Internet payment systems
Varna Free University, E-BUSINESS, Prof. Teodora Bakardjieva

E Business Internet Payment Systems

  • Internet payment systems
    Varna Free University
    E-BUSINESS
    Prof. Teodora Bakardjieva

    27 Sept. 99

  • Outline
    - Introduction
    - Issues related
    - Security
    - Outstanding protocols
    - Mechanisms
    - Advantages and disadvantages
    - Conclusion

  • Introduction
    - In the past year, the number of users reachable through Internet has increased dramatically
    - Potential to establish a new kind of open marketplace for goods and services

  • Introduction (cont)
    - Online shops in Internet
      - Bookshop (Amazon.com)
      - Flight Reservation and Hotel Reservation, shopping place, etc.
    - An effective payment mechanism is needed

  • Issues related
    - Security
    - Performance
    - Reliability
    - Efficiency
    - Bandwidth
    - Anonymity (mainly in electronic coins)

  • Security
    - Internet is not a secure place
    - There are attacks from:
      - eavesdropping
      - masquerading
      - message tampering
      - replay

  • How to solve?
    - RSA public key cryptography is widely used for authentication and encryption in the computer industry
    - Using public/private (asymmetric) key pair or symmetric session key to prevent eavesdropping

  • How to solve? (cont)
    - Using message digest to prevent message tampering
    - Using nonce to prevent replay
    - Using digital certificate to prevent masquerading
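
The digest and nonce checks from the two "How to solve?" slides, as an added example that is not part of the original slides. It swaps in a keyed digest (HMAC-SHA256 under a hypothetical shared session key) for the digest-plus-RSA-signature pairing, because a bare digest can be recomputed by whoever alters the message; the order fields are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical session key already shared by payer and payee (assumption).
SESSION_KEY = secrets.token_bytes(32)

def seal(order: dict, key: bytes = SESSION_KEY) -> dict:
    """Sender: bind a fresh nonce to the order and attach a keyed digest."""
    body = json.dumps({"nonce": secrets.token_hex(16), "order": order},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Receiver:
    """Payee side: verifies the digest first, then the nonce's freshness."""

    def __init__(self, key: bytes = SESSION_KEY):
        self.key = key
        self.seen_nonces = set()   # must persist for the lifetime of the key

    def accept(self, msg: dict) -> str:
        expected = hmac.new(self.key, msg["body"].encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; any change to the body changes the digest.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: tampered"
        nonce = json.loads(msg["body"])["nonce"]
        # An authentic message seen before is a replay, not a new payment.
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "accepted"

if __name__ == "__main__":
    rx = Receiver()
    msg = seal({"payee": "merchant-1", "amount": "19.99"})  # constructed sample
    print(rx.accept(msg))   # first delivery
    print(rx.accept(msg))   # same bytes delivered again
```

The nonce is covered by the digest, so it cannot be swapped for a fresh one without invalidating the tag.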

  • Outstanding protocols
    - Credit card based
      - Secure Electronic Transaction (SET)
      - Secure Socket Layer (SSL)
    - Electronic coins
      - DigiCash
      - NetCash

  • Credit-card based systems
    - Parties involved: cardholder, merchant, issuer, acquirer and payment gateway
    - Transfer user's credit-card number to merchant via insecure network
    - A trusted third party to authenticate the public key

  • Secure Electronic Transaction (SET)
    - Developed by VISA and MasterCard
    - To facilitate secure payment card transactions over the Internet
    - Digital Certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity
    - It is the most secure payment protocol

  • Framework
    [Figure not reproduced; labels: SET, Non-SET]

  • Payment processes
    The messages needed to perform a complete purchase transaction usually include:
    - Initialization (PInitReq/PInitRes)
    - Purchase order (PReq/PRes)
    - Authorization (AuthReq/AuthRes)
    - Capture of payment (CapReq/CapRes)

  • Typical SET Purchase Trans.
    [Figure not reproduced; parties labelled: CardHolder, Payment Gateway]
    Message sequence: PInitReq, PInitRes, PReq, PRes, AuthReq, AuthRes, CapReq, CapRes

  • Initialization
    Parties: Cardholder, Merchant
    - PInitReq: {BrandID, LID_C, Chall_C}
    - PInitRes: {TransID, Date, Chall_C, Chall_M}SigM, CA, CM

  • Purchase order
    Parties: Cardholder, Merchant
    - PReq: {OI, PI}
    - PRes: {TransID, [Results], Chall_C}SigM

  • Authorization
    Parties: Merchant, Acquirer, Issuer
    - {{AuthReq}SigM}PKA
    - {{AuthRes}SigA}PKM
    - Existing Financial Network

  • Capture of payment
    Parties: Merchant, Acquirer, Issuer
    - CapReq, CapToken
    - {{CapRes}SigA}PKM
    - Existing Financial Network: Clearing, CapToken

  • Advantages
    - It is secure enough to protect user's credit-card numbers and personal information from attacks
    - hardware independent
    - world-wide usage

  • Disadvantages
    - User must have a credit card
    - No transfer of funds between users
    - It is not cost-effective when the payment is small
    - No anonymity; it is traceable

  • Electronic cash/coins
    - Parties involved: client, merchant and bank
    - Client must have an account in the bank
    - Less security and encryption
    - Suitable for small payment, but not for large payment

  • DigiCash (E-cash)
    - A fully anonymous electronic cash system
    - Using blind signature technique
    - Parties involved: bank, buyer and merchant
    - Using RSA public-key cryptography
    - Special client and merchant software are needed

  • Withdrawing Ecash coins
    - User's cyberwallet software calculates how many digital coins are needed to withdraw the requested amount
    - The software then generates random serial numbers for those coins
    - The serial numbers are blinded by multiplying them by a random factor

  • Withdrawing Ecash coins (cont)
    - Blinded coins are packaged into a message, digitally signed with user's private key, encrypted with the bank's public key, then sent to the bank
    - When the bank receives the message, it checks the signature
    - After signing the blind coins, the bank returns them to the user

  • Spending Ecash

  • Advantages
    - Cost-effective for small payment
    - User can transfer his electronic coins to other users
    - No need to apply for a credit card
    - Anonymous feature
    - Hardware independent

  • Disadvantages
    - It is not suitable for large payment because of lower security
    - Client must use wallet software in order to store the withdrawn coins from the bank
    - A large database is needed to store used serial numbers to prevent double spending

  • Comparisons
    SET
    - use credit card
    - 5 parties involved
    - no anonymity
    - large and small payment

    Ecash
    - use e-coins
    - 3 parties involved
    - anonymous nature
    - a large database is needed to log used serial numbers
    - small payment

  • Conclusions
    - An effective, secure and reliable Internet payment system is needed
    - Depending on the payment amount, different levels of security are used
    - SET protocol is an outstanding payment protocol for secure electronic commerce
