Presentation on theme: "Encryption techniques in online transaction via credit card Submitted by Deepika Dash Information and Communication technology Roll No:- 10IT61B02."— Presentation transcript:
Encryption techniques in online transaction via credit card Submitted by Deepika Dash Information and Communication technology Roll No:- 10IT61B02
Introduction The internet and world wide web have changed the way that customer can purchase almost everything online. On the other hand the Internet encourages merchants to expand their businesses beyond traditional markets and boundaries by building their own Web sites and providing their e-business solutions. Web sites that provide online shopping capabilities for users must provide a balance between giving customers easy access to their Web sites and providing security to protect themselves as well as their customers.
Contd.. e-commerce sites also have some additional concerns because customers trust them with credit card or online shopping card numbers and other personal information, which requires a kind of hiding and encryption to be provided to prevent hackers from stealing customers' information. Here we will discuss some of the most popular techniques used in securing online shopping payment via credit d.
Motivations Security Requirements - Confidentiality - Integrity - Availability - Accountability Security Threats - Threats to confidentiality - Threats to integrity - Threats to availability - Threats to Accountability
Techniques for secure online shopping process The principle of 'Risk vs. Reward' is central to the payments world. The techniques used in securing online shopping payments are: 1. Secure Electronic Transaction (SET). 2. Secure Sockets Layer (SSL). 3. Visa: Payer Authentication Service (3D Secure). 4. Biometric authentication
Secure Electronic Transaction Secure Electronic Transaction is a technical specifications for securing payment card transactions over open networks such as the internet. SET is based on specially developed encryption technology from RSA, data security.
Secure Socket Layer(SSL) SSL represents an encryption system used on servers to ensure privacy when transmitting information across the World Wide Web. SSL-enabled servers encrypt sensitive data into cipher text before sending it to clients, preventing third parties from reading the data, even if they intercept this data en route. Using SSL on a Web server helps ensure that information transmitted between a client, such as a Web browser and a server, remains private, and enables the clients to authenticate the identity of the server.
Visa: Payer Authentication Service (3D Secure) Payer authentication provides merchants with the electronic equivalent of a signed sales receipt. Under the umbrella of Visa's 3-Domain (3-D) Secure initiative, Internet merchants can participate in payer authentication. It validates that a consumer shopping on a merchant's Web site is the legitimate cardholder.
Biometric authentication Consists of methods for uniquely recognizing human, based upon one or more intrinsic physical or behavioral traits. Electronic internet Shopping Card(EISC) which contains the shopping card information and one of cardholder’s biometric ( finger print).
Secure Electronic Transaction (SET)
SET Technique Specification for securing payment card transaction over open networks such as the internet. SET makes use of 1. Netscape’s Secure Socket Layer(SSL) 2. Microsoft’s Secure Transaction Technology(STT) 3. Terisa System’s Secure Hypertext Transfer Protocol(s-HTTP ) 4. Some aspects of a public key Infrastructure
Participants in SET system
Advantages of SET Privacy by Cryptography - RSA  - DES  Integrity by Hashing Algorithm - Digital signature  Authentication by Digital Certificate
Disadvantage of SET Interoperability Integration with legacy system Slow and Expensive
Secure Socket Layer (SSL)
SSL SSL was first used by Netscape. To ensure security of data sent through HTTP, LDAP or POP3. Uses TCP to provide reliable end-to- end secure service. In general, SSL can be used for secure data transfer for any network service running over TCP/IP.
Basic Objectives of SSL The main objectives are: Authenticate the client and server to each other. Ensure data integrity. Ensure data privacy. Required for both the protocol data and also the application data.
