Unit 8

Encryption

Structure
8.1 Introduction
Objectives
8.2 Cryptography
8.3 Encryption
8.4 Digital Signature
8.5 Virtual Private Network
8.6 Summary
8.7 Glossary
8.8 Terminal Questions
8.9 Answers
References

8.1 Introduction
In the previous unit you learnt about security in electronic unit. In this unit, you
will learn about encryption. Encryption is an important cryptography technology
used to transform information using an algorithm to make it unreadable to anyone
except those possessing special knowledge (usually referred to as a key).
Cryptography is the science of writing in a secret code is called cryptography.
Since long, encryption is being used by militaries and governments to facilitate
secret communication as there are several instances of data in transit being
intercepted in recent years. Encryption is also used to protect data in transit,
i.e., data being transferred via networks (such as the Internet and e-commerce),
mobile telephones, wireless microphones, wireless intercom systems, Bluetooth
devices and bank automatic teller machines. Encrypting data in transit also
helps to secure it as it is often difficult to physically secure all access to networks.

Objectives
After studying this unit, you should be able to:
Define cryptography and describe the purposes of cryptography
Summarize the role of encryption in message security
Discuss the various methods of encryption
Identify the various features of digital signature
Discuss the role of virtual private network (VPN) in encryption

E-Commerce

Unit 8

8.2 Cryptography
Cryptography is derived from the Greek words kryptos (hidden, secret) and
grph (I write). It is the practice and study of hiding information. Cryptography
is today considered a branch of both mathematics and computer science, and
is used extensively in information theory, computer security and engineering.
Cryptography is used in applications which require security of data, such as in
the case of ATM cards, computer passwords and electronic commerce.

8.2.1 Purpose of Cryptography

The science of writing in a secret code is called cryto. It is supposed to have
been first used as far back as 1900 BC by an Egyptian scribe. Cryptography is
believed to have appeared soon after writing was invented and used in diplomatic
exchanges and battle plans. With the development of computer communication,
the need for security of communication media also rose. Quite understandably,
then, cryptography began to be used to provide this security while communicating
over any untrusted medium, particularly the Internet.
These security requirements include:
Authentication: That is, giving proof of ones identity.
Privacy/confidentiality: Making sure that no one other than the intended
reader reads the message.
Integrity: Providing assurance to the receiver that the message received
by him is no different from the original one.
Non-repudiation: A mechanism which will prove that the message was
actually sent by the sender and no one else.
Thus, it is seen that cryptography serves a dual purpose: data is protected
from being stolen or altered and users are authenticated. This is done in three
ways: (a) Secret key (or symmetric) cryptography, (b) Public-key (or asymmetric)
cryptography and (c) hash functions. The unencrypted data is referred to as
plaintext. It is encrypted into ciphertext, and then decrypted into usable plaintext.

8.2.2 Encryption as the Basis for Data and Messaging Security

Encryption is a cryptography technology to scramble (encrypt) the data with a
key so that no one can make sense of it while it is being transmitted. When the
data reaches its destination, the information is unscrambled (decrypted) using
the same or a different key.

Sikkim Manipal University

Page No. 134

E-Commerce

Unit 8

The terms used commonly in a cryptography system are as follows:

Intruder: An intruder is any person who does not have the authorization
to access the network or the information.
Plaintext: It is an intelligible message that needs to be converted into
an unreadable message or encrypted message.
Ciphertext: A message in an encrypted form.
Example:
(Encrypted Form)

(Decrypted Form)

Plain Text

Algorithm

Cipher Text

Algorithm

Plain Text

Goods

Next two letters

Iqqfu

Previous two letters

Goods

Sales

Previous one letter

rzkdr

Next one letter

Sales

Encryption is a method by which plaintext can be converted into ciphertext.

Decryption is a method by which a ciphertext can be converted into plaintext.
Algorithm: A cryptography algorithm is a mathematical function.
Key: It is a string of digits.

Self-Assessment Questions
1. Fill in the blanks with appropriate words.
(a) The science of writing in a secret code is called_____________.
(b) _____ is a cryptography technology to scramble (encrypt) the data
with a key so that no one can make sense of it while it is being
transmitted.
(c) _______ is an intelligible message that needs to be converted into
an unreadable message or encrypted message.

