SET Comparative Performance Analysis - PowerPoint PPT Presentation

Loading...

PPT – SET Comparative Performance Analysis PowerPoint presentation | free to download - id: 76818e-MzIyY



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

SET Comparative Performance Analysis

Description:

SET Comparative Performance Analysis A White Paper from GartnerGroup Summarized by Sasan Adibi – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 52
Provided by: Sasa57
Learn more at: http://web4.uwindsor.ca
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: SET Comparative Performance Analysis


1
SET Comparative Performance Analysis
  • A White Paper from GartnerGroup
  • Summarized by Sasan Adibi

2
Agenda
  • Objective
  • SSL and its issues
  • SET and its issues
  • Principles of Cryptography
  • Privacy
  • Authentication
  • Authorization
  • Integrity
  • Non-Repudiation
  • Certificates Authorities
  • MasterCard Examples
  • Different Performance Comparisons
  • Conclusion

3
Objective
  • To discuss different online transaction
  • mechanisms and compare their
  • functionality versus performance and cost

4
Leading protocols for securing the online
purchase process ,
5
SSL (Secure Socket Layer)
  • Session Level Security
  • Certain level of trust between online purchaser
    and online seller
  • Purchaser is authorized to use the credit card
  • Seller is authorized to accept credit cards
  • Seller protects against all types of security
    issues

6
SSLs Drawbacks
  • Security is always an on-going issue
  • Specially for soft goods
  • Complex communication/handshaking
  • Slow
  • Minimal graphics, lack of visual attractions

7
SET (Secure Electronic Transaction)
  • Ensure your customer is authorized to use his
    account
  • Customer wants to make sure you are the legit
    seller
  • Ensure payment is received
  • Ensure goods are received

8
Five Principles of Cryptosystems
  • Privacy (only the intended recipient can read
    your messages)
  • Authentication (you are who you say you are)
  • Authorization (who can do what)
  • Integrity (you and the recipient both know
    nothing got changed)
  • Non-repudiation (no one can falsely deny a
    transaction)

9
Privacy
  • Privacy means that the message contents cannot be
    seen by anyone but the intended parties
  • Accomplished through the use of encryption

10
Authentication
  • Authentication means that each party involved in
    the transaction is identified as legitimate
  • Accomplished through the use of certificates
  • A certificate is a notarized public key (like a
    passport or a drivers license)
  • Issued by a trusted third party called a
    Certificate Authority
  • Binds the certificate owner to the public key
    within the certificate

11
Authorization
  • Lists of users who have different rights to do
    various tasks on a web site
  • Being able to track individuals throughout your
    computing systems and multiple logins

12
Integrity
  • Integrity of data means that it cannot be altered
    by anyone during transmission, to avoid a man
    in the middle attack
  • Encryption allows only the intended recipient to
    open the digital envelope
  • A digital envelope (or hash) contents of an
    encrypted message digital signature

13
Non-repudiation
  • Non-repudiation means both parties to the
    transaction are ensured that the message is
    genuine and cannot be disputed
  • Parties are identified with certificates that
    have been notarized by a trusted Certificate
    Authority
  • It will be much harder for customers to claim
    they never placed the order

14
Why Should You Get a Server Certificate?
  • You want those who visit your web site to know
    you are a legitimate business
  • A certificate is required to operate a secure
    server (SSL)

15
Certificate Authorities (CAs)
  • Anyone who issues certificates is a Certificate
    Authority (CA). Theyre required to publish the
    certificate they issue. In practice this
    functionality is broken down into other subtasks
  • Trusted third parties, similar to notaries
  • Can be external or internal (server is managed
    within your own company)
  • Choice of a CA may depend on your merchant server
    software

16
Steps in Certificate Creation
  • Refer to you server software documentation for
    selection of a CA and instructions
  • Generally you will do the following
  • Generate a key pair of public and private keys
  • Send the public key and other information to CA
  • CA verifies information provided
  • Upon verification, CA creates a certificate
    containing public key and expiration date
  • The Certificate is sent back to applicant and may
    be posted publicly, if appropriate

