The Internet has revolutionized how we communicate because of the power of millions of computers connected to a single worldwide network. The flip side of this strength, unfortunately, is that networks, including the Internet, are susceptible to unauthorized access by unscrupulous people.
Internet users of all types must be aware and knowledgeable about the dangers posed by computer viruses, identity theft, and the spyware and adware software employed by unethical businesspeople.
E-commerce entrepreneurs must also know the ins and outs of conducting secure financial transactions on the Internet-both to protect themselves as well as the financial and privacy concerns of their customers. A host of sensitive information, such as Social Security, bank account and credit-card numbers, is now exchanged over the Internet. Responsible businesses need to understand how to make this information safe and secure during its digital travels.
The process of encryption is how communications over the Internet are made inaccessible to unauthorized interception. Encryption involves scrambling the data by processing it with a mathematical algorithm that converts the communication to an unreadable string of letters and numbers. If the communication is somehow intercepted, it’s impossible for the eavesdropper to interpret it. After the communication reaches its intended recipient, a similar algorithm reverts it back to its original, unencrypted form.
Here’s a description of the two basic types of encryption used to secure communications over the Internet. Both use the analogy of a “key” to lock and unlock communications.
Symmetric-key encryption. In symmetric-key communication, each computer involved in the communication uses a “private key,” which is a type of code, to encrypt and decrypt communications. All the computers in the loop must have access to the code, and secure communication outside the network cannot take place.
For example, in symmetric-key encryption, Computer A uses its private key to encode and send a communication to Computer B, which has access to this same private key. Computer B then uses its private key to decrypt the message and, when applicable, encrypt a response that’s sent back to Computer A. It’s not much different than handing a written coded message to someone and then telling that person how to decipher it.
An example of symmetric-key encryption is Data Encryption Standard (DES) and its successor, Triple DES, which provides a much-greater degree of security than DES.
Public-key encryption. Public-key encryption (also called asymmetric encryption) is more commonly used than older symmetric-key encryption standards like DES because it provides for a greater level of security and encryption flexibility.
This type of encryption involves a combination of public and private keys. In this scenario, Computer A has a private key known only to itself and a public key it distributes to any other computer (Computer B), whether known to Computer A or not, that wants to communicate with it. Computer B then uses its own private key plus the public key provided by Computer A to decrypt and read the message.
The most-popular software offering public-key encryption is PGP (Pretty Good Privacy), which is a client that allows computers to encrypt and securely share e-mail messages or nearly any type of file. PGP is available from PGP Corp. at (http://www.pgp.com), and freeware and shareware versions with similar features are available elsewhere online.
Public-key encryption vs. private key. Public-key encryption is most commonly used in today’s e-commerce websites because it provides a higher-degree of security for data-the chances of someone intercepting and decoding data secured with public-key encryption are amazingly miniscule. That’s because today’s public-key encryption products use 128-bit encryption, as opposed to the 40- and 56-bit encryption offered by public-key encryption like DES.
The higher the bit number, the greater the protection, because higher numbers mean more complex algorithms are being used. In fact, 128-bit encryption means only one of 2128 possible combinations will decipher the code. That’s literally trillions of trillions of possible solutions but only one answer.
Another aspect of secure communications is authentication, the verification that the encrypted communications has come from a reliable source. This requires processes beyond the encryption process.
Usernames and passwords. The most-common authentication involves the use of usernames and passwords, a process you see most every day while using the Internet. For example, while encryption lets you communicate with a secured website, often times, information only can be shared once the user enters the username and password. The computer system receiving the information, checks this information against its secured files, and grants or denies access based upon the username and password provided.
Digital signatures. A digital signature, which uses public-key encryption, is an authentication process in which an electronic signature is added to an encrypted communication to help the recipient determine if the sender is authentic. If the digital signature is altered in any way during transmission, it makes the signature invalid, and the recipient knows the sender is not authentic.
Digital certificates. A digital certificate, like a digital signature, is attached to an encrypted communication for verification purposes. The certificate verifies the sender’s identity and gives the recipient the opportunity to send an encrypted reply.
Certificates are an important feature in e-commerce as they allow customers sending sensitive information over the Internet to know that the information has been encrypted. A certification authority, the organization responsible for ensuring the security of the delivered communications, must issue certificates.
The two largest certification authorities are VeriSign (http://www.verisign.com) and GeoTrust (http://www.geotrust.com). These private companies offer an array of products that enable e-commerce sites to conduct secure financial transactions and other communications over the Internet.
E-commerce websites offering secure transactions capabilities are authorized to display the certification authority’s logo as a sign to customers that their transmitted information will be encrypted.
Another way for customers to determine if the they are on a secured website is when an “s” follows “http” in the Address Bar of their web browser. HTTPS (Hypertext Transfer Protocol Secure) is the Web’s standard encryption mechanism. The protocol is ordinary Hypertext Transfer Protocol (HTTP) operating with Secure Sockets Layer (SSL), which we discuss in the next section of this tutorial.
A small, gold, “locked” padlock displayed on the bottom of a web browser’s interface is another sign that a secured website is being displayed. Double-clicking the padlock provides information about the certificate and the certification authority. This can be useful for customers who want to learn more about the authenticity of the security features on a HTTPS-protected website.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Secure Sockets Layer (SSL) is a widespread use of public-key encryption. The S in HTTPS means SSL is in place to encrypt data transmitted through the website, and is the standard used by the VeriSign and GeoTrust certification authorities (see digital certificates).
While PGP (Pretty Good Privacy) works well for single computer-to-computer encrypted data exchanges, SSL is the industry standard for e-commerce because of its high level of encryption (128-bit, see Public-key encryption vs. private key). It’s also scalable, allowing many users to send secure information to web servers.
More and more, you’ll see SSL referred to as Transport Layer Security (TLS) or perhaps as SSL-TLS. TLS is the successor to SSL, is based upon SSL but, although having only slight differences, is not interchangeable with SSL. Only newer web browser versions support TLS.