What does Database Security mean?

Database security refers to the collective measures used to protect and secure a database or database management
software from illegitimate use and malicious threats and attacks.
It is a broad term that includes a multitude of processes, tools and methodologies that ensure security within a database
environment.
Database security covers and enforces security on all aspects and components of databases. This includes:

 Data stored in database

 Database server
 Database management system (DBMS)
 Other database workflow applications

Database security is generally planned, implemented and maintained by a database administrator and or other information
security professional.
Some of the ways database security is analyzed and implemented include:

 Restricting unauthorized access and use by implementing strong and multifactor access and data management
controls

 Load/stress testing and capacity testing of a database to ensure it does not crash in a distributed denial of service
(DDoS) attack or user overload

 Physical security of the database server and backup equipment from theft and natural disasters

 Reviewing existing system for any known or unknown vulnerabilities and defining and implementing a road
map/plan to mitigate them
 Internet security is a branch of computer security specifically related to the Internet, often involving browser
security but also network security on a more general level, as it applies to other applications or operating
systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. [1] The
Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud,
such as phishing[2], online viruses, trojans, worms and more.
 Many methods are used to protect the transfer of data, including encryption and from-the-ground-up engineering.
The current focus is on prevention as much as on real time protection against well known and new threats.

Threats[edit]
Malicious software[edit]
A computer user can be tricked or forced into downloading software onto a computer that is of malicious intent. Such
software comes in many forms, such as viruses, Trojan horses, spyware, and worms.

 Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive
information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against
the requirements of the computer user, and does not include software that causes unintentional harm due to some
deficiency. The term badware is sometimes used, and applied to both true (malicious) malware and unintentionally
harmful software.
 A botnet is a network of zombie computers that have been taken over by a robot or bot that performs large-scale
malicious acts for the creator of the botnet.
 Computer Viruses are programs that can replicate their structures or effects by infecting other files or structures on a
computer. The common use of a virus is to take over a computer to steal data.
 Computer worms are programs that can replicate themselves throughout a computer network, performing malicious
tasks throughout.
 Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a
ransom paid to the creator(s) of the malware in order for the restriction to be removed.
 Scareware is scam software with malicious payloads, usually of limited or no benefit, that are sold to consumers via
certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the
perception of a threat, generally directed at an unsuspecting user.
 Spyware refers to programs that surreptitiously monitor activity on a computer system and report that information to
others without the user's consent.
 A Trojan horse, commonly known as a Trojan, is a general term for malicious software that pretends to be harmless,
so that a user willingly allows it to be downloaded onto the computer.
Denial-of-service attacks[edit]
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a
computer resource unavailable to its intended users. Another way of understanding DDoS is seeing it as attacks in cloud
computing environment that are growing due to the essential characteristics of cloud computing.[3] Although the means to
carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts to prevent
an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. According to businesses who
participated in an international business security survey, 25% of respondents experienced a DoS attack in 2007 and
16.8% experienced one in 2010.[4]
Phishing[edit]
Main article: Phishing

Phishing is an attack which targets online users for extraction of their sensitive information such as username, password
and credit card information.[5] Phishing occurs when the attacker pretends to be a trustworthy entity, either via email or
web page. Victims are directed to fake web pages, which are dressed to look legitimate, via spoof emails, instant
messenger/social media or other avenues. Often tactics such as email spoofing are used to make emails appear to be from
legitimate senders, or long complex subdomains hide the real website host.[6][7] Insurance group RSA said that phishing
accounted for worldwide losses of $1.5 billion in 2012.[8]
Application vulnerabilities[edit]
Main article: Application security

Applications used to access Internet resources may contain security vulnerabilities such as memory safety bugs or flawed
authentication checks. The most severe of these bugs can give network attackers full control over the computer. Most
security applications and suites are incapable of adequate defense against these kinds of attacks. [9][10]

