Authentication
Another aspect of secure communications is authentication: verifying that a message really comes from the party it claims to come from and, for a website, that you are really talking to the site whose name you typed. Encryption alone does not give you this; an encrypted connection to an impostor is still a connection to an impostor, so authentication requires processes beyond the encryption process.

Usernames and passwords. The most common form of authentication is the username and password, a process you see almost every day while using the Internet. Encryption lets you communicate with a secured website, but often the site shares information only once the user has entered a username and password. The receiving system compares what was typed against its stored credentials and grants or denies access accordingly. A well-run system never stores the password itself: it keeps a random salt and a slow, salted hash of the password, so that a stolen credential file does not hand an attacker every password at once.
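What "checks this information against its stored credentials" should look like in practice, as an added example written for this page rather than code from the original tutorial: a Go program, standard library only, that stores a salted PBKDF2-HMAC-SHA256 hash per user instead of the password and verifies a login with a constant-time comparison. The in-memory map, the usernames and the passwords are made up for the example, and the iteration count is a hypothetical work factor; a real deployment tunes it for its hardware or uses a purpose-built password hash such as bcrypt, scrypt or Argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Iterations is the PBKDF2 work factor; every guess an attacker makes costs this much too.
const Iterations = 100_000

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018) from password and salt.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1); one block is all we need for 32 bytes
	u := mac.Sum(nil)             // U_1
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_i = PRF(password, U_{i-1})
		for j := range t {
			t[j] ^= u[j] // T = U_1 xor U_2 xor ... xor U_c
		}
	}
	return t
}

// Record is what the server keeps in its credential store instead of the password itself.
type Record struct {
	Salt []byte
	Hash []byte
}

// Register creates the record for a new user: a fresh random salt and the derived hash.
func Register(users map[string]Record, username, password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	users[username] = Record{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, Iterations)}
	return nil
}

// Login re-derives the hash from the submitted password and compares it in constant time.
// An unknown username still does the same amount of work, so response timing does not
// reveal which usernames exist.
func Login(users map[string]Record, username, password string) bool {
	rec, ok := users[username]
	if !ok {
		rec = Record{Salt: make([]byte, 16), Hash: make([]byte, 32)}
	}
	got := pbkdf2SHA256([]byte(password), rec.Salt, Iterations)
	match := subtle.ConstantTimeCompare(got, rec.Hash) == 1
	return ok && match
}

func main() {
	users := map[string]Record{} // stands in for the server's credential store (constructed)
	if err := Register(users, "alice", "correct horse battery staple"); err != nil {
		panic(err)
	}
	fmt.Println("right password:", Login(users, "alice", "correct horse battery staple"))
	fmt.Println("wrong password:", Login(users, "alice", "Password123"))
	fmt.Println("unknown user:  ", Login(users, "mallory", "anything"))
	fmt.Printf("what the server stores for alice: salt=%x hash=%x\n", users["alice"].Salt, users["alice"].Hash)
}
```

The stored record reveals nothing useful to someone who steals it: the salt is public, and turning the hash back into the password means repeating the 100,000-iteration derivation for every guess. The constant-time comparison matters because a byte-by-byte `==` on the hash would let an attacker measure how many leading bytes of a guess were right.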
Digital signatures. A digital signature uses public-key cryptography to let the recipient check who sent a message and whether it arrived unaltered. The sender computes the signature over the message with a private key that only the sender holds; anyone with the matching public key can verify it. The message itself need not be encrypted: a signature proves origin and integrity, not secrecy. If the message or the signature is altered in any way during transmission, verification fails, and the recipient knows the message cannot be trusted: either it was tampered with, or it was not signed by the claimed sender.
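The sign-and-verify exchange described above, as an added example in Go's standard library (not code from the original tutorial): the sender signs with a private key, the recipient verifies with the matching public key, and the checks show what happens when the message is altered in transit or when somebody else signed it. Ed25519 is the signature scheme used here; the order text and the naming of the keys as Alice's are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signed is what travels over the wire: the message plus the sender's signature over it.
// Nothing here is encrypted; a signature gives origin and integrity, not secrecy.
type Signed struct {
	Message   []byte
	Signature []byte
}

// Sign produces the signature with the sender's private key, which never leaves the sender.
func Sign(priv ed25519.PrivateKey, message []byte) Signed {
	return Signed{Message: message, Signature: ed25519.Sign(priv, message)}
}

// Verify is the recipient's check, using only the sender's public key. It reports false when
// the message or the signature changed in transit, or when a different key produced it.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, s.Message, s.Signature)
}

func main() {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader) // Alice's key pair (constructed)
	if err != nil {
		panic(err)
	}
	order := Sign(alicePriv, []byte("transfer 100.00 to account 42"))
	fmt.Println("untouched message:", Verify(alicePub, order))

	// An attacker on the wire changes the amount but cannot recompute Alice's signature.
	tampered := Signed{Message: bytes.Replace(order.Message, []byte("100.00"), []byte("900.00"), 1), Signature: order.Signature}
	fmt.Println("amount changed in transit:", Verify(alicePub, tampered))

	// Someone else signs the same text with their own key and claims to be Alice.
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(malloryPriv, order.Message)
	fmt.Println("signed by Mallory, checked with Alice's key:", Verify(alicePub, forged))
	fmt.Println("the same signature under Mallory's own key:", Verify(malloryPub, forged))
}
```

The last line is the reason certificates exist: a signature only tells you which public key signed something. Deciding whether that key really belongs to Alice is a separate problem, which the next section addresses.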
Digital certificates. A digital certificate binds a public key to an identity (a person, an organization or, most commonly, a website's hostname) and is itself digitally signed by a certification authority (CA). A server presents its certificate when a connection is set up; the recipient checks the CA's signature on it and can then use the certified public key both to verify the server's signatures and to encrypt a reply that only the server can read.
Certificates are an important feature in e-commerce because they let a customer who is about to send sensitive information over the Internet confirm which site will receive it; the encryption itself comes from the SSL/TLS connection described below. A certification authority, the organization that verifies an applicant's identity (for a website, its control of the domain name) before signing, must issue the certificate. A certificate a site has signed for itself vouches for nothing, and browsers warn about it.
When this tutorial was written, the two largest certification authorities were VeriSign (http://www.verisign.com) and GeoTrust (http://www.geotrust.com); both certificate businesses have since changed hands and are now part of DigiCert. These private companies offer an array of products that enable e-commerce sites to conduct secure financial transactions and other communications over the Internet.
E-commerce websites offering secure transaction capabilities are authorized to display the certification authority's logo (a "site seal") as a sign to customers that their transmitted information will be encrypted. Treat the seal as marketing rather than proof: it is an ordinary image that any site, including a fraudulent one, can copy. The check that counts is the one the browser performs on the certificate itself.
Another way for customers to tell that they are on a secured website is an "s" following "http" in the Address Bar of their web browser. HTTPS (Hypertext Transfer Protocol Secure) is the Web's standard encryption mechanism: ordinary Hypertext Transfer Protocol (HTTP) carried over Secure Sockets Layer (SSL), today its successor Transport Layer Security (TLS), which we discuss in the next section of this tutorial.
A small "locked" padlock in the browser is another sign that a secured website is being displayed. Older browsers drew a gold padlock at the bottom of the window; current browsers show it in the Address Bar next to the URL. Clicking the padlock provides information about the certificate and the certification authority that issued it, which is useful for customers who want to learn more about the authenticity of an HTTPS-protected website. Be clear about what the padlock does and does not mean: the connection is encrypted and the certificate is valid for the hostname shown in the Address Bar, but nothing is said about whether the site's operator is honest. A phishing site can hold a perfectly valid certificate for its own domain name.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS). SSL is the most widespread use of public-key encryption. The S in HTTPS means SSL (today TLS) is in place to encrypt data exchanged with the website, and it is the protocol that certificates from VeriSign, GeoTrust and other certification authorities are used with (see digital certificates). Public-key operations are used only while the connection is being set up (the handshake), to check the server's certificate and to agree on a session key; the data itself is then encrypted with a much faster symmetric cipher under that key.
While PGP (Pretty Good Privacy) works well for encrypting individual messages and files between two parties, SSL is the industry standard for e-commerce. Its key length (128 bits and up, see Public-key encryption vs. private key) is comparable to PGP's; its real advantages are that it protects a live connection transparently, without either party handling keys by hand, and that it is scalable, allowing many users to send secure information to web servers.
More and more, you'll see SSL referred to as Transport Layer Security (TLS), or perhaps as SSL/TLS. TLS is the successor to SSL: it is based on SSL and differs only slightly, but the versions are not interchangeable, and a connection must settle on one version that both sides support. When this tutorial was written only newer browsers supported TLS; today the situation is reversed. SSL 2.0 and 3.0 are prohibited by RFC 6176 and RFC 7568, TLS 1.0 and 1.1 were deprecated by RFC 8996, and current browsers and servers use TLS 1.2 or TLS 1.3 and refuse to connect with anything older.
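The certificate checks from the digital-certificates section and the version negotiation from this section, in one added example written for this page in Go's standard library (not code from the original tutorial or from any certification authority). It builds a toy root CA, has it issue a certificate for the made-up hostname shop.example, verifies that certificate the way a browser does behind the padlock (chain to a trusted root, hostname match), and then runs a TLS handshake in memory between a server presenting the certificate and a client that trusts the CA, reporting which protocol version the two sides agree on. The CA name, the hostnames and the PKI type are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI is a toy root CA plus the one server certificate it issued (all names are made up).
type PKI struct {
	Root, Leaf *x509.Certificate
	Roots      *x509.CertPool // what the client trusts: just Root
	LeafKey    ed25519.PrivateKey
}

// issue signs tmpl with parentKey (what a CA does); with parent == nil it becomes a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI creates a root CA and has it issue a server certificate for hostname.
func NewPKI(hostname string) (*PKI, error) {
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &PKI{Root: root, Leaf: leaf, Roots: roots, LeafKey: leafKey}, nil
}

// VerifyChain is the check behind the padlock: leaf must chain to a root in roots and be valid for hostname.
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// Handshake runs a TLS handshake in memory (server presents p.Leaf, client trusts p.Roots) and returns
// the negotiated version. clientMin and serverMax take tls.VersionTLS* values; 0 keeps Go's default.
func Handshake(p *PKI, hostname string, clientMin, serverMax uint16) (uint16, error) {
	serverConn, clientConn := net.Pipe()
	defer func() { serverConn.Close(); clientConn.Close() }()
	server := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{p.Leaf.Raw}, PrivateKey: p.LeafKey}},
		MaxVersion:             serverMax,
		SessionTicketsDisabled: true, // net.Pipe is unbuffered; post-handshake tickets would block it
	})
	client := tls.Client(clientConn, &tls.Config{RootCAs: p.Roots, ServerName: hostname, MinVersion: clientMin})
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	p, err := NewPKI("shop.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("right host, known CA:", VerifyChain(p.Leaf, p.Roots, "shop.example"))
	fmt.Println("wrong host:", VerifyChain(p.Leaf, p.Roots, "bank.example"))
	fmt.Println("unknown CA:", VerifyChain(p.Leaf, x509.NewCertPool(), "shop.example"))
	v, err := Handshake(p, "shop.example", 0, 0)
	_, err13 := Handshake(p, "shop.example", tls.VersionTLS13, tls.VersionTLS12)
	fmt.Printf("defaults negotiate 0x%04x (err=%v); client>=1.3 vs server<=1.2: %v\n", v, err, err13)
}
```

Run it with go run. The three VerifyChain calls return nil, a hostname error and an "unknown authority" error in turn, which is exactly the distinction the padlock makes: right certificate for the right name from a CA the browser knows. With both sides on Go's defaults the handshake settles on 0x0304 (TLS 1.3, the value carried on the wire; 0x0303 is TLS 1.2), and the last handshake fails because a client that insists on TLS 1.3 and a server capped at TLS 1.2 have no version in common, the same reason a current browser refuses an SSL 3.0-only server.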