Cipherspace
Have you ever
wondered how we are going to identify one another as we move further
into the cyber world in which Internet and other such gateways to
anonymous Electronic Commerce become ubiquitous, and we all become
strangers to one another until otherwise positively
identified?
Yeah, me too. I
havenít thought much about it either. But, the truth is, we
are standing on the technologyís edge and the plans are being
drawn out before us. The question is, will we be comfortable in this
new community being created, and will we know how to get around? For
most of you, it is important that you have more than a general idea
of these concepts, because your customers will be asking you the
questions when they get lost. (You are planning to include eCommerce
in your service and product mix, right?)
Of course, one of
the first questions is about security and what the nature of the risk
really is. Arenít Internet transactions already very difficult
to steal, because they travel all over the Internet in pieces? Do
merchants need to add security to their Web sites, and if so, is SSL
enough? Will Visa and MasterCard require commerce-enabled sites to
have SET, and will the implementation costs of SET be worth any
potential savings in Interchange?
One thing that
will help shape answers to these questions is the value of the
information being exchanged. If the information is of minimal
importance and can be seen by anyone, then little or no
identification protocols will be necessary. If it is of more
importance, and carries critical confidential financial information,
then we must be sure that only the proper recipients receive it and
are able to read it. This process will require layers of security
measures such as encryption, electronic signatures, and even digital
certificates.
You are probably
already involved in setting up encryption for your physical
merchants, selling PIN-based debit acceptance, and providing PIN
encryption, even though you may not yet have personal knowledge of
the process. As more virtual payments take place, and more of the
evolving new payment mechanisms go looking for ISOs to be their
low-cost feet-on-the-street, you will find that these concepts will
be discussed more often, perhaps creating barriers to market entry or
eliminating some sales opportunities for your
business.
While the concepts
of electronic security may seem difficult to understand and perhaps
unnecessary to some of us, for businesses to have comfort in this new
world of anonymous eCommerce we need Privacy, Authentication,
Integrity and Non-repudiation or denial of electronic
transactions.
If you
havenít heard these four eCommerce needs defined before, they
mean that as we send transactions electronically all over the world,
we must maintain privacy for all involved. We must also be able to
authenticate who the parties are, both the seller and the buyer. We
must be able to assure that the data sent, in particular the
financial data, has not been tampered with along the way. Finally, we
must be able to assure that in the end, the parties have no reason to
say that they didnít send or receive the message, services, or
payment.
The developing
acronym for this is P.A.I.N: Privacy, Authentication, Integrity, and
Non-repudiation. This of course is more Retail eSpeak Authorization
Language, making this whole subject somewhat of a R.E.A.L. P.A.I.N.,
but nonetheless, we need at least a 10,000-feet familiarity with the
subject.
One of the first
principles that we must understand is that some very forward thinking
people believe that in the future of eCommerce, being proficient at
Cipherspace, (not cyberspace), is going to define the real players.
What this means is that Digital Cryptography will be synonymous with
eCommerce.
Accepting the fact
that only a small number of people in this country (or the world for
that matter) will ever completely understand all the complexities of
electronic security (who really understands SSL.)1 We
should all know why it is necessary, what the process is, and what
protections the various methods actually provide.
So letís
start with the basics. When we as individuals first learn math, we
learn to add. The reason is that addition is fundamental to
subsequent and higher math. We next learn multiplication, which is
built on the previous knowledge. We learn, as an example, that
2+2+2+2 is also 2x4. Now, I know I may already be losing the
math-challenged audience, but stay with me.
First off
"encryption" is like "addition," it is a basic function, and "Digital
Signature." is like "multiplication". This means that Digital
Signatures are another way to perform (higher function) encryption.
As a basic encryption process, we can move each letter in the
alphabet four characters to the right, making an A into an E, a D
into an H, etc. We can then render a message written with this cipher
key (4) and the message receiver can decipher the message by
translating it on their end. This of course requires that all message
originators and receivers have the "key" and that the same "key" will
both encrypt and decipher.
After we have
mastered addition and multiplication, we learn to factor. This means
we learn that 2+2+2+2, is 2x4 and can also be expressed as 23.
Digital Certificates are similar to factoring.
