Transcript
Submitted to:- Presented By :-Ms.Nidhi Mangal Sahil Sudera
Computer Science
8th SEM.
07ESGCS046
Organization of Presentation 1.1. IntroductionIntroduction2.2. Credit Cards on the InternetCredit Cards on the Internet3.3. Credit Card ProtocolsCredit Card Protocols4.4. SET Business RequirementsSET Business Requirements5.5. Parties in SETParties in SET6.6. SET TransactionsSET Transactions7.7. Symmetric key encryption systemSymmetric key encryption system8.8. Public key encryption systemPublic key encryption system9.9. Message DigestMessage Digest10.10. Digital SignatureDigital Signature11.11. Digital EnvelopeDigital Envelope12.12. Digital CertificateDigital Certificate13.13. Dual SignaturesDual Signatures14.14. SET Supported TransactionsSET Supported Transactions15.15. Card Holder RegistrationCard Holder Registration16.16. Merchant RegistrationMerchant Registration17.17. Purchase RequestPurchase Request18.18. Payment AuthorizationPayment Authorization19.19. SYSTEM CONFIGURATIONSYSTEM CONFIGURATION20.20. Database OrganizationDatabase Organization21.21. Important Source FilesImportant Source Files22.22. ConclusionConclusion23.23. ReferencesReferences
Introduction
• An application-layer security mechanism, consisting of a set of protocols.
• Protect credit card transaction on the Internet.• Companies involved:– MasterCard, Visa, IBM,
Microsoft, Netscape, RSA, Terisa and Verisign• Not a payment system.• It has a complex specification.
Credit Cards on the Internet
• Problem: communicate credit card and purchasing data securely to gain consumer trust– Authentication of buyer and merchant– Confidential transmissions
• Systems vary by– type of public-key encryption– type of symmetric encryption– message digest algorithm– number of parties having private keys– number of parties having certificates
Credit Card Protocols• SSL 1 or 2 parties have private keys• TLS (Transport Layer Security)
– IETF version of SSL
• i KP (IBM)• SEPP (Secure Encryption Payment Protocol)
– MasterCard, IBM, Netscape• STT (Secure Transaction Technology)
– VISA, Microsoft
• SET (Secure Electronic Transactions)– MasterCard, VISA all parties have certificates
OBSOLETE
…but in e-transactions, it is important to Know if you are dealing with a dog.
Identification is the Challenge
SET Business Requirements
• Provide confidentiality of payment and ordering information.
• Ensure the integrity of all transmitted data.• Provide authentication that a cardholder is
a legitimate user of a credit card account• Provide authentication that a merchant
can accept credit card transactions through its relationship with a financial institution
SET Business Requirements (cont’d)
• Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction
• Create a protocol that neither depends on transport security mechanisms nor prevents their use
• Facilitate and encourage interoperability among software and network providers
Secure Electronic Transaction
• Confidentiality: all messages encrypted
• Trust: all parties must have digital certificates
• Privacy: information made available only when and where necessary
Components to build Trust
Data Confidentiality Encryption
Who am I dealing with? Authentication
Message integrity Message Digest
Non-repudiation Digital Signature
Access Control Certificate Attributes
Parties in SET
SET Transactions
Symmetric key encryption system
Same key is used to both encrypt and decrypt data
Examples of encryption systems: DES, 3DES, AES
Public key encryption system
Each user has 2 keys: what one key encrypts,only the other key in the pair can decrypt.Public key can be sent in the open.Private key is never transmitted or shared.Eg. RSA (Rivest, Shamir, and Adleman )
Recipient’s Public Key Recipient’s Private Key
Message Digest
• Used to determine if document has changed• Usually 128-bit or 160-bit “digests”• Infeasible to produce a document matching a digest• A one bit change in the document affects about half the bits in the digest•Eg. SHA-1 (160-bit digest), Secure Hash Algorithm
Hash Algorithm
DigestPlaintext
Digital Signature
Digital Signature
Signer’s Private Key
EncryptedDigestHash
Algorithm
Digest SignedDocument
Verifying the Digital Signature
Hash Algorithm
Digest
Digest??
Signer’sPublic Key
Integrity: One bit change in the content changes the digest
Digital Envelope
Combines the high speed of DES (symmetric encryption) and the key management convenience of RSA (public key encryption)
“DigitalEnvelope”
One timeencryption Key
Recipient’sPublic Key
Digital Certificate• A digital certificate or Digital ID is a computer-based
record that attests to the binding of a public key to an identified subscriber.
• Certificate issued by Certification Authority (CA).
• Certified digital signature attests to message content and to the identity of the signer.
• Combined with a digital time stamp, messages can be proved to have been sent at certain time.
Digital Certificate
X.509 Certificate Version 3
Version
This identifies which version of the X.509 standard applies to this certificate.
Serial Number
The entity that created the certificate is responsible for assigning it a serial number to distinguish it from other certificates it issues.
Signature Algorithm Identifier This identifies the algorithm used by the CA to sign the
certificate.
Issuer Name The X.500 name of the entity that signed the certificate. This is
normally a CA. Validity Period
Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time.
