SlideShare a Scribd company logo

Secure Web Transaction

V
vikisharma24
Education
1 of 39
Download to read offline
Secure Web Transactions
Overview  Electronic Commerce  Underlying Technologies – Cryptography – Network Security Protocols  Electronic Payment Systems – Credit card-based methods – Electronic Cheques – Anonymous payment – Micropayments – SmartCards
Commerce  Commerce: Exchange of Goods / Services  Contracting parties: Buyer and Seller  Fundamental principles: Trust and Security  Intermediaries: • Direct (Distributors, Retailers) • Indirect (Banks, Regulators)  Money is a medium to facilitate transactions  Attributes of money: – Acceptability, Portability, Divisibility – Security, Anonymity – Durability, Interoperability
E-Commerce  Automation of commercial transactions using computer and communication technologies  Facilitated by Internet and WWW  Business-to-Business: EDI  Business-to-Consumer: WWW retailing  Some features: – Easy, global access, 24 hour availability – Customized products and services – Back Office integration – Additional revenue stream
E-Commerce Steps  Attract prospects to your site – Positive online experience – Value over traditional retail  Convert prospect to customer – Provide customized services – Online ordering, billing and payment  Keep them coming back – Online customer service – Offer more products and conveniences Maximize revenue per sale
E-Commerce Participants
E-Commerce Problems Snooper Unknown customer Unreliable Merchant
E-Commerce risks  Customer's risks – Stolen credentials or password – Dishonest merchant – Disputes over transaction – Inappropriate use of transaction details  Merchant’s risk – Forged or copied instruments – Disputed charges – Insufficient funds in customer’s account – Unauthorized redistribution of purchased items  Main issue: Secure payment scheme
Why is the Internet insecure? S S  Host security – Client – Server (multi-user) C S  Transmission C security Eavesdropping Denial of service – Passive sniffing A B A B – Active spoofing and C C masquerading Replay/fabrication – Denial of service A C B A B  Active content Interception C – Java, Javascript, ActiveX, DCOM
E-Commerce Security  Authorization, Access Control: – protect intranet from hordes: Firewalls  Confidentiality, Data Integrity: – protect contents against snoopers: Encryption  Authentication: – both parties prove identity before starting transaction: Digital certificates  Non-repudiation: – proof that the document originated by you & you only: Digital signature
Encryption (shared key) m: message k: shared key - Sender and receiver agree on a key K - No one else knows K - K is used to derive encryption key EK & decryption key DK - Sender computes and sends EK(Message) - Receiver computes DK(EK(Message)) - Example: DES: Data Encryption Standard
Public key encryption m: message sk: private secret key pk: public key · Separate public key pk and private key sk · Private key is kept secret by receiver · Dsk(Epk(mesg)) = mesg and vice versa · Knowing Ke gives no clue about Kd
Digital signature Sign: sign(sk,m) = Dsk(m) Verify: Epk(sign(sk,m)) = m Sign on small hash function to reduce cost
Signed and secret messages pk2 m pk1 sign(sk1, m) Verify-sign Encrypt(pk1) Encrypt(pk2) Epk2(Dsk1(m) ) Decrypt(sk2) First sign, then encrypt: order is important.
Digital certificates How to establish authenticity of public key? Register public key Download public key
Certification authority
Electronic payments: Issues  Secure transfer across internet  High reliability: no single failure point  Atomic transactions  Anonymity of buyer  Economic and computational efficiency: allow micropayments  Flexiblility: across different methods  Scalability in number of servers and users
E-Payments: Secure transfer  SSL: Secure socket layer – below application layer  S-HTTP: Secure HTTP: – On top of http
SSL: Secure Socket Layer  Application protocol independent  Provides connection security as: – Connection is private: Encryption is used after an initial handshake to define secret (symmetric) key – Peer's identity can be authenticated using public (asymmetric) key – Connection is reliable: Message transport includes a message integrity check (hash)  SSL Handshake protocol: – Allows server and client to authenticate each other and negotiate a encryption key
SSL Handshake Protocol  1. Client "Hello": challenge data, cipher specs  2. Server "Hello": connection ID, public key certificate, cipher specs  3. Client "session-key": encrypted with server's public key  4. Client "finish": connection ID signed with client's private key  5. Server "verify": client's challenge data signed with server's private key  6. Server "finish": session ID signed with server's private key  Session IDs and encryption options cached to avoid renegotiation for reconnection
S-HTTP: Secure HTTP  Application level security (HTTP specific)  "Content-Privacy-Domain" header: – Allows use of digital signatures &/ encryption – Various encryption options  Server-Browser negotiate – Property: cryptographic scheme to be used – Value: specific algorithm to be used – Direction: One way/Two way security