To gain an
understanding of Digital Signatures, we must accept that sometimes it
will not be enough to be able to decipher a message, but rather we
will need to know beyond a doubt who sent the message. This means
that we must change the key pairs from being Symmetric (same key to
encrypt and decrypt) to Asymmetric Key Cryptography, in which the key
pairs are not the same.
Hereís how
it works: The sender signs with his private key, and your trading
partner verifies the message with the sender, or initiatorís
public key. Any tampering is detected by using message digests, or
what are sometimes called Hash totals, determining the characteristic
of the message mathematically. So, this means that a Digital
Signature is an algorithm (or cipher) using the originatorís
private key. It allows your partners to verify that a message or
payment instruction came from the sender and it was not tampered with
along the way. In case of a dispute, anyone can mathematically prove
whether the message came from the sender, based upon the
senderís public key.
So, as you can
see, Digital Signatures are simply encryption expanded, with Digital
Certificates being Digital Signatures amplified to a higher
power.
Now that we all
have that, letís consider the question of message routing and
what the need actually is for encryption. Prior to the Internet,
payment information generally traveled on traditional key switched
lines, or what are sometimes called circuit source and target, or
end-to-end communications. The call originated at one end of the
line, and traveled directly to the receiver on the other end. With
the invention of TCP/IP (an Internet protocol that breaks up messages
into small packages which each travel in different directions, only
to be restored on the other end) these transactions are generally
more secure today than on previous switched traffic.
While TCP/IP
enabled Internet routing creates some security, SSL includes how many
packets there are to the process, so the recipient can be assured
that the message was not modified along the way.
While we may not
all fully understand internet security, and certainly most of us will
not be called upon to actually set-up SSL on a server or ever debate
the merits of the SET protocol, we should understand that some people
in our industry believe that digital certificates will eventually
change everything we now think we know about payments.
How, You
Say?
Throughout
history, the cost of a single transaction has had a direct
relationship with the size of the firm. In most cases businesses are
looking over their shoulder for the new enterprise which will have
significantly lower costs, because that company can make them
obsolete. So it could be with the emergence of Internet transactions
which carry a Digital Certificate.
Imagine
transactions floating throughout the world that have zero
communications cost. Imagine still that the transaction denomination
is but a fraction of a cent, and each has a digital certificate. This
means that in essence, they become electronic bearer bonds. Now
imagine that the certificate authority is the U.S.
government.
With this design,
all other forms of payment could be eliminated. No need for
interchange, as in credit cards today, because the message is the
payment, and the payment is the message. Checks are just
authorizations to pay, based on a signature, and forwarded to a
drawee bank. Imagine the check is an encrypted message digitally
signed and authenticated and the message is the payment, due to the
certificate authority backing or guaranteeing the
transaction.
For those who see
a cipher-based future rather than a cyber-based future, financial
services will develop along the following lines:
- Nothing but
Net
All enterprise
time not spent maximizing the benefits of the Web (from the
reduction of communications cost to the improvement of our
customers ability to help themselves to our data about them or our
services) is a waste of time.
- Geodesic
Transactions
All actions
should be directed at eliminating everyone between our
product/service and our customer. One-on-one is the only
future.
- Costs will
decline three orders of magnitude.
Since the name of
the game is "Nothing but Net," and costs decline by 50% every 18
months on the Web, all other business models will fail if their costs
do not also decline three orders of magnitude every 18
months.
In writing this
story something occurred to me. Can you imagine being among a few
people who had just become aware of the invention of the light bulb,
and then having someone (thinking out of the box) say that some day
there will be a city in the western desert that will use millions of
these. In fact, they will really do nothing more than spell out
words, and make the night into day.
Then, of
course, some traditionalist would ask, why? And the answer would be
because it will scream out "leisure time" to all that come near, and
it will operate 24 hours a day, 365 days a year.
While all of
these thoughts may be too Star Trekkie for you, security, signature,
and certificate authorities all have these possibilities in their
future.
Closing
Thought
I recently heard
someone say that all the fun stuff that is happening on the Internet
is the result of "out of the box" thinking. We must keep reminding
ourselves that the money is in the box.
1 Secure Sockets
Layer, a 128-bit encryption method.
[Return]