E-COMMERCE, CRYPTOGRAPHY & DIGITAL SIGNATURES
More than any other tool in cyberspace, cryptography will play a vital role in e-commerce transactions. Dealings that involve electronic payment systems, virtual private networks and digital signatures will inevitably utilize cryptography. Where once the disclosure of confidential information over the Internet (such as credit card numbers and other sensitive transactional information) was attended by the risk of interception or worse, alteration, cryptography renders such transactions virtually invulnerable against those risks. Thus, it is expected that with the increasing concern for security in the Internet, the number of transactions utilizing cryptography will grow.
Cryptography is generally understood to encompass encryption and decryption. Encryption is the transformation of data such as plaintext, into an unintelligible format called cipher text that cannot be read without the appropriate "key". Decryption is the opposite of encryption and renders unintelligible data readable by the application of the "key". There are two popular types of cryptographic systems: secret key and public key.
In secret key cryptography, also known as symmetric cryptography, the same key is used for encryption and decryption. However, the use of secret keys proved to be inconvenient and entailed unnecessary expense. In response to these issues, public key cryptography was developed. In this system, also known as asymmetric cryptography, algorithms are used to create two mathematically-related keys. One key is kept by its owner and undisclosed (the private key) while the other is published and made easily available on the network (the public key). Under this system, the sender can use his private key to encrypt a message and the receiver can use the sender's public key to decrypt the same. For ease of access, public keys are published together with the names of their owners in directories readily accessible over the Internet. A party to an electronic contract need only refer to the directory to relate a particular public key to the identity of its owner.
Although the directories provide a name or identity associated with a public key, for purposes of entering into transactions however there will still be concerns regarding the accuracy of the information in such directories. Hence, the need for a trusted third party to attest to the relationship between a public key and its owner. This third party is called a certification authority or "CA". Typically, the CA issues the public and private keys but only after the person to whom such keys are issued presents himself personally at the CA's offices to prove his identity. Once the CA has verified his identity, it will then issue a digital certificate identifying him to the public key. The creation of an open and public cryptographic system has been called the public key infrastructure or PKI.
Of particular interest are "digital signatures" which are essential in e-commerce transactions because of the role they play in the creation, validity and enforcement of electronic contracts. Digital signatures are not digitized or scanned images of a person's signature. It is, instead, a method by which a person's communication of an offer or consent (whether by e-mail or through a click of an "I Accept" button on an on-line session) can be independently verified for authenticity and integrity.
Here's how it works: if Pepe were to affix a digital signature to his e-mail contract, he must initially use a "hash" function to create a compressed form of the e-mail called the "message digest." Pepe then applies his private key to the message digest to encrypt the same. Thereafter, he sends the message digest and the e-mail to Pilar who then decrypts the message digest using Pepe's public key. Pilar then applies the same hash function to the e-mail which generates a second message digest and determines if the latter digest is identical with the message digest decrypted using Pepe's public key. If they are identical, then the Pepe's signature is authenticated. If they are not identical then this could mean that an error occurred during transmission or the message was altered.
The use of the hash function on the message and its comparison with the message digest decrypted from the Pepes public key enables the Pilar to verify any alteration in the message during transit. This ensures message integrity. In addition, since the message digest was decrypted using the Pepe's public key, it denotes that it was encrypted using the Pepe's private key that is in his possession - a fact certified to by the Pepe's CA which issues a digital certificate. This proves that the message was sent by the Pepe and by no one else -- thus forming the basis of non-repudiation. Taken together, message integrity and non-repudiation, authenticate the message to a degree sufficient to attach liability to the parties.
The ease by which electronic transactions can be proven using PKI can only spur the growth of e-commerce. As demonstrated, PKI raises electronic contracts to the same level as physical contracts as a method of proving the electronic transaction. Coupled with CAs of unquestioned integrity, PKI has the potential to enable transactions between total strangers without depriving them of remedies in case of breach. In the context of an open system such as the Internet, this would be invaluable.