In our last article, we looked at the essential elements associated with ensuring that a valid contract has been entered into between two parties. To recap, these essential elements are authenticity (you are dealing with who you think you are dealing with), confidentiality (no one else is privy to the details of the transaction), integrity (information communicated with the recipient is received unaltered) and non-repudiation (the sender cannot deny having been the author of the communication). Let us for a moment review how these things are achieved in traditional paper-based commerce and communication. Let us say Jane runs a small business and she wishes to purchase a number of items from Widget Corp., run by another small business owner, John, in the United Kingdom. For convenience we are going to ignore, for the moment, how the owners of these two companies established business relations in the first place. We are considering the situation where a relationship has already been established, and these business owners wish to enter into a specific transaction.
To order the items from Widget Corp in the UK, Jane will send them a purchase order which she signs. Insofar as John at Widget Corp has already by some means acquired a specimen of Jane’s signature, Widget feels assured that she indeed sent the purchase order. The signature assures them of authenticity. Depending on the level of confidentiality required, transmission of the purchase order could have been undertaken by ordinary mail, courier, fax, etc., or it could even have been delivered in person. All of these are essentially “best effort” delivery services, but generally we depend on the post offices, courier services and telephone networks to deliver our messages to the intended recipients and to no one else. In extremely sensitive cases, closed secure communications networks may be used, or the actual document may be written in some code or cipher, the key to which is by some means known to the receiver.
In order to ensure that what is sent is what is delivered, a number of devices are usually used. In multi-page documents, sometimes each page is signed or initialed so that no one page can be substituted without having recourse to forging the initials or signature. Additionally, any corrections or alterations to the final paper copy are usually initialed. If Jane’s purchase order ran into multiple pages, she would initial each page and sign in the designated spot. Initialing each page makes it more difficult for someone to violate the integrity of that document. Additionally, in case of a dispute, say Jane contested that page two of a seven-page order was not the same as that which she sent, the actual paper would also be examined for consistency, watermarks, age, constitution of ink, etc.
The signature (and the process of initialing if used) is also the device that is meant to ensure non-repudiation. The property of non-repudiation is assumed to hold in this case, based on the assumption that no two persons write exactly alike thus even an excellent forgery is distinct from an original signature and is therefore detectable. Or even more fundamentally, given a specimen of any person’s handwriting, the expert is assumed to be able to tell whether any other specimen (such as a signature in dispute) was made by the same person.
We have seen in traditional paper-based commerce how these elements of authenticity, confidentiality, integrity and non-repudiation are assured. Authenticity, integrity and non-repudiation are essentially assured through the device of a signature (though sometimes other sophisticated means are used to detect forgery), while confidentiality is protected by the various means through which the actual message is delivered from Company A to Company B and whether it is coded or encrypted.
Securing these elements for electronic commerce is based on the mathematical discipline of cryptology, and I mention this mathematical origin to stress that such disciplines are fundamental to the applied sciences that constitute information and communications technology. To return to cryptology in the context of e-commerce: in the simplest conception, we would have three elements, namely a message, an encrypting function or programme, and a key. The unencrypted message is usually referred to as a “cleartext message” or simply “cleartext”, while the encrypted message is usually referred to as “cyphertext”. The key can be thought of as a password on which the encryption is based.
In order to encrypt a given message, you supply both the message and the key to the encrypting programme, which outputs an encrypted form of the message (cyphertext) that is unintelligible. It is important to note that the cyphertext is a function of both the message and the key; that is to say, given the same message, if a different key is supplied to the encrypting programme, a different stream of cyphertext will result. This is important for distinguishing messages sent by different persons. In order to decrypt the message, you supply the programme with the encrypted message and a key, and the programme returns the cleartext message. Now hopefully the preceding was not all cyphertext to readers.
The most important model at the foundation of securing electronic transactions, and of rendering them valid records of agreements between parties, is based on asymmetric key encryption. In the preceding description of the encryption/decryption process, many people may have assumed that the key (password) used to encrypt the message is the same key used to decrypt the message. If so, this would be an example of symmetric key methods, with which most people would be instinctively and intuitively familiar. With asymmetric methods, the keys for encryption and decryption are different (thus asymmetrical).
This asymmetry is extremely useful for the purposes of making electronic documents valid records of agreements entered into by parties. To see why this is so, consider the purchase order exchanged between Jane and John. With a symmetric key, Jane must know the key (password) to encrypt the message containing the purchase order, and John must also know the key to decrypt the message because the encrypting and decrypting keys are one and the same. In the event of a dispute, we cannot say with certainty that either Jane or John was the originator of the message, since they both have (and must have) access to the password. With an asymmetric key model however, Jane can use one key to encrypt the message which is sent to John who can then decrypt it with the other key. The encrypting key used by Jane does not have to be known to John in order for him to decrypt her message.
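The contrast between the two models can be seen in a short Python sketch, added here as an illustration and not part of the original article. It assumes an HMAC tag as the shared-key operation and toy textbook RSA (tiny, unpadded parameters, unsuitable for real use) as the two-key operation; the order text, key and function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the article).
ORDER = b"Purchase order: 500 widgets, from Jane to Widget Corp"
ALTERED = b"Purchase order: 5000 widgets, from Jane to Widget Corp"
SHARED_KEY = b"key known to both Jane and John"

def symmetric_tag(key: bytes, message: bytes) -> bytes:
    """Symmetric case: a keyed tag that anyone holding `key` can compute."""
    return hmac.new(key, message, hashlib.sha256).digest()

def symmetric_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(symmetric_tag(key, message), tag)

# Asymmetric case: textbook RSA over two well-known Mersenne primes.
# Toy parameters for illustration only: far too small and unpadded for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                          # public modulus
E = 65537                          # public key half, known to John
D = pow(E, -1, (P - 1) * (Q - 1))  # private key half, known only to Jane

def digest_as_int(message: bytes) -> int:
    """Hash the message and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def jane_sign(message: bytes) -> int:
    """Jane transforms the digest with her private key D."""
    return pow(digest_as_int(message), D, N)

def john_verify(message: bytes, signature: int) -> bool:
    """John reverses the transform using only the public values E and N."""
    return pow(signature, E, N) == digest_as_int(message)

def compare_models() -> dict:
    janes_tag = symmetric_tag(SHARED_KEY, ORDER)
    johns_tag = symmetric_tag(SHARED_KEY, ALTERED)  # John needs nothing from Jane
    signature = jane_sign(ORDER)
    return {
        "john_can_reproduce_janes_tag": symmetric_tag(SHARED_KEY, ORDER) == janes_tag,
        "different_key_changes_output": symmetric_tag(b"another key", ORDER) != janes_tag,
        "john_made_tag_accepted": symmetric_verify(SHARED_KEY, ALTERED, johns_tag),
        "signature_verifies": john_verify(ORDER, signature),
        "signature_on_altered_order": john_verify(ALTERED, signature),
    }

if __name__ == "__main__":
    for name, value in compare_models().items():
        print(f"{name}: {value}")
```

With the shared key, a tag John computes on an altered order is accepted exactly as Jane's would be, so the tag cannot settle who originated the message; with the key pair, John can check Jane's signature using only public values, and the same signature fails on the altered order.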
While cryptology is usually associated with ensuring secrecy or privacy of communication, with even this little example the potential utility of this science in terms of providing for digital signatures, which are at the basis of e-commerce, should be emerging in the mind of the reader. In our next article, we develop more fully the technical basis on which asymmetric key encryption assures the fundamental elements of recording transactions. We will also see that the financial crisis forces John to fold his small business, but he luckily finds a job at another small company in the UK called Cell2AllComers. Jane remains at her small business, Cybercrime Reduction Investigation, and Management Enterprises (C.R.I.M.E.) Incorporated, where she comes into contact with her old friend John during the course of trying to purchase a cellular intercept machine to use in the course of her work.