Secure Electronic Transaction

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

Using EAP-SIM for WLAN Authentication
CP3397 ECommerce.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Electronic Transaction Security (E-Commerce)
Cryptography and Network Security Chapter 17
Chapter 8 Web Security.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Secure Electronic Transactions (SET). SET SET is an encryption and security specification designed to protect credit card transactions on the Internet.
Secure Electronic Transaction Creating Debts Online with Confidence.
Supporting Technologies III: Security 11/16 Lecture Notes.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
Secure Electronic Transaction (SET)
1 Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats –integrity –confidentiality.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Electronic Payments E-payment methods –Credit cards –Electronic funds transfer (EFT) –E-payments Smart cards Digital cash and script Digital checks E-billing.
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
电子商务实务 项目四 B2B 交易 目标 1 、了解 B2B 交易的基本流程 2 、熟练掌握平台 B2B 交易相关操作 3 、掌握电子商务技能鉴定培训平台交易大厅相关操作 4 、了解 B2B 的方式及其特点 5 、了解 B2B 平台的类型及其特点 6 、熟悉目前典型的 B2B 第三方支付平台及特点.
E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.
Lecture 8 e-money. Today Secure Electronic Transaction (SET) CyberCash On line payment system using e-money ECash NetCash MilliCent CyberCoin.
Secure Socket Layer (SSL) and Secure Electronic Transactions (SET) Network Security Fall Dr. Faisal Kakar
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
Chapter 9: Payment System for Electronic Commerce.
EC 营客通产品操作(九) EC 营客通产品操作(九) 400 电话 400 电话. 400 电话有助于提升企业形象,无论企业地址变更、机构 变化、人员变动,联系方式永远不变。且在 EC 上申请的 400 电话可以在 EC 平台上进行统一的 400 电话接听及 400 电话客服的管理。
Network Security Lecture 27 Presented by: Dr. Munam Ali Shah.
广东省电子政府采购网 广东省财政厅政府采购监管处 2011 年 3 月. 目录 1 用户注册登录 2 维护商品品牌 3 维护商品 / 配件信息 4 采购机构管理 5 用户信息维护.
2012 年昆明冶金高等专科学校 生源地贷款培训会. 一、生源地贷款鉴定证明 各地区县级教育部门生源地贷款办理时间一般 从 7 月 1 日开始。学校应尽快办理好学校鉴定证明, 给学生充裕的时间到当地办理.
Gold Coast Campus School of Information Technology 2003/16216/3112INT Network Security 1Copyright © Griffith University, INT / 3112INT Network.
如何申请《教育部学历证书电子注册备案表》 以及《教育部学历认证报告》. 一、如何申请《教育部学历证书电 子注册备案表》中文版 方式一:实名注册过的用户,通过学信档案 申请。 实名注册学信档案实名注册学信档案.
感谢您的关注 联系电话: – 677 手机: QQ :
U niversity of S cience and T echnology of C hina VxWorks 及其应用开发 陈香兰 年 7 月.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
进口食品标签中介服务平台介绍 上海顺益信息科技有限公司. 目录页 平台操作 平台定义 平台功能 进口食品标签中介服务平台介绍.
第二节 财政的基本特征 第二节 财政的基本特征 一、财政分配以政府为主体 二、财政分配一般具有强制性 三、财政分配一般具有无偿性 第一章 财政概论 四、财政分配一般具有非营利性.
1 Chapter 12 Electronic Payment Systems p441 2 Objectives  Four methods for collecting customer payments  Credit and debit card processing  SET protocol.
Henric Johnson1 Chapter 8 WEB Security //Modified by Prof. M. Singhal// Henric Johnson Blekinge Institute of Technology, Sweden
Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.
CS580 Internet Security Protocols
Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden
Chapter 5 Business-to-Business Strategies Electronic Commerce.
Henric Johnson1 Secure Electronic Transactions An open encryption and security specification. Protect credit card transaction on the Internet. Companies.
Chapter 7 - Secure Socket Layer (SSL)
Cryptography and Network Security
Secure Electronic Transaction
Cryptography and Network Security
Cryptography and Network Security
Secure Electronic Transaction (SET) University of Windsor
Secure Electronic Transactions (SET)
Electronic Payment Security Technologies
Cryptography and Network Security
Presentation transcript:

Secure Electronic Transaction (SET)

Credit Cards on the Internet Problem: communicate credit card and purchasing data securely to gain consumer trust Authentication of buyer and merchant Confidential transmissions Systems vary by Type of public-key encryption Type of symmetric encryption Message digest algorithm Number of parties having private keys Number of parties having certificates 52

Secure Electronic Transaction (SET) Developed by Visa and MasterCard Designed to protect credit card transactions Confidentiality: all messages encrypted Trust: all parties must have digital certificates Privacy: information made available only when and where necessary

SET的体系结构 SET支付系统的主要参与方有: 商家,提供在线商店或商品光盘给消费者;  持卡人,即消费者,他们通过web浏览器或客户端软件购物; 商家,提供在线商店或商品光盘给消费者; 发卡人,它是一金融机构,为持卡人开帐户,并且发放支付卡; 收款银行,它为商家建立帐户,并且处理支付卡的认证和支付事宜 支付网关,是由受款银行或指定的第三方操纵的设备,它处理商家的支付信息,

Participants in the SET System

商家:出售商品或服务的个人或机构,通常通过WEB网页或电子邮件进行出售。商家还必须和收单行达成协议,保证可以接受支付卡付款。 SET的体系结构 商家 持卡人 认证机构 发卡行 发卡行:一个金融机构,为持卡人建立一个帐户并发行支付卡,一个发卡行保证对经过授权的交易进行付款。 支付网关 收单行

SET的体系结构 商家 持卡人 认证机构 发卡行 收单行 支付网关 收单行:一个金融机构,为商家建立一个帐户并处理支付卡授权和支付。 支付网关:收单行的一个操作设备,用于处理支付卡授权和支付

SET Business Requirements Provide confidentiality of payment and ordering information Ensure the integrity of all transmitted data Provide authentication that a cardholder is a legitimate user of a credit card account Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution

SET Business Requirements (cont’d) Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction Create a protocol that neither depends on transport security mechanisms nor prevents their use Facilitate and encourage interoperability among software and network providers

SET Transactions

SET Transactions The customer opens an account with a card issuer. MasterCard, Visa, etc. The customer receives a X.509 V3 certificate signed by a bank. X.509 V3 A merchant who accepts a certain brand of card must possess two X.509 V3 certificates. One for signing & one for key exchange The customer places an order for a product or service with a merchant. The merchant sends a copy of its certificate for verification. SET Transaction: Customer Opens An Account: Customer obtains a credit card account with a bank that supports electronic payment and SET. Customer Receives A Certificate: After suitable verification of identity, the customer receives an X.509v3 digital certificate signed by the bank. It verifies the customer’s RSA public key and its expiration date. Merchants Have Own Certificates: A merchant who accepts a bank card must be in possession of two certificates for the two public keys owned by the merchant: One for signing messages One for key exchange Merchant has a copy of payment gateway’s public-key certificate. Customer Places An Order: Customer send a list of items to be purchases to the merchant, who returns an order form containing the list of items to be purchased to the merchant. Merchant returns an order form containing the list of items, their price, a total price, and an order number. Merchant is Verified: In addition to the order form, the merchant sends a copy of the certificate so that the customer can verify that he or she is dealing with a valid store.

SET Transactions The customer sends order and payment information to the merchant. The merchant requests payment authorization from the payment gateway prior to shipment. The merchant confirms order to the customer. The merchant provides the goods or service to the customer. The merchant requests payment from the payment gateway. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

Key Technologies of SET Confidentiality of information: DES Integrity of data: RSA digital signatures with SHA-1 hash codes Cardholder account authentication: X.509v3 digital certificates with RSA signatures Merchant authentication: X.509v3 digital certificates with RSA signatures Privacy: separation of order and payment information using dual signatures

Dual Signatures Links two messages securely but allows only one party to read each. MESSAGE 1 MESSAGE 2 HASH 1 & 2 WITH SHA CONCATENATE DIGESTS TOGETHER DIGEST 1 DIGEST 2 HASH WITH SHA TO CREATE NEW DIGEST NEW DIGEST ENCRYPT NEW DIGEST WITH SIGNER’S PRIVATE KEY PRIVATE KEY DUAL SIGNATURE