Remedies[edit]
Network layer security[edit]
TCP/IP protocols may be secured with cryptographic methods and security protocols. These protocols include Secure
Sockets Layer (SSL), succeeded by Transport Layer Security(TLS) for web traffic, Pretty Good Privacy (PGP) for email,
and IPsec for the network layer security.
Internet Protocol Security (IPsec)[edit]
IPsec is designed to protect TCP/IP communication in a secure manner. It is a set of security extensions developed by
the Internet Task Force (IETF). It provides security and authentication at the IP layer by transforming data using
encryption. Two main types of transformation that form the basis of IPsec: the Authentication Header (AH) and ESP.
These two protocols provide data integrity, data origin authentication, and anti-replay service. These protocols can be
used alone or in combination to provide the desired set of security services for the Internet Protocol (IP) layer.
The basic components of the IPsec security architecture are described in terms of the following functionalities:

 Security protocols for AH and ESP

 Security association for policy management and traffic processing
 Manual and automatic key management for the Internet key exchange (IKE)
 Algorithms for authentication and encryption
The set of security services provided at the IP layer includes access control, data origin integrity, protection against
replays, and confidentiality. The algorithm allows these sets to work independently without affecting other parts of the
implementation. The IPsec implementation is operated in a host or security gateway environment giving protection to IP
traffic.
Multi-factor authentication[edit]
Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after
successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the
following categories: knowledge (something they know), possession (something they have), and inherence (something
they are).[11][12] Internet resources, such as websites and email, may be secured using multi-factor authentication.
Security token[edit]
Some online sites offer customers the ability to use a six-digit code which randomly changes every 30–60 seconds on
a security token. The keys on the security token have built in mathematical computations and manipulate numbers based
on the current time built into the device. This means that every thirty seconds there is only a certain array of numbers
possible which would be correct to validate access to the online account. The website that the user is logging into would
be made aware of that device's serial number and would know the computation and correct time built into the device to
verify that the number given is indeed one of the handful of six-digit numbers that works in that given 30-60 second
cycle. After 30–60 seconds the device will present a new random six-digit number which can log into the website.[13]
Electronic mail security[edit]
Background[edit]
Email messages are composed, delivered, and stored in a multiple step process, which starts with the message's
composition. When the user finishes composing the message and sends it, the message is transformed into a standard
format: an RFC 2822 formatted message. Afterwards, the message can be transmitted. Using a network connection, the
mail client, referred to as a mail user agent (MUA), connects to a mail transfer agent (MTA) operating on the mail server.
The mail client then provides the sender’s identity to the server. Next, using the mail server commands, the client sends
the recipient list to the mail server. The client then supplies the message. Once the mail server receives and processes the
message, several events occur: recipient server identification, connection establishment, and message transmission.
Using Domain Name System (DNS) services, the sender’s mail server determines the mail server(s) for the recipient(s).
Then, the server opens up a connection(s) to the recipient mail server(s) and sends the message employing a process
similar to that used by the originating client, delivering the message to the recipient(s).
Pretty Good Privacy (PGP)[edit]
Pretty Good Privacy provides confidentiality by encrypting messages to be transmitted or data files to be stored using an
encryption algorithm such as Triple DES or CAST-128. Email messages can be protected by using cryptography in
various ways, such as the following:

