Project security

1.
Security in e-Businessاستاد:آقاي دکتر سخاوتیمريم سادات حاج اکبری88610222/8/20111

2.
Electronic commerceType ofelectronic commerceBusiness to business -> such as EDI

3.
Customer to business-> such as online stores

4.
Customer to customer -> such as Ebay

5.
Customer businessto public administrator -> such as filling electronic tax2/8/20112

6.
A typical electronic payment system36.Interbank(clearing) network7.okPaymentgateway 4.withdrawal5.deposit8.RegistrationAuthorization transaction3.registration2.Check account customer1.Payment info9.Delivery+Confirmation

7.
E-payment systemsOffline vs.onlineDebit vs. creditMacro vs. Micro2/8/20114

8.
Offline vs. OnlineOfflinepayment systemCustomer and seller are online but their banking info is offline.Use in AirlinesPayment mechanism:

9.
Crew prints payment’sinformation and customer’s credit card by a mechanical device in a paper and then enter online system.2/8/20115

10.
Offline vs. OnlineOnlinepayment system2/8/20116

11.
Debit vs. creditDebit card:Such as Iran banking system -> checksCredit card: Entities involve in credit system

12.
Card holder

13.
Card issuing bank-> visa or Master or AMEX ….

14.
Merchant

15.
Name on creditcard -> visa or master

16.
Association 2/8/20117

17.
How credit card act?2/8/20118

18.
Macro .VS MicroMacrosystemPaid more than the 5$ to 10$Micro paymentPaid less than 5$ to 1$

19.
Example: Public transportationsystem, Restaurants, Online Advertising….

20.
Difference:

21.
For any transactionit has a fee about 20 to 30 cent for payer and payee.2/8/20119

22.
Payment instructureCash likeChecklikeCredit cardElectronic moneyElectronic check2/8/201110

23.
Mechanism payment bycredit cart2/8/2011113241

24.
Credit card securityTwooriginal Illegal Use from credit cardEavesdroppers

25.
DishonestThe solution:Encryption &coding such as SSL

26.
Will issue nextchapter2/8/201112

27.
Electronic moneyDefine :Scripting money or exchanged only in electronic formCalled as:e- cash, digital cash, digital/electronic currencyMainly Used as: micro systemElectronic Currencies : Digital or electronic coin2/8/201113

28.
Digital moneySuch asOctopus system in Hong KongIt use in transportation systemThe best example is pay palUser holds Amount of credits in your account.

29.
The user canfrom their account to other account holders to give or receive money.2/8/201114

30.
Electronic check2/8/2011156.Interbank(clearing) networksettlementDifference with cash like:In cash like, Electronic payment system the first check customer’s account then delivery product or services5.Endorsed check1.Payment info2- invoice 3.Signed check4.

31.
Electronic wallet2/8/201116Define: It is a interface for save any financial information.Usage: Complete electronic forms without re-entering the transaction data when the transactionThe best example is pay pal

32.
Such as digitalmoney and credit cards

33.
Google check outElectronicpayment securityDesign a security servicesAnalysis risk

34.
Identify risks, threats, vulnerability

35.
Identify Related prioritiesNotice: any payment system have needs and special features.2/8/201117

36.
Electronic payment securityProblems Traditional payment systemsMoney can be counterfeited

37.
Signature can beforgot

38.
Checks can bounceProblemselectronic payment systemsDigital documents can be copied perfectly and arbitrarily.

39.
A payer’sidentity can be associated with every payment transaction.

40.
Digital signatures canbe produced by who knows the private key.Notice: electronic commerce need To more attention.2/8/201118

41.
Three types ofadversaries!Outsiders eavesdropping Misusing the collected data (e.g. credit card numbers )Active attackersSending forged message to authorizedDishonest payment system participants trying to obtain and misuse payment transaction data thatThey are not authorized to see or use2/8/201119

42.
The basic securityrequirementsPayment authenticationPayment integrityPayment authorizationPayment confidentiality2/8/201120

43.
Payment authenticationNo anonymity-> mechanisms such as MAC – SHA – MD5 With anonymity –> It needs to more security2/8/201121

44.
Payment integrityPayment integrity requires that payment transaction data cannot be modifiable by unauthorized principals.payment transaction data:Payer’s identity.

