1. Cryptography is used to provide security in electronic commerce by ensuring privacy, authenticity, and preventing forgery, alteration, eavesdropping and tracing of messages.
2. There are two main types of cryptography - symmetric which uses the same key for encryption and decryption, and asymmetric (public key) which uses different keys for encryption and decryption.
3. Common symmetric algorithms are DES and AES while RSA is an example of an asymmetric algorithm commonly used for digital signatures and encryption.
10. Type Method Symmetric Stream cipher a string of data to continuously receive the encrypted Stream advantages: Diffusion Immunity insertations & modifications Stream disadvantages.: Slow encryption Error propagation
11. Type Method Symmetric Block cipher Into every block of data to which the blocks are individually password Block advantages: Speed of transformation Low error propagation Block disadvantages.: Low diffusion Malicious insertations & modifications possible
13. Data Encryption Standard (DES) Released by NBS in 1976, based on ‘Lucifer’ Combination of substitution and transposition 16 iterations with 56-bit key (64) Based on diffusion and confusion (Shannon) Supported then adopted by NSA Can be broken (in 22 hours, parallel attack) Key length dilemma, new algorithm to be AES
14. Data Encryption Standard (DES) Firstly the IP (explained below) is applied to the 64 bit plaintext. The result is then divided into two 32 bit halves, named L0 and R0. Then, the following happens 16 times: Key transformation number i (a permutation, but dropping 8 bits off - defined in the specification) is applied to the key to produce 48 bits. Apply the function f(Ri,Ki+1) (explained below) to produce a 32 bit output. Exclusive OR Li and f(Ri,Ki+1), and call this Ri+1. Make Li+1 = Ri
16. RSA Encryption 1978. By Rivest-Shamir-Adelman ) is a popular asymmetric key encryption standard. Difficulty of determinating prime factors It is based on number theory (more specifically the difficulty in factorizing a large number). The key size ranges between 512 and 2048 bits. It is used in many e-commerce applications such as the Secure Electronic Transaction (SET) protocol for credit card payment.
17. RSA Encryption Picks two large prime numbers p and q Multiplies p and q to obtain n Chooses d, such that d and w=(p-1)(q-1)are relatively prime (no common factor). Chooses e such that 1 = d x e mod w Public key is: <e, n> Private key is: <d, n> Message code m, secret code c c = memod n m = cd mod n
18. Public Key Only the decryption key is kept secret. The encryption key is made public. Each user has two keys, one secret and one public. Public keys are maintained in a public directory. To send a message M to user B, encrypt using the public key of B. B decrypts using his secret key. Signing Messages For a user Y to send a signed message M to user X. Y encrypts M using his secret key. X decrypts the message using Y’s public key.
20. Public Key Infrastructure(PKI) A set of technologies and procedures to enable electronic authentication Uses public key cryptography and digital certificates Certificate life-cycle management
21. Public Key Infrastructure(PKI) Many products from many vendors are available for certificate issuance and some management functions Interoperability is a big issue -- especially when it comes to policies Enabling the use of PKI in applications is limited today Building and managing policies is the least understood issue
22. Public Key Infrastructure(PKI) Authentication and registration of certificate applicants System administration and access to signing keys Application use and interfacing Trust between hierarchies Trust decisions to be made at different points within the application need different views Certificate fields, authorization and allowed use is really the hardest issue Authorization policies for management of CAs and RAs
27. Trojan horse A Trojan horse, or Trojan, is that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user's computer system
28. computer worm a computer worm is a self-replicating. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwith, whereas viruses almost always corrupt or modify files on a targeted computer
29. Firewalls A firewall is a barrier placed between the private network and the outside world. All incoming and outgoing traffic must pass through it. Can be used to separate address domains. Control network traffic. Cost: ranges from no-cost (available on the Internet) to $ 100,000 hardware/software system. Types: Router-Based Host Based Circuit Gateways
33. Secure Protocols How to communicate securely: SSL – “the web security protocols” IPSEC – “the IP layer security protocol” SMIME – “the email security protocol” SET – “credit card transaction security protocol” S-HTTP – “Secure Hypertext Transfer Protocol” Others …
42. SET SET standard two companies by VISA, Master card with the aim of ensuring security in the credit transaction year 1997 was introduced Privacy information: credit card numbers of buyers see the seller remains hidden (using DES) Cardholder authentication: digital signatures with certificates X.509v3 Authentication vendor: Digital signature certificate X.509v3
43. Goal SET Maintain confidentiality and purchase order payment information Owner authentication Azaynrvkh cardholder authentication of a legitimate user is using a credit card account Maintain the integrity of data transferred kidney Ensure the safety of data transferred all Seller to provide authentication for the transaction Ensure the best security techniques and systems designed to protect all existing laws on electronic commerce transactions
45. S-HTTP Security on application layer Protection mechanism: Digital Signature Message authentication Message encryption Support private & public key cryptograph Enhanced HTTP data exchange
46. S-HTTP Operate on application layer Encryption and digital signature Work only with (HTTP) Application dependant More secure than SSL at end point even after data transfer No particular cryptographic system Multiple times encryption
47. Electronic Mail Security E-mail is the most widely used application in the Internet. Who wants to read your mail ? Business competitors Reporters,Criminals Friends and Family Two approaches are used: PGP: Pretty Good Privacy PEM: Privacy-Enhanced Mail
49. E-mail Security(PEM) A draft Internet Standard (1993). Used with SMTP. Implemented at application layer. Provides: Disclosure protection Originator authenticity Message integrity
52. Agents participating in a Transaction Financial Audit Institute (Acquirer): A financial institution required with the following tasks: Open an Account for Sellers Ceiling set and enabled them credit cards Deposit amount received by the card vendor account Payment Gateway (Payment Gateway): processing messages and vendor payments by the Acquirer or the third person Reference Certification (CA): X509 certificate issuer for cards owners, sellers, and payment gateway
53. Payment Gatway Verify all certificates Decrypt the digital license to obtain and decrypt the symmetric key block Verify the sign vendor Decrypt digital pay to obtain and decrypt the symmetric key block Verify the signature block double payment Requested and received permission Sender