Participants Of Secure Electronic Transactions Information Technology Essay

In the security environment, a proper and effective security is needed in order to prevent from attacks. Therefore, multiple security mechanism and protocol should be use to secure a network. An example for a system that needs to have a high security was online transaction.

Nevertheless, in term of network security, Internet Security Protocol (IPSec) is one of the best security protocols nowadays. More than that, the key exchange algorithm such as Oakley and ISAKMP is an enhance version of Diffie-Hellman (DH) protocol. This protocol has overcome the shortage or weaknesses of DH protocol.

The following section will cover the SET and IPSec in details with graphical explanation.

2.1) Feature and Services of Secure Electronic Transaction (SET)

SET is a system that use for security purpose in order to secure the financial transaction supported by Visa, MasterCard, American Express and others. In spite of that, SET itself is not a payment system, but rather a set of protocol that can be use in open public network with enhancement of security.

In term of key feature, SET provides the following features:-

Confidentiality of Information

Integrity of Data

Cardholder Account Authentication

Merchant Authentication

Taken from (Stallings, 1999)

Besides that, the main services are:-

Baseline Purchase (Transaction)

Cash Advances

Status Enquiry

Taken from (Hitachi, 2003)

The following pages will explain the features and services of SET in brief.

2.1.1) Feature of SET

Confidentiality of Information

Cardholder account and payment information are secured all the time, especially during the transaction. This is an important feature of SET whereby the encryption is using Data Encryption Standard (DES) to improve confidentiality.

Integrity of Data

With integrity of data, all the payment information between the cardholder and merchant will be secure all the time. With the help of digital signature like RSA, the data will be sure.

Cardholder Account Authentication

SET use X.509v3 digital signature with RSA during the authentication process. This allows the merchant to verify either the credit card is valid or invalid.

Merchant Authentication

With X.509v3 digital signature, SET allows the card holder to verify either the merchant is valid or invalid. This feature can prevent from fraud or scam.

The statement above supported by (Stallings, 1999)

2.1.2) Services of SET

Baseline Purchase

The main services of SET were baseline purchase where three steps are involved.

Choose product to be purchase

Consumer choose an independent or depended product to purchase

Payment Step

Consumer choose confirm the order and choose the payment method

Delivery Step

After completing the payment, consumer receives the product.

Cash Advances

Cash advances allow the cardholder to pay for the 1st time. For next payment onward, consumer can use different payment method. For example, installment

Status Enquiry

SET allow the consumer to check the status of their payment.

Statement above supports by (Hitachi, 2003)

2.2) Participant of Secure Electronic Transaction (SET)

Figure 2-1: Participants of SET

Figure 2-1 shows the participants of SET in graphical form. In spite of that, Table 2-1 on next page will explain the role and activity of the participants.

Participants

Role

Activity

Related to…

Merchant

Person or organization that has goods to sell.

Sell goods and services. Especially web transaction.

Acquirer

Acquirer

Process payment and card authorization.

Provide support of multiple type of credit card brand to merchant.

Provide electronic payment transfer

Control payment limit

N/A

Cardholder

Consumer

Can purchase goods and services from merchant with credit card.

Issuer

Issuer

Financial institution

Bank

Provide credit card to consumer

Collect debt payment from consumer

N/A

Payment Gateway

Operated by Acquirer or 3rd party

Work as middleman between SET and Issuer

Provide authorization and payment function during transaction

Acquirer

Issuer

Certificate Authority

Issuer of X.509v3

-Issue X.509v3 to merchant, cardholders, and payment gateway

N/A

Table 1-1: Roles and Activity of SET Participants

The information on this table was taken from (Stallings, 2006). However, it has been modified into table form.

2.3) Sequence of Events for Secure Transaction

In order to have a secure transaction, a proper sequence of event is needed. Although the process of transaction is very fast, but there was a lot of process in behind. There will be 10 events that will occur during the transaction. Therefore, this section will explain the sequence of events during the transaction.

Before that, Figure 2-2 shows the meaning of the icon for next several explanations.

Figure 2-2: Icon of events

The whole sequence of events is a research from (Stallings, 2006) and (whatis.com, 2010)

Figure 2-3: Events 1, 2 & 3

A customer open a bank account

The first thing a consumer needs to do was open a bank account and apply for credit card such as VISA, MASTERCARD with bank that support SET completely.

