3 Integrity– checks that the message sent is complete, i.e. that it isn’t corrupted.
4 Non-repudiability– ensures sender cannot deny sending message.
5 Availability– how can threats to the continuity and performance of the system be
eliminated?Approaches to developing secure systems
Digital certificates
There are two main methods of encryption using digital certificatesor ‘keys’:1 Secret-key(symmetric) encryption. This involves both parties having an identical
(shared) key that is known only to them. Only this key can be used to encrypt and
decrypt messages. The secret key has to be passed from one party to the other before
use in much the same way a copy of a secure attaché case key would have to be sent
to a receiver of information. This approach has traditionally been used to achieve
security between two separate parties, such as major companies conducting EDI. Here
the private key is sent out electronically or by courier to ensure it is not copied.
This method is not practical for general e-commerce since it would not be safe for
a purchaser to give a secret key to a merchant since control of it would be lost and it
could not then be used for other purposes. A merchant would also have to manage
many customer keys.
2 Public-key(asymmetric) encryption.Asymmetric encryption is so called since the keys
used by the sender and receiver of information are different. The two keys are related
by a numerical code, so only the pair of keys can be used in combination to encrypt
and decrypt information. Figure 3.11 shows how public-key encryption works in an
e-commerce context. A customer can place an order with a merchant by automati-
cally looking up the public key of the merchant and then using this key to encrypt
the message containing their order. The scrambled message is then sent across the
Internet and on receipt by the merchant is read using the merchant’s private key. In
this way only the merchant who has the only copy of the private key can read the
order. In the reverse case the merchant could confirm the customer’s identity by read-
ing identity information such as a digital signature encrypted with the private key of
the customer using their public key.Digital signatures
Digital signaturescan be used to create commercial systems by using public-key encryp-
tion to achieve authentication: the merchant and purchaser can prove they are genuine.
The purchaser’s digital signature is encrypted before sending a message using their privateCHAPTER 3· THE INTERNET MACRO-ENVIRONMENT
Digital certificates
(keys)
Consist of keys made
up of large numbers
that are used to
uniquely identify
individuals.
Symmetric
encryption
Both parties to a
transaction use the
same key to encode
and decode messages.
Asymmetric
encryption
Both parties use a
related but different
key to encode and
decode messages.
Digital signatures
A method of identifying
individuals or
companies using
public-key encryption.
Figure 3.11Public-key or asymmetric encryption