It was at night. Everyone at the house was busy with something. Mom was cooking dinner. The oldest brother was still at work; he usually comes home late. The older sisters were still at Uni. Mohammed was studying hard as he was in the 12th grade. Dad was out of the house visiting Uncle Ahmed. Sara was reading the newspaper and Abdulrahman was playing XBOX 360. Everything in the living room looked old except for the XBOX 360. All were sitting on an old mat.
"Internet pirates find new ways to deceive people" Sara said as she was reading the newspaper.
"I cannot believe that there are people who spend their time doing such things", commented Abdulrahman as he was pressing the buttons of the XBOX 360 controller.
"There are always good and bad people" said Sara.
"I am losing faith in the Internet although it has great benefits and made the world smaller than the small café across the street", said Abdulrahman.
He added: "I don't know why all the buzz about E-Commerce and E-Government when we cannot be sure that transactions are secure."
"Well, there are security standards developed to secure transactions online. It is not just hackers and crackers out there. There are also security experts working hard to develop methods, not only to ensure secure transactions but also authentication, integrity, non-repudiation and confidentiality." Sara said.
"What kind of measures are you talking about?" asked Abdulrahman.
"There are known transactional security standards such as encryption, digital signatures and digital certificates that are being used in today's online business", answered Sara.
"I have heard of encryption, but honestly I am not sure of what it means. I do not think that I came across digital signatures and certificates before" said Abdulrahman.
"That is the problem. We lack awareness. People are not aware of such important things that affect their experience of today's business trend as a lot of organisations are moving toward offering their products and services online" Sara said as she was getting excited about the conversation.
"Ok, can you tell me more about securing transactions online?" asked Abdulrahman as he pressed the (pause) button on the controller and paid full attention.
Sara folded the newspaper neatly and started explaining: "Encryption basically means changing the data being sent to scrambled data, so even if it is intercepted by a third party, it cannot be read."
"So how can the recipient read the data?" asked Abdulrahman.
"There is a special key that is used to encrypt the data. The same key is used to decrypt the data so it becomes readable. This key is known as the private key and it consists of a series of characters. It varies in length depending on the strength of the encryption" answered Sara.
"Isn't exchanging the private key risky?" wondered Abdulrahman.
"It is and that is why public key encryption was introduced. Public key encryption uses a pair of keys: one is private and one is public" said Sara.
"So how does it work?" asked Abdulrahman.
"The data is encrypted using the public key and can only be decrypted using the private key. This means the public key can be distributed safely to the other users. This process ensures data integrity because nobody can alter the data during its transmission", answered Sara.
She added: "Digital signatures work exactly the same as public key encryption but in reverse, in which a message can be decrypted by a public key only if it is encrypted by its pair private key. This is used to authenticate users ensuring non-repudiation."
"What do you exactly mean by non-repudiation?" asked Abdulrahman.
"Non-repudiation means that each party is assured that the counterparty will not be able to deny being the originator or the recipient of information."
Abdulrahman said: "That makes sense. What about certificates?"
"A certificate is a security credential that certifies the identity of its owner. It has some records such as the name of the owner, which is usually a website or a company that owns the website, the owner's public key, issue date, expiration date and the name of the certificate authority", answered Sara.
"Authority?" wondered Abdulrahman.
"A certificate authority, also known as a CA, is a trusted third party that issues the digital certificate and creates the public and private keys used for encryption. VeriSign is a well-known CA", explained Sara.
She added: "Certificates ensure two-way authentication as both the sender and receiver rely on a trusted CA to verify their identity, and transmissions are encrypted by public keys and digitally signed by private keys. Today, certificates provide the highest level of authentication and are considered to be the heart of secure electronic transactions."
Abdulrahman seemed to be thinking deeply trying to visualize the process. "This means that public key encryption, digital signatures and certificates are related", he said.
Sara commented: "That is true. In fact, the system that combines organisations with assigned public and private keys, digital certificates, and the certificate authorities that issue and verify security credentials, and authenticate the validity of each party involved in Internet transactions, is called public key infrastructure or PKI."
"PKI. I should remember this term", said Abdulrahman.
"You know that websites start with http", Sara said.
"Yes, and it means hyper-text transfer protocol, which defines how a web page is transferred on the Internet from the server to the browser to be displayed to the user", said Abdulrahman.
"Correct, and those websites that use encryption start with https", added Sara.
"What does the 's' stand for?", asked Abdulrahman.
"The 's' means that the web page uses SSL to encrypt data and transfer it through the Internet to the server. You can notice https in websites that provide online banking and online booking, for example. Such websites must have valid certificates", answered Sara.
She added: "People must not give confidential information such as credit card numbers to web pages that do not use SSL and thus do not start with https."
"Very important information, but what is SSL?" said Abdulrahman.
"SSL stands for Secure Sockets Layer and is a security protocol that uses public and private key encryption and digital certificates to secure the transaction process on the Internet. It manages authentication, data integrity and encryption in one process. It can authenticate servers, encrypt data and verify client identity. It is available in all major browsers", Sara added.
"Thanks, sister. You made my day", said Abdulrahman.
Sara had always wanted to spread awareness of e-commerce. She was so happy that she had started to fulfill her dream. As she walked towards the kitchen to help Mom prepare dinner, she said: "You are most welcome; it is our responsibility to educate society, not only about the benefits of going online, but also about the best practices of being online."
To view certificates:
Internet Explorer: Tools>Internet Options>Content (Tab)>Certificates (Button)
Firefox: Tools>Options>Advanced>Encryption (Tab)>View Certificates (Button)
Flock: Tools>Options>Advanced>Encryption (Tab)>View Certificates (Button)
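As an added illustration of the relationships Sara describes (this is not part of the original story and not any real product's code), the block below uses textbook RSA with tiny constructed primes to stand in for public-key encryption, digital signatures and a CA-issued certificate in a PKI. The key sizes, the owner name "shop.example" and all function names are assumptions for illustration only.

```python
# Added example (not from the story): textbook RSA with tiny constructed
# primes, to show how public-key encryption, digital signatures and
# CA-issued certificates fit together in a PKI. Not for real use.
import hashlib

def make_keypair(p, q, e):
    """Textbook RSA from two small primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # private exponent (Python 3.8+)
    return (e, n), (d, n)

def encrypt(public, m):
    e, n = public                           # anyone holding the public key
    return pow(m, e, n)                     # can encrypt for its owner

def decrypt(private, c):
    d, n = private                          # only the private key recovers it
    return pow(c, d, n)

def digest(data, n):
    """SHA-256 of the message, reduced below the modulus so RSA applies."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    d, n = private                          # 'encrypt' the hash with the
    return pow(digest(data, n), d, n)       # private key: that is the signature

def verify(public, data, sig):
    e, n = public                           # 'decrypt' with the public key and
    return pow(sig, e, n) == digest(data, n)  # compare against a fresh hash

def cert_record(owner, public):
    return f"{owner}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, owner, public):
    """The CA binds an owner name to a public key by signing the record."""
    return {"owner": owner, "public": public,
            "ca_sig": sign(ca_private, cert_record(owner, public))}

def validate_certificate(ca_public, cert):
    """A browser trusting the CA checks the CA's signature on the record."""
    return verify(ca_public, cert_record(cert["owner"], cert["public"]), cert["ca_sig"])

# Constructed keys for a hypothetical CA and a hypothetical shop website.
CA_PUBLIC, CA_PRIVATE = make_keypair(101, 113, 17)
SHOP_PUBLIC, SHOP_PRIVATE = make_keypair(61, 53, 17)
SHOP_CERT = issue_certificate(CA_PRIVATE, "shop.example", SHOP_PUBLIC)
```

A browser would first run validate_certificate on the site's certificate, then encrypt for the public key it contains, and the site proves it holds the matching private key by signing; a signature or certificate that has been altered fails verification.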