Secure Transactions

A technique called symmetric key cryptography was once used to secure information being transmitted across public networks. This method involves encrypting and decrypting a message using the same key, which must be known to both parties in order to keep it private. The key is passed from one party to the other in a separate transmission, making it vulnerable to being stolen as it was passed along.

With public-key cryptography, separate keys are used to encrypt and decrypt a message, so that nothing but the encrypted message needs to be passed along. Each party in a transaction has a "key pair" which consists of two keys with a particular relationship that allows one to encrypt a message that the other can decrypt. One of these keys is made publicly available and the other is a private key. A message encrypted with a person's public key can't be decrypted with that same key, but can be decrypted with the private key that corresponds to it. If you sign a transaction with your bank using your private key, the bank can read it with your corresponding public key and know that only you could have sent it. This is the equivalent of a digital signature.

Public-key cryptography lessens the risk of private information being intercepted, allowing parties to positively identify each other through digital signatures.

Netscape Corporation (now owned by AOL) created the best known secure server technologies. It uses a security protocol called Secure Sockets Layer (SSL) that provides data encryption, server authentication, message integrity and optional client authentication for a TCP/IP connection. When a client program connects with a secure server, they exchange a "handshake" which initiates a secure session. With this protocol, the same server system can run both secure and unsecured web servers simultaneously. This means an organization or company can provide some information to all users using no security, and other information that is secured. For example, a business that sells products online can have its storefront (merchandise catalog) unsecured, but ordering and payment forms can be secure.

Why are these developments important? As the Internet becomes a way to buy and sell products and services, financial transactions become essential. Right now, most transactions involve the exchange of credit card information, either directly over the network, or by phone, to complete a transaction initiated online. Eventually, you will be able to use cash as well as credit, directly over the network.

There are two basic kinds of digital cash, anonymous cash and identified cash. Anonymous cash is just like paying for something with paper cash -- it carries no information about the person making the transaction, and leaves no transaction trail. You create it by using numbered bank accounts and blind signatures. Identified cash, on the other hand, contains information revealing the identity of the person who withdrew it from the bank. Like credit card transactions, identified cash can be tracked as it moves through the system and involves fully identified accounts and non-blind signatures.

For more information about online payments, visit VeriSign (now owned by PayPal).

Last update: Jan 6, 2010