Lesson 18 Electronic Payment Systems - PowerPoint PPT Presentation

1 / 47
About This Presentation
Title:

Lesson 18 Electronic Payment Systems

Description:

Secret key extraction makes counterfeit money indistinguishable for E-Cash ... DigiCash's e-cash: stored-value cryptographic coin system ... – PowerPoint PPT presentation

Number of Views:2195
Avg rating:3.0/5.0
Slides: 48
Provided by: Kauf
Category:

less

Transcript and Presenter's Notes

Title: Lesson 18 Electronic Payment Systems


1
Lesson 18Electronic Payment Systems
2
Overview
  • Data Transaction Systems
  • Securing the Transaction
  • Real World Examples

3
Data Transaction Systems
  • Stored Account Systems
  • Modeled after existing electronic payment systems
    such as credit/debit card transactions
  • New way of shifting funds electronically over the
    internet (Paving Cow Paths)
  • Stored Value Payment Systems
  • Use bearer certificates much like hard cash
  • Bearer certificates reside within PCs or smart
    cards

4
Stored Account Systems
  • Uses existing infrastructure for transactions
  • Actual monetary value never leaves bank
  • Accounting in the future through clearing houses
    and settlement systems
  • Hallmarks are
  • High accountability
  • Traceability

5
Stored Account Systems(2)
  • Payment systems have defined their own secure
    technologies
  • 1995 13 trillion, in 3 billion transactions by
    4 clearing houses
  • Fed Reserve Fedwire transfers 1 trillion/day
  • Fraud exists now but risk management models in
    place

6
Stored Account Systems(3)
  • Protocols for supporting credit card types of
    transactions have been defined and implemented
    for E-commerce
  • First Virtuals Internet Payment System
  • Cyber Cashs Secure Internet Payment System
  • Secure Electronic Transaction (SET)
  • Many new technologies emerge daily
  • Security and convenience will rule the market
    place--its a balancing act

7
Stored Value Payment Systems(SVPS)
  • Attempts to replace cash with electronic
    equivalent.E-Cash
  • No More Cow Paths
  • Instantaneous transfer of value, does not require
    bank approval
  • Security stakes are much higher than stored
    account systems
  • Attributes absence of control and auditing

8
SVPS(2)
  • Possible to counterfeit E-Cash
  • Typically used in small-value transaction
  • Small value transaction market 8 trillion
  • Lack of privacy bothers some
  • Finding new cow paths not easy

9
SVPS(3)
  • Author says most exciting, innovative, and risk
    forms of accepting payment
  • Replaces currency with digital equivalent
  • Value placed directly on hardware tokens such as
    PCs or Smart Cards
  • Goal have the advantages of hard currency
    systems over an electronic medium

10
Attributes of Hard Currency
  • ADVANTAGES
  • Not easily traceable
  • Instantaneous payment
  • No bank interference
  • DISADVANTAGES
  • Costly to transport
  • Costly to protect
  • Easily lost or stolen
  • Can be forged
  • Parties must be in close proximity to exchange

11
SVPS Pros/Cons
  • Pros
  • Instantaneous (no approval needed)
  • Potentially Anonymous (traceability hard)
  • Supports low-value payment
  • Cons
  • Secret key from one can be used for many
  • Secret key extraction makes counterfeit money
    indistinguishable for E-Cash
  • SVPS must strike balance between privacy and
    tracking illicit activity

12
How E-Cash Works
  • E-Cash stored in an electronic device, called a
    hardware token
  • Secure processor and non-volatile memory
  • Consumers load money into token
  • Tokens value counter is incremented
  • Or Value loaded as register-based cash
    electronic coins
  • Payment can be made on-line or off-line

13
E-Cash Online Payment
  • Purchaser deals directly with sellers hardware
    token device
  • Bank must be an intermediary
  • Allows for traceability
  • The H/W devices must be interoperable

14
Off-line Payment
  • Buyers H/W token interfaces with sellers device
  • IR, dial-up modem, or the Internet
  • Sellers device increases by transaction amount
  • Buyerss device decreases by transaction amount
  • Safeguards needed to prevent counter
    malfunction
  • E-Cash ultimately must be sold back to issuing
    bank

15
E-Cash Representation
  • A value stored in a counter of a H/W token (aka
    register-based)
  • From of cryptographic tokens called electronic
    coins

E-Coin System A Purse Cents count digital
signature count digital signature 5
count digital signature Token value is sum of
all
Register Based Basic unit 1 cent Token cntr
10000 Token value 100.00
16
Securing E-Cash
  • Security concerns for SV PS SAPS
  • Main reason lack of traceability ? fraud
    potential
  • Main concern potential to illegally add value to
    the H/W token
  • Physical Attacks on H/W token
  • Protocol based attack that mimics a paying device

17
Physical Attacks
  • Physical
  • An attempt to alter non-volatile memory
  • Device needs to be shielded so its tamper
    resistant
  • or device needs to be tamper evident

18
Protocol Attacks
  • Protocol
  • Device counter illegally incremented by fake
    paying device
  • Secure authentication needed to ensure fakes
    dont work
  • Best way is for both devices to share a symmetric
    cryptographic key
  • All devices do not use a master key
  • Secret key master key device unique ID

19
Protocol Attacks(2)
  • Key must be resistant to replay attacks
  • Wiretap captures key and replays the session
  • Challenge/Response systems can thwart replay
    attacks
  • Gives motive for the token bearer to recover
    secret key
  • Greed is a powerful sin

20
Alternative Approach
  • PKE is an alternate
  • Compromise of public key will not allow
    reconstruction of secret key
  • Response to challenge is digital signature
  • Disadvantage is that token cannot contain public
    keys for all paying devices
  • Advantage is ability to prove that accumulated
    value is legit
  • Digital signatures from paying devices authorize
    the accumulated values

