Solution to Security Threat Chapter 5 Electronic Commerce | Encryption Solution to Security Threat Source: E-Commerce by K.C Laudon Organize by - Qasim Rafique System Analyst (Hailey College of Commerce | University of the Punjab

HTTPS (Hyper Text Transfer Protocol) Topic’s Covered SSL(Secure Socket Layer) | CA (Certificate Authority) HTTPS (Hyper Text Transfer Protocol) ENCRYPTION Types of Encryption Substitution Encryption Transposition Encryption Symmetric / Secret /Same Key Encryption Asymmetric / Private /Different Key Encryption Encryption Using Hash Function and Digital Signature Encryption Using Digital Envelope Class Activity: Make a Small Virus Program that creates multiple folders in computer drives. Copyright © 2015 Pearson Education, Inc. Publishing as Prentice Hall

ENCRYPTION Encryption is the process of transforming plain text or data into cipher text through some algorithm and key that cannot be read by anyone other than the sender and the receiver. The purpose of encryption is (a) to secure stored information and (b) to secure information transmission. Encryption can provide four of the SIX KEY DIMENSIONS of e-commerce security. ? Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

WHY ENCRYPTION? Because e-commerce transactions must flow over the public Internet, and there for involve thousands of routers and servers through which the transaction packets flow, security experts believe the greatest security threats occur at the level of Internet Communications. This is very different from a private network where a dedicated communication line is established b/w two parties. A number of tools are available to protect the security of Internet communications, the most basic of which is message encryption. Copyright © 2010 Pearson Education, Inc.

Substitution Encryption It basically consists of substituting every plaintext character for a different ciphertext character.  The simple substitution cipher offers very little communication security, and it will be shown that it can be easily broken even by hand. Example: plain alphabet : abcdefghijklmnopqrstuvwxyz cipher alphabet : phqgiumeaylnofdxjkrcvstzwb An example encryption using the above key: plaintext : defend the east wall of the castle ciphertext: giuifg cei iprc tpnn du cei qprcni }Key Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Transposition the ordering of the letters in each word is changed in some systematic way Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Algorithm (Just Concept) To make a computer do anything, you have to write a computer program. To write a computer program, you have to tell the computer, step by step, exactly what you want it to do. The computer then "executes" the program, following each step mechanically, to accomplish the end goal. Let's say that you have a relative arriving at the airport, and your friend needs to get from the airport to your house. Here are four different algorithms that you might give your friend for getting to your home: The taxi algorithm: Go to the taxi stand. Get in a taxi. Give the driver my address. The call-me algorithm: When your plane arrives, call my cell phone. Meet me outside baggage claim. The rent-a-car algorithm: Take the shuttle to the rental car place. Rent a car. Follow the directions to get to my house. Copyright © 2010 Pearson Education, Inc.

Algorithm (Just Concept) The rent-a-car algorithm: Take the shuttle to the rental car place. Rent a car. Follow the directions to get to my house. The bus algorithm: Outside baggage claim, catch bus number 70. Transfer to bus 14 on Main Street. Get off on Elm street. Walk two blocks north to my house. All four of these algorithms accomplish exactly the same goal, but each algorithm does it in completely different way. Each algorithm also has a different cost and a different travel time. Taking a taxi, for example, is probably the fastest way, but also the most expensive. Taking the bus is definitely less expensive, but a whole lot slower. You choose the algorithm based on the circumstances. EXAMPLE: F(X)=X2 -3X+27 | f(x)=x3-(x/2) F(3)=9-9+27 27(actually value of x i.e 3 is converted to 27 using a simple function method(algorithm) . Copyright © 2010 Pearson Education, Inc.

DES Encryption Algorithm JUST FOR CONCEPT Copyright © 2010 Pearson Education, Inc.

RSA (JUST FOR CONCEPT) Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Symmetric key Encryption An encryption system in which the sender and receiver of a message share a single, common key & Algorithm that is used to encrypt and decrypt the message.  Define Diagram Sender/Receiver Steps Copyright © 2010 Pearson Education, Inc.

Common flaws in Symmetric key Encryption First: in the digital age computer are so powerful and fast that these ancient means (Substitution and Transposition) of encryption can be broken quickly. Second: Same key is share by both, and they exchange over some communication medium where it could be stolen and used to decipher messages. Third: In, commercial use, we are all not part of the same team, you would need a secret key for each of the parties with whom you transacted, for example An key for the bank, Another key for departmental store Another for government One for other and so In a large population of users , this could result in as n(n-1) keys. In a population of millions of Internet users, thousands of millions of keys would be needed to accommodate all e – commerce. Copyright © 2010 Pearson Education, Inc.

