity of service when unforeseen situations such as disk crashes,fires,floods and such disasters take place. Thus it is essential to ensure quick recovery from disasters and ensure continuity of service.
Systems Analysis And Design
© V. Rajaraman
6 of 27
CONTROL AUDIT AND SECURITY OF INFORMATION SYSTEM • CONTROL- Method to ensure that a system processes data as per design and that all data is included and are correct • AUDIT AND TESTING - Ensure that the system is built as per specifications and that processed results are correct. Protect systems from frauds. • SECURITY- Protection of data resources,programs,and equipment from illegal use,theft,vandalism,accidents, disasters etc. 12.1.1
Systems Analysis And Design
© V. Rajaraman
7 of 27
NEED OF CONTROLS
• Information systems handle massive amounts of data – accidents such as not including some data can cause serious damage • Incorrect data entry can lead to high monetary losses • Credibility in the information system may be lost if errors are found in operational systems
12.1.2
Systems Analysis And Design
© V. Rajaraman
8 of 27
OBJECTIVES OF CONTROLS •To make sure data entering the computer are correct •Check clerical handling of data before it is input to a computer •Provide means of detecting and tracing errors which occur due to bad data or bad program •Ensure legal requirements are met •To guard against frauds
12.1.3
Systems Analysis And Design
© V. Rajaraman
9 of 27
CONTROL TECHNIQUES • ORGANIZATIONAL MEASURES Well defined responsibility for input preparation, delivery output use, operation and maintenance - Changes in program and data (if any) should be documented - Performance of task and recording must be by different persons to prevent frauds
12.1.4
Systems Analysis And Design
© V. Rajaraman
10 of 27
CONTROL TECHNIQUES • INPUT PREPARATOIN CONTROL -Sequence numbering -Batch controls -Data entry and verification -Record totals -Self checking digits, (Covered in Module 7)
12.1.5
Systems Analysis And Design
© V. Rajaraman
11 of 27
PROCESSING CONTROLS PROOF FIGURES –An additional data element introduced to detect data entry/processing error Example:item code,qty supplied,cost/unit,proof cost(proof cost is additional data introduced. Proof cost=(H-cost/unit)where H is a constant > maxcost Check if H ∑ qty = ∑qty *proof cost + ∑qty * cost/unit If two sides are not equal, there is an error.
12.1.6
Systems Analysis And Design
© V. Rajaraman
12 of 27
PROCESSING CONTROLS TWO WAY CHECK – Calculate same qty in two different ways and they should be equal Example : ∑gross pay - ∑deductions = ∑net pay RELATIONSHIP CHECK –We know relation between variable. Example : Rebate total = ∑Sales * discount percent CHECKPOINT RESTART – Periodical storing of process state. If there is a failure roll back to saved state and restart computation. CHECK POINTS also useful to check intermediate results in long and complex calculations.Region where an error occurred can thus be isolated 12.1.7
Systems Analysis And Design
© V. Rajaraman
13 of 27
AUDITING OF INFORMATION SYSTEMS
OBJECTIVES Ensure computer based financial and other information reliable Ensure all records included while processing Ensure protection from frauds
12.2.1
Systems Analysis And Design
© V. Rajaraman
14 of 27
AUDIT METHODS AUDITING AROUND COMPUTER Take sample inputs and manually apply processing rules and compare outputs with computer outputs
AUDITING THROUGH THE COMPUTER -Establish audit trail which allows examining selected intermediate results -Control totals provide intermediate checks
12.2.2 Systems Analysis And Design ©
V. Rajaraman
15 of 27
AUDITING THROUGH THE COMPUTER Facility to trace transaction value and print intermediate results Selective printing of records meeting criteria specified by the auditor For example :Inactive accounts,overactive accounts, accounts with high balance Comparing credit and debit balances Ensure logs are kept of who did what in critical data entry and processing to fix responsibility.Called an Audit trail. Auditor’s own check inputs and expected outputs. 12.2.3
Systems Analysis And Design
© V. Rajaraman
16 of 27
AUDITING WITH THE COMPUTER Use special audit packages to check system Audit package allows Extracting data based on the specified criterion for inspection(e.g. Students with wide disparity in marks in two subjects) Totaling specified subset of data for check Procedure to check sale discounts Process with independent data file created by auditor and verify to see if system is as per specification 12.2.4
Systems Analysis And Design
© V. Rajaraman
17 of 27
SYSTEM TESTING OBJECTIVES To ensure the entire system will perform as per specification Ensure system meets users requirements Verify if controls function as intended To make sure incorrect inputs,incorrect processing and incorrect outputs (if any) will be detected during operation Should include both computer based and manual processes Remember that system testing is done before a system is released as ready for operation 12.3.1
Systems Analysis And Design
© V. Rajaraman
18 of 27
CLASIFICATION OF SYSTEM TESTS •PROGRAM TESTS -Program tests with test data - Normally individual modules tested then integration test done - Test boundary conditions - Test using loop counts
•SYSTEM TESTS -Results from a program fed as input to a succeeding program - a string of programs run one after another 12.3.2
Systems Analysis And Design
© V. Rajaraman
19 of 27
SYSTEM TESTING (CONTD) • SYSTEM TESTS -All programs in a complete system are tested together as a whole.Tested using unreasonable data and non key data besides normal test data for whole system
• PILOT TESTS -Use data from manual system to test system when it is first implemented. If it is modification of earlier computer based system use data and output from that system
12.3.3
Systems Analysis And Design
© V. Rajaraman
20 of 27
SYSTEM TESTING (CONTD)
• PARALLEL RUNS -Run both manual and computer based systems with same live data and see if both give identical results -If it is re-engineered (i.e.,Modified) system run both old and new systems and compare results
12.3.4
Systems Analysis And Design
© V. Rajaraman
21 of 27
SECURITY OF INFORMATION SYSTEMS Security means protection of data from accidental or
intentional modification, destruction or disclosure to unauthorised persons POTENTIAL THREATS TO SECURITY Natural disasters such as fire, floods, earthquakes Accidents such as disk crashes, file erasure by inexperienced operators Theft/erasure of data by disgruntled employees
12.4.1
Systems Analysis And Design
© V. Rajaraman
22 of 27
SECURITY OF INFORMATION SYSTEMS POTENTIAL THREATS TO SECURITY (CONTD) Frauds by changing programs, data by employees Industrial espionage Viruses/Worms Hackers who break into systems connected to the internet Denial of service attacks by flooding with mail 12.4.2
Systems Analysis And Design
© V. Rajaraman
23 of 27
HOW TO PROTECT DATA/PROGRAMS Regular back up of data bases every day/or week depending on the time criticality and size Incremental back up at shorter intervals Backup copies kept in safe remote location -particularly necessary for disaster recovery Duplicate systems run and all transactions mirrored if it is a very critical system and cannot tolerate any disruption before storing in disk. Physical locks Password system Biometric authentication (Eg: Finger print) 12.4.3
Systems Analysis And Design
© V. Rajaraman
24 of 27
HOW TO PROTECT DATA/PROGRAMS Encrypting sensitive data/programs Identification of all persons who read or modify data and logging it in a file Training employees on data care/handling and security Antivirus software Firewall protection when connected to internet
12.4.4
Systems Analysis And Design
© V. Rajaraman
25 of 27
DATA SECURITY, PRIVACY AND INTEGRITY Data security is concerned with protecting data from erasure,theft,unauthorized access and unauthorized modifications Data privacy is concerned with protecting data regarding individuals from being accessed and used without the permission/knowledge of concerned individuals Data integrity is concerned with the quality and reliability of raw as well as processed data 12.4.5
Systems Analysis And Design
© V. Rajaraman
26 of 27
DATA SECURITY, PRIVACY AND INTEGRITY Security does not imply privacy or integrity Privacy controls need specific law against disclosure of personal data Ultimately data and system integrity most important
12.4.6
Systems Analysis And Design
© V. Rajaraman
27 of 27
MODULE 12
CONTROL AUDIT AND SECURITY OF INFORMATION SYSTEM
Contents
1. MOTIVATION AND LEARNING GOALS
2. LEARNING UNIT 1 Controls in Information systems 3. LEARNING UNIT 2 Need and methods of auditing Information systems 4. LEARNING UNIT 3 Testing Information systems 5. LEARNING UNIT 4 Security of Information systems 6. References
CONTROL AUDIT AND SECURITY OF INFORMATION SYSTEM
MOTIVATION FOR CONTROLS It is very important to ensure the reliability of reports produced by an information system. If users see unreliability the entire credibility of the system is lost. Ensuring reliability is not difficult for small systems but when a system has to handle massive data it is a challenge. Systematic controls are thus essential when a system is designed. MOTIVATION FOR AUDITS Many organizations are now entirely dependent on computer based information system. These information systems contain financial data and other critical procedures. It is essential to protect the systems against frauds and ensure that sound accounting practices are followed. It is necessary to trace the origin and fix responsibilities when frauds occur. Audit methods primary purpose is to ensure this. MOTIVATION FOR TESTING Systems contain many individual subsystems. Usually sub-systems and programs are individually tested. However when a whole system is integrated unforeseen errors may be seen. Thus before releasing a system the entire operational system should be tested for correctness and completeness. MOTIVATION FOR SECURITY Systems contain sensitive data about the organization and also about persons working in the organization. This data should be protected from spies, thieves or disgruntled employees. Thus access should be carefully controlled and provided only on a need to know basis. When computers are networked corruption/erasure may take place due to viruses. Services may be disrupted due to denial of service attacks. Thus systems should be designed with appropriate security measures.
MOTIVATION FOR DISASTER RECOVERY Organizations depend on Information systems for their entire operations. It is thus essential to ensure continuity of service when unforeseen situations such as disk crashes, fires, floods and such disasters take place. Thus it is essential to ensure quick recovery from disasters and ensure continuity of service.
LEARNING GOALS At the end of the module you will learn:
Why controls are necessary in Information systems Methods of controlling Information systems How controls are introduced in Information systems Why Information systems need auditing How are Information systems audited The methods used to test Information systems How the security of an Information system is ensured
LEARNING UNIT 1
Controls in Information systems
CONTROL AUDIT AND SECURITY OF INFORMATION SYSTEM • CONTROL- Method to ensure that a system processes data as per design and that all data is included and are correct • AUDIT AND TESTING - Ensure that the system is built as per specifications and that processed results are correct. Protect systems from frauds. • SECURITY- Protection of data resources, programs, and equipment from illegal use, theft, vandalism, accidents, disasters etc. NEED OF CONTROLS Information systems handle massive amounts of data – accidents such as not including some data can cause serious damage. Incorrect data entry can lead to high monetary losses. Credibility in the information system may be lost if errors are found in operational systems. OBJECTIVES OF CONTROLS To make sure data entering the computer are correct, check clerical handling of data before it is input to a computer. Provide means of detecting and tracing errors that occur due to bad data or bad program. Ensure that all legal requirements are met.
CONTROL TECHNIQUES • ORGANIZATIONAL MEASURES Well-defined responsibility for input preparation, delivery, output use, operation and maintenance. Changes in program and data (if any) should be documented. Performance of task and recording must be by different persons to prevent frauds. • INPUT PREPARATOIN CONTROL -Sequence numbering -Batch controls -Data entry and verification -Record totals -Self checking digits PROCESSING CONTROLS PROOF FIGURES –An additional data element introduced to detect data entry/processing error Example:item code,qty supplied,cost/unit,proof cost(proof cost is additional data introduced). Proof cost=(H-cost/unit)where H is a constant > maxcost Check if H * qty = ∑qty *proof cost + ∑qty * cost/unit If two sides are not equal, there is an error. TWO WAY CHECK – Calculate same qty in two different ways and they should be equal Example : ∑ gross pay - ∑deductions = ∑net pay RELATIONSHIP CHECK –We know relation between variable. Example : Rebate total = ∑Sales * discount percent CHECKPOINT RESTART – Periodical storing of process state. If there is a failure roll back to saved state and restart computation. CHECK POINTS also useful to check intermediate results in long and complex calculations. Region where an error occurred can thus be isolated
LEARNING UNIT 2
Need and methods of auditing Information systems
AUDITING OF INFORMATION SYSTEMS OBJECTIVES Ensure computer based financial and other information reliable Ensure all records included while processing Ensure protection from frauds AUDIT METHODS AUDITING AROUND COMPUTER : Take sample inputs and manually apply processing rules and compare outputs with computer outputs AUDITING THROUGH THE COMPUTER : Establish audit trail which allows examining selected intermediate results. Control totals provide intermediate checks AUDITING THROUGH THE COMPUTER Facility to trace transaction value and print intermediate results Selective printing of records meeting criteria specified by the auditor For example :Inactive accounts, overactive accounts, accounts with high balance Comparing credit and debit balances Ensure logs are kept of who did what in critical data entry and processing to fix responsibility. Called an Audit trail. Auditor’s own check inputs and expected outputs. AUDITING WITH THE COMPUTER Use special audit packages to check system Audit package allows Extracting data based on the specified criterion for inspection (e.g. Students with wide disparity in marks in two subjects) Totaling specified subset of data for check Procedure to check sale discounts Process with independent data file created by auditor and verify to see if system is as per specification LEARNING UNIT 3
Testing Information systems OBJECTIVES To ensure the entire system will perform as per specification Ensure system meets users requirements Verify if controls function as intended To make sure incorrect inputs, incorrect processing and incorrect outputs (if any) will be detected during operation Should include both computer based and manual processes Remember that system testing is done before a system is released as ready for operation CLASIFICATION OF SYSTEM TESTS •PROGRAM TESTS -Program tests with test data - Normally individual modules tested then integration test done - Test boundary conditions - Test using loop counts •SYSTEM TESTS -Results from a program fed as input to a succeeding program - a string of programs run one after another -All programs in a complete system are tested together as a whole. Tested using unreasonable data and non key data besides normal test data for whole system • PILOT TESTS -Use data from manual system to test system when it is first implemented. If it is modification of earlier computer based system use data and output from that system • PARALLEL RUNS -Run both manual and computer based systems with same live data and see if both give identical results -If it is re-engineered (i.e.,Modified) system run both old and new systems and compare results
LEARNING UNIT 4
Security of Information systems Security means protection of data from accidental or intentional modification, destruction or disclosure to unauthorised persons POTENTIAL THREATS TO SECURITY Natural disasters such as fire, floods, earthquakes Accidents such as disk crashes, file erasure by inexperienced operators Theft/erasure of data by disgruntled employees Frauds by changing programs, data by employees Industrial espionage Viruses/Worms Hackers who break into systems connected to the internet Denial of service attacks by flooding with mail SECURITY MEASURES Regular back up of data bases every day/or week depending on the time criticality and size Incremental back up at shorter intervals Backup copies kept in safe remote location -particularly necessary for disaster recovery Duplicate systems run and all transactions mirrored if it is a very critical system and cannot tolerate any disruption before storing in disk. Physical locks Password system Biometric authentication (Eg: Finger print) HOW TO PROTECT DATA/PROGRAMS Data/Programs can be protected in the following ways: Encrypting sensitive data/programs Identification of all persons who read or modify data and logging it in a file Training employees on data care/handling and security Antivirus software Firewall protection when connected to internet
DATA SECURITY, PRIVACY AND INTEGRITY Data security is concerned with protecting data from erasure, theft, unauthorized access and unauthorized modifications. Data privacy is concerned with protecting data regarding individuals from being accessed and used without the permission/knowledge of concerned individuals Data integrity is concerned with the quality, reliability and trustworthiness of raw as well as processed data Security does not imply privacy or integrity Privacy controls need specific law against disclosure of personal data Ultimately data and system integrity most important
REFERENCES
1. Most of the material in this module has been taken from Chapter 15, Control, Audit and Security of Information in the book “Analysis and Design of Information Systems”, 2nd Edition, Prentice Hall of India, 2002, by V.Rajaraman. 2. M.Bishop, Computer Security, Pearson Education Asia, New Delhi, 2003. It is an comprehensive book cover 1000 pages) which discusses security in great details. Going through the contents pages (pp.vii to xxx) will give a student a glimpse of various aspect of security, audit and integrity of information systems. 3. D.A. Watne, P.B.B. Turney, Auditing EDP Systems, Prentice Hall Inc. N.J., U.S.A., 1990, is an extensive treatment of auditing information systems.
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
12.1 Control in design of an information system is used to a. inspect the system and check that it is built as per specifications b. protect data from accidental or intentional loss c. ensure that the system processes data as it was designed to and that the results are reliable d. ensure privacy of data processed by it 12.2 Controls are necessary in information systems as (i) massive amounts of data are processed and human errors are expected in data entry (ii)
accidental errors can lead to loss of money and credibility in a system
(iii) to protect the system from virus attack (iv) data may be lost due to disk crashes a. i and ii b. i and iii c. i and iv d. ii and iii 12.3 The major objectives of control are (i)guard against frauds in data entry/processing (ii)check clerical handling of data before it enters a computer (iii)to provide a method to trace the steps and find where error has occurred (iv)automatically correct errors in data entry/processing a. i, ii and iv b. i, ii, iii and iv c. i, ii and iii d. i and iii 12.4 Organizational measures in control mean a. a set of well organized methods b. assignment of appropriate responsibilities to individuals in data processing in an organization c. proper organization of data
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/1
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
d. creation of an organization for controlling system 12.5 Proof figures are used to check (i) arithmetic errors in processing (ii)data entry errors in processing (iii)loop errors in program (iv)proof of program correctness a. i and ii b. i and iii c. ii and iv d. iii and iv 12.6 A proof figure is a.
a figure used to prove the correctness of data entry
b. an additional data entered with each record to facilitate detection of arithmetic error c. a number used during data entry d. a modulus-11 check digit 12.7 A two way check a. calculates the same quantity in two different ways and compares them for equality b. calculates the quantities and compares them for equality c. checks a data item in two different ways d. enters data two times and cross-checks them 12.8 A two-way check is used to (i)check program correctness (ii)find data entry errors (iii)find multiplication errors (iv)find arithmetic error in processing a. i and ii b. ii and iii c. ii and iv d. i and iv
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/2
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
12.9 A relationship check a. is concerned with checking a relation b. uses an entity-relationship model for checking c. finds out if a relationship is satisfied in computation d. uses the fact that a known relationship exists between two data elements and checks if it is satisfied during computation 12.10 A check-point procedure a. checks program correctness at certain points b. divides a program into smaller parts c. breaks a programs into portions at the end of each of which a check point program is executed d. finds points in a program where it is convenient to check it 12.11 At each check-point (i)quantities such as control totals and proof figures are checked for correctness (ii)process state is stored in secondary storage (iii)a program halts for check by programmers (iv)a self-checking system is invoked by the analyst a. i and iv b. ii and iii c. i and ii d. i and iii 12.12 Audit in the design of information system is used to a. inspect the system and check that it is built as per specifications b. protect data from accidental or intentional loss c. ensure that the system processes data as it was designed to and that the results are reliable d. ensure privacy of data processed by it 12.13 Auditing of information systems is primarily required to ensure the (i)all input records are correct and are included in processing (ii)the system has ample protection against frauds
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/3
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
(iii)the processing performance is reliable (iv)the system is developed at low cost a. i and ii b. iii and iv c. ii and iii d. i, ii and iii 12.14 By auditing around the computer we mean a. the inputs and the corresponding outputs are compared and checked for correctness b. the programs and procedures are checked for correctness c. special synthetic data is input and outputs checked for correctness d. programs are written to check the functioning of the computer har 12.15 By auditing with a computer we mean a. the inputs and the corresponding outputs are compared and checked for correctness b. the programs and procedures are checked for correctness c. special synthetic data is input and outputs checked for correctness d. programs are written to check the functioning of the computer hardware 12.16 By auditing through the computer we mean a. the inputs and the corresponding outputs are compared and checked for correctness b. the programs and procedures are checked for correctness c. special synthetic data is input and outputs checked for correctness d. programs are written to check the functioning of the computer hardware 12.17 An audit trail is established in a system to a. detect errors in a system b. enable auditing of a system c. localize the source of an error in a system d. trail a program 12.18 Some audit and control procedures in a system (i)detect and correct errors in programs
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/4
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
(ii)selectively print records in a system which meet certain criteria (iii)examine credit and debit balances in an accounting system and check if they balance (iv)provide a facility to trace a variable value through processing steps and print intermediate values when required a. i and ii b. ii and iii c. i, ii, iii d. ii, iii, iv 12.19 It is advisable for an auditor to require an operational information system
to (i)keep logs of all system runs and people involved (ii)ensure that the programs and system operation are well documented (iii)ensure that no changes are allowed (iv)ensure that the inputs and batch controls are properly designed
a. i, ii, iii b. ii, iii, iv c. i, ii, iv d. i, ii 12.20 In auditing with a computer a. auditing programs are designed and used to check a system b. the hardware of the computer is thoroughly checked for malfunctions c. system software is thoroughly checked to ensure error free operations d. auditors check system with a computer 12.21 Some of the features of audit package used to check systems are: (i)facility to total specified items based on some criteria (ii) extracting items based on some criteria for checking (iii)check-pointing and restart facility
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/5
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
(iv) Hardware faults recovery a. i, ii b. i, ii, iii c. i, ii, iii, iv d. i, ii, iv 12.22 By information system testing we mean a. testing an information system correctly b. determining whether a system is performing as per specifications c. determining whether a system is performing optimally d. ensuring proper function of a system 12.23 The main objectives of testing are (i)when correct inputs are fed to the system the outputs are correct (ii)when incorrect inputs are fed to the system they are detected and rejected (iii)the requirement specifications are correct (iv) verify that the controls incorporated in the system function correctly a. i, ii b. i, ii, iii c. i, ii, iii, iv d. i, ii, iv 12.24 The scope of the system test includes a. both computerized and manual procedures b. only test of computer procedures c. computerized procedures, manual procedures, computer operations and controls d. mainly computerized procedures and operations controls 12.25 Program tests use test data to (i) exercise all paths taken by a program (ii)test loop counters
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/6
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
(iii)test with values which change state of logical variables (iv)comprehensively exercise program a. i, ii b. i, ii, iii c. i, ii, iii, iv d. i, ii, iv 12.26 By string test we mean a. a test which tests operations with strings b. a string of tests on programs c. Test on related programs d. The output of a program is sent as input to related program(s) to see if data is transferred correctly 12.27 Parallel runs are used a. during regular operation of an information system b. when a system is initially implemented c. whenever errors are found in a computerized system d. whenever management insists 12.28 The purpose of parallel run is to a. to see whether outputs of a newly computerized system matches those of currently running manual or legacy system b. have redundancy for reliability c. test an operational information system d. test a system being newly designed 12.29 Security in the design of information system is used to a. inspect the system and check that it is built as per the specifications b. protect data and programs from accidental or intentional loss c. ensure that the system processes data as it was designed to and that the results are reliable d. ensure privacy of data processed by it 12.30
By
security
of
an
information
system
we
mean
protecting
(i)data from accidental or intentional damage or loss
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/7
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
(ii)programs from accidental or intentional corruption or loss (iii)programs and data from unauthorized disclosure or change (iv)individual private data from disclosure a. i and ii b. i and iii c. i, ii, iii d. i, ii, iii, iv 12.31
It is necessary to protect information system from the following (i)natural disasters like fire, floods etc (ii)disgruntled employees (iii)poorly trained employees (iv)hackers (v)industrial spies (vi)data entry operators a. ii, iii, iv, v b. i, ii, iii, iv, v c. i, iv, v d. i, ii, iii, iv, v, vi
12.32 The following measures are taken to ensure security of information systems: (i)duplicate copies of data/programs are kept in a different place preferably in fire-proof vault (ii)password protection is used to prevent unauthorized access (iii)no one is allowed to alter data in the database (iv)no one is allowed alter programs a. i and ii b. i, ii, iii c. ii, iii, iv d. iii and iv 12.33 Some security measures commonly used are (i)data encryption
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/8
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
(ii)logging of all accesses to an information system and recording changes made (if any) (iii)data compression (iv)copying of files a. ii and iii b. i and iii c. i and ii d. ii and iv 12.34 To protect a system from viruses one should (i)not allow unauthorized use of floppy disks (ii)scan viruses in files received via a network or floppies (iii)isolate a system from networks (iv)install a roll-back recovery program in the system a. i and iii b. i and ii c. ii and iv d. i, iii, iv 12.35 A firewall is used in a system connected to a wide area network to a. prevent spread of fire in the network b. prevent unauthorized access by hackers c. to scan for viruses in files d. to extinguish fire spreading via network cables
V. Rajaraman/IISc. Bangalore
M12/V1/July 04/9
System Analysis and Design/Control, Audit And Security Of Information System
Multiple Choice Questions
Key to Objective Questions 12.1 c
12.2a 12.3
c 12.4
c 12.5
a 12.6
b
12.7 a
12.8 c
12.9 d
12.10 c
12.11 c
12.12 a
12.13 d
12.14 a
12.15 c
12.16 b
12.17 c
12.18 d
12.19 c
12.22 a
12.21 b
12.22 b
12.23 d
12.24 c
12.25 b
12.26 d
12.27 b
12.28 a
12.29 b
12.30 c
12.31 d
12.32 a
12.33 c
V. Rajaraman/IISc. Bangalore
12.34 b
12.35 b
M12/V1/July 04/10
MODULE 12
CONTROL OF INFORMATION SYSTEMS AUDIT AND SECURITY WORKED EXAMPLES
12.1
A college has 1500 students whose final examination results are declared using computer processing. There are 5 subjects, each carrying 100 marks. Classes are awarded as follows: Marks 60 or above I Class, 50 or above II Class, below 50 Fail. Devise an appropriate control scheme for processing results. Control Measures (i) Organizational measures. Each examiner who grades papers sends a separate list for batches of 50 students, number of students getting >= 60, number getting >= 50 and number below 50. Data entry is done by a person different from the one who enters control information. Control total check from the computer is seen by the head examiner and compared with information on each batch sent by different examiners. (ii) Input preparation control. Roll nos. appended with self-checking digit using modulus-11 system. Records stored roll no. wise and sequence checked while processing. Total no. of records in each batch is counted and entered in the control record. Each mark entered is checked if it is <=100 or >= 0. If marks in subject P is <= 10 and subject K >= 90 such records are marked and retrieved for inspection. (iii) Control totals. Make batches of 50. For each batch, total marks in a specified subject. In another subject count no. of students with marks >= 60 and enter no. in control record. Count total records.
Processing Control Proof figure. In each student record one more field is added which is (100 – marks in subject 2). In processing in each batch this field is added together. The sum of subject 2 marks is also got as control total in each batch. Let N be the no. of records in each batch. Then sum of (100 – marks in subject 2) + sum of marks in subject 2 = 100 * N. This is checked. Checkpoint restart is provided during processing after every 150 seconds.
12.2
What is an audit trail? Audit trail provides the means of pinpointing where an error occurred once an error is detected.
12.3 What is the difference between control and audit? Controls are essential to enable an auditor to check the correctness of a system. An auditor checks whether controls put in a system are adequate. 12.4 What is an audit package? Enumerate some of the important features of an audit package. An audit package is a program developed by an auditor to check whether processing is done by a system as per specifications. Audit packages have features to (i)Extract data satisfying a specified criterion. (ii) Total specified fields for inspection. (iii) Check specified selected fields for inspection. (iv) Check totals of specified sets with certain characteristics. (iv) Matching data files with an auditor’s own file. 12.5 What is the purpose of security measures in an information system? Security measures are used to protect data and programs from accidental loss or theft. They also protect the system from unauthorized access, unauthorized change or copying. 12.6 What is the difference between security and privacy? Do secure systems ensure privacy? Security is concerned with protecting data and programs of organizations. Privacy is concerned with the need of secrecy of data regarding individuals. For example data on payroll may be secure if it is properly protected from fire, corruption etc. If an authorized person who has access to this 12.7 What is the difference between security measures and control measures? The security measures are to protect data whereas controls are to ensure that all data is processed and processed data is correct. 12.8 Is a password system sufficient to ensure security of access to files? No. Passwords can be broken by sustained effort. Double protection is slightly better. In this case two different passwords should be used. After the first password is accepted a second password is needed. Data stored may also be transformed and stored using a secret code (called encryption).
12.9 How can privacy be ensured in an information system? By proper legal protection given to individuals data. Requiring an individual’s written permission to divulge data on him/her. 12.10 Why are system tests necessary? System tests are necessary to ensure that a system conforms to specifications during operation, meets user requirements, controls function effectively, and its outputs are correct. 12.11 What are the objectives of system tests? The main objectives of system testing are: • To ensure that during operation the system will perform as per specifications. • To make sure that the system meets users’ requirements during operation. • To verify that the controls incorporated in the system function as intended. • To see that when correct inputs are fed to the system the outputs are correct. • To make sure that during operation, incorrect input, processing and outputs will be detected. 12.12 What is the difference between a pilot test and a parallel test? In pilot test a set of transactions which have been run on present system are collected. Results of their processing on the existing manual system are also kept. This set is used as test data when a computer-based system is initially developed. The two results are matched. The reason for any discrepancy is investigated to modify the new system. In parallel tests, both manual and computer-based systems are run simultaneously for a period of time and the results from the two systems are compared. It is good method for complex systems but is expensive.
QUESTION BANK – MODULE 12 12.1
What is the difference between on-line and off-line data entry?
12.2
Why are input data records divided into batches for off-line data entry?
12.3
What is the purpose of a data validation program?
12.4
What are the main principles used in designing forms for data entry?
12.5
A good and a bad design for entering date in a form is given in Section 11.1. What are the reasons for saying that one of them is good and the other bad?
12.6
Design a form to be used by a salesman to report to the office about the sales executed by him at different customer locations.
12.7
Why are data fields coded in an information system?
12.8
Can the name of a person be used as a code, for say, his bank account? If not, why?
12.9
What are the requirements of a good coding scheme?
12.10
Is a concise code comprehensive? If not, why?
12.11
Is a meaningful code necessarily comprehensive?
12.12
Is a comprehensive code necessarily meaningful?
12.13
Is a precise code necessarily concise?
12.14
What is the advantage of a serial number code? Why is it not normally used?
12.15
What is the main advantage of block codes?
12.16
Design a group classification code to code (i) motor vehicles,, (ii) music cassettes, and (iii) books
12.17
Is a group classification code meaningful?
12.18
Give an example of a significant code. Are significant codes expandable?
12.19
Add a Modulus-11 check digit to the codes (i) 48467, (ii) 96432, and (iii) 87646257.
12.20
Modulus-37 check is suitable for alphanumeric codes. Add a modulus-37 character to the codes (i) 4AB9W, (ii) XBY483, and (iii) CAZ4642.
12.21
The following code was entered by an operator:449632. The last digit is a modulus-11 check digit. Is this code correct?
12.22
If a code uses hexadecimal digits, what should be N if the modulus-N check digit system is to be used with such codes? What are the allowable weights if single transcription and transposition errors are to be detected?
12.23
If modulus-11 check digit system is to generate detection of multiple identical digit transcription error (i.e., a code such as 45565 is wrongly entered as 48868), what should be the constraints on the weights?
12.24
A see-saw error is one in which one digit of the code is increased by x and another decreased by x. For example, 486732 becoming 456762. When can modulus N check detect such errors?
12.25
Why is it useful to assign sequence numbers for data records? What are the types of errors detected by sequence numbering?
12.26
What is the purpose of batch control record? What is the type of information contained in a batch control record?
12.27
A set of data records for student examination results has the following format:
Roll no.
Name Marks (out of 100)
Paper 1
Paper 2
Paper 3
Paper 4
Design for these records a batch control record and a record control field and any other appropriate checks for the fields. 12.28
Give some example of fields for which a radix error check is appropriate.
12.29
What is the difference between range check and a radix check?
12.30
What are the appropriate range checks for the age of individuals in an employee file, a high school student file, and height of students in a student file.
12.31
Give some examples of fields where reasonableness check would be applicable.
12.32
Give some examples of inter-field relationship checks.
12.33
What is the main difference between menus, templates and command modes of interactive data entry? When is each of these modes appropriate?
