Академический Документы
Профессиональный Документы
Культура Документы
Authentication, Encryption,
Digital Payments, and Digital Money
Chapter 5
Slide 1
Learning Objectives
Understand the importance of authentication.
Understand the various encryption alternatives.
Differentiate between symmetric and asymmetric
encryption.
Determine how and why encryption is important for ecommerce.
Chapter 5
Slide 2
Learning Objectives
Understand how security applies to e-mail, the Web, the
intranet, and the extranet.
Appreciate how virtual private networks are relevant to the
future of e-commerce.
Plan for strategies to fend-off security threats.
List and understand various e-commerce modes of
payment.
Chapter 5
Slide 3
Encryption
Encryption is the conversion of plain text or data into a
unintelligible form by means of a reversible translation.
Decryption
The inverse operation to encryption
Chapter 5
Slide 4
Simplest method.
Easy to program
Easy to break
Refinements
Table rotation
Using several tables
A
C
Chapter 5
Slide 5
Chapter 5
Slide 6
Chapter 5
Slide 7
Chapter 5
Slide 8
Chapter 5
Slide 9
Confidentiality
Confidentiality has two aims:
To use the digital signature or encrypted hash function to
authenticate the identity of the sender.
To protect the content of the message from eyes other than those of
the intended recipient.
Chapter 5
Slide 10
Confidentiality
Two steps involved:
In the first step, a clear message is encrypted.
The reverse aspect is the deciphering by the recipient.
Chapter 5
Slide 11
Confidentiality
Chapter 5
Slide 12
Authentication
Authentication is the process of identifying an individual
or a message usually based on a user name and password
or a file signature.
Authentication is distinct from authorization
Chapter 5
Slide 13
Authentication
Log-in Passwords
Weak method with short passwords
Chapter 5
Slide 14
Authentication
Features commonly used to identify and authenticate an
user:
Something the user knows (e.g. password).
Something the user has (e.g. token, smartcard).
Something that is part of the user (e.g. fingerprint).
Chapter 5
Slide 15
Authentication
Digital Signature
A digital signature is a code attached to an electronically
transmitted message to identify the sender.
Chapter 5
Slide 16
Authentication
Digital Signature
1.
2.
3.
4.
Chapter 5
Slide 17
Authentication
Digital Signature
1.
2.
3.
Chapter 5
Slide 18
Authentication
Digital Signature
Chapter 5
Slide 19
Authorization
Gives someone permission to do or have something.
Chapter 5
Slide 20
Integrity
Developed by Ron Rivest and supported by RSA security (the most trusted names in e-security)
Netscape Navigator supports RSAs algorithm and Microsoft Internet Explorer contains RSAs
licensed security software
MD5 is most widely used secure hash algorithm
Generates 128-bit message digest (however, not enough to resist brute force hacking)
RIPEMD-160
Chapter 5
Developed in Europe
Originally 128-bit algorithm, extended 160-bit
Slide 21
Auditing
As no system will ever be completely secure, policies need
to be devised where unauthorized usage will not
occur.
Chapter 5
Slide 22
Nonrepudiation
Nonrepudiation is a proof that a message has been sent or
received.
Nonrepudiation is specially important for the secure
completion of online transactions.
Chapter 5
Slide 23
Nonrepudiation
Chapter 5
Public key.
The name of the entity.
Expiration date.
The name of the certification authority (CA).
The digital signature of the CA.
A serial number
Slide 24
Non-repudiation
Slide 25
Non-repudiation
Private Key Infrastructure (PKI)
Chapter 5
Slide 26
Chapter 5
Slide 27
Chapter 5
Created by Netscape
Widely used
Messages are contained in a program layer between an
application and the Internets TCP/IP layers
Uses RSAs encryption system.
Uses temporary shared keys
Implement Certificate Authorities (CA)
Client and server certificates
Slide 28
Chapter 5
Slide 29
Chapter 5
The router (peer) at one end of the link transmits a user name and
password pair
The router (authenticator) at the other end determines whether it
will accept this as identifying a valid user
Slide 30
Microsoft Initiative.
Symmetric encryption.
Authenticates of server to client via certificate or CA.
Verifies message integrity with hash function message digests
Can be implemented with HTTP and FTP.