45.
Payee’s identity.

46.
Content of thepurchase.

47.
The amount.2/8/201122

48.
Payment authorization2/8/201123Payment authorizationensures that no money can be taken from a customer’s account or smart card without his explicit permissionPayment confidentiality2/8/201124Payment confidentiality covers of one or more pieces of payment transaction data

49.
Payment security servicesPaymenttransaction security servicesDigital money securityElectronic checks security 2/8/201125

50.
Payment transaction security servicesUser anonymity Location un-traceabilityPayer anonymityPayment transaction intractabilityConfidentiality of paymentNon-repudiationfreshness2/8/201126

51.
User anonymity Useranonymity protects against disclosure of a user’s identity in a network transaction.Mechanism:Chain of mixes2/8/201127

52.
Location untraceabilityLocation untraceabilityprotects against disclosure of where a payment transaction originated.Mechanism:Chain of mixes2/8/201128

53.
Payer anonymityPayer anonymityprotects against disclosure of a payer’s identity in a payment transaction.Mechanism:psedudonyms2/8/201129

54.
Payment transaction intractabilityPayment transaction intractability protects against linking of two different payment transactions involving the same customer.Mechanism:Hash function2/8/201130

55.
Confidentiality of paymentConfidentiality of payment transaction data selectively protects against disclosure of specific parts of payment transaction data to selected principals from the group authorized principals.Mechanism:Hash function2/8/201131

56.
Non-repudiationNon-repudiation of paymentmessages protects against denial of the origin of protocol message exchanged in a payment transaction.Mechanism:Digital signature2/8/201132

57.
FreshnessFreshness of paymenttransaction messages protects against replaying of payment transactions messages. Mechanism:Nonces and Time Stamps2/8/201133

58.
Payment transaction securityAnelectronic payment transaction is an execution of a protocol by which an amount of money is taken from a payer and given to payee2/8/201134

59.
User anonymity and location untraceabilityUser anonymity and location un-traceability can be provided separately.A pure user anonymity security service would protected against disclosure of a user’s identity.For example, a user’s employing pseudonyms instead of his or her real name.

60.
Problem: ifa network transaction can be traced back to the originating host, and if the host is used by a known network user only, This anonymity is obviously not sufficient2/8/201135

61.
location untraceabilityA purelocation untraceability security service would protect against disclosure of where a message originates.One possible solution is to route the network traffic through a set of anonymizing host.

62.
The requires thatat least one of the hosts on the network path be honest.2/8/201136

63.
Chain of mixesAuser anonymity and location untraceability mechanism based on a series of anonymizing hosts or mixes has been proposed by D. Chaum.2/8/201137MixAXBYZC

64.
Chain of mixesTheproblem of having a mix trusted by all participants can be solved by using a matrix (or network) of mixes instead of just one.2/8/201138

65.
Chain of mixes2/8/201139IfA wants to send an anonymous and untraceable message to Y, as in the example with one mix, the protocol goes as follows:

66.
Payer Anonymity2/8/201140The simplestway to ensure payer anonymity with respect to the payee is for the payer to use pseudonyms instead of his or her real identity. If one wants be sure that two different payment transactions by the same payer cannot be linked, then payment transaction untraceabilitymust also be provided.

67.
Pseudonyms2/8/201141First virtual Holding, IncStarted to operate the first internet payment system that was based on the Existing Internet infrastructure, that is e-mail and telnetSend email

68.
Pseudorandom Function2/8/201142Payment TransactionUntraceabilityIDC = hk (RC ,BAN)Payment Transaction Data confidentialityIDC = hk (RC ,BAN)

69.
IDC =hk (SALTc, DESC)Payment instruction: credit card info- account number- ...It should be secret from view merchant.Oder information: what buy?- where buy?- how delivery?...It should be secret from view acquirer bank, issuer bank...Secure Electronic TransactionSET2/8/201143SET is an open encryption and security specification designed to protect credit card transaction on the internet.Important feature of SET: it prevents the merchant from learning the card holder’s credit card number.Dual Signature2/8/201144The purpose of dual Signature is to link two message that are intended for two different recipients

70.
Nonrepudiation of PaymentTransaction Messages2/8/201145Digital Signature:To explain the nonrepudiation issues in a payment transaction protocolwe will use a simplified model based on the 3KP payment protocolNonrepudiation messages.

71.
Freshness of PaymentTransaction Messages2/8/201146This service protects against replay attacks. In other words, it prevents eavesdroppers or dishonest participants from reusing the messages exchanged during a payment transaction.Nonces and Time StampsIOTP2/8/201147The Internet Open Trading Protocol (IOTP) is an electronic payment framework for Internet commerce whose purpose is to ensure interoperability among different payment systems.IOTP is payment system-independent. That means that any electronic payment system (e.g., SET, DigiCash) can be used within the framework.IOTP messages are well-formed XML (Extensible Markup Language) documents.

72.
IOTP2/8/201148Format for electronicpaymentIt is for any transactionIt modify for any messageData integrity + nonrepudiation -> Digital certificate+ Digital signatureConfidentiality -> ssl+tls

73.
Fine2/8/201149

Project security

More Related Content

What's hot

Viewers also liked

Similar to Project security

Recently uploaded

Project security