SECURE ELECTRONIC TRANSACTIONS (SET)
SECURE ELECTRONIC TRANSACTIONS (SET). Cebanu Ghenadie
History and development. Early in the 1990s, banks were refusing to accept or process charges originating on the Internet. Under pressure from two sides, merchants and consumers, the banks began pressing the Visa and MasterCard associations to develop secure standards for using credit cards over any insecure channel.
History and development • 1995 > Visa and Microsoft: Secure Transaction Technology (STT) • 1995 > MasterCard and its allies (Netscape, IBM, CyberCash, and GTE, whose certificate business later became part of Baltimore Technologies): Secure Electronic Payment Protocol (SEPP)
History and development. In February 1996 Visa and MasterCard combined their competing specifications for card transactions on the Internet into one standard. SET consortium: Visa and MasterCard, along with GTE, IBM, Microsoft, Netscape Communications Corp., SAIC, Terisa Systems, VeriSign, and RSA Data Security.
History and development. June 24, 1996: first draft, SET 0.0. May 31, 1997: SET Version 1.0 released to the public.
Key features of SET • Confidentiality of information (DES for bulk data, with the DES key carried in an RSA digital envelope) • Integrity of data (RSA digital signatures over SHA-1 hash codes) • Cardholder account authentication (X.509v3 digital certificates with RSA signatures) • Merchant authentication (X.509v3 digital certificates with RSA signatures) • Privacy (separation of order information from payment information using dual signatures)
Dual signature
DS = E_KRc[ H( H(PI) || H(OI) ) ]
where PI is the payment information, OI the order information, PIMD = H(PI), OIMD = H(OI), KRc the cardholder's private signature key and KUc the public key from the cardholder's certificate.
Verification by the merchant: the merchant holds DS, OI, PIMD and KUc; it checks that H( PIMD || H(OI) ) equals D_KUc[DS].
Verification by the bank: the bank holds DS, OIMD, PI and KUc; it checks that H( H(PI) || OIMD ) equals D_KUc[DS].
The merchant never sees PI and the bank never sees OI, yet each can confirm that the cardholder bound the two together under one signature.
Purchase request (C = cardholder, M = merchant)
1. Purchase Initiate Request, C -> M: a transaction ID assigned by the customer and a nonce to ensure timeliness.
2. Purchase Initiate Response, M -> C: a transaction ID assigned by the merchant and a challenge, together with the merchant's signature certificate and the payment gateway's key-exchange certificate.
3. Purchase Request, C -> M: E_Ks(PI, DS, OIMD) for the payment gateway, with the symmetric key Ks wrapped in the gateway's public key (digital envelope); DS, OI and PIMD for the merchant; and the cardholder's certificate KC.
4. Purchase Response, M -> C: an acknowledgement signed with the merchant's private signature key, accompanied by the merchant's signature certificate.
Payment authorization (M = merchant, P = payment gateway)
1. Payment Authorization Request, M -> P: DS, PI, OIMD, certificates, and the merchant's signed authorization-related information (AI).
2. Payment Authorization Response, P -> M: authorization information (AI), the gateway's certificate, and capture token information for the later payment-capture request.
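The dual signature of the previous slides and the two one-sided checks it allows, together with the split of the Purchase Request into a merchant part and a bank part, as an added executable example. This is not code from the slides or from the SET specification: textbook RSA over two fixed Mersenne primes (an assumption, chosen only so the example runs offline with no key generation or padding) stands in for SET's certificate-backed RSA signatures, SHA-1 is used because SET specified it, the DES/RSA digital envelope around the bank-bound part is left out, and the sample PI/OI strings are constructed data.

```python
"""Dual signature as used in SET, with the merchant- and bank-side checks.

Added example, not code from the original slides or from the SET
specification. Textbook RSA (no padding, no certificates) over fixed
Mersenne primes is an assumption made to keep the example self-contained;
do not reuse it as a signature scheme.
"""
import hashlib
from typing import Optional

# Fixed Mersenne primes 2**127-1 and 2**107-1 (assumption: a real deployment
# generates proper 2048-bit keys). n is ~234 bits, so any 160-bit SHA-1
# digest is a valid textbook-RSA message.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python >= 3.8)

CUSTOMER_PRIVATE = (N, D)  # KRc: cardholder's private signature key
CUSTOMER_PUBLIC = (N, E)   # KUc: public key from the cardholder's certificate


def H(data: bytes) -> bytes:
    """Message digest. SET specified SHA-1; kept here for fidelity only."""
    return hashlib.sha1(data).digest()


def rsa_sign(digest: bytes, priv) -> int:
    """E_KRc[digest] with textbook RSA (no padding)."""
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_recover(sig: int, pub) -> bytes:
    """D_KUc[DS]: recover the signed 20-byte digest; b'' if it cannot be one."""
    n, e = pub
    m = pow(sig, e, n)
    return m.to_bytes(20, "big") if m < (1 << 160) else b""


def dual_signature(pi: bytes, oi: bytes, priv) -> int:
    """DS = E_KRc[ H( H(PI) || H(OI) ) ]"""
    pomd = H(H(pi) + H(oi))  # payment-order message digest
    return rsa_sign(pomd, priv)


def merchant_verify(ds: int, oi: bytes, pimd: bytes, pub) -> bool:
    """Merchant holds OI and PIMD = H(PI), never PI itself."""
    return H(pimd + H(oi)) == rsa_recover(ds, pub)


def bank_verify(ds: int, pi: bytes, oimd: bytes, pub) -> bool:
    """Bank (payment gateway) holds PI and OIMD = H(OI), never OI itself."""
    return H(H(pi) + oimd) == rsa_recover(ds, pub)


def purchase_request(pi: bytes, oi: bytes, priv) -> dict:
    """Split the Purchase Request into what each party is allowed to see.

    In SET the bank-bound part is additionally encrypted under a symmetric
    key Ks (DES) and Ks under the gateway's public key; that envelope is
    omitted here because the point is the digest split, not transport.
    """
    ds = dual_signature(pi, oi, priv)
    return {
        "for_merchant": {"OI": oi, "PIMD": H(pi), "DS": ds},
        "for_bank": {"PI": pi, "OIMD": H(oi), "DS": ds},
    }


def run_purchase(pi: bytes, oi: bytes,
                 tamper_oi: Optional[bytes] = None,
                 tamper_pi: Optional[bytes] = None) -> tuple:
    """Return (merchant_ok, bank_ok).

    tamper_oi simulates a merchant altering the order after the fact;
    tamper_pi simulates the payment data being altered before it reaches
    the bank. Each party still holds the digest the cardholder signed.
    """
    msg = purchase_request(pi, oi, CUSTOMER_PRIVATE)
    m, b = msg["for_merchant"], msg["for_bank"]
    oi_seen = m["OI"] if tamper_oi is None else tamper_oi
    pi_seen = b["PI"] if tamper_pi is None else tamper_pi
    merchant_ok = merchant_verify(m["DS"], oi_seen, m["PIMD"], CUSTOMER_PUBLIC)
    bank_ok = bank_verify(b["DS"], pi_seen, b["OIMD"], CUSTOMER_PUBLIC)
    return merchant_ok, bank_ok


# Constructed sample data (not real card or order data).
SAMPLE_PI = b"PAN=4111111111111111;EXP=12/99;AMOUNT=EUR 49.90"
SAMPLE_OI = b"ORDER=1234;ITEM=book;QTY=1;AMOUNT=EUR 49.90"

if __name__ == "__main__":
    print(run_purchase(SAMPLE_PI, SAMPLE_OI))                          # (True, True)
    print(run_purchase(SAMPLE_PI, SAMPLE_OI, tamper_oi=b"ORDER=1234;QTY=9"))  # (False, True)
    print(run_purchase(SAMPLE_PI, SAMPLE_OI, tamper_pi=b"PAN=0000;AMOUNT=EUR 1"))  # (True, False)
```

The two failing runs show why the construction matters: a merchant who rewrites the order cannot produce a PIMD/OI pair that still matches the cardholder's signature, and a payment-data change is caught by the bank even though the bank never learns what was ordered.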
Problems (the security goals to establish, named as in the AVISPA SET-purchase analysis listed in the bibliography) • strong authentication on the deal • weak authentication on the deal • secrecy of the order • secrecy of the payment
What does a purchase transaction involve? • 4 messages between merchant and customer • 2 messages between merchant and payment gateway • 6 digital signatures • 9 RSA encryption/decryption cycles • 4 DES encryption/decryption cycles • 4 certificate verifications
Related work: 3-D Secure, the card schemes' later browser-based cardholder authentication protocol (Verified by Visa, MasterCard SecureCode), which needs no wallet software on the client and largely took SET's place.
Conclusions. SET is a very complicated security protocol. Its expensive merchant support, compared with the existing low-cost SSL, and its requirement that clients install software or hardware (an e-wallet) made it unattractive to merchants, banks and, especially, marketing people. It is nevertheless a safe protocol, and over time its resurrection in some form or another may materialize, finally bringing an end to the intolerable state of Internet credit card fraud.
Bibliography • Mark S. Merkow (2004). "Secure Electronic Transactions (SET)". In Hossein Bidgoli (ed.), The Internet Encyclopedia. • Yang Li and Yun Wang. Secure Electronic Transaction (SET protocol). • www.ing.ro/ingb/persoane-fizice/securitate/3d-secure.html • http://www.avispa-project.org/library/SET-purchase.html