Chapter 10 Encryption: A Matter of Trust

Awad – Electronic Commerce 1/e © 2002 Prentice Hall

Mar 26, 2015

Caleb McLain

OBJECTIVES

• What is Encryption?
• Basic Cryptographic Algorithm
• Digital Signatures
• Major Attacks on Cryptosystems
• Digital Certificates
• Key Management
• Internet Security Protocols & Standards
• Government Regulations

WHAT IS ENCRYPTION?

• Based on use of mathematical procedures to scramble data to make it extremely difficult to recover the original message

• Converts the data into an encoded message using a key for decoding the message

WHAT DOES ENCRYPTION SATISFY?

• Authentication

• Integrity

• Non-repudiation

• Privacy

BASIC CRYPTOGRAPHIC ALGORITHM

• Secret Key
  – The sender and recipient possess the same single key

• Public Key
  – One public key that anyone can know, used to encrypt
  – One private key that only the owner knows, used to decrypt
  – Provides message confidentiality
  – Proves authenticity of the originator of the message

COMMONLY USED CRYPTOSYSTEMS

• RSA Algorithm
  – Most commonly used but vulnerable

• Data Encryption Standard (DES)
  – Turns a message into a mess of unintelligible characters

• 3DES

• RC4

• International Data Encryption Algorithm (IDEA)

DIGITAL SIGNATURES

• Transform the message signed so that anyone who reads it can be sure of the real sender

• A block of data representing a private key

• Serve the purpose of authentication

MAJOR ATTACKS ON CRYPTOSYSTEMS

• Chosen-plaintext Attack

• Known-plaintext Attack

• Ciphertext-only Attack

• Third-party Attack

DIGITAL CERTIFICATES

• An electronic document issued by a certificate authority (CA) to establish a merchant’s identity by verifying its name and public key

• Includes holder’s name, name of CA, public key for cryptographic use, duration of certificate, the certificate’s class & ID

CLASSES OF CERTIFICATES

• Class 1
  – Contains minimum checks on user’s background
  – Simplest & quickest

• Class 2
  – Checks for information, e.g. names, SSN, date of birth
  – Requires proof of physical address, etc.

CLASSES OF CERTIFICATES (Cont’d)

• Class 3
  – You need to prove exactly who you are & that you are responsible
  – Strongest

• Class 4
  – Checks on things like user’s position in an organization in addition to class 3 requirements

KEY MANAGEMENT

• Key Generation & Registration

• Key Distribution

• Key Backup / Recovery

• Key Revocation & Destruction

THIRD PARTY SERVICES

• Public Key Infrastructure
  – Certification Authority
  – Registration Authority
  – Directory Services

• Notary Services

• Arbitration Services

INTERNET SECURITY PROTOCOLS & STANDARDS

• Web Application
  – Secure Sockets Layer (SSL)
  – Secure Hypertext Transfer Protocol (S-HTTP)

• E-Commerce
  – Secure Electronic Transaction (SET)

• E-Mail
  – PGP
  – S/MIME

SSL

• Operates between application & transport layers

• Most widely used standard for online data encryption

• Provides services:
  – Server authentication
  – Client authentication
  – Encrypted SSL connection

S-HTTP

• Secures web transactions only

• Provides transaction confidentiality, integrity & non-repudiation of origin

• Able to integrate with HTTP applications

• Mainly used for intranet communications

• Does not require digital certificates / public keys

SET

• One protocol used for handling funds transferred from credit card issuers to a merchant’s bank account

• Provides confidentiality, authentication & integrity of payment card transmissions

• Requires customers to have digital certificate & digital wallet

PGP

• Encrypts the data with a one-time algorithm, then encrypts the key to the algorithm using public-key cryptography

• Supports public-key encryption, symmetric-key encryption & digital signatures

• Supports other standards, e.g. SSL

S/MIME

• Provides security for different data types & attachments to e-mails

• Two key attributes:
  – Digital signature
  – Digital envelope

• Performs authentication using X.509 digital certificates
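
The hybrid scheme on the PGP slide (data encrypted under a one-time key, that key then encrypted with the recipient's public key) is the same construction S/MIME calls a digital envelope. The following is an added example, not part of the original slides: the names `seal` and `open_envelope` are hypothetical, the key pair is a constructed demo key built from publicly known primes, and textbook RSA without padding plus a SHA-256 keystream stand in for RSA-OAEP and a real symmetric cipher.

```python
import hashlib, hmac, secrets

# Constructed demo key: P and Q are publicly known Mersenne primes, so the
# "private" exponent D is not secret. Illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _subkey(session_key, label):
    # Separate keys for encryption and integrity, derived from the one-time key.
    return hashlib.sha256(label + session_key).digest()

def _keystream(key, nonce, length):
    # SHA-256 in counter mode; a stand-in for a real symmetric cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message, n, e):
    """Encrypt under a fresh one-time key, then wrap that key with the public key."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    body = _xor(message, _keystream(_subkey(session_key, b"enc"), nonce, len(message)))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    # Textbook RSA (no padding) keeps the example short; real systems use RSA-OAEP.
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}

def open_envelope(env, n, d):
    """Unwrap the one-time key with the private key, check integrity, then decrypt."""
    try:
        session_key = pow(env["wrapped_key"], d, n).to_bytes(32, "big")
    except OverflowError:
        raise ValueError("wrapped key does not decode to a 32-byte session key")
    expected = hmac.new(_subkey(session_key, b"mac"), env["nonce"] + env["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("envelope failed integrity check")
    stream = _keystream(_subkey(session_key, b"enc"), env["nonce"], len(env["body"]))
    return _xor(env["body"], stream)

if __name__ == "__main__":
    env = seal(b"constructed sample order #1", N, E)
    print(open_envelope(env, N, D))
```

Only the short one-time key goes through the slow public-key operation; the message itself, however long, is handled by the symmetric step.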

GOVERNMENT REGULATIONS

• National Security Agency (NSA)

• National Computer Security Center (NCSC)

• National Institute of Standards & Technology (NIST)

• Office of Defense Trade Controls (DTC)
