You are on page 1of 10

CSE 306

Evaluation of Encryption techniques and encryption roles in E-Commerce

Lame Segokgo
e-mail: lame.segokgo@gmail.com

Abstract
It has to be appreciated that most people are choosing the click and mortar type of shopping
methods as opposed to brick and mortar models. E- Commerce is the purchasing of goods and
services through the internet, Al-Slamy, N.M.A (2008). This model includes exchanging of
valuable information between the buyer and the seller and amongst this information are
financial credentials which are compromised when transactions take place over the internet
hence the need for security mechanisms such as encryption. According to Widjadja, D., (2009),
Encryption is the encoding of data using an algorithm so that it is incomprehensible to any party
in the event that data transmission is intercepted unless the key is known to enable decryption.
There is Symmetric encryption and Asymmetric encryption as types of encryption and then
techniques such as the RSA (Rivest-Shamir-Adlmen) algorithm, Data Encryption Standard
(DES), Secure Socket Layer (SSL) and Pretty Good Privacy (PGP), all of which will be
evaluated in this paper as far e-commerce is concerned. This paper will briefly evaluate the
abovementioned encryption techniques, their roles in e-commerce and as well as the future of
encryption as far as e-commerce is concerned. We will also evaluate the existing literature on
the phenomenon.

1.0 Introduction
It has been observed that most people now
are moving towards purchasing of goods and
services through the internet and that is
termed as electronic commerce or ecommerce, according to Al-Slamy, N.M.A.,
(2008). This thereby means that a lot of user
data to the extent of financial credentials are
being part of the transaction(s). The
different types of e-commerce models
available are, business to business (B2B),

business to customer (B2C), customer to


customer (C2C), customer to business (C2B)
and business to government (B2G). it was
sought that a mechanism is needed to ensure
that users are protected at all times and user
data is being transferred in the most secure
and anonymous way to malicious acts or
persons who may wish to exploit that
simultaneously ensuring safety of the
business and its clients.The mechanism that

will be identified and evaluated in this paper


is the encryption method.
According to Widjadja, D., (2009),
Encryption is the encoding of data using an
algorithm so that it is incomprehensible to
any party in the event that data transmission
is intercepted unless the key is known to
enable decryption. This will therefore ensure
integrity of data and also enforces digital
authentication thus allowing the customer
and the retailer to explicitly identify one
another on both ends. The various risks that
the retailers and customers are exposed to in
e-commerce are, spoofing, eavesdropping,
hacking and unauthorized disclosure and
action and even data alteration. Popular
encryption techniques used to tackle these
threats are, data encryption standard (DES),
advanced encryption standards (AES),
digital signatures, digital certificates, pretty
good privacy (PGP), Rivest, Shamir,
Adleman (RSA) systems and the most
popular secure socket layer (SSL). In this
paper we will closely evaluate these
techniques as far as the e-commerce
phenomenon is concerned.
When talking about encryption, there are
two terms that are commonly used and
should never be omitted, asymmetric
encryption and symmetric encryption. These
are the methods that the above techniques
are classified under. They will be briefly
perused in this paper also.

2.0 Literature Review


2.1 Role of Encryption in e-commerce
As we have pointed out in the previous
section, encryption is necessary in that it
keeps away unauthorized parties from
accessing sensitive user data. Encryption
provides customers with the confidence that
a client values their privacy and security,
(coldfuel.co.uk). This means that, a
customer feels emotionally secured knowing
that the retailer has his/her interests at heart
by providing a secure means for transaction.
http://www.coldfuel.co.uk/news-blog/theimportance-of-ssl-for-your-ecommercewebsite/ (accessed on 30-10-2012)
Encryption also ensures that the e-commerce
transactions remain confidential and cannot
be modified or repudiated
(ecommercetimes.com). It is important that
an e-commerce treat every customer data
diligently so as to avoid third party access
that can manipulate the data to their own
benefit or sabotage original clients by
altering their information which may end up
being denied by the system.
http://www.ecommercetimes.com/story/764
87.html (accessed on 30-10-2012)
2.1 Encryption Methods
2.1.1 Symmetric Encryption
This is a method of encryption that features
only one key to encrypt the information and
also to decrypt it. It works very well when
both the sender and the receiver arrange well
in time to exchange information. A high
level of trust and rapport have to exist

