Participants Of Secure Electronic Transactions Information Technology Essay
In the security environment, a proper and effective security is needed in order to prevent from attacks. Therefore, multiple security mechanism and protocol should be use to secure a network. An example for a system that needs to have a high security was online transaction.
Nevertheless, in term of network security, Internet Security Protocol (IPSec) is one of the best security protocols nowadays. More than that, the key exchange algorithm such as Oakley and ISAKMP is an enhance version of Diffie-Hellman (DH) protocol. This protocol has overcome the shortage or weaknesses of DH protocol.
The following section will cover the SET and IPSec in details with graphical explanation.
2.1) Feature and Services of Secure Electronic Transaction (SET)
SET is a system that use for security purpose in order to secure the financial transaction supported by Visa, MasterCard, American Express and others. In spite of that, SET itself is not a payment system, but rather a set of protocol that can be use in open public network with enhancement of security.
In term of key feature, SET provides the following features:-
Confidentiality of Information
Integrity of Data
Cardholder Account Authentication
Merchant Authentication
Taken from (Stallings, 1999)
Besides that, the main services are:-
Baseline Purchase (Transaction)
Cash Advances
Status Enquiry
Taken from (Hitachi, 2003)
The following pages will explain the features and services of SET in brief.
2.1.1) Feature of SET
Confidentiality of Information
Cardholder account and payment information are secured all the time, especially during the transaction. This is an important feature of SET whereby the encryption is using Data Encryption Standard (DES) to improve confidentiality.
Integrity of Data
With integrity of data, all the payment information between the cardholder and merchant will be secure all the time. With the help of digital signature like RSA, the data will be sure.
Cardholder Account Authentication
SET use X.509v3 digital signature with RSA during the authentication process. This allows the merchant to verify either the credit card is valid or invalid.
Merchant Authentication
With X.509v3 digital signature, SET allows the card holder to verify either the merchant is valid or invalid. This feature can prevent from fraud or scam.
The statement above supported by (Stallings, 1999)
2.1.2) Services of SET
Baseline Purchase
The main services of SET were baseline purchase where three steps are involved.
Choose product to be purchase
Consumer choose an independent or depended product to purchase
Payment Step
Consumer choose confirm the order and choose the payment method
Delivery Step
After completing the payment, consumer receives the product.
Cash Advances
Cash advances allow the cardholder to pay for the 1st time. For next payment onward, consumer can use different payment method. For example, installment
Status Enquiry
SET allow the consumer to check the status of their payment.
Statement above supports by (Hitachi, 2003)
2.2) Participant of Secure Electronic Transaction (SET)
Figure 2-1: Participants of SET
Figure 2-1 shows the participants of SET in graphical form. In spite of that, Table 2-1 on next page will explain the role and activity of the participants.
Participants
Role
Activity
Related to…
Merchant
Person or organization that has goods to sell.
Sell goods and services. Especially web transaction.
Acquirer
Acquirer
Process payment and card authorization.
Provide support of multiple type of credit card brand to merchant.
Provide electronic payment transfer
Control payment limit
N/A
Cardholder
Consumer
Can purchase goods and services from merchant with credit card.
Issuer
Issuer
Financial institution
Bank
Provide credit card to consumer
Collect debt payment from consumer
N/A
Payment Gateway
Operated by Acquirer or 3rd party
Work as middleman between SET and Issuer
Provide authorization and payment function during transaction
Acquirer
Issuer
Certificate Authority
Issuer of X.509v3
-Issue X.509v3 to merchant, cardholders, and payment gateway
N/A
Table 1-1: Roles and Activity of SET Participants
The information on this table was taken from (Stallings, 2006). However, it has been modified into table form.
2.3) Sequence of Events for Secure Transaction
In order to have a secure transaction, a proper sequence of event is needed. Although the process of transaction is very fast, but there was a lot of process in behind. There will be 10 events that will occur during the transaction. Therefore, this section will explain the sequence of events during the transaction.
Before that, Figure 2-2 shows the meaning of the icon for next several explanations.
Figure 2-2: Icon of events
The whole sequence of events is a research from (Stallings, 2006) and (whatis.com, 2010)
Figure 2-3: Events 1, 2 & 3
A customer open a bank account
The first thing a consumer needs to do was open a bank account and apply for credit card such as VISA, MASTERCARD with bank that support SET completely.