12.34
Design a dialogue hierarchy for entering data on customers (of a manufacturer).
12.35
Design a dialogue hierarchy and the screens for a system used to reserve seats in long distance buses.
REFERENCES
1. Most of the material in this module has been taken from Chapter 15, Control, Audit and Security of Information in the book “Analysis and Design of Information Systems”, 2nd Edition, Prentice Hall of India, 2002, by V.Rajaraman. 2. M.Bishop, Computer Security, Pearson Education Asia, New Delhi, 2003. It is an comprehensive book cover 1000 pages) which discusses security in great details. Going through the contents pages (pp.vii to xxx) will give a student a glimpse of various aspect of security, audit and integrity of information systems. 3. D.A. Watne, P.B.B. Turney, Auditing EDP Systems, Prentice Hall Inc. N.J., U.S.A., 1990, is an extensive treatment of auditing information systems.
SUMMARY of Module 12 1.
Data may be input to a computer off-line or on-line. In on-line entry a user enters data interactively via a video terminal connected to the computer. In off-line data entry data filled in forms are entered by operators in a separate PC or a data entry machine.
2.
Off-line data entry is suitable if the number of records is very large.
3.
In off-line data entry, batches of data are formed and entered. They are checked by a validation program and the corrected records are stored in a file.
4.
To reduce errors in input, it is essential to carefully design the forms used for entering data.
5.
Important data elements are coded. Codes are necessary for unique identification, easily cross-referencing and efficient storage and retrieval.
6.
There are many methods for coding. An ideal code must be concise, expandable, meaningful, comprehensive and precise. It is not possible to incorporate all these ideal features in a code.
7.
Codes are classified as: (i) Serial number codes, (ii) Block codes, (iii) Group classification codes, and (iv) Significant codes. Group classification codes and Significant codes are most meaningful, expandable, precise and comprehensive. They are, however, not concise, Serial and Block number codes are more concise. They are also precise and expandable but are not meaningful and comprehensive.
8.
Any error made in entering important data fields such as account codes and identification codes must be detected during data entry.
9.
The most common errors made during data entry are: a single digit is incorrectly
entered or any two digits in the code are interchanged. These errors are called respectively single transcription and transposition errors and account for 96% of all data entry errors. 10.
Given a code, the digits in it starting from the last digit are multiplied by weights 2, 3, 4, etc., and the products are added. The sum is divided by 11. The remainder is subtracted from 11. This number (which is called a check digit) is appended as the last digit of the code. The code constructed in this way is called a midulus-11 check digit code.
11.
After data entry the digits in the code starting from the last digit are multiplied by weights 1, 2, 3, 4, etc., and the products are added. The sum is divided by 11. If the remainder is not zero then there is an error in the code.
12.
Modulus-11 check digit code guarantees detection of all single transcription and transposition errors. It also detects 95% of all other errors.
13.
It is essential to design good data validation programs to prevent data entry errors from corrupting files of input data. Validation programs need information for detecting errors. This information is provided by controls exercised during data preparation.
14.
Important control mechanisms are; giving unique sequence numbers to each data record, providing a batch control record containing a count of number of records and a total of one of the fields..
15.
The same data is entered by two different persons and compared to reduce transcription errors.
16.
Besides this, individual data fields are checked using information on their range of
allowed values, range of reasonable values, and relationships between different fields. Batch control provides information to detect incorrect values entered, missing records, and data in the wrong sequence. 17.
With the advent of Personal Computers, remote terminals connected to a computer and local computer networks, considerable amount of data is entered in files interactively.
18.
For interactive data input, special screens are designed on video terminals for easy data entry. Errors in data entry are instantly detected by a validation program during data entry and can be immediately corrected.
19.
Common methods of interactive data input is by use of menus, templates and interactive commands for data entry.
20.
A menu method is used to pick one out of many alternatives, a template method to enter new data, and a command method to add and delete data.
21.
These methods are combined to provide a user the most appropriate technique for a particular type of interactive data entry.
MODULE 13
ELECTRONIC COMMERCE OBJECTIVE QUESTIONS
There are 4 alternative answers to each question. One of them is correct. Pick the correct answer. Do not guess. A key is given at the end of the module for you to verify your answer
LEARNING UNIT 1 13.1.1 By Electronic Commerce we mean: (a) Commerce of electronic goods (b) Commerce which depends on electronics (c) Commerce which is based on the use of internet (d) Commerce which is based on transactions using computers connected by telecommunication network 13.1.2 For carrying out B2B e-Commerce the following infrastructure is essential: (i) World Wide Web (ii) Corporate network (iii) Electronic Data Interchange standards (iv) Secure Payment Services (v) Secure electronic communication link connecting businesses (a) i, ii, iii (b) ii, iii, iv (c) ii, iii, iv, v (d) i, ii, iii, iv, v 13.1.3 For carrying out B2C e-Commerce the following infrastructure is essential: (i) World Wide Web (ii) Corporate network (iii) Electronic Data Interchange standards (iv) Secure Payment Services (v) Secure electronic communication link connecting businesses (a) i, iv (b) i, iii, iv (c) ii, iii (d) i, ii, iii, iv
13.1.4 For carrying out C2C e-Commerce the following infrastructure is essential: (i) World Wide Web (ii) Corporate network (iii) Electronic Data Interchange standards (iv) Secure Payment Services (v) Secure electronic communication link connecting businesses (a) i and ii (b) ii and iv (c) i (d) i and iv 13.1.5 Advantages of B2C commerce are (i) Business gets a wide reach to customers (ii) Payment for services easy (iii) Shop can be open 24 hours a day seven days a week (iv) Privacy of transaction always maintained (a) i and ii (b) ii and iii (c) i and iii (d) iii and iv 13.1.6 B2C commerce (a) includes services such as legal advice (b) means only shopping for physical goods (c) means only customers should approach customers to sell (d) means only customers should approach business to buy 13.1.7 Advantages of B2C commerce to customers are (i) wide variety of goods can be accessed and comparative prices can be found (ii) shopping can be done at any time (iii) privacy of transactions can be guaranteed (iv) security of transactions can be guaranteed (a) i and ii (b) ii and iii (c) iii and iv (d) i and iv 13.1.8 Disadvantages of e-Commerce in India are (i) internet access is not universally available (ii) credit card payment security is not yet guaranteed (iii) transactions are de-personalized and human contact is missing (iv) cyberlaws are not in place (a) i and ii (b) ii and iii (c) i, ii, iii (d) i, ii, iii, iv
LEARNING UNIT 2 13.2.1 Electronic Data Interchange is necessary in (a) B2C e-Commerce (b) C2C e-Commerce (c) B2B e-Commerce (d) Commerce using internet 13.2.2 EDI requires (a) representation of common business documents in computer readable form (b) data entry operators by receivers (c) special value added networks (d) special hardware at co-operating Business premises 13.2.3 EDI standards are (a) not universally available (b) essential for B2B commerce (c) not required for B2B commerce (d) still being evolved 13.2.4 EDIFACT is a standard (a) for representing business forms used in e-Commerce (b) for e-mail transaction for e-Commerce (c) for ftp in e-Commerce (d) protocol used in e-Commerce 13.2.5 EDIFACT standard was developed by (a) American National Standard Institute (b) International Standard Institute (c) European Common Market (d) United Nations Economic Commission for Europe 13.2.6 ANSI X.12 is a standard developed by (a) American National Standard Institute (b) International Standard Institute (c) European Common Market (d) United Nations Economic Commission for Europe
13.2.7 In B2B e-Commerce (i) Co-operating Business should give an EDI standard to be used (ii) Programs must be developed to translate EDI forms to a form accepted by application program (iii) Method of transmitting/receiving data should be mutually agreed (iv) It is essential to use internet (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) ii, iii, iv 13.2.8 EDI use (a) requires an extranet (b) requires value added network (c) can be done on internet (d) requires a corporate intranet 13.2.9 EDI over internet uses (a) MIME to attach EDI forms to e-mail messages (b) FTP to send business forms (c) HTTP to send business forms (d) SGML to send business forms 13.2.10 For secure EDI transmission on internet (a) MIME is used (b) S/MIME is used (c) PGP is used (d) TCP/IP is used 13.2.11 EDI standard (a) is not easily available (b) defines several hundred transaction sets for various business forms (c) is not popular (d) defines only a transmission protocol
LEARNING UNIT 3 13.3.1 By security in e-Commerce we mean (i) Protecting an organization’s data resource from unauthorized access (ii) Preventing disasters from happening (iii) Authenticating messages received by an organization (iv) Protecting messages sent on the internet from being read and understood by unauthorized persons/organizations (a) i, ii (b) ii, iii (c) iii, iv (d) i, iii, iv
13.3.2 A firewall is a (a) wall built to prevent fires from damaging a corporate intranet (b) security device deployed at the boundary of a company to prevent unauthorized physical access (c) security device deployed at the boundary of a corporate intranet to protect it from unauthorized access (d) device to prevent all accesses from the internet to the corporate intranet 13.3.3 A firewall may be implemented in (a) routers which connect intranet to internet (b) bridges used in an intranet (c) expensive modem (d) user’s application programs 13.3.4 Firewall as part of a router program (a) filters only packets coming from internet (b) filters only packets going to internet (c) filters packets travelling from and to the intranet from the internet (d) ensures rapid traffic of packets for speedy e-Commerce 13.3.5 Filtering of packets by firewall based on a router has facilities to (i) prevent access to internet to some clients in the intranet (ii) prevent access at certain specified times (iii) filter packets based on source or destination IP address (iv) prevent access by certain users of the internet to other specified users of the internet (a) i, iii (b) i, ii, iii (c) i, ii, iii, iv (d) ii, iii, iv 13.3.6 Main function of proxy application gateway firewall is (a) to allow corporate users to use efficiently all internet services (b) to allow intranet users to securely use specified internet services (c) to allow corporate users to use all internet services (d) to prevent corporate users from using internet services 13.3.7 Proxy application gateway (i) acts on behalf of all intranet users wanting to access internet securely (ii) monitors all accesses to internet and allows access to only specified IP addresses (iii) disallows use of certain protocols with security problems (iv) disallows all internet users from accessing intranet (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) ii, iii, iv
13.3.8 A hardened firewall host on an intranet (i) has a proxy application gateway program running on it (ii) allows specified internet users to access specified services in the intranet (iii) initiates all internet activities requested by clients and monitors them (iv) prevents outsiders from accessing IP addresses within the intranet (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) ii, iii, iv 13.3.9 A hardened firewall host on an Intranet is (a) a software which runs in any of the computers in the intranet (b) a software which runs on a special reserved computer on the intranet (c) a stripped down computer connected to the intranet (d) a mainframe connected to the intranet to ensure security 13.3.10 By encryption of a text we mean (a) compressing it (b) expanding it (c) scrambling it to preserve its security (d) hashing it 13.3.11 Encryption is required to (i) protect business information from eavesdropping when it is transmitted on internet (ii) efficiently use the bandwidth available in PSTN (iii) to protect information stored in companies’ databases from retrieval (iv) to preserve secrecy of information stored in databases if an unauthorized person retrieves it (a) i and ii (b) ii and iii (c) iii and iv (d) i and iv 13.3.12 Encryption can be done (a) only on textual data (b) only on ASCII coded data (c) on any bit string (d) only on mnemonic data 13.3.13 By applying permutation (31254) and substitution by 5 characters away from current character (A Æ F , B Æ G etc..) the following string ABRACADABRA becomes (a) FGWCAAADRBF (b) RABCAAADRBF (c) WFGHFFFIWGF (d) None of the above
13.3.14 The following ciphertext was received. The plaintext was permuted using permutation (34152) and substitution. Substitute character by character +3 (A Æ D, etc). The plain text after decryption is: Cipher text : PDLJDLXHVQC (a) MAIGAIUESNZ (b) IAMAGENIUSZ (c) LDPDJHPLXVZ (d) IAMAGENIUSC 13.3.15 By symmetric key encryption we mean (a) one private key is used for both encryption and decryption (b) private and public key used are symmetric (c) only public keys are used for encryption (d) only symmetric key is used for encryption 13.3.16 The acronym DES stands for (a) Digital Evaluation System (b) Digital Encryption Standard (c) Digital Encryption System (d) Double Encryption Standard 13.3.17 DES works by using (a) permutation and substitution on 64 bit blocks of plain text (b) only permutations on blocks of 128 bits (c) exclusive ORing key bits with 64 bit blocks (d) 4 rounds of substitution on 64 bit blocks with 56 bit keys 13.3.18 DES (i) is a symmetric key encryption method (ii) guarantees absolute security (iii) is implementable as hardware VLSI chip (iv) is a public key encryption method (a) i and ii (b) ii and iii (c) i and iii (d) iii and iv 13.3.19 DES using 56 bit keys (a) Cannot be broken in reasonable time using presently available computers (b)Can be broken only if the algorithm is known using even slow computers. (c) Can be broken with presently available high performance computers. (d)It is impossible to break ever.
13.3.20 Triple DES uses (a) 168 bit keys on 64-bit blocks of plain text (b) Working on 64-bit blocks of plain text and 56 bit keys by applying DES algorithm for three rounds. (c) Works with 144 bit blocks of plain text and applies DES algorithm once. (d) Uses 128 bit blocks of plain text and 112 bit keys and apply DES algorithm thrice. 13.3.21 Triple DES (a) Cannot be broken in reasonable time using presently available computers. (b)Can be broken only if the algorithm is known using even slow computer. (c) Can be broken with presently available high performance computers. (d) It is impossible to break ever. 13.3.22 Triple DES (i) is a symmetric key encryption method (ii) guarantees excellent security (iii) is implementable as a hardware VLSI chip (iv) is public key encryption method with three keys. 13.3.23 Public key encryption method is a system (a) which uses a set of public keys one for each participant in e-Commerce (b) in which each person who wants to communicate has two keys; a private key known to him only and a public key which is publicized to enable others to send message to him (c) which uses the RSA coding system (d) which is a standard for use in e-Commerce 13.3.24 Public key system is useful because (a) it uses two keys (b) there is no key distribution problem as public key can be kept in a commonly accessible database (c) private key can be kept secret (d) it is a symmetric key system 13.3.25 In public key encryption if A wants to send an encrypted message to B (a) A encrypts message using his private key (b) A encrypts message using B’s private key (c) A encrypts message using B’s public key (d) A encrypts message using his public key
13.3.26 In public key encryption system if A encrypts a message using his private key and sends it to B (a) if B knows it is from A he can decrypt it using A’s public key (b) Even if B knows who sent the message it cannot be decrypted (c) It cannot be decrypted at all as no one knows A’s private key (d) A should send his public key with the message 13.3.27 Message can be sent more securely using DES by (a) encrypting plain text by a different randomly selected key for each transmission (b) encrypting plain text by a different random key for each message transmission and sending the key to the receiver using a public key system (c) using an algorithm to implement DES instead of using hardware (d) designing DES with high security and not publicizing algorithm used by it 13.3.28 DES and public key algorithm are combined (i) to speed up encrypted message transmission (ii) to ensure higher security by using different key for each transmission (iii) as a combination is always better than individual system (iv) as it is required in e-Commerce (a) i and ii (b) ii and iii (c) iii and iv (d) i and iv 13.3.29 A digital signature is (a) a bit string giving identity of a correspondent (b) a unique identification of a sender (c) an authentication of an electronic record by tying it uniquely to a key only a sender knows (d) an encrypted signature of a sender 13.3.30 A digital signature is required (i) to tie an electronic message to the sender’s identity (ii) for non repudiation of communication by a sender (iii) to prove that a message was sent by the sender in a court of law (iv) in all e-mail transactions (a) i and ii (b) i, ii, iii (c) i, ii, iii, iv (d) ii, iii, iv
13.3.31 A hashing function for digital signature (i) must give a hashed message which is shorter than the original message (ii) must be hardware implementable (iii) two different messages should not give the same hashed message (iv) is not essential for implementing digital signature (a) i and ii (b) ii and iii (c) i and iii (d) iii and iv 13.3.32 Hashed message is signed by a sender using (a) his public key (b) his private key (c) receiver’s public key (d) receiver’s private key 13.3.33 While sending a signed message, a sender (a) sends message key using public key encryption using DES and hashed message using public key encryption (b) sends message using public key encryption and hashed message using DES (c) sends both message and hashed message using DES (d) sends both message and hashed message using public key encryption 13.3.34 The responsibility of a certification authority for digital signature is to authenticate the (a) hash function used (b) private keys of subscribers (c) public keys of subscribers (d) key used in DES 13.3.35 Certification of Digital signature by an independent authority is needed because (a) it is safe (b) it gives confidence to a business (c) the authority checks and assures customers that the public key indeed belongs to the business which claims its ownership (d) private key claimed by a sender may not be actually his
LEARNING UNIT 4 13.4.1 The Secure Electronic Transaction protocol is used for (a) credit card payment (b) cheque payment (c) electronic cash payments (d) payment of small amounts for internet services 13.4.2 In SET protocol a customer encrypts credit card number using (a) his private key (b) bank’s public key (c) bank’s private key (d) merchant’s public key 13.4.3 In SET protocol a customer sends a purchase order (a) encrypted with his public key (b) in plain text form (c) encrypted using Bank’s public key (d) using digital Signature system 13.4.4 One of the problems with using SET protocol is (a) the merchant’s risk is high as he accepts encrypted credit card (b) the credit card company should check digital signature (c) the bank has to keep a database of the public keys of all customers (d) the bank has to keep a database of digital signatures of all customers 13.4.5 The bank has to have the public keys of all customers in SET protocol as it has to (a) check the digital signature of customers (b) communicate with merchants (c) communicate with merchants credit card company (d) certify their keys 13.4.6 In electronic cheque payments developed, it is assumed that most of the transactions will be (a) customers to customers (b) customers to business (c) business to business (d) banks to banks
13.4.7In cheque payment protocol, the purchase order form is signed by purchaser using (a) his public key (b) his private key (c) his private key using his signature hardware (d) various public keys 13.4.8 In the NetBill’s protocol for small payments for services available in the internet. (i) the customer is charged only when the information is delivered (ii) the vendor is guaranteed payment when information is delivered (iii) the customer must have a certified credit card (iv) the customer must have a valid public key (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) i, ii, iv 13.4.9 In NetBill’s protocol for small payments for internet services (i) Key to decrypt information is sent to customer by NetBill only when there is enough amount in debit account (ii) The vendor supplies the key to NetBill server when he receives payment (iii) Checksum of encrypted information received by customer is attached to his payment order (iv) Vendor does not encrypt information purchased by customer (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) i, ii, iv 13.4.10 In Electronic cash payment (a) a debit card payment system is used (b) a customer buys several electronic coins which are digitally signed by coin issuing bank (c) a credit card payment system is used (d) RSA cryptography is used in the transactions 13.4.11 In Electronic cash payment (i) a customer withdraws “coins” in various denominations signed by the bank (ii) the bank has a database of issued coins (iii) the bank has a database of spent coins (iv) the bank cannot trace a customer (a) i, ii (b) i, ii, iii (c) i, ii, iii, iv (d) ii, iii, iv
KEY TO OBJECTIVE QUESTIONS 13.1.1 13.1.7 13.2.5 13.2.11 13.3.6 13.3.12 13.3.18 13.3.24 13.3.30 13.4.1 13.4.7
d a d b b c c b b a c
13.1.2 c 13.1.8 c 13.2.6 a 13.3.1 d 13.3.7 b 13.3.13 c 13.3.19 c 13.3.25 c 13.3.31 c 13.4.2 b 13.4.8 d
13.1.3 13.2.1 13.2.7 13.3.2 13.3.8 13.3.14 13.3.20 13.3.26 13.3.32 13.4.3 13.4.9
a c b c c b b a b d b
13.1.4 c 13.2.2 a 13.2.8 c 13.3.3 a 13.3.9 b 13.3.15 a 13.3.21 a 13.3.27 b 13.3.33 a 13.4.4 c 13.4.10 b
13.1.5 13.2.3 13.2.9 13.3.4 13.3.10 13.3.16 13.3.22 13.3.28 13.3.34 13.4.5 13.4.11
c b a c c b b a c a b
13.1.6 a 13.2.4 a 13.2.10 b 13.3.5 b 13.3.11 d 13.3.17 a 13.3.23 b 13.3.29 c 13.3.35 c 13.4.6 c
System Analysis and Design / Electronic Commerce
Motivation
Motivation With the emergence of internet and the world wide web new methods of carrying out business transactions using the world wide web began to be explored. Electronic Commerce emerged as a very important application of the world wide web. Today it is difficult to find an isolated computer. Computers in an organization are interconnected to form intranets and intranets of the cooperating organizations are interconnected to form extranet. It is cheaper and faster to carry out business transactions within an organization and among organizations electronically using the network connection. Thus it is important to understand how business transactions are carried out electronically reliably and securely When designing information systems it is essential to understand the emerging web based transactions A number of organizations are exploring how to carry out all day-to-day operations electronically using the intranet in a so-called paperless system It is thus important for a student to understand how to design such systems
V. Rajaraman/IISc. Bangalore
//V1/July 04/1
MODULE 13
ELECTRONIC COMMERCE Learning Units 13.1 What is E-Commerce? 13.2 Electronic Data Interchange 13.3 Security of E-Commerce 13.4 Payment in E-Commerce
Systems Analysis And Design
©
V. Rajaraman
Learning Goals The basics of Electronic Commerce abbreviated as e-commerce The advantages and disadvantages of e-commerce Architecture of e-commerce systems Electronic Data Interchange in e-commerce The need for security in e-commerce transactions and how to ensure it How Electronic payment schemes work in e-commerce.
Systems Analysis And Design
© V. Rajaraman
1 of 92
Motivation With the emergence of internet and the world wide web new methods of carrying out business transactions using the world wide web began to be explored. Electronic Commerce emerged as a very important application of the world wide web. Today it is difficult to find an isolated computer. Computers in an organization are interconnected to form intranets and intranets of the cooperating organizations are interconnected to form extranet.
Systems Analysis And Design
© V. Rajaraman
2 of 92
Motivation (Contd) It is cheaper and faster to carry out business transactions within an organization and among organizations electronically using the network connection. Thus it is important to understand how business transactions are carried out electronically reliably and securely When designing information systems it is essential to understand the emerging web based transactions A number of organizations are exploring how to carry out all dayto-day operations electronically using the intranet in a so-called paperless system It is thus important for a student to understand how to design such systems Systems Analysis And Design
© V. Rajaraman
3 of 92
What Is Electronic Commerce DEFINITION •Sharing Business Information, Maintaining Business relationships and conducting business transactions using computers connected to a Telecommunication Network is called E-Commerce
CLASSIFICATION •CLASSIFIED AS : BUSINESS TO BUSINESS (B2B) BUSINESS TO CUSTOMER (B2C) CUSTOMER TO CUSTOMER (C2C)
13.1.1
Systems Analysis And Design
© V. Rajaraman
4 of 92
E-commerce Applications-example •RETAIL STORES - Books, Music •AUCTION SITES •COOPERATING BUSINESSES –Placing orders,paying invoices etc. •ELECTRONIC BANKING •BOOKING TICKETS - TRAINS, CINEMA, AIRLINES •ELECTRONIC PUBLISHING •FILLING TAX RETURNS WITH GOVERNMENT DEPT.
13.1.2
Systems Analysis And Design
© V. Rajaraman
5 of 92
Business To Business E-commerce LAN of buisness2
Public switched telephone network
LAN of buisness1
PSTN or LEASED LINE
Vendor Local computers
Purchase store accounts Local computers
• Local LAN of business would normally follow TCP/IP protocol of internet and is called corporate intranet
• Purchase order entered by business1 in its PC and electronically dispatched to vendor (by e-mail) • Vendor acknowledges electronically the order • Vendor dispatches goods(physically) and delivery note electronically to business1
13.1.3
Systems Analysis And Design
© V. Rajaraman
6 of 92
B2B E-commerce (Contd) •Business 1 can compare delivery note against order -both are in computer readable form •Discrepancy note(if any) can be immediately sent to the vendor •Business 1 can carry out all local transactions using its LAN •Local transactions are inventory update by stores - advice to accounts to pay for goods taken into stock • Accounts can make payment electronically to Vendor
13.1.4
Systems Analysis And Design
© V. Rajaraman
7 of 92
Implementing B2B E-commercerequirements 1. Agreed on formats for Purchase order, delivery note, payment order etc. Standard known as EDI (Electronic Data Interchange Standard) is used to send documents electronically 2.Each Business must have corporate intranet and the two nets are connected by PSTN or leased line 3. Transactions must be secure - particularly if PSTN is used 4.Secure electronic payment methods are required
13.1.5
Systems Analysis And Design
© V. Rajaraman
8 of 92
Steps In B2C E-commerce 1. Customer uses a browser and locates vendor or he has vendor's web page address 2. Sees Vendor's web page listing of items available, prices etc 3. Customer selects item and places order. Order may include credit card details or may be cash on delivery 4. Vendor checks with credit card company customer’s credit 5. Credit card company OKs transaction 6. Vendor acknowledges Customer’s order and gives details of delivery date, mode of transport, cost etc 7. Vendor orders with distributor who ships item to vendor's warehouse from where item supplied to customer 8. Customer's credit card company debits his account, credits vendor's account and sends bill to customer for payment 13.1.6
Systems Analysis And Design
© V. Rajaraman
9 of 92
Customer to Customer E-Commerce
Customer1
Customer2
Internet
Wants to buy Item 1
Wants to sell Item 1 Broker’s website •Advertises - "for sale"
•Brings together buyer and seller •Transports items •Collects fee from both Seller &Buyer
13.1.7
Systems Analysis And Design
© V. Rajaraman
10 of 92
Advantages Of E-commerce 1. Buying/selling a variety of goods and services from one's home or business 2. Anywhere, anytime transaction 3. Can look for lowest cost for specific goods or service 4. Businesses can reach out to worldwide clients - can establish business partnerships
13.1.8
Systems Analysis And Design
© V. Rajaraman
11 of 92
Advantages Of E-commerce 5. Order processing cost reduced 6. Electronic funds transfer faster 7. Supply chain management is simpler, faster, and cheaper using e-commerce - Can order from several vendors and monitor supplies. - Production schedule and inventory of an organization can be inspected by cooperating supplier who can in-turn schedule their work.
13.1.9
Systems Analysis And Design
© V. Rajaraman
12 of 92
Disadvantages Of E-commerce 1. Electronic data interchange using EDI is expensive for small businesses 2. Security of internet is not very good - viruses, hacker attacks can paralise e-commerce 3. Privacy of e-transactions is not guaranteed 4. E-commerce de-personalises shopping.People go shopping to meet others - window shop and bargain
13.1.10 Systems Analysis And Design
© V. Rajaraman
13 of 92
E-commerce System Architectures LOGICAL LAYERS
SERVICES IN LAYER
Application layer
B2B,B2C,C2C
Middleman services
Hosting services,value added nets payment services,Certificates
Secure messaging
Encryption,EDI,Firewalls
World wide web services Logical network
HTTP,HTML,XML,OLE Software agents Intranet,internet,extranet
Physical network
PSTN,LAN,Bridges,routers
Layered architecture 13.1.11 Systems Analysis And Design
© V. Rajaraman
14 of 92
Electronic Data Interchange •Computer readable forms for business documents such as invoices, purchase orders, delivery notes needed in B2B ecommerce so that e-documents can be exchanged. •Essential to eliminate manual data entry which is error prone • Essential to agree on common formats for commonly used forms. •Electronic data interchange (EDI) standard gives specifications for commonly used standard business forms •Currently two standards are available for EDI forms • It is possible to adapt these standards for documents which use XML for specification. 13.2.1
Systems Analysis And Design
© V. Rajaraman
15 of 92
EDI Standards •ANSI X.12 standard proposed by American National Standards Institute •EDIFACT (Electronic Data Interchange For Administration Commerce and Trade) standardized by United Nations Economic Commission for Europe for international trade •EDIFACT used in India for government transactions customs, central excise etc.
13.2.2
Systems Analysis And Design
© V. Rajaraman
16 of 92
EDI Transactions in B2B E-commerce •Cooperating businesses agree on EDI standard •Programs needed to translate data received in EDI format to a form needed by the application program •Method of sending/receiving data between businesses to be agreed on - is it PSTN, Extranet or VAN (value added network) service ? •Important to ensure reliable, guaranteed and secure receipt of electronic documents by intended receiver
13.2.3
Systems Analysis And Design
© V. Rajaraman
17 of 92
EDI Using Value Added Network Service •VAN provides post box for all subscribers •Guarantees delivery •Open 24 hours, 7 days a week •Provides security, acknowledgement, audit trails for transactions, non repudiation by users •Some VAN’S provide conversion of EDI forms to application format •Disadvantage high cost. Used by large businesses - may not be cost-effective for smaller businesses 13.2.4
Systems Analysis And Design
© V. Rajaraman
18 of 92
EDI Using Internet • Cheaper method for use by small business is to use XML for EDI and e-mail,instead of VAN • Establish EDI form standard - XML appropriate – Document Type Definition(DTD) publicised using organization’s web pagecooperating business can use a DTD to interpret XML documents. •Use MIME (multipurpose internet mail extension) to attach EDI forms to e-mail messages
13.2.5
Systems Analysis And Design
© V. Rajaraman
19 of 92
EDI Using Internet • Can use Simple Mail Transfer Protocol(SMTP) of internet • If secure transmission needed use S/MIME (Security enhanced MIME) which uses encryption and digital signature –(We will describe encryption and digital signature later in this module) • If very long document or many documents are to be sent together File Transfer Protocol (FTP) may be more appropriate.
13.2.6
Systems Analysis And Design
© V. Rajaraman
20 of 92
EDI Standard •Defines several hundred transaction sets corresponding to each type of business document such as invoice, purchase order etc. •Defines data segments - corresponding to groups of data elements such as purchase order line •Defines data elements - which are individual fields such as price, quantity etc
13.2.7
Systems Analysis And Design
© V. Rajaraman
21 of 92
Security In E-commerce •Transactions between organizations take place in many e-commerce applications using the Internet •Internet is widely accessible and insecure as eavesdropping is possible •Need to protect company confidential information from snoopers •We need to protect a company's network from unauthorised entry both hardware and software techniques used •When an organization receives a message it has to be sure from whom it came and whether the message is authentic and not changed by an unauthorised person •We thus need a digital signature which can be used in a court of law 13.3.1
Systems Analysis And Design
© V. Rajaraman
22 of 92
Network Security Using Firewall •Firewall is a security device deployed at the boundary of an organization' s network to protect it from unauthorised external access •It links an organization's intranet to the internet and restricts the type of traffic that it will pass, thus providing security •Simple firewalls may be implemented in some routers, called packet filtering firewalls, they pass only some packets based on simple specified criteria such as -Type of access (such as email, ftp, telnet as determined by TCP port number) -Direction of traffic -Source or destination IP address -Time of day 13.3.2
Systems Analysis And Design
© V. Rajaraman
23 of 92
Proxy Application Gateway •Primarily for allowing members of an organization on corporate intranet to access internet facility ensuring organizational discipline and security •Proxy application program running on a firewall machine is the one which acts on behalf of all members of an organization wanting to use the internet •This program monitors all requests - allows access to only designated addresses outside, limits use of certain browsers and disallows use of some protocols with known security holes •Proxy application program may also be allowed to run on some user's machine who have authorization for internet use
13.3.3
Systems Analysis And Design
© V. Rajaraman
24 of 92
Hardened Firewalls With Proxy Application Gateway •Any one from inside or outside an organization give their user id, password, service required to the firewall machine which acts as one's proxy (ie.does ones work on his behalf) •Proxy firewall is now server to the requestor's desktop PC and also a client to some other requested service acting on requestor's behalf •Firewall needs proxy agent for each service requested such as FTP, HTTP, TELNET etc
13.3.4
Systems Analysis And Design
© V. Rajaraman
25 of 92
Hardened Firewalls With Proxy Application Gateway •Now proxy firewall is the initiator of all sessions and thus knows every activity - thus ensuring security •Firewall with a proxy function replaces the source address of transaction requestor with its own IP address -this ensures that others on internet see only firewall's IP address - all other IP addresses of organization are hidden
13.3.5
Systems Analysis And Design
© V. Rajaraman
26 of 92
Data Encryption With Secret Keys •Data sent via a public network may be accessed and used by unauthorized persons •Thus necessary to scramble it so that even if one accesses it, it cannot be understood •Similarly data stored in data bases accessible via internet should be scrambled •Method of scrambling known as encryption •Method of unscrambling known as decryption 13.3.6
Systems Analysis And Design
© V. Rajaraman
27 of 92
Plain Text And Ciphertext •Plain text is data in its natural form •Encryption is taking data in any form(Text, Audio,Video etc.) and transforming it to another form which cannot be understood •Transformed data is known as cryptogram or cipher text
13.3.7
Systems Analysis And Design
© V. Rajaraman
28 of 92
Example Text Encryption Start plaintext
THIS IS A MESSAGE X
Block plaintext (5character blocks)
THISI SAMES SAGEX
Transpose characters with permutation (4 1 2 5 3)
4Æ1
STHII ESASM ESAXG
Substitute character by the one 4 letters away
WXLMM IWEWQ IXEBK
(eg AÆE,ZÆD) Cipher text This is an example of two transformations - permutation followed by substitution The keys are permutation function and substitution function
13.3.8
Systems Analysis And Design
© V. Rajaraman
29 of 92
Symmetric Encryption. PLAINTEXT
(m1,m2…mn )
CIPHER TEXT (c1 c2, c3….cn ) Where ci = k( Ti (mi) ) In which Ti is permutation of ith character and k is substitution. •Decryption by applying same transformations in reverse on cipher text. •This method called symmetric key encryption as encryption and decryption performed using same key. •Normally the encryption/decryption algorithm is publicised. Only key is secret. 13.3.9
Systems Analysis And Design
© V. Rajaraman
30 of 92
Symmetric Encryption • Problem is to ensure secrecy of key when it is sent to partner. • If the key is to be sent to many partners need for separate key for each partner.Directory of who was sent which key is to be kept and used for each transaction.Directory should be secure. • If large number of partners are there key distribution very difficult. • Advantage of symmetric key is easy and fast to transform plain text to cipher text.
