SlideShare ist ein Scribd-Unternehmen logo

Secnet

Als PPT, PDF herunterladen
Suman Madan
Suman Madan

asd

BildungWirtschaft & FinanzenBusiness
1 von 40
Secure Web Transactions Sridhar Iyer K R School of Information Technology IIT Bombay sri@it.iitb.ernet.in http://www.it.iitb.ernet.in/~sri
Overview  Electronic Commerce  Underlying Technologies – Cryptography – Network Security Protocols  Electronic Payment Systems – Credit card-based methods – Electronic Cheques – Anonymous payment – Micropayments – SmartCards
Commerce     Commerce: Exchange of Goods / Services Contracting parties: Buyer and Seller Fundamental principles: Trust and Security Intermediaries: • Direct (Distributors, Retailers) • Indirect (Banks, Regulators)  Money is a medium to facilitate transactions  Attributes of money: – Acceptability, Portability, Divisibility – Security, Anonymity – Durability, Interoperability
E-Commerce  Automation of commercial transactions using computer and communication technologies  Facilitated by Internet and WWW  Business-to-Business: EDI  Business-to-Consumer: WWW retailing  Some features: – Easy, global access, 24 hour availability – Customized products and services – Back Office integration – Additional revenue stream
E-Commerce Steps  Attract prospects to your site – Positive online experience – Value over traditional retail  Convert prospect to customer – Provide customized services – Online ordering, billing and payment  Keep them coming back – Online customer service – Offer more products and conveniences Maximize revenue per sale
E-Commerce Participants
E-Commerce Problems Snooper Unknown customer Unreliable Merchant
E-Commerce risks  Customer's risks – Stolen credentials or password – Dishonest merchant – Disputes over transaction – Inappropriate use of transaction details  Merchant’s risk – Forged or copied instruments – Disputed charges – Insufficient funds in customer’s account – Unauthorized redistribution of purchased items  Main issue: Secure payment scheme
Why is the Internet insecure? S C  Host security – Client – Server (multi-user)  Transmission security – Passive sniffing – Active spoofing and masquerading – Denial of service  Active content – Java, Javascript, ActiveX, DCOM S S C Denial of service Eavesdropping A B A C A C Interception B C Replay/fabrication B A B C
E-Commerce Security  Authorization, Access Control: – protect intranet from hordes: Firewalls  Confidentiality, Data Integrity: – protect contents against snoopers: Encryption  Authentication: – both parties prove identity before starting transaction: Digital certificates  Non-repudiation: – proof that the document originated by you & you only: Digital signature
Encryption (shared key) m: message k: shared key - Sender and receiver agree on a key K - No one else knows K - K is used to derive encryption key EK & decryption key DK - Sender computes and sends EK(Message) - Receiver computes DK(EK(Message)) - Example: DES: Data Encryption Standard
Public key encryption m: message sk: private secret key pk: public key · Separate public key pk and private key sk · Private key is kept secret by receiver · Dsk(Epk(mesg)) = mesg and vice versa · Knowing Ke gives no clue about Kd
Digital signature Sign: sign(sk,m) = Dsk(m) Verify: Epk(sign(sk,m)) = m Sign on small hash function to reduce cost
Signed and secret messages pk2 m pk1 Verify-sign Encrypt(pk1) sign(sk1, m) Encrypt(pk2) Epk2(Dsk1(m) ) Decrypt(sk2) First sign, then encrypt: order is important.
Digital certificates How to establish authenticity of public key? Register public key Download public key
Certification authority
Electronic payments: Issues Secure transfer across internet High reliability: no single failure point Atomic transactions Anonymity of buyer Economic and computational efficiency: allow micropayments  Flexiblility: across different methods  Scalability in number of servers and users     
E-Payments: Secure transfer  SSL: Secure socket layer – below application layer  S-HTTP: Secure HTTP: – On top of http
SSL: Secure Socket Layer  Application protocol independent  Provides connection security as: – Connection is private: Encryption is used after an initial handshake to define secret (symmetric) key – Peer's identity can be authenticated using public (asymmetric) key – Connection is reliable: Message transport includes a message integrity check (hash)  SSL Handshake protocol: – Allows server and client to authenticate each other and negotiate a encryption key
SSL Handshake Protocol  1. Client "Hello": challenge data, cipher specs  2. Server "Hello": connection ID, public key certificate, cipher specs  3. Client "session-key": encrypted with server's public key  4. Client "finish": connection ID signed with client's private key  5. Server "verify": client's challenge data signed with server's private key  6. Server "finish": session ID signed with server's private key  Session IDs and encryption options cached to avoid renegotiation for reconnection
S-HTTP: Secure HTTP  Application level security (HTTP specific)  "Content-Privacy-Domain" header: – Allows use of digital signatures &/ encryption – Various encryption options  Server-Browser negotiate – Property: cryptographic scheme to be used – Value: specific algorithm to be used – Direction: One way/Two way security
Secure end to end protocols
