E-commerce
What are the relationships among:
- Client (i.e. you)
- Server
- Bank
- Certification authority
Other things to consider:
- How to set up your own online business
- The steps of a secure session
- Authentication
- Digital signature
Setting it up
- You have products to sell
- Create a Web site
  - Subscribe for Web hosting, acquire HW/SW as needed
- Need accounts with a bank, and individual credit card merchant accounts, PayPal, etc.
- Subscribe to SSL service
  - E.g. Verisign is now owned by Symantec
- Maintain database of transactions
  - E.g. individual purchases
Secure Web session
Here’s one way to do it.
1. Client wants to buy goods on server’s secure site.
2. Server sends its public key & authentication certificate to client.
3. Client’s Web browser verifies certificate with CA.
4. Client uses RSA with server’s public key to encrypt DES key. Sends it to server.
5. Server uses own RSA private key to decrypt DES key.
6. Now, both parties can communicate with DES.
Notes
- Why not just use RSA for everything?
  - DES is much faster. We just use RSA to communicate the DES key.
- Client & server have “agreed” on a key, but we did not use Diffie-Hellman.
  - DES key was chosen by the client, sent to server securely.
  - Diffie-Hellman by itself can’t authenticate.
- Authentication goes both ways
  - CA verifies server identity to client (you).
  - Bank verifies client (you) to the server.
Digital signature
- A closely related concept using RSA
- Purpose: verify sender & integrity of message
  - Useful when resolving disputes: non-repudiation
- When A sends message to B:
  - Message → (A’s private key) → D.S.
  - Append D.S. to the message
- B receives message (with D.S.) from A:
  - Separate the D.S. from body of the message.
  - D.S. → (A’s public key) → output
  - Verify that the output matches the message.
  - (To save time, the message is usually “hashed”)
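The six-step secure session above and the digital-signature flow, worked through as one added example (not from the slides) in textbook RSA with tiny constructed primes. The function names, the toy certificate format (server public key plus a CA signature over it) and the XOR keystream standing in for DES are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd

# Added example: textbook RSA with small constructed primes, for illustration only.
# Real systems use multi-kilobit keys, OAEP/PSS padding and a modern cipher instead of DES.

def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) keys, each as an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be invertible mod phi(n)"
    return (e, n), (pow(e, -1, phi), n)   # pow(e, -1, phi) is the modular inverse (Python 3.8+)

def rsa_apply(x: int, key) -> int:
    exp, n = key
    assert 0 <= x < n, "value must be smaller than the modulus"
    return pow(x, exp, n)

def digest_mod_n(data: bytes, n: int) -> int:
    # Sign and verify the hash of the message ("the message is usually hashed"), reduced mod n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv) -> int:          # Message -> (private key) -> D.S.
    return rsa_apply(digest_mod_n(data, priv[1]), priv)

def verify(data: bytes, sig: int, pub) -> bool:   # D.S. -> (public key) -> compare with hash
    return rsa_apply(sig, pub) == digest_mod_n(data, pub[1])

def issue_certificate(server_pub, ca_priv):
    """Toy certificate: the CA signs the server's public key (assumed format)."""
    return server_pub, sign(repr(server_pub).encode(), ca_priv)

def sym_crypt(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for DES: XOR with a SHA-256 keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def secure_session(cert, ca_pub, server_priv, order: bytes, session_key=None) -> bytes:
    """Steps 2-6 of the slides: verify cert with the CA, RSA-wrap a client-chosen key, talk symmetrically."""
    server_pub, ca_sig = cert
    if not verify(repr(server_pub).encode(), ca_sig, ca_pub):
        raise ValueError("certificate not signed by the trusted CA")   # browser aborts the session
    if session_key is None:
        session_key = secrets.randbelow(server_pub[1])   # client picks the session (DES) key
    wrapped = rsa_apply(session_key, server_pub)          # client encrypts key with server's public key
    unwrapped = rsa_apply(wrapped, server_priv)           # server decrypts key with its private key
    ciphertext = sym_crypt(session_key, order)            # client sends the order under the shared key
    return sym_crypt(unwrapped, ciphertext)               # server reads it; equals `order` on success
```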