and Security
Learning Objectives
Security requirements
Authentication: A way to verify the buyer’s identity before payments are made
Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
Encryption: A process of making messages indecipherable except by those who have an authorized decryption key
Non-repudiation: Merchants need protection against the customer’s unjustifiable denial of placed orders, and customers need protection against the merchants’ unjustifiable denial of past payment
Security Schemes
Secret Key Cryptography (symmetric)
[Figure: Sender and Receiver]
Security Schemes (cont.)
Digital Signature
Analogous to handwritten signature
Name : “Richard”
Key-Exchange Key :
Signature Key :
Serial # : 29483756
Other Data : 10236283025273
Expires : 6/18/96
Signed : CA’s Signature
Security Schemes (cont.)
Certificate Authority - e.g. VeriSign
Public or private, comes in levels (hierarchy)
A trusted third-party service
Issuer of digital certificates
Verifying that a public key indeed belongs to a certain individual
RCA : Root Certificate Authority
BCA : Brand Certificate Authority
GCA : Geo-political Certificate Authority
CCA : Cardholder Certificate Authority
MCA : Merchant Certificate Authority
PCA : Payment Gateway Certificate Authority
[Figure, top to bottom: RCA, then BCA, then GCA, then CCA, MCA and PCA side by side]
Hierarchy of Certificate Authorities
A certificate authority needs to be verified by a government or a well-trusted entity (e.g., the post office)
Electronic Credit Card System on the Internet
The Players
Cardholder
Merchant (seller)
Issuer (your bank)
Acquirer (merchant’s financial institution, acquires the sales slips)
Brand (VISA, MasterCard)
Electronic Credit Card System on the Internet (cont.)
The process of using credit cards offline
A cardholder requests the issuance of a card brand (like Visa and MasterCard) to an issuer bank in which the cardholder may have an account.
The authorization of card issuance by the issuer bank, or its designated brand company, may require customer’s physical visit to an office.
A plastic card is physically delivered to the customer’s address by mail.
The card can be in effect as the cardholder calls the bank for initiation and signs on the back of the card.
The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
Upon the approval, the merchant requests payment to the merchant’s acquirer bank, and pays fee for the service. This process is called a “capturing process”
The acquirer bank requests the issuer bank to pay for the credit amount.
[Figure: flows among Cardholder, Merchant and Card Brand Company. Labels: credit card; payment authorization, payment data; account debit data; payment data; amount transfer]
[Figure: creating the encrypted message and the digital envelope. Labels: Sender’s Certificate, Symmetric Key, Encrypt, Encrypted Message, Receiver’s Certificate, Receiver’s Key-Exchange Key, Encrypt, Digital Envelope]
Secure Electronic Transaction (SET) Protocol (cont.)
Receiver’s Computer
5. The encrypted message and digital envelope are transmitted to receiver’s computer via the Internet.
6. The digital envelope is decrypted with receiver’s private exchange key.
7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender’s certificate.
8. To confirm the integrity, the digital signature is decrypted by sender’s public key, obtaining the message digest.
9. The delivered message is hashed to generate message digest.
10. The message digests obtained by steps 8 and 9 respectively, are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
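Steps 5 to 10 as an added example (not part of the original slides, and not SET's actual message formats). It assumes unpadded textbook RSA and a hash-based toy cipher so that it runs on the standard library alone; send() is an assumed mirror of the receiver steps, because the sender steps are missing from this page. The sender's certificate is left out, and the sender's public signature key is assumed to be already trusted.

```python
import hashlib
import secrets

def rsa_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

# Constructed demo keys built from well-known Mersenne primes. NOT secure.
SENDER_SIG_PUB, SENDER_SIG_PRIV = rsa_keypair(2**127 - 1, 2**521 - 1)
RECV_KX_PUB, RECV_KX_PRIV = rsa_keypair(2**89 - 1, 2**607 - 1)
SIG_LEN = 81   # bytes needed for the 648-bit sender modulus

def rsa(value, key):
    """Unpadded RSA operation (stand-in for a real padded scheme)."""
    exponent, n = key
    return pow(value, exponent, n)

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def toy_cipher(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def send(message):
    """Assumed sender side: sign the digest, encrypt, wrap the symmetric key."""
    signature = rsa(digest(message), SENDER_SIG_PRIV)
    sym_key = secrets.token_bytes(16)
    encrypted = toy_cipher(sym_key, signature.to_bytes(SIG_LEN, "big") + message)
    envelope = rsa(int.from_bytes(sym_key, "big"), RECV_KX_PUB)
    return encrypted, envelope

def receive(encrypted, envelope):
    """Receiver side, steps 6 to 10."""
    sym_key = rsa(envelope, RECV_KX_PRIV).to_bytes(16, "big")      # step 6
    plain = toy_cipher(sym_key, encrypted)                         # step 7
    signature, message = int.from_bytes(plain[:SIG_LEN], "big"), plain[SIG_LEN:]
    signed_digest = rsa(signature, SENDER_SIG_PUB)                 # step 8
    if signed_digest != digest(message):                           # steps 9-10
        raise ValueError("digest mismatch: message altered in transit")
    return message
```

A single flipped bit in the encrypted message makes the two digests differ, so receive() raises instead of returning the altered order.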
[Figure: Receiver’s Computer. Labels: Receiver’s Private Key-Exchange Key, Decrypt, Digital Envelope, Symmetric Key, Decrypt, Encrypted Message, Message, Sender’s Certificate, Digital Signature, Sender’s Public Signature Key, Decrypt, Message Digest, Message Digest, compare]
[Figure: An Architecture of Electronic Fund Transfer on the Internet. Labels: IC Card Reader, Customer x, Customer y, With Digital Wallets, Certificate Authority, Protocol X.25, Credit Card Brand, Complex Payment Gateway, Simple Payment Gateway, Bank, VAN, Automated Clearinghouse]
Debit Cards
Smart Cards
The concept of e-cash is used in the non-Internet environment
Plastic cards with magnetic stripes (old technology)
Includes IC chips with programmable functions on them which makes cards “smart”
One e-cash card for one application
Recharge the card only at designated locations, such as bank office or a kiosk. Future: recharge at your PC
e.g. Mondex & VisaCash
Mondex Makes Shopping Easy
An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
The stored value in IC card can be delivered in an anonymous mode