Secure Web Transactions
Overview

 Electronic Commerce
 Underlying Technologies
  – Cryptography
  – Network Security Protocols
 Electronic Payment Systems
  – Credit card-based methods
  – Electronic Cheques
  – Anonymous payment
  – Micropayments
  – SmartCards
Commerce
 Commerce: Exchange of Goods / Services
 Contracting parties: Buyer and Seller
 Fundamental principles: Trust and Security
 Intermediaries:
  – Direct (Distributors, Retailers)
  – Indirect (Banks, Regulators)
 Money is a medium to facilitate transactions
 Attributes of money:
  – Acceptability, Portability, Divisibility
  – Security, Anonymity
  – Durability, Interoperability
E-Commerce
 Automation of commercial transactions using
  computer and communication technologies
 Facilitated by Internet and WWW
 Business-to-Business: EDI
 Business-to-Consumer: WWW retailing
 Some features:
  – Easy, global access, 24 hour availability
  – Customized products and services
  – Back Office integration
  – Additional revenue stream
E-Commerce Steps

 Attract prospects to your site
   – Positive online experience
   – Value over traditional retail
 Convert prospect to customer
   – Provide customized services
   – Online ordering, billing and payment
 Keep them coming back
   – Online customer service
   – Offer more products and conveniences
 Maximize revenue per sale
E-Commerce Participants
E-Commerce Problems
(Figure: Snooper on the channel; Unknown customer; Unreliable merchant)
E-Commerce risks
 Customer's risks
  – Stolen credentials or password
  – Dishonest merchant
  – Disputes over transaction
  – Inappropriate use of transaction details
 Merchant’s risk
  – Forged or copied instruments
  – Disputed charges
  – Insufficient funds in customer’s account
  – Unauthorized redistribution of purchased items
 Main issue: Secure payment scheme
Why is the Internet insecure?
 Host security
  – Client
  – Server (multi-user)
 Transmission security
  – Passive sniffing
  – Active spoofing and masquerading
  – Denial of service
 Active content
  – Java, Javascript, ActiveX, DCOM
(Figure: attacks by C on a channel between A and B: Eavesdropping, Denial of service, Replay/fabrication, Interception)
E-Commerce Security
 Authorization, Access Control:
   – protect intranet from hordes: Firewalls
 Confidentiality, Data Integrity:
   – protect contents against snoopers: Encryption
 Authentication:
   – both parties prove identity before starting transaction:
     Digital certificates
 Non-repudiation:
   – proof that the document originated from you and no one else:
     Digital signature
Encryption (shared key)
(Figure: m: message, k: shared key)
- Sender and receiver agree on a key K
- No one else knows K
- K is used to derive encryption key EK & decryption key DK
- Sender computes and sends EK(Message)
- Receiver computes DK(EK(Message))
- Example: DES: Data Encryption Standard
Public key encryption
(Figure: m: message, sk: private secret key, pk: public key)
· Separate public key pk and private key sk
· Private key is kept secret by receiver
· Dsk(Epk(mesg)) = mesg and vice versa
· Knowing pk gives no clue about sk
Digital signature
Sign: sign(sk,m) = Dsk(m)
Verify: Epk(sign(sk,m)) = m
Sign a small hash of the message rather than m itself, to reduce cost
Signed and secret messages
(Figure: sender computes sign(sk1, m) = Dsk1(m), then Encrypt(pk2), sending Epk2(Dsk1(m)); receiver applies Decrypt(sk2), then Verify-sign with pk1)
  First sign, then encrypt: order is important.
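The Sign/Verify formulas and the sign-then-encrypt flow of the two slides above, as an added Python example that is not the deck's own code. It uses textbook RSA on toy primes that are assumed here and far too small for real use, SHA-256 as the "small hash", and 4-byte blocks so the arithmetic stays visible; real systems use padded RSA (or modern signature schemes) with 2048-bit or larger moduli.

```python
import hashlib
from math import gcd

# Toy primes (known primes, far too small for real use); n > 2**32 so 4-byte
# plaintext chunks fit in Z_n. Constructed for this illustration only.
ALICE_PRIMES = (104729, 1299709)
BOB_PRIMES = (104723, 999983)
CHUNK = 4  # plaintext bytes per RSA block

def make_keypair(p, q, e=65537):
    """Textbook RSA key generation: pk = (e, n), sk = (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    return (e, n), (pow(e, -1, phi), n)

def E(pk, x):
    """Public operation E_pk: encrypt, or verify a signature."""
    e, n = pk
    return pow(x, e, n)

def D(sk, y):
    """Private operation D_sk: decrypt, or sign."""
    d, n = sk
    return pow(y, d, n)

def digest_mod_n(m, n):
    """'Sign on a small hash': hash the whole message and reduce it into Z_n."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(sk, m):
    """sign(sk, m) = D_sk(h(m))"""
    return D(sk, digest_mod_n(m, sk[1]))

def verify(pk, m, sig):
    """Check E_pk(sign(sk, m)) == h(m)."""
    return E(pk, sig) == digest_mod_n(m, pk[1])

def encrypt(pk, data):
    """Block-wise textbook RSA over a length-framed, zero-padded byte string."""
    framed = len(data).to_bytes(CHUNK, "big") + data
    framed += b"\x00" * (-len(framed) % CHUNK)
    return [E(pk, int.from_bytes(framed[i:i + CHUNK], "big"))
            for i in range(0, len(framed), CHUNK)]

def decrypt(sk, blocks):
    framed = b"".join(D(sk, c).to_bytes(CHUNK, "big") for c in blocks)
    length = int.from_bytes(framed[:CHUNK], "big")
    return framed[CHUNK:CHUNK + length]

def sign_then_encrypt(sk_sender, pk_receiver, m):
    """Sender: inner signature under own sk, outer secrecy under receiver's pk:
    E_pk2(D_sk1(h(m)) || m). The signature travels inside the encrypted layer."""
    sig = sign(sk_sender, m).to_bytes(8, "big")  # sig < n < 2**40 fits in 8 bytes
    return encrypt(pk_receiver, sig + m)

def decrypt_then_verify(sk_receiver, pk_sender, blocks):
    """Receiver: Decrypt(sk2) first, then Verify-sign with pk1.
    Returns the message, or None when the signature does not check out."""
    plain = decrypt(sk_receiver, blocks)
    sig, m = int.from_bytes(plain[:8], "big"), plain[8:]
    return m if verify(pk_sender, m, sig) else None

ALICE_PK, ALICE_SK = make_keypair(*ALICE_PRIMES)
BOB_PK, BOB_SK = make_keypair(*BOB_PRIMES)

if __name__ == "__main__":
    packet = sign_then_encrypt(ALICE_SK, BOB_PK, b"pay 100 to merchant")
    print(decrypt_then_verify(BOB_SK, ALICE_PK, packet))
```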
Digital certificates
   How to establish authenticity of public key?
(Figure: the key owner registers the public key with a Certification authority; the relying party downloads the public key from it)
Electronic payments: Issues

 Secure transfer across internet
 High reliability: no single failure point
 Atomic transactions
 Anonymity of buyer
 Economic and computational efficiency: allow
  micropayments
 Flexibility: across different methods
 Scalability in number of servers and users
E-Payments: Secure transfer
 SSL: Secure socket layer
  – below application layer
 S-HTTP: Secure HTTP:
  – On top of http
SSL: Secure Socket Layer

 Application protocol independent
 Provides connection security as:
   – Connection is private: Encryption is used after an initial
     handshake to define secret (symmetric) key
   – Peer's identity can be authenticated using public (asymmetric)
     key
   – Connection is reliable: Message transport includes a message
     integrity check (hash)
 SSL Handshake protocol:
   – Allows server and client to authenticate each other and
     negotiate an encryption key
SSL Handshake Protocol

 1. Client "Hello": challenge data, cipher specs
 2. Server "Hello": connection ID, public key certificate, cipher
  specs
 3. Client "session-key": encrypted with server's public key
 4. Client "finish": connection ID signed with client's private key
 5. Server "verify": client's challenge data signed with server's
  private key
 6. Server "finish": session ID signed with server's private key
 Session IDs and encryption options cached to avoid
  renegotiation for reconnection
S-HTTP: Secure HTTP

 Application level security (HTTP specific)
 "Content-Privacy-Domain" header:
  – Allows use of digital signatures and/or encryption
  – Various encryption options
 Server-Browser negotiate
  – Property: cryptographic scheme to be used
  – Value: specific algorithm to be used
  – Direction: One way/Two way security
Secure end to end protocols
E-Payments: Atomicity

 Money atomicity: no creation/destruction of
  money when transferred
 Goods atomicity: no payment without goods and
  vice versa.
  – Eg: pay on delivery of parcel
 Certified delivery: the goods delivered are what
  was promised:
  – Open the parcel in front of a trusted 3rd party
Anonymity of purchaser
Payment system types

 Credit card-based methods
  – Credit card over SSL
  – First Virtual
  – SET
 Electronic Cheques
  – NetCheque
 Anonymous payments
  – Digicash
  – CAFE
 Micropayments
 SmartCards
Encrypted credit card payment


 Set secure communication channel between
  buyer and seller
 Send credit card number to merchant
  encrypted using merchant’s public key
 Problems: merchant fraud, no customer
  signature
 Ensures money but no goods atomicity
 Not suitable for microtransactions
First virtual
 Customer assigned virtual PIN by phone
 Customer uses PIN to make purchases
 Merchant contacts First virtual
 First virtual sends email to customer
 If customer confirms, payment made to merchant
 Not goods atomic since customer can refuse to
  pay
 Not suitable for small transactions
 Floods customer's mailbox, delays merchant
Cybercash

 Customer opens account with cybercash,
  gives credit card number and gets a PIN
 Special software on customer side sends PIN,
  signature, transaction amount to merchant
 Merchant forwards to cybercash server that
  completes credit card transaction
 Pros: credit card # not shown to server, fast
 Cons: not for microtransactions
SET: Secure Electronic Transactions

 Merge of STT, SEPP, iKP
 Secure credit card based protocol
 Common structure:
  – Customer digitally signs a purchase along with
    price and encrypts in bank’s public key
  – Merchant submits a sales request with price to
    bank.
  – Bank compares purchase and sales request. If the
    prices match, bank authorizes the sale
 Avoids merchant fraud, ensures money but no
  goods atomicity
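The bank-side comparison of the SET common structure above, as an added Python example that is not the deck's or SET's own code. Assumptions: HMACs under per-party keys held by the bank stand in for SET's certificate-based digital signatures, and the encryption of the customer's purchase under the bank's public key is left out, so only the signature and price checks are shown.

```python
import hashlib
import hmac
import json

# Constructed per-party signing keys held by the bank (assumption: HMACs stand in
# for SET's certificate-based signatures).
KEYS = {"customer": b"cust-key", "merchant": b"merch-key"}

def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(party, obj):
    return hmac.new(KEYS[party], canonical(obj), hashlib.sha256).hexdigest()

def verify(party, obj, sig):
    return hmac.compare_digest(sign(party, obj), sig)

def customer_purchase(order, price):
    """Customer signs <order, price>. In SET the signed blob is then encrypted for
    the bank (layer omitted here), so the merchant relays it but cannot edit it."""
    purchase = {"order": order, "price": price}
    return purchase, sign("customer", purchase)

def merchant_sales_request(order, price):
    """Merchant's own claim of what is owed, signed by the merchant."""
    request = {"order": order, "price": price}
    return request, sign("merchant", request)

def bank_authorize(purchase, cust_sig, request, merch_sig):
    """Bank authorizes only when both signatures check and both prices agree:
    a merchant that inflates the amount is caught by the customer's signed price."""
    if not verify("customer", purchase, cust_sig):
        return "refused: customer signature invalid"
    if not verify("merchant", request, merch_sig):
        return "refused: merchant signature invalid"
    if purchase["order"] != request["order"]:
        return "refused: order mismatch"
    if purchase["price"] != request["price"]:
        return "refused: price mismatch"
    return "authorized"

def checkout(order, agreed_price, merchant_claims):
    """One SET-style round: customer signs the agreed price, merchant submits its claim."""
    purchase, cs = customer_purchase(order, agreed_price)
    request, ms = merchant_sales_request(order, merchant_claims)
    return bank_authorize(purchase, cs, request, ms)
```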
Electronic Cheques
 Leverages the check payments system, a core
  competency of the banking industry.
 Fits within current business practices
 Works like a paper check does but in pure
  electronic form, with fewer manual steps.
 Can be used by all bank customers who have
  checking accounts
 Different from Electronic fund transfers
How does echeck work?
 Exactly the same way as a paper check
 Check writer "writes" the echeck using one of
  many types of electronic devices
 "Gives" the echeck to the payee electronically.
 Payee "deposits" echeck, receives credit
 Payee's bank "clears" the echeck to the
  paying bank.
 Paying bank validates the echeck and
  "charges" the check writer's account for the
  check.
Anonymous payments
(Figure: customer, bank and merchant)
1. Withdraw money: cryptographically encoded tokens
2. Transform so merchant can check validity but identity hidden
3. Send token after adding merchant's identity
4. Check validity and send goods
5. Deposit token at bank. If double spent, reveal identity and notify police
Problems with the protocol

 Not money atomic: if crash after 3, money lost
  – if money actually sent to merchant: returning to
    bank will alert police
  – if money not sent: not sending will lead to loss
 High cost of cryptographic transformations: not
  suitable for micropayments
 Examples: Digicash
Micropayments on hyperlinks
 HTML extended to have pricing details with each
  link: displayed when the user's pointer is over the link
 On clicking, browser talks to E-Wallet that
  initiates payment to webserver of the source site
 Payment for content providers
 Attempt to reduce overhead per transaction
Micropayments: NetBill
 Customer & merchant have account with NetBill server
 Protocol:
   – Customer requests quote from merchant, gets quote and
     accepts
   – Merchant sends goods encrypted by key K
   – Customer prepares & signs Electronic Purchase Order having
     <price, crypto-checksum of goods>
   – Merchant countersigns EPO, signs K and sends both to
     NetBill server
   – NetBill verifies signatures and transfers funds, stores K and
     crypto-checksum
   – NetBill sends receipt to merchant and K to customer
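The NetBill protocol steps above run end to end, as an added Python example that is not the deck's or NetBill's own code. Assumptions: HMACs under per-party keys held by the NetBill server stand in for the real protocol's public-key signatures, the goods are encrypted with a toy SHA-256 keystream derived from K rather than a real cipher, and the quote of step 1 is taken as already agreed. The point it shows is goods atomicity: funds move only when both parties have signed the same EPO, and the customer can read the goods only after that transfer releases K.

```python
import hashlib
import hmac
import json

# Constructed signing keys known to the NetBill server (assumption: HMACs stand in
# for the digital signatures of the real protocol).
KEYS = {"customer": b"cust-key", "merchant": b"merch-key", "netbill": b"nb-key"}

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(party, obj):
    return hmac.new(KEYS[party], canonical(obj), hashlib.sha256).hexdigest()

def verify(party, obj, sig):
    return hmac.compare_digest(sign(party, obj), sig)

def xor_keystream(k, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream from K (not for real use)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(k + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def crypto_checksum(data):
    """The crypto-checksum of the (encrypted) goods that the EPO commits to."""
    return hashlib.sha256(data).hexdigest()

class NetBillServer:
    """Holds both accounts; moves funds only when both signatures check out."""
    def __init__(self, balances):
        self.balances = balances
        self.records = {}  # order -> (K, checksum), kept for later disputes

    def settle(self, epo, cust_sig, merch_sig, k_hex, merch_k_sig):
        if not (verify("customer", epo, cust_sig) and verify("merchant", epo, merch_sig)):
            return None  # EPO not signed by both parties
        if not verify("merchant", {"order": epo["order"], "K": k_hex}, merch_k_sig):
            return None  # K not vouched for by the merchant
        if self.balances["customer"] < epo["price"]:
            return None  # insufficient funds: nothing moves, K stays withheld
        self.balances["customer"] -= epo["price"]
        self.balances["merchant"] += epo["price"]
        self.records[epo["order"]] = (k_hex, epo["checksum"])
        receipt = sign("netbill", {"order": epo["order"], "price": epo["price"]})
        return {"receipt": receipt, "K": k_hex}

def run_purchase(server, order, price, goods, k):
    """Steps 2-6 of the slide. Returns the decrypted goods, or None if any party refuses."""
    enc = xor_keystream(k, goods)                                    # 2. merchant -> customer
    epo = {"order": order, "price": price, "checksum": crypto_checksum(enc)}
    cust_sig = sign("customer", epo)                                # 3. customer signs EPO
    if epo["checksum"] != crypto_checksum(enc):                      # 4. merchant checks EPO
        return None
    merch_sig = sign("merchant", epo)
    merch_k_sig = sign("merchant", {"order": order, "K": k.hex()})
    result = server.settle(epo, cust_sig, merch_sig, k.hex(), merch_k_sig)  # 5. NetBill
    if result is None:
        return None
    if not verify("netbill", {"order": order, "price": price}, result["receipt"]):
        return None
    return xor_keystream(bytes.fromhex(result["K"]), enc)           # 6. customer gets K
```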
Recent micropayment systems
Company         Payment system       Unique code
Compaq          Millicent            mcent
IBM             IBM payment system   mpay
France Telecom  Micrommerce          microm
Smartcards

 8-bit micro, < 5MHz, < 2k RAM, 20k ROM
 Download electronic money on a card: wallet on a
  card
 Efficient, secure, paperless, intuitive and speedy
 Real and virtual stores accept them
 Less susceptible to net attacks since disconnected
 Has other uses spanning many industries, from
  banking to health care
Mondex

 Smart card based sales and card to card
  transfers
 Money is secured through a password and
  transactions are logged on the card
 Other operation and features similar to
  traditional debit cards
 Card signs transaction: so no anonymity
 Need card reader everywhere
 Available only in prototypes
Summary
 Various protocols and software infrastructure
  for ecommerce
 Today: credit card over SSL or S-HTTP
 Getting there:
  – smart cards,
  – digital certificates
 Need:
  – legal base for the entire ecommerce business
  – global market place for ecommerce