8.3 Encryption
8.3.1 Methods of Encryption
There are three types of cryptography or methods of encryption:
Secret key or private key or symmetric key cryptography
Public key or asymmetric key cryptography
Hash function
Sikkim Manipal University

Page No. 135

E-Commerce

Unit 8

1. Secret key or symmetic key cryptography

In this scheme, both the sender and the recipient possess the same key to
encrypt and decrypt the data. Figure 8.1 shows how secret or private key
cryptography works.
Original
Message

Encrypted
Message
Secret Key

Encrypt

Internet

Encrypted
Message

Original
Message
Secret Key

Decrypt

Figure 8.1 Schematic Diagram of Secret Key Cryptography

Data Encryption Standard

Data Encryption Standard (DES) is an example of secret key cryptography. It
was developed by IBM. DES is block cipher-based scheme which encrypts a
64-bit data block using a 56-bit key. The block is transformed in such a way that
it involves sixteen iterations. This done by using the security key.
To take an example, suppose, A encrypts a message with a secret key
and e-mails it to B, who on receiving it, checks the header to identify the sender.
B then has to take the duplicate of the secret key to decrypt the message.
Drawbacks of secret key cryptography
Both parties must agree upon a shared secret key.
If there are n correspondents, you have to keep track of n different
secret keys. If the same key is used by more than one correspondent,
the common key holders can read each others mail.
Symmetric encryption schemes are also subject to authenticity
problems. Since both the sender and the recipient have the same
secret key, the identity of originator or recipient cannot be proved.
Both can encrypt or decrypt the message.
Sikkim Manipal University

Page No. 136

E-Commerce

Unit 8

2. Triple Encryption
As discussed, the DES is a block cipher and employs shared secret encryption.
But, nowadays DES is considered unsafe for various applications primarily due
to the 56-bit key size which is too small. Triple DES is considered as an improved
version to overcome many of the shortcomings of DES. The triple encryption
technology is based on DES and is sometimes referred as Triple DES or 3DES.
The event follows an Encrypt-Decrypt-Encrypt (EDE) sequence. Decrypt
sequence is just the same encrypting operation with the keys reversed. It is
based on the DES algorithm and can easily modify the existing software to use
Triple DES. It has a longer key length that helps in eliminating many of the
shortcut attacks used to reduce the amount of time it takes to break DES. Thus,
Triple DES is considered as an exceptional and dependable option to fulfill the
security requirements of highly sensitive information.
Triple DES mode of operation takes three 64-bit keys for an overall key
length of 192 bits. In Private Key Encryption, the user can just type in the complete
192-bit (24 character) key rather than entering each of the three keys individually.
The procedure for encryption is exactly the same as regular DES, but it is repeated
three times. The data is encrypted with the first key, decrypted with the second
key and finally encrypted again with the third key (Refer to Figure 8.2).

Figure 8.2 Triple DES Mode

3. Public key cryptography

This scheme operates on a double key, called pair key, one of which is used to
encrypt the message and the other is used to decrypt it. This can be viewed as
two parts; one part of the key pair, the private key, is known only by the designated
owner. The other part, the public key, is published widely but is still associated
with the owner of the private key. Figure 8.3 shows how public key encryption
works.
Sikkim Manipal University

Page No. 137

E-Commerce

Unit 8

Original
Message

Encrypted
Message
Public Key

Encrypt
(Cipher Text)

Internet

Encrypted
Message

Original
Message
Private Key

Decrypt

(Cipher Text)

Figure 8.3 Schematic Diagram of Public Key Cryptography

Encryption and Decryption

Data encrypted with a public key can only be decrypted with a private key.
Data encrypted with a private key can only be decrypted with a public key.
Advantages of public key cryptography
Message confidentiality can be proved: The sender uses the recipients
public key to encrypt a message, so that only the private key holder can
decrypt the message, and no one else.
Authenticity of the message originator can be proved: The receiver
uses his private key to encrypt a message, to which only the sender has
access.
Easy to distribute public key: The public key of the pair can be easily
distributed.
Hash function
Hash function is a formula that converts a message of a given length into a
string of digits called a message digest. A mathematical transformation is used
by the hash function to encrypt information such that it is irreversible. The
encrypted ciphertext message cannot be decrypted back to plaintext.

