Digital Signatures and Suppress-Replay Attacks

Digital signatures are seen as the most important development in public-key cryptography. Sun Developer Network states, “A digital signature is a string of bits that is computed from some data (the data being “signed”) and the private key of an entity. The signature can be used to verify that the data came from the entity and was not modified in transit” (The Java Tutorial, n.d.). Digital signatures should have the properties of author verification, verification of the date and time of the signature, authenticate the contents at the time of the signature, as well as be verifiable by a third party in order to resolve disputes. Based on these properties, there are several requirements for a digital signature. The first of these requirements is that the signature must be a bit pattern that depends on the message being signed. The next requirement is declared in order to prevent forgery and denial. It states that the signature must use some information that is unique to the sender. The third requirement is that it must be fairly easy to generate the digital signature. Being relatively easy to recognize and verify the digital signature is another requirement. The fifth requirement states that it must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message. The last requirement is that it must be practical to store a copy of the digital signature. Many approaches for the implementation of digital signatures have been proposed, and they fall into the direct and arbitrated digital signature approaches (Stallings, 2003).

The direct digital signature involves only communication between the source and destination parties, and the arbitrated digital signature schemes include the use of an arbitrator. The direct digital signature is created by encrypting the entire message or a hash code of the message with the sender’s private key. Further confidentiality can be provided by encrypting the message in its entirety and adding signature using either the receiver’s public key or a secret key shared between the sender and receiver. One weakness in the direct signature scheme is that a sender can later deny having sent a message. Another weakness is the threat of a private key being stole and sending a message using the signature. Both weaknesses are the primary reason for the arbitrated digital signature scheme. In arbitrated scheme, a sender’s message must first go through an arbiter that runs a series of tests to check the origin and content before it is sent to the receiver. Because the arbiter plays such a crucial role, the sender and receiver must have a significant amount of trust in this arbitrator. This trust in the arbiter ensures the sender that no one can forge his signature and assures the receiver that the sender cannot disown his signature (Stallings, 2003).

The issue of replay attacks is a main concern when dealing with mutual authentication when both parties are confirming the other’s identity and exchanging session keys. The primary issues with mutual authentication lies in the key exchange: confidentiality and timelines. Timelines are susceptible to replay attacks that disrupt operations by presenting parties with messages that appear genuine but are not. One type of replay attack is suppress-reply attack that can occur in the Denning protocol. The Denning protocol uses a timestamps to increase security. The issue here revolves around the reliance on clocks that are synchronized throughout the network. It is stated, “…that the distributed clocks can become unsynchronized as a result of sabotage on or faults in the clocks or the synchronization mechanism” (Stallings, 2003 p. 387). Li Gong states, “…the recipient remains vulnerable to accepting the message as a current one, even after the sender has detected its clock error and resynchronized the clock, unless the postdated message has meanwhile been somehow invalidated,” which is unlikely. If the clock of the sender is ahead of the receivers and the message is intercepted, the opponent can replay the message when the timestamp becomes current. This type of attack is known as suppress-replay attack.

In order to address the concern of suppress-replay attack, an improved protocol was presented. Here are the detailed steps.

1. “A initiates the authentication exchange by generating a nonce, Na, and sending that plus its identifier to B in plaintext. This nonce will be returned to A in an encrypted message that includes the session key, assuring A of its timelines.

2. B alerts the KDC that a session key is needed. Its message to the KDC includes its identifier and a nonce, Nb. This nonce will be returned to B in an encrypted message that includes the session key, assuring B of its timeliness. B’s message to the KDC also includes a block encrypted with the secret key shared by B and the KDC. This block is used to instruct the KDC to issue credentials to A; the block specifies the intended recipient of the credentials, a suggested expiration time for the credentials, and the nonce received from A.

3. The KDC passes on to A B’s nonce and a block encrypted with the secret key by A for subsequent authentications, as will be seen. The KDC also sends A a block encrypted with the secret key shared by A and the KDC. This block verifies that B has received A’s initial message (IDB) and that this is a timely message and not a replay (Na), and it provides A with a session key (KS) and the time limit on its use (Tb).