Secure end to end protocols
E-Payments: Atomicity  Money atomicity: no creation/destruction of money when transferred  Goods atomicity: no payment w/o goods and viceversa. – Eg: pay on delivery of parcel  Certified delivery: the goods delivered is what was promised: – Open the parcel in front of a trusted 3rd party
Anonymity of purchaser
Payment system types  Credit card-based methods – Credit card over SSL - First Virtual -SET  Electronic Cheques – - NetCheque  Anonymous payments – - Digicash - CAFE  Micropayments  SmartCards
Encrypted credit card payment  Set secure communication channel between buyer and seller  Send credit card number to merchant encrypted using merchant’s public key  Problems: merchant fraud, no customer signature  Ensures money but no goods atomicity  Not suitable for microtransactions
First virtual  Customer assigned virtual PIN by phone  Customer uses PIN to make purchases  Merchant contacts First virtual  First virtual send email to customer  If customer confirms, payment made to merchant  Not goods atomic since customer can refuse to pay  Not suitable for small transactions  Flood customer’s mailbox, delay merchant
Cybercash  Customer opens account with cybercash, gives credit card number and gets a PIN  Special software on customer side sends PIN, signature, transaction amount to merchant  Merchant forwards to cybercash server that completes credit card transaction  Pros: credit card # not shown to server, fast  Cons: not for microtransactions
SET:Secure Electronic Transactions  Merge of STT, SEPP, iKP  Secure credit card based protocol  Common structure: – Customer digitally signs a purchase along with price and encrypts in bank’s public key – Merchant submits a sales request with price to bank. – Bank compares purchase and sales request. If price match, bank authorizes sales  Avoids merchant fraud, ensures money but no goods atomicity
Electronic Cheques  Leverages the check payments system, a core competency of the banking industry.  Fits within current business practices  Works like a paper check does but in pure electronic form, with fewer manual steps.  Can be used by all bank customers who have checking accounts  Different from Electronic fund transfers
How does echeck work?  Exactly same way as paper  Check writer "writes" the echeck using one of many types of electronic devices  ”Gives" the echeck to the payee electronically.  Payee "deposits" echeck, receives credit,  Payee's bank "clears" the echeck to the paying bank.  Paying bank validates the echeck and "charges" the check writer's account for the check.
Anonymous payments 5. Deposit token at bank. If double spent reveal identity and notify police 1. Withdraw money: cyrpographically encoded tokens merchant customer 3. Send token after adding merchant’s identity 4. Check validity and send goods 2. Transform so merchant can check validity but identity hidden
Problems with the protocol  Not money atomic: if crash after 3, money lost – if money actually sent to merchant: returning to bank will alert police – if money not sent: not sending will lead to loss  High cost of cryptographic transformations: not suitable for micropayments  Examples: Digicash
Micropayments on hyperlinks  HTML extended to have pricing details with each link: displayed when user around the link  On clicking, browser talks to E-Wallet that initiates payment to webserver of the source site  Payment for content providers  Attempt to reduce overhead per transaction
Micropayments: NetBill  Customer & merchant have account with NetBill server  Protocol: – Customer request quote from merchant, gets quote and accepts – Merchant sends goods encrypted by key K – Customer prepares & signs Electronic Purchase Order having <price, crypto-checksum of goods> – Merchant countersigns EPO, signs K and sends both to NetBill server – NetBill verifies signatures and transfers funds, stores K and crypto-checksum and – NetBill sends receipt to merchant and K to customer
Recent micropayment systems Company Payment Unique system code Compaq Millicent mcent IBM IBM payment mpay system France Micrommerce microm Telecom
Smartcards  8-bit micro, < 5MHz, < 2k RAM, 20k ROM  Download electronic money on a card: wallet on a card  Efficient, secure, paperless, intuitive and speedy  Real and virtual stores accept them  Less susceptible to net attacks since disconnected  Has other uses spanning many industries, from banking to health care
Mondex  Smart card based sales and card to card transfers  Money is secured through a password and transactions are logged on the card  Other operation and features similar to traditional debit cards  Card signs transaction: so no anonymity  Need card reader everywhere  Available only in prototypes
Summary  Various protocols and software infrastructure for ecommerce  Today: credit card over SSL or S-HTTP  Getting there: – smart cards, – digital certificates  Need: – legal base for the entire ecommerce business – global market place for ecommerce

