1 / 32

Secure Electronic Transaction (SET) for Credit-Card Transactions in the Internet

CS 490-002/590-001 Network Security. Secure Electronic Transaction (SET) for Credit-Card Transactions in the Internet. Department of Computer Science Southern Illinois University Edwardsville Fall, 2019 Dr. Hiroshi Fujinoki E-mail: hfujino@siue.edu. SET/001.

Download Presentation

Secure Electronic Transaction (SET) for Credit-Card Transactions in the Internet

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CS 490-002/590-001 Network Security Secure Electronic Transaction (SET) for Credit-Card Transactions in the Internet Department of Computer Science Southern Illinois University Edwardsville Fall, 2019 Dr. Hiroshi Fujinoki E-mail: hfujino@siue.edu SET/001

  2.  Support for credit-card transactions Card-holder’s host (browser) Merchant’s host (server) Internet Certificate Authority Certificate Certificate Payment Gateway Payment Network Credit-Card Issuer Acquire (Credit-Card Company) trust trust CS 490-002/590-001 Network Security Just encryption and data integrity are not good enough! SSL/009

  3. Two Different Types of Information a CC Customer Issues in SET Order Information (OI) • Product name and product ID code(s) • Number of the ordered products • Any other product-related information the merchant should know Payment Information (PI) The merchant only need to know the total payment amount Should be hidden from the merchant CS 490-002/590-001 Network Security • Your credit-card account number • Your full name • Your credit-card expiration date • Payment amount SET/002

  4. Requirements in CC transactions using the Internet Card-holder’s host (browser) Merchant’s host (server) Internet Assumed to be safe (that’s the reason a private network is used here)  Confidentiality for order and payment information from customer to merchant  Integrity for all transmitted data  Authentication of a legitimate card-holder  Confidentiality  Integrity Authentication for merchant Payment Gateway Payment Network Credit-Card Issuer Acquire (Credit-Card Company) CS 490-002/590-001 Network Security (digital signature) (certificate) SET/003

  5. Requirements in CC transactions using the Internet CS 490-002/590-001 Network Security  Confidentiality of Information  Integrity of Data  Cardholder account authentication  Merchant authentication  Sender-No-Repudiation  Receiver-No-Repudiation SET/004

  6. Requirements in CC transactions using the Internet “Dual Signature” and “Envelope” CS 490-002/590-001 Network Security  Confidentiality of Information • Cardholder account and payment information is secured as it travels across the Internet • Although a cardholder transmits OI and PI in a single message, SET prevents a merchant from seeing the cardholder’s credit card information in PI • Merchant can see only the contents in OI, which includes, product, product price and other information regarding the product • Merchant can not see what is in PI • Merchant just forwards PI to the credit-card company and waits for approval. • Confidentiality for information merchants transmitted through the Internet • 3DES encryption is used in SET SET/005

  7. Requirements in CC transactions using the Internet Card-holder’s host (browser) Merchant’s host (server) OI OI PI PI Internet • Order Information (OI) • Payment Information (PI) PI PI OI Payment Gateway Payment Network Credit-Card Issuer Acquire (Credit-Card Company) CS 490-002/590-001 Network Security SET/006

  8. Requirements in CC transactions using the Internet Information transmitted through the Internet will never be modified Card-holder’s host (browser) Merchant’s host (server) Merchant’s host (server) Internet Internet Digital Signature (using messages hash) Payment Gateway Acquire (Credit-Card Company) CS 490-002/590-001 Network Security  Integrity of Data • Order information • Payment information • Payment information • Approval request SET/007

  9. Requirements in CC transactions using the Internet Requirements  and  take care of • Confidentiality • Integrity during TX Card-holder’s host (browser) Merchant’s host (server) X.509 Digital Certificate issued to this customer show his/her certificate • Customer name • Credit card account # • etc. Yes, they are all correct! But neither of  or  guarantees the message is from this customer • Does this account exist? • Is the customer name correct? Acquire (Credit-Card Company) Customer Database CS 490-002/590-001 Network Security  Cardholder account authentication How can this merchant make sure if this customer is a legitimate customer? Essential for guaranteeing sender non-repudiation SET/008

