Southwest University of Finance and Economics Simulation Bank Experiment Center Shuai Qinghong Sichuan Chengdu Southwest Finance and Economics Information
Summary is accompanied by the booming of the Internet, e-commerce is gradually become emerging business models and ideas with its own efficient, low-cost advantages. The SET protocol based on card business has become a major model of online shopping in e-commerce, but because SET transactions are complex, their promotion is limited. This article proposes an improved security online trading system for SET online transactions.
Keyword e-commerce, online transaction, digital certificate, security electronic transaction (SET)
1 Introduction
The global economic development is entering the information economy era, and the knowledge economy is beginning to see the end. As the main economic growth mode of the 21st century - e-commerce, it will bring huge changes to the world and the world economy, and have a profound impact. E-commerce adopts greatly reduces transaction costs, increase trade opportunities, streamline trade processes, and improve trade efficiency; e-commerce improves productivity, improves logistics systems, and promotes the reform of enterprises and national economic structures. The attention and investment of e-commerce can develop emerging industries, create jobs, and promote the development of national and global economies. Now, e-commerce has been applied in many fields such as foreign trade, customs, finance, and commerce. At the same time, various professional networks and value-added networks have developed rapidly, and e-commerce has become the focus of all parties concerned, e-commerce development and application environment is being Gradually formed. How to achieve security online transactions has always been one of the typical applications that should be considered in e-commerce.
2 SET trading profile
E-commerce is also facing a biggest challenge while providing opportunities and conveniences, that is, the security issues of trading. In an online shopping environment, cardholders want to keep their account information in the transaction, so that they are not stolen; merchants hope that customers' orders are not reliable, and in the transaction process, the transaction is hoped to test Other party identities to prevent being deceived. In response to this situation, a number of international technologies in the United States VISA and Mastercard were jointly internationally, and the bank card-based security standards were developed to be based on bank cards on the Internet. This is "safe electronic transaction" ( Secure Electronic Transaction, SET). It uses public key cryptosystems and X.509 digital certificate standards, mainly to ensure the security of online shopping information. Since SET provides certification between consumers, merchants and banks, ensuring the confidentiality, authenticity, integrity, and transaction of transaction data, especially the advantages of not exposing consumer bank card numbers to merchants, Therefore, it has become an international security standard for online transactions of the currently recognized credit card / debit card. SET is mainly used for card transactions on the Internet. Although the SET trading has no traditional face-to-face trading process, it is similar to traditional transactions, also involves three entities: card holder; merchant; Financial Institution. Cardholders are bought to merchandise through their own computer, to buy goods on the Internet, and then pay the goods on the Internet through the financial institution.
3 set shopping process
3.1 Shopping Request
(1) When the cardholder to the merchant's website, the browsing is selected, and after ordering the order. When the cardholder chooses the SET payment method, the merchant software wakes up the cardholder's e-wallet.
(2) The cardholder issues an initialization request to the merchant.
(3) After receiving the initial request, the cardholder receives the merchant and gateway certificate (traced back to the root certificate through the trust chain).
⑷ Verify the signature of the merchant (decrypt information savings with the public key of the merchant certificate, compared to the calculated information summary). ⑸ Produce Ordered Information (OI).
⑹ Generate Payment Directive (PI).
⑺ Generate dual signature of OI and PI: Hash (OPI information summary) is performed on (OI information summary), and then encrypt it with a cardholder signature private key.
⑻ Use the deskey1 (generated random symmetric key) encryption (PI Double Signature) called encrypted payment information, then encrypt the DESKEY1 and card number information of the gateway to generate payment envelopes.
⑼ Send (Oi Double Signature) Payment Envelope Encrypted Payment Information Pi's Information Summary Cardholder Sign Certificate to the merchant.
After the merchant received a cardholder's shopping request: (10) Verify the cardholder certificate.
(11) Double signature: Double signature of the Cardholder key to decrypt the OI band, calculate the information summary of the OI, and then the information summary of the information summary of the OI PI is compared to the decryption.
(12) Merchants send PI to the gateway.
(13) Generate a shopping response and sign.
(14) Pass the shopping response and the merchant sign certificate to the cardholder.
