CS 10051 - Chapter 13

Chapter 13 - E-commerce & Information Security

(13.1) - Introduction

The Internet has been around since 1969 and the World Wide Web appeared in the early 1990s. Recently more and more businesses have been using the Web for Electronic Commerce - instead of physically going to a store to buy items, customers access the Web site of a business to order items and charge them to credit cards for delivery by a shipper to their home.

The figures on page 587 of the text show the estimates of the Census Bureau on how much E-commerce occurs. During the first quarter of the year 2000, $5 billion of retail goods were sold over the Web (0.7% of total U.S. Retail Sales.) The amount grows higher and higher each year so during the first quarter of the year 2005, $19.8 billion of retail goods were sold on the Web (2.3% of total U.S. Retail Sales.)

(13.2) - E-commerce

Sections (13.2.1) and (13.2.2) in the text give some advice to anyone contemplating setting up an E-commerce site.

(13.2.3) - Anatomy of a Transaction

An E-commerce web site has three goals:

Draw potential customers to the site.
Keep them there.
Set up optimum conditions for the customers to complete their purchases.

Figure 13.1 shows the steps that a typical online transaction takes.

(13.3) - Databases

As shown in Figure 13.3:

a database is a collection of files,
a file is a set of records,
each record contains a number of fields,
each field uses a number of bytes, and
each byte contains eight bits.

As an example, Figure 13.6 shows an employees file of a corporation. The file contains a record or tuple for each of the five employees and each record has six fields showing six attributes of the employee - each employee has a unique ID so that is a primary key of this file.

ID	LastName	FirstName	Birtdate	PayRate	HoursWorked
116	Kay	Janet	3/29/1956	$16.60	94
123	Perreira	Francine	8/15/1987	$8.50	185
149	Takasano	Frederick	5/23/1966	$12.35	250
171	Kay	John	11/17/1954	$17.80	245
165	Honou	Morris	6/9/1988	$6.70	53

The database can be queried using statements in SQL. For example,

     SELECT ID, LastName, FirstName, Birthdate, PayRate, HoursWorked
     FROM Employees
     WHERE ID = 123;

will retrieve all the information in the file for employee ID 132 and

     SELECT LastName, FirstName, PayRate
     FROM Employees
     WHERE LastName = 'Kay';

will retrieve the names and pay rates of the employees whose last name is Kay.

Figure 13.7 shows the InsurancePolicies file for this corporation.

EmployeeID	PlanType	DateIssued
171	B2	10/18/1974
171	C1	6/21/1982
149	B2	8/16/1990
149	A1	5/23/1995
149	C2	12/18/1999

This file has a composite primary key because it takes both EmployeeID and PlanType to identify a particular tuple.

The description and monthly cost of each insurance plan is kept in the InsurancePlans file as shown in Figure 13.8.

The SQL query:

     SELECT LastName, FirstName, PlanType
     FROM Employees, InsurancePolicies
     WHERE LastName = 'Takasano'
     AND FirstName = 'Frederick' 
     AND ID = EmployeeID;

will retrieve the plans used by Frederick Takasano.

(13.4) - Information Security

Information security means protecting data (both stored in a computer and transmitted over a network) so unauthorized persons can't read it and change it.

Data can be encrypted so one needs to know the decoding key to read it. Another important aspect of information security on the Internet is authentication - is the Web site you are communicating with really the right Web site or is it some other site pretending to be the right site?

(13.4.1) - Encryption Overview

Cryptography is the science of secret writing - a message plaintext is encoded into ciphertext before it is sent to keep its meaning secret if it is intercepted by the wrong parties. Only the party that knows how to decrypt the ciphertext can restore the plaintext.

(13.4.2) - Simple Encryption Algorithms

The simplest encryption algorithms are shift ciphers. For example shift the letters in the alphabet three places:

     PlainText:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
     CipherText: DEFGHIJKLMNOPQRSTUVWXYZABC

Substitution ciphers permute the letters in the alphabet with a more complicated permutation:

     PlainText:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
     CipherText: NAOBPCQDRESFTGUHVIWJXKYLZM

Block ciphers are even more complicated. Instead of a simple character-to-character substitution mix the pieces of several characters together to form each character in the ciphertext. The text shows a block cipher that mixes two characters together. To encode some plaintext:

Group the plaintext into 2-character blocks.
Substitute a number in the range of 0 to 25 for each character in each block: S(A) = 1, S(B) = 2, ..., S(Z) = 0.
If S₁ and S₂ are the two numbers in a block then calculate C₁ and C₂ in the ciphertext with: C₁ = S₁*3 + S₂*2
C₂ = S₁*5 + S₂*3 using modulo 26 arithmetic.

