Lecture on Secure Electronic Transaction

B. Tech CSE, VI Semester A, B, C, E

Instructor:
Dr Mohammad Wazid (PhD, SMIEEE)
Associate Professor, Department of Computer Science and Engineering
Head of Cybersecurity and Internet of Things Research Group
(Research h-index: 25, i10-index: 46)
Graphic Era (Deemed to be University), Dehradun, India
Email: [email protected]
Homepage: https://sites.google.com/site/mwazidiiith/home
 Overview
 Secure electronic transaction (SET) was an early protocol for
electronic credit card payments.
 As the name implied, SET was used to facilitate the secure
transmission of consumer credit card information via
electronic avenues, such as the Internet.
 SET blocked out the details of credit card information, thus
preventing merchants, hackers and electronic thieves from
accessing this information.
 It was supported initially by Mastercard, Visa, Microsoft,
Netscape, and others.
 Overview
 With SET, a user is given an electronic wallet (digital certificate)
and a transaction is conducted and verified using a combination of
digital certificates and digital signatures among the purchaser, a
merchant, and the purchaser’s bank in a way that ensures privacy
and confidentiality.
 SET makes use of Netscape’s Secure Sockets Layer (SSL),
Microsoft’s Secure Transaction Technology (STT), and Terisa
System’s Secure Hypertext Transfer Protocol (S-HTTP).
 Operations of public key infrastructure (PKI) are also utilized.
SET-General scenario:

Electronic transaction includes client, payment gateway, client

financial institution, merchant and merchant financial
institution. (image source: geeksforgeeks.org)
Requirements in SET :
Important requirements are :
• It has to provide mutual authentication i.e., customer (or
cardholder) authentication and merchant authentication by
validating the customer and merchant.
• It has to keep the PI (Payment Information) and OI (Order
Information) confidential by appropriate encryptions.
• It has to be resistive against message modifications i.e., no
changes should be allowed in the content being transmitted.
Participants in SET :

• Cardholder - customer
• Issuer - customer financial institution (i.e., SBI, ICICI, etc)
• Merchant (i.e., flipkart.com)
• Acquirer - Merchant financial institution (i.e., a bank)
• Certificate authority - Authority which follows certain
standards and issues certificates like X.509V3) to all other
participants.
Security and functionalities:
• Provide authentication
1- Merchant Authentication: To prevent theft, SET
allows customers to check previous relationships between
merchant and financial institution. Standard X.509V3
certificates are used for this verification.
2- Customer / Cardholder Authentication : SET
checks if use of credit card is done by an authorized user or
not using X.509V3 certificates.
Security and functionalities:

• Provide message confidentiality

Confidentiality refers to preventing unintended people
from reading the message being transferred.
SET implements confidentiality by using encryption
techniques. Traditionally DES is used for encryption
purpose.
Security and functionalities:
• Protect the integrity of messages
• SET doesn’t allow message modification with the help
of signatures. Messages are protected against
unauthorized modification using RSA digital signatures
with SHA-1.
Security and functionalities:
Dual Signature
• The dual signature is a concept introduced with SET, which aims at
connecting two information components meant for two different
receivers :
Order Information (OI) for merchant
Payment Information (PI) for bank
• You might think sending them separately is an easy and more secure
way, but sending them in a connected form resolves any future dispute
possible.
 Security and functionalities:
• Generation of dual signature
Security and functionalities:
Generation of dual signature
Where
• PI stands for payment information
• OI stands for order information
• PIMD stands for Payment Information Message Digest
• OIMD stands for Order Information Message Digest
• POMD stands for Payment Order Message Digest
• H stands for Hashing
• E stands for public key encryption
• KPc is customer’s private key
• || stands for append operation
• Dual signature, DS= E(KPc, [H(H(PI)||H(OI))])
Purchase request generation :

• It needs 3 inputs:

• Payment Information (PI)

• Dual Signature
• Order Information Message Digest (OIMD)
Purchase Request Generation :
The purchase request is generated as follows:
Purchase request generation :
The purchase request is generated as follows:

Where
• PI, OIMD, OI all have the same meanings as before.
• The new things are :
• EP which is symmetric key encryption
• Ks is a temporary symmetric key
• KUbank is public key of bank
• CA is Cardholder or customer Certificate
• Digital Envelope = E(KUbank, Ks) {Note: This is to encrypt Ks}
Purchase request validation at Merchant’s
site:
• The Merchant verifies by comparing POMD generated through PIMD
hashing with POMD generated through decryption of Dual Signature
as follows:

• Since we used Customer private key in encryption so here we use KUc

which is public key of customer or cardholder for decryption ‘D’.
Payment authorization
• 1- Merchant will send Digital envelop and encrypted value of (payment info + OIMD +
Dual Sig) to the bank.
• 2- Then bank will do the decryption using its own private key:
DKbank-p(Digital envelop), then bank will get Ks.
• 3- By decrypting through Ks bank will get the original values (payment info + OIMD +
Dual Sig).
• 4-Apply H(payment info) PIMD
• 5- Concatenate PIMD and OIMD apply H again H(PIMD||OIMD) POMD
• 6- By decrypting the dual signature using the public key of the customer, the bank will get
POMD.
• 7- Compare both POMD computed in Step 5 and 6; if matches user is valid otherwise
abort the transaction.
Transaction flow in SET (image source: cas.mcmaster.ca)
References
• https://www.geeksforgeeks.org/secure-electronic-transaction-set-
protocol/
• https://www.investopedia.com/terms/s/secure-electronic-
transaction-set.asp
• cas.mcmaster.ca
• Cryptography and Network Security: Principles and Practice-Text book
by William Stallings