
Secure Electronic Transaction (SET)


Page 1: Secure Electronic Transaction (SET)

SET: Secure Electronic Transactions

Page 2

“Use your mentality, wake up to reality”

From the song “I've Got You Under My Skin” by Cole Porter

Page 3

Ctrl-V Members

Taimoor Hussain (Roll No. 59) Wajid Ali (Roll No. 58) Shahid Iqbal (Roll No. 22)

Page 4

Outline

• Background
• SET Security Architecture
  • Mandatory Digital Certificates
  • Dual Signatures
  • Digital Wallet
• Complexity

Page 5

Outline

• Attempted Solutions
  • SET / EMV
  • 3-D SET
• Conclusion
• References

Page 6

Background

• Online shopping emerged as an alternative shopping method around 1996.
• Cryptography was seen as a "magic pill" for its security problems.
• Public Key Cryptography (PKC) supplied the needed primitives:
  • Encryption
  • Digital signatures
  • Entity authentication

Page 7

What is SET?

• Developed by a consortium: GTE, IBM, MasterCard, Microsoft, Netscape, SAIC, Terisa Systems, VeriSign, and Visa.
• Symmetric and asymmetric cryptography: DES for bulk encryption (SET 1.0 specified single 56-bit DES, not 3-DES) and 1024-bit RSA for digital envelopes and signatures.
• Intended to close the security gaps of SSL/TLS for card payments.
• Building blocks: software and hardware components, public-key certificates, and digital signatures.

Page 8

SET Participants

• Cardholder: authorized holder of a payment card that has been issued by an issuer.
• Merchant: a person or organization with goods or services to sell to the cardholder.
• Issuer: financial institution that provides the cardholder with the payment card.
• Acquirer: financial institution that establishes an account with a merchant and processes payment card authorizations and payments.

Page 9

SET Participants

• Payment Gateway: operated by the acquirer or a designated third party; provides the interface between SET and the existing bankcard payment networks for authorization and payment functions.
• Certificate Authority: an entity trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.

Page 10

Important Features

• Confidentiality: payment and order information is encrypted with DES (a fresh symmetric key per message, delivered in an RSA digital envelope). The card number is disclosed to the payment gateway, not to the merchant.
• Integrity: RSA digital signatures over SHA-1 hash codes.
• Cardholder authentication: X.509v3 certificates with RSA signatures verify that the cardholder is a legitimate user of a valid card account.
• Merchant authentication: X.509v3 certificates with RSA signatures verify that the merchant has a relationship with a financial institution (the acquirer) allowing it to accept payment cards.

Page 11

SET Components and Participants (diagram)

Page 12

Security Architecture

SET uses a PKI to address limitations of SSL/TLS: TLS authenticates the merchant's server and encrypts the channel, but as typically deployed it does not authenticate the cardholder and it delivers the full card number to the merchant. SET adds mandatory certificates for both parties and keeps the card number away from the merchant.

Page 13

Mandatory Digital Certificates

Every party holds a certificate; digital signatures made with the certified keys authenticate the identity of both customer and merchant.

Page 14

Mandatory Digital Certificates

Notation: PK_X is X's public key, SK_X the matching private (signing) key, and CERT_X = Sign(SK_signer)[PK_X] is a certificate on PK_X.

• The CA issues a certificate to the issuing bank ("the issuer"): CERT_ISS = Sign(SK_CA)[PK_ISS]
• The CA issues a certificate to the acquiring bank ("the acquirer"): CERT_ACC = Sign(SK_CA)[PK_ACC]
• The customer gets its certificate from the issuing bank: CERT_CUS = Sign(SK_ISS)[PK_CUS]
• The merchant gets its certificate from the acquiring bank: CERT_MER = Sign(SK_ACC)[PK_MER]

A merchant therefore validates a customer's certificate through the issuer up to the CA root, and a customer validates a merchant's certificate through the acquirer.

Page 15

Mandatory Digital Certificates: Process

• An asymmetric key pair is generated for the customer.
• The customer's public key is sent to the customer's bank ("the issuer").
• The issuer generates a public-key certificate for the customer, signing it with the issuer's private signature key.
• The customer receives the system "root" public key together with the certificate on the customer's own public key, so that certificate chains can be verified.
• The customer's private key is stored in the digital wallet, protected by a password.

Page 16

Dual Signature

Purpose: to link two messages that go to different recipients.

• Order Information (OI): customer to merchant
• Payment Information (PI): customer to bank

The customer sends OI and PI to the merchant and the bank respectively.

• The merchant does not need to know the customer's credit card number.
• The bank does not need to know what the customer is buying.
• Yet the two must be bound together, so that this payment can be authorized only for this order, and this order can be paid only with this payment.

Page 17

Dual Signature

Construction:

• Take the SHA-1 hash of the payment information and of the order information: PIMD = H(PI), OIMD = H(OI).
• Concatenate the two digests, H(PI) || H(OI), and hash the result: POMD = H(PIMD || OIMD).
• The customer signs (encrypts with its private key KRc) the final hash, producing the dual signature:

DS = E_KRc[ H( H(PI) || H(OI) ) ]

Page 18

DS Verification by Merchant

The merchant receives OI, the digest PIMD of the payment information, and DS, and holds the customer's public key KUc from the customer's certificate. It computes two values:

H( PIMD || H(OI) )
D_KUc[ DS ]

These must be equal. The merchant never sees PI itself.

Page 19

DS Verification by Bank

The bank (payment gateway) receives DS, PI, the message digest of the order information (OIMD), and the customer's public key. It computes:

H( H(PI) || OIMD )
D_KUc[ DS ]

These must be equal. The bank never sees OI itself.
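The dual-signature construction on Page 17 and the two verifications on Pages 18 and 19, as an added Python example; it is not code from the slides or from the SET specification. It uses SHA-1 as SET did, but textbook RSA (raw exponentiation over the digest, no PKCS#1 padding) and a demo-grade Miller-Rabin key generator, both assumptions for illustration only; the OI and PI strings are constructed samples. It also checks the property the slides motivate: a merchant cannot reprice the order, and nobody can re-bind the PI to a different order, without the customer's signature failing to verify.

```python
# Added example: SET dual signature on textbook RSA (assumption: raw
# RSA over a SHA-1 digest, no PKCS#1 padding, demo-grade keygen).
import hashlib
import secrets

def H(data: bytes) -> bytes:
    """SHA-1, the hash SET specified (kept for fidelity, not as a recommendation)."""
    return hashlib.sha1(data).digest()

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for a demo key, not a vetted key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 1024):
    """Return ((n, e), (n, d)); 1024-bit moduli match the SET slides."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(digest: bytes, priv) -> int:
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)  # E_KRc[digest]

def rsa_verify(digest: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")  # D_KUc[sig] == digest

# DS = E_KRc[ H( H(PI) || H(OI) ) ]
def dual_signature(pi: bytes, oi: bytes, cust_priv) -> int:
    return rsa_sign(H(H(pi) + H(oi)), cust_priv)

def merchant_verifies(oi: bytes, pimd: bytes, ds: int, cust_pub) -> bool:
    """Merchant holds OI in clear but only PIMD = H(PI); checks H(PIMD || H(OI))."""
    return rsa_verify(H(pimd + H(oi)), ds, cust_pub)

def bank_verifies(pi: bytes, oimd: bytes, ds: int, cust_pub) -> bool:
    """Bank holds PI in clear but only OIMD = H(OI); checks H(H(PI) || OIMD)."""
    return rsa_verify(H(H(pi) + oimd), ds, cust_pub)

def run_dual_signature_demo() -> dict:
    cust_pub, cust_priv = rsa_keygen()
    # Constructed sample messages; the PAN is a well-known test number.
    oi = b"order=42;item=book;amount=19.99"
    pi = b"pan=4111111111111111;exp=12/99;amount=19.99"
    ds = dual_signature(pi, oi, cust_priv)
    pimd, oimd = H(pi), H(oi)
    repriced_oi = b"order=42;item=book;amount=1.99"                # merchant alters the order
    inflated_pi = b"pan=4111111111111111;exp=12/99;amount=99.99"   # PI altered in transit
    return {
        "merchant_ok": merchant_verifies(oi, pimd, ds, cust_pub),
        "bank_ok": bank_verifies(pi, oimd, ds, cust_pub),
        # The customer's DS binds this OI to this PI: neither half can be swapped.
        "merchant_detects_oi_swap": not merchant_verifies(repriced_oi, pimd, ds, cust_pub),
        "bank_detects_oi_swap": not bank_verifies(pi, H(repriced_oi), ds, cust_pub),
        "bank_detects_pi_change": not bank_verifies(inflated_pi, oimd, ds, cust_pub),
    }

if __name__ == "__main__":
    print(run_dual_signature_demo())
```

Run it directly to print the five checks. The merchant side never touches PI and the bank side never touches OI, only their digests, which is exactly what lets two parties with different views verify the same DS.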

Page 20

Digital Wallet

• Authenticates the customer locally: the password unlocks the wallet and releases the private key.
• Transmits OI and PI, encrypted under separate public keys, to the merchant:

Sign(SK_CUS) { E(PK_MER)[OI] | E(PK_ACC)[PI] }

• The merchant can open only the OI part. It forwards the PI part, still sealed for the acquirer's payment gateway, with its authorization request; the acquirer obtains authorization from the issuing bank over the existing card network, and the banks verify the customer's signature on their side.

Page 21

SET Process

• The customer opens an account with a card issuer (MasterCard, Visa, etc.).
• The customer receives an X.509v3 certificate signed by the issuing bank.
• A merchant who accepts a given brand of card must possess two X.509v3 certificates: one for signing and one for key exchange.
• The customer places an order for a product or service on the merchant's website.
• The merchant sends a copy of its certificate so the customer can verify that it is dealing with a valid store.

Page 22

SET Process

• The customer sends order and payment information (OI and PI, bound by a dual signature) to the merchant.
• The merchant requests payment authorization from the payment gateway prior to shipment.
• The merchant confirms the order to the customer.
• The merchant provides the goods or service to the customer.
• The merchant requests payment (capture) from the payment gateway.

Page 23

SET Process (diagram)

Page 24

Complexity of SET

The "magic pill" became a "toxic pill":

• The PKI and registration process were a massive overhead (Bellis [10]).
• The PKI did not fit the merchant infrastructure of the 1990s, because merchants could no longer see credit card numbers (Treese and Stewart [11]).
• Obtaining digital certificates was burdensome, special software had to be installed on both the customer and merchant sides, and the private key sat in a password-protected digital wallet while password protection on a home PC is not secure (Lieb [12]).
• E-commerce transactions became slow (Whinnet); users sometimes abandoned transactions.

Page 25

Attempted Solutions to SET Problems

Extensions added to SET:

• PIN
• Chip
• Server-based digital wallet

Page 26

Attempted Solutions to SET

• SET / EMV
• 3-D SET

Page 27

SET / EMV

• The PIN and chip extensions [14][15] addressed the secrecy of private keys.
• The Online PIN extension added PIN entry to the cardholder authentication process.
• Magnetic stripes were replaced by IC (chip) cards.
• Usable without separate merchant terminals.
• No need to generate key pairs and certificates for consumers: the keys are already in the IC card, so the private key no longer resides on the PC.

Page 28

SET / EMV Problems

• Required an additional IC card reader attached to the consumer's PC.
• Complex cryptographic mechanisms.
• Merchants needed a POS (point-of-sale) component to relay the cardholder's chip transaction to the payment gateway (installed on the acquiring bank's servers).

Page 29

3-D SET

• Server-based wallet extensions built on a three-domain (3-D) architecture.
• The digital wallet software and the cardholder's digital certificate are held on the issuer's server.
• The payment gateway and merchant certificates are kept on an acquirer server.
• 3-D SET was built on the relationships between three "domains":
  • Acquirer domain: the relationship between the merchant and the acquiring bank.
  • Issuer domain: the relationship between the cardholder/consumer and the issuer.
  • Interoperability domain: supports and links the acquirer and issuer domains.

Page 30

3-D SET

• Still complex cryptographic mechanisms.
• Did not require an additional device on the consumer side.

Page 31

Conclusion

• SET might not have been rejected had it started with an architecture like 3-D SET's, with certificates and wallets held on bank servers rather than on consumer PCs.
• 3-D SET was positioned as the new "magic pill".

Page 32

References

[1] S. Farrell and M. Zolotarev, “XML and PKI: what's the story?” Network Security, vol. 2001, pp. 7-10, September 2001.

[2] F. Piper, “Some trends in research in cryptography and security mechanisms,” Computers and Security, vol. 22, pp. 22-25, January 2003.

[3] L. Loeb, Secure Electronic Transactions: Introduction and Technical Reference, Boston: Artech House, 1998.

[4] M. S. Merkow, J. Breithaupt, and K. L. Wheeler, Building SET Applications for Secure Transactions, New York: John Wiley and Sons, 1998.

[5] Secure Electronic Transaction LLC (SETCo), SET Secure Electronic Transaction Specification, version 1.0, May 1997.

Page 33

References

[6] K. Chen, H. Lee, and B. Mayer, “The impact of security control on business-to-consumer electronic commerce,” Human Systems Management, vol. 20, no. 2, pp. 139-147, 2001.

[7] D. Birch, “Secure electronic commerce – i: The certificate business: public key infrastructure will be big business,” Computer Law & Security Review, vol. 13, no. 6, pp. 454-456, 1997.

[8] http://www.informit.com/articles/article.aspx?p=26857

[9] http://www.slideshare.net/HARRY-MEHTA/secure-electronics-transaction

[10] E. Bellis, “Beautiful Trade: Rethinking E-Commerce Security,” in Beautiful Security, Sebastopol: O'Reilly, 2009.

Page 34

References

[11] G. W. Treese and L. C. Stewart, Designing Systems for Internet Commerce, Massachusetts: Addison-Wesley, 1998.

[12] J. Lieb, “Getting secure online: an overview,” CommerceNet, The Strategies Report, vol. 1, pp. 1-4, July 1999.

[13] W. Ford and M. S. Baum, Secure Electronic Commerce, Prentice Hall, 2001.

[14] Secure Electronic Transaction LLC (SETCo), Common Chip Extension: Application for SETCo Approval, version 1.0, September 1999.

[15] Secure Electronic Transaction LLC (SETCo), Online PIN Extensions to SET Secure Electronic Transaction, version 1.0, May 1999.

Page 35

References

[16] P. Jarupunphol and C. J. Mitchell, “Measuring SSL and SET against e-commerce consumer requirements,” in Proceedings of the International Network Conference (INC 2002), Plymouth University Press, pp. 323-330, July 2002.

[17] P. Jarupunphol and C. J. Mitchell, “The future of SET,” in Proceedings of UKAIS 2002, Leeds Metropolitan University, pp. 9-17, April 2002.

[18] IBM e-business, Internet Wallet Choices and Answers for Business and Technical Managers, 1999.

[19] P. Jarupunphol, “A critical analysis of 3-D Secure,” in Proceedings of the 3rd Electronic Commerce Research and Development (E-COM-03), Gdansk, Poland, pp. 87-94, October 2003.

[20] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, John Wiley and Sons, 2001.

Page 36

References

[21] K. Wrona, M. Schuba, and G. Zavagli, “Mobile payment: state of the art and open problems,” in Proceedings of the 2nd International Workshop WELCOM (L. Fiege, G. Mühl, and U. G. Wilhelm, eds.), Lecture Notes in Computer Science, vol. 2232, Springer-Verlag, Berlin, pp. 88-100, 2001.

[22] http://www.slideshare.net/Slyoldawg/jlfrank-sinatra

[23] W. Stallings, Network Security Essentials: Applications and Standards.