8/10/2019 Assignment on Secure Electronic Transaction
CENTRAL UNIVERSITY OF BIHAR
PROJECT REPORT ON
SECURE ELECTRONIC TRANSACTION
Submitted by:
Subhash Prasad
3rd Sem MSc (CS)
Enrolment No-CUB1302312014
Dept of Computer Science
CUB Patna
Submitted to:
Mr. Nemi Chandra Rathore
Dept of Computer Science
CUB Patna
INTRODUCTION
WHAT IS SECURE ELECTRONIC TRANSACTION:-
SET is an open encryption and security specification designed to
protect credit card transactions on the Internet. It is the protocol
used by every credit card company to protect credit card transactions.
When we buy a product online and pay by credit card, Secure Electronic
Transaction helps ensure that third parties cannot access our credit
card for fraudulent purposes. We use the Internet to send the payment
to the merchant, but the channel is not secure. Since we cannot be sure
that the channel is secure, the Secure Electronic Transaction protocol
uses algorithms to secure the payment process, so that no hacker or
fraudulent party is able to access our credit card.
REQUIREMENTS THAT SECURE ELECTRONIC TRANSACTION MUST
PROVIDE:-
Provide confidentiality of ordering and payment information.
Ensure the integrity of all transmitted data
Provide authentication that a cardholder is a legitimate user of a
credit card account.
Provide authentication that a merchant can accept credit card
transactions through its relationship with a financial institution.
HISTORY OF SECURE ELECTRONIC TRANSACTION:-
Secure Electronic Transaction was developed by the SET Consortium,
established in 1996 by VISA and MasterCard in cooperation. The
consortium's goal was to combine the card associations' similar but
incompatible protocols into a single standard. MasterCard and Visa
realized that, for e-commerce payment processing, software vendors were
coming up with new and conflicting standards, led mainly by Microsoft on
one hand and IBM on the other. After this there were many improvements in
the area of secure electronic transactions, because the major issue is to
provide security for the credit card holder.
Secure Electronic Transaction allowed parties to exchange information
securely with one another and to identify each other, without exposing
it to a third or illegitimate party that is not part of the system. The
consortium provides a certificate for every party based on X.509, and
this certificate states all the rules, regulations and criteria. The SET
consortium used cryptographic algorithms to encrypt the message into an
unintelligible form, so that non-authorized parties are not able to
decrypt the message or understand its content. The consortium provides a
unique certificate for each user's credit card number.
SET was to become the standard payment method on the Internet between the
merchants, the buyers and the credit card companies. However, it did not
gain much publicity in the market or among buyers, and it did not come
into widespread use by users, buyers or credit card companies.
Some of the reasons are given below.
Network effect - need to install client software.
Cost and complexity for merchants to offer support, contrasted with the
comparatively low cost and simplicity of the existing SSL based
alternative.
Client-side certificate distribution logistics.
KEY FEATURES:-
Confidentiality of information.
A credit card holder's personal and payment information is secured as it
travels across the network. One of the most interesting features of
Secure Electronic Transaction is that the seller (the merchant) never
sees the credit card number that the bank provided to the card holder. To
achieve confidentiality of information, the Secure Electronic
Transaction protocol uses the Data Encryption System (DES), because DES
provides confidentiality.
Integrity of Data.
Payment information sent from card holders to merchants includes
order information, personal information and payment instructions.
Secure Electronic Transaction guarantees that these message contents
are not changed by a third party or adversary, even though all the
message contents are sent over an insecure channel. SET uses RSA
digital signatures to check the message contents, that is, whether the
message came from a valid source or not.
Cardholder account authentication.
Secure Electronic Transaction enables merchants to verify that a card
holder has a valid card account number. The protocol uses X.509
certificates and digital signatures to verify the card holder's account.
Without proper verification of the card holder's account, no processing
is done.
Merchant authentication.
Secure Electronic Transaction enables cardholders to verify that a
merchant has a relationship with a financial institution allowing it to
accept payment cards. Here too an X.509 certificate is used to verify the
merchant. Every merchant also has a unique X.509 certificate. The
protocol uses RSA to verify the merchant's authenticity.
X.509 Authentication Service:-
This is an authentication service in which a public certificate is
uniquely associated with each user. Certificates are created by a
trusted authority (Certificate Authority); generally this is a government
authority. The certificate is in the public domain, which means everyone
is able to see it. The certificate authority signs two keys for a
single financial institution. The institution makes one key public and
keeps the other key secret. The secret key is not known to anyone else,
not even to the certifying authority.
X.509 CERTIFICATE FORMAT:-
SECURE ELECTRONIC TRANSACTION PARTICIPANTS:-
Cardholder
An authorized holder of a payment card, such as MasterCard or VISA, that
has been issued by an authorized issuer. Credit card companies issue
credit cards to the users who take service from the issuing company. The
card is verified by the issuing company. Only a valid card holder can
take service from the issuing credit card company.
Merchant
A merchant is a business person or business organization that trades
products to earn a profit. The merchant or business organization sells
products to the buyer and takes payment by credit card. A
merchant that accepts credit cards must have a relationship with an
acquirer.
Issuer
Generally banks provide the credit card service to users. Banks such as
SBI, ICICI and HDFC issue credit cards to their users so that they can
buy products by credit card.
Acquirer
An acquiring bank is a bank or financial institution that processes credit
or debit card payments on behalf of a merchant. This is a financial
institution that establishes an account with the merchant and processes
credit card authorizations and payments. The acquirer provides
authorization to the merchant that a given card account is active and
that the proposed purchase does not exceed the credit limit.
Payment gateway
The payment gateway is a function that provides the interface between
Secure Electronic Transaction and the backward or card holder. Checking
whether your payment has been made securely is the task of the payment
gateway.
Certification authority
The certificate authority is the authority that provides the digital
signature. It provides the public keys for the card holder, merchant and
payment gateway. The public key and digital signature are in the public
domain for everyone.
Events required for a Successful SET Transaction:-
Customer Opens an account:-
The customer gets a credit account from a credit card issuing
organization that supports electronic payment and Secure Electronic
Transaction.
Customer receives a certificate:-
The customer receives an X.509 certificate signed by the organization
that provides the credit card account.
Merchant Certificates:-
Merchants also have their own certificates.
The merchant must have two certificates for the two public keys it owns.
It uses one for signing messages and one for key exchange. The merchant
also needs a copy of the payment gateway's public-key certificate.
Customer Placed Orders:-
His certificate
His order details, unencrypted
His bank account details encrypted with the bank's public key
Merchant Verification:-
The merchant sends an order form to the customer, as well as a copy of the
merchant's certificate, so the customer can verify that he is dealing with
a valid store.
Order and Payment Sent:-
The customer sends the order details and payment details, as well as the
customer certificate, to the merchant. The merchant can verify whether it
is dealing with a valid customer or not.
Merchant Requests PI authorization:
The merchant forwards the PI to the payment gateway, to determine
whether the customer has sufficient funds/credit for the purchase.
Merchant confirms the order:-
The merchant sends a confirmation message to the customer, stating
whether the order has been confirmed or not.
Merchants ships goods and services:-
The merchant ships the goods according to the customer's details.
Merchant requests payment:
This request for payment is sent to the payment gateway, which handles
payment processing.
DUAL SIGNATURE:-
The purpose of the dual signature is to link two messages that are intended
for two different recipients. In this case, the customer wants to send the
order information (OI) to the merchant and the payment information (PI) to
the bank. The merchant doesn't need to know the customer's credit card
number, and the bank doesn't need to know the details of the customer's
order. The customer is afforded extra protection in terms of privacy by
keeping these two items separate. However, the two items must be linked in
a way that can be used to resolve disputes if necessary. The link is needed
so that the customer can prove that this payment is intended for this order
and not for some other goods or services.
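The linkage described above, as an added example that is not part of the original report: the usual SET construction signs H(H(PI) || H(OI)), so each recipient can check the signature while holding one message in clear and only the digest of the other. SHA-256 and a toy unpadded RSA key stand in for SET's SHA-1 and RSA; all function names and sample messages are assumptions.

```python
import hashlib

# Toy RSA key, for illustration only: Mersenne primes and unpadded
# ("textbook") signing are not safe for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # cardholder's private exponent

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def dual_sign(oi: bytes, pi: bytes):
    """Cardholder: one signature over H(H(PI) || H(OI))."""
    pimd, oimd = h(pi), h(oi)
    pomd = int.from_bytes(h(pimd + oimd), "big")
    return pimd, oimd, pow(pomd, D, N)

def _signature_matches(pimd: bytes, oimd: bytes, ds: int) -> bool:
    return pow(ds, E, N) == int.from_bytes(h(pimd + oimd), "big")

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI in clear but only the digest of PI."""
    return _signature_matches(pimd, h(oi), ds)

def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI in clear but only the digest of OI."""
    return _signature_matches(h(pi), oimd, ds)

# Constructed sample messages (not real card data).
OI = b"order 1001: 2 x textbook, total 40.00"
PI = b"card 0000-0000-0000-0000, amount 40.00, order 1001"
OTHER_OI = b"order 2002: 1 x laptop, total 900.00"

def demo() -> dict:
    pimd, oimd, ds = dual_sign(OI, PI)
    return {
        "merchant_ok": merchant_verify(OI, pimd, ds),
        "gateway_ok": gateway_verify(PI, oimd, ds),
        # Dispute case: the same payment presented against another order.
        "swapped_order": merchant_verify(OTHER_OI, pimd, ds),
        "swapped_digest": gateway_verify(PI, h(OTHER_OI), ds),
    }

if __name__ == "__main__":
    print(demo())
```

The two `swapped_*` results are the dispute case from the paragraph above: a payment cannot be re-attached to a different order without invalidating the cardholder's signature.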
Payment Gateway Authorization:-
verifies all certificates
decrypts digital envelope of authorization block to obtain symmetric
key & then decrypts authorization block
verifies merchant's signature on authorization block
decrypts digital envelope of payment block to obtain symmetric key
& then decrypts payment block
verifies dual signature on payment block
verifies that transaction ID received from merchant matches that in
PI received (indirectly) from customer
requests & receives an authorization from issuer
sends authorization response back to merchant
THANK YOU.
REGARDS
SUBHASH PRASAD