Computing Reviews
Digital cash (2nd ed.)
Wayner P., Academic Press Prof., Inc., San Diego, CA, 1997. Type: Book (9780127887722)
Date Reviewed: Aug 1 1998

Wayner aims to show “how bundles of bits can be made to encapsulate promise” (p. 179). The question is how to create trust in a business environment--the Internet--where people never meet face-to-face, have no physical location or representation, and can vanish into (cyber)space by logging off. The answer, in one word, is cryptography.

In order to do business online, it is necessary to identify, authenticate, guarantee against repudiation, and verify individuals and organizations along these dimensions. It is also useful to exchange tokens of value (money). Each of these goals can be approached by embedding certain intriguing algorithms (on which digital encryption is based) in business systems.

The introduction reviews the many technical and political challenges faced by a project to create digital media of exchange, including digital cash. Near the top of the list of technical challenges is deciding which algorithm to use. The political challenge is clearly indicated by the number of times the author repeats that sufficiently strong encryption cannot be exported without permission from the US government. Transcending all other issues is how to create trust in an untrustworthy world. This book emphasizes the technical solution to the problem of trust in an elegant and plausible way.

The major encryption solutions are reviewed in the most complex and difficult chapter of the book. Private-key algorithms, as represented by the Data Encryption Standard (DES), are discussed in enough detail to satisfy a programmer who is designing a system. Since this 56-bit DES key is considered too weak, the author favors Rivest, Shamir, and Adleman’s RSA public-key encryption system. The beauty of public-key encryption is that it allows secret communication between people who will never meet and have no other communication channel.

Digital signatures are closely related to the RSA public-key system. They involve a mathematical function that is easy to calculate in one direction but computationally intractable in the opposite direction. When these signatures are subjected to a blinding factor, in a process invented and patented by David Chaum, the basis for digital cash is born.

The majority of the text is an evaluation of different electronic commerce solutions. Cybercash is mostly an extension of the credit card system, albeit one of the most robust and sophisticated, from a business perspective. Digicash, on the other hand, founded by David Chaum, is designed around a token-based solution. One valuable feature of this book is a section on vendors at the end of each chapter. For example, the anonymity of cash means that if you lose it, it is gone. The convenience of credit card–like solutions means that data on your buying habits might end up in somebody’s data warehouse. The author provides an excellent briefing on Secure Electronic Transaction from Visa and MasterCard. All the tradeoffs involved in distributing and maintaining digital signatures through an infrastructure of certification authorities are considered.

SmartCards take digital cash further by detaching the money from a central approval server such as Digicash’s Ecash server. The card is offline most of the time, and is only occasionally connected to get a cash infusion. At that time, checks against double spending and counterfeiting are enacted. The problem of maintaining a centralized database of valid serial numbers seems to the author to be amenable to technical solutions.

The chapter on security (along with many related passages in other chapters) provides a valuable discussion of the attacks to which digital transaction systems are subject. Wayner treats hardware, software, and algorithmic weaknesses and makes security policy recommendations. One interesting attack on a smart card includes putting it in a microwave oven. The secret half of an RSA key used to be recoverable if the card made errors due to flipping bits because it was bombarded with large particles. A chilling section on algorithmic failure covers the cracking of Rivest’s sample 129-digit number by a team from Bell Research in eight months in 1994 instead of the predicted 40 quadrillion years.

The audience for this book includes programmers, managers, and administrators who want an overview of current electronic commerce vendors and systems. Wayner provides a strong discussion of the tradeoffs between token-based and account-based money. He believes that the problems of double spending and illegal activities, such as money laundering, can be addressed by technical means. Although programmers will require more resources than this book, it is a good place to start.

Reviewer:  Lou Agosta Review #: CR124731 (9808-0589)
Financial (J.1 ... )
Public Key Cryptosystems (E.3 ... )
Security and Protection (C.2.0 ... )
World Wide Web (WWW) (H.3.4 ... )
Special-Purpose And Application-Based Systems (C.3 )