Cardholder certificate
Once the credit card is available, a verification process of identity will occur where X.509v3 digital certificate will receive by customer. This certificate is issue by Certificate Authority and signed by bank where it will verify the card expired date and public key.
Merchant certificate
For merchant who accept variety type of credit card, it has two certificates for two public keys owned by them. Besides that, a copy of payment gateway certificate also will be issue by payment gateway.
Both of the key owned by merchant itself was use for signing a message and exchange a message.
Figure 2-4: Events 4, 5, & 6
Customer buy a product
Once the credit card is ready, a consumer can start to look for the product they want to buy.
The consumer will send the list of item, price and order number information to merchant.
Merchant send verification
In order to continue, the merchant will send copy of its certificate to consumer.
This certificate is use to verify the merchant is legal
Payment and order sent
After the verification, the consumer will send the order and payment information along with its certification to merchant. The payment information contains the credit number and name.
In order to provide security, the information is encrypted all the way.
Figure 2-5: Events 7, 8, 9, & 10
Payment Authorization
Merchant will send the customer payment information to Payment Gateway in order to verify the sufficient credit for payment in customer account.
Order Confirmed
Once payment approved, merchant will send the order confirm and receipt to customer.
Goods Delivery
Merchant will deliver the goods to customer via shipping or other method.
(10) Payment request by merchant
Usually at end of the month, merchant will send a payment request to Payment Gateway.
2.4) SET Transaction Types
Besides feature and services of SET, this system also supports several transaction types where each of them is having its own function. Nevertheless, some of them are related to each other and required to work at pairs. Table 1-2 below listed out the transaction types that are supported by SET. (Stallings, 2005)
Transaction Types
Merchant Registration
Cardholder Registration
Certificate Inquiry and Status
Purchase Inquiry
Credit
Capture Reversal
Authorization Reversal
Credit Reversal
Error Message
Batch Administration
Payment Gateway Certificate Request
Purchase Request *
Payment Authorization *
Payment Capture *
Table 1-2: Transaction Types
Three types of transaction will be focused on this section. This is due to the importance of these transactions where it was the main focused transaction type of SET. On the following section, these three types of transaction will be discussed in details.
Purchase request
Payment Authorization
Payment Capture
2.4.1) Purchase Request
In order for the purchase request to begin exchange, the cardholder must have placed their order. This request will exchange four main messages which are:-
Initiate Request
Initiate Response
Purchase Request
Purchase Response
Initiate Request
A copy of certificate of cardholder must be send to merchant in order to send the SET messages. This certificates will be requested by customer in a message call Initiate Request. During the request, information of credit card brand and other info will be includes on this message.
Initiate Response
After send, the merchant will respond with a message call Initiate Respond which includes the signs of private signature key. This response will include the transaction ID and other relevant information for the particulate purchase transaction. In addition, this message also includes the payment gateway key exchange certificate.
Purchase Request
Next, the cardholders prepare a message call Purchase Request where it includes the information regarding:
Purchase-related Information – Forward to the payment gateway by merchant
Consists of
Payment Information (PI)
Order Information Message Digest (OIMD)
Dual Signature (not covered on this assignment)
Digital Envelope (Encryption)
Order-related Information – Needed by merchant
Consists of
Order Information (OI)
Dual Signature
Payment Information Message Digest (PIMD)
Cardholder Certificate – Contain cardholder public signature key
Consists of
Cardholder Public signature key
Figure 2-6: Purchase Request
Figure taken from (Stallings, 2005)
Based on the figure, it shows that the PI has been sign with Dual Signature and includes the OIMD. After being encrypted with key, the info will be mix together with other component such as Digital Envelop, PIDM, OI and cardholder certificate. The whole message is known as Purchase Request message.
Nonetheless, the whole message will send by cardholder to merchant. When the merchant receive the message, it will verify that the cardholder certificate is legal and verify the dual signature using cardholder public signature key. Meanwhile the 1st half of the message will be forwarded to Payment Gateway by merchant. Figure 2-7 on next page shows the algorithm of Purchase Request verification.
Figure 2-7: Purchase Request Verification
Figure taken from (Stallings, 2005)
Purchase Response
After the verification process, a Purchase Response message will be send in order to acknowledge to the cardholder. This message contains a block which signed by merchant private signature. This message will display a statement or message to the cardholder if it was successes to send.
