220 likes | 381 Views
Epayment System using Java. April, 11. 2001 Computer Security and Electronic Payment System Cho won chul Kim Hee Dae Lee Jung Hwan Yoon Won Jung. Index. 1. Introduction What is E-payment system ? Comparison between SSL and SET(1)(2)
E N D
Epayment System using Java April, 11. 2001 Computer Security and Electronic Payment System Cho won chul Kim Hee Dae Lee Jung Hwan Yoon Won Jung
Index 1. Introduction • What is E-payment system ? • Comparison between SSL and SET(1)(2) • Secure Transmission Schemes in SSL and SET Protocol(1)(2) • The Player and essential security Requirements in SET • Entities of SET protocol in Cybershopping • Overview of main Messages in SET • Smart Card (Physical layout)
Index • Software Stack of a Java Card • Program Development Process • Cyberflex Access Cards(1)(2) • What should we implement in this Project • Java Card Security package • Java Layer in the Host Software Architecture
1. Introduction • Describe typical electronic payment systems for EC • Compare the relationship between SSL and SET protocols • Classify and describe the types of Smart Card used for payments • Describe the characteristics of Java Card • Implement Java Smart Card applying to SET
2. What is E-payment system? • E-payment system is the new payment methods with the emergence of electronic commerce on the Internet. • Secure payment systems are critical to the success of EC. • There are four essential security requirements for safe electronic payments.(Authentication, Encryption, Integrity, Non-repudiation) • The key security schemes adopted for electronic payment systems are encryption. • Security schemes are adopted in protocols like SSL and SET.
3. Comparison between SSL and SET(1) • A part of SSL (Secure Socket Layer) is available on customers’ browsers • it is basically an encryption mechanism for order taking, queries and other applications • it does not protect against all security hazards • it is mature, simple, and widely use • SET ( Secure Electronic Transaction) is a very comprehensive security protocol • it provides for privacy, authenticity, integrity, and, or Non repudiation • it is used very infrequently due to its complexity and the need for a special card reader by the user • it may be abandoned if it is not simplified/improved
Complex Simple SET is tailored to the credit card payment to the merchants. SSL is a protocol for general-purpose secure message exchanges (encryption). SET protocol hides the customer’s credit card information from merchants, and also hides the order information to banks, to protect privacy. This scheme is called dual signature. SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information, because the capturing process should be initiated by the merchants. 3. Comparison between SSL and SET (2) Secure Socket Layer (SSL) Secure Electronic Transaction(SET)
4. Secure Transmission Schemes in SSL and SET Protocol(1) Sender’s Computer 1. The message is hashed to a prefixed length of message digest. 2. The message digest is encrypted with the sender’s private signature key, and a digital signature is created. 3. The composition of message, digital signature, and Sender’s certificate is encrypted with the symmetric key which is generated at sender’s computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA. 4. The Symmetric key itself is encrypted with the receiver’s public key which was sent to the sender in advance. The result is a digital envelope.
Sender’s Computer Sender’s Private Signature Key Message Message Digest Digital Signature + Message + Encrypted Message Encrypt + Symmetric Key Sender’s Certificate Digital Envelope Receiver’s Certificate Encrypt Receiver’s Key-Exchange Key
4.Secure Transmission Schemes in SSL and SET Protocol (2) Receiver’s Computer 5. The encrypted message and digital envelope are transmitted to receiver’s computer via the Internet. 6. The digital envelope is decrypted with receiver’s private exchange key. 7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender’s certificate. 8. To confirm the integrity, the digital signature is decrypted by sender’s public key, obtaining the message digest. 9. The delivered message is hashed to generate message digest. 10. The message digests obtained by steps 8 and 9 respectively, are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
Message Digest Digital Signature Sender’s Certificate Digital Envelope Receiver’s Computer Receiver’s Private Key-Exchange Key Decrypt Message Message Digest + Symmetric Key + Decrypt compare Encrypted Message Decrypt Sender’s Public Signature Key
5. The Player and essential security Requirements in SET • The player • Cardholder • Merchant (seller) • Issuer (your bank) • Acquirer (Merchant’s financial institution, acquires the sales slips) • Brand (Visa, Master Card) • Payment Gateway (e-payment infra-structure) • Essential Security Requirements in SET • Authentication • Encryption • Integrity • Non-repudiation
IC Card Reader Customer y Customer x With Digital Wallets Certificate Authority Electronic Shopping Mall Payment Gateway Merchant A Merchant B Protocol X.25 Credit Card Brand 6.Entities of SET protocol in Cybershopping
7.Overview of main Messages in SET :Over the Internet :Over Financial Network Card Reader Card Holder CA Issue Request to Verity the information Certificate Request Cardholder Registration Response Certificate Purchase Request Purchase Response Purchase Request Payment Gateway Authorization Request Authorization Request Payment Authorization Response Response Capture Request Payment Capture Response Clearing Request Authorization Request Capture Request Merchant Registration Certificate Response Merchant CA Acquirer
8. Smart Card (Physical layout) • ROM(16K) • OS • Com • Security • EEPROM • (16K) • File System • Program files • Keys • Passwords • Applications • CPU • 8 bit • 5 MHz • crypto-coprocessor RAM - 4 kb
9. Software Stack of a Java Card • FrameWork provide Java Card API • JVM executes the bytecode of the applet and of the library functions • Applet is a small program developed by application designer.
11.Cyberflex(TM)Access Cards(1) • Manufacture : Schlumberger • General Characteristics : - Communication protocol : ISO T=0 - Data transmission baud rate : 9600 bit/sec by default, up to 55,800 bit/sec - Nonvolatile memory : 16 KB of EEPROM (13.5 KB available for cardlet, keys, and certificate ) - APDU buffer : 255 + 5 bytes - Access control structure : As many as 8 identities per directory/program - Fast native file system
Cyberflex(TM) Access Cards(2) • Cryptographic Features - Host system generation of DES keys and RSA keys(512, 768, 1024 bits) - Enciphering and deciphering data with DES or 3DES keys in CBC mode - External Authentication with DES or 3DES keys - Internal Authentication with DES or 3DES keys in EBC mode, or with RSA digital signatures - SHA-1 and MAC hashing(carried out by Java APIs, not by APDUs)
Cardholder Registration - Certificate Request to CA Read from Card reader (Authentication) Purchase Request (simultaneously) - to Issuer to get the certificate - to Merchant Design the protocol using DES-3,RSA,etc. Request to Verify the Certificate - Response from Card Holder - Request to Issue Merchant Registration - Authorization Request (to Acquirer) - response to Merchant CA Client Verify Card Holder information - send confirm to CA Authorization process - response to Gateway Capture process - clearing request from gateway - bill to client Purchase Response to Client Authorization Request to gateway Capture Request to gateway Response processing - to Client, Payment, CA ISSUE Merchant Authorization process - request to Issue - response to Merchant Capture process - request to Issue PG Merchant Authorization process - response to CA Acquirer 12. What should we implement in this Project
13. Java Card Security package needed in this project • Key • SecretKey • DESKey • PrivateKey • PublicKey • RSAPrivateKey • RSAPrivateCrtKey • RSAPublicKey • DSAKey • DSAPrivateKey • DSAPublicKey • KeyBuilder • MessageDigest • Signature • RandomData • CrytoException