TRANSCRIPT
Internet payment systems
Varna Free University
E-BUSINESS
Prof. Teodora Bakardjieva
27 Sept. 99
Outline
• Introduction
• Issues related
• Security
• Outstanding protocols
• Mechanisms
• Advantages and disadvantages
• Conclusion
Introduction
• In the past year, the number of users reachable through the Internet has increased dramatically
• Potential to establish a new kind of open marketplace for goods and services
Introduction (cont)
• Online shops on the Internet
  – Bookshop (Amazon.com)
  – Flight reservation and hotel reservation
  – Shopping place, etc.
• An effective payment mechanism is needed
Issues related
• Security
• Performance
• Reliability
• Efficiency
• Bandwidth
• Anonymity (mainly in electronic coins)
Security
• The Internet is not a secure place
• There are attacks from:
  – eavesdropping
  – masquerading
  – message tampering
  – replay
How to solve?
• RSA public-key cryptography is widely used for authentication and encryption in the computer industry
• Using a public/private (asymmetric) key pair, or a symmetric session key exchanged under it, to encrypt traffic and prevent eavesdropping
How to solve? (cont)
• Using a message digest, signed or keyed as a MAC, to detect message tampering (a bare hash is not enough: an attacker who changes the message can recompute it)
• Using a nonce (a fresh random challenge that the reply must echo) to prevent replay
• Using a digital certificate (a CA-signed binding of an identity to its public key) to prevent masquerading
Outstanding protocols
• Credit card based
  – Secure Electronic Transaction (SET)
  – Secure Socket Layer (SSL)
• Electronic coins
  – DigiCash
  – NetCash
Credit-card based systems
• Parties involved: cardholder, merchant, issuer, acquirer and payment gateway
• The user's credit-card number must be transferred to the merchant (or its payment gateway) over an insecure network
• A trusted third party (certificate authority) authenticates the parties' public keys
Secure Electronic Transaction (SET)
• Developed by VISA and MasterCard
• To facilitate secure payment card transactions over the Internet
• Digital Certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity
• It is regarded as the most secure of the payment protocols discussed here
Framework (figure): Card Holder and Merchant, and Merchant and Payment Gateway, communicate with SET; Payment Gateway and Card Issuer use the existing (non-SET) Financial Network.
Payment processes
• The messages needed to perform a complete purchase transaction usually include:
  – Initialization (PInitReq/PInitRes)
  – Purchase order (PReq/PRes)
  – Authorization (AuthReq/AuthRes)
  – Capture of payment (CapReq/CapRes)
Typical SET purchase transaction (figure): Cardholder and Merchant exchange PInitReq/PInitRes and PReq/PRes; Merchant and Payment Gateway exchange AuthReq/AuthRes and CapReq/CapRes.
Initialization
Cardholder → Merchant, PInitReq: {BrandID, LID_C, Chall_C}
Merchant → Cardholder, PInitRes: {TransID, Date, Chall_C, Chall_M}SigM, CA, CM
Purchase order
Cardholder → Merchant, PReq: {OI, PI}
Merchant → Cardholder, PRes: {TransID, [Results], Chall_C}SigM
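The initialization and purchase-order exchanges above, together with the four countermeasures from the "How to solve?" slides, as an added example that is not part of the lecture or of the SET specification: a Python simulation of PInitReq/PInitRes and PReq/PRes in which the cardholder's challenge Chall_C is the anti-replay nonce, SigM is a hash-then-sign RSA signature, and the PI is sealed for the payment gateway so the merchant never sees the card number. The example assumes textbook RSA over fixed Mersenne primes (demo key material, no PKCS#1 padding), JSON message encoding, a merchant public key the cardholder treats as already certified (the CM certificate of the slide), and it leaves out the cardholder signature and dual signature of real SET; the attack demo at the end shows what each mechanism rejects.

```python
# Added example (not lecture or SET code): toy SET-style PInit and purchase order.
import hashlib
import json
import secrets

E = 65537
M521, M607 = 2**521 - 1, 2**607 - 1        # Mersenne primes: demo key material only
M1279, M2203 = 2**1279 - 1, 2**2203 - 1    # (real keys: random primes, proper padding)


def make_key(p, q):
    """Return (public, private) textbook RSA key parts for primes p and q."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def encode(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:           # {data}Sig: hash, then RSA-sign the hash
    return pow(digest(data), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data)


def encrypt(pub, data: bytes) -> int:          # {data}PK: 0x01 fixes the length,
    padded = b"\x01" + secrets.token_bytes(16) + data   # random bytes stop equal
    return pow(int.from_bytes(padded, "big"), pub["e"], pub["n"])  # PIs matching


def decrypt(priv, c: int) -> bytes:
    m = pow(c, priv["d"], priv["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[17:]


MERCHANT_PUB, MERCHANT_PRIV = make_key(M521, M607)    # assumed certified via CM
GATEWAY_PUB, GATEWAY_PRIV = make_key(M1279, M2203)    # PKA of the acquirer gateway


def merchant_pinit_res(req):
    """Merchant answers PInitReq: echo Chall_C, add its own Chall_M, sign (SigM)."""
    body = {"TransID": secrets.token_hex(8), "Date": "1999-09-27",
            "Chall_C": req["Chall_C"], "Chall_M": secrets.token_hex(16)}
    return body, sign(MERCHANT_PRIV, encode(body))


def cardholder_accepts_pinit_res(chall_c, body, sig):
    """SigM must verify under the certified merchant key and Chall_C must be the
    nonce this cardholder just sent: an altered or stale PInitRes fails here."""
    return verify(MERCHANT_PUB, encode(body), sig) and body["Chall_C"] == chall_c


def run_purchase(pan="4111111111111111", amount="19.95"):
    """PInitReq/PInitRes, then PReq/PRes with the PI sealed for the gateway only."""
    chall_c = secrets.token_hex(16)
    body, sig = merchant_pinit_res({"BrandID": "VISA", "LID_C": "0001", "Chall_C": chall_c})
    if not cardholder_accepts_pinit_res(chall_c, body, sig):
        raise ValueError("PInitRes rejected")
    trans = body["TransID"]
    oi = {"TransID": trans, "item": "book", "amount": amount}      # merchant reads OI
    pi = encrypt(GATEWAY_PUB, encode({"TransID": trans, "PAN": pan, "amount": amount}))
    # The merchant forwards the opaque PI inside AuthReq; the gateway opens it and
    # checks it belongs to this transaction and matches the order amount.
    opened = json.loads(decrypt(GATEWAY_PRIV, pi))
    approved = opened["TransID"] == oi["TransID"] and opened["amount"] == oi["amount"]
    pres = {"TransID": trans, "Results": "approved" if approved else "declined",
            "Chall_C": chall_c}
    return {"pres": pres, "sigM": sign(MERCHANT_PRIV, encode(pres)),
            "pan_visible_to_merchant": pan.encode() in encode(oi)}


def attack_demo():
    """What the signature, the nonce and the certified key each reject."""
    chall_c = secrets.token_hex(16)
    body, sig = merchant_pinit_res({"BrandID": "VISA", "LID_C": "0001", "Chall_C": chall_c})
    return {
        "genuine": cardholder_accepts_pinit_res(chall_c, body, sig),
        # message tampering: Date changed in transit, SigM no longer matches
        "tampered": cardholder_accepts_pinit_res(chall_c, dict(body, Date="2000-01-01"), sig),
        # replay: a captured PInitRes carries an old Chall_C, not the new session's
        "replayed": cardholder_accepts_pinit_res(secrets.token_hex(16), body, sig),
        # masquerading: signed with a key that is not the certified merchant key
        "impostor": cardholder_accepts_pinit_res(chall_c, body, sign(GATEWAY_PRIV, encode(body))),
    }


if __name__ == "__main__":
    print(run_purchase()["pres"])
    print(attack_demo())
```

The design point to take from the simulation is the separation of OI and PI: the merchant learns the order and the gateway learns the card, and the gateway's check that both carry the same TransID and amount is what ties them together without either party seeing the other's data.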
Authorization
Merchant → Acquirer: {{AuthReq}SigM}PKA
Acquirer → Merchant: {{AuthRes}SigA}PKM
Acquirer ↔ Issuer: existing financial network
Capture of payment
Merchant → Acquirer: CapReq with CapToken
Acquirer → Merchant: {{CapRes}SigA}PKM
Acquirer ↔ Issuer: clearing over the existing financial network
Advantages
• It is secure enough to protect the user's credit-card number and personal information from attack
• Hardware independent
• World-wide usage
Disadvantages
• The user must have a credit card
• No transfer of funds between users
• It is not cost-effective when the payment is small
• No anonymity: every transaction is traceable
Electronic cash/coins
• Parties involved: client, merchant and bank
• The client must have an account at the bank
• Lighter security and less encryption than credit-card based systems
• Suitable for small payments, but not for large ones
DigiCash (E-cash)
• A fully anonymous electronic cash system
• Using the blind signature technique
• Parties involved: bank, buyer and merchant
• Using RSA public-key cryptography
• Special client and merchant software are needed
Withdrawing Ecash coins
• The user's cyberwallet software calculates how many digital coins are needed to withdraw the requested amount
• The software then generates random serial numbers for those coins
• The serial numbers are blinded by multiplying each by a random factor, so the bank never sees them
Withdrawing Ecash coins (cont)
• The blinded coins are packaged into a message, digitally signed with the user's private key, encrypted with the bank's public key, then sent to the bank
• When the bank receives the message, it checks the signature
• After signing the blinded coins, the bank returns them to the user, whose software divides out the blinding factor to obtain coins the bank has validly signed but never saw
Spending Ecash
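The withdrawal steps on the two slides above, the spending of a coin, and the bank's used-serial database from the later "Disadvantages" slide, as an added example that is not from the lecture or from DigiCash's software: a Python implementation of Chaum-style RSA blind signatures in which the wallet blinds fresh serials, the bank signs them blindly and debits the account, the wallet unblinds, and a merchant deposit of the same serial twice is caught as a double spend. The example assumes textbook RSA over fixed Mersenne primes for the bank's one-unit coin key (demo key material only), and replaces the lecture's signed-and-encrypted withdrawal message with a direct call to the bank.

```python
# Added example (not lecture or DigiCash code): blind-signature e-cash cycle.
import hashlib
import math
import secrets

E = 65537
M521, M607 = 2**521 - 1, 2**607 - 1        # Mersenne primes: demo key material only
N = M521 * M607                             # bank's public modulus for 1-unit coins
D = pow(E, -1, (M521 - 1) * (M607 - 1))     # bank's private signing exponent


def serial_hash(serial: bytes) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")


def blind(serial: bytes):
    """Hide H(serial) behind a random factor r: the bank sees only H(s)*r^e mod N,
    which is uniformly random, so it cannot later link the serial to this withdrawal."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r, (serial_hash(serial) * pow(r, E, N)) % N


def unblind(blind_sig: int, r: int) -> int:
    """(H(s)*r^e)^d * r^-1 = H(s)^d mod N: the bank's ordinary signature on s."""
    return (blind_sig * pow(r, -1, N)) % N


def coin_is_valid(serial: bytes, sig: int) -> bool:
    """Anyone holding the bank's public key can check a coin offline."""
    return pow(sig, E, N) == serial_hash(serial)


class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.spent = set()                  # the used-serial database

    def sign_withdrawal(self, account, blinded):
        """Debit one unit per blinded coin and sign each without seeing its serial."""
        if self.balances.get(account, 0) < len(blinded):
            raise ValueError("insufficient funds")
        self.balances[account] -= len(blinded)
        return [pow(b, D, N) for b in blinded]

    def deposit(self, merchant, serial, sig):
        """Merchant redeems a coin; a serial already in the database is a double spend."""
        if not coin_is_valid(serial, sig):
            return "bad signature"
        if serial in self.spent:
            return "double spend"
        self.spent.add(serial)
        self.balances[merchant] = self.balances.get(merchant, 0) + 1
        return "accepted"


def withdraw(bank, account, count):
    """Client wallet: fresh serials -> blind -> bank signs -> unblind -> coins."""
    serials = [secrets.token_bytes(16) for _ in range(count)]
    factors, blinded = zip(*(blind(s) for s in serials))
    signed = bank.sign_withdrawal(account, list(blinded))
    return [(s, unblind(bs, r)) for s, bs, r in zip(serials, signed, factors)]


def demo():
    bank = Bank({"alice": 5})
    coins = withdraw(bank, "alice", 3)
    serial, sig = coins[0]
    first = bank.deposit("bob", serial, sig)                   # accepted
    second = bank.deposit("carol", serial, sig)                # same serial: double spend
    forged = bank.deposit("bob", coins[1][0], coins[1][1] + 1)  # not the bank's signature
    return {"all_valid": all(coin_is_valid(s, g) for s, g in coins),
            "deposits": [first, second], "forged": forged,
            "balances": dict(bank.balances)}


if __name__ == "__main__":
    print(demo())
```

Two properties of the slides are visible in the code: the bank's signature is what gives a coin value, so a forged or altered signature is rejected without any database lookup, while the used-serial set is the only defence against spending a genuine coin twice, which is why it has to grow with every coin ever deposited and cannot be pruned.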
Advantages
• Cost-effective for small payments
• A user can transfer electronic coins to another user
• No need to apply for a credit card
• Anonymity
• Hardware independent
Disadvantages
• It is not suitable for large payments because of its lower security
• The client must use wallet software to store the coins withdrawn from the bank
• A large database is needed to store used serial numbers to prevent double spending
Comparisons
• SET
  – uses a credit card
  – 5 parties involved
  – no anonymity
  – large and small payments
• Ecash
  – uses e-coins
  – 3 parties involved
  – anonymous by nature
  – a large database is needed to log used serial numbers
  – small payments
Conclusions
• An effective, secure and reliable Internet payment system is needed
• Depending on the payment amount, a different level of security is used
• The SET protocol is an outstanding payment protocol for secure electronic commerce