Secure Web Transactions
A secure framework based on Pretty Good Privacy
By Andrew Davison
This article describes a secure framework for transactions over the Web, based on the Pretty Good Privacy (PGP) encryption program. The strengths of this approach are that no changes are required to the HTTP protocol, or to the Web client or server software, and the source code for PGP is published. In addition, there is no need to register with a third-party financial organization; the customer simply needs a credit card.
PGP (see "
Online".) encryption programs use public-key cryptography, which means that each user must generate a public and private key. PGP also supports key rings, which can contain either the public keys a user collects over time, or multiple private keys for communicating with different groups.
Securing the private key ring is very important, and PGP guards each key with a pass phrase.
A user should also safeguard his public key ring, since it contains trusted public keys.
PGP allows a key to be assigned a trust parameter, and also for the key to be signed. A trusted individual's digital signature on a key indicates that it trustworthy -- a key signature cannot be forged since it employs the private key of the signer. Therefore, always sign your own public key.
Essential PGP Commands
PGP has a rich set of commands, but I'll concentrate on the operations necessary for using the secure-transaction code.<>