Cardholder certificate

Once the credit card is available, a verification process of identity will occur where X.509v3 digital certificate will receive by customer. This certificate is issue by Certificate Authority and signed by bank where it will verify the card expired date and public key.

Merchant certificate

For merchant who accept variety type of credit card, it has two certificates for two public keys owned by them. Besides that, a copy of payment gateway certificate also will be issue by payment gateway.

Both of the key owned by merchant itself was use for signing a message and exchange a message.

Figure 2-4: Events 4, 5, & 6

Customer buy a product

Once the credit card is ready, a consumer can start to look for the product they want to buy.

The consumer will send the list of item, price and order number information to merchant.

Merchant send verification

In order to continue, the merchant will send copy of its certificate to consumer.

This certificate is use to verify the merchant is legal

Payment and order sent

After the verification, the consumer will send the order and payment information along with its certification to merchant. The payment information contains the credit number and name.

In order to provide security, the information is encrypted all the way.

Figure 2-5: Events 7, 8, 9, & 10

Payment Authorization

Merchant will send the customer payment information to Payment Gateway in order to verify the sufficient credit for payment in customer account.

Order Confirmed

Once payment approved, merchant will send the order confirm and receipt to customer.

Goods Delivery

Merchant will deliver the goods to customer via shipping or other method.

(10) Payment request by merchant

Usually at end of the month, merchant will send a payment request to Payment Gateway.

2.4) SET Transaction Types

Besides feature and services of SET, this system also supports several transaction types where each of them is having its own function. Nevertheless, some of them are related to each other and required to work at pairs. Table 1-2 below listed out the transaction types that are supported by SET. (Stallings, 2005)

Transaction Types

Merchant Registration

Cardholder Registration

Certificate Inquiry and Status

Purchase Inquiry

Credit

Capture Reversal

Authorization Reversal

Credit Reversal

Error Message

Batch Administration

Payment Gateway Certificate Request

Purchase Request *

Payment Authorization *

Payment Capture *

Table 1-2: Transaction Types

Three types of transaction will be focused on this section. This is due to the importance of these transactions where it was the main focused transaction type of SET. On the following section, these three types of transaction will be discussed in details.

Purchase request

Payment Authorization

Payment Capture

2.4.1) Purchase Request

In order for the purchase request to begin exchange, the cardholder must have placed their order. This request will exchange four main messages which are:-

Initiate Request

Initiate Response

Purchase Request

Purchase Response

Initiate Request

A copy of certificate of cardholder must be send to merchant in order to send the SET messages. This certificates will be requested by customer in a message call Initiate Request. During the request, information of credit card brand and other info will be includes on this message.

Initiate Response

After send, the merchant will respond with a message call Initiate Respond which includes the signs of private signature key. This response will include the transaction ID and other relevant information for the particulate purchase transaction. In addition, this message also includes the payment gateway key exchange certificate.

Purchase Request

Next, the cardholders prepare a message call Purchase Request where it includes the information regarding:

Purchase-related Information – Forward to the payment gateway by merchant

Consists of

Payment Information (PI)

Order Information Message Digest (OIMD)

Dual Signature (not covered on this assignment)

Digital Envelope (Encryption)

Order-related Information – Needed by merchant

Consists of

Order Information (OI)

Dual Signature

Payment Information Message Digest (PIMD)

Cardholder Certificate – Contain cardholder public signature key

Consists of

Cardholder Public signature key

Figure 2-6: Purchase Request

Figure taken from (Stallings, 2005)

Based on the figure, it shows that the PI has been sign with Dual Signature and includes the OIMD. After being encrypted with key, the info will be mix together with other component such as Digital Envelop, PIDM, OI and cardholder certificate. The whole message is known as Purchase Request message.

Nonetheless, the whole message will send by cardholder to merchant. When the merchant receive the message, it will verify that the cardholder certificate is legal and verify the dual signature using cardholder public signature key. Meanwhile the 1st half of the message will be forwarded to Payment Gateway by merchant. Figure 2-7 on next page shows the algorithm of Purchase Request verification.

Figure 2-7: Purchase Request Verification

Figure taken from (Stallings, 2005)

Purchase Response

After the verification process, a Purchase Response message will be send in order to acknowledge to the cardholder. This message contains a block which signed by merchant private signature. This message will display a statement or message to the cardholder if it was successes to send.