17
Examples of Certificate Authorities
  • VeriSign
  • www.Verisign.com
  • GTE CyberTrust Solutions, Inc.
  • www.cybertrust.gte.com
  • Thawte Consulting
  • www.thawte.com

18
Different Classes of Certs
  • Class 1 (No authentication, emails)
  • Class 2 (Minimum authentication)
  • Class 3 (Substantial authentication)
  • Class 4 (High security)

19
Certificate Management
  • Once public key certificates are issued, they
    must be managed to maintain integrity
  • They contain expiration dates
  • They may be revoked for various reasons
  • Upon expiration, certificates must be renewed or
    reissued
  • This is a consideration for using an external CA,
    as opposed to managing an internal CA

20
How is this accomplished?
  • Secure servers and browsers
  • Capable of strong encryption (up to 128 bit)
  • 40 bit encryption is no longer considered
    adequate for financial transactions
  • Digital certificates
  • Ensure the identity of the certificate holder and
    are used to prevent impersonation/man-in-the
    middle attack
  • Also called digital IDs
  • The common protocol in use today is Secure
    Sockets Layer (SSL)

21
Secure Sockets Layer Protocol (SSL)
  • Authenticates the merchant server
  • Merchant Certificate obtained from trusted
    Certificate Authority
  • Provides privacy through encryption of the
    message for both the sender and receiver
  • Secure pipe negotiates maximum encryption
    compatible at browser and server for each message
    transmitted
  • Ensures integrity of data transmitted
  • Message authenticity check (algorithm)

22
Secure Sockets Layer Protocol (SSL)
Merchants Certificate (Digital ID) can be viewed
by any secure browser
  • https// in the URL a secure connection
  • SSL allows customers to verify who the merchant
    is
  • The merchants digital ID does not certify the
    integrity of the merchant

23
Secure Sockets Layer Protocol (SSL)
Customer Order with Payment Information
Encrypted order sent
Customer order decrypted at merchant server
  • SSL encrypts the customer order, which includes
    the payment information
  • This data is sent from the customer to the
    merchant via a secure pipe

24
What SSL Doesnt Encrypt
  • Once the data arrives on the secure server, it
    could be stored in an insecure location!
  • Or if someone has physical access to your desktop
    or server

25
SSL How do you get a certificate for your
merchant server?
  • Apply to Certificate Authority
  • Instructions built into merchant server software
  • You will be asked to provide valid business
    license and other ID
  • Cost is dependent upon level of certification

26
Encryption Strength
  • It is illegal to export outside the US products
    containing encryption that is stronger than 40
    bits
  • It is not illegal to use encryption stronger than
    40 bits internationally
  • Financial institutions do not consider 40-bit
    encryption adequate for Internet transactions

27
Encryption Strength
  • Newer browser and server software are capable of
    128-bit encryption
  • 128-bit encryption is exponentially stronger
    than 40-bit encryption

28
SET Authenticate Buyers
  • What is the protocol
  • How it works
  • Advantages and disadvantages

29
What is SET protocol?
  • Secure Electronic Transaction protocol is a
    common standard that was developed jointly by
    Visa, MasterCard and other partners to ensure the
    processing of secure transactions.
  • Based on RSA encryption
  • Uses public and private key pairs that have a
    mathematical relationship

30
How is SET Different from SSL?
  • Digital certificates for SET will be
    payment-specific
  • Merchants will be certified as legitimate to
    accept branded payment card transactions
  • Cardholders will be certified as valid account
    holders
  • Merchants will not see customers account number
    (it will only be passed to the acquirer)

31
How is SET Different from SSL?
With SET
Merchant Server gets Customers Digital ID minus
the account number Customer Order
Customers Digital ID related to a specific
account Customer Order info
Acquirer gets order receipt Customers Digital
ID with account number
32
The Mechanics of SET
  • (1) Payment info sent from user to merchant
  • (2) Merchant confirms, fees charged
  • (3) Transaction to bank, funds debited/credited
  • (4) Merchant sends item to user

