电子支付系统和安全加密技术

计算机审计–HughYanElectronicPaymentSystemsandSecurity电子支付系统和安全加密技术1网上支付原理2计算机审计–HughYanLearningObjectives学习目的DescribetypicalelectronicpaymentsystemsforEC描述电子商务典型的电子支付系统Identifythesecurityrequirementsforsafeelectronicpayments识别安全电子支付的安全要求Describethetypicalsecurityschemesusedtomeetthesecurityrequirements满足安全要求的安全方案IdentifytheplayersandproceduresoftheelectroniccreditcardsystemontheInternet识别互联网上电子信用卡系统的使用者和使用处理过程DiscusstherelationshipbetweenSSLandSETprotocols讨论SSL协议和SET协议之间的关系3计算机审计–HughYanDiscusstherelationshipbetweenelectronicfundtransferanddebitcard讨论电子资金转帐和借记卡之间的关系Describethecharacteristicsofastoredvaluecard描述一个储值卡的特征ClassifyanddescribethetypesofICcardsusedforpayments辨别和描述用于支付的IC卡的类型Discussthecharacteristicsofelectronicchecksystems讨论电子支票系统的特征LearningObjectives(cont.)学习目的(继续)4计算机审计–HughYanSSLVs.SET:WhoWillWin?SSL对SET:谁将赢?ApartofSSL(SecureSocketLayer)isavailableoncustomers’browsers加密套接字协议层itisbasicallyanencryptionmechanismforordertaking,queriesandotherapplicationsSSL是一个基本的加密技术itdoesnotprotectagainstallsecurityhazards预防安全威胁itismature,simple,andwidelyuse成熟简单广泛应用SET(SecureElectronicTransaction)isaverycomprehensivesecurityprotocol加密电子交易协议itprovidesforprivacy,authenticity,integrity,and,orrepudiation它提供私密、真实、完整、拒绝方面的安全保护itisusedveryinfrequentlyduetoitscomplexityandtheneedforaspecialcardreaderbytheuser不常用、复杂itmaybeabandonedifitisnotsimplified/improved需改进5计算机审计–HughYanPayments,ProtocolsandRelatedIssues支付、协议、相关议题SETProtocolisforCreditCardPayments信用卡支付ElectronicCashandMicropayments电子货币和找零ElectronicFundTransferontheInternet互联网上电子资金转帐StoredValueCardsandElectronicCash储值卡和电子货币ElectronicCheckSystems电子支票系统6计算机审计–HughYanSecurityrequirements安全要求Payments,ProtocolsandRelatedIssues(cont.)支付、协议、相关议题（继续）Authentication:Awaytoverifythebuyer’sidentitybeforepaymentsaremade真实性鉴定–支付前的买主身份认定Integrity:Ensuringthatinformationwillnotbeaccidentallyormaliciouslyalteredordestroyed,usuallyduringtransmission完整性–信息不被偶然地或恶意地修改或破坏Encryption:Aprocessofmakingmessagesindecipherableexceptbythosewhohaveanauthorizeddecryptionkey加密术–除非那些具有一个授权解密钥匙的人可以解释信息内容，加密技术使信息无法被解释或阅读Non-repudiation:Merchantsneedprotectionagainstthecustomer’sunjustifiabledenialofplacedorders,andcustomersneedprotectionagainstthemerchants’unjustifiabledenialofpastpayment不被拒绝–商人需要预防客户对于发出定单的无正当理由的抵赖，客户需要预防商人对于客户过去支付的无正当理由的抵赖。7计算机审计–HughYanSecuritySchemes安全加密方案SecretKeyCryptography(symmetric)密码加密技术（对称加密技术）ScrambledMessageOriginalMessageSenderInternetScrambledMessageKeysender(=Keyreceiver)Encryption加密OriginalMessageReceiverKeyreceiverDecryption解密对称加密就如同一把有相同两把钥匙的锁,两把钥匙在不同的两个人手中,一个人加锁,另外一个人用同样的钥匙打开锁8计算机审计–HughYanPublicKeyCryptography公钥加密技术SenderOriginalMessageScrambledMessageScrambledMessage公钥PublicKeyreceiverOriginalMessageReceiver私钥PrivateKeyreceiverInternetSecuritySchemes(cont.)安全加密方案（继续）MessageSenderOriginalMessageScrambledMessageScrambledMessage私钥PrivateKeysenderOriginalMessageReceiver公钥PublicKeysenderInternetDigitalSignature9计算机审计–HughYanDigitalSignature数字签名Adigitalsignatureisattachedbyasendertoamessageencryptedinthereceiver’spublickey一个数字签名由发送者附加在通过用接收者的公钥加密的信息上Thereceiveristheonlyonethatcanreadthemessageandatthesametimeheisassuredthatthemessagewasindeedsentbythesender接收者是唯一一个能够阅读信息的人，同时他被告知这个信息的确是由那个发送者发送的Senderencryptsamessagewithherprivatekey发送者用他的私钥加密了一个信息Anyreceiverwithsenderspublickeycanreadit任何接收者用发送者的公钥就能阅读这个信息SecuritySchemes(cont.)安全加密方案（继续）Analogoustohandwrittensignature类似手写签名10计算机审计–HughYanCertificate证书Name:“Richard”key-ExchangeKey:SignatureKey:Serial#:29483756OtherData:10236283025273Expires:6/18/2005Signed:CA’sSignatureSecuritySchemes(cont.)安全加密方案（继续）Identifyingtheholderofapublickey(Key-Exchange)识别一个公钥（密码交换）的持有者Issuedbyatrustedcertificateauthority(CA)由一个认可认证机关（CA）发出11计算机审计–HughYanCertificateAuthority-e.g.VeriSign认证机构–例如：验证签名RCABCAGCACCAMCAPCARCA:RootCertificateAuthorityBCA:BrandCertificateAuthorityGCA:Geo-politicalCertificateAuthorityCCA:CardholderCertificateAuthorityMCA:MerchantCertificateAuthorityPCA:PaymentGatewayCertificateAuthorityHierarchyofCertificateAuthorities认证机构的层级结构Certificateauthorityneedstobeverifiedbyagovernmentorwelltrustedentity(e.g.,postoffice)SecuritySchemes(cont.)SecuritySchemes(cont.)安全加密方案（继续）Publicorprivate,comesinlevels(hierarchy)Atrustedthirdpartyservices一个认可的第三方服务Issuerofdigitalcertificates数字认证的发出者Verifyingthatapublickeyindeedbelongstoacertainindividual12计算机审计–HughYanElectronicCreditCardSystemontheInternet互联网上的电子信用卡系统ThePlayers信用卡使用者Cardholder卡持有者Merchant(seller)销售商Issuer(yourbank)发卡银行Acquirer(merchant’sfinancialinstitution,acquiresthesalesslips)销售商的财务结算机构，获得销售商的销售单和顾客支付给销售商的金额，是销售商的结算银行Brand(VISA,MasterCard)卡的种类13计算机审计–HughYanTheprocessofusingcreditcardsoffline离线使用信用卡的操作过程Acardholderrequeststheissuanceofacardbrand(likeVisaandMasterCard)toanissuerbankinwhichthecardholdermayhaveanaccount.申请发卡ElectronicCreditCardSystemontheInternet(cont.)互联网上的电子信用卡系统Theauthorizationofcardissuancebytheissuerbank,oritsdesignatedbrandcompany,mayrequirecustomer’sphysicalvisittoanoffice.银行审查Aplasticcardisphysicallydeliveredtothe