Download Mid_term Presentation

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
Document related concepts

Credit card fraud wikipedia , lookup

Merchant account wikipedia , lookup

Transcript 
Epayment System using Java
April, 11. 2001
Computer Security and Electronic Payment System
Cho won chul
Kim Hee Dae
Lee Jung Hwan
Yoon Won Jung
Index
1. Introduction
2. What is E-payment system ?
3. Comparison between SSL and SET(1)(2)
4. Secure Transmission Schemes in SSL and SET
Protocol(1)(2)
5. The Player and essential security Requirements in
SET
6. Entities of SET protocol in Cybershopping
7. Overview of main Messages in SET
8. Smart Card (Physical layout)
2
Index
9. Software Stack of a Java Card
10. Program Development Process
11. Cyberflex Access Cards(1)(2)
12. What should we implement in this Project
13. Java Card Security package
14. Java Layer in the Host Software Architecture
3
1. Introduction
 Describe typical electronic payment systems for EC
 Compare the relationship between SSL and SET
protocols
 Classify and describe the types of Smart Card used
for payments
 Describe the characteristics of Java Card
 Implement Java Smart Card applying to SET
4
2. What is E-payment system?





E-payment system is the new payment methods with
the emergence of electronic commerce on the
Internet.
Secure payment systems are critical to the success
of EC.
There are four essential security requirements for
safe electronic payments.(Authentication, Encryption,
Integrity, Non-repudiation)
The key security schemes adopted for electronic
payment systems are encryption.
Security schemes are adopted in protocols like SSL
and SET.
5
3. Comparison between SSL and SET(1)
 A part of SSL (Secure Socket Layer) is available on
customers’ browsers



it is basically an encryption mechanism for order taking, queries
and other applications
it does not protect against all security hazards
it is mature, simple, and widely use
 SET ( Secure Electronic Transaction) is a very
comprehensive security protocol



it provides for privacy, authenticity, integrity, and, or Non
repudiation
it is used very infrequently due to its complexity and the need for
a special card reader by the user
it may be abandoned if it is not simplified/improved
6
3. Comparison between SSL and SET (2)
Secure Electronic Transaction(SET) Secure Socket Layer (SSL)
Complex
Simple
SET is tailored to the credit card
payment to the merchants.
SSL is a protocol for generalpurpose secure message
exchanges (encryption).
SSL protocol may use a
certificate, but there is no
payment gateway. So, the
merchants need to receive both
the ordering information and
credit card information, because
the capturing process should be
initiated by the merchants.
SET protocol hides the customer’s
credit card information from
merchants, and also hides the
order information to banks, to
protect privacy. This scheme is
called dual signature.
7
4. Secure Transmission Schemes
in SSL and SET Protocol(1)
Sender’s Computer
1. The message is hashed to a prefixed length of message digest.
2. The message digest is encrypted with the sender’s private
signature key, and a digital signature is created.
3. The composition of message, digital signature, and Sender’s
certificate is encrypted with the symmetric key which is generated at
sender’s computer for every transaction. The result is an encrypted
message. SET protocol uses the DES algorithm instead of RSA for
encryption because DES can be executed much faster than RSA.
4. The Symmetric key itself is encrypted with the receiver’s public
key which was sent to the sender in advance. The result is a digital
envelope.
8
Sender’s Computer
Message
+

Sender’s Private
Signature Key

Message Digest
Digital Signature
Message
+
+

Encrypt
Encrypted
Message
Symmetric Key
Sender’s
Certificate
Receiver’s
Certificate

Encrypt
Receiver’s
Key-Exchange Key
Digital
Envelope
9
4.Secure Transmission Schemes
in SSL and SET Protocol (2)
Receiver’s Computer
5. The encrypted message and digital envelope are transmitted to
receiver’s computer via the Internet.
6. The digital envelope is decrypted with receiver’s private exchange
key.
7. Using the restored symmetric key, the encrypted message can be
restored to the message, digital signature, and sender’s certificate.
8. To confirm the integrity, the digital signature is decrypted by sender’s
public key, obtaining the message digest.
9. The delivered message is hashed to generate message digest.
10. The message digests obtained by steps 8 and 9 respectively, are
compared by the receiver to confirm whether there was any change
during the transmission. This step confirms the integrity.
10
Receiver’s Computer
Receiver’s Private
Key-Exchange Key
Decrypt
Digital
Envelope
Message


