Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 22

13-2 © 2007 Prentice-Hall, Inc Agenda Assignment 8 Posted –Due April 26 Assignment 9 will assigned next week ECommerce Initiative Frameworks –GuidelinesGuidelines –Due May 8 AM Finish Discussion on Encryption Play Cyber-Protect Game –An Interactive training exercise from DOD

13-3 © 2007 Prentice-Hall, Inc End of days? (subject to change) April 23 –Chap 14 Encryption April 26 –Chap 15 Getting the money –Student Course Evaluations –Assignment 8 Due April 30 –Review –Quiz 4?? May 3 –Quiz 4?? –Assignment 9 Due May 8AM –eCommerce frameworks due –Student presentations 5 Mins each

13-4 © 2007 Prentice-Hall, Inc The focus of this chapter is on several learning objectives Understanding the basic algorithm used in encryption Issues in public-key cryptography Tools used for authentication and trust Brief coverage of the main Internet security protocols and standards Implications and future of encryption in e- commerce

13-5 © 2007 Prentice-Hall, Inc What Is Encryption? A way to transform a message so that only the sender and recipient can read, see, or understand it Plaintext (cleartext): the message that is being protected Encrypt (encipher): transform a plaintext into ciphertext Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines –Plaintext + key = ciphertext –Ciphetext – key = Plaintext

13-6 © 2007 Prentice-Hall, Inc Symmetric Key Encryption Message “Hello” Encryption Method & Key Symmetric Key Party A Party B Interceptor Network Encrypted Message Encryption uses a non-secret encryption method and a secret key

13-7 © 2007 Prentice-Hall, Inc Public Key Encryption Encrypt with Party B’s Public Key Decrypt with Party B’s Private Key Decrypt with Party A’s Private Key Encrypt with Party A’s Public Key Public Key Encryption for Confidentiality Encrypted Message Encrypted Message Party A Party B Note: Four keys are used to encrypt and decrypt in both directions

13-8 © 2007 Prentice-Hall, Inc Public-Key Infrastructure (PKI) Creates the ability to authenticate users, maintain privacy, ensure data integrity, and process transactions without the risk of repudiation PKI satisfies four security needs –Authentication - identifies or verifies that the senders of messages are, in fact, who they claim to be –Integrity - verifies that neither the purchase amount not the goods bought are changed or lost during transmission –Nonrepudiation - prevents sender and vendor in a transaction of communication activity from later falsely denying that the transaction occurred –Privacy - shields communications from unauthorized viewing or access

13-9 © 2007 Prentice-Hall, Inc Basic Encryption Algorithm Both sender and receiver have to know the rules used to transform the original message or transaction into its coded form A set of rules for encoding and decoding messages is called a cipher (or cyper) A message can be decrypted only if the decryption key matches the encryption key A 6-bit key allows for only 64 possible numeric combinations(2 6 ) The standard 56-bit DES encryption code can be cracked on a high-speed computer in a few hours 100 bit key has possible keys

13-10 © 2007 Prentice-Hall, Inc Classes of Algorithms Secret-key (symmetric) encryption : encryption system in which sender and receiver possess the same key; the key used to encrypt a message also can be used to decrypt it Stream cipher : a symmetric algorithm that encrypts a single bit of plaintext at a time Block cipher : a symmetric algorithm that encrypts a number of bits as a single unit Public-key (asymmetric) encryption : encoding/decoding using two mathematically related keys or key-pairs; one public key and one private key Key-pairs can be used in two ways: –To provide message confidentiality –To prove the authenticity of the message originator

13-11 © 2007 Prentice-Hall, Inc Message Confidentiality Using a Key-Pair

13-12 © 2007 Prentice-Hall, Inc Common Cryptosystems RSA Algorithm is the most commonly used public-key algorithm, although it is vulnerable to attack Data Encryption Standards (DES) is a popular secret-key encryption system; the first to be widely adopted commercially Triple DES (3DES) is a stronger version of DES that uses three 56-bit keys to encrypt each block of plaintext RC4 is a variable-length cipher widely used on the Internet as a bulk encryption cipher in SSL protocol IDEA is a strong encryption algorithm using a 128-bit key to encrypt 64-bit blocks; resistant to brute-force attack AES (Rijandael) Successor to DES, with variable key and black size ( bit). Works by arrange data into 4X4 array of bytes which are rearranges prior to encryption. This is Cryptosystem used by the NSA

13-13 © 2007 Prentice-Hall, Inc Major Attacks on Cryptosystems Chosen-plaintext attack Known-plaintext attack Ciphertext-only attack Third-party attack (man-in-the middle)

13-14 © 2007 Prentice-Hall, Inc Authentication and Trust Digital Signature is a special signature for signing electronic correspondence, produced by encrypting the message digest with the sender’s private key Authentication is verifying that a message or document, in fact, comes from the claimed sender Hash function is a formula that converts a message of a given length into a string of digits called a message digest Cryptographic hash functions are generally used to construct the message digest

