Secure Electronic Transaction

from Wikipedia, the free encyclopedia

Secure Electronic Transaction (SET) is a security protocol for electronic payment transactions with credit cards, especially over the Internet.

SET was developed in 1996 by VISA and Mastercard, with the participation of GTE, IBM, Microsoft and Netscape.

The security of SET is based on digital signatures and on encrypting the transmitted data with asymmetric and symmetric encryption algorithms. A special feature of SET is the use of dual signatures to protect the privacy of the user and to guarantee data protection.

Due to a lack of acceptance, the credit card organizations have largely stopped efforts to disseminate SET in recent years and are instead promoting the 3-D Secure process.

Principle

A SET scenario involves several participants: customers who hold credit cards, the customers' banks and credit card institutions, merchants who offer their products for online purchase, the merchants' banks, and a payment gateway, which acts as an interface between the merchant and the merchant's bank. When a customer purchases from a merchant using SET, the parties authenticate themselves to one another using certificates. The data for the purchase (order, payment, etc.) are encrypted so that each piece of information can be read only by the participant for whom it is intended (e.g. the customer's bank does not receive any information about the goods purchased, only their price). The authenticity and integrity of the messages can be proven with (dual) signatures.

Techniques

  • PKIs and X.509 certificates for authentication and keys
  • SHA-1 as a hash function
  • DES as a symmetric encryption function
  • RSA as an asymmetric encryption function

Dual signature

As with the standard electronic signature, the aim of the dual signature is to ensure the authenticity and integrity of the data. The dual signature additionally respects the need-to-know principle when a message is intended for two (or more) parties. For this purpose, the message parts are encrypted in such a way that each can be decrypted only by its intended recipient. So that the signature still covers the entire plaintext, the concatenated hash values of the individual message parts are signed. To enable each recipient to verify the dual signature, the hash value of the message part it cannot read is attached to its encrypted part.

Expressed as formulas:

Message = Part1 | Part2
h1 = SHA-1(Part1)
h2 = SHA-1(Part2)
Dual_Signature = SHA-1(h1 | h2)
Recipient 1 receives:
Msg1 = DES(Part1 | h2)
| stands for concatenation
SHA-1 as an example hash function
DES as an example encryption function

Advantages and disadvantages

SET offers many advantages compared to the credit card-based payment normally found on the Internet. The integrity and confidentiality of the transactions are guaranteed by means of signatures and encryption. The certificates and signatures make the transaction binding (non-repudiation) and provide assurance that all participants are authentic. Another data protection advantage is compliance with the need-to-know principle with the help of dual signatures.

The fact that the encryption method is fixed by the specification can be seen as problematic. Today, DES is no longer considered sufficiently secure and should not be used to encrypt confidential data. Furthermore, the complexity of the procedure is certainly an obstacle to its implementation (the standard comprises over 900 pages). It is also questionable whether the necessary establishment of a complete public key infrastructure will be accepted by all financial intermediaries involved (banks and credit card companies), retailers and customers. This has not happened to date (as of 2017).