Sikkim Manipal University

Page No. 138

E-Commerce

Unit 8

Encrypt
(Hash function
Message digest)

Digital Signature
With senders private
key

Sender

Receiver

How it works: X sends a message to Y

(a) The sender generates a message.

(b) A Message Digest of the message is created using the hash function.
(c) The sender attaches the digital signature to the end of the message.
(d) The sender encrypts both message and signature with the receivers public
key.
(e) Using a private key, the entire message is encrypted by the receiver.
(f) The receiver calculates the message digest using the hash function.
The receiver uses the same hash function that the sender uses, and which
has been agreed upon in advance. The main advantage of using the hash
function for encryption is that even if an unauthorized person accesses Xs
public key, he will not be able to get to the hash function-generated key; thus
making the digital signature authentic and secure.
Activity 1
Search on the Internet for public key cryptography and find out the
disadvantages of using it.

Self-Assessment Questions
2. State whether the following statements are true or false:
(a) In secret key cryptography, only the sender possesses the same
key to encrypt and decrypt the data.
(b) Data Encryption Standard (DES) is an example of public key
cryptography.
(c) Triple DES mode of operation takes three 64-bit keys for an overall
key length of 192 bits.
(d) Data encrypted with a public key can only be decrypted with a private
key.
Sikkim Manipal University

Page No. 139

E-Commerce

Unit 8

8.4 Digital Signature

Digital signatures are used for authenticating e-commerce business transactions.
The authentications refer to legal, financial and other document-related issues.
Digital signatures are just like handwritten signatures which determine
authentications.
A digital signature consists of two parts:
(i) Signature in the document: signer authentication
(ii) Document authentication
(i) Signer authentication: A signature should indicate who signed a
document, message or record and should be difficult for another person
to produce without authorization.
(ii) Document authentication: A signature should identify what is signed so
that:
Sender can not remove the content of messages after signing it.
The receiver cannot make any changes in the message.

8.4.1 Validity of Digital Signatures

Generally, a key expires after a certain period that could range from six months
to a year. A signed document with an expired key is not acceptable. The contract
is registered with a digital time stamping service at the time it is signed; the
signature can be authenticated even after expiry of the key. If every party on the
contract keeps a copy of the timestamp, all of them can prove that the contract
was signed using valid keys. Actually, the timestamp can prove the validity of
the contract even if one signatorys key gets compromised at any instant after
the contract is signed.
A digital time stamping (DTS) service issues timestamps which associate
a date and time with a digital document in a cryptographically strong way. The
digital timestamp can be used at a later date to prove that an electronic document
existed at the time stated on its timestamp.
Because keys are intended to be public and are widely distributed, anyone
can easily create a private/public key pair and distribute the public key, claiming
it belonged to someone else. One solution to this problem is a public-key
certificate. A public-key certificate is a data structure, digitally signed by a
Certifying Authority (CA).

Sikkim Manipal University

Page No. 140

E-Commerce

Unit 8

Certificates authority
Certificates authority is an organization or institution that issues digital certificate
to companies and organizations that are accessible via the Internet. These
certificates are issued for a certain period of time and are used as an assurance
of the security of a website. It is also known as trusted third party. CAs form
characteristics of many public key infrastructure (PKI) schemes. There are many
commercial CAs that charge for their services. There are also several providers
issuing digital certificates to the public without any cost. Generally, institutions
and governments have their own CAs.
Certificates authority issues digital certificates that consist of the
identification details of the owner and his public key. The corresponding private
key is in a similar manner not made available publicly, but kept as a secret by
the end-user, who generates a key pair. The certificate also acts as evidence by
the CA such that the public key contained in the certificate is related to the
person, organization, server or other entities noted in the certificate. If the user
believes in the Certificate Authority (CA) and is able to validate the CAs signature,
then he can also validate the requirement of a certain public key that belongs to
whoever is identified in the certificate.

