There are several techniques that can identify and verify someone seeking to access an e-commerce system. These include:
A user name and password combination. The password should be long enough to resist guessing and may mix letters, digits and other characters. Include a system that forces a password change when compromise is suspected; current guidance (NIST SP 800-63B) advises against forcing employees to rotate passwords on a fixed schedule, because scheduled rotation tends to produce predictable variations of the old password.
"Two-factor" authentication requiring something the user has (eg an authentication token) and something the user knows (eg a personal identification number).
A digital certificate, which binds an individual's public key to their identity; the holder authenticates by proving possession of the corresponding private (signing) key.
A person's unique physical attribute, referred to as a biometric. This can range from a fingerprint or iris scan, through to retina or facial-feature recognition.
Encryption scrambles data so that it cannot be read without the key, and is used to protect information both while it is held on a computer and while it is transmitted over a network. It underpins technologies such as virtual private networks (VPNs) and Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS).
One way to ensure the confidentiality and privacy of messages is to make sure that, even if they fall into the wrong hands, they cannot be read. This is where cryptography comes into play.
Secret-key cryptography, also known as symmetric cryptography, uses a single secret key for both encryption and decryption. To communicate with symmetric cryptography, both sender and receiver must know the key beforehand; it cannot simply be sent along with the message, since anyone who intercepts the message would then hold the key as well.
Encryption applies an operation (an algorithm) to the data, keyed by the secret key, to render it unintelligible. Even the simplest operation, such as an exclusive OR of the data with the key, gives strong confidentiality provided the key is truly random, as long as the message and never reused (the one-time pad); a short or reused XOR key, by contrast, is trivially broken. In any case there is no such thing as absolute security.
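The XOR point above is worth seeing concretely. The following is an added example, not code from the original page: it implements XOR as a one-time pad, then shows the two mistakes that break it, reusing a pad for a second message and using a short repeating key. The sample messages and the key `k3y!` are constructed for the illustration.

```python
"""XOR as a cipher: a one-time pad when the key is random, as long as the
message and used once; trivially broken when the key is reused or repeated."""
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key if it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def one_time_pad_encrypt(plaintext: bytes):
    """Fresh random pad, exactly as long as the message. Returns (pad, ciphertext)."""
    pad = secrets.token_bytes(len(plaintext))
    return pad, xor_bytes(plaintext, pad)


def one_time_pad_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_bytes(ciphertext, pad)


def recover_from_reused_pad(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two messages under the same pad: c1 XOR c2 = p1 XOR p2 (the pad cancels),
    so knowing p1 reveals p2 outright."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def recover_repeating_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on a short repeating key: key = c XOR p over one period."""
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def demo() -> dict:
    """Constructed sample messages; both have the same length so the reuse attack applies."""
    p1 = b"transfer 100 EUR to account 42"
    p2 = b"transfer 900 EUR to account 13"
    assert len(p1) == len(p2)

    pad, c1 = one_time_pad_encrypt(p1)      # correct use: pad used exactly once
    c2 = xor_bytes(p2, pad)                 # mistake 1: same pad reused for p2

    short_key = b"k3y!"                     # mistake 2: short key cycled over the message
    c3 = xor_bytes(p1, short_key)
    recovered_key = recover_repeating_key(c3, p1, len(short_key))

    return {
        "otp_roundtrip": one_time_pad_decrypt(c1, pad) == p1,
        "p2_from_reuse": recover_from_reused_pad(c1, c2, p1),
        "recovered_key": recovered_key,
        "c3_decrypted_with_recovered_key": xor_bytes(c3, recovered_key),
    }


if __name__ == "__main__":
    print(demo())
```

Note that even the correctly used pad gives confidentiality only: flipping a ciphertext bit flips the corresponding plaintext bit undetected, which is why integrity needs a separate mechanism.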
Symmetric encryption is based on the parties sharing a secret (the key), so it requires a secure channel over which to exchange that key. This key-distribution problem seriously limits the usefulness of symmetric encryption on its own.
Moreover, a user who wants to communicate with several people while keeping each conversation confidential from the others needs as many secret keys as there are correspondents. For a group of N people using a secret-key cryptosystem, one key per pair, that is N * (N-1) / 2 keys in total, must be distributed.
Public-key encryption (also called asymmetric encryption) involves a pair of keys, a public key and a private key, associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. Data encrypted with your public key can be decrypted only with your private key.
Anyone can encrypt using the public key, but only the holder of the private key can decrypt. Security depends on the secrecy of the private key.
Conversely, data transformed with your private key can be reversed only with your public key. This is not a useful way to keep data secret, because anyone holding your public key, which is by definition published, could read it. It is, however, exactly what a digital signature needs: transforming a message (in practice, its hash) with the private key signs it, and anyone can check the signature using the public key. The signature is only as trustworthy as the secrecy of the private key.
PK Encryption using Digital Signatures and Hash Digests
Public-key encryption on its own leaves two gaps. There is no authentication of the sender: anyone can encrypt with the published key, so the recipient cannot prove who sent the message and the sender could later deny having sent it (repudiation). And there is no assurance that the message was not altered somehow in transit (integrity).
A hash function (an algorithm that produces a fixed-length number, called a hash or message digest, from a message of any length) is applied to the message first, to create its hash digest.