
Project security

Dec 22, 2014


Security course project - Maryam Sadat Haj Akbari
Transcript
Page 1: Project security

04/10/2023 1

Security in e-Business

Instructor: Dr. Sekhavati

Maryam Sadat Haj Akbari

8861022

Page 2: Project security


Electronic commerce

Type of electronic commerce

- Business to business -> such as EDI
- Customer to business -> such as online stores
- Customer to customer -> such as eBay
- Customer/business to public administrator -> such as filing electronic tax

Page 3: Project security


A typical electronic payment system

Figure (reconstructed from the slide diagram): the customer and the payment gateway, connected through the interbank (clearing) network. Steps:

1. Payment info
2. Check account
3. Registration
4. Withdrawal
5. Deposit
6. Interbank (clearing) network
7. OK
8. Registration / authorization transaction
9. Delivery + confirmation

Page 4: Project security


E-payment systems

- Offline vs. online
- Debit vs. credit
- Macro vs. micro

Page 5: Project security


Offline vs. Online

Offline payment system: the customer and the seller are online, but their banking information is offline.

Used in airlines. Payment mechanism: the crew prints the payment information and the customer's credit card onto paper with a mechanical device and then enters it into the online system.

Page 6: Project security


Offline vs. Online

Online payment system

Page 7: Project security


Debit vs. credit

Debit card: such as the Iranian banking system -> checks

Credit card: entities involved in a credit system:

o Card holder
o Card-issuing bank -> Visa or MasterCard or AMEX ...
o Merchant
o Name on credit card -> Visa or MasterCard
o Association

Page 8: Project security


How does a credit card work?

Page 9: Project security


Macro vs. Micro

Macro system: paid more than $5 to $10.

Micro payment: paid less than $5 to $1.
o Example: public transportation systems, restaurants, online advertising ...
Difference:
o For any transaction there is a fee of about 20 to 30 cents for the payer and the payee.

Page 10: Project security


Payment instruments

- Cash-like
- Check-like
- Credit card
- Electronic money
- Electronic check

Page 11: Project security


Mechanism of payment by credit card


Page 12: Project security


Credit card security

Two sources of illegal use of credit cards:
- Eavesdroppers
- Dishonest participants

The solution: encryption and coding such as SSL (to be covered in the next chapter).

Page 13: Project security


Electronic money

Definition: scrip money, or money exchanged only in electronic form.

Also called: e-cash, digital cash, digital/electronic currency.

Mainly used in: micro payment systems.

Electronic currencies: digital or electronic coins.

Page 14: Project security


Digital money

Such as the Octopus system in Hong Kong, which is used in the transportation system.

The best example is PayPal: the user holds an amount of credits in their account, and can transfer from their account to other account holders to give or receive money.

Page 15: Project security


Electronic check

Difference from cash-like: in a cash-like electronic payment system, the customer's account is checked first and then the product or service is delivered.

Figure (reconstructed from the slide diagram):

1. Payment info
2. Invoice
3. Signed check
4. (label not legible on the slide)
5. Endorsed check
6. Interbank (clearing) network: settlement

Page 16: Project security


Electronic wallet

Definition: it is an interface for saving any financial information.

Usage: completing electronic forms without re-entering the transaction data when the transaction

The best example is PayPal.

Such as digital money and credit cards.

Google Checkout

Page 17: Project security


Electronic payment security

Designing security services:

- Risk analysis: identify risks, threats and vulnerabilities; identify the related priorities.

Notice: every payment system has its own needs and special features.

Page 18: Project security


Electronic payment security problems

Traditional payment systems:
- Money can be counterfeited
- Signatures can be forged
- Checks can bounce

Electronic payment systems:
- Digital documents can be copied perfectly and arbitrarily.
- A payer's identity can be associated with every payment transaction.
- Digital signatures can be produced by anyone who knows the private key.

Notice: electronic commerce needs more attention.

Page 19: Project security


Three types of adversaries!

- Outsiders: eavesdropping; misusing the collected data (e.g. credit card numbers)
- Active attackers: sending forged messages to authorized
- Dishonest payment system participants: trying to obtain and misuse payment transaction data that they are not authorized to see or use

Page 20: Project security


The basic security requirements

Payment authentication

Payment integrity

Payment authorization

Payment confidentiality

Page 21: Project security


Payment authentication

No anonymity -> mechanisms such as MAC, SHA, MD5

With anonymity -> it needs more security

Page 22: Project security


Payment integrity

Payment integrity requires that payment transaction data cannot be modified by unauthorized principals.

Payment transaction data: the payer's identity, the payee's identity, the content of the purchase, the amount.

Page 23: Project security


Payment authorization

• Payment authorization ensures that no money can be taken from a customer’s account or smart card without his explicit permission

Page 24: Project security


Payment confidentiality

Payment confidentiality covers one or more pieces of payment transaction data.

Page 25: Project security


Payment security services

Payment transaction security services

Digital money security

Electronic checks security

Page 26: Project security


Payment transaction security services

- User anonymity
- Location untraceability
- Payer anonymity
- Payment transaction untraceability
- Confidentiality of payment
- Non-repudiation
- Freshness

Page 27: Project security


User anonymity

User anonymity protects against disclosure of a user’s identity in a network transaction.

Mechanism: Chain of mixes

Page 28: Project security


Location untraceability

Location untraceability protects against disclosure of where a payment transaction originated.

Mechanism: Chain of mixes

Page 29: Project security


Payer anonymity

Payer anonymity protects against disclosure of a payer’s identity in a payment transaction.

Mechanism: pseudonyms

Page 30: Project security


Payment transaction untraceability

Payment transaction untraceability protects against linking of two different payment transactions involving the same customer.

Mechanism: Hash function

Page 31: Project security


Confidentiality of payment

Confidentiality of payment transaction data selectively protects against disclosure of specific parts of the payment transaction data to selected principals from the group of authorized principals.

Mechanism: Hash function

Page 32: Project security


Non-repudiation

Non-repudiation of payment messages protects against denial of the origin of protocol messages exchanged in a payment transaction.

Mechanism: Digital signature

Page 33: Project security


Freshness

Freshness of payment transaction messages protects against replaying of payment transaction messages.

Mechanism: Nonces and Time Stamps

Page 34: Project security


Payment transaction security

An electronic payment transaction is an execution of a protocol by which an amount of money is taken from a payer and given to a payee.

Page 35: Project security


User anonymity and location untraceability

User anonymity and location untraceability can be provided separately.

A pure user anonymity security service would protect against disclosure of a user's identity.

For example, a user employing pseudonyms instead of his or her real name.

Problem: if a network transaction can be traced back to the originating host, and if the host is used by a known network user only, this anonymity is obviously not sufficient.

Page 36: Project security


Location untraceability

A pure location untraceability security service would protect against disclosure of where a message originates.

One possible solution is to route the network traffic through a set of anonymizing hosts.

This requires that at least one of the hosts on the network path be honest.

Page 37: Project security


Chain of mixes

A user anonymity and location untraceability mechanism based on a series of anonymizing hosts, or mixes, has been proposed by D. Chaum.

Figure (from the slide): a single Mix between A, B, C on one side and X, Y, Z on the other.

Page 38: Project security


Chain of mixes

The problem of having a mix trusted by all participants can be solved by using a matrix (or network) of mixes instead of just one.

Page 39: Project security


Chain of mixes

If A wants to send an anonymous and untraceable message to Y, as in the example with one mix, the protocol goes as follows:
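As an added example, not from the slides, a toy Chaum-style chain of mixes in Python: the sender wraps the message in one layer per mix, and each mix peels only its own layer and learns only the next hop. A keyed SHA-256 keystream stands in for each mix's public-key encryption (an assumption that keeps the demo offline); the function names are also assumptions.

```python
# Added example (not from the slides): layered wrapping and peeling through a
# chain of mixes. The XOR keystream is a stand-in for public-key encryption.
import hashlib, hmac, json

def _layer(key: bytes, data: bytes) -> bytes:
    """Toy symmetric layer: XOR with an HMAC-SHA256 counter keystream.
    The same call encrypts and decrypts; a real mix uses public-key encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path: list, keys: dict, dest: str, payload: bytes) -> bytes:
    """Sender builds the onion from the inside out: the innermost layer (for the
    last mix) names the final recipient; each outer layer names the next mix."""
    next_hop, blob = dest, payload
    for mix in reversed(path):
        plain = json.dumps({"next": next_hop, "body": blob.hex()}).encode()
        blob, next_hop = _layer(keys[mix], plain), mix
    return blob  # hand this to path[0]

def peel(mix: str, keys: dict, blob: bytes):
    """One mix removes its own layer and learns only where to forward the rest."""
    layer = json.loads(_layer(keys[mix], blob))
    return layer["next"], bytes.fromhex(layer["body"])

def route(path: list, keys: dict, dest: str, payload: bytes):
    """Run the message through every mix; returns (recipient, message, per-mix view)."""
    views, hop, blob = [], path[0], wrap(path, keys, dest, payload)
    while hop in path:
        nxt, inner = peel(hop, keys, blob)
        # a mix sees the bytes it received and the next hop, nothing beyond that
        views.append({"mix": hop, "saw": blob.hex()[:16], "forwarded_to": nxt})
        hop, blob = nxt, inner
    return hop, blob, views
```

Because no single mix sees both the sender and the final recipient, one honest mix on the path is enough to break the link, which is the property the slides state.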

Page 40: Project security


Payer Anonymity

The simplest way to ensure payer anonymity with respect to the payee is for the payer to use pseudonyms instead of his or her real identity.

If one wants to be sure that two different payment transactions by the same payer cannot be linked, then payment transaction untraceability must also be provided.

Page 41: Project security


Pseudonyms

Example: sending e-mail.

First Virtual Holdings, Inc. started to operate the first Internet payment system that was based on the existing Internet infrastructure, that is, e-mail and telnet.

Page 42: Project security


Pseudorandom Function

Payment transaction untraceability: ID_C = h_k(R_C, BAN)

Payment transaction data confidentiality: ID_C = h_k(R_C, BAN); ID_C = h_k(SALT_C, DESC)

Payment instruction: credit card info, account number, ... It should be kept secret from the merchant.

Order information: what is bought, where it is bought, how it is delivered, ... It should be kept secret from the acquirer bank, the issuer bank, ...

Page 43: Project security


Secure Electronic Transaction (SET)

SET is an open encryption and security specification designed to protect credit card transactions on the Internet.

Important feature of SET: it prevents the merchant from learning the card holder’s credit card number.

Page 44: Project security


Dual Signature

The purpose of the dual signature is to link two messages that are intended for two different recipients.
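Added example, not from the slides, serving both the pseudorandom-function page (ID_C = h_k(R_C, BAN)) and the dual signature above: the pseudonym is a keyed hash, and the dual signature signs H(H(PI) || H(OI)) so the merchant can check the link with only H(PI) and the bank with only H(OI). Textbook RSA without padding, with toy keys generated in the block, stands in for the cardholder's certificate key; the names h, pseudonym, pimd and oimd are assumptions for the demo.

```python
# Added example (not from the slides): salted pseudonym plus SET dual signature.
# Toy textbook RSA (no padding) stands in for the cardholder's real certificate key.
import hashlib, hmac, random

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so parts cannot be re-split."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def pseudonym(k: bytes, r_c: bytes, ban: bytes) -> bytes:
    """ID_C = h_k(R_C, BAN): keyed hash of a random R_C and the bank account number."""
    return hmac.new(k, r_c + ban, hashlib.sha256).digest()

def _probable_prime(bits: int) -> int:
    """Fermat test with fixed bases: fine for a toy key, not for production."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13)):
            return n

def keygen(bits: int = 512):
    """Toy RSA key pair: returns (public (e, n), private (d, n))."""
    e = 65537
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def dual_signature(priv, pi: bytes, oi: bytes) -> bytes:
    """DS = Sign(H(H(PI) || H(OI))): one signature binds the payment instruction to the order."""
    d, n = priv
    digest = h(h(pi), h(oi))
    return pow(int.from_bytes(digest, "big"), d, n).to_bytes(64, "big")

def _verify(pub, digest: bytes, ds: bytes) -> bool:
    e, n = pub
    return pow(int.from_bytes(ds, "big"), e, n) == int.from_bytes(digest, "big")

def merchant_verify(pub, oi: bytes, pimd: bytes, ds: bytes) -> bool:
    """Merchant has OI and only H(PI): it checks the link without seeing card data."""
    return _verify(pub, h(pimd, h(oi)), ds)

def bank_verify(pub, pi: bytes, oimd: bytes, ds: bytes) -> bool:
    """Bank has PI and only H(OI): it checks the link without seeing the purchase."""
    return _verify(pub, h(h(pi), oimd), ds)
```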

Page 45: Project security


Nonrepudiation of Payment Transaction Messages

Digital signature: to explain the nonrepudiation issues in a payment transaction protocol, we will use a simplified model based on the 3KP payment protocol.

Nonrepudiation messages.

Page 46: Project security


Freshness of Payment Transaction Messages

This service protects against replay attacks. In other words, it prevents eavesdroppers or dishonest participants from reusing the messages exchanged during a payment transaction.

Nonces and Time Stamps
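Added example, not from the slides: a receiver-side check in Python that combines the payment-integrity requirement from page 22 (a MAC over payer, payee, content and amount) with the freshness service above (a nonce plus a time stamp). The message layout, the field names and the 120-second window are assumptions for the demo.

```python
# Added example (not from the slides): a receiver checks a payment message for
# integrity (MAC over the transaction data) and freshness (nonce + time stamp).
import hashlib, hmac, time

WINDOW = 120  # assumed tolerance for clock skew plus delivery delay, in seconds
FIELDS = ("payer", "payee", "content", "amount", "nonce", "ts")  # assumed layout

def mac(key: bytes, msg: dict) -> str:
    """MAC over every field in a fixed order, so no field can be altered or reordered."""
    data = "|".join(f"{f}={msg[f]}" for f in FIELDS).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build(key: bytes, **fields) -> dict:
    """Sender side: attach the MAC to a message built from constructed sample fields."""
    msg = dict(fields)
    msg["mac"] = mac(key, msg)
    return msg

class PaymentReceiver:
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key, self.window = key, window
        self.seen = {}  # nonce -> time stamp of the message it arrived with

    def accept(self, msg: dict, now=None) -> str:
        """Return 'ok' or the reason the message was rejected."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(mac(self.key, msg), msg.get("mac", "")):
            return "bad-mac"   # transaction data modified or forged
        if abs(now - msg["ts"]) > self.window:
            return "stale"     # too old (or too far in the future) to be fresh
        # forget nonces older than the window: the time stamp check already
        # rejects such messages, so the cache stays bounded
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "replay"    # same nonce seen again inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"
```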

Page 47: Project security


IOTP

The Internet Open Trading Protocol (IOTP) is an electronic payment framework for Internet commerce whose purpose is to ensure interoperability among different payment systems.

IOTP is payment system-independent. That means that any electronic payment system (e.g., SET, DigiCash) can be used within the framework.

IOTP messages are well-formed XML (Extensible Markup Language) documents.

Page 48: Project security


IOTP

Format for electronic payment

It is for any transaction.

It can be modified for any message.

Data integrity + nonrepudiation -> digital certificate + digital signature

Confidentiality -> SSL/TLS

Page 49: Project security


Fine