While the internet is an incredible resource of information, it is not very private or secure. Most data that travels over the internet is relayed over many computers around the world. Almost anything you do online can be monitored. Information that is transmitted over the internet can be intercepted and read by other internet users without your knowledge. In this situation e-mail should actually be called e-postcard.

In recent years, the internet has opened various business opportunities for organizations worldwide. Despite all of the enthusiasm about e-commerce, security issues are holding back many businesses from implementing on-line shopping. There are several differences between commerce in the real world and on the Internet. The most important challenges that e-commerce faces is the ability to guarantee privacy when using credit cards to purchase online and to know that someone is legitimate in his or her dealings? Consumers need assurance that they are purchasing from a legitimate enterprise, rather than a site whose sole purpose is to collect credit card numbers and misuse them.

As organizations continue to transfer various business processes to computer networks, stronger methods of encryption and authentication are needed for information security. The world of cyberspace has many difficulties of encryption and authentication due to its remote and electronic nature. Achieving information security requires a vast array of technical and legal skills. The technical means is provided through cryptography

Cryptography is not a new technology created for the Internet. This is old as language itself and has been used for many different purposes. Cryptography techniques allow changing a digital message (from plain text to ciphertext) so that it can be read only by intended parties (also called enciphering), or to verify the identity of the sender (authentication), or to be assured that the sender really did send that message (nonrepudiation). The simple Caesar cipher encrypts a message by shifting letters around a specific number of places.

In the traditional private key (also called secret key or symmetric) cryptography the same secret key is used to encrypt and decrypt the message. A key is just a string of bits. The same plaintext encrypts to different ciphertext with different keys. One difficulty with this approach is that the two parties must somehow agree on the shared key securely. Also there is a shared responsibility for keeping the key secure. Examples are DES, 3DES, RC2, RC4, RC5, IDEA and AES.

Public key cryptography solves the problem of establishing a secure channel for the exchange of the secret key. Each communicating party is responsible for their own key. Public key cryptography supports security mechanisms such as confidentiality, integrity, authentication, and non-repudiation. Examples are RSA, Diffie-Hellman and ElGamal.

The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. Cryptographic strength is measured in the time and resources it would require to recover the plaintext. Open Source cryptography software is usually considered more secure. Commercial software is sometimes suspected to contain implementation flaws or intentional backdoors.

In many cryptographic systems the encryption technique is standardized and available to everyone. The only way to tell good cryptography from bad, however, is to have it examined. But it doesn't do any good to have a bunch of random people examine the code. A proprietary algorithm will always be much riskier than a public algorithm. This makes for a strong argument in favor of open source cryptographic algorithms.

Public Key

In public key cryptography system each person is issued a pair of keys, one called the public key and the other called the private key. The public key is published and can be accessed by everyone, while the private key is kept secret. The sender encrypts the message with the recipient's public key. The recipient upon receipt of the message is able to decipher the same with the private key counterpart.

Today, RSA is the most popular public key algorithm. In 1977, shortly after the idea of a public key system was proposed at Stanford University, three professors at the Massachusetts Institute of Technology (MIT), Ron Rivest, Adi Shamir and Len Adleman gave a concrete example of how such a method could be implemented in the paper "A Method for Obtaining Digital Signatures and Public Key Cryptosystems". To honour them, the method was referred to as the RSA Scheme. In order for the public key encryption scheme to work, the private and the public keys must be linked in some way.

A digital solution of signing that is as simple and at least as trustworthy as a hand written signature is almost impossible to find, but digital certificates and signatures which use public key encryption are expected to become an essential part of doing business online. Digital certificate is electronic form of identification and can be compared with identification card or passport. A digital certificate ensures the legitimate online transfer of confidential information, money, or other sensitive materials and to verify the identity of a person or a device (usually a server or a network device) by means of public encryption technology. A digital signature confirms that the document, e-mail, or software in question originated from the individual or company whose name appears on it and it has not been altered or tampered with in any way since it was signed.

A digital certificate is issued by a certificate authority. A digital certificate holder has two keys (strings of numbers): a private key held only by the user, for signing outgoing messages and decrypting incoming messages; and a public key, for use by anyone, for encrypting data to send to a specific user. A certificate authority (such as VeriSign) is responsible for providing and assigning the unique strings of numbers that make up the keys used in digital certificates for authentication and to encrypt and decrypt sensitive or confidential incoming and outgoing online information.

The same digital certificate that is issued by CA can also be used to digitally sign documents. The sender uses the private key to create the digital signature, which can then be read by anyone who has access to the corresponding public key. This confirms that the message really is from the apparent sender. Digital signatures can also be used to prevent forgeries and/or tampering.

