Internet payment systems


Varna Free University
E-BUSINESS
Internet payment systems
Prof. Teodora Bakardjieva
Outline
• Introduction
• Issues related
• Security
• Outstanding protocols
• Mechanisms
• Advantages and disadvantages
• Conclusion
27 Sept. 99
2
Introduction
• In the past year, the number of users reachable through the Internet has increased dramatically
• Potential to establish a new kind of open marketplace for goods and services
Introduction (cont)
• Online shops on the Internet
– Bookshop (Amazon.com)
– Flight reservation and hotel reservation shopping place, etc.
• An effective payment mechanism is needed
Issues related
• Security
• Performance
• Reliability
• Efficiency
• Bandwidth
• Anonymity (mainly in electronic coins)
Security
• The Internet is not a secure place
• There are attacks from:
– eavesdropping
– masquerading
– message tampering
– replay
How to solve?
• RSA public key cryptography is widely used for authentication and encryption in the computer industry
• Using a public/private (asymmetric) key pair or a symmetric session key to prevent eavesdropping
How to solve? (cont)
• Using a message digest to prevent message tampering
• Using a nonce to prevent replay
• Using digital certificates to prevent masquerading
Outstanding protocols
• Credit card based
– Secure Electronic Transaction (SET)
– Secure Socket Layer (SSL)
• Electronic coins
– DigiCash
– NetCash
Credit-card based systems
• Parties involved: cardholder, merchant, issuer, acquirer and payment gateway
• The user's credit-card number is transferred to the merchant over an insecure network
• A trusted third party authenticates the public key
Secure Electronic Transaction (SET)
• Developed by VISA and MasterCard
• To facilitate secure payment card transactions over the Internet
• Digital certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity
• It is the most secure payment protocol
Framework (diagram; only the labels survive): Card Holder, Merchant and Payment Gateway exchange SET messages; the Payment Gateway reaches the Card Issuer through the existing (non-SET) Financial Network
Payment processes
• The messages needed to perform a complete purchase transaction usually include:
– Initialization (PInitReq/PInitRes)
– Purchase order (PReq/PRes)
– Authorization (AuthReq/AuthRes)
– Capture of payment (CapReq/CapRes)
Typical SET Purchase Transaction (sequence diagram between CardHolder, Merchant and Payment Gateway; message order recovered from the slide)
– CardHolder → Merchant: PInitReq
– Merchant → CardHolder: PInitRes
– CardHolder → Merchant: PReq
– Merchant → Payment Gateway: AuthReq
– Payment Gateway → Merchant: AuthRes
– Merchant → CardHolder: PRes
– Merchant → Payment Gateway: CapReq
– Payment Gateway → Merchant: CapRes
Initialization
– Cardholder → Merchant, PInitReq: {BrandID, LID_C, Chall_C}
– Merchant → Cardholder, PInitRes: {TransID, Date, Chall_C, Chall_M}SigM, CA, CM
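As an added illustration that is not part of the original slides or the SET specification, the following Python model shows why the cardholder challenge Chall_C (a nonce) and the merchant signature SigM defeat replay and tampering in the PInitReq/PInitRes exchange. The RSA key, BrandID, LID_C, Date and TransID values are constructed, and the textbook RSA signature over a SHA-256 digest stands in for the real SET signature that would be checked against the merchant certificate CM.

```python
"""Model of the SET PInitReq/PInitRes exchange: the cardholder's challenge Chall_C
acts as a nonce and the merchant's signature SigM binds the reply to it."""
import hashlib
import json
import secrets

# Constructed demo merchant key: textbook RSA from two known primes, far too small
# for real use; it stands in for the key carried in the merchant certificate CM.
P, Q, E = 2147483647, 1000000007, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # merchant's private signing exponent


def digest(msg: dict) -> int:
    """Message digest over a canonical encoding; any change to the body changes it."""
    data = json.dumps(msg, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def merchant_pinitres(pinitreq: dict, trans_id: str) -> dict:
    """Merchant side: echo Chall_C, add its own challenge Chall_M, sign the body."""
    body = {"TransID": trans_id, "Date": "1999-09-27",
            "Chall_C": pinitreq["Chall_C"], "Chall_M": secrets.token_hex(8)}
    return {"body": body, "SigM": pow(digest(body), D, N)}


def cardholder_verify(pinitres: dict, expected_chall_c: str) -> bool:
    """Cardholder side: check SigM with the merchant public key, then the echoed nonce."""
    body, sig = pinitres["body"], pinitres["SigM"]
    if pow(sig, E, N) != digest(body):
        return False  # tampered body, or not signed by the merchant (masquerade)
    return body["Chall_C"] == expected_chall_c  # otherwise a stale or replayed reply


def run_initialization() -> dict:
    """One fresh exchange; returns the challenge and reply so both can be inspected."""
    chall_c = secrets.token_hex(8)  # fresh nonce per transaction
    pinitreq = {"BrandID": "DEMO-BRAND", "LID_C": "local-id-1", "Chall_C": chall_c}
    pinitres = merchant_pinitres(pinitreq, trans_id="T-0001")
    return {"chall_c": chall_c, "pinitres": pinitres}
```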
Purchase order
– Cardholder → Merchant, PReq: {OI, PI}
– Merchant → Cardholder, PRes: {TransID, [Results], Chall_C}SigM
Authorization
– Merchant → Acquirer: {{AuthReq}SigM}PKA
– Acquirer → Merchant: {{AuthRes}SigA}PKM
– Acquirer ↔ Issuer: over the existing financial network
Capture of payment
– Merchant → Acquirer: CapReq (carrying the CapToken)
– Acquirer → Merchant: {{CapRes}SigA}PKM
– Acquirer ↔ Issuer: clearing (CapToken) over the existing financial network
Advantages
• It is secure enough to protect users' credit-card numbers and personal information from attacks
• Hardware independent
• World-wide usage
Disadvantages
• User must have a credit card
• No transfer of funds between users
• It is not cost-effective when the payment is small
• No anonymity: transactions are traceable
Electronic cash/coins
• Parties involved: client, merchant and bank
• Client must have an account at the bank
• Less security and encryption
• Suitable for small payments, but not for large payments
DigiCash (E-cash)
• A fully anonymous electronic cash system
• Uses the blind signature technique
• Parties involved: bank, buyer and merchant
• Uses RSA public-key cryptography
• Special client and merchant software is needed
Withdrawing Ecash coins
• The user's cyberwallet software calculates how many digital coins are needed to withdraw the requested amount
• The software then generates random serial numbers for those coins
• The serial numbers are blinded by multiplying them by a random factor
Withdrawing Ecash coins (cont)
• Blinded coins are packaged into a message, digitally signed with the user's private key, encrypted with the bank's public key, then sent to the bank
• When the bank receives the message, it checks the signature
• After signing the blind coins, the bank returns them to the user
Spending Ecash
Advantages
• Cost-effective for small payments
• A user can transfer electronic coins to another user
• No need to apply for a credit card
• Anonymous
• Hardware independent
Disadvantages
• It is not suitable for large payments because of its lower security
• The client must use wallet software to store the coins withdrawn from the bank
• A large database is needed to store used serial numbers and prevent double spending
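The withdrawal steps on the two "Withdrawing Ecash coins" slides and the used-serial database from the disadvantages slide, as an added Python model that is not part of the original slides or of DigiCash's software: the wallet blinds a digest of each serial with a random factor, the bank signs without seeing the serial, the wallet unblinds, and the bank's deposit side honours each serial once. The bank key is a constructed textbook RSA key, and the serial size and digest format are assumptions.

```python
"""Model of DigiCash-style withdrawal with RSA blind signatures, plus the bank's
used-serial database that stops a coin from being deposited twice."""
import hashlib
import secrets
from math import gcd

# Constructed demo bank key: textbook RSA from two known primes, far too small for real use.
P, Q, E = 2147483647, 1000000007, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private signing exponent


def coin_digest(serial: int) -> int:
    """The bank's signature covers a digest of the serial, not the raw serial."""
    return int.from_bytes(hashlib.sha256(serial.to_bytes(16, "big")).digest(), "big") % N


def blind(serial: int) -> tuple:
    """Wallet: hide the digest m as m * r^E mod N using a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:  # r must be invertible mod N for unblinding
            return (coin_digest(serial) * pow(r, E, N)) % N, r


def bank_sign_blinded(blinded: int) -> int:
    """Bank: sign the blinded value after debiting the account; the serial stays hidden."""
    return pow(blinded, D, N)  # equals m^D * r mod N


def unblind(blinded_sig: int, r: int) -> int:
    """Wallet: divide out r, leaving the bank's signature m^D on the unblinded digest."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify_coin(serial: int, sig: int) -> bool:
    """Anyone holding the bank's public key (N, E) can check a coin."""
    return pow(sig, E, N) == coin_digest(serial)


def withdraw_coin() -> tuple:
    """Full withdrawal round trip; returns a spendable (serial, signature) coin."""
    serial = secrets.randbits(64)  # random serial number chosen by the wallet
    blinded, r = blind(serial)
    return serial, unblind(bank_sign_blinded(blinded), r)


class Bank:
    """Deposit side: every serial is accepted once; a repeat is double spending."""
    def __init__(self):
        self.used_serials = set()  # the large database the slide refers to

    def deposit(self, serial: int, sig: int) -> bool:
        if not verify_coin(serial, sig) or serial in self.used_serials:
            return False
        self.used_serials.add(serial)
        return True
```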
Comparisons
• SET
– uses credit cards
– 5 parties involved
– not anonymous
– large and small payments
• Ecash
– uses e-coins
– 3 parties involved
– anonymous nature
– a large database is needed to log used serial numbers
– small payments
Conclusions
• An effective, secure and reliable Internet payment system is needed
• Depending on the payment amount, different levels of security are used
• The SET protocol is an outstanding payment protocol for secure electronic commerce