Dr. Cungang Yang
Secure Internet Payment Systems
INTRODUCTION
Incorporate the Payment Functions in Internet World
Payment Methods
- Cash
- Credit Card
- Cheque
- Credit & Debit Transfer
MAJOR INTERNET PAYMENT METHODS
- Secure Electronic Transaction (SET) Protocol for Implementing Credit Card Payment
- Electronic Cheque System for Supporting Cheque Payment
- Electronic Fund Transfer & Electronic Cash System for Emulating Physical Cash Payment
- Other Methods, i.e. Micropayment & Smart Card Payment
CREDIT CARD BASED METHODS: CREDIT CARD OVER SSL, SET
ELECTRONIC CHEQUES: NETCHEQUE
ANONYMOUS PAYMENTS: DIGICASH, CAFE
MICROPAYMENTS
SMART CARDS
FEATURES OF SECURE PAYMENT METHODS
ANONYMITY: WHETHER THE PAYMENT METHOD IS ANONYMOUS
SECURITY: WHETHER THE METHOD IS SECURE
OVERHEAD COST: THE OVERHEAD COST MUST BE COMPETENT ENOUGH
TRANSFERABILITY: WHETHER THE TRANSACTION CAN BE DIVIDED INTO ARBITRARY SMALL PAYMENTS WHOSE SUM IS EQUAL TO THE ORIGINAL PAYMENT
ACCEPTABILITY: WHETHER THE METHOD IS ACCEPTED GLOBALLY
4C PAYMENT METHODS
PAYMENT METHOD SHOULD BE
- VERY SECURE
- LOW OVERHEAD COST
- TRANSFERABLE
- USER FRIENDLY (GLOBALLY ACCEPTED)
- DIVISIBLE
- ANONYMOUS
4C PAYMENT METHODS COMPARISONS

| METHODS / FEATURES | ANONYMITY | SECURITY | OVERHEAD COST | TRANSFERABILITY | DIVISIBILITY | ACCEPTABILITY |
|---|---|---|---|---|---|---|
| CASH | YES, IN GENERAL | GOOD | LOWEST, IN GENERAL | YES | NOT COMPLETELY | YES, IN GENERAL |
| CREDIT CARD | NO | GOOD | HIGHER THAN CASH & DEBIT | NO | YES | YES, IN GENERAL |
| CHEQUE | NO | GOOD | HIGHEST, IN GENERAL | NO | YES | NO, IN GENERAL |
| CREDIT / DEBIT | NO | GOOD | LOW | NO | YES | NO, IN GENERAL |

SET PROTOCOL FOR CREDIT CARD PAYMENT METHOD
THE CREDIT CARD IS THE MOST COMMONLY USED PAYMENT METHOD GLOBALLY.
BEFORE THE INTRODUCTION OF SET PROTOCOL THE SECURE CREDIT CARD PAYMENT WAS USUALLY CARRIED OUT OVER AN SSL CONNECTION.
PROS & CONS OF SSL V/S SET
ADVANTAGE OF SSL: IT ENSURES THE SECURE
SET NETWORK ARCHITECTURE
SECURITY REQUIREMENTS SET PROTOCOL
SET AIMS AT SATISFYING THE FOLLOWING SECURITY REQUIREMENTS IN THE CONTEXT OF CREDIT CARD PAYMENT:
- CONFIDENTIALITY: SENSITIVE MESSAGES ARE ENCRYPTED SO THAT THEY ARE KEPT CONFIDENTIAL
- INTEGRITY: NEARLY ALL MESSAGES ARE DIGITALLY SIGNED TO ENSURE CONTENT INTEGRITY
- AUTHENTICITY: AUTHENTICATION IS PERFORMED THROUGH A PUBLIC KEY INFRASTRUCTURE.
SET NETWORK PARTICIPANTS
- A SELLER, WHICH IS CONNECTED TO AN ACQUIRER
- A REGISTERED HOLDER OF THE CREDIT CARD WHO IS A BUYER
- THE BANK THAT ISSUES THE CREDIT CARD TO A CARD HOLDER
- THE BANK THAT SERVES AS AN AGENT TO LINK A MERCHANT TO MULTIPLE ISSUERS.
- THIS IS TYPICALLY CONNECTED TO THE ACQUIRER. THE PAYMENT GATEWAY IS SITUATED BETWEEN THE SET SYSTEM AND THE FINANCIAL NETWORK
SET DIGITAL CERTIFICATE SYSTEM
DUAL SIGNATURE GENERATION & VERIFICATION
IN THE PHYSICAL CREDIT CARD SYSTEM
- THE PAYMENT INSTRUCTIONS (PI) INCLUDING THE CARDHOLDER'S CREDIT CARD NUMBER AND SIGNATURE ARE NOT KEPT CONFIDENTIAL
- DATA INTEGRITY CAN BASICALLY BE ENSURED BY USING PRINTED RECEIPTS
- CARDHOLDER'S AUTHENTICATION RELIES ON SIMPLE SIGNATURE CHECKING ONLY
IN AN ELECTRONIC CREDIT CARD SYSTEM
- THE ORDER INFORMATION (OI) AND PI CAN BE DIGITALLY SIGNED TO ENSURE DATA INTEGRITY
- THE SENSITIVE CREDIT CARD INFORMATION MAY STILL BE DISCLOSED TO OTHER PEOPLE
SET INTRODUCES A NOVEL METHOD CALLED THE DUAL SIGNATURE (DS) TO ENSURE DATA INTEGRITY WHILE PROTECTING THE SENSITIVE INFORMATION
SET NETWORK ARCHITECTURE
DS = E_KRc[ H( H(PI) || H(OI) ) ]
HOW THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS?
THE MERCHANT IS PROVIDED WITH OI, H[PI], AND DS
THE DUAL SIGNATURE CAN BE VERIFIED AS FOLLOWS:
STEP 1: THE MERCHANT FIRST FINDS H[H[PI] || H[OI]]
STEP 2: HE THEN DECRYPTS THE DIGITAL SIGNATURE WITH THE CARDHOLDER'S PUBLIC SIGNATURE KEY AS FOLLOWS: D_RSA[DS | KEY_PUBLIC_SIGN,CARDHOLDER], WHERE KEY_PUBLIC_SIGN,CARDHOLDER IS THE PUBLIC SIGNATURE KEY OF THE CARDHOLDER
STEP 3: FINALLY, HE COMPARES THE TWO TERMS H[H[PI] || H[OI]] AND D_RSA[DS | KEY_PUBLIC_SIGN,CARDHOLDER]. THEY SHOULD BE THE SAME IF THE TRANSMITTED DS HAS NOT BEEN CHANGED; OTHERWISE THE ORDER IS NOT VALID
HOW THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS?
THE PAYMENT GATEWAY IS PROVIDED WITH PI, H[OI], AND DS
BY USING THE DUAL SIGNATURE METHOD, EACH CARDHOLDER CAN LINK OI AND PI WHILE RELEASING ONLY THE NECESSARY INFORMATION TO THE RELEVANT PARTY
IF EITHER THE OI OR PI IS CHANGED, THE DUAL SIGNATURE WILL NO LONGER BE VALID
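
The generation and verification steps above can be run end to end. This is an added example, not part of the original slides: it uses textbook RSA with a constructed toy key and SHA-256 as H (both assumptions), and all function names are hypothetical.

```python
import hashlib

# Toy RSA signature key for the cardholder, built from two Mersenne primes.
# Constructed for illustration only: textbook RSA, no padding, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (KRc in the slide)


def H(data: bytes) -> bytes:
    """Hash function H; SHA-256 is an assumption, the slides do not name one."""
    return hashlib.sha256(data).digest()


def linked_digest(h_pi: bytes, h_oi: bytes) -> int:
    """H(H(PI) || H(OI)) as an integer ready for RSA."""
    return int.from_bytes(H(h_pi + h_oi), "big")


def make_dual_signature(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = E_KRc[H(H(PI) || H(OI))]."""
    return pow(linked_digest(H(pi), H(oi)), D, N)


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant sees OI, H[PI] and DS, never the PI itself."""
    return pow(ds, E, N) == linked_digest(h_pi, H(oi))


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway sees PI, H[OI] and DS, never the OI itself."""
    return pow(ds, E, N) == linked_digest(H(pi), h_oi)


# Constructed sample data.
PI = b"card=4111-XXXX-XXXX-1111;amount=25.00;txn=1001"
OI = b"txn=1001;item=book;qty=1"
DS = make_dual_signature(PI, OI)
```

Changing either the OI shown to the merchant or the PI shown to the gateway makes the corresponding check return False, because both hashes feed the single signed digest.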
DIGITAL ENVELOPE
A RANDOM DES KEY (KEY_RANDOM) IS FIRST GENERATED TO ENCRYPT THE MESSAGE, I.E. E_DES[M | KEY_RANDOM]
KEY_RANDOM IS THEN ENCRYPTED BY THE VBS'S PUBLIC KEY EXCHANGE KEY, SAY KEY_PUBLIC_EXCHANGE, I.E. E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS]
E_DES[M | KEY_RANDOM] AND E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS] ARE SENT TO THE VBS
TO OBTAIN THE MESSAGE M, VBS FIRST OBTAINS KEY_RANDOM BY DECRYPTING E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS], I.E. D_RSA[E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS] | KEY_PRIVATE_EXCHANGE,VBS] = KEY_RANDOM, WHERE KEY_PRIVATE_EXCHANGE,VBS DENOTES THE PRIVATE KEY EXCHANGE KEY OF THE VBS
AFTER OBTAINING KEY_RANDOM THE VBS CAN OBTAIN M BY DECRYPTING E_DES[M | KEY_RANDOM], I.E. TO FIND D_DES[E_DES[M | KEY_RANDOM] | KEY_RANDOM] = M
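
The envelope exchange above, as an added example that is not part of the original slides. DES is replaced by a hash-keystream stand-in and RSA is textbook RSA with a constructed toy key (both assumptions); all function names are hypothetical.

```python
import hashlib
import secrets

# Toy RSA key-exchange pair for the recipient (the VBS), built from two
# Mersenne primes. Constructed for illustration: textbook RSA, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # recipient's private key-exchange key
KEY_LEN = 16                       # bytes in the random symmetric key


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for DES (not in the standard library): XOR with a
    SHA-256(key || offset) keystream. Encrypting twice decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(message: bytes):
    """Sender: a fresh KEY_RANDOM encrypts M, then RSA encrypts KEY_RANDOM."""
    key_random = secrets.token_bytes(KEY_LEN)
    wrapped_key = pow(int.from_bytes(key_random, "big"), E, N)
    return sym_crypt(key_random, message), wrapped_key


def open_envelope(ciphertext: bytes, wrapped_key: int) -> bytes:
    """Recipient: recover KEY_RANDOM with the private key, then recover M."""
    key_random = pow(wrapped_key, D, N).to_bytes(KEY_LEN, "big")
    return sym_crypt(key_random, ciphertext)


# Constructed sample message.
MESSAGE = b"authorization request: txn=1001 amount=25.00 (constructed sample)"
```

Because `seal` draws a new KEY_RANDOM each time, sealing the same message twice yields different ciphertext and a different wrapped key.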
SET PROTOCOL ARCHITECTURE
SET PROTOCOL PHASES
SET PROTOCOL HAS FOUR PHASES:
- FIRST THE CARDHOLDER SENDS A PURCHASE INITIATION REQUEST TO THE MERCHANT FOR INITIALIZING THE PAYMENT. THEN THE MERCHANT RETURNS A RESPONSE MESSAGE TO THE CARDHOLDER
- IN THE SECOND PHASE, THE CARDHOLDER SENDS THE PURCHASE ORDER TOGETHER WITH THE PAYMENT INSTRUCTION TO THE MERCHANT
- IN THE THIRD PHASE, THE MERCHANT OBTAINS THE AUTHORIZATION FROM THE ISSUER VIA THE PAYMENT GATEWAY
- FINALLY, THE MERCHANT REQUESTS A MONEY TRANSFER TO ITS ACCOUNT
PAYMENT AUTHORIZATION
OTHER TRANSACTION INFORMATION
THE MERCHANT SENDS THE FOLLOWING TO THE PAYMENT GATEWAY
- THE ENCRYPTED AUTHORIZATION REQUEST AND THE ENCRYPTED KEY B
- CARDHOLDER'S AND MERCHANT'S CERTIFICATES
- THE FOLLOWING INFORMATION AS RECEIVED FROM THE CARDHOLDER:
  - PI + DS + H[OI] (ALL ENCRYPTED USING KEY A)
  - KEY A + CARDHOLDER INFORMATION (ALL ENCRYPTED USING THE PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
AFTER RECEIVING THE AUTHORIZATION REQUEST, THE PAYMENT GATEWAY PROCESSES IT AS FOLLOWS
- OBTAINS KEY B BY MEANS OF DECRYPTION AND USES IT TO DECRYPT THE AUTHORIZATION REQUEST
- VERIFIES MERCHANT'S CERTIFICATES AND DIGITAL SIGNATURE ON THE AUTHORIZATION REQUEST
- OBTAINS KEY A AND THE CARDHOLDER INFORMATION BY MEANS OF DECRYPTION
- USES KEY A TO OBTAIN THE PI, DS AND H[OI]
- VERIFIES THE DS ACCORDINGLY
PAYMENT AUTHORIZATION
THE PAYMENT GATEWAY ALSO VERIFIES THAT THE RECEIVED TRANSACTION ID IS THE SAME AS THE ONE IN THE PI
BY CHECKING THE ORDER DESCRIPTION IN THE AUTHORIZATION REQUEST MESSAGE, IT CAN BE VERIFIED THAT THE ORDER HAS BEEN ACCEPTED BY THE CARDHOLDER AND THE MERCHANT
UPON ALL SUCCESSFUL VERIFICATIONS, THE PAYMENT GATEWAY FORWARDS THE AUTHORIZATION REQUEST TO THE ISSUER VIA THE CURRENT PAYMENT SYSTEM
AFTER RECEIVING THE AUTHORIZATION FROM THE ISSUER THROUGH THE CURRENT SYSTEM, THE PAYMENT GATEWAY SENDS AN AUTHORIZATION RESPONSE TO THE MERCHANT
PAYMENT AUTHORIZATION
THE PAYMENT GATEWAY SENDS THE FOLLOWING TO THE MERCHANT
- SIGNED AUTHORIZATION RESPONSE (ENCRYPTED BY KEY C)
- KEY C (ENCRYPTED BY MERCHANT'S PUBLIC KEY EXCHANGE KEY)
- SIGNED CAPTURE TOKEN (ENCRYPTED BY KEY D)
- KEY D + CARDHOLDER INFORMATION (ENCRYPTED BY PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
AFTER RECEIVING THE AUTHORIZATION RESPONSE FROM THE PAYMENT GATEWAY, THE MERCHANT OBTAINS KEY C BY DECRYPTION AND USES IT TO DECRYPT AUTHORIZATION RESPONSE
THE MERCHANT VERIFIES THE PAYMENT GATEWAY'S CERTIFICATE AND THE DIGITAL SIGNATURE ON THE AUTHORIZATION RESPONSE
AFTER OBTAINING THE AUTHORIZATION, THE MERCHANT THEN COMPLETES THE ORDER ACCORDINGLY
PAYMENT CAPTURE
TO BEGIN WITH THE PAYMENT CAPTURE
THE CAPTURE REQUEST IS FIRST SIGNED BY
E IS THEN ENCRYPTED BY USING PUBLIC KEY EXCHANGE OF THE PAYMENT GATEWAY TO FORM THE DIGITAL ENVELOPE
PAYMENT CAPTURE
THE MERCHANT SENDS THE FOLLOWING TO THE PAYMENT GATEWAY:
- SIGNED CAPTURE REQUEST (ENCRYPTED BY USING KEY E)
- KEY E (ENCRYPTED BY USING PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
- SIGNED CAPTURE TOKEN (ENCRYPTED BY USING KEY D)
- KEY D + CARDHOLDER INFORMATION (ENCRYPTED BY USING PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
- MERCHANT'S DIGITAL CERTIFICATES
AFTER RECEIVING THE CAPTURE REQUEST, THE PAYMENT GATEWAY OBTAINS KEY E BY DECRYPTION AND USES IT TO DECRYPT CAPTURE REQUEST
THE PAYMENT GATEWAY ALSO VERIFIES THE DIGITAL SIGNATURE OF THE CAPTURE REQUEST BY USING MERCHANT'S PUBLIC KEY
PAYMENT CAPTURE
THE PAYMENT GATEWAY OBTAINS KEY D BY DECRYPTION, USES THE KEY TO DECRYPT THE CAPTURE TOKEN, AND VERIFIES THE CAPTURE TOKEN
AFTER SUCCESSFUL VERIFICATION THE PAYMENT GATEWAY SENDS A PAYMENT TRANSFER REQUEST TO THE ISSUER VIA THE CURRENT SYSTEM
THE CAPTURE RESPONSE CREATED BY PAYMENT GATEWAY IS SIGNED BY USING ITS PRIVATE SIGNATURE KEY AND IS ENCRYPTED BY RANDOM SYMMETRIC KEY F
F IS ENCRYPTED BY USING MERCHANT'S PUBLIC KEY EXCHANGE KEY TO FORM THE DIGITAL ENVELOPE
PAYMENT CAPTURE
THE PAYMENT GATEWAY FORWARDS THE FOLLOWING INFORMATION TO THE MERCHANT:
- SIGNED CAPTURE RESPONSE (ENCRYPTED BY KEY F)
- KEY F (ENCRYPTED BY PUBLIC KEY EXCHANGE KEY)
- PAYMENT GATEWAY'S DIGITAL CERTIFICATES
AFTER RECEIVING THE CAPTURE RESPONSE, THE MERCHANT DECRYPTS IT ACCORDINGLY AND VERIFIES THE DIGITAL SIGNATURE.
SMART CARD COMPONENTS
CENTRAL PROCESSING UNIT: 8-BIT MICROPROCESSOR THAT CONTROLS THE OPERATION OF THE SMART CARD.
RAM: USED TO STORE TEMPORARY DATA.
EPROM: USED TO STORE LONG-TERM DATA LIKE CRYPTOGRAPHIC KEYS.
ROM: USED TO STORE PERMANENT DATA SUCH AS THE OPERATING SYSTEM.
I/O INTERFACE: IT PROVIDES DATA INPUT/OUTPUT FUNCTIONS
SMART CARD COMPONENTS
LEVERAGES THE CHECK PAYMENTS SYSTEM, A CORE COMPETENCY OF THE BANKING INDUSTRY.
FITS WITHIN CURRENT BUSINESS PRACTICES
WORKS LIKE A PAPER CHECK DOES BUT IN PURE ELECTRONIC FORM, WITH FEWER MANUAL STEPS.
CAN BE USED BY ALL BANK CUSTOMERS WHO HAVE CHECKING ACCOUNTS
DIFFERENT FROM ELECTRONIC FUND TRANSFERS
HOW DOES ELECTRONIC CHEQUE WORK?
EXACTLY SAME WAY AS PAPER
CHECK WRITER "WRITES" THE E-CHECK USING ONE OF MANY TYPES OF ELECTRONIC DEVICES
"GIVES" THE E-CHECK TO THE PAYEE ELECTRONICALLY.
PAYEE "DEPOSITS" E-CHECK, RECEIVES CREDIT,
PAYEE'S BANK "CLEARS" THE E-CHECK TO THE PAYING BANK.
PAYING BANK VALIDATES THE E-CHECK AND "CHARGES" THE CHECK WRITER'S ACCOUNT FOR THE CHECK.
ANONYMOUS E-PAYMENT PROCESS
[Figure: anonymous e-payment process. Recoverable labels: 1. WITHDRAW MONEY: CRYPTOGRAPHICALLY ENCODED TOKENS; CUSTOMER; MERCHANT]