Title: ECT%20455/HCI%20513%20E-Commerce%20Web%20Site%20Engineering
1ECT 455/HCI 513 E-Commerce Web Site Engineering
- Electronic Payment Systems
- Internet Transaction Security
2Online Payment Systems
- Online payment is the foundation of systems for
EC. - How does it mesh with the past and current
currency systems? - credit cards, debit cards, ATM, banks
- Political Challenges
- What about taxes?
3Electronic Payment Systems
- Efficient and effective payment services accepted
by consumers and businesses are essential to
e-commerce. - Requirements
- Convenient for web purchasing
- Transportable over the network
- Strong enough to thwart electronic interference
- Cost-effective for extremely low-value
transactions
4Electronic Payment Systems
- Banking and Financial Payments
- Bank-to-bank transfer (EFT)
- Home Banking -- CitiBank, Wells Fargo
- Payment through an Intermediary
- Open Market
- First Virtual (FirstVirtual Pin)
Both refer to their earlier business models
5Electronic Payment Systems
- Electronic Currency Payment Systems
- Electronic Cash -- CyberCash, Internetcash.com
- Electronic Checks -- NetCheque
- e-Wallets (Visa)
- Smart Cards
- American Express (blue smart card)
- Visa
- Micropayments
- echarge
6More
- Retailing Payment Systems
- Credit Cards -- Visa or MasterCard
- Private Label Credit/Debit Cards
- Charge Cards -- American Express echarge
- Peer-to-peer payments (between consumers)
- PayPal (billpoint)
7Credit-Card Transactions
- Popular form of payment for online purchases
- Resistance due to security concerns
- Many cards offer capabilities for online and
offline purchases - Prodigy Internet Mastercard
- American Express Blue
8Online Credit-Card Transaction
- To accept credit-card payments, a merchant must
have a merchant account - Traditional merchant accounts accept only POS
(point-of-sale) transactions - Transactions that occur when you present your
credit card at a store - Card-not-present (CNP) transaction
- Merchant does not see actual card being used in
the purchase - Authentication
- The person is, in fact, who they say they are
9Credit-Card Transaction Enablers
- Credit-Card Transaction Enablers
- Companies that have established business
relationships with financial institutions that
will accept online credit-card payments for
merchant clients - Trintech
- Cybercash (Verisign)
10E-Wallets
- E-wallets
- Keep track of your billing and shipping
information so that it can be entered with one
click at participating sites - Store e-checks, e-cash and credit-card
information - Credit-card companies offer a variety of
e-wallets - Visa e-wallets
- MBNA e-wallet allows one-click shopping at member
sites - A group of e-wallet vendors have standardized
technology with Electronic Commerce Modeling
Language (ECML)
11Digital Currency
- Digital cash
- Stored electronically, used to make online
electronic payments - Similar to traditional bank accounts
- Used with other payment technologies (digital
wallets) - Alleviates some security fears online credit-card
transactions - Allows those with no credit cards to shop online
- Merchants accepting digital-cash payments avoid
credit-card transaction fees
12Smart Cards
- Smart card
- Card with computer chip embedded on its face,
holds more information than ordinary credit card
with magnetic strip - Contact smart cards
- To read information on smart cards and update
information, contact smart cards need to be
placed in a smart card reader - Contactless smart cards
- Have both a coiled antenna and a computer chip
inside, enabling the cards to transmit
information - Can require the user to have a password, giving
the smart card a security advantage over credit
cards - Information can be designated as "read only" or
as "no access" - Possibility of personal identity theft
13Internet security
- Consumers entering highly confidential
information - Number of security attacks increasing
- Four requirements of a secure transaction
- Privacy information not read by third party
- Integrity information not compromised or
altered - Authentication sender and receiver prove
identities - Non-repudiation legally prove message was sent
and received - Availability
- Computer systems continually accessible
14Secret-key Cryptography
- Encrypting and decrypting a message using a
symmetric key
15Secret-key Cryptography
- Distributing a session key with a key
distribution center
16Secret-key Cryptography
- Secret-key cryptography
- Same key to encrypt and decrypt message
- Sender sends message and key to receiver
- Problems with secret-key cryptography
- Key must be transmitted to receiver
- Different key for every receiver
- Key distribution centers used to reduce these
problems - Generates session key and sends it to sender and
receiver encrypted with the unique key - Encryption algorithms
- Dunn Encryption Standard (DES), Triple DES,
Advanced Encryption Standard (AES)
17Key Management
- Key management
- Handling and security of private keys
- Key generation
- The process by which keys are created
- Must be truly random
18Public Key Cryptography
- Public key cryptography
- Asymmetric two inversely related keys
- Private key
- Public key
- If public key encrypts only private can decrypt
and vice versa - Each party has both a public and a private key
- Either the public key or the private key can be
used to encrypt a message - Encrypted with public key and private key
- Proves identity while maintaining security
- RSA public key algorithm www.rsasecurity.com
19Public Key Encryption and Decryption
20Public Key Cryptography
- Authentication with a public-key algorithm
21Digital Signatures
- Digital signature
- Authenticates senders identity
- Run plaintext through hash function
- Gives message a mathematical value called hash
value - Hash value also known as message digest
- Collision
- Occurs when multiple messages have same hash
value - Encrypt message digest with private-key
- Send signature, encrypted message (with
public-key) and hash function - Timestamping
- Binds a time and date to message, solves
non-repudiation - Third party, time-stamping agency, timestamps
messages
22Using a digital signature to validate data
integrity
23Digital Certificate
- A certificate is an electronic document used to
identify an individual, a server, a company, or
some other entity and to associate that identity
with a public key. - Public-key cryptography uses certificates to
address the problem of impersonation - Certificate authorities (CAs) are entities that
validate identities and issue certificates. They
can be either independent third parties or
organizations running their own
certificate-issuing server software
24Digital Certificate
- A digital certificate includes
- the public key
- the name of the entity it identifies
- an expiration date
- the name of the CA that issued the certificate
- a serial number, and other information. Most
importantly, a certificate always includes the
digital signature of the issuing CA. - The CA's digital signature allows the certificate
to function as a "letter of introduction" for
users who know and trust the CA but don't know
the entity identified by the certificate.