Dual Signature for SET Concept: Link Two Messages Intended for Two Different Receivers: Order Information (OI): Customer to Merchant Payment Information (PI): Customer to Bank Goal: Limit Information to A “Need-to-Know” Basis: Merchant does not need credit card number. Bank does not need details of customer order. Afford the customer extra protection in terms of privacy by keeping these items separate. This link is needed to prove that payment is intended for this order and not some other one. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

Why Dual Signature? Suppose that customers send the merchant two messages: The signed order information (OI). The signed payment information (PI). In addition, the merchant passes the payment information (PI) to the bank. If the merchant can capture another order information (OI) from this customer, the merchant could claim this order goes with the payment information (PI) rather than the original. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

Dual Signature Operation The operation for dual signature is as follows: Take the hash (SHA-1) of the payment and order information. These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed. Customer encrypts the final hash with a private key creating the dual signature. DS = EKRC [ H(H(PI) || H(OI)) ] SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

Dual Signature Operation H PIMD OIMD PI OI DS KRc || POMD H SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

DS Verification by Merchant The merchant has the public key of the customer obtained from the customer’s certificate. Now, the merchant can compute two values: H(PIMD || H(OI)) DKUC[DS] Should be equal! SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

DS Verification by Bank The bank is in possession of DS, PI, the message digest for OI (OIMD), and the customer’s public key, then the bank can compute the following: H(H(PI) || OIMD) DKUC [ DS ] SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

What did we accomplish? The merchant has received OI and verified the signature. The bank has received PI and verified the signature. The customer has linked the OI and PI and can prove the linkage. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing

SET Supported Transactions 1 card holder registration 2 merchant registration 3 purchase request 4 payment authorization 5 payment capture 52

3 Purchase Request Browsing, Selecting, and Ordering is Done Purchasing Involves 4 Messages: (1)Initiate Request (2)Initiate Response (3)Purchase Request (4)Purchase Response

Purchase Request: (1)Initiate Request Basic Requirements: Cardholder Must Have Copy of Certificates for Merchant and Payment Gateway Customer Requests the Certificates in the Initiate Request Message to Merchant Brand of Credit Card ID Assigned to this Request/response pair by customer Nonce

Purchase Request: (2)Initiate Response Merchant Generates a Response Signs with Private Signature Key Include Customer Nonce Include Merchant Nonce (Returned in Next Message) Transaction ID for Purchase Transaction In Addition … Merchant’s Signature Certificate Payment Gateway’s Key Exchange Certificate

Purchase Request: (3)Purchase Request Cardholder Verifies Two Certificates Using Their CAs and Creates the OI and PI. Message Includes: Purchase-related Information Order-related Information Cardholder Certificate

(3)Purchase Request The cardholder generates a one-time symmetric encryption key, KS, Cardholder Sends Purchase Request Message: Message Includes: Purchase-related Information: Forwarded to the Payment Gateway by the Merchant PI Dual Signature calculated over PI and OI and signed with the customer’s private signature key OI Message Digest (OIMD) Digital Envelope Order-related Information: Information needed by Merchant OI Dual Signature PI Message Digest (PIMD) Cardholder Certificate: Contains the Cardholder’s public signature key Used by Merchant and by Payment Gateway

(4)Merchant Verifies Purchase Request When the merchant receives the Purchase Request message, it performs the following actions: Verify the cardholder certificates by means of its CA signatures. Verifies the dual signature using the customer’s public key signature. Merchant Handles Purchase Request Message: When Merchant receives the Purchase Request Message: Verifies the Cardholder Certificate using its CA Signatures Verifies the Dual Signature using the customer’s public signature key. This ensures that the order has not been tampered with in transit and that it was signed using the cardholder’s private key. Process the order and forward the payment information to the payment gateway for authorization. Send a purchase response to cardholder.

Merchant Verification (cont’d) Processes the order and forwards the payment information to the payment gateway for authorization. Sends a purchase response to the cardholder. Merchant Handles Purchase Request Message: When Merchant receives the Purchase Request Message: Verifies the Cardholder Certificate using its CA Signatures Verifies the Dual Signature using the customer’s public signature key. This ensures that the order has not been tampered with in transit and that it was signed using the cardholder’s private key. Process the order and forward the payment information to the payment gateway for authorization. Send a purchase response to cardholder.