4. A transmits the ticket to B, together with the B’s nonce, the latter encrypted with the session key. The ticket provides B with the secret key that is used to decrypt EKS[Nb] to recover the nonce. The fact that B’s nonce is encrypted with the session key authenticates that the message came from A and is not a replay” (Stallings, 2003 pgs. 387-388).

This protocol is not vulnerable to suppress-replay attacks due to the fact that the nonces the recipient will choose in the future are unpredictable to the sender (Gong, n.d.).

In conclusion, digital signatures are seen as the most important development in public-key cryptography and include direct and arbitrated digital signature approaches. The direct digital signature involves only communication between the source and destination parties, and the arbitrated digital signature schemes include the use of an arbitrator. Suppress-replay attacks can occur if the clock of the sender is ahead of the receivers and the message is intercepted. This allows the opponent to replay the message when the timestamp becomes current. This issue is overcome by the implementation of a protocol that uses timestamps that do not require synchronized clocks because the receiver B checks only self-generated timestamps (Stallings, 2003).

Works Cited

Gong, Li (n.d.). A Security Risk of Depending on Synchronized Clocks. ORA Corporation and Cornell University. Retrieved November 5, 2005, from https://portal.acm.org

Stallings, William. (2003). Cryptography and Network Security: Principles and Practices. New Jersey: Pearson Education, Inc.

The Java Tutorial (n.d.). Sun Developer Network. Retrieved November 5, 2005, from http://java.sun.com/docs/books/tutorial/index.html


Necessity of M-Commerce Applications in Today’s Digital Era

Ecommerce has created a buzz in the online market since its arrival. Day to day activities like ticket booking, shopping, bill payments and money transactions would never have been easy without the help of ecommerce. In recent years due to the mobile revolution, more people have shifted to the convenient way of using internet with their mobile phones and tablets. The growth of mobile commerce has outpaced the growth of ecommerce in the recent years.

Owing to this fact m-commerce applications have become a necessity for the growth and survival of online businesses.

If you have an ecommerce store which is not mobile friendly then you should start working in this direction to survive in the online domain soon. Here are some reasons which can convince you to make your platform mobile ready.

  1. Convenient option for users– Customer satisfaction is the ultimate goal of every business. If a customer is not satisfied with the products and services then making profit is next to impossible. M-commerce applications guarantee ease of use because of the easy to handle interface designed especially for the mobile users. Almost every user will choose a mobile app instead of shopping from the websites for fulfilling their needs. This happens because mobile apps are more user friendly as compared to websites.
  2. Notifications make a huge impact– How do you inform your customers about the exciting offers and discounts? Email marketing is a good option but PUSH notifications have worked very well in grabbing attention of the users instantly. M-commerce applications are designed in such a way that keeping the customers updated 24*7 becomes easier. This is one of the easiest ways of marketing effectively and increasing the number of loyal customers.
  3. Better ROI guaranteed – M-commerce applications have progressed to such an extent that better ROI is guaranteed. The entire end to end process of shopping right from signing in till payments and checkouts is managed in a way such that users visit back for shopping again. This is one of the main reasons that attracts multiple users and results in better ROI with the onetime investment.

With these three vital reasons, having a platform which makes the ordering process quick and easy for the customers have become extremely essential. The small screen helps in gaining huge profit so start making your ecommerce store mobile friendly right now.

Conclusion: Along with the changing trends, the way of shopping has shifted to m-commerce applications which provide multiple features to the customers. Making a choice as per the requirements of your business which includes common factors like great customization, integration and user-friendly nature becomes a challenging task.


The Culture Of Free In A Digital Universe

Who among us doesn’t like getting something for free? Whether times are tough or not most of us appreciate not paying for something we want or like.

The world wide web has taken this to new heights. There are all sorts of sites with all sorts of content which we access for free.

Music, Art, Entertainment, Books, Sports, Games… you name it. In fact, how many of you when faced with a pay-wall for premium content simply decide to go elsewhere? I know – I’ve done the same thing.

