EGERTON UNIVERSITY

COMP 424 Computer Security

ASSIGNMENT: Digital signature and Non-repudiation services in E-Commerce

PRESENTED BY: BII K. ERIC S13/20450/08 k.ericbii@gmail.com 0727652805

Lecturer: MR. BOSIRE Date: 23-2-2012


DIGITAL SIGNATURE TECHNOLOGY

Introduction

Definition: a "digital signature" is extra data appended to a message which identifies and authenticates the identity of the sender and the message data using public-key encryption. The sender uses a one-way hash function to generate a hash-code from the message data. He/she then encrypts the hash-code with his/her private key. The receiver recomputes the hash-code from the data and decrypts the received hash with the sender's public key. If the two hash-codes are equal, the receiver is given an indication that the data has not been corrupted while in transit from one machine to another, and that it appears on first glance to have come from the given sender.

Digital signature technology grew out of public key cryptography. In public key cryptography, you have two keys: a private key and a public key. When you send a document to someone, you use your private key to sign the document. When recipients receive the signed document, they use the sender's public key to authenticate the document. This diagram illustrates the digital signature process.

Suppose you want to send a digitally signed document to John. After you create the document, you pass it through a message hash algorithm. The algorithm generates a hash of the document that is a checksum of the contents of the document. You then encrypt the message hash with your private key. The result is a digital signature. You append this digital signature to the document to form a digitally signed document, and then send it to John.

When John receives the document, he passes the document contents through the same message hash algorithm that you used, and creates a new hash. At the same time, John uses your public key to decrypt your digital signature, thereby converting the signature to the original hash. John then compares the newly generated hash and the original hash. If the hashes match, John can be sure that the document he received is really from you and that no one altered it during transmission. If the hashes don't match, John knows that tampering or a transmission error changed the document contents.

The most commonly used message hash algorithms are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). MD5 can produce a 128-bit hash, and SHA-1 can produce a 160-bit hash. The hash algorithm is a one-way function that generates a one-way hash. Therefore, no one can derive original document contents from a message hash. The chance that two documents will have the same hash is almost zero. For example, the possibility that MD5 will output the same hash for two different documents is 1/2^128. (2^128 translates into about 1,500 documents for every square meter of the earth's surface.)

A digital signature is superior to a traditional handwritten signature. A skilled forger can alter the contents of a document with a handwritten signature or move a signature from one document to another without being detected. With digital signature technology, however, any change in a signed document—such as content modification or signature replacement—causes the digital signature verification process to fail.

Use of Digital signature in E-Commerce

Web-commerce has grown into one of the fastest-growing sectors of industry in the past two years. Billions of dollars have passed hands in the process and each entrepreneur wants a slice of the dough. To make this possible, data encryption plays a very central role in assuring customers that paying for anything online is secure.

Importance of encryption in e-commerce

In order to enable secure online transaction, data encryption plays four important functions:

- Digital authentication allows both the customers and the merchant to be sure that they are dealing with whom the other party claims to be. This is absolutely necessary before sending credit card details to the merchant and also allows merchants to verify that the customer is the real owner of the credit card being used.
- Integrity ensures that the messages received are not changed during transmission by any third party.
- Non-repudiation prevents customers or merchants denying they ever received or sent a particular message or order.
- In the event that information is intercepted, encryption ensures privacy that prevents third parties from reading and/or using the information to their own advantage.

What kind of encryption does e-commerce use?

There are two methods of encryption employed:

- Private-key encryption (secret-key or symmetric encryption) in which users share a common key.
- Public-key encryption (also known as asymmetric encryption) where different keys are used for encryption and decryption.

These systems have their advantages and disadvantages and so secure transaction protocols such as Netscape's Secure Sockets Layer and Secure Electronic Transaction use a combination of both.

Digital Identification

To be sure that genuine clients are dealing with genuine merchants, a scheme to identify oneself in the digital world must exist. This is the role played by digital signature and digital authentication.

Digital signatures therefore are implemented through public-key encryption and are used to verify the origin and contents of a message. A digital signature is prepared by first passing the message through a cryptographic function to calculate the message digest. The digest is then encrypted with the private key to produce a signature which is then added to the original message. The recipient of the digital signature can be sure that the message genuinely came from the sender. And, because the slightest change in the message gets reflected multi-fold in the message digest in a very obvious manner, the recipient can be sure that the message was not changed after the message digest was generated.

What is a digital certificate?

Digital certificates provide the basis for secure electronic transactions as they enable all participants in a transaction to quickly and easily verify the identity of the other participants. They are digitally signed and issued by a Certificate Authority which verifies that the public key attached to the certificate belongs to the party stated.

Established Online Transaction Protocols

Secure Sockets Layer (SSL)

Netscape's Secure Sockets Layer (SSL) protocol is currently the most widely used method for performing secure transactions on the Web and is supported by most Web servers and clients including Netscape's Navigator and Microsoft's Internet Explorer.

The Secure Sockets Layer (SSL) protocol provides several features that make it particularly suitable for use in e-commerce transactions.

- Privacy is guaranteed through encryption. Although data can still be intercepted by a third party they will be unable to read it as they have no access to the encryption key.
- Integrity is also ensured through encryption. If a message is received that will not decrypt properly then the recipient knows that the information has been tampered with during transmission.

- Authentication is provided through digital certificates.

Netscape was one of the pioneers in online information public security when it introduced SSL (secure sockets layer) in its popular Navigator browser in 1995, using technologies developed by RSA Security. SSL is an encryption technology that scrambles a message so that only the recipient can unscramble it. It increased the volume of online transaction, because this reduces online transaction risk and increases customer sense of security. People are much more willing to supply their credit card to the intended merchant when they learn of the security feature.

To be able to use SSL, a particular web-server must enable its SSL feature. Just like telephones, this will work only when the visitors' browser support SSL, the recent batch of which actually do. URLs that begin with "https://" are using SSL.

Both merchant and potential customer then should obtain a digital ID (also known as an authentication certificate) from a trusted third-party source that can vouch for their respective identity. A digital certificate is a form of identification in the online world, where a reputable company confirms that one really is who one says one is. Digital certificates provide the basis for secure electronic transactions as they enable all participants in a transaction to quickly and easily verify the identity of the other participants.

Secure Electronic Transaction (SET)

SET is the Secure Electronic Transaction protocol developed by Visa and MasterCard specifically for enabling secure credit card transactions on the Internet. It uses digital certificates to ensure the identities of all parties involved in a purchase and encrypts credit card information before sending it across the Internet. Like SSL, SET allows for the merchant's identity to be authenticated via digital certificates. However, SET also allows for the merchant to request users authenticate themselves through digital certificates. This makes it much more difficult for someone to use a stolen credit card.

Digital Copyright Protection

There are several ways in which encryption could help protect copyrighted materials in electronic world. Often, the key to the encrypted data is provided by the manufacturer after a purchaser registers his product.

Pirated Copies: freezing data at original time of original version copy may indicate authenticity. When the time does not match with the hashed value of time and purchaser ID, the program may be made to abort installation. Hardware or software may also be forced to accept only authentic data.

Customizing software: when software is installed, the existing serial number is converted into a product of hash function — obtained from some blocks of data from the hard disk. Machine-specific program will not work when program is transferred, unless a customized digital ID code is generated and copied together with software. This code is shipped at registration time.

Locking CD-ROM: Files are 'locked' in CD-ROM. CD-ROM contains many files, not all of which the user wants to buy. Unlocking the files requires different keys, which may be obtained from the manufacturer upon purchase of that particular file. This unlocked version is copied into hard disk — ready to use. However, this does not rule out copying all the files and their unlocking codes into new CDs and redistributing them.

Custom unlocking codes: Each file has one true key to unlock it. Often the value of key K, which is not necessarily unique from CD to CD, has to be read aloud over the phone. A solution is to encrypt K with ID: F_ID(K). Hence the value made known to user varies from CD to CD (different IDs). This method prevents collecting a list of unlocking codes for the CD and then distributing it, since each CD has different sequence of unlocking codes. A weakness occurs when a user gathers F_ID(K1), F_ID(K2), … F_ID(Kn) and tries to 'decrypt' the algorithm to recover ID, hence obtaining raw values of K for different files. A defensive mechanism then would be to encrypt each locking code with different values (hashed from time and ID).

Smart Card: 'pay per view' system could be implemented, where the smart card contains keys that can be used to decrypt the already present encrypted data. When keys are replaced in regular intervals, card too can be re-issued and recycled. In smart card, it is obvious from the absence of a magnetic stripe that they store all their information on a chip buried within the card. Compared to conventional magnetic stripe cards, smart cards differ in several important ways:

- They can store much more data
- They can be password protected
- They can incorporate a microprocessor that can perform processes such as encryption

NON-REPUDIATION SERVICE IN E-COMMERCE

Non-repudiation is the assurance that someone cannot deny something. It is the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

To repudiate means to deny. Authorities have sought to make repudiation impossible in some situations. One might send registered mail, for example, so the recipient cannot deny that a letter was delivered. Similarly, a legal document typically requires witnesses to signing so that the person who signs cannot deny having done so.

On the Internet, a digital signature is used not only to ensure that a message or document has been electronically signed by the person that purported to sign the document, but also, since a digital signature can only be created by one person, to ensure that a person cannot later deny that they furnished the signature.

Since no security technology is absolutely fool-proof, some experts warn that a digital signature alone may not always guarantee non-repudiation. It is suggested that multiple approaches be used, such as capturing unique biometric information and other data about the sender or signer that collectively would be difficult to repudiate.

Email non-repudiation involves methods such as email tracking that is designed to ensure that the sender cannot deny having sent a message and/or that the recipient cannot deny having received it.

Non-repudiation Protocol

While security issues such as secrecy and authentication have been studied intensively, most interest in non-repudiation protocols has only come in recent years, notably in the early 1990s with the explosion of Internet services and electronic transactions. Non-repudiation services must ensure that when two parties exchange information over a network, neither one nor the other can deny having participated in this communication. Consequently a non-repudiation protocol has to generate evidences of participation to be used in the case of a dispute.

With the advent of digital signatures and public key cryptography, the base for non-repudiation services was created. Given an adequate public key infrastructure, one having a signed message has an irrefutable evidence of the participation and the identity of his party.

A typical non-repudiation protocol can provide a number of different non-repudiation services, like non-repudiation of origin, non-repudiation of receipt and fairness, but the actual non-repudiation services provided by a protocol depend mainly on its application. For example, the publisher of an on-line magazine may want to keep track of the users that are downloading the latest issue, so non-repudiation of receipt would be required, that means the user could not deny having received the latest issue because the publisher has an evidence of the download. In that case non-repudiation of origin or fairness is not applicable. Contrariwise an electronic transactions site would require both non-repudiation of origin, receipt and also fairness.

In the cases where the evidence is provided to both parties, the protocol might also aim to provide fairness, i.e. no party should be able to reach a point where they have the evidence or the message they require without the other party also having their required evidence. Fairness is not required for non-repudiation, but it is usually desirable.

The first solutions providing fairness in exchange protocols were based on a gradual exchange of the expected information. However this simultaneous secret exchange is troublesome for actual implementation because fairness is based on the assumption of equal computational power on both parties, which is very unlikely in a real world scenario. Therefore the solution we will focus here is the adoption of a trusted third party (TTP). The TTP can be used as a delivery agent to provide simultaneous share of evidences.

From the existing applications, we can distinguish the following non-repudiation services:

Non-repudiation of origin (NRO): provides the recipient with the evidence NRO which ensures that the originator will not be able to deny having sent the message. The evidence of origin is generated by the originator and held by the recipient.

Non-repudiation of receipt (NRR): provides the originator with the evidence NRR which ensures that the recipient will not be able to deny having received the message. The evidence of receipt is generated by the recipient and held by the originator.

Non-repudiation of submission (NRS): is intended to provide evidence that the originator submitted the message for delivery. This service only applies when the protocol uses a TTP.

Evidence of submission is generated by the delivery agent, and will be held by the originator.

Non-repudiation of delivery (NRD): is intended to provide evidence that the recipient received the message. This service also only applies when the protocol uses a TTP. Evidence of delivery is generated by the delivery agent, and will be held by the originator.

Fairness: is achieved for a non-repudiation protocol if at the end of the protocol execution either the originator has the evidence of receipt for the message m and the recipient has the evidence of origin of the corresponding message m, or none of them has any valuable information.

References

i. http://library.thinkquest.org
ii. J. Zhou. Non-repudiation in electronic commerce. Computer Security Series. Artech House, 2001.
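
The hash-then-sign steps from the walk-through with John, and the NRO/NRR evidence exchange through a TTP acting as delivery agent, shown together as an added example (not part of the original assignment). It is a simplified exchange constructed for illustration: Alice, Bob, the `NRO|` and `NRR|` tags and the toy RSA keys built from Mersenne primes are assumptions, and SHA-256 stands in for MD5 and SHA-1, for both of which practical collisions are known.

```python
import hashlib

def keygen(p, q, e=65537):
    """Toy RSA (public, private) pair from constructed primes; illustration only."""
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest(data: bytes) -> int:    # SHA-256 stands in for the page's MD5/SHA-1
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data: bytes) -> int:
    """Hash the data, then transform the hash with the private key."""
    return pow(digest(data), private[1], private[0])

def verify(public, data: bytes, sig: int) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash."""
    return pow(sig, public[1], public[0]) == digest(data)

# Hypothetical parties; the Mersenne primes are constructed sample values.
ALICE_PUB, ALICE_PRIV = keygen(2**127 - 1, 2**521 - 1)   # originator
BOB_PUB, BOB_PRIV = keygen(2**107 - 1, 2**607 - 1)       # recipient

def make_nro(msg: bytes) -> int:
    """Evidence of origin: generated by the originator, held by the recipient."""
    return sign(ALICE_PRIV, b"NRO|" + msg)

def make_nrr(msg_hash: bytes) -> int:
    """Evidence of receipt: generated by the recipient, held by the originator."""
    return sign(BOB_PRIV, b"NRR|" + msg_hash)

def ttp_deliver(msg: bytes, nro: int, nrr: int) -> dict:
    """TTP as delivery agent: release both evidences together, or neither."""
    msg_hash = hashlib.sha256(msg).digest()
    if verify(ALICE_PUB, b"NRO|" + msg, nro) and verify(BOB_PUB, b"NRR|" + msg_hash, nrr):
        return {"recipient": (msg, nro), "originator": nrr}
    return {"recipient": None, "originator": None}

def origin_proved(msg: bytes, nro: int) -> bool:
    """Dispute: does the recipient's evidence show the originator sent msg?"""
    return verify(ALICE_PUB, b"NRO|" + msg, nro)

def receipt_proved(msg: bytes, nrr: int) -> bool:
    """Dispute: does the originator's evidence show the recipient got msg?"""
    return verify(BOB_PUB, b"NRR|" + hashlib.sha256(msg).digest(), nrr)

def demo() -> dict:
    order = b"order 17: 2 units, ship to Nakuru"          # constructed sample
    nro = make_nro(order)
    ok = ttp_deliver(order, nro, make_nrr(hashlib.sha256(order).digest()))
    aborted = ttp_deliver(order, nro, make_nrr(b"receipt for something else"))
    return {
        "fair_exchange": ok["recipient"] == (order, nro) and ok["originator"] is not None,
        "abort_leaves_nothing": aborted == {"recipient": None, "originator": None},
        "origin_proved": origin_proved(*ok["recipient"]),
        "receipt_proved": receipt_proved(order, ok["originator"]),
        "altered_order_rejected": not origin_proved(order.replace(b"2 units", b"9 units"), nro),
        "recipient_cannot_forge_nro": not origin_proved(order, sign(BOB_PRIV, b"NRO|" + order)),
    }
```

Calling `demo()` returns one boolean per property; a production system would use randomly generated keys with a padded scheme such as RSA-PSS rather than raw exponentiation.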