(15) If the gateway returns to the authorization, the merchant fills in the order to notify the card.
After receiving the merchant's shopping response:
(16) Verify the merchant certificate.
(17) Verify the merchant signature in the shopping response.
(18) Cardholders save shopping responses.
3.2 Authorization request
(1) Merchants to generate authorization requests: contain transaction IDs and amounts.
(2) Merchants sign the authorization request.
(3) Encrypt the authorization request with Deskey2, and encrypts Deskey2 with the gateway encryption.
⑷ Merchant will encrypt the encrypted authorization request encryption (PI Double Signature) and the gateway envelope cardholder's signature certificate merchant to the gateway. Note: Another Sales transaction, merchants issuing a Payment request while issuing an authorization request.
After receiving the authorization request:
⑸ Verify the merchant certificate.
⑹ Use the gateway encrypt the private key to decrypt Deskey2, and then decrypt authorization requests with Deskey2.
⑺ Verify the merchant signature.
⑻ Verify the cardholder certificate.
⑼ Use the gateway to encrypt the private key Decryption Deskey1, and then decrypt PI with the deskey11.
⑽ Verify the dual signature of the cardholder PI: Decrypt the double signature with the cardholder, calculate the information summary of the PI, and compare the Double Signature with the decryption of the OI summary.
⑾ Check whether the transaction ID in the authorization request of the merchant is consistent with the PI.
⑿ 请 请 请 专 专 网 网 专 网 网 网 网 网 网 网 行 专 网 网 行
⒀ Generate authorized response information and sign.
⒁ Use the Deskey3 encrypted responsive, encrypt Deskey3 with the Merchant's Encryption Card.
⒂ Produce a deduction token and sign it.
⒃ Use the Deskey4 encryption token to encrypt the Deskey4 generated gateway envelope with the gateway encrypted key.
⒄ Pass the encrypted authorized response and the signature certificate of the merchant envelope encrypted deduction token and gateway envelope gateway to the merchant.
Merchants receive authorized responses:
⒅ Verify the gateway certificate.
⒆ Use the merchant encrypt the private key to decrypt Deskey3, decrypt the authorization response with Deskey3.
⒇ Verify the signature of the gateway to the authorized response.
[21] Save encrypted deduction tokens and gateway envelopes for later deductions.
[22] Merchants complete shopping request processing.
3.3 deduction request
(1) Merchant produces a deduction request.
(2) Signature the deduction request.
(3) With the Deskey5 encryption request, encrypt the key to encrypt the key to the gateway. ⑷ Send the encrypted deduction encrypted button token and gateway envelope two merchants certificates to the gateway.
After the gateway receives the deduction request:
⑸ Verify the merchant certificate.
⑹ Use the gateway encrypt the private key to decrypt Deskey5, and decrypt the deduction request with Deskey5.
⑺ Verify the merchant signature requested by the deduction.
⑻ Use the gateway to encrypt the private key to decrypt Deskey4, and then decrypt the deduction token with the Deskey4.
⑼⑼ Compare the deduction request and deduction token.
⑽ Send the deduction request to the issuing line through the financial brigade.
⑾ Generate a deduction response information and sign it.
⑿ Use the Deskey6 encrypted deduction, and then encrypt Deskey6 with the merchant's encrypted key.
⒀ Pass the encrypted deduction and the signature certificate of the merchant envelope gateway to the merchant.
The merchant received the deduction response from the gateway:
⒁ Verify the gateway certificate.
⒂ Use the merchant to encrypt the private key to decrypt Deskey6, decrypt the deduction response with Deskey6.
⒃ Verify the gateway signature.
4 SET exists
The SET specification is launched in 1997, but there are not many applications in the SET protocol. At present, the SET protocol is found to have the following problems in the application:
(1) SET only supports credit card consumption
SET only supports credit card consumption, mainly because the US credit card consumption is very popular. The Set protocol mainly transmits the main account information of the card, without the use of personal password PIN. But in other countries (such as China), the debit card is mainly used.
(2) Too complex
Set defines the message message and data definition of the payment process. Since its specifications are global use, there are many factors that consider (mainly the US payment method), and the message news is too complicated to other countries (such as China). The design of the SET application software is complex, and the price is high, affecting the popularity of SET.