13.3.10 Systems Analysis And Design
© V. Rajaraman
31 of 92
Digital Encryption Standard DES - Proposed by IBM in 1975 Standardised by US Govt in 1977 Reasonably secure It is a combination of permutation and substitution on blocks of 64 bits. A message is broken up into 64 bit blocks and each block is separately encrypted.
13.3.11 Systems Analysis And Design
© V. Rajaraman
32 of 92
Digital Encryption Standard #General idea used in DES M = PLAINTEXT 01101100
11011000
11011010
K = KEY
10101111
00101100
01011011
E= M+K
11000011
11110100
10000001 encryption
M= E + K
01101100
11011000
11011010 decryption
See simplicity of Transformation using Exclusive OR
13.3.12 Systems Analysis And Design
© V. Rajaraman
33 of 92
Digital Encryption Standard Algorithm Before applying DES the text is split up into the 64 bit blocks. DES applied on each 64 bit block. Encryption method Step 1: Apply an initial permutation on a block.Result is B=IP(P) where P is the 64 bit block IP Initial Permutation function and B the result. Step 2: Split B into 32 bit blocks Li = leftmost 32 bits Ri = rightmost 32 bits. Step 3: Pick a 56 bit key. Permute it Step 4: Left circular shift it by 1 bit giving K1. 13.3.13 Systems Analysis And Design
© V. Rajaraman
34 of 92
Digital Encryption Standard Algorithm Step 5: Perform a complex sequence of operations and obtain X1 = F(R1,K1) (The complex set of operations include table look up and dropping bits). Step 6: Find R2 = L1 + X1 Step 7: Set L2 = R1 Repeat steps 2 to 7 16 times to get B16 = L16,R16 Step 8: Apply inverse of initial permutation on B16 The result is the encrypted block
13.3.14 Systems Analysis And Design
© V. Rajaraman
35 of 92
Digital Encryption Standard Algorithm • In summary the DES encryption applies the following transformation 16 times.The ith round transformation are Li+1= Ri Ri+1= Li + F(Ri,Ki) • Each round has a different key Ki • For Decryption the process of encryption is reversed.The encrypted block is permuted using IP-1.On this transformations are applied starting with K16 and going to K1 last.The keys and F are same as those used in encryption process. 13.3.15 Systems Analysis And Design
© V. Rajaraman
36 of 92
Digital Encryption Standard Algorithm • The encryption process uses simple binary operations. They can thus be realised in hardware as an integrated circuit chip. • DES chips are inexpensive. Key externally fed. • The complex encryption algorithm is explained using two block diagrams in the next two transparencies.
13.3.16 Systems Analysis And Design
© V. Rajaraman
37 of 92
64 bit block of plain text
IP
R O U N D 1 R O U N D 2
L1
Initial Permutation Permute
R1 K1
F
+ L2
L1 +
F(R1,K1) Permute
K2
F
+ . . .
L16
L2 +
R3
Left circular shift
P1
R2
L3 .
56 bit key
DES Encryption Block Diagram
F(R2,K2) K16
P2 . . . . P16
. . . . .
Left circular shift
Left circular shift
+
R16
IP-1
64 bit Cipher text
Inverse of Initial permutation (F is a complex function involving two table look ups and dropping bits of K1 to get 32 bits for bitwise Exclusive OR of L1 and F(K1,R1) )
38 of 92
Details of One Round of DES Encryption 64 bit Plain Text
56-bit key
Permute 32 bits 32 bits L1 R1
Permute 28 bits 28 bits KL KB
Left Shifts
48 bits
Permute and Contract
L1
Round1
F(R1,K1)
K1
+ L2
R2 . . . .
KL
KB
For next key
Repeat 15 more times
13.3.18 Systems Analysis And Design
© V. Rajaraman
39 of 92
DES Chip
64 Input block Key
DES CHIP
64
Encrypted Block
56
• Observe that from initial key others are derived by circular shifts • Decryption chip inputs encrypted block and key and the output is decrypted block
13.3.19 Systems Analysis And Design
© V. Rajaraman
40 of 92
DES - Discussion • Cryptanalysis is technique for breaking a code, given samples of encrypted messages. • If plain text also known it is somewhat easier. • DES code can be broken if key is found. • The easiest method of breaking a code is by brute force of trying out all possible keys to decrypt message.
13.3.20 Systems Analysis And Design
© V. Rajaraman
41 of 92
DES - Discussion • With increase in speed of computers it has now been shown that DES key can be found in less than 12 hrs with a fast computer (1 Million decryption per microsecond) • Thus DES is practically useless now (original DES was invented in mid 70s) • New more secure symmetric encryption algorithm is needed • An extension of DES called triple DES is shown to be more secure.
13.3.21 Systems Analysis And Design
© V. Rajaraman
42 of 92
Triple DES • Triple DES uses three different keys and three executions of DES algorithm. • The algorithm is Cipher text = Ek3 [Dk2 [Ek1 [Plain Text]]] where Ek[X] = DES Encryption of X using key K and Dk[X] = DES Decryption of X using key K • Remember that in DES Decryption of encrypted plain text with a different key is almost same as another encryption. •This is true as encryption and decryption use the same algorithm
13.3.22 Systems Analysis And Design
© V. Rajaraman
43 of 92
Triple DES • To decrypt cipher text we reverse the operations. Plain text = Dk1[Ek2 [Dk3[Cipher Text]]] BLOCK DIAGRAMS OF TRIPLE DES Encryption K1
Plain text (64 bit block)
E
K2
D
K3
Cipher text (64bit block)
E
Decryption K3
Cipher text
E
K2
D
13.3.23 Systems Analysis And Design
K1
E © V. Rajaraman
Plain text
44 of 92
Triple DES(Contd) • Using DES thrice is equivalent to having a DES key length of 168 bits. • Brute force method to break triple DES with 106 decrypts per micro second will take 5.9 X 10 30 years! • Even at 1012 fold increase in computer speed will make triple DES secure against brute force attacks to break code • The only reason D is used as middle step in triple DES is to allow data encrypted using single DES hardware.In this case K3=K2=K1 (Single key used) (See block diagram)
13.3.24 Systems Analysis And Design
© V. Rajaraman
45 of 92
Triple DES(Contd) • Triple DES will be quite popular for a foreseeable future as it is very secure, can be realised by simple hardware. • Triple DES has two disadvantages 1. It is slow to implement in software 2. It uses 64 bit blocks. • Thus new standards were explored.
13.3.25 Systems Analysis And Design
© V. Rajaraman
46 of 92
Requirements of Symmetric Key Cryptography Algorithm(NIST) –Advanced Encryption System(AES) • National Institute for Standards Technology put out a call for proposals for new crypto system with following requirements. • Must provide a high level of security (i.e. difficult to decrypt in finite time) • Must be completely specified and easily understood. • Security must reside in key – Not in algorithm
13.3.26 Systems Analysis And Design
© V. Rajaraman
47 of 92
Requirements of Symmetric Key Cryptography Algorithm(NIST) –Advanced Encryption System(AES) • Must be available for all users • Adaptable for use in diverse applications e.g.credit cards • Implementable economically in electronic devices • Must be efficient to use as both software and hardware • Must allow one to validate it.
13.3.27 Systems Analysis And Design
© V. Rajaraman
48 of 92
Requirements of Symmetric Key Cryptography Algorithm(NIST) –Advanced Encryption System(AES) • Must be exportable • No trap door • Must use 128 blocks and key lengths of 128,192 or 256 bits depending on the level of security desired. • In October 2000 it announced the selection of an algorithm – called Rijin dael(Pronounce RAIN DOLL) as new Advance Encryption Standard (AES) •Details may be found in www.nist.gov/aes 13.3.28 Systems Analysis And Design
© V. Rajaraman
49 of 92
Public Key Encryption •In Private Key Encryption transmission of key without compromising not easy •It is necessary to assign different private key to each business partner. When this is done a directory of keys should be kept which should be secret.This is difficult. •Only secure way is to change the private key every time a message is sent •Public Key Encryption eliminates the key distribution problem •There is a pair of keys for each organization - A Private Key and its Public Key •If A wants to send message to B, A encrypts the message with B's Public Key When message is received by B he decrypts it with his Private Key
A
Plain text
ENCRYPT
DECRYPT Cipher text
B’s Public Key
SENDER A 13.3.29 Systems Analysis And Design
Plain text
B
B’s Private Key
RECEIVER B
© V. Rajaraman
50 of 92
RSA Code Details.”R” Wants To Find His Public And Private Keys 1. Pick large primes p and q. Let n =p * q 2 Find ø = (p-l)*(q-l) 3 Find e relatively prime to Ø, i.e. gcd(ø,e)=1; 1<e<ø. {e,n} is R's Public Key 4 Find a number d which satisfies relation (d * e) mod (ø) =1 {d,n} is R’s Private key
13.3.30 Systems Analysis And Design
© V. Rajaraman
51 of 92
RSA Code Details.”R” Wants To Find His Public And Private Keys 5. Let plain text = t. Encrypt t using R’s public key. Encryption = te (mod n) = c (cipher text) 6. Decryption
cd (mod n) =t
(Both n and e should be known to encrypt.Similarly both n and d should be known to decrypt)
13.3.31 Systems Analysis And Design
© V. Rajaraman
52 of 92
Example Of RSA Use •
This example is a toy example to illustrate the method.In practice the primes p and q will be very large – each at least 300 digits long to ensure security.
RSA Algorithm 1. Pick as prime numbers p=3,q=11 n = p * q=33 Note : The message to be encrypted should be smaller than 33.If we do letter by letter encryption of English alphabets (A to Z Æ 1 to 26) this is OK 2. Ø = (p-1) x (q-1) = 2 x 10 = 20 13.3.32 Systems Analysis And Design
© V. Rajaraman
53 of 92
Example Of RSA Use RSA Algorithm (Contd) 3. Pick a number relatively prime to 20. We pick 7. The Public key of R = {7,33} 4. To pick private key of R find d from relation (d x e)mod(ø) = 1 (d x 7) mod (20) =1 This gives d =3 Therefore, the private key of R = {3,33}
13.3.33 Systems Analysis And Design
© V. Rajaraman
54 of 92
Applying RSA Algorithm 1. Let the message be CODE If we use code C=3, O=14,D=4,E=5 The message is 3,14,4,5 2. We will encrypt one letter at a time Thus cipher of plain text 3 is 3e mod (n) =37 mod(33) 37 mod (33) =2187 mod (33)=9 (14)7 mod (33) = 105413504mod(33)=20 (4)7 mod (33) =16384 mod (33) =16 (5)7 mod (33) =78125 mod(33) = 14 3. Thus cipher text = 9,20,16,14 13.3.34 Systems Analysis And Design
© V. Rajaraman
55 of 92
Applying RSA Algorithm 4. Decryption : cd mod (n) d=3,n=33 93 mod (33) = 729 mod(33) = 3 203 mod(33) = 8000 mod(33)=14 163 mod(33) = 4096 mod(33) =4 143 mod(33) = 2744 mod(33) =5 We see that we get the original text 3,14,4,5
13.3.35 Systems Analysis And Design
© V. Rajaraman
56 of 92
Discussion on RSA • The security RSA encryption is dependent on the fact that factorising a large prime number to its factors is very difficult. • RSA algorithm is symmetric.In other words if a plain text is encoded by the private key of S, the sender, it can be decrypted using the public key of R, the receiver (We will find later that this symmetry property is used in creating digital signature) •Example using S’s keys S’s Private key = {3,33} S’s Public key = {7,33}
13.3.36 Systems Analysis And Design
© V. Rajaraman
57 of 92
Discussion on RSA • If we encrypt a plain text using S’s private key and send it to R,R must be able to decrypt it with S’s public key. •Assume Plain text is encrypted with S’s private key and get cipher text = (14)3 mod (33)=5 •Decrypting with S’s Public key we get (5)7 mod (33) =78125 mod(33) ={(2367 x 33) + 14} mod (33) =14
13.3.37 Systems Analysis And Design
© V. Rajaraman
58 of 92
DISCUSSION – RSA Vs DES •RSA Public key has two keys – a private secret key and a public open key. •RSA implemented as a program (software) It is computationally complex to encode plain text and decode cipher text using RSA •DES Same key for encryption and decryption It is a single key system - Also called symmetric key system
13.3.38 Systems Analysis And Design
© V. Rajaraman
59 of 92
DISCUSSION – RSA Vs DES •DES computationally simple-implemented in hardware thus very fast •Each communication between two businesses can use a different key –provided key is securely exchanged •If key can be sent separately encrypted using RSA, then a recipient can use this to decrypt DES encrypted message. •We look next at combining DES and RSA.
13.3.39 Systems Analysis And Design
© V. Rajaraman
60 of 92
Combining RSA And DES KEY
SENDER PLAIN TEXT
ENCRYPT
DECRYPT
Public key Of the receiver
Private key Of the receiver
DES
DES
RECOVERED KEY
RECEIVER PLAIN TEXT
CIPHER TEXT
Advantages: • Key is sent along with the plain text. Encrypted using RSA • Key small-fast to encrypt/decrypt • Each transaction using DES can have a different key- higher security and also fast.Key directory not needed. 13.3.40 Systems Analysis And Design
© V. Rajaraman
61 of 92
Digital Signature REQUIREMENTS •Needed to ensure that a message received from say "A" is indeed from him •Signature should be tied to the message sent by "A" SENDING STEP •Sender sends key using RSA system •Sender sends plain text "M" using DES •Receiver decrypts cipher text using DES and the key received from sender call it "MR" 13.3.41 Systems Analysis And Design
© V. Rajaraman
62 of 92
Digital Signature •Sender hashes plain text "M' using a hashing function - let the hashed text be "H" •Hashed text "H" encrypted by sender using his Private key •DS is his signature as H encrypted with his private key •DS decrypted by receiver using sender's Public key and obtains "H"
13.3.42 Systems Analysis And Design
© V. Rajaraman
63 of 92
Digital Signature (Contd) Authentication step •Receiver hashes “MR" using hash function and gets“HR" •Receiver compares “H" with “HR" •If they match then it is a signed authenticated plain text •TM is signed as sender has encrypted the hashed text using his private key which he only knows.If H=(MR)(HASHED) = HR where MR is the received message then MR must have been sent by sender. He cannot repudiate.
13.3.43 Systems Analysis And Design
© V. Rajaraman
64 of 92
Signing A Message Using Digital Signature R’s Private key
R’s Public key KE
K
ENCRYPT
DECRYPT K
K
SENDER
M
ENCRYPT
Forgery
ME
DECRYPT
MR
RECEIVER
no DS
Hash
ENCRYPT
DECRYPT
H
H
S’s Private key
Hash
Equal
S’s Public key
HR yes
Signature OK Accept M 13.3.44 Systems Analysis And Design
© V. Rajaraman
65 of 92
Certificate Authority For Digital Signature •As the hashed message in Digital Signature system is decrypted using senders public key,this key must be certified as belonging to sender by an independent authority •Certification needed to ensure authenticity of public keys of organizations as public key is used to verify signature •Certification authority keeps data base of public keys of organizations participating in e-commerce after verifying their credentials. •Potential business partners can authenticate public keys by sending request to certifying authority who certifies after receiving a fee for his services 13.3.45 Systems Analysis And Design
© V. Rajaraman
66 of 92
Electronic Payment Systems • In any commercial transaction payment is an integral part for goods supplied. •Four types of payments may be made in e-commerce they are •Credit card payments •Electronic cheque payments •Micro or small payments for internet based services such as music download. •Electronic-cash payments Each of these requires a different system of payment. We will examine first credit card payments. 13.4.1
Systems Analysis And Design
© V. Rajaraman
67 of 92
Review Of Manual Credit Card Payment Four parties are invoked in credit card payments. They are: • Customer having a credit card • Merchant accepting credit cards (such as VISA, MASTER CARD etc) • Bank which issues credit cards to customers and collects payments from customers
13.4.2
Systems Analysis And Design
© V. Rajaraman
68 of 92
Review Of Manual Credit Card Payment •Acquirer which is financial institution that establishes an account with a merchant,validates credit card information sent electronically by merchant and authorises sale based on customer’s credit status. • Acquirer accepts credit cards of several card companies and guarantees payment to merchants. •Acquirer gets reimbursed by bank issuing credit card.
13.4.3
Systems Analysis And Design
© V. Rajaraman
69 of 92
Sequence Of Transactions In Manual Credit Card Payment Step 1: Customer presents credit card after purchase. Merchant swipes it on his special phone and enters amount
Step 2: Data from merchant’s terminal goes to acquirer via a private telephone line
Step 3: Acquirer checks with the issuing bank validity of card and credit-available
13.4.4
Systems Analysis And Design
© V. Rajaraman
70 of 92
Sequence Of Transactions In Manual Credit Card Payment Step 4: Acquirer authorizes sale if all OK and sends approval slip which is printed at merchant’s terminal.
Step 5: Merchant takes customer’s signature on the slip-verifies it with the signature on card and delivers the goods.
Step 6: The acquirer pays the money to merchant and collects it from the appropriate issuing bank. The bank sends monthly statement to customer and collects outstanding amount.
13.4.5
Systems Analysis And Design
© V. Rajaraman
71 of 92
Block Diagram Of Steps In Credit Card Transaction Step1
Customer
Merchant Step5 Step 4
Step2 Step6
Acquirer
Step3
Issuing bank
Step3 Step6
Steps correspond to that given in previous 2 PPT’s 13.4.6
Systems Analysis And Design
© V. Rajaraman
72 of 92
Credit Card In E-commerce Main Problems 1. Main Problem is: if a merchant had only a web presence, a Customer needs to be reassured that the merchant is genuine. 2. Customers Signature cannot be physically verified.Customer needs electronic signature. 3. Secrecy of credit card number has to be ensured. 4. Dispute settlement mechanism must be worked out.
13.4.7
Systems Analysis And Design
© V. Rajaraman
73 of 92
Secure Electronic Transaction Protocol • •
Standardised credit card payments in e-commerce by major card companies such as Visa, MasterCard etc. To use SET protocol it is assumed that 1. Each party involved in e-commerce transaction has a public and private key.A public key encryption is used. 2. All parties have their public keys certified. 3. A standard hashing algorithm is used to create message digest for signature verification.
13.4.8
Systems Analysis And Design
© V. Rajaraman
74 of 92
Secure Electronic Transaction Protocol Main Features •
Customers credit card number is not revealed to a merchant. It is revealed only to the acquirer who authorises payment.
•
Purchase invoice details are not revealed to the acquirer.Only the credit card number and total amount are revealed to him
•
Purchase invoice + credit card number is digitally signed by the customer.In case of a dispute an arbitrator can use this to settle the dispute. (Computer protocol runs to 262 pages and may be found in www.ibm.com/redbook/SG244978)
13.4.9
Systems Analysis And Design
© V. Rajaraman
75 of 92
Secure Electronic Transaction Protocol DUAL SIGNATURE SCHEME • Dual signature scheme is an innovation in SET protocol Steps followed in the protocol are: 1. Customer purchase information has 3 parts (i) Purchase Order (PO) (ii) Credit Card Number(CCN) (iii) Amount to be paid 2. Merchant should know (PO + Amount)=POA 3. Acquirer should know (CCN+Amount)=CCA 13.4.10 Systems Analysis And Design
© V. Rajaraman
76 of 92
Secure Electronic Transaction Protocol 4. Hash POA using standard Hash algorithm such as RSA’s MD5.Call it POD. 5. Hash CCA using MD5. Call it CCD 6. Concatenate POD and CCD.Call it (POD||CCD) 7. Hash (POD||CCD) giving PPD
13.4.11 Systems Analysis And Design
© V. Rajaraman
77 of 92
Secure Electronic Transaction Protocol 8. PPD is encrypted using Private key of customer.This is customer’s digitally signed purchase order DS = Encrypt (PPD) with CPRK CPRK is Private key of customer. This is sent to merchant by customer.DS is called Dual Signature as a private key is used to sign two separate digests concatenated together. 9. POA separately encrypted by customer using merchant’s public key and sent to merchant 10. Merchant decrypts it using his private key.He thus gets Purchase order +Amount 13.4.12 Systems Analysis And Design
© V. Rajaraman
78 of 92
Secure Electronic Transaction Protocol 11. CCD and DS also sent to merchant. From CCD merchant cannot find CCN. 12. Merchant can decrypt DS using customer’s public key and get PPD. Customer must have a certified public key for verification. 13. Merchant can compute H(POD||CCD) If H(POD||CCD)=PPD,then customer’s signature is OK. 14. Merchant forwards to acquirer CCA,POD,DS each separately encrypted using acquirer’s public key. 13.4.13 Systems Analysis And Design
© V. Rajaraman
79 of 92
Secure Electronic Transaction Protocol 15. Acquirer’s forwards to bank. 16.Bank finds CCN and Amount.Verifies balance amount.Bank also verifies customer’s digital signature using CCD,POD and DS.If all OK acquirer is informed. 17. Acquirer OK’s transaction to merchant 18. Merchant supplies item.Gets payment from acquirer.Bank collects from customer.
13.4.14 Systems Analysis And Design
© V. Rajaraman
80 of 92
Dual Signature System To Merchant C U S T O M E R
P.O+Amount
POA
Hash
POD Concatenate
C.C No + Amount
CCA
Hash
CCD
Hash POD||CCD
To Bank
PPD
Encrypt
Private key Of customer CPRK
DS Dual signature
POA: (Purchase Order + Amount) POD: Purchase Order Digest CCA: (Credit card + Amount) CCD: (Credit card + Amount)Digest || : Concatenation operator which strings together POD and CCD PPD : Purchase Payment Digest CPRK: Private Key of Customer
13.4.15 Systems Analysis And Design
© V. Rajaraman
81 of 92
Secure Electronic Transaction Protocol - Step1 : [(POA)EM + (CCA)EB + CCD +DS] to Merchant - Step2 : Merchant sends [(CCA)EB + DS + POD] to Acquirer - Step3 : Acquirer sends (CCA)EB + DS +POD to Bank. - Bank finds (CC No. + amount) sees if OK Computes H(CCD||POD) Decrypts DS with customer’s public key If (DS)CPK = H(CCD || POD) Signature verified - Step4 : OK to acquirer if credit and signature OK - Step5 : Ok to Merchant Merchant finds H(H(POA) || CCD)=PPD Decrypts DS with public key of customer.If match signature verified. - Step6 : Sends delivery details - Step7 : Bill to customer 13.4.16 Systems Analysis And Design
© V. Rajaraman
82 of 92
Secure Electronic Transaction Protocol Merchant Step 1
Step2
Step5
Step6
Customer
Acquirer
Step3
Bank
Step4 Step 7
13.4.17 Systems Analysis And Design
© V. Rajaraman
83 of 92
Secure Electronic Transaction Protocol Step1: Customer fills Purchase order, amount and credit card number in his PC. A software in PC strips it into two parts Purchase Order + Amount (POA), Credit Card No. + Amount(CCA) POA is encrypted using merchants. Public key and CCA with bank’s public key.These are sent with customer’s public key certificates, CCD and DS. Merchant verifies DS. Step2: Merchant forwards to acquirer DS and CCD (These are encrypted using acquirer’s public key) Step3: Acquirer forwards to bank. Bank decrypts CCA with its private key.Checks validity of credit card and balance. If OK informs acquirer
13.4.18 Systems Analysis And Design
© V. Rajaraman
84 of 92
Secure Electronic Transaction Protocol Step4: Acquirer OK’s transaction to merchant and credits merchant's account. Step5: Merchant accepts customer’s order and proceeds to dispatch items. Step6: At the end of the month bank sends bill to customer. (All these done by clicks of mouse button)
13.4.19 Systems Analysis And Design
© V. Rajaraman
85 of 92
Electronic Cheque Payment •Most cheque based transactions will be between businesses -thus special hardware attached to PC’s for signing payments •Signature encrypted by hardware •All public keys of business partners authenticated by certifying agencies Steps in transaction 1 Purchaser sends purchase order and payment advice signed with his private key to vendor.He also sends his public key certificate encrypted with vendor's public key to vendor 2 Vendor decrypts with his private key, checks certificate and cheque, attaches deposit slip, encrypts with bank's public key and sends it to bank. he also sends his public key certificate 3 Bank checks signatures, credits and clears cheque 4 Credit advice goes to vendor,& consolidated debit advice sent to purchaser periodically 13.4.20 Systems Analysis And Design
© V. Rajaraman
86 of 92
Clearing Cheque Payment Electronically Purchaser
Vendor Order form
Signature Card
Signature Card Order
Debit Advice
Credit Advice
Cheque Signature Certificate
Deposit slip
Secure Envelope Purchaser’s Bank
Clearing House
Vendor’s Bank Deposit Cheque
13.4.21 Systems Analysis And Design
Cheque Signature Certificates Endorsement Certificate
© V. Rajaraman
87 of 92
Payments Of Small Amounts On Internet NETBILL'S PROPRIETARY SYSTEM •Customer charged only when information delivered •Vendor guaranteed payment when information delivered •Netbill is the intermediary MAJOR STEPS •When customer accepts quote for information, vendor sends encrypted information without key to customer •Payment order sent to vendor with checksum of information obtained. It is signed by customer •Vendor sends to NET BILL copy of purchase order and the key for decryption •NET BILL checks credit of customer. If ok it sends key to customer. Credits vendor account and debits customer account. Key sent to customer to decrypt information •Customer decrypts information 13.4.22 Systems Analysis And Design
© V. Rajaraman
88 of 92
Paying for Small Internet Transactions 1 2 3 4
Customer
1. 2. 3. 4. 5. 6. 7.
Request for information. Quote Order Encrypted Text Customer Bill+key Ok to vendor Key to customer
Customer’s Bank
Vendor 7
5
6 Net Bill’s Server
Credit in Account
Net Bill’s Server
13.4.23 Systems Analysis And Design
Batch Payment
© V. Rajaraman
Vendor’s Bank
89 of 92
Electronic Cash •Cash for small payments •Cash preserves anonymity •Cash should not be traceable We will discuss only traceable cash payments STEPS 1.Customer withdraws coins in various denominations signed by bank STRUCTURE------> serial no, denomination, signature of bank Bank stores issued coins copy 2.Customer pays vendor using signed coins 3.Bank checks whether it is current or spent 4.If current it authorises dispatch of goods and credits vendor account with electronic coins 13.4.24 Systems Analysis And Design
© V. Rajaraman
90 of 92
Electronic Cash(contd) • Cheaper than credit card transaction • DES normally used for these transaction as it is cheap and amounts involved is small
13.4.25 Systems Analysis And Design
© V. Rajaraman
91 of 92
Electronic Cash Payment Amt 10 5
ID 1568 6789
Signature
5
Customer
Vendor 2
86ABC 86ABC 1
4 Yes
3 OK?
Bank 1. 2. 3. 4. 5.
Withdraw Pay Check if OK Replying OK Accept order
13.4.26 Systems Analysis And Design
Spent Amt
. .
© V. Rajaraman
Coins ID
. .
92 of 92
MODULE 13
ELECTRONIC COMMERCE Contents
1. MOTIVATION AND LEARNING GOALS
2. LEARNING UNIT 1 What is E-Commerce?
3. LEARNING UNIT 2 Electronic Data Interchange 4. LEARNING UNIT 3 Security of E-Commerce 5. LEARNING UNIT 4 Payment in E-Commerce 6. REFERENCES
ELECTRONIC COMMERCE Motivation With the emergence of internet and the world wide web new methods of carrying out business transactions using the world wide web began to be explored. Electronic Commerce emerged as a very important application of the world wide web. Today it is difficult to find an isolated computer. Computers in an organization are interconnected to form intranets and Intranets of the cooperating organizations are interconnected to form extranet. It is cheaper and faster to carry out business transactions within an organization and among organizations electronically using the network connection. Thus it is important to understand how business transactions are carried out electronically reliably and securely. When designing information systems it is essential to understand the emerging web based transactions. A number of organizations are exploring how to carry out all day-to-day operations electronically using the intranet in a so-called paperless system. It is thus important for a student to understand how to design such systems.
Learning Goals At the end of this module you will know: The basics of Electronic Commerce abbreviated as e-commerce The advantages and disadvantages of e-commerce Architecture of e-commerce systems Electronic Data Interchange in e-commerce The need for security in e-commerce transactions and how to ensure it How Electronic payment schemes work in e-commerce.
LEARNING UNIT 1
What is E-Commerce?
DEFINITION Sharing business information, maintaining business relationships and conducting business transactions using computers connected to a telecommunication network is called E-Commerce CLASSIFICATION CLASSIFIED AS : BUSINESS TO BUSINESS (B2B) BUSINESS TO CUSTOMER (B2C) CUSTOMER TO CUSTOMER (C2C) E-commerce Applications-example •RETAIL STORES - Books, Music •AUCTION SITES •COOPERATING BUSINESSES –Placing orders, paying invoices etc. •ELECTRONIC BANKING •BOOKING TICKETS - TRAINS, CINEMA, AIRLINES •ELECTRONIC PUBLISHING •FILLING TAX RETURNS WITH GOVERNMENT DEPT.
Business To Business E-commerce
LAN of buisness2
Public switched telephone network
LAN of buisness1
PSTN or LEASED LINE Vendor Local computers
Purchase store accounts Local computers
• Local LAN of business would normally follow TCP/IP protocol of internet and is called corporate intranet • Purchase order entered by business1 in its PC and electronically dispatched to vendor (by e-mail) • Vendor acknowledges electronically the order • Vendor dispatches goods (physically) and delivery note electronically to business1 •Business 1 can compare delivery note against order -both are in computer readable form •Discrepancy note(if any) can be immediately sent to the vendor(business 2) •Business 1 can carry out all local transactions using its LAN •Local transactions are inventory update by stores - advice to accounts to pay for goods taken into stock • Accounts can make payment electronically to Vendor
Implementing B2B E-commerce-requirements 1.Agreed on formats for Purchase order, delivery note, payment order etc. Standard known as EDI (Electronic Data Interchange Standard) is used to send documents electronically. 2.Each Business must have corporate intranet and the two nets are connected by PSTN or leased line. 3.Transactions must be secure - particularly if PSTN is used. 4.Secure electronic payment methods are required.
