August 25, 1998


Cryptography and e-commerce

Priya Ganapati at Pragati Maidan

The cool and plush conference rooms where executive delegates were waiting in anticipation of the last session in the e-commerce forum were in sharp contrast to the chaos in the exhibition areas.

K S Ganesan, head, technology, Microland, did not disappoint.

In a delightful presentation that had the audience smiling most of the time, he dealt with the security issues in the design and presentation of e-commerce.

"We have always said that the Net is the messiah. The Net always solves all my problems. But for a change, let us look at the dragons here," he said.

The next slide had a dragon listing the threats of being on the Net. To illustrate, Ganesan cited some recent server break-ins, including the hacker attack on the Bhabha Atomic Research Centre's Web server.

The Internet poses many threats to the business environment. These include loss of privacy, loss of data integrity, impersonation by unauthorised users and denial of service.

The common attacks on the Internet can be broadly classified into routing attacks, ICMP attacks, wiretapping, denial of service and TCP sequence number attacks.

Eavesdropping by unauthorised users, data theft and data corruption are the other security problems.

Ganesan revealed that a security policy could be defined as per RFC 2196, the Site Security Handbook. He, however, did not elaborate. A security policy can be open or closed and could be based on the IP address.

Ganesan advised all companies to first perform a network security audit that would reveal the logging and authentication mechanism. The nature of traffic and protocols on the local network and the number of security patches applied would also be revealed.

"Companies need to prioritise the entire process. You need to check the password scheme and look for unnecessary accesses based on a need-to-know basis," he warned.

Security loopholes in the TCP/IP stack were also discussed. "It is a connection-oriented protocol prone to sequence number attacks. This is because TCP/IP maintains the sequence of packets sent and acknowledges the receipt," Ganesan explained.

However, there is no single security solution that deals with all the protocol issues, he lamented. Ganesan elaborated on the development of security solutions and the most common ones that are implemented.

There are four kinds of firewalls that can be employed to ensure network security. Firewalls can be implemented as packet-filtering routers, application-level gateways, circuit-level gateways (proxies) or stateful inspection.

Packet-filtering routers can restrict incoming telnet, block particular IP addresses and do everything else a packet filter can do on a per-packet basis. This kind of firewall is cheap and fast but not very secure.

Application-level gateways are extremely secure but require specialised user programmes. They are seldom transparent to the users and use a special-purpose lock for each application.

Proxies are quite effective but have high performance overheads and require client programmes to be rewritten.

Stateful inspection, however, combines the best of the proxy and the packet-filtering worlds.

Ganesan dwelled on the encryption and decryption techniques that ensure the privacy of information over the Net.

The term 'key' is used here to indicate a string of digits and letters. When the same key is used for encryption and decryption it is called symmetric encryption. This is also known as 'private key' cryptography.

'Public key' cryptography involves two different keys and is also called asymmetric encryption. A good example of this would be RSA cryptography.

The key length would be the primary challenge in this arena. There are 40, 60, 80 and even 128-bit keys available. But 80-bit keys have already been broken!

Ganesan quoted some mind-boggling statistics. A 40-bit key can be broken in 0.2 seconds if $1 million is spent on the process and in just 2 microseconds if $1 billion is spent.

In comparison, a 128-bit key would take 10^18 years to break if $1 billion is spent and 10^13 years if $1 billion is utilised.
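As an added worked example (not part of the article or of Ganesan's talk), the arithmetic behind these figures: the two quoted 40-bit timings fix a keys-per-second rate for each hypothetical machine, and the search time for any other key length then follows, doubling with every extra bit. The machine names and rates are assumptions derived from the talk's numbers, not measurements.

```python
import math

# Calibration taken from the talk's two quoted figures for a 40-bit key:
# 0.2 s on a $1 million machine, 2 microseconds on a $1 billion machine.
# Both machines are hypothetical; the rates below are derived, not measured.
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MACHINES = {
    "$1 million": 2**40 / 0.2,    # keys per second implied by 0.2 s
    "$1 billion": 2**40 / 2e-6,   # keys per second implied by 2 microseconds
}


def brute_force_seconds(key_bits, rate, average=False):
    """Seconds to search a key_bits-bit key space at `rate` keys per second.

    average=True gives the expected time (half the space), which is what a
    brute-force search costs on average; the default is the worst case.
    """
    trials = 2 ** (key_bits - 1) if average else 2 ** key_bits
    return trials / rate


def brute_force_years(key_bits, rate, average=False):
    """Same as brute_force_seconds, expressed in years."""
    return brute_force_seconds(key_bits, rate, average) / SECONDS_PER_YEAR


def bits_to_survive(years, rate):
    """Smallest key length whose full search takes longer than `years`.

    The defender's question: how many bits keep a key out of reach of a
    given budget for the lifetime of the data it protects?
    """
    return math.ceil(math.log2(years * SECONDS_PER_YEAR * rate))


def key_length_table(key_lengths=(40, 56, 64, 80, 128)):
    """Years to exhaust each key length on each calibrated machine."""
    return {
        bits: {name: brute_force_years(bits, rate) for name, rate in MACHINES.items()}
        for bits in key_lengths
    }


if __name__ == "__main__":
    for bits, row in key_length_table().items():
        cells = ", ".join(f"{name}: {yrs:.3g} years" for name, yrs in row.items())
        print(f"{bits:>3}-bit  {cells}")
```

Run as written, the table reproduces roughly 10^18 years for a 128-bit key at the 0.2-second rate and 10^13 years at the 2-microsecond rate, and shows an 80-bit key falling within weeks on the faster machine, which is consistent with the claim that 80-bit keys have been broken.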