E-Payments: Atomicity  Money atomicity: no creation/destruction of money when transferred  Goods atomicity: no payment w/o goods and viceversa. – Eg: pay on delivery of parcel  Certified delivery: the goods delivered is what was promised: – Open the parcel in front of a trusted 3rd party
Anonymity of purchaser
Payment system types  Credit card-based methods – Credit card over SSL  Electronic Cheques – - NetCheque  Anonymous payments – - Digicash - CAFE  Micropayments  SmartCards - First Virtual -SET
Encrypted credit card payment  Set secure communication channel between buyer and seller  Send credit card number to merchant encrypted using merchant’s public key  Problems: merchant fraud, no customer signature  Ensures money but no goods atomicity  Not suitable for microtransactions
First virtual Customer assigned virtual PIN by phone Customer uses PIN to make purchases Merchant contacts First virtual First virtual send email to customer If customer confirms, payment made to merchant Not goods atomic since customer can refuse to pay  Not suitable for small transactions  Flood customer’s mailbox, delay merchant      
Cybercash  Customer opens account with cybercash, gives credit card number and gets a PIN  Special software on customer side sends PIN, signature, transaction amount to merchant  Merchant forwards to cybercash server that completes credit card transaction  Pros: credit card # not shown to server, fast  Cons: not for microtransactions
SET:Secure Electronic Transactions  Merge of STT, SEPP, iKP  Secure credit card based protocol  Common structure: – Customer digitally signs a purchase along with price and encrypts in bank’s public key – Merchant submits a sales request with price to bank. – Bank compares purchase and sales request. If price match, bank authorizes sales  Avoids merchant fraud, ensures money but no goods atomicity
Electronic Cheques  Leverages the check payments system, a core competency of the banking industry.  Fits within current business practices  Works like a paper check does but in pure electronic form, with fewer manual steps.  Can be used by all bank customers who have checking accounts  Different from Electronic fund transfers
How does echeck work?  Exactly same way as paper  Check writer "writes" the echeck using one of many types of electronic devices  ”Gives" the echeck to the payee electronically.  Payee "deposits" echeck, receives credit,  Payee's bank "clears" the echeck to the paying bank.  Paying bank validates the echeck and "charges" the check writer's account for the check.
Anonymous payments 5. Deposit token at bank. If double spent reveal identity and notify police 1. Withdraw money: cyrpographically encoded tokens merchant customer 3. Send token after adding merchant’s identity 4. Check validity and send goods 2. Transform so merchant can check validity but identity hidden
Problems with the protocol  Not money atomic: if crash after 3, money lost – if money actually sent to merchant: returning to bank will alert police – if money not sent: not sending will lead to loss  High cost of cryptographic transformations: not suitable for micropayments  Examples: Digicash
Micropayments on hyperlinks  HTML extended to have pricing details with each link: displayed when user around the link  On clicking, browser talks to E-Wallet that initiates payment to webserver of the source site  Payment for content providers  Attempt to reduce overhead per transaction
Micropayments: NetBill  Customer & merchant have account with NetBill server  Protocol: – Customer request quote from merchant, gets quote and accepts – Merchant sends goods encrypted by key K – Customer prepares & signs Electronic Purchase Order having <price, crypto-checksum of goods> – Merchant countersigns EPO, signs K and sends both to NetBill server – NetBill verifies signatures and transfers funds, stores K and crypto-checksum and – NetBill sends receipt to merchant and K to customer
Recent micropayment systems Company Compaq IBM France Telecom Payment system Millicent Unique code mcent IBM payment system Micrommerce mpay microm
Smartcards  8-bit micro, < 5MHz, < 2k RAM, 20k ROM  Download electronic money on a card: wallet on a card  Efficient, secure, paperless, intuitive and speedy  Real and virtual stores accept them  Less susceptible to net attacks since disconnected  Has other uses spanning many industries, from banking to health care
Mondex  Smart card based sales and card to card transfers  Money is secured through a password and transactions are logged on the card  Other operation and features similar to traditional debit cards  Card signs transaction: so no anonymity  Need card reader everywhere  Available only in prototypes
Summary  Various protocols and software infrastructure for ecommerce  Today: credit card over SSL or S-HTTP  Getting there: – smart cards, – digital certificates  Need: – legal base for the entire ecommerce business – global market place for ecommerce
References  State of the art in electronic payment systems, IEEE COMPUTER 30/9 (1997) 28-35  Internet privacy - The quest for anonymity, Communications of the ACM 42/2 (1999) 28-60.  Hyper links: – http://www.javasoft.com/products/commerce/ – http://www.semper.org/ – http://www.echeck.org/ – http://nii-server.isi.edu/info/NetCheque/ – http://www.ec-europe.org/Welcome.html/ – http://www.zdnet.com/icom/e-business/

