Encryption techniques in online transaction via credit card Submitted by Deepika Dash Information and Communication technology Roll No:- 10IT61B02

Upload: sarai-turner

Post on 15-Jan-2016



Encryption techniques in online transaction via credit card

Submitted by

Deepika Dash

Information and Communication technology

Roll No:- 10IT61B02


Introduction

• The Internet and World Wide Web have changed the way customers shop: almost everything can now be purchased online.

• On the other hand the Internet encourages merchants to expand their businesses beyond traditional markets and boundaries by building their own Web sites and providing their e-business solutions.

• Web sites that provide online shopping capabilities for users must provide a balance between giving customers easy access to their Web sites and providing security to protect themselves as well as their customers.


Contd..

• e-commerce sites also have some additional concerns because customers trust them with credit card or online shopping card numbers and other personal information, which requires a kind of hiding and encryption to be provided to prevent hackers from stealing customers' information.

• Here we will discuss some of the most popular techniques used in securing online shopping payment via credit card.


Motivations

• Security Requirements

- Confidentiality

- Integrity

- Availability

- Accountability

• Security Threats

- Threats to confidentiality

- Threats to integrity

- Threats to availability

- Threats to Accountability


Techniques for secure online shopping process

• The principle of 'Risk vs. Reward' is central to the payments world.

• The techniques used in securing online shopping payments are:

1. Secure Electronic Transaction (SET).

2. Secure Sockets Layer (SSL).

3. Visa: Payer Authentication Service (3D Secure).

4. Biometric authentication


Secure Electronic Transaction

• Secure Electronic Transaction is a technical specification for securing payment card transactions over open networks such as the internet.

• SET is based on specially developed encryption technology from RSA Data Security.


Secure Socket Layer(SSL)

• SSL represents an encryption system used on servers to ensure privacy when transmitting information across the World Wide Web.

• SSL-enabled servers encrypt sensitive data into cipher text before sending it to clients, preventing third parties from reading the data, even if they intercept this data en route.

• Using SSL on a Web server helps ensure that information transmitted between a client, such as a Web browser and a server, remains private, and enables the clients to authenticate the identity of the server.


Visa: Payer Authentication Service (3D Secure)

• Payer authentication provides merchants with the electronic equivalent of a signed sales receipt.

• Under the umbrella of Visa's 3-Domain (3-D) Secure initiative, Internet merchants can participate in payer authentication.

• It validates that a consumer shopping on a merchant's Web site is the legitimate cardholder.


Biometric authentication

• Consists of methods for uniquely recognizing humans, based upon one or more intrinsic physical or behavioral traits.

• The Electronic Internet Shopping Card (EISC) contains the shopping card information and one of the cardholder's biometrics (fingerprint).


Secure Electronic Transaction (SET)


SET

• Technical specification for securing payment card transactions over open networks such as the internet.

• SET makes use of

1. Netscape's Secure Socket Layer (SSL)

2. Microsoft's Secure Transaction Technology (STT)

3. Terisa Systems' Secure Hypertext Transfer Protocol (S-HTTP)

4. Some aspects of a public key infrastructure


Participants in SET system


SET transaction


Advantages of SET

• Privacy by Cryptography

- RSA [7]

- DES [7]

• Integrity by Hashing Algorithm

- Digital signature [7]

• Authentication by Digital Certificate


Disadvantage of SET

• Interoperability

• Integration with legacy system

• Slow and Expensive


Secure Socket Layer (SSL)


SSL

• SSL was first used by Netscape.

- To ensure security of data sent through HTTP, LDAP or POP3.

• Uses TCP to provide reliable end-to-end secure service.

• In general, SSL can be used for secure data transfer for any network service running over TCP/IP.


Basic Objectives of SSL

• The main objectives are:

- Authenticate the client and server to each other.

- Ensure data integrity.

- Ensure data privacy.

• Required for both the protocol data and also the application data.


SSL Architecture

• SSL consists of two layers of protocols:

- SSL Record Protocol: ensures data security and integrity.

- Protocols required to establish SSL connection. Three protocols used in this layer:

  - SSL Handshake Protocol

  - SSL ChangeCipherSpec Protocol

  - SSL Alert Protocol


[Figure: SSL protocol stack. Top layer: SSL Handshake Protocol, SSL ChangeCipherSpec Protocol, SSL Alert Protocol. Below it: SSL Record Protocol, then TCP, then IP.]


[Figure: SSL Record Protocol operation. Application Data → Fragments → Compressed Data → Add MAC → Encrypt Data → TCP packet. Legend: H: SSL record protocol.]


SSL Record Protocol

SSL record header consists of:

- Content type: identifies the type of payload (that is, the higher level protocol being used).

- Major version: for SSL 3.0, the value is 3.

- Minor version: for SSL 3.0, the value is 0.

- Compressed length: size of the compressed data in bytes.


The Higher Layer Protocols

• SSL Alert Protocol

- Used to send session messages associated with data exchange and functioning of the protocol.

- Each message consists of two bytes:

  - First byte is either 1 (warning) or 2 (fatal). If "fatal", the SSL session is terminated.

  - Second byte contains one of the defined error codes.


Higher Layer Protocols

• SSL ChangeCipherSpec Protocol

- Consists of a single message that carries the value of 1.

- Purpose of this message is to cause the pending session state to be established as a fixed state.

- Define the set of protocols to be used.

- Must be sent from client to server, and vice versa.


SSL Handshake Protocol

Client sends to the server:

- SSL version

- Random (used to protect key exchange)

- Session ID

- CipherSuite

Server sends back:

- SSL version

- Random (a different number is generated)

- Session ID

- CipherSuite
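An added example (not from the original slides) that decodes the hello fields listed above and applies checks a monitoring tool could make on the exchange. The byte layout follows SSL 3.0; `parse_hello`, `check_pair`, `wrap` and the sample messages are constructed for illustration.

```python
import struct

def parse_hello(msg: bytes) -> dict:
    """Decode a ClientHello (type 1) or ServerHello (type 2) handshake message."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if msg_type not in (1, 2) or len(body) != length or length < 35:
        raise ValueError("not a complete hello message")
    sid_len = body[34]
    pos = 35 + sid_len
    if sid_len > 32 or pos + 2 > length:
        raise ValueError("bad session id length")
    hello = {
        "sender": "client" if msg_type == 1 else "server",
        "version": (body[0], body[1]),   # (3, 0) for SSL 3.0
        "random": body[2:34],            # 32 bytes, fresh per connection
        "session_id": body[35:pos],      # empty when no session is resumed
    }
    (value,) = struct.unpack_from("!H", body, pos)
    if msg_type == 1:                    # client: length-prefixed list of offers
        raw = body[pos + 2: pos + 2 + value]
        if value % 2 or len(raw) != value:
            raise ValueError("bad cipher suite list")
        hello["cipher_suites"] = [int.from_bytes(raw[i:i + 2], "big")
                                  for i in range(0, value, 2)]
    else:                                # server: the single suite it selected
        hello["cipher_suites"] = [value]
    return hello

def check_pair(client: dict, server: dict) -> list:
    """Consistency checks on one ClientHello/ServerHello exchange."""
    problems = []
    if server["cipher_suites"][0] not in client["cipher_suites"]:
        problems.append("server selected a suite the client did not offer")
    if server["random"] == client["random"]:
        problems.append("server random repeats the client random")
    if server["version"] > client["version"]:
        problems.append("server version is higher than the client offered")
    return problems

def wrap(msg_type: int, body: bytes) -> bytes:
    """Prefix a body with the 1-byte type and 3-byte length of a handshake message."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample messages: version 3.0, suites 0x000A and 0x0005 offered, 0x000A chosen
CLIENT_HELLO = wrap(1, b"\x03\x00" + bytes(range(32)) + b"\x00" + b"\x00\x04\x00\x0a\x00\x05" + b"\x01\x00")
SERVER_HELLO = wrap(2, b"\x03\x00" + bytes(range(32, 64)) + b"\x04\xaa\xbb\xcc\xdd" + b"\x00\x0a" + b"\x00")
```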


BIOMETRIC PERSONAL AUTHENTICATION


Finger print as a Biometric Authentication System

• Fingerprints are unique to every individual, so they can be used for verification.

• Uniqueness is provided by topographic relief of ridge structure and ridge anomalies known as MINUTIAE POINTS.

• Representation is of 2 types

- Local

- Global

• MINUTIAE POINTS are common due to:

- capture individual information

- storage sufficient

- robust to various sources of fingerprint degradation


A Fingerprint Uniqueness


EISC-ONLINE SHOPPING SYSTEM

• ELECTRONIC INTERNET SHOPPING CARD: authenticates the cardholder and completes the online shopping transaction by generating a special image containing the information needed to complete the transaction.

System proposes 3 techniques:

- Fingerprint verification technique as a biometric personal authentication system.

- Extraction of minutiae

- Determination of core point of fingerprint

- Fragile steganography algorithm

- Data hiding encrypting

- Embedding the extracted features and encrypted


EISC System Component


From a technical point of view, the proposed system can be divided into the following stages:

- EISC issuer's side (creation stage)

- EISC customer side (E-payment stage)

- EISC issuer's side (validation stage)


Overview of online transaction using EISC


Advantage

• Meets different kinds of security objectives

- Confidentiality

- Integrity

- Availability


Disadvantage

• Safety is not enough

• Cost may be high

• May need special software to be installed in the customer's machine.


CONCLUSION

• Methods to encrypt information during online transactions give customers confidence to shop online.

• SSL is the most popular protocol used in the credit card industry for secure transactions.

• SET also uses SSL as one of its protocols. The only difference is that SET uses 4 digital signatures and 6 certificates, which are not required in SSL once the session is started between client and server.

• EISC is a better way to provide security using biometric authentication, but it requires additional overhead.

• The credit card industry has its interest dispersed in a large number of service organizations, such as autonomous banks, so that it will be very difficult to agree on a universal standard. Still it is standardized for the secure transaction of large amounts of money.


REFERENCES

[1]. Knorr K. and Rohrig S., 2000. Security of Electronic Business Applications: Structure and Quantification, First International Conference, EC-Web 2000, London, UK, Sep 2000.

[2]. financialsecurity.techtarget.com/definition/Secure-Electronic-Transaction

[3]. Secure online transaction by biometric authentication and steganography [IEEE Xplore.ieee.org]


[4]. Secure Electronic Transaction: a market survey and a test implementation of SET technology, Master Thesis, Uppsala University, 1998 [IEEE Xplore]

[5]. Ross A., 2003. Information Fusion in Fingerprint Authentication. PhD thesis, Michigan State University, 2003 [IEEE Xplore]

[6]. New Technologies in Credit Card Authentication, Pieter de Bruyne, Institute for Communications Technology, ETH Zentrum [IEEE Xplore]

[7]. Cryptography and Network Security by B. A. Forouzan and D. Mukhopadhyay, 2nd edition, Tata McGraw-Hill