Computer Auditing (计算机审计), Hugh Yan

Slide 1: Electronic Payment Systems and Security
Slide 2: Principles of online payment

Slides 3-4: Learning Objectives
- Describe typical electronic payment systems for EC (electronic commerce)
- Identify the security requirements for safe electronic payments
- Describe the typical security schemes used to meet the security requirements
- Identify the players and procedures of the electronic credit card system on the Internet
- Discuss the relationship between the SSL and SET protocols
- Discuss the relationship between electronic fund transfer and debit cards
- Describe the characteristics of a stored value card
- Classify and describe the types of IC cards used for payments
- Discuss the characteristics of electronic check systems

Slide 5: SSL vs. SET: Who Will Win?
- A part of SSL (Secure Socket Layer) is available in customers' browsers
  - it is basically an encryption mechanism for order taking, queries and other applications
  - it does not protect against all security hazards
  - it is mature, simple, and widely used
- SET (Secure Electronic Transaction) is a very comprehensive security protocol
  - it provides for privacy, authenticity, integrity, and non-repudiation
  - it is used very infrequently due to its complexity and the need for a special card reader on the user's side
  - it may be abandoned if it is not simplified/improved

Slide 6: Payments, Protocols and Related Issues
- SET protocol is for credit card payments
- Electronic cash and micropayments
- Electronic fund transfer on the Internet
- Stored value cards and electronic cash
- Electronic check systems

Slide 7: Payments, Protocols and Related Issues (cont.): Security requirements
- Authentication: a way to verify the buyer's identity before payments are made
- Integrity: ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
- Encryption: a process of making messages indecipherable except by those who have an authorized decryption key
- Non-repudiation: merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchant's unjustifiable denial of past payments

Slide 8: Security Schemes: Secret Key Cryptography (symmetric)
[Figure: the sender encrypts the original message with Key_sender into a scrambled message, which crosses the Internet; the receiver decrypts it with Key_receiver, where Key_sender = Key_receiver.]
Symmetric encryption is like a lock with two identical keys held by two different people: one person locks, and the other opens the lock with the same key.

Slide 9: Security Schemes (cont.): Public Key Cryptography
[Figure, confidentiality: the sender encrypts the original message with the receiver's public key; the scrambled message crosses the Internet; the receiver decrypts it with the receiver's private key.]
[Figure, digital signature: the sender encrypts the original message with the sender's private key; the receiver decrypts it with the sender's public key.]

Slide 10: Security Schemes (cont.): Digital Signature
- A digital signature is attached by a sender to a message encrypted in the receiver's public key
- The receiver is the only one who can read the message, and at the same time is assured that the message was indeed sent by the sender
- The sender encrypts a message with her private key; any receiver with the sender's public key can read it
- Analogous to a handwritten signature

Slide 11: Security Schemes (cont.): Certificate
Sample certificate contents: Name: "Richard"; Key-Exchange Key; Signature Key; Serial #: 29483756; Other Data: 10236283025273; Expires: 6/18/2005; Signed: CA's signature
- Identifies the holder of a public key (key-exchange key)
- Issued by a trusted certificate authority (CA)

Slide 12: Security Schemes (cont.): Certificate Authority, e.g. VeriSign
Hierarchy of certificate authorities:
- RCA: Root Certificate Authority
- BCA: Brand Certificate Authority
- GCA: Geo-political Certificate Authority
- CCA: Cardholder Certificate Authority
- MCA: Merchant Certificate Authority
- PCA: Payment Gateway Certificate Authority
A certificate authority needs to be verified by a government or well-trusted entity (e.g., a post office).
- Public or private, comes in levels (hierarchy)
- A trusted third-party service
- Issuer of digital certificates
- Verifies that a public key indeed belongs to a certain individual

Slide 13: Electronic Credit Card System on the Internet: The Players
- Cardholder
- Merchant (seller)
- Issuer (your bank)
- Acquirer (the merchant's financial institution, which acquires the sales slips; it is the merchant's settlement bank and receives the merchant's sales slips and the amounts customers paid to the merchant)
- Brand (VISA, MasterCard)

