|
|
|
|
|
|
Lesson#24
|
SYMMETRIC KEY ALGORITHMS
|
|
|
|
Cryptographic algorithms are measured in terms of key length.
Following is the list of some popular
symmetric key algorithms:
DES (Data Encryption Standard) – 56 bits
IDEA (International Data Encryption Algorithm (IDEA) – 128 bits
RC2 – (block cipher) 1-2048 bits
RC4 (stream cipher) – 1-2048 bits
Rinjdael – 128-256 bits
Attacks on Symmetric Key Algorithms
Following attacks have been reported on symmetric key
algorithms:
Key Search Attacks
Cryptanalysis
System-based Attacks
Key Search (Brute Force) Attacks
In this type of attack an attempt is made by the attacker to
decrypt the message with every possible key.
Thus, the greater the key length, the more difficult it is to
identify the key.
Cryptanalysis
Encryption algorithms can be defeated by using a combination of
sophisticated mathematics and computing
power so that many encrypted messages can be deciphered without
knowing the key. Such type of an attack
is called cryptanalysis.
System-Based Attacks
In it the attack is made on the cryptographic system that uses
the cryptographic algorithm without actually
attacking the algorithm itself.
Public Key Algorithms
Following is the list some popular public key algorithms:
DSS – Digital Signature Standard based on DSA (Digital Standard
Algorithm) –
key length is between 512-1024 bits
RSA
Elliptic Curves
Attacks on Public Key Algorithms
Key Search Attacks
The public key and its corresponding private key are linked with
each other with the help of a large
composite number. These attacks attempt to derive the private
key from its corresponding public key using
that number. According to an estimate 1024 bit RSA public key
may be factored due to fast computers by
2020. Note that both symmetric and asymmetric algorithms are
based on different techniques. In case of
109
asymmetric algorithms the increase in key length does not much
increase the difficulty level for the attacker
as compared to symmetric algorithms. Thus, a 128-bit RC2
symmetric key may prove to be much stronger
than a 1024 bit RSA asymmetric public key.
Analytical Attacks
Such attacks use some fundamental flaw in the mathematical
problem on which the encryption system itself
is based so as to break the encryption.
Quantum computing is the branch of computer science that deals
with the development of cryptographic
algorithms. It can also be used to find flaws in the
cryptographic system/algorithms and to launch attacks.
Electronic Payment Systems
Most of the electronic payment systems on internet use
cryptography in one way or the other to ensure
confidentiality and security of the payment information. Some of
the popular payment systems on internet
include the credit-card based payment systems, electronic
checks, electronic cash, micro-payment systems
(milicent, payword etc.)
The Process of Using Credit Cards
It may be useful to see how payment is made through a credit
card in the traditional sense. Fig. 1 below
shows the steps to be followed in this regard:
Issuer Bank
Cardholder Account
Acquirer Bank
Merchant Account
Card Brand
Card Holder
1.Issue Credit Card
Merchant
2. Show
Credit Card
4. Capture
3. Authorization
1.Issue Credit Card
6. Amount Transfer
5. Payment Request
Fig. 1
1. A potential cardholder requests an issuing bank in which the
cardholder may have an account,
the issuance of a card brand (like Visa or MasterCard). The
issuing bank approves (or denies)
the application. If approved, a plastic card is physically
delivered to the customer’s address by
mail. The card is activated as soon as the cardholder calls the
bank for initiation and signs the
back of the card.
2. The cardholder shows the card to a merchant whenever he or
she needs to pay for a product or
service.
3. The merchant then asks for approval from the brand company
(Visa etc.) and the transaction is
paid by credit. The merchant keeps a sales slip.
110
4. The merchant sends the slip to the acquirer bank and pays a
fee for the service. This is called a
capturing process.
5. The acquirer bank requests the brand to clear for the credit
amount and gets paid.
6. Then the brand asks for clearance to the issuer bank. The
amount is transferred from issuer to
brand. The same amount is deducted from the cardholder’s account
in the issuing bank.
Note that in case of a credit card the issuer bank charges
interest from the client at a specified rate on the
amount lent. On the other hand, in case of a debit card no such
interest is payable since the customer uses
his/her own money in that case.
Virtual PIN Payment System
It is one of the earliest credit card-based systems launched for
the internet in 1994 by a company; First
Virtual Holdings, Inc. Virtual PIN system does not involve the
use of encryption. Payment is made through
the credit card in this system. The objective was to allow the
selling of low-value information items without
the use of any special client software or hardware.
Both merchants and buyers are required to register with First
Virtual (FV). A buyer registering with FV
forwards his or her credit card details and email address to FV
and in exchange receives a pass phrase called,
Virtual PIN. Buyer makes a telephone call to FV to provide
his/her credit card number. FV establishes a
link between the Virtual PIN and the credit card number without
using the credit card number on the
network. A Merchant goes through a similar registration process.
He provides his bank details to FV and is
given a merchant Virtual PIN. The merchant can now request to
process payments from registered FV
customers. The transfer takes place with the help of Automated
Clearing House (ACH) service. Note that
an ACH is a centralized system to which different banks are
electronically connected forming a network for
clearing payment requests. At the end the payment proceeds from
the credit card issuer bank to the account
of the merchant with acquirer bank (merchant’s bank) through
ACH, after FV deducts a per-transaction
charge for its services.
Fig. 2 below shows the working of Virtual PIN payment system.
Buyer
2. Account ID Valid?
3. Account OK!
5. Transaction Details
1. Account ID
4. Information
Goods 6. Satisfied?
7. Accept/Reject or
Fraud Indication
Web Server
(Selling
Goods)
Web Server
(Selling
Goods)
First Virtual Internet
Payment System
Server
First Virtual Internet
Payment System
Server
Buying with First Virtual
Fig. 2
A buyer browses the web server where FV registered merchant is
selling goods. The buyer is asked to enter
his/her Virtual PIN by the merchant site
(step 1).
Merchant queries the FV Internet Payment System
Server (FVIPSS) to confirm Virtual PIN (step
2). If Virtual PIN is not blacklisted
(step 3),
the merchant
111
may acknowledge this fact to the buyer by email and sends the
goods, and also sends transaction details to
FV (steps 4 & 5).
FVIPSS or simply FV server sends email to the buyer if the goods were
satisfactory
(step 6). There are
three possible answers to that
(step 7). If the answer is “accept”
then the payment
proceeds, in case the answer is “reject” it means that either
the goods have not been received or the buyer is
not satisfied with the quality of goods. Then the payment is not
made to the merchant. If the answer
indicates “fraud” it means that the goods were never ordered. In
such an eventuality the FVIPSS
immediately blacklists Virtual PIN so that it cannot be used in
the future.
Time period may be a few minutes to a few days for answering the
email in step no. 6 above, otherwise
FV shall proceed to arrange the payment. If a Virtual PIN has
been stolen and the buyer does not
indicate fraud within the time period for answering the said
email the bogus transactions are possible
before the Pin is finally blacklisted. A stolen credit card
number can also be used to set up Virtual PIN
associated with an email address controlled by the attacker to
carry out bogus transactions.
|
|
|
|
|