
b100205953e899136e20c97f60432255.ppt

  • Number of slides: 11

Electronic Commerce Encryption
John Wordsworth, Department of Computer Science, The University of Reading
J.B.Wordsworth@rdg.ac.uk, Room 129, Ext 6544
April 2002, 3CSG1, slide 1

Lecture objectives
  • Understand the use of encryption for secret communication.
  • Understand the principles of symmetric encryption systems.
  • Understand the principles of asymmetric encryption systems and the use of public and private keys.
  • Describe how the HTTPS protocol is used to set up secure communications between a client and a server.
  • Explain how a challenge/response algorithm avoids the need for passwords to be transmitted.
  • Describe some methods of cryptanalysis.

What is encryption?
A means of making a text secret, so that only the sender and receiver can understand it.
Diagram: plain text → encrypt (with key) → cypher text → decrypt (with key) → plain text

Some simple(?) cryptographic systems
  • Substitution cyphers
  • Rearrangement cyphers
  • Progressive cyphers
  • Playfair codes
  • etc.

Symmetric encryption
  • The same key is used for encryption and decryption.
  • The key is known only to the sender and receiver.
  • The algorithm is (usually) well-known.
  • Algorithms: DES, IDEA, RC4.
  • The longer the key, the harder it is to break, but the longer it takes to operate the algorithm.
  • Key management is a problem.

Asymmetric encryption
  • Two keys are used, one public, one private.
  • Alice freely distributes her public key, but keeps her private key to herself.
  • Bob, wishing to communicate secretly with Alice, encrypts his plain text with Alice’s public key, using a well-known algorithm (probably RSA).
  • The cypher text can only be decrypted with Alice’s private key, so only Alice can read it.

The magic of RSA
  • What is encrypted with the private key can be decrypted with the public key.
  • Security depends on not being able to derive the private key from the public key.
  • Needs long keys (say 1024 bits) to be secure.
  • Is very slow compared with symmetric algorithms (DES, for example).

Secure sockets layer and HTTPS
Diagram of the exchange between client and server:
  • client → server: I like RC4, DES, or none
  • server → client: here’s my certificate; let’s use RC4
  • client: create RC4 key and encrypt with server’s public key
  • client → server: here’s our RC4 key
  • server: decrypt RC4 key with private key
  • both directions thereafter: RC4-encrypted

Challenge/response algorithm
  • Alice wishes to use her workstation to log on to a remote system.
  • The remote system and Alice both know Alice’s password p.
  • The remote system computes: challenge c = CA(p), response r = RA(c, p)
  • The remote system sends the challenge to the workstation.
  • The workstation asks Alice for password q, computes RA(c, q), and sends it to the remote system.
  • If the received RA(c, q) equals r, Alice is admitted.
  • The password was never transmitted.
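The exchange on this slide, as an added example that is not part of the lecture material. The slide leaves CA and RA abstract, so this code assumes CA(p) = nonce || SHA-256(nonce || p) with a fresh random nonce, and RA(c, p) = HMAC-SHA256 keyed with p over c; only c and RA(c, q) cross the wire, never the password.

```python
import hashlib
import hmac
import secrets


def CA(password: str) -> bytes:
    """Challenge generator (assumed form). The fresh nonce makes every
    challenge different, so a response captured from one login cannot be
    replayed against a later one."""
    nonce = secrets.token_bytes(16)
    return nonce + hashlib.sha256(nonce + password.encode()).digest()


def RA(challenge: bytes, password: str) -> bytes:
    """Response function (assumed form): keyed MAC of the challenge under the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class RemoteSystem:
    """The server side: knows p, issues c, keeps r = RA(c, p) to compare against."""

    def __init__(self, password: str) -> None:
        self.p = password
        self.expected = None  # r for the challenge currently outstanding

    def start(self) -> bytes:
        c = CA(self.p)
        self.expected = RA(c, self.p)  # r, computed before c is sent
        return c

    def check(self, reply: bytes) -> bool:
        if self.expected is None:      # no challenge outstanding
            return False
        ok = hmac.compare_digest(self.expected, reply)  # constant-time compare
        self.expected = None           # one challenge, one attempt
        return ok


class Workstation:
    """The client side: asks Alice for q and returns RA(c, q)."""

    def answer(self, challenge: bytes, typed_password: str) -> bytes:
        return RA(challenge, typed_password)


def login(server: RemoteSystem, typed_password: str) -> bool:
    """One full round: server sends c, workstation replies RA(c, q), server compares with r."""
    c = server.start()
    return server.check(Workstation().answer(c, typed_password))
```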

Cryptanalysis
  • Brute force attack
  • Man-in-the-middle attack
  • Known plain text attack
  • Social engineering
  • Implementation
  • Replay

Key points
  • Encryption and decryption are important facilities for electronic commerce.
  • Symmetric encryption is fast, and relies on a secret key known only to the two parties.
  • Asymmetric encryption is slow, and relies on a public key known to all, and a private key known only to the recipient.
  • HTTPS uses asymmetric and symmetric encryption.
  • Encryption algorithms, keys, and messages are under constant attack from cryptanalysts.