Secure E-Commerce: Understanding the Public Key Cryptography Jigsaw Puzzle

Transcription

1 CRYPTOGRAPHY Secure E-Commerce: Understanding the Public Key Cryptography Jigsaw Puzzle Viswanathan Kodaganallur, Ph.D. Today almost all organizations use the Internet extensively for both intra- and inter-organizational communications. The Internet is also the exclusive vehicle for E-commerce transactions involving customers and other business partners. This eliminates the significant infrastructure costs of private data communications networks and enables even small companies to participate in E-commerce. However, extensive use of public media for transferring sensitive data poses serious security challenges. One of the main weapons in overcoming these challenges is public key cryptography. Although public key cryptography is extensively used today, relatively few people (managerial and technical) understand its essence, preferring to leave that to the specialists. Although the intricate technical details are best left to the specialists, a solid understanding of the broad picture is necessary and well within the reach of everyone. This article sets out to convey just such an understanding. BASICS OF SECRET COMMUNICATIONS Perfectly secure communication is impossible in theory. It is always a possibility for any message to fall into the wrong hands. The practical approach is to reduce the likelihood of this happening to acceptably small levels. Nowadays encryption is the main approach to keeping communications secret. A message being communicated () is encrypted in such a way that the encrypted message (text) can be understood only if it is decrypted. Clearly, the message is secret only to the extent that decrypting the text is difficult. A message can be encrypted in several ways. A procedure to encrypt a message is called a. A trivial (and not very secure) example of a is one that reverses the characters in a message. The recipient of the message, if aware of how the message has been encrypted, can decrypt it by reversing the characters in the text to recreate the. Another example is a substitution, which works by substituting each character VISWANATHAN KODAGANALLUR, Ph.D., is an Associate Professor of Computing and Decision Sciences at Seton Hall University's Stillman School of Business. He earned his Ph.D. in operations management from the Indian Institute of Management. Dr. Kodaganallur started his working career in academia. He then switched to the software development industry where he spent a decade before returning to academia in His research interests include information systems security, object-oriented software development, intelligent tutoring systems, and combinatorial optimization. 44 I N F O R M A T I O N S Y S T E M S S E C U R I T Y

2 FIGURE 1 Encryption and Decryption with Key-Based Symmetric Ciphers Shared key Shared key Symmetric text Symmetric Encryption Decryption of the message with some other character. This can be decrypted via reverse substitution by a recipient who is aware of what substitutions have been made. In this example, the operates in conjunction with a secret key (the substitution scheme). The same used on the same with a different key will yield different text. Single-character substitution s can be easily cracked by cryptanalysts (people who break s) through techniques such as frequency analysis. For example, the most frequently occurring letters in English are e, t, and a. By counting the frequency of each letter in the text, a cryptanalyst can make a guess about which letters in the text probably map to these letters. Once these are established, other clues, such as which letters commonly precede and follow these letters, can be used to make further progress. More powerful s, called block s, encode a block of text at a time rather than just a single character. Under these, a block of text (say, 128 bits) is replaced with a different block of the same, or different, size. The number of possible transformations increases rapidly with the block size, consequently making cryptanalysis more difficult. Although people can come up with many different methods of encoding, the need for standardization makes it necessary to adopt one or a few methods universally. On the face of it this would seem to defeat the very purpose of encrypted communication. However, with something called key-based s, the text depends not only on the encryption procedure but also on a secret key used during the encryption process. For example, suppose the is (perhaps a credit card number). Let us suppose that some specified method X is being used for encryption. With the secret key , the might get encoded to 6bgs 8ys9 0ehw yhfk ; whereas, using the same method X but a different secret key, the would be encoded to something completely different. To decrypt messages encrypted using keybased s, one needs to know not only the encoding procedure but also the secret key value. Keeping the key hidden from all except the message recipient makes it very difficult for unauthorized parties to obtain the from the text, even if they know what kind of has been used. This process is illustrated in Figure 1. An example of a key-based block is DES (Data Encryption Standard), which was adopted as a standard by the U.S. government in 1977 and the financial industry in DES uses a 56-bit key. Today, DES is not considered safe enough primarily because of its small key size. Computing technology has become powerful enough for a cryptanalyst to exhaustively try all possible key combinations on a DES text within a reasonable amount of time and hence to decode DES text even without having the secret key. C R Y P T O G R A P H Y 45 J A N U A R Y / F E B R U A R Y

