Australian National University

Faculty of Engineering and Information Technology

COMP3410

Information Technology in Electronic Commerce

Tutorial 4 - Security Issues in E-Commerce

The first part of this is a tutorial to enable you to better understand the material covered in the lectures on security. The second part is hands on and gets you to use some tools to do some encryption, decryption, hashing and so on.

Tutorial

1. What is symmetric cryptography? Describe its characteristics.

2. What is asymmetric cryptography? Describe its characteristics.

3. Define the terms integrity, confidentiality, authentication and non-repudiation in the context of computer security.
4. How does RSA work? Given the RSA system, is DES of any use at all?

5. What is a digital signature? What services can it provide?

6. What is a public key certificate? How is it verified?

7. A session key distribution protocol using symmetric key cipher could be as follows:

   	(1) A -> B: A, Ek[Kab]
   	(2) B -> A: EKab[M]
   	

   where k is the secret key shared between A and B, Kab is the session key, and Ek and EKab stand for encryption with the secret key k and session key Kab, respectively.
   In the first step of the protocol, A says to B: "I am A, and I want to talk to you securely. Please find our session key encrypted with our secret key." In the second step, B replies to A with message M encrypted using the session key. Is there a security flaw in the protocol? What is it, if you can find one?

Lab

You will use two applications, md5sum and gpg in the lab session. You will need to run these from command line, so open up an xterm. Read the manual pages for these commands (use the command man) to find out about their usage.

1. Create a plain text file with some message in it. Use md5sum to generate a hash for this. Generate the hash again and make sure the two hashes are identical. Now change the file a little by, say, adding an extra space. Generate the hash again. Compare the two hashes.
2. Use gpg to do the following:

   1. Encrypt the file using symmetric key encryption. Decrypt the file and make sure the two are identical (you can use the diff command for this purpose).
   2. Generate a public/private key pair. Add this to your key ring. List information about this key and see what it contains.
   3. Encrypt the file using public-key cryptography. Decrypt this and check that the two are identical.
   4. Sign your file. Create a detached signature file, as well as a single file containing the message and the signature. Verify that the signature is correct.
   5. Exchange public keys with your friend. Encryt a message with his/her public key, send it and ask him/her to decrypt it. And vice versa. Do the same now, except that you encrypt the message with your private key.
   6. Send a signed message to your friend and get him/her to verify it.
   7. Now send a confidential, authenticated message to your friend and ask him/her to verify it.
   8. You can play around with removing a key from the key ring, adding new keys, changing the level of trust and revoking keys. Note that revoke permanently revokes the specified key and that there is no way to undo this.