
340 Cryptography and Network Security

3. Authentication: The failure of authentication leads the attacker to acquire … The major attacks due to lack of authentication check are … attack, dictionary attack, cookie replay and credential theft. These attacks can be addressed using strong, complex and encrypted passwords.
4. Session management: Application layer is responsible for managing sessions of applications, which are crucial to provide security. The threats in the session management are man-in-the-middle attack, session hijacking and session replay attack. Secure channel, re-authentication and cryptographic techniques can be employed to counter these threats.
5. Auditing and logging: Through auditing and logging, all the actions carried out are kept tracked. The major threats encountered are users deleting the history files after performing some operation or refusing to take the responsibility for the action performed. These can be avoided by secure logging of all the events that occur and relocating the log files.

13.2 SECURE ELECTRONIC TRANSACTION
Global reach of Internet encourages online transactions. Secured encryption technology is needed to support secure E-commerce in the Internet. Cryptanalysis (code breaking) and US export restrictions on encryption are some of the challenges in encryption technology to provide Secure Electronic Transactions in the Internet. In order to provide solution to these challenges, Secure Electronic Transaction (SET) was developed. SET is an open encryption and security standard specification that ensures secure financial transactions performed in the Internet through a debit or credit card received from a bank. SET was developed by VISA and MasterCard with the support of GTE, Microsoft, IBM and Netscape. It is difficult to provide privacy, confidentiality and authentication when two users such as cardholder and merchant are communicating. In order to provide this, each user receives a digital certificate and signature from a Certification Authority (CA). In other words, these are represented as a public and private key pair. For each transaction, both digital wallets (certificate and signature) are verified by each actor. The SET uses Netscape's SSL, Microsoft's Secure Transaction Technology (STT), Secure Hypertext Transfer Protocol (S-HTTP) and some aspects of public key infrastructure. The cardholder's information is secured by the SET since it travels across an insecure network (Internet). The main advantage of SET is that it securely conceals the Order Information (OI) and Payment Information (PI), so that the bank cannot find order information and the merchant cannot find the details of payment information.

13.2.1 Actors in SET
The main actors in SET are merchant (recipient), acquirer, customer (cardholder), issuer (bank), payment gateway and CA, which are illustrated in Figure 13.1.
1. Merchant (Recipient): Merchant is a person or an enterprise that has goods to sell to the customers in an electronic environment. Merchant will have a tie-up with acquirer.
2. Acquirer: Merchant has an account with the acquirer for payment and payment card authorization. Merchant accepts various types of payment cards with the assurance of acquirer. The acquirer provides payment authorization to transfer the payment to the merchant account after delivering the goods to the customer.
Figure 13.1 SET actors (figure not reproduced; it shows Customer (cardholder), Merchant, Acquirer, Issuer, Payment Gateway and Certification Authority (CA))
3. Customer (Cardholder): Cardholder or customer is a person who holds a payment card which is provided by an issuer. In order to initiate purchase request, he/she interacts with the merchant to buy some products.
4. Issuer (Bank): A financial organization such as bank who provides payment card to the customer. It supports authentication.
5. Payment Gateway: The Payment Gateway is an interface between the merchant and acquirer. It supports money transfer and settlement.
6. Certification Authority: An entity that issues X.509v3 public key certificates to cardholders, merchants, acquirer, issuer and payment gateways.

In Figure 13.1, initially, the customer sends order request to the merchant. The merchant verifies the request and confirms the order to the customer. After getting confirmation from the merchant, the customer sends payment-related information and order-related information to the merchant. The merchant extracts order-related information and forwards the payment-related information to the acquirer through payment gateway. The acquirer communicates with the issuer (bank) and gets confirmation from the issuer that the customer does not exceed his/her limit. After that the acquirer gives payment authorization message to the merchant through payment gateway. Finally merchant delivers the goods to the customer. The CA takes the responsibility of providing private and public keys to all the components in the form of certificates.

13.2.2 Functionality of SET
Initially, both the customer and the merchant should register their details with the CA. Then, the SET enables the merchant to authorize the user as a legitimate user with a valid card by checking the public key received from the CA. It uses X.509v3 digital certificate and Rivest, Shamir and Adleman (RSA) signatures to provide authentication in the SET. As an initialization procedure, the customer and merchant exchange their public keys to each other as digital certificates provided by the CA. In the SET, the information sent from customer to the merchant are PI and OI. The SET ensures that the information sent from customer to merchant is not altered during the transmission. In order to provide the facility of information confidentiality, the cardholder uses his/her private key to create a Dual Signature (DS) on the Message Digest (MD) of the order and payment information.

The DS is a new concept which is introduced in the SET to provide the facility of privacy and authentication. The DS is used for concatenating two different messages that are intended for different persons in such a way that the privacy of the information is preserved. Hence, the customer creates the DS so that the merchant can view the order-related information but cannot view the payment-related information. Similarly, the bank can view the payment-related information but cannot view the order-related information. In order to do that, the customer initially computes MDs of the payment- and order-related information. For computing the MD, Secure Hashing Algorithm-1 (SHA-1) is used. These MDs are denoted as PIMD (Payment Information Message Digest) and OIMD (Order Information Message Digest). After creating the PIMD and OIMD values, these two values are concatenated and the result is sent into the hash function. The final result is called Payment Order Message Digest (POMD). This POMD is further encrypted using the private key of the cardholder to produce the DS. The process of creating the DS is shown in Figure 13.2.
The SET consists of two phases, namely purchase request and purchase response. During the purchase request, the cardholder has to send order- and payment-related information to the merchant and to the bank. In the purchase response, the merchant responds to the cardholder. If the cardholder transaction is valid, then the merchant delivers the goods to the cardholder. For creating the purchase request message, the cardholder initially creates the DS. After creating the DS, it generates a random session key value Ks to encrypt the payment-related information as shown in Figure 13.3. After generating the session key, it encrypts the session key using the public key of the bank (KU). This is called digital envelope and it can be decrypted only by using the private key of the bank (KR). The digital envelope is thus created by encrypting the randomly generated session key with the public key of the bank using the RSA algorithm. After creating the digital envelope, the customer encrypts the PI, DS and OIMD using the session key generated by the customer browser software. This provides additional confidentiality to the PI of the transaction. The result is denoted as encrypted PI. Finally, the customer sends encrypted PI, digital envelope, PIMD, OI, DS and certificate of customer (cardholder) to the merchant as shown in Figure 13.3.

Figure 13.2 Dual signature process (figure not reproduced: PI -> SHA-1 -> PIMD; OI -> SHA-1 -> OIMD; PIMD + OIMD -> SHA-1 -> POMD; POMD encrypted with the cardholder's private key -> Dual signature)

Figure 13.3 Purchase request message created by the customer (figure not reproduced: Ks, digital envelope under KU, PIMD, OIMD, Dual signature and certificate of customer, sent to the Merchant)

After receiving the purchase request from the customer, the merchant uses the customer's public key to verify the cardholder's DS. In order to do that, the merchant decrypts the DS using the public key of the customer. The public key of the customer can be obtained from the certificate of the customer. After decrypting, the merchant obtains POMD. This POMD is compared with the hash value of the concatenated PIMD and OIMD as shown in Figure 13.4. If both are equal, then the merchant accepts the received DS as a valid one. In this phase, the merchant cannot find any payment-related information since it is in encrypted form when it is sent to the merchant. Moreover, the merchant obtains only the PIMD, from which the merchant cannot perform attacks to find payment-related information, and thus the security of the PI (credit card details) is preserved.
Once the DS is verified, the merchant forwards the encrypted PI and digital envelope to the bank (issuer) through the payment gateway and waits for payment authorization from the bank side. In order to do that, the merchant forwards the encrypted PI through the payment gateway to the acquirer. The acquirer in turn forwards that information to the bank to check whether the debit/credit card used for the transaction contains sufficient amount for completing the transaction. In this case, the order details stay with the merchant so that the bank cannot find the order-related information. In addition to that, the bank obtains only the OIMD, from which the bank cannot perform any attack to find order-related information, and thus the security of the order information is preserved. After receiving the encrypted PI and digital envelope, the bank decrypts the digital envelope to find the session key using the private key of the bank. After finding the session key, the bank decrypts the encrypted PI to get PI, OIMD and DS. Using the PI and OIMD, the bank computes the POMD as shown in Figure 13.5. After that, the bank decrypts the DS to get POMD. Finally, it compares both the POMD values. If both are equal, then the bank gives payment authorization reply to the merchant through the acquirer. After receiving the payment authorization reply from the acquirer, the merchant delivers the goods or products to the cardholder. After some time, the merchant can claim the amount from the acquirer for all the transactions for which the acquirer has given authorization reply. The strength of the SET is measured by how hard it is to break, which depends on factors such as the algorithms used for encryption, the length of the encryption key, the configuration of the computer, etc.

Figure 13.4 Verification of DS and purchase response (figure not reproduced: merchant hashes PIMD + OIMD, decrypts the Dual signature with the customer's public key taken from the certificate of customer, and compares the two POMD values; encrypted PI and digital envelope are passed on unopened)

Figure 13.5 Verification of payment information (figure not reproduced: bank decrypts the digital envelope to obtain Ks, decrypts the encrypted PI to obtain PI, OIMD and DS, hashes PI and OIMD to a POMD, decrypts DS to a POMD, and compares)

Table 13.1 Commonly used algorithms in SET

S. No.  Algorithm  Expansion                          Key size (bits)  Functionality
1.      DES        Data Encryption Standard           56               Protects financial data (private key system)
2.      AES        Advanced Encryption Standard       128              Speed and security increased than DES
3.      CDMF       Commercial Data Masking Facility   40               Protects acquirer (cardholder message)
4.      RSA        Rivest-Shamir-Adleman              1024             Public key cryptosystem
5.      SHA-1      Secure Hashing Algorithm-1         160              Hash algorithm condenses message to fixed length
6.      HMAC       Hash Message Authentication Code   128              Message authentication code used with SHA-1
7.      MD5        Message Digest 5                   128              Digest function
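The dual signature of Figure 13.2 and the purchase request, merchant verification and bank verification of Figures 13.3 to 13.5, worked end to end as an added Python example (this is not code from the book or from the SET specification). It assumes toy RSA key pairs built from Mersenne primes for the cardholder and the bank, textbook (unpadded) RSA for "encrypting with the private key", and a SHA-1 counter keystream standing in for the DES session-key encryption; the order and payment information is constructed sample data. The point it makes visible is the privacy split: the merchant checks the DS with only OI and PIMD in hand, the bank checks it with only PI and OIMD, and either party detects a modified message.

```python
import hashlib
import os

# Toy RSA keys built from Mersenne primes (constructed for this example only).
# The cardholder modulus (about 234 bits) exceeds a SHA-1 digest (160 bits) and the
# bank modulus (about 150 bits) exceeds the 128-bit session key, so each value fits
# in one RSA block.  Real SET uses 1024-bit RSA with PKCS#1 padding (Table 13.1).
E = 65537

def make_keypair(p, q, e=E):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)                 # (public key, private key)

CARDHOLDER_PUB, CARDHOLDER_PRIV = make_keypair((1 << 127) - 1, (1 << 107) - 1)
BANK_PUB, BANK_PRIV = make_keypair((1 << 89) - 1, (1 << 61) - 1)

def rsa_private(m, priv):   # "encrypt with the private key": sign, or open an envelope
    n, d = priv
    return pow(m, d, n)

def rsa_public(c, pub):     # "decrypt with the public key": verify, or encrypt to the owner
    n, e = pub
    return pow(c, e, n)

def sha1(data):
    return hashlib.sha1(data).digest()

# ---- Dual signature (Figure 13.2): DS = RSA_priv( SHA-1( PIMD || OIMD ) ) ----
def dual_signature(pi, oi, cardholder_priv):
    pimd, oimd = sha1(pi), sha1(oi)
    pomd = sha1(pimd + oimd)
    ds = rsa_private(int.from_bytes(pomd, "big"), cardholder_priv)
    return pimd, oimd, ds

def pomd_matches(ds, recomputed_pomd, cardholder_pub):
    # The POMD recovered from the DS must equal the POMD the verifier recomputed.
    return rsa_public(ds, cardholder_pub) == int.from_bytes(recomputed_pomd, "big")

# ---- Merchant side (Figure 13.4): holds OI, PIMD and DS, never the PI ----
def merchant_verifies(oi, pimd, ds, cardholder_pub):
    return pomd_matches(ds, sha1(pimd + sha1(oi)), cardholder_pub)

# ---- Bank side (Figure 13.5): holds PI, OIMD and DS, never the OI ----
def bank_verifies(pi, oimd, ds, cardholder_pub):
    return pomd_matches(ds, sha1(sha1(pi) + oimd), cardholder_pub)

# ---- Purchase request (Figure 13.3): session key Ks, digital envelope, encrypted PI ----
def keystream_xor(key, data):
    # Stand-in for the DES session-key encryption of SET: SHA-1 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 20):
        block = sha1(key + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 20], block))
    return bytes(out)

def purchase_request(pi, oi, cardholder_priv, bank_pub):
    pimd, oimd, ds = dual_signature(pi, oi, cardholder_priv)
    ks = os.urandom(16)                                          # random session key Ks
    envelope = rsa_public(int.from_bytes(ks, "big"), bank_pub)   # Ks under the bank's public key
    plaintext = ds.to_bytes(32, "big") + oimd + pi               # PI, OIMD and DS travel together
    return {"encrypted_pi": keystream_xor(ks, plaintext), "envelope": envelope,
            "pimd": pimd, "oi": oi, "ds": ds}                    # what the merchant receives

def bank_authorizes(encrypted_pi, envelope, bank_priv, cardholder_pub):
    ks = rsa_private(envelope, bank_priv).to_bytes(16, "big")    # open the digital envelope
    blob = keystream_xor(ks, encrypted_pi)                       # the XOR keystream is its own inverse
    ds, oimd, pi = int.from_bytes(blob[:32], "big"), blob[32:52], blob[52:]
    return pi, bank_verifies(pi, oimd, ds, cardholder_pub)

def demo():
    oi = b"order#1: 2 x widget, ship to 1 Example Street"   # constructed order information
    pi = b"card=0000000000000000 exp=12/29 amount=19.98"     # constructed payment information
    req = purchase_request(pi, oi, CARDHOLDER_PRIV, BANK_PUB)
    merchant_ok = merchant_verifies(req["oi"], req["pimd"], req["ds"], CARDHOLDER_PUB)
    # An order altered after signing cannot produce a POMD that matches the DS.
    tampered_rejected = not merchant_verifies(b"order#1: 200 x widget", req["pimd"],
                                              req["ds"], CARDHOLDER_PUB)
    recovered_pi, bank_ok = bank_authorizes(req["encrypted_pi"], req["envelope"],
                                            BANK_PRIV, CARDHOLDER_PUB)
    return {"merchant_ok": merchant_ok, "tampered_rejected": tampered_rejected,
            "bank_ok": bank_ok, "bank_recovers_pi": recovered_pi == pi}

if __name__ == "__main__":
    print(demo())
```

The merchant never calls anything that needs the PI, and the bank never receives the OI; each side rebuilds the POMD from one plaintext plus the other party's digest, which is exactly why a single RSA signature can bind both messages without revealing both to either party.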
13.2.3 SET Algorithms
Symmetric and asymmetric algorithms are used in the SET and are mentioned in Table 13.1. In symmetric encryption, a secret key is used to encrypt the data. The secret key may be a string of numbers or letters. For symmetric encryption, the SET uses the DES algorithm. Asymmetric encryption has two related keys which are considered as a key pair. A public key can be used by anyone who sends messages. The encrypted message can be decrypted with the receiver's private key, which recovers the secret message.
13.3 E-MAIL SECURITY
E-mail is the electronic substitute of a postcard; because of this, it needs extraordinary policy considerations. E-mail security represents the collective measures used to protect the access and content of an E-mail account. It permits an individual or organization to defend the complete access to one or more E-mail accounts. While making policies for E-mail account management, the organizations
