Bba401 Slm Unit 08


Unit 8 Encryption

Structure

8.1 Introduction

Objectives

8.2 Cryptography

8.3 Encryption

8.4 Digital Signature

8.5 Virtual Private Network

8.6 Summary

8.7 Glossary

8.8 Terminal Questions

8.9 Answers

References

8.1 Introduction

In the previous unit you learnt about security in electronic unit. In this unit, you will learn about encryption. Encryption is an important cryptography technology used to transform information using an algorithm to make it unreadable to anyone except those possessing special knowledge (usually referred to as a key). The science of writing in a secret code is called cryptography. Encryption has long been used by militaries and governments to facilitate secret communication, as there have been several instances of data in transit being intercepted in recent years. Encryption is also used to protect data in transit, i.e., data being transferred via networks (such as the Internet and e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. Encrypting data in transit also helps to secure it, as it is often difficult to physically secure all access to networks.

Objectives

After studying this unit, you should be able to:

• Define cryptography and describe the purposes of cryptography

• Summarize the role of encryption in message security

• Discuss the various methods of encryption

• Identify the various features of digital signature

• Discuss the role of virtual private network (VPN) in encryption


E-Commerce Unit 8

Sikkim Manipal University Page No. 134

8.2 Cryptography

Cryptography is derived from the Greek words kryptos (hidden, secret) and

gráphô (I write). It is the practice and study of hiding information. Cryptography

is today considered a branch of both mathematics and computer science, and

is used extensively in information theory, computer security and engineering.

Cryptography is used in applications which require security of data, such as in

the case of ATM cards, computer passwords and electronic commerce.

8.2.1 Purpose of Cryptography

The science of writing in a secret code is called cryptography. It is supposed to have

been first used as far back as 1900 BC by an Egyptian scribe. Cryptography is

believed to have appeared soon after writing was invented and used in diplomatic

exchanges and battle plans. With the development of computer communication,

the need for security of communication media also rose. Quite understandably,

then, cryptography began to be used to provide this security while communicating

over any untrusted medium, particularly the Internet.

These security requirements include:

• Authentication: That is, giving proof of one’s identity.

• Privacy/confidentiality: Making sure that no one other than the intended

reader reads the message.

• Integrity: Providing assurance to the receiver that the message received

by him is no different from the original one.

• Non-repudiation: A mechanism which will prove that the message was

actually sent by the sender and no one else.

Thus, it is seen that cryptography serves a dual purpose: data is protected

from being stolen or altered and users are authenticated. This is done in three

ways: (a) Secret key (or symmetric) cryptography, (b) Public-key (or asymmetric)

cryptography and (c) hash functions. The unencrypted data is referred to as

plaintext. It is encrypted into ciphertext, and then decrypted into usable plaintext.

8.2.2 Encryption as the Basis for Data and Messaging Security

Encryption is a cryptography technology to scramble (encrypt) the data with a

key so that no one can make sense of it while it is being transmitted. When the

data reaches its destination, the information is unscrambled (decrypted) using

the same or a different key.


The terms used commonly in a cryptography system are as follows:

• Intruder: An intruder is any person who does not have the authorization

to access the network or the information.

• Plaintext: It is an intelligible message that needs to be converted into

an unreadable message or encrypted message.

• Ciphertext: A message in an encrypted form.

Example:

Plain Text | Algorithm (encryption) | Cipher Text (Encrypted Form) | Algorithm (decryption) | Plain Text (Decrypted Form)

Goods | Next two letters | Iqqfu | Previous two letters | Goods

Sales | Previous one letter | rzkdr | Next one letter | Sales

Encryption is a method by which plaintext can be converted into ciphertext.

Decryption is a method by which a ciphertext can be converted into plaintext.

Algorithm: A cryptography algorithm is a mathematical function.

Key: It is a string of digits.
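
The two rows of the example table can be reproduced with a letter-shift cipher, which also shows the split between the algorithm (shift the letters) and the key (how far to shift). This is an added illustration, not part of the original unit; the function names are assumptions.

```python
import string

ALPHABET_SIZE = 26


def shift_text(text, key):
    """Algorithm: move every letter `key` places along the alphabet, wrapping at the ends."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            base = ord("a")
        elif ch in string.ascii_uppercase:
            base = ord("A")
        else:
            out.append(ch)  # digits, spaces and punctuation pass through unchanged
            continue
        out.append(chr(base + (ord(ch) - base + key) % ALPHABET_SIZE))
    return "".join(out)


def encrypt(plaintext, key):
    """Key +2 means 'next two letters'; key -1 means 'previous one letter'."""
    return shift_text(plaintext, key)


def decrypt(ciphertext, key):
    """Decryption applies the same algorithm with the key reversed."""
    return shift_text(ciphertext, -key)


def all_decryptions(ciphertext):
    """Try every possible key. There are only 25, so this key gives no real secrecy."""
    return {key: decrypt(ciphertext, key) for key in range(1, ALPHABET_SIZE)}


if __name__ == "__main__":
    # Rows of the table: (plaintext, key)
    for plaintext, key in (("Goods", 2), ("Sales", -1)):
        ciphertext = encrypt(plaintext, key)
        print(plaintext, key, ciphertext, decrypt(ciphertext, key))
    print(len(all_decryptions("Iqqfu")), "possible keys in total")
```

The wrap-around matters for the second row, where "a" shifted back by one letter becomes "z". The code preserves letter case, so its output for "Sales" starts with a capital letter.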

Self-Assessment Questions

1. Fill in the blanks with appropriate words.

(a) The science of writing in a secret code is called_____________.

(b) _____ is a cryptography technology to scramble (encrypt) the data

with a key so that no one can make sense of it while it is being

transmitted.

(c) _______ is an intelligible message that needs to be converted into

an unreadable message or encrypted message.

8.3 Encryption

8.3.1 Methods of Encryption

There are three types of cryptography or methods of encryption:

• Secret key or private key or symmetric key cryptography

• Public key or asymmetric key cryptography

• Hash function


1. Secret key or symmetric key cryptography

In this scheme, both the sender and the recipient possess the same key to

encrypt and decrypt the data. Figure 8.1 shows how secret or private key

cryptography works.

[Figure 8.1 Schematic Diagram of Secret Key Cryptography: Original Message → Secret Key Encrypt → Encrypted Message → Internet → Encrypted Message → Secret Key Decrypt → Original Message]

Data Encryption Standard

Data Encryption Standard (DES) is an example of secret key cryptography. It was developed by IBM. DES is a block cipher-based scheme which encrypts a 64-bit data block using a 56-bit key. The block is transformed in such a way that it involves sixteen iterations. This is done by using the security key.

To take an example, suppose, A encrypts a message with a secret key

and e-mails it to B, who on receiving it, checks the header to identify the sender.

B then has to take the duplicate of the secret key to decrypt the message.

Drawbacks of secret key cryptography

• Both parties must agree upon a shared secret key.

• If there are n correspondents, you have to keep track of n different

secret keys. If the same key is used by more than one correspondent,

the common key holders can read each other’s mail.

• Symmetric encryption schemes are also subject to authenticity

problems. Since both the sender and the recipient have the same

secret key, the identity of originator or recipient cannot be proved.

Both can encrypt or decrypt the message.


2. Triple Encryption

As discussed, DES is a block cipher and employs shared secret encryption. Nowadays, however, DES is considered unsafe for various applications, primarily because its 56-bit key size is too small. Triple DES is considered an improved version that overcomes many of the shortcomings of DES. The triple encryption technology is based on DES and is sometimes referred to as Triple DES or 3DES. It follows an Encrypt-Decrypt-Encrypt (EDE) sequence. The decrypt sequence is just the same encrypting operation with the keys reversed. Because it is based on the DES algorithm, existing software can easily be modified to use Triple DES. It has a longer key length, which helps in eliminating many of the shortcut attacks used to reduce the amount of time it takes to break DES. Thus, Triple DES is considered an exceptional and dependable option to fulfill the security requirements of highly sensitive information.

Triple DES mode of operation takes three 64-bit keys for an overall key

length of 192 bits. In Private Key Encryption, the user can just type in the complete

192-bit (24 character) key rather than entering each of the three keys individually.

The procedure for encryption is exactly the same as regular DES, but it is repeated

three times. The data is encrypted with the first key, decrypted with the second

key and finally encrypted again with the third key (Refer to Figure 8.2).

Figure 8.2 Triple DES Mode
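
The Encrypt-Decrypt-Encrypt sequence, and the point that decryption is the same operation with the keys reversed, can be seen in a short program. This is an added example, not part of the original unit: the 16-round block cipher below is a toy stand-in for DES (it is not DES and gives no real security), and all function names are assumptions.

```python
import hashlib

ROUNDS = 16  # DES also runs sixteen iterations
HALF = 4     # a 64-bit block is split into two 32-bit halves


def subkeys(key):
    """Toy key schedule (assumption): derive one 4-byte subkey per round."""
    return [hashlib.sha256(key + bytes([r])).digest()[:HALF] for r in range(ROUNDS)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block, round_keys):
    if len(block) != 2 * HALF:
        raise ValueError("block must be 8 bytes (64 bits)")
    left, right = block[:HALF], block[HALF:]
    for rk in round_keys:
        mixed = hashlib.sha256(rk + right).digest()[:HALF]  # toy round function
        left, right = right, _xor(left, mixed)
    return right + left  # final swap, so the same routine can undo itself


def encrypt_block(block, key):
    return _feistel(block, subkeys(key))


def decrypt_block(block, key):
    # The same operation as encryption, with the round keys in reverse order.
    return _feistel(block, subkeys(key)[::-1])


def split_key(key24):
    """Split one 24-character (192-bit) key into the three 64-bit keys."""
    if len(key24) != 24:
        raise ValueError("expected a 24-character (192-bit) key")
    return key24[:8], key24[8:16], key24[16:]


def ede_encrypt(block, key24):
    k1, k2, k3 = split_key(key24)
    # Encrypt with key 1, decrypt with key 2, encrypt with key 3.
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def ede_decrypt(block, key24):
    k1, k2, k3 = split_key(key24)
    # Undo the three steps in the opposite order.
    return decrypt_block(encrypt_block(decrypt_block(block, k3), k2), k1)


if __name__ == "__main__":
    key = b"key-one!key-two!key-3333"  # constructed 24-character key
    block = b"8 bytes!"                # constructed 64-bit block
    ciphertext = ede_encrypt(block, key)
    print(ciphertext.hex(), ede_decrypt(ciphertext, key))
    # With three identical keys the middle step cancels the first one,
    # so EDE gives the same result as a single encryption.
    same = b"samekey!" * 3
    print(ede_encrypt(block, same) == encrypt_block(block, b"samekey!"))
```

The last check shows why the middle step is a decryption: a Triple DES implementation given three equal keys behaves like single DES, which is what lets it interoperate with older single-DES software.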

3. Public key cryptography

This scheme operates on a double key, called pair key, one of which is used to

encrypt the message and the other is used to decrypt it. This can be viewed as

two parts; one part of the key pair, the private key, is known only by the designated

owner. The other part, the public key, is published widely but is still associated

with the owner of the private key. Figure 8.3 shows how public key encryption

works.


[Figure 8.3 Schematic Diagram of Public Key Cryptography: Original Message → Public Key Encrypt → Encrypted Message (Cipher Text) → Internet → Encrypted Message (Cipher Text) → Private Key Decrypt → Original Message]

Encryption and Decryption

• Data encrypted with a public key can only be decrypted with a private key.

• Data encrypted with a private key can only be decrypted with a public key.

Advantages of public key cryptography

• Message confidentiality can be proved: The sender uses the recipient’s

public key to encrypt a message, so that only the private key holder can

decrypt the message, and no one else.

• Authenticity of the message originator can be proved: The receiver

uses his private key to encrypt a message, to which only the sender has

access.

• Easy to distribute public key: The public key of the pair can be easily

distributed.

Hash function

Hash function is a formula that converts a message of a given length into a

string of digits called a message digest. A mathematical transformation is used

by the hash function to encrypt information such that it is irreversible. The

encrypted ciphertext message cannot be decrypted back to plaintext.


Digital Signature

How it works: X (the sender) sends a message to Y (the receiver).

[Figure: Hash function → Message digest → Encrypt with sender’s private key → Digital Signature]

(a) The sender generates a message.

(b) A ‘Message Digest’ of the message is created using the hash function.

(c) The sender attaches the digital signature to the end of the message.

(d) The sender encrypts both message and signature with the receiver’s public

key.

(e) Using a private key, the entire message is encrypted by the receiver.

(f) The receiver calculates the message digest using the hash function.

The receiver uses the same hash function that the sender uses, and which

has been agreed upon in advance. The main advantage of using the hash

function for encryption is that even if an unauthorized person accesses X’s

public key, he will not be able to get to the hash function-generated key; thus

making the digital signature authentic and secure.

Activity 1

Search on the Internet for public key cryptography and find out the

disadvantages of using it.

Self-Assessment Questions

2. State whether the following statements are true or false:

(a) In secret key cryptography, only the sender possesses the same

key to encrypt and decrypt the data.

(b) Data Encryption Standard (DES) is an example of public key

cryptography.

(c) Triple DES mode of operation takes three 64-bit keys for an overall

key length of 192 bits.

(d) Data encrypted with a public key can only be decrypted with a private

key.


8.4 Digital Signature

Digital signatures are used for authenticating e-commerce business transactions.

The authentications refer to legal, financial and other document-related issues.

Digital signatures are just like handwritten signatures which determine

authentications.

A digital signature consists of two parts:

(i) Signature in the document: signer authentication

(ii) Document authentication

(i) Signer authentication: A signature should indicate who signed a

document, message or record and should be difficult for another person

to produce without authorization.

(ii) Document authentication: A signature should identify what is signed so

that:

• Sender cannot remove the content of messages after signing it.

• The receiver cannot make any changes in the message.

8.4.1 Validity of Digital Signatures

Generally, a key expires after a certain period that could range from six months

to a year. A signed document with an expired key is not acceptable. The contract

is registered with a digital time stamping service at the time it is signed; the

signature can be authenticated even after expiry of the key. If every party on the

contract keeps a copy of the timestamp, all of them can prove that the contract

was signed using valid keys. Actually, the timestamp can prove the validity of

the contract even if one signatory’s key gets compromised at any instant after

the contract is signed.

A digital time stamping (DTS) service issues timestamps which associate

a date and time with a digital document in a cryptographically strong way. The

digital timestamp can be used at a later date to prove that an electronic document

existed at the time stated on its timestamp.

Because keys are intended to be public and are widely distributed, anyone

can easily create a private/public key pair and distribute the public key, claiming

it belonged to someone else. One solution to this problem is a public-key

certificate. A public-key certificate is a data structure, digitally signed by a

Certifying Authority (CA).


Certificate authority

A certificate authority is an organization or institution that issues digital certificates to companies and organizations that are accessible via the Internet. These certificates are issued for a certain period of time and are used as an assurance of the security of a website. A certificate authority is also known as a trusted third party. CAs are a characteristic of many public key infrastructure (PKI) schemes. There are many commercial CAs that charge for their services. There are also several providers issuing digital certificates to the public without any cost. Generally, institutions and governments have their own CAs.

A certificate authority issues digital certificates that consist of the identification details of the owner and his public key. The corresponding private key is not made available publicly, but is kept secret by the end-user who generates the key pair. The certificate also acts as evidence from the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. If the user trusts the Certificate Authority (CA) and is able to validate the CA’s signature, then he can also be confident that a certain public key belongs to whoever is identified in the certificate.

Digital certificate

A digital certificate serves as an electronic identity card that establishes the user’s credentials when business deals are transacted across the Web. A digital certificate is defined as a method to electronically verify for authenticity. The digital certificate is just like an identity card, such as a driver’s license. Digital certificates are issued by a number of certificate authorities and are used to prove that a website, or a visitor to a website, is the entity or person they claim to be. A digital certificate is an electronic credential issued by a certification authority to establish the identity of an organization when doing business on the Internet.

Contents of digital certificate

A digital certificate contains the following details:

• Certificate Holder’s Name, organization and address.

• The name of certificate authority who has issued this certificate.

• Public key of the holders for cryptographic use.

• Time limit, these certificates are issued for durations of six months to a

year.

• Digital certificate identification number.


A digital certificate contains a public key that is used for encrypting messages and digital signatures. It also has the digital signature of the certificate authority. By this signature a recipient can verify that the certificate is genuine. Sometimes, digital certificates conform to a standard, X.509. Certificates can be kept in registries so that authenticating users can look up other users’ public keys.
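
The signing steps under "How it works" and the certificate checks described in this section can be tied together in one short program. This is an added example, not part of the original unit: it uses textbook RSA without padding and toy keys built from published Mersenne primes, and the field names, function names and "Example CA" are assumptions. It covers signing and verification only, not the encryption of the message for confidentiality.

```python
import hashlib
import json
from datetime import date

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Toy RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed demo keys built from published Mersenne primes: insecure by design.
CA_N, CA_D = make_key(2**607 - 1, 2**1279 - 1)  # certificate authority
X_N, X_D = make_key(2**127 - 1, 2**521 - 1)     # sender X


def digest(data):
    """Hash function: a message of any length becomes a fixed-size message digest."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, n, d):
    """Signature = message digest transformed with the signer's private key."""
    return pow(digest(data), d, n)


def verify(data, signature, n):
    """Recover the digest with the public key and compare it with a fresh digest."""
    return pow(signature, E, n) == digest(data)


def cert_body(cert):
    """Everything in the certificate except the CA's own signature."""
    fields = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(holder, public_n, serial, not_before, not_after):
    cert = {
        "holder": holder,
        "issuer": "Example CA",  # hypothetical CA name
        "public_key_n": public_n,
        "serial": serial,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
    }
    cert["ca_signature"] = sign(cert_body(cert), CA_N, CA_D)
    return cert


def check_message(message, signature, cert, today):
    """Receiver Y's checks, in order: CA signature, validity period, message signature."""
    if not verify(cert_body(cert), cert["ca_signature"], CA_N):
        return "certificate not signed by the CA"
    start = date.fromisoformat(cert["not_before"])
    end = date.fromisoformat(cert["not_after"])
    if not start <= today <= end:
        return "certificate outside its validity period"
    if not verify(message, signature, cert["public_key_n"]):
        return "message signature does not match"
    return "ok"


if __name__ == "__main__":
    cert = issue_certificate("X", X_N, 1001, date(2024, 1, 1), date(2024, 12, 31))
    message = b"Order 40 units"  # constructed sample message
    signature = sign(message, X_N, X_D)
    print(check_message(message, signature, cert, date(2024, 6, 1)))
    print(check_message(b"Order 400 units", signature, cert, date(2024, 6, 1)))
    print(check_message(message, signature, cert, date(2025, 3, 1)))
    swapped = dict(cert, public_key_n=CA_N)  # another key placed under X's name
    print(check_message(message, signature, swapped, date(2024, 6, 1)))
```

The last case is the problem the public-key certificate solves: a public key placed under someone else's name fails the check because the CA's signature no longer matches the certificate contents.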

8.4.2 Non-Repudiation and Message Integrity

Digital identity is based on message integrity, non-repudiation and confidentiality.

Integrity ensures that a message or transaction has not been tampered with.

Non-repudiation ensures that the contents of the message sent are intact and

provides evidence for the existence of a message or transaction. The user and

the recipient cannot dispute the contents, once sent. The contents are protected

as confidential which means that only authorized individuals or groups can access

the contents of a message or transaction. In certain cases, these features are

not necessary and hence are considered as luxury. However, there are scenarios

where these features are most critical. For managing digital identity strategy,

clarity of these features is very important.

Integrity

Integrity is the basic requirement of a highly dependable identity infrastructure.

Identity systems serve the purpose of exchanging credentials as well as

messages and transactions pertaining to attributes, provisioning of information

and other data. Integrity builds a trust that the contents have not been tampered,

which is important in this environment. To understand this better, let us take an

example of a document that represents identity credentials. It is important to

validate the authenticity of the credentials to be sure of their originality.

Non-repudiation

Non-repudiation is the activity of presenting tamper-proof evidence proving

that a message was sent or received. Critical identity-related acts should be

protected even though the messages or transactions can be disputed. For

understanding this better, let us take the instance of two people, Nadia and Joe,

who are exchanging messages. In one case, Nadia denies sending a message

to Joe that he claims to have received. The ability to counter Nadia’s denial is

called Non-repudiation of Origin (NRO). In the second scenario, Nadia claims

to have sent Joe a message that he denies having received. Provision of evidence

to counter Bob’s claim is called Non-Repudiation of Receipt (NRR).


Activity 2

Search on the Internet for the term ‘digital signature’ and find out how it

ensures non-repudiation of data.

Self-Assessment Questions

3. Fill in the blanks with appropriate words.

(a) ______ are used to authenticate e-commerce business transactions.

(b) A ______ service issues timestamps which associate a date and

time with a digital document in a cryptographically strong way.

(c) A _____ is defined as a method to electronically verify for authenticity.

8.5 Virtual Private Network

A virtual private network (VPN) establishes a virtual connection between client

and server. It is a network that uses a public communication infrastructure,

such as the Internet, to provide remote offices (other place) or individual users

with secure access to their organization’s network. A virtual private network can

be compared with a system of owned or leased lines that can only be used by

one organization. The goal of a VPN is to provide the organization with the

same capabilities, but at a much lower cost.

A VPN works on the shared public infrastructure while maintaining privacy

through security procedures and tunneling protocols such as the Layer Two

Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the

sending end and decrypting it at the receiving end, send the data through a

“tunnel” that cannot be “entered” by data that is not properly encrypted. An

additional level of security involves encrypting not only the data, but also the

originating and receiving network addresses.

One popular technology to accomplish these goals is VPN. A VPN is a

private network that uses a public network (usually the Internet) to connect

remote sites or users together. The VPN uses “virtual” connections routed through

the Internet from the business’s private network to the remote site or employee.

By using a VPN, businesses ensure security — anyone intercepting the encrypted

data can’t read it.


VPN was not the first technology to make remote connections. Leased

lines, such as ISDN (integrated services digital network, 128 Kbps), are private

network connections that a telecommunications company could lease to its

customers. Leased lines provided a company with a way to expand its private

network beyond its immediate geographic area. These connections form a single

wide-area network (WAN) for the organization. Though leased lines are reliable

and secure, the leases are expensive, with costs rising as the distance between

offices and work places increases.

Self-Assessment Questions

4. State whether the following statements are true or false:

(a) A virtual private network (VPN) is a network that uses a private

communication infrastructure.

(b) The goal of a VPN is to provide the organization with the same

capabilities, but at a much lower cost.

8.6 Summary

Let us recapitulate the important concepts discussed in this unit:

• The science of writing in a secret code is called cryptography. It is supposed

to have been first used as far back as 1900 BC by an Egyptian scribe.

• Encryption is a cryptography technology to scramble (encrypt) the data

with a key so that no one can make sense of it while it is being transmitted.

• Encryption is a method by which plaintext can be converted into a

ciphertext.

• Decryption is a method by which a ciphertext can be converted into a

plaintext.

• In secret key cryptography, both the sender and the recipient possess the

same key to encrypt and decrypt the data.

• Data Encryption Standard (DES) is a block cipher based scheme which

encrypts a 64 bit data block using a 56 bit key. The block is transformed

in such a way that it involves 16 iterations.

• Public key cryptography operates on a double key, called pair key, one of

which is used to encrypt the message and the other is used to decrypt it.


• Digital signatures are used for authenticating e-commerce business

transactions. The authentications refer to legal, financial and other

document-related issues.

• Hash function is a formula that converts a message of a given length into

a string of digits called a message digest.

• A certificate authority is an organization or institution that issues digital certificates to companies and organizations that are accessible via the Internet.

• Digital identity is based on message integrity, non-repudiation and

confidentiality.

• A virtual private network (VPN) establishes virtual connection between

client and server. It is a network that uses a public communication

infrastructure, such as the Internet, to provide remote offices (other place)

or individual users with secure access to their organization’s network.

• A VPN works on the shared public infrastructure while maintaining privacy

through security procedures and tunneling protocols such as the Layer

Two Tunneling Protocol (L2TP).

8.7 Glossary

• Cryptography: The science of writing in a secret code

• Encryption: A cryptography technology to scramble (encrypt) the data

with a key so that no one can make sense of it while it is being transmitted

• Intruder: Any person who does not have the authorization to access the

network or the information

• Plaintext: An unreadable message that needs to be converted into an

intelligible message or encrypted message.

• Ciphertext: A message in an encrypted form.

• Hash function: A formula that converts a message of a given length into a string of digits called a message digest.

• Non-repudiation: The activity of presenting tamper-proof evidence proving that a message was sent or received


8.8 Terminal Questions

1. Discuss the meaning and purpose of cryptography.

2. Compare the features of secret key cryptography and those of public key

cryptography.

3. Explain how hash function operates.

4. Describe how digital signatures are validated.

5. Explain the method of ensuring non-repudiation and message integrity.

6. What is virtual private network (VPN)? Discuss how it works.

8.9 Answers

Answers to Self-Assessment Questions

1. (a) Cryptography; (b) Encryption; (c) Plaintext

2. (a) False; (b) False; (c) True; (d) True

3. (a) Digital signatures; (b) Digital time stamping; (c) Digital certificate

4. (a) False; (b) True

Answers to Terminal Questions

1. Refer to Section 8.2

2. Refer to Section 8.3

3. Refer to Section 8.3

4. Refer to Section 8.4.1

5. Refer to Section 8.4.2

6. Refer to Section 8.5


References

1. Turban, Efraim, Jae Kuy Lee and Michael Chung. Electronic Commerce:

A Managerial Perspective. Prentice-Hall, 1999.

2. Whitley, David. E-Commerce: Strategy, Technologies and Applications.

Tata McGraw-Hill, 1998.