 Signing an email message to ensure its integrity and confirm the identity of its sender.
 Encrypting the body of an email message to ensure its confidentiality.
 Encrypting the communications between mail servers to protect the confidentiality of both message body and
message header.
The first two methods, message signing and message body encryption, are often used together; however, encrypting
the transmissions between mail servers is typically used only when two organizations want to protect emails
regularly sent between each other. For example, the organizations could establish a virtual private network (VPN) to
encrypt the communications between their mail servers over the Internet.[14] Unlike methods that can only encrypt a
message body, a VPN can encrypt entire messages, including email header information such as senders, recipients,
and subjects. In some cases, organizations may need to protect header information. However, a VPN solution alone
cannot provide a message signing mechanism, nor can it provide protection for email messages along the entire route
from sender to recipient.
Multipurpose Internet Mail Extensions (MIME)[edit]
MIME transforms non-ASCII data at the sender's site to Network Virtual Terminal (NVT) ASCII data and delivers it
to client's Simple Mail Transfer Protocol (SMTP) to be sent through the Internet.[15] The server SMTP at the
receiver's side receives the NVT ASCII data and delivers it to MIME to be transformed back to the original non-
ASCII data.
Message Authentication Code[edit]
A Message authentication code (MAC) is a cryptography method that uses a secret key to encrypt a message. This
method outputs a MAC value that can be decrypted by the receiver, using the same secret key used by the sender.
The Message Authentication Code protects both a message's data integrity as well as its authenticity.[16]
Firewalls[edit]
A computer firewall controls access between networks. It generally consists of gateways and filters which vary from
one firewall to another. Firewalls also screen network traffic and are able to block traffic that is dangerous. Firewalls
act as the intermediate server between SMTP and Hypertext Transfer Protocol (HTTP) connections.[17]
Role of firewalls in web security[edit]
Firewalls impose restrictions on incoming and outgoing Network packets to and from private networks. Incoming or
outgoing traffic must pass through the firewall; only authorized traffic is allowed to pass through it. Firewalls create
checkpoints between an internal private network and the public Internet, also known as choke points (borrowed from
 the identical military term of a combat limiting geographical feature). Firewalls can create choke points based on IP
source and TCP port number. They can also serve as the platform for IPsec. Using tunnel mode capability, firewall
can be used to implement VPNs. Firewalls can also limit network exposure by hiding the internal network system
and information from the public Internet.
Types of firewall[edit]
Packet filter[edit]
A packet filter is a first generation firewall that processes network traffic on a packet-by-packet basis. Its main job is
to filter traffic from a remote IP host, so a router is needed to connect the internal network to the Internet. The router
is known as a screening router, which screens packets leaving and entering the network.
Stateful packet inspection[edit]
In a stateful firewall the circuit-level gateway is a proxy server that operates at the network level of an Open Systems
Interconnection (OSI) model and statically defines what traffic will be allowed. Circuit proxies will forward Network
packets (formatted unit of data ) containing a given port number, if the port is permitted by the algorithm. The main
advantage of a proxy server is its ability to provide Network Address Translation (NAT), which can hide the user's IP
address from the Internet, effectively protecting all internal information from the Internet.
Application-level gateway[edit]
An application-level firewall is a third generation firewall where a proxy server operates at the very top of the OSI
model, the IP suite application level. A network packet is forwarded only if a connection is established using a
known protocol. Application-level gateways are notable for analyzing entire messages rather than individual packets
of data when the data are being sent or received.
Browser choice[edit]
Main article: Browser security

Web browser statistics tend to affect the amount a Web browser is exploited. For example, Internet Explorer 6, which
used to own a majority of the Web browser market share,[18] is considered extremely insecure[19] because
vulnerabilities were exploited due to its former popularity. Since browser choice is now more evenly distributed
(Internet Explorer at 28.5%, Firefox at 18.4%, Google Chrome at 40.8%, and so on),[18] vulnerabilities are exploited
in many different browsers.[20][21][22]

Internet security products[edit]

Antivirus[edit]
Antivirus software and Internet security programs can protect a programmable device from attack by detecting and
eliminating viruses; Antivirus software was mainly shareware in the early years of the Internet, [when?] but there are
now[when?] several free security applications on the Internet to choose from for all platforms.[23]
Password managers[edit]
A password manager is a software application that helps a user store and organize passwords. Password managers
usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong
password which grants the user access to their entire password database from top to bottom.[24]
Security suites[edit]
So called security suites were first offered for sale in 2003 (McAfee) and contain a suite of firewalls, anti-virus, anti-
spyware and more.[25] They also offer theft protection, portable storage device safety check, private Internet
browsing, cloud anti-spam, a file shredder or make security-related decisions (answering popup windows) and
several were free of charge.[26]
Storage and disposal of data
The following regulations apply to any research approved by the IRB through expedited or full review. Furthermore,
research automatically exempt from review or which received an IRB approved exemption, while not constrained by the
following storage and disposal regulations are encouraged to adhere to relevant regulations that protect the confidentiality
of research subjects.

