Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more ➡
Download
Standard view
Full view
of .
Add note
Save to My Library
Sync to mobile
Look up keyword
Like this
3Activity
×
0 of .
Results for:
No results containing your search query
P. 1
The Algorithm Analysis of E-Commerce Security Issues for Online Payment Transaction System in Banking Technology

The Algorithm Analysis of E-Commerce Security Issues for Online Payment Transaction System in Banking Technology

Ratings: (0)|Views: 1,466|Likes:
Published by ijcsis
E-Commerce offers the banking industry great opportunity, but also creates a set of new risks and vulnerability such as security threats. Information security, therefore, is an essential management and technical requirement for any efficient and effective Payment transaction activities over the internet. Still, its definition is a complex endeavor due to the constant technological and business change and requires a coordinated match of algorithm and technical solutions. Ecommerce is not appropriate to all business transactions and, within e-commerce there is no one technology that can or should be appropriate to all requirements. E-commerce is not a new phenomenon; electronic markets, electronic data interchange and customer e-commerce. The use of electronic data interchanges as a universal and non-proprietary way of doing business. Through the electronic transaction the security is the most important phenomena to enhance the banking transaction security via payment transaction.
E-Commerce offers the banking industry great opportunity, but also creates a set of new risks and vulnerability such as security threats. Information security, therefore, is an essential management and technical requirement for any efficient and effective Payment transaction activities over the internet. Still, its definition is a complex endeavor due to the constant technological and business change and requires a coordinated match of algorithm and technical solutions. Ecommerce is not appropriate to all business transactions and, within e-commerce there is no one technology that can or should be appropriate to all requirements. E-commerce is not a new phenomenon; electronic markets, electronic data interchange and customer e-commerce. The use of electronic data interchanges as a universal and non-proprietary way of doing business. Through the electronic transaction the security is the most important phenomena to enhance the banking transaction security via payment transaction.

More info:

Published by: ijcsis on Jun 30, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See More
See less

07/07/2010

pdf

text

original

 
 1
The Algorithm Analysis of E-Commerce SecurityIssues for Online Payment Transaction System inBanking Technology
 Abstract:-
E-Commerce offers the banking industry greatopportunity, but also creates a set of new risks and vulnerabilitysuch as security threats. Information security, therefore, is anessential management and technical requirement for anyefficient and effective Payment transaction activities over theinternet. Still, its definition is a complex endeavor due to theconstant technological and business change and requires acoordinated match of algorithm and technical solutions. E-commerce is not appropriate to all business transactions and,within e-commerce there is no one technology that can or shouldbe appropriate to all requirements. E-commerce is not a newphenomenon; electronic markets, electronic data interchangeand customer e-commerce. The use of electronic datainterchanges as a universal and non-proprietary way of doingbusiness. Through the electronic transaction the security is themost important phenomena to enhance the banking transactionsecurity via payment transaction.
Categories and Subject Descriptions:
-
Electronic commerce security, payment system, paymenttransaction security, payer anonymity, dual signature.
General terms:-
Electronic payment transaction security
.
 Keywords:
-
E-Commerce transaction security, Banking Technology
.
I.
 
INTRODUCTIONAn electronic payment transaction is an execution of aprotocol by
 
which amount of money is taken forms a payerand given to a payee. In a payment transaction we generallydifference between the order information (goods or servicesto be paid for) and the payment instruction (e.g., credit cardnumber). From a security perspective, these two pieces of information deserve special treatment. This paper describessome algorithm that can be used to implement the paymenttransaction security services.II.
 
USER ANONYMITY AND LOCATIONUNTRACEABILITYUser anonymity and location untraceability can be providedseparately, a pure user anonymity security service wouldprotect against disclosure of a user’s identity. This can beachieved by, for example, a user’s employing pseudonymsinstead of his or her real name. However, if a network transaction can be traced back to the originating host, and if the host is used by a known user only, such type of anonymity is obviously not sufficient. A “pure” locationuntraceability security service would protect againstdisclosure of where a message originates. One possiblesolution is to route the network traffic through a set of “anonym zing” hosts, so that the traffic appears to originateform one of these hosts. However, this requires that at leastone of the hosts on the network path be honest, if the trafficsource is to remain truly anonymous.
 A.
 
