• 1. Electronic Payment Systems and Security (1. Principles of Online Payment)
  • 2. Learning Objectives
      • Describe typical electronic payment systems for EC
      • Identify the security requirements for safe electronic payments
      • Describe the typical security schemes used to meet the security requirements
      • Identify the players and procedures of the electronic credit card system on the Internet
      • Discuss the relationship between SSL and SET protocols
  • 3. Learning Objectives (cont.)
      • Discuss the relationship between electronic fund transfer and debit cards
      • Describe the characteristics of a stored value card
      • Classify and describe the types of IC cards used for payments
      • Discuss the characteristics of electronic check systems
  • 4. SSL vs. SET: Who Will Win?
      • A part of SSL (Secure Socket Layer) is available on customers' browsers
          • it is basically an encryption mechanism for order taking, queries and other applications
          • it does not protect against all security hazards
          • it is mature, simple, and widely used
      • SET (Secure Electronic Transaction) is a very comprehensive security protocol
          • it provides for privacy, authenticity, integrity, and non-repudiation
          • it is used very infrequently due to its complexity and the need for a special card reader by the user
          • it may be abandoned if it is not simplified/improved
  • 5. Payments, Protocols and Related Issues
      • SET Protocol is for Credit Card Payments
      • Electronic Cash and Micropayments
      • Electronic Fund Transfer on the Internet
      • Stored Value Cards and Electronic Cash
      • Electronic Check Systems
  • 6. Payments, Protocols and Related Issues (cont.): Security Requirements
      • Authentication: A way to verify the buyer's identity before payments are made
      • Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
      • Encryption: A process of making messages indecipherable except by those who have an authorized decryption key
      • Non-repudiation: Merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchants' unjustifiable denial of past payment
  • 7. Security Schemes: Secret Key Cryptography (symmetric)
      • [Diagram: Sender → Original Message → Encryption with Key_sender (= Key_receiver) → Scrambled Message → Internet → Scrambled Message → Decryption with Key_receiver → Original Message → Receiver]
      • Symmetric encryption is like a lock with two identical keys held by two different people: one person locks it, and the other opens it with the same key.
  • 8. Security Schemes (cont.): Public Key Cryptography
      • [Diagram, public key encryption: Sender → Original Message → encrypted with the receiver's Public Key → Scrambled Message → Internet → Scrambled Message → decrypted with the receiver's Private Key → Original Message → Receiver]
      • [Diagram, digital signature: Sender → Original Message → encrypted with the sender's Private Key → Scrambled Message → Internet → Scrambled Message → decrypted with the sender's Public Key → Original Message → Receiver]
  • 9. Security Schemes (cont.): Digital Signature
      • A digital signature is attached by a sender to a message encrypted in the receiver's public key
      • The receiver is the only one that can read the message, and at the same time he is assured that the message was indeed sent by the sender
      • Sender encrypts a message with her private key
      • Any receiver with the sender's public key can read it
      • Analogous to a handwritten signature
  • 10. Security Schemes (cont.): Certificate
      • Identifying the holder of a public key (Key-Exchange)
      • Issued by a trusted certificate authority (CA)
      • Sample certificate fields:
          • Name: "Richard"
          • Key-Exchange Key:
          • Signature Key:
          • Serial #: 29483756
          • Other Data: 10236283025273
          • Expires: 6/18/2005
          • Signed: CA's Signature
  • 11. Security Schemes (cont.): Certificate Authority - e.g. VeriSign
      • Public or private, comes in levels (hierarchy)
      • A trusted third-party service
      • Issuer of digital certificates
      • Verifying that a public key indeed belongs to a certain individual
      • Certificate authority needs to be verified by a government or well-trusted entity (e.g., post office)
      • Hierarchy of Certificate Authorities [diagram nodes: RCA, BCA, GCA, CCA, MCA, PCA]
          • RCA: Root Certificate Authority
          • BCA: Brand Certificate Authority
          • GCA: Geo-political Certificate Authority
          • CCA: Cardholder Certificate Authority
          • MCA: Merchant Certificate Authority
          • PCA: Payment Gateway Certificate Authority
  • 12. Electronic Credit Card System on the Internet: The Players
      • Cardholder
      • Merchant (seller)
      • Issuer (your bank)
      • Acquirer (merchant's financial institution, acquires the sales slips)
      • Brand (VISA, Master Card)
  • 13. Electronic Credit Card System on the Internet (cont.): The process of using credit cards offline
      • A cardholder requests the issuance of a card brand (like Visa and MasterCard) from an issuer bank in which the cardholder may have an account.
      • The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
      • A plastic card is physically delivered to the customer's address by mail.
      • The card takes effect when the cardholder calls the bank for initiation and signs on the back of the card.
      • The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
      • Upon the approval, the merchant requests payment from the merchant's acquirer bank, and pays a fee for the service. This process is called a capturing process.
      • The acquirer bank requests the issuer bank to pay for the credit amount.
  • 14. Credit Card Procedure (offline and online)
      • [Diagram: Cardholder, Merchant, Card Brand Company, Issuer Bank (Cardholder Account) and Acquirer Bank (Merchant Account); flows labelled credit card; payment authorization, payment data; account debit data; payment data; amount transfer]
      • E-Commerce and E-Government – Yan Huqin (阎虎勤)
  • 15. Secure Electronic Transaction (SET) Protocol: Sender's Computer
      • 1. The message is hashed to a fixed-length message digest.
      • 2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
      • 3. The composition of message, digital signature, and sender's certificate is encrypted with the symmetric key, which is generated at the sender's computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
      • 4. The symmetric key itself is encrypted with the receiver's public key, which was sent to the sender in advance. The result is a digital envelope.
  • 16. Sender's Computer
      • [Diagram: the Message is hashed to a Message Digest, which is encrypted with the Sender's Private Signature Key to give the Digital Signature; Message + Digital Signature + Sender's Certificate are encrypted with the Symmetric Key into the Encrypted Message; the Symmetric Key is encrypted with the Receiver's Key-Exchange Key (public key, from the Receiver's Certificate) into the Digital Envelope]
  • 17. Secure Electronic Transaction (SET) Protocol (cont.): Receiver's Computer
      • 5. The encrypted message and digital envelope are transmitted to the receiver's computer via the Internet.
      • 6. The digital envelope is decrypted with the receiver's private exchange key.
      • 7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender's certificate.
      • 8. To confirm the integrity, the digital signature is decrypted by the sender's public key, obtaining the message digest.
      • 9. The delivered message is hashed to generate a message digest.
      • 10. The message digests obtained by steps 8 and 9, respectively, are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
  • 18. Receiver's Computer
      • [Diagram: the Digital Envelope is decrypted with the Receiver's Private Key-Exchange Key to give the Symmetric Key; the Encrypted Message is decrypted with the Symmetric Key into Message + Digital Signature + Sender's Certificate; the Digital Signature is decrypted with the Sender's Public Signature Key to give a Message Digest; the Message is hashed to a Message Digest; the two digests are compared]
      • © Prentice Hall, 2000
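The SET message flow of slides 15 to 18 (steps 1 to 10), as a runnable example added here; it is not code from the slides or from any SET implementation. Assumptions: AES-256-GCM stands in for the DES cipher the slides name, the envelope uses RSA-OAEP, the sender's certificate is left out (the receiver is assumed to already hold the sender's public key), and the names `sealMessage`, `openMessage` and the sample order are constructed.

```javascript
// Added example: SET-style sign-then-encrypt with a digital envelope.
const crypto = require('crypto');

// Constructed keys: sender's signature pair, receiver's key-exchange pair.
const senderSig = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const receiverKx = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({ key, oaepHash: 'sha256',
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING });

// Sender's computer, steps 1-4.
function sealMessage(message, senderPrivateKey, receiverPublicKey) {
  // Steps 1-2: hash the message (SHA-256) and sign the digest.
  const signature = crypto.sign('sha256', message, senderPrivateKey);
  const sigLen = Buffer.alloc(4);
  sigLen.writeUInt32BE(signature.length);
  // Step 3: encrypt signature + message under a fresh per-transaction key.
  // AES-256-GCM stands in for DES (assumption); the certificate is omitted.
  const symKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', symKey, iv);
  const body = Buffer.concat([sigLen, signature, message]);
  const ciphertext = Buffer.concat([c.update(body), c.final()]);
  // Step 4: the digital envelope is the symmetric key under RSA-OAEP.
  const envelope = crypto.publicEncrypt(oaep(receiverPublicKey), symKey);
  return { envelope, iv, tag: c.getAuthTag(), ciphertext };
}

// Receiver's computer, steps 6-10.
function openMessage(pkg, receiverPrivateKey, senderPublicKey) {
  // Step 6: open the envelope with the private key-exchange key.
  const symKey = crypto.privateDecrypt(oaep(receiverPrivateKey), pkg.envelope);
  // Step 7: restore signature + message; GCM throws on altered ciphertext.
  const d = crypto.createDecipheriv('aes-256-gcm', symKey, pkg.iv);
  d.setAuthTag(pkg.tag);
  const body = Buffer.concat([d.update(pkg.ciphertext), d.final()]);
  const sigLen = body.readUInt32BE(0);
  const signature = body.subarray(4, 4 + sigLen);
  const message = body.subarray(4 + sigLen);
  // Steps 8-10: recompute the digest and compare it via signature verify.
  if (!crypto.verify('sha256', message, senderPublicKey, signature)) {
    throw new Error('signature mismatch: altered message or wrong sender');
  }
  return message;
}

// Constructed sample message.
const order = Buffer.from('order 1001: pay 25.00 to Merchant A');
const sealed = sealMessage(order, senderSig.privateKey, receiverKx.publicKey);
console.log(openMessage(sealed, receiverKx.privateKey, senderSig.publicKey).toString());
```

The signature travels inside the encrypted body, so an observer on the network cannot tell who signed the order.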
  • 19. Entities of SET Protocol in Cyber Shopping
      • [Diagram: Customer x and Customer y with Digital Wallets and IC Card Reader; Certificate Authority; Electronic Shopping Mall with Merchant A and Merchant B; Payment Gateway; Protocol X.25; Credit Card Brand]
  • 20. SET vs. SSL
      • Secure Electronic Transaction (SET): Complex
      • Secure Socket Layer (SSL): Simple
      • SET is tailored to the credit card payment to the merchants.
      • SSL is a protocol for general-purpose secure message exchanges (encryption).
      • SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy. This scheme is called dual signature.
      • SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information, because the capturing process should be initiated by the merchants.
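The dual signature named on slide 20, as an example added here (not code from the slides): the cardholder signs one value that links the order and the payment data, so the merchant can verify it without seeing the payment data and the bank can verify it without seeing the order. The function names, the key pair and the sample order and payment strings are constructed; SHA-256 and RSA are assumptions of this example.

```javascript
// Added example: SET dual signature linking order and payment data.
const crypto = require('crypto');
const h = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed cardholder signature key pair.
const cardholder = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Cardholder: sign H(H(PI) || H(OI)) once; crypto.sign applies the outer hash.
function dualSign(orderInfo, paymentInfo, privateKey) {
  const oimd = h(orderInfo);     // order information message digest
  const pimd = h(paymentInfo);   // payment information message digest
  const ds = crypto.sign('sha256', Buffer.concat([pimd, oimd]), privateKey);
  return { oimd, pimd, ds };
}

// Merchant: receives the order and only the digest of the payment data.
function merchantVerify(orderInfo, pimd, ds, publicKey) {
  const linked = Buffer.concat([pimd, h(orderInfo)]);
  return crypto.verify('sha256', linked, publicKey, ds);
}

// Bank / payment gateway: receives the payment data and only the order digest.
function bankVerify(paymentInfo, oimd, ds, publicKey) {
  const linked = Buffer.concat([h(paymentInfo), oimd]);
  return crypto.verify('sha256', linked, publicKey, ds);
}

// Constructed sample data (placeholder card number, not a real account).
const OI = Buffer.from('order 1001: 2 books, total 25.00');
const PI = Buffer.from('card XXXX-XXXX-XXXX-0000, amount 25.00, order 1001');
const sig = dualSign(OI, PI, cardholder.privateKey);
console.log('merchant accepts:', merchantVerify(OI, sig.pimd, sig.ds, cardholder.publicKey));
console.log('bank accepts:', bankVerify(PI, sig.oimd, sig.ds, cardholder.publicKey));
// An order swapped after signing no longer matches the payment it was linked to.
const swapped = Buffer.from('order 1001: 20 books, total 250.00');
console.log('swapped order accepted:',
  merchantVerify(swapped, sig.pimd, sig.ds, cardholder.publicKey));
```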
  • 21. Electronic Fund Transfer (EFT) on the Internet
      • [Diagram: An Architecture of Electronic Fund Transfer on the Internet. Payer, Internet, Cyber Bank, Payment Gateway, Bank, VAN, Automated Clearinghouse, VAN, Bank, Payment Gateway, Cyber Bank, Payee]
  • 22. Debit Cards
      • A delivery vehicle of cash in an electronic form
      • Mondex and VisaCash applied this approach
      • Either anonymous or onymous
      • CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet
  • 23. Financial EDI
      • It is an EDI used for financial transactions
          • EDI is a standardized way of exchanging messages between businesses
          • EFT can be implemented using a Financial EDI system
      • Safe Financial EDI needs to adopt a security scheme used for the SSL protocol
      • Extranet encrypts the packets exchanged between senders and receivers using public key cryptography
  • 24. Electronic Cash and Micropayments: Smart Cards
      • The concept of e-cash is used in the non-Internet environment
      • Plastic cards with magnetic stripes (old technology)
      • Includes IC chips with programmable functions on them, which makes cards "smart"
      • One e-cash card for one application
      • Recharge the card only at designated locations, such as a bank office or a kiosk. Future: recharge at your PC
      • e.g. Mondex & VisaCash
  • 25. VisaCash Makes Shopping Easy
      • Shopping with VisaCash
      • Adding money to the card
      • Payments in a new era of electronic shopping
      • Paying on the Internet
  • 26. Electronic Money: DigiCash
      • The analogy of paper money or coins
      • Expensive, as each payment transaction must be reported to the bank and recorded
      • Conflict with the role of the central bank's bill issuance
      • Legally, DigiCash is not supposed to issue more than an electronic gift certificate even though it may be accepted by a wide number of member stores
  • 27. Electronic Money (cont.): Stored Value Cards
      • No issuance of money
      • Debit card: a delivering vehicle of cash in an electronic form
      • Either anonymous or onymous
      • Advantage of an anonymous card: the card may be given from one person to another
      • Also implemented on the Internet without employment of an IC card
  • 28. Electronic Money (cont.)
      • Smart card-based e-cash
          • Can be recharged at home through the Internet
          • Can be used on the Internet as well as in a non-Internet environment
      • Ceiling of Stored Values
          • To prevent the abuse of stored values
          • S$500 in Singapore; HK$3,000 in Hong Kong
      • Multiple Currencies
          • Can be used for cross-border payments
  • 29. Contactless IC Cards
      • Proximity Card
          • Used to access buildings and for paying in buses and other transportation systems
          • Bus, subway and toll card in many cities
      • Amplified Remote Sensing Card
          • Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
          • Pay toll without stopping (e.g. Highway 91 in California)
  • 30. Electronic Check Systems
      • [Diagram: Procedure of Financial Service Technology Consortium Prototype. Payer (Workstation, Signature "Card") sends a Secure Envelope holding Remittance, Check, Signature and Certificates to the Payee by E-mail / WWW, against an Invoice; the Payee (Signature "Card", Account Receivable) adds Endorsement, Signature and Certificates and deposits the check by E-mail at the Payee's Bank (Credit account); the check clears through ACH / ECP to the Payer's Bank (Debit account); other labels: Mall statement, E-Check line item]
  • 31. Electronic Check Systems (cont.): Electronic Checkbook
      • Counterpart of electronic wallet
      • To be integrated with the accounting information system of business buyers and with the payment server of sellers
      • To save the electronic invoice and receipt of payment in the buyers' and sellers' computers for future retrieval
      • Example: SafeCheck
      • Used mainly in B2B
  • 32. The Architecture of SafeCheck
      • [Diagram: Payer with payer's checkbook agent and Payee with payee's check-receipt agent, connected over the Internet (issue a check, receipt); control agent of payer's bank and control agent of payee's bank, each with an A/C DB, at the payer's bank and payee's bank; flows labelled request of screening check issuance; checkbook, screened result; present; report; clearing]
  • 33. Integrating Payment Methods
      • Two potential consolidations:
          • The on-line electronic check is merging with EFT
          • The electronic check with a designated settlement date is merging with electronic credit cards
      • Security First Network Bank (SFNB)
          • First cyberbank
          • Lower service charges to challenge the service fees of traditional banks
      • Visa
          • VisaCash is a debit card
          • ePay is an EFT service
  • 34. How Many Cards are Appropriate?
      • An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
      • The stored value in an IC card can be delivered in an anonymous mode
      • Malaysia's Multimedia Super Corridor project pursues a One-Card system
      • Relationship Card by Visa is also attempting a one-card system
  • 35. Five Security Tips
      • Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
      • Don't walk away from your computer if you are in the middle of a session.
      • Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
      • If anyone else is likely to use your computer, clear your cache or turn off and re-initiate your browser in order to eliminate copies of Web pages that have been stored on your hard drive.
      • Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.
  • 36. Managerial Issues
      • Security solution providers can cultivate the opportunity of providing solutions for the secure electronic payment systems
      • Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
      • Electronic stores should select an appropriate set of electronic payment systems
      • Banks need to develop cyberbank services to be compatible with the various electronic payment systems
      • Credit card brand companies need to develop an EC standard like SET, and watch the acceptance by customers
      • Smart card brands should develop a business model in cooperation with application sectors and banks
      • Certificate authority needs to identify the types of certificate to provide