E Commerce Unit IV

The document outlines the requirements for secure internet monetary payments, emphasizing the need for confidentiality, integrity, and authentication of payment information. It discusses encryption methods, the importance of digital signatures, and the role of trusted third parties in verifying account holders and merchants. Additionally, it covers interoperability for electronic commerce and various electronic payment schemes and security measures for web servers.

Uploaded by

s.natarajan85

Internet monetary payment and security requirements:

• For consumers and merchants to be able to trust one another, to prevent transmitted payment information from being tampered with, and to complete a transaction with any valid party, the following issues need to be addressed:
• Confidentiality of payment information
• Integrity of payment information transmitted via public networks
• Verification that an account holder is using a legitimate account
• Verification that a merchant can accept that particular account
• Interoperability across software and network providers
Confidentiality of payment information:
• Payment information must be secure as it travels across the internet. Without security, payment information could be picked up by hackers at the router, communication line, or host level, possibly resulting in the production of counterfeit cards or fraudulent transactions.
• There are two encryption methods used: symmetric cryptography and asymmetric cryptography.
• Symmetric cryptography, more commonly called secret key cryptography, uses the same key to encrypt and decrypt a message. A commonly used secret key algorithm is the Data Encryption Standard (DES) (Fig. 4.1).
• Asymmetric cryptography, or public key cryptography, uses two distinct keys: a public key and a private key. This allows multiple senders to encrypt messages for a receiver, who uses the private key to decrypt them. The assurance of security depends on the receiver protecting the private key (Fig. 4.2).
• For merchants to use secret key cryptography alone, they would each have to administer an individual secret key for every customer and provide these keys through some secure channel. This is complex from an administrative perspective.
• The two methods are therefore combined. The customer generates a random number used as a DES key to encrypt the payment information; that DES key is then encrypted with the merchant's public key. The DES-encrypted payment information and the encrypted DES key are transmitted to the merchant.
• To decrypt the payment information, the merchant first decrypts the DES key with its private key and then uses the DES key to decrypt the payment information.
Payment information integrity:
• Payment information sent from consumers to merchants includes order information, personal data, and payment instructions. If the information is modified in transit, the transaction may no longer be accurate.
• To eliminate this possible source of error or fraud, an arithmetic algorithm called hashing is used. The hash algorithm generates a value, the message digest, that is unique to the payment information being transferred.
• A helpful way to view a hash algorithm is as a one-way public cipher, in that:
  • It has no secret key.
  • Given a message digest, there is no way to reproduce the original information.
  • It is computationally infeasible to find other data that hashes to the same value.
• To ensure integrity, the message digest is transmitted with the payment information. The receiver then validates the message digest by recalculating it once the payment information is received.
• If the recalculated message digest does not equal the value sent, the payment information is assumed to be corrupted and is therefore discarded.
• A plain digest can be recalculated by anyone who alters the message, so by itself it does not prove who sent the information. To rectify this, the message digest is encrypted using the private key of the sender (customer). This encryption of a message digest is called a digital signature.
• Because a digital signature is created using public key cryptography, it is possible to identify the sender of the payment information. The encryption is done with the private key of a public/private key pair, which means only the owner of that private key could have encrypted the message digest.
• Note that the roles of the public/private key pair in the digital signature process are the reverse of those used in ensuring information confidentiality.
• A digital signature, however, does not authorize a particular customer to use the monetary account information contained in the payment.
Account holder and merchant authentication:
• Just as card accounts are stolen and used today, it is possible for a person to use a stolen account to initiate an electronic commerce transaction.
• A way to secure this link is to use a trusted third party (TP) who validates the public key and account of the customer. This third party could be one of many organizations, depending upon the type of account used.
• For example, if a credit card account is used, the third party could be one of the major credit card companies; if a checking account is used, the third party could be the federal clearinghouse or some other financial institution.
• Merchants then decrypt the third party's certification of the customer's public key with the third party's public key and, by the definition of public key cryptography, validate the public key and account of the customer. For this to work, however, the following is assumed:
  • The public key(s) of the third party (or parties) are widely distributed.
  • The public key(s) of the third party (or parties) are highly trusted on face value.
  • The third party (or parties) issues public keys and accounts only after receiving some proof of an individual's identity.
Interoperability:
• For electronic commerce to take place, any customer must be able to communicate with any merchant.
• Interoperability is achieved by using a particular set of publicly announced algorithms and processes in support of electronic commerce.
Payment and purchase order process:
Overview:
• For an electronic payment to occur over the internet, the following transactions/processes must occur:
  • Account holder registration
  • Merchant registration
  • Account holder (customer) ordering
  • Payment authorization
Account holder registration:
• Account holders must register with a third party (TP) that corresponds to a particular account type before they can transact with any merchant.
• In order to register, the account holder must have a copy of the TP's public key from the TP's public/private key pair.
• To register, the account holder will most likely be required to fill out a form requesting information such as name, address, account number, and other identifying personal information. When the form is completed, the account holder's software does the following:
  1. Creates and attaches the account holder's public key to the form
  2. Generates a message digest from the information
  3. Encrypts the information and message digest using a secret key, and encrypts that secret key with the TP's public key
  4. Transmits all items to the TP
• When the TP receives the account holder's request, it does the following:
  1. Decrypts the secret key with its private key
  2. Decrypts the information, message digest, and account holder's public key
  3. Computes and compares the message digest
• After verifying the request, the TP digitally signs the account holder's information and public key, producing a certified document (CD). The certified document is then encrypted using a secret key, which is in turn encrypted with the account holder's public key.
• The certified document is verified by the account holder using the public key of the TP, thus checking the digital signature, and is stored by the account holder's software for future use in electronic commerce transactions.
Merchant registration:
• Merchants must register with the TPs that correspond to the particular account types they wish to honor before transacting business with customers who share those account types.
• For example, if a merchant wishes to accept Visa and MasterCard, that merchant may have to register with two TPs or find a TP that represents both.
• The merchant registration process is similar to the account holder's registration process.
Account holder (customer) ordering:
• To send an order to a merchant, the customer (account holder) must have a copy of the merchant's public key and a copy of the public key of the TP that corresponds to the account type to be used.
• When the order form is completed, the customer's software does the following:
  • Encrypts the account information with the TP's public key.
  • Attaches the encrypted account information to the order form.
  • Creates a message digest of the order form and digitally signs it with the customer's private key.
  • Generates a secret key and encrypts the following with it: the order form, the digital signature, and the customer's CD.
  • Encrypts the secret key with the merchant's public key, taken from the merchant's CD.
  • Transmits the secret-key-encrypted message and the encrypted secret key to the merchant.
• When the merchant's software receives the order, it does the following:
Payment authorization:
• During the processing of an order, the merchant needs to authorize (clear) the transaction with the TP responsible for that particular account.
• The authorization assures the merchant that the necessary funds or credit limit are available to cover the cost of the order.
• The merchant has no access to the customer's account information, since it was encrypted using the TP's public key. It is therefore required that this information be sent to the TP, so that the merchant can receive payment authorization from the TP and the proper customer account is debited for the transaction.
• The merchant sends the TP the following information, using the encryption and digital signature process previously described:
  • Merchant's CD
  • Specific order information, such as the amount to be authorized, order number, and date
  • Customer's ID
  • Customer's account information (still encrypted with the TP's public key)
• After verifying the merchant, customer, and account information, the TP analyzes the amount to be authorized.
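The following is an added example (not code from the notes) that runs the primitives from the confidentiality, integrity and digital signature sections through the ordering and authorization flow just described: the customer seals the account data for the TP only, signs the order form and seals it for the merchant; the merchant opens its envelope, checks the signature and forwards the TP's envelope unopened; the TP recovers the account and authorizes the amount. Textbook (unpadded) RSA over fixed Mersenne primes stands in for a real public-key scheme and a SHA-256 counter-mode keystream stands in for DES; party names, the order format and the credit limits are all constructed.

```python
"""Toy walk-through of the ordering and authorization flow in the notes above.

This is an added example, not code from the notes. Textbook (unpadded) RSA over
fixed Mersenne primes stands in for a real public-key scheme, and a SHA-256
counter-mode keystream stands in for DES; neither is fit for a real payment
system. Party names, order format, and credit limits are constructed.
"""
import hashlib
import secrets


def make_keypair(a, b):
    """Textbook RSA from the known Mersenne primes 2^a-1 and 2^b-1 (a, b in 61, 89, 107, 127).
    Toy only: real keys use fresh random primes, since two moduli that share a
    prime factor can both be broken with a single gcd."""
    p, q = (1 << a) - 1, (1 << b) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse (Python 3.8+)
    return (n, e), (n, d)                      # (public key, private key)


def rsa_apply(key, value):
    """Encrypt/decrypt and sign/verify are the same modular exponentiation."""
    n, exponent = key
    return pow(value, exponent, n)


def stream_xor(key, data):
    """Symmetric stand-in for DES: XOR with a SHA-256(key || counter) keystream.
    It is malleable: flipping a ciphertext bit flips the same plaintext bit."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def digest(data):
    """Message digest as an integer, truncated to 128 bits so it is below every modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private_key, data):
    """Digital signature: the digest 'encrypted' with the sender's private key."""
    return rsa_apply(private_key, digest(data))


def verify(public_key, data, signature):
    return rsa_apply(public_key, signature) == digest(data)


def seal(public_key, data):
    """Digital envelope: a random secret key encrypts the data and the
    recipient's public key encrypts that secret key."""
    secret = secrets.token_bytes(16)
    return stream_xor(secret, data), rsa_apply(public_key, int.from_bytes(secret, "big"))


def unseal(private_key, envelope):
    ciphertext, enc_secret = envelope
    secret = rsa_apply(private_key, enc_secret).to_bytes(16, "big")
    return stream_xor(secret, ciphertext)


def customer_build_order(order, account, cust_priv, merchant_pub, tp_pub):
    """Customer software: account data sealed for the TP only, signed order sealed for the merchant."""
    signature = sign(cust_priv, order).to_bytes(32, "big")
    return {"for_merchant": seal(merchant_pub, order + signature),
            "for_tp": seal(tp_pub, account)}


def merchant_process(msg, merchant_priv, cust_pub):
    """Merchant: open its envelope, check the customer's signature, and forward
    the TP's envelope unopened (the merchant cannot read the account data)."""
    blob = unseal(merchant_priv, msg["for_merchant"])
    order, signature = blob[:-32], int.from_bytes(blob[-32:], "big")
    if not verify(cust_pub, order, signature):
        raise ValueError("order form altered in transit or not signed by this customer")
    return order, msg["for_tp"]


def tp_authorize(order, tp_envelope, tp_priv, limits):
    """TP: recover the account and check the order amount against its credit limit."""
    account = unseal(tp_priv, tp_envelope).decode()
    amount = int(order.split(b"amount=")[1].split(b";")[0])
    return amount <= limits.get(account, 0)


if __name__ == "__main__":
    cust_pub, cust_priv = make_keypair(61, 89)
    mer_pub, mer_priv = make_keypair(61, 107)
    tp_pub, tp_priv = make_keypair(89, 107)
    order = b"order=1001;item=textbook;amount=120"
    msg = customer_build_order(order, b"ACCT-0001", cust_priv, mer_pub, tp_pub)
    got_order, tp_env = merchant_process(msg, mer_priv, cust_pub)
    print("authorized:", tp_authorize(got_order, tp_env, tp_priv, {"ACCT-0001": 500}))
```

Two points the code makes that the prose only states: the merchant forwards the TP's envelope without ever holding the key that opens it, so the account data stays confidential from the merchant; and because the stream cipher is malleable, confidentiality alone would not stop someone from flipping bits in the sealed order, which is exactly why the digest and signature are checked before the order is acted on.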
On-line electronic cash:
Overview:
• E-cash works in the following way: a consumer opens an account with an appropriate bank.
• The consumer shows the bank some form of identification so that the bank knows who the consumer is.
• The consumer then withdraws e-cash from the account; the e-cash is stored on a PC's hard drive or possibly a PCMCIA card for later use.
• These transactions could all be done using public key cryptography and digital signatures, as discussed earlier.
Problems with simple electronic cash:
• A problem with the e-cash example just discussed is that double spending cannot be detected or prevented, since all cash would look the same.
• Conversely, if each piece of e-cash carries a serial number, then when the bank sees e-cash from a merchant with a certain serial number it can trace it back to the consumer who spent it and possibly deduce purchasing habits.
• This frustrates the privacy associated with real cash.
Creating electronic cash anonymity:
• To allow anonymity, the bank and the customer must collectively create the e-cash and its associated serial number, whereby the bank can digitally sign and thus verify the e-cash, but cannot recognize it as coming from a particular consumer.
• To get e-cash, the consumer chooses a random number to be used as the serial number for the e-cash.
Preventing double spending:
• While the preceding process protects the anonymity of the consumer and can identify when money has been double spent, it still does not prevent the consumer, or the merchant for that matter, from double spending.
• To create a process that identifies double spenders while keeping the anonymity of lawful individuals requires the use of tamperproof software and complex cryptographic algorithms.
• The software prevents double spending by encrypting an individual's identity using a random secret key generated for each piece of e-cash.
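An added example (not code from the notes) of the anonymity and double-spend detection just described. The bank and consumer jointly produce a signed coin whose serial number the bank never sees in the clear, using an RSA blind signature (the standard Chaum technique, which the notes describe without naming), and the bank keeps a ledger of spent serial numbers so that a second deposit of the same coin is rejected. It detects double spending rather than revealing the double spender's identity. Textbook RSA over two fixed Mersenne primes; the bank, customer name and coin format are constructed.

```python
"""Toy of the anonymous e-cash process in the notes above, as an added example
(not code from the notes). The bank signs a coin whose serial number it never
sees in the clear (RSA blind signature) and keeps a ledger of spent serial
numbers to catch double spending. Textbook RSA over fixed Mersenne primes; toy only.
"""
import hashlib
import secrets
from math import gcd


def bank_keypair():
    """Fixed toy key: n = (2^89-1)(2^107-1), both known primes. Real banks use fresh random primes."""
    p, q = (1 << 89) - 1, (1 << 107) - 1
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def coin_value(serial, n):
    """What the bank actually signs: a digest of the serial number, reduced mod n."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n


def consumer_blind(serial, pub):
    """Consumer multiplies the coin value by r^e so the bank sees only a random-looking number."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:               # r must be invertible mod n to unblind later
            break
    return (coin_value(serial, n) * pow(r, e, n)) % n, r


def consumer_unblind(blind_sig, r, pub):
    """(h * r^e)^d = h^d * r, so dividing by r leaves the bank's signature on h."""
    n, _ = pub
    return (blind_sig * pow(r, -1, n)) % n


def verify_coin(serial, sig, pub):
    """Anyone (merchant or bank) can check the coin with the bank's public key."""
    n, e = pub
    return pow(sig, e, n) == coin_value(serial, n)


class Bank:
    def __init__(self):
        self.pub, self._priv = bank_keypair()
        self.withdrawals = []      # (customer, blinded value) seen at withdrawal time
        self.spent = set()         # serial numbers already deposited

    def withdraw(self, customer, blinded):
        """Debit the customer and sign the blinded value without learning the serial."""
        self.withdrawals.append((customer, blinded))
        n, d = self._priv
        return pow(blinded, d, n)

    def deposit(self, serial, sig):
        """Merchant deposits a coin: check the signature, then the double-spend ledger."""
        if not verify_coin(serial, sig, self.pub):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: double spent"
        self.spent.add(serial)
        return "accepted"


def withdraw_coin(bank, customer):
    """Consumer side of a withdrawal: random serial, blind it, get it signed, unblind."""
    serial = secrets.token_bytes(16)
    blinded, r = consumer_blind(serial, bank.pub)
    sig = consumer_unblind(bank.withdraw(customer, blinded), r, bank.pub)
    return serial, sig


def bank_can_link(bank, serial):
    """True only if a value the bank saw at withdrawal matches the deposited coin."""
    n, _ = bank.pub
    return any(b == coin_value(serial, n) for _, b in bank.withdrawals)
```

The ledger check is what the notes call identifying double spending after the fact; preventing it before it happens is the part that, as the notes say, needs tamperproof software on the consumer's side, which this toy does not model.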
E-cash interoperability:
• Consumers must be able to transact with any merchant or bank. Hence process and security standards must exist for all hardware and software used in e-cash transactions.
• Interoperability can only be achieved by adherence to the algorithms and processes that support e-cash-initiated commerce.
Electronic payment schemes:
The leading commercial electronic payment schemes that have been proposed in the past few years, and the companies using them, are the following.
Netscape: Netscape's Secure Courier electronic payment scheme, which has been selected by Intuit for secure payment between users of its Quicken home banking program and banks, uses SEPP.
Microsoft: Microsoft's STT is similar to SEPP/SET in that it provides digital signatures and user authentication for securing electronic payments. STT is an embellished version of Netscape's SSL security tool and is compatible with SSL version 2.0.
CheckFree: CheckFree Corporation provides online payment processing services to major clients, including CompuServe, Genie, Cellular One, Delphi Internet Service Corporation and SkyTel. CheckFree has also announced its intention to support all security methods that achieve prominence in the marketplace, e.g., SET.
CyberCash: CyberCash combines features from checks and cash. CyberCash is a digital cash software system which is used like a money order, guaranteeing payment to the merchant before the goods are shipped. CyberCash wants micropayment capabilities of 5 to 20 cents per transaction.
VeriSign: VeriSign is offering its digital signature technology for authentication as a component separated from encryption, which allows for export of stronger authentication. IBM is building support for digital IDs into its web browser and Internet Connection Secure Server for AIX and OS/2.
DigiCash: DigiCash is a software company whose products allow users to purchase goods over the internet without using a credit card. The threat of privacy loss (where expenses can be easily traced) gave rise to the idea of anonymous e-cash, an electronic store of cash-replacement funds which can be loaded into a smart card for electronic purchases.
First Virtual Holdings: First Virtual targets individuals and small businesses that want to buy and sell on the internet but cannot afford an extensive on-line infrastructure. Using a First Virtual e-mail account and the First Virtual hosting system to track and record the transfer of information, products, and payments for accounting and billing purposes, consumers and merchants can buy and sell goods on the internet without sensitive information such as credit card numbers moving across the network. All sensitive information is delivered by telephone.
CommerceNet: In 1993 a group of Silicon Valley entrepreneurs envisioned the internet as a whole new model of commerce, one defined around global access, a large number of buyers and sellers, many-to-many interaction, and a significantly accelerated pace of procurement and development. They called this model spontaneous commerce.
NetCash: NetCash is the internet answer to traveler's checks. To use NetCash, users must enter their checking account or credit card numbers into an on-screen form and e-mail it to NetCash.
Other approaches: This section lists a few other approaches that have appeared in the recent past.
Mondex is based on smart card technology initially backed by the United Kingdom's National Westminster and Midland Banks. The electronic purse is a handheld smart card; it remembers previous transactions and uses RSA cryptography.
Open Market handles credit card transactions via web servers but was planning to provide support for debit cards, checking accounts, and corporate purchase orders.
Global Online uses on-line challenge/response. It is based on a third party originating agreements; therefore the seller has a higher cost to enter the market.
Wallets and such: Even in the absence of standards (e.g., SET), vendors have been developing systems to handle sales over the internet, and companies willing to accept that the products are not interoperable can support business before standards become widely deployed.
Security on web servers:
There are three main types of web server security: physical, network, and host. All network connections are protected by a firewall, a hardware or software component that prevents unauthorized access to or from a network.
Web server security encompasses two major areas:
• The security of the data on the web server
• The security of the services running on the web server
• The data on a web server is protected by operating system security and access controls. Firewalls and anti-virus software protect the services running on the web server.
• The data on the server may be its most valuable asset and hence is the target of most attacks.
• Data protection is achieved by encrypting the information on disk and by using intrusion detection software to detect and respond to intrusion attempts.
• When users surf the internet, they are not just interested in getting to their destination quickly. They also want to know that they can get there safely. This is why web server security is so important.
• Information technology (IT) professionals can use several methods to protect a web server from malicious attacks.
• One of the most basic methods is to use a firewall, a program that checks all internet traffic coming into and going out of the web server and blocks any traffic that seems suspicious or otherwise dangerous.
Importance of web server security:
• Security is an integral part of a website, especially its web server. Unsecured servers can be easily attacked and their information stolen. That is why web server security is critical.
• Web servers store, process, and deliver web pages and other online content. They can also host and serve different data types, such as audio and video files, database records, and executable programs.
• To ensure the confidentiality, integrity, and availability of information, web servers must be protected from unwanted access, improper use, modification, and destruction.
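The two controls the section names for the services side, a firewall that decides which traffic reaches the web server and intrusion detection that spots intrusion attempts, are shown here in the smallest working form as an added example (not code from the notes): a default-deny filter over inbound connection attempts and a detector run over constructed access-log lines. The allowed ports, the management network prefix and the log lines are all constructed for illustration.

```python
"""Added example, not code from the notes: a default-deny packet filter for a
web server and a probe detector run over constructed access-log lines."""
from collections import Counter

# Inbound services that are allowed; everything else is dropped by default.
ALLOW_IN = {("tcp", 80), ("tcp", 443), ("tcp", 22)}
MGMT_PREFIX = "10.0.9."          # constructed management network for admin SSH


def filter_packet(direction, proto, src_ip, dst_port):
    """Return 'allow' or 'drop' for one connection attempt."""
    if direction == "out":
        # Kept permissive for brevity; a stateful firewall would only pass
        # replies to established connections and explicitly listed egress.
        return "allow"
    if (proto, dst_port) not in ALLOW_IN:
        return "drop"                # default deny: unlisted service
    if dst_port == 22 and not src_ip.startswith(MGMT_PREFIX):
        return "drop"                # admin SSH only from management hosts
    return "allow"


# Constructed Common Log Format lines: one client requesting paths that do not exist.
ACCESS_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 0
203.0.113.5 - - [12/Mar/2024:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 0
203.0.113.5 - - [12/Mar/2024:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 0
203.0.113.5 - - [12/Mar/2024:10:00:03 +0000] "GET /tmp/ HTTP/1.1" 404 0
203.0.113.5 - - [12/Mar/2024:10:00:04 +0000] "GET /backup/ HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:10:00:06 +0000] "GET /missing.css HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return (client_ip, status_code) from one Common Log Format line."""
    client_ip = line.split(" ", 1)[0]
    status = int(line.split('" ', 1)[1].split()[0])
    return client_ip, status


def suspicious_clients(log, threshold=5):
    """Clients with at least `threshold` 4xx responses: a simple scanning signal
    that a responder would review and, if confirmed, block at the firewall."""
    errors = Counter(ip for ip, status in map(parse_line, log.splitlines())
                     if 400 <= status < 500)
    return {ip: n for ip, n in errors.items() if n >= threshold}
```

The filter answers the question the prose leaves open, what "suspicious" means for inbound traffic: anything not on the short allow list, plus administrative access from outside the management network. The detector illustrates why a threshold matters: a single 404 from a normal visitor is noise, while a burst of them from one client is worth an alert.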
