
INTERNET SECURITY

[Figure 10.3 diagram: an outside host on the Internet and an inside host on the private network, joined by an application-level gateway that relays FTP, TELNET, DNS, SMTP and HTTP traffic.]

Figure 10.3 Application-level gateway for acting as a relay of application-level traffic.

Certain transport layer protocols work better than others. For example, TCP can easily be used through a proxy server because it is a connection-based protocol, while each UDP packet should be treated as an individual message because UDP is connectionless. The proxy server must analyse each UDP packet and apply it to the filters separately, which slows down the proxy process. ICMP programs are nearly impossible to proxy because ICMP messages do not work through an application-level gateway. For example, HTTP traffic is often used in conjunction with proxy servers, but an internal host could not ping a remote host through the proxy server. Application gateways (proxy servers) are used as intermediate devices when routing SMTP traffic to and from the internal network and the Internet.

The main advantage of a proxy server is its ability to provide NAT for shielding the internal network from the Internet. Figure 10.3 illustrates the application-level gateway acting as a relay of the application-level traffic.

10.4 Firewall Designs

This section concerns how to implement a firewall strategy. The primary step in designing a secure firewall is obviously to prevent the firewall devices from being compromised by threats. To provide a certain level of security, the three basic firewall designs are considered: a single-homed bastion host, a dual-homed bastion host and a screened subnet firewall. The first two options are for creating a screened host firewall, and the third option contains an additional packet-filtering router to achieve another level of security.

To achieve the most security with the least amount of effort is always desirable. When building firewall devices, the bastion host should keep the design simple with the fewest possible components, both hardware and software. A bastion host is a publicly accessible device. When Internet users attempt to access resources on the Internet network, the first device they encounter is a bastion host. Fewer running services on the bastion host will give a potential hacker less opportunity to overcome the firewall. Bastion hosts must check all incoming and outgoing traffic and enforce the rules specified in the security policy. Bastion hosts are armed with logging and alarm features to prevent attacks. When creating a bastion host, it must be kept in mind that its role will help to decide what is needed and how to configure the device.

INTERNET FIREWALLS FOR TRUSTED SYSTEMS

10.4.1 Screened Host Firewall (Single-Homed Bastion Host)

The first type of firewall is a screened host which uses a single-homed bastion host plus a packet-filtering router, as shown in Figure 10.4. Single-homed bastion hosts can be configured as either circuit-level or application-level gateways. When using either of these two gateways, each of which is called a proxy server, the bastion host can hide the configuration of the internal network.

NAT is essentially needed for developing an address scheme internally. It is a critical component of any firewall strategy. It translates the internal IP addresses to IANA-registered addresses to access the Internet. Hence, using NAT allows network administrators to use any internal IP address scheme.

The screened host firewall is designed such that all incoming and outgoing information is passed through the bastion host. The external screening router is configured to route all incoming traffic directly to the bastion host as indicated in Figure 10.4. The screening router is also configured to route outgoing traffic only if it originates from the bastion host. This kind of configuration prevents internal clients from bypassing the bastion host. Thus, the bastion host is configured to restrict unacceptable traffic and proxy acceptable traffic.

A single-homed implementation may allow a hacker to modify the router not to forward packets to the bastion host. This action would bypass the bastion host and allow the hacker directly into the network. But such a bypass usually does not happen because a network using a single-homed bastion host is normally configured to send packets only to the bastion host, and not directly to the Internet.

10.4.2 Screened Host Firewall (Dual-Homed Bastion Host)

The configuration of the screened host firewall using a dual-homed bastion host adds significant security, compared with a single-homed bastion host. As shown in Figure 10.5, a dual-homed bastion host has two network interfaces. This firewall implementation is secure due to the fact that it creates a complete break between the internal network and the external Internet. As with the single-homed bastion, all external traffic is forwarded directly to the bastion host for processing. However, a hacker may try to subvert the bastion host and the router to bypass the firewall mechanisms. Even if a hacker could defeat either the screening router or the dual-homed bastion host, the hacker would still have to penetrate the other. Nevertheless, a dual-homed bastion host removes even this possibility. It is also possible to implement NAT for dual-homed bastion hosts.

[Figure 10.4 diagram: Internet, packet-filtering router, bastion host, server (Web and FTP) and internal network host.]

Figure 10.4 Screened host firewall system (single-homed bastion host).

[Figure 10.5 diagram: Internet, packet-filtering router, bastion host, server (Web and FTP) and internal network hosts.]

Figure 10.5 Screened host firewall system (dual-homed bastion host).

10.4.3 Screened Subnet Firewall

The third implementation of a firewall is the screened subnet, which is also known as a DMZ. This firewall is the most secure one among the three implementations, simply because it uses a bastion host to support both circuit- and application-level gateways. As shown in Figure 10.6, all publicly accessible devices, including modem and server, are placed inside the DMZ. This DMZ then functions as a small isolated network positioned between the Internet and the internal network. The screened subnet firewall contains external and internal screening routers. Each is configured such that its traffic flows only to or from the bastion host. This arrangement prevents any traffic from directly traversing the DMZ subnetwork. The external screening router uses standard filtering to restrict external access to the bastion host, and rejects any traffic that does not come from the bastion host. This router also uses filters to prevent attacks such as IP spoofing and source routing. The internal screening router also uses rules to prevent spoofing and source routing. Like its external counterpart, this internal router rejects incoming packets that do not originate from the bastion host, and sends only outgoing packets to the bastion host.

[Figure 10.6 diagram: Internet, packet-filtering router (external), de-militarised zone containing the bastion host, server (Web and FTP) and modem, packet-filtering router (internal), internal network.]

Figure 10.6 Screened subnet firewall system.

The benefits of the screened subnet firewall are based on the following facts. First, a hacker must subvert three separate tri-homed interfaces to access the internal network, which is almost infeasible. Second, the internal network is effectively invisible to the Internet because all inbound/outbound packets go directly through the DMZ. This arrangement makes it impossible for a hacker to gain information about the internal systems because only the DMZ is advertised in the routing tables and other Internet information. Third, internal users cannot access the Internet without going through the bastion host because the routing information is contained within the network.
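The filtering behaviour described for the two screening routers can be modelled as a small decision function per router. This is an added example, not code from the book: the addressing plan (10.0.0.0/24 internal, 192.0.2.0/28 DMZ, bastion host 192.0.2.2), the interface names and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan (private and documentation ranges), not from the book.
INTERNAL = ip_network("10.0.0.0/24")
DMZ = ip_network("192.0.2.0/28")
BASTION = ip_address("192.0.2.2")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    arrived_on: str              # interface on which the router received the packet
    source_routed: bool = False  # an IP source-route option is present


def external_router(p: Packet) -> str:
    """Screening router between the Internet and the DMZ."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.source_routed:
        return "drop: source routing"
    if p.arrived_on == "internet":
        # A packet from outside must never claim an internal or DMZ source.
        if src in INTERNAL or src in DMZ:
            return "drop: spoofed source"
        return "forward" if dst == BASTION else "drop: not for bastion"
    if p.arrived_on == "dmz":
        return "forward" if src == BASTION else "drop: not from bastion"
    return "drop: unknown interface"


def internal_router(p: Packet) -> str:
    """Screening router between the DMZ and the internal network."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.source_routed:
        return "drop: source routing"
    if p.arrived_on == "dmz":
        if src in INTERNAL:
            return "drop: spoofed source"
        if src != BASTION:
            return "drop: not from bastion"
        return "forward" if dst in INTERNAL else "drop: not for internal"
    if p.arrived_on == "internal":
        if src not in INTERNAL:
            return "drop: spoofed source"
        return "forward" if dst == BASTION else "drop: not for bastion"
    return "drop: unknown interface"


def crosses_dmz_directly(src: str, dst: str) -> bool:
    """True only if one unmodified inbound packet would pass both routers."""
    first = external_router(Packet(src, dst, "internet"))
    second = internal_router(Packet(src, dst, "dmz"))
    return first == "forward" and second == "forward"


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.0.2.2", "internet"),
                Packet("198.51.100.7", "10.0.0.5", "internet"),
                Packet("10.0.0.5", "192.0.2.2", "internet"),
                Packet("10.0.0.5", "198.51.100.7", "internal")):
        router = internal_router if pkt.arrived_on == "internal" else external_router
        print(pkt, "->", router(pkt))
```

No source and destination pair makes `crosses_dmz_directly` return true, because the external router forwards inbound packets only to the bastion host while the internal router forwards only packets sourced from it.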

11 SET for E-commerce Transactions

The Secure Electronic Transaction (SET) is a protocol designed for protecting credit card transactions over the Internet. It is an industry-backed standard that was formed by MasterCard and Visa (acting as the governing body) in February 1996. To promote the SET standard throughout the payments community, advice and assistance for its development have been provided by IBM, GTE, Microsoft, Netscape, RSA, SAIC, Terisa and Verisign.

SET relies on cryptography and X.509 v3 digital certificates to ensure message confidentiality and security. SET is the only Internet transaction protocol to provide security through authentication. It combats the risk of transaction information being altered in transit by keeping information securely encrypted at all times and by using digital certificates to verify the identity of those accessing payment details. The specifications of and ways to facilitate secure payment card transactions on the Internet are fully explored in this chapter.

Internet Security. Edited by M.Y. Rhee
2003 John Wiley & Sons, Ltd ISBN 0-470-85285-2

11.1 Business Requirements for SET

This section describes the major business requirements for credit card transactions by means of secure payment processing over the Internet. They are listed below:

1. Confidentiality of information (provide confidentiality of payment and order information): To meet these needs, the SET protocol uses encryption. Confidentiality reduces the risk of fraud by either party to the transaction or by malicious third parties. Cardholder account and payment information should be secured as it travels across the network. It should also prevent the merchant from learning the cardholder’s credit card number; this is only provided to the issuing bank. Conventional encryption by DES is used to provide confidentiality.

2. Integrity of data (ensure the integrity of all transmitted data): SET combats the risk of transaction information being altered in transit by keeping information securely encrypted at all times. That is, it guarantees that no changes in message content occur during transmission. Digital signatures are used to ensure integrity of payment information. RSA digital signatures, using SHA-1 hash codes, provide message integrity. Certain messages are also protected by HMAC using SHA-1.

3. Cardholder account authentication (provide authentication that a cardholder is a legitimate customer of a branded payment card account): Merchants need a way to verify that a cardholder is a legitimate user of a valid account number. A mechanism that links the cardholder to a specific payment card account number reduces the incidence of fraud and the overall cost of payment processing. Digital signatures and certificates are used to ensure authentication of the cardholder account. SET uses X.509 v3 digital certificates with RSA signatures for this purpose.

4. Merchant authentication (provide authentication that a merchant can accept credit card transactions through its relationship with an acquiring financial institution): Merchants have no way of verifying whether the cardholder is in possession of a valid payment card or has the authority to be using that card. There must be a way for the cardholder to confirm that a merchant has a relationship with a financial institution (acquirer) allowing it to accept the payment card. Cardholders also need to be able to identify merchants with whom they can securely conduct electronic commerce. SET provides for the use of digital signatures and merchant certificates to ensure authentication of the merchant. SET uses X.509 v3 digital certificates with RSA signatures for this purpose.

5. Security techniques (ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction): SET utilises two asymmetric key pairs for the encryption/decryption process and for the creation and verification of digital signatures. Confidentiality is ensured by the message encryption. Integrity and authentication are ensured by the use of digital signatures. Authentication is further enhanced by the use of certificates. The SET protocol utilises cryptography to provide confidentiality of message information, ensure payment integrity and ensure identity authentication. For authentication purposes, cardholders, merchants and acquirers will be issued with digital certificates by their sponsoring CAs. Thus, SET is a well-tested specification based on highly secure cryptographic algorithms and protocols.

6. Creation of brand-new protocol (create a protocol that neither depends on transport security mechanisms nor prevents their use): SET is an end-to-end protocol whereas SSL provides point-to-point encryption. SET does not interfere with the use of other security mechanisms such as IPsec and SSL/TLS. Even though both technologies address the issue of security, they work in different ways and provide different levels of security. SET was specifically developed for secure payment transactions.

7. Interoperability (facilitate and encourage interoperability among software and network providers): SET uses specific protocols and message formats to provide interoperability. The specification must be applicable on a variety of hardware and software platforms and must not include a preference for one over another. Any cardholder with compliant software must be able to communicate with any merchant software that also meets the defined standard.

11.2 SET System Participants

The participants in the SET system interactions are described in this section. A discrepancy is found between an SET transaction and a retail or mail order transaction: in a face-to-face retail transaction, electronic processing begins with the merchant or the acquirer, but, in an SET transaction, the electronic processing begins with the cardholder.

Cardholder: In the electronic commerce environment, consumers or corporate purchasers interact with merchants on personal computers over the Internet. A cardholder is an authorised holder of a payment card that has been issued by an issuer. In the cardholder’s interactions, SET ensures that the payment card account information remains confidential.

Issuer: An issuer is a financial institution (a bank) that establishes an account for a cardholder and issues the payment card. The issuer guarantees payment for authorised transactions using the payment card.

Merchant: A merchant is a person or organisation that offers goods or services for sale to the cardholder. Typically, these goods or services are offered via a Website or by e-mail. With SET, the merchant can offer its cardholders secure electronic interactions. A merchant that accepts payment cards must have a relationship with an acquirer (a financial institution).

Acquirer: An acquirer is the financial institution that establishes an account with a merchant and processes payment card authorisation and payments. The acquirer provides authentication to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer of payments to the merchant’s account. Subsequently, the acquirer is reimbursed by the issuer over some sort of payment network for electronic funds transfer (EFT).

Payment gateway: A payment gateway acts as the interface between a merchant and the acquirer. It carries out payment authorisation services for many card brands and performs clearing services and data capture. A payment gateway is a device operated by the acquirer or a designated third party that processes merchant payment messages, including payment instructions from cardholders. The payment gateway functions as follows: it decrypts the encoded message, authenticates all participants in a transaction, and reformats the SET message into a format compliant with the merchant’s point of sale system. Note that issuers and acquirers sometimes choose to assign the processing of payment card transactions to third-party processors.

Certification Authority: A CA is an entity that is trusted to issue X.509 v3 public-key certificates for cardholders, merchants and payment gateways. The success of SET will depend on the existence of a CA infrastructure available for this purpose. The primary functions of the CA are to receive registration requests, to process and approve/decline requests, and to issue certificates. A financial institution may receive, process and approve certificate requests for its cardholders or merchants, and forward the information to the appropriate payment card brand(s) to issue the certificates. An independent Registration Authority (RA) processes payment card certificate requests and forwards them to the appropriate issuer or acquirer for processing. The financial institution (issuer or acquirer) forwards approved requests to the payment card brand to issue the certificates.

[Figure 11.1 diagram: Root CA at the top, Brand CA below it, then three CAs serving the issuer, the acquirer and the payment gateway; the issuer and acquirer are linked by the payment network, and the cardholder and merchant connect over the Internet.]

Figure 11.1 The SET hierarchy indicating the relationships between the participants.

Figure 11.1 illustrates the SET hierarchy which reflects the relationships between the participants in the SET system, described in the preceding paragraphs. In the SET environment, there exists a hierarchy of CAs. The SET protocol specifies a method of trust chaining for entity authentication. This trust chain method entails the exchange of digital certificates and verification of the public keys by validating the digital signatures of the issuing CA. As indicated in Figure 11.1, this trust chain method continues all the way up to the root CA at the top of the hierarchy.

11.3 Cryptographic Operation Principles

SET is the Internet transaction protocol providing security by ensuring confidentiality, data integrity, authentication of each party and validation of the participant’s identity. To meet these requirements, SET incorporates the following cryptographic principles:

Confidentiality: This is ensured by the use of message encryption. SET relies on encryption to ensure message confidentiality. In SET, message data is encrypted with a random symmetric key which is further encrypted using the recipient’s public key. The encrypted message along with this digital envelope is sent to the recipient. The recipient decrypts the digital envelope with a private key and then uses the symmetric key in order to recover the original message.

Integrity: This is ensured by the use of a digital signature. Using the public/private-key pair, data encrypted with either key can be decrypted with the other. This allows the sender to encrypt a message using the sender’s private key. Any recipient can determine that the message came from the sender by decrypting the message using the sender’s public key. With SET, the merchant can be assured that the order it received is what the cardholder entered. SET guarantees that the order information is not altered in transit. Note that the roles of the public and private keys are reversed in the digital signature process where the private key is used to encrypt for signature and the public key is used to decrypt for verification of signature.

Authentication: This is also ensured by means of a digital signature, but it is further strengthened by the use of a CA. When two parties conduct business transactions, each party wants to be sure that the other is authenticated. Before a user B accepts a message with a digital signature from a user A, B wants to be sure that the public key belongs to A. One way to secure delivery of the key is to utilise a CA to authenticate that the public key belongs to A. A CA is a trusted third party that issues digital certificates. Before it authenticates A’s claims, a CA could supply a certificate that offers a high assurance of personal identity. This CA may require A to confirm his or her identity prior to issuing a certificate. Once A has provided proof of his or her identity, the CA creates a certificate containing A’s name and public key. This certificate is digitally signed by the CA. It contains the CA’s identification information, as well as a copy of the CA’s public key. To get the most benefit, the public key of the CA should be known to as many people as possible. Thus, by trusting a single key, an entire hierarchy can be established in which one can have a high degree of trust.

The SET protocol utilises cryptography to provide confidentiality of information, ensure payment integrity and ensure identity authentication. For authentication purposes, cardholders, merchants and acquirers (financial institutions) will be issued with digital certificates by their sponsoring CAs. The certificates are digital documents attesting to the binding of a public key to an individual user. They allow verification of the claim that a given public key does indeed belong to a given individual user.

11.4 Dual Signature and Signature Verification

SET introduced a new concept of digital signature called dual signatures. A dual signature is generated by creating the message digest of two messages: order digest and payment digest. Referring to Figure 11.2, the customer takes the hash codes (message digests) of both the order message and payment message by using the SHA-1 algorithm. These two hashes, $h_o$ and $h_p$, are then concatenated and the hash code $h$ of the result is taken. Finally, the customer encrypts (via RSA) the final hash code with his or her private key, $K_{sc}$, creating the dual signature. Computation of the dual signature (DS) is shown as follows:

$$DS = E_{K_{sc}}(h)$$

where

$$h = H(H(OM) \,\|\, H(PM)) = H(h_o \,\|\, h_p)$$

and $K_{sc}$ ($= d_c$) is the customer’s private signature key.
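The dual signature computation above, carried through in code as an added example that is not taken from the book. It goes one step beyond the text by also showing verification: the merchant checks DS holding only OM and $h_p$, and the bank holding only $h_o$ and PM. The RSA key is a toy one built from two known Mersenne primes with no padding (an assumption for illustration, not secure), and the sample messages and function names are constructed.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (constructed for this example).
# 216-bit modulus, no padding: wide enough for a SHA-1 digest, NOT secure.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537                            # customer's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # customer's private exponent (Ksc = dc)

# Constructed sample messages.
ORDER = b"OM: 2 x widget, order 1001, total 39.90"
PAYMENT = b"PM: card 0000-0000-0000-0000, amount 39.90"


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def dual_signature(om: bytes, pm: bytes) -> int:
    """DS = E_Ksc(h) with h = H(H(OM) || H(PM)) = H(ho || hp)."""
    h = sha1(sha1(om) + sha1(pm))
    return pow(int.from_bytes(h, "big"), D, N)


def _matches(h: bytes, ds: int) -> bool:
    # Apply the customer's public key to DS and compare with the recomputed h.
    return 0 <= ds < N and pow(ds, E, N) == int.from_bytes(h, "big")


def merchant_verify(om: bytes, hp: bytes, ds: int) -> bool:
    """The merchant sees the order and only the digest of the payment message."""
    return _matches(sha1(sha1(om) + hp), ds)


def bank_verify(ho: bytes, pm: bytes, ds: int) -> bool:
    """The bank sees the payment message and only the digest of the order."""
    return _matches(sha1(ho + sha1(pm)), ds)


if __name__ == "__main__":
    ds = dual_signature(ORDER, PAYMENT)
    print("merchant accepts:", merchant_verify(ORDER, sha1(PAYMENT), ds))
    print("bank accepts:    ", bank_verify(sha1(ORDER), PAYMENT, ds))
    print("altered order:   ", merchant_verify(ORDER + b"!", sha1(PAYMENT), ds))
```

Because $h$ binds both digests, altering either message invalidates DS for both verifiers, while neither verifier needs the other party's plaintext.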
