General

1
Web Security (II)
CS 6262 Fall 02
2
Secure Electronic Transaction

• An open encryption and security specification for
  credit card transaction on the Internet
• Main requirements
• Confidentiality of payment and ordering
  information
• Integrity of all transmitted data
• Authentication of cardholder
• Authentication of merchant

3
Basic Workflow
payment gateway
5 ship order
buyer
3 OI PI
6 payment req
2 order form
1 browse
merchant
4 auth req
4
Dual Signature

• Link order information and payment information
• Meta digest of both OI and PI messages digests
• H(H(PI)H(OI))
• proves the two go together
• does not reveal one half to the others reader
• Meta digest signed with customers private
  signature key
• DSEH(H(PI)H(OI))

5
SET Detailed Steps

• Initiate request/response
• Cardholder purchase request/response
• Merchant authorization request
• Payment gateway authorization response
• Merchant capture request
• Payment gateway capture response

6
Initiate Response

• Mtransaction signed by merchant, merchants
  signing cert, key-exchange cert of payment
  gateway, key-exchange cert of merchant
• Buyer verifies each of 3 certs and merchants
  signature

7
Cardholder Purchase Request

• Mtransaction , buyers signing cert, dual
  signature, OI, PIMD, PIdual signatureOIMD
  symmetrically encrypted, buyers symmetric key
  encrypted in the public key-exchange key of the
  payment gateway
• OI and PI both contain transaction
• Order-related info dual signature, OI, PIMD
• Purchase-related info PIdual signatureOIMD
  symmetrically encrypted
• Digital envelope buyers symmetric key
  encrypted in the public key-exchange key of the
  payment gateway
• Merchant verifies buyers signing cert and dual
  signature

8
Cardholder Purchase Response

• MACK signed by merchant, merchant signing
  cert
• Buyer verifies signature and stores ACK

9
Merchant Authorization Request

• Mpurchase-related info, digital envelope,
  authentication-related info, certificates
• Authorization-related info transaction
  signed by merchants signing key symmetrically
  encrypted, merchants symmetric key encrypted
  with the public key-exchange key of the payment
  gateway
• Certificates cardholders signature key cert,
  merchants signature key cert, merchants
  key-exchange cert

10
Payment Gateway Authorization Response

• Mcard issuers response signed by payment
  gateway symmetrically encrypted, symmetric key
  encrypted with the public key-exchange key of the
  merchant, optional capture token signed by
  payment gateway symmetrically encrypted,
  symmetric key encrypted in the public
  key-exchange key of the merchant, payment
  gateways signing cert
• Merchant opens and verifies issuer response, and
  stores optional capture token

11
Merchant Capture Request

• Merchant fulfills order.
• Mfinal details, transaction signed by
  merchants signing key symmetrically encrypted,
  symmetric key encrypted with the public
  key-exchange key of the payment gateway,
  merchants signing cert and key-exchange cert,
  optional sealed capture token from before.
• Payment gateway opens both envelopes, verifies
  signatures and forwards details to financial
  processors.

12
Payment Gateway Capture Response

• Payment gateway forwards messages to financial
  networks and back.
• Missuers response signed by payment
  gateways signing key symmetrically encrypted,
  symmetric key encrypted with the public
  key-exchange key of the merchant, signing cert of
  the gateway.
• Merchant opens envelopes and verifies signatures,
  then stores the capture response for
  reconciliation when payment is received from
  acquiring bank.

13
SET Security Issues

• Two pairs of PKs per entity
• One pair for signing
• One pair for exchanging keys
• Assumes full PKI is available
• Including revocation
• Merchant does not see payment instrument used