Steps In B2C E-commerce 1. Customer uses a browser and locates vendor or he has vendor's web page address 2. Sees Vendor's web page listing of items available, prices etc 3. Customer selects item and places order. Order may include credit card details or may be cash on delivery 4. Vendor checks with credit card company customer’s credit 5. Credit card company OKs transaction 6. Vendor acknowledges Customer’s order and gives details of delivery date, mode of transport, cost etc 7. Vendor orders with distributor who ships item to vendor's warehouse from where item supplied to customer 8. Customer's credit card company debits his account, credits vendor's account and sends bill to customer for payment.
Customer to Customer E-Commerce
Customer 1
Customer 2
Internet
Wants to buy Item 1
Wants to sell Item 1 Broker’s website
•Advertises - "for sale" •Brings together buyer and seller •Transports items •Collects fee from both Seller &Buyer
Advantages Of E-commerce 1. Buying/selling a variety of goods and services from one's home or business 2. Anywhere, anytime transaction 3. Can look for lowest cost for specific goods or service 4. Businesses can reach out to worldwide clients - can establish business partnerships 5. Order processing cost reduced 6. Electronic funds transfer faster 7. Supply chain management is simpler, faster, and cheaper using ecommerce - Can order from several vendors and monitor supplies. - Production schedule and inventory of an organization can be inspected by cooperating supplier who can in-turn schedule their work.
Disadvantages Of E-commerce 1. Electronic data interchange using EDI is expensive for small businesses 2. Security of internet is not very good - viruses, hacker attacks can paralise e-commerce 3. Privacy of e-transactions is not guaranteed 4. E-commerce de-personalises shopping. People go shopping to meet others - window shop and bargain E-commerce System Architectures LOGICAL LAYERS Application layer
SERVICES IN LAYER B2B,B2C,C2C
Middleman services
Hosting services, value added nets payment services, Certificates
Secure messaging
Encryption, EDI, Firewalls
World wide web services
HTTP, HTML, XML, OLE Software agents
Logical network
Intranet, internet, extranet
Physical network
PSTN, LAN, Bridges, routers Layered architecture
LEARNING UNIT 2 Electronic Data Interchange •Computer readable forms for business documents such as invoices, purchase orders, delivery notes needed in B2B e-commerce so that edocuments can be exchanged. •Essential to eliminate manual data entry, which is error prone •Essential to agree on common formats for commonly used forms. •Electronic data interchange (EDI) standard gives specifications for commonly used standard business forms •Currently two standards are available for EDI forms •It is possible to adapt these standards for documents which use XML for specification. EDI Specification Defines several hundred transaction sets corresponding to each type of business document such as invoice, purchase order etc. Defines data segments - corresponding to groups of data elements such as purchase order line. Defines data elements - which are individual fields such as price, quantity etc EDI Standards •ANSI X.12 standard proposed by American National Standards Institute •EDIFACT (Electronic Data Interchange For Administration Commerce and Trade) standardized by United Nations Economic Commission for Europe for international trade •EDIFACT used in India for government transactions - customs, central excise etc. EDI Transactions in B2B E-commerce •Cooperating businesses agree on EDI standard. •Programs needed to translate data received in EDI format to a form needed by the application program. •Method of sending/receiving data between businesses to be agreed on - is it PSTN, Extranet or VAN (value added network) service? •Important to ensure reliable, guaranteed and secure receipt of electronic documents by intended receiver.
EDI Using Value Added Network Service VAN provides post box for all subscribers, guarantees delivery and is open 24 hours, 7 days a week. Provides security, acknowledgement, audit trails for transactions, non repudiation by users. Some VAN’S provide conversion of EDI forms to application format. Disadvantages are it has high cost, that may not be cost-effective for smaller businesses
EDI Using Internet Cheaper method for use by small business is to use XML for EDI and email, instead of VAN. Establish EDI form standard - XML appropriate – Document Type Definition (DTD) publicised using organization’s web page-cooperating business can use a DTD to interpret XML documents. Use MIME (multipurpose internet mail extension) to attach EDI forms to email messages. Can use Simple Mail Transfer Protocol (SMTP) of internet If secure transmission needed use S/MIME (Security enhanced MIME) which uses encryption and digital signature –(We will describe encryption and digital signature later in this module). If very long document or many documents are to be sent together File Transfer Protocol (FTP) may be more appropriate.
LEARNING UNIT 3
Security of E-Commerce Transactions between organizations take place in many e-commerce applications using the Internet. Internet is widely accessible and insecure as eavesdropping is possible. Hence, there is need to protect company confidential information from snoopers. We also need to protect a company's network from unauthorised entry. When an organization receives a message it has to be sure from whom it came and whether the message is authentic and not changed by an unauthorised person. We thus need a digital signature which can be used in a court of law. Network Security Using Firewall Firewall is a security device deployed at the boundary of an organization' s network to protect it from unauthorised external access. It links an organization's intranet to the internet and restricts the type of traffic that it will pass, thus providing security. Simple firewalls may be implemented in some routers, called packet filtering firewalls, they pass only some packets based on simple specified criteria such as -Type of access (such as email, ftp, telnet as determined by TCP port number) -Direction of traffic -Source or destination IP address -Time of day Proxy Application Gateway Proxy application program running on a firewall machine is the one which acts on behalf of all members of an organization wanting to use the internet. This program monitors all requests - allows access to only designated addresses outside, limits use of certain browsers and disallows use of some protocols with known security holes. Proxy application program may also be allowed to run on some user's machine who have authorization for internet use.
Hardened Firewalls With Proxy Application Gateway Any one from inside or outside an organization give their user id, password, service required to the firewall machine which acts as one's proxy (ie.does ones work on his behalf). Proxy firewall is now server to the requestor's desktop PC and also a client to some other requested service acting on requestor's behalf. Firewall needs proxy agent for each service requested such as FTP, HTTP, TELNET etc. Now proxy firewall is the initiator of all sessions and thus knows every activity - thus ensuring security. Firewall with a proxy function replaces the source address of transaction requestor with its own IP address -this ensures that others on internet see only firewall's IP address - all other IP addresses of organization are hidden Data Encryption With Secret Keys Data sent via a public network may be accessed and used by unauthorized persons. Thus it is necessary to scramble it so that even if one accesses it, it cannot be understood. Similarly data stored in data bases accessible via internet should be scrambled. Method of scrambling is known as encryption. Method of unscrambling is known as decryption. Plain Text And Ciphertext •Plain text is data in its natural form •Encryption is taking data in any form(Text, Audio,Video etc.) and transforming it to another form which cannot be understood •Transformed data is known as cryptogram or cipher text
Example Text Encryption
Start plaintext
THIS IS A MESSAGE X
Block plaintext (5character blocks)
THISI SAMES SAGEX
Transpose characters with
4Æ1
permutation (4 1 2 5 3)
STHII ESASM ESAXG
Substitute character by the one 4 letters away (eg AÆE,ZÆD)
WXLMM IWEWQ IXEBK
Cipher text This is an example of two transformations - permutation followed by substitution The keys are permutation function and substitution function
Symmetric Encryption PLAINTEXT (m1,m2…mn ) CIPHER TEXT (c1 c2, c3….cn )Where ci = k( Ti (mi) ) In which Ti is permutation of ith character and k is substitution. Decryption by applying same transformations in reverse on cipher text. This method called symmetric key encryption as encryption and decryption performed using same key. Normally the encryption/decryption algorithm is publicised. Only key is secret. Problem is to ensure secrecy of key when it is sent to partner. If the key is to be sent to many partners need for separate key for each partner. Directory of who was sent which key is to be kept and used for each transaction. Directory should be secure. If large number of partners are there key distribution becomes very difficult. Advantage of symmetric key is easy and fast to transform plain text to cipher text.
Digital Encryption Standard DES - Proposed by IBM in 1975 Standardised by US Govt in 1977 It is a combination of permutation and substitution on blocks of 64 bits. A message is broken up into 64 bit blocks and each block is separately encrypted.
#General idea used in DES M = PLAINTEXT 01101100 11011000 11011010 K = KEY 10101111 00101100 01011011 E= M⊕K 11000011 11110100 10000001 encryption M= E ⊕ K 01101100 11011000 11011010 decryption Digital Encryption Standard Algorithm Before applying DES the text is split up into the 64 bit blocks. DES applied on each 64 bit block. Encryption method Step 1: Apply an initial permutation on a block.Result is B=IP(P) where P is the 64 bit block IP Initial Permutation function and B the result. Step 2: Split B into 32 bit blocks Li = leftmost 32 bits Ri = rightmost 32 bits. Step 3: Pick a 56 bit key. Permute it Step 4: Left circular shift it by 1 bit giving K1. Step 5: Perform a complex sequence of operations and obtain X1 = F(R1,K1) (The complex set of operations include table look up and dropping bits). Step 6: Find R2 = L1 + X1 Step 7: Set L2 = R1 Repeat steps 2 to 7 16 times to get B16 = L16,R16 Step 8: Apply inverse of initial permutation on B16 The result is the encrypted block
In summary the DES encryption applies the following transformation 16 times. The ith round transformation are Li+1= Ri Ri+1= Li ⊕ F(Ri,Ki) Each round has a different key Ki For Decryption the process of encryption is reversed. The encrypted block is permuted using IP-1.On this transformations are applied starting with K16 and going to K1 last. The keys and F are same as those used in encryption process. The encryption process uses simple binary operations. They can thus be realised in hardware as an integrated circuit chip. DES chips are inexpensive. Key is externally fed.
Details of One Round of DES Encryption
DES Chip
64 Input block Key
DES CHIP
64
Encrypted Block
56
Observe that from initial key others are derived by circular shifts Decryption chip inputs encrypted block and key and the output is decrypted block
DES - Discussion Cryptananalysis is technique for breaking a code, given the samples of encrypted messages. If plain text also known it is somewhat easier. DES code can be broken if key is found. The easiest method of breaking a code is by brute force of trying out all possible keys to decrypt message. With increase in speed of computers it has now been shown that DES key can be found in less than 12 hrs with a fast computer (1 Million decryption per microsecond). Thus DES is practically useless now (original DES was invented in mid 70s). New more secure symmetric encryption algorithm is needed. An extension of DES called triple DES is shown to be more secure. Triple DES Triple DES uses three different keys and three executions of DES algorithm. The algorithm is Cipher text = Ek3 [Dk2 [Ek1 [Plain Text]]] where Ek[X] = DES Encryption of X using key K and Dk[X] = DES Decryption of X using key K Remember that in DES Decryption of encrypted plain text with a different key is almost same as another encryption. This is true as encryption and decryption use the same algorithm. To decrypt cipher text we reverse the operations. Plain text = Dk1[Ek2 [Dk3[Cipher Text]]]
BLOCK DIAGRAMS OF TRIPLE DES
K3
D
Cipher text (64bit block)
E
K1
D
E
Using DES thrice is equivalent to having a DES key length of 168 bits. Brute force method to break triple DES with 106 decrypts per micro second will take 5.9 X 10 30 years! Even at 1012 fold increase in computer speed will make triple DES secure against brute force attacks to break code The only reason D is used as middle step in triple DES is to allow decryption of data encrypted using single DES hardware. In this case K3=K2=K1 (Single key used) (See block diagram) Triple DES will be quite popular for a foreseeable future as it is very secure, can be realised by simple hardware. Triple DES has two disadvantages 1. It is slow to implement in software 2. It uses 64 bit blocks. Thus new standards were explored.
Plain text
Requirements of Symmetric Key Cryptography Algorithm(NIST) – Advanced Encryption System(AES) • National Institute for Standards Technology put out a call for proposals for new crypto system with following requirements. • Must provide a high level of security (i.e. difficult to decrypt in finite time) • Must be completely specified and easily understood. • Security must reside in key – Not in algorithm • Must be available for all users • Adaptable for use in diverse applications e.g.credit cards • Implementable economically in electronic devices • Must be efficient to use as both software and hardware • Must allow one to validate it. • Must be exportable • No trap door • Must use 128 blocks and key lengths of 128,192 or 256 bits depending on the level of security desired. • In October 2000 it announced the selection of an algorithm – called Rijin dael(Pronounce RAIN DOLL) as new Advance Encryption Standard (AES) •Details may be found in www.nist.gov/aes
Public Key Encryption In Private Key Encryption transmission of key without compromising not easy. It is necessary to assign different private key to each business partner. When this is done a directory of keys should be kept which should be secret. This is difficult. Only secure way is to change the private key every time a message is sent. Public Key Encryption eliminates the key distribution problem. There is a pair of keys for each organization - A Private Key and its Public Key. If A wants to send message to B, A encrypts the message with B's Public Key When message is received by B he decrypts it with his Private Key .
RSA Code Details.”R” Wants To Find His Public And Private Keys 1. Pick large primes p and q. Let n =p * q 2 Find ø = (p-l)*(q-l) 3 Find e relatively prime to Ø, i.e. gcd(ø,e)=1; 1<e<ø. {e,n} is R's Public Key 4 Find a number d which satisfies relation (d * e) mod (ø) =1 {d,n} is R’s Private key 5. Let plain text = t. Encrypt t using R’s public key. Encryption = te (mod n) = c (cipher text) 6.Decryption cd (mod n) =t (Both n and e should be known to encrypt. Similarly both n and d should be known to decrypt) Example Of RSA Use This example is a toy example to illustrate the method. In practice the primes p and q will be very large – each at least 300 digits long to ensure security. RSA Algorithm 1.Pick as prime numbers p=3,q=11 n = p * q=33 Note : The message to be encrypted should be smaller than 33.If we do letter by letter encryption of English alphabets (A to Z as 1 to 26) this is OK 2. Ø = (p-1) x (q-1) = 2 x 10 = 20 3.Pick a number relatively prime to 20. We pick 7. The Public key of R = {7,33} 4.To pick private key of R find d from relation (d x e)mod(ø) = 1 (d x 7) mod (20) =1 This gives d =3 Therefore, the private key of R = {3,33}
Applying RSA Algorithm 1.Let the message be CODE If we use code C=3, O=14,D=4,E=5 The message is 3,14,4,5 2.We will encrypt one letter at a time Thus cipher of plain text 3 is 3e mod (n) =37 mod(33) 37 mod (33) =2187 mod (33)=9 (14)7 mod (33) = 105413504mod(33)=20 (4)7 mod (33) =16384 mod (33) =16 (5)7 mod (33) =78125 mod(33) = 14 3.Thus cipher text = 9,20,16,14 4. Decryption : cd mod (n) d=3,n=33 93 mod (33) = 729 mod(33) = 3 203 mod(33) = 8000 mod(33)=14 163 mod(33) = 4096 mod(33) =4 143 mod(33) = 2744 mod(33) =5 We see that we get the original text 3,14,4,5
Discussion on RSA • The security RSA encryption is dependent on the fact that factorising a large prime number to its factors is very difficult. • RSA algorithm is symmetric. In other words if a plain text is encoded by the private key of S, the sender, it can be decrypted using the public key of R, the receiver (We will find later that this symmetry property is used in creating digital signature) •Example using S’s keys S’s Private key = {3,33} S’s Public key = {7,33} • If we encrypt a plain text using S’s private key and send it to R,R must be able to decrypt it with S’s public key. •Assume Plain text is encrypted with S’s private key and get cipher text = (14)3 mod (33)=5 •Decrypting with S’s Public key we get (5)7 mod (33) =78125 mod(33) ={(2367 x 33) + 14} mod (33) =14
DISCUSSION – RSA Vs DES •RSA Public key has two keys – a private secret key and a public open key. •RSA implemented as a program (software) It is computationally complex to encode plain text and decode cipher text using RSA •DES Same key for encryption and decryption. It is a single key system Also called symmetric key system •DES computationally simple-implemented in hardware - thus very fast •Each communication between two businesses can use a different key – provided key is securely exchanged •If key can be sent separately encrypted using RSA, then a recipient can use this to decrypt DES encrypted message.
Combining RSA And DES
Advantages: • Key is sent along with the plain text. Encrypted using RSA • Key is small-fast to encrypt/decrypt • Each transaction using DES can have a different key- higher security and also fast.Key directory not needed.
Digital Signature REQUIREMENTS •Needed to ensure that a message received from say "A" is indeed from him •Signature should be tied to the message sent by "A" SENDING STEP •Sender sends key using RSA system •Sender sends plain text "M" using DES •Receiver decrypts cipher text using DES and the key received from sender call it "MR" •Sender hashes plain text "M' using a hashing function - let the hashed text be "H" •Hashed text "H" encrypted by sender using his Private key •DS is his signature as H encrypted with his private key •DS decrypted by receiver using sender's Public key and obtains "H" Authentication step •Receiver hashes “MR" using hash function and gets “HR" •Receiver compares “H" with “HR" •If they match then it is a signed authenticated plain text •TM is signed as sender has encrypted the hashed text using his private key which he only knows.If H=(MR)(HASHED) = HR where MR is the received message then MR must have been sent by sender. He cannot repudiate.
Signing A Message Using Digital Signature
Certificate Authority For Digital Signature •As the hashed message in Digital Signature system is decrypted using senders public key, this key must be certified as belonging to sender by an independent authority •Certification needed to ensure authenticity of public keys of organizations as public key is used to verify signature •Certification authority keeps data base of public keys of organizations participating in e-commerce after verifying their credentials. •Potential business partners can authenticate public keys by sending request to certifying authority who certifies after receiving a fee for his services
LEARNING UNIT 4
Payment in E-Commerce In any commercial transaction payment is an integral part for goods supplied. Four types of payments may be made in e-commerce they are •Credit card payments •Electronic cheque payments •Micro or small payments for internet based services such as music download. •Electronic-cash payments Each of these requires a different system of payment.
Review Of Manual Credit Card Payment Four parties are invoked in credit card payments. They are: • Customer having a credit card • Merchant accepting credit cards (such as VISA, MASTER CARD etc) • Bank which issues credit cards to customers and collects payments from customers •Acquirer which is financial institution that establishes an account with a merchant, validates credit card information sent electronically by merchant and authorises sale based on customer’s credit status. Acquirer accepts credit cards of several card companies and guarantees payment to merchants. Acquirer gets reimbursed by bank issuing credit card.
Sequence Of Transactions In Manual Credit Card Payment Step 1: Customer presents credit card after purchase. Merchant swipes it on his special phone and enters amount Step 2: Data from merchant’s terminal goes to acquirer via a private telephone line Step 3: Acquirer checks with the issuing bank validity of card and creditavailable Step 4: Acquirer authorizes sale if all OK and sends approval slip which is printed at merchant’s terminal. Step 5: Merchant takes customer’s signature on the slip-verifies it with the signature on card and delivers the goods. Step 6: The acquirer pays the money to merchant and collects it from the appropriate issuing bank. The bank sends monthly statement to customer and collects outstanding amount.
Block Diagram Of Steps In Credit Card Transaction
Credit Card In E-commerce Main Problems 1.Main Problem is: if a merchant had only a web presence, a Customer needs to be reassured that the merchant is genuine. 2.Customers Signature cannot be physically verified. Customer needs electronic signature. 3.Secrecy of credit card number has to be ensured. 4.Dispute settlement mechanism must be worked out.
Secure Electronic Transaction Protocol To use SET protocol it is assumed that 1. Each party involved in e-commerce transaction has a public and private key.A public key encryption is used. 2. All parties have their public keys certified. 3. A standard hashing algorithm is used to create message digest for signature verification. Main Features •Customers credit card number is not revealed to a merchant. It is revealed only to the acquirer who authorises payment. •Purchase invoice details are not revealed to the acquirer.Only the credit card number and total amount are revealed to him •Purchase invoice + credit card number is digitally signed by the customer.In case of a dispute an arbitrator can use this to settle the dispute. (Computer protocol runs to 262 pages and may be found in www.ibm.com/redbook/SG244978) DUAL SIGNATURE SCHEME Dual signature scheme is an innovation in SET protocol Steps followed in the protocol are: 1. Customer purchase information has 3 parts (i) Purchase Order (PO) (ii) Credit Card Number (CCN) (iii) Amount to be paid 2. Merchant should know (PO + Amount)=POA 3. Acquirer should know (CCN+Amount)=CCA 4. Hash POA using standard Hash algorithm such as RSA’s MD5. Call it POD. 5. Hash CCA using MD5. Call it CCD
6. Concatenate POD and CCD. Call it (POD||CCD) 7. Hash (POD||CCD) giving PPD 8. PPD is encrypted using Private key of customer. This is customer’s digitally signed purchase order DS = Encrypt (PPD) with CPRK CPRK is Private key of customer. This is sent to merchant by customer. DS is called Dual Signature as a private key is used to sign two separate digests concatenated together. 9. POA separately encrypted by customer using merchant’s public key and sent to merchant 10. Merchant decrypts it using his private key. He thus gets Purchase order +Amount. He can hash it and get POD 11. CCD and DS also sent to merchant. From CCD merchant cannot find CCN. 12. Merchant can decrypt DS using customer’s public key and get PPD. Customer must have a certified public key for verification. 13. Merchant can compute H(POD||CCD) If H(POD||CCD)=PPD,then customer’s signature is OK. 14. Merchant forwards to acquirer CCA,POD,DS each separately encrypted using acquirer’s public key. 15. Acquirer’s forwards to bank. 16.Bank finds CCN and Amount.Verifies balance amount.Bank also verifies customer’s digital signature using CCD,POD and DS.If all OK acquirer is informed. 17. Acquirer OK’s transaction to merchant 18. Merchant supplies item.Gets payment from acquirer.Bank collects from customer.
Dual Signature System
EM: Public key of Merchant EB: Public key of bank (POA) EM is encrypted value with merchant’s public key POA: (Purchase Order + Amount) POD: Purchase Order Digest CCA: (Credit card + Amount) CCD: (Credit card + Amount)Digest || : Concatenation operator which strings together POD and CCD PPD : Purchase Payment Digest CPRK: Private Key of Customer, CPK: Public Key of customer - Step1 : [(POA)EM , (CCA)EB , CCD ,DS] to Merchant - Step2 : Merchant sends [(CCA)EB , DS , POD] to Acquirer - Step3 : Acquirer sends (CCA)EB + DS +POD to Bank. - Bank finds (CC No. + amount) using its private key sees if OK Computes H(CCD||POD) Decrypts DS with customer’s public key If (DS)CPK = H(CCD || POD) Signature verified - Step4 : OK to acquirer if credit and signature OK - Step5 : Ok to Merchant Merchant finds H(H(POA) || CCD)=PPD Decrypts DS with public key of customer. If it gives PPD signature verified. - Step6 : Sends delivery details - Step7 : Bill to customer
Step1: Customer fills Purchase order, amount and credit card number in his PC. A software in PC strips it into two parts Purchase Order + Amount (POA), Credit Card No. + Amount(CCA) POA is encrypted using merchant’s public key and CCA with bank’s public key.These are sent with customer’s public key certificates, CCD and DS. Merchant verifies DS. Step2: Merchant forwards to acquirer DS and CCD (These are encrypted using acquirer’s public key) Step3: Acquirer forwards to bank. Bank decrypts CCA with its private key.Checks validity of credit card and balance. If OK informs acquirer Step4: Acquirer OK’s transaction to merchant and credits merchant's account. Step5: Merchant accepts customer’s order and proceeds to dispatch items. Step6: At the end of the month bank sends bill to customer. (All these done by clicks of mouse button)
Electronic Cheque Payment Most cheque based transactions will be between businesses -thus a special hardware is attached to PC’s for signing payments. Signature is encrypted by hardware. All public keys of business partners authenticated by certifying agencies. Steps in transaction 1. Purchaser sends purchase order and payment advice signed with his private key to vendor.He also sends his public key certificate encrypted with vendor's public key to vendor 2. Vendor decrypts with his private key, checks certificate and cheque, attaches deposit slip, encrypts with bank's public key and sends it to bank. he also sends his public key certificate 3. Bank checks signatures, credits and clears cheque. Credit advice goes to vendor, and consolidated debit advice sent to purchaser periodically Clearing Cheque Payment Electronically
Payments Of Small Amounts On Internet NETBILL'S PROPRIETARY SYSTEM •Customer charged only when information delivered •Vendor guaranteed payment when information delivered •Netbill is the intermediary MAJOR STEPS •When customer accepts quote for information, vendor sends encrypted information without key to customer •Payment order sent to vendor with checksum of information obtained. It is signed by customer •Vendor sends to NET BILL copy of purchase order and the key for decryption •NET BILL checks credit of customer. If ok it sends key to customer. Credits vendor account and debits customer account. Key sent to customer to decrypt information •Customer decrypts information Paying for Small Internet Transactions
Electronic Cash •Cash for small payments •Cash preserves anonymity •Cash should not be traceable •Cheaper than credit card transaction •DES normally used for these transaction as it is cheap and amount involved is small Traceable cash payments STEPS 1.Customer withdraws coins in various denominations signed by bank STRUCTURE------> serial no, denomination, signature of bank Bank stores issued coins copy 2.Customer pays vendor using signed coins 3.Bank checks whether it is current or spent 4.If current it authorises dispatch of goods and credits vendor account with electronic coins
Electronic Cash Payment
REFERENCES 1. Most of the material in this chapter are taken from Chapter 16, Electronic Commerce of the book Analysis and Design of Information Systems (2nd edition) by V.Rajaraman, Prentice-Hall of India, New Delhi,2004 2. There are many books on E-Commerce, which describe E-Commerce in detail. Among these are: E.Awad, Electronic Commerce, Prentice-Hall of India, New Delhi 2002.This book takes managers perspective and not very strong on technology aspects of E-Commerce. All the examples have a strong American bias as the book is primarily intended for students in America. The language is clear but the book is verbose. What can be said in 100 pages is said in 400 pages as it includes all kinds of gossip not relevant to students wanting the learn the subject. 3. D.Minoli and E.Minoli, Web Commerce Technology Handbook, Tata McGraw-Hill, New Delhi, 1999.This book is strong in technology and has wide coverage. 4. W. Stallings, Network Security Essentials, Pearson Education Asia, New Delhi,2001. Has good presentation on DES, Triple DES, RSA and SET protocol. 5. Most traditional Systems Analysis and Design book such as the one by Kendall and Kendall do not separately discuss E-Commerce, they have a cursory treatment at various places in the book.
System Analysis and Design/Electronic Commerce
13.1
Multiple Choice Questions
By Electronic Commerce we mean: a. Commerce of electronic goods b. Commerce which depends on electronics c. Commerce which is based on the use of internet d. Commerce which is based on transactions using computers connected by telecommunication network
13.2 For carrying out B2B e-Commerce the following infrastructure is essential: (i) World Wide Web (ii) Corporate network (iii) Electronic Data Interchange standards (iv) Secure Payment Services (v)Secure electronic communication link connecting businesses a. i, ii, iii b. ii, iii, iv c. ii, iii, iv, v d. i, ii, iii, iv, v 13.3 For carrying out B2C e-Commerce the following infrastructure is essential (i) World Wide Web (ii) Corporate network (iii) Electronic Data Interchange standards (iv) Secure Payment Services (v) Secure electronic communication link connecting businesses a. i, iv b. i, iii, iv c. ii, iii d. i, ii, iii, iv 13.4 For carrying out C2C e-Commerce the following infrastructure is essential (i) World Wide Web (ii) Corporate network (iii) Electronic Data Interchange standards V. Rajaraman/IISc. Bangalore
M13/V1/July 04/1
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
(iv) Secure Payment Services (v)Secure electronic communication link connecting businesses a. i and ii b. ii and iv c. i and iii d. i and iv 13.5 Advantages of B2C commerce are (i) Business gets a wide reach to customers (ii) Payment for services easy (iii)Shop can be open 24 hours a day seven days a week (iv)Privacy of transaction always maintained a. i and ii b. ii and iii c. i and iii d. iii and iv 13.6 B2C commerce a. includes services such as legal advice b. means only shopping for physical goods c. means only customers should approach customers to sell d. means only customers should approach business to buy 13.7 Advantages of B2C commerce to customers are (i)wide variety of goods can be accessed and comparative prices can be found (ii) shopping can be done at any time (iii)privacy of transactions can be guaranteed (iv)security of transactions can be guaranteed a. i and ii b. ii and iii c. iii and iv d. i and iv
V. Rajaraman/IISc. Bangalore
M13/V1/July 04/2
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
13.8 Disadvantages of e-Commerce in India are (i) internet access is not universally available (ii) Credit card payment security is not yet guaranteed (iii) Transactions are de-personalized and human contact is missing (iv) Cyberlaws are not in place a. i and ii b. ii and iii c. i, ii, iii d. i, ii, iii, iv 13.9 Electronic Data Interchange is necessary in a. B2C e-Commerce b. C2C e-Commerce c. B2B e-Commerce d. Commerce using internet 13.10 EDI requires a. representation of common business documents in computer readable forms b. data entry operators by receivers c. special value added networks d. special hardware at co-operating Business premises 13.11 EDI standards are a. not universally available b. essential for B2B commerce c. not required for B2B commerce d. still being evolved 13.12 EDIFACT is a standard a. for representing business forms used in e-Commerce b. for e-mail transaction for e-Commerce c. for ftp in e-Commerce d. protocol used in e-Commerce 13.13 EDIFACT standard was developed by a. American National Standard Institute V. Rajaraman/IISc. Bangalore
M13/V1/July 04/3
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
b. International Standard Institute c. European Common Market d. United Nations Economic Commission for Europe 13.14
ANSI X.12 is a standard developed by a. American National Standard Institute b. International Standard Institute c. European Common Market d. United Nations Economic Commission for Europe
13.15 In B2B e-Commerce (i)
Co-operating Business should give an EDI standard to be used
(ii)
Programs must be developed to translate EDI forms to a form accepted by application program
(iii) Method of transmitting/receiving data should be mutually agreed (iv) It is essential to use internet a. i, ii b. i, ii, iii c. i, ii, iii, iv d. ii, iii, iv 13.16 EDI use a. requires an extranet b. requires value added network c. can be done on internet d. requires a corporate intranet 13.17 EDI over internet uses a. MIME to attach EDI forms to e-mail messages b. FTP to send business forms c. HTTP to send business forms d. SGML to send business forms 13.18 For secure EDI transmission on internet a. MIME is used b. S/MIME is used V. Rajaraman/IISc. Bangalore
M13/V1/July 04/4
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
c. PGP is used d. TCP/IP is used 13.19 EDI standard a. is not easily available b. defines several hundred transaction sets for various business forms c. is not popular d. defines only a transmission protocol 13.20 By security in e-Commerce we mean (i) Protecting an organization’s data resource from unauthorized access (ii)Preventing disasters from happening (iii) Authenticating messages received by an organization (iv) Protecting messages sent on the internet from being read and understood by unauthorized persons/organizations a. i, ii b. ii, iii c. iii, iv d. i, iii, iv 13.21 A firewall is a a. wall built to prevent fires from damaging a corporate intranet b. security device deployed at the boundary of a company to prevent unauthorized physical access c. security device deployed at the boundary of a corporate intranet to protect it from unauthorized access d. device to prevent all accesses from the internet to the corporate intranet 13.22 A firewall may be implemented in a. routers which connect intranet to internet b. bridges used in an intranet c. expensive modem d. user’s application programs 13.23 Firewall as part of a router program a. filters only packets coming from internet V. Rajaraman/IISc. Bangalore
M13/V1/July 04/5
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
b. filters only packets going to internet c. filters packets travelling from and to the intranet from the internet d. ensures rapid traffic of packets for speedy e-Commerce 13.24 Filtering of packets by firewall based on a router has facilities to a. i, iii b. i, ii, iii c. i, ii, iii, iv d. ii, iii, iv 13.25 Main function of proxy application gateway firewall is a. to allow corporate users to use efficiently all internet services b. to allow intranet users to securely use specified internet services c. to allow corporate users to use all internet services d. to prevent corporate users from using internet services 13.26 Proxy application gateway (i) acts on behalf of all intranet users wanting to access interne securely (ii)monitors all accesses to internet and allows access to only specified IP addresses (iii) disallows use of certain protocols with security problems (iv) disallows all internet users from accessing intranet a. i, ii b. i, ii, iii c. i, ii, iii, iv d. ii, iii, iv 13.27 A hardened firewall host on an intranet (i) has a proxy application gateway program running on it (ii)Allows specified internet users to access specified services in the intranet (iii) Initiates all internet activities requested by clients and monitors them (iv) prevents outsiders from accessing IP addresses within the intranet a. i, ii b. i, ii, iii c. i, ii, iii, iv d. ii, iii, iv V. Rajaraman/IISc. Bangalore
M13/V1/July 04/6
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
13.28 A hardened firewall host on an Intranet is a. a software which runs in any of the computers in the intranet b. a software which runs on a special reserved computer on the intranet c. a stripped down computer connected to the intranet d. a mainframe connected to the intranet to ensure security 13.29 By encryption of a text we mean a. compressing it b. expanding it c. scrambling it to preserve its security d. hashing it 13.30 Encryption is required to (i) protect business information from eavesdropping when it is transmitted on internet (ii)efficiently use the bandwidth available in PSTN (iii) to protect information stored in companies’ databases from retrieval (iv) to preserve secrecy of information stored in databases if an unauthorized person retrieves it a. i and ii b. ii and iii c. iii and iv d. i and iv 13.31 Encryption can be done a. only on textual data b. only on ASCII coded data c. on any bit string d. only on mnemonic data 13.32
By applying permutation (31254) and substitution by 5 characters away
from current character (A Æ F , B Æ G etc..) the following string ABRACADABRA becomes a. FGWCAAADRBF b. RABCAAADRBF c. WFGHFFFIWGF V. Rajaraman/IISc. Bangalore
M13/V1/July 04/7
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
d. None of the above 13.33 The following ciphertext was received. The plaintext was permuted using permutation (34152) and substitution. Substitute character by character +3 (A Æ D, etc). The plain text after decryption is: Cipher text : PDLJDLXHVQC a. MAIGAIUESNZ b. IAMAGENIUSZ c. LDPDJHPLXVZ d. IAMAGENIUSC 13.34 By symmetric key encryption we mean a. one private key is used for both encryption and decryption b. private and public key used are symmetric c. only public keys are used for encryption d. only symmetric key is used for encryption 13.35 The acronym DES stands for a. Digital Evaluation System b. Digital Encryption Standard c. Digital Encryption System d. Double Encryption Standard 13.36 DES works by using a. permutation and substitution on 64 bit blocks of plain text b. only permutations on blocks of 128 bits c. exclusive ORing key bits with 64 bit blocks d. 4 rounds of substitution on 64 bit blocks with 56 bit keys 13.37 DES (i) is a symmetric key encryption method (ii)guarantees absolute security (iii) is implementable as hardware VLSI chip (iv) is a public key encryption method a. i and ii b. ii and iii V. Rajaraman/IISc. Bangalore
M13/V1/July 04/8
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
c. i and iii d. iii and iv 13.38 DES using 56 bit keys a. Cannot be broken in reasonable time using presently available computers b. Can be broken only if the algorithm is known using even slow computers. c. Can be broken with presently available high performance computers. d. It is impossible to break ever. 13.39 Triple DES uses a. 168 bit keys on 64-bit blocks of plain text b.
