Wednesday, February 18, 2009

Case Study 3 in E-Commerce

1. Assume that John wants to buy some CDs from an online shop called MusicPlus. Describe step by step (with figures and words).
a) How John should encrypt the information and send it via the Internet so that the information will be sent securely to MusicPlus.
Let us assume that MusicPlus has established asymmetric encryption for every transaction made to the store. Asymmetric encryption uses two keys, one for encryption and the other for decryption: the public key and the private key. The public key is given to anyone (John) and the private key is kept secret (MusicPlus). The keys use a one-way hash function that is impossible to reverse engineer.

With the assumption stated above, I believe that the best way for John to ensure the security of the information sent to MusicPlus is to have the public key.

b) How MusicPlus can ensure the information received is not being altered during the transmission process.
Internet security systems are systems that protect private resources and information on the Internet. There are many different types of Internet security systems that will help MusicPlus be assured that the information sent or received by them is not altered during the transmission process.

I believe, in relation to my answer on the first situational problem, that the best way to ensure data security is by using data encryption and by building firewalls. The figure below shows how MusicPlus can be protected from possible virtual attacks.

Figure 1: Shows a basic firewall topology.

A firewall is defined as a security device that controls the communication between computer networks. It is located between the company's internal network and external networks, and it prevents unauthorized access to the internal network. The firewall averts unprocessed database information sent over the Internet so it doesn't reach the database management system computer. When the database is processed through the Internet, the firewall permits limited access through techniques such as packet filtering. It is wise for computer users to have their computers protected by a firewall device to ensure security.

2. What are the differences between key distribution centre and certification authority? Briefly describe their mechanisms step by step.

Data encryption using symmetric or asymmetric key cryptography is a good method for ensuring data security, but each approach has a drawback. The drawback of symmetric key cryptography is the need for the two communicating parties to have agreed upon their secret key ahead of time. For public key encryption, the problem is obtaining someone's true public key. Both of these problems (determining a shared key for symmetric key cryptography and securely obtaining the public key for public key cryptography) can be solved using a trusted intermediary.

For symmetric key cryptography, the trusted intermediary is called a Key Distribution Center (KDC), which is a single, trusted network entity with whom one has established a shared secret key.

For public key cryptography, the trusted intermediary is called a Certification Authority (CA). A certification authority certifies that a public key belongs to a particular entity (a person or a network entity).

Process of KDC:

Suppose that Juan and Pedro are users of the KDC. Each knows only his own individual key, J and P respectively, for communicating securely with the KDC. Juan takes the first step:

Step 1: Using J to encrypt his communication with the KDC, Juan sends a message to the KDC saying he (A) wants to communicate with Pedro (B). We denote this message, J (A, B). As part of this exchange, Juan should authenticate the KDC using an authentication protocol and the shared key J.

Step 2: The KDC, knowing J, decrypts J (A, B). The KDC then authenticates Juan. The KDC then generates a random number, R1. This is the shared key value that Juan and Pedro will use to perform symmetric encryption when they communicate with each other. This key is referred to as a one-time session key, as Juan and Pedro will use this key for only this one session that they are currently setting up. The KDC now needs to inform Juan and Pedro of the value of R1. The KDC thus sends back an encrypted message to Juan.

Step 3: Juan receives the message from the KDC, verifies the nonce, extracts R1 from the message and saves it. Juan now knows the one-time session key, R1. Juan also extracts P (A, R1) and forwards this to Pedro.

Step 4: Pedro decrypts the received message, P (A, R1), using P and extracts A and R1. Pedro now knows the one-time session key, R1, and the person with whom he is sharing this key, A. Of course, he takes care to authenticate Juan using R1 before proceeding any further.
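The four steps above, written out as an added example (not part of the original case study) with both sides' messages, including what Pedro sees if the forwarded P(A, R1) is changed in transit. Assumptions: the reply layout J(nonce, R1, P(A, R1)) and the nonce in Juan's request are inferred from Step 3, and `seal`/`unseal` are a toy encrypt-then-MAC construction standing in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, json, secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy keystream (HMAC-SHA256 in counter mode); a stand-in for a real cipher.
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a shared key, e.g. J(A, B)."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("altered in transit or wrong key")
    return json.loads(_xor_stream(key, nonce, ct))

def kdc_reply(user_keys, sender, request):
    """Step 2: decrypt J(A, B), generate R1, answer with J(nonce, R1, P(A, R1))."""
    req = unseal(user_keys[sender], request)
    if req["from"] != sender:
        raise ValueError("request does not match sender")
    r1 = secrets.token_hex(16)                      # one-time session key R1
    ticket = seal(user_keys[req["to"]], {"from": sender, "key": r1})
    reply = {"nonce": req["nonce"], "key": r1, "ticket": ticket.hex()}
    return seal(user_keys[sender], reply)

def run_exchange(tamper=False):
    """Returns (Juan's R1, Pedro's R1, peer name Pedro learned)."""
    keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}  # J and P
    nonce = secrets.token_hex(8)
    request = seal(keys["A"], {"from": "A", "to": "B", "nonce": nonce})  # step 1
    reply = unseal(keys["A"], kdc_reply(keys, "A", request))             # step 3
    if reply["nonce"] != nonce:
        raise ValueError("stale or replayed KDC reply")
    ticket = bytearray.fromhex(reply["ticket"])     # Juan forwards P(A, R1)
    if tamper:
        ticket[20] ^= 0x01                          # constructed in-transit change
    pedro = unseal(keys["B"], bytes(ticket))        # step 4
    return reply["key"], pedro["key"], pedro["from"]
```

Juan never learns P and Pedro never talks to the KDC in this run; Pedro trusts R1 only because the ticket verifies under the key he shares with the KDC.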

A certification authority (CA) is an entity entrusted to issue certificates to individuals, computers, or organizations that affirm the identity and other attributes of the certificate subject to other entities. A CA accepts a certificate request, verifies the requester's information according to the policy of the CA, and then uses its private key to apply its digital signature to the certificate. The CA then issues the certificate to the subject of the certificate for use as a security credential within a public key infrastructure (PKI). A CA is also responsible for revoking certificates and publishing a certificate revocation list (CRL).
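The CA mechanism described above, as an added example that is not part of the original case study: the CA signs the binding between a subject and its public key, and a relying party holding only the CA's public key checks the signature, the subject and the CRL. Assumptions: the certificate fields, serial number and key strings are constructed, and the signature is textbook RSA over two small known primes with no padding, a toy that only illustrates the flow.

```python
import hashlib, json

# Toy RSA key for the CA: two known Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q                                # CA public key is (CA_N, E)
CA_D = pow(E, -1, (P - 1) * (Q - 1))        # CA private exponent, kept secret

def _digest(fields):
    # Canonical encoding of the certificate body, hashed and reduced mod n.
    body = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % CA_N

def ca_issue(serial, subject, subject_public_key):
    """The CA has vetted the request; bind subject to key and sign the binding."""
    fields = {"serial": serial, "subject": subject,
              "public_key": subject_public_key}
    return {**fields, "signature": pow(_digest(fields), CA_D, CA_N)}

def verify_certificate(cert, expected_subject, crl):
    """Relying party: needs only the CA public key and the current CRL."""
    fields = {k: cert[k] for k in ("serial", "subject", "public_key")}
    if pow(cert["signature"], E, CA_N) != _digest(fields):
        return "bad signature"
    if cert["subject"] != expected_subject:
        return "wrong subject"
    if cert["serial"] in crl:
        return "revoked"
    return "ok"

def demo():
    cert = ca_issue(1001, "MusicPlus", "musicplus-public-key (constructed)")
    # Someone substitutes their own key but cannot re-sign without CA_D.
    swapped = {**cert, "public_key": "substituted-public-key (constructed)"}
    return (verify_certificate(cert, "MusicPlus", crl=set()),
            verify_certificate(swapped, "MusicPlus", crl=set()),
            verify_certificate(cert, "MusicPlus", crl={1001}))
```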

