ect 455 hci 513 e commerce web site engineering
Download
Skip this Video
Download Presentation
ECT 455/HCI 513 E-Commerce Web Site Engineering

Loading in 2 Seconds...

play fullscreen
1 / 38

condor.depaul - PowerPoint PPT Presentation


  • 543 Views
  • Uploaded on

ECT 455/HCI 513 E-Commerce Web Site Engineering Electronic Payment Systems Internet Transaction Security Online Payment Systems Online payment is the foundation of systems for EC. How does it mesh with the past and current currency systems? credit cards, debit cards, ATM, banks

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'condor.depaul' - omer


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
ect 455 hci 513 e commerce web site engineering

ECT 455/HCI 513 E-Commerce Web Site Engineering

Electronic Payment Systems

Internet Transaction Security

ECT 455/HCI 513 Susy Chan Ph.D.

online payment systems
Online Payment Systems
  • Online payment is the foundation of systems for EC.
  • How does it mesh with the past and current currency systems?
    • credit cards, debit cards, ATM, banks
  • Political Challenges
    • What about taxes?

ECT 455/HCI 513 Susy Chan Ph.D.

electronic payment systems
Electronic Payment Systems
  • Efficient and effective payment services accepted by consumers and businesses are essential to e-commerce.
  • Requirements:
    • Convenient for web purchasing
    • Transportable over the network
    • Strong enough to thwart electronic interference
    • Cost-effective for extremely low-value transactions

ECT 455/HCI 513 Susy Chan Ph.D.

electronic payment systems4
Electronic Payment Systems
  • Banking and Financial Payments
    • Bank-to-bank transfer (EFT)
    • Home Banking -- CitiBank, Wells Fargo
  • Payment through an Intermediary
    • Open Market *
    • First Virtual (FirstVirtual Pin) *

* Both refer to their earlier business models

ECT 455/HCI 513 Susy Chan Ph.D.

electronic payment systems5
Electronic Payment Systems
  • Electronic Currency Payment Systems
    • Electronic Cash -- CyberCash,Internetcash.com
    • Electronic Checks -- NetCheque
    • e-Wallets (Visa)
  • Smart Cards
    • American Express (blue smart card)
    • Visa
  • Micropayments
    • echarge

ECT 455/HCI 513 Susy Chan Ph.D.

slide6
More
  • Retailing Payment Systems
    • Credit Cards -- Visa or MasterCard
    • Private Label Credit/Debit Cards
    • Charge Cards -- American Express; echarge
  • Peer-to-peer payments (between consumers)
    • PayPal (billpoint)

ECT 455/HCI 513 Susy Chan Ph.D.

credit card transactions
Credit-Card Transactions
  • Popular form of payment for online purchases
  • Resistance due to security concerns
  • Many cards offer capabilities for online and offline purchases
    • Prodigy Internet Mastercard
    • American Express Blue

ECT 455/HCI 513 Susy Chan Ph.D.

online credit card transaction
Online Credit-Card Transaction
  • To accept credit-card payments, a merchant must have a merchant account
  • Traditional merchant accounts accept only POS (point-of-sale) transactions
    • Transactions that occur when you present your credit card at a store
  • Card-not-present (CNP) transaction
    • Merchant does not see actual card being used in the purchase
  • Authentication
    • The person is, in fact, who they say they are

ECT 455/HCI 513 Susy Chan Ph.D.

credit card transaction enablers
Credit-Card Transaction Enablers
  • Credit-Card Transaction Enablers
    • Companies that have established business relationships with financial institutions that will accept online credit-card payments for merchant clients
      • Trintech
      • Cybercash (Verisign)

ECT 455/HCI 513 Susy Chan Ph.D.

e wallets
E-Wallets
  • E-wallets
    • Keep track of your billing and shipping information so that it can be entered with one click at participating sites
    • Store e-checks, e-cash and credit-card information
  • Credit-card companies offer a variety of e-wallets
    • Visa e-wallets
    • MBNA e-wallet allows one-click shopping at member sites
  • A group of e-wallet vendors have standardized technology with Electronic Commerce Modeling Language (ECML)

ECT 455/HCI 513 Susy Chan Ph.D.

digital currency
Digital Currency
  • Digital cash
    • Stored electronically, used to make online electronic payments
    • Similar to traditional bank accounts
    • Used with other payment technologies (digital wallets)
    • Alleviates some security fears online credit-card transactions
    • Allows those with no credit cards to shop online
    • Merchants accepting digital-cash payments avoid credit-card transaction fees

