Varna Free University
Internet payment systems
E-BUSINESS
Prof. Teodora Bakardjieva
Outline
• Introduction
• Issues related
• Security
• Outstanding protocols
• Mechanisms
• Advantages and disadvantages
• Conclusion
27 Sept. 99
Introduction
• In the past year, the number of users reachable through the Internet has increased dramatically
• Potential to establish a new kind of open marketplace for goods and services
Introduction (cont)
• Online shops on the Internet
• Bookshop (Amazon.com)
• Flight reservation and hotel reservation shopping places, etc.
• An effective payment mechanism is needed
Issues related
• Security
• Performance
• Reliability
• Efficiency
• Bandwidth
• Anonymity (mainly in electronic coins)
Security
• The Internet is not a secure place
• There are attacks from:
  • eavesdropping
  • masquerading
  • message tampering
  • replay
How to solve?
• RSA public key cryptography is widely used for authentication and encryption in the computer industry
• Using a public/private (asymmetric) key pair or a symmetric session key to prevent eavesdropping
How to solve? (cont)
• Using a message digest to prevent message tampering
• Using a nonce to prevent replay
• Using a digital certificate to prevent masquerading
Outstanding protocols
• Credit card based
  • Secure Electronic Transaction (SET)
  • Secure Socket Layer (SSL)
• Electronic coins
  • DigiCash
  • NetCash
Credit-card based systems
• Parties involved: cardholder, merchant, issuer, acquirer and payment gateway
• The user's credit-card number is transferred to the merchant over an insecure network
• A trusted third party authenticates the public keys
Secure Electronic Transaction (SET)
• Developed by VISA and MasterCard
• To facilitate secure payment card transactions over the Internet
• Digital certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity
• It is the most secure payment protocol
Framework (figure): Card Holder, Merchant and Payment Gateway are linked by SET (Card Holder to Merchant, Merchant to Payment Gateway); the Payment Gateway reaches the Card Issuer through the existing Financial Network, and both of those links are non-SET
Payment processes
• The messages needed to perform a complete purchase transaction usually include:
  • Initialization (PInitReq/PInitRes)
  • Purchase order (PReq/PRes)
  • Authorization (AuthReq/AuthRes)
  • Capture of payment (CapReq/CapRes)
Typical SET purchase transaction (figure, message order between CardHolder, Merchant and Payment Gateway):
• CardHolder → Merchant: PInitReq
• Merchant → CardHolder: PInitRes
• CardHolder → Merchant: PReq
• Merchant → Payment Gateway: AuthReq
• Payment Gateway → Merchant: AuthRes
• Merchant → CardHolder: PRes
• Merchant → Payment Gateway: CapReq
• Payment Gateway → Merchant: CapRes
Initialization (Cardholder ↔ Merchant)
• PInitReq (Cardholder → Merchant): {BrandID, LID_C, Chall_C}
• PInitRes (Merchant → Cardholder): {TransID, Date, Chall_C, Chall_M}SigM, CA, CM
Purchase order (Cardholder ↔ Merchant)
• PReq (Cardholder → Merchant): {OI, PI}
• PRes (Merchant → Cardholder): {TransID, [Results], Chall_C}SigM
Authorization (Merchant ↔ Acquirer; Acquirer ↔ Issuer over the existing financial network)
• AuthReq (Merchant → Acquirer): {{AuthReq}SigM}PKA
• AuthRes (Acquirer → Merchant): {{AuthRes}SigA}PKM
Capture of payment (Merchant ↔ Acquirer; Acquirer ↔ Issuer over the existing financial network)
• CapReq with CapToken (Merchant → Acquirer)
• CapToken forwarded for clearing (Acquirer → Issuer)
• CapRes (Acquirer → Merchant): {{CapRes}SigA}PKM
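The cardholder/merchant half of this flow, as an added Python example that is not part of the original slides or of the SET specification: the initialization and purchase-order exchange, with Chall_C and Chall_M used as nonces against replay (the "How to solve?" slides) and a message digest checked before any field is trusted. It assumes a pre-shared session key and models SigM as an HMAC rather than an RSA signature over a merchant certificate; TransID, Date, PAN and key values are constructed, and the authorization and capture legs with the payment gateway are left out.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Demo assumption: the merchant signature SigM is modelled as HMAC-SHA256 under a
# session key both parties already hold; real SET uses an RSA signature checked
# against the merchant certificate (CM) and its CA chain.
SESSION_KEY = b"constructed-demo-session-key"


def seal(msg, key=SESSION_KEY):
    """Attach a keyed message digest (stand-in for SigM)."""
    body = json.dumps(msg, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def open_sealed(sealed, key=SESSION_KEY):
    """Check the digest before trusting any field; this is what catches tampering."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("digest mismatch: message tampered or forged")
    return json.loads(sealed["body"])


class Merchant:
    def __init__(self):
        self.transactions = {}  # TransID -> challenges and completion state

    def handle_pinit_req(self, req):
        trans_id, chall_m = secrets.token_hex(8), secrets.token_hex(16)  # Chall_M: merchant nonce
        self.transactions[trans_id] = {"Chall_C": req["Chall_C"], "Chall_M": chall_m,
                                       "LID_C": req["LID_C"], "completed": False}
        return seal({"TransID": trans_id, "Date": datetime.now(timezone.utc).isoformat(),
                     "Chall_C": req["Chall_C"], "Chall_M": chall_m})

    def handle_preq(self, preq):
        oi = preq["OI"]
        tx = self.transactions.get(oi["TransID"])
        if tx is None or oi["Chall_M"] != tx["Chall_M"]:
            results = "rejected: unknown TransID or wrong Chall_M"
        elif tx["completed"]:
            results = "rejected: replayed PReq"  # the same order is never processed twice
        else:
            tx["completed"] = True  # AuthReq/AuthRes with the payment gateway omitted here
            results = "approved"
        return seal({"TransID": oi["TransID"], "Results": results,
                     "Chall_C": tx["Chall_C"] if tx else None})


class Cardholder:
    def __init__(self, brand="VISA"):
        self.brand, self.lid_c = brand, secrets.token_hex(4)
        self.chall_c = self.trans_id = self.chall_m = None

    def pinit_req(self):
        self.chall_c = secrets.token_hex(16)  # Chall_C: fresh nonce tying the reply to this run
        return {"BrandID": self.brand, "LID_C": self.lid_c, "Chall_C": self.chall_c}

    def handle_pinit_res(self, sealed):
        res = open_sealed(sealed)
        if res["Chall_C"] != self.chall_c:  # a replayed old PInitRes fails here
            raise ValueError("Chall_C mismatch: stale or replayed PInitRes")
        self.trans_id, self.chall_m = res["TransID"], res["Chall_M"]
        return res

    def preq(self, amount):
        oi = {"TransID": self.trans_id, "Chall_M": self.chall_m, "Amount": amount}
        pi = {"TransID": self.trans_id, "Amount": amount, "PAN": "0000-constructed-test"}
        return {"OI": oi, "PI": pi}  # real SET encrypts PI so only the gateway reads the PAN

    def handle_pres(self, sealed):
        res = open_sealed(sealed)
        if res["Chall_C"] != self.chall_c:
            raise ValueError("Chall_C mismatch in PRes")
        return res["Results"]


def run_purchase(amount=25):
    """PInitReq/PInitRes then PReq/PRes; returns (Results, cardholder, merchant, preq)."""
    c, m = Cardholder(), Merchant()
    c.handle_pinit_res(m.handle_pinit_req(c.pinit_req()))
    preq = c.preq(amount)
    return c.handle_pres(m.handle_preq(preq)), c, m, preq


def stale_pinit_res_detected():
    """True when the cardholder rejects a PInitRes that answers an earlier challenge."""
    c, m = Cardholder(), Merchant()
    old = m.handle_pinit_req(c.pinit_req())
    c.pinit_req()  # a new challenge is issued, so 'old' no longer matches
    try:
        c.handle_pinit_res(old)
        return False
    except ValueError:
        return True
```

Running `run_purchase()` returns "approved"; feeding the same PReq to the merchant a second time yields a signed PRes whose Results field is "rejected: replayed PReq", and any edit to a sealed body fails in `open_sealed` before the cardholder reads a single field.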
Advantages
• It is secure enough to protect the user's credit-card number and personal information from attacks
• Hardware independent
• World-wide usage
Disadvantages
• User must have a credit card
• No transfer of funds between users
• Not cost-effective when the payment is small
• No anonymity: every payment is traceable
Electronic cash/coins
• Parties involved: client, merchant and bank
• Client must have an account at the bank
• Lower security and less encryption
• Suitable for small payments, but not for large payments
DigiCash (E-cash)
• A fully anonymous electronic cash system
• Uses the blind signature technique
• Parties involved: bank, buyer and merchant
• Uses RSA public-key cryptography
• Special client and merchant software is needed
Withdrawing Ecash coins
• The user's cyberwallet software calculates how many digital coins are needed to withdraw the requested amount
• The software then generates random serial numbers for those coins
• Each serial number is blinded by multiplying it by a random factor
Withdrawing Ecash coins (cont)
• The blinded coins are packaged into a message, digitally signed with the user's private key, encrypted with the bank's public key, then sent to the bank
• When the bank receives the message, it checks the signature
• After signing the blinded coins, the bank returns them to the user
Spending Ecash
Advantages
• Cost-effective for small payments
• A user can transfer electronic coins to another user
• No need to apply for a credit card
• Anonymous
• Hardware independent
Disadvantages
• Not suitable for large payments because of lower security
• The client must use wallet software to store the coins withdrawn from the bank
• A large database is needed to store used serial numbers to prevent double spending
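The withdrawal described under "Withdrawing Ecash coins" together with the used-serial database from the Disadvantages slide, as an added Python example that is not DigiCash's code: an RSA blind signature in which the bank signs a coin it cannot read, the wallet unblinds it, and the bank's deposit side refuses a serial it has already seen. The key uses constructed toy primes (a real bank key is far larger), the serial is hashed before signing (an assumption, so a valid coin cannot be produced by picking a signature first), and the outer step of signing the request with the user's key and encrypting it to the bank is omitted.

```python
import hashlib
import math
import secrets

# Toy bank key: two Mersenne primes give a roughly 92-bit modulus, enough for the demo.
# These constants are constructed for this example; a real Ecash bank used full-size RSA keys.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                                 # bank's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # bank's private exponent


def coin_digest(serial):
    """Hash the serial to an integer below N; the bank signs this digest, not the raw serial."""
    h = hashlib.sha256(serial.to_bytes(32, "big")).digest()
    return int.from_bytes(h, "big") % N


def blind(serial, r=None):
    """Cyberwallet side: hide the coin by multiplying its digest with r^E (r coprime to N)."""
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (coin_digest(serial) * pow(r, E, N)) % N, r


def bank_sign_blinded(blinded):
    """Bank side: sign what arrives; the serial underneath stays unknown to the bank."""
    return pow(blinded, D, N)


def unblind(blinded_sig, r):
    """Cyberwallet side: divide out r, leaving the bank's signature on the plain digest."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify_coin(serial, sig):
    """Anyone holding the bank's public key (E, N) can check a coin."""
    return pow(sig, E, N) == coin_digest(serial)


def withdraw_coin(serial=None, r=None):
    """Whole withdrawal round trip; returns (serial, signature, what the bank saw)."""
    if serial is None:
        serial = secrets.randbits(256)    # random serial chosen by the wallet
    blinded, r = blind(serial, r)
    sig = unblind(bank_sign_blinded(blinded), r)
    return serial, sig, blinded


class Bank:
    """Deposit side: the used-serial database that stops a coin being spent twice."""

    def __init__(self):
        self.spent = set()

    def deposit(self, serial, sig):
        if not verify_coin(serial, sig):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: double spend"
        self.spent.add(serial)
        return "accepted"
```

The value the bank signs during withdrawal (`blinded`) differs from the digest it later sees at deposit, which is what makes the coin unlinkable to the account it was withdrawn from; the price is the ever-growing `spent` set, which the next slide's comparison lists as Ecash's main cost.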
Comparisons
• SET
  • uses a credit card
  • 5 parties involved
  • no anonymity
  • large and small payments
• Ecash
  • uses e-coins
  • 3 parties involved
  • anonymous
  • a large database is needed to log used serial numbers
  • small payments
Conclusions
• An effective, secure and reliable Internet payment system is needed
• Depending on the payment amount, a different level of security is used
• The SET protocol is an outstanding payment protocol for secure electronic commerce