Subject Name The name of the entity whose public key the certificate identifies.
Subject Public Key Information This is the public key of the entity being named, together with an
algorithm identifier which specifies which public key crypto system this key belongs to and any associated key parameters.
X.509 Certificate Version 3
X.509 Certificate Version 3
X.509 Certificate Version 3
Dual Signatures
• Links two messages securely but allows only one party to read each. Used in SET.
MESSAGE 1
DIGEST 1
NEW DIGEST
HASH 1 & 2WITH SHA
MESSAGE 2
DIGEST 2
CONCATENATE DIGESTSTOGETHER
HASH WITH SHA TOCREATE NEW DIGEST
DUAL SIGNATURE
PRIVATE KEYENCRYPT NEW DIGESTWITH SIGNER’S PRIVATE KEY
SET Transactions
SET Supported Transactions
card holder registration merchant registration purchase request payment authorization payment capture
certificate query
purchase inquiry
purchase notification
sale transaction
authorization reversal
capture reversal
credit reversal
Card Holder Registration
Card Holder Registration
Card Holder Registration
Card Holder Registration
Cardholder Initiates Registration
Card Holder Registration
CA Sends Response
Card Holder Registration
Cardholder Requests Registration Form
Card Holder RegistrationCA Sends Registration Form
Card Holder RegistrationCardholder Requests Certificate
Card Holder RegistrationCA Sends Certificate
1.
2.
Card Holder RegistrationCardholder Receives Certificate
SET Supported Transactions
card holder registration merchant registration purchase request payment authorization payment capture
certificate query
purchase inquiry
purchase notification
sale transaction
authorization reversal
capture reversal
credit reversal
Merchant Registration
SET Supported Transactions
card holder registration merchant registration purchase request payment authorization payment capture
certificate query
purchase inquiry
purchase notification
sale transaction
authorization reversal
capture reversal
credit reversal
Purchase Request
Purchase RequestCustomer Browses for Products
Purchase RequestSelect the Card for Payment
Purchase Request
Purchase RequestCardholder Initiates Request
Purchase RequestMerchant Sends Response
Purchase Request
The Cardholder Sends Request
Purchase Request
Cardholder Sends Purchase Request
Purchase Request
Merchant Processes Purchase Request Message
Purchase RequestMerchant Sends Purchase Response
SET Supported Transactions
card holder registration merchant registration purchase request payment authorization payment capture
certificate query
purchase inquiry
purchase notification
sale transaction
authorization reversal
capture reversal
credit reversal
Payment Authorization
Payment Authorization Process
SYSTEM CONFIGURATION
Hardware requirements•Any 32-bit processor•Memory of minimum 128 MB RAM•Sufficient Hard Disk Free space•Mouse preferred for ease of useSoftware requirements•Development tool: Java 1.3 or above, Bouncy Castle Provider•Operating system: Compatible to all OS•Back end: Microsoft SQL Server / Microsoft Access•Any Web Browser
Database Organization
A database is used at the Cardholder Machine to store his Card Details
Important Source Files
Source File Important Classes Description
ConnectionManager.java ConnectionManager Manages Database Connection
DigitalSignature.java DigitalSignature Create and Verify Digital Signatures.
DualSignClass.java DualSignature Create and Verify Dual Signatures.
NETClient.java Packet, NETClient Prepare messages to send and manage message reception from server.
RSAClass.java RSACipher Performs RSA Encryption and Decryption on blocks of plaintext.
SymmetricCipher.java SymmetricCipher, SymmetricKey
Performs 3DES Encryption and Manage Symmetric Keys
Important Source FilesSource File Important Classes Description
FileSystemManager.java RSAKeyFile, X509v3File
Manages Storage of RSA Keys and X509 v3 Certificates
X509Generator.java X509Generator Create X509 v3 Digital Certificate
DualSignClass.java DualSignature Create and Verify Dual Signatures.
X509Verifier.java X509Verifier Verify the validity of X509v3 Certificates.
CardHolderReg.java CardHolderReg Manage Cardholder Registration request and responses.
PurchRequest.java PurchaseRequest Manage Purchase Request
ReqCert.java ReqCert Manage Certificate Request.
SetApplication.java SetApplication Main Class that outlines other functions.
Conclusion
With the help of the above discussions, the SET protocol appears to be complete, sound, robust and reasonably secure for the purpose of credit-card transactions. However, it is important that the encryption algorithms and key-sizes used, will be robust enough to prevent observation by hostile entities. The secure electronic transactions protocol (SET) is important for the success of electronic commerce. Secure electronic transactions will be an important part of electronic commerce in the future. Without such security, the interests of the merchant, the consumer, and the credit or economic institution cannotbe served.
References
• William Stallings, Cryptography and Network Security 3/e, Pearson, 2003• http://www.setco.org/download/set_bk2.pdf•http://www.cl.cam.ac.uk/Research/Security/resources/SET/intro.html
• Jonathan B. Knudsen, Java Cryptography, First Edition May 1998• Herb Schildt, Java 2 Complete Reference 4/e, Osborne,1999
Thank you
top related