RSA Algorithm And Its Role In Ecommerce


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

E-commerce is the key driver for future businesses. If trade is to take place on the Internet, security and authentication become necessary. The RSA work on a prime number algorithm, which led to a patent on September 20, 1983, has made e-commerce a reality. The RSA algorithm, which works on the concept of prime number factorization, has found a number of uses in various domains and kinds of transactions, not only on the computer but also outside it. The present paper is a comprehensive study of the evolution of this algorithm along with the development of its applications. A patent mapping study has also been done to analyze the commercial exploitation of this patent.

Keywords: Encryption, Cryptography, E-commerce, Authentication, Digital Signature

I. INTRODUCTION

Information is an important part of communication. For any organization to perform successfully, the most important thing is the exchange of information. Earlier this was done with the help of paper-based documents, but the arrival of networked information systems on the internet has changed the scenario. Instead of sending information and data by courier, we can send it using electronic means. The Internet is also now increasingly being used as an important tool for e-business. With so many online clients, and with companies storing a lot of information in online databases, data marts or data warehouses, security has become a tremendously important issue. Also, with so many people falling prey to cyber crimes, today's Internet user is paranoid about the security of his personal details and e-transactions. Here comes the need for cryptography, i.e., conversion of data into a secret code for transmission over a public network [1].

Cryptography is the study of techniques for secure communication between two entities transacting or communicating on a public network. It can be classified as:

• Asymmetric (or Public or Shared Key) Cryptography

• Symmetric (or Private or Secret Key) Cryptography

Symmetric (or Private or Secret) key cryptography uses a single key for both the encryption and decryption processes. The two parties must agree on the same key before they start communicating. The key is generally shared via the network with the message, and is thus susceptible to sniffer programs (which can capture electronic messages as they traverse the network). Anyone in possession of the key can decrypt the message, even if he is not authorized to.

Asymmetric (or Public or Shared) key cryptography uses two separate keys, a public key and a private key, for encryption and decryption respectively. The two keys are different but are mathematically related. Hence, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa. The Public Key can be sent along with the encrypted message, but the Private Key is kept secret. And for decrypting the message, both the keys are required. Hence, anyone in possession of the Public Key cannot decrypt the message without getting hold of the Private Key as well. Asymmetric key cryptography also allows users to digitally sign the messages they send.

Fig1: Various Cryptographic Algorithms

Among all the cryptographic algorithms, the RSA algorithm is the most popular. It permits two parties who have never met and who can only communicate on an insecure channel to nonetheless send secure and verifiable messages to each other [2]. It can be used to authenticate or identify another person or entity. It uses the concept of prime number factorization: it is easier to calculate the product of two prime numbers than to find the prime factors of a huge number. The bigger the prime numbers, the more time is needed to calculate the product or to factorize it.

RSA is named after its inventors, Ron Rivest, Adi Shamir and Leonard Adleman, who developed it in 1977. It was introduced at the time when the era of electronic mail was expected to arise. Since then, it has been employed in the most widely used Internet electronic communications encryption program, Pretty Good Privacy (PGP). It is also employed in both the Netscape Navigator and Microsoft Explorer web browsing programs in their implementations of the Secure Sockets Layer (SSL), and by MasterCard and VISA in the Secure Electronic Transactions (SET) protocol for credit card transactions [2].

RSA involves a public key and a private key. The public key can be known to everyone; it is used to encrypt messages. Messages encrypted using the public key can only be decrypted with the private key [3].

The system includes a communications channel coupled to at least one terminal having an encoding device and to at least one terminal having a decoding device. A message-to-be-transferred is enciphered to ciphertext at the encoding terminal by first encoding the message as a number M in a predetermined set, and then raising that number to a first predetermined power (associated with the intended receiver) and finally computing the remainder, or residue, C, when the exponentiated number is divided by the product of two predetermined prime numbers (associated with the intended receiver). The residue C is the ciphertext. The ciphertext is deciphered to the original message at the decoding terminal in a similar manner by raising the ciphertext to a second predetermined power (associated with the intended receiver), and then computing the residue, M', when the exponentiated ciphertext is divided by the product of the two predetermined prime numbers associated with the intended receiver. The residue M' corresponds to the original encoded message M. [4]

II. FURTHER DETAILS ARE PROVIDED AS FOLLOWS

A. Arithmetic in RSA System [2]

A one-way function is one which is comparatively easy to do in one direction but much harder to do in reverse. The RSA system uses one-way functions of a more complex nature. The RSA system uses modular arithmetic to transform a message (or pieces of the message, one piece at a time) into unreadable ciphertext.

One can do multiplication in modular arithmetic much the same way addition is done. This process is sometimes called modular reduction. By subtracting out the modulus (and all multiples of the modulus) a number is "reduced" to a much smaller number.

The RSA system uses multiplication in modular arithmetic. It multiplies one number (called the base) by itself a number of times. The number of times a base is multiplied by itself is called the exponent.

In the RSA encryption formula, the message (represented by a number M) is multiplied by itself (e) times (called "raising (M) to the power (e)"), and the product is then divided by a modulus (n), leaving the remainder as a ciphertext (C): $C = M^{e} \bmod n$

In the decryption operation, a different exponent, (d), is used to convert the ciphertext back into the plain text: $M = C^{d} \bmod n$

The modulus (n) is a composite number, constructed by multiplying two prime numbers, (p) and (q), together: $n = p \cdot q$

The encryption and decryption exponents, (d) and (e), are related to each other and the modulus (n) in the following way: $d = e^{-1} \bmod ((p-1)(q-1))$

To calculate the decryption key, one must know the numbers (p) and (q) (called the factors) used to calculate the modulus (n). When (n) is a sufficiently large number, it is infeasible, using known algorithms and the fastest computing techniques, to calculate the prime number factors of (n).

B. RSA Algo is divided into three steps:

(1) Key generation: in which the factors of the modulus (n) (the prime numbers (p) and (q)) are chosen and multiplied together to form (n), an encryption exponent (e) is chosen, and the decryption exponent (d) is calculated using (e), (p), and (q).

(2) Encryption: in which the message (M) is raised to the power (e), and then reduced modulo (n).

(3) Decryption: in which the ciphertext (C) is raised to the power (d), and then reduced modulo (n).

C. Using RSA for Privacy and Digital Signature

When the RSA Algorithm is used in a public key system, the modulus (n) and one of the exponents (arbitrarily, we can assume (e)) are published. The other exponent (d) is kept secret, as are (p) and (q), the factors of (n). Each user holds their own keys, and knows the public key of the other user(s). Let A and B be two users.

User A knows its own public key ($e_A$ and $n_A$), private key ($d_A$), and B's public key ($e_B$ and $n_B$). B knows the converse: its public key ($e_B$ and $n_B$), private key ($d_B$) and A's public key ($e_A$ and $n_A$).

When user A wants to send a private message to B, that only B can read, the following operation needs to be performed on the message (M): $C = M^{e_B} \bmod n_B$

User B, who is the only one to possess its private key ($d_B$), will perform the following to recover the message (M): $M = C^{d_B} \bmod n_B$

To sign the message, A will encrypt the message with its own private key: $C = M^{d_A} \bmod n_A$

Because only user A possesses $d_A$, only it can create this ciphertext C. Anyone in possession of A's public key ($e_A$ and $n_A$) can verify the signature, however: $M = C^{e_A} \bmod n_A$

It bears note that (p) and (q), the factors of (n), are not needed for encryption or decryption; they are only used in the key generation step (creating the modulus (n) and the second exponent). In addition, while it is important for key generation purposes that the modulus (n) be the product of two prime numbers, the exponentiation and modular arithmetic operation would work just as well with prime numbers (which are by definition evenly divisible only by themselves and the number 1).
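The three steps and the exchange between A and B described above, as a worked example added here (it is not code from the essay or from RSA Security). The primes, exponents and function names are constructed for illustration, and the arithmetic is the unpadded formula exactly as written in this section.

```python
from math import gcd

def generate_keypair(p, q, e):
    """Key generation: n = p*q and d = e^-1 mod (p-1)(q-1).

    p and q are used only here; the returned keys hold (e, n) and (d, n).
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def _check_range(m, n):
    # M must be encoded as a number in [0, n); larger values wrap modulo n
    # and could not be recovered.
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")

def encrypt(m, public_key):
    e, n = public_key
    _check_range(m, n)
    return pow(m, e, n)              # C = M^e mod n

def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)              # M = C^d mod n

def sign(m, private_key):
    d, n = private_key
    _check_range(m, n)
    return pow(m, d, n)              # C = M^(d_A) mod n_A

def verify(m, signature, public_key):
    e, n = public_key
    return pow(signature, e, n) == m # M = C^(e_A) mod n_A

def a_sends_to_b(m, priv_a, pub_b):
    """A encrypts M with B's public key and signs M with its own d_A."""
    return encrypt(m, pub_b), sign(m, priv_a)

def b_receives(c, signature, priv_b, pub_a):
    """B recovers M with d_B and checks the signature with A's public key."""
    m = decrypt(c, priv_b)
    return m, verify(m, signature, pub_a)

# Constructed toy keys (far too small for real use).
PUB_A, PRIV_A = generate_keypair(61, 53, 17)   # n_A = 3233, d_A = 2753
PUB_B, PRIV_B = generate_keypair(89, 97, 5)    # n_B = 8633, d_B = 5069

if __name__ == "__main__":
    c, s = a_sends_to_b(65, PRIV_A, PUB_B)
    print(b_receives(c, s, PRIV_B, PUB_A))
    # The signature over M = 65 does not verify for a different message.
    print(verify(66, s, PUB_A))
```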

III. SECURITY OF RSA

A. Approaches of attacking RSA [7]

1. Brute force: This involves trying all possible private keys

2. Mathematical attacks: Factoring the product of two primes

3. Timing attacks: Depends on running time of decryption algorithm

4. Chosen ciphertext attacks: Exploits properties of RSA algorithm

B. Defence against Brute force attack

The defence is to use a large key space. However, since the calculations in key generation and encryption/decryption are complex, a large key makes the system run slowly.

C. Mathematical and timing attack: Factoring Problem

There are three approaches to attacking RSA mathematically:

1. Factor n into its two prime factors. This enables calculation of $\phi(n) = (p-1)(q-1)$, which in turn enables determination of $d = e^{-1} \pmod{\phi(n)}$.

2. Determine $\phi(n)$ directly, without first determining p and q. Again, this enables determination of $d = e^{-1} \pmod{\phi(n)}$.

3. Determine d directly, without first determining $\phi(n)$.

For a large n with large prime factors, factoring is a hard problem, but it is not as hard as it used to be. The threat to larger key sizes is twofold: the continuing increase in computing power and the continuing refinement of factoring algorithms. In addition to specifying the size of n, a number of other constraints have been suggested by researchers. To avoid values of n that may be factored more easily, the algorithm's inventors suggest the following constraints on p and q.

1. p and q should differ in length by only a few digits. Thus, for a 1024-bit key (309 decimal digits), both p and q should be on the order of magnitude of $10^{75}$ to $10^{100}$.

2. Both (p-1) and (q-1) should contain a large prime factor.

3. GCD (p-1, q-1) should be small.

In addition, it has been demonstrated that if $e < n$ and $d < n^{1/4}$, then d can be easily determined.
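One way to check a candidate key against constraints 1 and 3 and the $d < n^{1/4}$ condition above, as an added example that is not part of the original essay. The thresholds max_digit_gap and max_gcd are assumptions (the text gives no numbers), the sample primes are constructed, and constraint 2 is not checked because it requires factoring p-1 and q-1.

```python
from math import gcd

def check_rsa_parameters(p, q, e, max_digit_gap=2, max_gcd=16):
    """Return a list of findings for the p, q and d constraints listed above.

    p and q are assumed to be primes already. max_digit_gap and max_gcd are
    illustrative thresholds (assumptions): the text only says "a few digits"
    and "small".
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return ["e is not invertible modulo (p-1)(q-1), so no d exists"]
    d = pow(e, -1, phi)

    findings = []

    # Constraint 1: p and q should differ in length by only a few digits.
    gap = abs(len(str(p)) - len(str(q)))
    if gap > max_digit_gap:
        findings.append(f"p and q differ in length by {gap} digits")

    # Constraint 3: gcd(p-1, q-1) should be small.
    g = gcd(p - 1, q - 1)
    if g > max_gcd:
        findings.append(f"gcd(p-1, q-1) = {g} is not small")

    # d < n^(1/4), compared exactly in integers as d^4 < n.
    if d ** 4 < n:
        findings.append(f"d = {d} is below n^(1/4)")

    return findings

if __name__ == "__main__":
    # Constructed toy inputs; real primes are hundreds of digits long.
    for p, q, e in [(61, 53, 17), (61, 53, 1783), (61, 31, 7), (100003, 7, 5)]:
        print((p, q, e), check_rsa_parameters(p, q, e) or "no findings")
```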

D. Timing Attack

A snooper can determine a private key by keeping track of how long a computer takes to decipher messages. Timing attacks are applicable not just to RSA, but to other public-key cryptography systems.

This attack is alarming for two reasons: it comes from a completely unexpected direction, and it is a ciphertext-only attack. A timing attack is somewhat analogous to a burglar guessing the combination of a safe by observing how long it takes for someone to turn the dial from number to number.

Although the timing attack is a serious threat, there are simple countermeasures that can be used, including the following:

• Constant exponentiation time: Ensure that all exponentiations take the same amount of time before returning a result. This is a simple fix but does degrade performance.

• Random delay: Better performance could be achieved by adding a random delay to the exponentiation algorithm to confuse the timing attack. Kocher points out that if defenders don't add enough noise, attackers could still succeed by collecting additional measurements to compensate for the random delays.

• Blinding: Multiply the ciphertext by a random number before performing exponentiation. This process prevents the attacker from knowing what ciphertext bits are being processed inside the computer and therefore prevents the bit-by-bit analysis essential to the timing attack.
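The first and third countermeasures above, as an added sketch that is not part of the original essay: ordinary square-and-multiply does an amount of work that varies with the exponent's bits, a multiply-always loop removes that variation, and blinding multiplies the ciphertext by r^e for a random r so that the factor r can be divided out afterwards. The key, the ciphertext and the function names are constructed for illustration.

```python
import secrets
from math import gcd

def modexp_square_and_multiply(base, exp, mod):
    """Multiplies only on 1-bits, so the work depends on the secret exponent.

    Returns (result, number of modular multiplications performed).
    """
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        ops += 1
        if bit == "1":
            result = (result * base) % mod
            ops += 1
    return result, ops

def modexp_multiply_always(base, exp, mod):
    """One square and one multiply per exponent bit, whatever the bit is.

    This equalizes the operation count only; Python integers and the
    selection below are not constant-time at the machine level.
    """
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        product = (result * base) % mod
        ops += 2
        result = product if bit == "1" else result
    return result, ops

def blinded_decrypt(c, e, d, n):
    """Blinding: exponentiate c * r^e instead of c, then divide r out.

    Returns (plaintext, blinded ciphertext that was actually exponentiated).
    """
    while True:
        r = secrets.randbelow(n - 2) + 2       # random r in [2, n-1]
        if gcd(r, n) == 1:                     # r must be invertible mod n
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind, _ = modexp_multiply_always(c_blind, d, n)   # equals M * r mod n
    m = (m_blind * pow(r, -1, n)) % n
    return m, c_blind

# Constructed toy key and ciphertext (far too small for real use).
N, E, D = 3233, 17, 2753
C = 2790          # encryption of M = 65 under (E, N)

if __name__ == "__main__":
    print(modexp_square_and_multiply(C, D, N))   # work depends on bits of D
    print(modexp_multiply_always(C, D, N))       # same work for any 12-bit D
    print(blinded_decrypt(C, E, D, N))           # c_blind changes every call
```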

IV. RSA ALGORITHM AND ECOMMERCE

RSA is used extensively to secure critical data when so much electronic data interchange is taking place in the form of e-commerce. Security features needed in e-commerce: Authentication, Authorization, Encryption/Decryption and Auditing.

The patent for the RSA algorithm (U.S. Patent 4,405,829) was issued on September 20, 1983, exclusively licensed to RSA Security Inc. by the Massachusetts Institute of Technology, with an expiration date of September 20, 2000 [9]. The RSA patent covers most of the commonly used techniques for public key encryption and digital signatures, and a patent license was necessary from the owner to employ any of these techniques. On September 6, 2000, RSA Security Inc. made the RSA algorithm publicly available and waived its rights to enforce the RSA patent for any development activities that include the algorithm. Since then, the RSA patent has been used extensively for a variety of applications ranging from Bluetooth, MasterCard, VISA, e-banking, e-communication, digitally signing documents and e-Seal to Netscape Navigator and Microsoft Explorer.

TABLE I

APPLICATIONS

| Patent No & Date of Publication/Issue | Title & Assignee/Inventor | Technology | Application |
|---|---|---|---|
| US4405829, 09/20/1983 | Cryptographic communications system and method; Ronald L. Rivest, Adi Shamir, Leonard M. Adleman (MIT) | Communications channel coupled to one terminal having encoding device and other as decoding device. Message is enciphered to ciphertext at encoding terminal while deciphered at decoding terminal. | Secure communication between two terminals. |
| US5870473, 02/09/1999 | Electronic transfer system and method; CyberCash, Inc | Temporary session keys | Electronic funds transfer between customer and merchant |
| US6199053, 03/06/2001 | Digital signature purpose encoding; Intel Corporation | The hash value is used in a digital signature function to bind the purpose to a digital signature | Detect and disallow improper or unauthorized transactions. |
| US20020138848, 09/26/2002 | Service gateway for interactive television; Alao, Rachad, Delpuch, Alain, Henrard, Jose, Lam, Waiman, Kidd, Taylor | Proxy between a client and various communication protocols. | Asymmetrical routing, data compression and encryption to optimize client processing power and communication link bandwidth. |
| US6668322, 12/23/2003 | Access management system and method employing secure credentials; Sun Microsystems, Inc | Authentication schemes (e.g., those based on passwords, certificates, biometric techniques, smart cards, etc.) are associated with trust level of certain information resource. | By using session credentials, access is granted without the need for further login credentials and authentication. |
| US6718361, 04/06/2004 | Method and apparatus for reliable and scalable distribution of data files in distributed networks; Network Appliance Inc | A unique content-management front-end provides efficient controls for triggering distribution of digitized data content to selected groups of a large number of remote computer servers. | Provides a system and apparatus for efficient and reliable control and distribution of data files or portions of files, applications, or other data objects in large-scale distributed networks |
| US6891953, 05/10/2005 | Method and system for binding enhanced software features to a persona; Microsoft Corporation | The server architecture includes a retail site which sells content items to consumers, a fulfillment site which provides to consumers the content items sold by the retail site, and an activation site which enables consumer reading devices to use content items having an enhanced level of copy protection | A server architecture for a digital rights management system that distributes and protects rights in content |
| US7124101, 10/17/2006 | Asset tracking in a network-based supply chain environment; Accenture LLP | When network events about the assets are received, the events can be filtered, correlated and isolated. These events can then be translated into a standard object form for facilitating the determination of the problem causing the network event. | Controls the network and manages resources for managing network assets through in a network-based supply chain framework |
| US20070275739, 11/29/2007 | Method and System for Authorising Short Message Service Messages; Three B Technologies PYT LTD | A system for delivering the SMS messages includes receiving means for receiving SMS from sender, transmission means for sending an automatic verification request to the sender requesting a verification response, receiving means for receiving the verification response from the sender, and delivering means for delivering SMS message to the recipient upon receiving the verification response | Short message service (SMS) messages are sent by a sender to a recipient over a communications network. An SMS message is received from the sender. |
| US20080222049, 09/11/2008 | Digital Signature Authentication; Loomis, Nancy, Saville, Julie | Authenticate with help of transaction card using digital signatures | Financial institution can authenticate the consumer with the help of digital signature |
| US7430755, 09/30/2008 | Method and system for providing persistence in a secure network access; FS Networks, Inc. | A session ID are used along with client certificates | A security handshake is performed with a client device to establish a secure session and determining the target. |
| US7620980, 11/17/2009 | Secure data broker; Sun Microsystems, Inc. | Allow registered or verified messages to be brokered across a security barrier. | Provides a restricted message based data exchange between a client application and a secured information resource |
| US7673793, 03/09/2010 | Fraud analyst smart cookie; Digital Envoy, Inc | Authenticate a transaction using a cookie stored on a client device and a behaviour profile stored on a server. | Uses an online fraud mitigation engine to detect phishing intrusions and identity theft |
| US7933835, 04/26/2011 | Secure money transfer systems and methods using biometric keys associated therewith; The Western Union Company | Biometric sample comprises a selection from the group consisting of: a voiceprint, a fingerprint, a retinal scan, and a DNA sample. | Transferring funds from a sender to a recipient |
| US20120144464, 06/07/2012 | Method and system for improved security; Fakhrai, Delaram, Moshfeghi, Mehran | Bridge server perform authentication tasks to allow a user to access a server(s) with multiple security levels | User can securely accesses a variety of target servers for email, e-banking, credit card purchases, e-commerce, brokerage services, corporate databases, and online content. |
| US8266711, 09/11/2012 | Method for controlling information supplied from memory device; ScanDisk Technologies Inc | The public and confidential information is stored in a nonvolatile storage medium, and a controller controls the supply of information. | Access Privilege to access memory card data |
| US8321690, 11/27/2012 | Protecting digital media of various content types; Microsoft Corporation | Tools encrypt data segments of a media file and add a descriptor to each of those segments | Descriptors enable receiver of the encrypted media file to decrypt the file and consume it according to the correct digital rights management policy. |

Fig 2: Number of patents published per year since 1987

The inception of the internet and the arrival of e-commerce have been a driving force behind technological innovation in the area of security and authentication [10]. Figure 2 starts from 1987, as online trading had started by that time and the need for secured transmission arose. In 1994, e-banking started and people could manage their bank accounts electronically. By 1995, eBay had become an important means of trading goods online. In 1999, customers were not comfortable sharing their data online. By 2000, hackers had made their way into e-commerce or e-banking business systems. In late 2001, due to government regulations, industries were forced to implement privacy standards complying with ISO 17799. The arrival of wireless networks also made the security of resource sharing vulnerable to hackers. Thus a major number of patents were filed in the era since 1999, which can be seen in Figure 2 as a steep upward curve.

Since its development, RSA has been used widely to provide security in almost all infrastructures. The electronic industry has benefited a great deal. Since the boom of electronic business, firms have become global and shifted their business processes onto the Internet. This made the use of cryptographic algorithms a necessity. And since RSA was made public in 2000, it has been available to the general public as well. Thus, with the advancement of technology, many inventions were made in order to increase the security offered by RSA.

RSA has been used with partially blind signatures in the mobile and smartcard industry to notify the bank about the expiration of e-cash [11]. The session key concept was introduced to enhance the security performance of RSA; in it, a temporary session key is assigned during the session and is destroyed at its conclusion. Use of a session key makes it difficult to crack the private key [12]. Biometric authentication was also introduced with RSA; while issuing credit/debit cards, banks stored the encrypted iris details along with the credit/debit card number and other personal details [13]. The Chinese Remainder Theorem was also introduced with RSA, which increased the speed of the RSA algorithm [14]. An RSA-based secure electronic cash payment system was also introduced, composed of three protocols: withdrawal, payment and deposit [15]. An electronic seal system based on the RSA algorithm and public keys was also introduced; it combined the concepts of one-way hash functions and digital watermarking. It makes electronic documents tamper proof, and the seal can't be replicated [16]. An implementation of the RSA algorithm using SOPC technology was also introduced; it reduced the cost of implementation [17]. A new secure mechanism for Bluetooth networks was introduced, in which any mobile device may interconnect securely to exchange data over a Piconet and Scatternet [18]. A digital signature with the RSA encryption algorithm to enhance the data security of the cloud in cloud computing was also introduced [19]. An improved version of RSA, k-RSA, was introduced; it is more secure, fast and requires less storage than RSA [20]. A technology based on RSA which generates cryptographic keys using an email ID was introduced; it avoids the need for certificates [21]. A card was introduced that offers end-to-end encryption of voice and SMS, thus ensuring privacy of communication [22].

The growth in filing of authentication-related patents since 1990 can be seen in figure 1, both in number of applications and as a fraction of all patent filings per year. These lines are on an overall upward trend, with a surge in filings in the early 2000s that is common to many technologies linked to security and authentication, especially in e-commerce. There are two main reasons: e-commerce started becoming popular and RSA came into the public domain.

Thus, a lot of research has been done in various application domains, which can be seen in Figure 3 below.

Fig 3: various application domains

V. CONCLUSION

Even thirty-five years after it was first invented, RSA still remains a highly popular and widely implemented Public Key cryptosystem worldwide. As technology advances and hackers become more and more tech savvy, there has been a continuous need for improvement in the security methods used. Security analysts are continuously improving the original RSA by adding various functionalities to enhance its security performance. Even though many other algorithms exist, RSA holds a major position in E-commerce and Network Security.