Investigators should be cognizant of the fact that any guarantees made to research subjects during the consent process
(e.g., limited access to the data, anonymity, confidentiality etc.) remain in force after the study concludes and throughout
the data storage process. It is the investigator’s responsibility to ensure secure storage of the data that maintains these
guarantees and to demonstrate to the satisfaction of the IRB that these guarantees are being met throughout the conduct of
the study and the data storage period.
A) STORAGE OF NON-SENSITIVE DATA
Data is non-sensitive when it has been obtained anonymously from subjects such that no identifiers can link any data to
individual subjects (See Note 1 below). In this case, data storage need only be secure to the extent it can be retrieved
easily by the principal investigator in response to a request for ethical review by the IRB Executive Committee. If stored
electronically, the data file must be backed up on an independent storage device.

B) STORAGE OF SENSITIVE DATA

Data is sensitive when it contains identifiers that can link any data to individual subjects (See Note 1 below). In this case,
the investigator has a special obligation to maintain more secure data storage that protects the confidentiality of research
subjects. When the principal investigator is not a student, sensitive data may be stored on campus or off campus as
regulated below. When the principal investigator is a student, however, sensitive data must be stored on campus by
his/her faculty supervisor as regulated below.

 On campus – Hard copies of the data must be stored in a locked cabinet in a locked room. Data must be “de-
identified” and the identifiers stored in a separate location. If stored electronically as well, data must be stored on a
password protected hard drive.
 Off campus – Hard copies of the data must be stored in a locked location, under the personal control and supervision
of the investigator or to which only the investigator has access. Data must be “de-identified” and the identifiers
stored in a separate location. If stored electronically as well, the data must be stored on a password protected and
encrypted device.
C) STORAGE DURATION
Both non-sensitive and sensitive data must be stored for a minimum of three years after the conclusion of the study.
Principal investigators and faculty supervisors of student research may extend storage duration beyond the minimum for
reasonable cause. However, research data in either hard copy or electronic form should not be maintained in perpetuity.
The sensitivity of the data and the reasons for maintaining the data should be the primary factors determining the length
of retention beyond the minimum.

D) DISPOSAL OF DATA
Following the storage period, both non-sensitive and sensitive data must be destroyed in the manner which protects the
confidentiality of the research subjects. Hard copies of the data should be shredded and electronic data files should be
deleted from all storage devices including any recycling bins.

Note 1 – Obtained data is deemed sensitive if any of the following identifiers is linked to the responses of individual
subjects. Beyond the information noted below, it is the responsibility of the investigator to determine if other solicited
information (such as sexor ethnicity) may function as subject identifiers in special circumstances, warranting
classification of his/her data as sensitive.