SSL Architecture SSL consists of two layers of protocols: SSL Record Protocol Ensures data security and integrity. Protocols required to establish SSL connection. Three protocols used in this layer: SSL Handshake Protocol SSL ChangeCipherSpec Protocol SSL Alert Protocol
SSL Handshake Protocol SSL Changecipherspec protocol SSL Alert Protocol SSL Record Protocol TCP IP
Application Data H Fragments Compressed Data Add MAC Encrypt Data TCP packet MAC H: SSL record protocol
SSL Record Protocol SSL record header consists of: Content type: –identifies the type of payload (that is, the higher level protocol being used) Major version: –for SSL 3.0, the value is 3. Minor version: –for SSL 3.0, the value is 0. Compressed length: –size of the compressed data in bytes.
The Higher Layer Protocols SSL Alert Protocol Used to send session messages associated with data exchange and functioning of the protocol. Each message consists of two bytes: First byte is either 1 (warning) or 2 (fatal). If “fatal”, the SSL session is terminated. Second byte contains one of the defined error codes.
Higher Layer Protocols SSL ChangeCipherSpec Protocol Consists of a single message that carries the value of 1. Purpose of this message is to cause the pending session state to be established as a fixed state. Define the set of protocols to be used. Must be sent from client to server, and vice versa.
SSL Handshake Protocol Client sends to the server SSL version Random (used to protect key exchange) Session ID CipherSuite Server sends back SSL version Random (a different number is generated) Session ID CipherSuite
BIOMETRIC PERSONAL AUTHENTICATION
Finger print as a Biometric Authentication System Finger prints are unique for every individuals using which verification can be provided. Uniqueness is provided by topographic relief of ridge structure and ridge anomalies known as MINUTIAE POINTS. Representation is of 2 types - Local - Global MINUTIAE POINTS are common due to : - capture individual information - storage sufficient - robust to various sources of finger print degradation
A Fingerprint Uniqueness
EISC-ONLINE SHOPPING SYSTEM ELECTRONIC INTERNET SHOPPING CARD– authenticates the cardholder and to complete the online shopping transaction by generating a special image containing information to complete the transaction. System proposes 3 techniques: Fingerprint verification technique as a biometric personal authentication system. Extraction of minutiae Determination of core point of fingerprint Fragile steganography algorithm Data hiding encrypting Embedding the extracted features and encrypted
ESIC System Component
From a technical point of view, the proposed system can be divided into the following stages: EISC issuers side(creation stage) EISC customer side(E-payment stage) EISC issuers side(validation stage)
Overview of online transaction using EISC
Advantage Meets different kind of security objective - Confidentiality - Integrity - Availability
Disadvantage Safety is not enough Cost may be high May need special software to be installed in the customers machine.
CONCLUSION Methods to encrypt information during online transaction give customer confidence to shop online. SSL is the most popular protocol used in credit card industry for secure transaction. SET is also used SSL as one of its protocol. The only difference is that, in SET we use 4 digital signatures, 6 certificates which is not required in SSL once session is started between client and server. ESIC is a better way to provide security using biometric authentication. But it requires additional overhead. The credit card industry has its interest dispersed in a large number of service organizations, such as autonomous banks, so that it will be very difficult to agree on a universal standard. Still it is standardized for the secure transaction of large amount of money.
REFERENCES .Knorr K. and Rohrig S., 2000. Security of Electronic Business Applications: Structure and Quantification, First International Conference, EC-Web 2000, London, UK, Sep 2000 .financialsecurity.techtarget.com/definitio n/Secure-Electronic-Transaction .Secure online transaction by biometric authentication and steganography[ IEEE Xplore.ieee.org]
REFERENCES .Secure Electronic Transaction: a market survey and a test implementation of SET technology, Master Thesis, UPPSALA University. 1998[IEEE Xplore] .Ross A. 2003. Information Fusion in Fingerprint Authentication. PhD thesis, Michigan State University, 2003 [IEEE Xplore] .NEW TECHNOLOGIES IN CREDIT CARD AUTHENTICATION,Pieter de Bruyne,Institute for Communications Technology,ETH Zentrum [IEEE, Xplore] . Cryptography and network security by B.A.Farozaun and D.Mukhopadhaya, 2 nd edition, Tata macgraw Hill