25Encryption Transaction SecuritySecret vs.
Public Key Encryption
- Secret-Key Encryption (single key)
- Symmetric encryption, DES
- Use a shared secret key for encryption and
decryption - Key distribution disclosure
- fast, for bulk data encryption
- Public-Key Encryption (Pair of keys)
- Asymmetric encryption, RSA (Rivest, Shamin,
Adlemann) - Private/Public keys
- Need digital certificates and trusted 3rd parties
- Slower
- For less demanding applications
26Client Authentication
- Password-Based Authentication.
- A server might require a user to type a name and
password before granting access to the server. - The server maintains a list of names and
passwords if a particular name is on the list,
and if the user types the correct password, the
server grants access. - Certificate-Based Authentication.
- Client authentication based on certificates is
part of the SSL protocol. - The client digitally signs a randomly generated
piece of data and sends both the certificate and
the signed data across the network. - The server uses techniques of public-key
cryptography to validate the signature and
confirm the validity of the certificate
27 Using a password to authenticate a client to a
server
28 Using a certificate to authenticate a client to
a server
29Public Key Infrastructure, Certificates and
Certification Authorities
- Public Key Infrastructure (PKI)
- Integrates public key cryptography with digital
certificates and certification authorities - Digital certificate
- Digital document issued by certification
authority - Includes name of subject, subjects public key,
serial number, expiration date and signature of
trusted third party - Verisign (www.verisign.com)
- Leading certificate authority
- Periodically changing key pairs helps security
30SET Secure Electronic Transaction
- The SET protocol is a collection of encryption
and security specification used as an
industry-wide, open standard for ensuring secure
payment transaction over the Internet. - A payment protocol to accelerate development of
e-commerce and to bolster consumer confidence
31SET Secure Electronic Transaction
- SET establishes a method for interoperability of
secure transactions software over multiple,
popular hardware platforms and operating systems - Developed by Visa and MasterCard, with GTE, IBM,
Microsoft, Netscape, SAIC, Terisa Systems and
Verisign. - Based on encryption technology from RSA Data
Security.
32SET Secure Electronic Transaction
- Use digital certificates to authenticate all the
parties involved in a transaction - SET-compliant software validates both merchant
and cardholder before exchange of information - Employs public-key encryption and digital
signature - Complete documentation in visa.com
33Secure Electronic Transaction (SET)
- SET protocol
- Designed to protect e-commerce payments
- Certifies customer, merchant and merchants bank
- Requirements
- Merchants must have a digital certificate and SET
software - Customers must have a digital certificate and
digital wallet - Digital wallet
- Stores credit card information and identification
- Merchant never sees the customers personal
information - Sent straight to banks
- Microsoft Authenticode
- Authenticates file downloads
- Informs users of the downloads author
34Advantages of SET Over Channel Encryption
- Participants are authenticated via certificates
- Financial institutions provide assurance, not
software - SET allows a wallet to clearly distinguish a
payment from other uses of web forms - SET prevents terminated merchants from obtaining
account information (three party transaction)
35Merchant Benefits of SET
- More sales
- Increased trust in merchant
- Visa global acceptance
- Cost Savings
- Fewer losses from chargebacks
- Assured payment
- Reduced overhead
- Automated payment process
36Secure Sockets Layer (SSL)
- A transport-level technology for authentication
and data encryption between a Web server and a
Web browser. - SSL negotiates point-to-point security between a
client and a server. - SSL secures the routes of Internet communication,
but it does not protect you from unscrupulous or
careless people. - Source www.Netscape.com
- Use Public Key
- Do not protect private information.
37Secure Sockets layer (SSL)
- SSL
- Uses public-key technology and digital
certificates to authenticate the server in a
transaction - Protects information as it travels over Internet
- Does not protect once stored on receivers server
- Peripheral component interconnect (PCI) cards
- Installed on servers to secure data for an SSL
transaction
38SET versus SSL
- SET
- Three party protocol
- Application protocol
- Trust requirement All participants have been
authenticated for a specific role in payment card
transaction processing
- SSL
- Two party protocol
- TCP/IP Communication protocol
- Trust requirement communicating with a trustable
server