Electronic Payment Systems For E-Commerce

Pages: 360

Size: 4.1 MB

Format: PDF

Electronic Payment Systems

for E-Commerce

Second Edition

For a listing of recent titles in the Artech House Computing Library, turn to the back of this book.

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest.

The aim of this series is to publish state-of-the-art, high-standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL:

http://www.esecurity.ch/serieseditor.html

Also, if you’d like to contribute to the series and write a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Computer Security Series

Rolf Oppliger, Series Editor

Demystifying the IPsec Puzzle, Sheila Frankel

Electronic Payment Systems for E-Commerce, Second Edition, Donal O’Mahony, Michael Peirce, and Hitesh Tewari

Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas, editors

Non-repudiation in Electronic Commerce, Jianying Zhou

Secure Messaging with PGP and S/MIME, Rolf Oppliger

Security Fundamentals for E-Commerce, Vesna Hassler

Security Technologies for the World Wide Web, Rolf Oppliger

Electronic Payment Systems

for E-Commerce

Second Edition

Donal O’Mahony

Michael Peirce

Hitesh Tewari

Artech House

Boston • London

www.artechhouse.com

Library of Congress Cataloging-in-Publication Data

O’Mahony, Donal, 1961.

Electronic payment systems for e-commerce / Donal O’Mahony, Michael Peirce, Hitesh Tewari. 2nd ed.

p. cm. (Artech House computer security series)

Rev. ed. of: Electronic payment systems, c1997.

Includes bibliographical references and index.

ISBN 1-58053-268-3 (alk. paper)

1. Electronic funds transfers. 2. Data encryption (Computer science) 3. Internet. I. Peirce, M. E. (Michael E.) II. Tewari, Hitesh. III. O’Mahony, Donal, 1961 Electronic payment systems. IV. Title. V. Series.

HG1710 .O45 2001

332’.0285 dc21 2001022856

British Library Cataloguing in Publication Data

O’Mahony, Donal, 1961

Electronic payment systems for e-commerce. 2nd. ed. (Artech House computer security series)

1. Electronic funds transfers

I. Title II. Peirce, Michael, 1972 III. Tewari, H.

332.1’0285

ISBN 1-58053-463-5

Cover design by Igor Valdman

© 2001 ARTECH HOUSE, INC.

685 Canton Street

Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-268-3

Library of Congress Catalog Card Number: 2001022856

10 9 8 7 6 5 4 3 2 1

Contents

Preface

1 Motivation for electronic payment

References

2 Characteristics of current payment systems

2.1 Cash payments

2.2 Payment through banks

2.2.1 Payment by check

2.2.2 Payment by giro or credit transfer

2.2.3 Automated clearing house (ACH) payments

2.2.4 Wire transfer services

2.3 Using payment cards

2.4 Consumer preferences in payment systems

2.5 Regulatory framework

References

3 Cryptographic techniques

3.1 Encryption and decryption

3.2 Symmetric encryption

3.2.1 Data Encryption Standard (DES)

3.2.2 Triple DES

3.2.3 IDEA

3.2.4 Advanced Encryption Standard (AES)

3.2.5 RC2, RC4, and RC5

3.3 Message digesting or hashing

3.3.1 MD5

3.3.2 The Secure Hash Algorithm (SHA)

3.4 Kerberos

3.4.1 Overview of the Kerberos model

3.4.2 Obtaining a ticket

3.4.3 Service request

3.5 Asymmetric or public-key encryption

3.5.1 Properties of a public-key cryptosystem

3.5.2 Trapdoor one-way functions

3.5.3 Using public-key cryptosystems for authentication

3.6 Digital signatures and enveloping

3.7 RSA

3.8 Elliptic curve cryptography

3.9 Public-key infrastructure (PKI)

3.9.1 Certificates

3.9.2 Certification authorities

3.9.3 Attribute certificates

3.10 Transport of security information

3.10.1 Abstract syntax notation (ASN.1)

3.10.2 The X.509 directory authentication framework

3.10.3 PKCS cryptographic message syntax

3.11 Dual signatures

3.12 Nonces

3.13 Blind signatures

3.14 Chip cards/smart cards

3.14.1 Card types

3.14.2 Memory types and capacity

3.14.3 Physical specifications

3.14.4 Security

3.14.5 Public-key processing capabilities

3.14.6 Multiapplication cards

3.14.7 Java Card

3.14.8 MULTOS

3.14.9 Observers

References

4 Credit card-based systems

4.1 Mail order/telephone order (MOTO) transactions

4.2 Unsecured network payments

4.3 First Virtual

4.4 Once-off credit card numbers

4.5 The secure socket layer (SSL)

4.6 i-Key protocol (iKP)