Recommended

Secnet
SecnetSecnet
SecnetSuman Madan
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital SignaturesEhtisham Ali
 
Digital signature 2
Digital signature 2Digital signature 2
Digital signature 2Ankita Dave
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
How to design a digital signature in odoo
How to design a digital signature in odooHow to design a digital signature in odoo
How to design a digital signature in odooPlanetOdoo
 
Digital signature
Digital signatureDigital signature
Digital signatureAbdullah Khosa
 
Digital signature
Digital signatureDigital signature
Digital signatureYash Karanke
 
Difference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateDifference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateAboutSSL
 

Recommended

Secnet
SecnetSecnet
SecnetSuman Madan
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital SignaturesEhtisham Ali
 
Digital signature 2
Digital signature 2Digital signature 2
Digital signature 2Ankita Dave
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
How to design a digital signature in odoo
How to design a digital signature in odooHow to design a digital signature in odoo
How to design a digital signature in odooPlanetOdoo
 
Digital signature
Digital signatureDigital signature
Digital signatureAbdullah Khosa
 
Digital signature
Digital signatureDigital signature
Digital signatureYash Karanke
 
Difference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateDifference Between Digital Signature vs Digital Certificate
Difference Between Digital Signature vs Digital CertificateAboutSSL
 
Digital signature
Digital signatureDigital signature
Digital signatureHossain Md Shakhawat
 
Digital signature
Digital signatureDigital signature
Digital signaturePraseela R
 
Electronic signature
Electronic signatureElectronic signature
Electronic signatureSonu Mishra
 
Seminar presentation on digital signature ppt
Seminar presentation on digital signature pptSeminar presentation on digital signature ppt
Seminar presentation on digital signature pptRavi Ranjan
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesIshwar Dayal
 
digital signature ppt
digital signature pptdigital signature ppt
digital signature pptNitesh Dubey
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesatuljaybhaye
 
B2 TDI Remittances
B2 TDI RemittancesB2 TDI Remittances
B2 TDI RemittancesB2 TDI Limited
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lectureShaikha AlQaydi
 
Digital certificates and information security
Digital certificates and information securityDigital certificates and information security
Digital certificates and information securityDevam Shah
 
Digital signature
Digital signatureDigital signature
Digital signaturedhivyakesavan3
 
Understanding Digital Certificates & Secure Sockets Layer
Understanding Digital Certificates & Secure Sockets LayerUnderstanding Digital Certificates & Secure Sockets Layer
Understanding Digital Certificates & Secure Sockets LayerCheapSSLUSA
 
Nem introduction
Nem introductionNem introduction
Nem introductionHelmut Siedl
 
Marino mercedesportfolio201212
Marino mercedesportfolio201212Marino mercedesportfolio201212
Marino mercedesportfolio201212Marino Mercedes
 
Experience and Outcomes of the New German Electronic ID Card
Experience and Outcomes of the New German Electronic ID CardExperience and Outcomes of the New German Electronic ID Card
Experience and Outcomes of the New German Electronic ID CardAtos_Worldline
 
OTP Solution - Mat khau su dung mot lan
OTP Solution - Mat khau su dung mot lanOTP Solution - Mat khau su dung mot lan
OTP Solution - Mat khau su dung mot lanTHANK Truong
 
Apostille presentation
Apostille presentationApostille presentation
Apostille presentationHelmut Siedl
 
on Digital Monies
on Digital Monieson Digital Monies
on Digital MoniesТранслируем.бел
 
E business--dig sig
E business--dig sigE business--dig sig
E business--dig sigravik09783
 
Action mode
Action modeAction mode
Action modeLudger Rabacal
 
Cyber cash
Cyber cashCyber cash
Cyber cashChitra Lekha
 
Web client security
Web client securityWeb client security
Web client securityZiv Birer
 

