Card payment security using RSA

Abstract
E-commerce has presented a new way of doing transactions all over the world using
internet. The success of ecommerce depends greatly on how its information technology is
used. Over the years the rate at which ecommerce sensitive information is sent over the
internet and network has increased drastically. It is for this reason that every company
wants to ensure that its ecommerce information is secured. There is need for ecommerce
information transmitted via the internet and computer networks to be protected. There is
substantial growth in the areas of credit card fraud and identity theft because the internet is
a public network with thousands of millions of users. Amongst users are crackers or
hackers that carry out the credit card fraud and identity theft in numerous ways facilitated
by poor internet security; a concern regarding the exchange of money securely and
conveniently over the internet increases. The criticality, danger, and higher priority
importance of any e-commerce money transfer makes it a hot area of research interest in
modern computer science and informatics. E-commerce industry is slowly addressing
security issues on their internal networks but security protection for the consumers is still
in its infancy, thus posing a barrier to the development of e-commerce. There is a growing
need for technological solutions to globally secure ecommerce transaction information by
using appropriate data security technology. The technology solution proposed for solving
this security problem is the RSA cryptosystem. This research paper focuses on securing
ecommerce information sent through the computer network and internet using RSA
cryptography. It elucidates the implementation of RSA algorithm and shows that
ecommerce security powered with RSA cryptography is very important in ecommerce
transaction. While many attacks exist, the system has proven to be very secure.
 1. INTRODUCTION
E-commerce or electronic commerce is trading in product or services conducted via
computer networks such as the internet. It is considered to be the sales aspect of e-business
consisting of the exchange of data to facilitate the financing, payment and security of
business transactions. E-commerce refers to a wide range of online business activities for
products and services. High degree of confidence needed in authenticity and privacy of
such transactions can be difficult to maintain where they are exchanged over an unsecured
public network such as the Internet. E-commerce also pertains to any form of business
transaction in which the parties interact electronically rather than by physical exchanges or
direct physical contact. A security objective is the contribution to security that a system is
intended to achieve. Security has emerged as an increasingly important issue in the
development and success of an E-commerce organization. Gaining access to sensitive
information and replay are some common threats that hackers impose to E-commerce
systems. Trojan horse programs launched against client systems pose the greatest threat to
e-commerce because they can bypass or subvert most of the authentication and
authorization mechanisms used in an ecommerce transaction. Privacy has become a major
concern for consumers with the rise of identity theft and impersonation and any concern
for consumers must be treated as a major concern for e-Commerce providers.
E-commerce security has its own particular nuances and is one of the highest visible
security components that affect the end user through their daily payment interaction with
business. E-commerce shares security concerns with other technologies in the field.
Privacy concerns have been found, revealing a lack of trust in a variety of contexts,
including commerce, electronic health records, e-recruitment technology and social
networking, and this has directly influenced users. Security is one of the principal and
continuing concerns that restrict customers and organizations engaged with ecommerce.
The e-commerce industry is slowly addressing security issues on their internal networks.
There are guidelines for securing systems and networks available for the ecommerce
systems personnel to read and implement. Educating the consumer on security issues is
still in the infancy stage but will prove to be the most critical element of the e-commerce
security architecture.
A. Literature Study
The success or failure of an e-commerce operation hinges on myriad of factors,
including but not limited to the business model, the team, the customers, the investors, the
product, and the security of data transmissions and storage. Data security has taken on
heightened importance since series of high-profile "cracker" attacks have humbled popular
Web sites resulting in the impersonation of Microsoft employees for the purposes of digital
certification and the misuse of credit card numbers of customers at business-to-consumer
(B2C) e-commerce destinations. Security is on the mind of every e-commerce entrepreneur
who solicits, stores, or communicates any sensitive information. An arms race is underway:
technologists are building new security measures while others are working to crack the
security systems. One of the most effective means of ensuring data security and integrity
is encryption.

