SET

1
SET
Secure Electronic Transactions
2
What is SET?

• A technology not a product
• A flexibly defined protocol
• Ensures secure financial transactions
• Relies on cryptographic techniques

3
Motivation

• Growth of the internet and electronic commerce
• Insecurity of existing systems
• Need of a single widely accepted electronic
  transaction standard

4
Alternatives to SET

• SSL (Secure Sockets Layer)
• JEPI (Joint Electronic Payments Initiative)
• DIGICASH (Digital Cash)
• CYBERCASH

5
History of SET 1

• October 1995
• MasterCard, Netscape Corporation, IBM launched
  the
  Secure Electronic Payment Protocol (SEPP)
• VISA, Microsoft launched the
  Secure Transaction technology (STT)

6
History of SET 2

• January 1996
• Two groups joined efforts on
  Secure Electronic
  Transactions (SET)
• February 1996
• First written document were released
• MasterCard and other companies stated they would
  adopt SET

7
SET Business Plan 1

• Confidentiality of payment and merchandise
• Integrity of transmitted data
• Authentication of cardholder account
• Authentication of merchant

8
SET Business Plan 2

• Use of best security practices
• Allow transport security
• Encourage interoperability of networks

9
Participants of the Protocol 1

• Cardholder
• Owner of a valid credit card
• Merchant
• A business entity selling products or service

10
Participants of the Protocol 2

• Payment Gateway (Aquirer)
• Financial institution (e.g. bank) coordinating
  merchants transactions
• Card Issuer
• Company issuing the credit card to the
  cardholder (e.g. MasterCard, VISA)

11
Participants of the Protocol 3

• Certificate Authority (CA)
• An institution responsible of keeping
  certificate databases
• and handling registration requests (e.g. GTE,
  VeriSign)

12
Cryptographic Techniques 1

• Public Key Cryptography
• Two keys
• public key (used for encryption)
• private key (used for decryption)
• Examples RSA, ECC

13
Cryptographic Techniques 2

• Secret Key Cryptography
• Single Key (private)
• Used for encryption and decryption
• Examples DES, CDMF-DES, RC4

14
Cryptographic Techniques 3

• Signatures
• Digital analogue of hand signatures
• Examples DSA, El Gamal
• Hash Functions
• Mappes large amount of data to fixed length
  bit-string
• Examples SHA-1, MD4

15
SET Trust Model

• Each of the participants in a SET payment are
  required to authenticate themselves
• Each participant posseses a public-private key
  pair
• The keys are certified by a trusted third party

16
Functions of the CA

• Issue certificates
• Handle requests
• Receive
• Process
• Approve or reject

17
Structure of the CA

• Hiearchical tree of certificate authorities

Cardholder 1
CCA1
Root CA
Cardholder 2
CCA2
Cardholder 3
18
Phases of Credit Card Payment
Financial Network
Non-SET
Non-SET
Payment Gateway
Card Issuer
SET
Card Holder
Merchant
SET
19
Payment Processes and Transactions 1

• Cardholder Registration
• Cardholder information including identity,
  certificate and expiration date is added to
  cardholder and root databases
• Merchant Registration
• Merchant information including identity,
  certificate and expiration date is added to
  merchant and root databases

20
Payment Processes and Transactions 2

• Purchase Request
• Cardholder requests a purchase by sending
  ordering and payment information to merchant
  after mutual authentication has taken place
  between two parties

21
Payment Processes and Transactions 3

• Payment Authorization
• Merchant sends order and payment information to
  payment gateway which verifies the validity with
  the issuer and returns proper response (appove,
  disapprove or conditional approve) to merchant.
  The merchant takes action according to the
  response.

22
Payment Processes and Transactions 4

• Payment Capture
• This is an optional part which is executed by the
  request of the merchant. The payment gateway
  logges the transaction with the issuer and after
  signing it sends it to the merchant as an
  evidence of the transaction

