`Technology
`
`The Advanced Guide for
`World Wide Web Information Providers
`
`Nancy J. Yeager
`Robert E. McGrath
`
`National Center for Supercomputing Applications
`
`Morgan Kaufmann Publishers, Inc.
`SAN FRANCISCO, CALIFORNIA
`
`-
`
`A
`
`- -- -' -. -- -- '
`
`Petitioner Apple - Ex. 1065, p. 1
`
`
`
`Sponsoring Editor
`Production Manager
`Production Editor
`Text Design
`Cover Design
`Cover Photograph
`Copyeditor
`Proofreader
`Composition
`Illustration
`Indexer
`Printer
`
`Michael B. Morgan
`Yonie Overton
`Elisabeth Beller
`Mark Ong, Side by Side Studios
`Martin Heirakuji Graphic Design
`Photonica/Joshua Sheldon
`Ken DellaPenta
`Judith Abrahms
`Nancy Logan
`Cherie Plumlee
`Valerie Robbins
`Courier Corporation
`
`Morgan Kaufmann Publishers, Inc.
`Editorial and Sales Office
`340 Pine Street, Sixth Floor
`San Francisco, CA 94104-3205
`USA
`
`Telephone
`Facsimile
`www
`
`415/392-2665
`415/982-2665
`mkp@mkp.com
`http:/ /www.mkp.com
`
`Order toll free 800/745-7323
`
`© 1996 by Morgan Kaufmann Publishers, Inc.
`All rights reserved
`Printed in the United States of America
`
`00 99 98 97 96
`
`5 4 3 2 1
`
`,
`
`No part of this publication may be reproduced, stored in a retrieval system, or transmit(cid:173)
`ted in any form or by any means-electronic, mechanical, photocopying, recording, or
`otherwise-without the prior written permission of the publisher.
`
`Library of Congress Cataloging-in-Publication Data is available for this book.
`
`ISBN 1-55860-376-X
`
`Petitioner Apple - Ex. 1065, p. 2
`
`
`
`CHAPTER EIGHT
`
`Digital Commerce:
`Risks, Requirements,
`and Technologies
`
`Wether you are a Web service provider or a casual Web user, it is important to understand
`your level of risk in using a secure Web service. This chapter will aid you in that
`task by defining requirements for secure services, describing security-enabling
`technologies, and presenting a method to evaluate a secure Web service. Lastly,
`we will critique several existing secure Web system models against the require(cid:173)
`ments and methods we have defined.
`The Web was designed and is highly successful as an easy-to-use method for
`distributing public information. The Web is wide open. All information on the
`Web is public, and the Web is built upon a public network, the Internet. Many
`commercial Web services contain catalogs of products, services, and prices, and
`corporations use the Web to distribute information widely. Many users now
`want to take the technology one step further, to disseminate information in a
`controlled way. To do this, they need to incorporate confidentiality and access
`control to a subset of their Web documents. The same security mechanisms that
`restrict access to a set of documents to qualified .individuals could be used to
`popularize commercial transactions over the Web. These mechanisms can also
`be used to address online privacy issues, such as protecting the confidentiality of
`medical records or credit ratings.
`
`Petitioner Apple - Ex. 1065, p. 3
`
`
`
`320
`
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`
`Computer security measures are intended to reduce the risks of using the sys(cid:173)
`tem. The introduction of security mechanisms can never totally eliminate all
`risk; it can only diminish risks to an acceptable level. Any consideration of secu(cid:173)
`rity must begin with risks: what are the risks and how can they be addressed?
`Besides reducing risks, security technologies aim to increase confidence and
`trust in the system. Customers will not use a system if they do not trust it to
`safeguard their assets and interests.
`Who will be liable when the security services fail in a commercial Web
`service-the service provider or the customer? The answer for commercial Web
`services is still, as yet, undefined. However, as has been seen in similar electronic
`commerce systems, the service provider may be liable, in varying degrees, for
`the technological failures of the system (Anderson 1994; Gifford et al. 1995) .
`Whether you are the customer or the service provider, liability is serious busi(cid:173)
`ness, and your risks warrant a closer analysis.