  10. Requirements in CC transactions using the Internet Card-holder’s host (browser) Merchant’s host (server) X.509 Digital Certificate issued to this merchant show his/her certificate I want to buy this product! Sure. I am merchant X. Please pay $500 to “Merchant X”! CS 490-002/590-001 Network Security Essential for guaranteeing receiver non-repudiation  Merchant authentication How can this customer be sure that the merchant you are talking to is really the one you should? SET/009

  11. Extra Requirements in SET: How can your acquire be sure for both of you? Card-holder’s host (browser) Merchant’s host (server) Internet PI OI OI PI PI OI Payment Gateway Acquire (Credit-Card Company) CS 490-002/590-001 Network Security How can this acquire be sure that: • OI and PI originated from the legitimate customer. • PI from the legitimate merchant. SET/010

  12. Procedure in credit-card transactions using SET  Customer opens an account  Customer receives a certificate The public key she gives to a merchant on ordering something  Merchants have their own certificates CS 490-002/590-001 Network Security • A customer applies and obtains a credit card account • The issuer creates customer’s X.509 certificate and digitally signs the certificate. • The customer’s X.509 certificate contains her RSA public key. • The customer receives her digital certificate after a suitable verification of identity. • A merchant applies to participate in a credit card. • A CA creates merchant’s X.509 certificate and digitally signs the certificate. • The merchant receives his digital certificate after a suitable verification of identity. SET/011

  13. Procedure in credit-card transactions using SET (continued)  Customer places an order  The customer verifies the merchant  Customer sends order and payment information (continued to the next slide) CS 490-002/590-001 Network Security • A customer browses the web-site of a merchant and selects items. • The customer sends a list of items to be purchased to the merchant. • The merchant replies with an order form that contains: the list of the ordered products, item prices, total costs and the order number. • The merchant sends you his certificate with the order form. • The customer examines the merchant certificate to authenticate the identity of this merchant • The customer sends OI and PI to the merchant, along with the customer’s certificate. SET/012

  14. Procedure in credit-card transactions using SET (continued)  Customer sends order and payment information  The merchant requests payment authorization CS 490-002/590-001 Network Security • The customer sends OI and PI to the merchant, along with the customer’s certificate. • The OI is used to confirm the purchase of the products. • The PI is used to obtain payment approval from the CC (and the bank) company, which contains the credit-card details for the customer. • The PI is encrypted in such a way that the merchant can not read the credit-card information for the customer. • The merchant verifies the customer’s identify using the customer’s certificate. • The merchant sends PI to the payment gateway, requesting authorization that the customer’s available credit is sufficient for this purchase. • The merchant waits for the CC’s authorization (or approval). SET/013

  15. Procedure in credit-card transactions using SET (continued)  The merchant confirms the order  The merchant provides good or service to the customer  The merchant requests payment to the customer’s CC CS 490-002/590-001 Network Security • When an approval successfully comes back from the CC, the merchant sends confirmation of the order and purchase to the customer. • The merchant ships the ordered products (or provides the services) to the customer. • The record of this order is forwarded to the CC to request the payment SET/014

  16. SET Dual Signature Credit-card company does this for this merchant SET D. S. CS 490-002/590-001 Network Security • You transmit OI and PI as a pair to the certified merchant - Because merchant needs to confirm payment - Because order and payment-confirmation must be linked • Your PI contains information about your credit-card account - If possible, you don’t want your merchant to see those information • All what your merchant can know is if your credit-card company has approved your purchase and the company will pay correct amount • You transmit both OI and PI in one message to the merchant • Your merchant can’t see what’s in PI but forward it to the CC company • The merchant will receive a response to the PI from the CC company SET/015

  17. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) Merchant Certificate S3 P3 Client Certificate Time P2 P1 Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S2 S1 Initiate Response PI Payment Gateway OI Encrypt CS 490-002/590-001 Network Security SET/016

  18. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) Merchant Certificate S3 P3 Client Certificate Time P2 P1 PI OI Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S1 S2 Initiate Response Payment Gateway Purchase Request OI Encrypt PI CS 490-002/590-001 Network Security SET/017