Encryption is a generic term that refers to the act of encoding data, in this context
so that those data can be securely transmitted via the Internet. Professor Lawrence Lessig
of Stanford Law School put it thus, "Here is something that will sound very extreme but is
at most, I think, a slight exaggeration: encryption technologies are the most important
technological breakthroughs in the last one thousand years” as in. Rivest described it as “a
means of communication in the presence of adversaries” in. Encryption can protect the data
at the simplest level by preventing other people from reading the data. In the event that
someone intercepts a data transmission and manages to deceive any user identification
scheme, the data that they see appear gibberish without a way to decode it. Encryption
technologies can help in other ways as well by establishing the identity of users (or
abusers); control the unauthorized transmission or forwarding of data; verify the integrity
of the data (i.e., that it has not been altered in any way); and ensure that users take
responsibility for data that they have transmitted. Encryption can therefore be used either
to keep communications secret (defensively) or to identify people involved in
communications (offensively).
The basic means of encrypting data involves a symmetric cryptosystem. The same
key is used to encrypt and to decrypt data. Think about a regular, garden-variety code,
which has only one key: two kids in a tree-house, pretending to be spies, might tell one
another that their messages will be encoded according to a scheme where each number,
from 1 to 26, refers to a letter of the alphabet (so that 1 = A, 2 = B, 3 = C, etc.). The key
refers to the scheme that helps match up the encoded information with the real message.
Or perhaps the kids got a little more sophisticated and used a computer to generate a
random match-up of the 26 letters with 26 numbers (so that 6 = A, 13 = B, 2 = C, etc.).
These codes might work for a while, managing to confuse a nosy younger brother who
wants to know what the notes they are passing mean but the codes are fairly easy to crack.
Much more complex codes, generated by algorithms, can be broken by powerful computers
when only one key exists.
Public Key Encryption (PKE) or asymmetric encryption is much more important
than symmetric encryption for the purposes of e-commerce. The big improvement brought
by Public Key Encryption was the introduction of the second key - which makes a world
of difference in terms of protecting the integrity of data. Public Key Encryption relies on
two keys, one of which is public and one of which is private. If you have one key, you
cannot infer the other key. Here's how it works: I have a public key, and I give that key out
to anyone with whom I wish to communicate. You take my public key and use it to encrypt
a message. You send that message in coded form over the network. Anyone else who sees
the message cannot read it because they have only the public key. The message only makes
sense when it gets to me as I have the only copy of the private key which does the
decrypting magic to turn the encrypted message into readable text.
Public Key Encryption ostensibly creates a world in which it does not matter if the
physical network is insecure. Even if - as in the case of a distributed network like the
Internet, where the data passes through many hands, in the form of routers and switches
and hubs - information could be captured the encryption scheme keeps the data in a
meaningless form unless the cracker has the private key. RSA is one of the first practicable
public-key encryption algorithms and is widely used for secure data transmission. In such
a cryptosystem, the encryption key is public and differs from the decryption key which is
kept secret. In RSA, this asymmetry is based on the practical difficulty of factoring the
product of two large prime numbers the factoring problem. RSA stands for Ron Rivest,
Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977.
B. Motivation
Since the invention of the World Wide Web (WWW) in 1989, Internet-based electronic
commerce has been transformed from a mere idea into reality. Consumers browse through
catalogues, searching for best offers, order goods, and pay for them electronically.
Information services can be subscribed online, and many newspapers and scientific
journals are even readable via the Internet. Most financial institutions have some sort of
online presence, allowing their customers to access and manage their accounts make
financial transactions, trade stocks, and so forth. Electronic mails are exchanged within and
between enterprises and often already replace fax copies. Soon there is arguably no
enterprise left that has no Internet presence, if only for advertisement reasons. In early 1998
more than 2 million web servers were connected to the Internet, and more than 300 million
host computers. And even if actual Internet business or ecommerce is still marginal: the
expectations are high. For instance, Anderson consulting predicts ecommerce or Internet
business to grow from $10 billion in 1998 to $500 billion in 2002 in.
Thus, doing some electronic commerce business on the Internet is already an easy task
as is cheating and snooping. Several reasons contribute to this insecurity: The Internet does
not offer much security per-se. Eavesdropping and acting under false identity is simple.
Stealing data is undetectable in most cases. Popular PC operating systems offer little or no
security against virus or other malicious software, which means that users cannot even trust
the information displayed on their own screens. At the same time, user awareness for
security risks is threateningly low.The first concern for both business and consumer of
entering the e-commerce market is the potential for loss of assets and privacy due to
breaches in the commercial transactions and corporate computer systems. However, this is
not to say that e-commerce potential is being totally ignored by consumers as in, in fact
according to internet analyst World Wide Worx, the number of online banking accounts in
South Africa grew by 28% to 1.04 million in 2003 and that these figures are expected to
increase to 30% in 2004 as in. Electronic banking in America is also on the increase as 17
percent of Americans used online banking services by the end of 2002 and this figure will
continue to grow by 14 percent up to the end of 2007. These figures show that despite some
security concerns electronic commerce related activities such as e-banking continue to
grow as in.
However, some security concerns may be well founded when some of the statistics
relating to electronic commerce security are considered. Fraud is increasing at a rapid rate.
According to a survey by Net Effect Systems while 94 percent of online consumers use the
Internet to shop, just 10 percent say they prefer to buy things online. 74 percent of
consumers cited security and privacy concerns. Therefore, if the security and privacy
problems are addressed e-shoppers will be converted into e-buyers, and the e-commerce
will be pushed a big step forward as in. Below is the table showing the report of fraud by
consumers from 2001 to 2003 as in.