(3) more entities involved in the SET
In order to realize multi-party authentication, SET will connect cards, merchants, payment gateways, and CA these four entities are linked through the certificate, and communicate with each other. The SSL mode only involves the relationship between cardiac cards and merchants. Therefore, to implement SET payment, cardholders, merchants, payment gateways, and CA must support SET, thus causing difficulties in construction and coordination.
⑷ Set is not enough for smart cards
Smart cards are safe, convenient, and more features compared to the magnetic stripe card, which is the development trend of the payment card, and SET has no support for smart cards. In recent years, SET has also proposed support for smart cards. ⑸ SET consumption mode difference
In order to achieve convenient payment, Set define various consumer models. If you implement installment payment, regular payment, division development, and even define the consumption model of car rental, hotel consumption, these models are mainly in accordance with the US consumption method, For other countries (such as China), the consumer model is different, many consumption methods have almost no way in China, or there are few cases, which can be used to use traditional payment methods, which simplifies the difficulty of SET software development, and reduces SET software. The cost, speed up the popularity of Set.
Set is a payment for transaction on the Internet, reducing fraudulent risks, which has been promoted as the industry's public standards. SET Safety Electronic Trading Agreement, mainly applied to the security of payment information in B TO C mode. The Set protocol itself is complicated, the design is strict, high security, it guarantees the confidentiality, authenticity, integrity, and undisibility of information transmission. The Set protocol is a typical implementation under the PKI framework, and is also constantly upgrading and perfect, such as SET 2.0 will support debit card electronic transactions.
5 Improvement Program for SET
Due to the complexity of SET transactions, the transaction success rate is not high, leading to the promotion and application, and through the improvement of SET transactions, the improved program can be good to realize online transactions. "Improved Program of SET Trading" has three major functions: authentication, data encryption transmission, online payment. The system requires the parties involved in the transaction to have a digital certificate, which can be authenticated, ensuring that only legitimate users with digital certificates can implement secure payments on the system; at the same time, using the key to the key to the transfer of the key to the key to the transfer Encryption and signing, ensuring the confidentiality, authenticity, integrity, and non-negotiation of the information transmission. 5.1 Transaction Process
In the "SET Trading Improvement Program", the parties involved in the transaction are: customers, merchants, payment gateways and commercial banks, their data streams are as follows:
(1) The customer has established a connection with the merchant through a secure channel, and the two parties exchange the certificate, verify the identity, confirm the authenticity, legality of the identity. (2) Customer browsing the merchandise information of the merchant, after the purchase, the order under the safety channel, the order contains information about the merchant; the order is signed, and the merchant stores the customer's signature into the database, as a non-denial of the transaction evidence. (3) The client establishes a connection with the payment gateway through a secure channel, and the two parties exchange the certificate, verify the identity, confirm the authenticity, legality of the identity. ⑷ Customers receive their own signature to the payment gateway through a secure channel and contain a payment instruction for merchant information, and the gateway retains the history to the database, as a credential that the transaction is undeniable; the payment network is transferred to the commercial bank to transfer the customer's payment information. ⑸ Payment Gateway Receives the information of the completed payment of the commercial bank, and retains the history to the database; after the payment gateway is signed, the secure channel transmits the information that has been completed to the customer. ⑹ Customer deposited the complete payment information of the gateway to the database, and transmits information that has been completed through the merchant through the secure channel. ⑻ Merchants use the signed completed information into the database, send the goods ordered to the customer; the merchant deposes the shipping information to the database and send the shipped information to the customer. ⑼ Customer receives the sending goods information after the merchant signature, is stored in the database as a history, and the goods are accepted, and the entire transaction is completed.
Figure 2 SET transaction improvement scheme data stream
As can be seen from the above, the "SET Trading Improvement Program" includes three systems: payment gateway system, merchant trading security platform system, customer management system.