Digital certificate
A digital certificate serves as an electronic identity card that establishes the
users credentials when business deals are transacted across the Web. A digital
certificate is defined as a method to electronically verify for authenticity. The
digital certificate is just like an identity card, such as a drivers license. Digital
certificate is issued by a number of certificate authorities; it is used to prove that
a website, or a visitor to a website, is the entity or person they claim to be; An
electronic credential issued by a certification authority to establish the identity
of an organization when doing business on the Internet.
Contents of digital certificate
A digital certificate contains the following details:
Certificate Holders Name, organization and address.
The name of certificate authority who has issued this certificate.
Public key of the holders for cryptographic use.
Time limit, these certificates are issued for durations of six months to a
year.
Digital certificate identification number.
Sikkim Manipal University

Page No. 141

E-Commerce

Unit 8

A digital certificate contains a public key that is used for encrypting messages
and digital signatures. It also has the digital signature of the certificate authority.
By this signature a recipient can verify that the certificate is genuine. Sometimedigital certificates conform to a standard, X.509. It can be kept in registries so
that authenticating users can look up other users public keys.

8.4.2 Non-Repudiation and Message Integrity

Digital identity is based on message integrity, non-repudiation and confidentiality.
Integrity ensures that a message or transaction has not been tampered with.
Non-repudiation ensures that the contents of the message sent are intact and
provides evidence for the existence of a message or transaction. The user and
the recipient cannot dispute the contents, once sent. The contents are protected
as confidential which means that only authorized individuals or groups can access
the contents of a message or transaction. In certain cases, these features are
not necessary and hence are considered as luxury. However, there are scenarios
where these features are most critical. For managing digital identity strategy,
clarity of these features is very important.

Integrity
Integrity is the basic requirement of a highly dependable identity infrastructure.
Identity systems serve the purpose of exchanging credentials as well as
messages and transactions pertaining to attributes, provisioning of information
and other data. Integrity builds a trust that the contents have not been tampered,
which is important in this environment. To understand this better, let us take an
example of a document that represents identity credentials. It is important to
validate the authenticity of the credentials to be sure of their originality.
Non-repudiation
Non-repudiation is the activity of presenting of tamper-proof evidence proving
that a message was sent or received. Critical identity-related acts should be
protected even though the messages or transactions can be disputed. For
understanding this better, let us take the instance of two people, Nadia and Joe,
who are exchanging messages. In one case, Nadia denies sending a message
to Joe that he claims to have received. The ability to counter Nadias denial is
called Non-repudiation of Origin (NRO). In the second scenario, Nadia claims
to have sent Joe a message that he denies having received. Provision of evidence
to counter Bobs claim is called Non-Repudiation of Receipt (NRR).

Sikkim Manipal University

Page No. 142

E-Commerce

Unit 8

Activity 2
Search on the Internet for the term digital signature and find out how it
ensures non-repudiation of data.

Self-Assessment Questions
3. Fill in the blanks with appropriate words.
(a) ______ are used to authenticate e-commerce business transactions.
(b) A ______ service issues timestamps which associate a date and
time with a digital document in a cryptographically strong way.
(c) A _____ is defined as a method to electronically verify for authenticity.

8.5 Virtual Private Network

A virbtual private network (VPN) establishes virtual connection between client
and server. It is a network that uses a public communication infrastructure,
such as the Internet, to provide remote offices (other place) or individual users
with secure access to their organizations network. A virtual private network can
be compared with a system of owned or leased lines that can only be used by
one organization. The goal of a VPN is to provide the organization with the
same capabilities, but at a much lower cost.
A VPN works on the shared public infrastructure while maintaining privacy
through security procedures and tunneling protocols such as the Layer Two
Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the
sending end and decrypting it at the receiving end, send the data through a
tunnel that cannot be entered by data that is not properly encrypted. An
additional level of security involves encrypting not only the data, but also the
originating and receiving network addresses.
One popular technology to accomplish these goals is VPN . A VPN is a
private network that uses a public network (usually the Internet) to connect
remote sites or users together. The VPN uses virtual connections routed through
the Internet from the businesss private network to the remote site or employee.
By using a VPN, businesses ensure security anyone intercepting the encrypted
data cant read it.

