
Computer Network Security (EE8213)

PREPARED BY: Atul Dave (500530985), Shaukat Raza (500543780), Simranveer Brar (500468450)

GUIDE & MENTOR BY: Dr. Cungang Yang

Secure Internet Payment Systems

INTRODUCTION

Incorporate the Payment Functions in Internet World
Payment Methods:
  Cash
  Credit Card
  Cheque
  Credit & Debit Transfer


MAJOR INTERNET PAYMENT METHODS

Secure Electronic Transaction (SET) Protocol for Implementing Credit Card Payment
Electronic Cheque System for Supporting Cheque Payment
Electronic Fund Transfer & Electronic Cash System for Emulating Physical Cash Payment
Other Methods, i.e. Micropayment & Smart Card Payment

CREDIT CARD BASED METHODS: CREDIT CARD OVER SSL, SET
ELECTRONIC CHEQUES: NETCHEQUE
ANONYMOUS PAYMENTS: DIGICASH, CAFE
MICROPAYMENTS
SMART CARDS


FEATURES OF SECURE PAYMENT METHODS

ANONYMITY: WHETHER THE PAYMENT METHOD IS ANONYMOUS
SECURITY: WHETHER THE METHOD IS SECURE
OVERHEAD COST: THE OVERHEAD COST MUST BE COMPETENT ENOUGH
TRANSFERABILITY: WHETHER THE TRANSACTION CAN BE DIVIDED INTO ARBITRARY SMALL PAYMENTS WHOSE SUM IS EQUAL TO THE ORIGINAL PAYMENT
ACCEPTABILITY: WHETHER THE METHOD IS ACCEPTED GLOBALLY


4C PAYMENT METHODS

PAYMENT METHOD SHOULD BE:
  VERY SECURE
  LOW OVERHEAD COST
  TRANSFERABLE
  USER FRIENDLY (GLOBALLY ACCEPTED)
  DIVISIBLE
  ANONYMOUS

4C PAYMENT METHODS COMPARISONS

| METHODS / FEATURES | ANONYMITY | SECURITY | OVERHEAD COST | TRANSFERABILITY | DIVISIBILITY | ACCEPTABILITY |
|---|---|---|---|---|---|---|
| CASH | YES, IN GENERAL | GOOD | LOWEST, IN GENERAL | YES | NOT COMPLETELY | YES, IN GENERAL |
| CREDIT CARD | NO | GOOD | HIGHER THAN CASH & DEBIT | NO | YES | YES, IN GENERAL |
| CHEQUE | NO | GOOD | HIGHEST, IN GENERAL | NO | YES | NO, IN GENERAL |
| CREDIT/DEBIT | NO | GOOD | LOW | NO | YES | NO, IN GENERAL |


SET PROTOCOL FOR CREDIT CARD PAYMENT METHOD

THE CREDIT CARD IS THE MOST COMMONLY USED PAYMENT METHOD GLOBALLY.
BEFORE THE INTRODUCTION OF SET PROTOCOL THE SECURE CREDIT CARD PAYMENT WAS USUALLY CARRIED OUT OVER AN SSL CONNECTION.


PROS & CONS OF SSL V/S SET

ADVANTAGE OF SSL: IT ENSURES THE SECURE TRANSMISSION OF CREDIT CARD INFORMATION OVER THE INTERNET
DISADVANTAGE OF SSL: IT IS NOT A COMPLETE CREDIT CARD PAYMENT METHOD
FOR EXAMPLE: IT CANNOT SUPPORT ONLINE CREDIT CARD AUTHORIZATION
SET IS SPECIALLY DEVELOPED TO PROVIDE SECURE CREDIT CARD PAYMENT OVER THE INTERNET
IT IS NOW WIDELY SUPPORTED BY MAJOR CREDIT CARD COMPANIES INCLUDING VISA AND MASTERCARD.


SET NETWORK ARCHITECTURE


SECURITY REQUIREMENTS SET PROTOCOL

SET AIMS AT SATISFYING THE FOLLOWING SECURITY REQUIREMENTS IN THE CONTEXT OF CREDIT CARD PAYMENT:
CONFIDENTIALITY: SENSITIVE MESSAGES ARE ENCRYPTED SO THAT THEY ARE KEPT CONFIDENTIAL
INTEGRITY: NEARLY ALL MESSAGES ARE DIGITALLY SIGNED TO ENSURE CONTENT INTEGRITY
AUTHENTICITY: AUTHENTICATION IS PERFORMED THROUGH A PUBLIC KEY INFRASTRUCTURE.


SET NETWORK PARTICIPANTS

MERCHANT: A SELLER, WHICH IS CONNECTED TO AN ACQUIRER
CARDHOLDER: A REGISTERED HOLDER OF THE CREDIT CARD WHO IS A BUYER
ISSUER: THE BANK THAT ISSUES THE CREDIT CARD TO A CARD HOLDER
ACQUIRER: THE BANK THAT SERVES AS AN AGENT TO LINK A MERCHANT TO MULTIPLE ISSUERS.
PAYMENT GATEWAY: THIS IS TYPICALLY CONNECTED TO THE ACQUIRER. THE PAYMENT GATEWAY IS SITUATED BETWEEN THE SET SYSTEM AND THE FINANCIAL NETWORK


SET DIGITAL CERTIFICATE SYSTEM


DUAL SIGNATURE GENERATION & VERIFICATION

IN THE PHYSICAL CREDIT CARD SYSTEM:
  THE PAYMENT INSTRUCTIONS (PI) INCLUDING THE CARDHOLDER'S CREDIT CARD NUMBER AND SIGNATURE ARE NOT KEPT CONFIDENTIAL
  DATA INTEGRITY CAN BASICALLY BE ENSURED BY USING PRINTED RECEIPTS
  CARDHOLDER'S AUTHENTICATION RELIES ON SIMPLE SIGNATURE CHECKING ONLY
IN AN ELECTRONIC CREDIT CARD SYSTEM:
  THE ORDER INFORMATION (OI) AND PI CAN BE DIGITALLY SIGNED TO ENSURE DATA INTEGRITY
  THE SENSITIVE CREDIT CARD INFORMATION MAY STILL BE DISCLOSED TO OTHER PEOPLE
SET INTRODUCES A NOVEL METHOD CALLED THE DUAL SIGNATURE (DS) TO ENSURE DATA INTEGRITY WHILE PROTECTING THE SENSITIVE INFORMATION

SET NETWORK ARCHITECTURE

DS = E_KRc[ H( H(PI) || H(OI) ) ]

SET PROTOCOL FOR CREDIT CARD PAYMENT: FLOW CHART OF THE PROCESS


HOW THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS?

THE MERCHANT IS PROVIDED WITH OI, H[PI], AND DS
THE DUAL SIGNATURE CAN BE VERIFIED AS FOLLOWS:
STEP 1: THE MERCHANT FIRST FINDS H[H[PI] || H[OI]]
STEP 2: HE THEN DECRYPTS THE DIGITAL SIGNATURE WITH THE CARDHOLDER'S PUBLIC SIGNATURE KEY AS FOLLOWS: D_RSA[DS | KEY_PUBLIC_SIGN,CARDHOLDER], WHERE KEY_PUBLIC_SIGN,CARDHOLDER IS THE PUBLIC SIGNATURE KEY OF THE CARDHOLDER
STEP 3: FINALLY, HE COMPARES THE TWO TERMS H[H[PI] || H[OI]] AND D_RSA[DS | KEY_PUBLIC_SIGN,CARDHOLDER]
THEY SHOULD BE THE SAME IF THE TRANSMITTED DS HAS NOT BEEN CHANGED; OTHERWISE THE ORDER IS NOT VALID


HOW THE MERCHANT AND PAYMENT GATEWAY VERIFY THE DS?

THE PAYMENT GATEWAY IS PROVIDED WITH PI, H[OI], AND DS
BY USING THE DUAL SIGNATURE METHOD, EACH CARDHOLDER CAN LINK OI AND PI WHILE RELEASING ONLY THE NECESSARY INFORMATION TO THE RELEVANT PARTY
IF EITHER THE OI OR PI IS CHANGED, THE DUAL SIGNATURE WILL NO LONGER BE VALID
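
The dual signature steps above, worked through for both verifiers. This is an added example, not code from the original slides; the toy RSA key, the choice of SHA-256 for H, the function names and the sample PI/OI strings are all assumptions made for illustration.

```python
import hashlib

# Toy cardholder signature key (assumption): textbook, unpadded RSA built from two
# Mersenne primes so the example runs offline with the standard library only.
# A real deployment uses padded RSA with properly generated keys.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # KRc, the cardholder's private signature exponent


def H(data: bytes) -> bytes:
    """Message digest; SHA-256 is an assumption, the slides only write H[...]."""
    return hashlib.sha256(data).digest()


def linked_digest(h_pi: bytes, h_oi: bytes) -> int:
    """H[H[PI] || H[OI]] as an integer, ready for the RSA operation."""
    return int.from_bytes(H(h_pi + h_oi), "big")


def make_dual_signature(pi: bytes, oi: bytes) -> int:
    """Cardholder side: DS = E_KRc[H(H(PI) || H(OI))]."""
    return pow(linked_digest(H(pi), H(oi)), D, N)


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] and DS; it never sees the card data in PI."""
    return pow(ds, E, N) == linked_digest(h_pi, H(oi))


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI] and DS; it never sees the order details."""
    return pow(ds, E, N) == linked_digest(H(pi), h_oi)


# Constructed sample messages (not real card data).
PI = b"txn=1001;card=0000-0000-0000-0000;amount=49.90"
OI = b"txn=1001;item=network-security-textbook;amount=49.90"
DS = make_dual_signature(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, H(PI), DS))
    print("gateway accepts: ", gateway_verify(PI, H(OI), DS))
    tampered_oi = OI.replace(b"49.90", b"4.99")
    print("merchant accepts tampered OI:", merchant_verify(tampered_oi, H(PI), DS))
```

Each party recomputes only the half it can see and takes the other half as a digest, so changing either OI or PI breaks the comparison in step 3.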


DIGITAL ENVELOPE

A RANDOM DES KEY (KEY_RANDOM) IS FIRST GENERATED TO ENCRYPT THE MESSAGE, I.E. E_DES[M | KEY_RANDOM]
KEY_RANDOM IS THEN ENCRYPTED BY THE VBS'S PUBLIC KEY-EXCHANGE KEY, SAY KEY_PUBLIC_EXCHANGE, I.E. E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS]
E_DES[M | KEY_RANDOM] AND E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS] ARE SENT TO THE VBS
TO OBTAIN THE MESSAGE M, VBS FIRST OBTAINS KEY_RANDOM BY DECRYPTING E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS], I.E. D_RSA[E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS] | KEY_PRIVATE_EXCHANGE,VBS] = KEY_RANDOM, WHERE KEY_PRIVATE_EXCHANGE,VBS DENOTES THE PRIVATE KEY-EXCHANGE KEY OF THE VBS
AFTER OBTAINING KEY_RANDOM THE VBS CAN OBTAIN M BY DECRYPTING E_DES[M | KEY_RANDOM], I.E. TO FIND D_DES[E_DES[M | KEY_RANDOM] | KEY_RANDOM] = M
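
The envelope exchange above, with both the sender and the VBS side, as an added example that is not part of the original slides. Assumptions: the toy RSA key pair, the function names, the sample message, and a SHA-256 keystream XOR standing in for DES because Python's standard library has no DES.

```python
import hashlib
import secrets

# Toy key-exchange key pair for the recipient (VBS). Assumption: textbook, unpadded
# RSA over two Mersenne primes, chosen only so this runs with the standard library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # KEY_PRIVATE_EXCHANGE,VBS


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_DES / D_DES (assumption): XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(message: bytes):
    """Sender: returns (E_DES[M | KEY_RANDOM], E_RSA[KEY_RANDOM | KEY_PUBLIC_EXCHANGE,VBS])."""
    key_random = secrets.token_bytes(16)            # fresh random key per message
    wrapped_key = pow(int.from_bytes(key_random, "big"), E, N)
    return sym_crypt(key_random, message), wrapped_key


def open_envelope(ciphertext: bytes, wrapped_key: int) -> bytes:
    """Recipient (VBS): unwrap KEY_RANDOM with the private key, then decrypt M."""
    key_random = pow(wrapped_key, D, N).to_bytes(16, "big")
    return sym_crypt(key_random, ciphertext)


# Constructed sample message.
MESSAGE = b"authorization request: txn=1001 amount=49.90"

if __name__ == "__main__":
    ct, wk = seal(MESSAGE)
    print("ciphertext differs from message:", ct != MESSAGE)
    print("recovered:", open_envelope(ct, wk))
```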

SET PROTOCOL ARCHITECTURE


SET PROTOCOL PHASES

SET PROTOCOL HAS FOUR PHASES:
  INITIATION
  PURCHASE
  AUTHORIZATION
  CAPTURE

FIRST THE CARDHOLDER SENDS A PURCHASE INITIATION REQUEST TO THE MERCHANT FOR INITIALIZING THE PAYMENT
THEN THE MERCHANT RETURNS A RESPONSE MESSAGE TO THE CARDHOLDER
IN THE SECOND PHASE, THE CARDHOLDER SENDS THE PURCHASE ORDER TOGETHER WITH THE PAYMENT INSTRUCTION TO THE MERCHANT
IN THE THIRD PHASE, THE MERCHANT OBTAINS THE AUTHORIZATION FROM THE ISSUER VIA THE PAYMENT GATEWAY
FINALLY, THE MERCHANT REQUESTS A MONEY TRANSFER TO ITS ACCOUNT


PAYMENT AUTHORIZATION

THE MERCHANT NEEDS TO OBTAIN PAYMENT AUTHORIZATION FROM THE ACQUIRER
THE AUTHORIZATION REQUEST CONSISTS OF:
  TRANSACTION ID
  AMOUNT REQUESTED
  MESSAGE DIGEST OF ORDER DESCRIPTION
THE AUTHORIZATION REQUEST IS ENCRYPTED BY USING KEY B (PRIVATE KEY OF MERCHANT).
KEY B IS THEN ENCRYPTED BY USING PUBLIC KEY EXCHANGE KEY OF THE PAYMENT GATEWAY TO FORM THE DIGITAL ENVELOPE



PAYMENT AUTHORIZATION

OTHER TRANSACTION INFORMATION
THE MERCHANT SENDS THE FOLLOWING TO THE PAYMENT GATEWAY:
  THE ENCRYPTED AUTHORIZATION REQUEST AND THE ENCRYPTED KEY B
  CARDHOLDER'S AND MERCHANT'S CERTIFICATES
  THE FOLLOWING INFORMATION AS RECEIVED FROM THE CARDHOLDER:
    PI + DS + H[OI] (ALL ENCRYPTED USING KEY A)
    KEY A + CARDHOLDER INFORMATION (ALL ENCRYPTED USING THE PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
AFTER RECEIVING THE AUTHORIZATION REQUEST, THE PAYMENT GATEWAY PROCESSES IT AS FOLLOWS:
  OBTAINS KEY B BY MEANS OF DECRYPTION AND USES IT TO DECRYPT THE AUTHORIZATION REQUEST
  VERIFIES MERCHANT'S CERTIFICATES AND DIGITAL SIGNATURE ON THE AUTHORIZATION REQUEST
  OBTAINS KEY A AND THE CARDHOLDER INFORMATION BY MEANS OF DECRYPTION
  USES KEY A TO OBTAIN THE PI, DS AND H[OI]
  VERIFIES THE DS ACCORDINGLY


PAYMENT AUTHORIZATION

THE PAYMENT GATEWAY ALSO VERIFIES THAT THE RECEIVED TRANSACTION ID IS THE SAME AS THE ONE IN THE PI
BY CHECKING THE ORDER DESCRIPTION IN THE AUTHORIZATION REQUEST MESSAGE, IT CAN BE VERIFIED THAT THE ORDER HAS BEEN ACCEPTED BY THE CARDHOLDER AND THE MERCHANT
UPON ALL SUCCESSFUL VERIFICATIONS, THE PAYMENT GATEWAY FORWARDS THE AUTHORIZATION REQUEST TO THE ISSUER VIA THE CURRENT PAYMENT SYSTEM
AFTER RECEIVING THE AUTHORIZATION FROM THE ISSUER THROUGH THE CURRENT SYSTEM, THE PAYMENT GATEWAY SENDS AN AUTHORIZATION RESPONSE TO THE MERCHANT


PAYMENT AUTHORIZATION

THE PAYMENT GATEWAY SENDS THE FOLLOWING TO THE MERCHANT:
  SIGNED AUTHORIZATION RESPONSE (ENCRYPTED BY KEY C)
  KEY C (ENCRYPTED BY MERCHANT'S PUBLIC KEY EXCHANGE KEY)
  SIGNED CAPTURE TOKEN (ENCRYPTED BY KEY D)
  KEY D + CARDHOLDER INFORMATION (ENCRYPTED BY PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
AFTER RECEIVING THE AUTHORIZATION RESPONSE FROM THE PAYMENT GATEWAY, THE MERCHANT OBTAINS KEY C BY DECRYPTION AND USES IT TO DECRYPT AUTHORIZATION RESPONSE
THE MERCHANT VERIFIES THE PAYMENT GATEWAY'S CERTIFICATE AND THE DIGITAL SIGNATURE ON THE AUTHORIZATION RESPONSE
AFTER OBTAINING THE AUTHORIZATION, THE MERCHANT THEN COMPLETES THE ORDER ACCORDINGLY

PAYMENT CAPTURE

TO BEGIN WITH THE PAYMENT CAPTURE PROCESS, THE MERCHANT GENERATES A CAPTURE REQUEST THAT INCLUDES TRANSACTION ID, CAPTURE AMOUNT AND OTHER INFORMATION ABOUT THE CAPTURE REQUEST
THE CAPTURE REQUEST IS FIRST SIGNED BY USING THE PRIVATE KEY OF THE MERCHANT AND THEN ENCRYPTED WITH A RANDOM SYMMETRIC KEY E
E IS THEN ENCRYPTED BY USING PUBLIC KEY EXCHANGE KEY OF THE PAYMENT GATEWAY TO FORM THE DIGITAL ENVELOPE

PAYMENT CAPTURE

THE MERCHANT SENDS THE FOLLOWING TO THE PAYMENT GATEWAY:
  SIGNED CAPTURE REQUEST (ENCRYPTED BY USING KEY E)
  KEY E (ENCRYPTED BY USING PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
  SIGNED CAPTURE TOKEN (ENCRYPTED BY USING KEY D)
  KEY D + CARDHOLDER INFORMATION (ENCRYPTED BY USING PAYMENT GATEWAY'S PUBLIC KEY EXCHANGE KEY)
  MERCHANT'S DIGITAL CERTIFICATES
AFTER RECEIVING THE CAPTURE REQUEST, THE PAYMENT GATEWAY OBTAINS KEY E BY DECRYPTION AND USES IT TO DECRYPT CAPTURE REQUEST
THE PAYMENT GATEWAY ALSO VERIFIES THE DIGITAL SIGNATURE OF THE CAPTURE REQUEST BY USING MERCHANT'S PUBLIC KEY


PAYMENT CAPTURE

THE PAYMENT GATEWAY OBTAINS KEY D BY DECRYPTION, USES THE KEY TO DECRYPT THE CAPTURE TOKEN, AND VERIFIES THE CAPTURE TOKEN
AFTER SUCCESSFUL VERIFICATION THE PAYMENT GATEWAY SENDS A PAYMENT TRANSFER REQUEST TO THE ISSUER VIA THE CURRENT SYSTEM
THE CAPTURE RESPONSE CREATED BY PAYMENT GATEWAY IS SIGNED BY USING ITS PRIVATE SIGNATURE KEY AND IS ENCRYPTED BY RANDOM SYMMETRIC KEY F
F IS ENCRYPTED BY USING MERCHANT'S PUBLIC KEY EXCHANGE KEY TO FORM THE DIGITAL ENVELOPE


PAYMENT CAPTURE

THE PAYMENT GATEWAY FORWARDS THE FOLLOWING INFORMATION TO THE MERCHANT:
  SIGNED CAPTURE RESPONSE (ENCRYPTED BY KEY F)
  KEY F (ENCRYPTED BY PUBLIC KEY EXCHANGE KEY)
  PAYMENT GATEWAY'S DIGITAL CERTIFICATES
AFTER RECEIVING THE CAPTURE RESPONSE, THE MERCHANT DECRYPTS IT ACCORDINGLY AND VERIFIES THE DIGITAL SIGNATURE.

SMART CARD

AN INTERNET PAYMENT METHOD.
FIRST GENERATION SMART CARDS - CREDIT CARDS AND BANK CARDS.
SMART CARDS ARE INTELLIGENT, INTERACTIVE AND INTEROPERABLE.


SMART CARD COMPONENTS

CENTRAL PROCESSING UNIT: 8-BIT MICROPROCESSOR THAT CONTROLS THE OPERATION OF THE SMART CARD.
RAM: USED TO STORE TEMPORARY DATA.
EPROM: USED TO STORE LONG TERM DATA LIKE CRYPTOGRAPHIC KEYS.
ROM: USED TO STORE PERMANENT DATA SUCH AS THE OPERATING SYSTEM.
I/O INTERFACE: IT PROVIDES DATA INPUT/OUTPUT FUNCTIONS

SMART CARD COMPONENTS

LEVERAGES THE CHECK PAYMENTS SYSTEM, A CORE COMPETENCY OF THE BANKING INDUSTRY.
FITS WITHIN CURRENT BUSINESS PRACTICES
WORKS LIKE A PAPER CHECK DOES BUT IN PURE ELECTRONIC FORM, WITH FEWER MANUAL STEPS.
CAN BE USED BY ALL BANK CUSTOMERS WHO HAVE CHECKING ACCOUNTS
DIFFERENT FROM ELECTRONIC FUND TRANSFERS

HOW DOES ELECTRONIC CHEQUE WORK?

EXACTLY SAME WAY AS PAPER
CHECK WRITER "WRITES" THE ECHECK USING ONE OF MANY TYPES OF ELECTRONIC DEVICES
"GIVES" THE ECHECK TO THE PAYEE ELECTRONICALLY.
PAYEE "DEPOSITS" ECHECK, RECEIVES CREDIT
PAYEE'S BANK "CLEARS" THE ECHECK TO THE PAYING BANK.
PAYING BANK VALIDATES THE ECHECK AND "CHARGES" THE CHECK WRITER'S ACCOUNT FOR THE CHECK.

ANONYMOUS E-PAYMENT PROCESS

PARTIES SHOWN: CUSTOMER, MERCHANT
1. WITHDRAW MONEY: CRYPTOGRAPHICALLY ENCODED TOKENS
2. TRANSFORM SO MERCHANT CAN CHECK VALIDITY BUT IDENTITY HIDDEN
3. SEND TOKEN AFTER ADDING MERCHANT'S IDENTITY
4. CHECK VALIDITY AND SEND GOODS
5. DEPOSIT TOKEN AT BANK. IF DOUBLE SPENT REVEAL IDENTITY AND NOTIFY POLICE


QUESTION & ANSWER


THANK YOU
