Web Security: Secure Electronic Transaction

SLIDE 1

Web Security: Secure Electronic Transaction

Cunsheng Ding
HKUST, Hong Kong, CHINA

SLIDE 2
  • C. Ding -- COMP685C-- L25

Secure Electronic Transactions

  • An application-layer security mechanism, consisting of a set of protocols.
  • Protects credit card transactions on the Internet.
  • Companies involved:
    – MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
  • Not a payment system.
  • It has a complex specification:
    – described in 3 books, with 971 pages

SLIDE 3

SET Services

  • Provides a secure communication channel in a transaction.
  • Provides trust by the use of X.509v3 digital certificates.
  • Ensures privacy and data integrity.

SLIDE 4

SET Overview

  • Key Features of SET:
    – Confidentiality of information
    – Integrity of data
    – Cardholder account authentication
    – Merchant authentication

SLIDE 5

SET Participants

  • Cardholder, Merchant
  • Issuer: cardholder's bank
  • Acquirer: merchant's bank
  • Payment Gateway: operated by the Acquirer for payment processing.
  • Certificate Authority (CA): a trusted authority that issues X.509v3 public-key certificates for cardholders, merchants, and payment gateways.

SLIDE 6

SET Participants

SLIDE 7

Steps for transactions

  • Customers open the account and receive a certificate from the CA
  • Merchants have their own certificates
  • Customer places an order
  • Merchant is verified by Customer
  • Order and payment are sent
  • Merchant requests payment authorization
  • Merchant confirms order and provides goods or service
  • Merchant requests payment

SLIDE 8

Dual Signature

  • Purpose is to link two messages that are intended for two different recipients
  • Merchant does not need to know customer's credit card number
  • Bank does not need to know customer's order details
  • But both items must be linked to resolve any disputes if required

SLIDE 9

Construction of Dual Signature

[Figure: PI → H → PIMD; OI → H → OIMD; PIMD || OIMD → H → POMD → D (key Kd(c)) → Dual Signature]

PI = Payment Information
OI = Order Information
H = Hash function (SHA-1)
|| = Concatenation
PIMD = PI message digest
OIMD = OI message digest
POMD = Payment order message digest
D = Decryption
Kd(c) = Customer's private signature key

SLIDE 10

Phase 1

[Figure: Phase 1 message flow, steps 1.1 to 1.5. Labels: Initial request (ID, nonce); Merchant certificate, initial response; Verify merchant; Order & Payment Inform.; Verify customer]

SLIDE 11

Initial Request and Response

Initial Request

  • The brand (kind, grade) of the credit card the customer is using.
  • An ID assigned to this request/response pair for identifying this pair.
  • A nonce used to ensure timeliness.

Initial Response

  • A signed response:
    – The nonce from the customer, another nonce for the customer to return in the next message.
    – A transaction ID.
  • Merchant's signature certificate.
  • Payment gateway's key exchange certificate.

SLIDE 12

Customer Verifies Merchant

  • The Customer then uses the Merchant's public signature key to verify the signature of the merchant.

Remark: The detailed verification depends on the underlying (signing, verification) algorithms

SLIDE 13

Purchase request

[Figure: Request message. Passed on by merchant to payment gateway: PI, Dual Signature and OIMD, encrypted (E) under Ks, plus the Digital Envelope (Ks encrypted under Ke(b)). Received by merchant: PIMD, OI, Dual Signature, Cardholder certificate]

Ks = Temporary symmetric key
Ke(b) = Bank's public key-exchange key
E = Encryption (RSA for asymmetric; DES for symmetric)

SLIDE 14

Payment / Order Related Information

Payment-related

  • The PI: payment information
  • The dual signature
  • The OIMD
    – OI message digest
  • The digital envelope
    – it contains secret key

Order-related

  • The OI
  • The dual signature
  • The PIMD
    – PI message digest

SLIDE 15

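Verification of Purchase Request and Customer by Merchant: Pictorial

[Figure: from the request message (Digital Envelope, PIMD, OI, Dual Signature, Cardholder certificate) the merchant hashes OI (H) to get OIMD, hashes PIMD || OIMD (H) to get POMD, applies E with Ke(c) to the Dual Signature to get POMD, and compares the two POMD values. The Digital Envelope is passed on by merchant to payment gateway]

E = Encryption (RSA)
Ke(c) = Customer's public key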

SLIDE 16

Phase 2

Authorization Request

SLIDE 17

Authorization Request: Merchant ==> Payment Gateway

Payment-related

  • The PI: payment information
  • The dual signature
  • The OIMD
    – OI message digest
  • The digital envelope

Authorization-related

  • An authorization block:
    – transaction ID, signed with merchant's private key, and encrypted with a session key generated by the merchant.
  • A digital envelope:
    – session key encrypted with the gateway's public key.

Cardholder's certificate

SLIDE 18

The follow-up by the Gateway

  • Verifies all certificates.
  • Decrypts the digital envelope of the authorization block to obtain the session key and then decrypts the authorization block.
  • Verifies the merchant's signature on the authorization block.
  • Decrypts the digital envelope of the payment block to obtain the symmetric key and then decrypts the payment block.
  • Verifies that the transaction ID received from the merchant matches that in the PI received (indirectly) from the customer.

SLIDE 19

Phase 3

Requests and receives an authorization from the issuer

SLIDE 20

Phase 4

Authorization Response

SLIDE 21

Authorization Response

  • Authorization-Related Information:
    – authorization block, signed with gateway's private key and encrypted with a session key generated by the Gateway.
    – An envelope, the session key encrypted with the merchant's public key.
  • Capture token information:
    – This information will be used to effect payment later.
    – It has the same form as the authorization-related information above.
  • Certificate: The gateway's signature key certificate.

SLIDE 22

Phases 5 and 6

  • Phase 5:
    – Merchant delivers goods after getting the authorization response from the payment gateway.
  • Phase 6: Payment capture
    – involves all parties.
    – Details omitted.

SLIDE 23

Security

  • SET has been developed to make trading via the Internet secure.
  • It ensures:
    – That both parties are "genuine".
    – That the customer is protected against misuse of payment cards.
    – That alterations cannot be made to orders without being discovered.
    – That orders can only be read by the customer and the company concerned.
    – That payment information can only be read by the acquirer and the customer.
