
 
 

The risk of moving to an “e” environment lies in the lack of confidence in the electronic world due to it being virtual, impersonal, and unphysical in nature. This creates major security threats and challenges in the minds of people. These security challenges can be summed up in the following five major elements:

Privacy:

In online transactions, information exchanged should remain private between the sender and the receiver.
One of the first components of electronic security is privacy. The traditional method of privacy is to impose physical limitations, such as being behind closed doors or using secure couriers. Privacy equates to confidentiality: letting only selected people view a particular transaction. Electronically, privacy is established through encryption, that is, encoding a message or file so that no one other than the intended parties can read it.

To encrypt a file means to scramble a stream of data so that its original contents cannot be read. Restoring the data to its original form is known as decryption. Both encryption and decryption require a key, a digital message, and an encryption algorithm.
Public key encryption solves the problem of key distribution in large groups by introducing the concepts of digital signatures and certificates.

Public-key: Asymmetric encryption. Public key encryption is based on two mathematically related keys that are generated together. Each key in the pair performs the inverse function, so what one key encrypts, the other key decrypts, and vice versa. Since each key only encrypts or decrypts in a single direction, public-key encryption is also known as asymmetric encryption.

A public-key pair has two parts. In public-key encryption, one of the keys in the pair is made publicly available, and the other is kept private, either on a hardware token such as a smart card or in computer software. To send a protected message using public key encryption, the sender composes a message and then encrypts it with the recipient’s public key. Once encrypted, it can only be decrypted with the recipient’s private key. As long as only the recipient has access to the private key, the sender can be assured that only the recipient can decrypt the message.

Authentication:

On the Internet, everyone can be anonymous. To engage in a business transaction, each party must be able to verify the other's identity. The sender encrypts the message digest with his or her private key; the result is the sender's digital signature. The recipient can therefore be assured that only the sender could have encrypted it, because only the sender possesses the private key. Also, since the message itself reaches the recipient in encrypted form, only the recipient can recover the message, hash it, and compare the result with the sender's message digest, which is obtained by decrypting the sender's digital signature.

Integrity:

Once a party signs a transaction, it must be protected from tampering or forgery. The integrity of a transaction is particularly important in cases where prices, terms, and quantities are agreed upon as part of the deal. In order to ensure the integrity of data, hashing is used. A hash is a complex, one-way mathematical function that reduces a message of any length to a unique string of bits known as the message digest. The same message will always hash to the same message-digest value, and if even one bit in the message is changed, the message digest will change dramatically. The sender and the recipient each perform the same hash computation on the message. If the hash produces the same value for both parties, the document is proved to be unaltered.

Non-repudiation:

After a transaction has been made, it cannot be revoked. Neither party involved in the transaction can deny his or her role in the exchange. Non-repudiation prevents individuals or parties from making false claims about offers made or accepted. Digital non-repudiation is provided via digital signatures, which are created by hashing a message (file) and encrypting the result with the private key of the authorizer. This binds the digital signature to the digital message (file) being authorized, making it extremely difficult to counterfeit.
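The hash-then-sign check described under Authentication, Integrity and Non-repudiation, as an added example that is not Comtrust's code. It uses textbook RSA without padding over constructed toy keys so that it runs with the standard library only; real signatures use a padded scheme such as RSASSA-PSS from a vetted library. All function names, keys and the sample order are assumptions.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, inverse of e
    return (e, n), (d, n)

# Constructed toy keys from well-known Mersenne primes (never use such keys for real).
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def digest(message: bytes) -> int:
    """Integrity: reduce a message of any length to its SHA-256 message digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    d, n = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: recover the signed digest with the public key, re-hash, compare."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)

def demo():
    order = b"PO-0001: 100 units at AED 25.00"     # constructed sample message
    tampered = b"PO-0001: 100 units at AED 52.00"  # price altered after signing
    signature = sign(order, SENDER_PRIV)
    return {
        # Untouched message, sender's key: digests match.
        "genuine": verify(order, signature, SENDER_PUB),
        # Altered message: fresh hash no longer matches the signed digest.
        "tampered": verify(tampered, signature, SENDER_PUB),
        # Signed with someone else's private key: sender's public key rejects it.
        "impostor": verify(order, sign(order, IMPOSTOR_PRIV), SENDER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first check succeeds, which is why the sender cannot later deny a signature that verifies under his or her public key.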

Trust:

Even after eliminating the previously mentioned risk areas, there remains a trust issue. There is always a need for an authoritative body to supervise and control the entire process, and to inject an element of trust and comfort.

Having resolved the first four security issues via technological means, there remains the element of trust. There is a need for an impartial body to issue digital keys and digital signatures and to vouch for the identities of their owners, thereby introducing the element of trust. This trust factor is provided by independent Certificate Authorities, such as Comtrust.

Digital certificates are issued by recognized authorities. A digital certificate is issued by a trusted third party and is used to prevent someone from assuming a false cryptographic identity. When you use the information in a digital certificate to validate a signature or to find the public key of your recipient, you can be sure of the identity of the certificate’s owner because a certificate is only valid after a recognized authority has digitally signed it.

The CA’s primary function is to verify identity. A certificate authority (CA) is an entity that attests to the identity of a person or organization. A certificate authority might be an external company, such as Comtrust, that offers certificate services, or a CA might be an internal organization such as a corporate MIS department. The CA’s primary function is to verify the identity of individuals and entities and to issue digital certificates attesting to that identity. More specifically, a CA, such as Comtrust, performs the following duties:

  • Register and accept applications from users and organizations

  • Validate identities of individuals and organizations

  • Issue and revoke certificates

  • Publish directory of valid certificates to help relying parties verify validity of certificates

  • Publish list of revoked certificates

  • Maintain utmost security of its own private key

  • Establish trust among members

 

The solution to these issues is provided by Public Key Infrastructure (PKI). PKI helps organizations replicate the security mechanisms of the physical world to ensure security in the digital world. Envelopes and secured couriers are replaced with data encryption; physical signatures are replaced with digital signatures; identity cards, passports and trade licenses are replaced with digital certificates for individuals and servers.

 

For more info on our products please email us at info@comtrust.ae

 

 
©2004 Comtrust. All Rights Reserved