网上银行支付原理ppt课件

ElectronicPaymentSystemsandSecurity电子支付系统和安全加密技术,1,网上支付原理,1,LearningObjectives学习目的,DescribetypicalelectronicpaymentsystemsforEC描述电子商务典型的电子支付系统Identifythesecurityrequirementsforsafeelectronicpayments识别安全电子支付的安全要求Describethetypicalsecurityschemesusedtomeetthesecurityrequirements满足安全要求的安全方案IdentifytheplayersandproceduresoftheelectroniccreditcardsystemontheInternet识别互联网上电子信用卡系统的使用者和使用处理过程DiscusstherelationshipbetweenSSLandSETprotocols讨论SSL协议和SET协议之间的关系,2,Discusstherelationshipbetweenelectronicfundtransferanddebitcard讨论电子资金转帐和借记卡之间的关系Describethecharacteristicsofastoredvaluecard描述一个储值卡的特征ClassifyanddescribethetypesofICcardsusedforpayments辨别和描述用于支付的IC卡的类型Discussthecharacteristicsofelectronicchecksystems讨论电子支票系统的特征,LearningObjectives(cont.)学习目的(继续),3,SSLVs.SET:WhoWillWin?SSL对SET:谁将赢?,ApartofSSL(SecureSocketLayer)isavailableoncustomersbrowsers加密套接字协议层itisbasicallyanencryptionmechanismforordertaking,queriesandotherapplicationsSSL是一个基本的加密技术itdoesnotprotectagainstallsecurityhazards预防安全威胁itismature,simple,andwidelyuse成熟简单广泛应用SET(SecureElectronicTransaction)isaverycomprehensivesecurityprotocol加密电子交易协议itprovidesforprivacy,authenticity,integrity,and,orrepudiation它提供私密、真实、完整、拒绝方面的安全保护itisusedveryinfrequentlyduetoitscomplexityandtheneedforaspecialcardreaderbytheuser不常用、复杂itmaybeabandonedifitisnotsimplified/improved需改进,4,Payments,ProtocolsandRelatedIssues支付、协议、相关议题,SETProtocolisforCreditCardPayments信用卡支付ElectronicCashandMicropayments电子货币和找零ElectronicFundTransferontheInternet互联网上电子资金转帐StoredValueCardsandElectronicCash储值卡和电子货币ElectronicCheckSystems电子支票系统,5,Securityrequirements安全要求,Payments,ProtocolsandRelatedIssues(cont.)支付、协议、相关议题（继续）,Authentication:Awaytoverifythebuyersidentitybeforepaymentsaremade真实性鉴定支付前的买主身份认定Integrity:Ensuringthatinformationwillnotbeaccidentallyormaliciouslyalteredordestroyed,usuallyduringtransmission完整性信息不被偶然地或恶意地修改或破坏Encryption:Aprocessofmakingmessagesindecipherableexceptbythosewhohaveanauthorizeddecryptionkey加密术除非那些具有一个授权解密钥匙的人可以解释信息内容，加密技术使信息无法被解释或阅读Non-repudiation:Merchantsneedprotectionagainstthecustomersunjustifiabledenialofplacedorders,andcustomersneedprotectionagainstthemerchantsunjustifiabledenialofpastpayment不被拒绝商人需要预防客户对于发出定单的无正当理由的抵赖，客户需要预防商人对于客户过去支付的无正当理由的抵赖。,6,SecuritySchemes安全加密方案,SecretKeyCryptography(symmetric)密码加密技术（对称加密技术）,对称加密就如同一把有相同两把钥匙的锁,两把钥匙在不同的两个人手中,一个人加锁,另外一个人用同样的钥匙打开锁,7,PublicKeyCryptography公钥加密技术,SecuritySchemes(cont.)安全加密方案（继续）,Message,DigitalSignature,8,DigitalSignature数字签名,Adigitalsignatureisattachedbyasendertoamessageencryptedinthereceiverspublickey一个数字签名由发送者附加在通过用接收者的公钥加密的信息上,Senderencryptsamessagewithherprivatekey发送者用他的私钥加密了一个信息,SecuritySchemes(cont.)安全加密方案（继续）,Analogoustohandwrittensignature类似手写签名,9,Certificate证书,SecuritySchemes(cont.)