Introduction
Credit-card-based payment system
– Entities: customer, merchant, credit card issuer and bank.
– Credit card: credit card number, Card Verification Value (CVV).
– Transaction: billing digest, information about the customer.
Introduction
– Secure Socket Layer (SSL): establishes a trusted connection between two parties.
– HTTPS (Secure HTTP): sends messages securely using SSL.
– Both need public keys and certificates, and their operation is complex.
Motivation
– SSL and HTTPS are complex because they involve key management, user credentials and certificates.
– Smart cards require extra infrastructure such as a smart card reader and middleware.
– This paper aims to make the transaction simpler and security easier to achieve.
Scheme
[Figure: scheme overview. Labels: (ex. customer credit card data), credit card confidentiality, common key K_BMi]
Scheme
– UI1: customer-related non-critical data.
– UI2: data of importance to the merchant.
– h = H_CVV(UI1, UCI, T, CVV)
– T: time stamp.
– UCI: customer critical information.
– CVV: Card Verifier Value.
– T_ID: transaction ID.
– r_c and r_m: response values generated by the issuer.
– T_ID = H(h, UI1, T)
Phases: 1. Request phase 2. Verification phase 3. Authentication phase 4. Response phase
Scheme
Authentication Phase – The issuer has a database containing customer credit card data.
A1 Retrieve CVV and UCI from the database.
A2 Compute hash value h1.
A3 Compare h and h1 for consistency.
A4 Generate response values.
A5 Send acknowledgement to the bank.
Reject: Accept: : common key between the bank and the merchant i.
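
The digest definitions and issuer steps A1 to A3 above, as an added Python example that is not code from the paper or the slides. It assumes H_CVV is HMAC-SHA256 keyed with the CVV and H is SHA-256; the length-prefixed field encoding, the `card_id` lookup key and the `MAX_SKEW` freshness window are also hypothetical, since the slides specify none of them.

```python
import hashlib
import hmac

# Assumption: H_CVV is modelled as HMAC-SHA256 keyed with the CVV and H as
# SHA-256; the slides name neither the hash functions nor the field encoding.
MAX_SKEW = 300  # assumed freshness window for the time stamp T, in seconds


def _encode(*fields):
    """Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently."""
    out = b""
    for field in fields:
        data = str(field).encode()
        out += len(data).to_bytes(4, "big") + data
    return out


def customer_digest(ui1, uci, t, cvv):
    """h = H_CVV(UI1, UCI, T, CVV), computed on the customer side."""
    return hmac.new(cvv.encode(), _encode(ui1, uci, t, cvv),
                    hashlib.sha256).hexdigest()


def transaction_id(h, ui1, t):
    """T_ID = H(h, UI1, T)."""
    return hashlib.sha256(_encode(h, ui1, t)).hexdigest()


def issuer_authenticate(db, card_id, ui1, t, h, now):
    """Steps A1-A3: retrieve CVV and UCI, recompute h1, compare it with h."""
    record = db.get(card_id)                                    # A1
    if record is None or abs(now - t) > MAX_SKEW:
        return False  # unknown card, or T outside the assumed window
    h1 = customer_digest(ui1, record["uci"], t, record["cvv"])  # A2
    return hmac.compare_digest(h, h1)                           # A3, constant time


# Constructed sample data (not real card details).
DB = {"card-001": {"cvv": "123", "uci": "ALICE|TEST-PAN|12/30"}}
T = 1_700_000_000
H_OK = customer_digest("order-77", DB["card-001"]["uci"], T, "123")
```

Steps A4 and A5 are not modelled because the slides do not give the formulas for the response values.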
Advantage vs. weakness
Advantage
– Can resist 4 important types of attack.
– Needs no complex computation.
– Needs no extra overhead such as a smart card, reader and middleware.
– Uses just a hash function and a common key.
– Uses just a one-round protocol.
Weakness
– Common key may be weak.