`In order to begin analyzing the risk incurred by digital commerce or secure
`Web systems, let's first look at the process of a real-world commercial transac(cid:173)
`tion model.
`
`8.1 A Familiar Model for Commercial
`Transactions: Credit Cards
`
`When credit cards were first introduced, many doubted that the general public
`would trust such a mechanism for commerce. Today the Web is at the same point
`in its commercial evolution: no one knows whether it will be widely accepted as
`a vehicle for commerce.
`In a credit card transaction, the ownership of a credit card identifies an indi(cid:173)
`vidual for the purpose of the commercial transaction. The owner has possession
`of the card and his or her signature matches the one that is signed on the receipt
`of goods. As we look at commercial transactions of all kinds we will find that
`this identification process-that the owner of the card is truly the individual
`authorized to use the card-
`is the most crucial measure for assessing a secure
`transaction of any kind. The better the identification process, the less the risk
`assumed by the service provider or customer.
`In the case of credit cards, some merchants and customers have abbreviated
`the identification process; they don't require a signature or don't review the sig(cid:173)
`nature. For example, when the customer presents only the number (the proof of
`possession) of the card over the telephone, there is little way to bind the autho(cid:173)
`rized user's identity with ownership of the card. Abbreviating the identification
`process in this way decreases the effectiveness of the mechanism and increases
`the risk of an illegal transaction. If a signature is not required, it is much easier
`
`Petitioner Apple - Ex. 1065, p. 4
`
`
`
`8.2 Identifying Yourself
`
`321
`
`for a disreputable third party to intercept the credit card number (and expira(cid:173)
`tion date) and purchase goods and services; therefore, the risk of loss due to
`fr aud is greatly increased. Today credit card companies accept the liability for
`stolen card numbers, provide help to customers with stolen card numbers, and
`charge more for their services to businesses that accept credit card numbers over
`the phone. The convenience of telephone transactions outweighs the risk of
`losses due to fraud. However, the business, and ultimately the customer, pays
`more for this added convenience.
`
`8.2 Identifying Yourself
`
`As we look at commercial transactions of all kinds, we will find that this identi(cid:173)
`fication process is the most important measure of effectiveness for secure trans(cid:173)
`actions. First an individual asserts or claims an identity and then that assertion
`is verified. This assertion and verification together are called the authentication
`process.
`\
`In the human world, the identity of each person is founded on their physical
`existence. When there is a person standing in front of us, we use all our senses to
`identify them, by what they look like, how they sound, what they do and say,
`and so on. On a computer system these natural cues are entirely missing. To the
`computer, a person is just a collection of data; it has no way to tell which body
`the data is supposed to belong to, or even if the person ever really existed out(cid:173)
`side the computer. In one sense, the problem of authentication is to come up
`with some way that the computer can tell people· apart and verify a person's hon(cid:173)
`esty when he asserts an identity.
`Most commercial transactions and secure applications employ some form of
`authentication. There are three factors that can be used in the authentication
`process (Miller 1994):
`
`1. Knowledge-something a person knows
`2. Possession- something a person owns
`3. Characteristic- something a person is
`
`All of these may serve to uniquely identify one individual person.
`Many authentication systems operate on two-factor authentication, requiring
`two different sources of identification. The idea, of course, is that when the two
`means of identification match, it is likely that only the right person could supply
`that matching identification.
`Credit card users use two-factor authentication for purchasing goods and
`services: you present a card (possession) and you sign for the purchase (an indi(cid:173)
`vidual's characteristic signature). Automatic teller machines use two-factor
`authentication-you present a bank account card (possession) and input a per(cid:173)
`sonal identification number (PIN) (knowledge).
`
`Petitioner Apple - Ex. 1065, p. 5
`
`
`
`322
`
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`
`8.2.1 Biometrics
`
`The last authentication factor, the characteristic, is so well developed that it has
`been recognized as a scientific field. Biometrics is the study of the measurement
`of physiological and behavioral traits. It is used to study human diversity and
`may also be used for identification based on physiological or behavioral traits.
`Biometric methods analyze human physiological traits such as fingerprints,
`size and shape of hand and fingers, and retinal patterns. Biometric methods can
`also analyze behavioral characteristics such as an individual's signature, voice, or
`speech patterns. Even the speed and pattern of an individual's typing at a key(cid:173)
`board has been examined as a behavioral biometric identification method.