1. Names
2. Postal address information, other than town or city, state, and zip
3. Telephone numbers
4. Fax numbers
5. Electronic mail addresses
6. Social security numbers
7. Medical record numbers
8. Health plan beneficiary numbers
9. Account numbers
10. Certificate/license numbers
11. Vehicle identifiers, serial numbers and license plate numbers
12. Device identifiers and serial number
13. Web universal resource locators (URLs)
14. Internet protocol (IP) address numbers
15. Biometric identifiers, including fingerprints and voiceprints
16. Full-face, oblique or full-profile photos and any comparable images
17. Any other unique identifying number, characteristic, or code
18. University ID numbers or login
E-commerce payment system
An e-commerce payment system facilitates the acceptance of electronic payment for online transactions. Also
known as a sample of Electronic Data Interchange (EDI), e-commerce payment systems have become increasingly
popular due to the widespread use of the internet-based shopping and banking.
Over the years, credit cards have become one of the most common forms of payment for e-commerce transactions.
In North America almost 90% of online retail transactions were made with this payment type.[1] Turban et al. goes on
to explain that it would be difficult for an online retailer to operate without supporting credit and debit cards due to
their widespread use. Increased security measures include use of the card verification number (CVN) which detects
fraud by comparing the verification number printed on the signature strip on the back of the card with the
information on file with the cardholder's issuing bank.[2] Also online merchants have to comply with stringent rules
stipulated by the credit and debit card issuers (Visa and MasterCard)[3] this means that merchants must have
security protocol and procedures in place to ensure transactions are more secure. This can also include having a
certificate from an authorized certification authority (CA) who provides PKI (Public-Key infrastructure) for securing
credit and debit card transactions.
Despite widespread use in North America, there are still a large number of countries such as China and India that
have some problems to overcome in regard to credit card security. In the meantime, the use of smartcards has
become extremely popular. A smartcard is similar to a credit card; however it contains an embedded 8-bit
microprocessor and uses electronic cash which transfers from the consumers’ card to the sellers’ device. A popular
smartcard initiative is the VISA Smartcard[4]. Using the VISA smartcard you can transfer electronic cash to your card
from your bank account, and you can then use your card at various retailers and on the internet.
There are companies that enable financial transactions to take place over the internet, such as PayPal. Many of the
mediaries permit consumers to establish an account quickly, and to transfer funds into their on-line accounts from a
traditional bank account (typically via ACH transactions), and vice versa, after verification of the consumer's identity
and authority to access such bank accounts. Also, the larger mediaries further allow transactions to and from credit
card accounts, although such credit card transactions are usually assessed a fee (either to the recipient or the
sender) to recoup the transaction fees charged to the mediary.
The speed and simplicity with which cyber-mediary accounts can be established and used have contributed to their
widespread use, although the risk of abuse, theft and other problems—with disgruntled users frequently accusing
the mediaries themselves of wrongful behavior is associated with them.

Methods of online payment

Credit cards constitute a popular method of online payment but can be expensive for the merchant to accept
because of transaction fees primarily. Debit cards constitute an excellent alternative with similar security but usually
much cheaper charges. Besides card-based payments, alternative payment methods have emerged and
sometimes even claimed market leadership. Wallets like PayPal and Alipay are playing major roles in the
ecosystem. Bitcoin payment processors are a cheaper alternative for accepting payments online which also offer
better protection from fraud.

Bank payments
This is a system that does not involve any sort of physical card. It is used by customers who have accounts enabled
with Internet banking. Instead of entering card details on the purchaser's site, in this system the payment gateway
allows one to specify which bank they wish to pay from. Then the user is redirected to the bank's website, where
one can authenticate oneself and then approve the payment. Typically there will also be some form of two-factor
authentication. Some services, like Trustly, let merchants embed its iframe on their website so consumers can pay
without being redirected away from the original site.
It is typically seen as being safer than using credit cards, with the result that nearly all merchant accounts in India
offer it as an option.
A very similar system, known as iDEAL, is popular in the Netherlands.

PayPal
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet.
Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as cheques
and money orders. It is subject to the US economic sanction list and other rules and interventions required by US
laws or government. PayPal is an acquirer, a performing payment processing for online vendors, auction sites, and
other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the
amount received. The fees depend on the currency used, the payment option used, the country of the sender, the
country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by
credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002,
PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha,
Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Berlin in Germany; and
Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Paymentwall
Paymentwall, an e-commerce solutions providing company launched in 2010, offers a wide range of online payment
methods that its clients can integrate on their website.[5]

Google Wallet
Google Wallet was launched in 2011, serving a similar function as PayPal to facilitate payments and transfer money
online. It also features a security that has not been cracked to date[when?], and the ability to send payments as
attachments via email.[6]

Mobile Money Wallets

In developing countries many people don't have access to banking facilities, especially in tier II and tier III cities.
Taking the example of India, there are more mobile phone users than there are people with active bank accounts.
Telecom operators, in such locations, have started offering mobile money wallets which allow adding funds easily
through their existing mobile subscription number, by visiting physical recharge points close to their homes and
offices and converting their cash into mobile wallet currency. This can be used for online transaction and
eCommerce purchases. Many payment options such as Zaad Services by Telecoms company in Somaliland
(Independent State in Northern Somalia), Airtel Moneyand M-Pesa in Kenya, ATW are being accepted as alternate
payment options on various eCommerce websites.

