EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (1) Paul Killoran EUROCON 2005 EUROCON 2005 Paul Killoran, Fearghal Morgan & Michael Schukat National University of Ireland, Galway [email protected]SWiFT SWiFT :: A New Secure Wireless Financial :: A New Secure Wireless Financial Transaction :: Transaction :: :: Architecture :: :: Architecture ::
EUROCON 2005. SWiFT :: A New Secure Wireless Financial Transaction :: :: Architecture ::. Paul Killoran, Fearghal Morgan & Michael Schukat National University of Ireland, Galway [email protected]. Introduction. Aim: to develop a more secure alternative to the credit card - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (1) Paul Killoran
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (5) Paul Killoran
SecuritySecurity
E-Card – Merchant communication– Never occurs– Eliminates need for a third secure channel.
Customer authorises bank directly– Must only trust their bank
Centralised control of security (Bank)– All parties communicate through the bank– Bank controls security in the network by supporting
requests of authorised nodes only
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (6) Paul Killoran
ProtocolProtocol
Transaction server established with many retailer nodes connected
E-Card logs onto the network
3 handshaked challenges
Use geographic information to inform bank of its location
E-Card receives list of local retailers
Bank
Retailer
Bank
Retailer Customer
Request Connection
Bank
Retailer Customer
3 Handshake ChallengesMD5, RSA, PIN, Secret Known Values
Bank
Retailer Customer
Current Location
Bank
Retailer Customer
Local Retailers
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (7) Paul Killoran
ProtocolProtocol
Customer approaches a retailer pay point with goods and produces their mobile phone (E-Card)
Customer uses their E-Card to request the Transaction Server to initiate a payment to the retailer
Cashier is informed of this request on their merchant terminal
Bank
Retailer Customer
Bank
Retailer Customer
Initiate TransactionTo Retailer Bob
Bank
Retailer
Inform Bob Of Transaction From Alice
Customer
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (8) Paul Killoran
ProtocolProtocol
Cashier requests payment using the Merchant Terminal
Customer is asked to confirm payment of this amount on their E-Card by entering their PIN
The PIN number is first padded, then hashed using MD5 and finally encrypted using RSA. The result is send to the Transaction Server for authorisation
Bank
Retailer
Request SaleAmount From Alice
Customer
Bank
Retailer Customer
Confirm Sale Amount To Pay To Bob
Bank
Retailer Customer
Verify & Authorise
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (9) Paul Killoran
ProtocolProtocol
If the PIN authorisation is successful, a confirmation is then sent to the Merchant TerminalThe cashier confirms the sale and the agreed amount is transferred between accountsThe E-Card and Merchant Terminals receive a copy each of an e-receiptThe e-receipt is printed by the Merchant Terminal and issued to the customer
Bank
Retailer
Confirm Transaction
Customer
Bank
Retailer
Confirm Sale
Customer
Bank
Retailer
E-Receipt
Customer
E-Receipt
Bank
Retailer CustomerPrinted Reciept
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (10) Paul Killoran
Points to NotePoints to Note
Geographic location
Customer username
Customer initiated
Marketing opportunity
Card-present & card-not-present transactions support
Security– RSA, MD5 & PIN number
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (11) Paul Killoran
ImplementationImplementation
Transaction Server– HTTP requests & responses– Session tracking– Web user interface (account management)
E-Card Application– J2ME & Mobile Information Device Profile (MIDP)– HTTP over WAP– Downloaded MIDlet– Secret shared values
EUROCON 2005 - “Computer as a Tool”, Belgrade, 24 th November 2005 (12) Paul Killoran