Chapter 11 Analysis and design
5 Availability – how can threats to the continuity and performance of the system be eliminated?
Kesh et al. (2002) explore the security requirements for e-commerce in more detail.
Approaches to developing secure systems
Digital certificates
There are two main methods of encryption using digital certificates.
1 Secret-key (symmetric) encryption
Symmetric encryption involves both parties having an identical (shared) key that is known only to them. Only this key can be used to encrypt and decrypt messages. The secret key has to be passed from one party to the other before use in much the same way as a copy of a secure attaché case key would have to be sent to a receiver of information. This approach has traditionally been used to achieve security between two separate parties, such as major companies conducting EDI. Here the private key is sent out electronically or by courier to ensure it is not copied.
This method is not practical for general e-commerce, as it would not be safe for a purchaser to give a secret key to a merchant since control of it would be lost and it could not then be used for other purposes. A merchant would also have to manage many customer keys.
2 Public-key (asymmetric) encryption
Asymmetric encryption is so called since the keys used by the sender and receiver of information are different. The two keys are related by a numerical code, so only the pair of keys can be used in combination to encrypt and decrypt information. Figure 11.31 shows how public-key encryption works in an e-commerce context. A customer can place an order with a merchant by automatically looking up the public key of the merchant and then using this key to encrypt the message containing their order. The scrambled message is then sent across the Internet and on receipt by the merchant is read using the merchant's private key. In this way only the merchant, who has the only copy of the private key, can read the order. In the reverse case the merchant could confirm the customer's identity by using the customer's public key to read identity information, such as a digital signature, encrypted with the customer's private key.
Pretty Good Privacy (PGP) is a public-key encryption system used to encrypt email messages.
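The order and identity exchange described above, as an added example that is not from the original text: toy RSA in Python on constructed keys built from small Mersenne primes, with no padding, so it shows how the two keys of a pair relate and nothing about secure parameters. All function names, the sample order and the two parties' keys are assumptions made for the illustration.

```python
# Toy RSA on constructed keys: shows the key relationship, not a secure scheme.
# Production systems use 2048-bit+ keys with OAEP/PSS padding from a vetted library.
import hashlib

def make_keypair(p, q, e=65537):
    """Derive (public, private) keys from two primes; both share the modulus n."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # d undoes e: (m**e)**d == m (mod n)
    return (e, n), (d, n)

def apply_key(key, value):
    """The single RSA operation, value**exponent mod n, used by every role."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under the modulus")
    return pow(value, exponent, n)

def encrypt(message, public_key):
    return apply_key(public_key, int.from_bytes(message, "big"))

def decrypt(ciphertext, private_key):
    m = apply_key(private_key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message, n):
    # Toy reduction of SHA-256 into the modulus; real signatures use PSS.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    return apply_key(private_key, digest(message, private_key[1]))

def verify(message, signature, public_key):
    return apply_key(public_key, signature) == digest(message, public_key[1])

# Constructed keys from Mersenne primes (hypothetical parties, not real keys).
MERCHANT_PUB, MERCHANT_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
CUSTOMER_PUB, CUSTOMER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)

def place_order(order):
    """Customer encrypts to the merchant and signs; merchant decrypts and verifies."""
    ciphertext = encrypt(order, MERCHANT_PUB)       # customer: merchant's public key
    signature = sign(order, CUSTOMER_PRIV)          # customer: own private key
    received = decrypt(ciphertext, MERCHANT_PRIV)   # merchant: own private key
    return received, verify(received, signature, CUSTOMER_PUB)

if __name__ == "__main__":
    print(place_order(b"2 x widget, ship to A"))  # constructed sample order
```

The same `apply_key` operation serves all four roles; only which half of which pair is supplied changes, which is why the private half must never leave its owner.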
Digital certificates (keys): Consist of keys made up of large numbers that are used to uniquely identify individuals.
Symmetric encryption: Both parties to a transaction use the same key to encode and decode messages.
Asymmetric encryption: Both parties use a related but different key to encode and decode messages.
Figure 11.31 Public-key or asymmetric encryption
[Figure: Consumer: original order → public key management → encrypted order → Internet → encrypted order → private key management → original order: Merchant]