Cryptographic methods form the foundation of all e-commerce transactions. For the purposes of e-commerce, applied cryptography is the study of the process of creating cipher text (encrypted text) from plain text (human readable text). The types of encryption relevant to e-commerce are listed in the table below.
Symmetric encryption[1] is necessary because it encrypts data quickly and it is relatively secure. However, it is very difficult to distribute the symmetric keys securely in an e-commerce setting. Because the same key both encrypts and decrypts the data, you must keep the key secret. Yet, how do you get this key to its destination once you have encrypted the message?
Asymmetric encryption[2] handles this process, because it is able to use a key pair, where one key is made freely available and the other remains completely private.
For example, an email program uses symmetric encryption to encrypt the actual data. It uses asymmetric encryption to encrypt symmetric keys. It then uses one-way encryption to sign the data to ensure that the information has not been tampered with.
This is all encrypted to the receiver's public key, then sent across the network wire. When the receiver gets the message, the receiver uses the private key (the second half of the key pair) to decrypt the asymmetrically encrypted symmetric key.
The receiving computer decrypts the text with the symmetric key, then calculates the hash value. If the hash value is correct, the message has not been tampered with, and an email program that supports these protocols allows the message to be read.
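The hybrid flow described above, as an added example that is not part of the original page. Textbook RSA over a constructed demo key and a SHA-256 counter keystream stand in for a real asymmetric cipher and a real symmetric cipher so that it runs on the Python standard library alone; the function names `seal`, `open_sealed` and `keystream_xor` are this example's own.

```python
import hashlib
import secrets

# Constructed demo key pair built from two Mersenne primes: trivially
# factorable, and textbook RSA has no padding. Stand-in only, never for real data.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the receiver


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream."""
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(message, n, e):
    """Sender: hash the message, encrypt with a fresh key, wrap that key."""
    session_key = secrets.token_bytes(32)                 # new key per message
    digest = hashlib.sha256(message).digest()             # one-way hash
    body = keystream_xor(session_key, digest + message)   # symmetric step
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # asymmetric step
    return wrapped, body


def open_sealed(wrapped, body, n, d):
    """Receiver: unwrap the session key, decrypt, then check the hash."""
    session_key = pow(wrapped, d, n).to_bytes(32, "big")
    plain = keystream_xor(session_key, body)
    digest, message = plain[:32], plain[32:]
    if not secrets.compare_digest(digest, hashlib.sha256(message).digest()):
        raise ValueError("hash mismatch: message was altered in transit")
    return message
```

Only the 32-byte session key passes through the slow public-key operation; the message body, whatever its size, is handled by the fast symmetric step.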
The Image Gallery below describes how this process works.
The defense-in-depth strategy toward security requires system administrators to take every possible action to improve security. One significant improvement to security can be obtained by widespread use of encryption. With respect to the UNIX workstation, the following are security advantages to be gained:
- If a workstation gets compromised and taken over by an attacker, previously encrypted files are likely to be protected. This assumes that passphrases used to encrypt the data are kept in the user's memory and not on the workstation.
- By encrypting traffic on the local area network (LAN), the risk of being attacked from a local source is greatly reduced.
Many organizations consider their biggest security feature to be the firewall between the LAN and the Internet. However, other workstations on the LAN also pose a significant threat. For example, if the LAN is hubbed, any workstation can listen in on all instant messaging to and from another workstation. Even if the network is switched, there are readily available tools, such as ettercap, that can monitor all traffic in and out of a workstation.
- Much of the traffic that travels over the Internet, such as e-mail or FTP, is in the clear or unencrypted. The only protection afforded to this traffic is security through obscurity. In other words, the telnet, e-mail, and FTP traffic can be read in many places as the traffic is routed, but who would want to? Most users would not find this level of security very comforting.