Use Digital Signature in E Commerce

(1)

Use Digital Signature in E-Commerce

Firas Amer Mohammed

Ministry of higher Education and Scientific Research [email protected]

Abstract

In recent years we have seen that almost anything has found its place in cyberspace. The internet revolution makes the commerce more easy and flexible, in the other hand people used internet have to protect their trade and authenticated other side.

In this work, some relative systems with proposed method were illustrated, then selected subsystems are described, real results were discussed.

The performance of system were tested by two ways actual consuming time for proposed system, proposed system applies RSA as strong asymmetric cryptosystem Algorithm for providing authentication, as well as using SHA-1 as hashing function Algorithm for providing integrity.

Keywords

Digital Signature, Digital signature algorithms, Electronic- commerce, E-commerce, Hash function,SHA-1Algorithm, RSA Algorithm, modular arithmetic, modular power.

1. Introduction

E-Commerce (Electronic Commerce) is a modern term describing the growing of on-line economy. Since the Internet began, thousands of new companies have come in to existence and are trading goods and services electronically. The E-Commerce business may be for products sold directly to the consuming public or directly to other businesses B2B (Business to Business trade). E-Commerce is conducted with low overhead and in most cases without even storefronts. [Tla06]

Electronic Commerce offers a variety of benefits: faster disclosure of the most advantageous provider of the desire product or service in an optional location in the world at the optional time; more affordable business transactions in connection with market, design, production, flow of orders and transport. Therefore possibilities are opening for an interactive communication also among the customers, who have never been in a business or similar relationship. New business possibilities are available, thus creating new ways for increasing of production and decreasing of costs and new ways to approach the customers. [Sma08]

2. Basic Function of Electronic-Commerce Systems

Electronic commerce support on-line buying that will be in the billions of dollars in 2009. Electronic sales in a recent quarter are double those of the entire previous year .In some instance, companies create electronic-commerce capabilities out of a fear of falling behind competitors or as a result of the general momentum to expand the use of an existing Internet presence, but the primary value proposition is the prospect of increased revenue from new markets and creation of new, lower-cost, electronic-distribution channels.

 Customer's perspective

(2)

The need of digital signature

Every day, people sign their names to letters, credit card receipts, and other documents, demonstrating they are in agreement with the contents. That is, they authenticate that they are in fact the sender or originator of the item. This allows others to verify that a particular message did indeed originate from the signer. However, this is not foolproof, since people can 'lift' signatures off one document and place them on another, thereby creating fraudulent documents. Written signatures are also vulnerable to forgery because it is possible to reproduce a signature on other documents as well as to alter documents after they have been signed.

Digital signatures and hand-written signatures both rely on the fact that it is very hard to find two people with the same signature. [Rla07]

The fast development of computer network has facilitated electronic commerce; many business transactions are now shifting to the Internet. On the other hand, dispute of transactions is a common problem that could jeopardize business. For instance, the following disputes may arise when transferring an electronic messagemfrom Alice to Bob.

 Alice claims that she has sentmto Bob while Bob denies having received it; (repudiation of delivery).

 Bob claims that he received m from Alice while Alice denies sending it; (repudiation of origin).

In order to settle these disputes by a third party arbitrator, Alice and Bob need to present evidence to prove their own claims. Digital signature is an important security mechanism for generating non-repudiation evidence, and is receiving legal recognition. [Aei03]

Digital signature and E-Commerce

Paper-based documents, such as a letters and contracts, have historically been manually signed to indicate that the signer verifies the integrity of the contents and stands ready to uphold any promises contained within. Hand written signatures have been particularly regarded as a good authentication method since they carry certain peculiarities that make them easy to perform, verify and tie to its authors. But something as easy to accomplish in the tangible world looses most of its value in the virtual world. Prior to automated copying machines, it was much more difficult to duplicate or modify the original document along with the handwritten signature. Now that documents are stored and transferred in electronic form, the ability to manually sign the electronic document has largely disappeared along with the protection and degree of trust that the signature offered.

Yet Commerce is highly dependable on trust. The development of trust between businesses, consumers and other stakeholders is seen as crucial to the expansion of e-business markets and the full exploitation of technological developments in this area. The explosive growth of the internet, its vulnerabilities, and the lack of clear rules in international e-commerce have raised legitimate concerns with respect to the adequacy of consumer protection measures in the on-line environment. Many studies show that one of the main reasons for which people decide not use the internet for commercial purpose is the lack of confidence in the new environment .

