Survey Paper on Secure Electronic Transaction (SET)
Contents
ABSTRACT
INTRODUCTION
BACKGROUND
DESIGN AND IMPLEMENTATION
CONCLUSION
REFERENCES
ABSTRACT: Securing electronic payments over an untrusted communication channel is a demanding task that touches several critical areas: a secure communication channel, a strong encryption procedure, and a trusted third party that maintains the registration database. The single layer of encryption traditionally used in Secure Electronic Transaction (SET) protects only the confidentiality of the data in transit; if that one layer is broken, an unauthorized party can read the customer's restricted data for malicious purposes. Effective encryption techniques are therefore needed to strengthen both the confidentiality of the data and the authentication of the communicating parties. Multiple encryption, that is, encrypting the same data more than once under independent keys, provides additional protection for electronic transactions carried over the Internet. This survey paper reviews the role of multiple encryption in SET and argues for its use to raise the confidentiality of transaction data, so that an unauthorized user cannot recover any part of the data exchanged over the network.
INTRODUCTION:
Secure Electronic Transaction (SET) is a standard protocol for securing credit card payments over insecure networks, above all the Internet. It is a set of rules and message formats that allow customers to pay through the existing card payment system over an untrusted network in a secure and dependable way [1]. SET provides confidentiality, integrity and authenticity for the messages of an electronic payment: confidentiality hides sensitive information such as the card number from unauthorized parties, data integrity guarantees that the order and payment data arrive without alteration by an attacker, and authentication assures both sender and recipient that the transaction is legitimate and that the other party is who it claims to be [2]. Buying over an open network carries risks that a face-to-face purchase does not: the customer cannot inspect the goods physically, the security of the online transaction is not guaranteed, and delivery of the ordered item takes time. SET addresses the second of these risks. Rather than handing the card number to the merchant, the cardholder's payment information is encrypted so that only the payment gateway can read it, and the cardholder is identified to the merchant by a digital certificate; the merchant can thus have the transaction amount charged to the customer's card account without ever learning the card number.
SET relies on well-established cryptographic methods: digital signatures with X.509 certificates for authentication, and public-key (RSA) cryptography to let the communicating parties authenticate each other and exchange keys securely [3]. Three systems take part in a successful transaction: the merchant's site, the secure payment gateway server, and the card issuer's bank, which verifies the customer's account. SET proceeds through the following steps:
1. The customer obtains a payment card (MasterCard or Visa) from an issuing bank that supports electronic payment and registers it for online use, supplying the required account details.
2. The customer receives a digital certificate issued by a trusted certificate authority. The certificate binds the customer's public key to the account and carries an expiry date; both are needed for secure online transactions.
3. The merchant likewise obtains certificates, issued through the card brand's certificate authority, from its acquiring bank. These certificates carry the public keys of the merchant and of the bank's payment gateway.
4. The customer confirms the order on the merchant's web page.
5. The cardholder's software verifies the merchant's certificate and confirms that the merchant is genuine.
6. The cardholder's software sends the order to the merchant in encrypted form. The message includes the order information, the payment details encrypted under the payment gateway's public key, and the customer's certificate.
7. The merchant authenticates the customer by verifying the digital signature on the customer's certificate and on the order. This may involve the bank as well as the trusted third party.
8. The merchant forwards the payment information to its bank (the payment gateway). This message contains the customer's payment details, still encrypted under the gateway's public key, together with the merchant's certificate.
9. The bank performs its checks on the merchant and on the authenticity of the message: using the digital signatures and certificates, it verifies the payment details and obtains authorization from the card issuer over the private financial network.
10. The bank returns the final authorization for the requested transaction to the merchant.
In this way SET passes through several stages to complete an electronic transaction securely over the Internet. Multiple encryption is a technique for strengthening confidentiality by encrypting the data more than once, with the same or different algorithms and with independent keys. It raises the work needed to recover the plaintext so that an attacker who has obtained some of the keys still cannot decrypt the data [4]. Triple DES (3DES) is the best-known example of multiple encryption in practice. Note that encryption by itself, however many times it is applied, does not guarantee a message's integrity; in SET, integrity and authentication come from digital signatures, which multiple encryption complements rather than replaces.
The simplest way to enlarge the effective key size is to encrypt twice, with two independent keys K1 and K2. Let P be a 64-bit plaintext, C a 64-bit ciphertext and K a 56-bit key. The basic DES encryption operation is written
C = S_K(P), and simple double encryption is obtained as:
C = S_K2[S_K1(P)].
Exhaustive search over all (K1, K2) pairs would require 2^112 operations and is clearly infeasible. Nevertheless, this cipher can be broken by a known-plaintext attack (where matching plaintext and ciphertext are both known) in about 2^57 operations, essentially the same order of work as exhaustively cryptanalyzing a single 56-bit key, at the cost of a table of 2^56 entries. If P and C are a known plaintext-ciphertext pair, the attacker encrypts P under each of the 2^56 possible values of K1, decrypts C under each of the 2^56 values of K2, and looks for a match between the two sets of intermediate values; each match gives a candidate (K1, K2) pair, and a second known pair confirms the right one. For obvious reasons this is known as a "meet-in-the-middle" attack [5].
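The attack in the paragraph above, as an added worked example that is not part of the original paper: a toy 16-bit Feistel cipher with 12-bit keys stands in for DES (the cipher, its key schedule, the secret keys and the known plaintexts are all constructed for this demonstration), so that the whole key space can be enumerated in Python. Double encryption under (K1, K2) has a 24-bit key space, but the meet-in-the-middle attack recovers the pair with 2 x 2^12 cipher operations and a 2^12-entry table, the same argument that gives 2^57 rather than 2^112 for double DES.

```python
"""Meet-in-the-middle attack on double encryption.

Added example: a toy 16-bit Feistel cipher with 12-bit keys stands in for DES
so the full key space can be enumerated. Everything here is constructed for
the demonstration; it is not DES and not part of the SET specification.
"""
from __future__ import annotations

KEY_BITS = 12          # toy key size; DES has 56
ROUNDS = 4
MASK8 = 0xFF


def _round_keys(key: int) -> list[int]:
    """Derive four 8-bit subkeys. rk0 and rk1 together fix all 12 key bits,
    so distinct keys always get distinct key schedules."""
    rk0 = key & MASK8
    rk1 = (key >> 4) & MASK8
    rk2 = rk0 ^ rk1 ^ 0x5A
    rk3 = (rk0 + 3 * rk1) & MASK8
    return [rk0, rk1, rk2, rk3]


def _f(right: int, subkey: int) -> int:
    """Toy round function: add subkey, rotate, mix. Any F keeps a Feistel
    network invertible, so decryption never needs F's inverse."""
    x = (right + subkey) & MASK8
    x = ((x << 3) | (x >> 5)) & MASK8
    return x ^ ((x * 0x1F) & MASK8)


def encrypt(block: int, key: int) -> int:
    left, right = block >> 8, block & MASK8
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 8) | right


def decrypt(block: int, key: int) -> int:
    left, right = block >> 8, block & MASK8
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 8) | right


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """C = S_K2[S_K1(P)], the construction analysed in the text."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Recover (K1, K2) from known (P, C) pairs.

    Cost: 2^KEY_BITS encryptions + 2^KEY_BITS decryptions + a table of
    2^KEY_BITS entries, instead of 2^(2*KEY_BITS) trial double encryptions.
    """
    p0, c0 = pairs[0]
    # Forward table: S_K1(P0) -> every K1 that produces that middle value.
    middle: dict[int, list[int]] = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        # Backward step: D_K2(C0) must meet some S_K1(P0) in the middle.
        for k1 in middle.get(decrypt(c0, k2), ()):
            # Extra known pairs weed out chance matches on a 16-bit block.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def work_factors() -> tuple[int, int]:
    """(naive exhaustive search, meet-in-the-middle) in cipher operations."""
    return 1 << (2 * KEY_BITS), 2 << KEY_BITS


# Constructed demo secrets and known plaintexts; the attacker sees only the pairs.
SECRET_K1, SECRET_K2 = 0x3A7, 0x9C2
KNOWN_PLAINTEXTS = [0x1234, 0xBEEF, 0x0F0F]


def known_pairs() -> list[tuple[int, int]]:
    return [(p, double_encrypt(p, SECRET_K1, SECRET_K2)) for p in KNOWN_PLAINTEXTS]


if __name__ == "__main__":
    found = meet_in_the_middle(known_pairs())
    naive, mitm = work_factors()
    print(f"recovered key pairs: {[(hex(a), hex(b)) for a, b in found]}")
    print(f"naive search: {naive} operations, meet-in-the-middle: {mitm}")
```

Three known pairs are used because, with a 16-bit block, about 2^24 / 2^16 = 256 wrong (K1, K2) pairs match on the first pair by chance; the remaining pairs filter them. For DES the same filtering needs only one or two extra pairs because the 64-bit block leaves far fewer accidental collisions, and the table of 2^56 intermediate values, not the computation, is the practical obstacle.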
BACKGROUND
Secure Electronic Transaction (SET) was developed by Visa and MasterCard in 1996 with the participation of companies including Microsoft, GTE, IBM, Netscape, VeriSign and RSA. SET is built on X.509 certificates, the standard digital certificate format used for authentication. The first version of the SET specification was published in May 1997.
SET uses several encryption algorithms, notably DES for bulk encryption and RSA for key exchange and digital signatures. DES is a 56-bit key algorithm that SET uses to encrypt the transaction data. A 56-bit key is not secure against a determined attacker and can be recovered by brute force with modern software and dedicated hardware. In 1993 Michael Wiener published the design of a brute-force DES key-search machine; in 1996 Schneier [6] summarized estimates showing that a well-funded attacker could build a parallel machine that recovers a key within minutes. Single DES is therefore inadequate on its own. SET mitigates this by protecting each DES session key under RSA and by authenticating every message with digital signatures; the weakness of single DES is also the motivation for the multiple encryption discussed in this paper.
SET allows the communicating parties to identify and authenticate one another and to exchange sensitive information confidentially. Its main advantage is that all communication is protected end to end and the merchant never gains access to the customer's card details. This protects customers as well as the card organizations against financial fraud.
DESIGN AND IMPLEMENTATION
Online shopping is growing steadily, and in each purchase the customer hands over credit card information to pay for the requested goods. Secure Socket Layer (SSL) and Transport Layer Security (TLS) protect the card details from eavesdroppers while they are in transit, but the merchant still receives them in the clear. SET goes further by requiring merchants and cardholders to register before any online transaction. A trusted certificate authority enrolls cardholders and merchants and, after approval, issues each of them a certificate and a signature key for online use. These credentials are used for authentication, and all order messages and confirmations carry digital signatures, which provide non-repudiation as well as authentication, deter fraud, and can be used to settle disputes [6].
A SET transaction involves three parties: the cardholder, the merchant, and the bank acting as payment gateway. The cardholder shares the order information with the merchant through the merchant's site, but not with the payment gateway, and shares the payment information with the payment gateway but not with the merchant. A dual signature protects this partial sharing of data while letting all parties confirm that they are dealing with the same transaction. Each party receives a hash of the part of the data it does not see: the cardholder signs the combined hashes of the payment and order information, and each party can check that the hash in its possession matches the hash signed by the cardholder. The cardholder and the merchant thus compute identical hashes for the bank to compare. All traffic between the parties is encrypted, and merchants never see the customer's card number. An attacker cannot forge a transaction, because a valid purchase requires the cardholder's signature and a secret value that the cardholder obtains from the trusted third party at registration.
A merchant may also be authorized to receive card numbers, and then has the option of accepting payments on the basis of a card number alone.
Secure Electronic Transaction using a Credit Card
There are three main phases in a secure electronic transaction:
• Purchase request
• Payment authorization
• Payment capture
Purchase Request Phase: There are five steps in the purchase request phase.
1) Initiate Request: The process begins with the customer shopping and selecting items. The customer has completed the order form and chosen a particular payment card. The customer's computer, running the cardholder software (from here on simply "the cardholder"), sends an initiate request (PInitReq) message to the merchant asking for the certified public key of the payment gateway.
2) Initiate Response: On receiving the initiate request, the merchant assigns a unique transaction ID to the purchase and returns a signed message containing the transaction ID, its own certificate, and the certificate of the payment gateway appropriate for the card brand.
3) Cardholder Purchase Request:
On receiving the response, the cardholder verifies the certificates of the merchant and of the gateway and the merchant's digital signature on the transaction information. It then creates two messages: an order information (OI) message intended for the merchant and a payment information (PI) message intended for the payment gateway. The PI carries data such as the cardholder's card number and is hidden from the merchant. Both messages contain the transaction ID assigned by the merchant, so that they can be linked to one another.
A neat construction ties the two messages together. The cardholder computes a message digest of the OI and a message digest of the PI, concatenates the two digests, and hashes the result to obtain a third digest. This final digest is signed with the cardholder's private key; the result is the dual signature over OI and PI.
The next step hides the PI from the merchant. The cardholder generates a random session key for a conventional (symmetric) encryption algorithm and encrypts the PI with it. To deliver this key to the payment gateway, the cardholder places the session key and the account information in a message and encrypts it with the payment gateway's public key, so that only the gateway can recover the account information and the session key that decrypts the PI. The merchant is then sent a message containing the OI, the digest of the PI, the dual signature, the encrypted PI together with the wrapped session key and account information, and the cardholder's certificate.
The reason for the dual signature scheme is this: the payment gateway receives only the digest of the OI, not the order itself, and cannot learn what was purchased from it, while the merchant receives only the digest of the PI and cannot learn the card details. If a dispute arises between the merchant and the customer, the OI can be produced, and the payment gateway, which holds the PI, can recompute the digests and verify the dual signature to establish whose claim is correct. This is an important security feature of SET.
4) Merchant's Purchase Request Processing:
When the purchase request arrives, the merchant verifies the cardholder's certificate. The certified public key is then used to verify the dual signature over the OI and the PI digest, which guarantees that the OI has not been altered. Once this check passes, the merchant produces a digitally signed purchase response message and returns it to the cardholder.
5) Purchase Response:
In the final step of this phase, the cardholder uses the merchant's certified public key to verify the purchase response and stores it for future reference.
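The dual signature described in steps 3 and 4, and the dispute resolution that follows from it, as an added worked example that is not code from the original paper or from the SET specification. SET itself used RSA signatures over SHA-1 digests; here SHA-256 and a textbook RSA implementation without padding (keys generated at run time, for illustration only, not for production use) stand in, and the order and payment information are constructed sample strings using a well-known test card number.

```python
"""SET dual signature: DS = Sign_cardholder(H(H(PI) || H(OI))).

Added example. Textbook RSA with no padding and a Miller-Rabin prime search
stand in for SET's certified RSA keys; SHA-256 stands in for SHA-1. The order
information (OI) and payment information (PI) below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # a is a witness that n is composite
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)). Toy key size, textbook RSA: illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_sign(priv: tuple[int, int], digest: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)   # 256-bit digest < n


def rsa_verify(pub: tuple[int, int], digest: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")


def dual_signature(priv, oi: bytes, pi: bytes) -> tuple[bytes, bytes, int]:
    """Cardholder side. Returns (PIMD, OIMD, DS): the two digests the
    counterparties need plus the signature over H(PIMD || OIMD)."""
    pimd, oimd = sha256(pi), sha256(oi)
    return pimd, oimd, rsa_sign(priv, sha256(pimd + oimd))


def merchant_verify(pub, oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant sees the OI in the clear and only the digest of the PI."""
    return rsa_verify(pub, sha256(pimd + sha256(oi)), ds)


def gateway_verify(pub, pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway sees the PI in the clear and only the digest of the OI."""
    return rsa_verify(pub, sha256(sha256(pi) + oimd), ds)


def resolve_dispute(pub, pi: bytes, claimed_oi: bytes, ds: int) -> bool:
    """Gateway, holding the PI, checks whether an OI produced later is the
    one the cardholder actually signed for."""
    return gateway_verify(pub, pi, sha256(claimed_oi), ds)


# Constructed sample data (4111111111111111 is a standard test card number).
OI = b"tx=TX-0001;item=book;qty=1;amount=19.99"
PI = b"tx=TX-0001;pan=4111111111111111;exp=12/99;amount=19.99"
TAMPERED_OI = b"tx=TX-0001;item=book;qty=1;amount=99.99"


def run_purchase_request() -> dict[str, bool]:
    pub, priv = generate_keypair()
    pimd, oimd, ds = dual_signature(priv, OI, PI)
    return {
        "merchant_accepts_oi": merchant_verify(pub, OI, pimd, ds),
        "gateway_accepts_pi": gateway_verify(pub, PI, oimd, ds),
        "merchant_detects_tampered_oi": not merchant_verify(pub, TAMPERED_OI, pimd, ds),
        "dispute_original_oi_wins": resolve_dispute(pub, PI, OI, ds),
        "dispute_inflated_oi_loses": not resolve_dispute(pub, PI, TAMPERED_OI, ds),
    }


if __name__ == "__main__":
    for check, ok in run_purchase_request().items():
        print(f"{check}: {ok}")
```

Each verifier only ever hashes the part of the transaction it is allowed to see and takes the other half as a digest, yet both checks succeed against the same signature; the two dispute calls show the gateway settling a price disagreement without ever having been told what was ordered. A real deployment would add signature padding (PKCS#1 v1.5 or PSS) and bind the digests to the certificate chain, which this toy omits.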
Payment Authorization Phase:
This part of the protocol involves the merchant and the payment gateway. Its purpose is for the merchant to obtain authorization for the transaction. Three steps are involved:
1) Merchant Authorization Request:
The merchant begins by creating a digitally signed authorization request that includes the amount to be authorized, the transaction ID, and other details of the transaction. The merchant generates a random session key, encrypts this request with it, and wraps the session key with the payment gateway's public key. This is sent along with the cardholder's PI (still encrypted under the cardholder's session key, with that key wrapped for the gateway), the cardholder's certificate, and the merchant's certificate.
2) Payment Gateway Processing
When the gateway receives the authorization request, it uses its private key to unwrap the merchant's session key and decrypts the request with it. It verifies the merchant's certificate and then the signature on the request. Next it unwraps the second session key and the customer's account information and uses that key to recover the PI. It verifies the cardholder's certificate and the dual signature over the OI and the PI. As a further check, the transaction IDs in the two parts of the message are compared to make sure they are the same. The gateway then sends an authorization request to the issuing bank over the private financial network. If the purchase is authorized, the gateway creates a digitally signed response, encrypts it with a fresh random session key wrapped under the merchant's public key, and sends it to the merchant.
3) Merchant Response Processing
When the response arrives, the merchant recovers the payment authorization and verifies the signature. The merchant keeps a copy of the authorization.
Payment Capture Phase:
The final phase of the SET protocol is payment capture, in which the merchant requests payment from the payment gateway. This phase may take place some time after the transaction and involves three basic steps:
1) Merchant Payment Capture Request:
The merchant creates a digitally signed capture request that includes the final transaction amount, the transaction ID, and other transaction data. The request is encrypted with another random session key, which is wrapped with the payment gateway's public key. The encrypted message is sent to the gateway along with the merchant's certificate.
2) Payment Gateway Capture Processing
On receipt, the gateway recovers the session key and the capture request, then verifies the merchant's certificate and the signature on the request. It creates a digitally signed and encrypted capture response and sends it to the merchant together with the gateway's certificate.
3) Merchant Processing of Response
This is the last step of the protocol. The merchant recovers the session key and the capture response and verifies the gateway's certificate as well as the digital signature on the message. The merchant stores the response for reconciliation against the payment it later receives from the acquirer.
Legend for the purchase request messages: message (1), forwarded to the payment gateway, is E_Ks{PI || DS || OIMD} || E_PubBank{Ks}; message (2), read by the merchant, is PIMD || OI || DS, where Ks is the cardholder's random session key, DS the dual signature, OIMD and PIMD the message digests of the OI and the PI, and E_PubBank denotes encryption under the payment gateway's public key.
CONCLUSION
Multiple encryption is a practical strengthening of Secure Electronic Transaction, and it can play an important role in securing electronic transactions over open networks. Applying several encryption operations raises the confidentiality of the protected data. The principal advantage of multiple encryption is that even if some of the secret keys are compromised, or some part of the ciphertext is broken, the confidentiality of the original data can still be maintained by the remaining layers; as the meet-in-the-middle attack shows, however, the gain must be measured against the actual cost of the best attack and not simply as the sum of the key lengths. Secure electronic transaction with multiple encryption will be an important part of electronic commerce in the future. This level of security is needed to win the investment and trust of customers, merchants and financial institutions for online payments over open networks, and a sound SET design with multiple encryption is critical to the success of electronic commerce.
REFERENCES
1. Wikipedia, "Secure Electronic Transaction", http://en.wikipedia.org/wiki/Secure_Electronic_Transaction#History_and_development
2. IBM Corporation, "An Overview of the IBM Secure Electronic Transaction and the IBM CommercePoint Product", June 1998, http://www.software.ibm.com/commerce/set/overview.html
3. MBA Knowledge Base, "Secure Electronic Transaction (SET)", http://www.mbaknol.com/businessfinance/secure-electronic-transaction-set/
4. Wikipedia, "Multiple encryption", http://en.wikipedia.org/wiki/Multiple_encryption
5. R. C. Merkle and M. E. Hellman, "On the Security of Multiple Encryption", Communications of the ACM, vol. 24, no. 7, 1981.
6. B. Schneier, Applied Cryptography, 2nd ed., John Wiley & Sons, 1996.
7. IBM Corporation, "Cryptography and SET", June 1998, http://www.software.ibm.com/commerce/payment/part2.html
8. "Data Security for e-Transaction", retrieved April 12, 2008, http://www.comp.nus.edu.sg/~jervis/cs3235/set.html