Slide 14: Electronic Credit Card System on the Internet (cont.): The process of using credit cards offline
1. A cardholder requests the issuance of a card brand (like Visa and MasterCard) from an issuer bank in which the cardholder may have an account.
2. The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
3. A plastic card is physically delivered to the customer's address by mail.
4. The card comes into effect when the cardholder calls the bank for initiation and signs on the back of the card.
5. The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
6. Upon approval, the merchant requests payment from the merchant's acquirer bank and pays a fee for the service. This process is called the capturing process.
7. The acquirer bank requests the issuer bank to pay the credit amount.
[Figure, credit card procedure (offline and online): the cardholder presents the credit card to the merchant; the merchant exchanges payment authorization and payment data with the card brand company; the issuer bank (cardholder account) and the acquirer bank (merchant account) exchange account debit data and payment data, and the amount is transferred.]

E-Commerce and E-Government (电子商务和电子政务), 阎虎勤 (Yan Huqin)

Slide 15: Secure Electronic Transaction (SET) Protocol: Sender's computer
1. The message is hashed to a fixed-length message digest.
2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
3. The composition of the message, the digital signature, and the sender's certificate is encrypted with a symmetric key which is generated at the sender's computer for every transaction. The result is an encrypted message. The SET protocol uses the DES algorithm instead of RSA for this encryption because DES can be executed much faster than RSA.
4. The symmetric key itself is encrypted with the receiver's public key, which was sent to the sender in advance. The result is a digital envelope.

Slide 16: Sender's computer
[Figure: message → message digest → (sender's private signature key) → digital signature; message + digital signature + sender's certificate → (symmetric key) → encrypted message; symmetric key → (receiver's public key-exchange key, taken from the receiver's certificate) → digital envelope.]

Slide 17: Secure Electronic Transaction (SET) Protocol (cont.): Receiver's computer
5. The encrypted message and the digital envelope are transmitted to the receiver's computer via the Internet.
6. The digital envelope is decrypted with the receiver's private key-exchange key.
7. Using the restored symmetric key, the encrypted message is restored to the message, the digital signature, and the sender's certificate.
8. To confirm the integrity, the digital signature is decrypted with the sender's public signature key, obtaining the message digest.
9. The delivered message is hashed to generate a message digest.
10. The message digests obtained in steps 8 and 9 are compared by the receiver to confirm whether there was any change during transmission. This step confirms the integrity.

Slide 18: Receiver's computer
[Figure: digital envelope → (receiver's private key-exchange key) → symmetric key; encrypted message → (symmetric key) → message + digital signature + sender's certificate; digital signature → (sender's public signature key) → message digest; message → hash → message digest; the two digests are compared.]
(Prentice Hall, 2000)
Slide 19: Entities of the SET Protocol in Cyber Shopping
[Figure: customers X and Y, each with a digital wallet and an IC card reader; a certificate authority; an electronic shopping mall with merchants A and B; a payment gateway connected over an X.25 network to the credit card brand.]

Slide 21: SET vs. SSL
- Complexity: SET is complex; SSL is simple.
- Scope: SET is tailored to credit card payments to merchants; SSL is a protocol for general-purpose secure message exchange (encryption).
- Privacy: the SET protocol hides the customer's credit card information from merchants and also hides the order information from banks, to protect privacy. This scheme is called the dual signature. The SSL protocol may use a certificate, but there is no payment gateway, so merchants need to receive both the ordering information and the credit card information, because the capturing process is initiated by the merchants.

Slide 22: Electronic Fund Transfer (EFT) on the Internet
[Figure, an architecture of electronic fund transfer on the Internet: payer → cyber bank → payment gateway → bank → automated clearinghouse (over a VAN) → bank → payment gateway → cyber bank → payee.]