33
How Will Certificates (Digital IDs) be issued for
eCommerce?
  • Hierarchy of trust for certificate issuance
  • Visa and MasterCard will designate a Certificate
    Authority to hold the Trusted Root
  • Merchants will obtain certificates from banks or
    acquirers Certificate Authority, then store on
    SET server software
  • Cardholders will obtain certificates (digital
    IDs) from their banks Certificate Authority,
    then store in electronic wallet

34
MasterCard Example of a SET Transaction

http//www.mastercard.com/set/screen1.html
35
SSL vs. SET
  • SSL
  • Server authentication
  • Merchant certificate as legitimate business
  • Possible for client authentication
  • Not tied to payment method
  • Privacy
  • Encrypted message to merchant includes account
    number
  • Integrity
  • Message authenticity check (MAC)
  • SET
  • Server authentication
  • Merchant certificate tied to accept payment
    brands
  • Customer authentication
  • Digital certificate tied to certain payment
    method
  • Privacy
  • Encrypted message does not pass account number to
    merchant
  • Integrity
  • Hash/message envelope

36
Is SET the Answer to eCommerce?
  • SET has been proposed as the answer to secure and
    interoperable eCommerce
  • It is not currently mandated by Visa and
    MasterCard
  • There are big implementation issues for all
    concerned
  • The SET protocol is definitely more secure than
    SSL
  • However...

37
SET Issues
  • Implementation of SET has some big drawbacks
  • Lack of interoperability among systems
  • Management of public key infrastructure
  • Distribution of digital certificates requires
    action on the part of the consumer
  • Will banks want to become cert authorities?
  • And who will pay for all this?
  • Meanwhile, eCommerce goes on

38
The Future of SET
  • Non-repudiation of transactions through digital
    certificates for both merchant and customer
  • SET may be the industry standard for payments,
    but yet to be implemented
  • It will be far more difficult for a customer to
    claim no knowledge of a transaction
  • Demonstrations continue

39
Comparisons and Performance Analysis
40
E-Commerce Process
  • Three processes 1). Customers client PC, 2).
    Merchants e-commerce server, 3). acquiring
    banks payment gateway server

41
e_Commerce Server Performance
  • The operations required for a SET transaction,
    each of the connections
  • represents a single encryption/decryption
    operation. As the figure shows, this results
  • in the requirement for two operations per
    transaction at the client, six at the merchant
  • and four at the acquirer. A SSL connection, in
    contrast, only requires a single
  • operation at the client, three at the merchant
    and two at the acquirer.

42
Technologies to Improve Performance
  • Symmetric multiprocessing (SMP) CPU scaling
  • OSs allocation of functions of CPU
  • Clustering
  • Sharing application load among CPUs forming
    cluster
  • Cryptographic accelerators
  • Special-purpose hardware helping cryptography
  • Elliptical curve cryptography (ECC)
  • Efficient algorithm with small key size
  • Random Key Stream (RKS)
  • New technology still under investigation

43
Large e-Commerce Server Example
44
Peak Transaction Per Second Load
45
Peak Load requirements vs. Capacity with Crypto
acceleration
46
The Effect of ECC
47
Cost of performance with clustered systems

48
Cost of performance with clustered systems and
ECC, no cryptographic acceleration
49
Cost Comparison of SET and SSL
50
Conclusion
  • Independent of the protocol in use, Cryptographic
    processes require substantial compute power,
  • The cost of additional hardware support required
    to support SET is small in all of the application
    scenarios, including
  • For the low and medium e-commerce applications,
    there is no additional server cost to support SET
    over SSL.
  • For the large e-commerce server application,
    supporting SET requires additional hardware
    acceleration in the medium term with a 5 percent
    to 6 percent difference in server cost.
  • For the small payment gateway application,
    hardware acceler-ation is required in the short
    term, but can be phased out as servers improve in
    performance and if other improvements, e.i.,
    elliptical-curve cryptography (ECC) become
    available.
  • We anticipate that the large payment gateway
    applications will always be based on clustered
    systems for reasons of robustness and reliability.

51
The End
  • Thank you
About PowerShow.com