epayment system using java
DESCRIPTION
Epayment System using Java. April, 11. 2001 Computer Security and Electronic Payment System Cho won chul Kim Hee Dae Lee Jung Hwan Yoon Won Jung. Index. 1. Introduction What is E-payment system ? Comparison between SSL and SET(1)(2) - PowerPoint PPT PresentationTRANSCRIPT
Epayment System using JavaEpayment System using Java
April, 11. 2001Computer Security and Electronic Payment System
Cho won chul
Kim Hee Dae
Lee Jung Hwan
Yoon Won Jung
2
IndexIndex
1. Introduction
2. What is E-payment system ?
3. Comparison between SSL and SET(1)(2)
4. Secure Transmission Schemes in SSL and SET Protocol(1)(2)
5. The Player and essential security Requirements in SET
6. Entities of SET protocol in Cybershopping
7. Overview of main Messages in SET
8. Smart Card (Physical layout)
3
IndexIndex
9. Software Stack of a Java Card
10. Program Development Process
11. Cyberflex Access Cards(1)(2)
12. What should we implement in this Project
13. Java Card Security package
14. Java Layer in the Host Software Architecture
4
1. Introduction1. Introduction
Describe typical electronic payment systems for EC
Compare the relationship between SSL and SET protocols
Classify and describe the types of Smart Card used for payments
Describe the characteristics of Java Card
Implement Java Smart Card applying to SET
5
2. What is E-payment system?2. What is E-payment system?
E-payment system is the new payment methods with the emergence of electronic commerce on the Internet.
Secure payment systems are critical to the success of EC.
There are four essential security requirements for safe electronic payments.(Authentication, Encryption, Integrity, Non-repudiation)
The key security schemes adopted for electronic payment systems are encryption.
Security schemes are adopted in protocols like SSL and SET.
6
3. Comparison between SSL and SET(1)3. Comparison between SSL and SET(1)
A part of SSL (Secure Socket Layer) is available on customers’ browsers it is basically an encryption mechanism for order taking, queries
and other applications it does not protect against all security hazards it is mature, simple, and widely use
SET ( Secure Electronic Transaction) is a very comprehensive security protocol it provides for privacy, authenticity, integrity, and, or Non
repudiation it is used very infrequently due to its complexity and the need for
a special card reader by the user it may be abandoned if it is not simplified/improved
7
3. 3. Comparison between SSL and SET (2)Comparison between SSL and SET (2)
Secure Electronic Transaction(SET) Secure Socket Layer (SSL)Complex Simple
SET is tailored to the credit card payment to the merchants.
SSL is a protocol for general-purpose secure message exchanges (encryption).
SET protocol hides the customer’s credit card information from merchants, and also hides the order information to banks, to protect privacy. This scheme is called dual signature.
SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information, because the capturing process should be initiated by the merchants.
8
4. Secure Transmission Schemes 4. Secure Transmission Schemes in SSL and SET Protocol(1) in SSL and SET Protocol(1)
Sender’s Computer1. The message is hashed to a prefixed length of message digest.
2. The message digest is encrypted with the sender’s private signature key, and a digital signature is created.
3. The composition of message, digital signature, and Sender’s certificate is encrypted with the symmetric key which is generated at sender’s computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
4. The Symmetric key itself is encrypted with the receiver’s public key which was sent to the sender in advance. The result is a digital envelope.
9
Sender’s Private Signature Key
Sender’s Certificate
++
Message+
Digital Signature
Receiver’s Certificate
Encrypt
Symmetric Key
Encrypted Message
Receiver’sKey-Exchange Key
EncryptDigital
Envelope
Message
Message Digest
Sender’s ComputerSender’s Computer
10
4.Secure Transmission Schemes 4.Secure Transmission Schemes in SSL and SET Protocol (2) in SSL and SET Protocol (2)
Receiver’s Computer5. The encrypted message and digital envelope are transmitted to receiver’s computer via the Internet.
6. The digital envelope is decrypted with receiver’s private exchange key.
7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender’s certificate.
