A Secure on-line credit card transaction method based on Kerberos Authentication protocol

ABSTRACT

Nowadays, the electronic payment system is an essential part of modern business.
Credit cards or debit cards have been widely used for on-site or remote transactions,
greatly reducing the need for inconvenient cash transactions. However, there have been a
huge number of incidents of credit card fraud over the Internet due to the security
weaknesses of electronic payment systems. A number of solutions have been proposed in
the past to prevent this problem, but most of them were inconvenient and did not satisfy
the needs of cardholders and merchants at the same time.
In this thesis, we present a new secure card payment system called NNCC (No
Number Credit Card) that significantly reduces the possibility of credit card fraud. This
scheme is primarily designed for on-line shopping. NNCC is based on the Kerberos
cryptographic framework that has been proven to be secure after being used in the real world
for decades. In this proposed system, instead of card numbers, only the payment tokens
are exchanged between the buyers and merchants. The token is generated based on the
payment amount, the client information, and the merchant information. However, it does not
contain the credit card number, so the merchant cannot acquire and illegally use the credit
card number. A token is cryptographically secure and valid only for the designated
merchant, so it is robust against eavesdropping.
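
The merchant-bound token property described above, as an added example that is not code from the thesis: a simplified sketch that uses an HMAC under a per-merchant key in place of Kerberos ticket encryption. The key table, identifiers and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed keys standing in for the long-term secret a Kerberos-style
# issuer would share with each registered merchant (assumption).
MERCHANT_KEYS = {
    "merchant-a": b"constructed-key-for-merchant-a",
    "merchant-b": b"constructed-key-for-merchant-b",
}


def issue_token(client_id, merchant_id, amount_cents, ttl=300, now=None):
    """Issuer side: bind client, merchant and amount; no card number inside."""
    now = int(time.time()) if now is None else now
    claims = {"client": client_id, "merchant": merchant_id,
              "amount_cents": amount_cents, "expires": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(MERCHANT_KEYS[merchant_id], payload, hashlib.sha256).digest()
    return payload.hex() + "." + tag.hex()


def verify_token(token, merchant_id, merchant_key, expected_cents, now=None):
    """Merchant side: accept only an unexpired token made for this merchant."""
    now = int(time.time()) if now is None else now
    try:
        payload_hex, tag_hex = token.split(".")
        payload, tag = bytes.fromhex(payload_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(merchant_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # altered, forged, or issued for a different merchant
    claims = json.loads(payload)
    return (claims["merchant"] == merchant_id
            and claims["amount_cents"] == expected_cents
            and claims["expires"] > now)


if __name__ == "__main__":
    token = issue_token("client-42", "merchant-a", 2599)
    print(verify_token(token, "merchant-a", MERCHANT_KEYS["merchant-a"], 2599))
    # A token captured in transit is useless at any other merchant.
    print(verify_token(token, "merchant-b", MERCHANT_KEYS["merchant-b"], 2599))
```

This sketch does not stop the designated merchant from presenting the same token twice before it expires; that would need a one-time identifier tracked by the issuer.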

INTRODUCTION

The electronic payment system (EPS) is an essential part of modern business. Credit cards
or debit cards have been widely used for on-site or remote transactions, greatly reducing
the need for inconvenient cash transactions. Furthermore, EPS has become a critical piece
for the operation of e-commerce systems where cash transactions are impractical.
However, the proliferation of EPS has brought forth an undesirable effect. The
convenience of credit cards gives purchasing power to whoever has the card number
with some extra information associated with it. When a third party obtains the card
number, he has the same purchasing power as the legitimate owner and can falsely use
the card without the knowledge of the legitimate owner. This can happen either
inadvertently or on purpose. A merchant may store the credit card numbers insecurely and
have them stolen, or fake web sites can be set up to grab the credit card information from
unsuspecting victims. Once the card number and the associated information are given to a
merchant, the number cannot be withdrawn. The present EPS does not provide a
mechanism to hide the credit card numbers during transactions.

RELATED WORK

Generally, an EPS falls into one of two categories: token-based systems (electronic
cash systems, or electronic currency systems), and account-based systems (credit-debit)
[7][8][9]. However, the credit card system can be considered a separate category in some
cases. In this thesis, we also divide the EPS into three categories because the credit card
system is the most popular among payment systems.

Electronic Cash System

In electronic cash systems, customers buy digital tokens and surrender them to the
merchant when they buy an item [7]. Electronic cash systems are further divided into
two systems: smart card-based systems, which use smart cards to store E-Cash, and Web
Cash, where the user's E-Cash is stored in the user's online account. The smart card-based
system is not suitable for an Internet payment system due to the need for physical contact
to make a payment. Web Cash systems do not suffer from this problem and there are
several systems proposed, e.g., Millicent Protocol [10], PayWord [11] and MicroMint
[11], NetCash [12], eCash (or DigiCash) invented by David Chaum [13], and so forth.
Millicent Protocol is designed to process small amounts of money, which can be a
fraction of a cent, for inexpensive Internet content. The most important parts of
Millicent Protocol are Broker and Scrip. Broker provides account management and
billing, and Scrip is digital cash which is valid for the specific merchant [10].
PayWord is credit-based. Customers need a digital certificate signed by a broker.