Assignment on Secure Electronic Transaction

  • 8/10/2019 Assignment on Secure Electronic Transaction

    CENTRAL UNIVERSITY OF BIHAR

    PROJECT REPORT ON

    SECURE ELECTRONIC TRANSACTION

    Submitted by: Subhash Prasad, 3rd Sem MSc (CS), Enrolment No-CUB1302312014, Dept of Computer Science, CUB Patna

    Submitted to: Mr. Nemi Chandra Rathore, Dept of Computer Science, CUB Patna


    INTRODUCTION

    WHAT IS SECURE ELECTRONIC TRANSACTION:-

    SET is an open encryption and security specification designed to protect credit card transactions on the Internet. This is the protocol used by every credit card company to protect credit card transactions. When we use a credit card to buy a product online and pay for it, Secure Electronic Transaction helps ensure that third parties cannot access our credit card for fraudulent purposes. We use the Internet to pay our merchant by credit card, but the channel is not secure. We cannot be sure that the channel is secure, but the Secure Electronic Transaction protocol uses certain algorithms to make the payment process secure, so that no hacker or fraudulent party is able to access our credit card.

    REQUIREMENTS THAT SECURE ELECTRONIC TRANSACTION MUST PROVIDE:-

    Provide confidentiality of ordering and payment information.

    Ensure the integrity of all transmitted data.

    Provide authentication that a cardholder is a legitimate user of a credit card account.

    Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution.


    HISTORY OF SECURE ELECTRONIC TRANSACTION:-

    Secure Electronic Transaction was developed by the SET Consortium, established in 1996 by VISA and MasterCard in cooperation. The consortium's goal was to combine the card associations' similar but incompatible protocols into a single standard. MasterCard and Visa realized that, for e-commerce payment processing, software vendors were coming up with new and conflicting standards, driven mainly by Microsoft on one hand and IBM on the other. After this there were many improvements in the area of secure electronic transactions, because the major issue is to provide security for the credit card holder.

    Secure Electronic Transaction allows parties to exchange information securely with one another and to identify each other, without that information becoming known to a third party or unauthorized person who is not part of the system. The consortium provides every party with a certificate based on X.509, and this certificate states all the rules, regulations and criteria. The SET consortium used cryptographic algorithms to encrypt the message into an unintelligible form, so that unauthorized parties are not able to decrypt the message or understand its content. The consortium provides a unique certificate for each user's credit card number.

    SET became a standard payment method on the Internet between merchants, buyers and credit card companies. However, it did not gain much publicity in the market or among buyers, and it did not come into widespread use by users, buyers or credit card companies.

    Some of the reasons are given below.

    Network effect - need to install client software.

    Cost and complexity for merchants to offer support, contrasted with the comparatively low cost and simplicity of the existing SSL-based alternative.

    Client-side certificate distribution logistics.


    KEY FEATURES:-

    Confidentiality of information.

    A credit card holder's personal and payment information is secured as it travels across the network. One of the most interesting features of Secure Electronic Transaction is that the seller (merchant) never sees the cardholder's credit card number provided by the bank. To achieve confidentiality of information, the Secure Electronic Transaction protocol uses the Data Encryption Standard (DES), because DES provides confidentiality.

    Integrity of Data.

    Payment information sent from cardholders to merchants includes order information, personal information and payment instructions. Secure Electronic Transaction guarantees that these message contents are not changed by a third party or adversary, since all the message contents are sent over an insecure channel. SET uses RSA digital signatures to check the message contents, that is, whether or not the message came from a valid source.

    Cardholder account authentication.

    Secure Electronic Transaction enables merchants to verify that a cardholder has a valid card account number. The protocol uses X.509 certificates and digital signatures to verify the cardholder's account. Without proper verification of the cardholder's account, no processing is done.

    Merchant authentication.

    Secure Electronic Transaction enables cardholders to verify that a merchant has a relationship with a financial institution allowing it to accept payment cards. Here too, an X.509 certificate is used to verify the merchant. Every merchant also has a unique X.509 certificate. The protocol uses RSA to verify merchant authentication.


    X.509 Authentication Service:-

    This is an authentication service in which a public certificate is uniquely associated with each user. Certificates are created by a trusted authority (Certificate Authority); generally this is a government authority. The certificate is in the public domain, which means everyone is able to see it. The certificate authority signs two keys for a single financial institution. The institution makes one key public and keeps the other key secret; the secret key is not known to anyone else, including the certifying authority.

    X.509 CERTIFICATE FORMAT:-


    SECURE ELECTRONIC TRANSACTION PARTICIPANTS:-

    Cardholder

    An authorized holder of a payment card, such as MasterCard or VISA, that has been issued by an authorized issuer. Credit card companies issue the credit card to users who take the service from the issuing company. The card is verified by the issuing company. Only a valid cardholder can take the service from the issuing credit card company.

    Merchant

    A merchant is a business person or business organization that trades products to earn a profit. The merchant or business organization sells its product to a buyer and takes payment by credit card. A merchant that accepts credit cards must have a relationship with an acquirer.

    Issuer

    Generally, banks provide the credit card service to users. Banks such as SBI, ICICI and HDFC issue credit cards to their users so that they can buy products by credit card.

    Acquirer

    An acquiring bank is a bank or financial institution that processes credit or debit card payments on behalf of a merchant. It is a financial institution that establishes an account with the merchant and processes credit card authorizations and payments. The acquirer provides authorization to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit.

    Payment gateway

    The payment gateway is a function that provides the interface between Secure Electronic Transaction and the back end or the cardholder. Ensuring that the payment is carried out securely is the task of the payment gateway.


    Certification authority

    The certificate authority is the authority that provides the digital signature. It provides the public key for the cardholder, merchant and payment gateway. The public key and digital signature are in the public domain for everyone.

    Events required for a Successful SET Transaction:-

    Customer opens an account:-

    The customer gets a credit account from a credit card issuing organization that supports electronic payment and Secure Electronic Transaction.

    Customer receives a certificate:-

    The customer receives an X.509 certificate signed by the organization that provides the credit card account.

    Merchant Certificates:-

    Merchants also have their own certificates. The merchant must have two certificates for the two public keys it owns: one for signing messages and one for key exchange. The merchant also needs a copy of the payment gateway's public-key certificate.

    Customer Places Orders:-

    His certificate

    His order details, unencrypted

    His bank account details encrypted with the bank's public key


    Merchant Verification:-

    The merchant sends an order form to the customer, as well as a copy of the merchant's certificate, so the customer can verify that he is dealing with a valid store.

    Order and Payment Sent:-

    The customer sends the order details and payment details, as well as the customer certificate, to the merchant. The merchant can verify whether or not it is dealing with a valid customer.

    Merchant Requests PI authorization:-

    The merchant forwards the PI to the payment gateway, to determine whether the customer has sufficient funds/credit for the purchase.

    Merchant confirms the order:-

    The merchant sends a confirmation message to the customer stating whether or not the order has been confirmed.

    Merchant ships goods and services:-

    The merchant ships the goods according to the customer's details.

    Merchant requests payment:-

    This request for payment is sent to the payment gateway, which handles payment processing.


    DUAL SIGNATURE:-

    The purpose of the dual signature is to link two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant doesn't need to know the customer's credit card number, and the bank doesn't need to know the details of the customer's order. The customer is afforded extra protection in terms of privacy by keeping these two items separate. However, the two items must be linked in a way that can be used to resolve disputes if necessary. The link is needed so that the customer can prove that this payment is intended for this order and not for some other goods or services.


    Payment Gateway Authorization:-

    verifies all certificates

    decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block

    verifies merchant's signature on authorization block

    decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block

    verifies dual signature on payment block

    verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer

    requests & receives an authorization from issuer

    sends authorization response back to merchant
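
    An added example, not part of the original report, of how the dual signature lets the merchant and the payment gateway each verify the link between OI and PI while seeing only a digest of the other half: the cardholder signs H(H(PI) || H(OI)). The toy RSA key, the use of SHA-256 (SET specified SHA-1), the field names and the sample messages are assumptions constructed for illustration; certificates and digital envelopes are left out.

```python
import hashlib

# Toy textbook-RSA cardholder key, constructed for this example and NOT secure
# (Mersenne primes, no padding). In SET the public half sits in an X.509 cert.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# Constructed sample messages; the field names are assumptions for this sketch.
OI = b"txn=1001;item=textbook;total=25.00"
PI = b"txn=1001;card=0000000000000000;amount=25.00"

def h(data: bytes) -> bytes:
    """Message digest (SHA-256 here; SET itself specified SHA-1)."""
    return hashlib.sha256(data).digest()

def pomd(pimd: bytes, oimd: bytes) -> int:
    """Payment-order digest H(H(PI) || H(OI)): the value that links PI to OI."""
    return int.from_bytes(h(pimd + oimd), "big")

def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: one private-key signature over the linked digests."""
    return pow(pomd(h(pi), h(oi)), D, N)

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI plus only the digest of PI, never the card number."""
    return pow(ds, E, N) == pomd(pimd, h(oi))

def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Gateway holds PI plus only the digest of OI, never the order details."""
    return pow(ds, E, N) == pomd(h(pi), oimd)

def gateway_authorize(pi: bytes, oimd: bytes, ds: int, merchant_txn: str) -> bool:
    """Two gateway checks from the list above: dual signature, then txn ID match."""
    fields = dict(kv.split("=", 1) for kv in pi.decode().split(";"))
    return gateway_verify(pi, oimd, ds) and fields.get("txn") == merchant_txn

if __name__ == "__main__":
    ds = dual_sign(PI, OI)
    print("merchant accepts genuine order:", merchant_verify(OI, h(PI), ds))
    swapped = OI.replace(b"textbook", b"laptop")
    print("merchant accepts swapped order:", merchant_verify(swapped, h(PI), ds))
    print("gateway authorizes txn 1001:", gateway_authorize(PI, h(OI), ds, "1001"))
    print("gateway authorizes txn 2002:", gateway_authorize(PI, h(OI), ds, "2002"))
```

    Because the signature covers both digests, changing either the order or the payment after signing makes verification fail for both recipients, which is what allows a dispute over "this payment for this order" to be settled.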

    THANK YOU.

    REGARDS

    SUBHASH PRASAD