the role of cryptography in security for electronic commerce
8/17/2019 The Role of Cryptography in Security for Electronic Commerce
ITB Journal
May 2001 Page 21
The Role of Cryptography in Security for Electronic Commerce
Ann Murphy. Dublin Institute of Technology
David Murphy. Institute of Technology Blanchardstown
Abstract
Many businesses and consumers are wary of conducting business over the Internet
due to a perceived lack of security. Electronic business is subject to a variety of
threats such as unauthorised access, misappropriation, alteration and destruction of
both data and systems. This paper explores the major security concerns of businesses
and users and describes the cryptographic techniques used to reduce such risks.
Keywords
Internet, Web Security, cryptography, hackers, public and private keys, PKI,
CAs, Client Security, Server Security, DES, RSA, digital signature, SSL, SET
Introduction
Most organisations either utilise the Internet for business purposes already or intend
doing so in the very near future (Ernst & Young, 1
Amazon and eBay indicate that security issues must become a primary concern for
everyone doing business on the Internet (McGuire & Roser, 2000).
When networked information systems perform badly or don't work at all, lives, liberty
and property can be put at risk. Interrupting service can threaten lives, while the
disclosure or destruction of information or its improper modification can disrupt the
work of governments, corporations and individuals (Schneider, 1
This paper examines the major security concerns of businesses and consumers
engaging in electronic commerce and focuses principally on the role of cryptography
in reducing the risk of conducting business on the Internet. The techniques and
terminology used by cryptologists, including private and public key encryption and
their use and advantages in securing both information and systems are described in
detail. The issues involved in authentication using digital signatures and Certification
Authorities are discussed, as are the issues involved in key management.
The Internet
Brief History
The web has emerged as the most dynamic force in the Information Technology (IT)
industry during the past decade. This growth has been facilitated by the confluence of
increasingly powerful and inexpensive technologies that permitted large-scale usage
and the provision of scalable systems and applications, allied with the growing
availability of telecommunications due to declining costs and increasing bandwidth
thereby allowing the spread of digital information (Salnoske, 1
3. Greater amounts of information that can be accessed on demand
4. Customisation in the delivery of services
(US Department of Commerce, 1
Web system infrastructures are composed of three parts:
Web Client Internet Connection Web Server
Figure 1: Web Infrastructure (Stein, 1!"
1. The Web Client
2. The Web Server
3. The Connection between the two
Regarding security, the entire system is only as strong as the weakest link in the chain
(Budge, 1
1. The user will not attempt to alter the contents of the Web site.
2. The user will not attempt to break into the Server's Computer system.
3. The user will not try to gain access to unauthorised areas of the site.
4. The user will not try to crash the server thereby making it unavailable to other users
5. That the user is who they claim to be.
From Both Parties' Viewpoint
1. That the connection is free from third parties listening in on the communications
line.
2. That the information sent between browser and server is delivered intact and free
from tampering.
Section describes the role of cryptography in addressing some of these issues, in
particular those of information integrity and user and server authentication.
Cryptography
The ability to conduct all kinds of transactions across open information and
communication networks has led to increasing concern about the security of the
information itself (DTI, 1t of the type of information that will be encrypted is needed
before the codes can be devised (Beckett, 1
The problem with many historical ciphers is that their security relied on the sender and
receiver to remember the encryption algorithm and keep it secret.
Cryptographic Systems
Today, cryptographic methods are more sophisticated and are used to support more
than the confidentiality of the message, they also include integrity protection,
authentication, non-repudiation and detection of unauthorised copying (Adams &
Bond, 2000).
All cryptographic systems, no matter how complex have four basic parts:
Figure 2: Basic Cryptographic System (diagram labels: Plaintext, Algorithm, Key, Ciphertext)
Plaintext: A message before anything has been done to it
Ciphertext: Unreadable Plaintext message after it has been modified in some way
Algorithm: Mathematical operation used to convert plaintext into ciphertext and
vice versa
Key: Secret key used to encrypt and/or decrypt the message. A key is a
word, phrase, numeric or alphanumeric string which when used in
conjunction with the algorithm allows the plaintext to be encrypted
and decrypted.
The advantage of cryptography is that the ciphertext can be transmitted across
insecure, public communications channels. Even if the ciphertext is intercepted, it is
useless to anyone who does not possess the decryption key (Stein, 1
security depends completely on the secrecy of the decryption key, it is not necessary
to keep the workings of the algorithm secret. This allows the same algorithm to
be reused by many people and avoids any need to protect cryptographic software
(Stein,1t (Deitel et al.,
2001). The only perfect cryptosystem is called the One Time Pad in which the sheets
of paper in a pad are filled with completely random characters. An exact copy of the
pad is made and hand delivered to the correspondent, the ciphertext is created by
writing the message by adding the letters pair wise where A=1st letter, B=2nd and Z
wraps back to A. The process is reversed by the recipient revealing the plaintext. Once
a sheet of the pad is used, it is destroyed, if the pad contains truly random letters the
code is absolutely secure (Treese & Stewart, 1ed-length of
plaintext into a block of ciphertext data of the same length. Because each block of a
cipher is independent, an eavesdropper may notice that certain blocks are repeated
indicating that the plaintext blocks also repeat. A Stream cipher typically operates on
smaller units of plain text and is designed to be exceptionally fast by using the key to
produce a pseudorandom key stream which is then used to produce the ciphertext
(Treese & Stewart, 1
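The One Time Pad arithmetic described above (letters added pairwise, A as the 1st letter, Z wrapping back to A), written out as an added example that is not part of the original paper. The function names and sample messages are constructed for illustration; the last function shows why a used sheet must be destroyed, since two ciphertexts made with the same sheet reveal the difference of their plaintexts.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # A is the 1st letter, B the 2nd, ..., Z the 26th


def make_pad(length):
    """One sheet of the pad: `length` letters drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _combine(text, pad, sign):
    if len(pad) < len(text):
        raise ValueError("pad sheet is shorter than the message")
    out = []
    for t, p in zip(text, pad):
        # Letter values run 1..26; a result past Z wraps back to A.
        total = (ALPHABET.index(t) + 1) + sign * (ALPHABET.index(p) + 1)
        out.append(ALPHABET[(total - 1) % 26])
    return "".join(out)


def encrypt(plaintext, pad):
    return _combine(plaintext, pad, +1)


def decrypt(ciphertext, pad):
    return _combine(ciphertext, pad, -1)


def letter_difference(a, b):
    """Position-wise difference of two letter strings, modulo 26."""
    return [(ALPHABET.index(x) - ALPHABET.index(y)) % 26 for x, y in zip(a, b)]


def reuse_leaks_plaintext_relation(msg1, msg2, pad):
    """True when two ciphertexts made with the same sheet expose msg1 - msg2."""
    c1, c2 = encrypt(msg1, pad), encrypt(msg2, pad)
    return letter_difference(c1, c2) == letter_difference(msg1, msg2)


if __name__ == "__main__":
    sheet = make_pad(12)
    ct = encrypt("PAYTENPOUNDS", sheet)   # constructed sample message
    print(ct, decrypt(ct, sheet))
    # Reusing the sheet: the pad cancels out of the two ciphertexts.
    print(reuse_leaks_plaintext_relation("PAYTENPOUNDS", "PAYSIXPOUNDS", sheet))
```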
Since both parties must know the same key, authentication is assured as when the
message arrives, there is only one person that it could be from.
Message integrity can be verified by the use of a Message Digest, which generates a
short fixed length value known as a hash. A Hash function is a transformation that
reduces a large data message to one of a more comprehensible size - any message can
be reduced to a fixed length, say 128 bits, using a hash function (Stein, 1
contents of the previous one (Cipherblock Chaining). The message is first rewritten in
binary format, then encrypted using the DES algorithm. (FIPS 46-2, 1t, since a different key is used and then encrypted again using a third key as
shown in Figure .
Other common symmetric encryption algorithms include the European International
Data block cipher Encryption Algorithm (IDEA), developed by James Massey and
Xuejia Lai in 1
Figure: Triple DES (Greenstein & Feinman, 2000)
Diagram labels: Sender, Receiver, Cleartext Message, Encoded Message, Double Encoded Message, Triple Encoded Transmitted Message; operations encrypt and decrypt; Key A, Key B, Key C.
Blowfish is a freely available, variable length block cipher designed by Bruce
Schneier of Counterpane Systems, (http://www.counterpane.com/blowfish). It is
nearly three times faster than DES and is being widely used in PC file encryption and
secure tunnelling applications (Treese & Stewart, 1
1. Meet in Person - simplest method but doesn't scale well
2. Courier - Can the courier be trusted, this can be overcome by splitting the key and
using alternative routes to send key parts
3. Telephone, email or letter
The problem with key distribution, is that anyone who intercepts the key in transit can
later modify and forge all information that is encrypted or authenticated with that key.
Public/Asymmetric Key Encryption
One of the main challenges for private key encryption is enabling the sender and
receiver to agree on the secret key without anyone else finding out. Another important
problem occurs on the Internet, where parties often need to communicate without
having previously met. Even if it were possible to securely distribute the servers
secret key to the thousands of users, it would be impossible to keep the key secret for
long (Stein, 1
The Diffie-Hellman algorithm is used to calculate a secret key corresponding to
the key pairs (a,B) and (b,A),
Figure: Diffie-Hellman Public Key Cryptography (Greenstein & Feinman, 2000)
Sender: Determine a. Derive and Make A Public. Retrieve B and compute key from secret a and public B.
Receiver: Determine b. Derive and Make B Public. Retrieve A and compute key from secret b and public A.
Identical Keys Generated (a,B and b,A). The Cleartext Message is encrypted, sent as the Transmitted Encoded Message and decrypted back to the Cleartext Message.
Two way public key communication using Diffie-Hellman cryptography is vulnerable
to a man-in-the-middle attack where a hacker intercepts both the senders and receivers
public keys and replaces them with his own value, then either renders the
communication indecipherable or generates a matching key in order to alter the
message. Neither sender nor receiver realise their message has been intercepted or
altered (Greenstein & Feinman, 2000).
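An added sketch of the exchange in the figure and of the key substitution just described; it is not code from the paper. The modulus P, base G and the fingerprint comparison are assumptions of this example (toy-sized parameters), chosen to show that the two parties end up holding different keys and only notice if they compare fingerprints over a separate channel or authenticate the public values.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (a Mersenne prime); far too small for real use
G = 3            # toy base, an assumption of this example


def keypair():
    secret = secrets.randbelow(P - 3) + 2      # private value (a or b)
    return secret, pow(G, secret, P)           # public value (A or B)


def shared_key(own_secret, peer_public):
    """Key computed from one's own secret and the other side's public value."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    z = pow(peer_public, own_secret, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()


def fingerprint(key):
    """Short value the two parties can read to each other over another channel."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]


def honest_exchange():
    a, A = keypair()
    b, B = keypair()
    return shared_key(a, B), shared_key(b, A)


def intercepted_exchange():
    """Both public values are replaced in transit by a third party's value M."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    sender_key = shared_key(a, M)       # sender believes M is B
    receiver_key = shared_key(b, M)     # receiver believes M is A
    third_party_keys = (shared_key(m, A), shared_key(m, B))
    return sender_key, receiver_key, third_party_keys


def substitution_detected(sender_key, receiver_key):
    """Out-of-band check: fingerprints differ when the public values were swapped."""
    return fingerprint(sender_key) != fingerprint(receiver_key)


if __name__ == "__main__":
    k1, k2 = honest_exchange()
    print("honest keys identical:", k1 == k2)
    s, r, _ = intercepted_exchange()
    print("substitution detected by fingerprint check:", substitution_detected(s, r))
```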
RSA is an asymmetric encryption scheme, which was developed by Rivest, Shamir
and Adleman in 1
freely (Treese & Stewart, 1
decodes the signature using the sender's public key thereby verifying the message
sender's identity.
Figure: Digital Signature (PGP, 2001)
Rather than creating a digital signature by encrypting the entire message using the
sender's private key, a hash of the message can be encrypted instead. This creates a
small fixed size signature, regardless of the length of the message. However, a digital
signature does not prove that the authenticated sender actually sent the message, only
that the computer did. If the computer were inappropriately infected, malicious code
could use the key to sign documents without the user's knowledge or permission.
The legal acceptance of digital signatures shifts the burden of proof to the negative,
that the signature in dispute was not signed rather than was signed (Ellison &
Schneier, 2000).
Digital Envelopes and Session Keys
One of the main disadvantages of public key encryption is speed since public key
encryption is noticeably slower than private key encryption (Garfinkel, 1
each exchange (Adams & Bond, 2000). This combination of private and public is
carried out as follows:
1. A secret (session) key is generated at random
2. The message is encrypted using the session key and the symmetric algorithm
3. The session key is then encrypted with the receiver's public key - this is known as
the Digital Envelope
4. Both the encrypted message and the digital envelope are sent to the receiver
5. The receiver uses their private key to decrypt the digital envelope recovering the
session key which is used to decrypt the message (Stein, 1act time of a commercial event can be
recorded (Cross, 1
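The five digital-envelope steps listed above, as an added example that is not from the paper. The receiver's RSA key is a toy one built from two known Mersenne primes, and the symmetric algorithm is a SHA-256 keystream stand-in; both are assumptions made so the block runs with the standard library alone (Python 3.8 or later).

```python
import hashlib
import secrets

# Toy receiver key pair (assumption of this example): unpadded RSA over two
# known Mersenne primes. Illustration only, not a usable key size or scheme.
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537                      # receiver's public key
D = pow(E, -1, (_P - 1) * (_Q - 1))        # receiver's private exponent


def _keystream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(message, receiver_n, receiver_e):
    session_key = secrets.token_bytes(16)                        # step 1
    nonce = secrets.token_bytes(8)
    ciphertext = _keystream_xor(session_key, nonce, message)     # step 2
    envelope = pow(int.from_bytes(session_key, "big"),
                   receiver_e, receiver_n)                       # step 3
    # Step 4: both parts travel together. Only the 16-byte session key went
    # through the slow public key operation, whatever the message length.
    return {"envelope": envelope, "nonce": nonce, "ciphertext": ciphertext}


def open_envelope(package, n, d):
    recovered = pow(package["envelope"], d, n)                   # step 5
    if recovered >> 128:
        raise ValueError("envelope does not contain a 128-bit session key")
    session_key = recovered.to_bytes(16, "big")
    return _keystream_xor(session_key, package["nonce"], package["ciphertext"])


if __name__ == "__main__":
    order = b"Constructed sample order: 3 books, deliver to the usual address."
    package = seal(order, N, E)
    print(open_envelope(package, N, D) == order)
```

The steps as listed give confidentiality only; nothing in this package lets the receiver detect a modified ciphertext, which is the job of the message digests and signatures the paper describes separately.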
secure as access to the machine and the password protection mechanisms.
Cryptographic keys are usually stored in disk files as they may be randomly generated
and are too long to be used manually. At present private keys are generally stored on
the owner's PC and protected by a password. If the PC is hacked or stolen, the private
key could be fraudulently used, hence the keys themselves are usually stored in an
encrypted format.
Smart Cards
A smart card contains a microprocessor and storage unit. Features such as card size,
contact layout and electrical characteristics have been standardised (ISO 7816). Smart
cards have physical tamper-resistant properties, plus secure storage and processing
capabilities. The mechanism employed to ensure that the card is being used by its
authorised user is achieved by off-line entry of a PIN ('something you know') known
only to the card and its rightful holder ('something you have') (Trask & Meyerstein,
1
distributed among a designated set of people whose cumulative information suffices to
determine the secret.
Key Recovery
This term refers to the useful technology that allows a key to be revealed if a user
accidentally loses or deletes the key, or if a law enforcement agency wants to
eavesdrop on a suspected criminal without the suspect's knowledge.
Key Destruction
Keys should be destroyed after use, as they remain valuable after they have been
replaced. If the attacker retains the ciphertext and the key becomes available, then it
can be easily decrypted.
Public Key Infrastructure (PKI)
A well-designed and implemented PKI is essential to establish and maintain trust in digital
certificates. Many studies have shown that the full potential of electronic commerce
will not be realised until public key infrastructures emerge which generate sufficient
trust for businesses and individuals to commit their information and transactions to
the emerging public networks (OECD, 1
interception of communications un#er the Interception of Communications Act 1
Secure Sockets Layer (SSL)
SSL is a non-proprietary protocol, developed by Netscape, used to secure
communication on the Internet. SSL uses public-key technology and digital
certificates to authenticate the server in a transaction and protects private
information as it passes from one party to another. SSL transactions do not require
client authentication (Deitel et al., 2001).
The steps in the process are shown in Figure
1. Client sends ClientHello Message
2. Server acknowledges with ServerHello Message
3. Server sends its Certificate
4. Client sends ClientKeyExchange Message
5. Both send ChangeCipherSpec Messages
6. Both send Finished Messages
(Diagram labels: Server, Session, Server's Digital Envelope, Server's Session Key)
Figure: SSL Handshake (Stein, 1ample, credit card numbers, are stored on the
merchant's server they are vulnerable to both outside and insider attack (Deitel et al.,
2001).
Secure Electronic Transactions (SET)
SET is a specialised protocol, developed by Visa, Mastercard, Netscape and
Microsoft, for safeguarding credit-card-based transactions between customers and
merchants (Stein, 1
1. Provide confidentiality of information through encryption
2. Ensure payment integrity through digital signatures and message digests
3. Authenticate both merchants and cardholders through the use of digital signatures
and certificates
4. Interoperate with other protocols (Greenstein & Feinman, 2000).
The SET protocol involves the cardholder, the merchant, the card-issuing bank and
the merchant's bank using public/private key pairs and signed certificates to establish
each player's identity. Figure 10 shows how SET works.
1. The Customer initiates a purchase
Customer browses Web Site, fills out order form and presses Pay Button. Server
sends customer's computer a message initiating SET software
2. The Client's Software sends the order and payment information
Client's SET software creates two messages, one containing order information,
which is encrypted using a random session key and packaged into a digital
envelope using the Merchant's public key. The other message contains payment
information encrypted using the Merchant Bank's public key. The software
computes a hash of the order and payment information and signs it with the
customer's private key.
3. The Merchant passes payment information to the bank
SET software on the Merchant's server generates an authorisation request,
forwarding the customer's encrypted information to the Bank, signing the message
with its private key to prove its identity to the Bank. This request is encrypted with
a new random session key and incorporated into a digital envelope using the
Bank's public key
4. The Bank checks the validity of the card
The Bank decrypts and verifies the Merchant's message, then decrypts and verifies
the customer's identity. It then generates an encrypted and digitally signed
authorisation request to the Customer's bank
5. The Customer's Bank authorises payment
The customer's bank confirms the merchant's bank identity, decrypts the
information, checks the customer account and approves/rejects the request by
digitally signing and encrypting it and returning it to the merchant's bank
6. The Merchant's Bank authorises the transaction
The Bank authorises, signs and returns the transaction to the Merchant
7. The Merchant's Web Server completes the transaction
Merchant acknowledges the confirmation to the customer, via a confirmation
page, and proceeds to transact the order
8. The Merchant confirms the transaction to the Bank
The Merchant confirms the purchase to its bank, causing the customer's credit
card to be debited and the merchant's account to be credited.
In the SET protocol, the merchant never sees the client's proprietary information,
considerably reducing the risk of fraud (Deitel et al., 2001). SET focuses on
confidentiality and authentication and ensures that not only can thieves not steal a
credit card number but prevents merchants from seeing the number while still
providing assurances that the card is valid (Hawkins et al., 2000).
While SET provides a high level of security, businesses have been slow to embrace
this technology because of the increased transaction time and the specialised
software requirement on both the client and server sides which increases transaction
costs (Deitel et al., 2001).
Summary and Conclusions
Summary of techniques
The applications of cryptography that meet the facilities required from an Internet
based infrastructure are summarised in Table 1.
Facilities Required | Method | Unique Features | Limitations
Confidentiality | Encryption | Scrambles the data before transmission | Speed of transmission
Integrity | Encryption/Decryption | Electronic Key required to open encrypted data | User may lose key; Key may fall into wrong hands
Authentication | Digital Certificate confirmed by a CA | Verifies the authenticity of sender; Alerts recipient if message has been altered | Only useful if companies use a trusted third party Certificate Authority; Only verifies that the message was sent from the user's computer or private key
Non-Repudiation | Digital Certificate; Time Stamp from a CA | Neither sender nor receiver can deny communication |
Copy Protection | Encryption; Digital Time Stamp | Prevents the data from being reproduced; Proves authorship |
Table 1: Internet Security Components Addressed by Cryptography
Security, message integrity and authentication can be achieved by using SSL, which
ensures secure communication between client and server by using public key
technology to encrypt the data and authenticate the server. Although more complex
and expensive to implement, SET enhances SSL by providing mechanisms to ensure
Client Authentication and the security of financial transactions through the separation
of merchant and payment information.
Conclusion
This paper has considered the history and techniques of cryptography used for
securing communications over the Internet. The use of public and private key
encryption infrastructures, digital signatures and time stamping, to ensure
authentication and non-repudiation have been described. The significance of key
management systems and the importance of establishing a Public Key Infrastructure
using Trusted Third Parties and Certification Authorities to establish and maintain
trust in digital certificates have been discussed. Methods of ensuring secure electronic
communication using SSL and safeguarding financial transactions using SET have
been described.
In order for companies to be confident that their electronic transactions can be
carried out securely, Internet security will always be a never-ending challenge. As
improvements in protocols, authentication, integrity, access control and
confidentiality occur, hacking techniques will also improve. The future of Internet
Security will remain in human hands to continually monitor network infrastructures
and to assess and implement hardware and software solutions.
Bibliography
Adams D. & Bond R. (2000) Secure E-Commerce - A Competitive Weapon, Electronic Commerce
Report, UNICOM Seminars Ltd.
Beckett B. (1
Dramatic Increase in Reports to Law Enforcement http://gocsi.com/prelea
Lee C., Yeh Y., Chen D. & Ku K. (2000) A Share Assignment Method to Maximise the Probability of
Secret Sharing Reconstruction under the Internet. IEICE Transactions on Information Systems E83D
(2) 1
Key-Escrow Proposals. Available at http://cwis.kub.nl/~frw/people/koops/bind-art.htm
Accessed 2