secured internet payment
DESCRIPTION
This presentation may be helpful to students.
TRANSCRIPT
-
SECURE INTERNET PAYMENT SYSTEMS
Prepared by:
Atul Dave (500530985), Shaukat Raza (500543780), Simranveer Brar (500468450)
Computer Network Security (EE8213)
Guide & mentor:
Dr. Cungang Yang
-
INTRODUCTION
Incorporate the payment functions in the Internet world
Payment methods:
  Cash
  Credit card
  Cheque
  Credit & debit transfer
-
MAJOR INTERNET PAYMENT METHODS
Secure Electronic Transaction (SET) protocol for implementing credit card payment
Electronic cheque system for supporting cheque payment
Electronic fund transfer & electronic cash system for emulating physical cash payment
Other methods, i.e. micropayment & smart card payment
Credit card based methods: credit card over SSL, SET
Electronic cheques: NetCheque
Anonymous payments: DigiCash, CAFE
Micropayments
Smart cards
-
FEATURES OF SECURE PAYMENT METHODS
Anonymity: whether the payment method is anonymous
Security: whether the method is secure
Overhead cost: the overhead cost must be competent enough
Transferability: whether the transaction can be divided into arbitrary small payments whose sum is equal to the original payment
Acceptability: whether the method is accepted globally
-
4C PAYMENT METHODS
Payment method should be:
  Very secure
  Low overhead cost
  Transferable
  User friendly (globally accepted)
  Divisible
  Anonymous
-
4C PAYMENT METHODS COMPARISONS
Methods/Features | Cash               | Credit card              | Cheque              | Credit/Debit
Anonymity        | Yes, in general    | No                       | No                  | No
Security         | Good               | Good                     | Good                | Good
Overhead cost    | Lowest, in general | Higher than cash & debit | Highest, in general | Low
Transferability  | Yes                | No                       | No                  | No
Divisibility     | Not completely     | Yes                      | Yes                 | Yes
Acceptability    | Yes, in general    | Yes, in general          | No, in general      | No, in general
-
SET PROTOCOL FOR CREDIT CARD PAYMENT METHOD
The credit card is the most commonly used payment method globally.
Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.
-
PROS & CONS OF SSL V/S SET
Advantage of SSL: it ensures the secure transmission of credit card information over the Internet.
Disadvantage of SSL: it is not a complete credit card payment method. For example, it cannot support online credit card authorization.
SET is specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies including Visa and MasterCard.
-
SET NETWORK ARCHITECTURE
-
SECURITY REQUIREMENTS OF SET PROTOCOL
SET aims at satisfying the following security requirements in the context of credit card payment:
Confidentiality: sensitive messages are encrypted so that they are kept confidential.
Integrity: nearly all messages are digitally signed to ensure content integrity.
Authenticity: authentication is performed through a public key infrastructure.
-
SET NETWORK PARTICIPANTS
Merchant: a seller, which is connected to an acquirer.
Cardholder: a registered holder of the credit card who is a buyer.
Issuer: the bank that issues the credit card to a cardholder.
Acquirer: the bank that serves as an agent to link a merchant to multiple issuers.
Payment gateway: this is typically connected to the acquirer. The payment gateway is situated between the SET system and the financial network.
-
SET DIGITAL CERTIFICATE SYSTEM
-
DUAL SIGNATURE GENERATION & VERIFICATION
In the physical credit card system:
  The payment instructions (PI), including the cardholder's credit card number and signature, are not kept confidential.
  Data integrity can basically be ensured by using printed receipts.
  Cardholder's authentication relies on simple signature checking only.
In an electronic credit card system:
  The order information (OI) and PI can be digitally signed to ensure data integrity.
  The sensitive credit card information may still be disclosed to other people.
SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.
-
SET NETWORK ARCHITECTURE
$DS = E_{KR_c}[H(H(PI) \,\|\, H(OI))]$
-
SET PROTOCOL FOR CREDIT CARD PAYMENT
Flow chart of the process
-
HOW DO THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS?
The merchant is provided with OI, H[PI], and DS. The dual signature can be verified as follows:
Step 1: The merchant first finds H[H[PI] || H[OI]].
Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows: D_RSA[DS | Key_public_sign,cardholder], where Key_public_sign,cardholder is the public signature key of the cardholder.
Step 3: Finally, he compares the two terms H[H[PI] || H[OI]] and D_RSA[DS | Key_public_sign,cardholder].
They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.
-
HOW DO THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS?
The payment gateway is provided with PI, H[OI], and DS.
By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.
If either the OI or PI is changed, the dual signature will no longer be valid.
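The dual signature check described on the last slides, written out as an added example (not part of the original presentation). Assumptions: SHA-256 stands in for the hash H, and the cardholder's signature key is a demo-only textbook RSA key without padding, built from publicly known Mersenne primes; the sample OI and PI strings are constructed.

```python
import hashlib

# Demo-only textbook RSA key from two publicly known Mersenne primes.
# No padding and no secrecy: it only stands in for the cardholder's
# signature key pair so the protocol logic can run with the standard library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private signature exponent

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def linked_digest(pi_digest: bytes, oi_digest: bytes) -> int:
    """H[H[PI] || H[OI]] as an integer."""
    return int.from_bytes(h(pi_digest + oi_digest), "big")

def make_dual_signature(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = E_KRc[H(H(PI) || H(OI))]."""
    return pow(linked_digest(h(pi), h(oi)), D, N)

def merchant_verify(oi: bytes, pi_digest: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] and DS; it never sees PI."""
    return pow(ds, E, N) == linked_digest(pi_digest, h(oi))

def gateway_verify(pi: bytes, oi_digest: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI] and DS; it never sees OI."""
    return pow(ds, E, N) == linked_digest(h(pi), oi_digest)

def demo() -> dict:
    # Constructed sample data (well-known test card number, not a real account).
    oi = b"order=1001;item=book;qty=1;total=25.00"
    pi = b"txn=1001;pan=4111111111111111;amount=25.00"
    ds = make_dual_signature(pi, oi)
    return {
        "merchant_ok": merchant_verify(oi, h(pi), ds),
        "gateway_ok": gateway_verify(pi, h(oi), ds),
        "oi_tampered": merchant_verify(oi.replace(b"qty=1", b"qty=9"), h(pi), ds),
        "pi_tampered": gateway_verify(pi.replace(b"25.00", b"2.50"), h(oi), ds),
        "pi_swapped": merchant_verify(oi, h(b"txn=9999;other payment"), ds),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last case shows the linkage: a valid DS cannot be reattached to a different PI digest, even though the merchant never sees the PI itself.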
-
DIGITAL ENVELOPE
-
DIGITAL ENVELOPE
A random DES key (Key_random) is first generated to encrypt the message, i.e. E_DES[M | Key_random].
Key_random is then encrypted by the VBS's public key-exchange key, say Key_public_exchange,VBS, i.e. E_RSA[Key_random | Key_public_exchange,VBS].
E_DES[M | Key_random] and E_RSA[Key_random | Key_public_exchange,VBS] are sent to the VBS.
To obtain the message M, the VBS first obtains Key_random by decrypting E_RSA[Key_random | Key_public_exchange,VBS], i.e. D_RSA[E_RSA[Key_random | Key_public_exchange,VBS] | Key_private_exchange,VBS] = Key_random, where Key_private_exchange,VBS denotes the private key-exchange key of the VBS.
After obtaining Key_random, the VBS can obtain M by decrypting E_DES[M | Key_random], i.e. to find D_DES[E_DES[M | Key_random] | Key_random] = M.
-
SET PROTOCOL ARCHITECTURE
-
SET PROTOCOL PHASES
SET protocol has four phases:
  Initiation
  Purchase
  Authorization
  Capture
First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.
In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
Finally, the merchant requests a money transfer to its account.
-
PAYMENT AUTHORIZATION
The merchant needs to obtain payment authorization from the acquirer.
The authorization request consists of:
  Transaction ID
  Amount requested
  Message digest of order description
  Other transaction information
The authorization request is encrypted by using key B (private key of merchant).
Key B is then encrypted by using the public key-exchange key of the payment gateway to form the digital envelope.
-
PAYMENT AUTHORIZATION
The merchant sends the following to the payment gateway:
  The encrypted authorization request and the encrypted key B
  Cardholder's and merchant's certificates
  The following information as received from the cardholder:
    PI + DS + H[OI] (all encrypted using key A)
    Key A + cardholder information (all encrypted using the payment gateway's public key-exchange key)
After receiving the authorization request, the payment gateway processes it as follows:
  Obtains key B by means of decryption and uses it to decrypt the authorization request
  Verifies merchant's certificates and digital signature on the authorization request
  Obtains key A and the cardholder information by means of decryption
  Uses key A to obtain the PI, DS and H[OI]
  Verifies the DS accordingly
-
PAYMENT AUTHORIZATION
The payment gateway also verifies that the received transaction ID is the same as the one in the PI.
By checking the order description in the authorization request message, it can be verified that the order has been accepted by the cardholder and the merchant.
Upon all successful verifications, the payment gateway forwards the authorization request to the issuer via the current payment system.
After receiving the authorization from the issuer through the current system, the payment gateway sends an authorization response to the merchant.
-
PAYMENT AUTHORIZATION
The payment gateway sends the following to the merchant:
  Signed authorization response (encrypted by key C)
  Key C (encrypted by merchant's public key-exchange key)
  Signed capture token (encrypted by key D)
  Key D + cardholder information (encrypted by payment gateway's public key-exchange key)
After receiving the authorization response from the payment gateway, the merchant obtains key C by decryption and uses it to decrypt the authorization response.
The merchant verifies the payment gateway's certificate and the digital signature on the authorization response.
After obtaining the authorization, the merchant then completes the order accordingly.
-
PAYMENT CAPTURE
To begin the payment capture process, the merchant generates a capture request that includes the transaction ID, capture amount and other information about the capture request.
The capture request is first signed by using the private key of the merchant and then encrypted with a random symmetric key E.
E is then encrypted by using the public key-exchange key of the payment gateway to form the digital envelope.
-
PAYMENT CAPTURE
The merchant sends the following to the payment gateway:
  Signed capture request (encrypted by using key E)
  Key E (encrypted by using payment gateway's public key-exchange key)
  Signed capture token (encrypted by using key D)
  Key D + cardholder information (encrypted by using payment gateway's public key-exchange key)
  Merchant's digital certificates
After receiving the capture request, the payment gateway obtains key E by decryption and uses it to decrypt the capture request.
The payment gateway also verifies the digital signature of the capture request by using the merchant's public key.
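The sign-then-envelope handling of the capture request, which is also the digital envelope from the earlier slides, as an added example (not part of the original presentation). Assumptions: a SHA-256 counter keystream stands in for DES, both RSA key pairs are demo-only textbook RSA without padding built from publicly known Mersenne primes, and the sample request is constructed.

```python
import hashlib
import secrets

def keypair(p, q, e=65537):
    """Demo-only textbook RSA from publicly known Mersenne primes (no padding)."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

M_N, M_E, M_D = keypair(2**521 - 1, 2**607 - 1)      # merchant signature key
G_N, G_E, G_D = keypair(2**1279 - 1, 2**2203 - 1)    # gateway key-exchange key
SIG_LEN = (M_N.bit_length() + 7) // 8

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher: XOR with a SHA-256 counter keystream."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def merchant_seal(capture_request: bytes):
    """Sign the request, encrypt request+signature under random key E, wrap E."""
    sig = pow(digest_int(capture_request), M_D, M_N)
    key_e = secrets.token_bytes(16)
    signed = capture_request + sig.to_bytes(SIG_LEN, "big")
    wrapped_key = pow(int.from_bytes(key_e, "big"), G_E, G_N)
    return keystream_xor(key_e, signed), wrapped_key

def gateway_open(ciphertext: bytes, wrapped_key: int) -> bytes:
    """Recover key E with the gateway's private key, decrypt, verify the signature."""
    key_e = pow(wrapped_key, G_D, G_N).to_bytes(16, "big")
    signed = keystream_xor(key_e, ciphertext)
    request, sig = signed[:-SIG_LEN], int.from_bytes(signed[-SIG_LEN:], "big")
    if pow(sig, M_E, M_N) != digest_int(request):
        raise ValueError("capture request signature does not verify")
    return request

def demo():
    request = b"txn=1001;capture_amount=25.00"      # constructed sample message
    ciphertext, wrapped_key = merchant_seal(request)
    opened = gateway_open(ciphertext, wrapped_key)
    tampered = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]   # one bit flipped in transit
    try:
        gateway_open(tampered, wrapped_key)
        rejected = False
    except ValueError:
        rejected = True
    return opened, rejected
```

Calling demo() returns the recovered request and whether the modified ciphertext was rejected. The envelope alone gives confidentiality only; the rejection comes from the merchant's signature inside it.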
-
PAYMENT CAPTURE
The payment gateway obtains key D by decryption, uses the key to decrypt the capture token, and verifies the capture token.
After successful verification, the payment gateway sends a payment transfer request to the issuer via the current system.
The capture response created by the payment gateway is signed by using its private signature key and is encrypted by a random symmetric key F.
F is encrypted by using the merchant's public key-exchange key to form the digital envelope.
-
PAYMENT CAPTURE
The payment gateway forwards the following information to the merchant:
  Signed capture response (encrypted by key F)
  Key F (encrypted by public key-exchange key)
  Payment gateway's digital certificates
After receiving the capture response, the merchant decrypts it accordingly and verifies the digital signature.
-
SMART CARD
An Internet payment method.
First generation smart cards, credit cards and bank cards.
Smart cards are intelligent, interactive and interoperable.
-
SMART CARD COMPONENTS
Central processing unit: 8-bit microprocessor that controls the operation of the smart card.
RAM: used to store temporary data.
EPROM: used to store long-term data like cryptographic keys.
ROM: used to store permanent data such as the operating system.
I/O interface: it provides data input/output functions.
-
SMART CARD COMPONENTS
Leverages the check payments system, a core competency of the banking industry.
Fits within current business practices.
Works like a paper check does, but in pure electronic form, with fewer manual steps.
Can be used by all bank customers who have checking accounts.
Different from electronic fund transfers.
-
HOW DOES ELECTRONIC CHEQUE WORK?
Exactly the same way as paper:
  Check writer "writes" the e-check using one of many types of electronic devices.
  "Gives" the e-check to the payee electronically.
  Payee "deposits" the e-check, receives credit.
  Payee's bank "clears" the e-check to the paying bank.
  Paying bank validates the e-check and "charges" the check writer's account for the check.
-
ANONYMOUS E-PAYMENT PROCESS
1. Withdraw money: cryptographically encoded tokens
2. Transform so merchant can check validity but identity hidden
3. Send token after adding merchant's identity
4. Check validity and send goods
5. Deposit token at bank. If double spent, reveal identity and notify police
Diagram labels: Customer, Merchant
-
QUESTION & ANSWER
-
THANK YOU