1. Cryptography is used to provide security in electronic commerce by ensuring privacy, authenticity, and preventing forgery, alteration, eavesdropping and tracing of messages. 2. There are two main types of cryptography - symmetric which uses the same key for encryption and decryption, and asymmetric (public key) which uses different keys for encryption and decryption. 3. Common symmetric algorithms are DES and AES while RSA is an example of an asymmetric algorithm commonly used for digital signatures and encryption.

1. 1

2. Security in Electronic CommerceKeyvan vahidyGraduate studentCollage nooretoubaStno:88610971389

3. abstract

4. mechanismsCryptographyCryptographyPrinciples of encryption, the encryptionGoals of CryptographyPrivacyAuthenticityDetermines who canread the messageDetermines who canwrite the messagePrevent forgery

5. Prevent alteration

6. Prevent eavesdropping

7. Prevent tracingMechanisms Cryptography types

8. Type Method SymmetricCryptography Symmetric Key to encrypt, decrypt equalMethod Symmetric two type:Stream cipherBlock cipher

9. Type Method SymmetricBlock cipherStream cipher

10. Type Method SymmetricStream cipher a string of data to continuously receive the encryptedStream advantages:DiffusionImmunity insertations & modificationsStream disadvantages.:Slow encryptionError propagation

11. Type Method SymmetricBlock cipher Into every block of data to which the blocks are individually passwordBlock advantages:Speed of transformationLow error propagationBlock disadvantages.:Low diffusionMalicious insertations & modifications possible

12. Encryption algorithms for securityTwo kinds of widely known Encryption algorithms :DESAES

13. Data Encryption Standard (DES)Released by NBS in 1976, based on ‘Lucifer’Combination of substitution and transposition16 iterations with 56-bit key (64)Based on diffusion and confusion (Shannon)Supported then adopted by NSACan be broken (in 22 hours, parallel attack)Key length dilemma, new algorithm to be AES

14. Data Encryption Standard (DES)Firstly the IP (explained below) is applied to the 64 bit plaintext. The result is then divided into two 32 bit halves, named L0 and R0. Then, the following happens 16 times:Key transformation number i (a permutation, but dropping 8 bits off - defined in the specification) is applied to the key to produce 48 bits.Apply the function f(Ri,Ki+1) (explained below) to produce a 32 bit output.Exclusive OR Li and f(Ri,Ki+1), and call this Ri+1.Make Li+1 = Ri

15. Data Encryption Standard (DES)

16. RSA Encryption1978. By Rivest-Shamir-Adelman ) is a popular asymmetric key encryption standard.Difficulty of determinating prime factorsIt is based on number theory (more specifically the difficulty in factorizing a large number).The key size ranges between 512 and 2048 bits.It is used in many e-commerce applications such as the Secure Electronic Transaction (SET) protocol for credit card payment.

17. RSA EncryptionPicks two large prime numbers p and qMultiplies p and q to obtain nChooses d, such that d and w=(p-1)(q-1)are relatively prime (no common factor).Chooses e such that 1 = d x e mod wPublic key is: <e, n>Private key is: <d, n>Message code m, secret code cc = memod nm = cd mod n

18. Public KeyOnly the decryption key is kept secret. The encryption key is made public.Each user has two keys, one secret and one public.Public keys are maintained in a public directory.To send a message M to user B, encrypt using the public key of B.B decrypts using his secret key.Signing MessagesFor a user Y to send a signed message M to user X.Y encrypts M using his secret key.X decrypts the message using Y’s public key.

19. Public Key

20. Public Key Infrastructure(PKI)A set of technologies and procedures to enable electronic authenticationUses public key cryptography and digital certificatesCertificate life-cycle management

21. Public Key Infrastructure(PKI)Many products from many vendors are available for certificate issuance and some management functionsInteroperability is a big issue -- especially when it comes to policiesEnabling the use of PKI in applications is limited todayBuilding and managing policies is the least understood issue

22. Public Key Infrastructure(PKI)Authentication and registration of certificate applicantsSystem administration and access to signing keysApplication use and interfacingTrust between hierarchiesTrust decisions to be made at different points within the application need different viewsCertificate fields, authorization and allowed use is really the hardest issueAuthorization policies for management of CAs and RAs

23. Public Key Infrastructure(PKI)

24. Message authentication code (MAC)

25. Malicious programs

26. VirusesUnauthorized software being runGamesWidely distributed softwareSharewareFreewareDistributed software

27. Trojan horseA Trojan horse, or Trojan, is that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user's computer system

28. computer worma computer worm is a self-replicating. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwith, whereas viruses almost always corrupt or modify files on a targeted computer

29. FirewallsA firewall is a barrier placed between the private network and the outside world.All incoming and outgoing traffic must pass through it.Can be used to separate address domains.Control network traffic.Cost: ranges from no-cost (available on the Internet) to $ 100,000 hardware/software system.Types:Router-BasedHost BasedCircuit Gateways

30. View of a Firewall

31. Firewall Types(Router-Based)

32. Firewall Types(Host-Based)

33. Secure ProtocolsHow to communicate securely:SSL – “the web security protocols”IPSEC – “the IP layer security protocol”SMIME – “the email security protocol”SET – “credit card transaction security protocol”S-HTTP – “Secure Hypertext Transfer Protocol”Others …

34. SSLNegotiates and employs essential functions for secure transactions

35. Mutual Authentication

36. Data Encryption

37. Data Integrity

38. Operates between application and transport layersWeb ApplicationsHTTPNNTPFTPTelnetFutureAppsEtc.SSLTCP/IP

39. SSL and Security Attacks

40. IP SEC

41. SMIME

42. SETSET standard two companies by VISA, Master card with the aim of ensuring security in the credit transaction year 1997 was introducedPrivacy information: credit card numbers of buyers see the seller remains hidden (using DES)Cardholder authentication: digital signatures with certificates X.509v3Authentication vendor: Digital signature certificate X.509v3

43. Goal SETMaintain confidentiality and purchase order payment informationOwner authentication Azaynrvkh cardholder authentication of a legitimate user is using a credit card accountMaintain the integrity of data transferred kidneyEnsure the safety of data transferred allSeller to provide authentication for the transactionEnsure the best security techniques and systems designed to protect all existing laws on electronic commerce transactions

44. Dual Signature(SET)

45. S-HTTPSecurity on application layerProtection mechanism:Digital SignatureMessage authenticationMessage encryptionSupport private & public key cryptographEnhanced HTTP data exchange

46. S-HTTPOperate on application layerEncryption and digital signatureWork only with (HTTP)Application dependantMore secure than SSL at end point even after data transferNo particular cryptographic systemMultiple times encryption

47. Electronic Mail SecurityE-mail is the most widely used application in the Internet.Who wants to read your mail ?Business competitorsReporters,CriminalsFriends and FamilyTwo approaches are used:PGP: Pretty Good PrivacyPEM: Privacy-Enhanced Mail

48. E-mail Security(PGP)Available free worldwide in versions running on:DOS/WindowsUnixMacintoshBased on:RSAIDEAMD5

49. E-mail Security(PEM)A draft Internet Standard (1993).Used with SMTP.Implemented at application layer.Provides:Disclosure protectionOriginator authenticityMessage integrity

50. Transaction Security

51. Agents participating in a Transaction