Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding

Security Protocols and E-commerce

University of Palestine Eng. Wisam Zaqoot April 2010

ITSS 4201 Internet Insurance and ITSS 4201 Internet Insurance and Information HidingInformation Hiding

Security protocols used in Ecommerce

We already studied various security technologies: Encryption Authentication Key distribution Message integrity Digital signature

We also studied how these techniques are used in securing electronic transactions. Here we will continue by studying some security protocols used in Ecommerce.


Since 1990s a lot of schemes appeared but only a few of them succeeded and became widely implemented. Among the most successful are SSL and SET.

1- Secure Socket Layer protocol (SSL) is used by the vast majority of internet secure transactions. SSL is implemented in all popular browsers and web servers. Furthermore, it is the basis of the the Transport Layer Security (TLS) protocol.

2- Secure Electronic Transactions protocol (SET) which is competing with SSL.


In Ecommerce whether with SSL or SET, usually uses payment credit and debit card infrastructure.

The three major players in this infrastructure: customers, merchants and financial institutions.

We will see that SSL provides security for communication between the first two players (the customer and the merchant), while SET provides security for communication among all three players.

Secure Socket Layer protocol (SSL)

SSL was originally designed by Netscape. It was developed to provide encryption and authentication between a web client and a web server.

SSL begins with a handshake phase that consists of two main steps: Negotiating the encryption algorithm Authenticating identity (optional)

After that, encrypted data can be sent.


Negotiating the encryption algorithm:

SSL session begins with a negotiation between the client and the server about the cipher suite. The cipher suite includes the public key encryption algorithms, symmetric key encryption algorithms, hash functions and key sizes to be used.

The client tells the server which cipher suites it has available, and the server chooses the best mutually acceptable cipher suite.


Authenticating the server: It is an optional step, but in ecommerce, it is

always a good idea to authenticate the server. To authenticate the server, the server presents its

public key certificate to the client. If this certificate is valid, the client can be sure about the identity of the server and the organization that owns it.

Practically, the SSL enabled browser maintains a list of trusted Certification Authorities (CAs) with the public keys of these CAs.


The client and the server exchange information that allows them to agree on the secret key.

For example, with RSA, the client uses the server's public key, obtained from the public key certificate, to encrypt the session key information. The client sends the encrypted session key information to the server.

Only the server can decrypt this message since the server's private key is required for this decryption.

In some cases the server needs to authenticate the client.

Overview of the handshake phase of SSL


Both the client and the server now have access to the same session key.

With each message, they use the cryptographic hash function (chosen in the first step of the negotiation process), to use it in digital signature.

They use the session key and the session key algorithm (chosen in the first step of the negotiation process), to encrypt the data and the message digest.


Notes about SSL: SSL is the basis of the TLS too. SSL and TLS are not limited to web applications. In

fact, they can be used for authentication and data encryption in IMAP mail access.

SSL can be seen as a layer between the application layer and the transport layer. On the sender side, It receives data (for example http messages) from the application layer and encrypts it before directing the encrypted data to a TCP socket. The opposite happens at the receiver side.

Exercise:

Check the certificates accredited by your browser. For example, if you use Internet Explorer 7 choose :

Tools -> Internet Options

-> Content

-> Certificates.

Limitations of SSL in E-commerce: SSL is popular today. SSL enabled servers and

browsers provide a popular platform for card transactions.

In spite of that, SSL was not developed specifically for card payment, but instead for generic secure communication between a client and a server.

Limitations of SSL in E-commerce:

The generic design of SSL may cause problems. For example, by using SSL we can authenticate the customer and the merchant, but we can’t be sure whether the merchant is authorized to accept payment, nor whether the customer is authorized to pay money.

SSL also doesn’t tie a client to a specific card. For these reasons we need a protocol that

handles authentication and authorization for card payments transactions. The answer was the SET protocol.

Secure Electronic Transaction Protocol (SET)

SET was developed in 1996 by Visa, MasterCard, Microsoft, Netscape, IBM among others.

This protocol was designed specifically to secure card payment transactions over the internet. It encrypts payment related messages.

SET can’t be used for general purposes like encrypting arbitrary text of images.

SET involves all three players in E-payment (who are they?).


In SET all three players must have certificates. The customer’s and merchant’s certificates are

issued by their banks in order to assure that they are permitted to make/receive payments by cards.

In a SET transaction, the customers card number is passed to the merchant’s bank. This number is never seen by the merchant as plaintext.



SET is extremely secure since: All players must hold trusted certificates. All parties are authenticated. SET provides privacy, merchant will never see the

customer’s card number. SET provides data integrity SET provides customer non-repudiation guarantee SET provides customer and merchant

authorization.


To handle SET, the customer needs to have an “e-wallet”, which is a software that runs the client side of the SET protocol and stores customer payment-card information.

Why SET failed to win market?

The disadvantages of SET:

SET is not easy to implement. SET requires the customer to install an e-wallet. It is expensive to integrate with legacy

applications. It is more secure than what is usually needed.

Documents

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding