Understanding Internet Security

Security over the Internet is a big issue. Some surveys show that 90 percent of Internet users are concerned about Internet security. Fear of Hackers getting your credit card number; someone altering an e-mail message; making sure you are communicating with the person or organization you intend to communicate with. These are all valid concerns, but they need to be examined in the context of our currently accepted "non-Internet" communications and transactions. It often comes as a surprise to many that the security measures applied to accessing this data via the Internet are often much tougher than the measures currently used for releasing the same data over the telephone.

DEFINITIONS

In order to understand Internet security, we need to understand some standard security principles.

• Authentication – Making sure that you are dealing with who you think you are dealing with;
• Non-repudiation – Ways of proving that a communication or transaction was sent or received by an individual;
• Integrity – Determining if data has been tampered with;
• Confidentiality – Making sure the information is made available only to those authorized to receive it;
• Encryption – A way of "coding" information so that it can only be read by the intended receiver;
• Digital Signature – Data that is attached to, or used in the "coding" of, a message or transaction that ensures the identity of the sender and the integrity of the information.

At the present time, there are basically three levels of security available over the Internet. The choice as to which level of security is necessary depends upon the purpose of the transaction and sensitivity of the data that will be captured and transmitted.

The first level of security for Internet transactions involves Secure Sockets Layer (SSL) encryption of identifying data for transmission.  It is one-way security to the Internet host, or merchant.  Most E-commerce merchants use this method to secure the information being transmitted.

Secure Sockets Layer (SSL) is a protocol designed to provide privacy between a web client (you) and a web server. The protocol begins with a handshake phase that negotiates an encryption algorithm and keys and authenticates the server to the client.  Once the handshake is complete and transmission of application data begins, all data is encrypted using the session keys negotiated during the handshake.

In plain English, this means that when your browser connects to a secure web site, the web server and your browser establish a formula that will be used to encrypt the transmissions that follow. Encryption means that all information relating to you and your account is scrambled and locked with a mathematical key during the electronic transfer.  Most browsers have an icon such as a key   or a lock to represent an encrypted mode or session.   A broken key , open lock , or no lock indicates that the session or mode is not encrypted. 

For example, if you are about to send your credit-card number to an unsecured site, Internet Explorer can warn you that the site is not secure. If the site claims to be secure but its security credentials are suspect, Internet Explorer can warn you that the site might have been tampered with or might be misrepresenting itself.

A "Web site certificate" states that a specific Web site is secure and genuine. It ensures that no other Web site can assume the identity of the original secure site. Web site certificates are also dated when they are issued. When you try to open an organization’s Web site, Internet Explorer verifies that the Internet address stored in the certificate is correct and that the current date precedes the expiration date. If the information is not current and valid, Internet Explorer can display a warning.

For example: If you decide to buy a book over the Internet, you would use your browser to go to the bookseller. When you have selected the book, placed it in the shopping cart, and then click on the "Proceed to checkout" link, the following warning will appear.

When you click the OK button, the browser will connect to the secure web site using SSL. This is the point where the web server and your browser establish an algorithm or formula that will be used to encrypt the transmissions that follow. If you look closely at the address line on the browser, you will see that "https" rather than the normal "http" precedes the merchant's web address (URL). This indicates that you are connected to a secure site using the SSL protocol.

You will also notice that a small padlock icon has appeared in the bottom right of your browser as described above. This is an additional indicator of a secure connection. You can now enter your credit card and other personal information needed to complete the purchase.

There are two different types of encryption: domestic-grade encryption and international-grade encryption. The difference between these two types of encryption is one of capability. Domestic-grade encryption is exponentially more powerful than international-grade encryption:

• 40-bit encryption, also called international-grade encryption, means there are 2⁴⁰ possible keys that could fit into the lock that holds your account information. That means there are many billions (a 1 followed by 12 zeroes) of possible keys.
• 128-bit encryption, also called domestic-grade encryption, means there are 2⁸⁸ (a three followed by 26 zeroes) times as many key combinations than there are for 40-bit encryption. That means a computer would require exponentially more processing power than for 40-bit encryption to find the correct key.

Most merchants, and especially financial institutions, recommend that you use a browser with domestic-grade encryption. You can upgrade your version of Netscape Communicator or Microsoft Internet Explorer to a newer version with strong encryption.

Level 2 Security -- Password Access -- 

The next level of security combines Password access with SSL encryption.   This is two-way security for requests to view personal information over the Internet.   Financial institutions, for example, use this level of security when more sensitive material will be displayed, such as your bank balances.

Password security uses Secret Key or symmetrical encryption. It is a long-used method of protecting sensitive information transmissions. This method uses one key, the password, to encrypt or lock information so that it will be unreadable if intercepted by anyone not having the same secret key, such as your bank.

The highest level of Internet security uses Public Key Infrastructure (PKI) technology. This level of security is just as secure as Level 2 (SSL with Password) but includes identity proofing and non-repudiation features necessary for the receipt of benefits or information on a recurring basis.

Unlike passwords that use a Secret Key to encrypt and lock transmitted information, PKI uses a Private  Key and a Public  Key, or asymmetric encryption. A private key is held by one individual and is used for decryption or decoding. A public key is used to encrypt information sent to that individual.  When I receive the encrypted message, I would use my private key (like a decoder ring) to decrypt the message. In this way, I am the only person able to read that message.