ECT 455/HCI 513 Susy Chan Ph.D.

smart cards
Smart Cards
  • Smart card
    • Card with computer chip embedded on its face, holds more information than ordinary credit card with magnetic strip
    • Contact smart cards
      • To read information on smart cards and update information, contact smart cards need to be placed in a smart card reader
    • Contactless smart cards
      • Have both a coiled antenna and a computer chip inside, enabling the cards to transmit information
    • Can require the user to have a password, giving the smart card a security advantage over credit cards
      • Information can be designated as "read only" or as "no access"
      • Possibility of personal identity theft

ECT 455/HCI 513 Susy Chan Ph.D.

internet security
Internet security
  • Consumers entering highly confidential information
  • Number of security attacks increasing
  • Four requirements of a secure transaction
    • Privacy– information not read by third party
    • Integrity– information not compromised or altered
    • Authentication– sender and receiver prove identities
    • Non-repudiation– legally prove message was sent and received
  • Availability
    • Computer systems continually accessible

ECT 455/HCI 513 Susy Chan Ph.D.

slide14

Secret-key Cryptography

  • Encrypting and decrypting a message using a symmetric key

ECT 455/HCI 513 Susy Chan Ph.D.

secret key cryptography
Secret-key Cryptography
  • Distributing a session key with a key distribution center

ECT 455/HCI 513 Susy Chan Ph.D.

secret key cryptography16
Secret-key Cryptography
  • Secret-key cryptography
    • Same key to encrypt and decrypt message
    • Sender sends message and key to receiver
  • Problems with secret-key cryptography
    • Key must be transmitted to receiver
    • Different key for every receiver
    • Key distribution centers used to reduce these problems
      • Generates session key and sends it to sender and receiver encrypted with the unique key
  • Encryption algorithms
    • Dunn Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES)

ECT 455/HCI 513 Susy Chan Ph.D.

key management
Key Management
  • Key management
    • Handling and security of private keys
    • Key generation
      • The process by which keys are created
      • Must be truly random

ECT 455/HCI 513 Susy Chan Ph.D.

public key cryptography
Public Key Cryptography
  • Public key cryptography
    • Asymmetric– two inversely related keys
      • Private key
      • Public key
    • If public key encrypts only private can decrypt and vice versa
    • Each party has both a public and a private key
    • Either the public key or the private key can be used to encrypt a message
    • Encrypted with public key and private key
      • Proves identity while maintaining security
  • RSA public key algorithm www.rsasecurity.com

ECT 455/HCI 513 Susy Chan Ph.D.

slide19

Public Key Encryption and Decryption

ECT 455/HCI 513 Susy Chan Ph.D.

public key cryptography20
Public Key Cryptography
  • Authentication with a public-key algorithm

ECT 455/HCI 513 Susy Chan Ph.D.

digital signatures
Digital Signatures
  • Digital signature
    • Authenticates sender’s identity
    • Run plaintext through hash function
      • Gives message a mathematical value called hash value
      • Hash value also known as message digest
    • Collision
      • Occurs when multiple messages have same hash value
    • Encrypt message digest with private-key
    • Send signature, encrypted message (with public-key) and hash function
  • Timestamping
    • Binds a time and date to message, solves non-repudiation
    • Third party, time-stamping agency, timestamps messages

ECT 455/HCI 513 Susy Chan Ph.D.

digital certificate
Digital Certificate
  • A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key.
  • Public-key cryptography uses certificates to address the problem of impersonation
  • Certificate authorities (CAs) are entities that validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software

ECT 455/HCI 513 Susy Chan Ph.D.

digital certificate24
Digital Certificate
  • A digital certificate includes:
    • the public key
    • the name of the entity it identifies
    • an expiration date
    • the name of the CA that issued the certificate
    • a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing CA.
  • The CA\'s digital signature allows the certificate to function as a "letter of introduction" for users who know and trust the CA but don\'t know the entity identified by the certificate.

