Wednesday, December 29, 2021

Cryptography – Examples

1. WhatsApp Encryption:

End-to-end encryption in WhatsApp is a notable example of cryptographic encryption these days. This functionality is available in WhatsApp via the asymmetric model, that is, through public-key techniques. Only the intended recipient can read the real message. After WhatsApp is installed, public keys are registered with the server, and messages are then sent.

2. Digital signatures:

Digital signatures are another real-time application of cryptography. Suppose two clients need to sign paperwork for a commercial transaction. If the two clients never meet, they may not trust each other. The cryptography in digital signatures then guarantees improved authenticity and security.

3. Email Encryption/Decryption:

Email encryption protects the content of emails from anyone outside of the email discussion who wants to access a participant’s information. An email is no longer readable by a human when it is encrypted. Your emails can only be unlocked and decrypted with your private email key.

4. Authentication of SIM cards:

The SIM must be authenticated before it may be used to access the network. The operator generates a random number and sends it to the mobile device. This random number, together with the secret key Ki, is fed into the A3 algorithm (it is this Ki that recently has been compromised). The result of this computation is returned to the operator, who compares it to the result of the calculation he performed himself.
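The challenge-response exchange described above, as an added example that is not part of the original post. A3 is operator-specific, so HMAC-SHA256 truncated to 32 bits stands in for it here; the IMSI value, class names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3 (assumption): keyed hash of RAND, truncated to a 32-bit response."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class Operator:
    def __init__(self):
        self.subscribers = {}  # subscriber id -> Ki, held on the operator side
        self.pending = {}      # subscriber id -> random number awaiting a response

    def provision(self, imsi: str) -> bytes:
        ki = secrets.token_bytes(16)
        self.subscribers[imsi] = ki
        return ki  # written into the SIM once; never sent over the air

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)  # fresh random number per attempt
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi: str, response: bytes) -> bool:
        rand = self.pending.pop(imsi, None)  # each challenge is single use
        if rand is None:
            return False
        expected = a3_stand_in(self.subscribers[imsi], rand)
        return hmac.compare_digest(expected, response)  # constant-time compare

class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes) -> bytes:
        return a3_stand_in(self._ki, rand)  # Ki itself never leaves the card

def run_exchange():
    op = Operator()
    imsi = "001010000000001"  # constructed test identifier
    sim = Sim(imsi, op.provision(imsi))
    first = sim.respond(op.challenge(imsi))
    genuine = op.verify(imsi, first)
    op.challenge(imsi)                  # a new attempt gets a new random number
    replayed = op.verify(imsi, first)   # old response no longer matches
    impostor = Sim(imsi, secrets.token_bytes(16))  # same identifier, wrong Ki
    wrong_key = op.verify(imsi, impostor.respond(op.challenge(imsi)))
    return genuine, replayed, wrong_key
```

The fresh random number is what makes a recorded response useless on the next attempt, and the scheme holds only while Ki stays secret.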

5. Disk Encryption:

Disk encryption software encrypts your whole hard disc, eliminating the need to worry about leaving any traces of unencrypted data on your disc. PGP may be used to encrypt data as well. In this example, PGP encrypts the file with IDEA using the user’s private key and a password given by the user. To unlock the file, the same password and key are needed.

Types of Cryptography

1. Secret Key Cryptography (Symmetric Cryptography)

2. Public Key Cryptography (Asymmetric Cryptography)

3. Hash Functions

1. Secret Key Cryptography (Symmetric Cryptography):

Secret Key Cryptography, also known as symmetric cryptography, encrypts data with a single key. Because symmetric cryptography uses the same key for both encryption and decryption, it is the simplest kind of cryptography.

The cryptographic method encrypts the data using the key in a cypher, and when the data has to be retrieved again, a person entrusted with the secret key can decode the data. Secret Key Cryptography may be used on both in-transit and at-rest data, although it is most often employed on at-rest data since revealing the secret to the message’s receiver might lead to compromise.

Secret-key or symmetric-key encryption algorithms work on a predetermined number of bits at a time, known as a block cypher, with a secret key that the creator/sender uses to encrypt data and the receiver uses to decrypt it.

It is written as P = D(K, E(P))

Where,

K = Encryption and decryption key

P = Plain text

D = Decryption

E(P) = Encryption of plain text

Some of the examples of Secret Key Cryptography are as follows:

  • AES
  • DES
  • Caesar Cipher

2. Public Key Cryptography (Asymmetric Cryptography):

Public Key Cryptography, also known as asymmetric cryptography, uses two keys to encrypt data. The first key is used for encryption, while the second key is used to decrypt the communication.

One key is kept secret and is known as the “private key,” while the other is released openly and may be used by anybody, therefore the “public key.” The keys’ mathematical relationship is such that the private key cannot be deduced from the public key, while the public key can be deduced from the private key. The private key should not be disseminated and should be kept only by the owner. Any other entity can be granted the public key.

Public-key or asymmetric-key encryption algorithms encrypt information with a public key associated with the creator/sender and decode that information with a private key known only to the originator (unless it is exposed or they want to share it).

It is written as P = D(Kd,E(Ke,P)).

Where,

Ke = Encryption key

Kd = Decryption Key

D = Decryption

E(Ke,P) = Plain text encryption using an encryption key

P = Plain text

Some of the examples of Public Key Cryptography are as follows:

  • ECC
  • Diffie-Hellman
  • DSS
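The relation P = D(Kd, E(Ke, P)) and the digital-signature use case from earlier in the post, carried through in an added example that is not from the original post. It uses textbook RSA, which the page does not list, with constructed toy primes and no padding, purely to make the two-key relationship visible; every name in it is an assumption.

```python
import hashlib

# Constructed toy parameters: two Mersenne primes, far too small for real use.
PRIME_1 = 2**61 - 1
PRIME_2 = 2**89 - 1
N = PRIME_1 * PRIME_2                    # public modulus
KE = 65537                               # Ke: published encryption/verification key
PHI = (PRIME_1 - 1) * (PRIME_2 - 1)
KD = pow(KE, -1, PHI)                    # Kd: computable only with the secret primes

def E(ke: int, plaintext: bytes) -> int:
    """E(Ke, P): anyone holding the public key can encrypt."""
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError("message too long for this toy modulus")
    return pow(m, ke, N)

def D(kd: int, ciphertext: int) -> bytes:
    """D(Kd, C): only the private-key holder can recover P."""
    m = pow(ciphertext, kd, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(kd: int, message: bytes) -> int:
    """Signing runs the private-key operation over a hash of the document."""
    return pow(_digest(message), kd, N)

def verify(ke: int, message: bytes, signature: int) -> bool:
    """Verification needs only the public key, so the parties never have to meet."""
    return pow(signature, ke, N) == _digest(message)

def round_trip(plaintext: bytes) -> bytes:
    return D(KD, E(KE, plaintext))       # P = D(Kd, E(Ke, P))
```

Production systems use vetted libraries with padding (OAEP for encryption, PSS for signatures) and keys of 2048 bits or more.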

3. Hash Functions:

Hash functions are one-way, irreversible functions that secure data at the expense of not being able to recover the original message. Hashing is a method of converting a given string into a fixed-length string. A decent hashing algorithm will provide distinct outputs for each input. The only method to crack a hash is to test every conceivable input until you obtain the same hash. A hash can be used to protect data (for example, passwords) and in certificates.

Some of the most well-known hashing algorithms are as follows:

  • MD5
  • SHA-1
  • SHA-2 family which includes SHA-224, SHA-256, SHA-384, and SHA-512
  • SHA-3
  • BLAKE2
  • BLAKE3
  • Whirlpool
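Applying the hash-function paragraph to password storage, as an added example that is not from the original post: since testing candidate inputs is the only way back from a hash, stored passwords get a per-user salt and a deliberately slow derivation. PBKDF2, the iteration count and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: illustrative work factor, tune for your hardware

def fast_unsalted(password: str) -> str:
    """Plain SHA-256: fixed-length output, and the same input always gives the same output."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes = None):
    """Salted, slow derivation for storage; returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)   # unique per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def compare_schemes() -> dict:
    pw = "Summer2021!"  # constructed sample: two users pick the same password
    alice_salt, alice_digest = hash_password(pw)
    bob_salt, bob_digest = hash_password(pw)
    return {
        # 1 character or 10,000 characters in, 64 hex characters out
        "fixed_length": len(fast_unsalted("a")) == len(fast_unsalted("a" * 10_000)) == 64,
        # unsalted: identical passwords are visible as identical records
        "unsalted_records_match": fast_unsalted(pw) == fast_unsalted(pw),
        # salted: the same password yields unrelated records
        "salted_records_match": alice_digest == bob_digest,
        "correct_password": verify_password(pw, alice_salt, alice_digest),
        "wrong_password": verify_password("summer2021!", alice_salt, alice_digest),
    }
```

With a salt, one guess has to be recomputed per record, and the iteration count multiplies the cost of every guess.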

Monday, December 27, 2021

Card Tokenization

In India, RBI announced new rules for tokenization, which are going to be effective from Jan 1st 2022. A lot of my colleagues and friends are asking what the impact on end users is. I just wanted to write a few things about tokenization and that impact.

What is card tokenisation?

When you shop online or even book tickets on travel portals, you tend to save your credit card details in those websites. So, you just don’t need to remember your card details each time you shop. Just enter the CVV and you check out in a matter of seconds.

But that was risky. If your online site or travel portal gets hacked, your card details could be leaked. Besides, you may have also saved your card details on some website years ago and forgotten all about that. “There is a high chance some of the merchants will not know how to store secure card information,”

Enter tokenisation. This is a process of converting your card details into a unique token that is specific to your card and only to one merchant at a time. This code masks the true details of your card, without which no one can misuse your card. This token can be saved on the online portal’s server.

The new tokenization rule that comes into effect from January 1 2022, prohibits all online shopping portals from saving your card numbers, CVV, expiry date etc. on their servers. So, you either make a token before you buy an item and save that token on the particular website (for future use) or enter your card details every time you buy stuff off the internet.

“In the past, there have been instances of data leaks from merchant websites; digital transactions are also growing significantly, requiring added safety. So, this is a precautionary step mandated by the regulator to enhance card data security,” 

How does this card tokenisation work?

At check-out time on an online shopping portal, enter your card details and opt for tokenisation. Your merchant forwards it to the respective bank or the card networks (VISA, Rupay, Mastercard, etc). A token is generated and sent back to your merchant, which then saves it for you. Now, the next time you come back to shop, just select this saved token at check-out time. You will see the same masked card details and last four digits of your card number. You will need to enter your CVV and complete the transaction. Tokenisation is not mandatory, but it makes it easier to shop repeatedly.

“As a customer, you don’t need to remember the token. The end-customer experience is not changing while making the payment,” 

Is the tokenization service free?

Yes, tokenisation of card is absolutely free, and can be availed by anyone. Currently, tokenisation is applicable only to domestic cards. International cards are not covered by this guideline. You can request for tokenisation on any number of cards to perform a transaction. “If a merchant has not integrated with the card network and bank issuing the cards by December 31, you will have to enter the card details every time, as you cannot store your card details in the token format,” 

Does a card have different tokens for different merchants?

One token is limited to just one card and one merchant (online portal). For instance, if you have, say, an ICICI Bank credit card tokenised on Amazon, then, this same card will have a different token on Flipkart. However, as a customer you don’t need to know or remember the token linked with the card. You can tokenise multiple cards with the same merchant, or tokenise the same card with multiple merchants.

What is the best way to manage my tokens?

If you have multiple cards and like to shop online frequently, there’s a better way to manage your tokens. Say, you want to remove some tokens you had got long ago from a specific website. Mathur of Razorpay says that an issuer bank will now provide a dedicated portal (on its own bank’s website) to manage tokenised cards. In simple words, your dashboard would now show you a list of your cards and where (merchants) you have tokenized them. Delete the tokenised cards of websites you do not use frequently.

What will happen to the token once the card gets replaced or renewed or reissued or upgraded?

You need to visit the merchant page and create a fresh token. That is because your new card (credit or debit) comes with a new number and CVV. 
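The token life cycle described in this post (one token per card and merchant, a dashboard listing where a card is tokenised, deletion, and fresh tokens after a card is replaced), sketched as an added example that is not from the original post or from any card network. The vault class, its method names and the card numbers are constructed for illustration.

```python
import secrets

class TokenVault:
    """Held by the card network or issuing bank; merchants store only the token."""

    def __init__(self):
        self._by_token = {}  # token -> (card number, merchant)
        self._by_pair = {}   # (card number, merchant) -> token

    def tokenize(self, card_number: str, merchant: str) -> str:
        pair = (card_number, merchant)
        if pair not in self._by_pair:
            token = secrets.token_hex(8)  # random, so it reveals nothing about the card
            self._by_pair[pair] = token
            self._by_token[token] = pair
        return self._by_pair[pair]

    def detokenize(self, token: str, merchant: str) -> str:
        card_number, bound_to = self._by_token.get(token, (None, None))
        if card_number is None or bound_to != merchant:
            # a token leaked from one merchant is useless at another
            raise PermissionError("token unknown or not issued to this merchant")
        return card_number

    def merchants_for(self, card_number: str) -> list:
        """What the issuer's dashboard would list for one card."""
        return sorted(m for (c, m) in self._by_pair if c == card_number)

    def delete(self, card_number: str, merchant: str) -> None:
        token = self._by_pair.pop((card_number, merchant), None)
        if token is not None:
            del self._by_token[token]

    def card_replaced(self, old_card_number: str) -> None:
        """A reissued card has a new number, so every old token is retired."""
        for merchant in self.merchants_for(old_card_number):
            self.delete(old_card_number, merchant)

def masked(card_number: str) -> str:
    """What the shopper sees at check-out: only the last four digits."""
    return "*" * (len(card_number) - 4) + card_number[-4:]

OLD_CARD = "4111111111111111"  # constructed test number, not a real card
```

The merchant database then holds only values such as the output of `tokenize`, which cannot be turned back into a card number without the vault.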

Sunday, December 19, 2021

BaaS - How Banking as a Service works

 


Digital Payments - In Future

Digital payments must be 

  • Faceless, 
  • Cashless and 
  • via completely electronic means of end to end transaction 

without compromising availability, provenance and traceability, non-repudiation and of course information security.

Over the last decade, digital payments have garnered a lot of interest and adoption from users and have positively influenced the digital agenda for enterprises and governments.

According to Gartner,

  • 5 countries will launch digital initiatives to remove cash from circulation by 2023 fully replacing cash by digital means
  • Global cash in circulation will reduce after decades of year-on-year increases by 2024
  • Consumers using mobile proximity payment methods will be almost 2 billion, up from 2019’s figure of less than 1 billion, by 2024

Future Technologies of Digital Payments
  • Use of Biometrics - Using unique fingerprints and facial recognition, digital payments can be enabled by authenticating the users and authorizing the transactions, offering an accurate, secure, instant and hassle-free way to pay, rather than remembering various PINs and passwords from multiple entities and keeping track of them all the time. Most of the digital payment players leverage device-based authentication and tokenize the transactions without the need for user intervention. Most of the payment wallets running on mobile devices have successfully paved the way for this method, and a good amount of research and development is happening in this area.
  • Use of Voice/Speech Analytics and AI/ML based algorithms - They have been around for a few years now and are driving the way we control our home appliances, even interact while driving, etc. As these technologies become more efficient and accurate, digital payments will be the ones to leverage them in real life. This will help create a more secure and simple way to trade and transact within the digital payment domain.
  • Near Field / Contactless - Using proximity of the device via EMV & RFIDs, and POS machines via NFC, there are many ways embedded workflows can be built to provide an easy and secure way to transact. There are major credit card players already issuing contactless cards that will work with ATMs and POS terminals and even interact with the mobile devices by and between the stakeholders involved in the workflow.
  • DLTs – The foray of Digital Ledgers / Blockchains into digital currency is well known, and many regulators are finding ways to strike a balance between autonomous currencies and digital payments. Being significantly decentralized, anti-fraud and business-continuity driven, DLTs will surpass our expectations and establish the technological governance to foolproof digital transactions in years to come.
  • AI/ML and Data Science – It will substantially improve the insights on the volume and velocity of digital transactions, which is a common barrier for fraud detection, risk management, regulatory mandates, etc. Use of AI/ML coupled with established data science practices will pave the way for governments and banks for traceability, customer acquisition and retention, royalty management, credit scores, marketing etc., expanding the canvas of intelligence of digital payment transactions.
The first wave of the digital payments started a few years ago. Users can no longer be constrained by banking hours, type of devices, physical cards etc., to transact by and between entities. 

AI - In Banking