Guarding Your Turf
22-Jun-99
By Don Sussis
Managing Editor, E-Commerce Guide
It's no secret that the lack of user confidence in e-commerce transactions is the greatest inhibitor to the growth of e-commerce. Companies use the Web for many functions, including as a sales channel, for communicating with partners and clients, for connecting to back-end data systems, and for performing e-business transactions. Companies that do business on the Net are faced with security issues that must be addressed in order to protect sensitive information and to minimize risk.
The inherent problem with doing business over the Net is that data traveling over public networks can be easily compromised. This affects customers as well as business owners. Customers will submit information via the Net only if they are confident that their personal information, such as credit card numbers, financial data, or even their medical history, is secure. Therefore, companies must find ways to ensure the security of transactions, sensitive information, applications and online communications. Ensuring security is more than making your Web server secure; it also involves authenticating employees, customers, remote offices, suppliers and partners.
A growing number of organizations are building public key infrastructures (PKI) to solve these e-business security issues. A PKI is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction. Certificate authorities (CAs) are trusted third-party organizations or companies that issue digital certificates, digital signatures and public-private key pairs. For e-businesses, these certificates can serve as validation that a company is who it claims to be, and not an imposter. CAs can also issue digital certificates to individuals. In other words, digital certificates are the electronic equivalent of a business license or a passport. Many companies are turning to digital certificates as a secure means of communicating and doing business with customers, employees and suppliers.
How Digital Encryption and Digital Certificates Work
Cryptography is an ancient art. Throughout history, most messages were made and kept private with "single key cryptography." The Old Testament even mentions a technique for disguising messages called atbash: It substituted the last letter of a word with the first, the penultimate letter with the second and so on. The Babylonians, Egyptians, Greeks and Romans all had similar ciphering schemes.
Today, cryptography has become an advanced science. In physical transactions, identification and authentication issues are solved with seals or signatures, as on a check or a photo I.D. such as a driver's license. In electronic transactions, the equivalent of a signature or seal must be encoded into the information being transmitted in order to ensure the validity of the message contents and sender. To create the electronic equivalent of a signature, advanced cryptography is used in the form of public and private (multiple) keys.
How It All Began
The beginning of this technology, now known as public key encryption, was the 1976 publication of a paper in an electrical engineering journal, the IEEE Transactions on Information Theory. It was written by Dr. Martin Hellman, a computer scientist at Stanford University, and his student, Whitfield Diffie. In it they proposed a solution to the "key interception problem" through the use of one-way mathematical functions that were impossible to reverse unless one had some special knowledge of how they were constructed. Captivated by this possibility, Dr. Ronald Rivest and Dr. Adi Shamir, both MIT professors of mathematics, began working on finding a one-way function in order to create a public key cryptographic system. They engaged Dr. Leonard Adleman, then a new assistant professor, to test their equations by breaking the code. Dr. Adleman was, unfortunately, successful the first forty-two times he was given this assignment: he broke the algorithms. Then, so the story goes, "late one night after a Passover dinner, Dr. Rivest called Dr. Adleman with the 43rd idea, this time based on a different factoring set...the code was theoretically unbreakable according to the mathematics involved." The number generated by the algorithm would take years, perhaps centuries, of computing to factor. But the makers of the code could do it easily because they knew the factors of the large number it created. Dr. Rivest published a paper describing what they had done, and it was an instant hit. It was called RSA after its three inventors.
Public Key Encryption
Public key encryption is a cryptographic system that uses two keys: a public key known to everyone (but still associated with the owner) and a private or secret key known only to the recipient of the message, or a designated owner. These key pairs have a unique feature in that data encrypted with one key can be decrypted with the other key in the pair. The keys can be used in two ways: to provide message confidentiality and to prove the authenticity of a message's sender. As a merchant, the safest way to distribute your public key to your correspondents, or customers, is through a CA. The CA serves as a repository of digital certificates, and potential customers can request verification of your public key from the CA. Digital certificates usually include the holder's name, the name of the CA, a public key, a time limit for the use of the certificate, the class of the certificate, and an identification number. Your private key is installed on your server; nobody else has access to it.
Secret Decoder Rings vs. Public Key Cryptography
There are two obvious problems in sending enciphered messages: 1) how do we know that the message is secure and private, and 2) how do we know that a message is true, reliable, authentic and untampered with? Public key encryption technology offers a solution. Suppose John wants to send a message to Jane without anyone else being able to intercept it, and Jane needs to be sure that the message is indeed from John and not from anyone else. Essentially this is the same problem as sending and receiving e-cash: the sender and the receiver need to be assured that the transaction is reliable, secure and authentic.
In traditional encryption schemes, John uses a system to disguise his message, thus protecting it. The problem, however, is not so much with the specific message as it is with the key that deciphers it. How can the key be safely exchanged between the parties that need to have it? What if an outsider gets the key and then has access to the information contained in the messages? The solution is a complex set of very high prime number algorithms that have a specific relationship to one another. These are known as "digital signatures" and they are extremely hard to break.
The situation below represents a scenario that could take place using traditional cryptographic methods:
John is an online merchant, and Jane is a customer at his shop. A message containing credit card and other personal information needs to be transferred from Jane to John in order for a purchase to be made. Therefore, John creates two identical secret keys and sends one to Jane. Jane emails her order, which contains her credit card information. The message is encoded, or locked, with the key sent by John, and the entire message is forwarded to John. Upon receipt, John unlocks the message with his duplicate key and gets the order information. There are two points where this can fail: a copy of the key is intercepted, or the message is intercepted en route, opened, and its contents read, altered, or stolen.
The same situation can be resolved using public key cryptography. The message is transferred as before, except this time separate locking and unlocking keys are generated. Only the locking key is sent to Jane. Jane places a message (her credit card information) in the email. The message is then enciphered with the locking key and forwarded to John. John unlocks the message with the unlocking key, gets the information, and is able to fulfill the order. If a copy of the locking key is intercepted, or the message is intercepted, the message remains secure, because the stolen key only "locks" the contents; the locking key is incapable of deciphering the message. The important concept here is that even if the channels are not secure, the message itself can still be protected.
This technique provides a solution for securing messages, that is, securing "the value" to be digitally transferred over electronic networks. The second problem, namely the authentication of the message, must be solved as well. For instance, how does John know that the message comes from Jane (and not from someone pretending to be Jane with her stolen credit card)? Or, how does J.C. Penney know that Mrs. Smith is ordering an outdoor grill and sending along the correct amount of money? How does Mrs. Smith know that she is actually sending her money to J.C. Penney and not to Charlie's Scam Bank Account, Inc.? After all, it is possible that an imposter could have deceptively posted a public key for J.C. Penney and made it available in the hope that unsuspecting customers would e-mail him money! The answer is in checking the authenticity of the public key with a Certification Authority and obtaining an Authorization Certificate (AC).
Can I see Some I.D.?
Basically, the CA compares Jane's officially registered key against the one sent to it (from John) for verification. Once a correct identification has been made, the transaction can proceed. An imposter could only forge Jane's digital signature if he had a copy of her private key, which she theoretically gives to no one (not even to John, or even to her mother!). In this way the information/message/money is safe, correct, reliable and authentic.
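As an added illustration (not part of the original article), the John/Jane exchange and the CA check described above in textbook RSA: the public "locking" key encrypts but cannot decrypt, the private "unlocking" key decrypts and signs, and a toy certificate binds John's name to his public key under the CA's signature so that a swapped key is detected. The primes, names and sample message are constructed, and the scheme is unpadded textbook RSA with toy-sized keys.

```python
"""Toy RSA walk-through of the John/Jane exchange and the CA check (constructed keys)."""
import hashlib
from math import gcd

# Constructed moduli from Mersenne primes: for illustration only, not realistic key sizes.
JOHN_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
CA_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)

def make_keypair(primes, e=65537):
    """Return (locking key, unlocking key) = (public, private), each as (n, exponent)."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))  # d is the inverse of e modulo phi(n)

def lock(pub, message: bytes) -> int:
    """Encrypt with the public 'locking' key; anyone may hold it."""
    n, e = pub
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "message block too long for this toy modulus"
    return pow(m, e, n)

def unlock(priv, ciphertext: int) -> bytes:
    """Decrypt with the private 'unlocking' key, which stays on John's server."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(n: int, data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    """Digital signature: hash the data, then apply the private exponent."""
    n, d = priv
    return pow(_digest(n, data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    """Anyone holding the signer's public key can check the signature."""
    n, e = pub
    return pow(sig, e, n) == _digest(n, data)

def issue_certificate(ca_priv, holder: str, holder_pub) -> dict:
    """Toy certificate: the CA binds a holder name to a public key with its own signature."""
    body = f"{holder}|{holder_pub[0]}|{holder_pub[1]}".encode()
    return {"holder": holder, "pub": holder_pub, "sig": sign(ca_priv, body)}

def certificate_is_valid(ca_pub, cert: dict) -> bool:
    """Check the CA's signature over the (name, key) binding; a swapped key or name fails."""
    body = f"{cert['holder']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
    return verify(ca_pub, body, cert["sig"])
```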
Pros and Cons of Using PK Encryption
Many law enforcement officials argue that strong encryption will be a boon to criminal activities from money laundering to terrorism. They want to be able to eavesdrop on electronic messages, in much the same way that they can now tap into telephone conversations. Because the algorithms for protecting data are so strong as to be impenetrable, officials argue that this technology should be controlled and limited. In the United States, cryptography falls into the same jurisdiction as munitions and firearms; it is policed by the same agencies. The Clinton Administration has been trying, unsuccessfully, to control the use of cryptography by making it illegal to export programs that use keys longer than 56 bits without special permission. Such permission was granted in 1995 to Netscape Communications for an algorithm with a 128-bit key length, for use exclusively with financial information transported through its very popular World Wide Web browser. This dispensation was granted mainly to promote the growth of electronic commerce. 128-bit keys are now standard in the financial community for electronic transactions over the Internet. Currently, they are considered safe. Stronger keys are used over private networks and for international transactions by banking and government institutions, as long as they are not for export from the United States. There are no limits on key strength in many countries.
Where Do I Get a Digital Certificate?
There are several companies and organizations that issue digital certificates. A few of the more well known ones include:
Now that you know how public key encryption is used in conjunction with digital certificates, how do you go about getting one for your e-commerce site? In order to receive a digital certificate, a company applies at one of the organizations that offer them. Some commercial CAs include VeriSign, CyberTrust, and Nortel. Governmental authorities include the U.S. Postal Service. The CA issues a digital certificate containing the applicant's public key and a variety of other identifying information.
Users must pay a fee to obtain a digital certificate from a commercial or government CA. Fees are based on the class of certificate being requested. (Four different classes exist, depending on the degree to which the holder has been verified. For example, Level 1 involves the fewest checks on the holder's background; only name and email addresses are verified.) It takes anywhere from one day to a few months before a certificate is approved, so if you're planning on opening up for business soon, we suggest you apply for your digital certificate today. The typical cost is approximately $300 for the initial account setup, and then $75 per year thereafter.
Do I Need Any Special Hardware or Software?
If you're running a web site, chances are you're running it on a server. Web server packages for e-commerce sites come in a publishing version or a commerce version. The publishing version is used for the content and interactive portion of an unsecured form, while the commerce version supports the Secure Sockets Layer (SSL) or S-HTTP protocols. These protocols form the basis of encryption between Web browsers (on the user's end) and Web servers. In order to make your server secure, the software must support SSL or S-HTTP. Supporting these protocols is the basis for adding encryption capabilities through digital certificates. Currently, SSL is the more popular of the two, and most packages support it. Digital certificates are required for implementing a public key cryptography system on a Web server.
A number of vendors, including Netscape, IBM, O'Reilly & Associates, Process Software, and Microsoft, provide commercial-grade HTTP servers capable of supporting SSL. If you already have one of these products, then you are already halfway to supporting secure transactions at your site.
Don't be misled into thinking that a certificate is automatically provided or that it comes with your Web server; you have to request one for each domain and server within your organization on which you intend to host SSL. To read more about commerce servers, check out internet.com's ServerWatch.
Don Sussis is an eCommerce advisor and business consultant. He frequently writes about ebusiness and enterprise.
He can be reached at dons@interested.com.
Laura Rush is the E-Commerce Guide's Managing Editor. She can be reached at lrush@internet.com.