SET-1
Books ID: B0035
Hidden complexities:
The systems and services that can fail include:
➢ Web server
➢ Database server
➢ Internet service provider (ISP)
➢ Local loop (Connection between web & ISP)
➢ Commerce software
➢ Credit card gateway
➢ Credit card processor
➢ Fulfillment system
Establishing trust:
The steps involved in a simple retail transaction between buyer and seller are given below:
➢ Information sharing
➢ Establishing trust
➢ Negotiating a deal
➢ Payment and settlement
➢ Procedure and delivery
➢ After-sale services
Customer view:
Merchant view:
[Figure: secret-key encryption. Recoverable labels: original message, secret key, encrypted message (cipher text), Internet, decrypt, recipient.]
Basics of E-Commerce BT0054
Cybotech Campus
Card-issuing bank: The financial institution or other organization that issued the credit
card to the cardholder. This bank bills the consumer for repayment and bears the risk
that the card is used fraudulently. American Express and Discover were previously the
only card-issuing banks for their respective brands, but as of 2007, this is no longer
the case. Cards issued by banks to cardholders in a different country are known
as offshore credit cards.
Merchant: The individual or business accepting credit card payments for products or
services sold to the cardholder.
Acquiring bank: The financial institution accepting payment for the products or
services on behalf of the merchant.
Merchant account: This could refer to the acquiring bank or the independent sales
organization, but in general is the organization that the merchant deals with.
Transaction network: The system that implements the mechanics of the electronic
transactions. May be operated by an independent company, and one company may
operate multiple networks.
Affinity partner: Some institutions lend their names to an issuer to attract customers
that have a strong relationship with that institution, and get paid a fee or a percentage of
the balance for each card issued using their name. Examples of typical affinity partners
are sports teams, universities, charities, professional organizations, and major retailers.
bandwidth for applications, and for prioritized traffic. For example, the Resource
Reservation Protocol, or RSVP, has been developed to help reserve bandwidth for
multimedia transmissions such as streaming audio, video and video conferencing. This
same protocol can be used to prioritize e-mail for EDI messages or FTP for file transfers.
Routers supporting RSVP are only now becoming available; it will be some time before a
great deal of the Internet routinely supports RSVP. ISPs are also starting to offer their
own end-to-end networks across the United States independently of the Internet’s main
backbone, but a link to it is still needed. Aimed at businesses, these networks can be
used to speed along summer Internet traffic. These private commercial networks also
make it easier for companies to form virtual private networks (VPNs) with added
security; replacing private corporate networks can be less costly than leased-line
networks, even with the additional rates incurred. Private networks also offer another
advantage: they link to the Internet, allowing for communication with other partners
and customers without requiring special setups.
Use of IP spoofing
IP spoofing is used to commit criminal activity online and to breach network security.
Hackers use IP spoofing so they do not get caught spamming and to perpetrate denial
of service attacks. These are attacks that involve massive amounts of information being
sent to computers over a network in an effort to crash the entire network. The hacker
does not get caught because the origin of the messages cannot be determined due to
the bogus IP address.
Ans: A practical and secure crypto system needs keys that cannot be
guessed. There should be no way for outsiders to predict what keys are being used,
or even to guess approximately which keys might have been used. A good key
generator will produce keys that cannot be guessed even if attackers know how the
generator works.
Many procedures, called pseudorandom number generators (PRNGs), generate
hard-to-predict sequences of numbers. For true randomness you must seed these
procedures with an initial value. A good PRNG is not enough by itself to produce effective
keys. The generation process must be seeded by a random number that is sufficiently
hard to guess. We need a random technique to generate a random seed value so we
can generate a series of random numbers. In practice there are three computer-based
approaches for producing truly random data:
1. Monitor hardware that generates random data.
2. Collect random data from user interaction.
3. Collect hard-to-predict data from inside the computer.
We discuss only two of these methods here.
Hardware-based random number generation is the best, though most costly, approach.
The generator is usually an electronic circuit that is sensitive to some random physical
event, like diode noise or cosmic ray bombardment, and converts the event into an
unpredictable sequence of bits. However, their rarity makes it expensive to add them to
a system. User interaction is a very good source of random data, though it can be
inconvenient. People are notoriously bad at doing the same thing twice, and random
data can be collected by tracking interactive human behavior. For example, the PGP e-mail
package collects keystrokes from the user and measures the time between keystrokes
to produce a random seed value.
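The point that a good PRNG is not enough without a hard-to-guess seed can be measured directly. The following is an added example, not part of the original answer: it assumes a key generator seeded with its creation time (a constructed timestamp) and uses hypothetical helper names to show how few candidates an auditor has to test, next to a key drawn from the operating system's random source.

```python
import math
import random
import secrets

KEY_BYTES = 16  # nominal 128-bit key

def weak_key(seed: int) -> bytes:
    """Key from a general-purpose PRNG seeded with a guessable value."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(KEY_BYTES))

def strong_key() -> bytes:
    """Key drawn from the operating system's cryptographic random source."""
    return secrets.token_bytes(KEY_BYTES)

def seeds_reproducing(key: bytes, candidates) -> list:
    """Audit helper: which candidate seeds regenerate exactly this key?"""
    return [s for s in candidates if weak_key(s) == key]

def effective_bits(candidates) -> float:
    """Upper bound on the key's entropy when the seed lies in `candidates`."""
    return math.log2(len(candidates))

if __name__ == "__main__":
    created = 1_700_000_000                          # constructed Unix timestamp
    window = range(created - 3600, created + 3600)   # seed known to within two hours
    key = weak_key(created)
    print("nominal key size :", KEY_BYTES * 8, "bits")
    print("effective entropy: %.1f bits" % effective_bits(window))
    print("seed recovered   :", seeds_reproducing(key, window) == [created])
    print("CSPRNG key       :", strong_key().hex())
```

The key looks like 128 random bits, but anyone who knows how the generator works only has to try the 7,200 seeds in the window.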
based fashion and distributing the keys accordingly, they can also be assigned in a flat
fashion. This has the advantage of greatly reducing database requirements, and
relieves the sender of the need to keep information about all participants. It is now
possible to exclude participants without knowing whether they were in the group in the
first place.
The table contains 2W keys, two keys for each bit, corresponding to the two values
that bit can take. The key associated with bit b having value v is referred to as kb.v (“bit
keys”). While the keys in the table could be used to generate a tree-like keying
structure, they can also be used independently of each other.
10. What is Digital signature? Explain how digital signatures are produced.
Ans: The digital signature is the most novel mechanism provided by modern crypto
technology. It is a mechanism that does not involve secrets but protects data from
undetected change. A digital signature associates the data with the owner of a specific
private key.
Digital signatures use a private key to produce a crypto checksum. Crypto checksums
based on conventional secret key techniques can only be verified by people who are
trusted with the secret key, and the technique cannot tell which key holder actually
produced the crypto checksum. Digital signatures are tied to a particular private key, so
we can safely assume that only the private key holder could have produced the
corresponding digital signature. Anyone with the corresponding public key can validate
the hash or checksum themselves, tying the message’s contents to the holder of the
corresponding private key.
[Figure: producing and checking a digital signature. Recoverable labels: Kamal, Ajay, Raman (forger), private key, public key, encrypt, decrypt, "Pay Rs 1000", "Void".]
Using RSA to produce a digital signature: Kamal can uniquely sign any message she
sends by encrypting it with her private key. Anyone, even Raman the forger, can decrypt
and read it with her public key. But Raman cannot produce an acceptable forgery
without Kamal’s private key. Kamal’s public key will decrypt the message only if her
private key.
A smooth number is the product of reasonably small primes. If Raman the forger has
a collection of Kamal’s signed messages, and the message texts are composed of
small primes or products of small primes, he can use these messages to construct an
“alphabet” of Kamal’s signature values. He can then construct any “signed” message
that uses an existing value, or a product, or power of the values in his “alphabet”.
Padding the signed value with random, non-zero data easily defeats this.
If the public key value is 3, then a valid digital signature is generally a cube root. If you
pad on the right with zeroes and then sign, an attacker can generate different text to
sign (zero padded), take its cube root, and add “random” digits to the right to fill it up to
the text integer cube root value. This effectively forges the signature.
Kamal protects herself by making it nearly impossible for Raman to construct alternate
messages that produce the same digital signature. The usual approach is to use a hash
function to construct the digital signature. This reduces the problem to one of finding a
second message with the same hash as the first one. Another step Kamal can take is to
sign the message in plaintext before encrypting it, instead of signing the ciphertext
version. However, there are occasions where it is worthwhile to be able to validate a
signature without decrypting the underlying data, so signing the plaintext is not always
the best solution.
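The smooth-number weakness and the hash-function defence described above can be checked with a few lines of arithmetic. This is an added example, not part of the original answer: the key is a toy built from two publicly known Mersenne primes, the function names are hypothetical, and the hashed variant omits the padding a standardized scheme such as RSA-PSS would add.

```python
import hashlib

# Toy key (assumption for illustration): both primes are public, so it is not secure.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent

def raw_sign(m: int) -> int:
    """Unpadded RSA: the signature is m^D mod N."""
    return pow(m, D, N)

def raw_verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m % N

def digest(msg: bytes) -> int:
    """SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def hashed_sign(msg: bytes) -> int:
    return raw_sign(digest(msg))

def hashed_verify(msg: bytes, sig: int) -> bool:
    return raw_verify(digest(msg), sig)

def combine(sig_a: int, sig_b: int) -> int:
    """Multiply two signatures, as in the "alphabet" construction."""
    return (sig_a * sig_b) % N

if __name__ == "__main__":
    # Unpadded: signatures on 6 = 2*3 and 35 = 5*7 multiply into one on 210.
    forged = combine(raw_sign(6), raw_sign(35))
    print("raw signature on 210 accepted   :", raw_verify(210, forged))

    # Hash-then-sign: the product of two signatures matches no chosen message.
    forged = combine(hashed_sign(b"6"), hashed_sign(b"35"))
    print("hashed signature on 210 accepted:", hashed_verify(b"210", forged))
    print("genuine hashed signature        :",
          hashed_verify(b"Pay Rs 1000", hashed_sign(b"Pay Rs 1000")))
```

With the hash in place, the product of two signatures is a signature on the product of two digests, and finding a message with that digest is the hash-inversion problem the text describes.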