Jose Sandoval
Wednesday, February 06, 2002
Security in an unsecure world.

Security nowadays has become a great concern for all, and with the proliferation of Internet users all over the world, online security is common table talk among online shoppers. We are also becoming more aware that electronic data and Internet transactions may not be so secure.

I have a friend who asked me about credit card theft while shopping online, and I replied that it is as secure as using it to pay for lunch at the local pub. This person does not use his credit card to buy anything on a web site, yet he does not think twice about calling a ticket agency to buy a pair of tickets for the theater.

Why is there such mistrust in computer systems, and why do we trust the person taking our order over the phone? It is more likely, in my opinion, that the person processing my payment would take my card number and reuse it to buy things, ironically enough, over the Internet (note: this has not happened to me nor anyone I know).

This is my view: we trust that the person taking our order and payment at a 3D establishment (3D here means real life, a place with a door and people in it taking your order) has common sense, and we give that person the benefit of the doubt: someone of average intelligence will realize that if the card were used illicitly, we and the credit card company can trace back where it was used last, pinpoint the person who took our payment, and take action against the thief. If found out, the person risks losing his/her job and going to jail in the process.

On the Internet we can't easily trace the misuse of a credit card number (if stolen). It takes expertise to find the thief, and it is an expensive thief hunt, which may or may not result in the apprehension of the card burglar.

The question is, does it happen? Do people steal credit card numbers?
Likely, but not as often as in the 3D world. Stealing a credit card number while it is being used on the Internet requires certain computer and networking know-how, as well as time and patience.

So, if you are buying some gadget or a book on a web site your credit card number is more or less secure. Not 100% secure (nothing is), but it is secure enough that you can buy your gadget or book today and go to sleep with the excitement that you will get the merchandise sometime in the future (we can hope at least, as delivery systems are a different story) and that your 16 digit number has not been stolen while shopping.

You must know that this number is sometimes stored in the merchant's database systems. This is another threat to your security. What happens if a hacker breaks into these computers? It has happened, and sometimes the news runs wild reporting on it (perhaps they have nothing better for a story and the media makes this out to be newsworthy). And it happens more often than reported, but big companies hosting these databases don't really say much about it. Why would they? It's their reputation. I'm almost certain these corporations storing credit card numbers try really hard to prevent such events and spend millions of dollars while trying. But we know that nothing is 100% secure on the Internet, unless we unplug every computer in the network, but then we would have a very boring Internet.

So what do companies do to secure your transaction while you buy things over the web?
They use something called Public Key Encryption. Encryption is nothing new and has been used in the past. There are different methods of encryption. Some methods are simple and could be broken in minutes or hours, and others are a little bit more challenging to break.

Note that in our year of 2002 AD (the futuristic times) the advancements in mathematics have allowed for virtually unbreakable encryption schemes. I say virtually because these schemes depend on the mathematical world of Number Theory and though these schemes are very hard to break using brute force, they could eventually be broken. Brute force here means very powerful computers performing mathematical calculations trying to find the opening key (or number) in the encrypted stream of data.

Recent encryption schemes are based on large prime numbers and their factors. Large prime numbers are very hard to compute, but I'm sure sometime in the future someone will find a way to find them instantly. Perhaps quantum computing or some clever theorem not invented yet. But right now and in the foreseeable future (10 years+) prime numbers will be a big part of encryption.

What are prime numbers?
Prime numbers are the basis of all numbers and have been a big playground for mathematicians for centuries. They have the distinct property, among others, of being divisible only by 1 and the number itself, and a prime has to be greater than 1. So, 2 is a prime number. 3 is also a prime number. 4 is not, because it can be composed of 2 X 2 = 4. 5 is a prime number. 6 is not, because 2 X 3 = 6. And they keep going to infinity. And it is infinity because, as in all mathematics, there is a theorem that states that there are an infinite number of primes. And of course it is proven, otherwise it would be called a "conjecture." (If you are really keen and want to know more about prime numbers or make sure I'm not making all this up, go here or a Google search gives about a million results on prime numbers - enjoy).

Why trust our data to prime numbers if they can be found using mathematics?
Every number is composed of prime numbers or prime divisors (e.g. 12 = 3 X 2 X 2), and if we have a very large number, it becomes very difficult to find the prime divisors (very large primes are called Mersenne Primes). Hence, using primes to encrypt data is very secure, if the numbers used are very large.

And so PKE (Public Key Encryption) is widely used and works on the premise of a pair of 2 prime numbers or keys:

Public Key Encryption defined (this is an excerpt from a document I wrote in 1999):


    Public key encryption is a technique that uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely. The private key is never distributed; it is always kept secret.

    Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key.


So if you think of these keys as being prime numbers (which they are), you have one key in your possession and another key is on the server where you are purchasing your product online.

Where are these keys if you were never given one directly?

  • The user key or certificate is embedded into the web browser. Companies that build web browsers embed such capability so that ecommerce can happen (Netscape's whole business was based on this premise: provide a browser with PKE so that their proprietary server could be used while someone is buying something on the web - server software was expensive, browser software was not - but I digress).

  • And the web server selling you whatever item over the Internet does its part in getting the key or certificate by buying it from a trusted company that specializes in selling such certificates (why they are trusted, you will have to find out for yourself).

40 bit encryption, 128 bit encryption. What is this?
Once in a while you hear the terms 40 bit encryption key and 128 bit key (the current standard and widely used). All it means is that the web browser you use is ready and capable of encrypting data with a 128 bit key when doing a transaction with a server that supports PKE.

The use of PKE guarantees that after the first connection to the server, all future transactions are encrypted with your key, and it guarantees that all other transactions originate from your web browser.

If someone were to intercept your communication (not very easy to do) while buying a book on some web site and the hacker is able to send a tampered transaction (buying another book you didn't ask for on your credit card), the server replies back with an error stating that the origin of the transaction is not who they say they are and hence the request must be bogus.

Also, note that when your credit card information is being passed through the wires, it is in fact encrypted with a 128 bit key (very large number) and hence it is virtually impossible to break and get any real information out of the stream (like your credit card number or personal information). This is due to the fact that very large numbers are composed of very large primes, and very large primes are extremely hard to find.
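The key-pair behaviour quoted in the 1999 excerpt and the rejection of a tampered request can both be seen in textbook RSA, a public-key scheme built from two primes. This is an added example, not code from the original post; the primes 61 and 53, the exponent 17, the message value and all function names are constructed for illustration.

```python
# Added illustration: textbook RSA with toy primes. Constructed values only;
# real deployments use far larger primes and a padding scheme.
from math import gcd


def make_keypair(p, q, e=17):
    """Derive (public, private) keys from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    return (n, e), (n, pow(e, -1, phi))  # pow(e, -1, m): inverse, Python 3.8+


def apply_key(key, value):
    """The one RSA operation: value ** exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be in [0, n)")
    return pow(value, exponent, n)


def verify(public, message, signature):
    """Accept only if the signature was made with the matching private key."""
    return apply_key(public, signature) == message


def recover_private(public):
    """Break a toy key: factor n by trial division, rebuild the private key."""
    n, e = public
    f = 2
    while f * f <= n:
        if n % f == 0:
            return make_keypair(f, n // f, e)[1]
        f += 1
    raise ValueError("n has no nontrivial factor")


PUBLIC, PRIVATE = make_keypair(61, 53)      # toy primes, n = 3233

if __name__ == "__main__":
    order = 1234                             # constructed message, must be < n
    sealed = apply_key(PUBLIC, order)        # encrypt with the public key
    print("decrypts with private key:", apply_key(PRIVATE, sealed) == order)
    signature = apply_key(PRIVATE, order)    # sign with the private key
    print("genuine order accepted:", verify(PUBLIC, order, signature))
    print("tampered order accepted:", verify(PUBLIC, order + 1, signature))
    print("key recovered by factoring:", recover_private(PUBLIC) == PRIVATE)
```

With primes this small, trial division recovers the private key at once, so the protection depends entirely on the modulus being too large to factor.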

Who uses PKE or Public Key Encryption?
Most applications that require a sender and a receiver (e.g. cell phones, web sites, etc.) use this scheme of protection if the issuer claims security or secure transactions. PKE is virtually unbreakable until someone finds a clever way to factor very large prime numbers rather instantly.

The illusion of security
Security in an insecure world is a matter of trust. And for now, buying things over the Internet is virtually secure. Unless someone breaks into the computers of the provider, which is another security nightmare. So for now, I will continue buying over the Internet, as I don't think my 16 digit card number is in great danger, and also the clever thief who steals my number will be shocked to find that the $9.99 book he wants to charge to my credit card gets rejected. Or if it goes through, it's $9.99, which is less than my current bank fees.

As for my friend asking if it is secure to use his credit card over the internet, I say: "It is virtually secure."

On a side note, you may have heard the term SSL, which stands for Secure Socket Layer. This is the Internet protocol used in every secure transaction. Have you ever noticed the "Lock" icon turning to the closed position? Now you know it's because of PKE and the SSL protocol. (SSL is another blog entry, maybe).


Copyright © Jose Sandoval 2005 - jose@josesandoval.com