More Related Content

What's hot

Digital signature
Digital signatureDigital signature
Digital signaturePraseela R
 
Electronic signature
Electronic signatureElectronic signature
Electronic signatureSonu Mishra
 
Seminar presentation on digital signature ppt
Seminar presentation on digital signature pptSeminar presentation on digital signature ppt
Seminar presentation on digital signature pptRavi Ranjan
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesIshwar Dayal
 
digital signature ppt
digital signature pptdigital signature ppt
digital signature pptNitesh Dubey
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesatuljaybhaye
 
Digital certificates and information security
Digital certificates and information securityDigital certificates and information security
Digital certificates and information securityDevam Shah
 
Understanding Digital Certificates & Secure Sockets Layer
Understanding Digital Certificates & Secure Sockets LayerUnderstanding Digital Certificates & Secure Sockets Layer
Understanding Digital Certificates & Secure Sockets LayerCheapSSLUSA
 
Marino mercedesportfolio201212
Marino mercedesportfolio201212Marino mercedesportfolio201212
Marino mercedesportfolio201212Marino Mercedes
 
Experience and Outcomes of the New German Electronic ID Card
Experience and Outcomes of the New German Electronic ID CardExperience and Outcomes of the New German Electronic ID Card
Experience and Outcomes of the New German Electronic ID CardAtos_Worldline
 
OTP Solution - Mat khau su dung mot lan
OTP Solution - Mat khau su dung mot lanOTP Solution - Mat khau su dung mot lan
OTP Solution - Mat khau su dung mot lanTHANK Truong
 
Apostille presentation
Apostille presentationApostille presentation
Apostille presentationHelmut Siedl
 
E business--dig sig
E business--dig sigE business--dig sig
E business--dig sigravik09783
 

What's hot (20)

Digital signature
Digital signatureDigital signature
Digital signature
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Electronic signature
Electronic signatureElectronic signature
Electronic signature
 
Seminar presentation on digital signature ppt
Seminar presentation on digital signature pptSeminar presentation on digital signature ppt
Seminar presentation on digital signature ppt
 
Digital signatures
Digital signaturesDigital signatures
Digital signatures
 
digital signature ppt
digital signature pptdigital signature ppt
digital signature ppt
 
Digital signatures
Digital signaturesDigital signatures
Digital signatures
 
B2 TDI Remittances
B2 TDI RemittancesB2 TDI Remittances
B2 TDI Remittances
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lecture
 
Digital certificates and information security
Digital certificates and information securityDigital certificates and information security
Digital certificates and information security
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Understanding Digital Certificates & Secure Sockets Layer
Understanding Digital Certificates & Secure Sockets LayerUnderstanding Digital Certificates & Secure Sockets Layer
Understanding Digital Certificates & Secure Sockets Layer
 
Nem introduction
Nem introductionNem introduction
Nem introduction
 
Marino mercedesportfolio201212
Marino mercedesportfolio201212Marino mercedesportfolio201212
Marino mercedesportfolio201212
 
Experience and Outcomes of the New German Electronic ID Card
Experience and Outcomes of the New German Electronic ID CardExperience and Outcomes of the New German Electronic ID Card
Experience and Outcomes of the New German Electronic ID Card
 
OTP Solution - Mat khau su dung mot lan
OTP Solution - Mat khau su dung mot lanOTP Solution - Mat khau su dung mot lan
OTP Solution - Mat khau su dung mot lan
 
Apostille presentation
Apostille presentationApostille presentation
Apostille presentation
 
on Digital Monies
on Digital Monieson Digital Monies
on Digital Monies
 
E business--dig sig
E business--dig sigE business--dig sig
E business--dig sig
 
Action mode
Action modeAction mode
Action mode
 

Viewers also liked

Web client security
Web client securityWeb client security
Web client securityZiv Birer
 
secure electronics transaction
secure electronics transactionsecure electronics transaction
secure electronics transactionHarsh Mehta
 
Information Security & Cryptography
Information Security & CryptographyInformation Security & Cryptography
Information Security & CryptographyArun ACE
 
HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)Gurjot Singh
 
The Complete Starter Guide To Tumblr Marketing
The Complete Starter Guide To Tumblr MarketingThe Complete Starter Guide To Tumblr Marketing
The Complete Starter Guide To Tumblr MarketingViraltag Inc.
 
