Electronic Payment Systems 20-763 Lecture 7 Credit Card Protocols: SSL, TLS, SET


Outline: Credit card participants (5); Secure Sockets Layer (SSL); Credit card economics; Secure Electronic Transactions (SET); Fraud; Online card reading.

Participants: Issuing Bank (issues card; extends credit; assumes risk of card; cardholder reporting); Card Associations; Merchant; Merchant Bank (Acquirer) (sets up merchant; extends credit; assumes risk of merchant; funds merchant); Consumer; Processor; Processor.


Credit Cards on the Internet. Problem: communicate credit card and purchasing data securely to gain consumer trust. Authentication of buyer and merchant. Confidential transmissions. Systems vary by: type of public-key encryption; type of symmetric encryption; message digest algorithm; number of parties having private keys; number of parties having certificates.

Credit Card Protocols. SSL: 1 or 2 parties have private keys. TLS (Transport Layer Security): IETF version of SSL. iKP (IBM): i parties have private keys. SEPP (Secure Encryption Payment Protocol): MasterCard, IBM, Netscape; based on 3KP. STT (Secure Transaction Technology): VISA, Microsoft. SET (Secure Electronic Transactions): MasterCard, VISA; all parties have certificates. Slide annotations: OBSOLETE; VERY IMPORTANT. USAGE INCREASING; VERY SLOW ACCEPTANCE.

SSL (Secure Sockets Layer). NOT a payment protocol – can be used for any secure communications, like credit card numbers. SSL is a secure data exchange protocol providing: privacy between two Internet applications; authentication of server (authentication of browser optional). Uses enveloping: RSA used to exchange DES keys. SSL Handshake Protocol: negotiates symmetric encryption protocol, authenticates. SSL Record Protocol: packs/unpacks records, performs encryption/decryption. Does not provide non-repudiation.

Secure Sockets Layer (SSL). Layered on top of TCP/IP but below the application layer. (Requires reliable transport to operate.) SSL is increasing in importance for Internet security. Invented by Phil Karlton (CMU Ph.D.) and others at Netscape. View protocol (63 pages).

SSL (Secure Sockets Layer) protocols (diagram labels): handles communication with the application; initializes communication between client & server; initializes secure communication; handles data compression; error handling.

Cipher Suite. For public-key, symmetric encryption and certificate verification we need: public-key algorithm; symmetric encryption algorithm; message digest (hash) algorithm. This collection is called a cipher suite. SSL supports many different suites. Client and server must decide on which one to use. The client offers a choice; the server picks one.

Cipher Suites (diagram labels): initial (null) cipher suite; public-key algorithm; symmetric algorithm; hash algorithm; cipher suite codes used in SSL messages.

SSL-NULL-WITH-NULL-NULL = { 0, 0 }
SSL-RSA-WITH-NULL-MD5 = { 0, 1 }
SSL-RSA-WITH-NULL-SHA = { 0, 2 }
SSL-RSA-EXPORT-WITH-RC4-40-MD5 = { 0, 3 }
SSL-RSA-WITH-RC4-128-MD5 = { 0, 4 }
SSL-RSA-WITH-RC4-128-SHA = { 0, 5 }
SSL-RSA-EXPORT-WITH-RC2-CBC-40-MD5 = { 0, 6 }
SSL-RSA-WITH-IDEA-CBC-SHA = { 0, 7 }
SSL-RSA-EXPORT-WITH-DES40-CBC-SHA = { 0, 8 }
SSL-RSA-WITH-DES-CBC-SHA = { 0, 9 }
SSL-RSA-WITH-3DES-EDE-CBC-SHA = { 0, 10 }

SSL Handshake Messages. The SSL protocol defines various message types exchanged between client and server.

SSL Messages (diagram with a client side and a server side; source: Thomas, SSL and TLS Essentials). Labels: offer cipher suite menu to server; select a cipher suite; send certificate and chain to CA root; send public key to encrypt symm key; server negotiation finished; send encrypted symmetric key; activate encryption; client portion done (server checks options); activate server encryption; server portion done (client checks options); now the parties can use symmetric encryption.

SSL Encryption.
Premaster secret: created by client; used to "seed" calculation of encryption parameters. Very simple: 2 bytes of SSL version + 46 random bytes. Sent encrypted to server using server's public key.
Master secret: generated by both parties from premaster secret and random values generated by both client and server.
Key material: generated from the master secret and shared random values.
Encryption keys: extracted from the key material.

Forming the Master Secret (diagram; source: Thomas, SSL and TLS Essentials). Server's public key is sent by server in ServerKeyExchange. Client generates the premaster secret, encrypts with public key of server. Client sends premaster secret in ClientKeyExchange. Labels: sent by client in ClientHello; sent by server in ServerHello. Master secret is 3 MD5 hashes concatenated together = 384 bits.

Forming the Key Material (diagram; source: Thomas, SSL and TLS Essentials). Just like forming the master secret except the master secret is used here instead of the premaster secret.
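The derivation on these slides, written out as an added example that is not part of the lecture: it follows the SSL 3.0 construction in RFC 6101, where each 16-byte MD5 block wraps an inner SHA-1 hash labelled 'A', 'BB', 'CCC', and it also cuts the key block into the six values SSL 3.0 defines. The premaster secret and random values are constructed samples, and the function names are this example's own.

```python
import hashlib

def ssl3_expand(secret, rand_a, rand_b, n_blocks):
    """n_blocks of MD5(secret + SHA1(label + secret + rand_a + rand_b))."""
    out = b""
    for i in range(n_blocks):
        label = bytes([ord("A") + i]) * (i + 1)      # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + secret + rand_a + rand_b).digest()
        out += hashlib.md5(secret + inner).digest()
    return out

def master_secret(premaster, client_random, server_random):
    # Premaster secret: 2 bytes of SSL version + 46 random bytes.
    if len(premaster) != 48:
        raise ValueError("premaster secret must be 48 bytes")
    # Three MD5 outputs of 16 bytes each = 48 bytes = 384 bits.
    return ssl3_expand(premaster, client_random, server_random, 3)

def key_block(master, client_random, server_random, length):
    # Same construction keyed by the master secret; RFC 6101 puts the
    # server random before the client random here.
    blocks = -(-length // 16)                        # ceiling division
    return ssl3_expand(master, server_random, client_random, blocks)[:length]

def split_keys(block, mac_len, key_len, iv_len):
    # Order in which SSL 3.0 cuts the key block.
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

# Constructed sample values (not from a real handshake).
PREMASTER = b"\x03\x00" + bytes(range(46))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32

def derive_des_cbc_sha():
    # SSL-RSA-WITH-DES-CBC-SHA: 20-byte MAC secrets, 8-byte DES keys, 8-byte IVs.
    ms = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    kb = key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 2 * 20 + 2 * 8 + 2 * 8)
    return ms, split_keys(kb, 20, 8, 8)

if __name__ == "__main__":
    ms, keys = derive_des_cbc_sha()
    print("master secret:", ms.hex())
    for name, value in keys.items():
        print(name, value.hex())
```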

Obtaining Keys from the Key Material (diagram; source: Thomas, SSL and TLS Essentials). Labels: secret values included in message authentication codes; initialization vectors for DES CBC encryption; symmetric keys.

SSL Record Protocol (diagram; source: William Stallings).

SSL (Secure Sockets Layer). Some payment services using SSL: Credit Card Network; Secure-Bank.Com; Web-Charge; SecureTrans.

TLS (Transport Layer Security). SSL is so important it was adopted by the Internet Engineering Task Force (IETF). TLS Protocol 1.0 (RFC 2246). TLS is very similar to SSL but they do not interoperate. Goals: separate record and handshaking protocols; extensibility (add new cipher suites easily); efficiency (minimize network activity).

1. Customer pays with card: card swiped; mag data read (get signature).
2. Card Authorization via dial, lease line, satellite.
3. Acquiring Bank's Processor: direct connections to MC / VI; obtains authorization from Issuer; returns response to merchant; five digit number that must be stored.
4. Issuing Bank / Processor: receives auth request; verifies available funds; places hold on funds.
5. Merchant: stores authorizations and sales conducted; captures sales (at end of day); submits batch for funding.
6. Acquiring Bank / Processor: scans settlement file; verifies authorizations match captured data; prepares file for MC / VI; prepares funding file; records txs for reporting.
7. Issuing Bank / Processor: receives settlement file from MC / VI; funds MC / VI; matches txs to auths; post txs to cardholder; records transactions for reporting.
8. MC / VI debit issuers / credit acquirers.
9. Acquiring Bank funds merchant.
Diagram labels: Authorizations; Batch; Settlement.

Industry Update.
Acquirer Market Share (chart; values as extracted): 12%, 7%, 40%, 11%, 5%, 25%. Labels: Paymentech, Nova, First Data, NPC, B of A, All Others.
Bank Issuer Market Share (chart; values as extracted): 19%, 19%, 13%, 9%, 6%, 34%. Labels: First USA, Citigroup, MBNA, Chase, B of A, All others.
Disintermediation of Bank issuers and acquirers. Consolidation of the industry.

Card Economics.
Issuing Bank. Revenue: interest on revolving balances; interchange fee income on card purchases. Expenses: cost of carrying asset; transactors vs. revolvers; cardholder reporting, chargeback processing, customer service; marketing fees / dues; acquisition costs; fraud – lost/stolen cards; bankruptcy.
Acquiring Bank. Revenue: transaction fees charged merchants net of interchange expense; earnings on deposits. Expenses: processing fees for authorization, settlement, funding, chargebacks, customer service; marketing fees / dues; acquisition costs; credit / fraud risk; bankruptcy.

Parties in Secure eCommerce (diagram; source: William Stallings).

SET in Practice (diagram; source: http://www.software.ibm.com/commerce/payment/specsheetetill.html).


SET Objectives. Confidentiality of payment and order information: encryption. Integrity of all data (digital signatures). Authentication of cardholder & account (certificates). Authentication of merchant (certificates). No reliance on secure transport protocols (uses TCP/IP). Interoperability between SET software and network: standardized message formats. SET is a payment protocol: messages relate to various steps in a credit card transaction.

Dual Signatures. Links two messages securely but allows only one party to read each. Used in SET. Diagram labels: hash Message 1 and Message 2 with SHA to get Digest 1 and Digest 2; concatenate digests together; hash with SHA to create new digest; encrypt new digest with signer's private key to produce the dual signature.

Using Dual Signatures.
Alice wants to send Message 1 to Bob and Message 2 to Carol.
Message 1 is order info; Message 2 is payment info.
Alice encrypts Message 1 with Bob's public key; Message 2 with Carol's public key.
Both Bob and Carol must be convinced that the messages are linked and unaltered.
Alice sends { PKBOB(Message 1), PKCAROL(Message 2), DualSig } to both Bob and Carol.
Bob hashes PKBOB(Message 1), concatenates with PKCAROL(Message 2), and hashes again to give the dual hash.
Bob decrypts the dual signature with Alice's public key.
If the new hash and the decrypted signature match, all is OK.

Dual Signatures on Plaintext.
Alice wants to send Message 1 to Bob and Message 2 to Carol in plaintext.
Bob can't see Message 2; Carol can't see Message 1.
Both Bob and Carol must be convinced that the messages are linked and unaltered.
Alice sends Bob { Message 1, Digest 2, Dual Signature }.
Bob hashes Message 1, concatenates with Digest 2 and hashes.
Bob decrypts the dual signature with Alice's public key.
If the new hash and the decrypted signature match, all is OK.
Now Bob can send Carol Digest 2 and ask if she got the message corresponding to it! (Carol got { Message 2, Digest 1, Dual Signature }.)

SET in the Transaction Process.
1. Browsing
2. Product selection
3. Customer order entry
4. Selection of payment mechanism
5. Customer sends order and payment instructions
6. Merchant requests payment authorization
7. Merchant sends order confirmation
8. Merchant ships goods
9. Merchant requests payment from bank
Diagram label: SET PROTOCOL FUNCTIONS.

SET Security. Digital envelopes, nonces, salt. Two public-private key pairs for each party: one for digital signatures; one for key exchange messages. 160-bit message digests. Statistically globally unique IDs (XIDs). Certificates (5 kinds): Cardholder, Merchant, Acquirer, Issuer, Payment Gateway. Hardware cryptographic modules (for high security). Idempotency (message can be received many times but is only processed once): f(f(x)) = f(x). Complex protocol. Over 600 pages of detail. Dual signatures.
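The plaintext dual-signature check from the slides above, as an added example that is not part of the lecture. The signer's private-key operation is stood in for by unpadded textbook RSA with a toy key built from two Mersenne primes, which is an assumption of this sketch; the messages and function names are constructed.

```python
import hashlib

# Toy RSA key for Alice, built from two Mersenne primes. Constructed for this
# example only: unpadded and far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def sha(data):
    return hashlib.sha1(data).digest()  # 160-bit message digest

def dual_digest(digest1, digest2):
    # Concatenate the two digests and hash again to get the new digest.
    return int.from_bytes(sha(digest1 + digest2), "big")

def dual_sign(msg1, msg2):
    # Alice encrypts the new digest with her private key.
    return pow(dual_digest(sha(msg1), sha(msg2)), D, N)

def bob_verify(msg1, digest2, dual_sig):
    # Bob holds Message 1 and only the digest of Message 2.
    return pow(dual_sig, E, N) == dual_digest(sha(msg1), digest2)

def carol_verify(msg2, digest1, dual_sig):
    # Carol holds Message 2 and only the digest of Message 1.
    return pow(dual_sig, E, N) == dual_digest(digest1, sha(msg2))

# Constructed sample messages.
ORDER = b"order: 2 widgets, total 40.00"
PAYMENT = b"payment: card 0000-0000-0000-0000, amount 40.00"
OTHER_PAYMENT = b"payment: card 0000-0000-0000-0000, amount 99.00"

def run_checks():
    sig = dual_sign(ORDER, PAYMENT)
    d1, d2 = sha(ORDER), sha(PAYMENT)
    return {
        "bob_accepts": bob_verify(ORDER, d2, sig),
        "carol_accepts": carol_verify(PAYMENT, d1, sig),
        # An altered order, or a payment from another order, no longer matches.
        "altered_order": bob_verify(ORDER.replace(b"2 widgets", b"9 widgets"), d2, sig),
        "swapped_payment": carol_verify(OTHER_PAYMENT, d1, sig),
        # Bob can ask Carol whether her message hashes to the Digest 2 he holds.
        "digest2_matches_carol": d2 == sha(PAYMENT),
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```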

Major Ideas. SSL, TLS are secure message protocols, not payment protocols. SSL requires the vendor to have a certificate. SSL is secure against breaking of any one form of encryption. SET is a payment protocol. SET requires all parties to have certificates.

Q & A

Secure Sockets Layer (SSL) Handshake (diagram; source: Web Security). Surviving labels: "if it has one"; symmetric; asymmetric; secure transmission begins here.
