E-Commerce: Fundamentals and Applications

Presentation transcript:

E-Commerce: Fundamentals and Applications, © Wiley and the book authors, 2001
Slide 1: Chapter 7: Basic cryptography for enabling e-commerce

Slide 2: Outline
- Security requirements
- Encryption
- Two basic principles for private key encryption
- Public key encryption
- RSA encryption algorithm
- Hybrid encryption
- Message digest
- Message authentication code
- Digital signature
- Authentication (digital certificate)

Slide 3: Security requirements
- Confidentiality: assure that data can be kept secret. Method: encryption
- Integrity: assure that a received message has not been altered. Method: digital signature
- Authentication: verifying identities. Method: digital certificate

Slide 4: Encryption
[Figure: the plaintext "This is Plaintext" and the encryption key go into the encryption step, which outputs the ciphertext]

Slide 5: Decryption
[Figure: the ciphertext and the decryption key go into the decryption step, which outputs the plaintext "This is Plaintext"]

Slide 6: Two basic principles
- Substitution: THIS IS A SECRET (key n=3) becomes WKLV LV D VHFUHW
- Transposition: THIS IS A SECRET (key 4213) becomes IHSTSI S EAERTC
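The two principles on slide 6, implemented as an added example (this is not code from the slides or the book): a shift substitution with n=3 and a block transposition with key 4213, each with its inverse. The reading of the key, that character i of every four-character block moves to position key[i] of the output block, is an assumption chosen because it reproduces the slide's result; the transcript shows that result with a single space where the computation yields two adjacent spaces.

```python
# Added example: substitution and transposition from slide 6.
# Key interpretation for transposition is an assumption (see lead-in).

def substitute(text: str, n: int = 3) -> str:
    """Shift every letter n places forward in the alphabet; other characters
    (spaces, digits) are left unchanged. n=3 gives the slide's example."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def unsubstitute(text: str, n: int = 3) -> str:
    """Undo the shift (Python's % keeps the result in range for negative n)."""
    return substitute(text, -n)


def transpose(text: str, key: str = "4213") -> str:
    """Block transposition: character i of each len(key)-sized block is moved
    to position key[i] (1-based) of the output block. A short final block is
    padded with spaces so every block has the same length."""
    k = len(key)
    positions = [int(digit) - 1 for digit in key]
    if sorted(positions) != list(range(k)):
        raise ValueError("key must be a permutation of 1..len(key)")
    padded = text + " " * (-len(text) % k)
    out = []
    for start in range(0, len(padded), k):
        block = padded[start:start + k]
        scrambled = [""] * k
        for i, ch in enumerate(block):
            scrambled[positions[i]] = ch
        out.append("".join(scrambled))
    return "".join(out)


def untranspose(text: str, key: str = "4213") -> str:
    """Inverse: the character at output position key[i] was input character i."""
    k = len(key)
    positions = [int(digit) - 1 for digit in key]
    out = []
    for start in range(0, len(text), k):
        block = text[start:start + k]
        out.append("".join(block[positions[i]] for i in range(k)))
    return "".join(out)
```

Both are teaching ciphers only: a single shift has 25 possible keys and is exhausted instantly, and a transposition preserves letter frequencies, so neither offers confidentiality against anyone who knows the method. The slide's point is the two building blocks themselves, which DES (next slide) combines over many rounds.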

Slide 7: Data Encryption Standard (DES)
DES is probably the most popular symmetric (private) key encryption method. It is based on research by IBM and was standardized by the USA government. DES uses many stages of transposition and substitution to encrypt 64-bit data blocks using a 56-bit key. A triple DES standard is available to further enhance the security: it uses three stages of encryption/decryption/encryption with two keys (also called DESede).

Slide 8: Public key encryption
[Figure: the plaintext "This is Plaintext" is encrypted with the public key into the ciphertext "kfl30kfl"; the ciphertext "kfl30kfl" is decrypted with the private key back into the plaintext "This is Plaintext"]

Slide 9: RSA
RSA (Rivest, Shamir, Adleman) is a popular asymmetric key encryption standard. It is based on number theory (more specifically, the difficulty of factorizing a large number). The key size ranges between 512 and 2048 bits. It is used in many e-commerce applications such as the Secure Electronic Transaction (SET) protocol for credit card payment.

Slide 10: How RSA works
- Pick two large prime numbers p and q
- Multiply p and q to obtain n
- Choose d such that d and w = (p-1)(q-1) are relatively prime (no common factor other than 1); d must be smaller than w
- Choose e such that 1 = (d * e) mod w
- Public key is (e, n); private key is (d, n)
- Message code m, secret code c:
  c = m^e mod n (encrypt original message m)
  m = c^d mod n (decrypt to recover original message m)

Slide 11: Hybrid encryption
RSA encryption is slower than DES encryption, so it is more effective to combine them. How? Suppose that A wants to send messages to B. B generates a random session (DES) key. This session key is encrypted with A's public key, and the encrypted session key is sent to A. A obtains the session key by decrypting it with his/her private key. The session key can then be used for encrypting subsequent messages (using DES encryption).
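The RSA steps of slide 10 and the hybrid scheme of slide 11, as one added example (not code from the slides or the book). The key generation follows the slide's own order, choosing d first and deriving e. The small primes 61 and 53 with d=2753 are constructed so the arithmetic can be checked by hand; the two Mersenne primes used for A's key pair, the 16-byte session key, and the SHA-256 keystream that stands in for DES (which the Python standard library does not provide) are all assumptions of this example.

```python
import hashlib
import math
import secrets

# Added example: slide 10 (RSA) and slide 11 (hybrid encryption).
# Primes, key sizes and the DES stand-in are assumptions, not from the slides.


def rsa_keygen(p: int, q: int, d: int):
    """Slide 10 in the slide's order: n = p*q, w = (p-1)(q-1), d chosen coprime
    with w and smaller than w, e derived so that 1 = (d*e) mod w.
    Returns the public key (e, n) and the private key (d, n)."""
    n = p * q
    w = (p - 1) * (q - 1)
    if not 1 < d < w or math.gcd(d, w) != 1:
        raise ValueError("d must lie in (1, w) and share no factor with w")
    e = pow(d, -1, w)          # modular inverse: 1 = (d * e) mod w
    return (e, n), (d, n)


def rsa_encrypt(m: int, public_key) -> int:
    """c = m^e mod n; the message code must be smaller than n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message code must be smaller than n")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    """m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def toy_walkthrough():
    """p=61, q=53, d=2753 (constructed): returns (e, ciphertext of 65, recovered m)."""
    public_key, private_key = rsa_keygen(61, 53, d=2753)
    c = rsa_encrypt(65, public_key)
    return public_key[0], c, rsa_decrypt(c, private_key)


# --- Hybrid encryption (slide 11) ------------------------------------------
# A's key pair. Two Mersenne primes give a ~150-bit modulus: enough to wrap a
# 128-bit session key, far too small for real use (2048 bits is the norm).
A_PUBLIC, A_PRIVATE = rsa_keygen(2**61 - 1, 2**89 - 1, d=2**127 - 1)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stands in for DES: XOR the data with a SHA-256 counter keystream.
    The same operation encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[i:i + 32], block))
    return bytes(out)


def session_encrypt(key: bytes, message: bytes) -> bytes:
    nonce = secrets.token_bytes(8)          # fresh per message, sent in clear
    return nonce + _keystream_xor(key, nonce, message)


def session_decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:8], blob[8:])


def hybrid_exchange(messages):
    """Slide 11 as written: A wants to send to B. B generates a random session
    key and sends it encrypted under A's public key; A recovers it with the
    private key and uses it to encrypt the messages; B, who already holds the
    key, decrypts them. Returns what B reads."""
    session_key = secrets.token_bytes(16)                                 # at B
    wrapped_key = rsa_encrypt(int.from_bytes(session_key, "big"), A_PUBLIC)
    # --- wrapped_key travels B -> A ---
    recovered = rsa_decrypt(wrapped_key, A_PRIVATE).to_bytes(16, "big")   # at A
    ciphertexts = [session_encrypt(recovered, m) for m in messages]       # at A
    # --- ciphertexts travel A -> B ---
    return [session_decrypt(session_key, ct) for ct in ciphertexts]       # at B
```

The asymmetric operation runs once per session and the cheap symmetric cipher handles the bulk data, which is the slide's whole argument. Two things the example deliberately leaves out, because the slides cover them later: the session ciphertext carries no integrity check (slides 13 and 14), and nothing here proves whose public key A_PUBLIC really is (slides 16 and 17). Textbook RSA without padding, as used here, is for illustration only; deployed systems wrap keys with RSA-OAEP or negotiate them with Diffie-Hellman.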

Slide 12: Message digest
In some cases we may only be concerned with data integrity. As encryption is slow, it may not be necessary to encrypt all messages. A message digest algorithm generates an almost unique message digest (it looks like a "fingerprint") for a message. A popular message digest algorithm is MD5.
[Figure: messages 1 to N of different sizes pass through the message digest algorithm and produce message digests 1 to N of the same size]

Slide 13: Message authentication code (MAC)
Basic idea (using symmetric key encryption):
- Suppose that the sender and receiver share a large random number (i.e. a secret).
- The secret is attached to the message for finding the message digest.
- The message (without the secret) together with the message digest is sent.
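The message digest of slide 12 and the shared-secret MAC of slide 13, as one added example (not code from the slides or the book). It shows the slide's basic idea, hashing the secret attached to the message, next to HMAC, the standardised construction that deployed systems use for the same purpose, and a receiver-side check. The messages and the shared secret are constructed sample values.

```python
import hashlib
import hmac

# Added example: slide 12 (message digest) and slide 13 (MAC).
# Sample messages and the shared secret are constructed values.


def message_digest(message: bytes, algorithm: str = "md5") -> str:
    """Fixed-size fingerprint of an arbitrary-size message (slide 12).
    MD5 is the algorithm the slide names; SHA-256 is the modern choice."""
    return hashlib.new(algorithm, message).hexdigest()


def naive_mac(secret: bytes, message: bytes) -> str:
    """Slide 13 literally: the secret is attached to the message before
    hashing, and only the message and the digest are sent."""
    return hashlib.sha256(secret + message).hexdigest()


def hmac_tag(secret: bytes, message: bytes) -> str:
    """The standard construction (HMAC, RFC 2104) built on the same idea."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_mac(secret: bytes, message: bytes, tag: str) -> bool:
    """Receiver recomputes the tag from its copy of the secret and compares
    in constant time, so a wrong tag is not detectable byte by byte."""
    return hmac.compare_digest(hmac_tag(secret, message), tag)


def demo():
    """Returns the observations a reader would check by hand."""
    short = b"pay 10 dollars to account 42"
    big = b"x" * 10_000
    secret = b"constructed-shared-secret-0123456789"
    tag = hmac_tag(secret, short)
    return {
        "same_size": len(message_digest(short)) == len(message_digest(big)),
        "md5_hex_len": len(message_digest(short)),
        "ok": verify_mac(secret, short, tag),
        "tampered": verify_mac(secret, b"pay 99 dollars to account 42", tag),
        "wrong_secret": verify_mac(b"another secret", short, tag),
    }
```

A digest alone only detects accidental corruption: anyone who changes the message can recompute it. The shared secret is what turns the digest into an authenticator. The naive secret-prefix form is kept here because it is what the slide describes; in practice use `hmac_tag`, since prefixing a secret to a plain Merkle-Damgard hash such as MD5 or SHA-256 is known to be weaker than HMAC.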

Slide 14: Steps in digital signature generation
- Step 1: Compute the message digest of the file
- Step 2: Encrypt the message digest with the sender's private key to obtain the digital signature
- Step 3: Send the file and the digital signature (the signed file)
[Figure: File -> Message Digest -> Digital Signature -> File + Digital Signature (signed file)]

Slide 15: Steps in digital signature verification
The receiver obtains the signed file (file plus digital signature) from the sender.
- Step 1a: Find the message digest of the file
- Step 1b: Decrypt the digital signature with the sender's public key
- Step 2: Compare the two message digests: accept if they are the same, reject if they are different
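The generation steps of slide 14 and the verification steps of slide 15, as an added example (not code from the slides or the book). The key pair is a constructed textbook-RSA pair built from two Mersenne primes (about 150 bits, far below any real key size) so that an MD5 digest, the algorithm slide 12 names, fits below the modulus as an integer; the file contents are constructed sample data.

```python
import hashlib

# Added example: slides 14 and 15 (digital signature generation and
# verification). The key pair is constructed for illustration only.

P, Q = 2**61 - 1, 2**89 - 1          # two known primes (constructed choice)
N = P * Q
W = (P - 1) * (Q - 1)
D = 2**127 - 1                       # private exponent, coprime with W
E = pow(D, -1, W)                    # public exponent: 1 = (D * E) mod W
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def digest_as_int(data: bytes) -> int:
    """Message digest of the file as an integer smaller than N. MD5 is 128
    bits, so it fits under the ~150-bit modulus used here; real systems use
    SHA-256 with 2048-bit or larger keys and a signature padding scheme."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign(data: bytes, private_key=PRIVATE_KEY) -> int:
    """Slide 14, steps 1 and 2: digest the file, then 'encrypt' the digest
    with the sender's private key."""
    d, n = private_key
    return pow(digest_as_int(data), d, n)


def send_signed_file(data: bytes):
    """Slide 14, step 3: the signed file is the file plus its signature."""
    return data, sign(data)


def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Slide 15: step 1a recomputes the digest, step 1b decrypts the signature
    with the sender's public key, step 2 accepts only if the two are the same."""
    e, n = public_key
    recomputed = digest_as_int(data)
    decrypted = pow(signature, e, n)
    return recomputed == decrypted


def receive(signed_file) -> str:
    """Receiver's decision in the slide's words."""
    data, signature = signed_file
    return "Accept" if verify(data, signature) else "Reject"
```

Changing a single byte of the file changes its digest, so the decrypted signature no longer matches and the receiver rejects. Note what verification relies on: the receiver must already trust that PUBLIC_KEY belongs to the sender, which is exactly the gap the digital certificate on the next slide fills. Unpadded textbook RSA as written here is for teaching; production code uses a standard signature scheme such as RSA-PSS.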

Slide 16: Format of digital certificate
X.509 digital certificate fields:
- Version
- Serial number
- Signature algorithm identifier
- Issuer
- Validity period
- Subject
- Subject public key information
- Issuer unique identifier
- Subject unique identifier
- Extension fields
- Digital signature

Slide 17: Revocation of certificates
Each certificate is assigned a validity period, like a credit card. However, a certificate may still be revoked before the expiry date (e.g., the user is no longer certified by the CA). Each CA uses a certificate revocation list (CRL) to provide information on the revoked certificates. The CRL is usually kept in a public directory. A user should check in the public directory whether a certificate has been revoked.