Download presentation
Presentation is loading. Please wait.
1
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 6-1© 2007 Prentice-Hall, Inc ELC 200 Day 22
2
6-2 © 2007 Prentice-Hall, Inc Agenda Assignment 8 Due Assignment 9 Posted (optional) –Due April 28 Quiz 4 on April 24 –Chapters 12-16 –25 M/C questions –Extra Credit on next quiz First example of paper money (world) First example of paper money in USA First Digital Cash Company and its founder Framework presentation on April 28 –E-mail your PowerPoint to tonyg@maine.edu 30 min before classtonyg@maine.edu Framework paper due on May 1 –Upload in Blackboard by 2 PM –No class Finish discussion on Encryption Discussion on Getting the Money
3
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment Encryption: A Matter of Trust
4
12-4 © 2007 Prentice-Hall, Inc Public Key Deception Impostor “I am the True Person.” “Here is TP’s public key.” (Sends Impostor’s public key) “Here is authentication based on TP’s private key.” (Really Impostor’s private key) Decryption of message from Verifier encrypted with Impostor’s public key, so Impostor can decrypt it Verifier Must authenticate True Person. Believes now has TP’s public key Believes True Person is authenticated based on Impostor’s public key “True Person, here is a message encrypted with your public key.” Critical Deception
5
12-5 © 2007 Prentice-Hall, Inc Digital Certificates Digital certificates are electronic documents that give the true party’s name and public key Applicants claiming to be the true party have their authentication methods tested by this public key If they are not the true party, they cannot use the true party’s private key and so will not be authenticated Digital certificates follow the X.509 Standard
6
12-6 © 2007 Prentice-Hall, Inc Digital Certificates Digital certificates are the heart of secure online transactions A digital certificate is a software program that can be installed in a browser Your digital certificate identifies you to Web sites equipped to check it automatically Digital certificate is an electronic document issued by a certificate authority to establish a merchant’s identity Certificate authority (CA) is a trusted entity that issues and revokes public-key certificates and manages key-pairs
7
12-7 © 2007 Prentice-Hall, Inc Third-Party Services Certificate authority verifies certificates intended for use by other distinct legal entities Certificate policy is a set of rules that identifies how, when, and for what reasons certificates are used within the assigned organization Directory service is a repository that distributes certificates as requested by message originators
8
12-8 © 2007 Prentice-Hall, Inc Four Classes of Digital Certificates Class 1 certificates contain minimum checks on the user’s background Class 2 certificates check for information like real name, Social Security number, and the date of birth Class 3 certificates are the strongest type Class 4 certificates are the most thorough
9
12-9 © 2007 Prentice-Hall, Inc Authentication and Trust Digital Signature is a special signature for signing electronic correspondence, produced by encrypting the message digest with the sender’s private key Authentication is verifying that a message or document, in fact, comes from the claimed sender Hash function is a formula that converts a message of a given length into a string of digits called a message digest Cryptographic hash functions are generally used to construct the message digest
10
12-10 © 2007 Prentice-Hall, Inc Crypto, Digital Signature and Digital Certificates Cryptography provides security by using encryption –Ensures privacy Digital Signatures are just like a real signature –DCMA makes them just as legally binding as a signed paper document Digital Certificates uses Cryptographic techniques to prove Identity
11
12-11 © 2007 Prentice-Hall, Inc The Digital Signature Process
12
12-12 © 2007 Prentice-Hall, Inc Digital Signature Sender Receiver DSPlaintext Add Digital Signature to Each Message Provides Message-by-Message Authentication Encrypted for Confidentiality
13
12-13 © 2007 Prentice-Hall, Inc Digital Signature: Sender DS Plaintext MD Hash Sign (Encrypt) MD with Sender’s Private Key To Create the Digital Signature: 1.Hash the plaintext to create a brief message digest; This is NOT the digital signature 2. Sign (encrypt) the message digest with the sender’s private key to create the digital Signature
14
12-14 © 2007 Prentice-Hall, Inc Digital Signature Sender Encrypts Receiver Decrypts Send Plaintext plus Digital Signature Encrypted with Symmetric Session Key DSPlaintext Transmission
15
12-15 © 2007 Prentice-Hall, Inc Digital Signature: Receiver DSReceived Plaintext MD 1. Hash 2. Decrypt with True Party’s Public Key 3. Are they Equal? 1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest 2. Decrypt the digital signature with the sender’s public key. This also should give the message digest. 3. If the two match, the message is authenticated; The sender has the true Party’s private key
16
