Is It Safe To Shop On The World Wide Web?


By: John Michael Pierobon

Whether or not you read my last column, where I shared ideas for holiday gifts, you probably have made your list by now.

You do not have to go out to buy those gifts. You can buy them right off the Internet, thus avoiding the traffic, the crowds and the hassle of finding a parking space. All you need to do is park yourself next to your keyboard and mouse and go holiday shopping on the Web.

Is shopping online safe?

Yes it is, and here is how you can tell. When a blue border appears around your browser window, your browser is communicating with the Web site over a secure channel. Depending on which browser version you have, you may also see either a whole (unbroken) key or a locked padlock in the lower left-hand corner of the browser. This indicates that the information being sent over the Internet is encrypted.

How does this encryption work?

Any browser can encrypt a message with a conventional key such as a Data Encryption Standard (DES) key. Almost all secure transactions on the Web work with Secure Sockets Layer (SSL) and the X.509 standard. At the start of the transaction the client browser creates a pair of encryption keys: one public and one private. Each key is a unique string of numbers. The client prepares an unsigned certificate which includes a user ID and the user's public key. The client then sends the unsigned certificate to a certificate authority (CA) in a secure manner. The CA receives the unsigned certificate and creates a signature by calculating the hash code of the unsigned certificate and encrypting the hash code with the CA's private key. (The hash code is a small block of data that serves as a time stamp and a fingerprint.) The CA attaches this signature to the unsigned certificate and returns the signed certificate to the client. Because only the CA possesses its own private key, only the CA can produce the signature.

The user may supply this certificate to anyone who needs the user's public key. To verify that a public key is valid, the recipient -- in this case the merchant selling wares on the Internet -- recovers the hash code from the signature using the CA's public key. Then the recipient calculates the hash code of the unsigned certificate and compares it with the hash code recovered from the signature. If they match, the certificate is valid and the merchant may trust that the public key in it belongs to the identified user.
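The sign-then-verify round trip described in the two paragraphs above, as an added example that is not the author's code or any SSL library's. It uses textbook RSA over two publicly known Mersenne primes as a stand-in CA key (so the key is a constructed, insecure toy), SHA-224 as the hash code, and a constructed unsigned certificate; real X.509 uses padded RSA or ECDSA over DER-encoded certificates.

```python
"""Toy re-enactment of the column's steps: the CA hashes the unsigned
certificate and encrypts the hash with its private key; the merchant recovers
the hash with the CA's public key and compares it with a fresh hash.
Added example; the CA key below is a constructed toy, not a real key."""
import hashlib

# Constructed toy CA key: both primes are public knowledge (Mersenne primes),
# so this key is illustrative only and offers no secrecy whatsoever.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N = P * Q                                  # ~234-bit modulus
E = 65537                                  # CA public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # CA private exponent
CA_PUBLIC_KEY, CA_PRIVATE_KEY = (E, N), (D, N)

def hash_code(unsigned_cert: bytes) -> int:
    """Fingerprint of the unsigned certificate; SHA-224 keeps it below N."""
    return int.from_bytes(hashlib.sha224(unsigned_cert).digest(), "big")

def ca_sign(unsigned_cert: bytes, private_key=CA_PRIVATE_KEY) -> int:
    """CA step: encrypt the hash code with the CA's private key."""
    d, n = private_key
    return pow(hash_code(unsigned_cert), d, n)

def merchant_verify(unsigned_cert: bytes, signature: int,
                    public_key=CA_PUBLIC_KEY) -> bool:
    """Merchant step: recover the hash code from the signature with the CA's
    public key and compare it with a freshly computed hash code."""
    e, n = public_key
    return pow(signature, e, n) == hash_code(unsigned_cert)

# Constructed unsigned certificate: a user ID plus the user's public key.
UNSIGNED_CERT = b"user-id=holiday.shopper;user-public-key=CONSTRUCTED-PLACEHOLDER"
SIGNED_CERT = (UNSIGNED_CERT, ca_sign(UNSIGNED_CERT))

def demo() -> tuple:
    """Return (genuine certificate verifies, tampered certificate verifies)."""
    cert, sig = SIGNED_CERT
    # Altering even the user ID changes the hash, so the old signature fails.
    tampered = cert.replace(b"holiday.shopper", b"impostor.buyer")
    return merchant_verify(cert, sig), merchant_verify(tampered, sig)

if __name__ == "__main__":
    print(demo())  # (True, False)
```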

This way the merchant is confident that the buyer is who he/she claims to be and that the buyer wants the merchandise. The buyer is confident that the request is valid and has not been tampered with. Furthermore, the encryption makes it hard and extremely time consuming to decipher the information (credit card number, expiration date, etc.) without having the private key of the CA. Private keys are private, and CAs are companies whose business depends on the privacy of their keys.

Given that all these credit card transactions are encrypted and are done on a computer without human intervention, shopping over the Internet is safer than shopping by phone or at a store where you hand over your credit card to make a purchase.

John Michael Pierobon is an Internet consultant based in Fort Lauderdale.
John Michael may be reached by sending electronic mail to pierobon@pierobon.org





© 1998 - 2006 John Michael Pierobon