Slide 23: Debit Cards
- A delivery vehicle of cash in an electronic form
- Mondex and VisaCash applied this approach
- Either anonymous or onymous
- CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet

Slide 24: Financial EDI
- It is an EDI used for financial transactions
  - EDI is a standardized way of exchanging messages between businesses
  - EFT can be implemented using a financial EDI system
- Safe financial EDI needs to adopt a security scheme like the one used for the SSL protocol
- An extranet encrypts the packets exchanged between senders and receivers using public key cryptography

Slide 25: Electronic Cash and Micropayments: Smart Cards
- The concept of e-cash is used in the non-Internet environment
- Plastic cards with magnetic stripes (old technology)
- Include IC chips with programmable functions on them, which makes the cards "smart"
- One e-cash card for one application
- Recharge the card only at designated locations, such as a bank office or a kiosk. Future: recharge at your PC
- e.g. Mondex and VisaCash

Slide 26: VisaCash Makes Shopping Easy
- Shopping with VisaCash
- Adding money to the card
- Payments in a new era of electronic shopping
- Paying on the Internet

Slide 27: Electronic Money: DigiCash
- The analogy of paper money or coins
- Expensive, as each payment transaction must be reported to the bank and recorded
- Conflicts with the central bank's role in bill issuance
- Legally, DigiCash is not supposed to issue more than an electronic gift certificate, even though it may be accepted by a wide number of member stores

Slide 28: Electronic Money (cont.): Stored Value Cards
- No issuance of money
- Debit card: a delivery vehicle of cash in an electronic form
- Either anonymous or onymous
- Advantage of an anonymous card: the card may be given from one person to another
- Also implemented on the Internet without employment of an IC card

Slide 29: Electronic Money (cont.)
- Smart card-based e-cash
  - Can be recharged at home through the Internet
  - Can be used on the Internet as well as in a non-Internet environment
- Ceiling of stored values
  - To prevent the abuse of stored values
  - S$500 in Singapore; HK$3,000 in Hong Kong
- Multiple currencies
  - Can be used for cross-border payments

Slide 30: Contactless IC Cards
- Proximity card
  - Used to access buildings and for paying in buses and other transportation systems
  - Bus, subway and toll card in many cities
- Amplified remote sensing card
  - Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
  - Pay tolls without stopping (e.g. Highway 91 in California)

Slide 31: Electronic Check Systems
[Figure, procedure of the Financial Service Technology Consortium prototype: the payer's workstation produces a check with a signature "card", certificate, remittance and invoice inside a secure envelope, sent to the payee by e-mail or WWW; the payee endorses the check (signature "card" and certificate), deposits it at the payee's bank (credit account) and posts the remittance to accounts receivable; the payee's bank clears the check through ACH/ECP with the payer's bank (debit account), which reports it as an e-check line item on the statement.]

Slide 32: Electronic Check Systems (cont.): Electronic Checkbook
- Counterpart of the electronic wallet
- To be integrated with the accounting information system of business buyers and with the payment server of sellers
- To save the electronic invoice and the receipt of payment in the buyers' and sellers' computers for future retrieval
- Example: SafeCheck
- Used mainly in B2B
[Figure, the architecture of SafeCheck: the payer's checkbook agent issues a check over the Internet to the payee's check-receipt agent, which returns a receipt; the control agent of the payer's bank screens the checkbook and reports the screened result, the control agent of the payee's bank presents the check, and the two banks clear it against their account databases (A/C DB).]

Slide 34: Integrating Payment Methods
- Two potential consolidations:
  - The on-line electronic check is merging with EFT
  - The electronic check with a designated settlement date is merging with electronic credit cards
- Security First Network Bank (SFNB)
  - First cyberbank
  - Lower service charges to challenge the service fees of traditional banks
- Visa
  - VisaCash is a debit card
  - ePay is an EFT service

Slide 35: How Many Cards are Appropriate?
- An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
- The stored value in an IC card can be delivered in an anonym