A Secure Online Card Payment Protocol VIJAY CHOUDHARY M.Tech(IS), DTU

INTRODUCTION  An electronic payment is any kind of non-cash payment that doesn't involve a paper check.  Methods of electronic payments include credit cards, debit cards and the ACH (Automated Clearing House) network.The ACH system comprises direct deposit, direct debit and electronic check (e check).  More the payment processed electronically, less cost will be spent on paper and postage. The basic requirements of e payment system are atomicity and non repudiation. Except these, money should be transferred electronically and universally accepted.

E payment can be of following types E payment can be of following types. E cash Electronic wallets Smart card Credit card

Major participants of online purchasing system:  Customer  Merchant  Financial Institute

Traditional method for online payment AliceBob Bank

 Buyer tells Seller the merchandise I that he requires AliceBob Bank - Alice tells Bob I, rA and { g ( I ll ra)} K 1

. - Bob computes and verifies the hash value signed by Alice, then sends rB, { aB llrb}K,bank Illm to alice Seller sends the cost m of I to Buyer AliceBob Bank 1 2

.  Alice computes and verifies the hash value signed by Bob, and then she sends to Bob. Bob can verify (aBllrB)K,bank, Illm, and then he knows whether Alice changes either his account or the amount of the money Alice should pay. -Buyer sends his account bA, and the appropriate password pa to Seller AliceBob Bank 1 2 3

. Bob send(aBllrB)K,bank, Illm to bank -Bob sends Bank his account aB, Alice’s account aA, his password ap and the money m should be transferred AliceBob Bank

.  Bank verifies whether the password ap, does fit Alice’s account aA, If it’s right, Bank transfers money m to Bob’s account and records rAllrB into a log file under Alice’s account to prevent Bob using this message again, then responds’ Bob a message of {aBllmllrAllrB}K,bank to notify him that the money m has been added to his account AliceBob Bank

.  Bob sends the digital goods being ordered or a billof lading Bill and ( g (Bill(rAllrB)),k,bob to Alice. - Seller sends the digital goods being ordered or a bill of lading to Buyer, with which he can pick up the goods. AliceBob Bank

.  A possible problem of this scheme is that Bob can still deny of the received money while he really got m After the transaction with Bob’ account, Bank will notify Bob that he has got the money m in step 5. Note: In this step and the next, Alice does know nothing about the transfer of the money from Bank directly. Then in step 6, Bob can refuse to deliver the goods or Bill to Alice and cheat Alice easily that he received a wrong account or a false password because Bank told him that they do not match with each other.  even If they are both correct. Though Alice can find this cheat later, she has no evidence of Bob's lying.

New improved scheme  We review the initial protocol and can easily find the root of the weakness is such a fact that Alice’s account a, and the appropriate password pb are transported to Bank in plaintext under seller’s view. To overcome this weakness, As and ps are encrypted by Bank’s public key. Then Bob knows nothing about and As at the end of the protocol.

So the initial protocol can be improved as follows -Bank sends {aA llmllrAllrB}K,bank to Alice Bob sends a bill of lading Bill and {g (Bill llrAllrB)}K,bob to Alice. AliceBob Bank

References  [l] Jianying Zhou, Robert Deng, and Feng Bao. “Some Remarks on a Fair Exchange Protocol“, Third International Workshop on Pructice and Theory in Public Key Cryptosystems, PKC 2000, Melbourne, Victoria,Australia,  [2]N. Asokan, V. Shoup, and M. Waidner. “Optimistic fair exchange of digital signatures”, Advances in Ctyptology - EUROCRYPT ‘98, volume 1403 of Lecture Notes in Computer Science, pp , Springer-Veriag, 199

. Thanks