Working on 64-bit blocks of plain text and 56 bit keys by applying DES algorithm for three rounds.
c.
Works with 144 bit blocks of plain text and applies DES algorithm once.
d.
Uses 128 bit blocks of plain text and 112 bit keys and apply DES algorithm thrice.
13.40 ripple DES a. Cannot be broken in reasonable time using presently available computers. b. Can be broken only if the algorithm is known using even slow computer. c. Can be broken with presently available high performance computers. d. It is impossible to break ever. 13.41
Triple DES a.
is a symmetric key encryption method
b. guarantees excellent security c. is implementable as a hardware VLSI chip d. is public key encryption method with three keys. 13.42 Public key encryption method is a system a. which uses a set of public keys one for each participant in e-Commerce b. in which each person who wants to communicate has two keys; a private key known to him only and a public key which is publicized to enable others to send message to him. c. which uses the RSA coding system. d. which is a standard for use in e-Commerce. V. Rajaraman/IISc. Bangalore
M13/V1/July 04/9
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
13.43 Public key system is useful because a. it uses two keys. b. there is no key distribution problem as public key can be kept in a commonly accessible database. c. private key can be kept secret. d. it is a symmetric key system. 13.44 In public key encryption if A wants to send an encrypted message a. A encrypts message using his private key b. A encrypts message using B’s private key c. A encrypts message using B’s public key d. A encrypts message using his public key 13.45 In public key encryption system if A encrypts a message using his private key and sends it to B a. if B knows it is from A he can decrypt it using A’s public key b. Even if B knows who sent the message it cannot be decrypted c. It cannot be decrypted at all as no one knows A’s private key d. A should send his public key with the message 13.46 Message can be sent more securely using DES by a. encrypting plain text by a different randomly selected key for each transmission b. encrypting plain text by a different random key for each message transmission and sending the key to the receiver using a public key system c. using an algorithm to implement DES instead of using hardware d. designing DES with high security and not publicizing algorithm used by it 13.47 DES and public key algorithm are combined (i) to speed up encrypted message transmission (ii)to ensure higher security by using different key for each transmission (iii) as a combination is always better than individual system (iv) as it is required in e-Commerce a. i and ii b. ii and iii V. Rajaraman/IISc. Bangalore
M13/V1/July 04/10
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
c. iii and iv d. i and iv 13.48 A digital signature is a. a bit string giving identity of a correspondent b. a unique identification of a sender c. an authentication of an electronic record by tying it uniquely to a key only a sender knows d. an encrypted signature of a sender 13.49
A digital signature is required
(i) to tie an electronic message to the sender’s identity (ii)for non repudiation of communication by a sender (iii) to prove that a message was sent by the sender in a court of law (iv) in all e-mail transactions a. i and ii b. i, ii, iii c. i, ii, iii, iv d. ii, iii, iv 13.50
A hashing function for digital signature
(i) must give a hashed message which is shorter than the original message (ii)must be hardware implementable (iii) two different messages should not give the same hashed message (iv) is not essential for implementing digital signature a. i and ii b. ii and iii c. i and iii d. iii and iv 13.51 Hashed message is signed by a sender using a. his public key b. his private key c. receiver’s public key d. receiver’s private key V. Rajaraman/IISc. Bangalore
M13/V1/July 04/11
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
13.52 While sending a signed message, a sender a. sends message key using public key encryption using DES and hashed message using public key encryption b. sends message using public key encryption and hashed message using DES c.
sends both message and hashed message using DES
d. sends both message and hashed message using public key encryption 13.53 The responsibility of a certification authority for digital signature is to authenticate the a. hash function used b. private keys of subscribers c. public keys of subscribers d. key used in DES 13.54 Certification of Digital signature by an independent authority is needed because a. it is safe b. it gives confidence to a business c. the authority checks and assures customers that the public key indeed belongs to the business which claims its ownership d. private key claimed by a sender may not be actually his 13.55 The Secure Electronic Transaction protocol is used for a. credit card payment b. cheque payment c. electronic cash payments d. payment of small amounts for internet services 13.56 In SET protocol a customer encrypts credit card number using a. his private key b. bank’s public key c. bank’s private key d. merchant’s public key 13.57 In SET protocol a customer sends a purchase order V. Rajaraman/IISc. Bangalore
M13/V1/July 04/12
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
a. encrypted with his public key b. in plain text form c. encrypted using Bank’s public key d. using digital Signature system 13.58 One of the problems with using SET protocol is a. the merchant’s risk is high as he accepts encrypted credit card b. the credit card company should check digital signature c. the bank has to keep a database of the public keys of all customers d. the bank has to keep a database of digital signatures of all customers 13.59 The bank has to have the public keys of all customers in SET protocol as it has to a. check the digital signature of customers b. communicate with merchants c. communicate with merchants credit card company d. certify their keys 13.60 In electronic cheque payments developed, it is assumed that most of the transactions will be a. customers to customers b. customers to business c. business to business d. banks to banks 13.61 In cheque payment protocol, the purchase order form is signed by purchaser using a. his public key b. his private key c. his private key using his signature hardware d. various public keys 13.62 In the NetBill’s protocol for small payments for services available in the internet. (i) the customer is charged only when the information is delivered (ii)the vendor is guaranteed payment when information is delivered V. Rajaraman/IISc. Bangalore
M13/V1/July 04/13
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
(iii) the customer must have a certified credit card (iv) the customer must have a valid public key a. i, ii b. i, ii, iii c. i, ii, iii, iv d. i, ii, iv 13.63 In NetBill’s protocol for small payments for internet services (i) Key to decrypt information is sent to customer by NetBill only when there is enough amount in debit account (ii) The vendor supplies the key to NetBill server when he receives payment (iii) Checksum of encrypted information received by customer is attached to his payment order (iv) Vendor does not encrypt information purchased by customer a. i, ii b. i, ii, iii c. i, ii, iii, iv d. i, ii, iv 13.64 In Electronic cash payment a. a debit card payment system is used b. a customer buys several electronic coins which are digitally signed by coin issuing bank c. a credit card payment system is used d. RSA cryptography is used in the transactions 13.65 In Electronic cash payment (i) a customer withdraws “coins” in various denominations signed by the bank (ii)the bank has a database of issued coins (iii) the bank has a database of spent coins (iv) the bank cannot trace a customer a. i, ii b. i, ii, iii c. i, ii, iii, iv d. ii, iii, iv
V. Rajaraman/IISc. Bangalore
M13/V1/July 04/14
System Analysis and Design/Electronic Commerce
Multiple Choice Questions
Key to Objective Questions 13.1
d
13.2 c
13.3
a 13.4
c 13.5
c 13.6
a
13.7
a
13.8 c
13.9
c 13.10
a 13.11
b 13.12
a
13.13
d
13.19 b
13.14a 13.20 d
13.25 b
13.26 b
13.31 c
13.32 c
13.37 c
13.38 c
13.44 c
13.45 a
c
13.51
13.55 13.61 c
a
13.15
b 13.56 b 13.62 d
b
13.21 13.27
c c
13.33 b 13.39 b
13.16 c 13.22 a
13.17
a
13.18 b
13.23
c
13.24 b
13.28 b
13.29 c
13.30 d
13.34 a
13.35 b
13.36 a
13.40 a
13.41 b
13.46b
13.47 a
13.48 c
13.52 a
13.53 c
13.54 c
13.58 c
13.59
13.57 13.63
V. Rajaraman/IISc. Bangalore
d b
13.64 b
13.42 b
13.43
13.49 b
a
13.60
b 13.50
c
13.65 b
M13/V1/July 04/15
MODULE 13
ELECTRONIC COMMERCE WORKED EXAMPLES
13.1 Explain B2B e-Commerce using an example of a book distributor who stocks a large number of books, which he distributes via a large network of book sellers. Assume that the distributor has stocks of books of a large number of publishers and book sellers order books as and when their stock is low. Distributors give 1 month’s time to booksellers for payment
Warehouse of Bookseller
Book Received(6)
Distributor’s warehouse
Reminder if bill not paid within one month (14) Acknowledge order and send bill(5) Enquire Availability (2) Distributor’s Bookseller website
Stock goes below level(1)
Display various books(3) Places order (4) Send cheque(7) Receipt to Book supplied to seller(13) bookseller (6)
Distributor’s bank
Cheque sent Ok’s after verification of Cheque seller’s public (11) key certificates (8)
Send cheque for clearance (9) Credit to distributor’s bank A/C (13)
Ok’s clearance (10)
Book seller’s bank
Information flow (Normally electronically) Physical item flows
Clearing house
Debit advice to book seller’s bank (12)
13.2 Explain B2C e-Commerce of a customer reserving airline tickets from his home or place of work. B2C e-Commerce involves the business between an individual and an organization. For the case given in question, the customer has to visit the site of the travel agency or a broker and get the status of the availability of tickets. If ticket is available he/she will book the ticket and input the credit card details. He/She will be given the details of delivery of ticket. The block diagram below depicts the total process
(8) Acknowledge order and sends ticket (1) Request Service Website of travel agency
Customer (2) Display information on various flights
(8) Bill to Customer
(3) Places order with credit card details
Travel agency’s bank A/C
(5) Ok’s Credit (4) Credit card card details
Credit Card companies computer (7) Debit advice giving credit card no
(8) Credit to travel agency’s A/C Customer’s Bank
13.3
Explain C2C e-Commerce with an appropriate example Here the selling and purchasing is carried out between two individuals. One is a seller and the other is a buyer. The items are usually used items, collector’s items such as stamps/coins or antiques. The seller posts the description of the item and the expected price of the item on a web site maintained by a company which acts as a middle man or broker. For example: Consider a company Y which acts as a broker. Suppose an indivi-dual A has to sell some items, so it will post the description of the items in Y’s site. A person B is interested to purchase some items, then he/she will visit Y’s site. Here we can have three cases. Case I: The broker Y can just acts as an advertising agency and make the two persons meet each other and carry out further transaction. For this it gets some commission from both the parties. This is described in the block diagram below:
Negotiations are made and deal is finalized (5) Places order (6) Send the mail id of A(4)
Request for items (3) Website of Y
B
Display items (2)
Post Description of items (1) A
Case II: The broker Y can act as an advertising agency, make the two persons negotiate the price. Then Y takes all responsibilities until the item is delivered. For this it gets some commission from both the parties. This is described in the block diagram below: Negotiations are made and deal is finalized (5)
Places order with credit card details(7)
Pays the amount received after taking commission(13)
Send the mail id of A(4) Communication regarding the price settled (6) Request for items (3)
Post Description of items (1)
Website of Y
B
Display items (2)
A
Acknowledge order (10)
Send credit card details (8)
Y’s Bank A/C
Bill sent to B(12)
Shiping Advice (11)
Credit to Y’s A/C (11)
Ok’s credift card(9)
Credit Card companies computer Debit advice giving Credit card no (9) B’s bank
Items delivered to B (11)
Y’s warehouse
Information flow (Normally electronically) Physical items flow
Case III: The broker Y can act as an advertising agency and displays items posted by the seller with prices. Both the buyer and seller will not have knowledge of each other. Y takes all responsibilities until the item is delivered. For this he gets some commission from both the parties. This is described in the block diagram below:
Places order with credit card details(4)
Pays the amount received after taking commission(12)
Request for items (3)
Post Description of items (1)
Website of Y
B
Display items (2)
A
Acknowledge order (7)
Send credit card details (5)
Y’s Bank A/C
Bill sent to B(11)
Shiping Advice (9)
Credit to Y’s A/C (11)
Ok’s credift card(6)
Credit Card companies computer Debit advice giving Credit card no (8) B’s bank
Items delivered to B (10)
Y’s warehouse
Information flow (Normally electronically) Physical items flow
13.4
What do you understand by EDI? Is EDI used in B2C or B2B eCommerce? Why is EDI important in e-Commerce? EDI stands for Electronic Data Interchange. It is a standard electronic format used for purchase orders, invoices etc. When such electronic forms are received they can be interpreted correctly by recipient’s computer program and used. EDI is used in B2B e-Commerce . It is important in e-Commerce because there is no manual intervention and data transfer is faster. As the format is agreed between two organizations, communication is simple.
13.5 What is VAN? What services do VANs provide? What are the advantages and disadvantages of VAN? VAN stands for Value Added Networks which provide services to Businesses which are members VANs provide post boxes for each of its subscribers who want to use their services. Some VANs provide conversion of forms to standard EDI format. The disadvantage of VAN services is high cost. 13.6 Why is security important in e-Commerce? What are the security issues to be taken into account while designing a security system for eCommerce? Since in e-Commerce the transaction and communication takes place between two entities using PSTN, security issue is important. The different security issues that are taken into account , while designing a security system for e-Commerce are given below: •
• •
As internet connects several networks one has to be sure that unauthorised persons do not gain access to the company’s confidential information. Both hardware and software solutions are needed to ensure this. The communication between companies should be protected from snoopers. When a company receives a message, it must be sure from whom it has come. In electronic communication system there should be digital signature so that the receiver knows that it has come from an authorised business. It should also ensure that the authentication of digital signature must be maintainable in a court of law in case of disputes.
13.7 What is a firewall? What are the functions of a firewall? A firewall is a set of related programs , located at a network gateway server that protects the resources of private network from other networks. Basically firewall, working closely with a router program, filters all network packets to determine whether to forward them toward their destination.
The different functions of firewall are: • • • • •
Protection from vulnerable service Control access to site system Concentrated security Enhance privacy Logging and statistics on Network use and misuse
13.8 What is a hardened firewall host? What are its functions? In what way is it different from proxy application gateway? The hardened firewall is a computer that will require inside or outside users to connect to the trusted applications in it before connecting to external world. The major functions of hardened firewall are: • •
Security processes are concentrated on one machine Names of systems on LAN, e-mail address etc., are hidden from outsiders • Network service management is simplified by locating services such as ftp, e-mail, search engines etc., in the firewall machine. The difference between hardened firewall and proxy application gateway is that for hardened firewall the inside or outside users are required to connect to the trusted application in firewall machine before connecting to any machine. All the information will pass through this computer, hence it is more secure. 13.9 Given a plain text: THIS IS A SAMPLE SENTENCE FOR ENCRYPTION. Apply the permutation (231564) and the substitution: (letter Æ letter + 6 ) and obtain the cipher text. Step 1: write the message in block of 6 characters THISIS ASAMPL ESENTE NCEFOR ENCRYP TION Step 2: follow permutation(231564) HITISS SAAPLM SEETEN CENORF NCEYPR TION Step 3: make substitution (Letter Æ Letter + 6) NOZOYY YGGVRS YKKZKT IKTUXL TIKEVXZOUT 13.10 What is DES? Explain what DES does when the following hexadecimal plain text is input to a DES hardware. A1907FBCD986543201FED14E890ABCA5 DES is a symmetric cryptographic algorithm. It is a block cipher, and encrypts data in 64-bit blocks. The same algorithm and key are used for both encryption and decryption.
The key length is 56 bits. The key is usually expressed as a 64-bit number, but every eighth bit is used for parity checking and is ignored. These parity bits are the least-significant bits of the key bytes. After the initial permutation, the block is broken into a right half and a left half, each 32 bits long. Then there are 16 rounds of identical operations, called Function f, in which the data are combined with the key. After the sixteenth round, the right and left halves are joined, and a final permutation (the inverse of the initial permutation) finishes off the algorithm. In each round as shown in the figure (page 210) the key bits are shifted, and then 48 bits are selected from the 56 bits of the key. The right half of the data is expanded to 48 bits, combined with 48 bits of a shifted and permuted key via an XOR, then again converted to 32 new bits, and permuted again. These four operations make up Function f. The output of Function f is then combined with the left half via another XOR. The result of these operations becomes the new right half; the old right half becomes the new left half. These operations are repeated 16 times, making 16 rounds of DES. If Bi is the result of the ith iteration, Li and Ri are the left and right halves of Bi, Ki is the 48-bit key for round i, and f is the function and does all the substituting and permuting and XORing with the key, then a round looks like: Li = Ri – 1 Ri = Li – 1 ⊕
f(R i – 1, Ki)
For more information on DES please refer to book “APPLIED CRYPTOGRAPHY” written by Bruce Schneier.
Plain Text IP
Lo
Ro
⊕
f K1 R1=L1⊕ f(R1,K2)
L1 =R0
⊕
f K2
L2 =R1
R2=L1⊕ f(R1,K2)
L15 =R14
R15=L14⊕ f(R14,K15)
⊕
f K16
R16=L15⊕ f(R15,K16)
L16 =R15
IP-1
Cipher text
13.11
What do you understand by symmetric key cryptography? What are the main advantages and disadvantages of symmetric key cryptography? The cryptography in which the same key is used for encryption and decryption and known to both parties while exchanging information is known as symmetric key or private key cryptography. The disadvantage of this method is , the difficulty in securely distributing the keys to authorised
13.12 What is public key encryption? In what way is it different from private key encryption? Why is it important in e-Commerce? The encryption in which two keys are used for encryption and decryption is called public key encryption. One of these keys is known as public key which is available to anyone wanting to send encrypted message. It is different from private key encryption in the sense that it uses two keys. One key is used for encryption and other is used for decryption. A private encryption, on the other hand uses one key for both encryption and decryption. Public key system is important in e-Commerce because the public key of an organization is publicized globally. The customers encrypt a message using receiving organization’s public key, which is decrypted by the receiving organization using its private key. Similarly the organization encrypts the message using particular customer’s public key which is then decrypted by the customer using their private key. With this secure communication can be established which is an important aspect of e-Commerce. 13.13 What are the main differences between DES based encryption and RSA based encryption? Is it possible to combine these two systems? If so explain how? The main difference between DES based encryption and RSA based encryption is •
DES uses a single key for both encryption and decryption whereas RSA uses two keys for the same • DES is faster as it is implemented through hardware • RSA is secure but slow since it uses complex computational procedure. Breaking the key is not easy Yes, one can combine the two keys. DES can be used to encrypt/decrypt messages using one key. The key itself can be sent using RSA. persons.
13.14 Give a block diagram of a system for transmitting a signed purchase order from business 1 to business 2. See Fig. 16.13 of text. 13.15
What types of electronic payment systems are required in eCommerce? Why are there different types of payment systems? Explain the necessary characteristics of each type of payment system and give an example each of where it is used. The different types of electronic payment systems required in e-Commerce are: cash payments, credit card payments and cheque payments. Each of these payments have their own advantages and disadvantages Cash payment is used for small transactions and mostly used for C2C eCommerce Credit card is used for middle size transactions and mostly used for B2C e-Commerce Cheque payment system is used for voluminous transactions and mostly used for B2B e-Commerce The characteristics of e-Cash or electronic cash payments are: • •
e-Cash must have monetary value e-Cash must be interoperable i.e., exchangeable for other e-cash, paper-cash, goods and services • It must be storable and retrievable The characteristics of credit card transactions are: • •
The credit card number entered by the customer should be encrypted The merchant should not have the knowledge of the credit card number of the customer
The characteristics of cheque payment are: • Both the parties involved in business should have public key certificates • The cheque should be cleared by a clearing house before any transaction occurs Necessary dedicated hardware device is required for signing and encrypting the order. 13.16 Explain SET protocol used in credit card transactions. What is the main interesting aspect of SET protocol which gives confidence to customers transacting business using the internet? See Sec 16.6.1 steps 1 to 7 The main interesting aspect of SET protocol which gives the confidence to the customer is that the merchant does not know the credit card number of the customer.
13.17 What are the main characteristics of cash payment in contrast with cheque payment? Why are governments not sympathetic to large cash transactions in e-Commerce? Cash payments are used in C2B applications which involve small payments whereas cheque payment system is generally used in B2B applications in which higher amount of transactions are carried out. Cheque payments are much more secure and traceable compared to cash payments. A sophisticated scheme called transaction blinding has been invented, using which cash payments cannot be traced. As governments do not like untraceable large cash transactions it is not sympathetic to large cash transactions in e-Commerce. 13.18
Explain how cash transactions take place in e-Commerce. What special precautions should be taken by a bank to ensure that a customer does not double spend the same electronic coins issued to him/her? Cash Transaction in e-Commerce A customer can withdraw “coins” in various denomination from his bank and keeps in his PC. The withdrawal takes place by the customer giving a serial number and denomination of each coin and requesting his bank to digitally sign it. The signed coins are of the form: (serial no., denomination, signature of bank). The bank will store a copy of issued coins. The customer pays a vendor by cash by sending the signed coin. The vendor sends it to the issuing bank (or to his bank which may deal with the issuing bank via a clearing house). The bank checks whether it has been signed by it and not yet spent. If it is OK it informs the vendor, who now can despatch the goods. The bank transfers the cash to the vendor’s account. The coin is stored in the “spent amount database” of the bank so that if the coin is presented again it can be dishonored. Bank manages “spent amount database” which stores the information about the coin spent by the customer. If the customer tries to reuse the coin bank can easily trace it out from the “spent amount database”.
QUESTION BANK 13.1
Define E-commerce. What are the different types of E-commerce?
13.2
Explain B2B E-Commerce using an example of a book distributor who stocks a large number of books, which he distributes via a large network of book sellers. Assume that the distributor has stocks of books of a large number of publishers and book sellers order books as and when their stock is low. Distributors give 1 month's time to booksellers for payment.
13.3
Explain B2C E-Commerce of a customer reserving airline tickets from his home or place of work.
13.4
Explain C2C E-Commerce with an appropriate example.
13.5
List the advantages and disadvantages of E-Commerce
13.6
Explain the system architecture of E-Commerce by looking at it as a set of layers with the physical network at the bottom layer and applications at the top layer.
13.7
Define internet. Why is internet important in E-Commerce?
13.8
What do you understand by EDI? Is EDI used in B2C or B2B E-Commerce? Why is EDI important in E-Commerce?
13.9
What are two major EDI standards used in E-Commerce? Which is the standard accepted for Government transactions in India?
13.10
What is VAN? What services do VANs provide? What are the advantages and disadvantages of VAN?
13.11
If internet is to be used for EDI which mail standard is used?
13.12
If email is to be used to exchange EDI between two businesses what are the
points on which they should agree? 13.13
Why is security important in E-Commerce? What are the security issues to be taken into account while designing a security system for E-Commerce?
13.14
What is a firewall? What are the functions of a firewall?
13.15
What is packet screening? Which hardware device performs packet screening?
13.16
What is a proxy application gateway? What are the functions of this gateway?
13.17
What is a hardened firewall host? What are its functions? In what way is it different from proxy application gateway?
13.18
Given a plain text: THIS IS A SAMPLE SENTENCE FOR ENCRYPTION. Apply the permutation (231564) and the substitution: (letter Æ letter + 6 ) and obtain the cipher text.
13.19
What is DES? Explain what DES does when the following hexadecimal plain text is input to a DES hardware. A1907FBCD986543201FED14E890ABCA5
13.20
What do you understand by symmetric key cryptography? What are the main advantages and disadvantages of symmetric key cryptography?
13.21
What is public key encryption? In what way is it different from private key encryption? Why is it important in E-Commerce?
13.22
What are the main differences between DES based encryption and RSA based encryption? Is it possible to combine these two systems? If so explain how?
13.23
Given two prime numbers 23 and 41 design a RSA system. Explain with an example how it works.
13.24
What is a digital signature? Why is it necessary in E-Commerce? What are the necessary conditions a hash function used in digital signature should satisfy?
13.25
Give a block diagram of a system for transmitting a signed purchase order from business 1 to business 2.
13.26
What is a certifying authority? Why is a certifying authority required in ECommerce? How does a certifying authority performs its tasks?
13.27
What types of electronic payment systems are required in E-Commerce? Why are there different types of payment systems? Explain the necessary characteristics of each type of payment system and give an example each of where it is used.
13.28
Explain SET protocol used in credit card transactions. What is the main interesting aspect of SET protocol which gives confidence to customers transacting business using the internet?
13.29
In using SET protocol who has to keep a data base of public keys of all customers? How does the customer assured that he will not be double charged for the same item purchased?
13.30
What are the main differences between electronic cheque payment and credit card payment in E-Commerce? Explain cheque transaction protocol used in ECommerce.
13.31
Why is a different payment system needed for small payment for internet services? Explain how one such system functions. How does the system make sure that payment is made only after information for which payment has been made is actually delivered to the customer?
13.32
What are the main characteristics of cash payment in contrast with cheque payment? Why are governments not sympathetic to large cash transactions in E-Commerce?
13.33
Explain how cash transactions take place in E-Commerce. What special precautions should be taken by a bank to ensure that a customer does not double spend the same electronic coins issued to him/her?
References 1. Most of the material in this chapter are taken from Chapter 16, Electronic Commerce of the book Analysis and Design of Information Systems (2nd edition) by V.Rajaraman, Prentice-Hall of India, New Delhi,2004 2. There are many books on E-Commerce, which describe E-Commerce in detail. Among these are: E.Awad, Electronic Commerce, Prentice-Hall of India, New Delhi 2002.This book takes managers perspective and not very strong on technology aspects of ECommerce. All the examples have a strong American bias as the book is primarily intended for students in America. The language is clear but the book is verbose. What can be said in 100 pages is said in 400 pages as it includes all kinds of gossip not relevant to students wanting the learn the subject. 3. D.Minoli and E.Minoli, Web Commerce Technology Handbook, Tata McGrawHill, New Delhi, 1999.This book is strong in technology and has wide coverage. 4. W. Stallings, Network Security Essentials, Pearson Education Asia, New Delhi,2001. Has good presentation on DES, Triple DES, RSA and SET protocol. 5. Most traditional Systems Analysis and Design book such as the one by Kendall and Kendall do not separately discuss E-Commerce, they have a cursory treatment at various places in the book.
SUMMARY OF MODULE 13 1.
The sharing of
business information, maintaining business relationships and
conducting business transactions by using telecommunication networks is usually defined as Electronic Commerce. 2.
E-commerce is normally categorised as Business to Business (B2B), Business to Customer (B2C) and Customer to Customer (C2C)
3.
The major advantages of
E-Commerce are anytime, anywhere transaction,
reduction in cost of transactions, reduction in time to market products, faster interbusiness transaction and faster transfer of funds. 4.
The major disadvantages of E-commerce are poor security of transactions unless special precautions are taken, loss of privacy, lack of legislation to settle disputes and menace of hackers.
5.
E-Commerce architecture consists of the following layers: The lowest layer in the physical network which may be a LAN connected by unshielded twisted pair wires, Public Switched Telephone Networks, WAN using optical fibre etc. The next layer is the logical network such as internet, intranet and extranet (all of which use TCP/IP protocol). Resting on this is the world wide web and services on it such as web pages, browsers, and search engines. Above this is Deleted: r
the security layer which deals with encryption, digital signatures etc. Resting on this are Electronic Data Interchange and Electronic payment services. All these layers are necessary to write application systems.
1
6.
At the physical level most organizations use local area networks using unshielded Deleted: ck po
twisted pair cables and Ethernet protocol. The cheapest method of interconnecting organizations is to use Public Switched Telephone Network. 7.
Internet is the most important logical network which enables E-Commerce. internet protocol called TCP/IP is universally used.
The
Organizational private
networks which use TCP/IP protocol are called intranets. Organizational intranets are often connected by a private secure communication link. Such a network is called an Extranet. 8.
World wide web is a global multimedia information service available on the Deleted: prepared using hyper text markup language.
internet. It supports web pages . 9.
Deleted: ¶
Web pages are located using a scheme known as Universal Resource Locator (URL) which is its address. Web browsers are used to locate web pages.
10.
Web pages are created using a language known as hypertext markup language Deleted: html
(HTML). Words can be picked and tagged to connect the page with other related
Deleted: mpile
pages. Deleted: which
11.
It is imperative for every organization to have a website in today's internet world to publicise their functions. The page must be attractively designed and updated regularly.
12.
Electronic Data Interchange (EDI) is essential in E-Commerce.
EDI replaces
printed forms by a standard electronic format which can be interpreted correctly by computer programs of cooperating businesses.
2
Deleted: Network
13.
EDI standards have been published by American National Standards Institute and Deleted: -Commerce
by United Nations Economic
Commission for Europe.
The United Nations
Deleted: n
standard is called EDIFACT and may become the standard for international commerce. 14.
Value Added Network Services provide electronic post boxes to their clients to exchange EDI documents. They guarantee security and delivery of documents. They also provide services to convert an organization's forms to standard format such as EDIFACT. Deleted: le
15.
If internet is used for exchanging business documents Secure Multipurpose Internet Mail Extension (S/MIME) standard is recommended.
16.
An organizaion's intranet is connected to the internet via a proxy server or a Deleted: f
hardware unit.
This is called a firewall . Firewall protects an organization's
computers from unauthorised intruders. 17.
