Title: ARUN RAJ'R
1Presented By
- ARUN RAJ.R
- JES VARGHESE
- NEERAJ.R
- SATHEESH.S
2Organization of Presentation
- Introduction
- Credit Cards on the Internet
- Credit Card Protocols
- SET Business Requirements
- Parties in SET
- SET Transactions
- Symmetric key encryption system
- Public key encryption system
- Message Digest
- Digital Signature
- Digital Envelope
- Digital Certificate
- Dual Signatures
- SET Supported Transactions
- Card Holder Registration
- Merchant Registration
- Purchase Request
- Payment Authorization
- SYSTEM CONFIGURATION
3Introduction
- An application-layer security mechanism,
consisting of a set of protocols. - Protect credit card transaction on the Internet.
- Companies involved MasterCard, Visa, IBM,
Microsoft, Netscape, RSA, Terisa and Verisign - Not a payment system.
- It has a complex specification.
4Credit Cards on the Internet
- Problem communicate credit card and purchasing
data securely to gain consumer trust - Authentication of buyer and merchant
- Confidential transmissions
- Systems vary by
- type of public-key encryption
- type of symmetric encryption
- message digest algorithm
- number of parties having private keys
- number of parties having certificates
5Credit Card Protocols
- SSL 1 or 2 parties have private keys
- TLS (Transport Layer Security)
- IETF version of SSL
- i KP (IBM)
- SEPP (Secure Encryption Payment Protocol)
- MasterCard, IBM, Netscape
- STT (Secure Transaction Technology)
- VISA, Microsoft
- SET (Secure Electronic Transactions)
- MasterCard, VISA all parties have certificates
OBSOLETE
6Identification is the Challenge
but in e-transactions, it is important to Know
if you are dealing with a dog.
7SET Business Requirements
- Provide confidentiality of payment and ordering
information. - Ensure the integrity of all transmitted data.
- Provide authentication that a cardholder is a
legitimate user of a credit card account - Provide authentication that a merchant can accept
credit card transactions through its relationship
with a financial institution
8SET Business Requirements (contd)
- Ensure the use of the best security practices and
system design techniques to protect all
legitimate parties in an electronic commerce
transaction - Create a protocol that neither depends on
transport security mechanisms nor prevents their
use - Facilitate and encourage interoperability among
software and network providers
9Secure Electronic Transaction
- Confidentiality all messages encrypted
- Trust all parties must have digital certificates
- Privacy information made available only when and
where necessary
10Components to build Trust
- Data Confidentiality ? Encryption
- Who am I dealing with? ? Authentication
- Message integrity ? Message Digest
- Non-repudiation ? Digital Signature
- Access Control ? Certificate Attributes
11Parties in SET
12SET Transactions
13Symmetric key encryption system
- Same key is used to both encrypt and decrypt data
Examples of encryption systems DES, 3DES, AES
14Public key encryption system
Recipients Public Key
Recipients Private Key
Each user has 2 keys what one key encrypts, only
the other key in the pair can decrypt. Public key
can be sent in the open. Private key is never
transmitted or shared. Eg. RSA (Rivest, Shamir,
and Adleman )
15Message Digest
- Used to determine if document has changed
- Usually 128-bit or 160-bit digests
- Infeasible to produce a document matching a
digest - A one bit change in the document affects about
half the bits in the digest - Eg. SHA-1 (160-bit digest), Secure Hash Algorithm
16Digital Signature
17Digital Signature
Signers Private Key
Encrypted Digest
Digest
Hash Algorithm
18Verifying the Digital Signature
Digest
Hash Algorithm
Digest
Signers Public Key
Integrity One bit change in the content changes
the digest
19Digital Envelope
One time encryption Key
Digital Envelope
Recipients Public Key
- Combines the high speed of DES (symmetric
encryption) and the key management convenience of
RSA (public key encryption)
20Digital Certificate
- A digital certificate or Digital ID is a
computer-based record that attests to the binding
of a public key to an identified subscriber. - Certificate issued by Certification Authority
(CA). - Certified digital signature attests to message
content and to the identity of the signer. - Combined with a digital time stamp, messages can
be proved to have been sent at certain time.
21Digital Certificate
22X.509 Certificate Version 3
- Version
- This identifies which version of the X.509
standard applies to this certificate. - Serial Number
- The entity that created the certificate is
responsible for assigning it a serial number to
distinguish it from other certificates it issues. - Signature Algorithm Identifier
- This identifies the algorithm used by the CA to
sign the certificate.
