One of the most important components of an electronic commerce (e-commerce) application is a digitally secure means of electronic payment (e-payment). E-payment may be treated as a protocol among the payer, the payee and their respective Financial Institutions (FIs).

SET is a good example of a protocol that ignores “convenience”. SSL-based methods, on the other hand, are ignoring important “security” requirements. In this paper we propose a new e-payment protocol for Internet based transactions. Our aim is to balance the trade-off
between security and convenience. This protocol, named CONSEPP (CONvenient and Secure E-Payment Protocol), is based on ANSI X9.59 [5] standard. This standard describes secure payment object to be used in electronic payment. It is not restricted to Internet-based payment; same idea could be applied to Point-of-Sale terminals, Mail-Order and Telephone-Order payments. However, CONSEPP is for Internet transactions only. In CONSEPP, we add some more features on top of the X9.59 standard to make it more specific for Internet based payments. We solve the existing merchant certificate problem of X9.59 with dynamic public key transfers embedded in authorization messages. We propose a secure method for shopping experience in which merchant authentication is embedded in payment cycle. These extra features are light methods and do not create a significant burden on transactions. As a result, we end up with a certificate-free and convenient Internet e-payment method that satisfies the security requirements of all parties.

In the rest of this section the trade-off of security vs. convenience will be detailed using two applications, SSL and SET. Section 2 discusses the basic characteristics of the X9.59 model. CONSEPP is explained in Section 3. The advantages of CONSEPP are the subject of Section 4. Some further discussions are given in Section 5. Conclusions are in Section 6.

1.2. SSL, SET and their disadvantages

SSL [4] is a protocol that provides a private, encrypted session between the client and the server. The protocol and its related certificates are widely used in web browsers. The server authenticates itself to the client using the server certificate, but the authentication of the client to the server is optional. In electronic payment terminology, server means merchant; client means consumer. In a basic electronic payment protocol based on SSL, a consumer sends account information and the transaction amount over an SSL protected connection. The merchant also sends the acknowledgment over the same channel. The authorization for the transfer of funds from the consumer’s account is done as in classic Mail-Order/Telephone-Order transactions. This step is transparent to the consumer. Such a protocol is not only easy to implement but also minimally changes the traditional business model. Therefore it is very “convenient”. The consumer does not need to register and obtain another account or card for electronic payment. The merchant and the FIs will make only slight modifications to the traditional authorization and settlement procedures. Some new interfaces may need to be implemented in order to provide automated responses to the consumer.

An SSL based protocol provides privacy, integrity and authentication of merchant to consumer. However, it does not guarantee the authentication of consumer to merchant and consumer non-repudiation. The consumer may deny making the payment and the merchant may not be able to prove the fact even if the transaction was legitimate. This causes a “charge-back” cost for honest merchants due to dishonest consumers. The SSL based methods may also work for dishonest merchants to make illegal money. The merchant has to see the consumer’s account information in order to initiate the authorization process after receiving the payment order from the consumer. The merchant could intentionally or unintentionally disclose this sensitive account information. Furthermore, since the consumer’s FI has no way to check the intent of the consumer to make the payment, a dishonest merchant is also able to use this account information later to make charges without the consent of consumer. Of course, the consumer can rightfully repudiate this bogus transaction. However, transactions that are overlooked would be to the benefit of the dishonest merchant.

Another class of electronic payment methods involves the FIs in the protocol. The most well-known example is the Visa and MasterCard joint effort, the Secure Electronic Transaction (SET) protocol [3]. The interaction among FIs in the settlement network is not a part of SET. Communication between FIs and consumer/merchant is defined in the protocol. The authentication and non-repudiation requirements require the use of digital signatures and consequently of digital certificates for each message. Privacy and integrity are also attained. Each SET cardholder must have a digital certificate issued by a trusted Certificate Authority (CA). The cardholder’s public key is certified via a digital certificate. This is necessary, because otherwise no one can be sure of the legitimacy of a cardholder’s identity or of the public key. SET provides all necessary security requirements, unfortunately by sacrificing “convenience”. Currently, SET is not widely deployed and we believe that it will not be in the near future. We also believe that the FIs are less than eager to deploy SET, for reasons discussed below.

1. SET requires the registration of consumers by their FIs. They need to have certificates in order to use the protocol. However, SSL based solutions do not require such registration.
2. SET requires a PKI (Public Key Infrastructure) that is defined in [3]. A PKI is a complete system for certificates. The FIs, the payment brands and the end users come together in a hierarchical manner in this PKI. The certificates are issued by independent CAs. We think that this PKI, as all other distributed and large CA-based PKIs, is unlikely to be used, because
the implementation and maintenance cost of this PKI, which is to be paid to CAs, would be an extra expense for the FIs.
3. SET is only for payment-card (credit or debit) based transactions. Account based transactions, like electronic check (e-check), are not included in SET.

1.3. Motivation behind X9.59

SSL based protocols are convenient but have some authentication and non-repudiation problems. SET and other payment-card based protocols, which require either intermediary agents or CA-based PKI, are secure, but not so convenient, particularly for FIs. X9.59 standard tries to find a middle ground in the security-versus-convenience trade-off.

The Account Authority Digital Signature (AADS) model was first introduced by Lynn and Anne Wheeler [6] in 1997 as the part of the ANSI X9.59 “Electronic Commerce for Financial Services Industry” standardization efforts. The Wheelers and ANSI X9A10 working group shaped the AADS idea and used it in the X9.59 standard. As of this writing, X9.59 is in DSTU (Draft Standard for Trial Use) status. Some prototype implementations are being developed. In the rest of this paper, the terms AADS model and X9.59 model will be used interchangeably.

The Wheelers tried to eliminate the requirement of a Certificate Authority (CA), and consequently a CA-based PKI, in order to verify a public-key based digital signature, because they strongly believe that the existence of a CA-based certification system has no part in business models for the financial services industry. They use the name “Certificate Authority Digital Signature (CADS)” to describe the classical way to obtain a public key using certificate(s) and to verify a digital signature using this certificate. They name their method AADS, since the public key necessary for the verification does not come from a CA in their method. The public key is stored and used by the account authority (i.e., the FI) of the entity.

2. Basic characteristics of the X9.59 model

The basic idea behind the AADS model as proposed by the Wheelers for the X9.59 standard is to avoid the necessity of consumer certificates. However, to verify the signatures issued by the consumer, a public key is still necessary. The merchant verifies the digital signature of the consumer in most of the electronic payment protocols. However in X9.59, the Consumer’s FI (CFI) is the authority who verifies the consumer’s digital signature. The consumer’s public key is stored in the consumer’s account record held by the CFI. Therefore, no consumer certificate is necessary. Having verified the signature of the consumer on the payment order, the CFI sends an acknowledgment to the merchant via the Merchant’s FI (MFI).

Since the account information of the consumer is already held in the CFI’s site, it would not be difficult to hold the consumer’s public key as another field of this account record. Moreover, the transaction should be forwarded to the CFI in order to allocate enough funds for the authorization. An acknowledgment should also be sent to the merchant for this fund authorization. In X9.59, these authorization and acknowledgment messages contain the digital signature and its verification information as well. The X9A10 committee believes that this payment method does not require changing the existing settlement infrastructure tremendously. A few addenda fields in the current messages would solve the problem. Furthermore, the business model remains the same.

Another important characteristic of the X9.59 model is that messages transmitted among the consumer, merchant and FIs are not encrypted. However, the X9.59 draft standard [5] states that encryption could be provided by some other means outside the scope of X9.59 standard. Justifications for this challenging characteristic are as follows.

1. X9.59 uses Payment Routing Code (PRC) instead of consumer and merchant account/card numbers. This is an FI-assigned account number that internally identifies a consumer or a merchant. PRCs are X9.59 specific and are not used elsewhere. FIs assign and pass PRCs to their customers when they are registered for the first time. This is part of the account setup procedure. Consumers and merchants use their PRCs for all X9.59 transactions, instead of regular account/card numbers. PRCs are not one-time, their holders use the same value for all their X9.59 transactions. The FIs keep the mappings between the PRCs and conventional account numbers in order to process an X9.59 transaction, but they do not reveal this mapping. In this way, the binding between a PRC and its holder becomes a secret between the holder and its FI. A PRC is not valid unless there is an accompanying digital signature issued by its owner. Any third party cannot take advantage of knowing PRC, since it cannot produce a digital signature. Thus, PRCs need not be encrypted.
2. The strong authentication that X9.59 claims to provide is sufficient to prevent the majority of consumer and merchant frauds. Using the PRC concept and strong authentication make encryption a luxury in X9.59. The X9.59 group believe that strong privacy via encryption is one of the reasons behind the failure of SET [3], since such an approach slows down the transaction processing and creates extra key distribution problems.
3. Having no encryption makes the system suitable for consumers who use wireless devices. Processing speed and power consumption are important problems of wireless devices. End-user wireless devices can save some time and power by having no encryption.
4. X9.59 is not an Internet-only standard. Implementation is possible in existing point-of-sale networks where the consumer/merchant transaction occurs at a physical box located on the merchant’s premises. The encryption requirement is minimal in such a classical transaction.

Integrity is inherently supplied by the digital signature scheme in X9.59. Replay attacks are avoided by supplying a unique “nonce” called Locally Unique IDentifier (LUID).

The X9.59 model tries to take full advantage of the current payment infrastructure and business model. It is not restricted to a specific payment method and

– merchant authentication that is embedded in the payment cycle,
– a method for secure shopping experience,
– authorization request and response messages,
– a lightweight method for merchant’s public key transfer from MFI to consumer.

These features are detailed in Sections 3.2, 3.3, 3.4 and 3.5.

3.1. Basic payment cycle

A generic CONSEPP payment cycle as described in the X9.59 standard [5] is given in Figure 1. First we start by explaining the payment infrastructure and trust relationships among the consumer, merchant and FIs. Then the protocol is detailed.

pairs are created and the public keys are deposited in their

[Figure residue; surviving labels: AutReqObject, SigPayAckObject, Signature on SigPayObject]
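
The CFI-side check described in Section 2 (public key held in the account record, a PRC that is worthless without its owner's signature, and the LUID as replay guard) can be sketched as follows. This is an added example, not code from the paper or from X9.59: the field names, the `|`-joined encoding, the sample PRC/LUID values and the toy textbook-RSA signature (used only so the sketch runs on the Python standard library) are all assumptions.

```python
import hashlib

# Toy textbook RSA (two Mersenne primes, no padding) so this runs on the
# standard library alone. Stand-in for a real signature scheme; not secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D: consumer's private exponent

FIELDS = ("prc", "luid", "amount", "payee_prc")  # hypothetical signed fields

def digest(order, n):
    msg = "|".join(str(order[f]) for f in FIELDS).encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def consumer_sign(order):
    return pow(digest(order, N), D, N)

class ConsumerFI:
    """CFI: the consumer's public key is a field of the account record."""
    def __init__(self):
        self.accounts = {}       # PRC -> {"pubkey": (n, e), "balance": int}
        self.seen_luids = set()  # (PRC, LUID) pairs already authorized

    def register(self, prc, pubkey, balance):
        self.accounts[prc] = {"pubkey": pubkey, "balance": balance}

    def authorize(self, order):
        acct = self.accounts.get(order["prc"])
        if acct is None:
            return "unknown PRC"
        n, e = acct["pubkey"]
        if pow(order["sig"], e, n) != digest(order, n):
            return "bad signature"   # a PRC without a valid signature is worthless
        if (order["prc"], order["luid"]) in self.seen_luids:
            return "replayed LUID"   # same signed object presented twice
        if acct["balance"] < order["amount"]:
            return "insufficient funds"
        self.seen_luids.add((order["prc"], order["luid"]))
        acct["balance"] -= order["amount"]
        return "authorized"

def demo():
    cfi = ConsumerFI()
    cfi.register("PRC-C-0001", (N, E), balance=100)  # constructed sample data
    order = {"prc": "PRC-C-0001", "luid": "L-42", "amount": 30, "payee_prc": "PRC-M-0009"}
    order["sig"] = consumer_sign(order)
    first, replay = cfi.authorize(order), cfi.authorize(order)
    # A party that saw the PRC and signature but lacks the private key.
    altered = cfi.authorize(dict(order, luid="L-43", amount=60))
    return first, replay, altered
```

No certificate appears anywhere in the check: the CFI trusts the key because it sits in its own account record, which is the AADS point the section makes.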