Secure Electronic Transactions Standard by Kelly Murrell - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Secure Electronic Transactions Standard by Kelly Murrell

Description:

... key of the retailer's bank these details can only be decrypted by the bank using ... Asymmetric encryption with a public and a private key. So why session keys? ... – PowerPoint PPT presentation

Number of Views:97
Avg rating:3.0/5.0
Slides: 20
Provided by: kellym6
Category:

less

Transcript and Presenter's Notes

Title: Secure Electronic Transactions Standard by Kelly Murrell


1
Secure Electronic Transactions Standardby Kelly
Murrell
2
Definition
  • Secure Electronic Transaction (SET) is a standard
    developed for protecting the privacy and ensuring
    the authenticity of electronic transactions. i.e.
    for securing credit-card transactions over the
    Internet.
  • It was jointly developed by Visa and MasterCard
    in collaboration with computer vendors such as
    IBM, Microsoft and Netscape.

3
How SETS Works
  • SETS works through the use of public key
    encryption.
  • This involves two keys
  • a private key which is kept secret and
  • a public key which can be distributed to others.
  • If a message is encrypted using one key then it
    can only be decrypted using the other.
  • When the customer encrypts his credit card
    details with the public key of the retailers
    bank these details can only be decrypted by the
    bank using its private key. This standard
    effectively prevents the retailer having access
    to the consumers credit card number at any stage
    in the process.

4
How SETS Works
5
The Technology
  • The SET protocol uses two different encryption
    mechanisms, as well as an authentication
    mechanism. SET uses symmetric encryption, in the
    form of the aging Data Encryption Standard (DES),
    as well as asymmetric, or public-key encryption
    to transmit session keys for DES transactions
    (IBM, 1998).

6
Symmetric Encryption
Symmetric encryption with a single key
7
Asymmetric Encryption
Asymmetric encryption with a public and a private
key
8
So why session keys?
  • Rather than offer the security and protection
    afforded by public-key cryptography, SET simply
    uses session keys (56 bits) which are transmitted
    asymmetrically the remainder of the transaction
    uses symmetric encryption in the form of DES.
  • So now you might ask, "Why not simply use
    asymmetric encryption all the time?" The reason
    is simple - asymmetric crypto is about 10 to 1000
    times more compute intensive than symmetric
    crypto.
  • In fact, some have suggested that the form of
    asymmetric crypto used in SET, which was named
    RSA (Rivest, Shamir, and Adleman - its
    inventors), might just as easily stand for
    "Really Slow Algorithm." Clearly, if your message
    is of any substantial size, you would limit the
    amount of asymmetric crypto that must take place
    unless you have loads of patience and free CPU
    cycles.

9
Why Session Keys 2
  • SET strikes a balance between the pros and cons
    of DES and RSA by using DES to encrypt the bulk
    of the message payload and RSA to distribute the
    DES keys, which are only 56 bits long.

10
Why not SSL?
  • So why not just use SSL?
  • As Jerome indicated, SSL provides a secure
    "electronic pipe" between the consumer and the
    merchant for exchanging payment information. Data
    sent through this pipe is encrypted, so that no
    one other than these two parties will be able to
    read it. In other words, SSL can give us
    confidential communications.
  • However, is that enough?
  • Example
  • Let's say that Shalik wants to buy something from
    Kevins electronic store. Shalik uses her Web
    browser to interact with Kevins merchant server
    to select the items she wants to buy, and saves
    her selections in an electronic shopping cart.
  • Finally, the moment of truth has arrived and
    Shalik needs to send her credit card information
    to Kevin to pay for her purchases. Shaliks
    browser and Kevins merchant server set up a
    secure SSL pipe with Shalik at one end and Kevin
    at the other. They have a secure means for
    exchanging data, but no SET Is this considered
    Safe Surfing?

11
Why not SSL? 2
  • As we would have discussed in class, how does
    Shalik know that Kevin is who he claims to be?
  • After all, anyone can put up a snazzy Web site
    and profess to be the XYZ Corp., but how do you
    really know that they are legit?
  • How does Shalik know that this isn't simply some
    hacker impersonating the XYZ Corp. and collecting
    credit card numbers for personal use?
  • For that matter, how does Kevin (the merchant)
    know that Shalik is who she says she is? How does
    Kevin know that the credit card number she just
    sent really belongs to her and that she didn't
    pick it up from a receipt she found while
    rummaging through the garbage?
  • The simple truth is, that while we may have a
    secure communications pipe, we have no way of
    knowing who we are dealing with.

12
So now we look at the Pros and Cons of SETS
13
ADVANTAGES
  • The SET protocol provides three main advantages,
    that put
  • together, make it safer than other payment
    methods. These
  • advantages are
  • Privacy, via cryptography that renders
    intercepted messages unreadable.
  • Integrity, via hashing and signing assures that
    messages sent are received without alteration.
  • Authentication, via digital certificates which
    assures that the parties involved in the
    transaction are who they claim to be, and
    prevents them from denying that they sent a
    message (i.e. non-repudiation).

14
CRITICISMS
  • Too many delays It has been two years since
    Visa/MasterCard promised to make the Internet
    safe for credit card transactions and thereby
    pave the way for the full potential of
    I-commerce. Now two years later the standard is
    still far from completion.
  • Slow - The price for the higher levels of
    security that SET provides is that the
    transactions become quite slow. Lag times of up
    to 50 seconds have been reported for the
    processing of a typical cardholder initiated
    purchase request to the approval response from
    the acquirer and the finalization of the
    transaction by the merchants server.

15
CRITICISMS 2
  • Expensive - Besides being slow for the
    cardholders to use SET is also relatively
    expensive for the merchants to implement.
  • According to experiences during the Swedish SET
    pilot project the typical costs amount to around
    a quarter million SKr (equivalent to over 30 000
    US).
  • Such high costs simply makes SET unprofitable
    for most smaller merchants, at least as long as
    their online markets remain relatively small.
  • In the future this problem could be solved if
    Web-hosting companies start supplying SET enabled
    services for merchants to connect their
    storefront merchant server applications to.

16
Conclusions and Future Works
  • At a technological level, there are some obvious
  • open questions
  • When will electronic payment systems be 100
    safe?
  • Is it going to become the standard of the future
    for I-commerce or not?

17
Conclusions and Future Works 2
  • It is difficult to say that there will be 100
    safe systems. The bet is more likely to be in
    minimising the problem of hacking and finding
    alternative ways to address the question. In
    technological terms is highly difficult to find
    100 safe systems.
  • Some say SET is simply too complex and expensive,
    others say its what is needed to make I-commerce
    safe and attractive for all parties involved.
  • The fact is that as long as SET is backed by very
    powerful players that have much to gain on
    getting the standard widely adopted (i.e. card
    companies and banks) it stands an undeniable
    chance of being so.

18
Conclusions and Future Works 3
  • MasterCard and Visa have invested heavily in SET,
    both financially and status wise, and cant be
    expected to abandon it in the first case.
  • So, even if merchants wont really want to
    implement the protocol, the financial community
    might come to force SET on them by manipulating
    the interchange rates merchants pay on their
    financial transactions.
  • Presently, all card transactions over the
    Internet (e.g. using SSL) are placed in the
    highest risk category, called Mail
    Order/Telephone Order (MOTO) or Card Not Present
    (CNP), and thereby carry the highest interchange
    rate. By offering lower interchange rates on
    transactions that use SET, the merchants can come
    to be enticed to adopt the protocol, even with
    its limitations.

19
ANY QUESTIONS?
Write a Comment
User Comments (0)
About PowerShow.com