between communicators because of the fact


that the same key is used to encrypt and
decrypt information so one may easily
manipulate data to their advantage if should
they be in possession of your key. It works
well with short keys and shorter lifespan. An
advantage in that accord is that, it is very
fast and highly efficient and also that it is
used when a large amount of information is
to be encrypted. However, the shortfalls
noted are thus, there is a high possibility of
keys being intercepted during
communication and therefore posing and
information risk. Key transmission should
be highly guaranteed in this regard.
2.1.2 Asymmetric Encryption
This is a method in which two keys are used
to encrypt and decrypt the data. These keys,
the public key and the private key
complement each other. The public key is
used to encrypt the information and is freely
distributed across the network. It can never
be used to decrypted and encrypted
information and the private key is used to
decrypt the information and is known only
to the receiver. It can never be shared.
Asymmetric encryption is very slow and is
not advisable for information that is above 1
kilobyte. However its advantage is that it
provides security for the information that it
is being implemented on. It also solves the
repudiation problem as there are no third
users that can be blamed, only the sender
and receiver can access the data.
3.0 Encryption techniques in e-commerce
3.1 Data Encryption Standard (DES)

This is an encryption technique that was


introduced in 1975 by IBM and standardized
in 1977 by the US government. It uses the
transformations on blocks of 64bit
corresponding to binary encoding of
message text. It was originallydesigned to be
implemented in hardware. The process of
DES as explained by Rajamaran, V.,(2001)
is that, these 64bit blocks are divided into
32bit blocks each and a secret key is applies
in the ith round of the process. He further
explains that s complex function which uses
both permutation and substitution operation
is applied to produce a prototype block. This
block will then be permuted using the secret
key to obtain the final encrypted block. One
advantage to note about DES is that it would
take a very long time for one to break the
code by trying all the possible keys. And a
shortfall that has been noted by Ramajaran
is that with advent of super computers which
are very fast, it would soon become a glide
to break a DES encrypted transaction. So its
advisable for retailers to affiance themselves
with the Advanced Encryptions Standards
(AES) which uses 128bits blocks.

3.1 Rivest, Shamir, Adleman (RSA)


this is a popular public key invented by the
three investors Rivest, Shamir and Adleman
around the year 1977. It is the first ever
algorithm to be invented that can be used for
public key encryption and digital signatures.
According to techtarget.com (accessed 3010-12), RSA as is it is widely known, is the
most commonly used encryption and
authentication algorithm and it is included as
part of web browsers from Microsoft and
Netscape. The RSA algorithm entails only

three steps which are; key generation,


encryption and decryption. According to
Rouse, M., (2005), the algorithm involves
multiplication of two large prime numbers
and through additional operations deriving a
set of two numbers that constitutes the
public key and another set as the private key
and once these keys are created the prime
numbers are then discarded. In this whole
process the private key is never sent through
the internet. RSA is most commonly used in
e-mails. An advantage noted is that with
RSA, it provides high security without
compromising usability, Henry, D., (2009).
This means that genuine customers to the
retailer can freely gain access to the
retailers system while fraudsters will be
blocked which translates to minimal
reduction of fraud and peak in customer
confidence. It also boasts that itd take a
whole amount of resources including time
for someone to come near factoring the
public key. However Killeen, R
(http://members.tripod.com) states that there
are possible attacks to this prime standard of
encryption and top of the list is factoring of
prime numbers. This explained mean that, if
multiple modern super computers are
combined in grid computing, finding two
prime factors of even a 640bit number can
take maybe up to 5months which means that
after all, when a fraudster invests more
resources as mentioned above they can at
the end of the day break an RSA encrypted
message. But up until then RSA standard
becomes the unsolvable, unbeatable and
unbreakable standard.
http://searchsecurity.techtarget.com/definitio
n/RSA (Accessed 30-10-2012)

http://members.tripod.com[Accessed on 3010-2012]
3.3 Pretty Good Privacy (PGP)
This is an algorithm founded by Phillip
Zimmerman and standardized in 1996 to
provide a good means of communications in
a non-secure environment. It is now owned
by Network Associates who have now since
converted it into open source allowing
anyone to review the code and suggest
improvements. Its application is mostly
centered in securing e-mail communications
but the US government has since adopted it
to secure day-to-day communications, thus
fulfilling the original intentions of
Zimmerman and PGP of safeguarding
information from governmental intrusions,
Sean, D. (2000). Most e-commerce retailers
however use PGP as a way of signing the
document/communique as a way of
verifying the integrity of the original work.
There are five (5) services offered by PGP
and these are; authentication,
confidentiality, compression, e-mail
compatibility and segmentation. According
to Pool, J.B., (2001), the process of PGP
entails a user creating a pair of keys in
inception of the process. These keys are
created at varying strengths to the
satisfaction of the user, that is a 512, 1024 or
2048bit keys can be used, the higher the
number, the stronger the key.As other
standards a pair of keys is produced, being
the private key and the public key, the
private key should be kept as safe as
possible. There are a few quoted advantages
of using this encryption algorithm; a user
has absolute assurance that the information
they had just sent or received has not been