For example, if a block of plaintext is DE then S₁ = 4 and S₂ = 5 so:

C₁ = 4*3 + 5*2 = 12 + 10 = 22
C₂ = 4*5 + 5*3 = 20 + 15 = 35.

But 35 = 9 in modulo 26 arithmetic so the ciphertext is (22 9).

Decoding uses the following algorithm.

If C₁ and C₂ are the two numbers in a ciphertext block then calculate S₁ and S₂ in the plaintext with: S₁ = C₁*23 + C₂*2
S₂ = C₁*5 + C₂*23 using modulo 26 arithmetic.
Substitute a character in the alphabet for each number in each plaintext block: S(A) = 1, S(B) = 2, ..., S(Z) = 0.
Combine the 2-character plaintext blocks to get the original plaintext.

For example, if the numbers in a ciphertext block are 22 9 then C₁ = 22 and C₂ = 9 so:

S₁ = 22*23 + 9*2 = 524 = 4 modulo 26
S₂ = 22*5 + 9*23 = 317 = 5 modulo 26

So the characters in this plaintext block are DE.

(13.4.3) - DES

DES (Data Encryption Standard) is a much more complicated encryption algorithm shown in Figure 13.11.

(13.4.4) - Public Key Systems

The encryption algorithms described above are symmetric because encryption and decryption use the same key. An asymmetric algorithm uses different keys for encryption and decryption. A public-key system uses an asymmetric algorithm where the encryption key is broadcast to every one but the decryption key is kept secret.

The most popular public-key system is RSA, named for its developers Rivest, Shamir, and Adleman. It is based on the mathematics of number theory and its security depends on the fact that it is very difficult to find the factors of the product of two very large prime numbers. To develop an RSA public-key system a Web site:

Picks two different very large prime numbers, P and Q (each number should have hundreds of digits.)
Calculates N = P * Q.
Calculates M = (P - 1 ) * (Q - 1 ).
Picks its public-key, E, to be some number relatively prime to M (the GCD of E and M = 1.)
Tells the world that the numbers in its public-key are E and N.
Calculates its private-key, D, so that D * E = 1 modulo M - the Web site keeps P, Q, and D secret.

To transmit some plaintext T, to the Web-site, a client uses the site's public-key to calculate U = T ^E modulo N and sends ciphertext U to the Web site. When the Web-site receives U from the client it uses its private-key to calculate the plaintext, T = U ^D modulo N.

To reply to the client with plaintext R, the Web-site uses its private-key to calculate S = R ^D modulo N and sends ciphertext S to the client. When the client receives S from the Web-site he/she uses the public-key to calculate the plaintext R = S ^E modulo N.

A Simple Example of an RSA Public-Key System

To keep this example simple, we pick some small prime numbers, P = 5 and Q = 11. Then N = 5 * 11 = 55 and M = 4 * 10 = 40. We pick public-key E = 7 and calculate the private-key D = 23 ( 7 * 23 = 161 = 1 modulo 40.)

Plaintext T can be any integer from 0 to N-1 = 54. A client can use the tables below to find the ciphertext U = T ⁷ modulo 55 for any T.

Plaintext T	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27
Ciphertext U T ⁷ modulo 55	0	1	18	42	49	25	41	28	2	4	10	11	23	7	9	5	36	8	17	24	15	21	33	12	29	20	16	3

Plaintext T	28	29	30	31	32	33	34	35	36	37	38	39	40	41	42	43	44	45	46	47	48	49	50	51	52	53	54
Ciphertext U T ⁷ modulo 55	52	39	35	26	43	22	34	40	31	38	47	19	50	46	48	32	44	45	51	53	27	14	30	6	13	37	54

When the Web-site receives ciphertext U from a client it can use its private-key to calculate T = U ²³ modulo 55. Here, since there are only 55 possible values for T we can easily search the second row of these tables to find U and read the corresponding value of T in the first row.

Note that there are nine values of T (0, 1, 10, 11, 21, 34, 44, 45, and 54) where U = T. For any RSA public-key system where N > 9 there will be nine of the N possible plaintext values where ciphertext = plaintext.

Figure 13.12 in the text shows how a client and a Web site can exchange data securely.

The client sends a request to initiate RSA/DES encryption.
The Web server responds with its authentication certificate and its public-key.
The client uses the server's public-key to send the DES key it wants to use. An eavesdropper doesn't know the server's private-key and can't read the DES key.
The Web server uses the DES key to sends its acknowledgment to the client.
The client and the Web server use the DES key to exchange data securely.

Kenneth E. Batcher - 4/14/2008