(3)

of an electronic document. Policies governing the collection of information for digital signatures, and the architecture and legal liabilities associated with these technologies, raise important privacy and consumer protection issues. [Ela09]

3. One-way Function

A one-way function is a mathematical function that is significantly easier to compute in one direction (the forward direction) than in the opposite direction (the inverse direction). It might be possible, for example, to compute the function in the forward direction in seconds but to compute its inverse could take months or years, if at all possible. A trapdoor one-way function is a one-way function for which the inverse direction is easy given a certain piece of information (the trapdoor), but difficult otherwise.[Rla07].

One-way functions are relatively easy to compute, but significantly harder to reverse. That is, given x it is easy to compute f(x), but given f(x) it is hard to compute x. In this context, "hard" is defined as something like: It would take millions of years to compute x from f(x) even if all the computers in the world were assigned to solve the problem. [Wik08]

The notion of a one-way function is central to public-key cryptography.

All public key algorithms are based on one way function, which depend on this fact:-[Bsc95]

A function f is a "one way function" if: (a) y =f(x) is easy to compute, (b) x=f-1_(y) _{is very hard to compute}

Modular Arithmetic

Modular arithmetic is the commonly used arithmetic in public key cryptography. Modular arithmetic deals only with integers. Since it involves no floating-point operations, the mathematical calculations are more accurate and efficient than the real number arithmetic. Modular arithmetic over a number n involves arithmetic operations on integers between 0 and n – 1, where n is called the modulus. If the number happens to be out of this range in any of the operation the result, r, is wrapped around in to the range 0 and n – 1 by repeated subtraction of the modulus n from the result r. This is equivalent in taking the remainder of division operation r/n.

For e.g. for modulo 23 arithmetic n=23, Let a=15, b=20

(a+b) mod n = (15+20) mod 23 = 35 mod 23 = 12

Since the result of a+b=35 which is out of the range [0, 22], the result is wrapped around in to the range [0 22] by subtracting 35 with 23 till the result is in range [0, 22].

a mod b is thus explained as remainder of division a/b.

Subtraction and multiplication can also be explained similarly.

A negative number is added repeatedly with n till it can be represented in the range [0, n-1]. The modular division a/b mod p is defined as

(a*b-1_{) mod (p* b}-1_{) is the multiplicative inverse of b.}

Multiplicative inverse of number b with respect to mod p is defined as a number b-1_such that ( b*b-1_{) mod p = 1.}

(4)

Modular arithmetic is a congruent relation. Congruence is shown by the symbol ‘≡’. For a' modulus n two numbers a and b are said to be congruent if a mod n = b mod n. i.e. a ≡ b (mod n) if, a mod n = b mod n

For example consider the modulus 7 i.e. n = 7

Then the numbers 2, 9, 16, 23 etc are congruent to each other since (2 mod 7) = (9 mod 7) = (16 mod 7) = (23 mod 7) etc.

4. Properties of Modular Arithmetic

P1.a≡b mod n implies a–b=k*n, where k is an integer

P2.a mod n + b mod n ≡ a+b (mod n), also true for other operators ‘-’, ‘*’ P3.a+b≡b+a (mod n) , also true for other operators ‘-’and‘*’

P4.a≡a mod n

P5.a≡b mod n implies b≡a mod n

P6. Fermat’s little theorem, if M and p are coprime (two numbers are coprime if their greatest common divisor equal 1) then Mp-1≡1(mod p)

P7. If p and q are coprime and also if a≡b(mod p) and a≡b(mod q) then a≡b(mod pq). [Ano09]

5. Public-key Cryptosystem

Public-key cryptosystems are based on one-way functions. The public key gives information about the particular instance of the function; the private key gives information about the trapdoor. Whoever knows the trapdoor can compute the function easily in both directions, but anyone lacking the trapdoor can only perform the function easily in the forward direction. The forward direction is used for encryption and signature verification; the inverse direction is used for decryption and signature generation.

In almost all public-key systems, the size of the key corresponds to the size of the inputs to the one-way function; the larger the key, the greater the difference between the efforts necessary to compute the function in the forward and inverse directions (for someone lacking the trapdoor). For a digital signature to be secure for years, for example, it is necessary to use a trapdoor one-way function with inputs large enough that someone without the trapdoor would need many years to compute the inverse function (that is, to generate a legitimate signature).