In real implementations, a hash function is also involved to reduce the amount of information to sign: instead of signing the whole message, the system only signs the output of the hash function (message digest) which is a fingerprint of the original text. A message digest is created from the block of data to be encrypted by using a one-way hash function. It is a mathematical process that creates a short fixed-length block of data from a message, called as hash. The hash value is unique to the message used by the hash function. Two distinct messages are extremely unlikely to generate identical message digests. The recipient decrypts the digital signature and then uses the same hash function to create a second hash value from the original message. If the sender and recipient's hash values are same, the message is unaltered in transit. Thus, digital signatures provide non-repudiation and data integrity. Examples of hash functions are MD5 (128-bit digest) and SHA1 (160-bit digest).

Secure Transactions

SSL (Secure Sockets Layer) designed by Netscape Communications Corporation is implemented in major web browsers such as Netscape Communicator and internet Explorer. The address keyword https:// is used to designate a secure, or SSL enabled, connection. HTTPS is a unique protocol that combines SSL and HTTP and uses different port (443). The use of SSL on a Web server helps ensure that information transmitted between a client, such as a Web browser and a server, such as a Web server, remains private, and enables the clients to authenticate the identity of the server. Current version of SSL (SSL 3.0) has additional features, such as authentication of who the client is.

Another protocol for transmitting data securely over the internet is Secure HTTP (S-HTTP). Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely.

SSL and S-HTTP were not specially designed for secure credit card transactions and the merchant can see and misuse the number. Secure Electronic Transaction (SET) is a payment protocol developed by VISA and MasterCard that will enable secure credit card transactions on the Internet. It will protect buyers by providing a mechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing without the merchant being able to see the number. Aside from VISA and MasterCard, there are now a number of companies supporting SET such as IBM, Microsoft, Netscape and VeriSign.

Digital Certificate

Certificates can be divided into personal certificates, server certificates or certificates for software developers. It is really very easy to obtain a personal digital certificate and use it. There are several companies, called certificate authorities (CA's), which issue digital certificates. The two largest and well-known certificate authorities include VeriSign and Thawte. There is a free trial certificate provided by most CA's for your initial testing. A certificate authority will only issue a certificate when they are confident that they have positively identified the applicant. A digital certificate can be installed in your browser. Once installed, your digital certificate identifies you to web sites equipped to automatically check it. After acquiring your digital certificate you can also send and receive secure email using most popular email programs, including Microsoft Outlook Express, Microsoft Outlook, or Netscape Messenger. A free 60-day trial edition is available from VeriSign http://www.verisign.com/client/enrollment/index.html

To obtain a free Thawte's Personal Email Certificate, visit http://www.thawte.com/html/COMMUNITY/personal/index.html

Encrypt your e-mail for the same reason that you don't write all of your private correspondence on the back of a post card. Before you can send and receive encrypted e-mail, both you and the person you are corresponding with must obtain digital certificates. You and your correspondent must exchange public keys, so that you can send encrypted messages to each other. An efficient way to send people your public key is to send your e-mail signed. The e-mail recipient should also send you a signed, nonencrypted e-mail if you want to exchange encrypted e-mails with him or her. You can also obtain someone's public key from a directory service or public keyserver by entering their email address.

Pretty Good Privacy

Pretty Good Privacy (PGP) is the most widely used privacy-ensuring program. PGP provides two main functions, encryption and digital signatures. Developed by Philip R. Zimmermann in 1991, PGP has become a de facto standard for e-mail security. PGP is available both as freeware and in low-cost commercial versions. PGP comes in two public key versions - RSA and Diffie-Hellman. Each sender and receiver needs a copy of the PGP software. Typically, PGP contains a user interface that works with popular e-mail programs like Microsoft Outlook Express. Using the software, each user generates a pair of key. The private key is protected by a pass phrase that the user chooses when creating the pair. The public key can be exchanged by diskette, by e-mail, or using Internet-accessible key servers.

PGP is better than "pretty good." This software is so strong that the U.S. Department of Defense has formally declared PGP to be a "munition", and has banned PGP's export outside North America. In my view PGP and related technologies provide privacy and security without threatening anyone else. The use of cryptography for data integrity and authentication, including digital signatures, is not a threat although encryption can be used to hide criminal activity.

Practically everyone agrees that cryptography is an essential information security tool, and that it should be publicly accessible and readily available to everyone.

Copyright © ShahrukhWeb.TK - All Rights Reserved