Chain of Mixes:-
A user anonymity and location untraceability mechanismbased on a series of anonym zing hosts or mixes has beenproposed by D. Chaum [1]. This mechanism, which ispayment system independent, can also provide protectionagainst traffic analysis. The basic idea is illustrated in Fig.[2.1] messages are sent from A,B and C (representingcustomer wishing to remain anonymous) to the mix, andfrom the mix to X,Y and Z )representing merchant or bankscurious about the customer’ identities). Messages areencrypted with the public key of the mix, E
M.,
if customer awishes to send a message to merchant Y, A sends to the mixthe following construct:A Mix:E
M
[Mix, E
Y
(Y, Message)]Now the mix can decrypt it and send the result to Y:Mix Y: E
Y
(Y, Message)
RAJU BARSKAR,M.Tech. Student of CSE Dept.
MANIT, Bhopal (M.P) India
rajubarskar353@gmail.com
 
 
ANJANA JAYANT DEEN,
Faculty of CSE DepartmentUIT_RGPV, Bhopal (M.P) India
JYOTI BHARTI,Assistant Prof. IT Dept.
MANIT, Bhopal (M.P) Indi
jyoti2202@gmail.com
 
 
GULFISHAN FIRDOSE AHMED,M.Tech. Student of CSE Dept.
LNCT, Bhopal (M.P) India
gul_firdose@rediffmail.com
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 1, April 2010307http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
 2
Only Y can read is since it is encrypted with Y’spublic key, EY. If the mix is honest, Y has no
 
ideawhere the message originated or who sent
it.
The
 
main drawback of the scheme is that the mixhas to be completely trustworthy.If A wishes Y to send a reply, he can include ananonymous return address in the message to Y:Mix, E
M
(A)In this way the reply message is actually sent to the mix, butonly the mix knows whom to send it on to (i.e., who shouldultimately receive it).An additional property of the mix scheme is protectionagainst traffic analysis.This can be achieved by sending “dummy” message from A,B and C to the mix and from the mix to X, Y and Z. allmessages, both dummy and genuine, must be random and of fixed length, and sent at a constant rate. Additionally, theymust be broken into fixed block sizes and sent encrypted sothat an eavesdropper cannot read them. The problem of having a mix trusted by all participant can be solved by usinga matrix (or network) of mixes instead of just one, as shownin fig. [2.2]. in this case, only one mix on a randomly chosenpath (“chain”) has to be honest.The bigger the matrix, thehigher the probability that there will be at least one honestmix on a randomly chosen path.For a chain of mixes, let E, be the public key of Mix
i
= 1, 2, 3. A message is constructed recursively as follows:E Recipient (Next recipient, E Next recipient (…))If a wants to send an anonymous and untraceablemessage to Y, as in the example with on mix, the protocolgoes as follows:A Mix1:E
1
(Mix
2
, E
2
(Mix
3,
E
3
, (Y, Message)))Mix1 Mix2:E
2
(Mix3, E
3
(Y, Message))Mix2 Mix3:E
3
(Y, Message)Mix3 Message
Fig-2.2 Chain of Mix
Message” can additionally be encrypted with Y’s public key,which is omitted here for simplicity. The principal a canprovide an anonymous return address in the same way as inthe example with one mix. Specifically, A picks a randomreturn path through the mix network (e.g., Mix2, Mix1) andencrypts his identity and address multiple times using thepublic keys of the mixes on the return path:Mix2, E
2
(Mix1, E
1
(A))The recipient of the message (Y) can then send the messageto the first mix, and from this point on it works in the sameway as from A to Y. An implementation of the mix network would be expensive and complex from both the technical andthe organizational points of view. There is an experimentalimplementation of anonymous e-mail with return addressescalled BABEl by Gulcu and Tsudik [3], and onion network 
.
III.
 
PAYER ANONYMITYThis is a simplest way to ensue payer anonymity with respectto the payee in for the payer to use pseudonyms instead of hisor her real identity. If one wants be sure that two differentpayment transactions by the same payer cannot be linked,then payment transaction untraceability must also beprovided.
 A.
 