modified in transit. That means to say data is


from third party distortion and modification
thus avoiding repudiation. Its openness also
allows for flexibility and always updated
because different users will come with
varying and most of the times custom ideas
to the benefit of the retailer and the buyers.
However, PGP is demanding in the sense
that it needs both the sender and the
customer to have PGP installed for either to
view the message. This means that if the
receiver does not have PGP installed there is
no how they can be able to view the
messages sent to them. As most users have
complained that PGP is complex to
manipulate, key management in PGP can be
a very challenging task as keys that are lost
or corrupted can be seen security risks on
users that are in a highly secure area, some
might not even be able to neither receive nor
read the documents sent to them. The
solution to all these now remains training of
users on how to use PGP enabled systems,
which comes with its own costs.

3.4 Secure Socket Layer (SSL)


This is a communication system that ensures
privacy when communicating with other
SSL enabled products. The first version of
SSL was designed by Netscape
Development Corporation while the current
version was designed from review and input
by the industry. SSL is a symmetric
encryption nested with public key
encryption, authenticated through use of

certificates. Technically we could say SSL is


a protocol that runs above the TCP/IP and
below HTTP or other top-level protocols.
SSL is commonly used for transmitting
payment information between buyer and
seller. It sends data back and forth between
the card holders web browser software and
the merchants web browser within a secure
environment. SSL encapsulates data into
transactions and guarantees confidentiality
and integrity of the individual engaged in
the transaction. SSL uses the public
key/private key encryption system from
RSA which also includes the use of a digital
certificate. The secure environment for SSL
is created through the use of public key
cryptography, which consists of the
encryption (scrambling) and decryption
(unscrambling) of information. The recipient
then uses a private key to decrypt the
message. As a result, only the designated
recipient has the ability to read the message,
Korper, S. and Ellis, J., (2001) pp. 142 -143.
The advantage of SSL is that, it ensures data
confidentiality and integrity between buyer
and sellers thus building a very good rapport
between them as customers are assured that
the merchant values their privacy and
security. A disadvantage observed about the
SSL is that, communication is only possible
between SSL compatible environments and
it is very complex and costly to install SSL
software on a computer.
http://developer.netscape.com/docs/manuals/
proxy/adminux/encrypt.htm

4.0 Critical Evaluation of Encryption


Techniques
This section complements the above section
which was reviewing existing research from
other academics as far as this phenomenon
is concerned. However, this research will in
this section evaluate and review the future of
encryption techniques in e-commerce as far
as user security and technology
advancement are concerned.
4.1 Future of the Encryption techniques
The various encryption
techniques/algorithms that we reviewed
have an exceptional ability to develop and
are very flexible as far as accepting new
modules of development are concerned. A
typical example can be the Data Encryption
Standard (DES) which is currently being
reviewed and thought to be improved to the
Advanced Encryption Standard (AES). This
comes after the realization that DES can
only use transformations on 64bit blocks of
which it can take modern super-fast
computers to crack the key for encryption.
AES is said to use 128bits per block which
means that cracking the code will take a
very long time or close to impossible to
achieve. Research in the field of encryption
e-commerce security also is maturing as new
threats and solutions to those threats are
concerned. These threats are centered on the
advancement of the technological hardware
of the malicious personnel so the research
on the area has shown that the operations of
these also has to be improved especially
when talking about the size of blocks the
algorithms are capable of handling. This
may come as expensive but it is pertinent to
keep up with rapid growth of technology

and hackers. Most importantly, customers


on the other side will have to always be
encouraged to improve their systems and
this where the open source systems come in
play that is they should develop free
licensed software to improve the security
capabilities of the current client-server
software. Even though they come with their
own disadvantages, the open source systems
are very much reliable as they are updated
every now and then thus ensuring systems
that can match latest security threats. This is
to mean, algorithms such as SSL and PGP
stand a good chance of not being replaced in
the future but rather improved with lesser
changes as they are currently being
developed by the open source community.

