1 1
A part of SSL (Secure Socket Layer) is available on customers browsers it is basically an encryption mechanism for order taking, queries and other applications it does not protect against all security hazards it is mature, simple and widely used But does not include a digital wallet SET ( Secure Electronic Transaction) is a very comprehensive security protocol (with digital wallet) it provides for privacy, authenticity, integrity, and nonrepudiation it is used very infrequently due to its complexity and the need for a special card reader by the user it may be abandoned if it is not simplified/improved
3
digital certificates, all similar to SET; e-chequebook instead of DW; does not
6
X
7
Authentication: A way to verify the buyers identity before payments are made Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission Encryption: A process of making messages indecipherable except by those who have an authorized decryption key Non-repudiation: Merchants need protection against the customers unjustifiable denial of placed orders, and customers need protection against the merchants unjustifiable denial of past payment Digital envelope: (p 281) a technique which uses symmetric encryption for documents, but public key encryption to cover the symmetric key.
8
Original Message
Scrambled
Internet
Receiver Decryption
Public Key Cryptography (RSA) p 279 Public Keyreceiver Private Keyreceiver Internet
Scrambled Message Original Message
Message
Original Message
Scrambled Message
Receiver
Public Keysender
Internet
Scrambled Message
Original Message
Receiver
10
Analogous to handwritten signature: Note the difference between cases 1 and 2 below
1. Sender encrypts a message with her private key 2. A digital signature is attached by a sender to a message encrypted with the receivers public key
Any receiver with senders public key can read it The receiver is the only one that can read the message and at the same time he is assured that the message was indeed sent by the sender 11
A digital certificate Includes owners name, his/her public keys, the appropriate algorithm, certificate type (merchant, cardholder, payment gateway), CAs name and signature. One public key is for secret exchange as receiver and the other is for digital signature as sender Issued by a trusted certificate authority (CA)
12
Public or private, comes in levels (hierarchy) A trusted third party Issuer of digital certificates Verifies that a public key indeed belongs to a certain individual
RCA : Root Certificate Authority (yet undecided) BCA : Brand Certificate Authority (e.g. Verisign) GCA : Geo-political Certificate Authority (national level) CCA : Cardholder Certificate Authority MCA : Merchant Certificate Authority PCA : Payment Gateway Certificate Authority
Simple
SSL is a protocol for generalpurpose secure message exchanges (encryption).
SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information see Fig 8.8, p 286.
14
Client-based digital wallets are software applications that consumers install on their computer, and that offer consumer convenience by automatically filling out forms at online stores
Electronic Commerce Modeling Language (ECML) is a standard of digital wallets
15
FUNCTIONALITY OF DIGITAL
WALLETS - X
16
EFT p 287
VAN (via ACH) preceded NET: provided better security compared to the Internet. The Internet is destined to become the most economical EFT medium DEBIT CARDS To authorize an EFT. Offer less protection compared to a credit card, but are fee-free to the merchant (incentive)
17
Store ID information and available balance Now include programmable IC chip, to enable recharging Read Mondex example in the box item, p 291
18
Issuing Banks were affiliated to DigiCash Needed tracing of usage records, which made it as expensive as EFT
Stored-value cards p 292 For all practical purposes, same as a prepaid card Mondex, VisaCash and others have used the approach May be either anonymous or identifiable (be careful with the word onymous it is currently not being used)
Anonymous cards are transferable
20
E Cheques p 295
E Chequebook as discussed
With the proposed SafeCheck system, unintentional default risky cheque issuance can be prevented