Encryption and Electronic Commerce

The encryption of information is essential for the conduct of secure commercial activity over the Internet. Sophisticated communications protocols such as SSL (Secure Sockets Layer) and SET (Secure Electronic Transaction) use encryption to enable credit card details to be given over the network in order to make purchases without fear of the details falling into unauthorized hands. Encryption is an integral part of systems for electronic payments, digital money (e-cash) and inter-bank money transfers. Apart from simply providing privacy (for example by encoding e-mail messages and other computer files), encryption can also be used in the process of signing by computer, known as a digital signature (Internet Law, 4th and 16th May 1997).

Alongside these developments, governments and intelligence agencies are becoming increasingly concerned. The perfection and availability of encryption techniques enable terrorists and organized crime to communicate securely. If encrypted messages are intercepted, it would at best take months or even years to decrypt them. The accepted view in respect of the decoding of a 200 digit code is that it would take eight mainframe computer months to decrypt it. On the one hand this is reassuring for commercial organizations and individuals, since the decrypting of credit card details, for example, ceases to be economically viable and is out of the reach of computer hackers. On the other hand, law enforcement agencies have serious cause for concern. The inevitable result is a clash between the traditional legal prohibitions against developing and using codes, and the fact that every day millions of people are using them, even without knowing it, for on-line commerce. There is therefore a growing need for the revision of the traditional laws concerning encryption.

The traditional method of encryption is called "symmetrical encryption" or "secret key encryption" - a single key is used for both encoding and decoding the message. This requires prior coordination between the parties. It does not allow two parties who are dealing with each other for the first time (for example an Internet trader and his customer) to transfer encrypted data between each other (the details of on-line transactions and credit cards). Had the development of encryption stopped at this technique, it is doubtful whether secure commercial transactions could have been executed over the Internet.

Modern encryption methods make use of a double key and are known as "asymmetrical encryption" - one key is used for encoding the message and a completely different one for decoding it. The protocol underlying the technology was developed in 1976 by Diffie and Hellman and was first applied by Shamir (Prof. Adi Shamir of the Weizmann Institute in Israel), Rivest and Adleman shortly afterwards. These three are responsible for today's de facto standard of asymmetrical encryption which is called RSA (http://www.rsa.com).

The method is based on two complementary keys which are given to each user - one key is publicly known ("the public key") and the other is secret ("the private key"). What is encrypted by means of one key can only be decrypted with the other key and vice versa. Thus, for example, one out of 24 (!) lines of code in the public key produced by the new version of the widely available encryption program PGP (Pretty Good Privacy) appears as follows:


(A version of the program, whose export out of the USA is permitted, is available at the Internet site http://www.pgpi.com.)

The power of a code is analysed according to the length of the keys used in creating it. PGP can create 128 to 2048 bit encryption keys, which is considered very strong. The American administration currently only permits the export of 40 bit or sometimes 56 bit means of encryption. The software companies complain that these do not guarantee adequate privacy. On 26th February 1998 RSA.com reported that a 56 bit DES (Data Encryption Standard) code, as adopted by the US administration, had been deciphered in only 39 working days by tens of thousands of computers connected to the Internet, to which the decrypting team was allowed access whilst the computers were idle.

The user can and wants to distribute his public key publicly. He can do so as part of an e-mail message, he can post the key on the Internet or deliver it for publication on sites which are specifically for that purpose. The user wishes to do so because anyone can then send him a message encoded by means of the public key. From the moment that the message has been encoded, even the public key which created it cannot decipher it. Only the holder of the private key (i.e. the addressee) can decode the message and read what is intended for him.

Credit card details are encrypted in a similar way en route from the user's computer to the virtual shop where he has, for example, just bought a book or recording.

Digital signatures are also made by means of encryption. Here someone signs a document by means of his unique private key. (Were he to sign using the public key, anyone could sign the document in his name.) The signature identifies its signatory with absolute certainty. In this way commercial contracts can be signed over the Internet without the parties having to travel around the globe or the documents being physically sent from one continent to another. When the signed document reaches its addressee, a message certifying the identity of the signatory will appear on screen. A sophisticated "hash" function will also certify that the document has not been revised since it was signed. Many states in the USA have already enacted statutes regulating the use of digital signatures and establishing their legal status. The most sophisticated act is the Digital Signature Act of the State of Utah, which became effective on 1st May 1995.
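
The two-key scheme and the signature check described above, as an added example that is not part of the original article: textbook RSA in Python, showing that only the private key recovers a message encoded with the public key, and that a signature fails to verify once the document is revised or when it was made with the wrong key. The toy primes, the absence of padding, the sample messages and all function names are assumptions made for illustration.

```python
import hashlib

# Toy primes (constructed for illustration): two Mersenne primes.
# Real keys use large random primes and padded schemes (OAEP, PSS).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537

def make_keypair(p=P, q=Q, e=E):
    """Return (public, private), each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)

def apply_key(value: int, key) -> int:
    """The one RSA operation: raise to the key's exponent, modulo n."""
    exponent, n = key
    return pow(value, exponent, n)

def encrypt(message: bytes, public) -> int:
    m = int.from_bytes(message, "big")
    if m >= public[1]:
        raise ValueError("message too long for this modulus")
    return apply_key(m, public)

def decrypt(ciphertext: int, key) -> bytes:
    m = apply_key(ciphertext, key)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(document: bytes) -> int:
    """SHA-256 hash of the document as an integer (fits below n here)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, key) -> int:
    return apply_key(digest(document), key)

def verify(document: bytes, signature: int, public) -> bool:
    return apply_key(signature, public) == digest(document)

if __name__ == "__main__":
    public, private = make_keypair()
    order = b"card 4111-0000-0000-0000, one book"   # constructed sample
    c = encrypt(order, public)
    print(decrypt(c, private) == order)   # private key recovers the order
    print(decrypt(c, public) == order)    # public key cannot undo itself
    contract = b"Seller ships 100 units on 1 June."  # constructed sample
    sig = sign(contract, private)
    print(verify(contract, sig, public))                  # genuine signature
    print(verify(contract + b" (revised)", sig, public))  # document changed
    print(verify(contract, sign(contract, public), public))  # wrong key
```
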

Translated by Word Power