Digital Marketing Overview
Digital Marketing OverviewDigital Marketing Overview
Digital Marketing OverviewAnton Koekemoer
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Viewers also liked (11)

Cyber cash
Cyber cashCyber cash
Cyber cash
 
Web client security
Web client securityWeb client security
Web client security
 
Marketing bab2
Marketing bab2Marketing bab2
Marketing bab2
 
Common features
Common featuresCommon features
Common features
 
secure electronics transaction
secure electronics transactionsecure electronics transaction
secure electronics transaction
 
Information Security & Cryptography
Information Security & CryptographyInformation Security & Cryptography
Information Security & Cryptography
 
HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basics
 
HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)
 
The Complete Starter Guide To Tumblr Marketing
The Complete Starter Guide To Tumblr MarketingThe Complete Starter Guide To Tumblr Marketing
The Complete Starter Guide To Tumblr Marketing
 
Digital Marketing Overview
Digital Marketing OverviewDigital Marketing Overview
Digital Marketing Overview
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similar to Secure Web Transaction

Secure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesSecure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesBangNgoVanCong
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systemsAbdulaziz Mohd
 
Electronic Payment Systems
Electronic Payment SystemsElectronic Payment Systems
Electronic Payment Systemsitsvineeth209
 
ch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.pptch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.pptSonukumarRawat
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
E-commerce security using asymmetric key algorithm
E-commerce security using asymmetric key algorithmE-commerce security using asymmetric key algorithm
E-commerce security using asymmetric key algorithmgauravv7536
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gatewayKartik Kalpande Patil
 
Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)azmatmengal
 
Ecommerce 27-1.pptx
Ecommerce 27-1.pptxEcommerce 27-1.pptx
Ecommerce 27-1.pptxAkash588342
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMhackingtrialpay
 

Similar to Secure Web Transaction (20)

secnet.ppt
secnet.pptsecnet.ppt
secnet.ppt
 
secnet.ppt
secnet.pptsecnet.ppt
secnet.ppt
 
Secure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesSecure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying Technologies
 
Secnet
SecnetSecnet
Secnet
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
 
E-Business security
E-Business security E-Business security
E-Business security
 
Ecommerce Chap 08
Ecommerce Chap 08Ecommerce Chap 08
Ecommerce Chap 08
 
SSL TSL;& SET
SSL TSL;& SETSSL TSL;& SET
SSL TSL;& SET
 
Electronic Payment Systems
Electronic Payment SystemsElectronic Payment Systems
Electronic Payment Systems
 
ch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.pptch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.ppt
 
Security and trust in e payment
Security and trust in e paymentSecurity and trust in e payment
Security and trust in e payment
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
 
E-commerce security using asymmetric key algorithm
E-commerce security using asymmetric key algorithmE-commerce security using asymmetric key algorithm
E-commerce security using asymmetric key algorithm
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gateway
 
Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)Final eb ch 09 encryption and e payments modes (2)
Final eb ch 09 encryption and e payments modes (2)
 
Ecommerce 27-1.pptx
Ecommerce 27-1.pptxEcommerce 27-1.pptx
Ecommerce 27-1.pptx
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
 
EMV Overview
EMV OverviewEMV Overview
EMV Overview
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
 
ch17.ppt
ch17.pptch17.ppt
ch17.ppt
 

Recently uploaded

Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfNirmal Dwivedi
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsKarakKing
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 

Recently uploaded (20)

Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

Secure Web Transaction

  • 2. Overview  Electronic Commerce  Underlying Technologies – Cryptography – Network Security Protocols  Electronic Payment Systems – Credit card-based methods – Electronic Cheques – Anonymous payment – Micropayments – SmartCards
  • 3. Commerce  Commerce: Exchange of Goods / Services  Contracting parties: Buyer and Seller  Fundamental principles: Trust and Security  Intermediaries: • Direct (Distributors, Retailers) • Indirect (Banks, Regulators)  Money is a medium to facilitate transactions  Attributes of money: – Acceptability, Portability, Divisibility – Security, Anonymity – Durability, Interoperability
  • 4. E-Commerce  Automation of commercial transactions using computer and communication technologies  Facilitated by Internet and WWW  Business-to-Business: EDI  Business-to-Consumer: WWW retailing  Some features: – Easy, global access, 24 hour availability – Customized products and services – Back Office integration – Additional revenue stream
  • 5. E-Commerce Steps  Attract prospects to your site – Positive online experience – Value over traditional retail  Convert prospect to customer – Provide customized services – Online ordering, billing and payment  Keep them coming back – Online customer service – Offer more products and conveniences Maximize revenue per sale
  • 7. E-Commerce Problems Snooper Unknown customer Unreliable Merchant
  • 8. E-Commerce risks  Customer's risks – Stolen credentials or password – Dishonest merchant – Disputes over transaction – Inappropriate use of transaction details  Merchant’s risk – Forged or copied instruments – Disputed charges – Insufficient funds in customer’s account – Unauthorized redistribution of purchased items  Main issue: Secure payment scheme
  • 9. Why is the Internet insecure? S S  Host security – Client – Server (multi-user) C S  Transmission C security Eavesdropping Denial of service – Passive sniffing A B A B – Active spoofing and C C masquerading Replay/fabrication – Denial of service A C B A B  Active content Interception C – Java, Javascript, ActiveX, DCOM
  • 10. E-Commerce Security  Authorization, Access Control: – protect intranet from hordes: Firewalls  Confidentiality, Data Integrity: – protect contents against snoopers: Encryption  Authentication: – both parties prove identity before starting transaction: Digital certificates  Non-repudiation: – proof that the document originated by you & you only: Digital signature
  • 11. Encryption (shared key) m: message k: shared key - Sender and receiver agree on a key K - No one else knows K - K is used to derive encryption key EK & decryption key DK - Sender computes and sends EK(Message) - Receiver computes DK(EK(Message)) - Example: DES: Data Encryption Standard
  • 12. Public key encryption m: message sk: private secret key pk: public key · Separate public key pk and private key sk · Private key is kept secret by receiver · Dsk(Epk(mesg)) = mesg and vice versa · Knowing Ke gives no clue about Kd
  • 13. Digital signature Sign: sign(sk,m) = Dsk(m) Verify: Epk(sign(sk,m)) = m Sign on small hash function to reduce cost
  • 14. Signed and secret messages pk2 m pk1 sign(sk1, m) Verify-sign Encrypt(pk1) Encrypt(pk2) Epk2(Dsk1(m) ) Decrypt(sk2) First sign, then encrypt: order is important.
  • 15. Digital certificates How to establish authenticity of public key? Register public key Download public key
  • 17. Electronic payments: Issues  Secure transfer across internet  High reliability: no single failure point  Atomic transactions  Anonymity of buyer  Economic and computational efficiency: allow micropayments  Flexiblility: across different methods  Scalability in number of servers and users
  • 18. E-Payments: Secure transfer  SSL: Secure socket layer – below application layer  S-HTTP: Secure HTTP: – On top of http
  • 19. SSL: Secure Socket Layer  Application protocol independent  Provides connection security as: – Connection is private: Encryption is used after an initial handshake to define secret (symmetric) key – Peer's identity can be authenticated using public (asymmetric) key – Connection is reliable: Message transport includes a message integrity check (hash)  SSL Handshake protocol: – Allows server and client to authenticate each other and negotiate a encryption key
  • 20. SSL Handshake Protocol  1. Client "Hello": challenge data, cipher specs  2. Server "Hello": connection ID, public key certificate, cipher specs  3. Client "session-key": encrypted with server's public key  4. Client "finish": connection ID signed with client's private key  5. Server "verify": client's challenge data signed with server's private key  6. Server "finish": session ID signed with server's private key  Session IDs and encryption options cached to avoid renegotiation for reconnection
  • 21. S-HTTP: Secure HTTP  Application level security (HTTP specific)  "Content-Privacy-Domain" header: – Allows use of digital signatures &/ encryption – Various encryption options  Server-Browser negotiate – Property: cryptographic scheme to be used – Value: specific algorithm to be used – Direction: One way/Two way security
