

Chapter 11  Analysis and design



[Chaffey, Dave] Digital business and E-commerce 2nd book


Availability – how can threats to the continuity and performance of the system be eliminated?

Kesh et al. (2002) explore the security requirements for e-commerce in more detail.



Approaches to developing secure systems

Digital certificates

There are two main methods of encryption using digital certificates.

1 Secret-key (symmetric) encryption



Symmetric encryption involves both parties having an identical (shared) key that is known only to them. Only this key can be used to encrypt and decrypt messages. The secret key has to be passed from one party to the other before use in much the same way as a copy of a secure attaché case key would have to be sent to a receiver of information. This approach has traditionally been used to achieve security between two separate parties, such as major companies conducting EDI. Here the private key is sent out electronically or by courier to ensure it is not copied.

This method is not practical for general e-commerce, as it would not be safe for a purchaser to give a secret key to a merchant since control of it would be lost and it could not then be used for other purposes. A merchant would also have to manage many customer keys.


2 Public-key (asymmetric) encryption

Asymmetric encryption is so called since the keys used by the sender and receiver of information are different. The two keys are related by a numerical code, so only the pair of keys can be used in combination to encrypt and decrypt information. Figure 11.31 shows how public-key encryption works in an e-commerce context. A customer can place an order with a merchant by automatically looking up the public key of the merchant and then using this key to encrypt the message containing their order. The scrambled message is then sent across the Internet and, on receipt by the merchant, is read using the merchant’s private key. In this way only the merchant, who has the only copy of the private key, can read the order. In the reverse case the merchant could confirm the customer’s identity by using the customer’s public key to read identity information, such as a digital signature, that was encrypted with the customer’s private key.
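The order exchange described above, written out with Node.js's built-in crypto module as an added example (it is not code from the book). The key pairs, function names and sample orders are constructed for illustration, and the choice of RSA with OAEP padding and SHA-256 signatures is an assumption, since the text names no algorithm.

```javascript
const { generateKeyPairSync, publicEncrypt, privateDecrypt,
        sign, verify, constants } = require('node:crypto');

// Each party generates its own pair; only the public half is ever shared.
const newKeyPair = () => generateKeyPairSync('rsa', { modulusLength: 2048 });

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Customer side: encrypt the order with the merchant's PUBLIC key and
// sign it with the customer's own PRIVATE key.
function placeOrder(orderText, merchantPublicKey, customerPrivateKey) {
  const order = Buffer.from(orderText, 'utf8');
  return {
    ciphertext: publicEncrypt({ key: merchantPublicKey, ...OAEP }, order),
    signature: sign('sha256', order, customerPrivateKey),
  };
}

// Merchant side: decrypt with the merchant's PRIVATE key, then check the
// signature with the customer's PUBLIC key. Returns null on any failure.
function receiveOrder(message, merchantPrivateKey, customerPublicKey) {
  let order;
  try {
    order = privateDecrypt({ key: merchantPrivateKey, ...OAEP }, message.ciphertext);
  } catch {
    return null; // wrong private key or corrupted ciphertext
  }
  const genuine = verify('sha256', order, customerPublicKey, message.signature);
  return genuine ? order.toString('utf8') : null;
}

// Constructed sample data (hypothetical parties and order text).
const merchant = newKeyPair();
const customer = newKeyPair();
const eavesdropper = newKeyPair();
const sent = placeOrder('2 x widget, ship to 1 Example St',
                        merchant.publicKey, customer.privateKey);

const readByMerchant = receiveOrder(sent, merchant.privateKey, customer.publicKey);
// Someone holding a different private key cannot read the intercepted order.
const readByEavesdropper = receiveOrder(sent, eavesdropper.privateKey, customer.publicKey);
// An order signed by someone other than the claimed customer is rejected.
const forged = placeOrder('999 x widget', merchant.publicKey, eavesdropper.privateKey);
const forgedResult = receiveOrder(forged, merchant.privateKey, customer.publicKey);

console.log({ readByMerchant, readByEavesdropper, forgedResult });
```

RSA-OAEP with a 2048-bit key and SHA-256 can encrypt at most 190 bytes, so deployed systems normally use the public key to protect a random symmetric key and encrypt the bulk data with that key.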

Pretty Good Privacy (PGP) is a public-key encryption system used to encrypt email messages.



Digital certificates (keys)
Consist of keys made up of large numbers that are used to uniquely identify individuals.

Symmetric encryption
Both parties to a transaction use the same key to encode and decode messages.

Asymmetric encryption
Both parties use a related but different key to encode and decode messages.

Figure 11.31 Public-key or asymmetric encryption
[Diagram. Consumer: original order, public key management, encrypted order. Internet. Merchant: encrypted order, private key management, original order.]

