Saturday 3 January 2009

E-Security Concern

It was at night. Everyone at the house was busy with something. Mom was cooking dinner. The oldest brother was still at work, he usually comes late. The older sisters were still at Uni. Mohammed was studying hard as he was in the 12th grade. Dad was out of the house visiting Uncle Ahmed. Sara was reading the newspaper and Abdulrahman was playing XBOX 360. Everything looked old in the living room except for the XBOX 360. All were sitting on an old mat.

"Internet pirates find new ways to deceive people" Sara said as she was reading the newspaper.
"I cannot believe that there are people who spend their time doing such things", commented Abdulrahman as he was pressing the buttons of the XBOX 360 controller.
"There are always good and bad people" said Sara.
"I am losing faith on the Internet although it has great benefits and made the world smaller than the small café across the street", said Abdulrahman.
He added: "I don’t know why make the buzz about E-Commerce and E-Government when we cannot be sure that transactions are secure."


"Well, there are security standards developed to secure transactions online. It is not just hackers and crackers out there. There are also security experts working hard to develop methods, not only to ensure secure transactions but also authentication, integrity, non-repudiation and confidentiality." Sara said.
"What kind of measures are you talking about?" asked Abdulrahman.
"There are known transactional security standards such as encryption, digital signatures and digital certificates that are being used in today's online business", answered Sara.
"I have heard of encryption, but honestly I am not sure of what it means. I do not think that I came across digital signatures and certificates before" said Abdulrahman.
"That is the problem. We lack awareness. People are not aware of such important things that affect their experience of today's business trend as a lot of organisations are moving toward offering their products and services online" Sara said as she was getting excited about the conversation.
"Ok, can you tell me more about securing transactions online?" asked Abdulrahman as he pressed the (pause) button on the controller and paid full attention.

Sara folded the newspaper so nicely and started explaining: "Encryption basically means changing the data being sent to scrambled data, so even if it is interrupted by a third-party, it cannot be read."
"So how can the recipient read the data?" asked Abdulrahman.
"There is a special key that is used to encrypt the data. The same key is used to decrypt the data so it becomes readable. This key is known as the private key and it consists of a series of characters. It varies in length depending on the strength of the encryption" answered Sara.
"Isn't exchanging the private key risky?" wondered Abdulrahman.
"It is and that is why public key encryption was introduced. Public key encryption uses a pair of keys: one is private and one is public" said Sara.
"So how does it work?" asked Abdulrahman.
"The data is encrypted using the public key and can only be decrypted using the private key. This means the public key can be distributed safely to the other users. This process ensures data integrity because nobody can alter the data during its transmission", answered Sara.
She added: "Digital signatures work exactly the same as public key encryption but in reverse, in which a message can be decrypted by a public key only if it is encrypted by its pair private key. This is used to authenticate users ensuring non-repudiation."
"What do you exactly mean by non-repudiation?" asked Abdulrahaman.
"Non-repudiation means that each party is assured that the counterparty will not be able to deny being the originator or the recipient of information"
Abdulrahman said: "That makes sense. What about certificates?"
"A certificate is a security credential that certifies the identity of its owners. It has some records such as the name of the owner, which is usually a website or a company that owns the website, the owner's public key, issue date, expiration date and the name of the certificate authority.", answered Sara.
"Authority?" wondered Abdulrahman.
"A certificate authority, also known as CA is a trusted third-party that issues the digital certificate and creates the public and private keys used for encryption. VeriSign is a well-known CA", explained Sara
She added: "Certificates ensure two-way authentication as both the sender and receiver relies on a trusted CA to verify their identity and transmissions are encrypted by public keys and digitally signed by private keys. Today, Certificates provide the highest level of authentication and is considered to be the heart of secure electronic transactions."
Abdulrahman seemed to be thinking deeply trying to visualize the process. "This means that public key encryption, digital signatures and certificates are related", he said.
Sara commented: "That is true. In fact, the system that combines organisations with assigned public and private keys, digital certificates, and the certificate authorities that issue and verify security credentials, and authenticate the validity of each party involved in Internet transactions, is called public key infrastructure or PKI."
"PKI. I should remember this term", said Abdulrahman.

"You know that websites start with http", Sara said.
"Yes and it means hyper-text transfer protocol, which defines how a web page is transferred on the internet from the server to the browser to be displayed to the user", said Abdulrahman.
"Correct, and those websites that use encryption start with https", added Sara.
"What does the 's' stand for?", asked Abdulrahman.
"The 's' means that the web page uses SSL to encrypt data and transfer it through the internet to the server. You can notice https in websites that provide online banking and online booking for example. Such websites must have valid certificates. ", answered Sara.
She added: "People must not give confidential information such as credit card numbers to web pages that do not use SSL and thus do not start with https."
"Very important information, but what is SSL?" said Abudulrahman.
"SSL stands for Secure Sockets Layer and is a security protocol that uses public and private key encryption and digital certificates to secure the transaction process on the Internet. It manages authentication, data integrity and encryption in one process. It can authenticate servers, encrypt data and verify client identity. It is available in all major browsers", Sara added.

