chapter 8 internet security protocols (cont’d). 2 secure electronic transaction (set) an open...
TRANSCRIPT
Chapter 8
Internet Security Protocols (cont’d)
2
Secure Electronic Transaction (SET) An open encryption and security specification
that is designed for protecting credit card transactions on the Internet.
Done in 1996 by MasterCard and Visa and joined by IBM, Microsoft, Netscape, RSA, Terisa and VeriSign.
1998, the 1st generation of SET-compliant products appeared in the market.
3
SET (cont’d)
Need for SET MasterCard and Visa realized that for e-
commerce payment processing, s/w vendors were coming up with new and conflicting standards. Microsoft drove these on one hand, and IBM on the
other. SET is not a payment system. It is a set of
security protocols and formats that enable the users to employ the existing credit card payment infrastructure on the Internet in a secure manner.
4
SET (cont’d)
SET services can be summarized as follows: Provide a secure communication channel among
all the parties involved in an e-commerce transaction.
Provide authentication by the use of digital certificates.
Ensure confidentiality, because the information is only available to the parties involved in a transaction, and that too only when and where necessary.
5
SET Participants
Cardholder: an authorized holder of a payment card such as MasterCard or Visa that has been issued by an Issuer.
Merchant: a person or an organization that wants to sell goods or services to cardholders.
Issuer: a financial institution (such as a bank) that provides a payment card to a cardholder.
6
SET Participants (cont’d)
Acquirer: a financial institution that has a relationship with merchants for processing payment card authorizations and payments.
Payment Gateway: Act as an interface between SET and the existing card
payment networks for payment authorizations. Certification Authority (CA): an authority that is
trusted to provide public key certificates to cardholders, merchants and payment gateways.
7
SET Process1. The customer open an account.2. The customer receives a certificate. 3. The merchant receives a certificate.4. The customer places an order.5. The merchant is verified.6. The order and payment details are sent.7. The merchant requests payment authorizations.8. The payment gateway authorizes the payment.9. The merchant confirms the order.10. The merchant provides goods or services.11. The merchant requests payment
8
How SET Achieves its Objectives Main concern with online payment
mechanism: Customer sends credit card details in clear text
which provides an intruder to use it with malicious intentions. Solution: SSL
The credit card number is available to the merchant, who can misuse it. Solution: SET
9
How SET Achieves its Objectives (cont’d) The way SET hides the cardholder’s credit
card details from the merchant by the concept of digital envelope.
10
How SET Achieves its Objectives (cont’d)
SET s/w prepares the Payment Information (PI) on the card holder’s computer exactly the same way as it happens in any Web-based payment system.
Cardholder’s computer creates a one-time session key.
Cardholder’s computer encrypts the PI using one-time session key. (PIEO)
Cardholder’s computer wraps the one-time session key with the public key of the payment gateway to form a digital envelope (OEP)
Send the encrypted PI (PIEO) & (OEP) to the merchant (who has to pass it on to the payment gayteway).
11
SET Internals
Major transactions supported by SET: Purchase Request Payment Authorization Payment Capture
12
SET Internals: Purchase Request Step1: Initiate request
3 agencies involved:1. The agency that issues credit cards (FI)2. CA3. Payment Gateway (PG), which can be the same as the acquirer
Cardholder
Please send me digital certificates of you and that of the payment gateway. Here is a unique id to identify our interaction and here is my credit card issuer’s name
Merchant
13
SET Internals: Purchase Request Step 2: Initiate Response
Cardholder
Here is my transaction id and here are the digital certificates of the payment gateway, and myself as you had requested for.
Merchant
14
SET Internals: Purchase Request Step 3: Purchase request
Cardholder
Here are my OI and PI details. I am also sending my digital certificate that contains my public key, so that you and the payment gateway can decrypt the order/payment details.
Merchant
15
SET Internals: Purchase Request To ensure the merchant and the PG received the
information that they require, Dual Signature is used.
16
SET Internals: Purchase Request (cont’d)Step1: Merchant calculates its own OIMD, and uses it and the PIMD
received from the cardholder to generate its own POMD (say POMD1).
OI H OIMD
PIMD+ H POMD1
Step 2: Merchant decrypts DS received from the cardholder to retrieve the POMD, as was calculated by the cardholder (say POMD2).
DS D POMD2
Step 3: Merchant compares POMD1 with POMD2. If they are equal, it trusts the message, as it is assured that the message came from the cardholder.
POMD2POMD1POMD1 = ? If yes, accept; else reject message
Verification of cardholder’s authenticity by the merchant.
17
SET Internals: Purchase Request (cont’d)Step1: Payment gateway calculates its own PIMD, and uses it and the OIMD
received from the cardholder to generate its own POMD (say POMD1).
PI H PIMD
OIMD+ H POMD1
Step 2: Payment gateway decrypts DS received from the cardholder to retrieve the POMD, as was calculated by the cardholder (say POMD2).
DS D POMD2
Step 3: Payment gateway compares POMD1 with POMD2. If they are equal, it trusts the message, as it is assured that the message came from the cardholder.
POMD2POMD1POMD1 = ? If yes, accept; else reject message
Verification of cardholder’s authenticity by the payment gateway
18
SET Internals: Purchase Request Step 4: Purchase response
Cardholder
Ok, here is the result of processing your order
Merchant
19
SET Internals: Payment Authorization Consist of 2 messages:
Authorization Request Authorization Response
Merchant
Here are:a) Purchase Informationb) Authorization informationc) Cardholder’s and my certificates. Payment
Gateway
Authorization Request
20
SET Internals: Payment Authorization
Merchant
Validations were ok! Here are the authorization information, token information and my digital certificate. Payment
Gateway
Authorization Response
21
SET Internals: Payment Capture Contains 2 messages:
Capture Request Capture Response
Merchant
I need to have the payment for this purchase. Here are the transaction id, amount and my digital certificate. Payment
Gateway
Capture Request
22
SET Internals: Payment Capture
Merchant
Payment to you is authorized. Here are the details. Also enclosed is my digital certificate.
Payment Gateway
Capture Response
23
SET Conclusion
SSL and SET are both used for facilitating using secure exchange of information.
SSL is used for exchange information of any kind between only two parties (a client and a server).
SET is designed for conducting e-commerce transactions
24
SSL VERSUS SETIssue SSL SET
Main aim Exchange of data in an encrypted form
E-commerce related payment mechanism
Certification Two parties exchange certificates All the involved parties must be certified by a trusted third party
Authentication Mechanisms in place, but not very strong
Strong mechanisms for authenticating all the parties involved
Risk of merchant fraud
Possible, since customer gives financial data to merchant
Unlikely, since customer gives financial data to payment gateway
Action in case of customer fraud
Merchant is liable Payment gateway is liable
Practical usage High Low at the moment, expected to grow