Three possible worries facing an e-commerce customer are;

 If I transmit a credit card number over the internet – can people other than the
recipient read it?
 If I agree to pay N400 for goods – can this information be captured and changed?
 I am buying something from company X, is it really company X?
This raises some important Information Security issues:
 Confidentiality: protecting information from unauthorised disclosure;
 Integrity: protecting information from unauthorised modification, and ensuring that
information is accurate and complete;
 Authentication – Ensuring that the person you are making the transaction with is
who he says he is.
C. RSA Cryptography
RSA is the first algorithm known to be suitable for signing as well as encryption,
and one of the first great advances in public key cryptography. It is named for the three
MIT mathematicians who developed it — Ronald Rivest, Adi Shamir, and Leonard
Adleman.
RSA today is used in hundreds of software products and can be used for key
exchange, digital signatures, or encryption of small blocks of data. RSA uses a variable
size encryption block and a variable size key. The key-pair is derived from a very large
number, n, that is the product of two prime numbers chosen according to special rules;
these primes may be 100 or more digits in length each, yielding an n with roughly twice
as many digits as the prime factors. The public key information includes n and a
derivative of one of the factors of n; an attacker cannot determine the prime factors of
n (and, therefore, the private key) from this information alone and that is what makes
the RSA algorithm so secure. Regardless, one presumed protection of RSA is that users
can easily increase the key size to always stay ahead of the computer processing curve
as in.
 RSA is very widely used today for secure Internet communication (browsers,
S/MIME, SSL, S/WAN, PGP, and Microsoft Outlook), operating systems (Sun,
Microsoft, Apple,Novell) and hardware (cell phones, ATM machines, wireless Ethernet
cards, Mondex smart cards, Palm Pilots). Prasithsangaree and his colleague
Krishnamurthy have analyzed the Energy Consumption of RC4 (RSA) and AES
Algorithms in Wireless LANs in the year 2003.They have evaluated the performance
of RC4 and AES encryption algorithms in [9]. The performance metrics were
encryption throughput, CPU work load, energy cost and key size variation. Experiments
show that the RC4 is fast and energy efficient for encrypting large packets. However,
AES was more efficient than RC4 for a smaller packet size. The tradeoffs with security
are not completely clear In the Comparative Analysis of AES and RC4 Algorithms for
Better Utilization as in [10], the performance metrics were throughput, CPU process
time, memory utilization, encryption and decryption time and key size variation.
Experiments show that the RC4 is fast and energy efficient for encryption and
decryption. Based on the analysis done as part of the research, RC4 is better than AES.
we compare the encryption time of AES and RC4 algorithm over different packet size.
RC4 takes less time to encrypt files with respect to AES. The large prime number is not
easily factorized. Apparently in this research paper the RSA algorithm is developed to
secure ecommerce transaction with the large prime numbers.
 2. RESEARCH METHODOLOGY
The design of the RSA security software partly evolved from the need for an all-
embracing information security system and partly from the need for a user-friendly
package that can fulfill any large ecommerce organization’s information security needs.
Changes of system are necessitated by a number of factors ranging from growth of
ecommerce business to change in national law. For instance, there could be
• Changes in business policies and regulations
• Change in government policies and regulations
• New innovations/development of better methods of system operations.
For any of these reasons or more, a system can be forced to change. As online
business outfit grows, so do the security threats and vulnerabilities grow, there is a
continuous search for a better method of securing online transaction information. In this
study, information was acquired through two sources namely; Primary source and
Secondary source.