"Thanks sister. You made my day", said Abudulrahman.
Sara had always wanted to spread awareness of e-commerce. She was so happy as she started to fulfill her dream and as she walked towards the kitchen to help Mom in preparing dinner, she said: "You are most welcome; it is our responsibility to educate the society, not only of the benefits of going online, but also of the best practices of being online."


------
To view certificates:
Internet Explorer: Tools>Internet Options>Content (Tab)>Certificates (Button)
Firefox: Tools>Options>Advanced>Encryption (Tab)>View Certificates (Button)
Flock: Tools>Options>Advanced>Encryption (Tab)>View Certificates (Button)

11 comments:

زوّان السبتي said...

Hey Suleiman,
After reading the first few lines in the e-mail you sent me, I left everything and clicked the link to read the remaining of the scenario.

Impressive as expected …

Straight forward dialogue… gives the reader the understanding of the concept in hand

Applause :)

Have a nice day

Best,
*ZS

Sulaiman Al Rawahi said...

Hi Z,

Hope things are going alright with ya.

Thanks for the nice comments.

This is the purpose of having the post in a different style; to transfer the knowledge of such an important topic in a creative, yet simple way.

More to come...

Zeena said...

Hello Sulaiman,

It is like a camera moving towards different directions describing the setting of this conversation. Interesting, impressive and well described scene to discuss a heavy technical subject in such attractive way.

Sulaiman, you could grab our attention and put us in the place where the described scene is running. Congratulations for having such spectacular and wonderful writing capabilities.

Today, I was watching the news in Al Arabia channel and there was a report about hacking Israeli websites by Arab hackers.These hackers removed the original pictures of the websites and replaced them by pictures of Gaza children who were brutally killed by Israeli Military. Although this may seem a crime in itself as it is meant to be an illegal access and interference, it is a heroic work in such circumstances.

That’s why; the E-security Concern is also concerned about rules, regulations, ethics and respect for cultures to create a safe e-environment.

I wish you and Sara all the best on your journey to spread the awareness of E-commerce.

Z...

Sulaiman Al Rawahi said...

Zeena,
Thanks for your valuable comments and continuous support.

I am glad that I was able to move the camera in different directions in our living room and to make you visualize the conversation.

I am also happy that I was able to deliver such an important topic in a way that makes it clearer and that is the purpose of this post.

With regards to regulations, Chapter 4 of the E-Transactions Law, that was issued under the Royal Decree No. 69/2008, covered securing online transactions. Also, Chapter 5 covered the authorized authority of implementing the e-transactions law and its responsibilities and roles. In addition to that, Chapter 6 covered certificates and certification services. Finally, Chapter 9 covered the punishments of different illegal acts.

It is important to mention that the Royal Decree No. 69/2008 was issued on the 17th of May 2008. The 17th of May is the World's Information Society Day. It is also the World's Telecommunications Day.

The e-transactions law is just a promising start towards not only a digital society, but a society that knows what it takes to be digital. And I can tell you that I can see it happening. Let us join forces to build our society... a knowledgeable one.

Anonymous said...

Hi Sulaiman,
The article is very well presented. I could visualize Ahmed and Sara speaking.

It is very impressive, easy to understand. Making people aware about these concepts is very important. And you have succeded in presenting it... All The best ....Keep writing

Sulaiman Al Rawahi said...

Hi Deepti,
Thanks for your input. Hope you enjoyed reading the post and sure there is more to come.

My brother Abdulrahman is a bit unhappy because Zeena did not mention his name and Deepti called him Ahmed. :-D

Anonymous said...

I am really sorry about that. AbdulRehman , it was just a slip of thought. Hope you are having quality time with your family especially with Sara.

Zeena said...

Hi Sulaiman,
I'm also sorry for not mentioning Abdulrahman's name. Just tell him that I believe he'll be one of the change makers in the society if he and Sara kept on spreading these kinds of thoughts and ideas.

Wishing you all the success.

Deepti said...

Hi Sulaiman,
Your blog is very intersting and informative and impressive... We need more of such write-ups.. so keep writing....

Sulaiman Al Rawahi said...

Hi Deepti,
Thanks for your nice comment.
I am currently writing a post and it is gonna be posted soon.

Sulaiman Al Rawahi said...

To comment on this post, please visit http://ensiyab.blogspot.com/2009/01/e-security-concern.html