ECT 250: Survey of e-commerce technology

Security PART 2
Tools for site security
Encryption & cryptography
 Encryption is the process of transforming plain text or
data into cipher text that cannot be read
by anyone other than the sender and the
receiver. The purpose of encryption is
 to secure stored information
 to secure information transmission
 Plain text is the text before encryption
 Cipher text is text that has been encrypted
Early cipher systems
 Substitution cipher: every occurrence of a
given letter is replaced by a different one
 Plaintext: example
 Ciphertext: fybnqmf
 Transposition cipher: the order of the
letters is rearranged to form new words
 Plaintext: example
 Ciphertext: eape xml
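The two early cipher systems above, implemented as an added example (this code is not from the lecture slides). The substitution cipher is the shift used by the slide's own "example" / "fybnqmf" pair; the transposition is a two-column one that produces the slide's "eapexml". The last function makes the defender's point explicit: a shift cipher has only 26 keys, so a message can be recovered by trying every key, which is why key length matters for modern ciphers. The column count and the sample words are assumptions for the demonstration.

```python
import string

ALPHABET = string.ascii_lowercase


def substitution_encrypt(plaintext, shift):
    """Shift cipher: each letter is replaced by the letter `shift`
    places later in the alphabet (wrapping from z back to a)."""
    out = []
    for ch in plaintext:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left untouched
    return "".join(out)


def substitution_decrypt(ciphertext, shift):
    """Decryption is encryption with the opposite shift."""
    return substitution_encrypt(ciphertext, -shift)


def transposition_encrypt(plaintext, columns=2):
    """Columnar transposition: write the text row by row into `columns`
    columns, then read it out column by column. With two columns,
    'example' becomes 'eape' + 'xml' = 'eapexml', as on the slide."""
    return "".join(plaintext[c::columns] for c in range(columns))


def transposition_decrypt(ciphertext, columns=2):
    """Undo the columnar transposition by refilling the columns in order."""
    n = len(ciphertext)
    out = [""] * n
    pos = 0
    for c in range(columns):
        for i in range(c, n, columns):
            out[i] = ciphertext[pos]
            pos += 1
    return "".join(out)


def recover_shift(ciphertext, known_word):
    """Exhaustive key search: try all 26 shifts and return the one whose
    decryption contains a word we expect to see. The key space is so
    small that this takes no measurable time, which is the weakness
    of a cipher whose key is a single letter offset."""
    for shift in range(26):
        if known_word in substitution_decrypt(ciphertext, shift):
            return shift
    return None


if __name__ == "__main__":
    # Constructed sample input matching the slide's worked examples.
    print(substitution_encrypt("example", 1))          # fybnqmf
    print(transposition_encrypt("example"))            # eapexml
    print(recover_shift("fybnqmf", "example"))         # 1
```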
Modern cipher systems
 Modern cipher systems are digital. The
encryption algorithm is based on the individual
bits of a message rather than letters of the
alphabet.
 Encryption and decryption keys are binary
strings of a given key length (for example, 128 bits)
 The longer the key, the more computing power
and time it takes to break the code
Symmetric key cryptography
 It uses a single key to encrypt and decrypt
the message.
 The sender (Alice) and the receiver (Bob)
exchange the secret key
 Alice encodes the message using the secret key
and sends the encrypted message
 Bob decodes the message using the same secret
key
Problems with symmetric key
 How do they exchange the secret key in a
secure way? (key distribution centers)
 There is no authentication of the sender
 What if both wish to communicate with a
third party (back to square one, they have
to exchange the key)
 Currently we use a triple 56-bit Data
Encryption Standard (DES) encryption
algorithm
Cracking the 56-bit DES system
Public key cryptography
 Uses two mathematically related keys.
 The private key is kept secret by its owner
 The public key is freely distributed
 Both keys can be used to encrypt or decrypt, but a
message encrypted with one key can only be decrypted with the other
 If Alice wants to communicate with Bob
 Alice encrypts the message using Bob’s public key
(which is publicly available) and sends it
 Bob decodes the message using his private key (only
his private key will unlock a message encrypted using
his public key)
Public-key encryption
Authentication
 Of the merchant: if a customer sends a
message to a merchant using the merchant’s
public key, the customer knows that only the
merchant can decipher the message
 Of the customer: if the customer sends a
message using the customer’s private key, the
merchant can decipher it only using the
customer’s public key, thus identifying the
customer
RSA and PGP
 The most commonly used public-key system
is RSA (Rivest, Shamir and Adleman invented it
in 1977 at MIT)
 Most secure e-commerce transactions use
RSA products.
 Another common system is PGP (Pretty
Good Privacy), available freely for non-
commercial use from the MIT distribution center
Secret-key vs public-key
 Advantages of public-key systems:
 With one combination of keys you can
exchange private messages with a large group
of people
 Key distribution is not a problem
 Drawback of public-key systems:
 They are not efficient for sending large
amounts of information
 Solution: use digital envelopes
Digital envelope
 Is a technique that uses symmetric encryption for
large documents, but public key encryption to
encrypt and send the symmetric key
 Alice encrypts a message using a secret key
 Alice encrypts the secret key using Bob’s public key and
sends both encrypted items to Bob
 Bob decrypts the secret key using his private key
 Bob uses the secret key to decipher Alice’s message
[Diagram: Digital envelope. Alice encrypts the message using the secret key and encrypts the secret key using Bob’s public key, then sends both to Bob. Bob decrypts the secret key using his private key, then decrypts the message using the secret key.]
Digital envelope
Ensuring transaction integrity
 Integrity violation may occur whenever a
message is altered while in transit between
the sender and receiver.
 To ensure transaction integrity, two
separate algorithms are applied to a
message:
 Hash function: produces a message digest
 Digital signature: encrypts the digest
Hash algorithm
 Produces a fixed-length number called a
message digest, based on the length and content
of the message.
 The original message cannot be retrieved from the
digest
 The digest is appended to the message
 The receiver recalculates the digest of the message
as it was received
 If the two digests don’t match, integrity was
violated
Digital signature
 Is an encrypted message digest used to
check the identity of the sender and the
integrity of the message sent.
 Alice computes the digest and encrypts it using her
private key, then appends the encrypted digest to the message.
 Bob deciphers the digest using Alice’s public key (he is
now sure of Alice’s identity)
 Bob computes the digest of the message sent by Alice
and compares it with the digest sent by Alice. If they
match he knows the message was not altered
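The digital envelope, the hash-based integrity check and the digital signature described above, combined in one added example (this code is not from the lecture; it is an illustration written for this page). Alice seals a message for Bob with a fresh session key that is itself encrypted under Bob's public key, and signs the message's SHA-256 digest with her own private key; Bob opens the envelope with his private key and checks the signature with Alice's public key, which also detects any alteration in transit. Assumptions: the RSA here is textbook RSA with randomly generated 256-bit primes and no padding, and the symmetric cipher is a toy SHA-256 keystream standing in for a real block cipher such as AES; both are for demonstration only, and real systems use padded RSA (OAEP for encryption, PSS for signatures) or a dedicated key-exchange scheme. The sample message is constructed.

```python
import hashlib
import secrets
from math import gcd


# ---- Toy RSA (textbook, unpadded; assumption: illustration only) ----

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so the modulus has full size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Return (public_key, private_key) as (e, n) and (d, n).
    A 512-bit modulus is far too small for real use; it is chosen so the
    example runs instantly while still being larger than a 256-bit digest."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def rsa_apply(key, value):
    """Apply a key to an integer: the same operation serves both
    keys, which is why either key can encrypt what the other decrypts."""
    exponent, n = key
    assert 0 <= value < n, "value must be smaller than the modulus"
    return pow(value, exponent, n)


# ---- Toy symmetric cipher (assumption: stand-in for AES, not for real use) ----

def stream_xor(key, data):
    """XOR the data with a SHA-256 keystream derived from the key.
    Safe here only because each session key is used for one message."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


# ---- Digital envelope ----

def seal(message, recipient_public):
    """Encrypt the message with a fresh session key, then wrap that key
    with the recipient's public key; both parts are sent together."""
    session_key = secrets.token_bytes(32)
    ciphertext = stream_xor(session_key, message)
    wrapped_key = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return ciphertext, wrapped_key


def open_envelope(ciphertext, wrapped_key, recipient_private):
    """Only the recipient's private key recovers the session key."""
    session_key = rsa_apply(recipient_private, wrapped_key).to_bytes(32, "big")
    return stream_xor(session_key, ciphertext)


# ---- Digital signature ----

def sign(message, signer_private):
    """Hash the message and encrypt the digest with the signer's private key."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(signer_private, digest)


def verify(message, signature, signer_public):
    """Decrypt the digest with the public key and compare it with a
    freshly computed digest: a mismatch means a forged sender or an
    altered message."""
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(signer_public, signature) == expected


def demo():
    """Alice sends a sealed, signed order to Bob; returns what Bob sees."""
    alice_public, alice_private = rsa_keygen()
    bob_public, bob_private = rsa_keygen()
    message = b"Order 42: ship 3 units to warehouse B"  # constructed sample
    ciphertext, wrapped_key = seal(message, bob_public)
    signature = sign(message, alice_private)
    recovered = open_envelope(ciphertext, wrapped_key, bob_private)
    genuine = verify(recovered, signature, alice_public)
    tampered = verify(recovered + b"0", signature, alice_public)
    return recovered, genuine, tampered


if __name__ == "__main__":
    print(demo())  # (b'Order 42: ...', True, False)
```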
Digital signatures
Securing the channels of communication
 Secure Sockets Layer (SSL) is the most
common form of securing channels
 Secure negotiated session is a client-server
session in which the URL of the requested
document, its contents, the contents of forms,
and the cookies exchanged are all encrypted.
 Session key is a unique symmetric encryption
key chosen for a single secure session
SSL transaction
Communications covered by SSL
 SSL resides on top of TCP/IP in the
Internet protocol suite
 As a result it can secure many different
types of communications
 FTP sessions
 Telnet sessions
 HTTP sessions (S-HTTP)
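The secure channel described above is provided today by TLS, the successor of SSL. As an added example (not from the lecture), the following code uses Python's standard ssl module to build a client-side context and audit it, placing the weak settings that often appear in scripts (certificate verification switched off) beside a hardened configuration that verifies the server certificate, checks the hostname and refuses versions older than TLS 1.2. It makes no network connection and assumes only the standard library.

```python
import ssl


def weak_client_context():
    """A common misconfiguration: verification disabled, so any party that
    can intercept the connection may impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Verify the server certificate against the system trust store,
    require that it matches the hostname, and refuse pre-TLS 1.2 versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the checks a reviewer would make; all True is acceptable."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The hardened context is what `urllib`, `http.client` and similar standard-library clients should be given; a context that reports False on any of the three checks protects the data in transit only against a passive observer, not against an active one.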
S-HTTP
 Secure Hypertext Transfer Protocol (S-HTTP)
is a secure message-oriented communications
protocol designed for use in conjunction with
HTTP. It cannot be used to secure non-HTTP
messages
 Security features include
 Client and server authentication
 Symmetric encryption for communication
 Message digests
 Message integrity
Limitations of secure protocols
 SSL and S-HTTP protect information while
it is being transmitted
 They don’t protect it once it is stored on
the merchant’s computer
 The data needs to be encrypted and/or
the server secured to protect information
that was previously transmitted
Protecting the network
 Access control and authentication: who and
what has access to the network (users and
servers), using certificates and passwords
 Firewalls are software applications that act as a
filter between a company’s private network and
the Internet itself
 Proxy server is a software server that handles
all communications originating from or being
sent to the Internet, acting as a spokesperson or
bodyguard for the organization
The e-commerce security plan