Empfohlen

Secure Web Transaction
Secure Web TransactionSecure Web Transaction
Secure Web Transactionvikisharma24
 
Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Suraj Dhalwar
 
Secure electronic transactions (SET)
Secure electronic transactions (SET)Secure electronic transactions (SET)
Secure electronic transactions (SET)Omar Ghazi
 
E transaction
E transactionE transaction
E transactionZeeshan Ahmed
 
Electronic transactions 123
Electronic transactions 123Electronic transactions 123
Electronic transactions 123Deva Prasad
 
Protocol Payment in M-commerce Transaction
Protocol Payment in M-commerce TransactionProtocol Payment in M-commerce Transaction
Protocol Payment in M-commerce Transactioniosrjce
 
Account kit and internet banking
Account kit and internet bankingAccount kit and internet banking
Account kit and internet bankingpragya garg
 
E Payment
E PaymentE Payment
E PaymentAnkit Saxena
 

Empfohlen

Secure Web Transaction
Secure Web TransactionSecure Web Transaction
Secure Web Transactionvikisharma24
 
Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Suraj Dhalwar
 
Secure electronic transactions (SET)
Secure electronic transactions (SET)Secure electronic transactions (SET)
Secure electronic transactions (SET)Omar Ghazi
 
E transaction
E transactionE transaction
E transactionZeeshan Ahmed
 
Electronic transactions 123
Electronic transactions 123Electronic transactions 123
Electronic transactions 123Deva Prasad
 
Protocol Payment in M-commerce Transaction
Protocol Payment in M-commerce TransactionProtocol Payment in M-commerce Transaction
Protocol Payment in M-commerce Transactioniosrjce
 
Account kit and internet banking
Account kit and internet bankingAccount kit and internet banking
Account kit and internet bankingpragya garg
 
E Payment
E PaymentE Payment
E PaymentAnkit Saxena
 
Unit v
Unit vUnit v
Unit vlilyMalar1
 
Account Kit and Internet Banking
Account Kit and Internet BankingAccount Kit and Internet Banking
Account Kit and Internet BankingAman Singh (असर)
 
Difference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateDifference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateAboutSSL
 
Step by-step presentation on digital payments
Step by-step presentation on digital paymentsStep by-step presentation on digital payments
Step by-step presentation on digital paymentsMahantesh Biradar
 
How to design a digital signature in odoo
How to design a digital signature in odooHow to design a digital signature in odoo
How to design a digital signature in odooPlanetOdoo
 
Electronic Payment
Electronic PaymentElectronic Payment
Electronic PaymentV.V.Vanniaperumal College for Women
 
Can security and convenience go hand in hand in e-commerce
Can security and convenience go hand in hand in e-commerceCan security and convenience go hand in hand in e-commerce
Can security and convenience go hand in hand in e-commerceMercury Processing Services International
 
Startups Media Release Nsiapay
Startups Media Release NsiapayStartups Media Release Nsiapay
Startups Media Release NsiapayHadi Gunawan
 
