condor.depaul - PowerPoint PPT Presentation



ECT 455/HCI 513 E-Commerce Web Site Engineering

Electronic Payment Systems

Internet Transaction Security

ECT 455/HCI 513 Susy Chan Ph.D.


Online Payment Systems

  • Online payment is the foundation of systems for EC.

  • How does it mesh with the past and current currency systems?

    • credit cards, debit cards, ATM, banks

  • Political Challenges

    • What about taxes?

Electronic Payment Systems

  • Efficient and effective payment services accepted by consumers and businesses are essential to e-commerce.

  • Requirements:

    • Convenient for web purchasing

    • Transportable over the network

    • Strong enough to thwart electronic interference

    • Cost-effective for extremely low-value transactions

Electronic Payment Systems

  • Banking and Financial Payments

    • Bank-to-bank transfer (EFT)

    • Home Banking -- CitiBank, Wells Fargo

  • Payment through an Intermediary

    • Open Market *

    • First Virtual (FirstVirtual Pin) *

* Both refer to their earlier business models

Electronic Payment Systems

  • Electronic Currency Payment Systems

    • Electronic Cash -- CyberCash,Internetcash.com

    • Electronic Checks -- NetCheque

    • e-Wallets (Visa)

  • Smart Cards

    • American Express (blue smart card)

    • Visa

  • Micropayments

    • echarge

More

  • Retailing Payment Systems

    • Credit Cards -- Visa or MasterCard

    • Private Label Credit/Debit Cards

    • Charge Cards -- American Express; echarge

  • Peer-to-peer payments (between consumers)

    • PayPal (billpoint)

Credit-Card Transactions

  • Popular form of payment for online purchases

  • Resistance due to security concerns

  • Many cards offer capabilities for online and offline purchases

    • Prodigy Internet Mastercard

    • American Express Blue

Online Credit-Card Transaction

  • To accept credit-card payments, a merchant must have a merchant account

  • Traditional merchant accounts accept only POS (point-of-sale) transactions

    • Transactions that occur when you present your credit card at a store

  • Card-not-present (CNP) transaction

    • Merchant does not see actual card being used in the purchase

  • Authentication

    • The person is, in fact, who they say they are

Credit-Card Transaction Enablers

  • Credit-Card Transaction Enablers

    • Companies that have established business relationships with financial institutions that will accept online credit-card payments for merchant clients

      • Trintech

      • Cybercash (Verisign)

E-Wallets

  • E-wallets

    • Keep track of your billing and shipping information so that it can be entered with one click at participating sites

    • Store e-checks, e-cash and credit-card information

  • Credit-card companies offer a variety of e-wallets

    • Visa e-wallets

    • MBNA e-wallet allows one-click shopping at member sites

  • A group of e-wallet vendors have standardized technology with Electronic Commerce Modeling Language (ECML)

Digital Currency

  • Digital cash

    • Stored electronically, used to make online electronic payments

    • Similar to traditional bank accounts

    • Used with other payment technologies (digital wallets)

    • Alleviates some of the security fears about online credit-card transactions

    • Allows those with no credit cards to shop online

    • Merchants accepting digital-cash payments avoid credit-card transaction fees

Smart Cards

  • Smart card

    • Card with computer chip embedded on its face, holds more information than ordinary credit card with magnetic strip

    • Contact smart cards

      • To read information on smart cards and update information, contact smart cards need to be placed in a smart card reader

    • Contactless smart cards

      • Have both a coiled antenna and a computer chip inside, enabling the cards to transmit information

    • Can require the user to have a password, giving the smart card a security advantage over credit cards

      • Information can be designated as "read only" or as "no access"

      • Possibility of personal identity theft

Internet security

  • Consumers entering highly confidential information

  • Number of security attacks increasing

  • Four requirements of a secure transaction

    • Privacy – information not read by a third party

    • Integrity – information not compromised or altered

    • Authentication – sender and receiver prove their identities

    • Non-repudiation – legally prove the message was sent and received

  • Availability

    • Computer systems continually accessible


Secret-key Cryptography

  • Encrypting and decrypting a message using a symmetric key

Secret-key Cryptography

  • Distributing a session key with a key distribution center

Secret-key Cryptography

  • Secret-key cryptography

    • Same key to encrypt and decrypt message

    • Sender sends message and key to receiver

  • Problems with secret-key cryptography

    • Key must be transmitted to receiver

    • Different key for every receiver

    • Key distribution centers used to reduce these problems

      • Generates session key and sends it to sender and receiver encrypted with the unique key

  • Encryption algorithms

    • Data Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES)

Key Management

  • Key management

    • Handling and security of private keys

    • Key generation

      • The process by which keys are created

      • Must be truly random

Public Key Cryptography

  • Public key cryptography

    • Asymmetric– two inversely related keys

      • Private key

      • Public key

    • If the public key encrypts, only the private key can decrypt, and vice versa

    • Each party has both a public and a private key

    • Either the public key or the private key can be used to encrypt a message

    • Encrypting with both keys (the sender's private key and the receiver's public key)

      • Proves the sender's identity while keeping the message confidential

  • RSA public key algorithm www.rsasecurity.com


Public Key Encryption and Decryption

Public Key Cryptography

  • Authentication with a public-key algorithm

Digital Signatures

  • Digital signature

    • Authenticates sender’s identity

    • Run plaintext through hash function

      • Gives message a mathematical value called hash value

      • Hash value also known as message digest

    • Collision

      • Occurs when multiple messages have same hash value

    • Encrypt message digest with private-key

    • Send signature, encrypted message (with public-key) and hash function

  • Timestamping

    • Binds a time and date to message, solves non-repudiation

    • Third party, time-stamping agency, timestamps messages

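Added toy example (not from the slides) tying the Public Key Cryptography and Digital Signatures slides together: textbook RSA with a constructed, deliberately small key pair, a SHA-256 message digest, and the sign/verify steps the slide lists. The primes, key names and sample order message are assumptions; real systems use 2048-bit or larger keys, padding schemes and a vetted library.

```python
"""Textbook RSA with small hard-coded primes so each slide step is visible.
Illustration only: real deployments use large keys, OAEP/PSS padding and a
vetted crypto library rather than raw modular exponentiation."""
import hashlib

# Constructed toy key pair. 10007 and 10009 are prime, chosen for readability.
P, Q = 10007, 10009
N = P * Q                     # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                     # public exponent
D = pow(E, -1, PHI)           # private exponent = E^-1 mod phi(N) (Python 3.8+)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply(value: int, key: tuple[int, int]) -> int:
    """Apply one key of the pair to an integer < N. Only the other key undoes
    it: the slide's 'if the public key encrypts, only the private key can
    decrypt, and vice versa'."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def message_digest(message: bytes) -> int:
    """Hash the plaintext (the slide's 'message digest'). The reduction mod N
    exists only because the toy modulus is far smaller than a SHA-256 output;
    it makes collisions easy here, which real key sizes avoid."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """'Encrypt the message digest with the private key' (slide wording)."""
    return rsa_apply(message_digest(message), private_key)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the digest with the public key and compare it to a fresh hash;
    any change to the message or the signature fails the check."""
    return rsa_apply(signature, public_key) == message_digest(message)


if __name__ == "__main__":
    order = b"pay merchant 42.00 USD for order 1001"   # constructed sample
    sig = sign(order)
    print("signature valid on original:", verify(order, sig))
    print("signature valid on tampered:", verify(order + b"0", sig))
    secret = 123456789 % N
    print("public-encrypt, private-decrypt round trip:",
          rsa_apply(rsa_apply(secret, PUBLIC_KEY), PRIVATE_KEY) == secret)
```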
Digital Certificate

  • A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key.

  • Public-key cryptography uses certificates to address the problem of impersonation

  • Certificate authorities (CAs) are entities that validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software

Digital Certificate

  • A digital certificate includes:

    • the public key

    • the name of the entity it identifies

    • an expiration date

    • the name of the CA that issued the certificate

    • a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing CA.

  • The CA's digital signature allows the certificate to function as a "letter of introduction" for users who know and trust the CA but don't know the entity identified by the certificate.

Encryption & Transaction Security: Secret vs. Public Key Encryption

  • Secret-Key Encryption (single key)

    • Symmetric encryption, DES

    • Uses a shared secret key for encryption and decryption

    • Key distribution & disclosure

    • Fast, for bulk data encryption

  • Public-Key Encryption (pair of keys)

    • Asymmetric encryption, RSA (Rivest, Shamir, Adleman)

    • Private/public keys

    • Needs digital certificates and trusted 3rd parties

    • Slower

    • For less demanding applications

Client Authentication

  • Password-Based Authentication.

    • A server might require a user to type a name and password before granting access to the server.

    • The server maintains a list of names and passwords; if a particular name is on the list, and if the user types the correct password, the server grants access.

  • Certificate-Based Authentication.

    • Client authentication based on certificates is part of the SSL protocol.

    • The client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network.

    • The server uses techniques of public-key cryptography to validate the signature and confirm the validity of the certificate

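The password-based check the slide describes (a server list of names and passwords), as an added defender's example that is not from the slides: the list stores a random salt and a PBKDF2-HMAC-SHA256 hash per user instead of the password itself, and the comparison is constant-time. The function names, the iteration count and the sample user are assumptions.

```python
"""Password-based client authentication done safely, standard library only.
Stores (salt, PBKDF2 hash) per user rather than the plaintext list the slide
describes, and compares digests in constant time."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2 work factor; raise as hardware gets faster


def make_record(password: str) -> tuple[bytes, bytes]:
    """Build the stored record for a new user: (random salt, derived key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


# Placeholder record so an unknown name costs the same hashing time as a real
# one; otherwise response time would reveal which names are on the list.
_DUMMY_RECORD = make_record("placeholder-not-a-real-password")


def check_login(table: dict[str, tuple[bytes, bytes]],
                name: str, password: str) -> bool:
    """The slide's rule: grant access only if the name is on the list AND the
    typed password is correct. compare_digest avoids early-exit timing leaks."""
    salt, stored = table.get(name, _DUMMY_RECORD)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return name in table and hmac.compare_digest(candidate, stored)


def build_demo_table() -> dict[str, tuple[bytes, bytes]]:
    """Constructed sample user list (not real credentials)."""
    return {"alice": make_record("correct horse battery staple")}


if __name__ == "__main__":
    users = build_demo_table()
    print(check_login(users, "alice", "correct horse battery staple"))    # True
    print(check_login(users, "alice", "wrong password"))                  # False
    print(check_login(users, "mallory", "correct horse battery staple"))  # False
```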
Public Key Infrastructure, Certificates and Certification Authorities

  • Public Key Infrastructure (PKI)

    • Integrates public key cryptography with digital certificates and certification authorities

  • Digital certificate

    • Digital document issued by a certification authority

    • Includes name of subject, subject's public key, serial number, expiration date and signature of trusted third party

  • Verisign (www.verisign.com)

    • Leading certificate authority

  • Periodically changing key pairs helps security

SET: Secure Electronic Transaction

  • The SET protocol is a collection of encryption and security specifications used as an industry-wide, open standard for ensuring secure payment transactions over the Internet.

  • A payment protocol to accelerate development of e-commerce and to bolster consumer confidence

SET: Secure Electronic Transaction

  • SET establishes a method for interoperability of secure transactions software over multiple, popular hardware platforms and operating systems

  • Developed by Visa and MasterCard, with GTE, IBM, Microsoft, Netscape, SAIC, Terisa Systems and Verisign.

  • Based on encryption technology from RSA Data Security.

SET: Secure Electronic Transaction

  • Use digital certificates to authenticate all the parties involved in a transaction

  • SET-compliant software validates both merchant and cardholder before exchange of information

  • Employs public-key encryption and digital signature

  • Complete documentation in visa.com

Secure Electronic Transaction (SET)

  • SET protocol

    • Designed to protect e-commerce payments

    • Certifies customer, merchant and merchant’s bank

    • Requirements

      • Merchants must have a digital certificate and SET software

      • Customers must have a digital certificate and digital wallet

    • Digital wallet

      • Stores credit card information and identification

    • Merchant never sees the customer’s personal information

      • Sent straight to banks

  • Microsoft Authenticode

    • Authenticates file downloads

    • Informs users of the download’s author

Advantages of SET Over Channel Encryption

  • Participants are authenticated via certificates

  • Financial institutions provide assurance, not software

  • SET allows a wallet to clearly distinguish a payment from other uses of web forms

  • SET prevents terminated merchants from obtaining account information (three party transaction)

Merchant Benefits of SET

  • More sales

    • Increased trust in merchant

  • Visa global acceptance

    • Cost Savings

  • Fewer losses from chargebacks

  • Assured payment

  • Reduced overhead

    • Automated payment process

Secure Sockets Layer (SSL)

  • A transport-level technology for authentication and data encryption between a Web server and a Web browser.

  • SSL negotiates point-to-point security between a client and a server.

  • SSL secures the routes of Internet communication, but it does not protect you from unscrupulous or careless people.

    • Source: www.Netscape.com

  • Uses public keys

  • Does not protect private information.

Secure Sockets Layer (SSL)

  • SSL

    • Uses public-key technology and digital certificates to authenticate the server in a transaction

    • Protects information as it travels over the Internet

      • Does not protect it once stored on the receiver's server

    • Peripheral component interconnect (PCI) cards

      • Installed on servers to secure data for an SSL transaction


SET versus SSL

  • SET

    • Three-party protocol

    • Application protocol

    • Trust requirement: all participants have been authenticated for a specific role in payment card transaction processing

  • SSL

    • Two-party protocol

    • TCP/IP communication protocol

    • Trust requirement: communicating with a trustable server
