Lecture 09

The document discusses various aspects of transaction security including digital signatures, digital certificates, SSL, and SET. Digital signatures use public key encryption to verify the origin and integrity of messages. Digital certificates are issued by a certification authority to further verify identities and are signed with the CA's private key. SSL encrypts data transmitted on the web to prevent unauthorized access. SET was developed by Visa and Mastercard to securely conduct online financial transactions using digital certificates and public key cryptography.

Uploaded by

Rehan Ullah

Rehan Ullah

Lecture overview
- Transaction security cont…
  - Digital signature
  - Digital certificates
- Web security
  - SSL
  - SET
Digital signature
- A digital signature is a cryptographic mechanism that performs a similar function to a written signature.
- Digital signatures are implemented using public-key encryption.
Purpose of using digital signature
- It is used to verify the origin and contents of a message.
- Digital signatures are used for sender authentication.
- The originator (the sender of an e-mail message) cannot falsely deny having signed the data.
- The digital signature enables the computer to notarize the message, assuring the recipient that the message has not been forged in transit.
Scenario using digital signature
- When Susan orders something from Online Mart, she uses Online Mart’s public key to encrypt her confidential information.
- Online Mart then uses its private key to decrypt the message.
- To ensure further security, Susan can enclose a digital signature, encrypted with Susan’s private key, which Online Mart can decrypt with Susan’s public key, knowing that only Susan could have sent it.
How it works
- To digitally sign a document, a user combines her private key and the document and performs a computation on the composite (key + document).
- The output of this computation is a unique number called the digital signature.
- Consider the following bank scenario.
Sender side
- An electronic document, such as an order form with a credit card number, is run through the digital signature process.
- The output is a unique “fingerprint” of the document.
- This “fingerprint” is attached to the original message.
- This “fingerprint” is further encrypted with the signer’s private key.
- The user sends the result of the second encryption to her bank.
Receiving side
- The bank then decrypts the document using her public key.
- To verify the signature, the bank performs a computation involving the original document, the purported digital signature and the customer’s public key.
- If the result of the computation is a matching “fingerprint” of the document, the digital signature is verified as genuine; otherwise, the signature may be fraudulent or the message altered.
Digital certificates
- Authentication is further strengthened by the use of digital certificates.
- Before two parties use public-key encryption to conduct business, each wants to be sure that the other party is authenticated.
- One way to ensure that the public key belongs to the specific party is to receive it over a secure channel directly from that party; however, this is not always possible.
Digital certificates cont…
- An alternative to the use of a secure channel is to use a trusted third party to authenticate that the public key belongs to the specific party.
- Such a party is known as a certification authority (CA).
- Once the specific party has provided proof of its identity, the certificate authority creates a message containing the party’s name and its public key.
- This message, known as a certificate, is digitally signed by the certificate authority.
Digital certificates cont…
- It contains owner identification information as well as a copy of one of the owner’s public keys.
- To get the most benefit, the public key of the certificate authority should be known to as many people as possible.
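The sign-and-verify flow from the signature slides and the CA certificate check from the certificate slides, as one added example that is not part of the original lecture. It uses a deliberately tiny textbook RSA (constructed 16-bit primes, SHA-256 reduced modulo n) so it runs offline; the party names, the `name|n|e` certificate format and the sample order are assumptions.

```python
import hashlib
import math

# Constructed toy RSA keys built from 16-bit primes so the example runs offline.
# Real deployments use 2048-bit or larger keys plus a padding scheme such as RSASSA-PSS.
SUSAN_PRIMES = (65521, 65537)   # Susan, the signer
CA_PRIMES = (65539, 65543)      # the certification authority
E = 65537                       # public exponent shared by both keys

def keygen(p, q):
    """Return ((n, e), d): the public key and the private exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(E, phi) == 1
    return (n, E), pow(E, -1, phi)

def fingerprint(message, n):
    """The slides' 'finger print': a hash of the document, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, pub, d):
    """Sender side: hash the document, then 'encrypt' the hash with the private key."""
    n = pub[0]
    return pow(fingerprint(message, n), d, n)

def verify(message, signature, pub):
    """Receiving side: recover the hash with the public key and compare fingerprints."""
    n, e = pub
    return pow(signature, e, n) == fingerprint(message, n)

def issue_certificate(ca_pub, ca_d, owner, owner_pub):
    """The CA binds the owner's name to the owner's public key and signs that binding."""
    body = f"{owner}|{owner_pub[0]}|{owner_pub[1]}".encode()
    return body, sign(body, ca_pub, ca_d)

def verify_signed_order(order, sig, cert, ca_pub):
    """Online Mart's check: trust the certificate first, then the order signature."""
    body, cert_sig = cert
    if not verify(body, cert_sig, ca_pub):      # not issued by the CA we trust
        return False
    _owner, n, e = body.decode().split("|")
    return verify(order, sig, (int(n), int(e)))  # sender authentication + integrity

CA_PUB, CA_D = keygen(*CA_PRIMES)
SUSAN_PUB, SUSAN_D = keygen(*SUSAN_PRIMES)
SUSAN_CERT = issue_certificate(CA_PUB, CA_D, "Susan", SUSAN_PUB)
ORDER = b"order=1 widget; ship to Susan"       # constructed sample document
ORDER_SIG = sign(ORDER, SUSAN_PUB, SUSAN_D)
```

A modulus this small is forgeable by brute force; the point is the flow (hash, sign with the private key, check with the certified public key), not the key strength.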
World Wide Web security
- It is important that clients authenticate themselves to servers and that servers authenticate themselves to clients.
- Whenever a message enters the public Internet it must bear some form of identification from the system from which it came.
- On the network this identification often takes the form of an IP address.
Secure Sockets Layer
- The web itself does not encrypt the data sent across it, and anyone who intercepts a web transmission has complete access to the information contained therein.
- Through the use of SSL, if a transmission falls into the wrong hands, the information it contains should be unreadable to anyone other than the sender and receiver.
How it works
- A browser communicates with web servers using a protocol called HTTP.
- To download the HTML file of a home page, for example, the browser sends an “HTTP GET” command to the server.
- The server responds by transmitting the file contents to the browser.
- The text of the GET command and the text of the HTML file are sent and received through connections called sockets.
How it works cont…
- SSL automatically encrypts the data before it is transmitted and decrypts it at the receiving end.
- In between, the data is a meaningless jumble of zeros and ones to anyone without the decryption key.
Secure Electronic Transaction (SET)
- SET is a protocol developed by VISA and MasterCard in February 1996.
- SET uses digital certificates to authenticate each party in an e-commerce transaction, including the customer, the merchant and the merchant’s bank.
- Public-key cryptography is used to secure information as it is passed over the web.
How it works
- Merchants must have a digital certificate and special SET software to process transactions.
- Customers must have a digital certificate and digital wallet software.
- A digital wallet is similar to a real wallet: it stores credit (or debit) card information for multiple cards as well as a digital certificate verifying the cardholder’s identity.
How it works
- Digital wallets add convenience to online shopping; customers no longer need to re-enter their credit-card information at each shopping site.
- When a customer is ready to place an order, the merchant’s SET software sends the order information and the merchant’s digital certificate to the customer’s digital wallet, thus activating the wallet software.
How it works cont…
- The customer selects the credit card to be used for the transaction.
- The credit card and order information are encrypted using the merchant’s bank’s public key and sent to the merchant along with the customer’s digital certificate.
How it works cont…
- The merchant then forwards the information to the merchant’s bank to process the payment.
- Only the merchant’s bank can decrypt the message.
- The merchant’s bank then sends the amount of the purchase and its own digital certificate to the customer’s bank to get approval to process the transaction.
How it works cont…
- If the customer’s charge is approved, the customer’s bank sends an authorization back to the merchant’s bank.
- The merchant’s bank then sends a credit card authorization to the merchant.
- Finally, the merchant sends a confirmation of the order to the customer.
Advantages and limitations of SET
- In the SET protocol, the merchant never sees the client’s proprietary information.
- Therefore the client’s credit card number is not stored on the merchant’s server, considerably reducing the risk of fraud.
- SET requires a special type of software on both the client and server sides; that requirement increases the transaction cost.
Have a nice Day!!!
