Payment Systems & Authentication

1. Payment Systems & Authentication e-Business 경영대학 홍일유 교수

2. Electronic Payment Systems • 신용카드 • 기존의 신용카드를 인터넷상에서 보안기능을 갖추도록 발전 • First Virtual, CyberCash, S.E.T. • 전자수표 • 상거래 이후의 지정된 날짜에 대금 결제 • FSTC Check, NetBill, NetCheque • 스마트카드 • 카드 자체에 가치가 존재함 • Mondex, EMV Card • 전자현금 • 상거래 수행시점에서 대금 결제 • Ecash (DigiCash), Project CAFE, NetCash, CyberCoin 인터넷 프로토콜

3. 전자지불시스템의 분석틀 인터넷 프로토콜

4. 전자지불시스템의 특성 분석 E : Ecash [DIGICASH], Nca : NetCash, C : CyberCash, S : SET, NCh : NetCheque, NB : NetBill, VC : Visa Cash, M : Mondex, FV : First Virtual 인터넷 프로토콜

5. Mondex Card • Mondex Devices • Mondex Wallet: The Mondex Wallet manages and transfers Mondex cash from one card to another, as well as storing value itself for later access. • Mondex Balance: The key-fob sized Balance Reader gives you an instant read-out of the value of the cash stored on your Card. • Mondex Payment: Retailers can transfer cash from a customer's card to their own using this counter-top device - paying it into their bank at night or using it to buy stock themselves. • IC Card • The Contact Plate, which provides electronic access to the chip itself • The chip, connected to the Contact Plate by Interconnect Wires, has an 8bit CPU, a 16K ROM, 512bytes of RAM (and 8K EEPROM for data storage). Compared to a PC which typically can run at above 100Mhz, the Mondex chip has a clock speed of up to 10Mhz and is less than 20mm square. • Security • locking their cards with a personal code • cards use an electronic digital signature • auditing function -> unique Identity • ‘cryptographic keys’ are installed in the cards • ‘change the locks’ -> safeguards against forgery 인터넷 프로토콜

6. S.E.T. Protocol • VISA와 MasterCard가 공동으로 개발한 차세대 신용카드 표준 • 모든 신용카드 거래 데이터가 디지털 정보의 형태로 전송 • 거래데이터에 디지털 서명(digital signature) 첨부 • 은행이 고객에게 온라인 인증서(certificates) 발급 인터넷 프로토콜

7. 전자상거래 환경의 보안 및 암호화 • 보안요건 • 기밀성(confidentiality): 거래의 내용이 제3자에게 노출되지 않게함 • 무결성(integrity): 거래내용의 변조나 승인되지 않은 거래생성의 방지 • 상호인증(authentication): 거래 당사자의 확인 • 부인봉쇄(non-repudiation): 이미 성립된 거래에 대한 부단한 번복 방지 • 암호화 방식 • 비밀키 암호화(symmetric or secret key cryptography): 송신자가 비밀키를 사용하여 메시지를 암호화하고, 수신자는 동일 비밀키로 메시지 복호화 • 공개키 암호화(public key cryptography): 공개키와 비밀키라는 한 쌍의 키로 메시지 암호화 (비밀키는 사용자 본인만 아는 키) 인터넷 프로토콜

8. 전자인증 (Authentication) • Authentication is any process by which a system verifies the identity of a user who wishes to access it. Since Access Control's are normally based on the identity of the user who requests access to a resource, Authentication is essential to effective Security. • Authentication may be implemented using Credentials, each of which is composed of a User ID and Password. Alternately, Authentication may be implemented with Smart Card's, an Authentication Server or even a Public Key Infrastructure. • Users are frequently assigned (with or without their knowledge) Ticket's, which are used to track their Authentication state. This helps various systems manage Access Control's without frequently asking for new Authentication information. • An Authentication Server is a system which provides Authentication services to other systems on a network. The classical example of this is a Kerberos server. Users and network servers alike authenticate to such a server, and receive cryptographic Ticket's. They exchange these tickets with one-another to verify each-other's identity. 인터넷 프로토콜

9. 전자인증의 개념도 인증기관 (Certificate Authority) 인터넷 전자상거래 인증서 인증서 인증서 등록 인증서 인증서 등록 인증서 등록 상점 고객 금융기관, 지급결제 중계기관 인터넷 프로토콜

10. Kerberos Authentication • The Kerberos authentication mechanism introduces the idea of an authentication server. The authentication server holds passwords for all users within a particular community - the passwords have been jumbled (passed through a one-way hashing function) before storage. • Kerberos authentication is a very elegant method, especially as the authentication server does not need to know the password of the users but merely a jumbled form. It is extremely suitable to small organisations operating a single LAN (and has been used very successfully in many applications this environment). However, there is no mechanism for multiple inter-operating authentication servers in a WAN environment unless all authentication servers are required to trust each other. 인터넷 프로토콜

11. Kerberos Authentication Procedure 1. The user sends an authentication request to the authentication server, including with the request its name and a random number. 2. The server invents a one-off session key, appends the random number and encrypts this with the jumbled password of the user. This is returned to the user along with a ticket which contains the user's name, a validity period and the one-off session key, all encrypted with a secret key known only to the authentication server. 3. The user then jumbles their own password and uses the result to decrypt the one-off session key (checking that the random number returned is the same as was sent). The user then constructs an authenticator which is the user's name and a timestamp, encrypted with the session key. 4. The combination of ticket and authenticator can then be used by the user to be authenticated to any other person or process that uses the same authentication server. The ticket and authenticator are sent along with any communication, and the recipient passes them back to the authentication server to determine the authenticity of the user. 5. The authentication server decrypts the ticket using its secret key (only it can do this) and this reveals the one-off session key and the user's name. The server then decrypts the authenticator using the session key and reveals the user's name. If they match then the user is authenticated because it proves he knew the correct password to decrypt the session key in the first place. 인터넷 프로토콜