set applications dr. ayşe başar bener. why set? security concern of: –consumers –merchants...
TRANSCRIPT
SET APPLICATIONS
Dr. Ayşe Başar Bener
WHY SET?• Security concern of:
– Consumers– Merchants– Issuer, Acquirer and Settlement Banks
• Growth in volume of credit card transactions over the internet– Need a protocol that protects consumers and merchants
alike, allowing each to verify the identities of the other parties without necessarily revealing credit card information
– This level of authentication does not exist in other cryptography-based protocols: SSL
SET: A Brief History
• Visa and Microsoft:– Secure Transaction Technology (STT): 1995
• MasterCard, Netscape, IBM, CyberCash:– Secure Electronic Payment Protocol (SEPP):
1996
SET: A Brief History
• STT ans SEPP:– Change the bankers’ treatment of internet-based credit
card transactions– Require all parties to have digital certificates– Required having public key certificate autorities– Use industry standard public key cryptography
techniques: Rivest, Shamir, Adelman (RSA)– Encrypt only credit card numbers and transactional data
rather than the entire browser and shopping sessions– Enable using any type of credit card regardless of its
issuer
SET: July 1997• Objectives:
– Provide confidentiality of payment information
– Ensure the integrity of all transmitted data
– Provide authentication that a Cardholder is a legitimate user of a branded payment card account
– Provide authentication that a Merchant can accept payment card transactions through its bank
– Ensure the use of best security practices and system design techniques to protect all legitimate parties
– Facilitate and encourage interoperability among software and network providers
SET
• Out-of-band:– Phases that are not included under SET– Activities that their implementation is left up to
the involved parties– Systems required for using SET
• Merchants and banks need to customise their own applications in order to plug into SET infrastructure
PAYMENT SYSTEMS• Closed Loop Systems
– Amex, Discover, Diners Club– The bank serves as a broker between the user of
its cards and the Merchants
• Open Loop Systems– Cardholder and Merchant having different
banks and the transaction is settled by a bank that is different than the either two
– Visa and MasterCard
Credit cards- a successful model
Cardholders Issuers
Suppliers Merchant Acquirers
Monthly Statement
Voucher
Signs Voucher
VoucherPrice of Goods Minus Interchange Fee ( 1%)
Goods
Price of Goods + Annual Fee + Interest
Price of Goods Minus Merchant Service Charge ( 1.65%)
Credit Card Arrangements
Source: Office of Fair Trade, March 1994
SETTLEMENT PROCESS
BINACCT # Amt
123
123
960
812
50
50
123 1001 50
50
50
50
50
456 225
653 678
978 842
965 433
Cards Processing Bank
Banks
interchange
Bank 123
Acct
960
812
1001
Debit
50
50
50
Credit
Bank 225
Acct
456
Debit
50
Credit
SET: enter the Certificate Authority
Source: Visa SET Presentation, 1996
Certification Authority
Cardholder Internet Merchant
AcquirerIssuer
Payment Gateway
Internet
Payment Network
SET Electronic Commerce Components
SET-security
• Implemented through Public-Private Key (PPK) cryptography through digital certificates
• SET’s Participants– Cardholders
– Merchants
– Acquirer payment gateways
– Credit and Debit Card Brand Associations
– Certificate Authorities
Digital Certificates
• Owner’s public key
• Owner’s name
• Expiration date of the public key
• Name of the certificate issuer
• Serial number of the certificate
• Digital signature of the certificate issuer
Source: Identrus
Multiple CAsTrust - Technical Architecture
Source: Identrus
Trust - Core Operating Flows
Digital Signatures
Tampering
Hostile Network
AA BBinverse
mathematical transformation
signature check
mathematical transformation
unsigned data
publicdirectory
Ali’s publickey
(not secret)
Ali’sprivate
key(secret)
SignedData
+ Message
Ali
Ali
or
SECURE ELECTRONIC TRANSACTIONS (SET)
• SET is implemented as pairs of request and response messages that serve the same functions as a POS terminal on a private network.
