E-commerce

Presentation transcript:

1 E-commerce
What are the relationships among:
– Client (i.e. you)
– Server
– Bank
– Certification authority (CA)
Other things to consider:
– How to set up your own online business
– The steps of a secure session
– Authentication
– Digital signature

2 Setting it up
You have products to sell.
Create a Web site
– Subscribe to Web hosting; acquire hardware and software as needed.
You need accounts with a bank, plus individual credit card merchant accounts, PayPal, etc.
Subscribe to an SSL/TLS certificate service
– E.g. VeriSign's certificate business was bought by Symantec in 2010 (and sold on to DigiCert in 2017).
Maintain a database of transactions
– E.g. individual purchases. Keep the payment processor's reference for each order rather than the full card number or CVV: card-industry rules (PCI DSS) restrict what a merchant may store.

3 Secure Web session
Here's one way to do it (RSA key transport, the method SSL and TLS up to 1.2 used).
Client wants to buy goods on the server's secure site.
Server sends its certificate to the client. The certificate carries the server's public key and the CA's signature over it.
– The client's Web browser verifies the certificate: it checks the CA's signature with the CA public key already shipped in its trust store and checks that the name in the certificate matches the site being visited. No round trip to the CA is needed for this; revocation checks (CRL/OCSP) are a separate step.
Client generates a random DES key, encrypts it with RSA under the server's public key, and sends it to the server.
Server uses its own RSA private key to decrypt the DES key.
Now both parties can communicate with DES.
Caveats: 56-bit DES is brute-forceable today, so current TLS uses AES. And because the session key is encrypted to the server's long-lived RSA key, anyone who later obtains that private key can decrypt recorded sessions; TLS 1.3 dropped RSA key transport in favor of ephemeral Diffie-Hellman for exactly this reason.

4 Notes
Why not just use RSA for everything?
– Symmetric encryption such as DES is much faster. RSA is used only to transport the DES key.
Client and server have "agreed" on a key, but we did not use Diffie-Hellman.
– The DES key was chosen by the client and sent to the server encrypted under the server's public key.
– Diffie-Hellman by itself can't authenticate: without certificates or signatures, a man in the middle can run one exchange with each side. That is why TLS pairs DH with certificate-based authentication.
Authentication goes both ways
– The CA vouches for the server's identity to the client (you), via the signed certificate.
– The bank vouches for the client (you) to the server: the card issuer authorizes the payment, so the server relies on that authorization rather than on a client certificate.

5 Digital signature
A closely related concept using RSA.
Purpose: verify the sender and the integrity of a message.
– Useful when resolving disputes: non-repudiation.
When A sends a message to B:
– hash(message) -> A's private key -> D.S.
– Append the D.S. to the message.
B receives the message (with D.S.) from A:
– Separate the D.S. from the body of the message.
– D.S. -> A's public key -> output
– Verify that the output matches hash(message).
(The message is hashed first to save time, and because RSA can only sign a value smaller than its modulus. Real implementations also pad the hash, with PKCS#1 v1.5 or PSS, before the private-key operation.)
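The following is an added example, not part of the original slides: it runs the slide-3 exchange (client chooses a symmetric key, wraps it with the server's RSA public key, server unwraps it, both sides encrypt with it) and the slide-5 signature (hash, private-key operation, public-key check) end to end using only the Python standard library. Assumptions: RSA is implemented as textbook modular exponentiation with no OAEP/PSS padding so the math on the slides stays visible, the key size is 512 bits for speed, and a counter-mode keystream from HMAC-SHA256 stands in for DES because the standard library ships neither DES nor AES. The order and agreement strings are constructed sample inputs. Production code should use a vetted library (and TLS itself) rather than this.

```python
"""Added example: hybrid RSA/symmetric session (slide 3) and RSA signature
over a hash (slide 5), stdlib only.  Textbook RSA: illustration, not for use."""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, error < 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness proves n composite
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)); e = 65537 as in practice."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # d = e^-1 mod phi (Py >= 3.8)


def rsa_public_op(key, x: int) -> int:            # encrypt, or check a signature
    n, e = key
    if not 0 <= x < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(x, e, n)


def rsa_private_op(key, x: int) -> int:           # decrypt, or create a signature
    n, d = key
    return pow(x, d, n)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for DES (assumption): counter-mode keystream from HMAC-SHA256.
    XOR is symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def secure_session(server_pub, server_priv, plaintext: bytes):
    """Slide 3: client picks the symmetric key and wraps it with the server's
    RSA public key; the server unwraps it and decrypts the client's data.
    Returns (key_matched, plaintext_as_read_by_server)."""
    # client side
    session_key = secrets.token_bytes(8)          # 64 bits, the size of a DES key
    wrapped = rsa_public_op(server_pub, int.from_bytes(session_key, "big"))
    nonce = secrets.token_bytes(8)
    ciphertext = stream_xor(session_key, nonce, plaintext)
    # server side: only the holder of the private key can unwrap the key
    unwrapped = rsa_private_op(server_priv, wrapped).to_bytes(8, "big")
    return unwrapped == session_key, stream_xor(unwrapped, nonce, ciphertext)


def sign(priv, message: bytes) -> int:
    """Slide 5: hash, then apply the private key (no padding: textbook only)."""
    return rsa_private_op(priv, int.from_bytes(hashlib.sha256(message).digest(), "big"))


def verify(pub, message: bytes, sig: int) -> bool:
    """Apply the public key and compare with the hash of the received message."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    try:
        return rsa_public_op(pub, sig) == h
    except ValueError:                            # signature larger than modulus
        return False


if __name__ == "__main__":
    pub, priv = generate_keypair(512)
    ok, text = secure_session(pub, priv, b"order: 1 widget")   # constructed input
    print("session key agreed:", ok, "| server read:", text)
    s = sign(priv, b"I agree to pay 42.00")
    print("valid:", verify(pub, b"I agree to pay 42.00", s),
          "| tampered:", verify(pub, b"I agree to pay 43.00", s))
```

Two things the slides leave implicit show up directly in the code: the value handed to RSA must be smaller than the modulus, which is why the message is hashed before signing and why a tampered-with or oversized signature is rejected rather than crashing; and the same private-key exponentiation serves both decryption and signing, with only the padding scheme (absent here) distinguishing the two in real implementations.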