23X.509 Certificate Version 3
- Issuer Name
- The X.500 name of the entity that signed the
certificate. This is normally a CA. - Validity Period
- Each certificate is valid only for a limited
amount of time. This period is described by a
start date and time and an end date and time. - Subject Name
- The name of the entity whose public key the
certificate identifies. - Subject Public Key Information
- This is the public key of the entity being named,
together with an algorithm identifier which
specifies which public key crypto system this key
belongs to and any associated key parameters.
24X.509 Certificate Version 3
25X.509 Certificate Version 3
26Dual Signatures
- Links two messages securely but allows only one
party to read each. Used in SET.
MESSAGE 1
MESSAGE 2
HASH 1 2 WITH SHA
CONCATENATE DIGESTS TOGETHER
DIGEST 2
DIGEST 1
HASH WITH SHA TO CREATE NEW DIGEST
NEW DIGEST
ENCRYPT NEW DIGEST WITH SIGNERS PRIVATE KEY
PRIVATE KEY
DUAL SIGNATURE
27SET Transactions
28SET Supported Transactions
- certificate query
- purchase inquiry
- purchase notification
- sale transaction
- authorization reversal
- capture reversal
- credit reversal
- card holder registration
- merchant registration
- purchase request
- payment authorization
- payment capture
29Card Holder Registration
30Card Holder Registration
31Card Holder Registration
32Card Holder Registration
Cardholder Initiates Registration
33Card Holder Registration
CA Sends Response
34Card Holder Registration
Cardholder Requests Registration Form
35Card Holder Registration
CA Sends Registration Form
36Card Holder Registration
Cardholder Requests Certificate
37Card Holder Registration
CA Sends Certificate
1.
2.
38Card Holder Registration
Cardholder Receives Certificate
39SET Supported Transactions
- certificate query
- purchase inquiry
- purchase notification
- sale transaction
- authorization reversal
- capture reversal
- credit reversal
- card holder registration
- merchant registration
- purchase request
- payment authorization
- payment capture
40Merchant Registration
41SET Supported Transactions
- certificate query
- purchase inquiry
- purchase notification
- sale transaction
- authorization reversal
- capture reversal
- credit reversal
- card holder registration
- merchant registration
- purchase request
- payment authorization
- payment capture
42Purchase Request
43Purchase Request
Customer Browses for Products
44Purchase Request
Select the Card for Payment
45Purchase Request
46Purchase Request
Cardholder Initiates Request
47Purchase Request
Merchant Sends Response
48Purchase Request
The Cardholder Sends Request
49Purchase Request
Cardholder Sends Purchase Request
50Purchase Request
Merchant Processes Purchase Request Message
51Purchase Request
Merchant Sends Purchase Response
52SET Supported Transactions
- certificate query
- purchase inquiry
- purchase notification
- sale transaction
- authorization reversal
- capture reversal
- credit reversal
- card holder registration
- merchant registration
- purchase request
- payment authorization
- payment capture
53Payment Authorization
Payment Authorization Process
54SYSTEM CONFIGURATION
- Hardware requirements
- Any 32-bit processor
- Memory of minimum 128 MB RAM
- Sufficient Hard Disk Free space
- Mouse preferred for ease of use
- Software requirements
- Development tool Java 1.3 or above, Bouncy
Castle Provider - Operating system Compatible to all OS
- Back end Microsoft SQL Server / Microsoft Access
- Any Web Browser
55Database Organization
A database is used at the Cardholder Machine to
store his Card Details
56Important Source Files
57Important Source Files
58Conclusion
With the help of the above discussions, the SET
protocol appears to be complete, sound, robust
and reasonably secure for the purpose of
credit-card transactions. However, it is
important that the encryption algorithms and
key-sizes used, will be robust enough to prevent
observation by hostile entities. The secure
electronic transactions protocol (SET) is
important for the success of electronic commerce.
Secure electronic transactions will be an
important part of electronic commerce in the
future. Without such security, the interests of
the merchant, the consumer, and the credit or
economic institution cannot be served.
59References
- William Stallings, Cryptography and Network
Security 3/e, Pearson, 2003 - http//www.setco.org/download/set_bk2.pdf
- http//www.cl.cam.ac.uk/Research/Security/resource
s/SET/intro.html - Jonathan B. Knudsen, Java Cryptography, First
Edition May 1998 - Herb Schildt, Java 2 Complete Reference 4/e,
Osborne,1999
60Thank you