Braintree
Braintree provides developers with SDKs and adjusted API interfaces in six programming languages as well as with
ready-made solutions for baskets. PayPal's Commerce feature, that was launched recently, means that dealers can
integrate Purchase buttons into such apps like Pinterest or Facebook Messenger. Stripe's Relay feature may look
similar to it. Braintree also has a phone support that is available for all customers. PayPal purchased Braintree in
2013. One of the main problems with PayPal was in a redirection of the user from the seller's website to the PayPal
server, and it required the user to be a registered service user. It was a reason for discontent from both parties, so
the purchase of Braintree solved the problem.[citation needed]

Stripe
Stripe supports more than one hundred currencies and it offers a few methods of online payment. Apart
from debit and credit cards, Apple Pay, and Android Pay, Stripe support Bitcoin and American Express Checkout.In
2015, Stripe added a Relay product that allows developers to create a Purchase button in the third-party apps
like Facebook, Pinterest, and Twitter.[7] Also, only Stripe allows users to receive payment via AliPay.

ATM vs. debit cards

ATM cards

An ATM card is a PIN-based card. That means that in addition to using it at ATMs, you may also be
able to use it to make purchases (by entering your Personal Identification Number) if the merchant is
using one of the same electronic ATM networks that’s listed on the back of your card.
Debit card

A debit card looks just like a regular ATM card, and you can use it at ATMs. The difference is that a
debit card has a Visa® or Mastercard® logo on its face. That means you can use a debit card
wherever Visa® or Mastercard® debit cards are accepted, for example, department stores,
restaurants, or online.

Credit card

A debit card is not a credit card. When you use a debit card, the money is deducted from your
checking account. With a credit card, you’re borrowing money to be repaid later.

ATM and debit cards allow you to use ATMs, a safe and convenient way to manage your money.
There are millions of ATMs worldwide and you can use many ATMs 24 hours a day, 7 days week.
ATM and debit cards are also a convenient way to make purchases without carrying cash that help
you keep better track of the money you spend.

Debit card
A debit card (also known as a bank card, plastic card or check card) is a plastic payment card that can be used
instead of cashwhen making purchases. It is similar to a credit card, but unlike a credit card, the money comes
directly from the user's bank accountwhen performing a transaction.
Some cards may carry a stored value with which a payment is made, while most relay a message to the
cardholder's bank to withdraw funds from a payer's designated bank account. In some cases, the primary account
number is assigned exclusively for use on the Internet and there is no physical card.
In many countries, the use of debit cards has become so widespread that their volume has overtaken or entirely
replaced cheques and, in some instances, cash transactions. The development of debit cards, unlike credit
cards and charge cards, has generally been country specific resulting in a number of different systems around the
world, which were often incompatible. Since the mid-2000s, a number of initiatives have allowed debit cards issued
in one country to be used in other countries and allowed their use for internet and phone purchases.
Unlike credit and charge cards, payments using a debit card are immediately transferred from the cardholder's
designated bank account, instead of them paying the money back at a later date.
Debit cards usually also allow for instant withdrawal of cash, acting as an ATM card for withdrawing cash.
Merchants may also offer cashback facilities to customers, where a customer can withdraw cash along with their
purchase.