23
Cardholder Registration 1
Cardholder
CCA
CardCInitReq
Send initiate request
initiate request
Generate and sign initiate response
Signed(CardCInitRes), Certificates
Send response and certificates
Verify signature and certificates with root CA
initiate response
Encrypted(RegFormReq)
Encrypt registration form request with random key
registration form request
24
Cardholder Registration 2
Cardholder
CCA
Encrypted(SecKey, PAN)
Encrypt random key and cardholders primary
account number with CCAs public key
Decrypt secret key and card account number
encrypted secret key and account number
Decrypt registration form request using secret
key
Signed(RegFormRes)
Prepare registration form response, sign and
send to cardholder
Verify signature with root CA, decrypt
signed registration form response
Verify Compare decrypted signature with hash of
registration form, if valid prepare
public-private key pair
25
Cardholder Registration 3
Cardholder
CCA
Fill out registration form and request
certificate Prepare message certificate request,
cardholders public key, a new secret key Sign
the hash of the message with cardholders private
key Encrypt message and signature with third new
secret key Encrypt secret key and account
information with CCAs public key
Encrypted(Message, Signature), Encrypted(Secret
Key, AccInfo)
certification request and account info
26
Cardholder Registration 4
Cardholder
CCA
Decrypt third secret key and primary account
number using CCAs private key
Decrypt certificate request, registration form,
signature using third secret key
Check validity of signature
Verify the information in registration request
If valid, generate certificate
Encrypted(CertRes)
Send certificate response encrypted with second
secret key
Verify certificate request with root CA
encrypted certificate response
27
Merchant Registration 1
Merchant
MCA
Me-AqCInitReq
Send initiation request
merchant initiation request
Choose appropriate form, sign and send to merchant
Signed(Me-AqCInitRes), certificates
Verify MCAs signature with root CA
merchant initiation response
Generate encryption and signature keys
Complete registration form, generate certificate
request containing cardholders public keys
28
Merchant Registration 2
MCA
Merchant
Sign certificate request, encrypt the signature
with new secret key
Create message using account data and secret
key Encrypt message using MCAs public key
Encrypted(CertReq, SecKey)
Decrypt envelope using MCAs public key Decrypt
registration request using secret key
merchant certification request
29
Merchant Registration 3
Merchant
MCA
Verify signature and check validity of form with
aquirer If successful create and sign
certificate Encrypt certificate with new secret
key Encrypt secret key with merchants public key
Decrypt secret key with merchants private
key, Decrypt certificate with secret
key Validate certificate with root CA Store
certificates
Encrypted(certificate), Encrypted(Key)
encrypted certificate and key
30
Purchase Request 1
Cardholder
Merchant
PInitReq
Send purchase initiation request
Assign unique transaction identifier to
message Create and sign purchase initiation
response Send merchant and payment gateway
certificates with response
purchase initiation request
Signed(PInitRes), certificates
Check validity of certificates with root
CA Strore certificates Verify merchants
signature by decrypting with merchants public key
and comparing with the hash of the purchase
initiation response
signed response and certificates
31
Purchase Request 2
Merchant
Cardholder
Create order information and payment
information Sign the mutual hash of order
information and payment information Encrypt
payment information with new secret key, then
encyrpt this and the symmetric key with payment
gateways public key
Signed(Hash(OI, PI))
signed hash of order and payment information
PIDualSigned
Check validity of signature, certificate and
order information
encrypted payment information, order information,
certificate
32
Purchase Request 3
Merchant
Cardholder
Process request (including payment
authorization) Create purchase
response including merchant signature
certificate If authorized complete order
form Sign and send purchase response
Signed(PRes)
Verify merchants signature and finalize
transaction
signed purchase response
33
Payment Authorization 1
Merchant
Payment Gateway
Create and sign authorization request using
payment information and certificates Encrypt
authorization request with a secret key Encrypt
secret key with payment gateways public key
Encrypted(AuthReq), Encrypted(SecKey), PIDualSigne
d
Decrypt secret key using payment gateways private
key
Encrypted authorization request and secret key
34
Payment Authorization 2
Payment Gateway
Merchant
Decrypt authorization request using secret
key Verify merchant signature Verify double
signature by computing the hash of order and
payment information and comparing it with the
decrypted double signature Compare the payment
information from the cardholder with the payment
information from the merchant
35
Payment Authorization 3
Payment Gateway
Merchant
If valid, format authorization request and check
validity with issuer Prepare authentication
response from issuers response and payment
gateways signature certificate Encrypt this with
new secret key K1 Encrypt K1 with merchants
public key
36
Payment Authorization 4
Merchant
Payment Gateway
If capture is required by the aquirer generate
new secret key K2 and encrypt K2 with merchants
public key and encrypt capture token with
K2 Send authentication response to merchant and
pass response information to merchant
Encrypted(AuthRes) Encyrpted(K1,
K2) Encrypted(CapTok)
Verify payment gateways certificates and decrypt
K1 and K2 if present with merchants private
key Decrypt capture token with K2 and store for
future use Complete by delivering goods
refferal information
37
Payment Capture 1
Merchant
Payment Gateway
Create capture request including final
transaction amount and order information. Sign
capture request and encrypt with new secret key
K3 Encrypt K3 with payment gateways public
key Send capture request, encrypted key and the
capture token encypted with the payment gateways
public key to payment gateway
Encrypted(CapReq), Encyrpted(K3),
Encrypted(CapTok)
Verify certificates and decrypt K3 then decrypt
capture request with K3 Decrypt capture token
with payment gateways public key
encrypted capture request, secret key and capture
token
38
Payment Capture 2
Merchant
Payment Gateway
Format clearing request including order
information, capture token and send to
issuer Create capture response including a
signed certificate of payment gateway Encrypt
capture response with new secret key K4 and
encrypt K4 with merchants public key Send
capture response and K4 to merchant
Encrypted(CapRes), Encyrpted(K4)
Verify certificate, decrypt K4, using K4 decrypt
capture response Store capture response
encrypted capture response and secret key
39
Shortcomings of SET

• Reluctance of consumers to shop on the internet
• Difficult and expensive to implement
• Hard to install and use for consumers
• Global compliance problems
• Interoperability problems

40
References
1 - Secure Electronic Transactions
Introduction and Technical Reference by Larry
Loeb 1998 Artech House Publishers 2 -
Electronic Payment Systems by Donal OMahony,
Michael Peirce and Hitesh Tewari 1997
Artech House Publishers
41
References (contd)
3 - Secure Electronic Transactions,
MasterCard, Oct. 1998 4 - Secure Electronic
Transactions (SET) Specification-Book 1
Business Description MasterCard and VISA
Corporation, June. 1996