Information regarding the whole purchase request is taken from (Stallings, 2005)

2.4.2) Payment Authorization

During the transaction, an authorization must be made in order to make any payment. Although its look simple, but the whole process required a certain technical algorithm or process to guarantee the merchant receive the payment. Once the request has been acknowledge with response, the merchant can provide goods or services to customer.

This payment authorization is consist of two messages which are:-

Authorization Request

Authorization Response

Authorization Request

This request was send by merchant to payment gateway. The messages it consists of several information such as:-

Purchase-related Information – obtained from customer

Consists of

Payment Information (PI)

Order Information Message Digest (OIMD)

Dual Signature (not covered on this assignment)

Digital Envelope (Encryption)

Authorization-related information – Generated by merchant

Consists of

Authorization block

Digital Envelop

Cardholder Certificate – Contain cardholder public signature key

Consists of

Cardholder Public signature key

Authorization Response

After an authorization approved by issuer, payment gateway will send backs a message which includes:-

Authorization-related information – Generated by merchant

Consists of

Authorization block

Digital Envelop

Capture Token Information – use for future payment

Consists of

Signed & encrypted token

Digital Envelop

Certificate

Consists of

Gateway signature key certificate

Information regarding the whole payment authorization is taken from (Stallings, 2005)

2.4.3) Payment Capture

To obtain payment after sales, merchant need to contact the payment gateway by providing a capture request and wait for the response. In this case, there are two messages are involved, which are:-

Capture Request

Capture Response

Capture Request

This request is generate by merchant to payment gateway for request a payment. Meanwhile this consists of:-

Signed & encrypted request block which include payment amount and transaction ID

Merchant signature key

Key-exchange key certificates

Capture Response

Once the payment gateway receives the capture request, the message will be decrypt and verify the request blocks. Once it is legal, capture response will be issue to merchant. This message includes:

Signed & encrypted response block by payment gateway

Payment gateway signature key certificate

Information regarding the whole payment capture is taken from (Stallings, 2005)

“This page is intentionally left blank”

3.1) Overview of IPSec

A majority of today government, academic, corporate and home user’s network including internet, are based on the Internet Protocol (IP). However, IP networks are not vulnerable to security threat such as identity spoofing, loss of data, loss of privacy and other security threats. Because of this threats, Internet Engineering Task Force (IETF) has create a security frameworks call Internet Protocol Security (IPSec)

IPSec is implemented at network layer of OSI where it will protects and authenticate the packets that travel between the devices such as routers, firewall, and other IPSec compatible devices. (Nam-Kee-Tan, 2003) In terms of securing the IP layer, all the traffic which passing though an IP network will use the IP protocol. Because of that, IPSec provides security services for network layer more than application layer.

IPSec contain several new packet formats such as Authentication Header (AH), Encapsulating Security Payload (ESP) and IKE in order to provide data integrity, confidentiality and digital authentication. (Anon., n.d.) Besides that, with IPSec, IP network can gain several benefits such as strong authentication, firewall filtering, data protection, encryption and other technical support. Figure 2-1 shows the packet format with IPSec Header and Trailer.

Figure 3-1: IP Packet Format with IPSec

3.2) Security Services by IPSec

In term of security services, IPSec provide several security services for most of the applications which are communicating over the IP network. The IPSec framework provides the following important security services:-

Access Control

Connectionless Integrity

Data Origin Authentication

Confidentiality

“Obtained from (Stallings, 2010)”

The following sections will cover four of the security services above in details.

3.2.1) Access Control

Access control with IPSec could really secure the network from unauthorized access. This is one of the security services that prevent from unauthorized use of resource in the network. More than that, it can also prevent from remote control or access from remote location and external network.

3.2.2) Connectionless Integrity

Connectionless integrity in IPSec is a security services that helps to detect any modification of data. This security services detect the modification of IP packets without regard to the ordering of the packets in the traffic stream. (Nam-Kee-Tan, 2003) Besides that, integrity also ensures the prevention of unauthorized creations, modification or deletion of data between the source and destination. (Hewlett-Packard, 2001) In shorts, integrity verify that the content of the packet was not changed during the transmission.

3.2.3) Data Origin Authentication

This authentication method ensures that the user traffic is sent by original or legal sender. This authentication method involves sender and recipient. The sender is the originator of the message while recipient was the entity that receives the message from the sender. In order to ensure that the message is from the original sender, two type of signature can be used to sign the message. The signatures were Symmetric and Asymmetric. (MSDN; Microsoft, n.d.)

