role of certification authority in e-commerce
TRANSCRIPT
Role of Certification Authority in E-Commerce
M. Faisal Naqvi
Research Consultant (Technical), ECAC
Obstacle in growth of E-Commerce
Why most people don’t use E-Commerce?• Lack of trust• Fraudulent Merchants• Hacking/Cracking• Credit Card Information Theft
• Privacy issues
Technical Requirements of User of E-Commerce
• Confidentiality :- Privacy from third person• Integrity:- Change in message during transit
should be detected• Authenticity:- Identity of sender should be
detected• Non-repudiation:- Denial of sender should not be
possible• Anonymity:- Info. of Customer & Transaction
should be confidential from dealing party.• Availability
How Requirements can be Fulfilled?
• Cryptography i.e.– Encryption (Encoding)– Decryption (Decoding)
CALL ME
Plain Text
E DBMM NF
Cipher Text
D CALL ME
Plain Text
Alice Bob
Main Cryptographic Techniques
1. Secret Key Cryptography
2. Public Key Cryptographya) For Confidentiality
b) For Authenticity & Integrity
1. Secret Key Cryptography
• Also called Symmetric Key Cryptography• Only one key is used for encryption as well as for
decryption• e.g. Digital Encryption Standard (DES)
CALL ME
Plain Text
E DBMM NF
Cipher Text
D CALL ME
Plain Text
Alice BobKey=1 Key=1
2. Public Key Cryptography
• Also called Asymmetric Key Cryptography• For each party there is a Key pair i.e.:
1. Private Key (known to owner only)
2. Public Key (Published, known to Everyone)
• When we encrypt using Pub. Key it can only be decrypted using Pvt. Key and vice versa.
• e.g. Rivest Shamir Adelman (RSA) Algorithm
2. Public Key Cryptography (Cont...)
• Public Key Cryptography can be used in two ways:a) Encryption with Pub. Key & Decryption with Pvt. Key (to
achieve Confidentiality).
b) Encryption with Pvt. Key & Decryption with Pub. Key (to achieve Authenticity and Integrity)
2. Public Key Cryptography (Cont...) For Confidentiality
• Sender Encrypts the Message with the Public Key of the Recipient
• The Recipient Decrypts the Encrypted Message, with his own Private Key
10,000
Plain Text
E 5,000
Cipher Text
D 10,000
Plain Text
Bob
Bob’sPublicKey=0.5
Bob’sPrivateKey=2Public
2. Public Key Cryptography (Cont...)For Authenticity & Integrity of Message
• The Sender Encrypts the Message, with his own Private Key.
• The Recipient Decrypts the Encrypted Message with the Public Key of the Sender.
10,000
Plain Text
E 20,000
Cipher Text
D 10,000
Plain Text
Bob
Bob’sPrivateKey=2
Bob’sPublicKey=0.5 Public
Achieving Authenticity, Integrity and Confidentiality simultaneously...
Cipher
Digital Sign
1. Sender’s Pvt.
Sender
2. Recipient’s Pub.
3. Recipient’s Pvt.
4. Sender’s Pub.
Doc.
Digital Sign
Doc.
Recipient
Achieving Authenticity, Integrity and Confidentiality simultaneously (Cont…)
1. The Sender Encrypts the Message, with his own Pvt. Key. (for Authenticity and Integrity)
2. Then Sender Encrypts the result, with the Pub. Key of Recipient. (For confidentiality)
3. The Recipient decrypts the cipher, with his own Pvt. Key (to open confidentiality)
4. Then Recipient decrypts the result, with the Pub. Key of Sender (to Authenticate)
Need of a Certification Authority (CA)
Issues• How someone can Publish his Public Key?• How someone can verify that a Public Key belongs to
a particular Person?Solution• Public Key can be Published through a Third Party,
Trusted by both Sender & Recipient.• This Trusted Third Party is called Certification
Authority (CA)• CA verifies and certifies, by issuing a Digital
Certificate, that a particular “Public Key” belongs to a “Particular Person” and publishes the same through Web.
What CA publish about a Digital Certificate ?
Ibrar Ahmad
How CA Works?
CA :• accepts Application to issue Digital Certificate• verifies Identity of Subscriber• verifies that subscriber has corresponding Pvt. key• generates Digital Certificate• publishes Digital Certificate of its subscriber on its
web site so that anyone can download Digital Cert. of any other person from the CA’s web site
• accepts Request to Revoke the Certificate• publishes Certificate Revocation List (CRL) so that
anyone can check whether Cert. is Revoked
What is Public Key Infrastructure (PKI)?• PKI includes:
– Sender(s)– Recipient(s)– and CA(s)
• By using Cryptography to fulfill all requirements jointly or severally:– Confidentiality– Integrity– Authenticity– Non-repudiation– Reliability– Accountability– Anonymity
Importance of PKI
PKI:• Provides secure and trusted e-communication
environment.
• Is inevitable for e-commerce, e-business & e-governance etc.
Some Public Sector organizations using PKI (Existing and Planning)
• Pakistan Army• Securities And Exchange Commission Pakistan (SECP )• State Bank of Pakistan• NADRA• Ministry of IT/E-Government• CBR• Customs• Project for Improvement of Financial Reporting and Auditing
(PIFRA)• National Telecommunications and Information Technology
Security Board (NTISB)• Institute of Physics (Quaid-e-Azam University)• Pakistan Telecommunication Authority
Some Private Sector organizations using PKI (Existing and Planning)
• NIFT affiliate of VeriSign• Khanani and Kalia International• Live Securities (Online Brokerage House)• EUGridPMA• Academia Sinica Grid Computing Certification
Authority• Pakistan Inter-Active Communications (Pvt.)
Limited
Use of PKI in E-CommerceSome Protocols based on PKI:• Secure Socket Layer (SSL)
• Secure Electronic Transaction (SET)
Secure Socket Layer (SSL)
• Most commonly used (e.g. Hotmail, Yahoo)• Simplest• only confidentiality and integrity is achieved• Authenticity is not the part of Protocol• Only server’s Digital Certificate is required• Not a payment protocol specifically• For any secure communication
Secure Socket Layer Process
Server
Client
2. Server’s Public Key
1. Client Generate Secret Key
3. Secret Key encrypted with Server’s Pub. Key
4. Server decrypts Secret Key using its Pvt. Key
5. Communicate securely using secret key
Secure Electronic Transaction (SET)
• Most Comprehensive
• Confidentiality, Integrity, Authenticity, Non Repudiation and Anonymity/Privacy can also be achieved
• Comparatively Complex
• Digital Certificates of Merchant, Bank and Customer is required
• Specifically a Payment Protocol
SET Protocol Process
• OI = Order Information (Products/Services)• PI = Payment Information (Credit Card etc.)• C = Customer• M = Merchant• B = Bank
• Pb = Public• Pv = Private
SET Protocol Process (Cont…)
Customer
Bank
Merchant
1. MPb[CPv{MPb(OI)+BPb(PI)}]
2. BPb[MPv[CPv{MPb(OI)+BPb(PI)}]]
?
Thank
You