SSL, PKI, Encrypt, Decrypt… Anybody?

(Basics of Secured, Online Transaction - a series)

More and more people today are transacting business over the Internet. It was almost a year ago when the University started online (i.e., web-based) enlistment and enrolment. However, we are still in the preliminary phase of doing things online, and there is a lot more to come. So it would be helpful to familiarize ourselves now with the common terminology and the basic principles typically used in online transactions.

One of the primary concerns in doing business over the Internet is security. Is it really secure to send personal information such as a credit card number over the network? Many standards, policies, and procedures are used to ensure the security of these transactions, thus making the Internet an alternative and effective method of doing business. Some of the common terms used with regard to secured web transactions are:

SSL - Secure Sockets Layer; the industry standard for secured web-based communications.
IPSec - Internet Protocol Security; a set of standards developed to increase the security of IP-based networks (e.g., the Internet).
PKI - Public Key Infrastructure; a PKI includes all the policies and procedures for sending information privately and securely across an unsecured network. Everyone in the system owns a unique pair of keys (usually an alphanumeric code). One of the keys, called the public key, is widely distributed and used for encoding information. The other key, called the private key, is a closely held secret used to decrypt the incoming information. Under this system, a person who needs to send information to a second person can encrypt it with that second person's public key. The information can only be decrypted by the owner of the secret private key, making it safe from interception. This system can also be used to create unforgeable digital signatures.

Amazon, as well as other companies offering online credit card payments, uses SSL. In the future, My.LaSalle, the University portal, would also be accepting online payments secured by SSL. For instance, in paying tuition online with SSL, anything a student types would be encrypted before it is sent to the University's server. Without encryption, a technically equipped person can "see" the information sent to another party. With encryption, it is extremely difficult or nearly impossible for such a person to decrypt the data. The University will then decrypt and process the information, encrypt it again, and send it to the bank. The bank would then check whether it is a good credit card number with good credit. Then the credit card number that is temporarily stored in the University's server is destroyed. This security process is far stronger than the one used in traditional credit card transactions (e.g., in supermarkets and shops), where the data sent to the credit card company are not encrypted.

There are some simple ways to know if your transaction is secure. First, the web address or URL (Universal Resource Locator) starts with https://. The usual unsecured URL starts with http://. Second, for Netscape Communicator, the padlock in the lower left corner is closed ("locked") when the connection is secure; otherwise it is open ("unlocked"). For Microsoft Internet Explorer (IE), a padlock icon appears in the bottom bar of the IE window when the connection is secure; otherwise, there is no padlock icon. As an example, assuming you have a Yahoo! account, visit their site using this web address: http://mail.yahoo.com. In the box where you need to key in your Yahoo! ID (or user name) and password, you can choose which mode to use -- standard or secure. Unlike the secure mode, the standard mode has no encryption. If you click on "Secure", you will see a padlock icon beside "Sign In". You will also see that your web browser displays a padlock as described above. These tell you that your log-in transaction is secure. Yahoo! uses SSL to secure the log-in process.

For more examples, try visiting Internet sites where you can buy something. One of the most popular is Amazon. You can even try out local sites like Equitable PCI Bank's FASTNet, UCPB's one-time payment, and BPI's Express Online.

It is just a matter of time before DLSU starts to do full-blast transactions over the Internet. It is important that we know the basics of secured online transactions so that we will be confident in using this facility whenever it becomes available to us.

In our next article, we will discuss bank repudiation. This is the procedure for resolving complaints or inconsistencies - e.g., a credit card user contests a transaction that he/she did not perform.

Related article:
The second article in the series about Basics of Secured, Online Transaction was entitled Online Banking.