Credit card
An example of the front in a typical credit card:

1. Issuing Bank Logo

2. EMV chip (only on "smart cards")
3. Hologram
4. Card number
5. Card Network Logo
6. Expiration Date
7. Card Holder Name
8. Contactless Chip

An example of the reverse side of a typical credit card:

1. Magnetic Stripe
2. Signature Strip
3. Card Security Code
A credit card is a payment card issued to users (cardholders) to enable the cardholder to pay a merchant for goods
and servicesbased on the cardholder's promise to the card issuer to pay them for the amounts so paid plus the
other agreed charges.[1] The card issuer (usually a bank) creates a revolving account and grants a line of credit to
the cardholder, from which the cardholder can borrow money for payment to a merchant or as a cash advance. In
other words, credit cards combine payment services with extensions of credit.[2] Complex fee structures in the credit
card industry may limit customers' ability to comparison shop, helping to ensure that the industry is not price-
competitive and helping to maximize industry profits. Due to concerns about this, many legislatures have regulated
credit card fees.[3]
A credit card is different from a charge card, where it requires the balance to be repaid in full each month.[4] In
contrast, credit cards allow the consumers a continuing balance of debt, subject to interest being charged. A credit
card also differs from a cash card, which can be used like currency by the owner of the card. A credit card differs
from a charge card also in that a credit card typically involves a third-party entity that pays the seller and is
reimbursed by the buyer, whereas a charge card simply defers payment by the buyer until a later date.

Digital signature
A digital signature is a mathematical scheme for presenting the authenticity of digital messages or documents. A
valid digital signature gives a recipient reason to believe that the message was created by a known sender
(authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message
was not altered in transit (integrity).[1]
Digital signatures are a standard element of most cryptographic protocol suites, and are commonly used for
software distribution, financial transactions, contract management software, and in other cases where it is important
to detect forgery or tampering.

Explanation
Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic
data that carries the intent of a signature,[2] but not all electronic signatures use digital signatures.[3][4] In some
countries, including the United States, Algeria[5], Turkey, India,[6] Brazil, Indonesia, Mexico,[7] Saudi
Arabia,[8], Uruguay[9], Switzerlandand the countries of the European Union,[10][11] electronic signatures have legal
significance.
Digital signatures employ asymmetric cryptography. In many instances they provide a layer of validation and
security to messages sent through a non-secure channel: Properly implemented, a digital signature gives the
receiver reason to believe the message was sent by the claimed sender. Digital seals and signatures are equivalent
to handwritten signatures and stamped seals.[12] Digital signatures are equivalent to traditional handwritten
signatures in many respects, but properly implemented digital signatures are more difficult to forge than the
handwritten type. Digital signature schemes, in the sense used here, are cryptographically based, and must be
implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer
cannot successfully claim they did not sign a message, while also claiming their private key remains secret. Further,
some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is
exposed, the signature is valid. Digitally signed messages may be anything representable as a bitstring: examples
include electronic mail, contracts, or a message sent via some other cryptographic protocol.

Definition
 A key generation algorithm that selects a private key uniformly at random from a set of possible private keys.
The algorithm outputs the private key and a corresponding public key.
 A signing algorithm that, given a message and a private key, produces a signature.
 A signature verifying algorithm that, given the message, public key and signature, either accepts or rejects the
message's claim to authenticity.
Two main properties are required. First, the authenticity of a signature generated from a fixed message and fixed
private key can be verified by using the corresponding public key. Secondly, it should be computationally infeasible
to generate a valid signature for a party without knowing that party's private key. A digital signature is an
authentication mechanism that enables the creator of the message to attach a code that acts as a signature.
The Digital Signature Algorithm (DSA), developed by the National Institute of Standards and Technology, is one
of many examples of a signing algorithm.
In the following discussion, 1n refers to a unary number.
Formally, a digital signature scheme is a triple of probabilistic polynomial time algorithms, (G, S, V), satisfying:

 G (key-generator) generates a public key (pk), and a corresponding private key (sk), on input 1n, where n is the
security parameter.
 S (signing) returns a tag, t, on the inputs: the private key (sk), and a string (x).
 V (verifying) outputs accepted or rejected on the inputs: the public key (pk), a string (x), and a tag (t).
For correctness, S and V must satisfy
Pr [ (pk, sk) ← G(1n), V( pk, x, S(sk, x) ) = accepted ] = 1.[13]
A digital signature scheme is secure if for every non-uniform probabilistic polynomial time adversary, A
Pr [ (pk, sk) ← G(1n), (x, t) ← AS(sk, · )(pk, 1n), x ∉ Q, V(pk, x, t) = accepted] < negl(n),
where AS(sk, · ) denotes that A has access to the oracle, S(sk, · ), and Q denotes the set of the queries
on S made by A, which knows the public key, pk, and the security parameter, n. Note that we require any
adversary cannot directly query the string, x, on S.[14]