+
Symmetric
Key
Decrypt

Message Digest
+
Sender’s
Certificate
Encrypted
Message

compare

Decrypt
Digital Signature
Sender’s Public Signature Key
Message Digest
11
5. The Player and essential security
Requirements in SET
 The player
 Cardholder
 Merchant (seller)
 Issuer (your bank)
 Acquirer (Merchant’s financial institution, acquires the sales slips)
 Brand (Visa, Master Card)
 Payment Gateway (e-payment infra-structure)
 Essential Security Requirements in SET
 Authentication
 Encryption
 Integrity
 Non-repudiation
12
6.Entities of SET protocol in
Cybershopping
IC Card
Reader
Customer y
Customer x
With Digital Wallets
Certificate
Authority
Electronic Shopping Mall
Payment
Gateway
Protocol
X.25
Merchant A Merchant B
Credit Card
Brand
13
7.Overview of main Messages in SET
:Over the Internet
Card Reader
Card Holder
Certificate
Request
:Over Financial Network
CA
Cardholder
Registration
Request to Verity the
information
Issue
Response
Certificate
Purchase
Request
Purchase
Response
Purchase
Request
Authorization
Request
Payment
Authorization
Payment
Gateway
Response
Response
Capture Request
Payment
Capture
Authorization
Request
Response
Clearing Request
Authorization
Request
Capture Request
Merchant
Registration
Certificate
Merchant
Response
CA
Acquirer
14
8. Smart Card (Physical layout)
ROM(16K)
- OS
- Com
- Security
CPU
- 8 bit
- 5 MHz
- crypto-coprocessor
EEPROM
(16K)
RAM
- 4 kb
- File System
- Program files
- Keys
- Passwords
- Applications
15
9. Software Stack of a Java Card
 FrameWork provide Java Card API
 JVM executes the bytecode of the applet
and of the library functions
 Applet is a small program developed by
application designer.
16
10. Program Development Process
17
11.Cyberflex(TM) Access Cards(1)
 Manufacture : Schlumberger
 General Characteristics :
- Communication protocol : ISO T=0
- Data transmission baud rate :
9600 bit/sec by default, up to 55,800 bit/sec
- Nonvolatile memory :
16 KB of EEPROM (13.5 KB available for cardlet, keys, and
certificate )
- APDU buffer : 255 + 5 bytes
- Access control structure :
As many as 8 identities per directory/program
- Fast native file system
18
Cyberflex(TM) Access Cards(2)
 Cryptographic Features
- Host system generation of DES keys and RSA keys(512, 768, 1024 bits)
- Enciphering and deciphering data with DES or 3DES keys in CBC mode
- External Authentication with DES or 3DES keys
- Internal Authentication with DES or 3DES keys in EBC mode, or with
RSA digital signatures
- SHA-1 and MAC hashing(carried out by Java APIs, not by APDUs)
19
12. What should we implement in this
Project
Cardholder Registration
Client
- Certificate Request to CA
Read from Card reader (Authentication)
Purchase Request (simultaneously)
- to Issuer to get the certificate
- to Merchant
Design the protocol using DES-3,RSA,etc.
Purchase Response to Client
Authorization Request to gateway
Capture Request to gateway
Response processing
- to Client, Payment, CA
Merchant
Authorization process
- request to Issue
- response to Merchant
Capture process
- request to Issue
PG
Request to Verify the Certificate
CA
- Response from Card Holder
- Request to Issue
Merchant Registration
- Authorization Request (to Acquirer)
- response to Merchant
Verify Card Holder information
ISSUE
- send confirm to CA
Authorization process
- response to Gateway
Capture process
- clearing request from gateway
- bill to client
Merchant Authorization process
- response to CA
Acquirer
20
13. Java Card Security package needed
in this project
 Key
 DSAKey
 SecretKey
 DSAPrivateKey
 DESKey
 DSAPublicKey
 PrivateKey
 KeyBuilder
 PublicKey
 MessageDigest
 RSAPrivateKey
 Signature
 RSAPrivateCrtKey
 RandomData
 RSAPublicKey
 CrytoException
21
14.Java Layer in the Host Software
Architecture
22
Related documents
Oral Communication - An-Najah National University
Oral Communication - An-Najah National University
Communication in Business
Communication in Business
International Management
International Management
Communication Process
Communication Process
Successful Communication
Successful Communication
Chapter 1 Glossary - Fundamentals of Business Communication 2012
Chapter 1 Glossary - Fundamentals of Business Communication 2012
Communicatio Skill
Communicatio Skill
Document
Document
integrated marketing communications
integrated marketing communications
Release of Information - Oregon Early Learning Division
Release of Information - Oregon Early Learning Division
Why You Need To Get Your Message Across
Why You Need To Get Your Message Across
Student Health Center Marchetti Towers East 3518 Laclede Avenue
Student Health Center Marchetti Towers East 3518 Laclede Avenue
types of communication
types of communication
Care Authorization to Obtain Patient Information
Care Authorization to Obtain Patient Information
Authorization to Obtain Patient Information
Authorization to Obtain Patient Information
Association for Molecular Pathology Certificate of
Association for Molecular Pathology Certificate of
Saint Louis University Authorization to Obtain Patient Information
Saint Louis University Authorization to Obtain Patient Information