Security PART 2: ECT 250: Survey of E-Commerce Technology
Security PART 2
Tools for site security
Encryption & cryptography
The process of transforming plain text or
data into cipher text that cannot be read
by anyone outside of the sender and the
receiver. The purpose of encryption is
to secure stored information
to secure information transmission
Plain text is the text before encryption
Cipher text is text that has been encrypted
Early cipher systems
Substitution cipher: every occurrence of a
given letter is replaced by a different one
Plaintext: example
Ciphertext: fybnqmf
Transposition cipher: the ordering of the
letters is shifted to form new words
Plaintext: example
Ciphertext: eape xml
Modern cipher systems
Modern cipher systems are digital. The
encryption algorithm is based on the individual
bits of a message rather than letters of the
alphabet.
Encryption and decryption keys are binary
strings of a given key length (128 bit)
The longer the key the more computing power
and time it takes to break the code
Symmetric key cryptography
It uses a single key to encrypt and decrypt
the message.
The sender (Alice) and the receiver (Bob)
exchange the secret key
Alice encodes the message using the secret key
and sends the encrypted message
Bob decodes the message using the same secret
key
Problems with symmetric key
How do they exchange the secret key in a
secure way? (key distribution centers)
There is no authentication of the sender
What if both wish to communicate with a
third party (back to square one, they have
to exchange the key)
Currently we use a triple 56-bit Data
Encryption Standard (DES) encryption
algorithm
Cracking the 56-bit DES system
Public key cryptography
Uses two mathematically related keys.
The private key is kept secret by its owner
The public key is freely distributed
Both keys can be used to encrypt or decrypt but not on
the same message
If Alice wants to communicate with Bob
Alice encrypts the message using Bob’s public key
(which is publicly available) and sends it
Alice decodes the message using her private key (only
her private key will unlock a message encrypted using
her public key)
Public-key encryption
Authentication
Of the merchant: if a customer sends a
message to a merchant using the merchant’s
public key, the customer knows that only the
merchant can decipher the message
Of the customer: if the customer sends a
message using the customer’s private key, the
merchant can decipher it only using the
customer’s public key thus identifying the
customer
RSA and PGP
The most commonly used public-key system
is RSA (Rivest, Shamir, Adleman invented it
in 1977 at MIT)
Most secure e-commerce transactions use
RSA products.
Another common system is PGP (Pretty
Good Privacy), freely available for
non-commercial use from the MIT distribution center
Secret-key vs public-key
Advantages of public-key systems:
With one combination of keys you can
exchange private messages with a large group
of people
Key distribution is not a problem
Drawback of public-key systems:
They are not efficient for sending large
amounts of information
Solution: use digital envelopes
Digital envelope
Is a technique that uses symmetric encryption for
large documents, but public key encryption to
encrypt and send the symmetric key
Bob receives both messages (the encrypted secret key and the encrypted message)
Using his private key, Bob decrypts the secret key
Using the secret key, Bob decrypts the message
[Figure: Digital envelope]
Ensuring transaction integrity
Integrity violation may occur whenever a
message is altered while in transit between
the sender and receiver.
To ensure transaction integrity, two
separate algorithms are applied to a
message:
Hash function: produces the message digest
Digital signature: encrypts the digest
Hash algorithm
Produces a fixed-length number called a
message digest based on the length and content
of the message.
The original message cannot be retrieved from the
digest
The digest is appended to the message
The receiver recalculates the digest of the message
as it was received
If the two digests don’t match, integrity was
violated
Digital signature
Is an encrypted message digest used to
check the identity of the sender and the
integrity of the message sent.
Alice computes the digest and encrypts it using her
private key, then appends the digest to the message.
Bob deciphers the digest using Alice’s public key (He is
now sure of Alice’s identity)
Bob computes the digest of the message sent by Alice
and compares it with the digest sent by Alice. If they
match he knows the message was not altered
Digital signatures
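The hash, sign and verify steps described above, as an added example that is not part of the original slides. It assumes SHA-256 as the hash function and uses a constructed toy RSA key pair (textbook RSA, no padding) that is only suitable for illustration; the names ALICE_PUBLIC, ALICE_PRIVATE, digest, sign and verify are hypothetical.

```python
import hashlib

# Constructed toy RSA key pair for illustration only: the primes are
# well-known Mersenne primes and no padding is used, so this is NOT secure.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

ALICE_PUBLIC = (E, N)
ALICE_PRIVATE = (D, N)


def digest(message: bytes) -> int:
    """Hash step: fixed-length message digest (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Alice: compute the digest and encrypt it with her private key."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Bob: decrypt the signed digest with Alice's public key and compare
    it with the digest he recomputes from the message as received."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    order = b"Pay merchant 25.00 USD"  # constructed sample message
    sig = sign(order, ALICE_PRIVATE)
    # Unaltered message: the two digests match.
    print(verify(order, sig, ALICE_PUBLIC))
    # Message altered in transit: the recomputed digest no longer matches.
    print(verify(b"Pay merchant 95.00 USD", sig, ALICE_PUBLIC))
```

Production systems use a vetted library with a padded signature scheme rather than raw modular exponentiation.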
Securing the channels of communication