3 Prominent among the new approaches are AES (supports key sizes of 128, 192, and 256 bits), Triple DES (overcomes the limited key size by applying DES three times with two or three different keys), Rivest s (RC2, RC4, RC5, and RC6), and others such as IDEA (International Data Encryption Algorithm) and CAST. All the s mentioned above are called symmetric key s because the same secret key is used for encryption and decryption. Symmetric key s that are almost impossible to break are but one part of secure E-commerce. Other issues must be addressed for secure communications in today s world, where many parties need to communicate over an insecure medium such as the Internet. Any scheme that is used must ideally meet all of the following requirements: Confidentiality: It should be almost impossible for anyone but the intended recipient to de the message. This is the most obvious aspect of secure communications and is well addressed by the symmetric key s already mentioned. Scalability: The approach should be convenient to use when the number of communicants and messages is large. Secret communication with symmetric keys is not scalable when used in isolation. It runs into various problems when many unacquainted parties need to communicate secretly; as, for example, in E-commerce transactions. The biggest bottleneck with such systems is the distribution and management of the secret keys. Suppose there are n parties communicating with each other and all communications need to be secret; then each party has to keep track of one secret key for each of the n 1 parties with whom it needs to communicate. An even bigger problem is that of safely distributing the keys in the first place so that the secret keys do not fall into the wrong hands. It should be possible to exchange keys safely over insecure media; after all, it is not practical to expect that all communicating parties will meet in person to exchange keys. Furthermore, to break a, a cryptanalyst needs a lot of text created using a single key. Thus, to minimize the risk of compromising secrecy, it would be necessary to periodically change the symmetric keys used. This requirement further complicates the task of secure key distribution. Integrity: It should be possible for the recipient to verify that the message was not tampered with in transit. This is important because an attacker might intercept a message and insert a different one in its place. A contemporary example of this would be when a hacker intercepts a transmission from an E-commerce server to a client and inserts the hacker s own Web page in place of the server s page. An unsuspecting user might then enter sensitive information on the hacker s page and submit it to the hacker. Authentication: It should be possible for a message recipient to verify the identity of the message originator in order to avoid dealing with an imposter. This is essential because an imposter on the Web could easily pose as a genuine E-commerce vendor and steal sensitive information. Another related issue is that of nonrepudiation; a sender of a message (such as an important legal business document) should not be able to later claim to have never sent it. This goal is achieved once the identity of the sender of a message can be irrevocably established. I will now discuss the pieces of the public key cryptography jigsaw puzzle that address each of these issues. Table 1 summarizes the issues and the techniques that address each issue. Detailed descriptions of the techniques follow. ASYMMETRIC KEY CIPHERS We have already seen that key distribution and management is a problem with symmetric key s. Whitfield Diffie and Martin 46 I N F O R M A T I O N S Y S T E M S S E C U R I T Y

4 TABLE 1 Issues in Public Key Cryptography Issue Technique Confidentiality Scalability Integrity Authentication Key-based s (symmetric and asymmetric) key s, digital certificates, and Secure Sockets Layer Message digests and digital signatures Digital certificates and certificate authorities Hellman of Stanford University made pathbreaking discoveries that gave birth to modern cryptography. They demonstrated for the first time that it is possible for communicating parties to exchange keys securely over insecure media. They also suggested the concept of asymmetric key s, wherein the keys used for encryption and decryption are different. Although they suggested the concept of asymmetric key s, they were unable to develop a concrete realization of the concept an actual that would work as they suggested. That was later done by the MIT team of Ron Rivest, Adi Shamir, and Leonard Adleman, who created RSA, the first asymmetric key. Another wellknown asymmetric key is the ElGamal. The two keys of an asymmetric form a key pair, with one of them being the private key and the other the public key. A key pair has the following properties: A message encrypted with a public key can be decoded only with the matching private key. In the case of reversible asymmetric key s, the converse also works a message encrypted with a private key can be decrypted only with the matching public key. Given a public key, it is almost impossible to figure out the matching private key. By almost impossible, we mean that, although it is theoretically possible to figure out the private key given only the public key, in practice it would take several years of computing. As the names imply, a private key is kept completely private no one but the owner knows this key but the public key can be widely distributed because it does not matter who gets hold of it. Communication using asymmetric key s is called public key cryptography. For a concrete illustration of how secure communication would work under this system, suppose person A wants to send a secret message to person B, and A and B already have each other s public keys (they could have exchanged them via , for example). Further, suppose that a hacker (H) is eager to listen in on this communication. A would first encrypt her message using B s public key and send the text to B. On receiving the message, B can decrypt it using his private key. Even if H sees the text, not possessing B s private key, H can do nothing useful with the data. This process is illustrated in Figure 2. B can now reply to A by encrypting the message with A s public key, and the conversation can proceed securely even though H can potentially intercept each and every byte of the transmissions. Although this seems to be a foolproof arrangement, this alone does not prevent H from being malicious. H might be able to intercept a message from A to B and replace it with his own message properly encrypted with B s public key (recall that B makes no effort to hide his public key). On receiving this message, B has no way of knowing that the integrity of the message has been compromised and that the message has really been sent by an imposter acting as A. Although confidentiality has not been compromised, there has been a security breach. How can B be sure of the authenticity of the sender of the message just by looking at the message? C R Y P T O G R A P H Y 47 J A N U A R Y / F E B R U A R Y