Primary source: Information from this source was given priority because It is firsthand
information. Primary data are those got from questionnaires, personal Interviews,
observations, etc. as in.
Questionnaire In this study, 419 questionnaires were distributed to customers of
different ages, genders, and educational levels. Out of the 419 distributed questionnaires,
261 questionnaires were returned back. After checking the returned questionnaire, the
researchers rejected one questionnaire as it was not filled correctly. Thus 260
questionnaires were used in this study. In the questionnaire, questions on how the IT staff
handled the security of transaction information, their mode of securing as well as storing
of such transaction information were asked.
Secondary Source: Information from this source is second hand information. Secondary
data are those gathered from pamphlets, journals, newspapers, books, internet and records
available at the organization under study as in [11] In this study, so many journals, book,
articles and books were consulted online.
 A. Existed system
In order to conduct online transactions, customers reveal their personal and financial
information to e-commerce merchants and banks online. Therefore, the security and
privacy features of the transaction information are considered as important factors.
Results showed that 72.6% of respondents are reluctant to reveal their sensitive
information to the merchants or bank’s web sites because of lack of information security.
In addition to this, 63.4% of respondents believe that the endorsement of these e-commerce
web sites with a security seal would positively affect their trust to conduct online
transactions. In addition to this, 77% of respondents recommend that merchants and banks
should use strong cryptography protocols to protect their information during the transaction
process and in web servers.
B. Proposed Design
A Modular is a system component that provides services to other components but would
not normally be considered as a separate system as in. A separable component is one that
is interchangeable with others for assembling into units of differing size, complexity or
function as in. Therefore, RSA cryptosystem is designed along modular techniques. This
necessitated the decomposition of the system into clearly defined subsystems such that the
initial requirements specifications were met. The software system comprises the following
subsystems: splash-screen subsystem, Admin/login subsystem, Task bar/Key generation
subsystem, Encryption subsystem, Decryption subsystem, Track Transaction subsystem,
View record subsystem, Log out/Exit subsystem.

Advantages of proposed design:

E-commerce security using RSA cryptosystem is designed to achieve a more secured
system and it is structured to include the following:
 i. A relational database support and dependency: This feature promotes the
efficient use and storage of data. It equally optimizes data organization by the
use of tables in the database.
ii. Efficient System Resource Usage: The transaction information databases are
normally saved as compressed database before and after their use by the system
thus reducing the disk storage space they might take.
iii. Customizable data structure: By this RSA, the cryptographic software can be
readily adopted to serve within different corporate settings.
iv. Backup feature: With this system, the user has the options of backing data up in
the database to removable disks. This is a strong maintenance culture that can
facilitate data recovery and smooth system running in times of system crash or
any other System Error.