Information regarding the whole purchase request is taken from (Stallings, 2005)
2.4.2) Payment Authorization
During the transaction, an authorization must be made in order to make any payment. Although its look simple, but the whole process required a certain technical algorithm or process to guarantee the merchant receive the payment. Once the request has been acknowledge with response, the merchant can provide goods or services to customer.
This payment authorization is consist of two messages which are:-
Authorization Request
Authorization Response
Authorization Request
This request was send by merchant to payment gateway. The messages it consists of several information such as:-
Purchase-related Information – obtained from customer
Consists of
Payment Information (PI)
Order Information Message Digest (OIMD)
Dual Signature (not covered on this assignment)
Digital Envelope (Encryption)
Authorization-related information – Generated by merchant
Consists of
Authorization block
Digital Envelop
Cardholder Certificate – Contain cardholder public signature key
Consists of
Cardholder Public signature key
Authorization Response
After an authorization approved by issuer, payment gateway will send backs a message which includes:-
Authorization-related information – Generated by merchant
Consists of
Authorization block
Digital Envelop
Capture Token Information – use for future payment
Consists of
Signed & encrypted token
Digital Envelop
Certificate
Consists of
Gateway signature key certificate
Information regarding the whole payment authorization is taken from (Stallings, 2005)
2.4.3) Payment Capture
To obtain payment after sales, merchant need to contact the payment gateway by providing a capture request and wait for the response. In this case, there are two messages are involved, which are:-
Capture Request
Capture Response
Capture Request
This request is generate by merchant to payment gateway for request a payment. Meanwhile this consists of:-
Signed & encrypted request block which include payment amount and transaction ID
Merchant signature key
Key-exchange key certificates
Capture Response
Once the payment gateway receives the capture request, the message will be decrypt and verify the request blocks. Once it is legal, capture response will be issue to merchant. This message includes:
Signed & encrypted response block by payment gateway
Payment gateway signature key certificate
Information regarding the whole payment capture is taken from (Stallings, 2005)
“This page is intentionally left blank”
3.1) Overview of IPSec
A majority of today government, academic, corporate and home user’s network including internet, are based on the Internet Protocol (IP). However, IP networks are not vulnerable to security threat such as identity spoofing, loss of data, loss of privacy and other security threats. Because of this threats, Internet Engineering Task Force (IETF) has create a security frameworks call Internet Protocol Security (IPSec)
IPSec is implemented at network layer of OSI where it will protects and authenticate the packets that travel between the devices such as routers, firewall, and other IPSec compatible devices. (Nam-Kee-Tan, 2003) In terms of securing the IP layer, all the traffic which passing though an IP network will use the IP protocol. Because of that, IPSec provides security services for network layer more than application layer.
IPSec contain several new packet formats such as Authentication Header (AH), Encapsulating Security Payload (ESP) and IKE in order to provide data integrity, confidentiality and digital authentication. (Anon., n.d.) Besides that, with IPSec, IP network can gain several benefits such as strong authentication, firewall filtering, data protection, encryption and other technical support. Figure 2-1 shows the packet format with IPSec Header and Trailer.
Figure 3-1: IP Packet Format with IPSec
3.2) Security Services by IPSec
In term of security services, IPSec provide several security services for most of the applications which are communicating over the IP network. The IPSec framework provides the following important security services:-
Access Control
Connectionless Integrity
Data Origin Authentication
Confidentiality
“Obtained from (Stallings, 2010)”
The following sections will cover four of the security services above in details.
3.2.1) Access Control
Access control with IPSec could really secure the network from unauthorized access. This is one of the security services that prevent from unauthorized use of resource in the network. More than that, it can also prevent from remote control or access from remote location and external network.
3.2.2) Connectionless Integrity
Connectionless integrity in IPSec is a security services that helps to detect any modification of data. This security services detect the modification of IP packets without regard to the ordering of the packets in the traffic stream. (Nam-Kee-Tan, 2003) Besides that, integrity also ensures the prevention of unauthorized creations, modification or deletion of data between the source and destination. (Hewlett-Packard, 2001) In shorts, integrity verify that the content of the packet was not changed during the transmission.
3.2.3) Data Origin Authentication
This authentication method ensures that the user traffic is sent by original or legal sender. This authentication method involves sender and recipient. The sender is the originator of the message while recipient was the entity that receives the message from the sender. In order to ensure that the message is from the original sender, two type of signature can be used to sign the message. The signatures were Symmetric and Asymmetric. (MSDN; Microsoft, n.d.)