Pseudonyms
The first internet payment system was based on the existinginternet infrastructure that is e-mail, TELNET, S/MIME, andFINGER. Although they did not use cryptography at thebeginning, they later realized that in some cases it wasnecessary. For example, authorization message exchangedbetween First Virtual and merchants before shipment must beprotected to prevent large shipments to fraudulent customers.Under the First Virtual System, a customer obtains a VirtualPIN (VPIN), a string of alphanumeric which acts as apseudonym for a credit card number. The Virtual PIN may besent safety by e-mail. Even if it is stolen, an unauthorized
ABCXYZMIX
Fig. 2.1 Chaum’s Mix
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 1, April 2010308http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
 3
customer cannot use it because all transactions are confirmedby e-mail before a credit card is charged. If some one tries touse a customer’s Virtual PIN without authorization, FirstVirtual will be notified of the stolen Virtual PIN when thecustomer replies “Fraud” to First Victual’s request forconfirmation of the sale (Fig. 3.1) in such a case, the VirtualPIN will be canceled immediately. This mechanism alsoensures confidentiality of payment instruction with request tothe merchant and potential eavesdroppers. Fig. (3.1)illustrates a First Virtual (FV) payment transaction. Acustomer sends his order to the merchant together with hisVPIN (1). The merchant may send VPIN authorizationrequest to the FV payment provider (2). If the VPIN is valid(3), the merchant supplies the ordered services to thecustomer (4) and sends the transaction information to the FVprovider (5). In the next step (6) the FV provider asks thecustomer whether he is willing to pay for the services (e.g.,via e-mail). Note the customer may refuse to pay (“No”) if the services were delivered but do not fulfill his expectations.If the services were not ordered by the customer, he respondswith “Fraud”. That aborts the transaction and revokes (i.e.,declare invalid) the PIN. If the customer wants to pay, heresponds with “Yes” (7). In this case the amount of sale iswithdrawn from his account (8a) and deposited to themerchant’s account (8b), involving a clearing transactionbetween the banks (9)The payment transaction described above involves low risk if the services include information only. Even if a fraudulentcustomer does not pay for the services delivered, themerchant will not suffer a significant loss [4], and the VPINwill be blacklisted immediately, as mentioned before,cryptographically protected authorization message must beexchanged between First Virtual and merchant before largeshipments.IV.
 
PAYMENR TRANSACTIONUNTRACEABILITYCurrently there is only one mechanism providingperfect anonymity and thus perfect payment untraceability.However, this mechanism (Blind signature) is used for digitalcoins.
 A.
 
 Randomized Has sum in SET 
A merchant also obtains only the hash sum of a paymentinstruction. The payment instruction contains, among otherinformation like: Primary account number, PAN (e.g., creditcard number):The card’s expiry date (Card Expiry);A secretvalue shared among the cardholder, the payment gateway,and the cardholder’s certification authority (PAN Secret);Afresh nonce to prevent dictionary attacks (EXNonce).Since the nonce is different for each payment transaction, themerchant cannot link two transactions even if the same PANis used.
 B.
 
 Blind Signature
D.Chaum [1] proposed a cryptographic mechanism that canbe used to blind (obscure) the connection between the coinsissued and the identity of the customer who originallyobtained them. The mechanism, which provides both payeranonymity and payment transaction untraceability, are basedon the RSA signature and is called a blind signature. Thistype of signature is called blind since the signer cannot seewhat he signs. The basic scenario is the same as in RSA:
isthe signer’s private key, e and n are the signer’s public key.There is an additional parameter, k, called the blinding factorand chosen by the message (e.g., the digital money serialnumbers) provider:
Fig. 3.1 First Virtual’s Payment System
Provider blinds the massage M:M = Mk 
e
mod n;Signer computers the blind signature:S’ = (M)
d
mod
n
= kM
d
mod
n
;Provider removes the blinding factor:S = S’/k = M
d
mod
n
.This signer usually wants to check if the messageM(e.g., a vote or digital coin) in valid. For this purpose theprovider prepares n messages and blinds each one with adifferent blinding factor. The signer then chosen n-1messages at random and asks the provider to send thecorresponding blinding factor. The signer checks the n-1messages; if they are correct, he signs the remainingmessages. Note that electronic coins blinded in this way canonly be used in an online payment system.V.
 
CONFIDENTIALITY OF PAYMENTTRANSACTION DATAPayment transaction date generally consists of two parts: thepayment instruction and the order information. A paymentinstruction can contain a credit card number or an account
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 1, April 2010309http://sites.google.com/site/ijcsis/ISSN 1947-5500

Activity (3)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads
hak2310 liked this

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->