Securing Electronic Transactions

University of Palestine Eng. Wisam Zaqoot April 2010

ITSS 4201 Internet Insurance and ITSS 4201 Internet Insurance and Information HidingInformation Hiding

Securing electronic transactions

We will address here the following electronic transactions categories:

1. Purchases carried out online

2. Bank transactions and money transfer

3. Transactions handled via Email

4. Wireless transactions

Securing electronic transactions

1. Securing the purchases: The merchants, banks, PSPs, CAs and many

others are responsible of arranging a secure environment to handle e-commerce transactions.

The following figure shows how Public Key Infrastructure (PKI) can be used by the company A which wants to send a purchase order to the company B. The company B will respond by sending a purchase order confirmation to A.

The following figure shows how PKI solves the needs of authentication, confidentiality, integrity and nonrepudiation.

Securing electronic transactions

Securing electronic transactions

2. Securing Bank transactions and money transfer:

E-banks today offer their users virtually all the facilities provided by conventional banks.

A customer can check his balance, transfer money between accounts, set up automatic payments, etc.

Securing electronic transactions

3. Securing transactions handled via Email: Email systems didn’t originally include support

for security. In many cases we want to keep messages

content secret, for example when handling e-commerce orders

via emails where the customer sends his credit card number to the merchant.

sometimes we are more interested in authenticating messages, like when submitting bids by email.

Securing the Email

The most famous email encryption scheme today is the Pretty Good Privacy (PGP).

PGP appeared in 1991 and became the de-facto standard.

PGP is available free and commercially, and it is also available as a plug-in for many email user agents (like Ms’s Exchange and outlook).

Securing the Email, PGP

PGP design contains a group of operations to security. It uses symmetric key encryption, asymmetric key encryption and digital signature. In addition, PGP provides data compression.

Depending on the version, PGP software uses MD5 or SHA for calculating the message digest, uses 3DES, CAST or IDEA for symmetric key encryption and uses RSA for asymmetric key encryption.

Securing the Email, PGP

PGP scheme of Email encryption

Securing the Email, PGP

As it is shown in the previous figure, the message m is hashed and then the resulted message digest is encrypted using the sender’s private key dA, this is a normal digital signature. The digital signature with the message itself will be encrypted using the symmetric key Ksym. And the symmetric key itself will be encrypted using the public key of the receiver eB, and this collection of things represents the secured email message that will be sent.

Securing electronic transactions

4. Wireless transactions: wireless transactions are a growing field in ecommerce.

A lot of technologies were developed to provide security for wireless communications, but in general the wireless communications still not that secure. WTLS is a protocol that works under the WAP

protocol. WTLS uses cryptography and digital certificates to establish a secure transmission session between a WAP server and a cell phone.

Wireless Equivalent Privacy (WEP) is a protocol that provides encryption and authentication of wireless transmission to and from a WLAN.

What’s next?

Next, we will talk about security protocols used to achieve security in Ecommerce.