`Physiological measurements are not always convenient or unobtrusive. The
`most positive identification possible is a DNA sample, but it is not reasonable to
`perform such an expensive procedure to verify a credit card purchase! Behav(cid:173)
`ioral biometric techniques may be easier to measure but are subject to more
`variability than physiological biometric techniques. For example, the quality of
`your voice may change if you have a cold and your signature may change as you
`mature. No method is perfect, so it is important to consider the likely~ mistakes
`and their consequences. Biometric identification methods may fail in two ways:
`they may mistakenly confirm an identity when it is the wrong person (a false
`acceptance) and they may mistakenly reject the identity of the right person (a
`false rejection) (Miller 1994). Different biometric methods have different likeli(cid:173)
`hoods of each type of error, which are expressed in two numbers, the false accep(cid:173)
`tance rate (FAR) and the false rejection rate (FRR). The selection of a biometric
`method must be tailored to each application's security requirements, based on
`the consequences of each type of mistake.
`Consider, for example, the high security requirements of an entrance to a
`military laboratory. We would need a biometric method that could not easily be
`fooled into admitting unauthorized personnel. We would also require our bio(cid:173)
`metric method to permit authorized applicants to enter the secured facility.
`Otherwise, qualified applicants would become frustrated and might eventually
`give up their entrance attempts. In this example, it would be of the utmost
`importance to deny access to unauthorized individuals-our biometric method
`must have a small FAR. If need be, we could tolerate a method that denied access
`to a few authorized applicants; we could always provide them with the phone
`number of a security officer to call. So we could tolerate a few false rejections(cid:173)
`or a relatively high FRR. We could select fingerprints as a biometric system for
`authentication at our secure site. Fingerprints have a FAR ofless than .0001 per(cid:173)
`cent and a FRR of 2 to 3 percent. In other words, it is very unlikely that someone
`else's fingerprint will be taken to be yours, but the identification system some(cid:173)
`times might not recognize your fingerprint as your own.
`The requirements of military security are completely different from the needs
`of commerce. What are the requirements for digital commerce? First, costs must
`
`Petitioner Apple - Ex. 1065, p. 6
`
`
`
`8.3 The Web, Security, and the Internet
`
`323
`
`be kept reasonable. And second, customer satisfaction and convenience are
`paramount concerns. The service provider cannot afford to aggravate even a
`small number of customers or it will lose their business. Incorrectly rejecting the
`identity of a customer is very bad for business. So, unlike the military example,
`digital commerce demands a very low FRR. Furthermore, even a reliable method
`must be very quick and must be inexpensive enough to be widely used. It is better
`to lose a little money to thieves than to lose good customers because of an incon(cid:173)
`venient or expensive identification method.
`Most biometric methods cannot be used in digital commerce because they
`are either too expensive for the service provider or too inconvenient or too slow
`to satisfy the customer. Consider, for example, an automated signature verifica(cid:173)
`tion system for use by banks for account and credit card verification. The sys(cid:173)
`tem's cost is not prohibitive, only $1000. Banks have been slow to use this bio(cid:173)
`metric method, though, because they are afraid their customers would not
`tolerate the system's FRR of their perfectly legitimate transactions (Miller 1994).
`
`8.3 The Web, Security, and the Internet
`
`We have seen in Chapter 7 that there are no privacy guarantees on the Internet
`today. With the right tools and a bit of technical expertise, someone can eaves(cid:173)
`drop on conversations and capture data. For this reason, conducting digital com(cid:173)
`merce transactions on a public network like the Internet is risky business. But
`each day U.S. banks securely transfer a trillion dollars electronically (Adam
`1992). How is this done securely? Typically, commercial transaction services,
`like electronic banking applications, operate over private networks, such as their
`own leased networks or the networks that make up the telephone system. The
`privacy of the standard telephone service today relies on the physical security of
`the network-
`the fact that no one can easily tap the telephone line. So these pri(cid:173)
`vate networks are a more secure place to conduct transactions.