4.6.1 Framework of iKP protocols

4.6.2 1KP

4.6.3 2KP

4.6.4 3KP

4.7 Secure Electronic Transactions (SET)

4.7.1 The SET trust model

4.7.2 SET message structure

4.7.3 Payment initialization (PInitReq/PInitRes)

4.7.4 Purchase order (PReq/PRes)

4.7.5 Authorization (AuthReq/AuthRes)

4.7.6 Capture of payment (CapReq/CapRes)

4.7.7 Cardholder inquiry (InqReq/InqRes)

4.7.8 SET software components

4.7.9 SET market acceptance

4.7.10 Server-side wallets

4.7.11 Using SET with smart cards

4.8 Summary

References

5 Electronic checks and account transfers

5.1 Payment transfer between centralized accounts

5.1.1 Funding the account

5.1.2 Authenticated account transfer

5.1.3 Withdrawing funds from the system

5.1.4 Business models

5.2 FSTC payment initiatives

5.2.1 Electronic check concept

5.2.2 Financial Services Markup Language (FSML)

5.2.3 Electronic check functional flows

5.2.4 Check-handling infrastructure

5.2.5 Bank Internet Payment System (BIPS)

5.2.6 Financial Agent Secure Transaction (FAST)

5.3 NACHA Internet payments

5.3.1 Internet Secure ATM Payments (ISAP)

5.3.2 DirectPay

5.4 NetBill

5.4.1 Protocol overview

5.4.2 Authentication procedure

5.4.3 Transaction protocol

5.4.4 Price request phase

5.4.5 Goods delivery phase

5.4.6 Payment phase

5.4.7 NetBill characteristics

5.5 NetCheque

5.6 Summary

References

6 Electronic cash payment systems

6.1 Ecash

6.1.1 The Ecash model

6.1.2 Ecash coins

6.1.3 Coin keys

6.1.4 Double-spending prevention

6.1.5 Withdrawing coins

6.1.6 An Ecash purchase

6.1.7 Making the payment

6.1.8 Proving payment

6.1.9 Payment deposit

6.1.10 Integration with the Web

6.1.11 Ecash in the mail

6.1.12 Transferring Ecash

6.1.13 Lost coins

6.1.14 Ecash and crime

6.1.15 Magic Money

6.1.16 Remarks

6.2 Project CAFE

6.2.1 Goals of CAFE

6.2.2 Architecture

6.2.3 CAFE devices

6.2.4 Role of observers

6.2.5 Protocol overview

6.2.6 Off-line coins

6.2.7 The α protocol

6.2.8 The Γ protocol

6.2.9 Additional features

6.2.10 Remarks

6.3 NetCash

6.3.1 Framework/model

6.3.2 NetCash coins

6.3.3 Double-spending prevention

6.3.4 Coin transfer

6.3.5 Certificate of insurance

6.3.6 Basic purchase

6.3.7 Obtaining coins

6.3.8 Paying a merchant

6.3.9 Verifying coins

6.3.10 Providing limited anonymity

6.3.11 Merchant anonymity

6.3.12 Preventing anonymity

6.3.13 Clearing

6.3.14 Extensions

6.3.15 Preventing merchant fraud

6.3.16 Off-line protocols

6.3.17 Remarks

6.4 Mondex

6.5 EMV cash cards and CEPS

6.5.1 EMV2000

6.5.2 Common Electronic Purse Specification (CEPS)

6.5.3 Remarks

6.6 SmartAxis

6.7 Remarks

References

7 Micropayment systems

7.1 Millicent

7.1.1 The Millicent model

7.1.2 Purchasing with Millicent

7.1.3 Scrip

7.1.4 Scrip structure

7.1.5 Scrip certificate generation

7.1.6 Scrip validation

7.1.7 Preventing double spending

7.1.8 Computation costs

7.1.9 Sending scrip over a network: the Millicent protocols

7.1.10 Scrip in the clear

7.1.11 Encrypted network connection

7.1.12 Request signatures

7.1.13 Performance

7.1.14 Millicent with the Web

7.1.15 Extensions

7.1.16 Summary

7.2 SubScrip

7.2.1 Basic SubScrip

7.2.2 Establishing a temporary account

7.2.3 Providing anonymity

7.2.4 A SubScrip ticket

7.2.5 A SubScrip purchase

7.2.6 Security and privacy

7.2.7 Protected SubScrip

7.2.8 Refunding SubScrip

7.2.9 Lost tickets

7.3 PayWord

7.3.1 PayWord user certificates

7.3.2 Revoked certificates

7.3.3 PayWord chains

7.3.4 Commitment to a PayWord chain

7.3.5 Spending PayWords

7.3.6 Variable-size payments

7.3.7 Redeeming spent PayWords

7.3.8 Computational costs

7.3.9 Extensions

7.3.10 Remarks

7.4 iKP micropayment protocol

7.4.1 µ-3KP protocol

7.4.2 Repeated micropayments

