Internet payment systems - PowerPoint PPT Presentation

Slides: 33
Provided by: steve124


1
Internet payment systems
  • presented by steve
  • 27 Sept., 1999.

2
Outline
  • Introduction
  • Issues related
  • Security
  • Outstanding protocols
  • Mechanisms
  • Advantages and disadvantages
  • Conclusion

3
Introduction
  • In the past year, the number of users reachable
    through the Internet has increased dramatically
  • Potential to establish a new kind of open
    marketplace for goods and services

4
Introduction (cont'd)
  • Online shops on the Internet
      • Bookshop (Amazon.com)
      • Flight Reservation and Hotel Reservation
        (Expedia.com)
      • shopping place, etc.
  • An effective payment mechanism is needed

5
Issues related
  • Security (major concern!!!)
  • Performance
  • Reliability
  • Efficiency
  • Bandwidth
  • Anonymity (mainly in electronic coins)

6
Security
  • The Internet is not a secure place
  • There are attacks from
      • eavesdropping
      • masquerading
      • message tampering
      • replay

7
How to solve?
  • RSA public key cryptography is widely used for
    authentication and encryption in the computer
    industry
  • Using public/private (asymmetric) key pair or
    symmetric session key to prevent eavesdropping

8
How to solve? (cont'd)
  • Using message digest to prevent message tampering
  • Using nonce to prevent replay
  • Using digital certificate to prevent masquerading

12
Outstanding protocols
  • Credit card based
      • Secure Electronic Transaction (SET)
      • Secure Socket Layer (SSL)
  • Electronic coins
      • DigiCash
      • NetCash

13
Credit-card based systems
  • Parties involved: cardholder, merchant, issuer,
    acquirer and payment gateway
  • Transfer user's credit-card number to merchant
    via insecure network
  • A trusted third party to authenticate the public
    key

14
Secure Electronic Transaction (SET)
  • Developed by VISA and MasterCard
  • To facilitate secure payment card transactions
    over the Internet
  • Digital Certificates create a trust chain
    throughout the transaction, verifying cardholder
    and merchant validity
  • It is the most secure payment protocol

15
Framework
[Diagram: payment framework, with segments labelled Non-SET and SET]
16
Payment processes
  • The messages needed to perform a complete
    purchase transaction usually include:
      • Initialization (PInitReq/PInitRes)
      • Purchase order (PReq/PRes)
      • Authorization (AuthReq/AuthRes)
      • Capture of payment (CapReq/CapRes)

17
Typical SET Purchase Trans.
[Diagram: message sequence; parties shown: CardHolder, Payment Gateway;
messages in order: PInitReq, PInitRes, PReq, AuthReq, AuthRes, PRes,
CapReq, CapRes]
18
Initialization
[Diagram: Cardholder and Merchant]
  • PInitReq: BrandID, LID_C, Chall_C
  • PInitRes: TransID, Date, Chall_C, Chall_M, SigM, CA, CM
19
Purchase order
[Diagram: Cardholder and Merchant]
  • PReq: OI, PI
  • PRes: TransID, Results, Chall_C, SigM
20
Authorization
[Diagram: parties shown: Merchant, Acquirer, Issuer, Existing Financial
Network; message labels: AuthReq (SigM, PKA), AuthRes (SigA, PKM)]
21
Capture of payment
[Diagram: parties shown: Merchant, Acquirer, Issuer, Existing Financial
Network; labels: CapReq, CapToken, Clearing, CapRes (SigA, PKM)]
22
Advantages
  • It is secure enough to protect user's credit-card
    numbers and personal information from attacks
  • hardware independent
  • world-wide usage

23
Disadvantages
  • User must have credit card
  • No transfer of funds between users
  • It is not cost-effective when the payment is
    small
  • No anonymity, and it is traceable

24
Electronic cash/coins
  • Parties involved: client, merchant and bank
  • Client must have an account in the bank
  • Less security and encryption
  • Suitable for small payment, but not for large
    payment

25
DigiCash (E-cash)
  • A fully anonymous electronic cash system
  • Using blind signature technique
  • Parties involved: bank, buyer and merchant
  • Using RSA public-key cryptography
  • Special client and merchant software are needed

26
Withdrawing Ecash coins
  • User's cyberwallet software calculates how many
    digital coins are needed to withdraw the
    requested amount
  • The software then generates random serial numbers
    for those coins
  • The serial numbers are blinded by multiplying them
    by a random factor

27
Withdrawing Ecash coins (cont'd)
  • Blinded coins are packaged into a message,
    digitally signed with user's private key,
    encrypted with the bank's public key, then sent
    to the bank
  • When the bank receives the message, it checks the
    signature
  • After signing the blind coins, the bank returns
    them to the user

28
Spending Ecash
29
Advantages
  • Cost-effective for small payment
  • User can transfer his electronic coins to other
    user
  • No need to apply for a credit card
  • Anonymous feature
  • Hardware independent

30
Disadvantages
  • It is not suitable for large payment because of
    lower security
  • Client must use wallet software in order to store
    the withdrawn coins from the bank
  • A large database to store used serial numbers to
    prevent double spending

31
Comparisons
  • SET
      • use credit card
      • 5 parties involved
      • no anonymity
      • large and small payment
  • Ecash
      • use e-coins
      • 3 parties involved
      • anonymous nature
      • a large database is needed to log used serial
        numbers
      • small payment

32
Conclusions
  • An effective, secure and reliable Internet
    payment system is needed
  • Depending on the payment amount, a different level
    of security is used
  • SET protocol is an outstanding payment protocol
    for secure electronic commerce