Secure Web Transactions Overview Electronic Commerce Underlying Technologies
Secure Web Transactions
Overview
§ Electronic Commerce
§ Underlying Technologies
– Cryptography
– Network Security Protocols
§ Electronic Payment Systems
– Credit card-based methods
– Electronic Cheques
– Anonymous payment
– Micropayments
– Smart Cards
Commerce
§ Commerce: Exchange of Goods / Services
– Contracting parties: Buyer and Seller
– Fundamental principles: Trust and Security
– Intermediaries:
• Direct (Distributors, Retailers)
• Indirect (Banks, Regulators)
§ Money is a medium to facilitate transactions
§ Attributes of money:
– Acceptability, Portability, Divisibility
– Security, Anonymity
– Durability, Interoperability
E-Commerce
§ Automation of commercial transactions using computer and communication technologies
§ Facilitated by the Internet and WWW
§ Business-to-Business: EDI
§ Business-to-Consumer: WWW retailing
§ Some features:
– Easy, global access, 24 hour availability
– Customized products and services
– Back office integration
– Additional revenue stream
E-Commerce Steps
§ Attract prospects to your site
– Positive online experience
– Value over traditional retail
§ Convert prospect to customer
– Provide customized services
– Online ordering, billing and payment
§ Keep them coming back
– Online customer service
– Offer more products and conveniences
– Maximize revenue per sale
E-Commerce Participants
E-Commerce Problems (figure labels): Snooper, Unknown customer, Unreliable Merchant
E-Commerce Risks
§ Customer's risks
– Stolen credentials or password
– Dishonest merchant
– Disputes over transaction
– Inappropriate use of transaction details
§ Merchant's risks
– Forged or copied instruments
– Disputed charges
– Insufficient funds in customer's account
– Unauthorized redistribution of purchased items
§ Main issue: Secure payment scheme
Why is the Internet insecure?
§ Host security
– Client
– Server (multi-user)
§ Transmission security
– Passive sniffing
– Active spoofing and masquerading
– Denial of service
§ Active content
– Java, JavaScript, ActiveX, DCOM
(Figure: attack patterns between parties A, B and C: denial of service, eavesdropping, interception, replay/fabrication)
E-Commerce Security
§ Authorization, Access Control:
– protect the intranet from hordes: Firewalls
§ Confidentiality, Data Integrity:
– protect contents against snoopers: Encryption
§ Authentication:
– both parties prove their identity before starting the transaction: Digital certificates
§ Non-repudiation:
– proof that the document originated from you and you only: Digital signature
Encryption (shared key)
m: message, k: shared key
– Sender and receiver agree on a key K
– No one else knows K
– K is used to derive the encryption key EK and the decryption key DK
– Sender computes and sends EK(m)
– Receiver computes DK(EK(m)) = m
– Example: DES (Data Encryption Standard)
Public key encryption
m: message, sk: private (secret) key, pk: public key
– Separate public key pk and private key sk
– The private key is kept secret by the receiver
– Dsk(Epk(m)) = m and vice versa
– Knowing pk gives no clue about sk
Digital signature
– Sign: sign(sk, m) = Dsk(m)
– Verify: Epk(sign(sk, m)) = m
– Sign a small hash of the message rather than the message itself, to reduce cost
Signed and secret messages
– Sender (keys pk1, sk1) signs: sign(sk1, m) = Dsk1(m)
– Sender encrypts for the receiver (keys pk2, sk2): Epk2(Dsk1(m))
– Receiver decrypts with sk2, then verifies the signature with pk1
– First sign, then encrypt: order is important.
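As an added example (not from the slides), the E/D duality, hashed signing and the sign-then-encrypt order above carried out in textbook RSA. The Mersenne-prime toy keys are constructed for illustration only and far too small for real use; real schemes also add padding.

```python
import hashlib
import math

# Constructed toy keys from Mersenne primes: far too small for real use, and no padding.
M61, M89, M107 = 2**61 - 1, 2**89 - 1, 2**107 - 1

def keygen(p, q, e=65537):
    """Return (pk, sk) = ((e, n), (d, n)) with D_sk(E_pk(x)) == x and vice versa."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def E(pk, x):  # E_pk: public-key operation (encrypt, or verify a signature)
    e, n = pk
    return pow(x, e, n)

def D(sk, x):  # D_sk: private-key operation (decrypt, or sign)
    d, n = sk
    return pow(x, d, n)

def h(m: bytes, n: int) -> int:
    """Small hash of the message reduced into the modulus, so signing stays cheap."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(sk, m: bytes) -> int:
    return D(sk, h(m, sk[1]))            # sign(sk, m) = D_sk(hash(m))

def verify(pk, m: bytes, sig: int) -> bool:
    return E(pk, sig) == h(m, pk[1])     # E_pk(sign(sk, m)) must equal hash(m)

def sign_then_encrypt(sk1, pk2, m: bytes):
    """Party 1 signs first, then encrypts message and signature for party 2."""
    m_int = int.from_bytes(m, "big")
    if m_int >= pk2[1] or sk1[1] > pk2[1]:
        raise ValueError("toy RSA: message and signature must fit under the receiver's modulus")
    return E(pk2, m_int), E(pk2, sign(sk1, m))

def decrypt_then_verify(sk2, pk1, c_msg: int, c_sig: int):
    """Party 2 decrypts both parts with sk2, then checks the signature under pk1."""
    m_int = D(sk2, c_msg)
    m = m_int.to_bytes((m_int.bit_length() + 7) // 8, "big")
    return m, verify(pk1, m, D(sk2, c_sig))

if __name__ == "__main__":
    pk1, sk1 = keygen(M61, M89)       # sender
    pk2, sk2 = keygen(M89, M107)      # receiver (larger modulus, see sign_then_encrypt)
    c_msg, c_sig = sign_then_encrypt(sk1, pk2, b"pay 100 to shop")
    print(decrypt_then_verify(sk2, pk1, c_msg, c_sig))
```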
Digital certificates
– How to establish the authenticity of a public key?
(Figure: register public key; download public key)
Certification authority
Electronic payments: Issues
§ Secure transfer across the Internet
§ High reliability: no single failure point
§ Atomic transactions
§ Anonymity of buyer
§ Economic and computational efficiency: allow micropayments
§ Flexibility: across different methods
§ Scalability in number of servers and users
E-Payments: Secure transfer
§ SSL: Secure Socket Layer
– below the application layer
§ S-HTTP: Secure HTTP
– on top of HTTP
SSL: Secure Socket Layer
§ Application protocol independent
§ Provides connection security as:
– Connection is private: encryption is used after an initial handshake to define a secret (symmetric) key
– Peer's identity can be authenticated using a public (asymmetric) key
– Connection is reliable: message transport includes a message integrity check (hash)
§ SSL Handshake protocol:
– Allows server and client to authenticate each other and negotiate an encryption key
SSL Handshake Protocol
§ 1. Client "Hello": challenge data, cipher specs
§ 2. Server "Hello": connection ID, public key certificate, cipher specs
§ 3. Client "session-key": encrypted with the server's public key
§ 4. Client "finish": connection ID signed with the client's private key
§ 5. Server "verify": client's challenge data signed with the server's private key
§ 6. Server "finish": session ID signed with the server's private key
§ Session IDs and encryption options are cached to avoid renegotiation on reconnection
S-HTTP: Secure HTTP
§ Application level security (HTTP specific)
§ "Content-Privacy-Domain" header:
– Allows use of digital signatures and/or encryption
– Various encryption options
§ Server and browser negotiate:
– Property: cryptographic scheme to be used
– Value: specific algorithm to be used
– Direction: one-way/two-way security
Secure end to end protocols
E-Payments: Atomicity
§ Money atomicity: no creation/destruction of money when transferred
§ Goods atomicity: no payment without goods and vice versa
– E.g.: pay on delivery of the parcel
§ Certified delivery: the goods delivered are what was promised
– Open the parcel in front of a trusted 3rd party
Anonymity of purchaser
Types of Payment Systems
§ Cash
§ Checking Transfer
§ Credit Card
§ Stored Value
§ Accumulating Balance
Copyright © 2009 Pearson Education, Inc.
Cash
§ Legal tender
§ Most common form of payment in terms of number of transactions
§ Instantly convertible into other forms of value without intermediation
§ Portable, requires no authentication
§ "Free" (no transaction fee), anonymous, low cognitive demands
§ Limitations: easily stolen, limited to smaller transactions, does not provide any float
Checking Transfer
§ Funds transferred directly via signed draft/check from a consumer's checking account to a merchant or other individual
§ Most common form of payment in terms of amount spent
§ Can be used for small and large transactions
§ Some float
§ Not anonymous, requires third-party intervention (banks)
§ Introduces security risks for merchants (forgeries, stopped payments), so authentication is typically required
Credit Card
§ Represents an account that extends credit to consumers; allows consumers to make payments to multiple vendors at one time
§ Credit card associations:
– Nonprofit associations (Visa, MasterCard) that set standards for issuing banks
§ Issuing banks:
– Issue cards and process transactions
§ Processing centers (clearinghouses):
– Handle verification of accounts and balances
Stored Value
§ Accounts created by depositing funds into an account and from which funds are paid out or withdrawn as needed
– Examples: Debit cards, gift certificates, prepaid cards, smart cards
§ Peer-to-peer payment systems
– Variation on stored value systems
– e.g. PayPal
Accumulating Balance
§ Accounts that accumulate expenditures and to which consumers make periodic payments
– Examples: Utility, phone, American Express accounts
§ Evaluating payment systems:
– Different stakeholders (consumers, merchants, financial intermediaries, government regulators) have different priorities in payment system dimensions (refutability, risk, anonymity, etc.)
Dimensions of Payment Systems (Table 5.6, Page 309)
E-commerce Payment Systems
§ Credit cards are the dominant form of online payment, accounting for around 60% of online payments in 2008
§ Other e-commerce payment systems:
– Digital wallets
– Digital cash
– Online stored value payment systems
– Digital accumulating balance systems
– Digital checking
How an Online Credit Transaction Works (Figure 5.18, Page 312)
Limitations of Online Credit Card Payment Systems
§ Security:
– Neither merchant nor consumer can be fully authenticated
§ Cost:
– For merchants, around 3.5% of the purchase price plus a transaction fee of 20 to 30 cents per transaction
§ Social equity:
– Many people do not have access to credit cards
Digital Wallets
§ Seek to emulate the functionality of a traditional wallet
§ Most important functions:
– Authenticate the consumer through use of digital certificates or other encryption methods
– Store and transfer value
– Secure the payment process from consumer to merchant
§ Early efforts to popularize them have failed
§ Newest effort: Google Checkout
Digital Cash
§ One of the first forms of alternative payment systems
§ Not really "cash"
– A form of value storage and value exchange using tokens that have limited convertibility into other forms of value, and requires intermediaries to convert
§ Most early examples have disappeared; protocols and practices were too complex
Online Stored Value Systems
§ Permit consumers to make instant, online payments to merchants and other individuals
§ Based on value stored in a consumer's bank, checking, or credit card account
§ PayPal is the most successful system
§ Smart cards
– Contact smart cards: require a physical reader
• Mondex
– Contactless smart cards: use RFID
• EZPass
• Octopus
Digital Accumulating Balance Payment Systems
§ Allow users to make micropayments and purchases on the Web
§ Users accumulate a debit balance for which they are billed at the end of the month
§ Valista's PaymentsPlus
§ Clickshare
Digital Checking Payment Systems
§ Extends the functionality of existing checking accounts for use as an online shopping payment tool
§ Example: PayByCheck
Wireless Payment Systems
§ Use of mobile handsets as payment devices is well established in Europe, Japan, South Korea
§ Japanese mobile payment systems
– E-money (stored value)
– Mobile debit cards
– Mobile credit cards
§ Not as well established yet in the U.S., but with growth in Wi-Fi and 3G cellular phone systems, this is beginning to change
Insight on Business: Mobile Payment's Future: Wavepayme, Textpayme
Group Discussion
§ What technologies make mobile payment more feasible now than in the past?
§ Describe some new experiments that are helping to develop mobile payment systems.
§ How has PayPal responded?
§ Why haven't mobile payment systems grown faster? What factors will spur their growth?
Electronic Billing Presentment and Payment (EBPP)
§ Online payment systems for monthly bills
§ 50% of households in 2008 used some EBPP; expected to grow to 75% by 2012
§ Two competing EBPP business models:
– Biller-direct: dominant model
– Consolidator: third party aggregates the consumer's bills
§ Both models are supported by EBPP infrastructure providers
Payment system types
§ Credit card-based methods
– Credit card over SSL
– First Virtual
– SET
§ Electronic Cheques
– NetCheque
§ Anonymous payments
– Digicash
– CAFE
§ Micropayments
§ SmartCards
Encrypted credit card payment
§ Set up a secure communication channel between buyer and seller
§ Send the credit card number to the merchant encrypted using the merchant's public key
§ Problems: merchant fraud, no customer signature
§ Ensures money atomicity but not goods atomicity
§ Not suitable for microtransactions
First Virtual
§ Customer is assigned a virtual PIN by phone
§ Customer uses the PIN to make purchases
§ Merchant contacts First Virtual, which sends email to the customer
§ If the customer confirms, payment is made to the merchant
§ Not goods atomic since the customer can refuse to pay
§ Not suitable for small transactions
§ Floods the customer's mailbox, delays the merchant
Cybercash
§ Customer opens an account with Cybercash, gives a credit card number and gets a PIN
§ Special software on the customer side sends PIN, signature and transaction amount to the merchant
§ Merchant forwards these to the Cybercash server, which completes the credit card transaction
§ Pros: credit card number not shown to the merchant server, fast
§ Cons: not for microtransactions
SET: Secure Electronic Transactions
§ Merge of STT, SEPP, iKP
§ Secure credit card based protocol
§ Common structure:
– Customer digitally signs a purchase along with the price and encrypts it with the bank's public key
– Merchant submits a sales request with the price to the bank
– Bank compares purchase and sales request; if the prices match, the bank authorizes the sale
§ Avoids merchant fraud; ensures money atomicity but not goods atomicity
Electronic Cheques
§ Leverage the check payment system, a core competency of the banking industry
§ Fit within current business practices
§ Work like a paper check does but in pure electronic form, with fewer manual steps
§ Can be used by all bank customers who have checking accounts
§ Different from electronic fund transfers
How does echeck work?
§ Exactly the same way as paper
§ Check writer "writes" the echeck using one of many types of electronic devices
§ "Gives" the echeck to the payee electronically
§ Payee "deposits" the echeck and receives credit
§ Payee's bank "clears" the echeck to the paying bank
§ Paying bank validates the echeck and "charges" the check writer's account for the check
Anonymous payments (parties: customer, merchant, bank)
1. Customer withdraws money from the bank: cryptographically encoded tokens
2. Customer transforms the token so the merchant can check its validity but the customer's identity stays hidden
3. Customer sends the token to the merchant after adding the merchant's identity
4. Merchant checks validity and sends the goods
5. Merchant deposits the token at the bank; if it was double spent, the bank reveals the identity and notifies the police
Problems with the protocol
§ Not money atomic: if there is a crash after step 3, money is lost
– if the money was actually sent to the merchant: returning the token to the bank will alert the police
– if the money was not sent: not sending it leads to loss
§ High cost of cryptographic transformations: not suitable for micropayments
§ Examples: Digicash
Micropayments on hyperlinks
§ HTML extended to carry pricing details with each link: displayed when the user's pointer is around the link
§ On clicking, the browser talks to an E-Wallet that initiates payment to the web server of the source site
§ Payment for content providers
§ Attempt to reduce the overhead per transaction
Micropayments: NetBill
§ Customer and merchant have an account with the NetBill server
§ Protocol:
– Customer requests a quote from the merchant, gets the quote and accepts
– Merchant sends the goods encrypted with a key K
– Customer prepares and signs an Electronic Purchase Order (EPO) containing <price, crypto-checksum of goods>
– Merchant countersigns the EPO, signs K and sends both to the NetBill server
– NetBill verifies the signatures, transfers the funds, and stores K and the crypto-checksum
– NetBill sends a receipt to the merchant and K to the customer
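An added simulation of the NetBill exchange above (example code, not NetBill's own): the customer only obtains K after NetBill has verified both signatures and moved the funds, and a merchant countersignature over a different price is rejected. HMAC tags over constructed per-party secrets stand in for the real protocol's public-key signatures, on the assumption that NetBill shares each party's secret; the stream cipher is a toy.

```python
import hashlib
import hmac
import os

# Constructed per-party secrets (stand-ins for signing keys) and NetBill's server state.
KEYS = {"alice": b"customer-secret-constructed", "shop": b"merchant-secret-constructed"}
SERVER = {"ledger": {}, "log": {}}

def open_accounts(balances):
    SERVER["ledger"], SERVER["log"] = dict(balances), {}

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)

def encrypt(k, data):
    """Toy SHA-256 counter-mode stream cipher; XOR-based, so decrypt == encrypt."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_epo(price, enc_goods):
    """Electronic Purchase Order: <price, crypto-checksum of the goods as delivered>."""
    return price.to_bytes(4, "big") + hashlib.sha256(enc_goods).digest()

def netbill_settle(cust, merch, epo, cust_sig, merch_sig, K, k_sig):
    """NetBill server: verify all signatures, transfer funds, store K and checksum, release K."""
    ok = (verify(KEYS[cust], epo, cust_sig) and verify(KEYS[merch], epo, merch_sig)
          and verify(KEYS[merch], K, k_sig))
    price = int.from_bytes(epo[:4], "big")
    if not ok or SERVER["ledger"][cust] < price:
        return None                        # no funds move and the customer never gets K
    SERVER["ledger"][cust] -= price
    SERVER["ledger"][merch] += price
    SERVER["log"][epo] = K                 # K stays bound to the checksum for dispute resolution
    return K

def purchase(cust, merch, goods, agreed_price, merch_price):
    """Run the slide's steps; returns (goods the customer recovers, or None, customer balance)."""
    K = os.urandom(16)
    enc_goods = encrypt(K, goods)                       # merchant sends goods encrypted under K
    epo = make_epo(agreed_price, enc_goods)             # customer prepares and signs the EPO
    cust_sig = sign(KEYS[cust], epo)
    merch_sig = sign(KEYS[merch], make_epo(merch_price, enc_goods))   # merchant countersigns
    K_out = netbill_settle(cust, merch, epo, cust_sig, merch_sig, K, sign(KEYS[merch], K))
    goods_out = None if K_out is None else encrypt(K_out, enc_goods)  # receipt K unlocks goods
    return goods_out, SERVER["ledger"][cust]
```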
Recent micropayment systems
Smartcards
§ 8-bit micro, < 5 MHz, < 2K RAM, 20K ROM
§ Download electronic money onto a card: wallet on a card
§ Efficient, secure, paperless, intuitive and speedy
§ Real and virtual stores accept them
§ Less susceptible to net attacks since disconnected
§ Has other uses spanning many industries, from banking to health care
Mondex
§ Smart card based sales and card-to-card transfers
§ Money is secured through a password and transactions are logged on the card
§ Other operations and features similar to traditional debit cards
§ Card signs the transaction: so no anonymity
§ Need a card reader everywhere
§ Available only in prototypes
Summary
§ Various protocols and software infrastructure for ecommerce
§ Today: credit card over SSL or S-HTTP
§ Getting there:
– smart cards
– digital certificates
§ Need:
– legal base for the entire ecommerce business
– global market place for ecommerce