
Upload: chastity-collins

Post on 26-Dec-2015


Chapter 14

Encryption: A Matter Of Trust


Awad – Electronic Commerce 2/e © 2004 Pearson Prentice Hall

OBJECTIVES

• What is Encryption?

• Basic Cryptographic Algorithm

• Digital Signatures

• Major Attacks on Cryptosystems

• Digital Certificates

• Key Management

• Internet Security Protocols and Standards

• Government Regulations


WHAT IS ENCRYPTION?

• Based on use of mathematical procedures to scramble data to make it extremely difficult to recover the original message

• Converts the data into an encoded message using a key for decoding the message


WHAT DOES ENCRYPTION SATISFY?

• Authentication

• Integrity

• Nonrepudiation

• Privacy


BASIC CRYPTOGRAPHIC ALGORITHM

• Secret Key
  – The sender and recipient possess the same single key

• Public Key
  – One public key anyone can know to encrypt
  – One private key only the owner knows to decrypt
  – Provides message confidentiality
  – Proves the authenticity of the originator of the message


COMMON CRYPTOSYSTEMS

• RSA Algorithm
  – Most commonly used but vulnerable

• Data Encryption Standard (DES)
  – Turns a message into a mess of unintelligible characters

• 3DES

• RC4

• International Data Encryption Algorithm (IDEA)


DIGITAL SIGNATURES

• Transform the message signed so that anyone who reads it can be sure of the real sender

• A block of data representing a private key

• Serve the purpose of authentication


MAJOR ATTACKS ON CRYPTOSYSTEMS

• Chosen-plaintext Attack

• Known-plaintext Attack

• Ciphertext-only Attack

• Third-party Attack


DIGITAL CERTIFICATES

• An electronic document issued by a certificate authority (CA) to establish a merchant’s identity by verifying its name and public key

• Includes holder’s name, name of CA, public key for cryptographic use, duration of certificate, the certificate’s class and ID


CLASSES OF CERTIFICATES

• Class 1
  – Contains minimum checks on user’s background
  – Simplest and quickest

• Class 2
  – Checks for information, e.g. names, SSN, date of birth
  – Requires proof of physical address, etc.


CLASSES OF CERTIFICATES (Cont’d)

• Class 3
  – You need to prove exactly who you are and you are responsible
  – Strongest

• Class 4
  – Checks on things like user’s position in an organization in addition to class 3 requirements


KEY MANAGEMENT

• Key Generation and Registration

• Key Distribution

• Key Backup / Recovery

• Key Revocation and Destruction


THIRD-PARTY SERVICES

• Public Key Infrastructure
  – Certification Authority
  – Registration Authority
  – Directory Services

• Notary Services

• Arbitration Services


INTERNET SECURITY PROTOCOLS & STANDARDS

• Web Application
  – Secure Socket Layer (SSL)
  – Secure Hypertext Transfer Protocol (S-HTTP)

• E-Commerce
  – Secure Electronic Transaction (SET)

• E-Mail
  – PGP
  – S/MIME


SSL

• Operates between application and transport layers

• Most widely used standard for online data encryption

• Provides services:
  – Server authentication
  – Client authentication
  – Encrypted SSL connection


S-HTTP

• Secure Web transactions

• Provides transaction confidentiality, integrity and nonrepudiation of origin

• Able to integrate with HTTP applications

• Mainly used for intranet communications

• Does not require digital certificates / public keys


SET

• One protocol used for handling funds transfer from credit card issuers to a merchant’s bank account

• Provides confidentiality, authentication and integrity of payment card transmissions

• Requires customers to have a digital certificate and a digital wallet


PGP

• Encrypts the data with a one-time algorithm, then encrypts the key to the algorithm using public-key cryptography

• Supports public-key encryption, symmetric-key encryption and digital signatures

• Supports other standards, e.g. SSL


S/MIME

• Provides security for different data types and attachments to e-mails

• Two key attributes:
  – Digital signature
  – Digital envelope

• Performs authentication using X.509 digital certificates
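
The hybrid scheme on the PGP slide (encrypt the data under a one-time key, then encrypt that key with public-key cryptography) is the same construction S/MIME calls a digital envelope. The following is an added example, not from the original slides: RSA-OAEP and AES-256-GCM are assumed algorithm choices, and `seal`, `open_envelope` and `demo` are hypothetical names.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender: encrypt the message under a fresh one-time AES-256-GCM session key,
# then encrypt that session key with the recipient's RSA public key.
def seal(recipient_public, message)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  session_key = cipher.random_key # used for this one message only
  iv = cipher.random_iv
  ciphertext = cipher.update(message) + cipher.final
  { wrapped_key: recipient_public.public_encrypt(session_key, OAEP),
    iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Recipient: recover the session key with the private key, then decrypt.
# Returns nil if the private key does not match or the envelope was modified.
def open_envelope(recipient_private, env)
  session_key = recipient_private.private_decrypt(env[:wrapped_key], OAEP)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = session_key
  decipher.iv = env[:iv]
  decipher.auth_tag = env[:tag]
  decipher.update(env[:ciphertext]) + decipher.final
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
  nil
end

# Constructed demo: a throwaway recipient key pair and a sample message.
def demo
  recipient = OpenSSL::PKey::RSA.new(2048)
  env = seal(recipient.public_key, 'constructed sample order: 2 widgets')
  open_envelope(recipient, env)
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Only the short session key goes through the slow public-key operation; the message itself is handled by the symmetric cipher, whose authentication tag also makes tampering detectable.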


GOVERNMENT REGULATIONS

• National Security Agency (NSA)

• National Computer Security Center (NCSC)

• National Institute of Standards and Technology (NIST)

• Office of Defense Trade Controls (DTC)