Sikkim Manipal University

Page No. 143

E-Commerce

Unit 8

VPN was not the first technology to make remote connections. Leased
lines, such as ISDN (integrated services digital network, 128 Kbps), are private
network connections that a telecommunications company could lease to its
customers. Leased lines provided a company with a way to expand its private
network beyond its immediate geographic area. These connections form a single
wide-area network (WAN) for the organization. Though leased lines are reliable
and secure, the leases are expensive, with costs rising as the distance between
offices and work places increases.

Self-Assessment Questions
4. State whether the following statements are true or false:
(a) A virtual private network (VPN) is a network that uses a private
communication infrastructure.
(b) The goal of a VPN is to provide the organization with the same
capabilities, but at a much lower cost.

8.6 Summary
Let us recapitulate the important concepts discussed in this unit:
The science of writing in a secret code is called cartography. It is supposed
to have been first used as far back as 1900 BC by an Egyptian scribe.
Encryption is a cryptography technology to scramble (encrypt) the data
with a key so that no one can make sense of it while it is being transmitted.
Encryption is a method by which plaintext can be converted into a
ciphertext.
Decryption is a method by which a ciphertext can be converted into a
plaintext.
In secret key cryptography, both the sender and the recipient possess the
same key to encrypt and decrypt the data.
Data Encryption Standard (DES) is a block cipher based scheme which
encrypts a 64 bit data block using a 56 bit key. The block is transformed
in such a way that it involves 16 iterations.
Public key cryptography operates on a double key, called pair key, one of
which is used to encrypt the message and the other is used to decrypt it.
Sikkim Manipal University

Page No. 144

E-Commerce

Unit 8

Digital signatures are used for authenticating e-commerce business

transactions. The authentications refer to legal, financial and other
document-related issues.
Hash function is a formula that converts a message of a given length into
a string of digits called a message digest.
Certificates authority is an organization or institution that issues digital
certificate to companies and organizations that are accessible via the
Internet.
Digital identity is based on message integrity, non-repudiation and
confidentiality.
A virtual private network (VPN) establishes virtual connection between
client and server. It is a network that uses a public communication
infrastructure, such as the Internet, to provide remote offices (other place)
or individual users with secure access to their organizations network.
A VPN works on the shared public infrastructure while maintaining privacy
through security procedures and tunneling protocols such as the Layer
Two Tunneling Protocol (L2TP).

8.7 Glossary
Cryptography: The science of writing in a secret code
Encryption: A cryptography technology to scramble (encrypt) the data
with a key so that no one can make sense of it while it is being transmitted
Intruder: Any person who does not have the authorization to access the
network or the information
Plaintext: An unreadable message that needs to be converted into an
intelligible message or encrypted message.
Ciphertext: A message in an encrypted form.
Hash function: is a formula that converts a message of a given length
into a string of digits called a message digest.
Non-repudiation: is the activity of presenting of tamper-proof evidence
proving that a message was sent or received

Sikkim Manipal University

Page No. 145

E-Commerce

Unit 8

8.8 Terminal Questions

1. Discuss the meaning and purpose of cryptography.
2. Compare the features of secret key cryptography and those of public key
cryptography.
3. Explain how hash function operates.
4. Describe how digital signatures are validated.
5. Explain the method of ensuring non-Repudiation and message integrity
of message.
6. What is virtual private network (VPN)? Discuss how it works.

8.9 Answers
Answers to Self-Assessment Questions
1. (a) Cryptography; (b) Encryption; (c) Plaintext
2. (a) False; (b) False; (c) True; (d) True
3. (a) Digital signatures; (b) Digital time stamping; (c) Digital certificate
4. (a) False; (b) True

Answers to Terminal Questions

1. Refer to Section 8.2
2. Refer to Section 8.3
3. Refer to Section 8.3
4. Refer to Section 8.4.1
5. Refer to Section 8.4.2
6. Refer to Section 8.5

Sikkim Manipal University

Page No. 146

E-Commerce

Unit 8

References
1. Turban, Efraim, Jae Kuy Lee and Michael Chung. Electronic Commerce:
A Managerial Perspective. Prentice-Hall, 1999.
2. Whitley, David. E-Commerce: Strategy, Technologies and Applications.
Tata McGraw-Hill, 1998.

Sikkim Manipal University

Page No. 147