Symmetric Signature
Use a single shared secret key is use to sign and verify the message.
This signature also known as Message Authentication Code (MAC)
Figure 3-2: Symmetric Signature
Figure 3-2 is taken from (MSDN Microsoft, n.d.)
Asymmetric Signature
Use two different key (private and public) to sign and verify the message.
Private key
Kept by owner and never send out
Use to create signature on message
Public key
Distribute to public or receiver
Use to verify the signature of the message
Figure 3-3: Asymmetric Signature
Figure 3-3 is taken from (MSDN Microsoft, n.d.)
3.2.4) Confidentiality
Confidentiality or encryption is the most important services by IPSec. This services ensure that the traffic is not hijacked by non-authorized parties during the transmission. (Anon., 2008) One of the favourtie hacking method by hacker was intercept between the connection and steal the information. Data confidentiality was the capability of IPSec to encrypt data before travel to external network.
3.3) Role of Oakley Key Determination Protocol
The Oakley protocol is a refined version of Diffie-Hellman(DH) key exchange version. This protocol was created to overcome the drawbacks of DH key exchange, meanwhike retaint the advantages of the DH key exchange. Some of the advantages of this protocol are as follows: (Kahate, 2008)
Ability to prevent and overcome replay attacks
Enable the exchange of DH public key values
Provide authentcation to prevent the man-in-the-middle attacks
Oakley also is a protocol that uses a public-key exchange algorithm and an ability know as Perfect Forward Secrecy (PFS) in order to prevent from the key reuse problem. (Diane Barrett, 2006) For PFS, it is a system that ensure the information about the key is being protected. For example, if a hacker successed to break on of the keys, the information about other related keys will be kept secret. This mean, the breaked key wil tell them nothing about other keys.
In term of authentication, oakley support three authentication mechanism which digital signature, public key and private key. Both private key and public key has been explained in section (3.2.3) Data Origin Authentication.
Nonetheless, when dealing with congestion attack, the concept of cookies will be use in order to solve the congestian attack. This method was normally use to prevent from the masquerading of IP addresses and port by the packer. The whole process has include a cookie and acknowledgement cookie.
3.4) Role of Internet Security Association and Key Management Protocol (ISAKMP)
ISAKMP is a key protocol in IPSec where it combines several concept together such as authentication, key management and security association in order to establid a good security association (SA). This general protocol framework contains a ISAKMP header where the entire header is encapsulated inside the OSI transport layer. Figure 3-4 shows the format of ISAKMP header.
Figure 3-4: ISAKMP Header Format
Figure 3-4 is obtain from source (Kahate, 2008)
Nevertheless, ISAKMP also support the negotiation of SA for other seucirty protocol such as IPSec, TLSP, TLS, and etc. In spite of that , the amount of duplicated functionallity also can be reduces by centralizing the management of SA. (Javvin, n.d.) ISAKMP by itslef does not use a specific key exchange algorithm. It use a set of message that enable the usage of variety of key exchange algorithm.
In term of role for Domain of Interpretion (DOI), ISAKMP will choose a security protocol and crytographic alforithm to share the key exchange. Mean while, ISAKMP will place the following requirement on DOI:
Additional Key Exchange
Additional Notification Message
Naming scheme for DOI
Applicable Security Policies
The statement above was taken from (Dictionary, n.d.)
4.0) Conclusion
In my research, I’ve discover the importance of understand SET. With SET, a secure transaction can be perform meanwhile the process itself is pretty fast. More than that, a list of participants also has been found and explained on this assignment.
Nevertheless,, the sequence of events of how the transaction happen behind the process also has beens tudy. By understanding the transaction types, the easiest way to understand how SET actually work. Nontheless, a set of diagram also has been use to summaries the whole events.
For IPSec, it is important to implement especially in a secure network. One of the proper way to apply IPSec was implement VPN. With IPSec, several advantages such as authnetication, data integrity and more and helps to secure the network.
Lastly, regarding the key exchange protocol. With the enhance of Oakley and ISAKMP, the weakness of DH protocl can be overcome and provide better key exchange algorithm in term of security and encryption.
P.S.: The softcopy of this assignment shows an exceeded word count. However, after exclude the citation, caption, bibliography and other unrelated document, the final word counts was 3247 words.
Order Now