Notes on Electronic Payment Systems

Vijay Pasupathinathan: ipsa scientia potestas est

Introduction

The ease of purchasing and selling products over the Internet has helped the growth of electronic commerce, and electronic payment services are a convenient and efficient way to do financial transactions. Current e-payment technologies depend on using traditional methods that are common to non-electronic systems. Due to the nature of the Internet, security and authenticity of payments and participants cannot be guaranteed with technologies that are not specifically designed for electronic commerce. We need an e-payment system that would not only provide secure payments but should also have properties like online customer and merchant authentication, unforgeable proof of transaction authorisation by the customer both to the merchant and the bank, and privacy of customer and transaction data. This chapter provides an overview of e-payment architecture and their functionalities, their requirements and verification of payment protocols. A more thorough survey can be found in [1] [2] [3] [4] [5] [6] [7] and [8].

Generic E-Payment System

1. Entities

Electronic payments involve a payer and a payee. A payer (buyer or customer) is an entity who makes a payment. A payee (seller or merchant) is an entity who receives a payment. The main purpose of an electronic payment protocol is to transfer monetary value from the payer to the payee. The process also involves a financial institution (bank or mint).

Typically, a financial institution participates in payment protocols in two roles: as an issuer (interacting with the payer) and as an acquirer (interacting with the payee). The issuer is responsible for validating the payer during account registrations and holds the payer's account and assets. The acquirer holds the payee's account and assets. The payee deposits the payments received during a transaction with the acquirer. The acquirer and the issuer then proceed to perform an inter-banking transaction for clearance of funds. It is possible for the issuer and the acquirer to be from the same financial institution.

Other parties that may be present in a payment protocol include a Trustee (arbiter), who is an entity that is independent from all parties. All entities in a protocol unconditionally trust the Trustee, who is called to adjudicate any disputes between the payer and the payee. Certain payment systems might involve more players like Payment Gateways (PG), who are entities that act as a medium for transaction processing between other entities (e.g. MasterCard, Visa), and Certification Authorities (CA), who are necessary if the e-payment systems involve PKIs. They issue public key certificates to entities involved in a payment protocol so that their authenticity can be publicly verified. Figure 1 illustrates the participating entities in an e-payment system.

Figure 1: Generic E-payment Protocol

2. Phases in E-Payment

An electronic payment typically involves the following phases:

1. Registration: This phase involves the registration of the payer and the payee with the issuer and acquirer respectively. Most electronic payment systems require registration of payers and payees with their corresponding banks so there is a link between their identities and their accounts held at the bank.

2. Invoicing: In this phase, the payer obtains an invoice for payment from the payee. This is accomplished by either browsing and selecting products for purchase from the merchant's (payee's) website in case of purchases made through the Internet, or obtaining an electronic invoice using another electronic communication medium like email. This phase is typically performed in an unsecured environment and is normally excluded while designing payment protocols. The importance of this phase is that it sets the mandatory and optional data variables that should be included in a payment protocol.

3. Payment selection and processing: In this phase the payer selects the type of payment (card-based, e-cash, e-cheque, etc.) based on the type of payment the payee accepts. Based on the selection, the payer then sends the relevant payment details, like account number and unique identifiers of the payer, to the payee along with the accepted amount based on the invoice. Certain protocols might also require the payer to obtain a pre-authorised token (like bank drafts) from the issuer before the payer sends the payment information to the payee.

4. Payment authorisation and confirmation: In this phase, the acquirer, on receiving payment details from the payee, authorises the payment and issues a receipt containing the success or failure of the payment to the payee. The payee, based on the message, may also issue a receipt of payment to the payer.

Classification of Payment Systems

As previously mentioned, electronic commerce can be broadly categorised into two groups, business-to-business (B2B) and business-to-consumer (B2C). B2B normally involves higher value transactions and the predominant payment methods are electronic cheques and bank transfers, whereas B2C payments are lower value transactions and the payment methods used are cash and card-based payment systems. This section presents an overview of e-payment classifications.

Payment instruments: There are three common electronic payment instruments, namely cash, cheque and card. Cash payment systems consist of self-authenticating divisible tokens that can be processed offline. A cheque payment system is typically linked to a payer's account and payment is indivisible. Card payment schemes provide a payment mechanism through the existing credit card payment infrastructure.

Pre-paid, Pay-now and Post-pay: In a pre-paid system the payment is debited from the payer's account before a payment is processed, hence the term pre-paid. Most cash-like systems such as an electronic cash system [9] [10] fall in this category. In a pay-now system, when an electronic transaction is processed, the payer's account is debited and the payee's account is credited with the payment amount. Even though availability of funds depends on the time when inter-bank settlements are carried out, the payer's and payee's accounts are updated to show the debited and credited balances immediately after a transaction is carried out. Credit card based systems, like Secure Electronic Transaction (SET) [11], Verified by Visa (VBV) [12] and MasterCard SecureCode [13], fall into this category. In post-pay systems the payer's account is debited only when the payee makes a request for payment settlement with the acquirer. Most cheque-based systems [14] [15] fall into this category.

Offline and Online: Based on communicational characteristics, electronic payment systems are classified as offline and online systems.

In an offline system, the communication does not involve any third party, i.e., an electronic transaction takes place only between the payer and the payee. The advantages of offline payments are lower communication cost and less time-critical transaction handling at the banks. However, they suffer from one serious drawback, the problem of double spending. Double spending occurs when the payer spends the same electronic money multiple times. In a digital system the payer could make a backup of electronic money before each payment and reset his system to this backup after the payment. In this way, an arbitrary number of payments to different recipients are possible with the same money.

Typically, double spending is prevented with the use of tamper-resistant hardware, e.g. a smart card. In certain cases, the tamper-resistant hardware is issued by the bank containing a pre-authorised value of money. However, tamper-resistant devices only offer limited protection as they are vulnerable to attacks [16] [17] [18]. Another way to prevent double spending is pre-authorisation. The payer obtains pre-authorised secure digital money from its bank, thus the payee is assured of payment, e.g. a bank cheque. However, this method can only be used if the payee is known to the payer before a payment. A weaker solution, rather than employing prevention techniques, is to detect double spending when it occurs so that the dishonest payer can be held accountable. This solution is used in most e-cash implementations. Adequate security can be achieved by a combined approach that would involve both detection methods and tamper-resistant devices.

In an online system, the payee typically connects to the bank to obtain a payment authorisation, thus increasing the communication requirements for the payment system. The advantage is that the payee obtains a guarantee on the payment, as the bank is able to authorise and check for availability of funds in the payer's account.

Pre-paid Cash-like system

The best known subclass in pre-paid systems is the anonymous e-cash system introduced by Chaum [19] [20].

Basic model of e-cash system: An anonymous offline e-cash consists of three probabilistic, polynomially-bounded parties, a bank B, payer P, and payee R, and three main sub-protocols: withdrawal, payment and deposit (refer Figure 2). Payer and payee maintain their accounts with the bank. The payer withdraws electronic coins from their account with the bank, by performing a withdrawal protocol over an authenticated channel. The payer spends coins by participating in a payment protocol with the payee over an anonymous channel. In effect, the payee performs a deposit protocol, to deposit the coins into their account. The e-cash system also includes setup protocols: system setup, payer setup and payee setup, which perform system initialisation functions, namely creating and publishing public keys and opening payer and payee bank accounts.

Figure 2: A Model E-cash system

Pay-now or Card-based system

The most common method for online payment is card-based systems. Most payment systems in this category are specifically designed for transactions conducted through the Internet. Because of their convenience and omnipresent nature, credit cards in particular have become a popular method for conducting online payments over the Internet, but they are insecure and offer no anonymity or protection of the payer's payment information like card details and account information. To overcome these drawbacks and make card payment more secure, the two leading credit card companies VISA and MasterCard have developed various protocols. This section presents an overview of various card-based systems that have been proposed.

In 1995, Visa and Microsoft developed a card-based system called Secure Transaction Technology (STT) [24]. It featured strong, export-approved DES encryption of financial information, RSA encryption of bank account numbers, RC4 encryption of the purchasing order contents and receipts, and mandatory authentication of all participants. During the same time the IBM Research group proposed the Internet Keyed Payment Protocol (iKP) [25], which later became a part of MasterCard's Secure Electronic Payment Protocol (SEPP) [26] proposal.

Due to the limited popularity of both STT and SEPP proposals, MasterCard and Visa in a joint effort proposed the Secure Electronic Transaction (SET) [11] system that would take advantage of the combined customer and merchant base. SET was published as an open specification for the industry and the development of the payment system included major companies like GTE, IBM, Microsoft, Netscape, RSA, SAIC, Terisa and VeriSign. It incorporates digital signatures for authenticating not only customers but also merchants and banks. SET also included a unique concept known as dual signatures. The main goal of dual signatures is to protect the customer's account information from the merchant and purchase information from the banks. Dual signatures link purchase information (like order message) sent to the merchant with the payment information (like account information) sent to the acquirer.
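An added example (not from the original page or the SET specification) of the linkage described in this passage: the cardholder signs a digest of the two message digests, so the merchant and the acquirer can each check the one signature while seeing only one of the two messages in clear. SHA-256, the toy unpadded RSA key and all function and field names are assumptions made for illustration; SET's real algorithms and message formats differ.

```python
import hashlib

# Toy textbook-RSA key for the cardholder, built from two Mersenne primes.
# Demo only: no padding, and the primes are public knowledge. (Assumption:
# stands in for SET's certificate-backed RSA keys.)
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the cardholder


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def linked_digest(pi_digest: bytes, oi_digest: bytes) -> int:
    """Hash of the two digests concatenated: the value that actually gets signed."""
    return int.from_bytes(digest(pi_digest + oi_digest), "big")


def dual_sign(order_info: bytes, payment_info: bytes) -> int:
    """Cardholder: one signature binding the order to the payment instruction."""
    return pow(linked_digest(digest(payment_info), digest(order_info)), D, N)


def merchant_verify(order_info: bytes, pi_digest: bytes, sig: int) -> bool:
    """Merchant sees the order in clear but only a digest of the payment data."""
    return pow(sig, E, N) == linked_digest(pi_digest, digest(order_info))


def acquirer_verify(payment_info: bytes, oi_digest: bytes, sig: int) -> bool:
    """Acquirer sees the payment data in clear but only a digest of the order."""
    return pow(sig, E, N) == linked_digest(digest(payment_info), oi_digest)


def demo() -> dict:
    # Constructed sample messages, not real SET message formats.
    order = b"order=1042;item=book;total=25.00 AUD"
    payment = b"account=TEST-ACCT-0001;amount=25.00 AUD"
    sig = dual_sign(order, payment)

    # A merchant that attaches the payment to a different order is caught:
    # the forwarded digest no longer matches what the cardholder signed.
    other_order = b"order=1042;item=laptop;total=2500.00 AUD"
    # Payment data altered in transit fails at both parties.
    altered = payment.replace(b"25.00", b"2500.00")
    return {
        "merchant_ok": merchant_verify(order, digest(payment), sig),
        "acquirer_ok": acquirer_verify(payment, digest(order), sig),
        "swapped_order_accepted": acquirer_verify(payment, digest(other_order), sig),
        "altered_payment_accepted": acquirer_verify(altered, digest(order), sig),
        "merchant_accepts_altered": merchant_verify(order, digest(altered), sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```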
When the merchant sends an authorisation request to the acquirer, it includes the payment information sent to it by the cardholder (customer) and the message digest of the purchase information. The acquirer uses the message digest from the merchant and computes the message digest of the payment information to check the dual signature. Even though the advantages of using SET are apparent, due to the system complexity and implementation costs for both merchants and banks, the system has failed to gain widespread market acceptance.

Today there are two major proposals for secure electronic payment over the Internet. They are Visa 3D Secure [12] (Verified by Visa, VBV) and MasterCard SecureCode [13]. Both protocols rely on SSL [27] / TLS [28] to encrypt communication over the Internet. SSL is a client-server protocol that uses public key cryptography and has become the de facto standard for encrypted communication over the Internet. In SSL, only servers (merchants) have public key certificates and clients (buyers) remain anonymous to the servers. Because of the lightweight nature and an existing wider deployment base of the SSL protocol, MasterCard and Visa have implemented a standard that would allow merchants to incorporate the proposed security features into their payment acceptance structure.

Pay-later or Cheque-based system

Customers generally tend to use credit card payment methods for low and middle value payments, whereas cheque is the preferred method for large value payments. Various electronic cheque (e-cheque) protocols [29, 30, 31, 15, 21] have been proposed over the years. Systems like FSTC's eCheck [15], NetCheque [30] and MANDATE II [29] are based on methods used in traditional paper-based checking protocols. Systems like NetBill [31], E-Cheque and PayNow by CyberCash use a central server. Other e-checking systems are based on modified versions of e-cash protocols [21]. But the most promising of all e-cheque systems, with the support of major financial institutions and government agencies, has been the FSTC's eCheck system.

Micropayments

One of the most promising payment methods is the use of micropayments: the ability to pay for data or services in small increments. Micropayments can be seen as a solution to allow low value payments for purchasing news articles, stock quotes, index queries, per-click purchases and other services over the Internet. In [32], Jones presented some possible micro-commerce content providers, which are presented in Table 3.

Table 3: Micro-payment solutions for content providers

Various micropayment protocols (MicroMint and PayWord [33], NetBill [31], CyberCoin by CyberCash, Millicent by Compaq [34], NetPay [35], and miKP [36]) have been proposed over the years. The primary aim of all micropayment systems has been to handle arbitrarily small amounts of money and keep the cost for the individual transaction low, along with generic e-payment security requirements like confidentiality, integrity, authentication and non-repudiation.

Mobile Payments

Due to the phenomenal success of mobile communicational devices, there has been increasing effort to use mobile devices as electronic wallets to store payment and account information.

Currently two main wireless protocols are used for mobile commerce: WAP (Wireless Application Protocol) [37], developed by the WAP Forum (consolidated into the Open Mobile Alliance), and iMode [38, 39], developed by NTT DoCoMo, Japan.

WAP is an open and global specification that helps mobile devices with WAP-enabled browsers to access information and services. WAP specifications include an XML-type markup language known as Wireless Markup Language (WML) for displaying information on a mobile device browser. The WAP specifications also include a lightweight protocol stack to reduce bandwidth requirements.

iMode is a proprietary protocol developed by NTT DoCoMo and uses Personal Digital Cellular Packet (PDCP) to provide network services. iMode allows efficient network usage by using packet switching technology for wireless communication and TCP/IP for wired communications. iMode uses cHTML (compact HTML) to display content on mobile devices. iMode-enabled devices can also view HTML web pages, as the structure of cHTML is similar to HTML, as compared to WAP where HTML needs to be converted to WML for display.

Both WAP and iMode provide security features that can be used to provide electronic commerce and electronic payment services.

Others

Polling Schemes

Gabber and Silberschatz [44] and Jarecki and Odlyzko [45] proposed schemes where users register by giving a first payment, which is a signed note including a bank certificate, and subsequent payments sent by users are received by the vendor and probabilistically sent to the bank for deposit at the time of the transaction. The overspending risk can be limited to a known value by defining the probabilistic checking as a function of the transaction size (making large payments more likely to be checked).

Phone-based System

BPay [46] and PostBillPay [47] enable users to pay most of their regular monthly bills using either their telephone or their computer 24/7. Bills that can be paid include utilities, telephone bills, cable TV, credit cards, charge cards and many other accounts. To use the system a payee needs to obtain biller-specific information (like biller account) and payment details (like credit card information). They also have the option to receive electronic bills for registered users and to send additional details regarding bills registered or add more bills after the initial registration phase.

References

[1] New payment instruments prototype, SEMPER deliverable D15, SEMPER Consortium / r3 security engineering (ed.), 1997.
[2] J. A. P. N. Ashokan, Payment manager overview, Tech. Rep. 212ZR054, SEMPER Consortium, March 1996.
[3] J. A. P. N. Ashokan, M. Steiner, and M. Waidner, Designing a generic payment service, Tech. Rep. 212ZR055, SEMPER Consortium, September 1996.
[4] N. Asokan, P. A. Janson, M. Steiner, and M. Waidner, The state of the art in electronic payment systems, Computer, vol. 30, no. 9, pp. 28-35, 1997.
[5] S. Y. Choi, D. O. Stahl, and A. B. Whinston, The Economics of Electronic Commerce. Macmillan Technical Publishing, 1997. ISBN: 1578700140.
[6] N. Heintze and J. D. Tygar, A model for secure protocols and their compositions, in 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 2-13, IEEE Computer Society Press, 1994.
[7] R. Kailar, Accountability in electronic commerce protocols, in IEEE Transaction on software engineering, vol. 22(5), pp. 313-328, 1996.
[8] M. S. M. W. N. Asokan, Phil Janson, Electronic payment systems, Tech. Rep. RZ 2890 (# 90838, 1996.
[9] D. Chaum and H. van Antwerpen, Undeniable signatures, in Crypto 90, vol. LNCS of 473, pp. 212-216, 1990.
[10] G. Medvinsky and B. C. Neuman, Netcash: A design for practical electronic currency on the internet, in First ACM Conference on Computer and Communications Security, November 1993.
[11] M. Card and VISA, SET Secure Electronic Transaction protocol, Book 1, 2 and 3. Available from www.setco.org.
[12] VISA, 3D Secure protocol specification Core functions. 2002. Available from http://international.visa.com/fb/main.jsp.
[13] Master Card, Master Card Secure code Merchant implementation guide. 2003. Available from www.mastercardonline.com.
[14] M. M. Anderson, Electronic check architecture, Tech. Rep. Version 1.0.2, FSTC, September 1998.
[15] J. K. (ed.), Financial services markup language version 1.5, tech. rep., FSTC, July 1999.
[16] R. Anderson and M. Kuhn, Tamper resistance - a cautionary note, in Second USENIX Workshop on Electronic Commerce, (Oakland, California), pp. 1-11, November 1996.
[17] P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, in Advances in Cryptology CRYPTO 99 (M. Wiener, ed.), vol. 1666 of LNCS, pp. 389-397, Springer-Verlag, 1999.
[18] D. Boneh, R. A. DeMillo, and R. J. Lipton, On the importance of checking cryptographic protocols for faults, in Eurocrypt 97, vol. 1233 of LNCS, pp. 37-51, Springer-Verlag, 1997.
[19] D. Chaum, Blind signatures for untraceable payments, in Advances in Cryptology Crypto 82, pp. 199-203, 1983.
[20] D. Chaum, Privacy protected payments unconditional payer and/or payee untraceability, SMART CARD 2000: The future of IC Cards, IFIP WG 11.6 International conference, Luxembourg, pp. 69-93, 1989.
[21] S. A. Brands, An efficient off-line electronic cash system based on the representation problem, in 246, p. 77, ISSN 0169-118X: Centrum voor Wiskunde en Informatica (CWI), 311993.
[22] D. Chaum and T. Pedersen, Wallet databases with observers, in Advances in Cryptology CRYPTO 92 (E. F. Brickell, ed.), vol. 740 of LNCS, (89-105), Springer-Verlag, 1992.
[23] C. P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, vol. 4, pp. 161-174, 1991.
[24] VISA and Microsoft, Secure Transaction Technology Specifications. Visa International, version 1.0 ed., 1995.
[25] M. Bellare, J. Garay, R. Hauser, A. Herzberg, H. Krawczyk, M. Steiner, G. Tsudik, and M. Waidner, iKP - A family of secure electronic payment protocols, pp. 89-106, 1995.
[26] Cybercash, GTE, IBM, MasterCard, and Netscape, Secure electronic payment protocol, Internet Draft Version 1.2, 1995.
[27] N. Communications, SSL 3.0 specification. http://wp.netscape.com/eng/ssl3/.
[28] Transport layer security (TLS) protocol, version 1.1, in Internet Draft from http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc2246-bis-08.txt, IETF.
[29] Mandate. http://www.cryptomathic.dk/mandate.
[30] B. Neuman and G. Medvinsky, Requirements for network payments: A netcheque perspective, in IEEE COMPCON 95, (San Francisco, CA, USA), pp. 32-36, March 5-9, 1995.
[31] B. Cox, J. D. Tygar, and M. Sirbu, Netbill security and transaction protocol, in First USENIX Workshop on Electronic Commerce, (New York), USENIX, July 1995.
[32] R. Jones, Millicent update presentation, presented at e-payment forum, MilliCent Marketing, DEC, San Francisco, March 1997.
[33] R. L. Rivest and A. Shamir, Payword and micromint: Two simple micropayment schemes, in Security Protocols International Workshop, Berlin, Germany, vol. 1189, pp. 69-88, Springer-Verlag, 1997.
[34] Compaq and Digital, Millicent home page. http://www.millicent.digital.com/.
[35] X. Dai and B. Lo, Netpay - an efficient protocol for micropayment on the www, Fifth Australian World Wide Web Conference, 1999. ausweb.scu.edu.au/papers/technical.
[36] R. Hauser, M. Steiner, and M. Waidner, Micropayments based on iKP, pp. 67-82, 1996.
[37] W. Forum, WAP forum releases. http://www.openmobilealliance.org/tech/affiliates/wap/wapindex.html.
[38] N. DoCoMo, Special Issue on imode service, Technical Journal Vol. 1 No. 1, December 1999.
[39] N. DoCoMo, imode felica, Technical Journal Vol. 6 No. 3, December 2004.
[40] R. Anderson, C. Manifavas, and C. Sutherland, Netcard - a practical electronic cash system, in Fourth Cambridge Workshop on Security Protocols, Springer-Verlag, 1996. http://www.cl.cam.ac.uk/users/rja14.
[41] T. Pedersen, Electronic payments of small amounts, Tech. Rep. DAIMI PB495, Aarhus University, Computer Science Department, 1995.
[42] C. Jutla and M. Yung, Paytree: "amortized signature" for flexible micropayments, in Second USENIX Workshop on Electronic Commerce, 1996.
[43] L. Lamport, Constructing digital signatures from a one-way function, in Technical Report CSL 98, SRI International, 1979.
[44] E. Gabber and A. Silberschatz, A minimal distributed protocol for electronic commerce, in USENIX Workshop on Electronic Commerce, 1996.
[45] S. Jarecki and A. Odlyzko, An efficient micropayment scheme based on probabilistic polling, in Financial Cryptography 97, vol. 1318 of LNCS, Springer-Verlag, 1997.
[46] B. P. Ltd. http://www.bpay.com.au.
[47] A. POST. http://www.postbillpay.com.au/.

2013 Vijay Pasupathinathan