Messages exchanged between organizations using the internet can be easily tapped by eaves droppers. It is thus necessary to scramble them to prevent eavesdroppers from understanding the messages. It is done by encrypting messages.
18.
Message (plain text) is encrypted by transposing characters of the plain text by a specified
permutation and substituting characters by other characters.
The
encrypted text is called ciphertext. 19.
This general idea is used in a standard encryption method called Digital Encryption Standard(DES). DES encrypts 64 bit blocks with a 56 bit key.
3
20.
DES has been implemented as a hardware device. DES hardware may be attached Deleted: it
to a computer's output port so that messages sent from the computer are encrypted. The receiver can decrypt it if he is given the key. 21.
A system in which the encrypting and decrypting keys are same is called a symmetric key system.
22.
The main problem with a symmetric key system is the need to distribute the key Deleted: It is, however, fast.
securely to all participating businesses. Symmetric key encryption/decryption is fast. 23.
Two key based system called RSA system does not require distributing secret keys. It has two keys for each participant in the communication, a private key and a public key. If A wants to send a message to B, A encrypts the message using B's public key. B decrypts it using his private key. Thus there is no key distribution problem. It is, however, slower than the symmetric key system.
24.
RSA system is based on the fact that it is difficult to factor two prime components Deleted: when
from their product, particularly, when the prime numbers are large.
Deleted: is known Deleted: RSA system is symmetric.
25.
In RSA system, a message encrypted with a private key, can be decrypted with
Deleted: other words Deleted: is
the corresponding public key. This is used in digital signature.
4
26.
In order to sign a message the sender hashes the message with a known algorithm to get a message digest MD. MD is encrypted with the sender's private key and sent to the intended receiver. Let us call it MDe. The message itself is encrypted with a symmetric key and sent. The recipient decrypts the message and computes the message digest MD using the known hashing algorithm. He then decrypts the Deleted: it
encrypted message digest MDe using the sender's public key. If (MDe) decrypted = MD then the message is not a forgery as only the sender knows his private key. This signature ties the signature to the message and cannot be repudiated by the sender. 27.
To ensure that public keys of organizations do belong to them there are certification authorities which check the legitimacy of organizations
and issue public key
certificates. 28.
In E-Commerce payments are made as credit card payments, cheque payments or cash payments . Besides this a system to make small payments for information Deleted: downloads
goods (such as files, books etc.) downloaded from the internet is needed. Deleted: k
29.
Credit card payments are made using a protocol called Secure Electronic Transaction (SET protocol). It uses RSA system and digital signatures.
30.
Cheque payments are made between organizations using digitally signed cheques and public key certificates issued by a certifying authority.
5
31.
Payment for small transactions is made using digital coins issued by banks to Deleted: csutomer's
customer after debiting the customer's account. A digital coin consists of amount, identification number and banks signature. These coins are given in exchange for goods. The bank reimburses the vendor after checking its signature and ensuring that the coin has not been spent earlier. 32.
A system called NetBill has been proposed for small payment for information services on the internet. It ensures that a key is given to a customer for decrypting information only after payment is received by the vendor.
It also guarantees
delivery of contracted information by the vendor.
6
Formatted
QUESTION BANK 13.1
Define E-commerce. What are the different types of E-commerce?
13.2
Explain B2B E-Commerce using an example of a book distributor who stocks a large number of books, which he distributes via a large network of book sellers. Assume that the distributor has stocks of books of a large number of publishers and book sellers order books as and when their stock is low. Distributors give 1 month's time to booksellers for payment.
13.3
Explain B2C E-Commerce of a customer reserving airline tickets from his home or place of work.
13.4
Explain C2C E-Commerce with an appropriate example.
13.5
List the advantages and disadvantages of E-Commerce
13.6
Explain the system architecture of E-Commerce by looking at it as a set of layers with the physical network at the bottom layer and applications at the top layer.
13.7
Define internet. Why is internet important in E-Commerce?
7
13.8
What do you understand by EDI? Is EDI used in B2C or B2B E-Commerce? Why is EDI important in E-Commerce?
13.9
What are two major EDI standards used in E-Commerce? Which is the standard accepted for Government transactions in India?
13.10
What is VAN? What services do VANs provide? What are the advantages and disadvantages of VAN?
13.11
If internet is to be used for EDI which mail standard is used?
13.12
If email is to be used to exchange EDI between two businesses what are the points on which they should agree?
13.13
Why is security important in E-Commerce? What are the security issues to be taken into account while designing a security system for E-Commerce?
13.14
What is a firewall? What are the functions of a firewall?
13.15
What is packet screening? Which hardware device performs packet screening?
13.16
What is a proxy application gateway? What are the functions of this gateway?
13.17
What is a hardened firewall host? What are its functions? In what way is it different from proxy application gateway?
13.18
Given a plain text: THIS IS A SAMPLE SENTENCE FOR ENCRYPTION. Apply the permutation (231564) and the substitution: (letter Æ letter + 6 ) and obtain the cipher text.
13.19
What is DES? Explain what DES does when the following hexadecimal plain text is input to a DES hardware. A1907FBCD986543201FED14E890ABCA5 8
13.20
What do you understand by symmetric key cryptography? What are the main advantages and disadvantages of symmetric key cryptography?
13.21
What is public key encryption? In what way is it different from private key encryption? Why is it important in E-Commerce?
13.22
What are the main differences between DES based encryption and RSA based encryption? Is it possible to combine these two systems? If so explain how?
13.23
Given two prime numbers 23 and 41 design a RSA system. Explain with an example how it works.
13.24
What is a digital signature? Why is it necessary in E-Commerce? What are the necessary conditions a hash function used in digital signature should satisfy?
13.25
Give a block diagram of a system for transmitting a signed purchase order from business 1 to business 2.
13.26
What is a certifying authority? Why is a certifying authority required in ECommerce? How does a certifying authority performs its tasks?
13.27
What types of electronic payment systems are required in E-Commerce? Why are there different types of payment systems? Explain the necessary characteristics of each type of payment system and give an example each of where it is used.
13.28
Explain SET protocol used in credit card transactions. What is the main interesting aspect of SET protocol which gives confidence to customers transacting business using the internet?
9
13.29
In using SET protocol who has to keep a data base of public keys of all customers? How does the customer assured that he will not be double charged for the same item purchased?
13.30
What are the main differences between electronic cheque payment and credit card payment in E-Commerce? Explain cheque transaction protocol used in ECommerce.
13.31
Why is a different payment system needed for small payment for internet services? Explain how one such system functions. How does the system make sure that payment is made only after information for which payment has been made is actually delivered to the customer?
13.32
What are the main characteristics of cash payment in contrast with cheque payment? Why are governments not sympathetic to large cash transactions in E-Commerce?
13.33
Explain how cash transactions take place in E-Commerce. What special precautions should be taken by a bank to ensure that a customer does not double spend the same electronic coins issued to him/her?
10
11
MODULE 14
CASE TOOLS OBJECTIVE QUESTIONS
There are 4 alternative answers to each question. One of them is correct. Pick the correct answer. Do not guess. A key is given at the end of the module for you to verify your answer 1. The expansion of CASE tools is: (a) Computer Assisted Self Evaluation (b) Computer Aided Software Engineering (c) Computer Aided Software Environment (d) Core Aids for Software Engineering
2. CASE tools are used by industries to (i) Improve productivity of their software engineers (ii) Reduce time to develop applications (iii)Improve documentation (iv)Automate system analysis (a) i and ii (c) i, ii, and iii
(b) i and iii (d) ii and iii
3. The following are the disadvantages of CASE tools (i) Some tools are expensive (ii) All software engineers need to be trained to use these tools (iii) A lot of time is wasted in using the tools (iv) Software developed using CASE tools are of poor quality (a) i, ii, iii, iv (c) ii, iii, and iv
(b) iii and iv (d) i and ii
4. CASE tools are useful (a) only during system design stage (b) during all the phases of system life cycle (c) only for system documentation (d) only during system analysis stage 5. CASE tools have the following advantages (i) they integrate the development done during each phase of system development (ii) they permit effective communication with users (iii) they are useful as communication aids with users of the system (iv) they are useful in estimating cost of changes in system requested by users 6. CASE tools are (a) A Set of rules to be used during system analysis and design (b) Program, packages used during system analysis and design (c) A set of tools used by analysts (d) Needed for use case development. 7. By open domain CASE tools we mean (a) tools available in open domain (b) software packages which can be downloaded form the internet (c) software packages to aid each phase of the systems analysis and design which can be downloaded free of cost from the internet (d) source codes of CASE tools 8. Open domain CASE tools (a) are better than commercial tools (b) are not very useful (c) do not usually have very good user interface but are otherwise useful (d) are full of bugs 9. Open domain CASE tools (a) always provide the source code (b) are available for use only for a limited period (c) never provide the source code (d) are usually object files available for unrestricted use with on-line help files 10. Open domain CASE tools (a) are available for almost all phases of system analysis and design life cycle (b) are available only for drawing DFD’s (c) are no available to document SRS (d) creating data dictionaries
11. CASE tools are classified often as (a) Classical and Modern CASE tools (b) Upper and lower CASE tools (c) Source and Object CASE tools (d) Object oriented and Structured CASE tools 12. Upper CASE tools are used (a) for developing DFD’s (b) for screen design (c) during all phases of system analysis and design life cycle (d) for converting structured English procedures to source code into a language such as C 13. Lower CASE tools are used for (a) for developing DFD’s (b) for screen design (c) during all phases of system analysis and design life cycle (d) for converting structured English procedures to source code into a language such as C 14. Lower CASE tools are used for (a) develop graphical user interface (b) for converting decision tables to source programs (c) for generating test cases (d) for developing use cases 15. The current standard tool for designing object oriented systems is called (a) Unified Modelling Language (b) Booch Modelling Language (c) Object Modelling Language (d) Class, responsibilities and collaborators language
KEYS 1. 2. 3. 4. 5. 6. 7. 8.
b c d b ? b c c
10 a 11 b 12 a 13 d 14 b 15 a
MODULE 14
CASE TOOLS Learning Units 14.1 CASE tools and their importance 14.2 Some CASE tools and their use
Systems Analysis And Design
©
V. Rajaraman
Learning Goals What are CASE tools? Why are they important in systems analysis and design? When are they used? How are they used?
Systems Analysis And Design
© V. Rajaraman
1 of 9
Motivation Industries routinely use CASE tools as productivity aid to reduce time to develop systems. A student should know what these tools are and how they are useful The intention of this module is not to make you an expert in the use of these tools but to make you aware about them and their importance in industrial practice
Systems Analysis And Design
© V. Rajaraman
2 of 9
CASE Tools and their importance CASE tools stand for Computer Aided Software Engineering tools As the name implies they are computer based programs to increase the productivity of analysts They permit effective communication with users as well as other members of the development team. They integrate the development done during each phase of a system life cycle. They assist in correctly assessing the effects and cost of changes so that maintenance cost can be estimated.
Systems Analysis And Design
© V. Rajaraman
3 of 9
Available CASE tools • Commercially available systems provide tools (i.e computer program packages) for each phase of the system development life cycle. A typical package is Visual Analyst which has several tools integrated together.
• Tools are also in the open domain which can be downloaded and used. They do not usually have very good user interfaces.
14.1.1
Systems Analysis And Design
© V. Rajaraman
4 of 9
Available CASE tools • System requirements specification documentation tool • Data flow diagramming tool • System flow chart generation tool • Data dictionary creation • Formatting and checking structured English process logic
14.1.2
Systems Analysis And Design
© V. Rajaraman
5 of 9
Available CASE tools •Decision table checking • Screen design for data inputting • Form design for outputs. • E-R diagramming • Data base normalization given the dependency information
14.1.3
Systems Analysis And Design
© V. Rajaraman
6 of 9
When are tools used • Tools are used throughout the system design phase • CASE tools are sometimes classified as upper CASE tools and lower CASE tools. • The tools we have described so far are upper CASE tools • Tools are available which will generate computer screen code from higher level descriptions such as structured English and decision tables,They are called lower CASE tools
14.1.4
Systems Analysis And Design
© V. Rajaraman
7 of 9
Object Oriented System Design Tools • Unified Modelling Language is currently the standard • UML tool set is marketed by Rational Rose a company whose tools are widely used. • This is an expensive tool and not in our scope in his course.
14.1.5
Systems Analysis And Design
© V. Rajaraman
8 of 9
How to use the tools
• Most tools have a user’s guide which is given as help files along with the tool •Many have FAQ’s and search capabilities •Details on several open domain tools and what they do is given as notes.
14.2.1
Systems Analysis And Design
© V. Rajaraman
9 of 9
MODULE 14
CASE TOOLS Contents
1. MOTIVATION AND LEARNING GOALS
2. LEARNING UNIT 1 CASE tools and their importance
3. LEARNING UNIT 2 Some CASE tools and their use
4. REFERENCES
CASE TOOLS MOTIVATION
Industries routinely use CASE tools as productivity aid to reduce time to develop systems. A student should know what these tools are and how they are useful. The intention of this module is not to make you an expert in the use of these tools but to make you aware about them and their importance in industrial practice.
LEARNING GOALS
What are CASE tools? Why are they important in systems analysis and design? When are they used? How are they used?
LEARNING UNIT 1
CASE Tools and their importance
CASE tools stand for Computer Aided Software Engineering tools. As the name implies they are computer based programs to increase the productivity of analysts. They permit effective communication with users as well as other members of the development team. They integrate the development done during each phase of a system life cycle and also assist in correctly assessing the effects and cost of changes so that maintenance cost can be estimated. Available CASE tools Commercially available systems provide tools (i.e computer program packages) for each phase of the system development life cycle. A typical package is Visual Analyst which has several tools integrated together. Tools are also in the open domain which can be downloaded and used. However, they do not usually have very good user interfaces. Following types of tools are available:
System requirements specification documentation tool Data flow diagramming tool System flow chart generation tool Data dictionary creation Formatting and checking structured English process logic Decision table checking Screen design for data inputting Form design for outputs. E-R diagramming Data base normalization given the dependency information
When are tools used Tools are used throughout the system design phase. CASE tools are sometimes classified as upper CASE tools and lower CASE tools. The tools we have described so far are upper CASE tools They are tools which will generate computer screen code from higher level descriptions such as structured English and decision tables, such tools are called lower CASE tools
Object Oriented System Design Tools Unified Modelling Language is currently the standard. UML tool set is marketed by Rational Rose a company whose tools are widely used. This is an expensive tool and not in our scope in his course.
LEARNING UNIT 2
How to use the tools •Most tools have a user’s guide which is given as help files along with the tool •Many have FAQ’s and search capabilities •Details on several open domain tools and what they do is given below.
I. SYSTEM FLOWCHART AND ER-DIAGRAM GENERATION TOOL Name of the tool: SMARTDRAW URL: This Software can be downloaded from: http://www.smartdraw.com. This is a paid software, but a 30-day free trial for learning can be downloaded.
Requirements to use the tool: PC running Windows 95, 98 or NT. The latest versions of Internet Explorer or Netscape Navigator, and about 20MB of free space.
What the tool does: Smartdraw is a perfect suite for drawing all kinds of diagrams and charts: Flowcharts, Organizational charts, Gantt charts, Network diagrams, ERdiagrams etc. The drag and drop readymade graphics of thousands of templates from built-in libraries makes drawing easier. It has a large drawing area and drawings from this tool can be embedded into Word, Excel and PowerPoint by simply copy-pasting. It has an extensive collection of symbols for all kinds of drawings. How to use: The built-in tips guides as the drawing is being created. Tool tips automatically label buttons on the tool bar. There is online tutorial provided in:
http://www.smartdraw.com/tutorials/flowcharts/tutorials1.htm http://www.ttp.co.uk/abtsd.html
II. DATA FLOW DIAGRAM TOOL Name of the tool: IBMS/DFD URL: This a free software that can be downloaded from: http://viu.eng.rpi.edu
Requirements to use the tool: The following installation instructions assume that the user uses a PC running Windows 95, 98 or NT. Additionally, the instructions assume the use of the latest versions of Internet Explorer or Netscape Navigator. To download the zip files & extract them you will need WinZip or similar software. If needed download at http://www.winzip.com.
What the tool does: The tool helps the users draw a standard data flow diagram (a process-oriented model of information systems) for systems analysis. How to use: Double click on the IBMS icon to see the welcome screen. Click anywhere inside the welcome screen to bring up the first screen. Under "Tools" menu, select DFD Modeling. The IBMS will pop up the Data Flow Diagram window. Its menu bar has the File, Edit, Insert, Font, Tool, Window and Help options. Its tool box on the right contains 10 icons, representing (from left to right and top to bottom) pointer, cut, data flow, process, external entity, data store, zoom-out, zoom-in, decompose, and compose operations, respectively. Left click on the DFD component to be used in the toolbox, key in the information pertaining to it in the input dialogue box that prompts for information. To move the DFD components: Left click on the Pointer icon in the tool box, point to the component, and hold Left Button to move to the new location desired in the work area. To edit information of the DFD components: Right click on the DFD component. The input dialogue box will prompt you to edit information of that component. Levelling of DFD: Use the Decompose icon in the tool box for levelling To save the DFD: Under File menu, choose Save or SaveAs. Input the name and extension of the DFD (the default extension is DFD) and specify folder for the DFD to be saved. Click OK.
III. TOOL TO CONVERT DECISION TABLE TO STRUCTURED ENGLISH
Name of the tool: COPE URL: This is a free tool and should be worked online at http://www.cs.adelaide.edeu.au/users/dwyer/examples.html
What the tool does: Cope is a program that converts decision tables to Cobol source statements
How to use: The general arrangement of a Cope decision table is shown in Example below. This table consists of a heading and four rows. The first two rows are conditions, and the last two are actions. A condition row consists of a number of entries followed by the word is and a Cobol condition. An action row consists of a series of entries followed by a Cobol statement. Example: YYNN YNYN XX - -XXX
is A = 0. is B = 0. Move 0 to C. Add 1 to C.
Type in the Decision table in the text area provided (each line should start with 6 blanks and an asterisk), click on “Generate Cobol” to obtain the Cobol statements of the Decision table. There is online help provided at: http://www.cs.adelaide.edu.au/users/dwyer/COPE-MAN.html#RTFToC1 Another tool (to be worked online) for program code generation from Decision table can be found at http://dtable.projxonline.com/Default.aspx Note: The tools to convert Decision Tables to Structured English is not available.
IV. SYSTEM REQUIREMENTS SPECIFICATION DOCUMENTATION TOOL Name of the tool: ARM URL: The tool can be downloaded without cost at http://sw-assurance.gsfc.nasa.gov/disciplines/quality/index.php
What the tool does: ARM or Automated Requirement Measurement tool aids in writing the System Requirements Specifications right. The user writes the SRS in a text file, the ARM tool scans this file that contains the requirement specifications and gives a report file with the same prefix name as the user’s source file and adds an extension of “.arm”. This report file contains a category called INCOMPLETE that indicate the words and phrases that are not fully developed.
Requirements to use the tool : PC running Windows 95, 98 or NT. The latest versions of Internet Explorer or Netscape Navigator, and about 8MB of free space. How to use the tool : On clicking the option Analyze under File menu and selecting the file that contains the System Requirements Specifications, the tool processes the document to check if the specifications are right and generates a ARM report. The WALKTHROUGH option in the ARM tool assists a user by guiding him as to how to use the tool apart from the HELP menu. The README.doc file downloaded during installation also contains description of the usage of this tool.
V. A TOOL FOR SCREEN DESIGN AND DATA INPUTTING Name of the tool: Visual Basic URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=bf9a24f9-b5c548f4-8edd-cdf2d29a79d5&displaylang=en
What the tool does: This tool is used to create the graphical user interface (GUI) to describe the appearance and location of interface elements, you simply add prebuilt objects into place on screen. Help: http://msdn.microsoft.com/library/default.asp?url=/library/enus/vbcon98/html/vbconpart1visualbasicbasics.asp
VI A TOOL FOR DESIGNING AND MANIPULATING DECISION TABLES Name of the tool: Prologa V.5 URL: http://www.econ.kuleuven.ac.be/prologa Note: This tool can be downloaded from the above given URL, after obtaining the password. What the tool does: The purpose of the tool is to allow the decision maker to construct and manipulate (systems of) decision tables. In this construction process, the features available are automatic table contraction, automatic table optimization, (automatic) decomposition and composition of tables, verification and validation of tables and between tables, visual development, and rule based specification.
References: 1. J.A.Hoffer, J.F.George and J.S.Valacich “Modern Systems Analysis and Design”, Pearson Education Asia,New Delhi,2002 Chapter 4 “Automated Tools for Systems Development” has a good discussion of CASE tools. 2. G.Booch, J.Rumbaugh, I.Jacobson; “The Unified Modelling Language User Guide”, Addison Wesley, Reading, MA, USA, KGG authentic Introduction to Rational Commercial tools for Object oriented modelling 3. URL’s of various available CASE tools (a) System flowchart and Er-diagram generation tool: Smartdraw http://www.smartdraw.com (b) Data flow diagram tool: IBMS/DFD http://viu.eng.rpi.edu (c) Tool to convert decision table to structured english: COPE http://www.cs.adelaide.edeu.au/users/dwyer/examples.html (d) System Requirements Specification documentation tool: ARM http://sw-assurance.gsfc.nasa.gov/disciplines/quality/index.php
(e) A tool for screen design and data inputting: Visual Basic http://www.microsoft.com/downloads/details.aspx?FamilyID=b f9a24f9-b5c5-48f4-8edd-cdf2d29a79d5&displaylang=en (f) A tool for creation, manipulation and checking of decision tables:Prologa v.5 http://www.econ.kuleuven.ac.be/prologa
System Analysis and Design/Case Tools
Multiple Choice Questions
14.1 The expansion of CASE tools is: a. Computer Assisted Self Evaluation b. Computer Aided Software Engineering c. Computer Aided Software Environment d. Core Aids for Software Engineering 14.2 CASE tools are used by industries to (i)
Improve productivity of their software engineers
(ii)
Reduce time to develop applications
(iii)
Improve documentation
(iv)
Automate system analysis a.
i and ii
b.
i and iii
c.
i, ii, and iii
d. ii and iii 14.3 The following are the disadvantages of CASE tools (i)
Some tools are expensive
(ii)
All software engineers need to be trained to use these tools
(iii)
A lot of time is wasted in using the tools
(iv)
Software developed using CASE tools are of poor quality a. i, ii, iii, iv b. iii and iv c. ii, iii, and iv d.
i and ii
14.4 CASE tools are useful a. only during system design stage b. during all the phases of system life cycle c. only for system documentation d. only during system analysis stage 14.5 CASE tools have the following advantages a. they integrate the development done during each phase of system development
V. Rajaraman/IISc. Bangalore
M14/V1/July 04/1
System Analysis and Design/Case Tools
Multiple Choice Questions
b. they permit effective communication with users c. they are useful as communication aids with users of the system d. they are useful in estimating cost of changes in system requested by users 14.6 CASE tools are a. A Set of rules to be used during system analysis and design b. Program, packages used during system analysis and design c. A set of tools used by analysts d. Needed for use case development. 14.7 By open domain CASE tools we mean a. tools available in open domain b. software packages which can be downloaded form the internet c. software packages to aid each phase of the systems analysis and design which can be downloaded free of cost from the internet d. source codes of CASE tools 14.8 Open domain CASE tools a. are better than commercial tools b. are not very useful c. do not usually have very good user interface but are otherwise useful d. are full of bugs 14.9 Open domain CASE tools a. always provide the source code b. are available for use only for a limited period c. never provide the source code d. are usually object files available for unrestricted use with on-line help files 14.10 Open domain CASE tools a. are available for almost all phases of system analysis and design life cycle b. are available only for drawing DFD’s c. are no available to document SRS d. creating data dictionaries 14.11 CASE tools are classified often as a. Classical and Modern CASE tools
V. Rajaraman/IISc. Bangalore
M14/V1/July 04/2
System Analysis and Design/Case Tools
Multiple Choice Questions
b. Upper and lower CASE tools c. Source and Object CASE tools d. Object oriented and Structured CASE tools 14.12 Upper CASE tools are used a. for developing DFD’s b. for screen design c. during all phases of system analysis and design life cycle d. for converting structured English procedures to source code into a language such as C 14.13 Lower CASE tools are used for a. for developing DFD’s b. for screen design c. during all phases of system analysis and design life cycle d. for converting structured English procedures to source code into a language such as C 14.14 Lower CASE tools are used for a. develop graphical user interface b. for converting decision tables to source programs c. for generating test cases d. for developing use cases 14.15 The current standard tool for designing object oriented systems is called a. Unified Modeling Language b. Booch Modeling Language c. Object Modeling Language d. Class, responsibilities and collaborators language
V. Rajaraman/IISc. Bangalore
M14/V1/July 04/3
System Analysis and Design/Case Tools
Multiple Choice Questions
Key to Objective Questions 1. b
2.c
3. d
4.b
6 .b
7.c
8.c
10.a
11.b
12 .a
13.d
14 .b
15.a
V. Rajaraman/IISc. Bangalore
M14/V1/July 04/4
MODULE 14
CASE TOOLS WORKED EXAMPLES
14.1 What is the expansion of CASE tools? CASE tools stand for Computer Aided Software Engineering tools.
14.2 What are the advantages of using CASE tools? The advantages of CASE tools are as follows: 1. CASE tools are software packages, which allows software engineers to develop systems faster. 2. CASE tools also assist in better communication among members of a team developing a system. They improve communication between team members and users of the system 3. Use of CASE tools result in better documentation of systems 4. CASE tools also assist in correctly assessing the effects and cost of changes requested by users during system development and maintenance 5.
System Analysis and Design/Case Tools
Question Bank
Exercises 1. Use a DFD diagramming to draw DFD’s for the following: Admission procedure in a University. An advertisement is issued giving essential qualifications for the course, the last date for receipt of application, and the fee to be enclosed with the application. A clerk in the Registrar’s office checks the received applications to see if marksheet and fee are enclosed and sends valid applications to the concerned academic department. The department checks the application in detail and decides the applicants to be admitted, those to be put in the waiting list, and those rejected. Appropriate letters are sent to the Registrar’s office which intimates the applicant. Give physical and logical DFDs corresponding to the above problem. 2. Use a DFD diagramming to draw DFD’s for the following: A magazine is published monthly and is sent by post to its subscribers. Two months before the expiry of subscription, a reminder is sent to the subscribers. If subscription is not received within a month, another reminder is sent. If renewal subscription is not received up to two weeks before the expiry of the subscription, the subscriber’s name is removed from the mailing list and the subscriber informed. Obtain logical DFDs for this problem. 3. Use a CASE tool to format and check structured English processing rules for the following: An organization maintains an employee file in which each record has following data: { Employee No., employee name, employee gross pay}. It has been decided to increase the pay as per the following formula: For pay of Rs. 1000 or less increase 15%. For pay of more than Rs. 1000 but up to Rs. 2500 increase 10%. For pay over Rs. 2500 increase 5%. (i) While employee records left in file do Read Number, name , gross pay if gross pay <=1000 then increase = gross pay 0.15 else if gross pay <= 2500 then increase = gross pay 0.1 else increase = gross pay .05 end if end if Gross pay = gross pay + increase Write Number, name, gross pay end while (ii) While employee records left in file do Read Number, name, gross pay do Table Gross pay <= 1000 Y N N Gross pay <= 2500 – YN Percent increase 15 10 5
V. Rajaraman/IISc. Bangalore
M14/V1/July 04/1
System Analysis and Design/Case Tools
Question Bank
end table Gross pay = gross pay (1+percent increase/100) Write Number, name, gross pay end while 4. Use a structured English process description tool to obtain Structured English description for the following: An offshore gas company bills its customers according to the following rate schedule: First 500 litres Rs. 10 (flat) Next 300 litres Rs. 1.25 per 100 litres Next 30,000 litres Rs. 1.20 per 100 litres Next 100,000 litres Rs. 1.10 per 100 litres Above this Re. 1.00 per 100 litres The input record has customer identification, name and address, meter reading, past and present. 5. Obtain system flow chart using appropriate tools for Exercises 3 and 4 above. 6. Use Decision Table checking tool to check the following Decision table. R1 R2 R3 C1: Door open? C2: Ring sign on? C3: Enter sign on? C4: Door locked?
R4 N N N N
R5 N N N Y
R6 R7 R8 R9 R10R11R12R13R14 N N N N N N Y Y Y Y N N Y Y Y Y N N N N Y Y N N Y Y N N Y Y N Y N Y N Y N Y N Y
R15R16 Y Y Y Y Y Y N N Y N Y N
Ring bell – – – – X – X – – ? – ? X ? X Enter– – X – – – X – – ? X ? – ? X ? Wait – – – – X – – – – ? – ? X ? – ? LeaveX X – X – X – X X ? – ? – ? – ? A1 A1 A2 A1 A3 A1 A4 A1 A1 A2 A3 A4 7. Use Decision Table checking tool for the following Decision table C1: This week’s cash > weekly rate – Y – Y N Y N – N – C2: This week’s cash > 0 – – Y – Y – Y N – N C3: Any cash during last month Y – N N Y Y Y N N – C4: Arrears . > 2 * weekly rate N – – – – – Y – – Y C5: Arrears > 4 * weekly rate – N N – Y Y N N Y Y Send arrears letter A – – – – Send arrears letter B – – – – Send arrears letter C – – – – Send arrears letter D – – – – Notify accounts X X X X Take special action – – – – 8. Use ER-Diagramming tool to solve the following (i) Customer withdraws money from his account. (ii) Students write examinations. (iii)Students attend classes. (iv) Professors write books. V. Rajaraman/IISc. Bangalore
– – – – X –
X – – – – –
– X – – – –
– – X – – –
– – – – – X
– – – – – X
Y Y Y Y ?
– N Y Y N – – – X – –
M14/V1/July 04/2
System Analysis and Design/Case Tools
Question Bank
(v) Driver drives a car. 9. Use ER-Diagramming tool to solve the following (i) A bill is sent to a customer. A customer can receive many bills. (ii) A clerk works in a bank. The bank has many clerks. (iii) A part is used in many products and a product uses many parts. (iv) Students apply for seats in colleges. Each student can atmost get one seat. A college has many seats. A student can send many applications. (v) A car is owned by a person. The person can own many cars. 10. Use ER-Diagramming tool to solve the following: Use any reasonable assumptions. “A machine shop produces many parts which it takes on contract. It employs many machinists who operate any of the machines. A part needs working on only one machine. A record is kept on the quantity of material needed for producing each part. The production of each part is tracked by giving a job number, start time and end time and machinist identification.” 11.Design an input screen using a tool to reserve tickets in a long distance bus. 12.Design an input screen using a tool to enter examination marks of students. Each record has Roll no, Name, Marks in all subjects, total and class.
V. Rajaraman/IISc. Bangalore
M14/V1/July 04/3
System Analysis and Design/Case Tools
Pointers
References: 1. J.A.Hoffer, J.F.George and J.S.Valacich “Modern Systems Analysis and Design”, Pearson Education Asia,New Delhi,2002 Chapter 4 “Automated Tools for Systems Development” has a good discussion of CASE tools. 2. G.Booch, J.Rumbaugh, I.Jacobson; “The Unified Modelling Language User Guide”, Addison Wesley, Reading, MA, USA, KGG authentic Introduction to Rational Commercial tools for Object oriented modelling 3. URL’s of various available CASE tools (a) System flowchart and Er-diagram generation tool: Smartdraw http://www.smartdraw.com (b) Data flow diagram tool: IBMS/DFD http://viu.eng.rpi.edu (c) Tool to convert decision table to structured english: COPE http://www.cs.adelaide.edeu.au/users/dwyer/examples.html (d) System Requirements Specification documentation tool: ARM http://swassurance.gsfc.nasa.gov/disciplines/quality/index.php (e) A tool for screen design and data inputting: Visual Basic http://www.microsoft.com/downloads/details.aspx?FamilyID=bf9a24f9b5c5-48f4-8edd-cdf2d29a79d5&displaylang=en (f) A tool for creation, manipulation and checking of decision tables:Prologa v.5 http://www.econ.kuleuven.ac.be/prologa
V. Rajaraman/IISc. Bangalore
M14/V1/July 04/1
Module 14 Summary 1. CASE is an acronym for Computer Assisted Software Engineering 2. CASE tools are readymade computer programe, which assist a system analyst and applications programmer to increase his/her productivity tools 3. Besides improving productivity thus also provide better interaction among members of a system development team. 4. CASE tools allow tracking of progress of projects. 5. They also aid in assessing cost and time needed to effect changes in a system. 6. There are both commercial and open domain tools to assist in all phases of a system analysis and design life cycle. 7. Commercial tools are expensive. They however have better user interfaces and customer support. 8. For object oriented systems analysis and design Universal Modelling Language (UML) is the correct standard. 9. A tool for Object oriented analysis using UML is marketed by a company named Rational Rose and is the most popular tool set used by industry. 10. In the notes we have given the URL’s of a number of open domain tools, which can be tried by students.
