1.
Role of Certification Authority
in E-Commerce
M. Faisal Naqvi
Research Consultant (Technical),
ECAC

2.
Obstacle in growth of E-Commerce
Why most people don’t use E-Commerce?
• Lack of trust
• Fraudulent Merchants
• Hacking/Cracking
• Credit Card Information Theft
• Privacy issues

3.
Technical Requirements of User of E-Commerce
• Confidentiality :- Privacy from third person
• Integrity:- Change in message during transit
should be detected
• Authenticity:- Identity of sender should be
detected
• Non-repudiation:- Denial of sender should not be
possible
• Anonymity:- Info. of Customer & Transaction
should be confidential from dealing party.
• Availability

4.
How Requirements can be Fulfilled?
• Cryptography i.e.
– Encryption (Encoding)
– Decryption (Decoding)
CALL ME
Plain Text
E DBMM NF
Cipher Text
D CALL ME
Plain Text
Alice Bob

5.
Main Cryptographic Techniques
1. Secret Key Cryptography
2. Public Key Cryptography
a) For Confidentiality
b) For Authenticity & Integrity

6.
1. Secret Key Cryptography
• Also called Symmetric Key Cryptography
• Only one key is used for encryption as well as for
decryption
• e.g. Digital Encryption Standard (DES)
CALL ME
Plain Text
E DBMM NF
Cipher Text
D CALL ME
Plain Text
Alice BobKey=1 Key=1

7.
2. Public Key Cryptography
• Also called Asymmetric Key Cryptography
• For each party there is a Key pair i.e.:
1. Private Key (known to owner only)
2. Public Key (Published, known to Everyone)
• When we encrypt using Pub. Key it can only be
decrypted using Pvt. Key and vice versa.
• e.g. Rivest Shamir Adelman (RSA) Algorithm

8.
2. Public Key Cryptography (Cont...)
• Public Key Cryptography can be used in two ways:
a) Encryption with Pub. Key & Decryption with Pvt. Key (to
achieve Confidentiality).
b) Encryption with Pvt. Key & Decryption with Pub. Key (to
achieve Authenticity and Integrity)

9.
2. Public Key Cryptography (Cont...)
For Confidentiality
• Sender Encrypts the Message with the Public Key of the
Recipient
• The Recipient Decrypts the Encrypted Message, with his
own Private Key
10,000
Plain Text
E 5,000
Cipher Text
D 10,000
Plain Text
Bob
Bob’s
Public
Key=0.5
Bob’s
Private
Key=2Public

10.
2. Public Key Cryptography (Cont...)
For Authenticity & Integrity of Message
• The Sender Encrypts the Message, with his own
Private Key.
• The Recipient Decrypts the Encrypted Message
with the Public Key of the Sender.
10,000
Plain Text
E 20,000
Cipher Text
D 10,000
Plain Text
Bob
Bob’s
Private
Key=2
Bob’s
Public
Key=0.5 Public

11.
Achieving Authenticity, Integrity and Confidentiality
simultaneously...
Cipher
Digital Sign
1. Sender’s
Pvt.
Sender
2. Recipient’s
Pub.
3. Recipient’s
Pvt.
4. Sender’s
Pub.
Doc.
Digital Sign
Doc.
Recipient

12.
Achieving Authenticity, Integrity and Confidentiality
simultaneously (Cont…)
1. The Sender Encrypts the Message, with his own Pvt.
Key. (for Authenticity and Integrity)
2. Then Sender Encrypts the result, with the Pub. Key
of Recipient. (For confidentiality)
3. The Recipient decrypts the cipher, with his own Pvt.
Key (to open confidentiality)
4. Then Recipient decrypts the result, with the Pub.
Key of Sender (to Authenticate)

13.
Need of a Certification Authority (CA)
Issues
• How someone can Publish his Public Key?
• How someone can verify that a Public Key belongs to
a particular Person?
Solution
• Public Key can be Published through a Third Party,
Trusted by both Sender & Recipient.
• This Trusted Third Party is called Certification
Authority (CA)
• CA verifies and certifies, by issuing a Digital
Certificate, that a particular “Public Key” belongs to a
“Particular Person” and publishes the same through
Web.

14.
What CA publish about a Digital Certificate ?
Ibrar
Ahmad

15.
How CA Works?
CA :
• accepts Application to issue Digital Certificate
• verifies Identity of Subscriber
• verifies that subscriber has corresponding Pvt. key
• generates Digital Certificate
• publishes Digital Certificate of its subscriber on its
web site so that anyone can download Digital Cert. of
any other person from the CA’s web site
• accepts Request to Revoke the Certificate
• publishes Certificate Revocation List (CRL) so that
anyone can check whether Cert. is Revoked

16.
What is Public Key Infrastructure (PKI)?
• PKI includes:
– Sender(s)
– Recipient(s)
– and CA(s)
• By using Cryptography to fulfill all
requirements jointly or severally:
– Confidentiality
– Integrity
– Authenticity
– Non-repudiation
– Reliability
– Accountability
– Anonymity

17.
Importance of PKI
PKI:
• Provides secure and trusted e-communication
environment.
• Is inevitable for e-commerce, e-business & e-
governance etc.

18.
Some Public Sector organizations using PKI (Existing and
Planning)
• Pakistan Army
• Securities And Exchange Commission Pakistan (SECP )
• State Bank of Pakistan
• NADRA
• Ministry of IT/E-Government
• CBR
• Customs
• Project for Improvement of Financial Reporting and Auditing
(PIFRA)
• National Telecommunications and Information Technology
Security Board (NTISB)
• Institute of Physics (Quaid-e-Azam University)
• Pakistan Telecommunication Authority

19.
Some Private Sector organizations using PKI (Existing and
Planning)
• NIFT affiliate of VeriSign
• Khanani and Kalia International
• Live Securities (Online Brokerage House)
• EUGridPMA
• Academia Sinica Grid Computing Certification
Authority
• Pakistan Inter-Active Communications (Pvt.)
Limited

20.
Use of PKI in E-Commerce
Some Protocols based on PKI:
• Secure Socket Layer (SSL)
• Secure Electronic Transaction (SET)

21.
Secure Socket Layer (SSL)
• Most commonly used (e.g. Hotmail, Yahoo)
• Simplest
• only confidentiality and integrity is achieved
• Authenticity is not the part of Protocol
• Only server’s Digital Certificate is required
• Not a payment protocol specifically
• For any secure communication

22.
Secure Socket Layer Process
Server
Client
2. Server’s Public Key
1. Client Generate Secret Key
3. Secret Key encrypted with Server’s Pub. Key
4. Server decrypts Secret Key using its Pvt. Key
5. Communicate securely using secret key

23.
Secure Electronic Transaction (SET)
• Most Comprehensive
• Confidentiality, Integrity, Authenticity,
Non Repudiation and Anonymity/Privacy
can also be achieved
• Comparatively Complex
• Digital Certificates of Merchant, Bank
and Customer is required
• Specifically a Payment Protocol

24.
SET Protocol Process
• OI = Order Information (Products/Services)
• PI = Payment Information (Credit Card etc.)
• C = Customer
• M = Merchant
• B = Bank
• Pb = Public
• Pv = Private

25.
SET Protocol Process (Cont…)
Customer
Bank
Merchant
1. MPb[CPv{MPb(OI)+BPb(PI)}]
2. BPb[MPv[CPv{MPb(OI)+BPb(PI)}]]

26.
?

27.
Thank
You