5.2 payment gateway
Payment Gateway: is a set of servers connected to the Bank Network and the INTERNET. Its main role is to complete communication, protocol conversion, and data plus, decryption, to protect the security of the bank's internal network. The main function of the payment gateway is to decrypt the data packets from the Internet and re-packaged the data according to the communication protocol inside the banking system; incoming the bank internal business processing system; receiving the response message of the internal feedback of the banking system, convert the data to The data format of the Internet is encrypted. In fact, the payment gateway plays a role of a data conversion and processing center.
The payment gateway system mainly includes: commercial bank business system public interface, SET server, SSL server, HTTP server, payment gateway application, payment transaction arbitration software, payment network level key and certificate management software, etc.
The payment gateway system provides customers, merchants, and banks with a safe, convenient and fast online trading system. If you log in to the user's authentication, you must obtain a certificate of authentication centers (CAs), all customers, merchants, and payment gateways have CA certificates. This system first confirms that the user's identity, the merchant, the customer can enter the product supply and demand information, quantity, amount, credit card number and other information on the web page, and then submit the system for processing. The system has the main body of the system, merchants, banks, and payment gateways. The payment gateway system is an important part of the "safe online trading system". It refers to the use of safety electronic means between customers, merchants and financial institutions to exchange goods or services, that is, transfer payment information to banks or corresponding network security. Treatment agency to achieve electronic payment.
5.3 Establishing a safety channel
In the merchant trading safety platform system, the customer management system is implemented by establishing a secure channel.
(1) The function of the merchant trading security platform system verifies the identity of the customer, providing product information to customers, records the order information after the customer's signature, record the payment information after the payment gateway signature, and save your own signature delivery information. It includes identity authentication software, digital signage verification software, customer payment information processing software, key, certificate management software, etc. (2) The function of the customer management system has the identity of the merchant and gateway, saves history (including the order information and payment information of the customer yourself, the payment information after the signature of the gateway, the delivery information after the merchant signed), Ability to check customers their own purchase information and bank funding information. It includes security agent software, transaction and payment history data storage management software, payment trading query, statistics, reports and analysis software, key and certificate management software, etc.
These two systems are achieved by setting up a customer trading agent (Agent) software in the customer management system and set up a merchant trading security platform at the merchant trading security platform system.
The information transfer between the traditional browser and the server does not provide high-intensity encryption mechanism, which is unable to meet the security requirements for e-commerce on data processing. Mainly manifested in the following aspects: (1) General browser and server web certificates and SSL certificates and SSL protocols supported by the US government, in some countries, especially in China, especially in China, only 40 symmetrical encryption strength . With the current technical means, the DES algorithm with only 40-bit keys is not enough, the intensity of the transaction is too large, and the needs of online banking, online shopping and other applications cannot be met. (2) Web certificate and SSL certificate and its SSL protocol, no functionality of digital signatures, so there is no anti-negativeness. (3) CRL automatic query cannot be carried out online, which automatically queries, ensuring the reliability and security of online transactions. ⑷ 有 有 有 有 有 有 有 functions such as certificate management functions such as certification validity and key management. Because there are many problems, the customer trading agent (Agent) is added to the browser side, and the merchant trading security platform is added between the web server. The Customer Trading Agent (Agent) and the merchant trading security platform will construct a safe passage on the Internet.