Safex pay avantgarde -presentation
Safex pay avantgarde -presentationSafex pay avantgarde -presentation
Safex pay avantgarde -presentationParvezKhan173
 
Fraud and security concern, how it applies in e-Commerce and banking financial
Fraud and security concern, how it applies in e-Commerce and banking financialFraud and security concern, how it applies in e-Commerce and banking financial
Fraud and security concern, how it applies in e-Commerce and banking financialTechnopreneurs Association of Malaysia
 
What is Payment Tokenization?
What is Payment Tokenization?What is Payment Tokenization?
What is Payment Tokenization?Rambus Inc
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
Upi training
Upi trainingUpi training
Upi trainingSaurabh Madan
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage- Mark - Fullbright
 
Unified payment interface and its security
Unified payment interface and its security Unified payment interface and its security
Unified payment interface and its security Akshay Dixit
 
58
5858
58Fast Remedy
 
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...Nuzhat Memon
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresNisum
 
secnet.ppt
secnet.pptsecnet.ppt
secnet.pptShahidHussain265137
 
secnet.ppt
secnet.pptsecnet.ppt
secnet.pptvishy230892
 
Secure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesSecure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesBangNgoVanCong
 
Secnet
SecnetSecnet
Secnetarjun roy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Difference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateDifference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateAboutSSL
 
Step by-step presentation on digital payments
Step by-step presentation on digital paymentsStep by-step presentation on digital payments
Step by-step presentation on digital paymentsMahantesh Biradar
 
How to design a digital signature in odoo
How to design a digital signature in odooHow to design a digital signature in odoo
How to design a digital signature in odooPlanetOdoo
 
Startups Media Release Nsiapay
Startups Media Release NsiapayStartups Media Release Nsiapay
Startups Media Release NsiapayHadi Gunawan
 
Safex pay avantgarde -presentation
Safex pay avantgarde -presentationSafex pay avantgarde -presentation
Safex pay avantgarde -presentationParvezKhan173
 
Fraud and security concern, how it applies in e-Commerce and banking financial
Fraud and security concern, how it applies in e-Commerce and banking financialFraud and security concern, how it applies in e-Commerce and banking financial
Fraud and security concern, how it applies in e-Commerce and banking financialTechnopreneurs Association of Malaysia
 
What is Payment Tokenization?
What is Payment Tokenization?What is Payment Tokenization?
What is Payment Tokenization?Rambus Inc
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage- Mark - Fullbright
 
Unified payment interface and its security
Unified payment interface and its security Unified payment interface and its security
Unified payment interface and its security Akshay Dixit
 
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...Nuzhat Memon
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresNisum
 

Was ist angesagt? (18)

Unit v
Unit vUnit v
Unit v
 
Account Kit and Internet Banking
Account Kit and Internet BankingAccount Kit and Internet Banking
Account Kit and Internet Banking
 
Difference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateDifference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital Certificate
 
Step by-step presentation on digital payments
Step by-step presentation on digital paymentsStep by-step presentation on digital payments
Step by-step presentation on digital payments
 
How to design a digital signature in odoo
How to design a digital signature in odooHow to design a digital signature in odoo
How to design a digital signature in odoo
 
Electronic Payment
Electronic PaymentElectronic Payment
Electronic Payment
 
Can security and convenience go hand in hand in e-commerce
Can security and convenience go hand in hand in e-commerceCan security and convenience go hand in hand in e-commerce
Can security and convenience go hand in hand in e-commerce
 
Startups Media Release Nsiapay
Startups Media Release NsiapayStartups Media Release Nsiapay
Startups Media Release Nsiapay
 
Safex pay avantgarde -presentation
Safex pay avantgarde -presentationSafex pay avantgarde -presentation
Safex pay avantgarde -presentation
 
Fraud and security concern, how it applies in e-Commerce and banking financial
Fraud and security concern, how it applies in e-Commerce and banking financialFraud and security concern, how it applies in e-Commerce and banking financial
Fraud and security concern, how it applies in e-Commerce and banking financial
 
What is Payment Tokenization?
What is Payment Tokenization?What is Payment Tokenization?
What is Payment Tokenization?
 