5 FIGURE 2 Secret Communication with Public Keys and Ciphers A s computer B s computer B s public key B s private key text FIGURE 3 Double Encryption Scheme with Public Key Cryptography p B s public key A s private key text 1 B s computer text B s private key A s public key text 1 There is a way by which confidentiality, integrity, and authentication can all be achieved with asymmetric s. Let us assume as before that A and B have exchanged public keys. Now, when A wants to send a message to B, A first encrypts the message using B s public key and then encrypts the resulting text once again using her own private key and sends the resultant doubly encrypted message to B. B first uses A s public key and, on the result, uses his own private key to get back the original message. Figure 3 illustrates this process. This approach provides confidentiality. H can decrypt using A s public key and undo the effect of A s private key; but the result is still text created with B s public key that requires B s private key to decrypt. Not possessing B s private key, H can go no further. This approach preserves integrity. The second step in the decryption process by B is to use A s public key. This can work only on a message encrypted with A s private key. Not having A s private key, H cannot insert anything that will decrypt properly with A s public key. 48 I N F O R M A T I O N S Y S T E M S S E C U R I T Y

6 This approach provides authentication. When B uses A s public key followed by his own private key and gets anything meaningful, it is clear that the message was actually sent by A. No one other than A could have sent anything that could be decrypted meaningfully with A s public key. Although this seems to be a complete solution, it leaves open two problems: Encryption and decryption with asymmetric key s are extremely computing intensive. The operations are slower by a factor of 100 when compared with symmetric key s. Thus, the above scenario is actually impractical from a computing-time perspective. key s are therefore seldom used for entire communications unless the amount of data being encrypted is very small. We will see later in the article that they are generally used only to exchange public keys spontaneously when needed, and to use these keys to agree on a symmetric session key. The session key is then used for the rest of the session with a symmetric key. Communicating parties would need to manage large numbers of public keys, and if two unacquainted parties needed to communicate they would have to go through the ritual of public key exchange first but how do they trust each other in the first place? Digital certificates and certificate authorities, discussed later, address this issue. Although the method of double encryption of the message does solve the integrity problem, we have seen that it is not practical. A practical approach is based on digital signatures. DIGITAL SIGNATURES To explain how digital signatures work, I first need to introduce the concept of message digests. A message digest is a simple number that can be quickly calculated from an input message. A good message digest has the property that if even a single bit of the input message is changed, the digest calculated will have a different value. Further, it is almost impossible to intentionally construct two messages that have the same digest value. For the moment, assume that we are concerned only about integrity and that there is no requirement for confidentiality. (I will bring confidentiality back into the equation later.) In such a case, when A sends a message to B, A can send the message along with its calculated digest value. On receiving the message, B re-computes the digest value and compares it to the value sent by A. If the two match, B can be confident that the message was not changed in any way in transit; if the message was modified, the two message digest values would not match. It is easy to see that message digests alone are insufficient to thwart a hacker. After all, the hacker can interpose and replace the message with a new one and also replace the digest with the digest corresponding to the new message. Thus, the recipient will find that the digests match even though the message has lost its integrity. Digital signatures use the concept of message digests with an added twist based on asymmetric keys to completely thwart hackers from surreptitiously modifying a message in transit. Once again we assume that our only concern is integrity. Using digital signatures, when A sends a message to B, A first calculates the message digest. A then encrypts the message digest with her private key. The result is the digital signature of the message. A now sends the original message along with its digital signature to B. Because the message digest is only a simple number, using asymmetric key s on it is not computationally intensive. On receiving the message, B first uses A s public key to decrypt the digital signature. This provides B with the message digest value. B can then independently generate the message digest from the message and compare the two. If they C R Y P T O G R A P H Y 49 J A N U A R Y / F E B R U A R Y

