
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, CA, SSL, SET

Date post: 25-Dec-2014
Upload: muhammad-faisal-naqvi-cissp-cisa-iso27k-a-i-ambci
Description:
Presented at Seminar at Bahria University June 2007 Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, Certification Authority, Secure Socket Layer (SSL), Secure Electronic Transaction (SET)
Transcript
Page 1: Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, CA, SSL, SET

Cryptography Simplified – Symmetric Key, Public Key, Digital Signature, CA, SSL, SET

M. Faisal Naqvi

Research Consultant (Technical), ECAC

Page 2

Obstacles to the Growth of E-Commerce

Why don't most people use E-Commerce?
• Lack of trust
• Fraudulent Merchants
• Hacking/Cracking
• Credit Card Information Theft
• Privacy issues

Page 3

Technical Requirements of User of E-Commerce

• Confidentiality: Privacy from third parties
• Integrity: Any change in the message during transit should be detected
• Authenticity: The identity of the sender should be verifiable
• Non-repudiation: Denial by the sender should not be possible
• Anonymity: Information about the Customer & Transaction should be confidential from the dealing party
• Availability

Page 4

How Requirements can be Fulfilled?

• Cryptography, i.e.
  – Encryption (Encoding)
  – Decryption (Decoding)

[Diagram] Alice: Plain Text "CALL ME" → E → Cipher Text "DBMM NF" → D → Plain Text "CALL ME" : Bob

Page 5

Main Cryptographic Techniques

1. Secret Key Cryptography
2. Public Key Cryptography
   a) For Confidentiality
   b) For Authenticity & Integrity

Page 6

1. Secret Key Cryptography

• Also called Symmetric Key Cryptography
• Only one key is used for encryption as well as for decryption
• e.g. Data Encryption Standard (DES)

[Diagram] Alice (Key=1): Plain Text "CALL ME" → E → Cipher Text "DBMM NF" → D → Plain Text "CALL ME" : Bob (Key=1)

Page 7

2. Public Key Cryptography

• Also called Asymmetric Key Cryptography
• For each party there is a Key pair, i.e.:
  1. Private Key (known to owner only)
  2. Public Key (Published, known to Everyone)
• When we encrypt using Pub. Key it can only be decrypted using Pvt. Key and vice versa.
• e.g. Rivest Shamir Adleman (RSA) Algorithm

Page 8

2. Public Key Cryptography (Cont...)

• Public Key Cryptography can be used in two ways:
  a) Encryption with Pub. Key & Decryption with Pvt. Key (to achieve Confidentiality).
  b) Encryption with Pvt. Key & Decryption with Pub. Key (to achieve Authenticity and Integrity)

Page 9

2. Public Key Cryptography (Cont...) For Confidentiality

• Sender Encrypts the Message with the Public Key of the Recipient
• The Recipient Decrypts the Encrypted Message, with his own Private Key

[Diagram] Public: Plain Text 10,000 → E (Bob's Public Key = 0.5) → Cipher Text 5,000 → D (Bob's Private Key = 2) → Plain Text 10,000 : Bob

Page 10

2. Public Key Cryptography (Cont...) For Authenticity & Integrity of Message

• The Sender Encrypts the Message, with his own Private Key.
• The Recipient Decrypts the Encrypted Message with the Public Key of the Sender.

[Diagram] Bob: Plain Text 10,000 → E (Bob's Private Key = 2) → Cipher Text 20,000 → D (Bob's Public Key = 0.5) → Plain Text 10,000 : Public

Page 11

Achieving Authenticity, Integrity and Confidentiality simultaneously...

[Diagram] Sender: Doc. + Digital Sign → 1. Sender's Pvt. → 2. Recipient's Pub. → Cipher → 3. Recipient's Pvt. → 4. Sender's Pub. → Doc. + Digital Sign : Recipient

Page 12

Achieving Authenticity, Integrity and Confidentiality simultaneously (Cont…)

1. The Sender Encrypts the Message, with his own Pvt. Key. (for Authenticity and Integrity)

2. Then Sender Encrypts the result, with the Pub. Key of Recipient. (For confidentiality)

3. The Recipient decrypts the cipher, with his own Pvt. Key (to open confidentiality)

4. Then Recipient decrypts the result, with the Pub. Key of Sender (to Authenticate)
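
Steps 1 to 4 above, worked through as an added example (not part of the original slides) using textbook RSA on the slides' sample value 10,000. The key names and toy primes are assumptions, and the document and its Digital Sign travel as two separately encrypted blocks, following the Doc. + Digital Sign diagram.

```python
# Textbook RSA with toy primes, for illustration only: real systems use
# 2048-bit+ keys, padding (OAEP/PSS), and sign a hash of the document.

def make_keypair(p, q, e=65537):
    """Return (public, private) keys as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(value, key):
    """Apply one RSA key to an integer that must be below the modulus."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exp, n)

# Constructed keys (assumed names). The sender's modulus is the smaller
# one so that a signature always fits inside one block for the recipient.
SENDER_PUB, SENDER_PVT = make_keypair(1009, 1013)   # n = 1022117
RECIP_PUB, RECIP_PVT = make_keypair(1019, 1021)     # n = 1040399

def seal(doc):
    """Sender side: returns (encrypted doc, encrypted digital signature)."""
    sign = rsa(doc, SENDER_PVT)                        # step 1
    return rsa(doc, RECIP_PUB), rsa(sign, RECIP_PUB)   # step 2

def open_sealed(cipher):
    """Recipient side: decrypt, then authenticate with the sender's key."""
    doc, sign = (rsa(part, RECIP_PVT) for part in cipher)   # step 3
    if rsa(sign, SENDER_PUB) != doc:                        # step 4
        raise ValueError("signature does not match document")
    return doc

if __name__ == "__main__":
    sealed = seal(10000)                 # the slides' sample amount
    print(open_sealed(sealed))
    # A block changed in transit no longer matches the signature.
    tampered = ((sealed[0] + 1) % RECIP_PUB[1], sealed[1])
    try:
        open_sealed(tampered)
    except ValueError as err:
        print("rejected:", err)
```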

Page 13

Need of a Certification Authority (CA)

Issues
• How can someone publish his Public Key?
• How can someone verify that a Public Key belongs to a particular Person?

Solution
• Public Key can be published through a Third Party, trusted by both Sender & Recipient.
• This Trusted Third Party is called Certification Authority (CA)
• CA verifies and certifies, by issuing a Digital Certificate, that a particular "Public Key" belongs to a "Particular Person" and publishes the same through Web.

Page 14

What does a CA publish about a Digital Certificate?

Ibrar Ahmad

Page 15

How CA Works?

CA:
• accepts Application to issue Digital Certificate
• verifies Identity of Subscriber
• verifies that subscriber has corresponding Pvt. key
• generates Digital Certificate
• publishes Digital Certificate of its subscriber on its web site so that anyone can download Digital Cert. of any other person from the CA's web site
• accepts Request to Revoke the Certificate
• publishes Certificate Revocation List (CRL) so that anyone can check whether Cert. is Revoked

Page 16

What is Public Key Infrastructure (PKI)?

• PKI includes:
  – Sender(s)
  – Recipient(s)
  – and CA(s)
• By using Cryptography to fulfill all requirements jointly or severally:
  – Confidentiality
  – Integrity
  – Authenticity
  – Non-repudiation
  – Reliability
  – Accountability
  – Anonymity

Page 17

Importance of PKI

PKI:
• Provides secure and trusted e-communication environment.
• Is inevitable for e-commerce, e-business & e-governance etc.

Page 18

Use of PKI in E-Commerce

Some Protocols based on PKI:
• Secure Socket Layer (SSL)
• Secure Electronic Transaction (SET)

Page 19

Secure Socket Layer (SSL)

• Most commonly used (e.g. Hotmail, Yahoo)
• Simplest
• Only confidentiality and integrity are achieved
• Authenticity is not part of the Protocol
• Only server's Digital Certificate is required
• Not a payment protocol specifically
• For any secure communication

Page 20

Secure Socket Layer Process

[Diagram] Client ↔ Server

1. Client Generate Secret Key

2. Server's Public Key

3. Secret Key encrypted with Server's Pub. Key

4. Server decrypts Secret Key using its Pvt. Key

5. Communicate securely using secret key
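
The five steps above as an added example, not code from the original slides: the client wraps a fresh secret key with the server's public key, and both sides then use it for confidentiality and integrity. The toy RSA key, the SHA-256 based stream cipher and all function names are assumptions chosen so the exchange runs offline; real SSL/TLS uses different, much stronger primitives.

```python
import hashlib, hmac, secrets

# Constructed toy server key pair (textbook RSA, tiny primes): not secure.
N, E = 1019 * 1021, 65537                 # server's public key
D = pow(E, -1, 1018 * 1020)               # server's private key

def derive(secret, label):
    """Turn the shared secret into separate encryption and MAC keys."""
    return hashlib.sha256(label + secret.to_bytes(4, "big")).digest()

def xor_stream(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks."""
    blocks = range(len(data) // 32 + 1)
    pad = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in blocks)
    return bytes(a ^ b for a, b in zip(data, pad))

def client_key_exchange(server_pub):
    """Steps 1 and 3: generate the secret key, encrypt it to the server."""
    n, e = server_pub
    secret = secrets.randbelow(n - 2) + 2
    return secret, pow(secret, e, n)

def server_key_exchange(wrapped):
    """Step 4: only the private key holder recovers the secret key."""
    return pow(wrapped, D, N)

def protect(secret, plaintext):
    """Step 5, sending side: encrypt, then tag for integrity."""
    body = xor_stream(derive(secret, b"enc"), plaintext)
    tag = hmac.new(derive(secret, b"mac"), body, hashlib.sha256).digest()
    return body, tag

def unprotect(secret, body, tag):
    """Step 5, receiving side: check the tag before decrypting."""
    good = hmac.new(derive(secret, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("record modified in transit")
    return xor_stream(derive(secret, b"enc"), body)

def session(message):
    """Run steps 1-5 once; returns what the server reads."""
    client_secret, wrapped = client_key_exchange((N, E))   # step 2: N, E
    server_secret = server_key_exchange(wrapped)
    return unprotect(server_secret, *protect(client_secret, message))
```

Nothing in this exchange tells the client that the public key it received really belongs to the server; that binding is what the server's Digital Certificate from the CA provides.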

Page 21

Secure Electronic Transaction (SET)

• Most Comprehensive

• Confidentiality, Integrity, Authenticity, Non Repudiation and Anonymity/Privacy can also be achieved

• Comparatively Complex

• Digital Certificates of Merchant, Bank and Customer are required

• Specifically a Payment Protocol

Page 22

SET Protocol Process

• OI = Order Information (Products/Services)
• PI = Payment Information (Credit Card etc.)
• C = Customer
• M = Merchant
• B = Bank
• Pb = Public
• Pv = Private

Page 23

SET Protocol Process (Cont…)

[Diagram] Customer → Merchant → Bank

1. Customer → Merchant: MPb[CPv{MPb(OI)+BPb(PI)}]

2. Merchant → Bank: BPb[MPv[CPv{MPb(OI)+BPb(PI)}]]
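
The two messages above traced as a symbolic model, added here as an example and not taken from the original slides. No real cryptography is performed: `Enc` and `Sig` are assumed stand-ins for the Pb and Pv layers, and the model only tracks which party can open or check each layer, which is enough to show that the Merchant never reads PI and the Bank never reads OI.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:            # XPb(...): only X's private key opens it
    to: str
    body: object

@dataclass(frozen=True)
class Sig:            # XPv(...): anyone checks it with X's public key
    by: str
    body: object

def decrypt(item, me):
    if not isinstance(item, Enc) or item.to != me:
        raise PermissionError(f"{me} has no private key for this layer")
    return item.body

def verify(item, signer):
    if not isinstance(item, Sig) or item.by != signer:
        raise ValueError(f"layer is not signed by {signer}")
    return item.body

def customer_send(oi, pi):
    """Message 1: MPb[CPv{MPb(OI)+BPb(PI)}]"""
    return Enc("M", Sig("C", (Enc("M", oi), Enc("B", pi))))

def merchant_forward(msg1):
    """Merchant reads OI, then builds message 2: BPb[MPv[CPv{...}]]"""
    signed_by_c = decrypt(msg1, "M")
    enc_oi, _enc_pi = verify(signed_by_c, "C")
    return decrypt(enc_oi, "M"), Enc("B", Sig("M", signed_by_c))

def bank_receive(msg2):
    """Bank checks both signatures and reads PI only."""
    signed_by_c = verify(decrypt(msg2, "B"), "M")
    _enc_oi, enc_pi = verify(signed_by_c, "C")
    return decrypt(enc_pi, "B")

def can_open(item, who):
    try:
        decrypt(item, who)
        return True
    except PermissionError:
        return False

def run(oi, pi):
    """Returns (what the Merchant reads, what the Bank reads)."""
    merchant_oi, msg2 = merchant_forward(customer_send(oi, pi))
    return merchant_oi, bank_receive(msg2)
```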

Page 24

?

Page 25

Thank You