You probably have to really want the content to decide to pay for it, because in most cases you can get what you’re after somewhere else for free.

But this “free” content does have a price. The creators of the content certainly incur expenses in order to produce the content. So, how is it that there’s so much content available for “free”?

There are several dynamics at play. In most cases the owners of large web site operations are able to monetize the traffic they receive by selling advertising, which allows them to offer content for free.

If you’re able to prove that you get millions of visits each day, advertisers find this valuable and are willing to pay for the privilege of being visible on the site. Or they pay for the clicks they receive on the ads displayed on the site.

In order to continue to receive millions of visits each day, these sites require new and interesting content all of the time. After all, if the sites you visit have the same thing each day, you probably won’t frequent them very often. So, how do you solve the problem of acquiring new and interesting content continuously?

If you’re a News site – you rely on reporters to develop and report on stories as part of the news cycle. This is a very expensive operation, afterall the reporters have to be paid for their efforts. Some News sites rely on donations from their visitors to support their operations and conduct periodic fund raising campaigns to keep their operations going. Other sites are owned by larger organizations which consider it valuable to maintain a presence on the internet and can afford the news gathering effort although they still tend to sell advertising.

A number of the large social media sites discovered the best way to acquire new and interesting content continuously was to allow their visitors to provide the content themselves.

Every photo, post, update, etc. is content provided for free by the visitors and then monetized by the sites. Now this may seem like a pretty fair arrangement in this context. The visitors (you and me) get a nice site with all sorts of fresh content, we’re able to connect and share with friends, and they don’t charge us anything. It’s FREE! Yay us!

You may not think of yourself as a content creator – but broadly defined, when you upload photos, or post videos of your dog or cat doing dog and cat stuff, or make a post providing some of your life lessons – you are a content creator.

However, let’s think of content creators a bit more narrowly defined. Let’s look at Writers, Musicians, Singers, Artists, Videographers, etc. In many cases these content creators produce their content at great expense to themselves. If they are unknown content creators then one of their first tasks is to find a platform or forum to gain exposure for their content.

There are many specialized web sites which cater to these specific areas – whereby the content creator is enticed to provide their content for free to the site with the carrot being that they will gain exposure for their content and gather new fans of their work along the way. Many of these sites even provide a means for the content creator to sell their content directly to the visitors of the site. This sounds wonderful in theory.

The content creator gets to have their content exposed to lots of people, far more than the content creator might be able to reach on their own. The content creator has a platform to offer their content for sale to those who are interested, with perhaps a small cut to the website owner. A win for everybody, right?

Well, not quite. There’s still the culture of free to overcome. We visitors have become accustomed to receiving our content for free. And while we might like some content, maybe even like it enough to give it careful consideration, but when it comes down to clicking the “BUY” button, there’s a tendency to move on, because we don’t have to have it. And there’s more free content available somewhere else.

It is still a win for the site owner – because they are able to monetize the visits and sell advertising. However, in this scenario the content creator is left trying to figure out what they need to do to close the deal with the consumer.

Of course it is the job of the content creator to make their content as compelling as possible so that a consumer will deem it worth acquiring. But the Culture of Free is a difficult hurdle to overcome in this context. Prior to so much content becoming digitized, it was necessary to acquire it via whatever means of distribution was available. Absent that, there were not many legal free means of accessing or acquiring content – beyond free broadcast radio or television, or in the case of print media – heading to the newstand or the bookstore.

Content creators are faced with an ever expanding landscape where everyone is vying for attention and so much is offered for free it has the effect of devaluing the creative efforts of content creators. Some would argue that the cream will still rise to the top, even in this environment. And that content creators simply have to be more innovative with drawing attention to their work, and produce more compelling content.

Ultimately, I believe that content creators are far better served by taking all the steps that they can to direct traffic to their own websites. Content creators may still choose to make some of their content available for free to their visitors – but at least any monetization would benefit the content creators directly.

And yes, I do recognize the irony that this article will probably appear on some of the larger sites I refer to which aggregate content for free from content creators such as myself.