Role of Certification Authority in E-Commerce
Download as PPT, PDF3 likes2,701 views
The document discusses the role of certification authorities in enabling e-commerce through establishing trust between parties. It explains that certification authorities issue digital certificates that map public keys to identities, allowing for the authentication of users and encryption of communications. The document outlines some of the main cryptographic techniques used, including secret key cryptography, public key cryptography for confidentiality and signatures for authenticity and integrity. It describes how public key infrastructure establishes a trusted system involving certification authorities that enable secure e-commerce transactions through protocols like SSL and SET.
![SET Protocol Process (Cont…)
Customer
Bank
Merchant
1. MPb[CPv{MPb(OI)+BPb(PI)}]
2. BPb[MPv[CPv{MPb(OI)+BPb(PI)}]]](https://image.slidesharecdn.com/roleofca-170109070422/85/Role-of-Certification-Authority-in-E-Commerce-25-320.jpg)
Role of Certification Authority in E-Commerce
- 1. Role of Certification Authority in E-Commerce M. Faisal Naqvi Research Consultant (Technical), ECAC
- 2. Obstacle in growth of E-Commerce Why most people don’t use E-Commerce? • Lack of trust • Fraudulent Merchants • Hacking/Cracking • Credit Card Information Theft • Privacy issues
- 3. Technical Requirements of User of E-Commerce • Confidentiality :- Privacy from third person • Integrity:- Change in message during transit should be detected • Authenticity:- Identity of sender should be detected • Non-repudiation:- Denial of sender should not be possible • Anonymity:- Info. of Customer & Transaction should be confidential from dealing party. • Availability
- 4. How Requirements can be Fulfilled? • Cryptography i.e. – Encryption (Encoding) – Decryption (Decoding) CALL ME Plain Text E DBMM NF Cipher Text D CALL ME Plain Text Alice Bob
- 5. Main Cryptographic Techniques 1. Secret Key Cryptography 2. Public Key Cryptography a) For Confidentiality b) For Authenticity & Integrity
- 6. 1. Secret Key Cryptography • Also called Symmetric Key Cryptography • Only one key is used for encryption as well as for decryption • e.g. Digital Encryption Standard (DES) CALL ME Plain Text E DBMM NF Cipher Text D CALL ME Plain Text Alice BobKey=1 Key=1
- 7. 2. Public Key Cryptography • Also called Asymmetric Key Cryptography • For each party there is a Key pair i.e.: 1. Private Key (known to owner only) 2. Public Key (Published, known to Everyone) • When we encrypt using Pub. Key it can only be decrypted using Pvt. Key and vice versa. • e.g. Rivest Shamir Adelman (RSA) Algorithm
- 8. 2. Public Key Cryptography (Cont...) • Public Key Cryptography can be used in two ways: a) Encryption with Pub. Key & Decryption with Pvt. Key (to achieve Confidentiality). b) Encryption with Pvt. Key & Decryption with Pub. Key (to achieve Authenticity and Integrity)
- 9. 2. Public Key Cryptography (Cont...) For Confidentiality • Sender Encrypts the Message with the Public Key of the Recipient • The Recipient Decrypts the Encrypted Message, with his own Private Key 10,000 Plain Text E 5,000 Cipher Text D 10,000 Plain Text Bob Bob’s Public Key=0.5 Bob’s Private Key=2Public
- 10. 2. Public Key Cryptography (Cont...) For Authenticity & Integrity of Message • The Sender Encrypts the Message, with his own Private Key. • The Recipient Decrypts the Encrypted Message with the Public Key of the Sender. 10,000 Plain Text E 20,000 Cipher Text D 10,000 Plain Text Bob Bob’s Private Key=2 Bob’s Public Key=0.5 Public
- 11. Achieving Authenticity, Integrity and Confidentiality simultaneously... Cipher Digital Sign 1. Sender’s Pvt. Sender 2. Recipient’s Pub. 3. Recipient’s Pvt. 4. Sender’s Pub. Doc. Digital Sign Doc. Recipient
- 12. Achieving Authenticity, Integrity and Confidentiality simultaneously (Cont…) 1. The Sender Encrypts the Message, with his own Pvt. Key. (for Authenticity and Integrity) 2. Then Sender Encrypts the result, with the Pub. Key of Recipient. (For confidentiality) 3. The Recipient decrypts the cipher, with his own Pvt. Key (to open confidentiality) 4. Then Recipient decrypts the result, with the Pub. Key of Sender (to Authenticate)
- 13. Need of a Certification Authority (CA) Issues • How someone can Publish his Public Key? • How someone can verify that a Public Key belongs to a particular Person? Solution • Public Key can be Published through a Third Party, Trusted by both Sender & Recipient. • This Trusted Third Party is called Certification Authority (CA) • CA verifies and certifies, by issuing a Digital Certificate, that a particular “Public Key” belongs to a “Particular Person” and publishes the same through Web.