21
Securing the TransactionWEB Protocols
  • SSL provides secure channel between Web clients
    and Web servers
  • Layered approach--remember protocol stack
  • Secures channel by providing end-to-end
    encryption of the data
  • Prevents easy packet sniffing
  • S-HTTP application level protocol

22
Protocol and Security SSL
SECURE
NOT SECURE
HTTP
FTP
SMTP
23
(No Transcript)
24
Protocol and Security SHTTP
SECURE
NOT SECURE
HTTP
Security
TCP
IP
25
Securing the Transaction(2)
  • Certificate Authority (CA)
  • Endorses identity of the Web server (or user)
  • No assurance of the quality of Web content
  • Users implicitly trust any sites that come loaded
    in their browser
  • The Little Yellow Lock Warm Fuzzy

26
(No Transcript)
27
Secure Payment Protocols (SPP) vs WEB Protocols
  • SPPs provide a method to assure a merchants
    payment
  • SPPs provide consumers assurance of credit card
    confidentiality
  • Web protocols (like SSL) leave payment details up
    to the merchant
  • Web protocols do not assure merchant will
    safeguard credit card number

28
Real World Examples
  • First Virtual
  • Cybercash
  • Secure Electronic Transactions (SET)
  • Others

29
First Virtual(FV)
  • WWW.fv.com--circa 1994
  • Does not use cryptography or secure
    communications
  • Based on exchange of email messages and customer
    honesty
  • Protocol I simple
  • 1996 180,000 buyers, 2650 merchants

30
FV IN ACTION(1)
31
FV IN ACTION(2)
SEVERAL DAYSLATER
32
CyberCash
  • Cybercash is a downloadable applications software
  • Consumers must generate public/private key pair
    based on RSA encryption technology
  • Merchants must also install CyberCash Library
  • Software free to stimulate acceptance
  • Future could be integrated into browsers
  • More to comeCyberCoin, and E-Cash Soln

33
CyberCash(2)
  • Uses Cryptography to protect transaction data
    during a purchase (does not use SSL)
  • Provides a secure protocol for credit card
    purchases over the internet
  • Uses existing back-end credit card infrastructure
    for settling payment
  • Payment details of credit card transaction are
    specified and implemented in the protocol

34
CyberCash(3)Merchants Perspective
  • There is no separate back-office system for batch
    processing card transaction
  • Payment assured for each transaction before
    product sold
  • Much like point-of-sale(POS) credit card
    transactions in physical stores

35
CyberCash(4)
  • Credit card number is protected--even from
    merchants
  • Card number encrypted with CyberCash public key
  • Only consumer, cybercahs and bank sees the credit
    card number

36
CYBERCASH IN ACTION
37
CYBERCASH IN ACTION
38
Secure Electronic Transaction (SET)
  • SET is an emerging open standard for secure
    credit card payments over the internet
  • Created by Mastercard and Visa
  • Specifies the mechanism for securely processing
    internet-based credit card orders
  • Does not specify the implementation
  • Does not specify the shopping or order process
    for ordering goods, payment selection, and the
    platform or security procedures

39
SET Security Assurances
  • Confidentiality -- secures payment info
  • Data integrity -- uses digital signatures
  • Client Authentication -- uses digital
    certificates identity plus public key
  • Merchant authentication -- uses digital
    certificate

40
SET Steps
  • 1. The customer opens an account with a
  • certificate authority.
  • 2. An issuing authority, like a bank, issues a
  • digital certificate authenticating a
    customer.
  • 3. Other third-party merchants also receive
  • their digital certificate when they open
    their
  • transaction accounts.
  • 4. The customer places an order.

41
SET Steps
  • 5. Customer verifies the merchants digital
  • certificate .
  • 6. Customer sends encrypted purchase details.
  • 7. When the merchant receives the order, the
  • customers own digital certificate is
    checked
  • for authenticity as well.

42
SET Steps
  • 8. The merchant then returns its own
    certificate, order details, customer payment
    information, and the banks digital certificate
    back to the bank to be used to authenticate the
    transaction.
  • 9. The bank will then verify the merchant
    certificate
  • and order information.
  • 10. The bank will digitally sign and return an
  • authorization back to the merchant.
  • 11. When these transactions are finished, the
    order is
  • completed.

43
SET IN ACTION
44
SET IN ACTION
4. Place Order
5. Merchant Certificate Sent
6. Send encrypted purchase details w/ Certificate
2. Buyer Opens Acct
3. Buyer receives Digital Certificate
7. Sends order to Bank w/ customer payment info
digital certificate
8. Bank verifies merchant certificate and order
info
10. ORDER COMPLETE
45
SET Summary
  • Large industry backing
  • Supports credit card transactions on-line
  • Does not support debit card payments
  • Does not address stored-value payment solutions
  • Does not use SSL, but it could
  • Implementations
  • Cybercash
  • RSA Data Securitys S/PAY

46
Other Examples
  • DigiCashs e-cash stored-value cryptographic
    coin system
  • CyberCoin--CyberCashs payment system for on-line
    commerce
  • Designed for small-value payments
  • Smart Cards
  • Conditional Access for Europe (CAFÉ)
  • Mondex
  • Visa Cash

47
Summary
  • Data Transaction Systems
  • Stored Account Systems
  • Stored Value Payment Systems
  • Securing the Transaction
  • SSL, S-HTTP and Secure Payment Protocols (SPP)
  • Real World Examples
  • FV, CyberCash, SET, E-Cash, and others
Write a Comment
User Comments (0)
About PowerShow.com