Nov 2, 2013

Internet payment systems

Varna Free University

E-BUSINESS

Prof. Teodora Bakardjieva


27 Sept. 99

2

Outline


Introduction


Issues related


Security


Outstanding protocols


Mechanisms


Advantages and disadvantages


Conclusion


Introduction


In the past year, the number of users reachable through the Internet has increased dramatically


Potential to establish a new kind of
open marketplace for goods and
services


Introduction (cont)


Online shops on the Internet


Bookshop (Amazon.com)


Flight reservation and hotel reservation, shopping places, etc.


An effective payment mechanism is
needed


Issues related


Security


Performance


Reliability


Efficiency


Bandwidth


Anonymity (mainly in electronic coins)


Security


The Internet is not a secure place


There are attacks from:


eavesdropping


masquerading


message tampering


replay



How to solve?


RSA public key cryptography is widely used for authentication and encryption in the computer industry


Using a public/private (asymmetric) key pair or a symmetric session key to prevent eavesdropping


How to solve? (cont)


Using a message digest to prevent message tampering


Using a nonce to prevent replay


Using a digital certificate to prevent masquerading


Outstanding protocols


Credit card based


Secure Electronic Transaction (SET)


Secure Socket Layer (SSL)


Electronic coins


DigiCash


NetCash


Credit-card based systems


Parties involved: cardholder, merchant,
issuer, acquirer and payment gateway


The user's credit-card number is transferred to the merchant over an insecure network


A trusted third party is needed to authenticate the public key


Secure Electronic Transaction
(SET)


Developed by VISA and MasterCard


To facilitate secure payment card
transactions over the Internet


Digital Certificates create a trust chain
throughout the transaction, verifying
cardholder and merchant validity


It is the most secure payment protocol


Framework (diagram)

Card Holder <-SET-> Merchant <-SET-> Payment Gateway <-Non-SET-> Financial Network <-Non-SET-> Card Issuer

Payment processes


The messages needed to perform a
complete purchase transaction usually
include:


Initialization (PInitReq/PInitRes)


Purchase order (PReq/PRes)


Authorization (AuthReq/AuthRes)


Capture of payment (CapReq/CapRes)

Typical SET purchase transaction (diagram)

Cardholder <-> Merchant: PInitReq / PInitRes, then PReq / PRes

Merchant <-> Payment Gateway: AuthReq / AuthRes, then CapReq / CapRes

Initialization

Cardholder -> Merchant: PInitReq: {BrandID, LID_C, Chall_C}

Merchant -> Cardholder: PInitRes: {TransID, Date, Chall_C, Chall_M}Sig_M, C_A, C_M

Purchase order

Cardholder -> Merchant: PReq: {OI, PI}

Merchant -> Cardholder: PRes: {TransID, [Results], Chall_C}Sig_M
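The nonce, digest-signature and certificate checks that the "How to solve?" slides list, as they appear in the initialization and purchase-order exchanges above, worked through as an added example that is not part of the original lecture and not SET's specification code. A toy textbook RSA over small fixed primes (no padding, SHA-256 digest reduced modulo n) stands in for the real keys; the CA, merchant and impostor key values, the Date string, the field names and C_M being read as "the merchant's certificate signed by the CA" are all constructed assumptions, and the OI/PI purchase payload is left out. The cardholder rejects a response whose certificate was not issued by the CA (masquerading), whose Sig_M does not match the message digest (tampering), or whose Chall_C is not the nonce it sent (replay of an earlier PInitRes).

```python
import hashlib
import json
import secrets


# Toy textbook RSA over small fixed primes, constructed for this example only
# (real SET used long keys with proper padding). A key is (n, e, d); the
# public half is (n, e). pow(e, -1, phi) needs Python 3.8+.
E = 65537


def make_key(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E, pow(E, -1, phi))


CA_KEY = make_key(1000000007, 998244353)        # certificate authority (assumed)
MERCHANT_KEY = make_key(1000000009, 999999937)  # genuine merchant (assumed)
IMPOSTOR_KEY = make_key(1000000007, 999999937)  # party masquerading as the merchant


def digest(obj) -> int:
    """Message digest: SHA-256 over a canonical JSON encoding, as an integer."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(obj, key) -> int:
    """Sig_X: the signer's RSA private operation on the message digest."""
    n, _, d = key
    return pow(digest(obj) % n, d, n)


def verify(obj, sig, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(obj) % n


def make_cert(subject, key, issuer_key):
    """A certificate: the subject's public key signed by the issuer (C_M when the CA issues it)."""
    body = {"subject": subject, "pub": list(key[:2])}
    return {"body": body, "sig": sign(body, issuer_key)}


MERCHANT_CERT = make_cert("merchant", MERCHANT_KEY, CA_KEY)


def cardholder_pinitreq(brand="VISA"):
    """PInitReq: {BrandID, LID_C, Chall_C}; Chall_C is a fresh random nonce."""
    return {"BrandID": brand, "LID_C": secrets.token_hex(4), "Chall_C": secrets.token_hex(16)}


def merchant_pinitres(req, key=MERCHANT_KEY, cert=MERCHANT_CERT):
    """PInitRes: {TransID, Date, Chall_C, Chall_M} signed by the merchant, sent with C_M."""
    body = {"TransID": secrets.token_hex(8), "Date": "1999-09-27",
            "Chall_C": req["Chall_C"], "Chall_M": secrets.token_hex(16)}
    return {"body": body, "Sig_M": sign(body, key), "C_M": cert}


def impostor_pinitres(req):
    """Masquerading: an impostor answers with its own key and a self-signed certificate."""
    return merchant_pinitres(req, IMPOSTOR_KEY, make_cert("merchant", IMPOSTOR_KEY, IMPOSTOR_KEY))


def tampered(res, trans_id):
    """Tampering in transit: TransID is altered while Sig_M is left as it was."""
    return dict(res, body=dict(res["body"], TransID=trans_id))


def cardholder_check_pinitres(req, res, ca_pub=CA_KEY[:2]) -> str:
    """The cardholder's three checks on PInitRes; the string names the failed check."""
    cert = res["C_M"]
    if not verify(cert["body"], cert["sig"], ca_pub):
        return "reject: C_M was not issued by the CA (masquerading)"
    if not verify(res["body"], res["Sig_M"], tuple(cert["body"]["pub"])):
        return "reject: Sig_M does not match the message (tampering)"
    if res["body"]["Chall_C"] != req["Chall_C"]:
        return "reject: Chall_C is not the nonce we sent (replay)"
    return "accept"


if __name__ == "__main__":
    req = cardholder_pinitreq()
    res = merchant_pinitres(req)
    print(cardholder_check_pinitres(req, res))
    print(cardholder_check_pinitres(cardholder_pinitreq(), res))      # stale PInitRes replayed
    print(cardholder_check_pinitres(req, tampered(res, "deadbeef")))
    print(cardholder_check_pinitres(req, impostor_pinitres(req)))
```

The replayed response carries a perfectly valid merchant signature; only the Chall_C comparison catches it, which is why the nonce has to be generated fresh per request and remembered by the cardholder until the response arrives.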

Authorization

Merchant -> Acquirer: {{AuthReq}Sig_M}PK_A

Acquirer -> Merchant: {{AuthRes}Sig_A}PK_M

Acquirer <-> Issuer: over the existing financial network

Capture of payment

Merchant -> Acquirer: CapReq (carrying the CapToken obtained at authorization)

Acquirer -> Merchant: {{CapRes}Sig_A}PK_M

Acquirer <-> Issuer: clearing over the existing financial network

Advantages


It is secure enough to protect users' credit-card numbers and personal information from attacks


Hardware independent


World-wide usage



Disadvantages


User must have credit card


No transfer of funds between users


It is not cost-effective when the payment is small


No anonymity; transactions are traceable


Electronic cash/coins


Parties involved: client, merchant and
bank


Client must have an account in the bank


Lower security and less encryption


Suitable for small payments, but not for large payments


DigiCash (E-cash)


A fully anonymous electronic cash
system


Using the blind signature technique


Parties involved: bank, buyer and merchant


Using RSA public-key cryptography


Special client and merchant software is needed


Withdrawing Ecash coins


The user's cyberwallet software calculates how many digital coins are needed to withdraw the requested amount


The software then generates random serial numbers for those coins


The serial numbers are blinded by multiplying each one by a random factor


Withdrawing Ecash coins
(cont)


Blinded coins are packaged into a message, digitally signed with the user's private key, encrypted with the bank's public key, then sent to the bank


When the bank receives the message, it
checks the signature


After signing the blind coins, the bank
returns them to the user


Spending Ecash


Advantages


Cost-effective for small payments


A user can transfer his electronic coins to another user


No need to apply for a credit card


Anonymous feature


Hardware independent


Disadvantages


It is not suitable for large payments because of its lower security


The client must use wallet software to store the coins withdrawn from the bank


A large database is needed to store used serial numbers to prevent double spending
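The withdrawal steps from the "Withdrawing Ecash coins" slides and the used-serial-number database named just above, carried through as an added example that is not DigiCash's code. A toy textbook RSA bank key over small fixed primes is a constructed assumption, as are the Bank class and its method names; the wallet blinds each serial number by multiplying it by r^e mod n for a random factor r, the bank signs the blinded value without ever seeing the serial, the wallet divides the factor back out, and at spending time the bank accepts a serial once and refuses it on any later deposit. The signing and encryption of the withdrawal message with the user's and bank's keys described on the slides is omitted.

```python
import math
import secrets


# Toy textbook RSA bank key over small fixed primes, constructed for this example
# only (a deployed bank key is far larger). (N, E) is public; D is the bank's secret.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Python 3.8+


def blind(serial: int):
    """Wallet: hide the serial by multiplying it by r^e mod n; keep r to unblind later."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:          # r must be invertible mod N
            return (serial * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """Wallet: (serial * r^e)^d = serial^d * r mod n, so dividing by r leaves serial^d."""
    return (blinded_sig * pow(r, -1, N)) % N


def coin_is_valid(serial: int, sig: int) -> bool:
    """Anyone holding (N, E) can check that sig is the bank's signature on serial."""
    return pow(sig, E, N) == serial % N


class Bank:
    def __init__(self):
        self.blinded_seen = []      # everything the bank sees at withdrawal time
        self.used_serials = set()   # the double-spending database

    def sign_blinded(self, blinded: int) -> int:
        """Withdrawal: sign what the wallet sent; the serial itself never reaches the bank."""
        self.blinded_seen.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: int, sig: int) -> bool:
        """Spending: the merchant hands the coin to the bank, which honours each serial once."""
        if not coin_is_valid(serial, sig):
            return False                # forged or corrupted coin
        if serial in self.used_serials:
            return False                # double spending detected
        self.used_serials.add(serial)
        return True


def withdraw_coin(bank: Bank):
    """One coin's full withdrawal: random serial -> blind -> bank signs -> unblind."""
    serial = secrets.randbelow(N - 1) + 1
    blinded, r = blind(serial)
    sig = unblind(bank.sign_blinded(blinded), r)
    return serial, sig


if __name__ == "__main__":
    bank = Bank()
    serial, sig = withdraw_coin(bank)
    print("coin valid:", coin_is_valid(serial, sig))
    print("bank saw the serial during withdrawal:", serial in bank.blinded_seen)
    print("first spend accepted:", bank.deposit(serial, sig))
    print("second spend accepted:", bank.deposit(serial, sig))
```

Two points a practitioner should take from running it: the anonymity comes entirely from the bank seeing only serial * r^e, so the wallet must draw r from a cryptographic source and discard it after unblinding; and because textbook RSA is multiplicative, signing a bare serial as this toy does would let two valid coins be combined into a third, which is why a deployed scheme signs a hash or other structured encoding of the serial.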


Comparisons

                     SET                        Ecash
Payment instrument   credit card                e-coins
Parties involved     5                          3
Anonymity            not anonymous              anonymous nature
Payment size         large and small payments   small payments
Server storage                                  a large database is needed to log used serial numbers

Conclusions


An effective, secure and reliable Internet payment system is needed


Depending on the payment amount, a different level of security is used


The SET protocol is an outstanding payment protocol for secure electronic commerce