`This section considers the requirements for digital commerce: what must be
`done to make the Internet a viable business environment. Imagine you are the
`purchasing agent for a pharmaceutical company that produces aspirin. You pur(cid:173)
`chase a chemical called phenol as a raw material for your manufacturing process
`from your major supplier, Victor Chemical Company. VCC is an advanced com(cid:173)
`pany; it has a Web page that displays its entire product line, complete with cata(cid:173)
`log numbers, availability, and current prices.
`Recently, Victor enhanced its online Web service with the capability to place
`chemical orders via its Web service. As a regular customer of Victor Chemical,
`you have a standing credit account number. The Web service displays a form,
`such as the example shown in Figure 8.1, for the customer to fill in with their
`credit card number or standing account number. This form is sent over the net(cid:173)
`work to Victor's Web server, as explained in Chapter 3. Your order is received at
`
`Petitioner Apple - Ex. 1065, p. 7
`
`
`
`324
`
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`
`[C;~~~7J~:~:-:~~i~~-~~·r·~~~'7~~::-;j~;~~~~~~~~:.~f~."il~~;~gjfl
`File Options
`Help
`
`··to
`
`.
`
`I
`
`Title:
`
`(Yi!;!QLGnemical On-line Ca~]Qg Orders
`
`URL:
`
`i!LttB;(lwww.vcc.CQm/orders.htm '
`
`·"
`
`c
`
`:.:· ·:i·ii
`
`-,,
`
`,..,
`
`Victor Chemical On-line Catalog Orders
`
`This catalog contains the latest products and prices for Victor Chemical Company.
`
`Use the on-line form to place orders.
`
`Products
`
`Phenol
`Chlorine
`Fullerine
`
`$100/liter
`$100/liter
`$1000/nanoliter
`
`I
`I
`I
`I
`I
`
`To place an order, please fill in the following information:
`
`Product:
`
`Quantity:
`
`Total Price:
`
`Account number:
`
`iSubmit Query I
`
`- '•
`
`l
`
`.-;: A[C:.:.;.~·~" ".'·: .-
`
`I
`
`I.:< I
`
`I
`
`•'1,
`
`..
`.::•::
`.....
`
`•
`
`[B".i'i:'kh Forward I ~Home I iOpen ... 1
`
`Figure 8.1 Placing a purchase order via the Web.
`
`Victor and charged to the account number submitted. What's actually happen(cid:173)
`ing as you transmit your account number and what are the risks? Is it safe to use
`this new facility?
`To answer this question, it is easiest to break the problem down into its com(cid:173)
`ponents. We must look at how secure the message is upon creation, transmis(cid:173)
`sion, and receipt: the end-to-end security of the transaction. The Web forms
`service is a Web application running on top of an insecure public network, the
`Internet.
`So your credit account number could be captured as it is transmitted to
`Victor's Web server. Additionally, someone may be able to masquerade as you
`on your computer and send bogus messages. The receiver would have no way to
`tell that the message was not legitimate.
`
`Petitioner Apple - Ex. 1065, p. 8
`
`
`
`8.4 Interim Digital Commerce Services for the Web
`
`325
`
`Even if nothing unusual occurs, many transactions on the Internet are trace(cid:173)
`able. The sources and destinations of the messages can be discovered by snoop(cid:173)
`ers. This in itself may deter the use of the Internet for some purposes. People
`often do not want their business transactions monitored.
`
`8.4 Interim Digital Commerce Services for
`the Web
`
`Despite the lack of security guarantees, many people want to use the Internet for
`commerce today, so several creative schemes have sprung up to circumvent the
`Internet security problems (Cain and McGrath 1995; Werner and DeAngelis
`1995; Sefferud 1995). In many of these systems, an Internet commerce service
`acts as a go-between for the business and the customers, collecting the customers'
`credit card information over the telephone.
`In one system (Werner and DeAngleli~ 1995), the customer shopping on the
`Web fills out the Web form with their ddired purchases, their phone number,
`and a time when they will be available at the given phone number to supply their
`credit card information. The business collects the order and then either calls the
`customer back manually or uses a programmed voice robot to call the customer
`at the specified time to collect the customer's credit card number. This scheme is
`clearly only as secure as any phone-order business and is not nearly as conve(cid:173)
`nient for the customer.
`In another scheme (Sefferud 1995), an internet commerce broker (ICB) acts
`as a go-between, collecting the credit card information of customers, collecting
`payment from the customers for purchases, and crediting the seller's account
`(see Figure 8.2). Here's how the scheme works:
`
`1. The customer registers (over the phone) with the ICB and supplies credit
`card information. The ICB assigns the customer an ICB account number.
`Thereafter, the customer uses his ICB account number to make purchases.
`2. As a customer places a transaction with a seller, he supplies his ICB account
`number.
`3. The seller reports the transaction to the ICB.
`4. The seller may validate the customer's ICB account number with the ICB
`before (or after) sending the purchased item to the customer.
`5. The requested item, typically a document, is sent to the customer.
`6. After the ICB receives the transaction report from the seller, it sends
`electronic mail to the customer asking for verification that they purchased
`the item.
`7. The customer confirms via electronic mail that they did indeed purchase
`the item.
`8. The ICB charges the customer's credit card account for the purchased item.
`
`Petitioner Apple - Ex. 1065, p. 9
`
`
`
`326
`
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`
`Customer
`
`Web
`- - - - Secure phone network
`
`Figure 8.2 Interim digital commerce services on the Web.
`
`This system is tailored to selling information, or "information commerce"(cid:173)
`transactions not involving the purchase of physical goods or services. This would
`mean customers could purchase many documents on the Web, each for a small
`charge. The ICB collects all the transactions during a payment cycle. At the end
`of a payment cycle, the ICB bills the customer in the conventional way by calling
`a credit card processor over secure phone lines. The ICB then transfers remu(cid:173)
`nerations into the seller's ICB account. The seller bears the risk of nonpayment
`by the customer. Deadbeat customers run the risk of having their accounts ter(cid:173)
`minated by the ICB. This system assumes that the phone and electronic-mail
`services over the Internet are trustworthy. We have learned that Internet services
`like electronic mail are not necessarily secure.
`
`Petitioner Apple - Ex. 1065, p. 10
`
`
`
`8.5 Requirements for Digital Commerce
`
`327
`
`These schemes have limited usefulness in the long term. They fall short in
`customer convenience and they do not provide what we suspect businesses really
`want to offer: spontaneous, secure commercial transactions via the Web. Let's
`take a closer look at the requirements for such a system.
`
`8.5 Requirements for Digital Commerce
`
`Let's return to the example of the Victor Chemical Company's Web service and
`summarize the security requirements we would want and expect from a Web
`service. The system must provide three important assurances: confidentiality,
`authenticity, and message integrity. It would also be desirable to have the option
`to execute spontaneous secure transactions and to use anonymous (cash) trans(cid:173)
`actions.
`
`l. Confidentiality The Web service must ensure that private transactions can't
`be captured and read by others. Nq one should be able to eavesdrop on
`our conversation and capture the ac~ount number we are transmitting in
`our order form. If the eavesdropper had the account number, they could
`connect to the Victor Chemical Web order form and purchase goods in
`our name.
`2. Authenticity The Web service must ensure that "we are who we say we are."
`Both parties must be confident of each other's identity. Without this assur(cid:173)
`ance, someone could make illegal purchases in our name or masquerade
`as the Victor Chemical Company's Web server and collect our credit
`account number as we submit our order form.
`3. Message integrity The Web service must ensure that the message received is
`actually the message sent. It must not be possible to intercept and alter
`part or all of our order as it is transmitted over the network.
`4. Option for spontaneous secure transactions We might prefer to conduct a
`transaction in a secure fashion with whomever we wanted, whenever we
`wanted. We might prefer not to have to register or have a login created on
`each Web server that conducted our transactions.
`5. Option for anonymous transactions Wouldn't it be great if we had a cash
`equivalent in digital electronic form? This service would ensure that your
`purchase couldn't be logged and traced back to you. This is important
`because when each transaction is traceable, it is very easy for computers to
`accumulate large amounts of information about people based on what
`they buy.