All practical public-key cryptosystems are based on functions that are believed to be one-way, but no function has been proven to be so. This means it is theoretically possible to discover algorithms that can compute the inverse direction easily without a trapdoor for some of the one-way functions; this development would render any cryptosystem based on these one-way functions insecure and useless. On the other hand, further research in theoretical computer science may result in concrete lower bounds on the difficulty of inverting certain functions; this would be a landmark event with significant positive ramifications for cryptography. [Rla07]

Public-key is commonly used to identify a cryptographic method that uses an asymmetric-key pair: a public-key and a private-key. Public-key encryption uses that key pair for encryption and decryption. The public-key is made public and is distributed widely and freely.

(5)

 RSA Algorithm

In cryptography, RSA is an algorithm for public key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. [Wik09]

RSA gets its security from the difficulty of factoring large numbers. The public and private keys are functions of a pair of large 1100 to 200 digits or even large prime numbers. Recovering the plaintext from the public key and the cipher text is conjectured to be equivalent to factoring the product of the two primes.

 Digital Signature Algorithm (DSA)

DSA is an algorithm for creating signatures. Unlike other public key algorithms like the RSA algorithm, it can only sign and cannot encrypt information.

DSA was made public on August 30, 1991 in the Federal Register. [NIST] (The American National Institute of Standards and Technology) proposed this brand new, unproven algorithm as the national standard for digital signatures, over the well known and widely used RSA[ Drs95].

DSA was developed primarily by David Kravitz, an employee of the shadowy NSA. It was later revealed that the NSA forced NIST to adopt DSA over RSA as part of the NSA's strategy of delaying the deployment of strong crypto. Because DSA could only sign and not encrypt, products that used DSA for signatures would not get encryption "for free".

The algorithm DSA uses internally is restricted to signing of messages of exactly 160 bits, so the DSA first computes the SHA1 hash of the real message and signs that. This means that DSA implicitly relies on the cryptographic security of SHA1, and any flaw in that algorithm will alsocompromiseDSA.[ Yda96]

6. ElGamal Signature Scheme

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete algorithms. It was described by Taher ElGamal in 1984.The ElGamal signature scheme allows that a verifier can confirm the authenticity of a message m sent by the signer sent to him over an insecure channel. [Tel85]

 Security

A third party can forge signatures either by finding the signer's secret key x or by finding collision in the hash function H(m) ≡ H(M) (mod p-1). Both problems are believed to be difficult.

(6)

7. Complexity of Proposed System

The complexity concerns itself with the computational complexity of algorithms, giving us an upper bound on their computing requirements. The computational complexity of an algorithm involves both the CPU time requirements and the memory requirements of said algorithm. Even if an algorithm is very fast (i.e. its time requirements are low), if it requires a prodigious amount of memory, it will not be practical. One of the advantages of describing the complexity of an algorithm in this manner is that it is not tied to any particular computer system. The complexity of an algorithm is the same whether you are running it on any type of computers. It will become apparent that seemingly huge differences in CPU power are negligible compared to the order-of-magnitude complexity .

When determining the complexity of an algorithm, we are measuring how fast the computing requirements grow as the size of the input grows. We express this in “Big O” notation, usually using the variable n as the size of the input. We only pay attention to the fastest growing element of the algorithm, ignoring all constants and slower growing elements. So if you discover that an algorithm takes 2n3₋ _3n₊₁_{steps to complete, we say}

that its complexity isO (n3₎_{. For this algorithm, if the length of input}_n_{increases by one bit,}

the running time will increase by approximately 3n2 ₊ _3n ₊₁ _{time units. In Table}

(2),illustrates the various classes of algorithms and examples of their running times. From this table, it is apparent that if you have a cryptographic algorithm that requires exponential time to break, you can rest assured that, barring any fantastic leaps in the computer industry, it will not be broken.

Table (2) Complexity Order

Class Complexity # of Operations_{for n= 10}6 Time at 106O/S

Constant O(1) 1 1μsec.

Liner O(n) 106 _1sec.

Quadratic O(n2₎ ₁₀12 _{11.6 days}

Cubic O(n3₎ ₁₀18 _{32,000 yrs.}

Exponential O(2

n₎

10301,030

1030,000 _{times the age of} the universe

The first four classes in the table above are said to be polynomial, i.e. they can be solved in polynomial time. As you can see, problems requiring exponential time grow at astronomical rates. There is a subset of exponential algorithms, ones that are called super polynomial. Their complexities areO (cf (n)₎_{where c is a constant and}_{f (n)}_{is more complex}

than constant but less than linear. [Jsa08]

(7)

While the complexity of our project depends on the type of hash function and length of private key and other functions (intruder needs to know this information to break the system), the length of private key is 20 bits(to facilitate the computational operations), in spite of this length is relatively small but intruder needs 1048576 operations to know the private key, and other complexities will suppose to be x, then the overall complexity value will be approximately (220_{+x). The notation is O(2}n_{) where n=20 means the complexity is} higher than 220_{when we neglect the value of other functions x.}

8. Experiments Description

 First experiment:

In this form the user print the received message in a textbox and then clicked on the command "generate hash value (1) from the received message" to display hash value (1) and then the user clicked on the command "show signature" to display the signature, after that the user clicked on the command "decipher the signature to generate the hash value (2)" to display hash value (2), at the end the user clicked on the command "compare" to display the result whether the signature is valid or not valid. This form contain note tell the user about the signature if it is an authoritative or not.