Customer Trading Agent (Agent) and Merchant Trading Security Platform are web-based applications, users can securely use browser to connect protected sites, including users' customer trading agent (Agent) and merchant trading security platforms. Customer Trading Agent (Agent) and merchant transaction security platforms have been negotiated to generate a security session, protect data between the browser and the transmission between the web server. Customer Trading Agent (Agent) is responsible for the management of the Browser-end key and the security of the server, the merchant trading security platform is responsible for the management of the server-side key and ensures the security of the server. Customer Trading Agent (Agent) The data sent by the browser is encrypted and signed, transferring the protection data to the merchant trading security platform; the merchant trading security platform is decrypted and verified before sending it to Web Server. The principle is shown in Figure 3: Figure 3 Schematic diagram of the principle of the customer trading agent (Agent) and the merchant trading security platform
The security channel based on customer trading agent (Agent) and merchant trading security platform has the following advantages:
(1) Customer Trading Agent (Agent) and merchant trading security platforms are only independent of Browser, Web Server, and user applications running on the Browser / Server system are independent, and the original user application can not be modified and directly upgraded to an application system with a security mechanism. (2) The security mechanism used in the system can be widely used in all kinds of commercial BROWSER and Web Server products. (3) Customer Trading Agent (Agent) and the merchant trading security platform for application layer software, can realize the security service of the application layer, providing other forms of access control based on the user, such as restricting connection time, connected host, and time of use. ⑷ Customer Trading Agent (Agent) The communication protocol used between the merchant trading safety platform can also be used, and internationally universal security protocols, such as safety sleeve layers SSL, secure HTTP, secure transport layer TLS, simple public key SPKM and other protocols High flexible. When the user has installed the Customer Trading Agent (Agent) and the merchant transaction security platform, it monitors the entry information, when the user accesses a site protected by the merchant trading security platform, Client / Server negotiates trusted security session if negotiated Success, producing a trusted security session. The process of establishing a secure connection between the merchant trading security platform and the customer trading agent (Agent) is as follows: (1) The customer issues a connection request to the site protected by the merchant trading security platform through the Customer Trading Agent (Agent). (2) After the merchant trading security platform is connected, the test request is issued by the Customer Trading Agent (Agent). Yes, returns the result of the request, otherwise, the name of the certificate returned to the merchant trading security platform indicates the HTTP flag indicating the need to securely connect sessions. Client's Customer Trading Agent (Agent) will intercept the information returned at this time and go to the next step. If the client does not have a customer trading agent (Agent), the connection will not be possible. (3) After the client customer trading agent (Agent) receives the screen of the merchant trading security platform certificate, query the CA's directory service to confirm the legality of the connection site. ⑷ If you are legal, TOKEN exchange, if successful, create a SPKM (Simple Public Key Mechanism) secure connection. (Token is a packet containing information such as user certificates, sequence numbers.) ⑸ Establish a security channel to transfer communication data. After receiving the last verification token, the merchant trading security platform, the customer's original request is sent to Web Server, and each request, the client's DN name and IP address are also sent to Web Server, and the server's handler can perform according to this information. Permission control and transaction processing. The security channel based on customer trading agent (Agent) and merchant trading security platform contains customers, merchants and bank triparties. Customers have a web browser (Web Browser). With the Customer Trading Agent (Agent) software. Its role is responsible for establishing security communication with the merchant trading security platform, providing security and key management functions for client and server-side, which detects that the browser's information sent to Server is high-intensity communication information, which is designed for Encryption and signature information provided by the merchant trading security platform. Merchants have a Web Server, a business trading security platform. Its role is responsible for establishing secure communication with the client, performing both parties, accept information about the client; supports the online automatic CRL check of the client and the server side; the management function of the perfect key and certificate.
Among them, banks provide a payment settlement function for intermediary services. Set the payment gateway in the front end of the traditional bank information network. Its role is to transfer the information transmitted by the customer, through the communication format, and turn into the communication format for traditional banks to public business transactions. And connect with the bank customer information database, complete the transfer account task. Based on customer trading agent (Agent) and merchant trading security platforms: (1) Both parties certified; (2) The complete key and certificate lifecycle management system; (3) is easy to use and transparency to users; ⑷ client The server side automatically performs a CRL query; the powerful password mechanism has high security; ⑹ Dual key pair mechanism, support non-negotiation.
6 Conclusion E-Commerce is the most important business model in the 21st century, which will inevitably penetrate into all aspects of life, production and society. SET transactions based on card business are a typical application of online shopping in e-commerce, but because of its complexity, the success rate is not high, through the improvement of SET transactions, it provides a good mode for realizing online transactions.
About the author: Shuai Qinghong, male, born in 1966, in 1984, attended the Department of Defense Science and Technology (Changsha) Aerospace Technology, graduated to the Air Force Flight Academy teacher. In 1990, I was admitted to computer application of National Defense Scienceial Research Institute. After graduation, I was admitted to Dr. Sichuan University. After graduating from 1996, I was working in Southwest University of Finance and Economics. The main research direction is e-commerce, financial electronic, network security and computer application. More than ten papers, participate in various books, textbooks, participate in the National Natural Science Foundation of China, Torch Program, 863 Project.
