Secure Electronic Transactions Standard by Kelly Murrell

1
Secure Electronic Transactions Standardby Kelly
Murrell
2
Definition

• Secure Electronic Transaction (SET) is a standard
  developed for protecting the privacy and ensuring
  the authenticity of electronic transactions. i.e.
  for securing credit-card transactions over the
  Internet.
• It was jointly developed by Visa and MasterCard
  in collaboration with computer vendors such as
  IBM, Microsoft and Netscape.

3
How SETS Works

• SETS works through the use of public key
  encryption.
• This involves two keys
• a private key which is kept secret and
• a public key which can be distributed to others.
• If a message is encrypted using one key then it
  can only be decrypted using the other.
• When the customer encrypts his credit card
  details with the public key of the retailers
  bank these details can only be decrypted by the
  bank using its private key. This standard
  effectively prevents the retailer having access
  to the consumers credit card number at any stage
  in the process.

4
How SETS Works
5
The Technology

• The SET protocol uses two different encryption
  mechanisms, as well as an authentication
  mechanism. SET uses symmetric encryption, in the
  form of the aging Data Encryption Standard (DES),
  as well as asymmetric, or public-key encryption
  to transmit session keys for DES transactions
  (IBM, 1998).

6
Symmetric Encryption
Symmetric encryption with a single key
7
Asymmetric Encryption
Asymmetric encryption with a public and a private
key
8
So why session keys?

• Rather than offer the security and protection
  afforded by public-key cryptography, SET simply
  uses session keys (56 bits) which are transmitted
  asymmetrically the remainder of the transaction
  uses symmetric encryption in the form of DES.
• So now you might ask, "Why not simply use
  asymmetric encryption all the time?" The reason
  is simple - asymmetric crypto is about 10 to 1000
  times more compute intensive than symmetric
  crypto.
• In fact, some have suggested that the form of
  asymmetric crypto used in SET, which was named
  RSA (Rivest, Shamir, and Adleman - its
  inventors), might just as easily stand for
  "Really Slow Algorithm." Clearly, if your message
  is of any substantial size, you would limit the
  amount of asymmetric crypto that must take place
  unless you have loads of patience and free CPU
  cycles.

9
Why Session Keys 2

• SET strikes a balance between the pros and cons
  of DES and RSA by using DES to encrypt the bulk
  of the message payload and RSA to distribute the
  DES keys, which are only 56 bits long.

10
Why not SSL?

• So why not just use SSL?
• As Jerome indicated, SSL provides a secure
  "electronic pipe" between the consumer and the
  merchant for exchanging payment information. Data
  sent through this pipe is encrypted, so that no
  one other than these two parties will be able to
  read it. In other words, SSL can give us
  confidential communications.
• However, is that enough?
• Example
• Let's say that Shalik wants to buy something from
  Kevins electronic store. Shalik uses her Web
  browser to interact with Kevins merchant server
  to select the items she wants to buy, and saves
  her selections in an electronic shopping cart.
• Finally, the moment of truth has arrived and
  Shalik needs to send her credit card information
  to Kevin to pay for her purchases. Shaliks
  browser and Kevins merchant server set up a
  secure SSL pipe with Shalik at one end and Kevin
  at the other. They have a secure means for
  exchanging data, but no SET Is this considered
  Safe Surfing?

11
Why not SSL? 2

• As we would have discussed in class, how does
  Shalik know that Kevin is who he claims to be?
• After all, anyone can put up a snazzy Web site
  and profess to be the XYZ Corp., but how do you
  really know that they are legit?
• How does Shalik know that this isn't simply some
  hacker impersonating the XYZ Corp. and collecting
  credit card numbers for personal use?
• For that matter, how does Kevin (the merchant)
  know that Shalik is who she says she is? How does
  Kevin know that the credit card number she just
  sent really belongs to her and that she didn't
  pick it up from a receipt she found while
  rummaging through the garbage?
• The simple truth is, that while we may have a
  secure communications pipe, we have no way of
  knowing who we are dealing with.

12
So now we look at the Pros and Cons of SETS
13
ADVANTAGES

• The SET protocol provides three main advantages,
  that put
• together, make it safer than other payment
  methods. These
• advantages are
• Privacy, via cryptography that renders
  intercepted messages unreadable.
• Integrity, via hashing and signing assures that
  messages sent are received without alteration.
• Authentication, via digital certificates which
  assures that the parties involved in the
  transaction are who they claim to be, and
  prevents them from denying that they sent a
  message (i.e. non-repudiation).

14
CRITICISMS

• Too many delays It has been two years since
  Visa/MasterCard promised to make the Internet
  safe for credit card transactions and thereby
  pave the way for the full potential of
  I-commerce. Now two years later the standard is
  still far from completion.
• Slow - The price for the higher levels of
  security that SET provides is that the
  transactions become quite slow. Lag times of up
  to 50 seconds have been reported for the
  processing of a typical cardholder initiated
  purchase request to the approval response from
  the acquirer and the finalization of the
  transaction by the merchants server.

15
CRITICISMS 2

• Expensive - Besides being slow for the
  cardholders to use SET is also relatively
  expensive for the merchants to implement.
• According to experiences during the Swedish SET
  pilot project the typical costs amount to around
  a quarter million SKr (equivalent to over 30 000
  US).
• Such high costs simply makes SET unprofitable
  for most smaller merchants, at least as long as
  their online markets remain relatively small.
• In the future this problem could be solved if
  Web-hosting companies start supplying SET enabled
  services for merchants to connect their
  storefront merchant server applications to.

16
Conclusions and Future Works

• At a technological level, there are some obvious
• open questions
• When will electronic payment systems be 100
  safe?
• Is it going to become the standard of the future
  for I-commerce or not?

17
Conclusions and Future Works 2

• It is difficult to say that there will be 100
  safe systems. The bet is more likely to be in
  minimising the problem of hacking and finding
  alternative ways to address the question. In
  technological terms is highly difficult to find
  100 safe systems.
• Some say SET is simply too complex and expensive,
  others say its what is needed to make I-commerce
  safe and attractive for all parties involved.
• The fact is that as long as SET is backed by very
  powerful players that have much to gain on
  getting the standard widely adopted (i.e. card
  companies and banks) it stands an undeniable
  chance of being so.

18
Conclusions and Future Works 3

• MasterCard and Visa have invested heavily in SET,
  both financially and status wise, and cant be
  expected to abandon it in the first case.
• So, even if merchants wont really want to
  implement the protocol, the financial community
  might come to force SET on them by manipulating
  the interchange rates merchants pay on their
  financial transactions.
• Presently, all card transactions over the
  Internet (e.g. using SSL) are placed in the
  highest risk category, called Mail
  Order/Telephone Order (MOTO) or Card Not Present
  (CNP), and thereby carry the highest interchange
  rate. By offering lower interchange rates on
  transactions that use SET, the merchants can come
  to be enticed to adopt the protocol, even with
  its limitations.

19
ANY QUESTIONS?