110 likes | 236 Views
Secure Credit Card Transactions on an Untrusted Channel. Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/9/24. Outline. Introduction M otivation Scheme Security analysis Performance evaluation Advantage vs. weakness Comment. Introduction.
E N D
Secure Credit Card Transactions on an Untrusted Channel Source: Information Sciences in review Presenter: Tsuei-Hung Sun (孫翠鴻) Date: 2010/9/24
Outline • Introduction • Motivation • Scheme • Security analysis • Performance evaluation • Advantage vs. weakness • Comment
Introduction • Credit cards based payment system • Entity: customer, merchant, credit card issuer and bank. • Credit card: credit card number, Card Verification Value (CVV). • Transaction: billing digest, information about the customer.
Introduction • Secure Socket Layer (SSL) • Establish a trusted connection between two parties. • HTTPS (Secure HTTP) • Send messages securely using SSL. • Both two need public keys and certificates, besides, the operations process are complex.
Motivation • SSL and HTTPS are complex because they involve key-management, user credentials and certificates. • Smart cards require extra infrastructure like smart card reader and middleware. • This paper want to let the transaction become more simpler and easy to achieve security.
Scheme Common key KBMi (ex. customer credit card data) Common key KBMi Credit card confidentially
Scheme 1.Request phase 2.Verification phase 3.Authentication Phase 4.Response Phase UI1: customer related non critical data. UI2: importance to the merchant data. h = HCVV(UI1, UCI, T, CVV) T: time stamp. UCI : customer critical information. CVV: Card Verifier Value. TID: transaction id. rc and rm: response values generated by the issuer. TID = H(h,UI1,T)
Scheme • Authentication Phase • Issuer has a database containing customer credit card data. A1 Retrieve CVV and UCI from database. A2 Compute hash value h1. A3 Comparing h and h1 consistency. A4 Generate response values A5 Send acknowledgement to bank. Accept: Reject: : common key between the bank and the merchant i.
Security analysis • Replay Attack • Forgery Attack • Man-in-the-Middle Attack • Guessing Attack
Performance evaluation • Complexity Comparison Request phase:exor operation, hash operation (bank). Verification phase: hash operation (merchant), intersection operation (issuer). Authentication phase: exor operations (issuer).
Advantage vs. weakness • Advantage • Can resist 4 type important attack. • No need complex computing. • No need extra overhead like smart card, reader and middleware. • Just use hash function and a common key. • just use a one round protocol. • Weakness • Common key may be weak.