Digital certificates
Digital certificates Digital certificates
Digital certificates
 
Upi training
Upi trainingUpi training
Upi training
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage
 
Unified payment interface and its security
Unified payment interface and its security Unified payment interface and its security
Unified payment interface and its security
 
58
5858
58
 
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 3 Electronic Payme...
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
 

Ähnlich wie Secnet

Secure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesSecure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesBangNgoVanCong
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
Online payment system
Online payment systemOnline payment system
Online payment systemmyangel27
 
Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)azmatmengal
 
Electronic payment system
Electronic payment systemElectronic payment system
Electronic payment systempankhadi
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gatewayKartik Kalpande Patil
 
S.m.o.k.e. technologies
S.m.o.k.e. technologiesS.m.o.k.e. technologies
S.m.o.k.e. technologiesshub99
 
Ecommerce 27-1.pptx
Ecommerce 27-1.pptxEcommerce 27-1.pptx
Ecommerce 27-1.pptxAkash588342
 
Payment systems for electronic commerce
Payment systems for electronic commercePayment systems for electronic commerce
Payment systems for electronic commerceNishant Pahad
 
Electronic Payment Systems Shortened
Electronic Payment Systems ShortenedElectronic Payment Systems Shortened
Electronic Payment Systems ShortenedRitesh Verma
 

Ähnlich wie Secnet (20)

secnet.ppt
secnet.pptsecnet.ppt
secnet.ppt
 
secnet.ppt
secnet.pptsecnet.ppt
secnet.ppt
 
Secure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesSecure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying Technologies
 
Secnet
SecnetSecnet
Secnet
 
SSL TSL;& SET
SSL TSL;& SETSSL TSL;& SET
SSL TSL;& SET
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
 
E commerce
E commerceE commerce
E commerce
 
Online payment system
Online payment systemOnline payment system
Online payment system
 
Ch 2
Ch 2Ch 2
Ch 2
 
Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)
 
Electronic payment system
Electronic payment systemElectronic payment system
Electronic payment system
 
E-Business security
E-Business security E-Business security
E-Business security
 
SET (1).ppt
SET (1).pptSET (1).ppt
SET (1).ppt
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gateway
 
S.m.o.k.e. technologies
S.m.o.k.e. technologiesS.m.o.k.e. technologies
S.m.o.k.e. technologies
 
Ecommerce 27-1.pptx
Ecommerce 27-1.pptxEcommerce 27-1.pptx
Ecommerce 27-1.pptx
 
Class 13
Class 13Class 13
Class 13
 
Electronic payment by ahmad
Electronic payment by ahmadElectronic payment by ahmad
Electronic payment by ahmad
 
Payment systems for electronic commerce
Payment systems for electronic commercePayment systems for electronic commerce
Payment systems for electronic commerce
 
Electronic Payment Systems Shortened
Electronic Payment Systems ShortenedElectronic Payment Systems Shortened
Electronic Payment Systems Shortened
 

Kürzlich hochgeladen

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...RKavithamani
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 

Kürzlich hochgeladen (20)

