Web Security: Secure Electronic Transaction
Cunsheng Ding
HKUST, Hong Kong, CHINA
Secure Electronic Transactions
• An application-layer security mechanism, consisting of a set of protocols.
• Protects credit card transactions on the Internet.
• Companies involved:
  – MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
• Not a payment system.
• It has a complex specification:
  – described in 3 books, with 971 pages
C. Ding -- COMP685C-- L25 2
SET Services
• Provides a secure communication channel in a transaction.
• Provides trust by the use of X.509v3 digital certificates.
• Ensures privacy and data integrity.
SET Overview
• Key features of SET:
  – Confidentiality of information
  – Integrity of data
  – Cardholder account authentication
  – Merchant authentication
SET Participants
• Cardholder, Merchant
• Issuer: cardholder's bank
• Acquirer: merchant's bank
• Payment Gateway: operated by the acquirer for payment processing.
• Certificate Authority (CA): a trusted authority that issues X.509v3 public-key certificates for cardholders, merchants, and payment gateways.
SET Participants [Figure: diagram of the SET participants; not reproduced]
Steps for transactions
• Customer opens an account and receives a certificate from the CA
• Merchant has its own certificates
• Customer places an order
• Merchant is verified by customer
• Order and payment are sent
• Merchant requests payment authorization
• Merchant confirms order and provides goods or service
• Merchant requests payment
Dual Signature
• Purpose is to link two messages that are intended for two different recipients
• Merchant does not need to know customer's credit card number
• Bank does not need to know customer's order details
• But both items must be linked to resolve any disputes if required
Construction of Dual Signature
  PIMD = H(PI)
  OIMD = H(OI)
  POMD = H(PIMD || OIMD)
  Dual Signature = D_{K_d^(c)}(POMD)
PIMD = PI message digest
PI = Payment Information
OIMD = OI message digest
OI = Order Information
POMD = Payment order message digest
H = Hash function (SHA-1)
D = Decryption (i.e. RSA signing: applying the private key to the digest)
K_d^(c) = Customer's private signature key
|| = Concatenation
Phase 1 (diagram, reconstructed as a message list)
  1.1 Customer -> Merchant: initial request (ID, nonce)
  1.2 Merchant -> Customer: initial response (with merchant certificate)
  1.3 Customer verifies merchant
  1.4 Customer -> Merchant: order & payment information
  1.5 Merchant verifies customer
Initial Request and Response
• Initial Request:
  – The brand (kind, grade) of the credit card the customer is using.
  – An ID assigned to this request/response pair for identifying this pair.
  – A nonce used to ensure timeliness.
• Initial Response:
  – A signed response: the nonce from the customer, another nonce for the customer to return in the next message, and a transaction ID.
  – Merchant's signature certificate.
  – Payment gateway's key exchange certificate.
Customer Verifies Merchant
• The customer then uses the merchant's public signature key to verify the signature of the merchant.
Remark: The detailed verification depends on the underlying (signing, verification) algorithms.
Purchase request
Request message:
• Passed on by merchant to payment gateway:
  – E_{Ks}(PI || Dual Signature || OIMD)
  – Digital envelope: E_{K_e^(b)}(Ks)
• Received by merchant:
  – OI || PIMD || Dual Signature
• Cardholder certificate
Ks = temporary symmetric key
K_e^(b) = bank's public key-exchange key
E = Encryption (RSA for asymmetric; DES for symmetric)
Payment / Order Related Information
• Payment-related:
  – The PI: payment information
  – The dual signature
  – The OIMD (OI message digest)
  – The digital envelope (it contains the secret key)
• Order-related:
  – The OI
  – The dual signature
  – The PIMD (PI message digest)
Verification of Purchase Request and Customer by Merchant: Pictorial
Request message: the PI block and digital envelope are passed on by the merchant to the payment gateway; the merchant keeps OI, PIMD, the dual signature and the cardholder certificate.
Merchant's check:
  – Computes OIMD = H(OI), then POMD' = H(PIMD || OIMD)
  – Applies E_{K_e^(c)} to the dual signature to recover POMD
  – Compares POMD' with the recovered POMD
E = Encryption (RSA)
K_e^(c) = Customer's public key
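The dual-signature construction (Construction of Dual Signature slide) and the merchant's and bank's verification of it, worked through as an added example that is not part of the original lecture. It uses SHA-1 as the slides do, and a toy textbook-RSA key built from two Mersenne primes for the customer's signature key; the key size, the unpadded and truncated signature, the payment and order strings, and all function names are constructed for this example and are not secure (real SET used 1024-bit RSA with PKCS#1 padding).

```python
import hashlib

# Toy textbook-RSA key for the customer's signature key K_d^(c).
# CONSTRUCTED for this example, NOT secure: p = 2^61-1 and q = 2^89-1 are
# Mersenne primes, giving a ~150-bit modulus; SET used 1024-bit RSA.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                                  # public exponent, K_e^(c)
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, K_d^(c)


def H(data: bytes) -> bytes:
    """H in the slides: SHA-1 (deprecated today; kept to match the deck)."""
    return hashlib.sha1(data).digest()


def _as_int(digest: bytes) -> int:
    # The toy modulus is smaller than a 160-bit SHA-1 digest, so only the
    # first 16 bytes (128 bits) are signed.  A real implementation signs the
    # whole digest inside PKCS#1 padding; this truncation is example-only.
    return int.from_bytes(digest[:16], "big")


def sign(digest: bytes, d: int = D) -> int:
    """'D' in the slides: apply the private key (RSA decryption) to the digest."""
    return pow(_as_int(digest), d, N)


def verify(digest: bytes, sig: int, e: int = E) -> bool:
    """'E' with the customer's public key recovers POMD; compare with our own."""
    return pow(sig, e, N) == _as_int(digest)


def dual_signature(pi: bytes, oi: bytes):
    """Customer side: DS = D_Kd(c)[ H( H(PI) || H(OI) ) ].
    Returns (DS, PIMD, OIMD); the merchant gets OI + PIMD + DS,
    the bank gets PI + OIMD + DS (inside the digital envelope)."""
    pimd = H(pi)
    oimd = H(oi)
    pomd = H(pimd + oimd)          # '||' is concatenation
    return sign(pomd), pimd, oimd


def merchant_verifies(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and PIMD but never PI: recompute OIMD = H(OI),
    POMD' = H(PIMD || OIMD) and check it against the signed POMD."""
    return verify(H(pimd + H(oi)), ds)


def bank_verifies(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank (via the gateway) holds PI and OIMD but never OI: the mirror check."""
    return verify(H(H(pi) + oimd), ds)


# Constructed sample messages; the card number is a well-known test number.
PI = b"pan=4111111111111111;exp=12/27;amount=49.90;txid=T-1001"
OI = b"items=3 x widget;ship=HK;amount=49.90;txid=T-1001"


def demo():
    ds, pimd, oimd = dual_signature(PI, OI)
    merchant_ok = merchant_verifies(OI, pimd, ds)
    bank_ok = bank_verifies(PI, oimd, ds)
    # A merchant who edits the order after the fact breaks the link.
    tampered_oi = OI.replace(b"3 x widget", b"30 x widget")
    tampered = merchant_verifies(tampered_oi, pimd, ds)
    # The bank cannot pair this PI with a different order's digest either.
    swapped = bank_verifies(PI, H(b"items=1 x gadget;txid=T-1002"), ds)
    return merchant_ok, bank_ok, tampered, swapped


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

Each side verifies with only the digest of the half it must not see, which is the whole point of the slide: neither party learns the other half, yet both are bound to one signed POMD that settles a later dispute.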
Phase 2: Authorization Request
Authorization Request: Merchant ==> Payment Gateway
• Payment-related:
  – The PI: payment information
  – The dual signature
  – The OIMD (OI message digest)
  – The digital envelope
  – Cardholder's certificate
• Authorization-related:
  – An authorization block: the transaction ID, signed with the merchant's private key and encrypted with a session key generated by the merchant.
  – A digital envelope: the session key encrypted with the gateway's public key.
The follow-up by the Gateway
• Verifies all certificates.
• Decrypts the digital envelope of the authorization block to obtain the session key, and then decrypts the authorization block.
• Verifies the merchant's signature on the authorization block.
• Decrypts the digital envelope of the payment block to obtain the symmetric key, and then decrypts the payment block.
• Verifies that the transaction ID received from the merchant matches that in the PI received (indirectly) from the customer.
Phase 3: The payment gateway requests and receives an authorization from the issuer
Phase 4: Authorization Response
Authorization Response
• Authorization-related information:
  – Authorization block, signed with the gateway's private key and encrypted with a session key generated by the gateway.
  – An envelope: the session key encrypted with the merchant's public key.
• Capture token information:
  – This information will be used to effect payment later.
  – It has the same form as the authorization-related information above.
• Certificate: the gateway's signature key certificate.
Phases 5 and 6
• Phase 5: Merchant delivers goods after getting the authorization response from the payment gateway.
• Phase 6: Payment capture
  – Involves all parties.
  – Details omitted.
Security
• SET has been developed to make trading via the Internet secure.
• It ensures:
  – That both parties are "genuine".
  – That the customer is protected against misuse of payment cards.
  – That alterations cannot be made to orders without being discovered.
  – That orders can only be read by the customer and the company concerned.
  – That payment information can only be read by the acquirer and the customer.
References
• W. Stallings, Cryptography and Network Security, 3/e. Pearson, 2003.
• S. Macgregor, Web Security & Commerce. Cambridge, MA: O'Reilly and Associates, 1997.
• G. Drew, Using SET for Secure Electronic Commerce. Upper Saddle River, NJ: Prentice Hall, 1999.