• These message pairs are wrapped in cryptography before being placed onto the public internet to hide their contents
• SET uses digital certificates for authentication of the customer and the merchant
SET
• Each participant in a SET transaction requires a specific certificate– uniquely identify the participant
– confirms privileges as a card holder or a as a merchant
• cardholder certificates are constructed– physical piece of plastic
– signature at the back of it
SET
• Merchant certificates assure transaction acquirer and the cardholders that– legitimate operator
– honest brand
• SET certificate management and processing– certificates are kept current, safe, and always ready for
use
SET• Steps in SET
– all SET software and digital certificates need to be in place
– the shopping experience– item selection– check out– form of payment selection– payment initiation processing– payment authorisation request– delivery of goods– capture and settlement
SET
• Digital certificates– owner’s public key
– owner’s name
– expiration date of the public key
– name of the certificate issuer
– serial number of the certificate
– digital signature of the certificate issuer
SET
• Digital signature– on-line substitution for the written signature
– an authentication that you are who you claim to be
– legally binding endorsement of the document that you transmit
– helps to ensure that the information in the message is not altered in any way
– Digital certificates are essential for SET• used to sign messages prior to their transmission
SET
• Step 1:– a cardholder selects the payment card on the
Merchant’s SET payment module
• Step 2:– The merchant SET payment module sends to
cardholder e-wallet (specific to the card brand selected):
• merchant signature and key exchange certificates
• payment gateway signature and key exchange certificates
SET
• Step 3:– the cardholder e-wallet begins to screen the tree of trust
among the certificate chain supplied
– upon a successful screening, the e-wallet returns a copy of the cardholder signature to use in signing messages
– cardholders normally will not process key exchange certificates since they are not responsible for message processing work.
SET
• Step 4:– with certificate exchange and trust tree screening steps
complete, all parties are now authenticated and processing will begin
– message protection and confidentiality can be assured, since all parties now “trust” one another.
SET• Roles and responsibilities- cardholders
– a web browser that contains an e-wallet component• netscape and IE support e-wallet plug-ins or e-wallet programs• visit a web site and download one
– once e-wallet works properly, then obtain a digital certificate for each credit card
• visit CA on-line
– keep your private key component private through password protection
– when sending messages through the Internet, make sure that the browser supports Secure Sockets Layer (SSL) encryption.
SET• Roles and responsibilities- merchants
– merchant server POS software performs the tasks of cryptographic processing, message preparation, and merchant certificate management
– merchant servers communicate with both the cardholder’s web browser/e-wallet and acquirer payment gateways that serve the banks and payment card companies.
– Merchant POS software also communicates with the acquirer’s payment gateway for authorisation of charge requests, settlement of charges, and batch administration work.
SET
• Roles and responsibilities- acquirer payment gateways– operated on behalf of many financial institutions
– check currency and legitimacy of all certificates presented
– maintain an appropriate interface to traditional banking systems that permits the Internet to behave as though it is a private leased line connection to the banking networks
SET
• Roles and responsibilities- payment card brand associations (Visa, Mastercard, Amex)– maintain the SET root key that is used to sign all Brand
certificates and establish brand certificate authority hierarchies
– establish brand certificates for legitimate SET uses
– no direct interactions with other parties
SET• Roles and responsibilities- certificate authorities
– gather authentication information from cardholders, merchants, and payment gateway operators who request certificates
– forward the authentication data to the Issuer or Acquirer for verification
– renewal processing of the previously issued certificates– maintain brand root keys– certify the presence of other CAs– Revoke certificates on cancelled accounts as instructed by the card
issuers– maintain the certificate revocation list for all compromised private
keys.
Garanti Bank Avrupa’da ilk SET işlemini gerçekleştiren ilk 10
banka arasındadır.
Visa ve Mastercard ile ilk görüşmeler, SET pilot grubuna katılma
Nisan 97 Temmuz 97 Şubat 98
Dünyadaki ilk SET uyumlu işlem San Fransisco’da gerçekleştirildi.
Garanti Bank, Spektrum Office Superstore ile birlikte Türkiye’deki ilk SET işlemini gerçekleştirdi.
SET pilot çalışmasında yer alan 4 banka1. Gesellschaft für Zahlungssysteme-Germany2. Sumimoto Credit Service-Japan3. Bank of America-USA4. Garanti Bankasi-Turkey
“Güvenli Alışverişler”
- 82 online mağaza, çalışması süren 80 mağaza daha
- SET ve SSL çözümleriyle müşteri bilgileri güvende (müşteri ve mağaza arasında SSL, mağaza ve banka arasında SET)
- Online mağaza açmak isteyen firmalara tüm desteği verirken aynı zamanda pazarı bilgilendirmek
- Yüsek sayıda işlem gerçekleşmiyor ama gelişme trendi yüksek