A part of Indiaonline network empowering local businesses

E COMMERCE CRYPTOGRAPHY AND DIGITAL SIGNATURE

Posted by : sanchita pandey on | Oct 16,2012

E COMMERCE CRYPTOGRAPHY AND DIGITAL SIGNATURE


E-commerce or electronic commerce is a part of e-business. It entails purchasing, selling or exchanging of goods, services or information using computer networks such as internet. All the transactions are done electronically without limitations of boundaries or time. E-commerce can be B2B (business to business), B2C(business to consumer), C2B(consumer to business) and C2C(consumer to consumer). The companies and various organisations create websites for the purpose of selling their products or services online.

In traditional business, there are specific sales hours, you are physically confined to a specific geographical region and  have to maintain a shop or office from where you can start sales. However, as far as e-commerce is concerned, you are open to the world 24X7, need  an internet service, delivery time is reduced, you enjoy global reach, allows reduced inventories and is actually the cheapest means of doing business. E-commerce actually enables people in IIIrd world countries and even those residing in remote villages to enjoy services which were not available to them a few years ago.

 In such a set up, where business is carried on among consumers and organisations and even between organisations, security becomes an important factor. Some of the security issues are:

1.CONFIDENTIALITY ---- Information transmitted should not be tapped and decoded by anyone.


2.INTEGRITY ---- The original document should not be prone to any changes.


3. AVAILABILITY ---- Information transmitted should be available whenever required that too within pre-established time constraints.


4. AUTHENTICITY ---- When a message is received, it should be possible to verify if the document so received is from the same person.


5. NON-REPUDABILITY ---- Once the message is sent, the sender should not, at a later date,  be able to deny having sent the message.


                      As a solution to security concerns mentioned above, there are some international organisations to  take care of them like CERT(Computer Emergency Response Team), SANS INSTITUTE(System Administrator, Audit, Network and Security Institute).


Cryptography  is one of the many efforts to deal with security issues. Cryptography is a technique of converting any message into unintelligible form so that if  any unauthorised person intercepts the message, he would not be able to understand anything. Cryptography is actually thousands of years old and was used to hide secrets of science and other religious secrets. It  includes ENCRYPTION (process of making information unintelligible to unauthorised person) and DECRYPTION (reversing encryption to make the message readable again).


 Main elements of encryption are:

1. PLAIN TEXT ---- It is the message that is to be encrypted.


2. CIPHER ---- It means cryptographic algorithm which are designed to make public key(key used for encryption) different from private key(key used for decryption).


3. CIPHERTEXT ---- It is the encrypted message. Security depends upon how difficult it is to break the algorithms. For example, the data is believed to be safe if the cost and time  required to break the algorithm is greater than the value of the encrypted data.


 There are two basic types of cryptographic systems ----

1. SYMMETRIC ENCRYPTION or SECRET-KEY ENCRYPTION or SINGLE KEY ENCRYPTION ----  It involves use of single key shared by both the sender and the receiver of the message. The sender encrypts the message with the key and sends it to the recipient. The recipient decrypts it by using a copy of the same key used to encrypt it. A widely used method of secret key encryption is DES(Data Encryption Standard). However, symmetric encryption is not practical for e-commerce as it involves thousands of customers every day. It is fine for sending a private e-mail to your friend. Also, both parties share the same key. So, it is possible that one party creates a message with shared secret key and later falsely claims that it had been sent by the other party.

2. ASYMMETRIC ENCRYPTION or PUBLIC-KEY ENCRYPTION ---- It uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a ''public key'' and a ''private key''. The private key is not distributed and kept secret while the public key is distributed widely and made public. The data which is encrypted with public key can be decrypted only with private key. Similarly, the data encrypted with the private key can be decrypted only with the public key. So, this asymmetry makes this type of cryptography extremely useful and authentication is achieved.

                  However, one disadvantage with this type of encryption is  that it is relatively slow. So, it if the message is a long one, the whole message should not be encrypted. To take care of this drawback, DIGITAL SIGNATURES are used.

                    PGP(Pretty Good Privacy) is the name of a popular cryptographic system which is available for general public use.

 Techniques used for cryptography are ----

1. SUBSTITUTION ---- In this, each letter in the message is replaced by another to make the message un-understandable. For instance, letter ''b'' in the message is replaced with letter ''g''.

2. TRANSPOSITION ---- It is based on scrambling the letters in the message. A ''transposition system'' writes a message row by row and then this message is rewritten column by column to make it scrambled.

E.g.   '' Do not send it today.''

D

O

N

O

T

S

E

N

D

I

T

T

O

D

A

Y

                     

DTDOOSIDNETAONTY -

 

                         

                        Encryption algorithms can be defeated by using a combination of mathematics and computer knowhow  and so many encrypted messages also can be deciphered even without knowing the key. Such a type of attack is called ''cryptanalysis''. ''Quantum computing'' deals with development of cryptographic algorithms but can also be used to find flaws in the cryptographic algorithms and to launch attacks!

ü DIGITAL SIGNATURES ----- Digital Signatures means any letters, numbers, symbols, images, character or their combination thereof, in electronic form, applied to an electronic document, which can ensure authenticity, integrity and non-repudiation. It uses public-key cryptography. One advantage of ''public-key encryption'' is authentication ----- that the recipient of the decrypted message knows that it was sent by the owner of the private key. But since encrypting messages with a private key is relatively slow process ( particularly if message is a long one). So, a system of ''digital signatures'' is used. Digital signatures help to:

ü verify authenticity of the message

ü verify claimed identity of sender

ü verify message integrity

ü ''hash functions'' operate on large messages. They generate ''message digests'' of fixed and comparatively smaller lengths. If any change is made on the message, it will cause the message digest to be different, thus strengthening authentication.

 

             In case of portal sites, the interaction takes place between businessman and customer. It is possible that the supplier has portal site but no goods to supply and he gets credit card details of the consumer, thereby cheating him. To avoid this, there is a need for third parties like ''VeriSign'' (of America), to authenticate the supplier. These third parties are also called ''Certification Authority".

                 A certification authority is defined to be a trusted public/private body that attests the association of a particular individual with his corresponding public key. A certification authority signs digital certificates with its private key. Certification authorities are supposed to issue the certificate after proper enquiry, otherwise they may be held liable under different laws.

                  Owners of public keys submit them to a certification authority. They also give their proof of identity to the certification authority. The certification authority signs and then issues a certificate which verifies that the public key attached to the certificate belongs to the concerned party.     Today, ''digital certificates'' have made electronic transactions more secure.

 

***************************************************

Comments