- 14. What CA publish about a Digital Certificate ? Ibrar Ahmad
- 15. How CA Works? CA : • accepts Application to issue Digital Certificate • verifies Identity of Subscriber • verifies that subscriber has corresponding Pvt. key • generates Digital Certificate • publishes Digital Certificate of its subscriber on its web site so that anyone can download Digital Cert. of any other person from the CA’s web site • accepts Request to Revoke the Certificate • publishes Certificate Revocation List (CRL) so that anyone can check whether Cert. is Revoked
- 16. What is Public Key Infrastructure (PKI)? • PKI includes: – Sender(s) – Recipient(s) – and CA(s) • By using Cryptography to fulfill all requirements jointly or severally: – Confidentiality – Integrity – Authenticity – Non-repudiation – Reliability – Accountability – Anonymity
- 17. Importance of PKI PKI: • Provides secure and trusted e-communication environment. • Is inevitable for e-commerce, e-business & e- governance etc.
- 18. Some Public Sector organizations using PKI (Existing and Planning) • Pakistan Army • Securities And Exchange Commission Pakistan (SECP ) • State Bank of Pakistan • NADRA • Ministry of IT/E-Government • CBR • Customs • Project for Improvement of Financial Reporting and Auditing (PIFRA) • National Telecommunications and Information Technology Security Board (NTISB) • Institute of Physics (Quaid-e-Azam University) • Pakistan Telecommunication Authority
- 19. Some Private Sector organizations using PKI (Existing and Planning) • NIFT affiliate of VeriSign • Khanani and Kalia International • Live Securities (Online Brokerage House) • EUGridPMA • Academia Sinica Grid Computing Certification Authority • Pakistan Inter-Active Communications (Pvt.) Limited
- 20. Use of PKI in E-Commerce Some Protocols based on PKI: • Secure Socket Layer (SSL) • Secure Electronic Transaction (SET)
- 21. Secure Socket Layer (SSL) • Most commonly used (e.g. Hotmail, Yahoo) • Simplest • only confidentiality and integrity is achieved • Authenticity is not the part of Protocol • Only server’s Digital Certificate is required • Not a payment protocol specifically • For any secure communication
- 22. Secure Socket Layer Process Server Client 2. Server’s Public Key 1. Client Generate Secret Key 3. Secret Key encrypted with Server’s Pub. Key 4. Server decrypts Secret Key using its Pvt. Key 5. Communicate securely using secret key
- 23. Secure Electronic Transaction (SET) • Most Comprehensive • Confidentiality, Integrity, Authenticity, Non Repudiation and Anonymity/Privacy can also be achieved • Comparatively Complex • Digital Certificates of Merchant, Bank and Customer is required • Specifically a Payment Protocol
- 24. SET Protocol Process • OI = Order Information (Products/Services) • PI = Payment Information (Credit Card etc.) • C = Customer • M = Merchant • B = Bank • Pb = Public • Pv = Private
- 25. SET Protocol Process (Cont…) Customer Bank Merchant 1. MPb[CPv{MPb(OI)+BPb(PI)}] 2. BPb[MPv[CPv{MPb(OI)+BPb(PI)}]]
- 26. ?
- 27. Thank You
Editor's Notes
- #12: To make understanding simple, concept of digital envelop and hash is intentionally omitted.
- #19: Pak Army http://www.kalsoft.com.pk/kalsoft/kcs/pki.asp SECP http://pakistan.gov.pk/e-government-directorate/tendersdisplay.jsp?div=e-government-directorate&file=PKIRFPSECPv31.xml&path=e-government-directorate/ http://www.ppra.org.pk/download.asp?tenderid= 2578 SBP www.sbp.org.pk/about/Strategic_Plan_BOD.pdf NADRA http://www.nadra.gov.pk/DesktopModules/top/topmore.aspx?tabID=0&ItemID=35&bID=0&Mid=2925 CBR http://www.cbr.gov.pk/tenders/2005/EOI-2005-1stMayBackGround.pdf