13-15 © 2007 Prentice-Hall, Inc The Digital Signature Process

13-16 © 2007 Prentice-Hall, Inc Crypto, Digital Signature and Digital Certificates Cryptography provides security by using encryption –Ensures privacy Digital Signatures are just like a real signature –DCMA makes them just as legally binding as a signed paper document Digital Certificates uses Cryptographic techniques to prove Identity

13-17 © 2007 Prentice-Hall, Inc Digital Signature Sender Receiver DSPlaintext Add Digital Signature to Each Message Provides Message-by-Message Authentication Encrypted for Confidentiality

13-18 © 2007 Prentice-Hall, Inc Digital Signature: Sender DS Plaintext MD Hash Sign (Encrypt) MD with Sender’s Private Key To Create the Digital Signature: 1.Hash the plaintext to create a brief message digest; This is NOT the digital signature 2. Sign (encrypt) the message digest with the sender’s private key to create the digital Signature

13-19 © 2007 Prentice-Hall, Inc Digital Signature Sender Encrypts Receiver Decrypts Send Plaintext plus Digital Signature Encrypted with Symmetric Session Key DSPlaintext Transmission

13-20 © 2007 Prentice-Hall, Inc Digital Signature: Receiver DSReceived Plaintext MD 1. Hash 2. Decrypt with True Party’s Public Key 3. Are they Equal? 1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest 2. Decrypt the digital signature with the sender’s public key. This also should give the message digest. 3. If the two match, the message is authenticated; The sender has the true Party’s private key

13-21 © 2007 Prentice-Hall, Inc Public Key Deception Impostor “I am the True Person.” “Here is TP’s public key.” (Sends Impostor’s public key) “Here is authentication based on TP’s private key.” (Really Impostor’s private key) Decryption of message from Verifier encrypted with Impostor’s public key, so Impostor can decrypt it Verifier Must authenticate True Person. Believes now has TP’s public key Believes True Person is authenticated based on Impostor’s public key “True Person, here is a message encrypted with your public key.” Critical Deception

13-22 © 2007 Prentice-Hall, Inc Digital Certificates Digital certificates are electronic documents that give the true party’s name and public key Applicants claiming to be the true party have their authentication methods tested by this public key If they are not the true party, they cannot use the true party’s private key and so will not be authenticated Digital certificates follow the X.509 Standard

13-23 © 2007 Prentice-Hall, Inc Digital Signatures and Digital Certificates Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature DSPlaintext Applicant Verifier Certificate Authority Digital Certificate: True Party’s Public Key

13-24 © 2007 Prentice-Hall, Inc Four Classes of Digital Certificates Class 1 certificates contain minimum checks on the user’s background Class 2 certificates check for information like real name, Social Security number, and the date of birth Class 3 certificates are the strongest type Class 4 certificates are the most thorough

13-25 © 2007 Prentice-Hall, Inc Managing Cryptographic Keys Key management is the process of making keys known to the systems that need them and making sure keys are protected against disclosure or substitution Key Life Cycle –Key generation and registration –Key distribution –Key backup and recovery Key escrow : location where keys held in trust by a third party reside Notary service : company that provides encryption-oriented services including key escrow, key recovery, time stamping, trusted intermediary, and archiving –Key revocation and destruction

13-26 © 2007 Prentice-Hall, Inc Third-Party Services Certificate authority verifies certificates intended for use by other distinct legal entities Certificate policy is a set of rules that identifies how, when, and for what reasons certificates are used within the assigned organization Directory service is a repository that distributes certificates as requested by message originators

13-27 © 2007 Prentice-Hall, Inc Internet Security Protocols Two key protocols for secure World Wide Web transactions are: –Secure Socket Layer (SSL) is a portocol for secure Web transactions, secures data packets at the network layer –Secure HTTP (S-HTTP) is a protocol that secures Web transactions and nothing else Secure Electronic Transaction (SET) is a protocol used for handling funds transfers from credit card issuers to a merchant’s bank account –A digital certificate customers can request from their issuing bank by filling out a form on the bank’s Web site –A digital wallet is an online shopping device that seals personal information in a free plug-in that can be invoked when making a purchase

13-28 © 2007 Prentice-Hall, Inc Secure Pretty Good Privacy (PGP) is a protocol that encrypts the data with a one-time algorithm and then encrypts the key to the algorithm using public-key cryptography S/MIME (Multipurpose Internet Mail Extension) is a powerful protocol that provides security for different data types and attachments to s Message Security Protocol (MSP) is a protocol that secures attachments across multiple platforms

13-29 © 2007 Prentice-Hall, Inc Implications for E-Commerce Developing high-powered and reliable encryption methods is a top priority for many organizations Most encryption systems have prevention as the sole means of defense Merchants face a number of choices when considering encryption methods A major concern is the cost associated with different encryption methods Government regulations present considerable problems for businesses