Security for E-Payments

• Public key infrastructure (PKI)—a scheme for securing e-payments using public key encryption and the technical components around it (certificates, certificate authorities, and the software that issues, distributes and revokes keys)
• Foundation of a number of network applications:
  – Supply chain management
  – Virtual private networks
  – Secure e-mail
  – Intranet applications

Security for E-Payments

• Public key encryption
  – Encryption (cryptography)—the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time consuming for an unauthorized person without the key to unscramble (decrypt) it

Security for E-Payments (cont.)

• All encryption has four basic parts:
  – Plaintext—an unencrypted message in human-readable form
  – Ciphertext—a plaintext message after it has been encrypted into unreadable form
  – Encryption algorithm—the mathematical procedure that turns plaintext into ciphertext and, given the right key, ciphertext back into plaintext
  – Key—the value the algorithm combines with the message; security rests on the key staying secret (in a symmetric system the shared key, in a public key system only the private half), not on the algorithm being secret

Security for E-Payments (cont.)

• Two major classes of encryption systems:
  – Symmetric (private key)
    · One key is used both to encrypt and to decrypt the plaintext
    · Shared by sender and receiver of the text, so it must first be exchanged over a secure channel
  – Asymmetric (public key)
    · Uses a pair of keys
    · Public key to encrypt the message
    · Private key to decrypt the message
    · Used the other way round, the private key signs and the public key verifies (digital signatures, later slides)

http://www.uic.edu/depts/accc/newsletter/adn26/index.html

Security for E-Payments (cont.)

• Public key encryption—method of encryption that uses a pair of keys—a public key to encrypt a message and a private key (kept only by its owner) to decrypt it, or vice versa
  – Private key—secret key held only by its owner
  – Public key—the other half of the pair, published openly so that anyone can use it; it must be possible to publish it without revealing the private key

[Figure: Private Key Encryption]

[Figure: Key Sizes & Time to Try All Possible Keys]

Security for E-Payments (cont.)

• Digital signatures—a value computed over a message or document with the sender’s private key that anyone holding the matching public key can check; it identifies the sender
• Used to:
  – Authenticate the identity of the sender of a message or document
  – Ensure the original content of the electronic message or document is unchanged (integrity)
  – Because only the holder of the private key could have produced it, the sender cannot later deny having signed (non-repudiation)

Security for E-Payments (cont.)

• Digital signatures—how they work:

1. Create an e-mail message with the contract in it
2. Using special software, you “hash” the message, converting it into a fixed-length string of digits (message digest)
3. You use your private key to encrypt the hash (this is your digital signature; real signature schemes such as RSA-PSS or ECDSA add padding or other structure to this step, but the idea is the same)
4. E-mail the original message along with the encrypted hash to the receiver
5. Receiver uses the same special software, with the same hash function, to hash the message they received
6. Receiver uses your public key to decrypt the message hash that you sent. If their hash matches the decrypted hash, then the message is valid: it came from the holder of your private key and was not altered in transit

[Figure: Digital Signatures]

Security for E-Payments (cont.)

• Digital certificates—a signed document that binds a public key to the identity of its holder, so a verifier can check that whoever holds the matching private key is who he or she claims to be
• Certificate authorities (CAs)—third parties that issue digital certificates

Sample certificate contents shown on the slide:
  Name: “Richard”
  Key-Exchange Key:
  Signature Key:
  Serial #: 29483756
  Other Data: 10236283025273
  Expires: 6/18/04
  Signed: CA’s Signature

Crypto, Digital Signature and Digital Certificates

• Cryptography provides security by using encryption
  – Ensures privacy (confidentiality); combined with hashing and signatures it also provides integrity and authentication
• Digital signatures play the role of a handwritten signature, and also detect any change to what was signed
  – In the United States the E-SIGN Act (2000) makes them just as legally binding as a signed paper document
• Digital certificates use cryptographic techniques to prove identity

[Figure: Digital Signature. The sender adds a digital signature (DS) to the plaintext of each message; DS plus plaintext is then encrypted for confidentiality and sent to the receiver. Adding a digital signature to each message provides message-by-message authentication.]

Digital Signature: Sender

To create the digital signature:
1. Hash the plaintext to create a brief message digest (MD); this is NOT the digital signature
2. Sign (encrypt) the message digest with the sender’s private key to create the digital signature (DS)

[Figure: Plaintext → Hash → MD → Sign (encrypt) MD with sender’s private key → Digital Signature]

Send plaintext plus digital signature, encrypted with a symmetric session key: the sender encrypts the transmission (DS + plaintext) and the receiver decrypts it

Digital Signature: Receiver

1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest
2. Decrypt the digital signature with the true party’s public key. This also should give the message digest
3. If the two match, the message is authenticated: the sender holds the true party’s private key (provided the verifier really has the true party’s public key, see the next slide)

[Figure: Received plaintext → Hash → MD; DS → Decrypt with true party’s public key → MD; are they equal?]

Public Key Deception

Impostor versus Verifier; the Verifier must authenticate the True Person (TP):

1. Impostor: “I am the True Person.”
2. Impostor: “Here is TP’s public key.” (sends the Impostor’s own public key). This is the critical deception: the Verifier now believes it has TP’s public key
3. Impostor: “Here is authentication based on TP’s private key.” (really the Impostor’s private key). The Verifier believes the True Person is authenticated, because it checked against the Impostor’s public key
4. Verifier: “True Person, here is a message encrypted with your public key.” The message is really encrypted with the Impostor’s public key, so the Impostor can decrypt it

Digital Certificates

• Digital certificates are electronic documents that give the true party’s name and public key, signed by a certificate authority
• Applicants claiming to be the true party are tested with this public key: they must prove possession of the matching private key
• If they are not the true party, they cannot use the true party’s private key and so will not be authenticated
• Digital certificates follow the X.509 standard

Digital Signatures and Digital Certificates

• Public key authentication requires both a digital signature and a digital certificate: the certificate supplies the public key needed to test the digital signature, and the verifier trusts that key only because the certificate authority signed the binding between the true party’s name and the key

[Figure: Certificate Authority issues a Digital Certificate (True Party’s Public Key) to the Applicant; the Applicant sends DS + Plaintext to the Verifier, who tests the DS with the certified public key]

Standards for E-Payments

• Secure socket layer (SSL)—protocol that utilizes standard (X.509) certificates for authentication and data encryption to ensure privacy or confidentiality
• Transport Layer Security (TLS)—the IETF standardization and successor of SSL: TLS 1.0 (1999) replaced SSL 3.0 (1996), and all SSL versions are now deprecated; the name “SSL” survives mainly in product names and APIs
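
How a client actually obtains the authentication this slide describes, as an added example that is not from the slides: Python’s standard ssl module, with the weak client settings beside hardened ones. No connection is opened; the optional private CA file is an assumption.

```python
"""Client-side TLS settings: weak beside hardened (added example, standard library only)."""
import ssl

def insecure_client_context():
    """Encrypts, but verifies nothing: any party in the path can present its own key,
    which is the public key deception from the earlier slides, carried out by a machine."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context(private_ca_file=None):
    """Require a certificate that chains to a trusted CA and matches the host name, over TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    if private_ca_file:  # e.g. an internal payment gateway certified by a company CA (assumption)
        ctx.load_verify_locations(cafile=private_ca_file)
    return ctx

def describe(ctx):
    """Plain-value summary of the settings that decide whether the server is authenticated."""
    return {
        "verifies_peer_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }
```

With the hardened context, `ctx.wrap_socket(sock, server_hostname="gateway.example")` (host name assumed) fails the handshake unless the server’s certificate is signed by a trusted CA and names that host; the insecure context accepts any certificate, so the encryption protects against eavesdropping only, not against an impostor.
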

Standards for E-Payments (cont.)

• Secure Electronic Transaction (SET)—a protocol designed to provide secure online credit card transactions for both consumers and merchants; developed jointly by Visa, MasterCard, Netscape and others, it never achieved wide adoption

Electronic Cards and Smart Cards

• Payment cards—electronic cards that contain information that can be used for payment purposes
  – Credit cards—provide the holder with credit to make purchases up to a limit fixed by the card issuer
  – Charge cards—the balance on a charge card is supposed to be paid in full upon receipt of the monthly statement
  – Debit card—the cost of a purchase is drawn directly from the holder’s checking account (demand-deposit account)

Electronic Cards and Smart Cards (cont.)

• The players
  – Cardholder
  – Merchant (seller)
  – Issuer (your bank)
  – Acquirer (merchant’s financial institution, acquires the sales slips)
  – Card association (VISA, MasterCard)
  – Third-party processors (outsourcers performing the same duties formerly provided by issuers, etc.)

[Figure: Online Credit Card Processing]

Electronic Cards and Smart Cards (cont.)

• Credit card gateway—an online connection that ties a merchant’s systems to the back-end processing systems of the credit card issuer
• Virtual credit card—an e-payment system in which a credit card issuer gives a special transaction number that can be used online in place of regular credit card numbers

Electronic Cards and Smart Cards (cont.)

• Electronic wallets (e-wallets)—a software component in which a user stores credit card numbers and other personal information; when shopping online, the user simply clicks the e-wallet to automatically fill in the information needed to make a purchase
  – One-click shopping—saving your order information on the retailer’s Web server
  – E-wallet—software downloaded to the cardholder’s desktop that stores the same information and allows one-click-like shopping

Electronic Cards and Smart Cards (cont.)

• Security risks with credit cards
  – Stolen cards, and stolen card numbers, which are enough for card-not-present purchases online
  – Reneging (repudiation) by the customer—authorizes a payment and later denies it, leaving the merchant with a chargeback
  – Theft of card details stored on the merchant’s computer—isolate the computer storing the information so it cannot be accessed directly from the Web; better still, keep no card numbers on the Web-facing system at all

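
One way to act on the last risk, as an added example that is not from the slides: the Web-facing order record never holds the card number, only a random token and the last four digits, while the number itself lives in a separate store (the slide’s isolated computer, represented here by an in-memory class). The Luhn checksum is the real card-number check-digit algorithm; the vault, the field names and the card number (a standard test number) are constructed.

```python
"""Keep the card number out of the Web-facing merchant database (constructed example)."""
import secrets

def luhn_valid(pan):
    """Luhn check digit: every second digit from the right is doubled (minus 9 if the result exceeds 9)."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stand-in for the isolated system that alone may hold full card numbers (assumption)."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        token = secrets.token_hex(16)  # random, so the token reveals nothing about the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the payment path (the call to the card gateway) should ever reach this."""
        return self._pan_by_token[token]

def merchant_order_record(vault, pan, amount_cents):
    """What the Web-facing order database stores: a token and the last four digits, never the PAN."""
    clean = pan.replace(" ", "")
    return {"card_token": vault.tokenize(clean), "card_last4": clean[-4:], "amount_cents": amount_cents}

def record_leaks_pan(record, pan):
    """Reviewer's check: does any stored field contain the full card number?"""
    clean = pan.replace(" ", "")
    return any(clean in str(value) for value in record.values())
```

If the Web server is compromised, the attacker gets tokens that are useless outside the vault; the vault itself should sit on a network segment the Web tier can reach only through the payment path.
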
Electronic Cards and Smart Cards (cont.)

• Purchasing cards—special-purpose payment cards issued to a company’s employees to be used solely for purchasing nonstrategic materials and services up to a preset dollar limit
  – Instrument of choice for B2B purchasing

E-Cards (cont.)

• Benefits of using purchasing cards
  – Productivity gains
  – Bill consolidation
  – Payment reconciliation
  – Preferred pricing
  – Management reports
  – Control

[Figure: Participants & Process of Using a Purchasing Card]

Smart Cards

• Smart card—an electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card

Smart Cards (cont.)

• Categories of smart cards
  – Contact card—a smart card containing a small gold plate on the face that, when inserted in a smart-card reader, makes contact and so passes data to and from the embedded microchip
  – Contactless (proximity) card—a smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device

Smart Cards (cont.)

• Securing smart cards
  – It is possible to “hack” a smart card: side-channel analysis, fault injection and physical probing of the chip are practical attacks, not merely theoretical ones
    · Most cards now store the information in encrypted form
    · The same cards can also encrypt and decrypt data that is downloaded to or read from the card
  – The design goal is that the attacker’s cost of doing so far exceeds the value of what a single card protects

Smart Cards (cont.)

• Important applications of smart card use:
  – Loyalty
  – Financial
  – Information technology
  – Health and social welfare
  – Transportation
  – Identification

E-Cash and Innovative Payment Methods

• E-cash—the digital equivalent of paper currency and coins, which enables secure and anonymous purchase of low-priced items
• Micropayments—small payments, usually under $10
• Most of this work in digital cash comes from the research of Dr. David Chaum, whose blind signatures let a bank sign a coin without seeing its serial number, which is what makes the coin anonymous

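
The core of Chaum’s e-cash, a blind signature, as an added example that is not from the slides or from any product they name: the bank signs a coin’s serial number without seeing it, the customer unblinds the result into a valid coin, and the bank’s list of spent serials catches double spending. The key is the tiny textbook RSA pair p=61, q=53 (n=3233, e=17, d=2753) so the arithmetic stays visible; a real scheme uses a 2048-bit or larger key and hashes the serial before signing.

```python
"""Chaum-style blind signature for anonymous e-cash (toy key, illustration only)."""
import random

N, E, D = 3233, 17, 2753  # textbook RSA pair from p=61, q=53; far too small for real use

def gcd(a, b):
    while b:
        a, b = b, a % b
    return a

def blind(serial, rng):
    """Customer: multiply the serial by r^e so the bank sees only a random-looking number."""
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:  # r must be invertible mod N to unblind later
            return (serial * pow(r, E, N)) % N, r

def bank_sign(blinded):
    """Bank: signs the blinded value (and debits the customer's account); learns nothing about serial."""
    return pow(blinded, D, N)

def unblind(blinded_signature, r):
    """Customer: (serial * r^e)^d = serial^d * r mod N, so dividing by r leaves the bank's signature on serial."""
    return (blinded_signature * pow(r, -1, N)) % N

def coin_valid(serial, signature):
    """Anyone (a merchant, for instance) can check the bank's signature with the public key."""
    return pow(signature, E, N) == serial

class Bank:
    """Deposit side: every serial may be redeemed once; this list is what stops double spending."""
    def __init__(self):
        self.spent = set()

    def accept(self, serial, signature):
        if not coin_valid(serial, signature) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True

def run_demo(seed=42):
    rng = random.Random(seed)
    while True:  # pick a serial invertible mod N so the blinding factor always hides it
        serial = rng.randrange(1, N)
        if gcd(serial, N) == 1:
            break
    blinded, r = blind(serial, rng)
    coin = unblind(bank_sign(blinded), r)
    bank = Bank()
    return {
        "bank_never_saw_serial": blinded != serial,
        "coin_valid": coin_valid(serial, coin),
        "first_spend_accepted": bank.accept(serial, coin),
        "double_spend_rejected": not bank.accept(serial, coin),
        "forged_coin_rejected": not coin_valid(serial, (coin + 1) % N),
    }
```

The bank cannot link the deposited serial to the withdrawal because it only ever saw the blinded value, which is why the slide can call e-cash anonymous; the price is that anonymity makes double spending detectable only at deposit time, hence the spent-serial list.
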
E-Coin.net

• System consists of three participants:
  – User
    · Opens an account with eCoin.com
    · Downloads a special e-wallet to their desktop PC
    · Purchases some eCoins with a credit card
  – Merchant—embeds a special eCoin icon in its payment page
  – eCoin server—operates as a broker
    · Keeps customer and merchant accounts
    · Accepts payment requests from the customer’s e-wallet
    · Computes embedded invoices for the merchant

E-Cash and Payment Card Alternatives (cont.)

• Wireless payments
  – Vodafone “m-pay bill”—system that enables wireless subscribers to use their mobile phones to make micropayments
• Qpass (qpass.com)
  – Charges to a Qpass account are charged to a specified credit card on a monthly basis

Stored-Value Cards

• Stores cash downloaded from a bank or credit card account
  – Visa Cash—a stored-value card designed to handle small purchases or micropayments; sponsored by Visa
  – Mondex—a stored-value card designed to handle small purchases or micropayments; sponsored by Mondex, a subsidiary of MasterCard

Person-to-Person Payments

• Person-to-person (P2P) payments—e-payment schemes (such as paypal.com) that enable the transfer of funds between two individuals
  – Repaying money borrowed
  – Paying for an item purchased at an online auction
  – Sending money to students at college
  – Sending a gift to a family member

Global B2B Payments

• Letters of credit (LC)—a written agreement by a bank to pay the seller, on account of the buyer, a sum of money upon presentation of certain documents
• TradeCard (tradecard.com)—innovative e-payment method that uses a payment card

Electronic Letters of Credit (LC)

• Benefits to sellers
  – Credit risk is reduced
  – Payment is highly assured
  – Political/country risk is reduced
• Benefits to the buyer
  – Allows the buyer to negotiate for a lower purchase price
  – Buyer can expand its source of supply
  – Funds are withdrawn from the buyer’s account only after the documents have been inspected by the issuing bank

TradeCard Payments

• TradeCard allows businesses to effectively and efficiently complete B2B transactions whether large or small, domestic or cross-border, or in multiple currencies
  – Buyers and sellers interact with each other via the TradeCard system
  – System
    · Checks purchase orders for both parties
    · Awaits confirmation from a logistics company that deliveries have been made and received
    · Authorizes payment, completing the financial transaction between the buyer and seller