Symmetric Signature

Use a single shared secret key is use to sign and verify the message.

This signature also known as Message Authentication Code (MAC)

Figure 3-2: Symmetric Signature

Figure 3-2 is taken from (MSDN Microsoft, n.d.)

Asymmetric Signature

Use two different key (private and public) to sign and verify the message.

Private key

Kept by owner and never send out

Use to create signature on message

Public key

Distribute to public or receiver

Use to verify the signature of the message

Figure 3-3: Asymmetric Signature

Figure 3-3 is taken from (MSDN Microsoft, n.d.)

3.2.4) Confidentiality

Confidentiality or encryption is the most important services by IPSec. This services ensure that the traffic is not hijacked by non-authorized parties during the transmission. (Anon., 2008) One of the favourtie hacking method by hacker was intercept between the connection and steal the information. Data confidentiality was the capability of IPSec to encrypt data before travel to external network.

3.3) Role of Oakley Key Determination Protocol

The Oakley protocol is a refined version of Diffie-Hellman(DH) key exchange version. This protocol was created to overcome the drawbacks of DH key exchange, meanwhike retaint the advantages of the DH key exchange. Some of the advantages of this protocol are as follows: (Kahate, 2008)

Ability to prevent and overcome replay attacks

Enable the exchange of DH public key values

Provide authentcation to prevent the man-in-the-middle attacks

Oakley also is a protocol that uses a public-key exchange algorithm and an ability know as Perfect Forward Secrecy (PFS) in order to prevent from the key reuse problem. (Diane Barrett, 2006) For PFS, it is a system that ensure the information about the key is being protected. For example, if a hacker successed to break on of the keys, the information about other related keys will be kept secret. This mean, the breaked key wil tell them nothing about other keys.

In term of authentication, oakley support three authentication mechanism which digital signature, public key and private key. Both private key and public key has been explained in section (3.2.3) Data Origin Authentication.

Nonetheless, when dealing with congestion attack, the concept of cookies will be use in order to solve the congestian attack. This method was normally use to prevent from the masquerading of IP addresses and port by the packer. The whole process has include a cookie and acknowledgement cookie.

3.4) Role of Internet Security Association and Key Management Protocol (ISAKMP)

ISAKMP is a key protocol in IPSec where it combines several concept together such as authentication, key management and security association in order to establid a good security association (SA). This general protocol framework contains a ISAKMP header where the entire header is encapsulated inside the OSI transport layer. Figure 3-4 shows the format of ISAKMP header.

Figure 3-4: ISAKMP Header Format

Figure 3-4 is obtain from source (Kahate, 2008)

Nevertheless, ISAKMP also support the negotiation of SA for other seucirty protocol such as IPSec, TLSP, TLS, and etc. In spite of that , the amount of duplicated functionallity also can be reduces by centralizing the management of SA. (Javvin, n.d.) ISAKMP by itslef does not use a specific key exchange algorithm. It use a set of message that enable the usage of variety of key exchange algorithm.

In term of role for Domain of Interpretion (DOI), ISAKMP will choose a security protocol and crytographic alforithm to share the key exchange. Mean while, ISAKMP will place the following requirement on DOI:

Additional Key Exchange

Additional Notification Message

Naming scheme for DOI

Applicable Security Policies

The statement above was taken from (Dictionary, n.d.)

4.0) Conclusion

In my research, I’ve discover the importance of understand SET. With SET, a secure transaction can be perform meanwhile the process itself is pretty fast. More than that, a list of participants also has been found and explained on this assignment.

Nevertheless,, the sequence of events of how the transaction happen behind the process also has beens tudy. By understanding the transaction types, the easiest way to understand how SET actually work. Nontheless, a set of diagram also has been use to summaries the whole events.

For IPSec, it is important to implement especially in a secure network. One of the proper way to apply IPSec was implement VPN. With IPSec, several advantages such as authnetication, data integrity and more and helps to secure the network.

Lastly, regarding the key exchange protocol. With the enhance of Oakley and ISAKMP, the weakness of DH protocl can be overcome and provide better key exchange algorithm in term of security and encryption.

P.S.: The softcopy of this assignment shows an exceeded word count. However, after exclude the citation, caption, bibliography and other unrelated document, the final word counts was 3247 words.