5.0 Recommendation
This section is where this paper will
recommend its suggestions to the online
security authorities as far as encryption
techniques in e-commerce are concerned.
With all the above realizations that some
encryption techniques can be cracked if the
right resources are channeled towards the
process, this paper recommends that those
loopholes should be perused and they be
solved amicably. This could be done by
investing the right kind of resources or more
that maybe needed to break the code if
possible, and exploring the number of bit
blocks that are used to break that code. After
all this is done, the developers will be in a
good way to determine the exact
requirements needed to improve the
algorithm. Such techniques for example are
the likes of Data Encryption Standard
(DES). Also to ensure that online customers
interests are safeguarded and thought for,
the authorities should hastily move to
standardize the Advanced Encryption
Standard (AES) which has not been
standardized as yet. AES is said to be a
direct improvement/replacement to the DES
as it uses transformations on 128bit blocks
as compared to the 64bit blocks of DES.
Also, this research suggests that online
customers should be advised to move for
latest encryption enabled software
environments like SSL enabled browsers as
their payment information needs to be
confidential between them and their retailers
and only such environments can guarantee
such confidentiality and integrity. There
should also be a regulatory body with the
open source community which will ensure
that the developed products do not

compromise the security of information


shared between customers and their retailers.

6.0 Conclusion
This research paper concludes that for the
complete security of transactions and
information that transpires between the
buyer and the seller online, there has to be
robust technological advancement thus
ensuring that different techniques of ecommerce are catered for. It has been
acknowledged in the paper that hackers are
also improving their intellect and resources
to counter or manipulate the existing
encryption techniques for e-commerce
systems, so the authorities should act well in
time to save the customers from such
incidents. With all fact finding especially
from the existing literature espoused by this
research, this research would like to
conclude that the best algorithm yet is the
RSA algorithm which more secure and has
less shortfalls as compared to all other
techniques reviewed herein. This conclusion
comes after reviewing the processes of the
RSA algorithm, its pros and cons and its
ability to not allow room for repudiation. An
interesting advantage quoted is that, it
provides security for information without
compromising usability.
However, with integration of other online
security mechanisms like the Intrusion
Detection Systems, the encryption
techniques used for e-commerce would not
come costly as the intrusion detection
systems would keep hackers at bay. This
conclusion is derived from the impeccable
ability of the intrusion detection systems of
being able to keep hackers at bay or alert the
administrator of any malicious intent during
the transaction.

7. References
[1]. Dr. Nada M. A. Al-Slamy (2008).
Ecommerce Security,Vol. 8, No.5,
International Journal of Computer Science
and Network Security, Available at
paper.ijcsns.org/07_book/200805/20080550.
pdf [accessed on 30-10-2012]
[2] Diana Widjadja, (2009). E-commerce,
Encryption Methods for secure e-commerce
websites Available at
www.dianawidjaja.com/files/ecommercesec
urity.pdf [Accessed 30-10-2012]
[3] http://www.coldfuel.co.uk/newsblog/the-importance-of-ssl-for-yourecommerce-website/[accessed on 30-102012]
[4] John K. Higgins, Feds Find E-mail
Encryption Can Backfire, October 26, 2012
http://www.ecommercetimes.com/story/764
87.html [accessed on 30-10-2012]
[5] V Ramajan, (2001). Electronic
Commerce, Secure Messaging, vol 6. Pg.8
17 Available at
www.ias.ac.in/resonance/Jan2001/pdf/Jan20
01p8-17.pdf [Accessed on 30-12-2012]
[6] Margaret Rouse, RSA (Rivest Shamir
Adleman) Algorithm, September, 2005.
http://searchsecurity.techtarget.com/definitio
n/RSA (Accessed 30-10-2012)
[7] Robert Kelleen,
http://members.tripod.com[Accessed on 3010-2012]
[8] Dane Henry, RSA: Asymmetric
Cryptography and Algorithm Analysis for a
Secure Computing Environment, 2009.

Available at
http://www.dwhenry.com/files/RSA.pdf
[Accessed on 30-10-2012]
[9] Bernard John Poole. Pretty Good
Privacy Downloading, Installing, Setting
Up, and Using this Encryption Software -A
Tutorial for Beginners to PGP, 2001.
Available at
http://www.pitt.edu/~poole/PGPTutorial.pdf
[Accessed 30-10-12]
[10] Korper, S. and Ellis, J., the ECommerce Book, 2nd Edition, Academic
Press, 2001.
[11]
http://developer.netscape.com/docs/manuals/
proxy/adminux/encrypt.htm [Accessed on
30-10-2012]