04/10/2023 1
Security in e-Business
Instructor: Dr. Sekhavati
Maryam Sadat Haj Akbari
8861022
Electronic commerce
Types of electronic commerce:
- Business to business (B2B), e.g. EDI
- Business to customer (B2C), e.g. online stores
- Customer to customer (C2C), e.g. eBay
- Customer or business to public administration, e.g. filing electronic tax returns
A typical electronic payment system
(Figure: the customer, the payment gateway and the interbank network; the numbered message flow recovered from the diagram)
1. Payment info
2. Check account
3. Registration
4. Withdrawal
5. Deposit
6. Interbank (clearing) network
7. OK
8. Registration / authorization of the transaction
9. Delivery + confirmation
E-payment systems
- Offline vs. online
- Debit vs. credit
- Macro vs. micro
Offline vs. Online
Offline payment system: the customer and the seller interact, but the banking side is not contacted during the transaction (their banking information stays offline).
Used on airlines. Payment mechanism: the crew imprints the customer's credit card and the payment information onto a paper slip with a mechanical device; the slip is entered into the online system later. Authorization therefore happens only after the sale.
Offline vs. Online
Online payment system: the customer's account is checked with the bank while the transaction is taking place, so authorization happens before the goods or service are delivered.
Debit vs. credit
Debit card: the payment is checked against, and taken directly from, the customer's account (e.g. the Iranian banking system).
Credit card: entities involved in a credit card system
- Cardholder
- Card-issuing bank
- Merchant
- Card brand shown on the card (Visa, MasterCard, AMEX, ...)
- Card association (e.g. Visa, MasterCard)
How does a credit card transaction work?
(Figure only on this slide; no labels survived extraction)
Macro vs. micro
Macro payment system: payments of more than about $5 to $10.
Micropayment system: payments of less than about $1 to $5. Examples: public transportation, restaurants, online advertising, ...
Difference: each card transaction carries a fee of about 20 to 30 cents for payer and payee, which is out of proportion for a micropayment, so micropayments need a cheaper settlement mechanism.
Payment instruments
- Cash-like
- Check-like
- Credit card
- Electronic money
- Electronic check
Mechanism of payment by credit card
(Figure: four numbered steps; the step labels did not survive extraction)
Credit card security
Two main sources of illegal use of credit card data:
- Eavesdroppers: outsiders who intercept the card data in transit
- Dishonest participants: parties that receive the data legitimately and misuse it
The solution: encryption of the channel, e.g. SSL (covered in the next chapter). Note that SSL protects the data only in transit; it does nothing against a dishonest merchant who receives the card number in the clear at the other end.
Electronic money
Definition: scrip, i.e. money that is stored or exchanged only in electronic form.
Also called: e-cash, digital cash, digital/electronic currency.
Mainly used for: micropayment systems.
Electronic currencies are denominated in digital or electronic coins.
Digital money
Example: the Octopus system in Hong Kong, used in the public transportation system.
A well-known example is PayPal: the user holds an amount of credit in an account and can transfer money to, or receive money from, other account holders.
Electronic check
Difference from cash-like systems: in a cash-like electronic payment system the customer's account is checked first and only then is the product or service delivered; with an electronic check the payee accepts a signed check and the funds are cleared afterwards.
(Figure: message flow recovered from the diagram)
1. Payment info
2. Invoice
3. Signed check
4. (label not recoverable)
5. Endorsed check
6. Interbank (clearing) network: settlement
Electronic wallet
Definition: an interface for storing financial information, such as digital money and credit card details.
Usage: completing electronic forms without re-entering the transaction data every time a transaction is made.
Examples: PayPal, Google Checkout.
Electronic payment security
Designing security services starts with risk analysis: identify the risks, threats and vulnerabilities, then identify the related priorities.
Note: every payment system has its own needs and special features, so the services must be chosen per system.
Electronic payment security: problems
Traditional payment systems:
- Money can be counterfeited
- Signatures can be forged
- Checks can bounce
Electronic payment systems:
- Digital documents can be copied perfectly and arbitrarily
- A payer's identity can be associated with every payment transaction
- Digital signatures can be produced by anyone who knows the private key
Note: electronic commerce therefore needs more attention.
Three types of adversaries!
- Outsiders: eavesdropping and misusing the collected data (e.g. credit card numbers)
- Active attackers: sending forged messages to authorized participants
- Dishonest payment system participants: trying to obtain and misuse payment transaction data that they are not authorized to see or use
The basic security requirements
Payment authentication
Payment integrity
Payment authorization
Payment confidentiality
Payment authentication
Without anonymity -> mechanisms such as MACs built on hash functions (SHA, MD5). Note that MD5 is no longer considered a secure hash function; a MAC should be built on a current hash, e.g. HMAC-SHA-256.
With anonymity -> harder: the payer must be authenticated as a legitimate payer without revealing who they are, which needs more elaborate mechanisms (see payer anonymity below).
Payment integrity
Payment integrity requires that payment transaction data cannot be modified by unauthorized principals.
Payment transaction data: the payer's identity, the payee's identity, the content of the purchase, the amount.
Payment authorization
Payment authorization ensures that no money can be taken from a customer's account or smart card without the customer's explicit permission.
Payment confidentiality
Payment confidentiality covers the secrecy of one or more pieces of payment transaction data, possibly different pieces towards different parties.
Payment security services
Payment transaction security services
Digital money security
Electronic checks security
Payment transaction security services
- User anonymity
- Location untraceability
- Payer anonymity
- Payment transaction untraceability
- Confidentiality of payment
- Non-repudiation
- Freshness
User anonymity
User anonymity protects against disclosure of a user’s identity in a network transaction.
Mechanism: Chain of mixes
Location untraceability
Location untraceability protects against disclosure of where a payment transaction originated.
Mechanism: Chain of mixes
Payer anonymity
Payer anonymity protects against disclosure of a payer's identity in a payment transaction.
Mechanism: pseudonyms
Payment transaction untraceability
Payment transaction untraceability protects against linking two different payment transactions involving the same customer.
Mechanism: hash function (a keyed pseudorandom function over a fresh random value, as in the IDC construction later in these slides)
Confidentiality of payment
Confidentiality of payment transaction data selectively protects against disclosure of specific parts of the payment transaction data to selected principals from the group of authorized principals.
Mechanism: hash function (salted, so that only a party holding the salt can check the hidden data)
Non-repudiation
Non-repudiation of payment messages protects against denial of the origin of protocol messages exchanged in a payment transaction.
Mechanism: digital signature
Freshness
Freshness of payment transaction messages protects against replaying of payment transactions messages.
Mechanism: Nonces and Time Stamps
Payment transaction security
An electronic payment transaction is an execution of a protocol by which an amount of money is taken from a payer and given to a payee.
User anonymity and location untraceability
User anonymity and location untraceability can be provided separately.
A pure user anonymity security service would protect against disclosure of a user's identity; for example, a user employs pseudonyms instead of his or her real name.
Problem: if a network transaction can be traced back to the originating host, and that host is used by a single known network user, this anonymity is obviously not sufficient.
Location untraceability
A pure location untraceability security service would protect against disclosure of where a message originates.
One possible solution is to route the network traffic through a set of anonymizing hosts.
This requires that at least one of the hosts on the network path be honest.
Chain of mixes
A user anonymity and location untraceability mechanism based on a series of anonymizing hosts, or mixes, was proposed by D. Chaum.
(Figure: senders A, B, C submit messages to a Mix, which delivers them to recipients X, Y, Z in a different order.)
Chain of mixes
The problem of having a mix trusted by all participants can be solved by using a matrix (or network) of mixes instead of just one.
Chain of mixes
If A wants to send an anonymous and untraceable message to Y, as in the example with one mix, the protocol goes as follows:
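The slides do not reproduce the step list of that protocol, so it is left as it is. As an added illustration (not code from the original slides and not Chaum's own construction), the following Python simulation shows the principle: the sender wraps the message in one encryption layer per mix, each mix strips one layer, learns only the previous hop and the next hop, and re-emits its whole batch in shuffled order. Assumptions: every mix holds a secret key that senders also know (a stand-in for the mix's public key), and each layer is a toy HMAC-SHA256 keystream XOR rather than a real cipher. The names M1, M2 and the sample messages are constructed for the demo.

```python
"""Chain of mixes (after Chaum): each mix strips one encryption layer, learns
only the previous hop and the next hop, and forwards its whole batch in a
shuffled order, so no single mix can link a sender to a recipient."""
import hashlib
import hmac
import os
import random

NAME_LEN = 8        # fixed-width hop names keep every layer the same shape
NONCE_LEN = 16
# Constructed demo keys; stand-in for each mix's public key (assumption).
MIX_KEYS = {"M1": b"mix-one-demo-key", "M2": b"mix-two-demo-key"}


def _pad_name(name: str) -> bytes:
    return name.encode().ljust(NAME_LEN, b"\0")


def _unpad_name(raw: bytes) -> str:
    return raw.rstrip(b"\0").decode()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def build_onion(path: list, recipient: str, payload: bytes) -> bytes:
    """Wrap payload once per mix, innermost layer first, so path[0] peels the outer layer.
    Each layer's plaintext is <next hop name> || <inner blob>."""
    blob, next_hop = payload, recipient
    for mix in reversed(path):
        blob = seal(MIX_KEYS[mix], _pad_name(next_hop) + blob)
        next_hop = mix
    return blob


def mix_process(mix: str, batch: list, rng: random.Random, views: dict) -> list:
    """Peel one layer off every item, record what this mix could observe, and
    output the batch in shuffled order. Returns a list of (next_hop, inner_blob)."""
    out = []
    for prev_hop, blob in batch:
        plain = unseal(MIX_KEYS[mix], blob)
        next_hop, inner = _unpad_name(plain[:NAME_LEN]), plain[NAME_LEN:]
        views[mix]["from"].add(prev_hop)
        views[mix]["to"].add(next_hop)
        out.append((next_hop, inner))
    rng.shuffle(out)    # batching + reordering defeats input/output order correlation
    return out


def run_chain(messages: list, path: list, seed: int = 0):
    """messages: (sender, recipient, payload) triples, all routed over the same mix path.
    Returns (delivered: recipient -> payload, views: mix -> {'from': set, 'to': set})."""
    rng = random.Random(seed)
    views = {mix: {"from": set(), "to": set()} for mix in path}
    batch = [(sender, build_onion(path, rcpt, payload)) for sender, rcpt, payload in messages]
    outputs = []
    for mix in path:
        outputs = mix_process(mix, batch, rng, views)
        batch = [(mix, inner) for _next_hop, inner in outputs]   # next mix sees only "mix" as origin
    return {rcpt: payload for rcpt, payload in outputs}, views


if __name__ == "__main__":
    # Constructed sample: A, B, C write to X, Y, Z through mixes M1 -> M2 (as in the slide figure).
    delivered, views = run_chain(
        [("A", "Y", b"A pays Y"), ("B", "X", b"B pays X"), ("C", "Z", b"C pays Z")], ["M1", "M2"])
    print(delivered)
    print(views)    # M1 saw {A,B,C} -> {M2}; M2 saw {M1} -> {X,Y,Z}; neither links A to Y
```

The views dictionary is the point of the exercise: M1 knows who submitted messages but only that they went on to M2, M2 knows who received messages but only that they came from M1. Only a collusion of every mix on the path recovers the A-to-Y link, which is the "at least one honest host" condition stated above.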
Payer anonymity
The simplest way to ensure payer anonymity with respect to the payee is for the payer to use pseudonyms instead of his or her real identity.
If one wants to be sure that two different payment transactions by the same payer cannot be linked, then payment transaction untraceability must also be provided.
Pseudonyms
Example: First Virtual Holdings, Inc. started to operate the first Internet payment system that was based on the existing Internet infrastructure, that is, e-mail and telnet (each purchase was confirmed by e-mail).
Pseudorandom function
Payment transaction untraceability: IDC = h_k(RC, BAN), where h_k is a pseudorandom function keyed with k, RC is a fresh random value chosen for the transaction and BAN is the customer's bank account number. A new RC gives a new IDC, so two transactions cannot be linked by a party that does not hold k.
Payment transaction data confidentiality: the order description is hidden behind a salted hash, h_k(SALTc, DESC).
Payment instruction (credit card information, account number, ...): must be kept secret from the merchant.
Order information (what is bought, where, how it is delivered, ...): must be kept secret from the acquirer bank, the issuer bank, etc.
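The two constructions above, worked through in Python as an added example (not code from the original slides). Assumptions: h_k is instantiated as HMAC-SHA256; k is shared between the customer and the customer's bank only; RC travels to the bank inside the payment instruction, so the bank can recompute IDC while the merchant sees only an opaque identifier; the account numbers and the key are constructed for the demo.

```python
"""Per-transaction customer pseudonyms and salted description digests from a
keyed pseudorandom function h_k (HMAC-SHA256 here)."""
import hashlib
import hmac
import os


def h_k(key: bytes, *parts: bytes) -> str:
    """h_k(x1, x2, ...): HMAC-SHA256 over length-prefixed parts, so (RC, BAN) cannot
    be re-split into a different pair that yields the same input bytes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.hexdigest()


def customer_id(key: bytes, rc: bytes, ban: bytes) -> str:
    """IDC = h_k(RC, BAN): what the merchant sees instead of the account number."""
    return h_k(key, rc, ban)


def bank_resolve(key: bytes, accounts: list, rc: bytes, idc: str):
    """The bank knows k and its account numbers and receives RC with the payment
    instruction; it recomputes IDC per account to find whose transaction this is."""
    for ban in accounts:
        if hmac.compare_digest(customer_id(key, rc, ban), idc):
            return ban
    return None


def description_digest(key: bytes, salt: bytes, desc: bytes) -> str:
    """h_k(SALTc, DESC): the bank stores only this. Without the salt a short,
    guessable description could be brute-forced from the digest; with it the
    description can be disclosed later by revealing (SALTc, DESC) in a dispute."""
    return h_k(key, salt, desc)


def demo():
    """Constructed sample: one customer, two purchases at the same merchant.
    Returns (merchant can link the two, BAN recovered by the bank, BAN guessed without k)."""
    key = b"customer-bank-shared-key"          # assumption: shared out of band
    ban = b"IR00-0000-1234-5678"               # constructed account number
    others = [b"IR00-0000-9999-0000", ban]     # the bank's (tiny) account table
    rc1, rc2 = os.urandom(16), os.urandom(16)  # fresh RC per transaction
    idc1, idc2 = customer_id(key, rc1, ban), customer_id(key, rc2, ban)
    merchant_can_link = idc1 == idc2           # False: different RC, unrelated IDCs
    resolved = bank_resolve(key, others, rc1, idc1)          # bank recovers the BAN
    guessed = bank_resolve(b"wrong-key", others, rc1, idc1)  # merchant without k: nothing
    return merchant_can_link, resolved, guessed


if __name__ == "__main__":
    print(demo())    # (False, b'IR00-0000-1234-5678', None)
```

Note the asymmetry this buys: unlinkability holds against the merchant and any eavesdropper, but not against the bank, which is exactly the "payer anonymity with respect to the payee" of the previous slides rather than anonymity towards the issuer.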
Secure Electronic Transaction (SET)
SET is an open encryption and security specification designed to protect credit card transactions on the Internet.
Important feature of SET: it prevents the merchant from learning the cardholder's credit card number.
Dual signature
The purpose of a dual signature is to link two messages that are intended for two different recipients. In SET the order information (OI) goes to the merchant and the payment instruction (PI) to the bank: the cardholder signs the hash of the concatenated hashes of PI and OI, so each recipient can verify the signature using its own message plus only the hash of the other one.
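The dual signature as an added, runnable example (not code from the original slides and not the SET specification's exact encoding). Assumptions: textbook RSA with fixed Mersenne-prime keys and no padding is used only so the block runs with the standard library; it must not be used in a real system. SHA-256 stands in for SET's hash; the PI and OI bytes are constructed, with a made-up card number.

```python
"""SET-style dual signature: one signature binds the payment instruction (PI, for
the bank) and the order information (OI, for the merchant) while each party sees
only the other message's hash."""
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Toy cardholder key pair (assumption, insecure): n is about 648 bits, so a 256-bit
# digest is always smaller than n and textbook signing/verification round-trips.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_sign(digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), D, N)


def rsa_verify(digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(digest, "big")


def dual_sign(pi: bytes, oi: bytes):
    """Cardholder: DS = Sign(H(H(PI) || H(OI))). Returns the bundle for each recipient."""
    pimd, oimd = H(pi), H(oi)
    ds = rsa_sign(H(pimd + oimd))
    to_merchant = {"oi": oi, "pimd": pimd, "ds": ds}   # merchant never sees PI
    to_bank = {"pi": pi, "oimd": oimd, "ds": ds}       # bank never sees OI
    return to_merchant, to_bank


def merchant_verify(bundle: dict) -> bool:
    """Merchant recomputes H(OI), pairs it with the PI digest it was given, checks DS."""
    return rsa_verify(H(bundle["pimd"] + H(bundle["oi"])), bundle["ds"])


def bank_verify(bundle: dict) -> bool:
    """Bank recomputes H(PI), pairs it with the OI digest it was given, checks the same DS."""
    return rsa_verify(H(H(bundle["pi"]) + bundle["oimd"]), bundle["ds"])


def demo():
    """Constructed order; returns (merchant ok, bank ok, merchant ok after tampering with OI)."""
    pi = b"card=4111111111111111;exp=12/27;amount=49.90"   # constructed, not a real card
    oi = b"order=17;item=book;amount=49.90;ship=post"
    to_merchant, to_bank = dual_sign(pi, oi)
    tampered = dict(to_merchant, oi=oi.replace(b"49.90", b"9.90"))   # merchant edits the order
    return merchant_verify(to_merchant), bank_verify(to_bank), merchant_verify(tampered)


if __name__ == "__main__":
    print(demo())    # (True, True, False)
```

Because the same DS covers both digests, the bank can later prove that the PI it charged belongs to exactly the OI the merchant shipped, without either party having held the other's plaintext.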
Non-repudiation of payment transaction messages
Digital signatures: to explain the non-repudiation issues in a payment transaction protocol, a simplified model based on the 3KP payment protocol is used.
Non-repudiation of messages.
Freshness of Payment Transaction Messages
This service protects against replay attacks. In other words, it prevents eavesdroppers or dishonest participants from reusing the messages exchanged during a payment transaction.
Nonces and Time Stamps
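Freshness, together with the MAC-based payment authentication from the earlier slide (the non-anonymous case), as an added example that is not part of the original slides or the 3KP protocol. Assumptions: payer and payee/bank share a key agreed out of band; messages are canonicalised as JSON with sorted keys before being MACed; a 120-second acceptance window; the sample payment and key are constructed.

```python
"""Authenticated, fresh payment messages: an HMAC over the whole body (shared key,
no anonymity) binds the content; a nonce plus a time stamp let the receiver reject
replays and stale copies."""
import hashlib
import hmac
import json
import os

MAX_AGE_SECONDS = 120


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: dict, now: int, nonce: bytes = None) -> dict:
    """Sender: attach a fresh nonce and the current time, then MAC the whole body."""
    body = dict(payload, nonce=(nonce or os.urandom(16)).hex(), ts=int(now))
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Payee/bank side: verify the MAC first, then the time window, then nonce uniqueness."""

    def __init__(self, key: bytes, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}    # nonce -> ts, kept only for nonces still inside the window

    def accept(self, msg: dict, now: int) -> tuple:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"              # forged or modified content
        if abs(now - body["ts"]) > self.max_age:
            return False, "stale timestamp"      # too old (or clocks too far apart) to trust
        if body["nonce"] in self.seen:
            return False, "replay"               # the same message delivered twice
        self.seen[body["nonce"]] = body["ts"]
        # Nonces older than the window can no longer pass the time check, so drop them
        # and keep the replay cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        return True, "ok"


def demo():
    """Constructed exchange; returns the receiver's verdict for four deliveries."""
    key = b"payer-payee-shared-key"    # assumption: agreed out of band
    t0 = 1_700_000_000
    rx = Receiver(key)
    payment = {"payer": "A", "payee": "Y", "amount": "12.50"}
    msg = make_message(key, payment, t0)
    first = rx.accept(msg, t0 + 1)                               # genuine delivery
    replayed = rx.accept(msg, t0 + 5)                            # eavesdropper resends it
    altered = rx.accept(dict(msg, amount="1250.00"), t0 + 6)     # dishonest party edits the amount
    old = make_message(key, payment, t0 - 3600)                  # valid MAC, new nonce, an hour old
    stale = rx.accept(old, t0 + 7)
    return first, replayed, altered, stale


if __name__ == "__main__":
    print(demo())
    # ((True, 'ok'), (False, 'replay'), (False, 'bad mac'), (False, 'stale timestamp'))
```

The order of the checks matters: the MAC is verified before anything in the body is trusted, so an attacker cannot use the time stamp or nonce fields to steer the receiver's state. The time stamp bounds how long nonces must be remembered; without it the replay cache would grow without limit.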
IOTP
The Internet Open Trading Protocol (IOTP) is an electronic payment framework for Internet commerce whose purpose is to ensure interoperability
among different payment systems.
IOTP is payment system-independent. That means that any electronic payment system (e.g., SET, DigiCash) can be used within the framework.
IOTP messages are well-formed XML (Extensible Markup Language) documents.
IOTP
- A format for electronic payment messages
- Covers any kind of transaction
- Can be adapted for any message type
- Data integrity + non-repudiation -> digital certificates + digital signatures
- Confidentiality -> SSL/TLS
The End