Various types of encryption and how they are used to secure an e-commerce business.

by Chris Francis


Introduction

Cryptography is one of the most powerful tools available for making e-commerce secure. Cryptography is the science of hidden writing: storing or transmitting information in such a way that it is not revealed to those who are not intended to see it. Cryptography does this through encryption. Encryption is the process of taking a readable piece of information, e.g. text or a file, and converting it into an unreadable format under a key; decryption reverses the process for whoever holds the right key.


All encryption has four main areas:


Private Key Encryption

In private key encryption (also called symmetric encryption) the same key is used to encrypt and decrypt a message. The length of the key sets an upper bound on the strength of the encryption, because an attacker can always try every possible key; the cipher itself must also be free of shortcuts that are faster than that. The most widely used types of private key encryption in use today are:


DES stands for Data Encryption Standard. It was the first national standard encryption algorithm in the United States, adopted as a federal standard in 1977. However it has only a 56-bit key, and in 1998 a purpose-built machine recovered a DES key by brute force in a matter of days, so it is not secure for continued use today.


Triple DES is a variation on the original DES algorithm designed to make it more secure. It applies the DES operation three times (encrypt, decrypt, encrypt) with two or three independent keys, raising the effective security against the best known attacks to about 112 bits rather than 56, at the cost of running three times slower than DES.


RC4 is a stream cipher that was used in most SSL (Secure Sockets Layer) cipher suites of the time. Its keys in SSL are up to 128 bits long, which was considered good security. It has since been shown to have statistical biases in its keystream that leak plaintext, and its use in TLS is now prohibited (RFC 7465).


Sending an encrypted piece of information with any private key algorithm raises the same problem. For the message to be encrypted and then decrypted, both the sender and the recipient need the same key. Anyone who holds the key can decrypt with it, so if it falls into the wrong hands the contents can be read. This is the fundamental problem with private key encryption, known as key distribution: making sure the intended recipient of the information gets the key and no one else does.


Public Key Encryption

In 1976 Whitfield Diffie and Martin Hellman introduced public key cryptography, which overcomes the key distribution problem of private key encryption. It is called public key encryption because each party has two keys, a private key and a public key. Instead of using the same key for encryption and decryption, one is used to encrypt and the other to decrypt: anyone can encrypt a message with the recipient's public key, but only the holder of the matching private key can decrypt it. The private key is kept secret by its owner and the corresponding public key is freely available. This means the private key never leaves its owner and does not have to be sent anywhere it might be intercepted or copied.


Two of the public key encryption ciphers available are:


RSA is one of the most common and widely used ways of encrypting messages on the web, and it is normal for it to have key lengths of 1024 bits or more; 2048 bits is the minimum recommended today.


ElGamal is a lesser known form of public key encryption. Its security rests on the discrete logarithm problem, and it is closely related to the Diffie-Hellman key exchange used in SSL; ElGamal itself is used in OpenPGP.


Although public key encryption addresses the problem of getting keys to both sender and recipient safely, it has one major drawback. For RSA the security rests on the difficulty of factoring the public modulus into the two primes from which the private key is derived (for ElGamal it rests on the discrete logarithm problem). Because these problems have attacks much faster than trying every key, public key encryption needs much larger keys to reach the same security as private key encryption; a 1024-bit RSA key is rated at roughly the strength of an 80-bit symmetric key. The key size itself is not a major problem, but the arithmetic on such large numbers makes encryption and decryption very slow compared to private key encryption. Public key encryption also does not by itself prove that a public key belongs to the party it claims to; that is what certificates are for, and it is why SSL uses them.


Session Key Encryption

Session key encryption (also called hybrid encryption) combines the speed of private key encryption with the key distribution advantage of public key encryption. The sender generates a random, single-use session key, encrypts the message with a private key cipher under that session key, and then encrypts the session key itself with the recipient's public key. Both the encrypted message and the encrypted session key are sent. The recipient decrypts the session key with their private key, then uses the session key to decrypt the message. SSL follows the same pattern: the public key operation happens once per connection, and the bulk of the traffic is protected by the fast private key cipher.
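Public key encryption and session key encryption together, as an added example that is not part of the original article: the sender wraps a fresh random session key with the recipient's RSA public key, encrypts the message with a private key cipher under that session key, and the recipient unwraps the session key with their private key before decrypting. The block is stdlib-only Python. To stay self-contained it uses textbook RSA on a deliberately small 256-bit modulus (so key generation is instant) and a SHA-256 counter-mode keystream with an HMAC tag as the private key cipher; a real system would use a library providing 2048-bit RSA-OAEP and AES-GCM. All function names and the sample card-number message are this example's own assumptions.

```python
import hashlib
import hmac
import os
import random

_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 256):
    """Textbook RSA key pair: returns ((n, e), (n, d)). Toy size, illustration only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt_int(m: int, pub) -> int:
    n, e = pub
    assert 0 <= m < n, "message integer must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt_int(c: int, priv) -> int:
    n, d = priv
    return pow(c, d, n)


def _keystream(key: bytes, nbytes: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || i)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def _subkeys(session_key: bytes):
    """Separate encryption and MAC keys derived from the one session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def symmetric_encrypt(session_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC under the session key; returns (ciphertext, tag)."""
    enc_key, mac_key = _subkeys(session_key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()


def symmetric_decrypt(session_key: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _subkeys(session_key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def hybrid_encrypt(recipient_pub, plaintext: bytes):
    """Sender side: fresh session key, wrapped with the recipient's public key."""
    session_key = os.urandom(16)  # 128-bit key used for this one message only
    wrapped = rsa_encrypt_int(int.from_bytes(session_key, "big"), recipient_pub)
    ct, tag = symmetric_encrypt(session_key, plaintext)
    return wrapped, ct, tag


def hybrid_decrypt(recipient_priv, wrapped: int, ct: bytes, tag: bytes) -> bytes:
    """Recipient side: unwrap the session key with the private key, then decrypt."""
    session_key = rsa_decrypt_int(wrapped, recipient_priv).to_bytes(16, "big")
    return symmetric_decrypt(session_key, ct, tag)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"card 4111 1111 1111 1111 exp 12/03"  # constructed sample message
    wrapped, ct, tag = hybrid_encrypt(pub, msg)
    assert hybrid_decrypt(priv, wrapped, ct, tag) == msg
    print("round trip ok; wrapped key =", hex(wrapped)[:18], "...")
```

The tag is checked before anything is decrypted, so a modified ciphertext is rejected rather than silently yielding garbage. Textbook RSA without padding is malleable and leaks structure, which is why real key wrapping uses OAEP; the session-key pattern itself is unchanged by that choice.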


Encryption for E-commerce

Encryption is used in a variety of ways in the business and commercial world. The basic function of using encryption in business is to keep sensitive information safe. This information can come in a variety of forms:


Making an online credit card transaction is where most people come across encryption in e-commerce. This is normally done using SSL. The private key encryption used in SSL is normally 56-bit or 128-bit (older export versions were limited to 40-bit keys). However, according to Yahoo News the US government has recently approved a new 256-bit standard to replace the aging DES standard. The new standard, called Rijndael, is a private key block cipher with key lengths of 128, 192 or 256 bits; it does not generate keys itself, so in SSL it still has to be combined with a public key exchange to deliver the session key. [Yahoo News, 2001, accessed 6/12/01]. This should go a long way to providing much greater security, which will also help to increase consumer confidence in the safety of their card numbers when buying online.