On cryptographic techniques for on-line bankcard payment transactions using open networks
Recently, two major bankcard payment instrument operators VISA and MasterCard published specifications for securing bankcard payment transactions on open networks for open scrutiny. (VISA: Secure Transaction Technology, STT; MasterCard: Secure Electronic Payment Protocol, SEPP.) Based on their success in operating the existing on-line payment systems, both proposals use advanced cryptographic technologies to supply some security services that are well-understood to be inadequate in open networks, and otherwise specify systems similar to today's private-network versions. In this paper we reason that when an open network is used for underlying electronic commerce some subtle vulnerabilities will emerge and the two specifications are seen not in anticipation of them. A number of weaknesses are found as a result of missing and misuse of security services. Missing and misused services include: authentication, non-repudiation, integrity, and timeliness. We identify problems and devise solutions while trying to keep the current successful working style of financial institutions being respected.
KeywordsOpen Network Security Service Communication Failure Payment Instrument Payment Transaction
Unable to display preview. Download preview PDF.
- 1.The CyberCash(tm) System — How it Works. http://www.cybercash.com/cybercash/cyber2.html.Google Scholar
- 2.Secure Electronic Payment Protocol, Draft Version 1.2. November 3, 1995. http://www.mastercard.com/Sepp/sepptoc.htm.Google Scholar
- 3.Secure Transaction Technology Specifications, version 1.0. September 26 1995. http://www.visa.com/visa-stt/index.html.Google Scholar
- 4.Totally Secure On-line Checking. http://www1.primenet.com/∼rhm/index.html.Google Scholar
- 5.D. Gifford, L. Stewart, A. Payme, and G. Treese. Payment Switches for Open Networks. http://www.openmarket.com/about/technical/compcon95.psGoogle Scholar
- 6.M. Linehan and G. Tsudik. Internet Keyed Payments Protocol (iKP). June 30 1995. http://www.zurich.ibm.com/Technology/Security/extern/ecommerce/spec.Google Scholar
- 7.M.S. Manasse. The millicent protocols for electronic commerce. http://www.research.digitalcom/SRC/people/Mark_Manasse/bio.html.Google Scholar
- 8.B.C. Neuman and G. Medvinsky. Requirements for Network Payment: The NetCheque(TM) Perspective. Proceedings of IEEE Compcon'95, San Francisco, March 1995.Google Scholar
- 9.R.L. Rivest and A. Shamir. Payword and micromint: two simple micropayment schemes. http: //theory. lcs.mit.edu/∼rivest/publications.htmlGoogle Scholar
- 10.M. Sirbu and J.D. Tygar. NetBill: An Internet Commerce System. http://www.ini.cmu.edu/netbill/CompCon.html.Google Scholar