Purchase Response Message Message that Acknowledges the Order and References Corresponding Transaction Number Block is Signed by Merchant Using its Private Key Block and Signature Are Sent to Customer Along with Merchant’s Signature Certificate Upon Reception Verifies Merchant Certificate Verifies Signature on Response Block Takes the Appropriate Action

Payment Process The payment process is broken down into two steps: Payment authorization Payment capture Authorization Request Message: Purchase-related Information: Customer Information PI Dual Signature OI Message Digest (OIMD) Digital Envelope Authorization-related Information: Merchant Information Authorization Block: Transaction ID Signed with Merchant’s Private Key Encrypted with One-time Key Generated by Merchant Digital Envelope: Encrypt One-time Key with Private Key Certificates: Cardholder’s Signature Key Certificate (Verify Dual Sign.) Merchant’s Signature Key Certificate (Verify Merchant) Merchant’s Key-exchange Certificate (Gateway I/F)

4 Payment Authorization (1)Authorization Request (2)Authorization Response Authorization Request Message: Purchase-related Information: Customer Information PI Dual Signature OI Message Digest (OIMD) Digital Envelope Authorization-related Information: Merchant Information Authorization Block: Transaction ID Signed with Merchant’s Private Key Encrypted with One-time Key Generated by Merchant Digital Envelope: Encrypt One-time Key with Private Key Certificates: Cardholder’s Signature Key Certificate (Verify Dual Sign.) Merchant’s Signature Key Certificate (Verify Merchant) Merchant’s Key-exchange Certificate (Gateway I/F)

(1)Authorization Request The merchant sends an authorization request message to the payment gateway consisting of the following: Purchase-related information PI Dual signature calculated over the PI & OI and signed with customer’s private key. The OI message digest (OIMD) The digital envelop Authorization-related information Certificates Authorization Request Message: Purchase-related Information: Customer Information PI Dual Signature OI Message Digest (OIMD) Digital Envelope Authorization-related Information: Merchant Information Authorization Block: Transaction ID Signed with Merchant’s Private Key Encrypted with One-time Key Generated by Merchant Digital Envelope: Encrypt One-time Key with Private Key Certificates: Cardholder’s Signature Key Certificate (Verify Dual Sign.) Merchant’s Signature Key Certificate (Verify Merchant) Merchant’s Key-exchange Certificate (Gateway I/F)

Authorization-related information An authorization block including: A transaction ID Signed with merchant’s private key Encrypted one-time session key Certificates Cardholder’s signature key certificate Merchant’s signature key certificate Merchant’s key exchange certificate Authorization Request Message: Purchase-related Information: Customer Information PI Dual Signature OI Message Digest (OIMD) Digital Envelope Authorization-related Information: Merchant Information Authorization Block: Transaction ID Signed with Merchant’s Private Key Encrypted with One-time Key Generated by Merchant Digital Envelope: Encrypt One-time Key with Private Key Certificates: Cardholder’s Signature Key Certificate (Verify Dual Sign.) Merchant’s Signature Key Certificate (Verify Merchant) Merchant’s Key-exchange Certificate (Gateway I/F)

Payment: Payment Gateway Verify All Certificates Decrypt Authorization Block Digital Envelope to Obtain Symmetric Key and Decrypt Block Verify Merchant Signature on Authorization Block Decrypt Payment Block Digital Envelope to Obtain Symmetric Key and Decrypt Block Verify Dual Signature on Payment Block Verify Received Transaction ID Received from Merchant Matches PI Received from Customer Request and Receive Issuer Authorization

(2)Authorization Response Authorization Response Message Authorization-related Information Capture Token Information Certificate Authorization Response Message: Authorization-related Information: Authorization blocks Signed by Gateway’s private key Encrypted with one-time symmetric key generated by Gateway Digital envelope containing one-time key encrypted with Merchant’s public key Capture Token Information: Information to be used to effect payment. Block Signed, encrypted Capture Token with Digital Envelope Not processed by merchant Must be returned with a payment request Certificate: The Gateway’s signature key certificate.

SET Overhead Simple purchase transaction: Scaling: Four messages between merchant and customer Two messages between merchant and payment gateway 6 digital signatures 9 RSA encryption/decryption cycles 4 DES encryption/decryption cycles 4 certificate verifications Scaling: Multiple servers need copies of all certificates 52