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 

Secnet

  • 1. Secure Web Transactions Sridhar Iyer K R School of Information Technology IIT Bombay sri@it.iitb.ernet.in http://www.it.iitb.ernet.in/~sri
  • 2. Overview  Electronic Commerce  Underlying Technologies – Cryptography – Network Security Protocols  Electronic Payment Systems – Credit card-based methods – Electronic Cheques – Anonymous payment – Micropayments – SmartCards
  • 3. Commerce     Commerce: Exchange of Goods / Services Contracting parties: Buyer and Seller Fundamental principles: Trust and Security Intermediaries: • Direct (Distributors, Retailers) • Indirect (Banks, Regulators)  Money is a medium to facilitate transactions  Attributes of money: – Acceptability, Portability, Divisibility – Security, Anonymity – Durability, Interoperability
  • 4. E-Commerce  Automation of commercial transactions using computer and communication technologies  Facilitated by Internet and WWW  Business-to-Business: EDI  Business-to-Consumer: WWW retailing  Some features: – Easy, global access, 24 hour availability – Customized products and services – Back Office integration – Additional revenue stream
  • 5. E-Commerce Steps  Attract prospects to your site – Positive online experience – Value over traditional retail  Convert prospect to customer – Provide customized services – Online ordering, billing and payment  Keep them coming back – Online customer service – Offer more products and conveniences Maximize revenue per sale
  • 8. E-Commerce risks  Customer's risks – Stolen credentials or password – Dishonest merchant – Disputes over transaction – Inappropriate use of transaction details  Merchant’s risk – Forged or copied instruments – Disputed charges – Insufficient funds in customer’s account – Unauthorized redistribution of purchased items  Main issue: Secure payment scheme
  • 9. Why is the Internet insecure? S C  Host security – Client – Server (multi-user)  Transmission security – Passive sniffing – Active spoofing and masquerading – Denial of service  Active content – Java, Javascript, ActiveX, DCOM S S C Denial of service Eavesdropping A B A C A C Interception B C Replay/fabrication B A B C
  • 10. E-Commerce Security  Authorization, Access Control: – protect intranet from hordes: Firewalls  Confidentiality, Data Integrity: – protect contents against snoopers: Encryption  Authentication: – both parties prove identity before starting transaction: Digital certificates  Non-repudiation: – proof that the document originated by you & you only: Digital signature
  • 11. Encryption (shared key) m: message k: shared key - Sender and receiver agree on a key K - No one else knows K - K is used to derive encryption key EK & decryption key DK - Sender computes and sends EK(Message) - Receiver computes DK(EK(Message)) - Example: DES: Data Encryption Standard
  • 12. Public key encryption m: message sk: private secret key pk: public key · Separate public key pk and private key sk · Private key is kept secret by receiver · Dsk(Epk(mesg)) = mesg and vice versa · Knowing Ke gives no clue about Kd
  • 13. Digital signature Sign: sign(sk,m) = Dsk(m) Verify: Epk(sign(sk,m)) = m Sign on small hash function to reduce cost
  • 14. Signed and secret messages pk2 m pk1 Verify-sign Encrypt(pk1) sign(sk1, m) Encrypt(pk2) Epk2(Dsk1(m) ) Decrypt(sk2) First sign, then encrypt: order is important.
  • 15. Digital certificates How to establish authenticity of public key? Register public key Download public key
  • 17. Electronic payments: Issues Secure transfer across internet High reliability: no single failure point Atomic transactions Anonymity of buyer Economic and computational efficiency: allow micropayments  Flexiblility: across different methods  Scalability in number of servers and users     
  • 18. E-Payments: Secure transfer  SSL: Secure socket layer – below application layer  S-HTTP: Secure HTTP: – On top of http
  • 19. SSL: Secure Socket Layer  Application protocol independent  Provides connection security as: – Connection is private: Encryption is used after an initial handshake to define secret (symmetric) key – Peer's identity can be authenticated using public (asymmetric) key – Connection is reliable: Message transport includes a message integrity check (hash)  SSL Handshake protocol: – Allows server and client to authenticate each other and negotiate a encryption key
  • 20. SSL Handshake Protocol  1. Client "Hello": challenge data, cipher specs  2. Server "Hello": connection ID, public key certificate, cipher specs  3. Client "session-key": encrypted with server's public key  4. Client "finish": connection ID signed with client's private key  5. Server "verify": client's challenge data signed with server's private key  6. Server "finish": session ID signed with server's private key  Session IDs and encryption options cached to avoid renegotiation for reconnection
  • 21. S-HTTP: Secure HTTP  Application level security (HTTP specific)  "Content-Privacy-Domain" header: – Allows use of digital signatures &/ encryption – Various encryption options  Server-Browser negotiate – Property: cryptographic scheme to be used – Value: specific algorithm to be used – Direction: One way/Two way security
  • 22. Secure end to end protocols
