SET Comparative Performance Analysis A White Paper from

SET Comparative Performance Analysis A White Paper from Gartner. Group Summarized by Sasan Adibi Secure Electronic Transaction Sasan Adibi

Agenda • • Objective SSL and it’s issues SET and it’s issues Principles of Cryptography • • • Privacy Authentication Authorization Integrity Non-Repudiation Certificates Authorities Master. Card Examples Different Performance Comparisons Conclusion Secure Electronic Transaction Sasan Adibi 2

Objective To discuss different online transaction mechanisms and compare their functionality versus performance and cost Secure Electronic Transaction Sasan Adibi 3

Leading protocols for securing the online purchase process , • Secure Sockets Layer (SSL) protocol (encrypted transaction) • Secure Electronic Transaction (SET) protocol (authenticate buyers) • OFX • OBI Secure Electronic Transaction Sasan Adibi 4

SSL (Secure Socket Layer) • Session Level Security • Certain level of trust between online purchaser and online seller • Purchaser is authorized to use the credit card • Seller is authorized to accept credit cards • Seller protects against all types of security issues Secure Electronic Transaction Sasan Adibi 5

SSL’s Drawbacks • Security is always an on-going issue • Specially for “soft goods” • Complex communication/handshaking • Slow • Minimal graphics, lack of visual attractions Secure Electronic Transaction Sasan Adibi 6

SET (Secure Electronic Transaction) • Ensure your customer is authorized to use his account • Customer wants to make sure you are the legit seller • Ensure payment is received • Ensure goods are received Secure Electronic Transaction Sasan Adibi 7

Five Principles of Cryptosystems • Privacy (only the intended recipient can • • read your messages) Authentication (you are who you say you are) Authorization (who can do what) Integrity (you and the recipient both know nothing got changed) Non-repudiation (no one can falsely deny a transaction) Secure Electronic Transaction Sasan Adibi 8

Privacy • Privacy means that the message contents cannot be seen by anyone but the intended parties • Accomplished through the use of encryption Secure Electronic Transaction Sasan Adibi 9

Authentication • Authentication means that each party involved in the transaction is identified as legitimate • Accomplished through the use of certificates • A certificate is a notarized public key (like a passport or a driver’s license) • Issued by a trusted third party called a Certificate Authority • Binds the certificate owner to the public key within the certificate Secure Electronic Transaction Sasan Adibi 10

Authorization • Lists of users who have different rights to do various tasks on a web site • Being able to track individuals throughout your computing systems and multiple logins Secure Electronic Transaction Sasan Adibi 11

Integrity • Integrity of data means that it cannot be altered by anyone during transmission, to avoid a “man in the middle” attack • Encryption allows only the intended recipient to open the digital envelope • A digital envelope (or ”hash”) = contents of an encrypted message + digital signature Secure Electronic Transaction Sasan Adibi 12

Non-repudiation • Non-repudiation means both parties to the transaction are ensured that the message is genuine and cannot be disputed • Parties are identified with certificates that have been notarized by a trusted Certificate Authority • It will be much harder for customers to claim they never placed the order Secure Electronic Transaction Sasan Adibi 13

Why Should You Get a Server Certificate? • You want those who visit your web site to know you are a legitimate business • A certificate is required to operate a secure server (SSL) Secure Electronic Transaction Sasan Adibi 14

Certificate Authorities (CAs) • Anyone who issues certificates is a Certificate Authority (CA). They’re required to publish the certificate they issue. In practice this functionality is broken down into other subtasks… • Trusted third parties, similar to notaries • Can be external or internal (server is managed within your own company) • Choice of a CA may depend on your merchant server software Secure Electronic Transaction Sasan Adibi 15

Steps in Certificate Creation • Refer to you server software documentation for selection of a CA and instructions • Generally you will do the following: • • Generate a key pair of public and private keys Send the public key and other information to CA CA verifies information provided Upon verification, CA creates a certificate containing public key and expiration date • The Certificate is sent back to applicant and may be posted publicly, if appropriate Secure Electronic Transaction Sasan Adibi 16

Examples of Certificate Authorities • Veri. Sign • www. Verisign. com • GTE Cyber. Trust Solutions, Inc. • www. cybertrust. gte. com • Thawte Consulting • www. thawte. com Secure Electronic Transaction Sasan Adibi 17