7 FIGURE 4 Creating and Verifying Digital Signatures A s private key Digest Algorithm message digest digital signature B s computer A s public key digital signature Digest Algorithm message digest 1 message digest 2 If the two digests match then B knows that the message is genuine match, then B is confident that no one has tampered with the message. This process is illustrated in Figure 4. Under this scenario, it is impossible for the hacker (H) to undetectably replace the transmission with a new message and a matching digital signature because H does not have A s private key. Suppose H does replace the message with a new message and replaces the digital signature with one generated using his own private key and then sends the message and the signature to B. B, assuming that the message is coming from A, will use A s public key on the digital signature. This will fail to produce the actual message digest that H calculated because H did not use A s private key. B will thus know that someone has tampered with the message. Digital signatures do not address the confidentiality issue at all. They do solve the integrity problem completely. To a limited extent, they also solve the problem of authentication, if the message recipient has the public key of the sender. In real terms it is impractical to expect that any two communicants will have each other s public keys readily available at all times. We need a scalable way of exchanging public keys spontaneously with a guarantee of the identities of the parties involved. This is where digital certificates and certificate authorities come into the picture. DIGITAL CERTIFICATES As before, let us assume that A and B have already exchanged public keys and trust each other. Suppose C now wants to have a secure communication with A, but A and C are not mutually acquainted. Unless A knows or trusts C, A will refuse to have a secure conversation with C. Suppose B knows and trusts C. Now, because A trusts B and B trusts C, there is a chain of trust potentially enabling A to trust C. How is this chain of trust established electronically? Because B trusts C, B can issue a digital certificate to C. A digital certificate consists of identifying information about an entity along with the signed public key of that entity. It essentially states that the issuer of the certificate believes that the public key in the certificate belongs to the person whose identifying information appears in the certificate. To issue a digital certificate to C, B creates a structure that contains identifying information about C (e.g., the name and other important public information) and attaches C s public key encrypted with the private key of B. Because B is the only entity that can use B s private key, the certificate 50 I N F O R M A T I O N S Y S T E M S S E C U R I T Y

8 FIGURE 5 B Creating a Digital Certificate for C B s private key Digest Algorithm message digest Information about B Information about C C s public key digital signature C s digital certificate essentially represents that B vouches for C s identity, and anyone having B s public key can verify the fact. This process is illustrated in Figure 5. The above arrangement works fine when there is an intermediary such as B who can establish a chain of trust between the communicating parties. In most business situations, especially in Web-based business-toconsumer E-commerce, this requirement would be cumbersome. This issue is addressed by certificate authorities. CERTIFICATE AUTHORITIES Certificate authorities (CAs) are organizations specifically created to issue digital certificates after properly verifying the identities of entities requesting them. Many CAs exist; some well-known ones are Verisign, Certisign, and Thawte. CAs are assumed to be trusted parties and hence the certificates issued by them serve to verify the identities of the parties presenting them. For example, in a Web-based E-commerce transaction, a buyer would want to ensure that she is really dealing with a genuine Web site and not that of an imposter before entering sensitive information such as a credit card number. The vendor can establish identity by presenting a digital certificate issued by a CA. The public keys of CAs are widely distributed. All Web browsers typically come pre-installed with these public keys. Suppose two parties A and C are unacquainted and one of them, say C, wishes to initiate a secure conversation with the other. C first gets a digital certificate from a CA and presents it to A. A already has the public key of well-known CAs and hence can use the appropriate one to extract C s public key from the certificate. Similarly, A can present her certificate to C, from which C can get A s public key. The above mechanism can be employed to spontaneously exchange public keys with complete confidence about the identities of the communicating parties. However, as already mentioned, using public key encryption is computing intensive and impractical for complete conversations. This final hurdle is addressed by Secure Sockets Layer. SECURE SOCKETS LAYER Secure Sockets Layer (SSL) was created by Netscape Corporation to address the difficulty of using public key encryption for complete conversations. It provides a way to use a symmetric key (much more efficient than asymmetric key s) in a secure manner. It is specifically designed for Web-based E-commerce wherein a browser and server need to engage in a secure conversation. The following steps occur in an SSL-based exchange: C R Y P T O G R A P H Y 51 J A N U A R Y / F E B R U A R Y

9 The server presents a digital certificate issued by a CA. The browser verifies the certificate and extracts the server s public key. The browser then generates a symmetric key (called session key). The browser encrypts the session key with the server s public key and sends it to the server. The server extracts the session key. The browser and server conduct a secret conversation using the shared session key, but they can use a symmetric key for much greater efficiency. Server and browser discard the session key at the end of the conversation. In the above scenario, only the server is authenticated by means of a digital certificate; this is all that is typically needed for business-to-consumer E-commerce. A version of SSL includes client authentication as well, which can be used when both parties need to be authenticated. When we see in our browser s address line, it indicates that SSL, and therefore the full weight of public key cryptography, is in use. CONCLUSIONS This article has introduced the essential aspects of public key cryptography. We looked at the shortcomings of symmetric key s used in isolation and showed how public key cryptography based on asymmetric key s overcomes the problems by enabling confidentiality, message integrity, and authentication. Finally, we looked at the essentials of SSL, which combines the power of public key cryptography with the speed of symmetric key s to provide security and efficiency. References 1. Harold F. Tipton (Editor), Micki Krause (Editor), Information Security Management Handbook, Fifth Edition, Auerbach Publications, Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall, I N F O R M A T I O N S Y S T E M S S E C U R I T Y