The Need for Security
On the Internet, information you send from one computer to another passes through numerous systems before it reaches its destination. Normally, the users of these intermediary systems don't monitor the Internet traffic routed through them, but someone who's determined can intercept and eavesdrop on your private conversations or credit card exchanges. Worse still, they might replace your information with their own and send it back on its way.
Due to the architecture of the Internet and intranets,
there will always be ways for unscrupulous people to intercept and replace
data in transit. Without security precautions, users can be compromised
when sending information over the Internet or an intranet. This has serious
implications for Internet Commerce. For Internet Commerce to exist, there
has to be a means to secure data sent over the Internet. Without a secure
means of communication, commerce cannot exist.
How do I protect my data?
Encryption & Digital Certificates are the solution for Internet Commerce. Used together, they protect your data as it travels over the Internet.
Encryption is the process of using a mathematical algorithm to transform information into a format that can't be read (this format is called cipher text). Decryption is the process of using another algorithm to transform encrypted information back into a readable format (this format is called plain text).
Digital Certificates are your digital passport, an Internet ID. They are verification of you who you are and the integrity of your data.
Combined, encryption and digital certificates protect and secure your data in the following four ways:.
To understand how this all works, we need to start with the basics. Encryption has been around for centuries, Julius Caesar used encrypted notes to communicate with Rome thousands of years ago. This traditional cryptography is based on the sender and receiver of a message knowing and using the same secret key: the sender uses the secret key to encrypt the message, and the receiver uses the same secret key to decrypt the message. For Caesar, the letter A was represented by the letter D, B by the letter E, C by the letter F, etc. The recipient would know about this sequence, or key, and decrypt his message. This method is known as secret-key or symmetric cryptography. Its main problem is getting the sender and receiver to agree on the key without anyone else finding out. Both sides must find some "secure" way to agree or exchange this common key. Because all keys must remain secret, secret-key cryptography often has difficulty providing secure key management, especially in open systems with a large numbers of users, such as the Internet.
21 years ago, a revolution happened in cryptography that changed all this, public-key cryptography. In 1976, Whitfield Diffie and Martin Hellman, introduced this new method of encryption and key management. A public-key cryptosystem is a cryptographic system that uses a pair of unique keys (a public key and a private key). Each individual is assigned a pair of these keys to encrypt and decrypt information. A message encrypted by one of these keys can only be decrypted by the other key in the pair:
Exchanging keys is no longer a security concern. I have my public key and private key. I send my public key to anyone on the Internet. With that public key, they encrypt their email. Since the email was encrypted with my public key, ONLY I can decrypt that email with my private key, no one else can. If I want to encrypt my email to anyone else on the Internet, I need their public key. Each individual involved needs their own public/private key combination.
Now, the big question is, when you initially
receive someone's public key for the first time, how do you know it is
them? If spoofing someone's identity is so easy, how do you knowingly exchange
public keys, how do you TRUST the user is really who he says he is? You
use your digital certificate. A digital certificate is a digital document
that vouches for the identity and key ownership of an individual, a computer
system (or a specific server running on that system), or an organization.
For example, a user's certificate verifies that the user owns a particular
public key. Certificates are issued by certificate authorities, or CAs.
These authorities are responsible for verifying the identity and key ownership
of the individual before issuing the certificate, such as Verisign, http://www.verisign.com.
Authentication & Integrity
We now have a secure means of encrypting data, one of the four methods of securing data on the Internet. Two others, authentication and data integrity, are combined in what is called a digital signature. A digital signature works as follows:
If the message is sent by someone claiming to be the sender, this person does not have access to the sender's private key. The person claiming to be the sender must use a different private key to encrypt the message digest.
Because the recipient uses the sender's public key to decrypt the message digest (and not the actual public key corresponding to the private key used to encrypt the message digest), the decrypted message digest will not match the newly generated message digest.
If the message was modified during transmission, the hash function will generate a different message digest when applied after the transmission.
Tokens represent the fourth security option by replacing
passwords. Tokens are simply your digital certificate residing on your
hardrive. When a computer prompts you for your password, your computer
sends your certificate over the Internet instead. Your certificate verifies
your identity instead of the password. This is a more secure (and easier)
means of verification.
How Secure is all This?
Just how secure is encryption. The strength of encryption is measured in bits, or how big the key is. The bigger the key, the stronger the encryption. There are currently 3 commonly used key sizes used commercially, 40, 56, and 128 bit. Originally, the government allowed only 40 bit keys for exportation. However, this proved far to weak for security. In February of 1997, a college student was able to crack 40 bit encrypted data within 4 hours (http://www2.ecst.csuchico.edu/~atman).
Yesterday (1/28) RSA Data Security Inc. challenged the world to decipher a message encrypted with its RC5 symmetric stream cipher, using a 40-bit key, the longest keysize allowed for export. RSA offered a $1,000 reward, designed to stimulate research and practical experience with the security of today's codes.
Goldberg succeeded a mere 3 1/2 hours after the contest began, which provides very strong evidence that 40-bit ciphers are totally unsuitable for practical security.
In the end, the DESCHALL effort solved
the DES challenge after only searching 24.6% of the key space. (about 18
quadrillion keys!) The winning key was determined by Michael Sanders, using
a Pentium 90 MHz desktop PC with 16 megs of RAM.
What it Looks Like
Below is an example of a message that has
been encrypted and signed, but intercepted before the recipient has received
it. Notice how the body of the entire message is "gibberish",
i.e., the message cannot be read. That is what encryption looks like.
Below is an example of the same message,
but received by the intended recipient. The recipient has decrypted
the message and verified the message's integrity & /authenticity.
The protocol or Internet standard used for Digital Certificates is X.509
& S/MIME. Any email system that has these open based standards
can use Digital Certifcates for Internet Commerce. The image below
is of Netscape Navigator, which is both X.509 and S/MIME compliant.
Utilizing digital certificates and encryption, users can easily and securely communicate on the Internet. This combination of ease of use and security lays the foundation for commerce. As users gain confidence and experience using these tools, Internet Commerce, much like encryption, will grow exponentially.