12-16 © 2007 Prentice-Hall, Inc Digital Signatures and Digital Certificates Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature DSPlaintext Applicant Verifier Certificate Authority Digital Certificate: True Party’s Public Key
17
12-17 © 2007 Prentice-Hall, Inc Managing Cryptographic Keys Key management is the process of making keys known to the systems that need them and making sure keys are protected against disclosure or substitution Key Life Cycle –Key generation and registration –Key distribution –Key backup and recovery Key escrow : location where keys held in trust by a third party reside –http://pgp.mit.edu/http://pgp.mit.edu/ Notary service : company that provides encryption- oriented services including key escrow, key recovery, time stamping, trusted intermediary, and archiving –Key revocation and destruction
18
12-18 © 2007 Prentice-Hall, Inc Internet Security Protocols Two key protocols for secure World Wide Web transactions are: –Secure Socket Layer (SSL) is a protocol for secure Web transactions, secures data packets at the network layer –Secure HTTP (S-HTTP) is a protocol that secures Web transactions and nothing else Secure Electronic Transaction (SET) is a protocol used for handling funds transfers from credit card issuers to a merchant’s bank account –A digital certificate customers can request from their issuing bank by filling out a form on the bank’s Web site –A digital wallet is an online shopping device that seals personal information in a free plug-in that can be invoked when making a purchase
19
12-19 © 2007 Prentice-Hall, Inc Secure E-mail Pretty Good Privacy (PGP) is a protocol that encrypts the data with a one-time algorithm and then encrypts the key to the algorithm using public-key cryptography –http://www.pgp.com/http://www.pgp.com/ –http://www.gnupg.org/http://www.gnupg.org/ S/MIME (Multipurpose Internet Mail Extension) is a powerful protocol that provides security for different data types and attachments to e-mails Message Security Protocol (MSP) is a protocol that secures e-mail attachments across multiple platforms
20
12-20 © 2007 Prentice-Hall, Inc Implications for E-Commerce Developing high-powered and reliable encryption methods is a top priority for many organizations Most encryption systems have prevention as the sole means of defense Merchants face a number of choices when considering encryption methods A major concern is the cost associated with different encryption methods Government regulations present considerable problems for businesses
21
12-21 © 2007 Prentice-Hall, Inc Chapter Summary Encryption addresses message transmission security requirements Encryption satisfies requirements for authentication, integrity, and nonrepudiation There are two classes of key-based algorithms –Secret key –Public key Cryptanalysis is the science of deciphering encrypted messages without knowing the right key
22
12-22 © 2007 Prentice-Hall, Inc Chapter Summary (Cont’d) One way to implement public-key authentication is to send a digital signature with each message A digital certificate is an electronic document issued by a certificate authority (CA) to establish a merchant’s identity by verifying its name and public key Security measures installed to minimize vulnerability to the exchange of information includes –SSL –SHTTP –SET –S/MIME
23
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment Getting the Money
24
The focus of this chapter is on several learning objectives Real-world and electronic cash and their unique features and uses The key requirements for Internet-based payments The many ways people pay to purchase goods and services on the Internet Business-to-business methods of payment Paying for goods and services via the mobile phone Issues and implications behind electronic money transactions and payments
25
BRIEF HISTORY OF MONEY Barter Medium of Exchange –Tokens –Notational Money –Credit System
26
Real-World Cash Money –Medium of exchange to simplify transactions –Standard of value –Store of value to facilitate the concept of saving Cash continues to be the most widely used form of payment –Convenience –Wide acceptance –Anonymity –No cost of use –No audit trail
27
Electronic Money (E-Money) E-money is an electronic medium for making payments –Credit cards –Smart cards –Debit cards –Electronic funds transfer Identified e-money (digital cash) is a notational money system that generates an audit trail and can be traced Anonymous e-money is a notational money system that cannot be traced Types of e-money –Identified and online (+I+L) –Identified and off-line (+I-L) –Anonymous and online (-I+L) –Anonymous and off-line (-I-L)
28
US Cash Largest US bill is $100 $1,000,000 weighs 20 pounds and is 643 cubic inches (8”X6”X13”) and would fit in a large briefcase One ton of $100 dollars bill is 10 billion dollars The US Federal Deficit is $11,200,320,070,871.32 –http://www.brillig.com/debt_clock/http://www.brillig.com/debt_clock/ –This is equal to 22 Million pounds of $100 dollar bills –It would require 2700 tractor trailers to hold all the cash it would require to pay off the federal debt (36 miles of trucks parked bumper to bumper!)
