Cryptography Reference
In-Depth Information
In the event the transaction is declined, this is the end of the SET protocol.
However, if all is validated, then we proceed as follows.
Payment Capture and Response
Once Alice's order is completed, Bob requests payment from Trent.
Protocol Messages
1. Capture Request Message: Bob generates, signs, and encrypts a message
block that contains the TID; the CT; his signature key; and his
key-exchange key certificates.
Upon receipt of the capture request, Trent decrypts and verifies that the
CT matches what he sent in part (4) of the Authorization Response
Message above. (If all is valid, Trent interacts with the issuer over a
private network to request payment to Bob's bank account. Otherwise the
payment is declined.)
2. Capture Response Message: Once the data is verified, Trent sends a
message block containing payment details for the transaction and includes
his signature-key certificate. Trent then forms a digital envelope and sends
it to Bob.
Upon receipt, Bob decrypts the envelope, verifies the message and data,
then stores the message (for any future reconciliations with the acquirer).
The SET protocol is now complete. Our description was necessarily stripped
down since the original SET document, released in 1997, is nearly 1000 pages.
We have given all the necessary details to have a reasonable overview of the SET
scheme. If nothing else, the reader who has even a passing understanding of the
SET mechanisms must be convinced of the security of this e-commerce scheme.
Since shopping on the Internet will almost certainly involve SET-enabled
software, the reader will now be convinced of the security of such transactions.
We now look at the scheme in detail from several perspectives pertaining to the
key features of SET.
Analysis
Certificates and PKI: the secure PKI with a trusted CA guarantees that
the public keys are actually keys used by the legitimate entities to whom they
belong. This is an essential role of PKI. As we have seen, this was a verification
for both the key-exchange keys and the signature keys. Hence, the PKI provides
trust through the use of X.509v3 digital certificates.
Confidentiality: Alice's account and payment information is secure as it
travels over a network. For instance, even Bob does not know Alice's credit
card number, and Trent does not know the details of Alice's order. This is
guaranteed by the mechanisms in the dual signature. Moreover, since k_A is
not made available to Bob in her purchase request, Bob cannot read any of the
payment-related details.
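The dual-signature mechanism credited above, as an added sketch that is not code from the original text or from the SET specification: Alice signs H(H(PI) || H(OI)), so Bob can check her signature from the order information (OI) plus only a digest of the payment information (PI), and Trent from PI plus only a digest of OI. Assumptions: SHA-256 as the hash, a toy unpadded RSA key built from fixed Mersenne primes (insecure, for illustration only), and constructed sample order and payment strings; the encryption of the payment block to Trent is not shown.

```python
import hashlib

# Toy textbook-RSA key for Alice (constructed; insecure: Mersenne primes, no padding).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # Alice's private exponent (Python 3.8+)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def dual_digest(pi_digest: bytes, oi_digest: bytes) -> int:
    """H(H(PI) || H(OI)) as an integer: the value Alice signs."""
    return int.from_bytes(h(pi_digest + oi_digest), "big")

def alice_dual_sign(pi: bytes, oi: bytes) -> int:
    return pow(dual_digest(h(pi), h(oi)), D, N)

def bob_verify(oi: bytes, pi_digest: bytes, sig: int) -> bool:
    """Bob holds the order and only the digest of the payment data."""
    return pow(sig, E, N) == dual_digest(pi_digest, h(oi))

def trent_verify(pi: bytes, oi_digest: bytes, sig: int) -> bool:
    """Trent holds the payment data and only the digest of the order."""
    return pow(sig, E, N) == dual_digest(h(pi), oi_digest)

def demo() -> dict:
    # Constructed sample messages; the TID and card number are placeholders.
    oi = b"TID=constructed-0001;item=book;qty=1"
    pi = b"TID=constructed-0001;pan=0000000000000000;amt=25.00"
    sig = alice_dual_sign(pi, oi)
    return {
        "bob_ok": bob_verify(oi, h(pi), sig),
        "trent_ok": trent_verify(pi, h(oi), sig),
        # A different order presented with the same signature is rejected.
        "bob_rejects_other_order": not bob_verify(b"item=tv", h(pi), sig),
        # Payment data altered after signing no longer links to this order.
        "trent_rejects_altered_payment": not trent_verify(pi + b"0", h(oi), sig),
    }

if __name__ == "__main__":
    print(demo())
```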