Page 328 - Introduction to Electronic Commerce and Social Commerce
10.6 Defending Information Systems and E-Commerce
Biometric systems can identify a previously registered person by searching through a database for a possible match based on the person’s observed physical, biological, or behavioral traits, or the system can verify a person’s identity by matching an individual’s measured biometric traits against a previously stored version.

Examples of biometric features include fingerprints, facial recognition, DNA, palm print, hand geometry, iris recognition, and even odor/scent. Behavioral traits include voice ID, typing rhythm (keystroke dynamics), and signature verification. A brief description of some of these follows:

• Thumbprint or fingerprint. A thumb- or fingerprint (finger scan) of users requesting access is matched against a template containing the fingerprints of authorized people (e.g., used by Apple Pay).
• Retinal scan. A match is sought between the patterns of the blood vessels in the retina of the access seekers against the retinal images of authorized people stored in a source database.
• Voice ID (voice authentication). A match is sought between the voice pattern of the access seekers and the stored voice patterns of the authorized people.
• Facial recognition. Computer software that views an image or video of a person and compares it to an image stored in a database (used by Amazon.com and Alibaba).
• Signature recognition. Signatures of access seekers are matched against stored authentic signatures.

Note that Alibaba is using facial recognition for online payments. You scan your face in front of the camera in your smartphone (see Kan 2015 for details). Amazon is using a similar system (Hinckley 2016).

Other biometrics types are thermal infrared face recognition, hand geometry, and hand veins. For details, comparisons with regard to human characteristics, and cost–benefit analyses, see findbiometrics.com/solutions.

Encryption and the One-Key (Symmetric) System

Encryption is the process of encoding data into a form (called a ciphertext) that will be difficult, expensive, or time-consuming for an unauthorized person to understand. All encryption methods have five basic components: plaintext, ciphertext, an encryption algorithm, the key, and key space. Plaintext is a human-readable text or message. Ciphertext is an encrypted plaintext. The encryption algorithm is the set of procedures or mathematical algorithms used to encrypt or decrypt a message. Typically, the algorithm is not the secret piece of the encryption process. The key (key value) is the secret piece used with the algorithm to encrypt (or decrypt) the message. For how encryption works, see computer.howstuffworks.com/encryption.htm.

The major benefits of encryption are as follows:

• Allows users to carry data on their laptops, mobile devices, and storage devices (e.g., USB flash drives).
• Protects backup media while people and data are offsite.
• Allows for highly secure virtual private networks (VPNs; see Section 10.7).
• Enforces policies regarding who is authorized to handle specific corporate data.
• Ensures compliance with privacy laws and government regulations, and reduces the risk of lawsuits.
• Protects the organization’s reputation and secrets.

Encryption has two basic options: the symmetric system, with one secret key, and the asymmetric system, with two keys.

Symmetric (Private) Key Encryption

In a symmetric (private) key encryption, the same key is used to encrypt and decrypt the plaintext (see Figure 10.8). The sender and receiver of the text must share the same key without revealing it to anyone else—making it a so-called private system.

A strong key is only one requirement. Transferring the key between individuals and organizations may make it insecure. Therefore, in EC, a PKI system is used.

Public Key Infrastructure

A public key infrastructure (PKI) is a comprehensive framework for securing data flow and information exchange that overcomes some of the shortcomings of the one-key system. For example, the symmetric one-key encryption requires the writer of a message to reveal the key to the message’s recipient. A person that is sending a message (e.g., vendor) may need to distribute the key to thousands of recipients (e.g., buyers), and then the key probably would not remain secret. The PKI solution is using two keys, public and private, as well as additional features that create a highly secured system. In addition to the keys, PKI includes digital signatures, hash digests (function), and digital certificates.