Similar to Netscapes SSL
Chapter 5
Slide 31
Chapter 5
Slide 32
Chapter 5
Slide 33
The node can join the network for any desired function at any
time, for any length of time (on-demand networking)
Chapter 5
Slide 34
Chapter 5
Slide 35
Chapter 5
Slide 36
The Players
Cardholder
Merchant (seller)
Issuer (your bank)
Acquirer (merchants financial institution, acquires the sales slips)
Brand (VISA, Master Card)
Chapter 5
Slide 37
Cardholder
credit
card
Merchant
Payment authorization,
payment data
Issuer Bank
Acquirer Bank
Cardholder
Account
Merchant
Account
Slide 39
Chapter 5
Slide 40
40
Message
Senders Computer
Senders Private
d
Signature Key
Message Digest
Digital Signature
Message
e
Encrypt
+
Senders
Certificate
Receivers
Certificate
Encrypted
Message
Digital
Envelope
f
Encrypt
Receivers
Key-Exchange Key
Chapter 5
Encrypted
Message
Symmetric
Key
Digital
Envelope
Slide 41
41
Chapter 5
Slide 42
42
Receivers Computer
Receivers Private
Key-Exchange Key
Decrypt
Digital
Envelope
Message
i
Message Digest
Encrypted
Message
Digital
Envelope
Decrypt
Symmetric
Key
Encrypted
Message
+
+
Senders
Certificate
compare
j
Decrypt
Digital Signature
Chapter 5
Senders Public
Signature Key
Message Digest
Slide 43
Electronic Wallet
Electronic Wallet, also known as digital wallet
keep customers certificate in his or her PC or IC card
A consortium of companies including Visa, MaterCard, JCB, and
American Express
established a company called SETCo
performs the interoperability test and issues a SET Mark as a
confirmation of interoperability
Chapter 5
Slide 44
IC Card
Reader
Customer y
Customer x
With Digital Wallets
Certificate
Authority
Merchant B
Payment Gateway
Protocol
X.25
Credit Card
Brand
Slide 45
Simple
Chapter 5
Slide 46
Chapter 5
Slide 47
Payer
Cyber Bank
Cyber Bank
Payment
Gateway
Payment
Gateway
Bank
VAN
Bank
Automated
Clearinghouse
VAN
An
Architecture
of Electronic Fund Transfer on the Internet
Chapter 5
Slide 48
Edited by Christopher C. Yang
Debit Cards
A delivery vehicle of cash in an electronic form
also known as check card
credit card - pay later
debit card - pay now, immediately deducted from you checking or
saving account
Chapter 5
Slide 49
Financial EDI
It is an EDI used for financial transactions
EDI is a standardized way of exchanging messages between
businesses
EFT can be implemented using a Financial EDI system
Chapter 5
Slide 50
Smart Cards
The concept of e-cash is used in the non-Internet environment
Plastic cards with magnetic stripes (old technology)
Includes IC chips with programmable functions on them which makes cards
smart
One e-cash card for one application
Recharge the card only at designated locations, such as bank office or a kiosk.
Future: recharge at your PC
Chapter 5
Slide 51
Chapter 5
Slide 52
Electronic Money
DigiCash
The analogy of paper money or coins
electronic bills, each with a unique identification
prevent duplication of bills
Chapter 5
Slide 53
No issuance of money
Debit card a delivering vehicle of cash in an electronic form
Either anonymous or onymous
Advantage of an anonymous card
the card may be given from one person to another
Chapter 5
Slide 54
Multiple Currencies
Can be used for cross border payments
Chapter 5
Slide 55
Contactless IC Cards
Proximity Card
Used to access buildings and for paying in buses and other
transportation systems
Bus, subway and toll card in many cities
Chapter 5
Slide 56
Chapter 5
Slide 57
Payer
Account
Receivable
Payee
E- Mail
WWW
Signature
Card
Signature Card
Workstation
Mall statement
E-Check line item
Remittance
Remittance
Check
Signature
Certificate
Certificate
Check
Signature
Certificate
Certificate
Endorsement
Certificate
Certificate
Secure Envelope
ACH
Secure Envelope
ECP
Payers Bank
Debit account
Chapter 5
Clear Check
Payees Bank
Credit account
Deposit check
Slide 58
Chapter 5
Slide 59
Chapter 5
Slide 60
Payers
Payees
checkbook
check-receipt
agent
Issue a check
agent
Receipt
Payer
Payee
Checkbook,
screened result
report
Request of
screening check
issuance
control
agent of
payers
bank
clearing
Internet
present
control
agent of
payees
bank
A/C
DB
A/C
DB
payers bank
payees bank
The Architecture of SafeCheck
Chapter 5
Slide 61
Chapter 5
Slide 62
Links
www.echeck.org
www.echecksecure.com
www.safecheck.com
www.ecoin.com
www.mondex.com
www.paypal.com person-to-person payments
www.c2it.com Citibank
Chapter 5
Slide 63
One-Card system
Chapter 5
Slide 64