SECURE INTERNET PAYMENT SYSTEMS

Prepared by: Atul Dave (500530985), Shaukat Raza (500543780), Simranveer Brar (500468450)
Computer Network Security (EE8213)
Guide & Mentor: Dr. Cungang Yang
INTRODUCTION
- Incorporate the payment functions in the Internet world.
- Payment methods: cash, credit card, cheque, credit & debit transfer.
MAJOR INTERNET PAYMENT METHODS
- Secure Electronic Transaction (SET) protocol for implementing credit card payment.
- Electronic cheque system for supporting cheque payment.
- Electronic fund transfer and electronic cash system for emulating physical cash payment.
- Other methods, i.e. micropayment and smart card payment.

- Credit-card-based methods: credit card over SSL; SET.
- Electronic cheques: NetCheque.
- Anonymous payments: DigiCash; CAFE.
- Micropayments.
- Smart cards.
FEATURES OF SECURE PAYMENT METHODS
- Anonymity: whether the payment method is anonymous.
- Security: whether the method is secure.
- Overhead cost: the overhead cost must be low enough to be competitive.
- Transferability: whether a payment that has been received can be passed on to a third party without going back to the issuing bank.
- Divisibility: whether a payment can be divided into arbitrarily small payments whose sum equals the original payment.
- Acceptability: whether the method is accepted globally.
4C PAYMENT METHODS
A payment method should be:
- Very secure
- Low overhead cost
- Transferable
- User friendly (globally accepted)
- Divisible
- Anonymous
4C PAYMENT METHODS COMPARISON

Feature           Cash                 Credit card                Cheque                Credit/debit transfer
Anonymity         Yes, in general      No                         No                    No
Security          Good                 Good                       Good                  Good
Overhead cost     Lowest, in general   Higher than cash & debit   Highest, in general   Low
Transferability   Yes                  No                         No                    No
Divisibility      Not completely       Yes                        Yes                   Yes
Acceptability     Yes, in general      Yes, in general            No, in general        No, in general
SET PROTOCOL FOR CREDIT CARD PAYMENT METHOD
- The credit card is the most commonly used payment method globally.
- Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.
PROS & CONS OF SSL VS SET
- Advantage of SSL: it ensures the secure transmission of credit card information over the Internet.
- Disadvantage of SSL: it is not a complete credit card payment method. For example, it cannot support online credit card authorization, and the merchant receives the card number in the clear once the SSL connection terminates at its server.
- SET was specially developed to provide secure credit card payment over the Internet. It is backed by the major credit card companies, including Visa and MasterCard.
SET NETWORK ARCHITECTURE
[figure: SET network architecture]
SECURITY REQUIREMENTS OF THE SET PROTOCOL
SET aims at satisfying the following security requirements in the context of credit card payment:
- Confidentiality: sensitive messages are encrypted so that they are kept confidential.
- Integrity: nearly all messages are digitally signed to ensure content integrity.
- Authenticity: authentication is performed through a public key infrastructure (PKI).
SET NETWORK PARTICIPANTS
- Merchant: a seller, which is connected to an acquirer.
- Cardholder: a registered holder of the credit card, who is the buyer.
- Issuer: the bank that issues the credit card to a cardholder.
- Acquirer: the bank that serves as an agent to link a merchant to multiple issuers.
- Payment gateway: typically connected to the acquirer; it is situated between the SET system and the financial network.
SET DIGITAL CERTIFICATE SYSTEM
[figure: SET digital certificate system]
DUAL SIGNATURE GENERATION & VERIFICATION
- In the physical credit card system, the payment instructions (PI), including the cardholder's credit card number and signature, are not kept confidential. Data integrity can basically be ensured by using printed receipts. Cardholder authentication relies on simple signature checking only.
- In an electronic credit card system, the order information (OI) and the PI can be digitally signed to ensure data integrity, but the sensitive credit card information may still be disclosed to other people.
- SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.
DUAL SIGNATURE

$$DS = E_{KR_c}\big[\,H\big(H(PI)\,\|\,H(OI)\big)\big]$$

where $KR_c$ is the cardholder's private signature key, $H$ is the hash function and $\|$ denotes concatenation. The signature covers only the hash of the two hashes, so each party can be given one document in full and the other only as a hash and still check the signature.
SET PROTOCOL FOR CREDIT CARD PAYMENT
[figure: flowchart of the process]
HOW THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS
The merchant is provided with OI, H[PI] and DS. The dual signature can be verified as follows:
- Step 1: the merchant first computes H[H[PI] || H[OI]].
- Step 2: he then decrypts the dual signature with the cardholder's public signature key: D_RSA[DS | KEY_public_sign,cardholder], where KEY_public_sign,cardholder is the public signature key of the cardholder.
- Step 3: finally, he compares the two terms H[H[PI] || H[OI]] and D_RSA[DS | KEY_public_sign,cardholder].
They should be the same if the transmitted DS (and the OI and H[PI] it covers) has not been changed; otherwise the order is not valid.
HOW THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS (CONTINUED)
- The payment gateway is provided with PI, H[OI] and DS, and verifies the DS in the same way, computing H[H[PI] || H[OI]] from the PI it holds and the H[OI] it received.
- By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party: the merchant never sees the PI, and the payment gateway never sees the OI.
- If either the OI or the PI is changed, the dual signature will no longer be valid.
DIGITAL ENVELOPE
[figure: digital envelope]
- A random DES key, KEY_random, is first generated to encrypt the message M, i.e. E_DES[M | KEY_random].
- KEY_random is then encrypted with the recipient's (the VBS's) public key-exchange key, KEY_public_exchange,VBS, i.e. E_RSA[KEY_random | KEY_public_exchange,VBS].
- E_DES[M | KEY_random] and E_RSA[KEY_random | KEY_public_exchange,VBS] are sent to the VBS.
- To obtain the message M, the VBS first recovers KEY_random by decrypting E_RSA[KEY_random | KEY_public_exchange,VBS] with its private key-exchange key: D_RSA[E_RSA[KEY_random | KEY_public_exchange,VBS] | KEY_private_exchange,VBS] = KEY_random, where KEY_private_exchange,VBS denotes the private key-exchange key of the VBS.
- After obtaining KEY_random, the VBS obtains M by decrypting E_DES[M | KEY_random], i.e. D_DES[E_DES[M | KEY_random] | KEY_random] = M.
- The same construction is used for every envelope in the authorization and capture phases below. In current practice single DES is obsolete; the construction is used unchanged with AES for the body and RSA with OAEP padding for the key.
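The dual signature verification on the two preceding slides and the digital envelope on this one, carried through in code. This is an added example, not code from the slides or from the SET specification: it keeps the slides' names (OI, PI, DS, KEY_random, the public key-exchange key) but the helper functions, the sample order and the transaction ID are our own. The RSA keys are built from fixed, publicly known Mersenne primes purely so the block runs with the standard library; they are not secret, and the textbook RSA here has no padding, so nothing in it is production cryptography. DES is replaced by a SHA-256 counter-mode keystream because the standard library has no block cipher; the envelope structure (symmetric body, RSA-wrapped key) is unchanged. The demo builds a purchase request, lets the merchant verify the DS without seeing the PI, lets the gateway open the envelope and verify the DS without seeing the OI, checks the transaction ID inside the PI, and shows that an altered OI fails verification.

```python
import hashlib
import json
import secrets

E = 65537  # public exponent

def toy_rsa_keypair(p, q):
    """Textbook RSA from two fixed primes: demo only, the primes are public."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)            # (public, private)

def H(data):
    return hashlib.sha256(data).digest()

def rsa_sign(priv, digest):                        # E_KRc[digest] on the slide
    d, n = priv
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_verify(pub, sig, digest):                  # D_RSA[sig | public key] == digest
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")

def rsa_wrap(pub, key):                            # E_RSA[KEY_random | KEY_public_exchange]
    e, n = pub
    return pow(int.from_bytes(key, "big"), e, n)

def rsa_unwrap(priv, c, length):                   # D_RSA[... | KEY_private_exchange]
    d, n = priv
    return pow(c, d, n).to_bytes(length, "big")

def stream_xor(key, data):
    """Stand-in for DES: SHA-256(key || counter) keystream XORed with data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

# --- dual signature: DS = E_KRc[ H( H(PI) || H(OI) ) ] ---
def dual_signature(priv_sign, oi, pi):
    return rsa_sign(priv_sign, H(H(pi) + H(oi)))

def merchant_verify(pub_sign, oi, h_pi, ds):       # merchant holds OI, H[PI], DS
    return rsa_verify(pub_sign, ds, H(h_pi + H(oi)))

def gateway_verify(pub_sign, pi, h_oi, ds):        # gateway holds PI, H[OI], DS
    return rsa_verify(pub_sign, ds, H(H(pi) + h_oi))

# --- digital envelope: symmetric body + RSA-wrapped session key ---
def seal(pub_exchange, message):
    key_random = secrets.token_bytes(16)
    return stream_xor(key_random, message), rsa_wrap(pub_exchange, key_random)

def open_envelope(priv_exchange, envelope):
    body, wrapped = envelope
    return stream_xor(rsa_unwrap(priv_exchange, wrapped, 16), body)

def purchase_request_demo():
    """Returns (merchant_ok, gateway_ok, txid_ok, tamper_detected)."""
    ch_pub, ch_priv = toy_rsa_keypair(2**127 - 1, 2**521 - 1)   # cardholder signature key
    pg_pub, pg_priv = toy_rsa_keypair(2**107 - 1, 2**607 - 1)   # gateway key-exchange key
    txid = "TX-0001"                                             # constructed sample order
    oi = json.dumps({"txid": txid, "item": "book", "amount": "24.00"}).encode()
    pi = json.dumps({"txid": txid, "pan": "4111111111111111", "amount": "24.00"}).encode()
    ds = dual_signature(ch_priv, oi, pi)
    to_merchant = (oi, H(pi), ds)                                # OI, H[PI], DS
    to_gateway = seal(pg_pub, json.dumps(                         # PI, H[OI], DS, gateway-only
        {"pi": pi.hex(), "h_oi": H(oi).hex(), "ds": ds}).encode())
    merchant_ok = merchant_verify(ch_pub, *to_merchant)
    inner = json.loads(open_envelope(pg_priv, to_gateway))      # merchant forwarded it unopened
    pi_g, h_oi_g = bytes.fromhex(inner["pi"]), bytes.fromhex(inner["h_oi"])
    gateway_ok = gateway_verify(ch_pub, pi_g, h_oi_g, inner["ds"])
    txid_ok = json.loads(pi_g)["txid"] == txid                   # ID in PI matches merchant's request
    tampered_oi = oi.replace(b"24.00", b"2.00")                  # merchant edits the order amount
    tamper_detected = not merchant_verify(ch_pub, tampered_oi, H(pi), ds)
    return merchant_ok, gateway_ok, txid_ok, tamper_detected
```

The point to take from the demo is the split of knowledge: `merchant_verify` is never handed `pi`, `gateway_verify` is never handed `oi`, yet both check the same signature value, and editing either document breaks it for both parties.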
SET PROTOCOL ARCHITECTURE
[figure: SET protocol architecture]
SET PROTOCOL PHASES
The SET protocol has four phases: initiation, purchase, authorization and capture.
- Initiation: first, the cardholder sends a purchase initiation request to the merchant to initialize the payment; the merchant then returns a response message to the cardholder.
- Purchase: in the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
- Authorization: in the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
- Capture: finally, the merchant requests a money transfer to its account.
PAYMENT AUTHORIZATION
- The merchant needs to obtain payment authorization from the acquirer.
- The authorization request consists of: transaction ID, amount requested, message digest of the order description, and other transaction information.
- The authorization request is signed with the merchant's private signature key and then encrypted with a random symmetric key, KEY B.
- KEY B is then encrypted with the public key-exchange key of the payment gateway to form the digital envelope.
PAYMENT AUTHORIZATION (CONTINUED)
The merchant sends the following to the payment gateway:
- the encrypted authorization request and the encrypted KEY B;
- the cardholder's and merchant's certificates;
- the following information as received from the cardholder: PI + DS + H[OI] (all encrypted using KEY A), and KEY A + cardholder information (all encrypted using the payment gateway's public key-exchange key). The merchant forwards this envelope unopened, since only the payment gateway holds the matching private key-exchange key.
After receiving the authorization request, the payment gateway processes it as follows:
- obtains KEY B by decryption and uses it to decrypt the authorization request;
- verifies the merchant's certificates and the digital signature on the authorization request;
- obtains KEY A and the cardholder information by decryption;
- uses KEY A to obtain the PI, DS and H[OI];
- verifies the DS accordingly.
PAYMENT AUTHORIZATION (CONTINUED)
- The payment gateway also verifies that the received transaction ID is the same as the one in the PI.
- By checking the order description in the authorization request message, it can be verified that the order has been accepted by both the cardholder and the merchant.
- Upon all successful verifications, the payment gateway forwards the authorization request to the issuer via the existing payment system.
- After receiving the authorization from the issuer through the existing system, the payment gateway sends an authorization response to the merchant.
PAYMENT AUTHORIZATION (CONTINUED)
The payment gateway sends the following to the merchant:
- signed authorization response (encrypted by KEY C);
- KEY C (encrypted by the merchant's public key-exchange key);
- signed capture token (encrypted by KEY D);
- KEY D + cardholder information (encrypted by the payment gateway's own public key-exchange key). The merchant cannot open the capture token; it stores it and returns it unchanged with the later capture request.
After receiving the authorization response from the payment gateway, the merchant obtains KEY C by decryption and uses it to decrypt the authorization response. The merchant verifies the payment gateway's certificate and the digital signature on the authorization response. After obtaining the authorization, the merchant then completes the order accordingly.
PAYMENT CAPTURE
- To begin the payment capture process, the merchant generates a capture request that includes the transaction ID, the capture amount and other information about the capture request.
- The capture request is first signed using the private signature key of the merchant and then encrypted with a random symmetric key, KEY E.
- KEY E is then encrypted using the public key-exchange key of the payment gateway to form the digital envelope.
PAYMENT CAPTURE (CONTINUED)
The merchant sends the following to the payment gateway:
- signed capture request (encrypted using KEY E);
- KEY E (encrypted using the payment gateway's public key-exchange key);
- signed capture token (encrypted using KEY D);
- KEY D + cardholder information (encrypted using the payment gateway's public key-exchange key);
- merchant's digital certificates.
After receiving the capture request, the payment gateway obtains KEY E by decryption and uses it to decrypt the capture request. The payment gateway also verifies the digital signature of the capture request using the merchant's public signature key.
PAYMENT CAPTURE (CONTINUED)
- The payment gateway obtains KEY D by decryption, uses the key to decrypt the capture token, and verifies the capture token (which it signed itself during authorization, so a forged or altered token is rejected).
- After successful verification, the payment gateway sends a payment transfer request to the issuer via the existing system.
- The capture response created by the payment gateway is signed using its private signature key and encrypted with a random symmetric key, KEY F.
- KEY F is encrypted using the merchant's public key-exchange key to form the digital envelope.
PAYMENT CAPTURE (CONTINUED)
The payment gateway forwards the following information to the merchant:
- signed capture response (encrypted by KEY F);
- KEY F (encrypted by the merchant's public key-exchange key);
- payment gateway's digital certificates.
After receiving the capture response, the merchant decrypts it accordingly and verifies the digital signature.
SMART CARD
- An Internet payment method.
- First-generation smart cards: credit cards and bank cards.
- Smart cards are intelligent, interactive and interoperable.
SMART CARD COMPONENTS
- Central processing unit: an 8-bit microprocessor that controls the operation of the smart card.
- RAM: used to store temporary data.
- EPROM: used to store long-term data such as cryptographic keys.
- ROM: used to store permanent data such as the operating system.
- I/O interface: provides the data input/output functions.
The security value of the card rests on the keys in EPROM being used by the CPU on the card but never exported over the I/O interface.
ELECTRONIC CHEQUE
- Leverages the cheque payments system, a core competency of the banking industry.
- Fits within current business practices.
- Works like a paper cheque does, but in pure electronic form, with fewer manual steps.
- Can be used by all bank customers who have chequing accounts.
- Different from electronic fund transfers.
HOW DOES AN ELECTRONIC CHEQUE WORK?
Exactly the same way as a paper cheque:
- The cheque writer "writes" the e-cheque using one of many types of electronic devices.
- The writer "gives" the e-cheque to the payee electronically.
- The payee "deposits" the e-cheque and receives credit.
- The payee's bank "clears" the e-cheque to the paying bank.
- The paying bank validates the e-cheque and "charges" the cheque writer's account for the cheque.
ANONYMOUS E-PAYMENT PROCESS
[figure: customer, merchant and bank]
1. Withdraw money: cryptographically encoded tokens.
2. Transform so the merchant can check validity but the identity is hidden.
3. Send the token after adding the merchant's identity.
4. Check validity and send goods.
5. Deposit the token at the bank. If double spent, reveal the identity and notify the police.
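The five-step flow above in code, as an added example; it is not the slide's own scheme (the slide names none) but a simplified Chaum-style secret-splitting token in which the bank can identify a double spender yet learns nothing from a single spend. Assumptions of our own: the bank authenticates tokens with an HMAC tag instead of a blind signature, so in this toy the merchant's validity check (step 4) borrows the bank's key, where a real scheme uses a public-key signature the merchant verifies offline, and the blinding of step 2 is omitted, so this toy is not actually anonymous towards the bank; the customer's identity is split into 256 share pairs and the merchant's challenge is the SHA-256 of its identity and a nonce (step 3), so two different merchant challenges always differ in at least one bit; the account name, merchant names and nonces are constructed sample data; the "notify police" step is outside the code.

```python
import hashlib
import hmac
import secrets

K = 256  # share pairs per token; the challenge is one SHA-256 digest, so two
         # different (merchant, nonce) challenges differ in at least one bit

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def challenge_bits(merchant_id, nonce):
    """Step 3: the merchant's identity (and a nonce) fix which share is opened."""
    d = H(merchant_id, nonce)
    return [(d[i >> 3] >> (i & 7)) & 1 for i in range(K)]

class Bank:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # toy: HMAC key instead of a signing key
        self.ledger = {}                     # serial -> (bits, shares) of first deposit

    def tag(self, serial, commits):
        body = serial + b"".join(c0 + c1 for c0, c1 in commits)
        return hmac.new(self.key, body, "sha256").digest()

    def withdraw(self, identity):
        """Step 1: token = serial + commitments to share pairs (x_i, x_i XOR identity)."""
        serial, secret, commits = secrets.token_bytes(16), [], []
        for _ in range(K):
            x = secrets.token_bytes(len(identity))
            y = xor(x, identity)
            r0, r1 = secrets.token_bytes(16), secrets.token_bytes(16)
            secret.append((x, r0, y, r1))
            commits.append((H(x, r0), H(y, r1)))
        return (serial, commits, self.tag(serial, commits)), secret

    def check(self, token, bits, shares):
        """Step 4/5 validity: genuine tag and every opened share matches its commitment."""
        serial, commits, tag = token
        if not hmac.compare_digest(tag, self.tag(serial, commits)):
            return False
        return all(H(s, r) == commits[i][b]
                   for i, (b, (s, r)) in enumerate(zip(bits, shares)))

    def deposit(self, token, bits, shares):
        """Step 5: credit once; a second deposit under a different challenge exposes the payer."""
        if not self.check(token, bits, shares):
            return "rejected", None
        serial = token[0]
        if serial not in self.ledger:
            self.ledger[serial] = (bits, shares)
            return "credited", None
        pbits, pshares = self.ledger[serial]
        for i in range(K):
            if pbits[i] != bits[i]:          # both halves of pair i are now known
                return "double-spent", xor(pshares[i][0], shares[i][0])
        return "duplicate", None             # identical challenge: replayed deposit, payer not exposed

def spend(secret, bits):
    """Customer answers the challenge: one share and its opening per pair."""
    return [(x, r0) if b == 0 else (y, r1) for b, (x, r0, y, r1) in zip(bits, secret)]

def double_spend_demo():
    """Returns (merchant_check_ok, first_deposit, second_deposit)."""
    bank, alice = Bank(), b"acct:alice-0042"                 # constructed sample account
    token, secret = bank.withdraw(alice)                     # step 1
    bits_a = challenge_bits(b"merchant-A", b"nonce-1")       # step 3
    ans_a = spend(secret, bits_a)
    ok_a = bank.check(token, bits_a, ans_a)                  # step 4 (toy: merchant uses bank key)
    first = bank.deposit(token, bits_a, ans_a)               # step 5
    bits_b = challenge_bits(b"merchant-B", b"nonce-2")       # same token spent again elsewhere
    second = bank.deposit(token, bits_b, spend(secret, bits_b))
    return ok_a, first, second
```

The `"duplicate"` branch is the caveat worth keeping: if the same answered token is deposited twice under the same challenge, only one share of every pair is known, so the bank sees a replay by the merchant rather than a double spend by the customer, and no identity is recoverable.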