Applications of digital signatures

As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures
can provide added assurances of the evidence to provenance, identity, and status of an electronic document as
well as acknowledging informed consent and approval by a signatory. The United States Government Printing
Office (GPO) publishes electronic versions of the budget, public and private laws, and congressional bills with
digital signatures. Universities including Penn State, University of Chicago, and Stanford are publishing electronic
student transcripts with digital signatures.
Below are some common reasons for applying a digital signature to communications:

Authentication
Although messages may often include information about the entity sending a message, that information may not be
accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital
signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user.
The importance of high confidence in sender authenticity is especially obvious in a financial context. For example,
suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an
account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on
such a request could be a grave mistake.

Public-key cryptography
An unpredictable (typically large and random) number is used to begin generation of an acceptable pair of keys suitable for use
by an asymmetric key algorithm.

In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired
private key can decrypt. Security depends on the secrecy of the private key.

In the Diffie–Hellman key exchangescheme, each party generates a public/private key pair and distributes the public key. After
obtaining an authentic copy of each other's public keys, Alice and Bobcan compute a shared secret offline. The shared secret
can be used, for instance, as the key for a symmetric cipher.

Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs
of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This
accomplishes two functions: authentication, where the public key verifies that a holder of the paired private key sent
the message, and encryption, where only the paired private key holder can decrypt the message encrypted with the
public key.
In a public key encryption system, any person can encrypt a message using the receiver's public key. That
encrypted message can only be decrypted with the receiver's private key. To be practical, the generation of a public
and private key -pair must be computationally economical. The strength of a public key cryptography system relies
on the computational effort (work factor in cryptography) required to find the private key from its paired public key.
Effective security only requires keeping the private key private; the public key can be openly distributed without
compromising security.[1]
Public key cryptography systems often rely on cryptographic algorithms based on mathematical problems that
currently admit no efficient solution, particularly those inherent in certain integer factorization, discrete logarithm,
and elliptic curve relationships. Public key algorithms, unlike symmetric key algorithms, do not require a secure
channel for the initial exchange of one or more secret keysbetween the parties.[2]
Because of the computational complexity of asymmetric encryption, it is usually used only for small blocks of data,
typically the transfer of a symmetric encryption key (e.g. a session key). This symmetric key is then used to encrypt
the rest of the potentially long message sequence. The symmetric encryption/decryption is based on simpler
algorithms and is much faster.[3]
In a public key signature system, a person can combine a message with a private key to create a short digital
signature on the message. Anyone with the corresponding public key can combine a message, a putative digital
signature on it, and the known public key to verify whether the signature was valid, i.e. made by the owner of the
corresponding private key. Changing the message, even replacing a single letter, will cause verification to fail. In a
secure signature system, it is computationally infeasible for anyone who does not know the private key to deduce it
from the public key or any number of signatures, or to find a valid signature on any message for which a signature
has not hitherto been seen. Thus the authenticity of a message can be demonstrated by the signature, provided the
owner of the private key keeps the private key secret.[4][5]
Public key algorithms are fundamental security ingredients in cryptosystems, applications and protocols. They
underpin various Internet standards, such as Transport Layer Security (TLS), S/MIME, PGP, and GPG. Some
public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital
signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA).
Public key cryptography finds application in, among others, the information technology security
discipline, information security. Information security (IS) is concerned with all aspects of protecting electronic
information assets against security threats.[6] Public key cryptography is used as a method of assuring the
confidentiality, authenticity and non-repudiability of electronic communications and data storage.