`
`Petitioner Apple - Ex. 1065, p. 11
`
`
`
`328
`
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`
`8.6 Technology to Meet These Requirements
`
`Today there is a whole range of security applications that meet these security
`service requirements to various degrees: phone cards, ATM cards, security cards
`or smartcards (for office and computer room access), and road toll payment
`card systems. In the future, Web applications for commerce, education, and
`health care will be called upon to meet these security requirements.
`Let's look at the basic technologies that enable computer programs to meet
`these security requirements before we examine the special problems of integrat(cid:173)
`ing these security services into the World Wide Web.
`
`8.6.1 Cryptography
`
`Computer applications use cryptographic algorithms to provide a wide range of
`security services. An algorithm is a procedure or set of rules to solve a problem.
`A cryptographic algorithm is, in its simplest form, two sets of rules. One set of
`rules scrambles, or encrypts, the messages so that they cannot be un<!erstood.
`The other set of rules unscrambles, or decrypts, the messages so that they can
`once again be easily read. Cryptography can be used to protect information by
`restricting access to only a set of authorized individuals-those who have the
`ability to unscramble the message.
`Conceptually, TV cable service providers use a form of cryptography to limit
`access to some of the TV channels they provide. The TV cable service providers
`begin with a pure TV channel signal. They then scramble, or encrypt, the signal.
`This message in an unintelligible form is called ciphertext, and the encryption
`process is a cryptographic algorithm, or a cipher. The scrambled signal is then
`broadcast through the cable company's network to all customers. If the customer
`has paid for the TV channel, the cable company provides to the customer a device
`called a decoder. This decoder decrypts the scrambled TV signal, converting it
`back to the regular signal, and displays it on the TV. Those customers who have
`not paid for the TV channel do not have the correct decoder, and they see only a
`jumbled mess on the pay channel. So pay-per-view cable TV service is restricted
`through cryptography, and what the customer buys is the ability to decode the
`signal.
`Cryptography has been used in wartime since before the Roman Empire for
`communicating military strategies (Kahn 1967). In classical cryptography, all
`operations are performed on characters. Individual characters or groups of char(cid:173)
`acters within a word or phrase are substituted or transposed. Everyone is proba(cid:173)
`bly familiar with newspaper cryptograms, in which a message is encoded by sub(cid:173)
`stituting letters. An A in the message is changed to a B in the cryptogram, B is
`
`Petitioner Apple - Ex. 1065, p. 12
`
`
`
`8.6 Technology to Meet These Requirements
`
`329
`
`changed to C, and so on. Figure 8.3 shows a simple example of a cryptogram
`constructed by a simple substitution cipher-essentially the same type of code
`used by Julius Caesar two thousand years ago.
`Cryptographic experts within a given army devised algorithms for trans(cid:173)
`posing and substituting characters in their messages. Naturally, there also
`developed a set of skilled cipher analysts, or cryptanalysts, for capturing and
`decoding their enemies' ciphertext. The skills of these cryptographers and crypt(cid:173)
`analysts have proven to be key to winning wars, perhaps most notably World
`War II (Kahn 1967; Bamford 1983).
`Many character-based cryptographic algorithms, such as newspaper cryp(cid:173)
`tograms, are easily cracked; that is, they can be deciphered by people other than
`the intended recipient. With the advent of computers, the complexity of crypto(cid:173)
`graphic algorithms increased dramatically, as did the ability to crack codes.
`Cryptography is not based on words or letters of human language when exe(cid:173)
`cuted by a computer. Instead, the cryptographic operations and operands are
`based on the computer's language: binary numbers, or bits. The bits that repre(cid:173)
`sent the contents of a message (text, pictures, audio) are subject to mathematical
`operations, such as addition, subtraction, 'multiplication, and division.
`Computers use cryptography in the same way as the TV cable service. The
`data generated by a computer program begins as an unscrambled, or plaintext,
`message. An encryption algorithm on the sender's computer converts the mes(cid:173)
`sage to ciphertext. The message is transmitted over the computer network as
`ciphertext. The receiver decrypts the ciphertext, converting the message back to
`its original plaintext form. This process is illustrated in Figure 8.4.