Different Classes of Certs • Class 1 (No authentication, emails) • Class 2 (Minimum authentication) • Class 3 (Substantial authentication) • Class 4 (High security) Secure Electronic Transaction Sasan Adibi 18

Certificate Management • Once public key certificates are issued, they must be managed to maintain integrity • They contain expiration dates • They may be revoked for various reasons • Upon expiration, certificates must be renewed or reissued • This is a consideration for using an external CA, as opposed to managing an internal CA Secure Electronic Transaction Sasan Adibi 19

How is this accomplished? • Secure servers and browsers • Capable of strong encryption (up to 128 bit) • 40 bit encryption is no longer considered adequate for financial transactions • Digital certificates • Ensure the identity of the certificate holder and are used to prevent impersonation/man-in-the middle attack • Also called digital IDs • The common protocol in use today is Secure Sockets Layer (SSL) Secure Electronic Transaction Sasan Adibi 20

Secure Sockets Layer Protocol (SSL) • Authenticates the merchant server • Merchant Certificate obtained from trusted Certificate Authority • Provides privacy through encryption of the message for both the sender and receiver • Secure “pipe” negotiates maximum encryption compatible at browser and server for each message transmitted • Ensures integrity of data transmitted • Message authenticity check (algorithm) Secure Electronic Transaction Sasan Adibi 21

Secure Sockets Layer Protocol (SSL) Merchant’s Certificate (Digital ID) can be viewed by any secure browser • https: // in the URL = a secure connection • SSL allows customers to verify who the merchant is • The merchant’s digital ID does not certify the integrity of the merchant Secure Electronic Transaction Sasan Adibi 22

Secure Sockets Layer Protocol (SSL) Customer Order with Encrypted Payment Information order sent Customer order decrypted at merchant server • SSL encrypts the customer order, which includes the payment information • This data is sent from the customer to the merchant via a secure “pipe” Secure Electronic Transaction Sasan Adibi 23

What SSL Doesn’t Encrypt • Once the data arrives on the secure server, it could be stored in an insecure location! • Or if someone has physical access to your desktop or server Secure Electronic Transaction Sasan Adibi 24

SSL: How do you get a certificate for your merchant server? ‘ • Apply to Certificate Authority • Instructions built into merchant server software • You will be asked to provide valid business license and other ID • Cost is dependent upon level of certification Secure Electronic Transaction Sasan Adibi 25

Encryption Strength • It is illegal to export outside the US products containing encryption that is stronger than 40 bits • It is not illegal to use encryption stronger than 40 bits internationally • Financial institutions do not consider 40 bit encryption adequate for Internet transactions Secure Electronic Transaction Sasan Adibi 26

Encryption Strength • Newer browser and server software capable of 128 -bit encryption • 128 -bit encryption is exponentially stronger than 40 -bit encryption Secure Electronic Transaction Sasan Adibi 27

SET: Authenticate Buyers • What is the protocol • How it works • Advantages and disadvantages Secure Electronic Transaction Sasan Adibi 28

What is SET protocol? • Secure Electronic Transaction protocol is a common standard that was developed jointly by Visa, Master. Card and other partners to ensure the processing of secure transactions. • Based on RSA encryption • Uses public and private key pairs that have a mathematical relationship Secure Electronic Transaction Sasan Adibi 29

How is SET Different from SSL? • Digital certificates for SET will be payment- specific • Merchants will be certified as legitimate to accept branded payment card transactions • Cardholders will be certified as valid account holders • Merchants will not see customer’s account number (it will only be passed to the acquirer) Secure Electronic Transaction Sasan Adibi 30

How is SET Different from SSL? With SET: Customer’s Digital ID related to a specific account + Customer Order info Merchant Server gets Customer’s Digital ID minus the account number + Customer Order Acquirer gets order receipt + Customer’s Digital ID with account number Secure Electronic Transaction Sasan Adibi 31

The Mechanics of SET • (1) Payment info sent from user to merchant • (2) Merchant confirms, fees charged • (3) Transaction to bank, funds debited/credited • (4) Merchant sends item to user Secure Electronic Transaction Sasan Adibi 32