C. RSA Cryptosystem
In the transmission of the credit card data during ecommerce transactions, we need to
hide our confidential data from other users. For this purpose we use encryption algorithms
to encrypt our data. Encryption is the process of using algorithmic schemes to transform
plain text information into a non-readable form called cipher-text. A key (or algorithm) is
required to decrypt the information and return it to its original plain text format. Anytime
that live cardholder data is in the clear – that is, in plain text format that is readable by a
person or computer – it is extremely vulnerable to theft. Of course, cyber thieves know this
and look for ways to capture a copy of that data. For example, it’s possible for a thief to
siphon off the card data as it is transmitted in plain text from a card reader to the point of
sale (POS) server or the merchant’s central server. (This is what is suspected to have
happened in data breaches involving Hannaford Bros., TJX and the Dave & Buster’s
restaurant chain.).Encryption of either the data itself or the transmission path the data takes
along the network, or both, can vastly reduce the vulnerability of the data, which in turn
reduces a merchant’s business risks. There are multiple approaches to encryption in the
payment process. A merchant will need to evaluate its own environment to determine
which approach or approaches would work best to meet its needs but in this research, RSA
cryptosystem is used for the proposed system. In data-level encryption, the payload within
the tunnel is encrypted. That is, encryption is applied to sensitive data elements such as the
card number, the track data, the card security code (i.e., CVV, CVV2, etc.) and the
expiration date. Depending on where in the process the data elements are encrypted, the
merchant could be protected from internal fraud as well as external fraud. If the card data
that a merchant wants to protect is encrypted at the point of capture – for example, at the
customer-facing PIN entry device in a multi-lane retailer or at the data entry web page of
an e-commerce site – and if that data stays encrypted until it is received by the processor,
the data is protected all along the way. This is what often is called end-to-end encryption.
Even if the transaction is intercepted at any point along the way, the encrypted card data is
unreadable and it means nothing to anyone other than the processor that holds the
decryption key.
Where possible and practical, data encryption is preferable to having only session level
encryption. Of course, a merchant can combine session encryption with data encryption for
a “belt and suspenders” approach to security. Encrypted data moving through an encrypted
tunnel would be doubly secured. Asymmetric encryption uses two separate keys, each of
which has a specific function. A public key encrypts the data, while a private key decrypt
the data.

The public key can be freely distributed without the key management challenges of
symmetric keys since it can only encrypt and never decrypt data.
 In a payment environment, the public key can be distributed to a merchant or to the end
POS device, and that device can store the key in hardware or software. Even if that key is
extracted by someone who shouldn’t have rights to it, all that the person can do is encrypt
data with the key; he can’t decrypt anything. On the other hand, the corresponding private
key where the decryption occurs must be handled very securely.
The RSA algorithm is the most commonly used public key encryption algorithm in
asymmetric cryptography. Two keys are used: Public Key and Private Key.
So in a public key cryptosystem, the sender encrypts the data using the public key of
the receiver and uses an encryption algorithm that is also decided by the receiver and the
receiver sends only the encryption algorithm and public key. But by using the public key,
data can only be encrypted but not decrypted, and the data is only decrypted by the private
key that only the receiver has. So no one can hack our data. In simple terms:
Public Key: Shared with the public that wants to send us data.
Private Key: Kept secret so that when someone sends us data encrypted by our Public
Key, we can decrypt the data using the Private Key.
1) Bases for RSA cryptosystem: The RSA cryptosystem is based on the dramatic
difference between the ease of finding large primes and the difficulty of factoring
the product of two large prime numbers (the integer factorization problem. The RSA
algorithm involves three steps: key generation, encryption and decryption.
2) Key generation: RSA involves a public key and a private key. The public key can
be known by everyone and is used for encrypting messages. Messages encrypted
with the public key can only be decrypted in a reasonable amount of time using the
private key. The keys for the RSA algorithm are generated the following way:
Choose two distinct prime number p and q. For security purposes, the integers p and q
should be chosen at random, and should be of similar bit-length. Prime integers can be
efficiently found using a primality test.
Compute n = pq.
n is used as the modulus for both the public and private keys. Its length, usually
expressed in bits, is the key length.
Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = n - (p + q -1), where φ is Euler’s totient
function.
Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are
coprime.
e is released as the public key exponent.
e having a short bit-length and small Hamming weight results in more efficient
encryption – most commonly 2 16 + 1 = 65,537. However, much smaller values of e
(such as 3) have been shown to be less secure in some settings.
Determine d as d ≡ e −1 (mod φ(n)); i.e., d is the multiplicative inverse of e (modulo
φ(n)).
This is more clearly stated as: solve for d given d⋅e ≡ 1 (mod φ(n)) This is often
computed using the extended Euclidean algorithm. Using the pseudocode in the
Modular integers section, inputs a and n correspond to e and φ(n), respectively. d is
kept as the private key exponent.
The public key consists of the modulus n and the public (or encryption) exponent e.
The private key consists of the modulus n and the private (or decryption) exponent d,
which must be kept secret. p, q, and φ(n) must also be kept secret because they can be
used to calculate d as in.
 After getting the public and private key the main thing is how to encrypt and decrypt
using RSA.