8. To confirm the integrity, the digital signature is decrypted by sender’s public key, obtaining the message digest.
9. The delivered message is hashed to generate message digest.
10. The message digests obtained by steps 8 and 9 respectively, are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
11
Decrypt
Symmetric Key
Encrypted Message
Sender’s Certificate
+
+
Message
compare
DigitalEnvelope
Receiver’s Private Key-Exchange Key
Decrypt
Message DigestDigital Signature
Sender’s Public Signature Key
Decrypt
Message Digest
Receiver’s ComputerReceiver’s Computer
12
5. The Player and essential security 5. The Player and essential security Requirements in SET Requirements in SET
The player Cardholder Merchant (seller) Issuer (your bank) Acquirer (Merchant’s financial institution, acquires the sales slips) Brand (Visa, Master Card) Payment Gateway (e-payment infra-structure)
Essential Security Requirements in SET Authentication Encryption Integrity Non-repudiation
13
6.Entities of SET protocol in 6.Entities of SET protocol in Cybershopping Cybershopping
IC CardReader Customer x
Customer y
With Digital WalletsCertificateAuthority
Electronic Shopping Mall
Merchant A Merchant B
Credit CardBrand
ProtocolX.25
Payment Gateway
14
7.Overview of main Messages in SET7.Overview of main Messages in SET
CardholderRegistration
PurchaseRequest
PaymentAuthorization
PaymentCapture
MerchantRegistration
Authorization
RequestResponse
Capture Request
Response
Capture Request
Certificate
Certificate Request
Certificate
Request to Verity the information
Response
Response
Authorization
Request
Clearing Request
Authorization
Request
Response
Acquirer
Card Holder CA Issue
Merchant CA
Payment Gateway
Card Reader
Purchase Response
Purchase Request
:Over the Internet :Over Financial Network
15
8. 8. Smart Card (Physical layout) Smart Card (Physical layout)
ROM(16K)- OS- Com- Security
CPU- 8 bit- 5 MHz- crypto-coprocessor
RAM- 4 kb
EEPROM(16K)- File System- Program files- Keys- Passwords- Applications
16
9. 9. Software Stack of a Java CardSoftware Stack of a Java Card
FrameWork provide Java Card API JVM executes the bytecode of the applet and of the library functions Applet is a small program developed by
application designer.
17
10. 10. Program Development ProcessProgram Development Process
18
11.Cyberflex11.Cyberflex(TM(TM)) Access Cards(1)Access Cards(1)
Manufacture : Schlumberger
General Characteristics : - Communication protocol : ISO T=0
- Data transmission baud rate :
9600 bit/sec by default, up to 55,800 bit/sec
- Nonvolatile memory :
16 KB of EEPROM (13.5 KB available for cardlet, keys, and
certificate )
- APDU buffer : 255 + 5 bytes
- Access control structure :
As many as 8 identities per directory/program
- Fast native file system
19
CyberflexCyberflex(TM(TM)) Access Cards(2) Access Cards(2)
Cryptographic Features
- Host system generation of DES keys and RSA keys(512, 768, 1024 bits)
- Enciphering and deciphering data with DES or 3DES keys in CBC mode
- External Authentication with DES or 3DES keys
- Internal Authentication with DES or 3DES keys in EBC mode, or with RSA digital signatures
- SHA-1 and MAC hashing(carried out by Java APIs, not by APDUs)
20
12. 12. What should we implement in thisWhat should we implement in this Project Project
Cardholder Registration - Certificate Request to CA Read from Card reader (Authentication) Purchase Request (simultaneously) - to Issuer to get the certificate - to Merchant Design the protocol using DES-3,RSA,etc.
Purchase Response to ClientAuthorization Request to gatewayCapture Request to gatewayResponse processing - to Client, Payment, CA
Request to Verify the Certificate - Response from Card Holder - Request to IssueMerchant Registration - Authorization Request (to Acquirer) - response to Merchant
Authorization process - request to Issue - response to MerchantCapture process - request to Issue
Merchant Authorization process - response to CA
Verify Card Holder information - send confirm to CAAuthorization process - response to Gateway Capture process - clearing request from gateway - bill to client
Client
Merchant
PG
CA
ISSUE
Acquirer
21
13. Java Card Security package needed 13. Java Card Security package needed in this projectin this project
Key SecretKey DESKey PrivateKey PublicKey RSAPrivateKey RSAPrivateCrtKey RSAPublicKey
DSAKey DSAPrivateKey DSAPublicKey KeyBuilder MessageDigest Signature RandomData CrytoException
22
14.Java Layer in the Host Software 14.Java Layer in the Host Software ArchitectureArchitecture