References: 1. J.A.Hoffer, J.F.George and J.S.Valacich “Modern Systems Analysis and Design”, Pearson Education Asia,New Delhi,2002 Chapter 4 “Automated Tools for Systems Development” has a good discussion of CASE tools. 2. G.Booch, J.Rumbaugh, I.Jacobson; “The Unified Modelling Language User Guide”, Addison Wesley, Reading, MA, USA, KGG authentic Introduction to Rational Commercial tools for Object oriented modelling 3. URL’s of various available CASE tools (a) System flowchart and Er-diagram generation tool: Smartdraw http://www.smartdraw.com (b) Data flow diagram tool: IBMS/DFD http://viu.eng.rpi.edu (c) Tool to convert decision table to structured english: COPE http://www.cs.adelaide.edeu.au/users/dwyer/examples.html (d) System Requirements Specification documentation tool: ARM http://sw-assurance.gsfc.nasa.gov/disciplines/quality/index.php
(e) A tool for screen design and data inputting: Visual Basic http://www.microsoft.com/downloads/details.aspx?FamilyID=b f9a24f9-b5c5-48f4-8edd-cdf2d29a79d5&displaylang=en (f) A tool for creation, manipulation and checking of decision tables:Prologa v.5 http://www.econ.kuleuven.ac.be/prologa
System Analysis and Design/Case Study
Learning Objectives
Learning Objectives In this module we will learn using two examples How an informal description of a problem is analyzed to obtain a more formal specification of requirements. How various techniques learnt in the rest of the modules of this course are integrated to develop a complete information system to meet requirements specifications. How an information system is documented.
V. Rajaraman/IISc. Bangalore
//V1/Sep 05/1
MODULE 15
CASE STUDY
Learning Units 15.1 Analysis and design of a journal acquisition system 15.2 Analysis and design of a data processing system for small hotel
Systems Analysis And Design
© V. Rajaraman
Learning Goals In this module we will learn using two examples 1. How an informal description of a problem is analyzed to obtain a more formal specification of requirements 2. How various techniques learnt in the rest of the modules of this course are integrated to develop a complete information system to meet requirements specifications 3. How an information system is documented
Systems Analysis And Design
© V. Rajaraman
MOTIVATION 1. It is necessary at the end of a course to understand how various techniques learnt as separate modules can be used together in some full case studies. This integrated the learning experience 2. By following the case study analysis and design a student will learn how to go through a step-by-step process and finally document the designed step.
Systems Analysis And Design
© V. Rajaraman
System Analysis and Design/Case Study
Question Bank
Exercises 1. Passenger Reservation System Assume that ABC Bus Corporation has approached you for computerizing their bus reservation system for various destinations originating from Bangalore. The Corporation has currently about 1000 buses spread over 60 routes operating from Bangalore to various places. Of them, 700 are regular, 200 are semi-luxury, and remaining are super deluxe buses. The seating capacity are 48, 42 and 36, respectively. The Corporation would like to have at least one week advance reservation. The details required to be provided by the passenger would be date of journey, starting point, destination, number of seats (half or full), concession required, if any, route no., and departure time of the service. If seats are available, your system should be able to provide enquiry services in a variety of ways to help the passenger take a decision. What is the route nos., which halt at the place requested by the passenger either as a final destination or as an intermediate point? Whether seats are available by same route no. but at a different departure time. Whether seats are available by a different route no. on the same day. The earliest date on which seats are available for a place by a given route no. The cost of travel by various categories of buses (namely, ordinary, deluxe, etc) to a destination by various routes. The above are some of the questions that could be asked by the customer. Two seats are reserved VIPs and/or emergency quota. However , if nobody turns up for the same, upto half an hour before the departure, the seats are allotted to those in the waiting list according to priority. Concessions are given in respect of students during summer vacation. Thus they need to pay only 50% of the actual fare. Employees and their eligible family members may travel free once a year, by producing the appropriate identity cards. Your system must verify that the total distance travelled by such a person does not exceed 3000km. Seats are not allowed for half ticket but a seat may be allotted for half tickets issued. You system should provide a facility for cancellation. 10% of the fare shall be forfeited if the cancellation is done atleast two days prior to the journey. 20% shall be forfeited if the cancellation is done one day prior to the journey but not more than two days, 25% if done 8 hours and 40% for less than half an hour and up to half an hour after departure of the bus. In all other cases the amount is forfeited. The reservation fee of Rs. 5 is always nonrefundable. Journey can be postponed/advanced subject to availability of seats by the same route at most once at no extra cost. Your system would have to maintain a database of various routes originationg from Bangalore and the fare by each of them for various categories of buses to various destinations. Frequently the Corporation revises the fares and your system should accommodate this. Assume that more than one counter is simultaneously active for reservation/cancellation. 2. Hostel Information System Assume that your college hostel authorities have approached you for developing a computerized information system that can handle hostel room allotments and keep track of them.
V. Rajaraman/IISc. Bangalore
M15/V1/Sep 05/1
System Analysis and Design/Case Study
Question Bank
You are quite familiar with the hostels. As first step, catalogue the details such as various hostels, their capacities, types of rooms, i.e., single/double/spacious double/married students apartments etc. Assume a suitable figure for ladies hostel also. Since the number of rooms are less than the number of students, some students have to share a room. Assume that research students are given priority, followed by M.E. and B.E students. Married students are given married students apartments, if available; else they fall into general pool. Find out how many students join/leave every year in each of the college programmes. A student is allotted a room on joining as follows: If the student is married and married students hostel is available and all others senior to him in his category have been allotted an apartment; else he gets only single/double/spacious double room. If the student is unmarried; or he is married but no married students apartment is available, he gets either a single/spacious double/ double room, i.e., if a single room is available and all others senior to him in this category (viz., Research/ M.E/B.E) have been allotted the same, he also gets a single room; else he has to be given a spacious double room. If that also is not available then allot him a double room. Priorities based on course (Research, M.E., B.E) and within that date of joining is to be maintained so as to give a student a better room as and when it is available. Your system should maintain a list of hostels, rooms and details and should be able to, Give the lists of available rooms, those occupied, those likely to become free, etc., Intimate students as and when their priorities increase about the new rooms which are available and handle room allotments, Prepare a list of students who do not vacate their rooms even after the last date of vacating their rooms after their course is over, and Allow students to change rooms within the same class either mutually or to any other vacant room of the same class. 3. Hospital Automation Consider the operation of a medium size hospital. Patients data are stored and retrieved. Further, data about the various types of and number of wards/beds/operation theatres available and allotment of wards to patients are also maintained. The hospital authorities are interested in computerizing this information. The hospital has three types of operation theatres: A, B and C, respectively used for major, minor and small operations, respectively. Wards are of two types: general and special. General wards have capacities of 4 and 8 beds while special wards are either single or double beds. The hospitals also has a maternity ward with 25 rooms, each of which can accommodate 2 beds. The hospital has 20 general wards of capacity 4 and 30, general wards of capacity 8. It has 20 special wards with 2 beds each and 10 special wards with single bed. Moreover, the hospital has an intensive care unit with a 5-bed capacity. The charges are given in the table below(Rs.).
V. Rajaraman/IISc. Bangalore
M15/V1/Sep 05/2
System Analysis and Design/Case Study
Question Bank
General
Special
4-bed
8-bed
200
150
Maternity
Single 400
Double 300
250
Intensive care unit costs Rs. 1000/- per day. The doctor notes down the clinical details on the patient’s card, which contains the following details. The name of the patient, address, date of visit, doctor’s name etc. If the patient has to be admitted, other details such as bed no., ward no., type, and date of admission are noted. If the patient has been recommended or desires a special ward but is currently not available, he may be admitted in a general ward and later transferred when a bed is available. Operation costs are not fixed and are determined on a case by case basis. When the patient is discharged, the bed charges should be computed. To this should be added costs of medicine, treatment, consultation fees, operation charges if any, and laboratory charges. Assume that another subsystem of hospital information system gives you these details and is available. Your system will have to compute equipment charges for those used by patients. Whenever an equipment is used by the patient, the details are noted. Assume that the available equipment are X-ray machine, infra red radiation generation machine, scanner, ultrasound machine, etc. The charges are based on number of exposures incase of X-ray at Rs.50 per exposure. The others are based on number of hours of usage, at Rs. 100, 150, and 200, respectively All the above costs are to be added and presented in final bill. Your system should keep track of patients data, history ward/equipment usage to calculate other costs, ward/bed allotted or otherwise, operation theatre used. The following problems are encountered by the hospital: Currently the hospital is not able to keep track of the free/allotted wards/beds and their details due to frequent shifting of the patients, difficulty in tracking both wardwise and patientwise. Patients data, especially history is also difficult to extract. Your system should be able to provide the following information: Details of a patient such as when a patient was admitted, his or her charges, facilities used, date of discharge, etc. State of beds/wards, free/occupied etc. 4. Insurance The Bangalore divisional office of XYZ Insurance Corporation of India desires to have computerized information system and has approached you for developing the same. Assume that the Corporation offers 2 types of policies, namely, endowment and moneyback. The endowment policy operates as follows: the policy holder pays premium until the maturity of the policy or his death, at which time the sum assured and bonus is paid to the holder or the nominee respectively.
V. Rajaraman/IISc. Bangalore
M15/V1/Sep 05/3
System Analysis and Design/Case Study
Question Bank
The money-back scheme differs in that 25% of the sum assured is paid back to the holder after expiry of every quarter of the policy term. For instance, consider a policy for 20 years and Rs. 50,000 sum assured. Rs.12,500 would be paid back to the holder at the expiry of 5,10 and 15 years, respectively. At the maturity of the policy the remaining Rs12500 and the bonus would be payable. In case of death the remaining amount of the sum assured and bonus would be paid back to the nominee. Assume that the Bangalore division has 100,000 policy holders and 150,000 policies of which 20,000 are money back. (i) Endowment policy. The premium to be paid is worked out based on age of the person proposed and the term of the policy. The sample table given below shows the annual premium payable (in Rs.) for an assured sum of Rs. 1000. The sum assured should be a multiple of Rs.1000 and the minimum is Rs10,000.The minimum term is 15 years. The minimum age at entry is 18 and the maximum is 45.Premium can be paid monthly, quarterly, half-yearly, or annually. Form tables for the above cases using these data as guideline. While designing the tables keep in mind that the total premium paid should be slightly lower incase of annual mode of payments, and the highest premium should be for monthly payments, and the highest premium should be for monthly payment.
(ii)
Age at entry
18
25
30
35
Policy term 15 years 20 years 25 years 30 years
70 52 41 34
72 53 42 34.5
74 54 42.75 35
76.25 56 44 -
Money –back policy. The premiums are much higher than the endowment case. Typically they would be Rs 10-20 more for every Rs 1000 sum assured. The Amount paid as bonus by the Corporation on maturity is currently Rs.65 per Rs 1000 sum assured. This amount may be revised every year by the Corporation depending on the profits. This holds for both types of policies. Policies may lapse if the holder does not pay the premium for more than to two years. However, it can be paying penalty charges if the period of lapse does not exceed five years. The Corporation has divided Bangalore division into 15 zones for its convenience. Each zone has a zonal manager. The Corporation also has several agents to procure business. A proposer of a policy may do so only through an authorized agent. These agents report to the zonal manager. Every zone has a number of agents allotted, typically ranging from 10 to 20. Every agent must procure a minimum of 10 customers and a policy value (combined) of at least Rs.1.5 lakhs in order to retain his agency. Agents get commission as follows: 25% and 5% in every subsequent year. Your system should keep track of zones, agents, policy holders and their details. In addition
V. Rajaraman/IISc. Bangalore
M15/V1/Sep 05/4
System Analysis and Design/Case Study
Question Bank
to operational information, your system should handle queries such as the following: Which agents perform consistently well/badly? Which areas can be assigned to more agents and which have already too many? Which type of policies perform well/badly? 5. Book Publisher’s Assistant This system attempts to help a book publisher in maintaining details about his books, customers, receipts/payments, etc. A book may be published afresh or it could be a new Edition or just reprint. The copyright may belong to either the author(s) or publisher. The publisher may reprint any number of copies if he holds the copyright. If the author holds the copyright, he may publish only as much as is asked by the author. Further, the publisher may have to pay royalty in such a case for every book sold. Various book sellers, libraries, institutions, etc., order books. If the required number of copies is available the publisher sends the books and updates his stock level. If they are not available, he may send a partial consignment provided it is acceptable to the customer. Payments may be either cash/credit, subject to suitable credit limits. The publisher may decide to reprint a popular book if he holds the copyright. Otherwise he approaches the author for consent. The author may also revise it and the publisher brings out a new edition. Assume that the publisher has published roughly 10,000 books of various titles in various subjects and that roughly 100 new books are oublished every year and that 100 new editions are also brought each year. Assume that 200 reprints of various books are also published. The minimum number of copies published is 1000. On an average about 5000 copies of each book is published. Your system should provide the following information: A list of various customers, libraries, etc., placing orders has to maintained, with relevant details. For each customer the list of books ordered with details such as cost, address of customer, date of order, date of delivery, qty.delivered, etc. Details of reprints, new editions of books. Details of current stock, books and their quantity in publication etc. Books published by an author. List of books in a given subject The books that get sold out fast, the authors who are popular, etc. The publisher would also like to send a list of new books published every year to various customers/libraries, etc., with relevant details such as title and author.
V. Rajaraman/IISc. Bangalore
M15/V1/Sep 05/5
A BRIEF OUTLINE OF ANALYSIS AND DESIGN OF SYSTEM FOR ROOM BOOKING IN A HOTEL STATEMENT OF PROBLEM This project addresses the information required by a hotel to book rooms and clear the bills of customers. The hotel decides to computerize room booking and customer checkout formalities. The hotel has various types of rooms. It wants to allow booking online through the internet besides normal booking by phone, letter and also spot booking on arrival of the customer. The hotel management is willing to invest in a PC with internet connection. It is also willing to train the staff at the reception desk to handle computerized booking. It is unwilling to invest in local network in the hotel, which would allow on-line updating of customer charges. Customer bills are sent from restaurant, laundry etc to the reception desk accountant for manual updating of accounts. As the hotel is small with only 177 rooms, this is feasible.
A
i)
FACT GATHERING AND REQUIREMENTS SPECIFICATION
Hierarchy chart of the organization
Manager
Hotel Staff
Front desk receptionist
House keeping staff
ii) List of persons to be interviewed Manager Front desk receptionist Accounts staff
Restaurant staff
Communication systems
Accounts office
ii) Questions to be asked a) b) c) d) e) f) g) h) i) j) k)
What are the various rooms and their details? What are the rates applicable to each type of room? Is advance booking like booking via internet, phone etc to be allowed? What are the facilities provided by the hotel? Is the utilization of these considered as extra charges or is it included along with the room charges? What are the functions of the front desk receptionist? What communications services are provided? How many days ahead of stay can a room be reserved? Can companies book rooms on credit and clear the bills when sent to them? Can a person extend his stay? What if the customer does not turn up even after he books?
iii) Records of Discussion: a) The hotel has rooms in the first, second and third floor. b) Rooms may be regular/deluxe/suite type and can be either single/double/triple. c) Suite types are double or triple occupancy. d) Rooms may or may not be air-conditioned. e) All deluxe/suite types are always air-conditioned f) The no of rooms and booking rates are shown below:
Rates per day (Rs) and No of rooms in each floor
Rate AC Single Non-AC Single AC Double Non-AC Double AC Triple Non-AC Triple Floor
150 100 250 175 350 275
Regular No. of 50 75 20 30 10 10 G
30 30 10 15 05 F
rooms
Rate
20 30 10 15 05 S
250 400 600 -
Deluxe No. of 30 40 05 G
40 20 10 F
rooms 40 20 10 S
Suite Rate No. of rooms 500 700 -
10 03 G
30 20 05 07 F S
g) Facility for online booking on the internet is to be provided. Form specifying the customer details, room request, date of arrival, duration of stay, credit card details etc has to be filled and submitted, and the hotel management should be able to respond immediately. h) A room can be booked a week well in advance with an advance payment. Advanced booking by a company for its employees is allowed. But this requires an advance of 50% of estimated charge to be paid. The customer can cancel anytime up to 5:00 pm, the day prior to arrival. No cancellation charge applies, the advance amount is refunded, unless you cancel after this time, in which case the cancellation fee equivalent of one night’s stay, is charged. i) The check-in and checkout time for the customer is 2:00pm. He is allowed to stay 1hr after the checkout time without any charge. After that (provided the room is not booked), he is charged with a rent of ½ a day j) Booking by phone is to be provided. In this case also credit card details are to be provided and the hotel should be able to confirm reservation immediately. k) The customer books the room and does not turn up, he also does not intimate the hotel for canceling of rooms, then his advance amount is forfeited. l) If the customer wants to extend his stay beyond 7 days, he needs to pay at least 50% of his current amount balance, then he is eligible for extension. m) If the customer wants to reduce his stay, he need to inform the hotel staff 1day prior to the checkout time, otherwise his money will not be refunded. n) If the customer is averse to giving his credit card details on the Internet he could download the reservation form and send the completed form through FAX along with credit card details. o) The facilities provided by the hotel which the customer can avail are bar, restaurants, room services, laundry services, travel packages, swimming pool, rooms with computers and internet connection for surfing, shopping mall, parking garage for overnight or short term parking, communication systems like telephone, fax, room service, extra beds and ATM counter. p) The modes of payments are credit card or cash or billing to companies. When the customer checks out his/her bills include in addition to room charges extra charges for facilities used by him such as telephone, telex, fax services, extra beds, laundry services and Internet surfing.
q) The customer is allowed to extend his stay provided the room is vacant and is not been booked by any other customer on the same dates. r) The responsibility of the front office which should have access to the computer are: (i) Room booking (ii) Collating all bills (such as room rent, room service, restaurant, communications) of a customer and charging it to customers room account. (iii) Preparing consolidated bill for a customer and collecting amount due on departure or charging to credit card or sending it to the company booking accommodation (iv) After sending bill to company follow up on payment of bill. (v) Reconciling credit card bills with payments credited to hotel’s account by credit card issuing bank (periodically normally once a month) (vi) When a bill is paid and a customer checks out of the hotel immediately inform housekeeping to get the room cleaned and ready for the next occupant. (vii) When housekeeping phones and says the room is ready include in the vacant rooms list
iv) Document flow diagram Not available, list of available rooms
CUSTOMER
Request for room reservation through Web/Phone/letter/spot request/company request Customer details
FRONT END OFFICE
Checks Updates
AVAILABLE ROOMS IN EACH FLOOR
Response to request Informs ready status of the room HOUSE KEEPING STAFF
Informs about the exit
CREDIT CARD Advance/Payment /CASH Avails
FACILITIES
Customer details
Accept after checking validity
Informs about the bill settlement
EXIT/CASH COUNTER
Room rent +Extra charges for use of facilities
Invoice/ Receipt of cash payment
The outputs of the Document flow diagram: a) List of available rooms in each floor b) Generation of invoice, including the room rent and extra charges of the facilities availed. c) Updating of the available room list after a customer vacates.
B SYSTEM SPECIFICATIONS (i) Detailed DFD
Avails
Confirms Room reservation Room Not Available List of available rooms
CUSTOMER
Requests for room/Exit request
Records Receipt/ Invoice
Customer details
Confirms room reservation /Informs about the exit
1. Processing a room reservation request Checks availability
Updates Available rooms
2. Payment Section
Room rates Invoice Payments Receipt/Remainder
Bank
Intimate about unreconciled accounts
Credit card payment
Informs the ready status of the room House keeping staff
Validity of the credit card
Confirms Bills for use of facilities
Company database
Company customer
Informs vacating rooms
Checks
Inform about the allotment Room request
List of facilities and its cost details
Available Rooms
Advance/Payment Confirms Room reservation
3. Facilities
4. Reconciliation of accounts
Invoices for use
Customer accounts Update customer accounts
Update Reconciled accounts
The functions of the each process in the DFD are as follows: Functions of Process1 a. When a particular room request is obtained from the customer via Internet browser or phone or fax, checks if the requested room is available from the AVAILIABLE ROOM database (Room No, Type of room, Rent, Status). b. If the requested room is available CUSTOMER DETAILS (Customer name, Type of room, Contact Address, Credit card No, Date of Arrival, Date of leaving) is recorded, saved in the database so that Process2 can access it. Inform the customer about the room allotment, after Process2 sends the confirmation of allotment. c. If the requested room type is not available intimate the customer so that he could ask for an alternate room or try elsewhere. d. If the customer is been sponsored by a company check for the availability of the room from the database and confirm the allotment if available. Obtain the customer details and inform about the allotment to the Process2. e. The check-in and checkout time for the occupant is 2:00pm. The customer is allowed to stay 1 hr after the checkout time without cost, after which he is charged with ½ day charge. Inform Process2 for the transactions. f. If there is request for exit from the customer, inform Process 2 g. Informs the house keeping staff upon exit of a customer, so that the room can be made ready for the next occupant. h. Upon cancellation of room reservation or reducing the number of days of stay request, intimate Process2, so that it can take care of forfeit charges. i. If the customer requires an extension, check whether the room is not allotted to some other customer and hence is vacant. If it is vacant and is not booked by any other customer, provide extension for stay, otherwise deny the request. j. Incase of a customer’s request to extend his stay after 7 days, the customer is asked to pay 50% of his current account balance, provided the room is vacant and is not booked by any other
customer. Inform Process 2. Allot the room after confirmation obtained form Process 2. k. If the customer does not turn up after advance booking of the room and does not send and cancellation request he is forfeited with the advance amount. Inform Process 2 for payment transactions. Functions of Process 2 a. For the customer who is sponsored by a company maintain his accounts in a COMPANY DATABASE (Customer Name, Company, Type of room, Contact Address, Date of Arrival, Date of leaving). b. Collect advance payment from the customer either by cash or by credit card based on the room rates and advance payment conditions. If credit card, checks for the validity of the credit card and confirms him about the room allocation. c. Maintains customer’s accounts in CUSTOMER ACCOUNTS database (Room no, Advance, Extra charges, Forfeited cost, Total). d. Send the customer receipt of the current transactions. e. Updates the AVAILABLE ROOM list in the database after allotment. f. Inform Process 1 about the confirmation of room request. g. At the time of the ordinary customer’s checkout, give the customer the INVOICE (Customer Name, Date of Arrival, Date of Departure, Room type, Room rent, Name of facility, Date when used, Facility cost, Last Date of Payment, Total) and collect dues. h. Incase of a customer who wants to extend his stay, even after 7 days of his stay in the hotel, provide him an invoice of the current balance account and request him to pay 50% of the dues. After payment, update the account database and inform Process1. i. Confirm Process1 about the exit of the customer and update the available room database j. Incase of cancellation, the customer can cancel anytime up to 5:00 pm, the day prior to arrival. No cancellation charge applies, the advance amount is refunded, unless you cancel after this time, in which case the cancellation fee equivalent of one night’s stay, is charged.
k. If the customer wants to reduce his stay he has to inform the hotel staff 1 day prior to the checkout time, otherwise his money is not refunded. l. Incase of a customer who has not turned up after advance booking of the room, he is forfeited with advance amount.
Functions of Process 3: a. Updates the customer accounts database by the details of FACILITIES (Room no, Facility details, Cost) availed by the customer and its corresponding charges. Sends invoices to Process 2 for updating customer’s accounts.
Functions of Process 4: a) Send the invoice to the company at the time of exit of customer stating the deadline within which the due is to be settled. b) Provide a receipt after the settlement of the dues. c) Update the CUSTOMER ACCOUNTS database. d) Update the RECONCILED ACCOUNTS (customer name, organization name, room number, duration of stay, total amount) database. e) Send a remainder to company if the accounts are not settled within the specified deadline f) Inform the bank about unreconciled credit card payments. The structured English description of each process is given below: Procedure for process1 (a) for every room request obtained from a customer do check if the requested room is available if the requested room is available then record the customer details. Inform the customer of the room allotment after Process2 confirms it. else intimate the customer about the non-availability of the room end for
(b) for every room request obtained from a company on behalf of a customer do check if the requested room is available if the requested room is available then
Inform the company of the room confirmation Record the company customer details. Inform Process2 about the allotment. else Intimate the company about the non-availability of the room; end for (c) for every exit request by the customer do Inform process2 about exit request; end for (d) for every room exit info obtained do Inform the house keeping staff so that the room can be made ready for the next occupant; end for
(e) for every cancellation of room request obtained do Inform Process2 about the cancellation; end for
(f) for every request for extension obtained by the customer do Check whether the room is vacant and is not booked by any other customer; if the room is vacant then accept the request for extension; else deny the request; end if if the customer is been staying in the hotel for 7 days and requires extension then Inform Process2 for 50% of due settlement; Allot the room to the customer after confirmation obtained from Process2; end if end for
(g) for every customer who does not turn up after advance booking of the room do
Inform Process2; end for
Procedure for process2 (a) for every room allotment request obtained from a customer do receive an advance payment by the customer if the mode of payment is credit card then check for the validity of the card inform Process1 about the confirmation; Send the customer the receipt of current transaction; else if mode of payment is cash then Collect the advance cash Inform Process1 about the confirmation; Send the customer the receipt of current transaction; else State as room not allotted; end if end for
if the room is allotted then Create the customers account to maintain the customer’s transactions; Update the customer accounts database; end if (b) for room allotment information obtained by Process1 about the company customer do Record the details in the company database Update the customer accounts; end for (c) for every extension request obtained form Process1 then Send the invoice to customer asking him to pay 50% of the current balance; After payment, update the customer accounts database; Inform Process1 to confirm allotment; end for
(d) for every exit request obtained do
if he if not a company customer then Give the customer the invoice by getting details from the customer’s account; Collect the payment; Update the available room database; Inform Process1 about the exit; else if he is an company customer then Inform Process4 about the exit end if end for (e) for every cancellation request obtained form Process1 do if it is within 5:00 pm and one day prior to the arrival then No cancellation fee is charged; Cancel the booked rooms; Update available room database; else Charge the customer with the cost equal to one nights stay; Issue the cancellation receipt; Update the customer account database; end if end for
(f) for every customer who has not turned up after booking the room do forfeit his advance amount; Issue the receipt; Update the customer account database; Update the available room database; end for (g) for every customer at the time of checkout do if the customer wants to stay 1 hr after checkout time then the customer is not charged; else charge him with ½ a days charge after 1 hour; Update the customer account database; end if end for
Procedure for process3: (a) for facilities availed by the customer do update the customer’s account by the price of the facility made use of; end for Procedure for process4: (a) for every company customer who is exiting from the hotel do Send the invoice specifying the deadline within which the dues are to be paid to the company; if the mode of payment is cheque, and is within the dead line then collect the invoice payment; update the customer’s account; update reconciled accounts database; provide a receipt of the current transaction; else Send the remainder to the company; end if if the mode of payment is credit card then collect the invoice payment from Bank; update the customer’s account; update reconciled accounts database; else if amount from the bank has not reached the hotel within the deadline then intimate the bank about the unreconciled amount Send a remainder to the company end if end for
ER DIAGRAM 1
Customer
Request
Customer Num Customer Name Customer type Date of arrival Duration Address Customer Num Room type Date of arrival Duration
Rooms
Room Num Room type Check-in time Checkout time Cost/day
Rooms
Room Num Room type Check-in time Checkout time Cost/day
ER DIAGRAM 2
Allocated to
Customer ER DIAGRAM 3
Room num Customer num
Customer Num Customer Name Customer type Date of arrival Duration Address
Customer
Avails
Facilities
Customer Num Customer Name Customer type Date of arrival Duration Address Customer num Facility Num Date of use
Facility Num Facility name Facility Cost Facility Details
ER DIAGRAM 4 (At the time of Exit)
Customer
Pays
Invoice
Customer Num Customer Name Customer type Date of arrival Duration Address
Customer Num Invoice Num Last date for payment
Invoice Num Customer Num Date of payment Customer Name Date of Arrival Date of departure Room Num Room type Room rent Facility Num Name of facility Date when used Facility cost Advance paid Total
ER DIAGRAM 5
Outstanding Invoices
Sent to
Customer
Customer Num Invoice Num Last Date of payment Customer Name Date of Arrival Date of departure Room Num Room type Room rent Facility Num Name of facility Date when used Facility cost Advance paid Total
Invoice Num Customer Num Last date for payment
Customer Num Customer Name Customer type Date of arrival Duration Address
ER-DIAGRAM 6 (Incase of cancellation of room and when the customer does not turn up after booking the room, or when he is reducing his duration of stay)
Cancellation Receipt
Sent to
Customer
Receipt Num Customer Num Customer Name Advance paid Check-in time Checkout time Forfeited cost/ Cancellation fee Balance amount
Receipt Num Customer Num
Customer Num Customer Name Customer type Date of arrival Duration Address
Normalized relations Customer : Customer Num, Customer Name, Date of arrival, Duration, Address, Customer type. Room: Room Num, Room type, Check-in time, checkout time, Room cost/day Customer-room relation : Customer Num, Room Num Facilities: Facility Num, Facility name, Facility Cost Customer-facility relation: Customer Num, Facility Num, Date of Use Invoice : Invoice Num, Customer Num, Customer Name, Date of Arrival, Date of Departure, Room type, Room rent, Name of facility, Date when used, Facility cost, Last Date of Payment, Total. Customer-pays-Invoice relation: Customer Num, Invoice Num, Last date of payment
USER INTERFACE MAIN MENU 1. MENU A: BOOKING 2. MENU B: PAYMENT SECTION 3. MENU C: FACILITIES 4. MENU D: EXIT 5. MENU E: RECONCILIATION 6. MENU F: EXTENSIONS 1. MENU A: BOOKING a) Types and cost of rooms b) Conditions for booking c) Request for customer details d) Check for the availability of the room e) Respond to the customer f) Exit from MENU A 2. MENU B: PAYMENT SECTION a) Accept advance payment (after checking validity if necessary) b) Send confirmation of room allocation c) Add the customer to the customer accounts database d) Update the Available room database e) Exit from MENU B
3. MENU C: FACILITIES a) List of Facilities and cost details b) Update customer account c) Exit from MENU C 4. MENU D: EXIT a) Send the invoice b) Accept full payment c) Update the Available room database d) Inform house keeping staff e) Exit from MENU D 5. MENU E: RECONCILIATION a) Send the invoice b) Accept cheque or credit card mode of payment c) Provide a dead line for the payment d) Send remainder if not paid within the dead line 6. MENU F: EXTENSIONS a) Forfeit amount on cancellation b) Display invoice c) Print invoice d) Update available room database e) Exit from MENU E
CONTROL AUDIT AND TEST PLAN
USE CASE: Room reservation Goal in context: A customer requests for a room and is allocated if available. Primary Actor: Customer Level: User Goal level Precondition: Advance online booking requires that the customer has a valid credit card and an advance payment is required if the booking is via phone. Booking on arrival requires, if the requested room is available, 50% of the room rent to be paid. Success Guarantees: Room requested is available and credit card must be valid incase of advanced booking. Failure: The requested room is not available; the Customer can select form the available list of rooms.