  19. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) Merchant Certificate S3 P3 Client Certificate Time P1 P2 PI OI Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S1 S2 Initiate Response Payment Gateway Purchase Request OI Encrypt This is not what we (client) want! PI CS 490-002/590-001 Network Security SET/018

  20. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) Merchant Certificate S3 P3 Client Certificate Time P2 P1 Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S2 S1 Initiate Response PI Payment Gateway OI CS 490-002/590-001 Network Security SET/019

  21. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) Merchant Certificate S3 P3 Client Certificate Time P2 P1 PI PI OI OI Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S2 S1 Initiate Response Payment Gateway Purchase Request CS 490-002/590-001 Network Security SET/020

  22. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) Merchant Certificate S3 P3 Client Certificate Time P1 P2 PI PI PI OI Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S2 S1 Initiate Response Payment Gateway This merchant can not decrypt this PI message Purchase Request OI Approval Request CS 490-002/590-001 Network Security This merchant can not confirm integrity of this message (Has it been modified during the transmission?) SET/021

  23. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) Merchant Certificate S3 P3 Client Certificate Time P2 P1 PI PI OI Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S1 S2 Initiate Response Payment Gateway This merchant can not decrypt this PI message Purchase Request OI PI Approval Request CS 490-002/590-001 Network Security SET/022

  24. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) SS Merchant Certificate S3 P3 Client Certificate Time P1 P2 Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S1 S2 Initiate Response This client creates a symmetric secret key PI Payment Gateway OI Encrypt Encrypt Encrypt CS 490-002/590-001 Network Security SET/023

  25. SET Dual Signature Card-holder’s host (browser) Merchant’s host (server) SS SS Merchant Certificate S3 P3 Client Certificate Time P2 P1 Credit-Card Comp’s Certificate Transmit its certificate Initiate Request Request for Certificate S1 S2 Initiate Response This client creates a symmetric secret key PI Payment Gateway Purchase Request OI Approval Request PI PI OI CS 490-002/590-001 Network Security SET/024

  26. SET Dual Signature • OIMD = OI Message Digest • PIMD = PI Message Digest • POMD = PI/OI Message Digest Card-holder’s host (browser) Merchant’s host (server) (OIMD) (encryption) (hash) (hash) (Dual Signature) (POMD) PI OI S1 RSA (PIMD) (hash) Customer Private Signature Key SHA-1 SHA-1 SHA-1 CS 490-002/590-001 Network Security SET/025

  27. SET Dual Signature Customer’s Certificate Encrypt Encrypt (OIMD) (encryption) (hash) (hash) (Dual Signature) (POMD) S3 PI P3 P3 OI S1 P1 SS Acquire (Credit-Card Company) RSA (PIMD) (hash) Customer Private Signature Key Digital Envelope SHA-1 SHA-1 SHA-1 CS 490-002/590-001 Network Security SET/026

  28. SET Dual Signature Encrypt Encrypt (OIMD) (encryption) (hash) (hash) (Dual Signature) (POMD) PI OI S1 SS RSA (PIMD) (hash) Customer Private Signature Key SHA-1 SHA-1 SHA-1 CS 490-002/590-001 Network Security P3 SET/027

  29. SET Dual Signature COMPARE (POMD’) (PIMD) (OIMD’) (hash) (hash) (OIMD’) (POMD) (POMD) decrypt P1 P1 Acquire (Credit-Card Company) The merchant uses this information for processing order OI SHA-1 SHA-1 CS 490-002/590-001 Network Security SET/028

  30. SET Dual Signature Digital Envelope from the customer S3 P3 (hash) Dual Signature from the customer 1 2 3 (PIMD’) • How things work after this? SS Acquire (Credit-Card Company) SHA-1 CS 490-002/590-001 Network Security • Is there anything missing? SET/029

  31. SET Dual Signature Why does this customer has to use SS-key (why not P3)? Customer’s Certificate Encrypt Encrypt (OIMD) (encryption) (hash) (hash) (Dual Signature) (POMD) S3 PI P3 P3 OI S1 P1 SS Acquire (Credit-Card Company) RSA (PIMD) (hash) Customer Private Signature Key Digital Envelope SHA-1 SHA-1 SHA-1 CS 490-002/590-001 Network Security SET/030

  32. Discussions CS 490-002/590-001 Network Security SET/014

More Related