3) RSA Encryption:
Alice transmits her public key (n, e) to Bob and keeps the private key d secret. Bob then
wishes to send message M to Alice. He first turns M into an integer m, such that 0 ≤ m < n
by using an agreed-upon reversible protocol known as a padding scheme. He then
computes the ciphertext c corresponding to
C=me (mod n)
This can be done quickly using the method of exponentiation by squaring. Bob then
transmits c to Alice.
 4) RSA Decryption:
Alice can recover m from c by using her private key exponent d via computing.
M=Cd(mod n)
Given m, she can recover the original message M by reversing the padding scheme.
 5) A worked example:
Here is an example of RSA encryption and decryption. The parameters used here are
artificially small, but one can also use OpenSSL to generate and examine a real key-pair.
Choose two distinct prime numbers, such as

Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e
leaves us only to check that e is not a divisor of 3120.
 3. RESULT
The name of the software developed is RSA Ecommerce Security System (RSA-
ESS). The software captures the sending/transfer of encrypted credit card payment
information online by a customer in a remote system and the decryption/use of such
payment information by the bank staff to withdraw from customer account and credit the
merchant account during an ecommerce transaction. It is organized into various
subsystems/modules as reflected in the design.
IV. CONCLUSION
In this research, a detailed implementation of 1024-bit RSA encryption/decryption
algorithm is presented for use in securing ecommerce payment information. This algorithm
is implemented using VB.NET. The whole design was tested using Visual Basic.net virtual
environment tool. The system speed achieved was 36.3 MHz which comply with the speed
of smart card used in e-commerce. The RSA algorithm has remained a secure scheme for
sending encrypted messages for almost 40 years, earning Rivest, Shamir, and Adleman the
Association for Computing Machinery’s 2002 Alan Turing Award, among one of the
highest honors in computer science. RSA keys are typically 1024 to 2048 bits long, though
some experts believe that 1024-bit keys could be broken in the near future. It is generally
believed that 4096-bit keys are unlikely to be broken in the foreseeable future, meaning
that RSA should remain secure as long as n is chosen to be sufficiently large. It is currently
recommended that n be at least 2048 bits long.
V.REFERENCES
[1]. L. lessig: code and other laws of cyberspace, New York: basic books, 1999
[2]. A. J. Menezes, P.C. Vanoorschot, S.A Vanstone, Handbook of Applied Crytography,
CPC Press, 1996 [3]. P. Li, Topics in E-commerce (reports): issues of security and privacy
in E-commerce, 2013
[4]. A. Ghosh, E-Commerce Security: weak links, best defences. Canada: Wiley, 1998.
[5]. T.Burrows, A million SA e-bank accounts, more coming. Available:
www.itweb.co.za/sections/internet/2004/0403031143.asp?A=EBU&S=e-
Business&O=E&CiRestriction [6]. Gartner Group. Online banking goes mainstream in
US, 10 March, 2003.
[7]. Consumer Sentinel, Three-year trend for sentinel complaints, 2004. Available:
www.consumer.gov/sentinel/states03/3year_trens.pdf
[8]. G.C. Kessler, An Overview of Cryptography. Available: www.
Garykessler.net/library/crypto.html#intro, 1998.
[9]. P. Prasithsangaree and P. Krishnamurthy, Analysis of Energy Consumption of RC4
and AES Algorithms in Wireless LANs. Proceedings of the IEEE GLOBECOM, pp: 1445-
1449, 2003.
[10]. S.Nidhi and J.P.S.Raina. "Comparative Analysis of AES and RC4 Algorithms for
Better Utilization"International Journal of Computer Trends and Technology, Vol.1 (3),
pp: 259-263 July to Aug., 2011.
[11]. E.O. Chukwuemeka and O. R. Oji, Applied Social and Behavioral Research,
Guideline for thesis writing. Enugu: John Jacob’s Classic, 1999.
[12]. V. Nwaocha, Software Engineering Methodologies. National Open University of
Nigeria, Victoria Island, Lagos, 2008.
[13]. C.B. Obi, Design and development of personnel information system: Project Paper,
Caritas University, Enugu, Nigeria, 2013.
[14]. B. Persis, P. Mandiw and M. Kumar, A modified RSA cryptosystem based on ‘n’
prime numbers: International Journal of Engineering and Computer Science, vol. 1(2), pp:
63-66, 2012.