Asymmetric/Public key Encryption In public key encryption mathematically algorithms produce the keys through one – way function. In one – way function an input can’t be derived from output. Example: it is easy to make scrambled eggs, but impossible to retrieve whole eggs from the scrambled eggs. Keys used in Asymmetric key encryption are 128 bit, 256bit, 512bit. Algorithm used in Asymmetric key encryption are RSA(Ron Rives, Adi Shamir and Len Adleman ) etc. Copyright © 2010 Pearson Education, Inc.

Asymmetric cryptography or public-key cryptography is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely. Initially, a network user receives a public and private key pair from a certificate authority. Any other user who wants to send an encrypted message can get the intended recipient's public key from a public directory. They use this key to encrypt the message, and they send it to the recipient. When the recipient gets the message, they decrypt it with their private key, which no one else should have access to. Define Diagram Sender/Receiver Steps Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

The RSA Algorithm – Key Generation (Just Concept) Select p,q p and q both prime Calculate n = p x q Calculate Select integer e Calculate d Public Key KU = {e,n} Private key KR = {d,n} Copyright © 2010 Pearson Education, Inc.

The RSA Algorithm – Encryption/Decryption Just Concept Plaintext: M<n Ciphertext: C = Me (mod n) Ciphertext: C Plaintext: M = Cd (mod n) Copyright © 2010 Pearson Education, Inc.

Example of RSA Algorithm (Just Concept) Choose p = 3 and q = 11 Compute n = p * q = 3 * 11 = 33 Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20 Choose e such that 1 < e < φ(n) and e and n are coprime. Let e = 7 Compute a value for d such that (d * e) % φ(n) = 1. One solution is d = 3 [(3 * 7) % 20 = 1] Public key is (e, n) => (7, 33) Private key is (d, n) => (3, 33) The encryption of m = 2 is c = 27 % 33 = 29 The decryption of c = 29 is m = 293 % 33 = 2 Copyright © 2010 Pearson Education, Inc.

Problem: asymmetric key encryption (a simple case) In public key encryption some elements of security are missing. Although we can be quite sure the message was not understood or read by a third party (Message Confidentiality) But No guarantee the sender really is the sender (no authentication of message) This mean the sender could deny ever sending the message (repudiation) And there is no assurance the message was not altered some how in transit. (Integrity) Example: message change to Buy Cisco@Rs.25 from sell Cisco @Rs.25. This suggests a potential lack of integrity in the system. Copyright © 2010 Pearson Education, Inc.

Public Key Encryption Using Digital Signatures and Hash Digests Hash function: Mathematical algorithm that produces fixed-length number called message or hash digest A HAS FUNCTION CEN BE SIMPLE, AND COUNT THE NUMBER OF DIGITAL 1S IN A MESSAGE, OR It can be more complex, and produce a 128 bit number that reflects the number of 0s and 1s , the number 00s , 11s, and so on. Example: MD4, MD5, SHA-1, SHA-2 Hash digest of message sent to recipient along with message to verify integrity (Hash digest and message) encrypted with recipient’s public key Entire cipher text then encrypted with Sender private key—creating digital signature (e - signature)—for authenticity, nonrepudiation A digital signature or “signed” cipher text that can be sent over the Internet. A digital signature is a close parallel to a handwritten signature. Like a handwritten signature, a digital signature is unique. When used with a hash function, the digital signature is even more unique than a handwritten signature. And changes for every document. Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Public Key Cryptography with Digital Signatures HASH + MESSAGE Define Diagram Sender/Receiver Steps HASH + MESSAGE Figure 5.9, Page 291 Copyright © 2010 Pearson Education, Inc.

Public Key Encryption Using Digital Signatures and Hash Digests The receiver of this signed cipher( message + message digest) first uses the sender’s public key to authenticate the message. Once Authenticate, the recipient uses his or her private key to obtain the hash result (message digest) and original message. As a final step, the recipient applies the same hash function to the original text (original message) and compares the result with the result sent by the sender. If the results are same (Send message digest = receiver message digest) the receiver now knows the message has not been changed during transmission The message has integrity. Copyright © 2010 Pearson Education, Inc.

A Symmetric Key Encryption Using Digital Envelopes Problem: Public key encryption Computationally slow, decreased transmission speed, increased processing time Symmetric key encryption Insecure transmission lines Solution: Digital envelope: A technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key. Define Diagram Sender/Receiver Steps Copyright © 2010 Pearson Education, Inc.