secure electronic transaction final diagrams

Post on 26-Mar-2015


Presented By

ARUN RAJ.R

JES VARGHESE

NEERAJ.R

SATHEESH.S

Organization of Presentation

1. Introduction
2. Credit Cards on the Internet
3. Credit Card Protocols
4. SET Business Requirements
5. Parties in SET
6. SET Transactions
7. Symmetric key encryption system
8. Public key encryption system
9. Message Digest
10. Digital Signature
11. Digital Envelope
12. Digital Certificate
13. Dual Signatures
14. SET Supported Transactions
15. Card Holder Registration
16. Merchant Registration
17. Purchase Request
18. Payment Authorization
19. SYSTEM CONFIGURATION
20. Database Organization
21. Important Source Files
22. Conclusion
23. References

Introduction

• An application-layer security mechanism, consisting of a set of protocols.
• Protects credit card transactions on the Internet.
• Companies involved:
  – MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
• Not a payment system.
• It has a complex specification.

Credit Cards on the Internet

• Problem: communicate credit card and purchasing data securely to gain consumer trust
  – Authentication of buyer and merchant
  – Confidential transmissions
• Systems vary by
  – type of public-key encryption
  – type of symmetric encryption
  – message digest algorithm
  – number of parties having private keys
  – number of parties having certificates

Credit Card Protocols

• SSL: 1 or 2 parties have private keys
• TLS (Transport Layer Security)
  – IETF version of SSL
• iKP (IBM)
• SEPP (Secure Encryption Payment Protocol)
  – MasterCard, IBM, Netscape
• STT (Secure Transaction Technology)
  – VISA, Microsoft
• SET (Secure Electronic Transactions)
  – MasterCard, VISA
  – all parties have certificates

OBSOLETE

…but in e-transactions, it is important to know if you are dealing with a dog.

Identification is the Challenge

SET Business Requirements

• Provide confidentiality of payment and ordering information.
• Ensure the integrity of all transmitted data.
• Provide authentication that a cardholder is a legitimate user of a credit card account
• Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution

SET Business Requirements (cont’d)

• Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction

• Create a protocol that neither depends on transport security mechanisms nor prevents their use

• Facilitate and encourage interoperability among software and network providers

Secure Electronic Transaction

• Confidentiality: all messages encrypted

• Trust: all parties must have digital certificates

• Privacy: information made available only when and where necessary

Components to build Trust

• Data Confidentiality: Encryption
• Who am I dealing with?: Authentication
• Message integrity: Message Digest
• Non-repudiation: Digital Signature
• Access Control: Certificate Attributes

Parties in SET

SET Transactions

Symmetric key encryption system

Same key is used to both encrypt and decrypt data

Examples of encryption systems: DES, 3DES, AES

Public key encryption system

• Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
• Public key can be sent in the open.
• Private key is never transmitted or shared.
• E.g. RSA (Rivest, Shamir, and Adleman)

[Figure: encryption with the Recipient’s Public Key, decryption with the Recipient’s Private Key]

Message Digest

• Used to determine if document has changed
• Usually 128-bit or 160-bit “digests”
• Infeasible to produce a document matching a digest
• A one bit change in the document affects about half the bits in the digest
• E.g. SHA-1 (160-bit digest), Secure Hash Algorithm

[Figure: Plaintext → Hash Algorithm → Digest]

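Digital Signature

[Figure: Signed Document → Hash Algorithm → Digest → encrypted with the Signer’s Private Key → Encrypted Digest (Digital Signature)]

Verifying the Digital Signature

[Figure: one Digest is recomputed from the document with the Hash Algorithm, the other is recovered from the signature with the Signer’s Public Key, and the two Digests are compared]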

Integrity: One bit change in the content changes the digest

Digital Envelope

Combines the high speed of DES (symmetric encryption) and the key management convenience of RSA (public key encryption)

[Figure: the one-time encryption key, encrypted with the Recipient’s Public Key, forms the “Digital Envelope”]
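The digital envelope described above, as an added example (not the presentation's SymmetricCipher.java or RSAClass.java): a one-time symmetric key encrypts the message and only that key is encrypted under the recipient's public key. It uses the JDK's standard javax.crypto API; AES-GCM replaces the DES named on the slide, OAEP padding is this example's choice, and all class, method and message names are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class DigitalEnvelopeDemo {
    // Assumptions of this example: AES-GCM replaces the DES of the slide; OAEP is chosen here.
    static final String SYM = "AES/GCM/NoPadding";
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Returns {wrapped one-time key, IV, ciphertext}: everything the recipient needs.
    static byte[][] seal(PublicKey recipient, byte[] msg) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey oneTime = kg.generateKey();       // fresh key for every message
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher sym = Cipher.getInstance(SYM);
        sym.init(Cipher.ENCRYPT_MODE, oneTime, new GCMParameterSpec(128, iv));
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.WRAP_MODE, recipient);      // only the short key goes through RSA
        return new byte[][] { rsa.wrap(oneTime), iv, sym.doFinal(msg) };
    }

    static byte[] open(PrivateKey recipient, byte[][] env) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.UNWRAP_MODE, recipient);
        Key oneTime = rsa.unwrap(env[0], "AES", Cipher.SECRET_KEY);
        Cipher sym = Cipher.getInstance(SYM);
        sym.init(Cipher.DECRYPT_MODE, oneTime, new GCMParameterSpec(128, env[1]));
        return sym.doFinal(env[2]);                 // throws if the ciphertext was altered
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();
        // Constructed sample message, not real payment data.
        byte[] msg = "constructed sample payment message".getBytes(StandardCharsets.UTF_8);
        byte[][] env = seal(recipient.getPublic(), msg);
        System.out.println(new String(open(recipient.getPrivate(), env), StandardCharsets.UTF_8));
        env[2][0] ^= 1;                             // simulate tampering in transit
        try {
            open(recipient.getPrivate(), env);
        } catch (AEADBadTagException e) {
            System.out.println("tampered envelope rejected");
        }
    }
}
```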

Digital Certificate

• A digital certificate or Digital ID is a computer-based record that attests to the binding of a public key to an identified subscriber.

• Certificate issued by Certification Authority (CA).

• Certified digital signature attests to message content and to the identity of the signer.

• Combined with a digital time stamp, messages can be proved to have been sent at certain time.

Digital Certificate

X.509 Certificate Version 3

Version

This identifies which version of the X.509 standard applies to this certificate.

Serial Number

The entity that created the certificate is responsible for assigning it a serial number to distinguish it from other certificates it issues.

Signature Algorithm Identifier

This identifies the algorithm used by the CA to sign the certificate.

Issuer Name

The X.500 name of the entity that signed the certificate. This is normally a CA.

Validity Period

Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time.

Subject Name

The name of the entity whose public key the certificate identifies.

Subject Public Key Information

This is the public key of the entity being named, together with an algorithm identifier which specifies which public key crypto system this key belongs to and any associated key parameters.


Dual Signatures

• Links two messages securely but allows only one party to read each. Used in SET.

1. Hash MESSAGE 1 and MESSAGE 2 with SHA to obtain DIGEST 1 and DIGEST 2.
2. Concatenate the digests together.
3. Hash with SHA to create a NEW DIGEST.
4. Encrypt the new digest with the signer’s private key. The result is the DUAL SIGNATURE.
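The dual-signature construction above, as an added example (not the presentation's DualSignClass.java): the signer signs the hash of the two concatenated digests, and each recipient verifies with its own message plus only the digest of the other. It uses the JDK's standard java.security API; SHA-256 stands in for the SHA named on the slide, and all class, method and message names are illustrative.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class DualSignatureDemo {
    // Assumption of this example: SHA-256 stands in for the "SHA" on the slide.
    static byte[] digest(byte[] msg) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(msg);
    }

    static byte[] concat(byte[] a, byte[] b) {
        return ByteBuffer.allocate(a.length + b.length).put(a).put(b).array();
    }

    // Signer: hash each message, concatenate the digests, then hash and sign the result.
    static byte[] sign(PrivateKey key, byte[] m1, byte[] m2) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(concat(digest(m1), digest(m2)));
        return s.sign();
    }

    // Verifier: rebuild digest1 || digest2 from the digests it holds and check the signature.
    static boolean verify(PublicKey key, byte[] d1, byte[] d2, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(concat(d1, d2));
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        // Constructed sample messages, not real order or card data.
        byte[] m1 = "MESSAGE 1: two books, total 40.00".getBytes(StandardCharsets.UTF_8);
        byte[] m2 = "MESSAGE 2: pay 40.00 from test card".getBytes(StandardCharsets.UTF_8);
        byte[] d1 = digest(m1), d2 = digest(m2);
        byte[] dual = sign(signer.getPrivate(), m1, m2);
        // Recipient A gets message 1, digest 2 and the dual signature; never message 2.
        System.out.println("A accepts: " + verify(signer.getPublic(), digest(m1), d2, dual));
        // Recipient B gets message 2, digest 1 and the dual signature; never message 1.
        System.out.println("B accepts: " + verify(signer.getPublic(), d1, digest(m2), dual));
        // A substituted message 1 no longer matches the signed pair.
        byte[] forged = "MESSAGE 1: two books, total 4.00".getBytes(StandardCharsets.UTF_8);
        System.out.println("A accepts forged: " + verify(signer.getPublic(), digest(forged), d2, dual));
    }
}
```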

SET Transactions

SET Supported Transactions

card holder registration

merchant registration

purchase request

payment authorization

payment capture

certificate query

purchase inquiry

purchase notification

sale transaction

authorization reversal

capture reversal

credit reversal

Card Holder Registration

1. Cardholder Initiates Registration
2. CA Sends Response
3. Cardholder Requests Registration Form
4. CA Sends Registration Form
5. Cardholder Requests Certificate
6. CA Sends Certificate
7. Cardholder Receives Certificate


Merchant Registration


Purchase Request

1. Customer Browses for Products
2. Select the Card for Payment
3. Cardholder Initiates Request
4. Merchant Sends Response
5. The Cardholder Sends Request
6. Cardholder Sends Purchase Request
7. Merchant Processes Purchase Request Message
8. Merchant Sends Purchase Response


Payment Authorization

Payment Authorization Process

SYSTEM CONFIGURATION

Hardware requirements

• Any 32-bit processor
• Memory of minimum 128 MB RAM
• Sufficient Hard Disk Free space
• Mouse preferred for ease of use

Software requirements

• Development tool: Java 1.3 or above, Bouncy Castle Provider
• Operating system: Compatible to all OS
• Back end: Microsoft SQL Server / Microsoft Access
• Any Web Browser

Database Organization

A database is used at the Cardholder Machine to store his Card Details

Important Source Files

Source File | Important Classes | Description
ConnectionManager.java | ConnectionManager | Manages Database Connection
DigitalSignature.java | DigitalSignature | Create and Verify Digital Signatures.
DualSignClass.java | DualSignature | Create and Verify Dual Signatures.
NETClient.java | Packet, NETClient | Prepare messages to send and manage message reception from server.
RSAClass.java | RSACipher | Performs RSA Encryption and Decryption on blocks of plaintext.
SymmetricCipher.java | SymmetricCipher, SymmetricKey | Performs 3DES Encryption and Manage Symmetric Keys
FileSystemManager.java | RSAKeyFile, X509v3File | Manages Storage of RSA Keys and X509 v3 Certificates
X509Generator.java | X509Generator | Create X509 v3 Digital Certificate
X509Verifier.java | X509Verifier | Verify the validity of X509v3 Certificates.
CardHolderReg.java | CardHolderReg | Manage Cardholder Registration request and responses.
PurchRequest.java | PurchaseRequest | Manage Purchase Request
ReqCert.java | ReqCert | Manage Certificate Request.
SetApplication.java | SetApplication | Main Class that outlines other functions.

Conclusion

With the help of the above discussions, the SET protocol appears to be complete, sound, robust and reasonably secure for the purpose of credit-card transactions. However, it is important that the encryption algorithms and key sizes used are robust enough to prevent observation by hostile entities. The Secure Electronic Transactions (SET) protocol is important for the success of electronic commerce. Secure electronic transactions will be an important part of electronic commerce in the future. Without such security, the interests of the merchant, the consumer, and the credit or economic institution cannot be served.

References

• William Stallings, Cryptography and Network Security 3/e, Pearson, 2003
• http://www.setco.org/download/set_bk2.pdf
• http://www.cl.cam.ac.uk/Research/Security/resources/SET/intro.html
• Jonathan B. Knudsen, Java Cryptography, First Edition, May 1998
• Herb Schildt, Java 2 Complete Reference 4/e, Osborne, 1999

Thank you