Figure (1) First Experiment

By assuming that the message and hash value received without corruption, the user must entered the received message in textbox ,and clicked on the command “ generate hash value (1) from the received message” to display the hash value of the received message ,the command “show signature” will display the send’s message ,by clicking in the command “ decipher the signature to generate the hash value (2)”, the hash value (2) will displayed ,when the user click on the command “compare” the result of the verification will displayed.

[image:7.595.173.454.293.533.2]

(8)

 Second experiment:

Figure (2) Second Experiment

By assuming the received message is not matched the send

message:-Suppose the user enter a different message when the user clicked on the command "generate hash value (1) form the received message" hash value (1) will generate, the signature is displayed by using the command "show signature", to display hash value (2) the user clicked on "decipher the signature" to generate the hash value (2) and used the command “compare” to generate the result, which is "not valid" because the sent message is not matched the received message

 Third experiment:

Figure (3) Third Experiment

By assuming the received signature is not matched the send’s

[image:8.595.173.456.110.329.2] [image:8.595.174.454.466.674.2]

(9)

In this experiment the result will be not valid because the sent signature is not matched the received signature.



_{Form 1 (Help)}

Figure (4) Form1 (Help) This form explain the mechanism of the digital signature.

9. Conclusion

SHA-1 algorithm has been used as a hash function which work as a compression function that takes input message and return a shorter fixed length as output (unique 160 bit), SHA-1 enable us to ensure the integrity of the received message .

Also the RSA algorithm was used for key generation and to encrypt the hash value by using private key of the signer to generate the signature.

[image:9.595.85.518.123.396.2]

(10)

Refrences

[Tla06] Tandon Laxaman, "E-commerce", Mohit publications, New Delhi, 2006. [Sma08] Silie Marin, " Electronic commerce and Electronic signature Act", 2008

viewed on December 13, 2008 atWW :http:// www.e_ uprava. gov. si/ end/e _ uprava /en/ECAS_Act_in_English.pdf.

[Rla07] RSA Laboratories," Crypto FAQ, Simple Application of cryptography", 2007, viewed on January 12, 2009 at WWW:http://www.rsa.com/rsalabs/nod.asp

[Aei03] Abd El-Salam,"Public Key Cryptosystems and its Application in Digital Signature", 2003, viewed on January 14, 2009 at

WWW:http://www.icict.gov.eg/icict2003/papers/certification%20in%20e-services/Nareman%20paper.pdf

[Ela09] Eitel .M.Lauria,"digital Signatures A gateway to trustable electronic commerce", 2001,viewed on January 20, 2009 at WWW:http://www.commerec.state.ut.us

[Ano09] Anoop MS, "Public Key Cryptography", viewed on February 02, 2009 at

WWW:http://www.tataelxsi.com/whitepapers/pub-key2.pdf2.pdf-id=publickey_TEL.pdf

[Bsc95] Bruce Schneier,"Applaied Cryptography", 1995.

[Wik08] Wikipedia, "Cryptographic hash function", viewed on February 10,2008atWWW:http://www.en.wikipedia.org/wiki/cryptographic_hash_function [Nca97] Nick Carruthers,"Digital Signature Schemes", 1997, viewed on February 12, 2009

atww.unc.edu / ^ carrutt /Nick_carruthers_thesis.pdf

[Wik09] Wikipedia, The free encyclopedia,"RSA Security" viewed on January 03, 2009 at www:http: //www. en.wikipedia .org /wiki/RSA_91k

[Yda96] Youd David, "An introduction to Digital Signature", 1996 viewed on December 30,2008 at www:http://www.Youdzone.com /Signature.html

[Tel85] Taher ELGamal, "A public Key Cryptosystem and a Signature scheme Based on Discrete Logarithms", 1985, viewed on February 15, 2009 at www:http://www.en,wikipedia.org/wiki/ElGamal_signature_scheme