
Security Fundamentals for E-Commerce


For a complete listing of the Artech House Computing Library, turn to the back of this book.

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce (e-commerce). Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high-standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL:

http://www.esecurity.ch/serieseditor.html

Also, if you’d like to contribute to the series and write a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Computer Security Series

Rolf Oppliger, Series Editor

Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas

Security Fundamentals for E-Commerce, Vesna Hassler

Security Technologies for the World Wide Web, Rolf Oppliger


Security Fundamentals for E-Commerce

Vesna Hassler

Pedrick Moore, Technical Editor

Artech House Boston • London www.artechhouse.com


Library of Congress Cataloging-in-Publication Data

Hassler, Vesna.

Security fundamentals for E-commerce / Vesna Hassler; Pedrick Moore, technical editor.

p. cm. — (Artech House computer security series)

Includes bibliographical references and index.

ISBN 1-58053-108-3 (alk. paper)

1. Electronic commerce—Security measures. 2. Broadband communication systems.

I. Moore, Pedrick. II. Title. III. Series.

Security fundamentals for e-commerce — (Artech House computer security series)

1. Business enterprises—Computer networks—Security measures. 2. Electronic commerce—Security measures. 3. Broadband communication systems.

I. Title. II. Moore, Pedrick.

005.8

ISBN 1-58053-406-6

Cover design by Wayne McCaul

© 2001 ARTECH HOUSE, INC.

685 Canton Street

Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-108-3

Library of Congress Catalog Card Number: 00-064278

10 9 8 7 6 5 4 3 2 1

To my families, Ristić and Hassler

Contents (only the entries that survive in this copy)

Is security an obstacle to e-commerce development? xx
2 Security Mechanisms 11
3.2 Public Key Infrastructure 53
Part 2
6.2 Payer Anonymity 88
6.5 Nonrepudiation of Payment Transaction Messages 95
8.1 Payment Authorization Transfer 119
10.9 Virtual Private Networks (VPN) 158
11.3.2 Challenge-Handshake Authentication Protocol
12.2.2 Filtering Based on IP Addresses and Port Numbers 188
12.5 Network-Based Intrusion Detection 210
13.5 Simple Authentication and Security Layer (SASL) 232
13.6 Internet Security Association and Key Management
14.5.2 Types of Intruders 249
17 Web Client Security 285
19.3 Micropayment Markup 324
19.4 Joint Electronic Payments Initiative (JEPI) 324
20.5 Protecting Platforms From Agents Tampered With
21.3 GSM Security 356
21.6 Mobile Station Application Execution

What is covered in this book

E-commerce can take place between companies and customers (business-to-customer), between companies (business-to-business), or between customers (customer-to-customer). An e-commerce transaction involves information about goods or services, offers, ordering, delivery, and payment. Obviously, since these processes take place in a public and therefore untrusted network, there are many security issues involved, such as verification of the identities of the participants, or protection of data in transfer. Security issues in e-commerce applications can mostly be found in many other network applications as well. Some security requirements are, however, specific to e-commerce and demand specially tailored security concepts (e.g., electronic payment). The purpose of this book is to give an in-depth overview of all the basic security problems and solutions that can be relevant for an e-commerce application.

Is security an obstacle to e-commerce development?

I do not consider IT (Information Technology) security to be the main obstacle to widespread use of e-commerce. Many people do take that view, however, mainly because of the frequent reports on security incidents and denial-of-service attacks. One “positive” consequence of such attacks is that certain governments have now recognized the importance of a common network security infrastructure, because vulnerabilities at one place on the network can create risks for all. Security technologies are, for the most part, sufficiently mature for e-commerce. To some extent they are also standardized to ensure at least minimal interoperability (e.g., X.509 certificate format), although more work on profiling has to be done to ensure true interoperability. Basic security technologies are, however, not yet backed by appropriate international legislation. For example, there is no international legal framework for the acceptance of digital signatures. This is unfortunately not restricted to security, because other aspects of e-commerce transactions, such as taxation, liability, and ownership, are also not regulated in many countries. Another problem is that some countries control or even prohibit the use and the export of cryptography. Many governments now seem to have realized that this is an obstacle to economic development. The U.S. government, for example, finally relaxed export regulations significantly in January 2000 (e.g., Netscape 4.7 can now be exported with 128-bit encryption keys). Furthermore, IT products with security functionality supporting critical tasks should be carefully evaluated and certified by trusted third parties, as is common for products such as elevators or trains, i.e., for safety-critical systems in general. Finally, security is an area requiring constant supervision and upgrading, in view of the steady increase in computing power and improvement in crackers’ skills.[4]

Why I wrote this book

My main motivation for writing this book was to support my lecture on network and e-commerce security at the Technical University of Vienna. There are many useful works on individual aspects of e-commerce security such as cryptography, network or Web security, or electronic payment systems. Nevertheless, I wanted a book I could recommend to my students that would cover (and update) all topics that I considered relevant. It can be said that this book is the result of my eight years of experience teaching computer and network security at the graduate level. The book is also intended for all IT professionals and others with some technical background who are interested in e-commerce security.

Some disclaimers

This book does not cover all aspects of e-commerce, nor does it discuss specific e-commerce models and their particular security requirements. As its name says, the book deals with the fundamental security issues that one must consider when developing an e-commerce application. It does not always provide a detailed discussion of the security topics mentioned, but gives references instead. Whenever possible, I also provide URLs, but unfortunately I cannot guarantee that they will still be valid at the time of reading. In addition, draft documents representing work in progress (e.g., by IETF, W3C, and other standardization bodies) may also be expired or no longer available. Throughout the book I have mentioned certain company or product names: their sole purpose is to provide examples, not to give preference over other companies or products.

How to read this book

The book has five parts. Each part can be read individually, but each builds upon the previous parts. For example, the basic security mechanisms are explained in Part 1, so they are not explained again when mentioned elsewhere. It is not necessary to study all of the math in Part 1 to understand other parts of the book. It is sufficient, for example, to read the beginning of a section explaining a specific security mechanism to get an idea of the mechanism’s purpose. Part 2 concentrates on the specific security requirements of electronic payment systems. Part 3 addresses communication security, i.e., security issues in transferring data over an insecure network. Part 4 gives an overview of Web-related security issues and solutions. Finally, Part 5 deals with mobility aspects of both the code (mobile agents) and the customer (mobile devices and smart cards) from the security point of view.

[4] In technical circles, a “hacker” refers to someone who tries to break into a computer system purely for the challenge, to prove that it can be done. A “cracker,” on the other hand, breaks into a system with malicious intent.

Acknowledgements

I am deeply grateful to all those who supported me, directly and indirectly, in writing this book. Here I mention only some of them. Special thanks to Rolf Oppliger for introducing me to Artech House, encouraging me to write the book, and supporting my proposal until it was accepted. He was a great reviewer and helped me enormously to improve the quality of the content by his expert advice and many useful and important references. Special thanks to Peddie Moore for her friendship and the great moral support from the very beginning of the project. She not only improved the language and the style of the text, but also helped me correct many ambiguous or imperfect explanations. Thanks to Matthew Quirk for supporting Peddie and reviewing our work. Many thanks to Viki Williams, Susanna Taggart, and Ruth Young of Artech for their very professional and kind support. Thanks to my colleagues, Oliver Fodor and Herbert Leitold, for helping me find several important references. Many thanks to Prof. Mehdi Jazayeri, my department head, and my colleagues from the Distributed Systems Group for their support and understanding. Thanks to my students who attended the e-commerce security lecture for their interesting classroom discussions. Finally, very special thanks to my husband Hannes for his support, love, understanding, the many good technical books he bought for our home library, and excellent cooking during the numerous weekends I spent working at home.

I hope that you will enjoy reading the book, and that you will learn something from it. I am grateful for any feedback. You can reach me at hassler@infosys.tuwien.ac.at

Vesna Hassler
Vienna, October 2000

Part 1

Information Security

The Internet is a large and convenient network for transferring data and therefore seems to provide an ideal infrastructure for electronic commerce. Unfortunately, it is also a public and very insecure infrastructure, so data in transfer used for e-commerce must be protected by some form of information security. Part 1 explains basic information security services and cryptographic techniques to implement them.

1 Introduction to Security

This chapter presents a brief introduction to information security and explains the fundamental terms. It gives an overview of the basic information security services and security mechanisms that can be used to support a specific security policy.

1.1 Security Threats

Why would someone need a special security functionality? What can happen if he doesn’t have it? Systems can be exposed to many different types of threats or attacks. The term system here means a service available in a communication network, such as the Internet. It may be a logon service offered by a computer running a specific operating system, or a virtual shopping mall on a merchant’s Web site. The users and providers of such services, including human users, computers (hosts), and computer processes, are known as principals.

Attacks on a system can be classified as several types:

• Eavesdropping—intercepting and reading messages intended for other principals;
• Masquerading—sending/receiving messages using another principal’s identity;
• Message tampering—intercepting and altering messages intended for other principals;
• Replaying—using previously sent messages to gain another principal’s privileges;
• Infiltration—abusing a principal’s authority in order to run hostile or malicious programs;
• Traffic analysis—observing the traffic to/from a principal;
• Denial-of-service—preventing authorized principals from accessing various resources.

1.2 Risk Management

The process of enhancing a system with security functionality always begins with a thorough analysis of the most probable threats and the system’s vulnerabilities to them. Risk analysis [1] evaluates the relationship between the seriousness of a threat, its frequency of occurrence (probability), and the cost of implementing a suitable protection mechanism. Seriousness can be measured by the cost of repairing any damage caused by a successful attack. Table 1.1 shows a simplified analysis of the total cost (1 means lowest total cost, 9 means highest) that could be caused by a particular attack. This measure is sometimes referred to as the risk level, and the whole process is called risk management. Obviously, if an attack is likely to occur often and is very serious, it will be expensive to recover from. Consequently, it will pay off to implement suitable protection.

Table 1.1 Risk Levels 1–9 (risk level as a function of threat probability and threat seriousness; the table body is not recoverable from this copy)

Risk analysis should be done in the planning phase, before a specific security solution is implemented. However, since most systems that need protection are quite complex, it is impossible to be completely sure that the security measures implemented are sufficient. The Internet is a constantly changing environment, also from the security perspective; new vulnerabilities and new, more efficient, attacks are being discovered all the time. It is the role of compliance management to analyze whether the security functionality in place offers the kind of protection it is expected to.

1.3 Security Services

On the basis of the results of risk analysis, one can define a security policy that clearly specifies what must be secured [2]. A security policy usually cannot cover all possible risks to the system, but it represents a reasonable trade-off between risks and available resources. The functions that enforce the security policy are referred to as security services. The services are implemented by security mechanisms that are in turn realized by cryptographic algorithms and secure protocols.

The International Organization for Standardization (ISO, http://www.iso.ch) defines the following basic security services [3]:

• Authentication—ensures that a principal’s identity or data origin is genuine;
• Access control—ensures that only authorized principals can gain access

communication channel is only logical, the service is referred to as connectionless confidentiality. If only certain parts of the messages to be exchanged must be protected, a selective field confidentiality service is needed. For example, when HTTP messages are SSL-protected, there is connection confidentiality; if only some parts of HTTP messages are encrypted (e.g., by S-HTTP), there is selective field confidentiality. Traffic flow confidentiality protects against traffic analysis.

Similar to data confidentiality services, data integrity services are different for connection-oriented and connectionless protocols. For connection-oriented protocols they may even provide message recovery. Data integrity services can also protect selected fields of messages only.

According to the ISO, nonrepudiation services can prevent denial of the origin of data or the delivery of data. There are two additional possibilities: nonrepudiation of submission and nonrepudiation of receipt. However, they require a very complex infrastructure and are not discussed in this book.

1.4 Security Mechanisms

Security mechanisms can be specific or pervasive. The following specific security mechanisms can be used to implement security services:

• Encryption mechanisms;
• Digital signature mechanisms;
• Access control mechanisms;
• Data integrity mechanisms;
• Authentication exchange mechanisms;
• Traffic padding mechanisms;
• Routing control mechanisms;
• Notarization mechanisms.

Encryption mechanisms protect the confidentiality (or privacy) of data. An encryption mechanism always uses a key available only to a defined group of people. Such a group can consist of one person (the receiver of the encrypted data) or several people (e.g., all parties involved in a communication session).

As will be explained later, a digital signature is even more powerful than a hand-written signature. It can be generated by a special digital signature mechanism as well as by some encryption mechanisms.

Authentication can be based on an encryption mechanism, but for political reasons this is not always legal or desirable. Therefore several mechanisms have been developed whose only purpose is authentication exchange.

Access control mechanisms are closely connected with authentication. Each principal is assigned a set of access permissions or rights (e.g., read, write, execute). Each access to a protected resource is mediated by a central computing facility called a reference monitor. In order to be able to use its access permissions, a principal has to be successfully authenticated first. If access control is implemented correctly, most infiltration attacks pose no danger.

Data integrity mechanisms protect data from unauthorized modification. They can, for example, use digital signatures of message digests computed by a cryptographic hash function.

Traffic padding mechanisms offer protection against traffic analysis. Sometimes an adversary can draw conclusions from observing, for example, a change in the amount of data exchanged between two principals. Therefore it may be advisable to generate “dummy” traffic to keep the level approximately constant, so that the adversary cannot gain any information.

A routing control mechanism makes it possible to choose a specific path for sending data through a network. In this way, trusted network nodes can be selected so that the data is not exposed to security attacks. Moreover, if data entering a private network has no appropriate security label, the network administrator can decide to reject it.

Notarization mechanisms are provided by a third-party notary that must be trusted by all participants. The notary can assure integrity, origin, time or destination of data. For example, a message that has to be submitted by a specific deadline may be required to bear a time stamp from a trusted time service proving the time of submission. The time service could affix a time stamp and, if necessary, also digitally sign the message.

The following sections of this chapter describe most of the specific security mechanisms and explain some of the most frequently used cryptographic techniques for their implementation. Routing control mechanisms are not described in detail since they use a combination of authentication and access control mechanisms as well as certain other mechanisms that are outside the scope of this book. Nor are notarization mechanisms considered further, since they are based on authentication and nonrepudiation mechanisms.

The ISO standard [3] defines the placement of security services and mechanisms in the OSI (Open Systems Interconnection) seven-layer reference model. Some services may be provided at more than one layer if the effect on security is different (Table 1.2 [4]).

Table 1.2 Placement of Security Services in the OSI 7-Layer Reference Model

Application: Peer Entity Authentication; Data Origin Authentication; Access Control Service; Connection Confidentiality; Connectionless Confidentiality; Selective Field Confidentiality; Traffic Flow Confidentiality; Connection Integrity with Recovery; Connection Integrity without Recovery; Selective Field Connection Integrity; Connectionless Integrity; Selective Field Connectionless Integrity; Nonrepudiation of Origin; Nonrepudiation of Delivery

Presentation: none

Session: none

Transport: Peer Entity Authentication; Data Origin Authentication; Access Control Service; Connection Confidentiality; Connectionless Confidentiality; Connection Integrity with Recovery; Connection Integrity without Recovery; Connectionless Integrity

Network: Peer Entity Authentication; Data Origin Authentication; Access Control Service; Connection Confidentiality; Connectionless Confidentiality; Traffic Flow Confidentiality; Connection Integrity without Recovery; Connectionless Integrity

Data Link: Connection Confidentiality; Connectionless Confidentiality

Physical: Connection Confidentiality; Traffic Flow Confidentiality

Pervasive security mechanisms are not specific to any particular security service. Trusted functionality mechanisms provide a trusted computing base for performing security-critical operations. Security labels indicate the sensitivity level of data (e.g., top secret). Security recovery includes measures such as blacklisting of hosts or users, or disconnection from a public network. A security audit provides constant supervision of the security-critical activities in a system under protection. Its task is also to test for adequacy of system controls and compliance with the established security policy (compliance management). The results of auditing are referred to as the security audit trail (e.g., log files). Finally, the role of event detection or intrusion detection is to observe specific security violations or potentially dangerous events, or the number of occurrences of a specific event. For example, if the security policy of a LAN does not permit users to log in from outside the network, it is possible to detect any such attempts by automatically searching the log files for login attempts where the user domain is different from the local one.
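The log search described above, written out as an added Python example (it is not from the book). The log lines are constructed in sshd style and the local domain name is an assumption made for the example; the script flags every login attempt whose source host lies outside the local domain and, as a second event-counting check, repeated failures from one host.

```python
import re
from collections import Counter

LOCAL_DOMAIN = "example.com"   # assumption: the LAN's own DNS domain

# Constructed sample audit trail (sshd-style lines, not real data).
SAMPLE_LOG = """\
Oct  3 08:01:12 gw sshd[4121]: Accepted password for alice from ws17.example.com port 51022
Oct  3 08:02:40 gw sshd[4130]: Failed password for bob from dialup-77.isp.net port 40111
Oct  3 08:02:44 gw sshd[4130]: Failed password for bob from dialup-77.isp.net port 40111
Oct  3 08:02:49 gw sshd[4130]: Accepted password for bob from dialup-77.isp.net port 40111
Oct  3 08:05:03 gw sshd[4144]: Accepted publickey for carol from ws03.example.com port 52310
Oct  3 08:07:55 gw sshd[4150]: Failed password for root from scan.badhost.org port 33001
Oct  3 08:09:10 gw cron[4160]: (root) CMD (run-parts /etc/cron.hourly)
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<host>\S+)"
)


def parse_logins(log: str):
    """Yield (result, user, host) for every sshd login line; other lines are skipped."""
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("host")


def is_local(host: str, local_domain: str = LOCAL_DOMAIN) -> bool:
    # A reverse-resolved hostname inside the local domain is local; anything
    # else (foreign domain or an unresolved address) counts as external.
    return host == local_domain or host.endswith("." + local_domain)


def external_logins(log: str, local_domain: str = LOCAL_DOMAIN):
    """Policy violation: any login attempt, successful or not, from outside."""
    return [(result, user, host) for result, user, host in parse_logins(log)
            if not is_local(host, local_domain)]


def repeated_failures(log: str, threshold: int = 2):
    """Event counting: (user, host) pairs with at least `threshold` failures."""
    counts = Counter((user, host) for result, user, host in parse_logins(log)
                     if result == "Failed")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for event in external_logins(SAMPLE_LOG):
        print("EXTERNAL LOGIN ATTEMPT:", event)
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
```

On the sample trail the script reports all four attempts from outside example.com (three by bob, one aimed at root) and one host with repeated failures; the cron line, which is not a login event, is ignored by the pattern.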

Security mechanism management, as specified in the ISO standard, is concerned with the management of individual mechanisms. One of its most important functions is key management, which involves the generation and secure distribution of cryptographic keys.

References

[1] Ekenberg, L., and M. Danielson, “Handling Imprecise Information in Risk Management,” in Information Security – the Next Decade, Eloff, J. H. P., and S. H. von Solms (eds.), London: Chapman & Hall, 1995.

[2] Muftić, S., Security Mechanisms for Computer Networks, Chichester: Ellis Horwood Ltd., 1989.

[3] International Organization for Standardization, Information Technology – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture, ISO IS 7498-2, 1989.

[4] Hassler, V., Aspects of Group Communications Security, Ph.D. dissertation, Graz University of Technology, Graz, Austria, 1995.

2 Security Mechanisms

This chapter deals with security mechanisms that can be used to realize information security services. It first explains which cryptographic systems or cryptosystems are suitable for implementation and then describes the most widely used ones in detail.

2.1 Data Integrity Mechanisms

One way to protect data integrity is to use an encryption mechanism (e.g., DES in CBC mode, see Section 2.2). In this way, it would seem, both data integrity and data confidentiality are ensured. Unfortunately, encryption alone is not secure enough because of the possibility of bit flipping attacks [1]. If no authentication is provided, an attacker can flip bits in the ciphertext (i.e., exchange “0” for “1” or vice versa) without being detected. If the encrypted plaintext is not a human-readable message but a string automatically processed by a running program, the result from decryption of the altered ciphertext can potentially be interpreted in such a way as to cause serious damage to the program or the receiving host. The protection is either to add some authentication information to the plaintext before encryption or, if only integrity protection is required, to send the original message together with the ciphertext.
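As an added illustration that is not part of the book, the following Python script shows the bit flipping attack against an unauthenticated XOR-based cipher and how appending a MAC over the ciphertext (HMAC-SHA-256, the encrypt-then-MAC construction) makes the tampering detectable. The keystream generator, the key names and the sample bank order are assumptions made for the example; the toy keystream is a stand-in for a stream cipher or a block cipher in CTR mode and is not itself a vetted cipher. In CBC mode the same edit also scrambles the plaintext block before the one being changed, but still goes undetected without a MAC.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA-256 output length in bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks (assumption made
    for this example; stands in for a stream cipher or a block cipher in CTR
    mode, which XOR plaintext with a keystream in the same way)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def flip_bits(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's edit. Knowing only that `old` occupies `offset` in the
    plaintext, XOR (old ^ new) into the ciphertext; the receiver then decrypts
    `new` in that position. No key is needed."""
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)


def seal(key_enc: bytes, key_mac: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = encrypt(key_enc, nonce, plaintext)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(key_enc: bytes, key_mac: bytes, nonce: bytes, sealed: bytes):
    """Verify the tag in constant time before decrypting; None on tampering."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key_enc, nonce, ct)


def demo():
    """Returns (what the receiver gets without a MAC, with a MAC and no
    tampering, with a MAC after tampering)."""
    key_enc, key_mac, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    order = b"TRANSFER 00100 EUR TO B"   # constructed sample message
    amount_offset = order.index(b"00100")

    # 1. Encryption only: the amount field is rewritten undetected.
    ct = encrypt(key_enc, nonce, order)
    forged = flip_bits(ct, amount_offset, b"00100", b"10000")
    without_mac = decrypt(key_enc, nonce, forged)

    # 2. Encrypt-then-MAC: the same edit invalidates the tag.
    sealed = seal(key_enc, key_mac, nonce, order)
    tampered = flip_bits(sealed, amount_offset, b"00100", b"10000")
    return (without_mac,
            open_sealed(key_enc, key_mac, nonce, sealed),
            open_sealed(key_enc, key_mac, nonce, tampered))


if __name__ == "__main__":
    print(demo())
```

The attacker never sees the keys: knowing the layout of the order is enough to turn 100 into 10000 under encryption alone, while the MAC check rejects the edited message before it is decrypted. Separate keys for encryption and MAC, and a tag that also covers the nonce, are the details that keep the construction sound.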

Another way to ensure integrity is to use a digital signature mechanism (see Section 2.3). Digital signatures provide not only data integrity but also nonrepudiation. If only data integrity is desired, without confidentiality or nonrepudiation, it can be achieved by applying a message authentication code (MAC) based on a cryptographic hash function to the data to be protected (see Section 2.1.2). In general, cryptographic hash functions are very fast—far faster than encryption mechanisms.

2.1.1 Cryptographic Hash Functions

If a cryptographic hash function is applied to an input value of any length (up to a maximum possible length, for example 2^64 bits for SHA-1), the resulting output value will always be of a constant length (for example, 160 bits for SHA-1). This fixed-length output is referred to as the message digest, checksum, or hashsum. Since the set of all possible inputs is much larger than the set of all possible outputs, many different input values will be mapped to the same output value. However, it should be rendered computationally expensive to find different inputs that are mapped to the same output. In other words, the function must be made easy to compute in one direction (i.e., h: input → output), but not in the opposite direction. For this reason, cryptographic hash functions are often referred to as one-way (hash) functions. Strictly speaking, a cryptographic hash function y = h(x) must satisfy the following conditions. It is computationally infeasible to find

(a) x such that h(x) = y, for any given y (preimage resistance);
(b) y ≠ x such that h(x) = h(y), for any given x (second-preimage resistance);
(c) any pair (x, y) with x ≠ y such that h(x) = h(y) (collision resistance).

In general, there are two serious types of attacks against cryptographic hash functions. The first consists in finding a message M’ yielding the same hashsum as the original message M. Such an attack can be very dangerous where a digital signature is generated from the shorter hashsum instead of from the longer message. This is usually done as a matter of convenience, for generating a signature is a time- and resource-consuming task. As an example, suppose that A edited a message M and signed the hashsum h(M), M being a bank order to transfer 100 euros to B’s account. If condition (b) were not satisfied, B could easily find another message M’ so that h(M) = h(M’), in which 10,000 euros instead of 100 euros would be transferred. If condition (b) were satisfied, however, this type of attack would be extremely time consuming even for short hashsums.

The second type of attack is much more serious. This is when B tries to find two messages, M and M’, that yield the same hashsum but have completely different meanings. Suppose B wants A to transfer 10,000 euros to B’s account. B knows that A would never agree to transfer more than 100 euros, so it is necessary somehow for B to obtain A’s signature on the home-banking order. Note that in this case B has much more freedom, since there are many different ways to say that A wants to give B 100 euros, or 10,000 euros. Therefore the probability of finding two suitable messages is significantly higher than in the first attack, in which one of the messages is given. Actually, the probability is quite surprisingly higher, which is often referred to as the birthday paradox.

In terms of cryptographic hash functions, the first attack would require hundreds of thousands of years of computing time, while the second attack would be a matter of hours, at least for short (less than 100-bit) hashsums. For this reason it is of crucial importance to use a cryptographic hash function that not only satisfies conditions (a)–(c), but also produces outputs that are long enough to make the birthday attack infeasible with current technology.
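To make the two attacks concrete, the following added Python example (not from the book) runs both against SHA-1 truncated to 32 bits, a deliberately short hashsum. The “many ways to say the same thing” are produced in Yuval’s style by choosing one or two spaces at each of 18 word gaps, which gives 2^18 spellings of the benign order and 2^18 of the fraudulent one; the message texts, the truncation length and the search budgets are assumptions made for the example.

```python
import hashlib

BITS = 32   # truncated digest length for the demonstration (real digests: 160+ bits)
SLOTS = 18  # word gaps that may carry one or two spaces -> 2**SLOTS variants

BENIGN = ("Please transfer 100 euros from my account to the account of B as "
          "payment for the goods delivered last week with my kind regards and thanks")
FRAUD = ("Please transfer 10,000 euros from my account to the account of B as "
         "payment for the goods delivered last week with my kind regards and thanks")


def short_hash(msg: bytes, bits: int = BITS) -> int:
    """SHA-1 truncated to `bits` bits: a stand-in for a short, weak hashsum."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - bits)


def variants(text: str, slots: int = SLOTS):
    """Yield 2**slots semantically identical spellings of `text`: at each of
    the first `slots` word gaps, use one space or two."""
    words = text.split()
    assert len(words) > slots
    for mask in range(1 << slots):
        out = words[0]
        for i, w in enumerate(words[1:]):
            out += ("  " if i < slots and mask >> i & 1 else " ") + w
        yield out.encode()


def birthday_attack(benign: str = BENIGN, fraud: str = FRAUD, bits: int = BITS):
    """Attack 2: find one benign and one fraudulent variant with equal hashsums.
    Work is about 2**(bits/2) hash evaluations per side, not 2**bits."""
    table = {short_hash(m, bits): m for m in variants(benign)}
    for m in variants(fraud):
        h = short_hash(m, bits)
        if h in table:
            return table[h], m
    return None


def second_preimage(target: bytes, bits: int = BITS, budget: int = 1 << 16):
    """Attack 1: given a fixed target, find a different message with the same
    hashsum. Expected work is 2**bits trials, so a small budget almost never
    succeeds; the function returns None in that case."""
    want = short_hash(target, bits)
    for i in range(budget):
        candidate = b"Please transfer 10,000 euros, ref %d" % i
        if candidate != target and short_hash(candidate, bits) == want:
            return candidate
    return None


if __name__ == "__main__":
    pair = birthday_attack()
    print("collision found" if pair else "no collision", pair)
    print("second preimage:", second_preimage(BENIGN.encode()))
```

With 2^18 candidates on each side the expected number of cross-collisions in a 32-bit hashsum is 2^36 / 2^32 = 16, so the birthday search finishes in seconds, whereas the second-preimage search with its 2^16 budget has only a 2^-16 chance of success. Doubling the digest length squares the birthday cost; this is why the book insists on outputs long enough to push 2^(n/2) out of reach.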

The most popular cryptographic hash function family is the MD (message digest) family developed by R. Rivest. MD5, which is specified in a Request for Comments (RFC) document issued by the Internet Engineering Task Force [2] (IETF, http://www.ietf.org), is the latest member of the family. Since it has a 128-bit output, it is potentially vulnerable to a birthday attack and therefore not considered secure enough for the latest technology (it also has some structural problems).

SHA-1 (Secure Hash Algorithm 1, defined in the Secure Hash Standard [3]) is a much better choice since it produces a 160-bit output. It is based on principles similar to those used by R. Rivest when designing MD4 and MD5. The input message can be up to 2^64 bits long. It is divided into 512-bit blocks that are sequentially processed in such a way that the hashsum depends on all input blocks. A block consists of 16 words. Words are basic processing units on which the following operations are performed:

• Bitwise logical “and,” “inclusive-or,” “exclusive-or,” and “complement”;
• Addition modulo 2^32;
• Circular left shift.

SHA-1 additionally uses some carefully chosen constants. The computation requires two buffers with five 32-bit words each, and a sequence of eighty 32-bit words. The standard describes two methods of computation, one of which requires less memory than the other, but longer execution time. Implementers can make use of these possibilities to trade off memory against execution time.

2.1.2 Message Authentication Code

Cryptographic hash functions can be used to implement a data authentication mechanism. Data authentication is a combination of authentication and data integrity. The so-called MAC is computed in the following way:

MAC(message) = f(Secret Key, message)

in which f() is a function based on a specific combination of the cryptographic hash functions. If a sender and a receiver both know the secret key, the receiver can check the sender authenticity and the message integrity by applying the combination of known cryptographic hash functions to the secret key and the message. The first proposal for MAC computation was simply to apply a cryptographic hash function h() to the concatenation of the secret key and the message, that is, to compute h(Secret Key, message) or h(message, Secret Key). Unfortunately, that approach proved to be insecure [4].² A combined approach was to prefix and suffix two different secret keys and compute h(Secret Key 1, message, Secret Key 2). This approach is much more secure, but there is an attack, although impractical, that makes it possible to find the secret keys. The best approach so far is to apply an iterated hash function [4], for example h[secret key, h(secret key, message)], and use some padding. This approach was chosen as mandatory to implement for many Internet security protocols [5], such as IPsec and SSL/TLS.

14 Security Fundamentals for E-Commerce

2 See CRYPTO/EUROCRYPT papers at http://www.cryptography.com/resources/papers/index.htm
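The iterated construction with padding that the text recommends is HMAC (RFC 2104). As an added example, not code from the book, the naive prefix MAC is shown next to the nested construction, together with a receiver-side check that compares tags in constant time; SHA-1 is used as the underlying hash and the key and message values are constructed for the test.

```python
import hashlib
import hmac  # standard library HMAC, used only to cross-check

BLOCK_SIZE = 64  # MD5 and SHA-1 both process 512-bit (64-byte) blocks


def naive_prefix_mac(key: bytes, message: bytes) -> bytes:
    """The first proposal from the text, h(Secret Key, message). With an
    iterated hash the output is just the internal state after the last
    block, which is why this construction turned out to be insecure."""
    return hashlib.sha1(key + message).digest()


def nested_mac(key: bytes, message: bytes) -> bytes:
    """The iterated construction with padding, h[key, h(key, message)],
    written out as HMAC (RFC 2104) with SHA-1 as the underlying function."""
    if len(key) > BLOCK_SIZE:               # over-long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")    # then zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in key)  # the two "different" keys are
    outer_key = bytes(b ^ 0x5C for b in key)  # derived from one secret key
    inner = hashlib.sha1(inner_key + message).digest()
    return hashlib.sha1(outer_key + inner).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time, so the
    comparison does not leak how many leading bytes of the tag matched."""
    return hmac.compare_digest(nested_mac(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against the standard library HMAC implementation."""
    return nested_mac(key, message) == hmac.new(key, message, hashlib.sha1).digest()
```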

2.2.1 Symmetric Mechanisms

In a symmetric cryptosystem, the encryption and decryption transformations are identical or easily derived from each other. If the message to be encrypted (plaintext) is denoted by M, the encrypted message (ciphertext) by C, and the cryptographic key by K, the symmetric encryption E and decryption D can be defined as follows:

E_K(M) = C

D_K(C) = M

In a symmetric cryptosystem the same key is used for both encryption and decryption. This key is called the secret key since it must remain secret to everybody except the message sender(s) and the message receiver(s). Obviously, it is necessary that the receiver obtain not only the encrypted message, but also the corresponding key. The encrypted message may be sent over an insecure communication channel—after all, that is why it needs to be encrypted. The key, however, must not be sent over the same channel, and this leads to a serious problem of symmetric cryptosystems: key management. The secret key must either be sent over a separate, secure channel (e.g., a sealed envelope), or it must be sent encrypted. For the encryption of symmetric keys in transfer, a public key mechanism can be used (see Section 2.2.2).

2.2.1.1 One-Time Pad

Encryption techniques are much older than computers. In fact, one of the earliest known encryption techniques was used by the Roman dictator Julius Caesar (100–44 B.C.). In the Caesar Cipher, each plaintext character of the Latin alphabet is replaced by the character three positions to the right of it (“A” is replaced by “D,” “B” by “E,” etc.). The one-time pad is also a classic technique. Invented by Gilbert Vernam in 1917 and improved by Major Joseph Mauborgne, it was originally used for spy messages.

The one-time pad is very important for cryptography because it is the only perfect encryption scheme known. In other words, the ciphertext yields absolutely no information about the plaintext except its length [6]. The definition of perfect secrecy given by C. E. Shannon in 1943 is actually younger than the one-time pad. It turns out that perfect secrecy requires that

• The encryption key be at least as long as the message to be encrypted;
• Each key be used only once.

This is exactly the case with the one-time pad. Unfortunately, it makes key management extremely difficult, since new keys must be exchanged each time.

The one-time pad key is a large, nonrepeating set of truly random key letters. The encryption is the addition modulo 26 of one plaintext character and one one-time pad key character. Plaintext characters are mapped to numbers corresponding to their positions in the English alphabet. The one-time pad is a symmetric mechanism, since the same key is used for both encryption and decryption. For example,
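An added example, not from the book, of the letter-based one-time pad described above: encryption adds pad letters modulo 26, decryption subtracts them, and the two conditions for perfect secrecy are enforced. The last function shows why the second condition exists: when a pad is reused, subtracting two ciphertexts cancels the pad and leaves only the difference of the two plaintexts. The pad values in the test are constructed.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # plaintext letters map to 0..25


def generate_pad(length: int) -> str:
    """A pad of random key letters. The secrets module uses the OS CSPRNG;
    a true one-time pad needs a physical randomness source, but this is the
    right API in software (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _check(text: str, pad: str) -> None:
    if not all(ch in ALPHABET for ch in text + pad):
        raise ValueError("only uppercase letters A-Z are supported")
    if len(pad) < len(text):  # first condition: key at least as long as text
        raise ValueError("pad must be at least as long as the text")


def otp_encrypt(plaintext: str, pad: str) -> str:
    """Ciphertext letter = (plaintext letter + pad letter) mod 26."""
    _check(plaintext, pad)
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
                   for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """Decryption subtracts the same pad letter: the mechanism is symmetric."""
    _check(ciphertext, pad)
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))


def round_trip(plaintext: str) -> bool:
    """Fresh pad per message, as the second condition requires."""
    pad = generate_pad(len(plaintext))
    return otp_decrypt(otp_encrypt(plaintext, pad), pad) == plaintext


def pad_reuse_residue(ciphertext1: str, ciphertext2: str) -> str:
    """If two messages share one pad, (c1 - c2) mod 26 equals (p1 - p2) mod 26:
    the pad cancels out and the result depends on the plaintexts alone."""
    return "".join(ALPHABET[(ALPHABET.index(a) - ALPHABET.index(b)) % 26]
                   for a, b in zip(ciphertext1, ciphertext2))
```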


2.2.1.2 Data Encryption Standard

The Data Encryption Standard (DES) was developed in the United States by IBM and NIST (the National Institute of Standards and Technology³) in 1976. DES is standardized as the Data Encryption Algorithm (DEA) by ANSI (the American National Standards Institute⁴) [7], and as DEA-1 by ISO⁵ [8]. Its main advantage, apart from not yet being broken by cryptanalysts despite its age, is that it can be easily and efficiently implemented in hardware. More information on the background of DES can be found in [6]. DES is a block cipher since it encrypts data in 64-bit blocks. If data is longer, it must be divided into 64-bit blocks. It may happen that the last part of some data is shorter than 64 bits. In such a case it is usual to fill the remaining part of the block with zeros (padding). The result of DES encryption is also a 64-bit block. The key has 56 bits and 8 parity bits. The same algorithm is used for both encryption and decryption, but with reverse key ordering.
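The key and block layout just described, as an added example (not the book's code, and not a DES implementation, which the Python standard library does not provide): 56 bits of key material are spread over 8 bytes with an odd parity bit in each, and data is split into 64-bit blocks with zero padding. The comment on the padding function notes the caveat a practitioner needs: zero padding is not reversible on its own.

```python
def set_odd_parity(key_bytes: bytes) -> bytes:
    """Set the low bit of each byte so that the byte has odd parity. DES uses
    only the upper 7 bits of every byte in its key schedule: 56 key bits
    plus 8 parity bits make up the 64-bit key."""
    out = bytearray()
    for b in key_bytes:
        upper7 = b & 0xFE
        parity_bit = 0 if bin(upper7).count("1") % 2 == 1 else 1
        out.append(upper7 | parity_bit)
    return bytes(out)


def has_odd_parity(key_bytes: bytes) -> bool:
    """A well-formed DES key is 8 bytes, each with an odd number of 1 bits."""
    return len(key_bytes) == 8 and all(bin(b).count("1") % 2 == 1 for b in key_bytes)


def des_key_from_56_bits(material: int) -> bytes:
    """Spread 56 bits of key material over 8 bytes (7 bits each, shifted left
    by one) and fill in the parity bits."""
    raw = bytes((((material >> (7 * (7 - i))) & 0x7F) << 1) for i in range(8))
    return set_odd_parity(raw)


def effective_key_bits(key_bytes: bytes) -> int:
    """Strip the parity bits again: the 56-bit integer DES actually keys on."""
    value = 0
    for b in key_bytes:
        value = (value << 7) | (b >> 1)
    return value


def zero_pad_blocks(data: bytes, block_size: int = 8) -> list:
    """Split data into 64-bit blocks, filling the last one with zeros as the
    text describes. Caveat: zero padding is ambiguous when the plaintext
    itself may end in zero bytes, so the true length must be carried
    separately (or an unambiguous scheme such as PKCS#7 used instead)."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if blocks and len(blocks[-1]) < block_size:
        blocks[-1] = blocks[-1].ljust(block_size, b"\x00")
    return blocks
```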

Posted: 04/03/2019, 14:00
