
E-commerce Security Issues

[Figure: Confidentiality, Authenticity and Integrity, each illustrated with parties A, B and C]

Comparison of Time and Money Needed to Break Different Length Keys


Length of key in bits

Cost            40             56        64        80          128
$100 thousand   2 secs         35 hrs    1 yr      70000 yrs   10^19 yrs
$1 million      .2 secs        3.5 hrs   37 days   7000 yrs    10^18 yrs
$100 million    2 msecs        2 mins    9 hrs     70 yrs      10^16 yrs
$1 billion      .2 msecs       13 secs   1 hr      7 yrs       10^15 yrs
$100 billion    2*10^-6 secs   .1 sec    32 secs   24 days     10^13 yrs

Applied Cryptography by Bruce Schneier (2nd Edition, John Wiley & Sons, 1996)

RSA Procedure: The following is an outline of the procedure to encrypt and decrypt codes by using the RSA Algorithm.
http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/

Come up with two large prime numbers, p and q.
e.g. p = 223, q = 199 (we will use smaller prime numbers for now for easier understanding)

Let n = pq.
e.g. n = 223 x 199 = 44377

Let m = (p-1)(q-1).
e.g. m = (223-1)(199-1) = (222)(198) = 43956

Choose a key E that is relatively prime to (p-1) * (q-1).
Choose a key D such that E*D = 1 mod (p-1) * (q-1). In other words, E*D - 1 is evenly divisible by [ (p-1) * (q-1) ].
e.g. ED - 1 = 175824, E = 5, D = 35165

At the sender's end

Given a Message M, to encrypt into ciphertext C, we use the following formula: C = M^E mod n
Our public key is (E, n)
21349^5 mod 44377

At the receiver's end

Given a Ciphertext C, to decrypt into plaintext message M we use the following formula: M = C^D mod n
Our private key is (D, n)
25743^35165 mod 44377
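The outline above as runnable code, added here as an illustration and not part of the original slides. It uses the slide's own values (n = 44377 = 223 x 199, E = 5, D = 35165, M = 21349); the function names are assumptions, and this is textbook RSA without padding, for study only.

```python
from math import gcd


def make_keys(p, q, e):
    """Follow the outline: n = pq, m = (p-1)(q-1), D = inverse of E mod m."""
    n = p * q
    m = (p - 1) * (q - 1)
    if gcd(e, m) != 1:
        raise ValueError(f"E={e} is not relatively prime to m={m}")
    d = pow(e, -1, m)             # E*D = 1 mod m (Python 3.8+)
    assert (e * d - 1) % m == 0   # E*D - 1 is evenly divisible by m
    return (e, n), (d, n)         # public key (E, n), private key (D, n)


def encrypt(message, public_key):
    """C = M^E mod n."""
    e, n = public_key
    if not 0 <= message < n:
        # A larger M would silently decrypt to M mod n instead of M.
        raise ValueError("M must satisfy 0 <= M < n")
    return pow(message, e, n)


def decrypt(ciphertext, private_key):
    """M = C^D mod n."""
    d, n = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    public, private = make_keys(223, 199, 5)
    c = encrypt(21349, public)
    print("public:", public, "private:", private)
    print("C =", c, " M =", decrypt(c, private))
    # E = 3 divides m = 43956, so no D exists for it and it is rejected.
    try:
        make_keys(223, 199, 3)
    except ValueError as err:
        print("rejected:", err)
```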

The Asymmetric Process


A encrypts the message using its own private key. (No one else knows A's private key)
A encrypts the message using B's public key. (Everyone knows B's public key)
A sends this message to B
B decrypts the message using its private key. (Only B knows its private key)
B decrypts the message using A's public key. (Everyone knows A's public key)

Digital signatures
A digital signature
Allows the receiver to authenticate the identity of the sender
Prevents the sender from later claiming that he did not send the message
Prevents the receiver from constructing the message that appears as if it came from the sender

Step 1: A encrypts the plaintext (PT1) to ciphertext (CT1) using B's public key. PT1 -> CT1
Step 2: A creates a message digest by hashing and then the digital signature by encrypting the digest with A's private key. PT1 -> MD1 -> DS1
Step 3: A sends both the ciphertext (CT1) and digital signature (DS1) to B. B receives both.

A's end: CT1, DS1
B's end: CT2, DS2

Step 4: B decrypts ciphertext received in step 3 by using B's private key to get the original plaintext message. CT2 -> PT2
How do we know PT2 = PT1? Comparing PT1 and PT2 is not a wise thing.
Step 5: B obtains a message digest (MD2) by decrypting A's digital signature received in step 3 by using A's public key. Hope MD1 = MD2.
Step 6: B creates its own message digest (MD3) using the same hashing algorithm on the plaintext message (PT2). If MD2 = MD3, B concludes that the message must have come from A and it has not been tampered with.
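Steps 1 to 6 as runnable code, added here as an illustration and not part of the original slides. It assumes textbook RSA without padding, SHA-256 as the hashing algorithm, and demo key pairs constructed from known Mersenne primes; all names are hypothetical and keys built this way are for demonstration only.

```python
import hashlib

E = 65537


def keypair(p, q, e=E):
    """Return ((E, n), (D, n)) for primes p and q."""
    n, m = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, m), n)


# Constructed demo keys; far too small and too structured for real use.
A_PUB, A_PRIV = keypair(2**61 - 1, 2**89 - 1)
B_PUB, B_PRIV = keypair(2**107 - 1, 2**127 - 1)


def digest(plaintext, n):
    """Message digest as an integer below n (SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sender(pt1):
    """Steps 1-3 at A's end: returns (CT1, DS1)."""
    e_b, n_b = B_PUB
    m = int.from_bytes(pt1, "big")
    if m >= n_b:
        raise ValueError("plaintext too long for this demo key")
    ct1 = pow(m, e_b, n_b)                    # Step 1: PT1 -> CT1, B's public key
    d_a, n_a = A_PRIV
    ds1 = pow(digest(pt1, n_a), d_a, n_a)     # Step 2: PT1 -> MD1 -> DS1, A's private key
    return ct1, ds1                           # Step 3: both are sent to B


def receiver(ct2, ds2):
    """Steps 4-6 at B's end: returns (PT2, accepted)."""
    d_b, n_b = B_PRIV
    m = pow(ct2, d_b, n_b)                    # Step 4: CT2 -> PT2, B's private key
    pt2 = m.to_bytes((m.bit_length() + 7) // 8, "big")
    e_a, n_a = A_PUB
    md2 = pow(ds2, e_a, n_a)                  # Step 5: DS2 -> MD2, A's public key
    md3 = digest(pt2, n_a)                    # Step 6: B hashes PT2 itself
    return pt2, md2 == md3                    # accept only if MD2 = MD3


if __name__ == "__main__":
    ct, ds = sender(b"card 4111 exp 12/99")   # constructed sample message
    print(receiver(ct, ds))
    other_ct, _ = sender(b"pay 9000")
    print(receiver(other_ct, ds))             # A's signature on a different message
```

B never needs PT1: a ciphertext paired with a signature made over a different message decrypts correctly but fails the MD2 = MD3 check.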

Digital Signature takes care of


Authentication
Message integrity
Non-repudiation

Advantages and Disadvantages of Cryptographic Systems

Characteristic: Key used
Symmetric: Same key is used
Asymmetric: Two different keys

Characteristic: Speed of encryption/decryption
Symmetric: Very fast
Asymmetric: Slower

Characteristic: Size of resulting encrypted text
Symmetric: Usually same as or less than the original size
Asymmetric: More than the original plain text size

Characteristic: Key agreement/exchange
Symmetric: A big problem
Asymmetric: No problem

Characteristic: Number of keys required
Symmetric: Equals about the square of the number of participants, so scalability is an issue
Asymmetric: Same as the number of participants

Characteristic: Usage
Symmetric: Mainly for encryption and decryption (confidentiality), cannot be used for DS (integrity and non-repudiability)
Asymmetric: Can be used for encryption and decryption (confidentiality) as well as for DS (integrity and non-repudiability)

The best of both worlds


The client generates a one-time symmetric session key with the help of certain cryptography algorithms.
The client then encrypts the original clear text message with the one-time symmetric key to produce ciphertext.
The client takes the one-time symmetric key and encrypts it with the server's public key (key wrapping).
The encrypted symmetric key + ciphertext message is encrypted again with the server's public key and sent to the server (digital envelope).
A message digest is made of the original clear text and encrypted with the client's own private key (digital signature).
Send the digital envelope and digital signature to the server.
Guess the steps at the server's end.

Digital Certificates
The certification Authority
How do you generate a public/private key?
How do you inform everyone?
How do others know that the key sent by you is actually sent by you?
Classes of certificates
Certification Revocation List
Online Certificate Validation Protocol

How digital Certificates Work


Let us say that A wants to send his credit card details to B, and A wants to verify that B is actually B. A will ask for a digital certificate. B will send this certificate to A. As we know, the certificate will contain B's identity, public key etc. A can now send the message to B, encrypting it with the public key of B. B will decrypt it with its private key.

A Digital Certificate includes

1. Certificate owner's identifying information
2. Certificate owner's public key
3. Validity Date
4. Serial Number of the certificate
5. Name of the certificate issuer
6. Digital Signature of the issuer

A Digital Certificate
Version: v3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US
Validity:
  Not Before: Fri Oct 17 18:36:25 1997
  Not After: Sun Oct 17 18:36:25 1999
Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US
Subject Public Key Info:
  Algorithm: PKCS #1 RSA Encryption
  Public Key:
    Modulus: 43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8
    Public Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature: 6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c
Data:

SSL
Client sends hello message: send encryption algorithm and key length
Server responds with hello message: send server certificate containing server's public key
Client sends response: send client certificate and encrypted private session key
Server receives client response and initiates session
Session: send data between client and server using private, shared key