How Will Certificates (Digital IDs) be issued for e. Commerce? ‘ • Hierarchy of trust for certificate issuance • Visa and Master. Card will designate a Certificate Authority to hold the Trusted Root • Merchants will obtain certificates from banks’ or acquirers’ Certificate Authority, then store on SET server software • Cardholders will obtain certificates (digital IDs) from their banks’ Certificate Authority, then store in electronic wallet Secure Electronic Transaction Sasan Adibi 33

Master. Card® Example of a SET Transaction ‘ http: //www. mastercard. com/set/screen 1. html Secure Electronic Transaction Sasan Adibi 34

SSL vs. SET SSL • Server authentication • Merchant certificate as legitimate business • Possible for client SET • Server authentication • Merchant certificate tied to accept payment brands • Customer authentication • Not tied to payment method • Digital certificate tied to certain payment method • Privacy • Encrypted message to merchant includes account number • Encrypted message does not pass account number to merchant • Integrity • Message authenticity check (MAC) • Hash/message envelope Secure Electronic Transaction Sasan Adibi 35

Is SET the Answer to e. Commerce? • SET has been proposed as the answer to secure and interoperable e. Commerce • It is not currently mandated by Visa and Master. Card • There are big implementation issues for all concerned • The SET protocol is definitely more secure than SSL • However. . . Secure Electronic Transaction Sasan Adibi 36

SET Issues • Implementation of SET has some big drawbacks: • Lack of interoperability among systems • Management of public key infrastructure • Distribution of digital certificates requires action on the part of the consumer • Will banks want to become cert authorities? • And who will pay for all this? • Meanwhile, e. Commerce goes on Secure Electronic Transaction Sasan Adibi 37

The Future of SET • Non-repudiation of transactions through digital certificates for both merchant and customer • SET may be the industry standard for payments, but yet to be implemented • It will be far more difficult for a customer to claim no knowledge of a transaction • Demonstrations continue Secure Electronic Transaction Sasan Adibi 38

Comparisons and Performance Analysis Secure Electronic Transaction Sasan Adibi

E-Commerce Process Three processes: 1). Customer’s client PC, 2). Merchant’s e-commerce server, 3). acquiring bank’s payment gateway server Secure Electronic Transaction Sasan Adibi 40

e_Commerce Server Performance The operations required for a SET transaction, each of the connections represents a single encryption/decryption operation. As the figure shows, this results in the requirement for two operations per transaction at the client, six at the merchant and four at the acquirer. A SSL connection, in contrast, only requires a single operation at the client, three at the merchant and two at the acquirer. Secure Electronic Transaction Sasan Adibi 41

Technologies to Improve Performance • Symmetric multiprocessing (SMP) CPU scaling • OS’s allocation of functions of CPU • Clustering • Sharing application load among CPUs forming cluster • Cryptographic accelerators • Special-purpose hardware helping cryptography • Elliptical curve cryptography (ECC) • Efficient algorithm with small key size • Random Key Secure Stream (RKS) Electronic Transaction Sasan Adibi 42

Large e-Commerce Server Example Secure Electronic Transaction Sasan Adibi 43

Peak Transaction Per Second Load Secure Electronic Transaction Sasan Adibi 44

Peak Load requirements vs. Capacity with Crypto acceleration Secure Electronic Transaction Sasan Adibi 45

The Effect of ECC Secure Electronic Transaction Sasan Adibi 46

Cost of performance with clustered systems ‘ Secure Electronic Transaction Sasan Adibi 47

Cost of performance with clustered systems and ECC, no cryptographic acceleration ‘ Secure Electronic Transaction Sasan Adibi 48

Cost Comparison of SET and SSL Secure Electronic Transaction Sasan Adibi 49

Conclusion • • Independent of the protocol in use, Cryptographic processes require substantial compute power, The cost of additional hardware support required to support SET is small in all of the application scenarios, including: • For the low and medium e-commerce applications, there is no additional server cost to support SET over SSL. • For the large e-commerce server application, supporting SET requires additional hardware acceleration in the medium term with a 5 percent to 6 percent difference in server cost. • For the small payment gateway application, hardware acceleration is required in the short term, but can be phased out as servers improve in performance and if other improvements, e. i. , elliptical-curve cryptography (ECC) become available. • We anticipate that the large payment gateway applications will always be based on clustered systems for reasons of robustness and reliability. Secure Electronic Transaction Sasan Adibi 50

The End Thank you Secure Electronic Transaction Sasan Adibi