7.4.3 Nonrepeated micropayments

7.4.4 Remarks

7.5 Hash chain trees

7.5.1 PayTree

7.5.2 Unbalanced One-way Binary Tree (UOBT)

7.6 MicroMint

7.6.1 The MicroMint model

7.6.2 MicroMint coins

7.6.3 Verifying a coin

7.6.4 Minting coins

7.6.5 Computational costs

7.6.6 Multiple coins per bin

7.6.7 Coin validity criterion

7.6.8 Preventing forgery

7.6.9 A MicroMint purchase

7.6.10 Double spending

7.6.11 Extensions

7.7 Probability-based micropayments

7.7.1 Bets using coin flips

7.7.2 Hash chain lottery tickets

7.8 Jalda

7.9 NewGenPay/IBM Micropayments

7.10 Banner advertising as a form of micropayment

7.11 Micropayments summary and analysis

References

8 Mobile commerce

8.1 Mobile Internet architectures

8.1.1 Carrying Internet data on cellular networks

8.1.2 The wireless application protocol (WAP)

8.1.3 Japan’s iMode service

8.2 Industry consortia

8.3 Mobile network operator as banker

8.4 Third-party account-based mobile payment systems

8.4.1 Sonera MobilePay

8.4.2 Paybox

8.4.3 GiSMo

8.4.4 The Fundamo architecture

8.5 Credit card-based systems

8.5.1 Mobile SET

8.5.2 Remarks

8.6 Summary

References

9 Payment systems: prospects for the future

About the authors

Index

Preface

This book is about the techniques and systems used to allow payments to be made across the Internet. It is written primarily for researchers and industry professionals who need to develop a broad understanding of the important technologies in this area. Anyone involved in electronic commerce will ultimately need to understand how payment can be incorporated into trading systems, and this book gives a comprehensive view of the best ways to achieve this today. It assumes that the reader has some knowledge of computers and networked systems, and the necessary cryptography required to understand the systems is fully explained in Chapter 3. Readers without a financial background will be introduced to the salient aspects of conventional (pre-Internet) systems in Chapter 2 as a background to Chapters 4–9, which cover each significant Internet-based payment category.

The three authors of this book have been actively engaged in research into electronic payment systems since 1994. They are all members of the Networks & Telecommunications Research Group (NTRG) at Trinity College, Dublin, Ireland, and in this context have been responsible for developing innovative new designs and prototypes for new check, cash, and micropayment schemes. In 1996, as e-commerce was beginning to emerge as a major phenomenon, they saw a need for a book to give a good overview of the different types of payment systems that were offered. The book, Electronic Payment Systems, published in 1997, was very well received and, appropriately, won a best-seller award in its category from the on-line bookseller Amazon.com. Many things have changed since 1996, and this second edition of Electronic Payment Systems for E-Commerce has been greatly revised. New encryption techniques such as the Advanced Encryption Standard (AES) have been covered as well as new coverage of elliptic curve cryptography. The main chapters have been updated to reflect the success or failure of systems that existed in 1996 and also any new significant systems that have been added. Perhaps the most significant change is a brand-new chapter on mobile payment for use in m-commerce. This is a commercially very hot topic at the time of writing and is likely to remain so in the medium-term future.

As with the first edition, this book can only hope to capture a snapshot of the technology as it progresses. Nevertheless, we believe that the core principles of payment exemplified by the systems in this book will be valid for many years to come.