  • 22. Secure end to end protocols
  • 23. E-Payments: Atomicity  Money atomicity: no creation/destruction of money when transferred  Goods atomicity: no payment w/o goods and viceversa. – Eg: pay on delivery of parcel  Certified delivery: the goods delivered is what was promised: – Open the parcel in front of a trusted 3rd party
  • 25. Payment system types  Credit card-based methods – Credit card over SSL - First Virtual -SET  Electronic Cheques – - NetCheque  Anonymous payments – - Digicash - CAFE  Micropayments  SmartCards
  • 26. Encrypted credit card payment  Set secure communication channel between buyer and seller  Send credit card number to merchant encrypted using merchant’s public key  Problems: merchant fraud, no customer signature  Ensures money but no goods atomicity  Not suitable for microtransactions
  • 27. First virtual  Customer assigned virtual PIN by phone  Customer uses PIN to make purchases  Merchant contacts First virtual  First virtual send email to customer  If customer confirms, payment made to merchant  Not goods atomic since customer can refuse to pay  Not suitable for small transactions  Flood customer’s mailbox, delay merchant
  • 28. Cybercash  Customer opens account with cybercash, gives credit card number and gets a PIN  Special software on customer side sends PIN, signature, transaction amount to merchant  Merchant forwards to cybercash server that completes credit card transaction  Pros: credit card # not shown to server, fast  Cons: not for microtransactions
  • 29. SET:Secure Electronic Transactions  Merge of STT, SEPP, iKP  Secure credit card based protocol  Common structure: – Customer digitally signs a purchase along with price and encrypts in bank’s public key – Merchant submits a sales request with price to bank. – Bank compares purchase and sales request. If price match, bank authorizes sales  Avoids merchant fraud, ensures money but no goods atomicity
  • 30. Electronic Cheques  Leverages the check payments system, a core competency of the banking industry.  Fits within current business practices  Works like a paper check does but in pure electronic form, with fewer manual steps.  Can be used by all bank customers who have checking accounts  Different from Electronic fund transfers
  • 31. How does echeck work?  Exactly same way as paper  Check writer "writes" the echeck using one of many types of electronic devices  ”Gives" the echeck to the payee electronically.  Payee "deposits" echeck, receives credit,  Payee's bank "clears" the echeck to the paying bank.  Paying bank validates the echeck and "charges" the check writer's account for the check.
  • 32. Anonymous payments 5. Deposit token at bank. If double spent reveal identity and notify police 1. Withdraw money: cyrpographically encoded tokens merchant customer 3. Send token after adding merchant’s identity 4. Check validity and send goods 2. Transform so merchant can check validity but identity hidden
  • 33. Problems with the protocol  Not money atomic: if crash after 3, money lost – if money actually sent to merchant: returning to bank will alert police – if money not sent: not sending will lead to loss  High cost of cryptographic transformations: not suitable for micropayments  Examples: Digicash
  • 34. Micropayments on hyperlinks  HTML extended to have pricing details with each link: displayed when user around the link  On clicking, browser talks to E-Wallet that initiates payment to webserver of the source site  Payment for content providers  Attempt to reduce overhead per transaction
  • 35. Micropayments: NetBill  Customer & merchant have account with NetBill server  Protocol: – Customer request quote from merchant, gets quote and accepts – Merchant sends goods encrypted by key K – Customer prepares & signs Electronic Purchase Order having <price, crypto-checksum of goods> – Merchant countersigns EPO, signs K and sends both to NetBill server – NetBill verifies signatures and transfers funds, stores K and crypto-checksum and – NetBill sends receipt to merchant and K to customer
  • 36. Recent micropayment systems Company Payment Unique system code Compaq Millicent mcent IBM IBM payment mpay system France Micrommerce microm Telecom
  • 37. Smartcards  8-bit micro, < 5MHz, < 2k RAM, 20k ROM  Download electronic money on a card: wallet on a card  Efficient, secure, paperless, intuitive and speedy  Real and virtual stores accept them  Less susceptible to net attacks since disconnected  Has other uses spanning many industries, from banking to health care
  • 38. Mondex  Smart card based sales and card to card transfers  Money is secured through a password and transactions are logged on the card  Other operation and features similar to traditional debit cards  Card signs transaction: so no anonymity  Need card reader everywhere  Available only in prototypes
  • 39. Summary  Various protocols and software infrastructure for ecommerce  Today: credit card over SSL or S-HTTP  Getting there: – smart cards, – digital certificates  Need: – legal base for the entire ecommerce business – global market place for ecommerce