Trigger: Customer sends a request for room reservation. Scenario: 1.Customer initiates the requests. 1a. The customer can send an online request. Form specifying the customer details, room request, date of arrival, duration of stay, credit card details etc has to be filled and submitted, and the hotel management would respond as quickly as possible after checking the validity of the credit card. 1b. The customer can book the room via phone. But this requires a deposit of room rent for 1 or 2 nights be sent within 10 days to guarantee the reservation. 1c. The customer can book a room by going to the hotel personally and is allocated the room if available and asked to pay an advance amount. 1d. Advanced booking by a company for its employees is allowed. But this requires an advance of 50% of estimated charge to be paid. 2. Front desk receptionist checks for the list of available rooms, if available records customer details. 2a. If the requested room is not available the customer is intimated and he could book a room from the available list. 2b.
Intimate the Payment section when there is request from the customer for exit.
2c. If the customer request for an extension check if the room is not booked by any other customer, agree for the extension for not allotted otherwise deny the request for extension. 2d. Incase of the customer who would like to extend his stay after staying for 7 days in the hotel, he has to pay 50% of his current account balance. 2e. Incase of cancellation, the customer can cancel anytime up to 5:00 pm, the day prior to arrival. No cancellation charge applies, the advance amount is refunded, unless you cancel after this time, in which case the cancellation fee equivalent of one night’s stay, is charged. 2e. For a customer who has booked the room in advance but has not occupied, advance amount is forfeited.
3. Accounts staff in the payment section manages/accepts the advance payment and confirms room allocation after checking the validity of the credit card, if the payment was via credit card. 3a. The Payment section maintains the customer accounts and this includes along with room charges and advance payment, the extra charges of the facilities the customer has availed, such as telex, telephone, fax services, extra beds, laundry services, internet surfing, shopping mall and bar and restaurant. 3b. Upon intimation about the customers exit, sends invoice to him, after deducting his advance payment. 3c. Cheque or Credit card mode of payment is accepted if the customer is from a company 3d. A deadline is mentioned within which the payment has to be made, otherwise a remainder is sent. 4. The House keeping staff is informed so that the room can be made ready for the next occupant, after the customers exit. 5. If the customer wants to reduce his stay, he need to inform the hotel staff 1day prior to the checkout time, otherwise his money will not be refunded.
Extensions: 1. The check-in and checkout time for the customer is 2:00pm. He is allowed to stay 1hr after the checkout time without any charge. After that (provided the room is not booked), he is charged with a rent of ½ a day 2. The customer is informed if the room requested is not available and he could book another from the available list. 3. If the customer finds unsafe to book via internet he could download the reservation form and send the completed form through FAX along with photocopy of both sides of the credit card. 4. Bookings made must be guaranteed immediately with a credit card to reserve the room. Channel to Primary Actor: The customer can book the room personally. Advanced booking can be made via Internet browser, Phone or FAX.
Test plan: 1. Enter a room number, which is already allotted, during booking and see the response. 2. Enter a room number, which is not allotted and see the response. 3. Enter an invalid credit card number and check the response. 4. Create payment transactions scenarios and see the result. 5. Use the facilities options and see if it’s updating the customer accounts. 6. Check the response when the customer exits 7. Check if the remainder is sent, when the deadline for payment is not met. IMPLEMENTATION PLAN 1. Design the input screen 2. Create a database of available rooms, their cost and their status 3. Create a database for customer details 4. Create customer accounts database 5. Integrate all database and processes designed 6. Test each process designed using sample data 7. Create transactions to check the various processes mentioned in the test plan. 8. Create user manual 9. Create systems manual 10. Design user’s feedback form and system review plan
DATA DICTIONARY
Customer Customer Num: Num(10), Primary Key Holds the Unique Customer Number Customer Name: First Name: char (50) Last Name: char (50) Holds the name of the Customer Customer Address: Has information about the customers address Street: char (50) City: char (50) State: char (50) Zip: num (50) Phone: num (50) Email: varchar (50) Date of arrival: Varchar (10) Has the date when the customer arrived to the hotel in the form DD/MM/YYYY Duration: Num(3) This field contains the duration of the customers stay Customer Type: Num(1), Not Null Two types of customers 1Æ Company Customer 2Æ Ordinary Customer
Facilities Facility Num: Num(2), Primary Key Holds the serial number of each facility Facility Name: Char(50) Holds the name of the facility provided by the hotel. [The list of facilities provided by the hotel is as follows:
Telephone, telex, fax services, extra beds, laundry services, internet surfing and Restaurant].
Facility Cost: Num(7) Contains the cost charged for each facility Room Room Num: Num(3), Primary Key
This field contains the room number Room type: Char(1) The room types can be as follows: AC Single Non-AC Single AC Double Non-AC Double AC Triple Non-AC Triple Room cost/day: Num(3) Contains the cost of the room charged on daily basis Check-in time: Varchar(7) Records the time when the customer checked into the room Checkout time: Varchar(7) Record the time when the customer checked out of the room Rooms available: Num(3) Has a record of Number of room currently available
Invoice Invoice Num: Num (10), Primary Key
Contains a unique Invoice number
Customer Num: Num(10) Holds the customer number Date of arrival: Varchar (6) Has the date when the customer arrived to the hotel
Date of departure: Varchar (6) The date when the customer leaves the hotel Room type: Char (1) The room types can be as follows: AC Single Non-AC Single AC Double Non-AC Double AC Triple Non-AC Triple Room rent: Num (3) Contains the cost of the room charged on daily basis Name of facility: Char (2)
Holds the name of the facility provided by the hotel. [The list of facilities provided by the hotel is as follows:
Telephone, telex, fax services, extra beds, laundry services, internet surfing and Restaurant]. Date when used: Varchar (10) Holds the date when the facility was used in the format DD/MM/YYYY
Facility cost: Num(3) Contains the cost charged for each facility Last date of payment: Varchar (10) The date within which the payment has to be made in the format DD/MM/YYYY Advance paid: Num(6) Advance amount paid by the customer. Total: Num(8) The gross amount that the customer has to pay
Outstanding invoices Customer Num: Num(10), Primary Key Holds the Unique Customer Number Invoice Num: Num (10), Primary Key
Contains a unique Invoice number Last date of payment: Varchar (10) The date within which the payment has to be made in the format DD/MM/YYYY Customer Name: First Name: char (50) Last Name: char (50) Holds the name of the Customer
Date of arrival: Varchar (6) Has the date when the customer arrived to the hotel
Date of departure: Varchar (6) The date when the customer leaves the hotel Room Num: Num(3), Primary Key This field contains the room number
Room type: Char(1) The room types can be as follows: AC Single Non-AC Single AC Double Non-AC Double AC Triple Non-AC Triple Room rent: Num (3) Contains the cost of the room charged on daily basis Name of facility: Char (2) Holds the name of the facility provided by the hotel. [The list of facilities provided by the hotel is as follows:
Telephone, telex, fax services, extra beds, laundry services, internet surfing and Restaurant]. Date when used: Varchar (10) Holds the date when the facility was used in the format DD/MM/YYYY
Facility cost: Num(3) Contains the cost charged for each facility Advance paid: Num(6) Advance amount paid by the customer. Total: Num(8) The gross amount that the customer has to pay
Cancellation Receipt Receipt Num: Num (10), Primary Key
Contains a unique Invoice number Customer Num: Num(10), Primary Key Holds the Unique Customer Number Customer Name: First Name: char (50) Last Name: char (50) Holds the name of the Customer Advance paid: Num(6) Advance amount paid by the customer.
Forfeited cost/ Cancellation fee: Num(6) Contains the cost the customer will be charged upon cancellation of the booked room. Balance: Num(8)
The gross amount that the customer has to pay
CASE STUDY 1 A SYSTEM FOR JOURNAL ACQUISITION Statement of Problem A small library in an educational institution subscribes to 300 journals. It is desired to automate the journal acquisition and subscription system. We will follow the steps given in Table1 to analyze and design the system. The first step in design is fact gathering. The outcome of fact gathering is given below.
FACT GATHERING AND REQUIREMENTS SPECIFICATION
i)
Hierarchy chart of the organization
LIBRARIAN
DEPUTY LIBRARIAN JOURNAL ORGANIZATION
Programmer
Library assistant
ii) List of persons to be interviewed a. Librarian overall incharge of library b. Deputy Librarian incharge of journal acquisition c. Library Assistant who assists deputy librarian ii) Questions to be asked a. b. c. d. e.
Why is the computer-based system being considered? What are the basic objectives of the proposed system? What is the volume of data to be processed? What is the frequency of processing? What are the benefits expected from the system?
iii) Records of Discussion:
a. About 300 journals are subscribed by the Library, with periodicity varying from half yearly, monthly and quarterly b. The journals mostly come from abroad by surface mail and take approximately three months to reach from the date of dispatch c. Loss of journals in mail and delay on publication is also noticed d. If a journal is missed and a request for replacement is sent promptly the publisher normally sends the duplicate copy free of charge e. If the request is not sent promptly then it would be difficult to get the free copy f. Most subscriptions are to be sent in November well ahead of start of new year. g. As foreign exchange payment is involved, renewal an payment is required to be made in advance Currently the entire system is manual and is done by two scientific assistants. They handle approximately 50 journals per week. It is found that follow up of journal acquisition is time consuming and error prone. It is felt that follow up will be easier and faster if a PC is used. As the volume of transactions is not large a standard PC configuration (P4 or AMD processor, 128 MB main memory, 40GB disk, CDROM, floppy disk, 15’’ monitor, standard key board, Windows2000, MSOffice) will be quite adequate. A programmer will develop all the application software in 2 or 3 months. The system is cost effective and is feasible. A detailed feasibility analysis is not essential in the problem. The basic objectives of the system are: a. To follow up regularly receipt of journals, promptly detect delay in receipt of an issue and send a reminder to the journal publisher b. To follow up with the publisher to send invoice for journal subscription well ahead of time c. To renew subscriptions of journal promptly d. To print out each week a list of journals received to be displayed so that users know of the arrival of journals e. To answer queries about the status of subscription, receipts, missing issues, etc, of any journal in the collection The main benefits expected by using the computer–based systems are a. Prompt follow-up with publishers to get replacement of missing issues of journals b. Prompt renewal of subscription and follow up with accounts section. This will avoid late payment of subscription and consequent cancellation of subscription and missing/late issues. c. Ability to answer enquiries about receipt of journals d. Analyze budget for journals, allocation of money to different disciplines.
iv) Document flow diagram
Journal order and cheque Remainder for journals Remainder for invoice
Publisher
Invoice
Receiving Office
Journals Journals Library
Invoice Received Journal Information
Journal Processing group
Journal received list
Invoice + Indent reference + cheque
Indent Purchase section
Accounts section Invoice copy
Journals for binding list The outputs required from the system and frequencies of outputs are described below: a. List of journals received - each week b. List of completed volumes ready to be bound – Once a year. c. Journal renewal with subscription to publishers - Before Nov 30 , each year starting on November 1. d. Reminder to publishers on non-receipt of journal – Aperiodic e. Indents for journal procurement to be sent to Accounts section – Before Nov1 each year starting Oct 1 Feasibility of the system We saw that the system is fairly simple and straightforward to implement and can be done with just 1 PC. The benefits here have already been listed. The cost is just that of a PC with system software and applications. It is around Rs 35,000 at 2005 prices.
SYSTEM SPECIFICATIONS
(i)
Detailed DFD
Request for missing journal issue
3 Generate reminder
Journals not received
Publisher Received journal details
Request for invoice
1 Check with order
Journal master
Received journal details
2 Update journals received and print
Weekly list
Library office
Journals ready for binding Journal master
4 Renewal process
Invoice for renewal
Journal publisher master
Journal expected
Generate Indent
Purchase section
Journal Received file
Payment authorization
5 Send Payment
Journal publisher master
Accounts section
Draft details with invoice copy
Payments detail with Invoice copy
Journal master
Journal publisher master
Journal payment Detail file
The functions of the each process in the DFD are as follows:
Process 1: 1. When a journal is received check journal ordered master 2. Generate details of journal received (journal identity, name, volume, issue no, month) and send details to Process 2. Process 2: 1. Enter journal received detail in journal received file 2. Print list of journals received during a week 3. Check list of journals expected with the journals received file. Send the list of journals expected and not received to process 3 4. When all issues of journal expected during the year have been received, send the information to journal binding section of the library Process 3: 1. Using the journals not received list, generate reminders to the publishers and request replacement Process 4: 1. In September, October and November check whether an invoice is received from the publisher for journal due for renewal in that month. If not, send request for invoice to the publisher. 2. When an invoice is received from the publisher, generate an indent to be sent to the purchase section Process 5: 1. When payment details with invoice copy are received from accounts, update entry in journal master file, enter payment information in payment detail file and mail payment detail with a copy of invoice to the publisher
The structured English description of each process is given below: Procedure for process1
for each journal received do Enter journal identification code, volume and issue no. if journal is in ordered file then Retrieve journal details from master file and send details to Process2; else Give message “Journal not in master. Check identification code entered”; end for
Procedure for process2 for each journal received transaction sent by process1 do Enter journal received file; Print journal received in weekly list; end for Send list of journals received during week to the library. At the end of each month for each journal expected during the month do Search in journal received file; if not in file then send journal identification, volume no, and not received transaction to process 3; end for At year end for each journal in journal received file do if all issues of volume received then print journal details in binding list end for Send list to library
Procedure for process3 for each journal received note from process2 do using journal identification find publisher details from Journal-publisher master file; print letter requesting replacement to publisher; end for
Procedure for process4 At the end the month for each invoice received from the publisher do Search journal master file to find journal details; Search publisher master file to find publisher details; Generate indent and send to purchase section; Enter journal ordered information in journal master file; end for
Procedure for process5 for each payment detail received from accounts section with invoice copy do Enter payment details in payment detail file; Enter paid information in Journal master file; Send payment details with invoice to publisher; end for
DATABASE DESIGN (i)
(ii)
(iii)
Data about journals: Journals id, Journal code (ISSN), journal name, vol no, periodicity, parts per number, subject code, language, publisher identification, time allowed for delivery, year of first issue ordered renewed upto year. Data about subscription details : Journal identification, date of invoice to be sent, yearly subscription, currency of subscription, date when subscription sent, subscriber code, amount in rupees, subscription amount in foreign country, invoice no, order no, draft no, draft date, bank name Data about publisher/agent supplying journal: Publisher identification, Publisher’s name, address, agent or publisher.
The entity-relationship diagram for the application is shown below:
Publisher
1
1
1 Expected from
Ordered from
Publishes
1
N Journals
N
The publisher-journal relationship is one-to-many. The normalized relations are given below. Journal: Journal id, journal name, journal ISSN, subject code, language, key words, number per volume, parts per volume, month of first number, year first ordered, renewed upto year. Publisher/Agent: Publisher id, publisher’s name, address, agent or publisher, publisher type. Journal-publisher relation: Journal-id, publisher id Journals Expected: Journal-id, vol, no, first no, month, periodicity, expected delay. Journals received: Journal-id, vol, no of issues in vol, no of issues received, last issue no received. Journal payment details: Journal id, vol, order no, order date, publisher’s invoice no, invoice date, foreign currency amount, rupee amount, draft no, draft date, bank no.
The relations needed by each process in the DFD:
Process
Relations to be read
1.
Journal expected
2.
Journal Journal expected
3.
Journal-publisher Publisher
4.
Journal-publisher Publisher Journal
5.
Journal-publisher Journal
Relations to be written
Journal received
Journal payment details
(iv)
Data encoding: All journals have a standard international code known as ISSN that can be used. In our design a simple serial number is used as a code to reduce data entry. In this case this is acceptable as the number of journals is quite small.
MENUS FOR DATA INPUT MAIN MENU AUTOMATED SERIALS CONTROL SYSTEM LIBRARY “XYZ” A> ORDER PROCESSING B> JOURNAL MAINTENANCE C> SUPPLIER MASTER MAINTENANCE D> QUERY E> EXIT ENTER YOUR OPTION
MENU A : ORDER PROCESSING 1. ADD/DELETE JOURNAL 2. REQUEST FOR INVOICE OR REMAINDER 3. INPUT INVOICE 4. PRINT INDENT LIST 5. ENTER PAYMENT DETAILS 6. PRINT PAYMENT DETAILS 7. EXIT ENTER YOUR OPTION MENU B: JOURNAL MAINTEINANCE 1. UPDATE JOURNAL INFORMATION 2. ENTER JOURNAL RECEIVED DETAILS 3. PRINT REMINDERS 4. EXIT ENTER OPTION AND PRESS RETURN MENU C: MAINTAINING PUBLISHER MASTER 1. ADD PUBLISHER NAME 2. DELETE PUBLISHER NAME 3. MODIFY PUBLISHER DETAILS 4. EXIT ENTER OPTION AND PRESS RETURN
MENU D: ENQUIRY OR PRINTING ENQUIRY
PRINT OPTION
DISPLAY A. RECEIVED JOURNALS 1 LIST JOURNALS YEARWISE B. LIST OF JOURNALS BY KEYWORD 2 LIST JOURNALS ALPHABETICALLY 3 LIST NEW JOURNALS 4 LIST JOURNALS BY LANGUAGE 5 LIST JOURNALS BY KEYWORD 6 LIST JOURNALS BY SUBJECT 7 PUBLISHER LIST 8 MAILING LIST 9 BINDING LIST ENTER YOUR OPTION AND PRESS Esc CONTROL, AUDIT AND TEST PLAN Control plan 1. Check whether duplicate copies of an issue of a journal have been received 2. Check whether invoice amount and order amount match 3. Check on Nov 30 whether total number of periodicals for which renewal subscriptions sent equals number of titles in the subscription list Audit plan 1. Compare total order amount with total payment amount (draft volumes) 2. Check that no duplicate renewals here been sent when duplicate invoices from publisher is received.
Test plan: 1. Enter a wrong journal code and see the response 2. Enter a correct journal code and see the response 3. Enter a wrong journal volume and see the response 4. Enter a few journal codes expected in a month and see the response 5. Create a journal not received transaction and see the result of processing 6. Try giving year end message and see the effect 7. Create payment details transaction and enter to see the effect 8. The input screens must have prompts and messages if incorrect data is entered.
IMPLEMENTATION PLAN 1. 2. 3. 4. 5. 6.
Codify journals being subscribed Create a master database of journals with details Codify publishers and agents who supply journals Create a master database of publishers with addresses Create journal id, publisher id, database Based on knowledge of delays in delivery, enter in journal expected relation the expected delay 7. Create a sample set of weekly, monthly and year-end transaction 8. Create transactions corresponding to receiving draft from accounts for subscription payment. 9. Design screens for data input and query answering 10. Test each process using sample data 11. Integrate all processes and databases 12. Create user manuals 13. Create system manuals 14. Design user’s feedback forms and system review plan (i)
(ii)
(iii)
System’s manual: A one page instruction is prepared on how to use the system. As the system is interactive with screens and prompts, no extensive user manual is needed User’s feedback form: This form should be designed to obtain user’s opinion on ease of use, ease of data input, quality of screens and system response time Review plan: The system is to be reviewed at the end of one year.
AVAILABLE CASE TOOLS
I. SYSTEM FLOWCHART AND ER-DIAGRAM GENERATION TOOL Name of the tool: SMARTDRAW
URL: This Software can be downloaded from: http://www.smartdraw.com. This is a paid software, but a 30-day free trial for learning can be downloaded. Requirements to use the tool: PC running Windows 95, 98 or NT. The latest versions of Internet Explorer or Netscape Navigator, and about 20MB of free space. What the tool does: Smartdraw is a perfect suite for drawing all kinds of diagrams and charts: Flowcharts, Organizational charts, Gantt charts, Network diagrams, ER-diagrams etc. The drag and drop readymade graphics of thousands of templates from built-in libraries makes drawing easier. It has a large drawing area and drawings from this tool can be embedded into Word, Excel and PowerPoint by simply copy-pasting. It has an extensive collection of symbols for all kinds of drawings. How to use: The built-in tips guides as the drawing is being created. Tool tips automatically label buttons on the tool bar. There is online tutorial provided in: http://www.smartdraw.com/tutorials/flowcharts/tutorials1.htm http://www.ttp.co.uk/abtsd.html
II. DATA FLOW DIAGRAM TOOL Name of the tool: IBMS/DFD
URL: This a free software that can be downloaded from: http://viu.eng.rpi.edu
Requirements to use the tool: The following installation instructions assume that the user uses a PC running Windows 95, 98 or NT. Additionally, the instructions assume the use of the latest versions of Internet Explorer or Netscape Navigator. To download the zip files & extract them you will need WinZip or similar software. If needed download at http://www.winzip.com.
What the tool does: The tool helps the users draw a standard data flow diagram (a process-oriented model of information systems) for systems analysis.
How to use: Double click on the IBMS icon to see the welcome screen. Click anywhere inside the welcome screen to bring up the first screen. Under "Tools" menu, select DFD Modeling. The IBMS will pop up the Data Flow Diagram window. Its menu bar has the File, Edit, Insert, Font, Tool, Window and Help options. Its tool box on the right contains 10 icons, representing (from left to right and top to bottom) pointer, cut, data flow, process, external entity, data store, zoom-out, zoom-in, decompose, and compose operations, respectively. Left click on the DFD component to be used in the toolbox, key in the information pertaining to it in the input dialogue box that prompts for information. To move the DFD components: Left click on the Pointer icon in the tool box, point to the component, and hold Left Button to move to the new location desired in the work area. To edit information of the DFD components: Right click on the DFD component. The input dialogue box will prompt you to edit information of that component. Levelling of DFD: Use the Decompose icon in the tool box for levelling To save the DFD: Under File menu, choose Save or SaveAs. Input the name and extension of the DFD (the default extension is DFD) and specify folder for the DFD to be saved. Click OK.
III. TOOL TO CONVERT DECISION TABLE TO STRUCTURED ENGLISH Name of the tool: COPE
URL: This is a free tool and should be worked online at http://www.cs.adelaide.edeu.au/users/dwyer/examples.html
What the tool does: Cope is a program that converts decision tables to Cobol source statements
How to use: The general arrangement of a Cope decision table is shown in Example below. This table consists of a heading and four rows. The first two rows are conditions, and the last two are actions. A condition row consists of a number of entries followed by the word is and a Cobol condition. An action row consists of a series of entries followed by a Cobol statement. Example: YYNN YNYN XX - -XXX
is A = 0. is B = 0. Move 0 to C. Add 1 to C.
Type in the Decision table in the text area provided (each line should start with 6 blanks and an asterisk), click on “Generate Cobol” to obtain the Cobol statements of the Decision table. There is online help provided at: http://www.cs.adelaide.edu.au/users/dwyer/COPE-MAN.html#RTFToC1 Another tool (to be worked online) for program code generation from Decision table can be found at http://dtable.projxonline.com/Default.aspx Note: The tools to convert Decision Tables to Structured English is not available.
IV. SYSTEM REQUIREMENTS SPECIFICATION DOCUMENTATION TOOL Name of the tool: ARM
URL: The tool can be downloaded without cost at http://sw-assurance.gsfc.nasa.gov/disciplines/quality/index.php
What the tool does: ARM or Automated Requirement Measurement tool aids in writing the System Requirements Specifications right. The user writes the SRS in a text file, the ARM tool scans this file that contains the requirement specifications and gives a report file with the same prefix name as the user’s source file and adds an extension of “.arm”. This report file contains a category called INCOMPLETE that indicate the words and phrases that are not fully developed.
Requirements to use the tool : PC running Windows 95, 98 or NT. The latest versions of Internet Explorer or Netscape Navigator, and about 8MB of free space.
How to use the tool : On clicking the option Analyze under File menu and selecting the file that contains the System Requirements Specifications, the tool processes the document to check if the specifications are right and generates a ARM report. The WALKTHROUGH option in the ARM tool assists a user by guiding him as to how to use the tool apart from the HELP menu. The README.doc file downloaded during installation also contains description of the usage of this tool.
V. A TOOL FOR SCREEN DESIGN AND DATA INPUTTING Name of the tool: Visual Basic
URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=bf9a24f9-b5c548f4-8edd-cdf2d29a79d5&displaylang=en
What the tool does: This tool is used to create the graphical user interface (GUI) to describe the appearance and location of interface elements, you simply add prebuilt objects into place on screen. Help: http://msdn.microsoft.com/library/default.asp?url=/library/enus/vbcon98/html/vbconpart1visualbasicbasics.asp
VI A TOOL FOR DESIGNING AND MANIPULATING DECISION TABLES Name of the tool: Prologa V.5 URL: http://www.econ.kuleuven.ac.be/prologa Note: This tool can be downloaded from the above given URL, after obtaining the password.
What the tool does: The purpose of the tool is to allow the decision maker to construct and manipulate (systems of) decision tables. In this construction process, the features available are automatic table contraction, automatic table optimization, (automatic) decomposition and composition of tables, verification and validation of tables and between tables, visual development, and rule based specification.
TEST EXAMPLES Module1 1. What would be the strategic, operational and tactical needs of a State Road Transport Corporation? 2. What do you think are the functional management areas in a large Students hostel? 3. Explain how data will be processed in a bank when a cheque is presented by a customer and payment made to him (assume the bank uses computers)
Module2 4. What benefits do you expect if an information system for a hostel is designed? 5.
In designing an information system for a hostel what constraints should be taken into account during feasibility analysis?
Module3
6. A hostel warden states the following requirements for a hostel information system: "Our hostel has 500 rooms and 4 messes. Currently, there are 1000 students all in 2 seated rooms. They eat in any one of the messes but can get a rebate if they inform and do not eat for at least 4 consecutive days. Besides normal menu, extra items are also given to students when they ask for it. Such extras are entered in an extras book. At the end of the month a bill is prepared based on the normal daily rate and extras and given to each student. We find that bill preparation is delayed. We are also not able to keep proper track of payments and billing for extras. We need a system to streamline this". Obtain a document flow diagram for the problem described above.
Module4 7.
Is it essential that an operationally feasible solution should be technically feasible? Discuss with examples.
8.
A system costs Rs.1 lakh to install and Rs.10,000 per month as recurring expenses. The benefit per year is Rs.1.5 lakhs. Assuming an interest rate of 12% per annum, what is the pay back period of the investment?
9.
A project costs Rs.2 lakhs and the net benefits are Rs.50,000 (1st year), Rs.80,000 (2nd year),Rs.90,000 (3rd year), Rs.70,000 (4th year), Rs.50,000 (5th year), and Rs.30,000 (6th year). Assuming 10% per annum interest rate, would you proceed with this project if your criterion is cost/benefit?
Module5 10. A magazine is published monthly and is sent by post to its subscribers. Two months before the expiry of subscription, a reminder is sent to the subscribers. If subscription is not received within a month, another reminder is sent. If renewal subscription is not received up to two weeks before the expiry of the subscription, the subscriber's name is removed from the mailing list and the subscriber informed. Obtain logical DFDs for this problem and also a flowchart. 11. Obtain a physical DFD for a simple payroll system described below. A list of employees with their basic pay is sent to a clerk. He calculates the gross pay using standard allowances which are known for each pay slab. Deduction statements such as loan repayment, subscription to associations etc. are also sent to another clerk who matches these slips with the slips of gross pay and calculates net pay. This slip is used by a third clerk to write out pay cheques for each employee and sent to respective employees. The total net pay amount paid and bills paid are also computed. 12. If the procedure of the above problem is to be computerised, obtain a logical DFD for the computer-based system.
Module6 13. An organization maintains an employee file in which each record has the following data: (Employee No., employee name, employee gross pay). It has been decided to increase the pay as per the following formula: For pay of Rs.1000 or less increase 15% For pay of more than Rs.1000 but up to Rs.2500 increase 10%. For pay over Rs.2500 increase 5%. (i) Write a structured English processing rule corresponding to the above policies (ii) Express the policies as a decision table.
14. An offshore gas company bills its customer according to the following rate schedule: First 500 litres Rs. 10 (flat) Next 300 litres Rs.1.25 per 100 litres Next 30,000 litres Rs.1.20 per 100 litres
Next 100,000 litres Rs.1.10 per 100 litres Above this Rs.1.00 per 100 litres. The input record has customer identification, name and address, meter readings, past and present. Write a structured English procedure to obtain a bill for the customer. 15. Obtain a decision table for an automatic stamps vending machine with the following specifications: (i) To dispense 20, 15, 10, 5 paise stamps (ii) To accept 50, 25, 10, 5 paise coins (iii) Do not return change if it is necessary to return more than two coins of the same denomination. In such a case return the customer's coin and turn on "no change" light. The machine should dispense a stamp, the right amount of change, no stamp available, no change available signals etc. 16. You want to go to Delhi from Bangalore. There are three flights per day; early morning, late morning and evening. You would like to go on 21.4.04 by early morning flight. If it is not available you will take the late morning flight. If neither is available you are willing to take any flight on 22.4.04 but prefer early and late morning flights., Obtain a decision tree for this word statement. Is decisiontable suitable for this problem? If not why?
Module7 17. Design a form to be used by a salesman to report to the office about sales executed by him at different customer locations 18. Design a group classification code to code (i) motor vehicles,, (ii) music cassettes, and (iii) books 19. Add a Modulus-11 check digit to the codes (i) 48467, (ii) 96432, and (iii) 87646257. 20. Modulus-37 check is suitable for alphanumeric codes. Add a modulus-37 character to the codes (i) 4AB9W, (ii) XBY483, and (iii) CAZ4642. 21. What is the purpose of batch control record? What is the type of information contained in a batch control record? A set of data records for student examination results has the following format: Roll no. Name Marks (out of 100) Paper 1 Paper 2 Paper 3 Paper 4 Design for these records a batch control record and a record control field and any other appropriate checks for the fields.
22. Design a dialogue hierarchy and the screens for a system used to reserve seats in long distance buses.
Module8 23. Develop E-R diagram for the following: Customer withdraws money from his account Students write examinations. Students attend classes Professors write books Driver drives a car 23. Student's records in a University are kept by various sections: Hostel, Health Centre, Academic Office, major departments, Accounts Section and Library. If each of these sections maintains its own file-based system for processing, what problems do you foresee? Give examples.
Module9 24. How do you select objects from a requirement specification? Given the following requirement statement, select potential objects. A list of employers with their basic pay is sent to a clerk. He calculates the gross pay using standard allowances which are known for each pay slab. Deduction statements such as loan repayment, subscription to association etc., are also sent to another clerk who matches these slips with the slips of gross pay and calculates net pay. This step is used by another clerk to write out pay cheques for each employee and sent to respective employees. The total pay bills computed is also computed". 25. Give a brief requirements specification for a bus ticket reservation system. Model it using objects. Module10 26. Prepare a print chart for stores data processing system. 27. Pick the appropriate graphics presentation for the following applications: (i) (ii) (iii) (iv)
Relative enrollment of students in various departments in a University. Growth of student strength in a department over a period of 10 years. Sales percent of a product in 6 regions of a country. Proportion of total revenue of a state from direct taxes, indirect taxes, public loan, land revenue, income from public sector companies, and
miscellaneous receipts. Module11. 28. Give a HTML code to display Introduction to e-Commerce This is a new book 29. Give an example of an extranet Module12 30. A college has 1500 students whose final examination results are declared using computer processing. There are 5 subjects, each carrying 100 marks. Classes are awarded as follows: Marks60 or above, I class Marks 50 or above, II class Marks below 50, Fail Device an appropriate control scheme for processing results. 31. Design a proof figure for the above example.
Module13 32. Given a plain text: THIS IS A SAMPLE SENTENCE FOR ENCRYPTION. Apply the permutation (231564) and the substitution: (letter Æ letter + 6 ) and obtain the cipher text. 33. How does DES hardware encrypt the following hexadecimal plain text A1907FBCD986543201FED14E890ABCA5 34. Given two prime numbers 23 and 41 design a RSA system 35. Explain how cash transactions take place in E-Commerce. What special precautions should be taken by a bank to ensure that a customer does not double spend the same electronic coins issued to him/her?