ECT 455/HCI 513 Susy Chan Ph.D.

encryption transaction security secret vs public key encryption
Secret-Key Encryption (single key)

Symmetric encryption, DES

Use a shared secret key for encryption and decryption

Key distribution & disclosure

fast, for bulk data encryption

Public-Key Encryption (Pair of keys)

Asymmetric encryption, RSA (Rivest, Shamin, Adlemann)

Private/Public keys

Need digital certificates and trusted 3rd parties

Slower

For less demanding applications

Encryption & Transaction SecuritySecret vs. Public Key Encryption

ECT 455/HCI 513 Susy Chan Ph.D.

client authentication
Client Authentication
  • Password-Based Authentication.
    • A server might require a user to type a name and password before granting access to the server.
    • The server maintains a list of names and passwords; if a particular name is on the list, and if the user types the correct password, the server grants access.
  • Certificate-Based Authentication.
    • Client authentication based on certificates is part of the SSL protocol.
    • The client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network.
    • The server uses techniques of public-key cryptography to validate the signature and confirm the validity of the certificate

ECT 455/HCI 513 Susy Chan Ph.D.

public key infrastructure certificates and certification authorities
Public Key Infrastructure, Certificates and Certification Authorities

Public Key Infrastructure (PKI)

Integrates public key cryptography with digital certificates and certification authorities

Digital certificate

Digital document issued by certification authority

Includes name of subject, subject’s public key, serial number, expiration date and signature of trusted third party

Verisign (www.verisign.com)

Leading certificate authority

Periodically changing key pairs helps security

ECT 455/HCI 513 Susy Chan Ph.D.

set secure electronic transaction
SET Secure Electronic Transaction
  • The SET protocol is a collection of encryption and security specification used as an industry-wide, open standard for ensuring secure payment transaction over the Internet.
  • A payment protocol to accelerate development of e-commerce and to bolster consumer confidence

ECT 455/HCI 513 Susy Chan Ph.D.

set secure electronic transaction31
SET Secure Electronic Transaction
  • SET establishes a method for interoperability of secure transactions software over multiple, popular hardware platforms and operating systems
  • Developed by Visa and MasterCard, with GTE, IBM, Microsoft, Netscape, SAIC, Terisa Systems and Verisign.
  • Based on encryption technology from RSA Data Security.

ECT 455/HCI 513 Susy Chan Ph.D.

set secure electronic transaction32
SET Secure Electronic Transaction
  • Use digital certificates to authenticate all the parties involved in a transaction
  • SET-compliant software validates both merchant and cardholder before exchange of information
  • Employs public-key encryption and digital signature
  • Complete documentation in visa.com

ECT 455/HCI 513 Susy Chan Ph.D.

secure electronic transaction set
Secure Electronic Transaction (SET)
  • SET protocol
    • Designed to protect e-commerce payments
    • Certifies customer, merchant and merchant’s bank
    • Requirements
      • Merchants must have a digital certificate and SET software
      • Customers must have a digital certificate and digital wallet
    • Digital wallet
      • Stores credit card information and identification
    • Merchant never sees the customer’s personal information
      • Sent straight to banks
  • Microsoft Authenticode
    • Authenticates file downloads
    • Informs users of the download’s author

ECT 455/HCI 513 Susy Chan Ph.D.

advantages of set over channel encryption
Advantages of SET Over Channel Encryption
  • Participants are authenticated via certificates
  • Financial institutions provide assurance, not software
  • SET allows a wallet to clearly distinguish a payment from other uses of web forms
  • SET prevents terminated merchants from obtaining account information (three party transaction)

ECT 455/HCI 513 Susy Chan Ph.D.

merchant benefits of set
Merchant Benefits of SET
  • More sales
    • Increased trust in merchant
  • Visa global acceptance
      • Cost Savings
  • Fewer losses from chargebacks
  • Assured payment
  • Reduced overhead
      • Automated payment process

ECT 455/HCI 513 Susy Chan Ph.D.

secure sockets layer ssl
Secure Sockets Layer (SSL)
  • A transport-level technology for authentication and data encryption between a Web server and a Web browser.
  • SSL negotiates point-to-point security between a client and a server.
  • SSL secures the routes of Internet communication, but it does not protect you from unscrupulous or careless people.
    • Source: www.Netscape.com
  • Use Public Key
  • Do not protect private information.

ECT 455/HCI 513 Susy Chan Ph.D.

secure sockets layer ssl37
Secure Sockets layer (SSL)
  • SSL
    • Uses public-key technology and digital certificates to authenticate the server in a transaction
    • Protects information as it travels over Internet
      • Does not protect once stored on receivers server
    • Peripheral component interconnect (PCI) cards
      • Installed on servers to secure data for an SSL transaction

ECT 455/HCI 513 Susy Chan Ph.D.

set versus ssl
SET

Three party protocol

Application protocol

Trust requirement: All participants have been authenticated for a specific role in payment card transaction processing

SSL

Two party protocol

TCP/IP Communication protocol

Trust requirement: communicating with a trustable server

SET versus SSL

ECT 455/HCI 513 Susy Chan Ph.D.

ad