29
Properties Of Money Online/offline represents risk –Online is on the spot validated transaction –An offline transactions is validated later Identified and Online (+I+L) –Credit cards and debit cards Identified and Offline (+I-L) –Checks, Money orders Anonymous and Online (-I+L) –Cash payments Anonymous and Offline (-I-L) –ATM deposit –Electronic cash (but not real cash)
30
ACID TEST Atomicity –All or nothing Consistency –All agree Isolation –Doesn’t effect other transactions Durability –Can go back to previous state (i.e. reversible)
31
ICES TEST Interoperability –Ability to move between system Conservation –Temporal consistency and durability Economy –Cost of use Scalability –Multiple users
32
TRANSACTION PROPERTIES TokenAtomicityConsistencyIsolationDurabilityInteroperabilityConservationEconomyScalability CashYYYYYYNYY CheckNYYNYNYNY Credit CardNNYNYN-NY Postal Money Order ?????????
33
Requirements for Internet-based Payments Electronic payments are financial transactions made without the use of paper documents such as cash or checks Internet-based Payment Systems Models –Electronic currency is the network equivalent of cash –Credit and debit cards are the electronic equivalent of checks Properties important to an electronic payment system: –Acceptability –Ease of integration –Customer base –Ease of use and ease of access
34
ELECTRONIC TRANSACTION SYSTEMS CyberCash –http://www.cybercash.com/http://www.cybercash.com/ –Bought by Verisign, then by PayPal Netbill –http://www.netbill.com/http://www.netbill.com/ –No longer active First Virtual –No longer in internet payment systems Paypal –www.paypal.comwww.paypal.com
35
Active payment systems (2008) http://www.paysimple.com/ http://www.mypaynet.com http://checkout.google.com/sell?promo=sha2 http://www.authorize.net/ http://www.worldpay.com/ https://www.paypal.com/ http://www.westernunion.com https://www.ikobo.com/ https://www.xoom.com/
36
How PayPal Works
37
Secure Internet Credit Card Payment
38
How Would You Like to Pay? Types of electronic payment media –Trusted third-party type –Notational fund transfer-related type –Digital cash or electronic money
39
Paying with Credit Cards A merchant must accept credit cards You must first open a merchant account with your bank Charges the merchant pays for online transactions are equivalent to the charges for phoning in the transaction The Web merchant needs some form of secure and encrypted line, usually (SSL) The merchant needs a shopping cart program that allows users to collect their purchases
40
Classical Flow of a SET Transaction
41
Debit Cards Look exactly like credits cards, except they directly tap your checking account every time you make a purchase or a withdrawal Using a debit card frees you from having to carry cash or a checkbook Debit cards are more readily accepted by merchants than are checks It is generally easier to get a debit card than a credit card Use of PIN creates identified & online transaction –Hard to dispute!
42
Debit Cards (Cont’d) Returned debit card purchases are treated just like returns for items purchased by cash or check The debit card is a quick pay now process Using a debit card may mean less protection for items that are never delivered, for defective items, or for items that were mis-represented Cardholders might overspend their limit before anyone finds out
43
Smart Cards Uses for Smart Cards –Provides users with the ability to make a purchase –Holds cash, ID information, and a key to a house or an office –Three categories of applications Authenticate an individual’s claim of personal identification Authorization for things like drug prescription fulfillment and voting purposes Transaction processing –Provides encryption and decryption of messages to ensure security, integrity, and confidentiality –Acts as a carrier of value
44
Smart Card Applications Government Identification Health care Loyalty Telecommunications Transportation Financial
45
DigiCash, E-Cash and E-Wallet Digital cash leaves no audit trail From a regulatory point of view, digital cash is not any different from any other kind of electronic financial payment medium PayPal.com combines e-mail and the credit card network to send real cash E-wallet is an electronic payment system that operates like a carrier of e-cash and information in the same way a real-world wallet functions Amazon.com’s 1-Click system, http://www.Amazon.com http://www.Amazon.com
46
Electronic Funds Transfer and Automated Clearinghouse Electronic fund transfer (EFT) is a computer- based system that facilitates the transfer of money or the processing of financial transactions between two financial institutions Automated Clearinghouse (ACH) is where bank transactions, involving more than one institution, are routed to debit and credit the correct accounts
47
ACH - Generic Life Cycle of Check Clearance
48
Check Numbers http://en.wikipedia.org/wiki/Demand_draft http://www.qchex.com/
49
Mobile-specific Transaction Architecture
50
General Guide to E-Payment Use a secure Web browser Read the Web site’s privacy policy carefully Determine the merchant’s refund policies in advance of the final purchase Investigate the trustworthiness of the merchant before you initiate a purchase Keep a record of all online transactions and check e-mail and other contacts regularly Review your credit card statements line-by-line to ensure authenticity
51
Issues Regarding Electronic Payment Methods and Methodologies Consumer needs Corporate processes Corporate strategy Regulation of competition Economic and social processes
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.