
EWeek 5

Electronic commerce relies on security and encryption methods like digital signatures, digital certificates, and firewalls. Encryption involves coding messages into unreadable characters to prevent unauthorized access and ensure privacy and access control. There are two main types of encryption: symmetric encryption which uses a single shared key, and asymmetric encryption which uses public/private key pairs to provide authentication and non-repudiation. Digital certificates verify public keys belong to the correct parties, while digital signatures authenticate messages using private keys.

Uploaded by

sam

Electronic commerce

Security and Encryption

1
Overview

• Encryption
• Digital signatures
• Digital certificates
• Firewalls

2
Encryption
What does encryption mean to you?

3
Encryption

Security of electronic communications is a
major control issue for all companies engaged in
e-commerce.
Threats to:
• Corporate secrets
• Credit card numbers and passwords
• E-Mail

4
Encryption

• Transmission of data must be kept private.
• EDI networks handle most of online commerce.
• VAN (Value Added Networks): very secure. Privately
maintained and run on high-speed private lines.
• Inflexible: connected to a limited number of sites and
companies
• Expensive: $100,000

5
The Solution

• Internet emerging choice.

6
Definition of Encryption?

• Encryption is the coding and scrambling of messages into
unreadable characters prior to transmission to prevent unauthorized
access.
• Encryption enables both privacy (confidentiality of data) and access
control (ensuring that the data is accessed by only those who are
authorized to do so).
• The other name for this process is Enciphering.

7
Elements of an encryption system

• The main elements of an encryption system are:
1. The plaintext is the raw message or data that is
to be encrypted.
2. A cryptographic algorithm or cipher is a
mathematical set of rules that defines how the
plaintext is to be combined with a key.
3. The key is a string of digits.
4. The ciphertext is the encrypted message.

8
Example

• If we take the phrase "Web store" and add 2 characters to each
letter, the phrase becomes "ygd uvqtg".
• Here: "Web store" is the plaintext
• "add x characters to each letter" is the cryptographic algorithm
• "2" is the key
• "ygd uvqtg" is the ciphertext
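
The shift cipher from this slide as a short Python sketch (an added example, not part of the original slides). It goes one step beyond the slide by listing the output for every possible key, which shows why a cipher with so few keys gives no real protection; the function names are assumptions chosen here.

```python
import string

ALPHABET = string.ascii_lowercase  # the slide's result is lower-case


def shift_encrypt(plaintext: str, key: int) -> str:
    """Algorithm: move each letter `key` places along the alphabet."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            # Wrap around at the end of the alphabet (y + 2 -> a).
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same rule applied with the key reversed."""
    return shift_encrypt(ciphertext, -key)


def candidate_plaintexts(ciphertext: str) -> dict:
    """Decrypt under every non-trivial key: the cipher's whole key space."""
    return {key: shift_decrypt(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    ciphertext = shift_encrypt("Web store", 2)
    print("ciphertext:", ciphertext)
    print("decrypted :", shift_decrypt(ciphertext, 2))
    # Only 25 candidates exist, so the key adds almost no secrecy.
    for key, text in candidate_plaintexts(ciphertext).items():
        print(key, text)
```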

9
Types of Encryption

Two major types of encryption:
• Symmetric encryption
• Asymmetric encryption

10
Symmetric encryption (Single key)

• Also known as single-key encryption, involves the use of a single key
that is shared by both the sender and the receiver of the message.
• After creating the message, the sender encrypts it with their key and
passes it to the recipient who then decrypts it by using a copy of the
same key used to encrypt it.

11
Symmetric Encryption (Single key)

12
Symmetric Encryption

• Every time a party wants to communicate, the sender and receiver
are each given a key to encrypt and decrypt the message.
• Problem: applicable to a small number of transactions, e.g. sending a
private e-mail to a friend. Not practical for Web commerce, which can
involve communicating with thousands of customers.
• What does this mean?

13
Symmetric Encryption

• Another limitation with secret-key encryption is its
inability to support non-repudiation. As both parties
share the same key, it is possible for one party to
create a message with the shared secret key and
falsely claim it had been sent by the other party.
• Secret-key encryption on its own is therefore not
suitable for Web commerce; instead a system
known as public-key encryption is used.

14
Common Symmetric Key Algorithms
DES (Data Encryption Standard) is a symmetric-key
encryption method, which uses a 56-bit key, and
the block cipher method, which breaks text into
64-bit blocks and then encrypts them.
Triple DES (3DES) is a model of the DES encryption
algorithm that encrypts data three times. Three
64-bit keys are used, instead of one, for an overall key
length of 192 bits (the first encryption is encrypted
with a second key, and the resulting cipher text is
again encrypted with a third key).

15
Common Symmetric Key Algorithms
• AES (Advanced Encryption Standard) is a symmetric 128-bit
block data encryption technique that works at multiple
network layers simultaneously.
• The terms AES and Rijndael are used interchangeably,
though there are some differences between the two.
• AES has a fixed block size of 128 bits and a key size of 128,
192, or 256 bits, whereas Rijndael can be specified with any
key and block sizes in a multiple of 32 bits, with a minimum
of 128 bits and a maximum of 256 bits.

16
Common Symmetric Key Algorithms
• International Data Encryption Algorithm (IDEA)
This is an encryption system that uses a 128-bit key. It uses the block
cipher method that breaks the text into 64-bit blocks before
encrypting them.

17
Advantages of Using Symmetric
Encryption
1. The encryption process is simple
2. Each trading partner can use the same publicly known encryption
algorithm - no need to develop and exchange secret algorithms
3. Security is dependent on the length of the key.

18
Disadvantages of Symmetric

1. A shared secret key must be agreed upon by
both parties.
2. If a user has n trading partners, then n secret
keys must be maintained, one for each trading
partner.
3. Authenticity of origin or receipt cannot be proved
because the secret key is shared.
4. Management of the symmetric keys becomes
problematic.

19
Problems with Management of
Symmetric Keys
1. Trading partners must always use the exact same key to decrypt
the encrypted message.
2. Key exchange is difficult because the exchange itself must be
secure with no intervening compromise of the key.
3. Management of keys is difficult as the number of trading partners
increases, especially when multiple keys exist for each trading
partner.

20
Asymmetric Encryption
(Public Key Encryption)

21
Asymmetric Encryption (Public Key
Encryption)
• Public-key encryption, or asymmetric encryption, involves the use of
two keys, one that can be used to encrypt messages (the public key)
and one that can be used to either encrypt them or decrypt them
(the private key).
• These key pairs can be used in two different ways, to provide privacy
or authentication.

22
Asymmetric Encryption

• Privacy is ensured by encoding a message with the public key as it
can only be decoded by the holder of the private key.
• Authentication is achieved by decoding a message with the private
key. Once the recipient has successfully decrypted it with the private
key they can be assured it was sent by the holder of the public key.

23
Asymmetric Encryption

24
Asymmetric Encryption

• Public-key cryptography does not suffer from the same key
distribution and management problems as the single-key system.
• One disadvantage of the public-key system is that it is relatively slow,
so when it is being used only for authentication it is not desirable to
encrypt the whole message particularly if it is a long one. To get
round this a digital signature is used.

25
Difference between Symmetric and
Asymmetric Encryption
• Symmetric: single key; does not support non-repudiation.
• Asymmetric: two keys; supports non-repudiation.

26
Digital certificates

27
Digital certificates


Before encrypting and transmitting sensitive
information it is important to ensure that the
public key being used does indeed belong to the
intended message recipient and not someone
masquerading as them.
One method of doing this is to use a trusted third
party or certificate authority (CA). Owners of public
keys submit them to a CA along with proof of
identity and the CA then digitally signs and issues a
certificate which verifies that the public key
attached to the certificate belongs to the party
stated.

28
Digital certificates

• Digital certificates provide the basis for secure electronic transactions
as they enable all participants in a transaction to quickly and easily
verify the identity of the other participants.

29
Digital signatures

30
Digital signatures

Digital signatures are implemented through public-key
encryption and are used to verify the origin
and contents of a message.
One advantage of public-key encryption is that the
recipient of a successfully decrypted message knows
that it was sent by the owner of the private key.
This is known as authentication.

31
Digital signatures

A digital signature is prepared by first passing the
message through a one-way cryptographic function to
calculate the message digest. This digest is much
smaller than the original message and can be quickly
encrypted with the private key to produce a signature
which is then added to the original message.
The recipient of the digital signature can be sure that
the message really came from the sender. And,
because changing even one character in the message
changes the message digest in an unpredictable way,
the recipient can be sure that the message was not
changed after the message digest was generated.
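
The signing and checking steps described above, with the shared-key limitation from the symmetric encryption slides shown for contrast (an added example, not part of the original slides). The key pair is a constructed toy built from two known Mersenne primes, the RSA operation is the unpadded textbook form, and HMAC stands in for a single-key scheme; all function names are assumptions.

```python
import hashlib
import hmac

# Constructed toy RSA key: Mersenne primes keep the numbers reproducible but
# are NOT a safe choice for real keys, and real signatures also add padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held by the signer only


def message_digest(message: bytes) -> int:
    """One-way function: SHA-256 digest of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exponent: int = D) -> int:
    """Transform the digest with the private key to produce the signature."""
    return pow(message_digest(message), private_exponent, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone with the public key recovers the digest and compares it."""
    return pow(signature, E, N) == message_digest(message)


def shared_key_tag(message: bytes, shared_key: bytes) -> bytes:
    """Single-key counterpart (HMAC-SHA256) for comparison."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    order = b"Pay 100 to Web store"    # constructed sample message
    signature = sign(order)
    print("valid signature      :", verify(order, signature))
    print("one character changed:", verify(b"Pay 900 to Web store", signature))
    # Buyer and merchant hold the same key, so both compute the same tag and
    # the tag cannot show which of them created the message.
    key = b"constructed-shared-key"
    buyer_tag = shared_key_tag(order, key)
    merchant_tag = shared_key_tag(order, key)
    print("tags identical       :", hmac.compare_digest(buyer_tag, merchant_tag))
```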

32
E Commerce Technologies
Smart cards

33
Smart cards

• At first glance a smart card looks like a normal credit or debit card.
However, closer examination reveals the absence of a magnetic
stripe as smart cards store all their information on a chip buried
within the card. Compared to conventional magnetic stripe cards,
smart cards differ in several important ways:

34
1. They can store much more data
2. They can be password protected
3. They can incorporate a microprocessor that can perform
processes such as encryption

35
• The potential for smart card use is enormous, but there are three
key functions of interest to the Web store merchant:
1. Storage of encryption keys
2. Electronic purses
3. User profile portability

36
Smart card Applications

1. Storage of encryption keys
Web commerce secure transaction protocols, such as SSL and SET,
require that private encryption keys are stored securely.
• Smart cards can provide a very secure way of generating, storing and
using private keys.

37
• Electronic purses
Many applications in place today use a smart card
as a replacement for cash because of the higher
security they offer over standard credit cards.
Although most of these systems (for example
Mondex, VisaCash, CLIP and Proton) were
developed for point of sales applications, their use
is likely to extend to Web commerce as they
provide an easy and secure way to handle cash
transactions.

38
Secure Sockets Layer (SSL)

39
• Netscape's Secure Sockets Layer (SSL) protocol is
currently the most widely used method for
performing secure transactions on the Web and is
supported by most Web servers and clients
including Netscape Navigator and Microsoft
Internet Explorer.
• The Secure Sockets Layer (SSL) protocol provides
several features that make it particularly suitable
for use in e-commerce transactions.

40
Features of SSL

• Privacy is guaranteed through encryption. Although
information can still be intercepted by a third party,
they will be unable to read it as they have no
access to the encryption key.
• Integrity is also ensured through encryption. If
information is received that will not decrypt
properly then the recipient knows that the
information has been tampered with during
transmission.

41
• Authentication is provided through digital certificates. Digital
certificates provide the basis for secure electronic transactions as
they enable all participants in a transaction to quickly and easily
verify the identity of the other participants.

42
TASK

• Read more on SSL.

43