`When used by computers today, cryptographic algorithms are carefully
`designed ordered sequences of mathematical operations that use one or more
`variables called keys. Enciphering and deciphering operations are based on
`binary-number keys. These keys are inputs to cryptographic algorithms just as
`the seed variable is input to a random number generator (Knuth 1981). The
`unique key chosen makes the result of encrypting data using the algorithm
`unique; selection of a different key causes the ciphertext produced to be differ(cid:173)
`ent. The whole idea is that the ciphertext is different for each message and for
`each different key. The original message can be recovered from the ciphertext
`only by using the correct key and the same cryptographic algorithm used to
`encipher it.
`
`Secret message:
`
`The lark is on the wing.
`
`Ciphertext:
`
`Ui f mbs l jt po uif xjoh.
`Figure 8.3 A cryptogram constructed using a letter-by-letter substitution.
`
`Petitioner Apple - Ex. 1065, p. 13
`
`
`
`330
`
`Chapter 8: Digital Commerce: Risks, Requirements, and Technologies
`
`Sender and
`rece iver use
`
`' ~~
`
`pskltij shfdp
`
`Figure 8.4 Private key cryptography. The encoder and the decoder are identical and use
`the same key.
`
`Keys can be any size, but typically they are very large numbers. The Data
`Encryption Standard (DES), a widely used cryptographic algorithm, uses a 56-
`bit key. A 56-bit number (25
`' ) can represent a number as large as 7 x 10". To get
`an idea of the size of this number, 10'8 (or 2") is an estimate of the total lifetime
`of the universe expressed in seconds. The entire number of people alive on the
`) . Some implementations of anoth(cid:173)
`Earth is about 5 X 109 (5 billion people, or 232
`er popular algorithm, the Rivest, Shamir, and Adleman (RSA) algorithm, use
`2048-bit keys (Bidzos 1991; Garfinkel1995; Schneier 1994). Imagine the magni(cid:173)
`tude of a number that 2048 bits would represent! If written out in zeros and
`ones, this key would be more than a page long!
`In digital commerce systems, the possession of a key is associated with a user's
`identity- each user may own a unique key. The computers determine who is
`who by the cryptographic key that is presented. Since a person may maintain
`more than one role in their life, they may well need a set of keys to use. For exam(cid:173)
`ple, I might use one key to represent my identity as bank president and conduct
`
`Petitioner Apple - Ex. 1065, p. 14
`
`
`
`8.6 Technology to Meet These Requirements
`
`331
`
`a bank transaction on behalf of a bank patron. While at home, I might use
`another key to establish my identity as an individual customer of the bank and
`withdraw money from my personal account. And I would have an entirely dif(cid:173)
`ferent key to borrow books from the library.
`The cryptographic algorithms that we have been discussing belong to a class
`of algorithms called private key cryptography, because the decoding key must be
`kept secret to protect the information. Private key cryptography is one of three
`classes of algorithms used by computer applications today to fulfill the require(cid:173)
`ments for digital commerce. The other two are public key cryptography and
`hashing algorithms. The next sections look at each of these three classes of
`algorithms.
`
`8.6.2 Private Key Cryptography
`
`Private key cryptography enables computer applications to fulfill the require(cid:173)
`ment of confidentiality: private transactions and data can't be captured and read
`by others. We have seen how this requir~ent is fulfilled for the cable TV ser(cid:173)
`vice. The encrypted TV signal can be saf~ly sent over public satellite and cable
`channels. If the data is captured on the network, it can't be read because it is
`ciphertext. One would need a decoder with the correct key to read the cipher(cid:173)
`text.
`Private key cryptography uses one key, known to both the sender and the
`receiver of the message. This key is used to encrypt and to decrypt the transmit(cid:173)
`ted message. Data can be recovered from ciphertext only by using exactly the
`same key and the same algorithm used to encipher it (National Institute of Stan(cid:173)
`dards 1993a). Figure 8.5 shows how this works. Since the key must be kept secret,
`it is called a private key. The encryption and decryption operations are some(cid:173)
`times described as being symmetric, so private key cryptography is also called a
`symmetric key system.
`
`8.6.3 Public Key Cryptography
`
`Public key cryptography is used to fulfill the authenticity requirement: "I am
`who I say I am." Unlike private key cryptography, public key cryptography uses
`two keys, a matched keypair. The keypair consists of a private component and a
`publ