  • 23. E-Payments: Atomicity  Money atomicity: no creation/destruction of money when transferred  Goods atomicity: no payment w/o goods and viceversa. – Eg: pay on delivery of parcel  Certified delivery: the goods delivered is what was promised: – Open the parcel in front of a trusted 3rd party
  • 25. Payment system types  Credit card-based methods – Credit card over SSL  Electronic Cheques – - NetCheque  Anonymous payments – - Digicash - CAFE  Micropayments  SmartCards - First Virtual -SET
  • 26. Encrypted credit card payment  Set secure communication channel between buyer and seller  Send credit card number to merchant encrypted using merchant’s public key  Problems: merchant fraud, no customer signature  Ensures money but no goods atomicity  Not suitable for microtransactions
  • 27. First virtual Customer assigned virtual PIN by phone Customer uses PIN to make purchases Merchant contacts First virtual First virtual send email to customer If customer confirms, payment made to merchant Not goods atomic since customer can refuse to pay  Not suitable for small transactions  Flood customer’s mailbox, delay merchant      
  • 28. Cybercash  Customer opens account with cybercash, gives credit card number and gets a PIN  Special software on customer side sends PIN, signature, transaction amount to merchant  Merchant forwards to cybercash server that completes credit card transaction  Pros: credit card # not shown to server, fast  Cons: not for microtransactions
  • 29. SET:Secure Electronic Transactions  Merge of STT, SEPP, iKP  Secure credit card based protocol  Common structure: – Customer digitally signs a purchase along with price and encrypts in bank’s public key – Merchant submits a sales request with price to bank. – Bank compares purchase and sales request. If price match, bank authorizes sales  Avoids merchant fraud, ensures money but no goods atomicity
  • 30. Electronic Cheques  Leverages the check payments system, a core competency of the banking industry.  Fits within current business practices  Works like a paper check does but in pure electronic form, with fewer manual steps.  Can be used by all bank customers who have checking accounts  Different from Electronic fund transfers
  • 31. How does echeck work?  Exactly same way as paper  Check writer "writes" the echeck using one of many types of electronic devices  ”Gives" the echeck to the payee electronically.  Payee "deposits" echeck, receives credit,  Payee's bank "clears" the echeck to the paying bank.  Paying bank validates the echeck and "charges" the check writer's account for the check.
  • 32. Anonymous payments 5. Deposit token at bank. If double spent reveal identity and notify police 1. Withdraw money: cyrpographically encoded tokens merchant customer 3. Send token after adding merchant’s identity 4. Check validity and send goods 2. Transform so merchant can check validity but identity hidden
  • 33. Problems with the protocol  Not money atomic: if crash after 3, money lost – if money actually sent to merchant: returning to bank will alert police – if money not sent: not sending will lead to loss  High cost of cryptographic transformations: not suitable for micropayments  Examples: Digicash
  • 34. Micropayments on hyperlinks  HTML extended to have pricing details with each link: displayed when user around the link  On clicking, browser talks to E-Wallet that initiates payment to webserver of the source site  Payment for content providers  Attempt to reduce overhead per transaction
  • 35. Micropayments: NetBill  Customer & merchant have account with NetBill server  Protocol: – Customer request quote from merchant, gets quote and accepts – Merchant sends goods encrypted by key K – Customer prepares & signs Electronic Purchase Order having <price, crypto-checksum of goods> – Merchant countersigns EPO, signs K and sends both to NetBill server – NetBill verifies signatures and transfers funds, stores K and crypto-checksum and – NetBill sends receipt to merchant and K to customer
  • 37. Smartcards  8-bit micro, < 5MHz, < 2k RAM, 20k ROM  Download electronic money on a card: wallet on a card  Efficient, secure, paperless, intuitive and speedy  Real and virtual stores accept them  Less susceptible to net attacks since disconnected  Has other uses spanning many industries, from banking to health care
  • 38. Mondex  Smart card based sales and card to card transfers  Money is secured through a password and transactions are logged on the card  Other operation and features similar to traditional debit cards  Card signs transaction: so no anonymity  Need card reader everywhere  Available only in prototypes
  • 39. Summary  Various protocols and software infrastructure for ecommerce  Today: credit card over SSL or S-HTTP  Getting there: – smart cards, – digital certificates  Need: – legal base for the entire ecommerce business – global market place for ecommerce
  • 40. References  State of the art in electronic payment systems, IEEE COMPUTER 30/9 (1997) 28-35  Internet privacy - The quest for anonymity, Communications of the ACM 42/2 (1999) 28-60.  Hyper links: – http://www.javasoft.com/products/commerce/ – http://www.semper.org/ – http://www.echeck.org/ – http://nii-server.isi.edu/info/NetCheque/ – http://www.ec-europe.org/Welcome.html/ – http://www.zdnet.com/icom/e-business/