安全加密方案（继续）,Identifyingtheholderofapublickey(Key-Exchange)识别一个公钥（密码交换）的持有者Issuedbyatrustedcertificateauthority(CA)由一个认可认证机关（CA）发出,10,CertificateAuthority-e.g.VeriSign认证机构例如：验证签名,RCA:RootCertificateAuthorityBCA:BrandCertificateAuthorityGCA:Geo-politicalCertificateAuthorityCCA:CardholderCertificateAuthorityMCA:MerchantCertificateAuthorityPCA:PaymentGatewayCertificateAuthority,HierarchyofCertificateAuthorities认证机构的层级结构Certificateauthorityneedstobeverifiedbyagovernmentorwelltrustedentity(e.g.,postoffice),SecuritySchemes(cont.)SecuritySchemes(cont.)安全加密方案（继续）,Publicorprivate,comesinlevels(hierarchy)Atrustedthirdpartyservices一个认可的第三方服务Issuerofdigitalcertificates数字认证的发出者Verifyingthatapublickeyindeedbelongstoacertainindividual,11,ElectronicCreditCardSystemontheInternet互联网上的电子信用卡系统,ThePlayers信用卡使用者,Cardholder卡持有者Merchant(seller)销售商Issuer(yourbank)发卡银行Acquirer(merchantsfinancialinstitution,acquiresthesalesslips)销售商的财务结算机构，获得销售商的销售单和顾客支付给销售商的金额，是销售商的结算银行Brand(VISA,MasterCard)卡的种类,12,Theprocessofusingcreditcardsoffline离线使用信用卡的操作过程,ElectronicCreditCardSystemontheInternet(cont.)互联网上的电子信用卡系统,13,Cardholder持卡人,CreditCardProcedure信用卡操作过程(offlineandonline在线和离线),14,电子商务和电子政务阎虎勤,14,SecureElectronicTransaction(SET)Protocol加密电子交易协议（SET）,1.Themessageishashedtoaprefixedlengthofmessagedigest.一个信息被杂凑（有时候常常是通过一个杂凑函数）成一个定长信息消化元。2.Themessagedigestisencryptedwiththesendersprivatesignaturekey,andadigitalsignatureiscreated.这个信息消化元用发送者私钥签名加密，这样，一个数字签名就被创造出来了。3.Thecompositionofmessage,digitalsignature,andSenderscertificateisencryptedwiththesymmetrickeywhichisgeneratedatsenderscomputerforeverytransaction.Theresultisanencryptedmessage.SETprotocolusestheDESalgorithminsteadofRSAforencryptionbecauseDEScanbeexecutedmuchfasterthanRSA.信息内容、数字签名、新加上发送者的认证书一起被用对称钥匙加密，形成一个加密信息。4.TheSymmetrickeyitselfisencryptedwiththereceiverspublickeywhichwassenttothesenderinadvance.Theresultisadigitalenvelope.对称钥匙被预先发送给发送者的接收者的公钥加密，这样就形成一个数字信封。,15,SendersComputer发送者的计算机,电子商务和电子政务阎虎勤,15,SendersComputer发送者的计算机,SendersPrivateSignatureKey,16,电子商务和电子政务阎虎勤,16,5.TheencryptedmessageanddigitalenvelopearetransmittedtoreceiverscomputerviatheInternet.加密信息和数字信封被通过互联网发送到接收者的计算机。6.Thedigitalenvelopeisdecryptedwithreceiversprivateexchangekey.数字信封被用接收者的私人交换钥匙（私钥）解蜜。7.Usingtherestoredsymmetrickey,theencryptedmessagecanberestoredtothemessage,digitalsignature,andsenderscertificate.使用恢复出来的对称钥匙，则加密信息能够被恢复成原始信息、数字签名、和发送者的认证书。8.Toconfirmtheintegrity,thedigitalsignatureisdecryptedbysenderspublickey,obtainingthemessagedigest.为确保数据的完整性，数字签名被用发送者的公钥解密，从而得到信息消化元。9.Thedeliveredmessageishashedtogeneratemessage.反杂凑获得原始信息10.Themessagedigestsobtainedbysteps8and9respectively,arecomparedbythereceivertoconfirmwhethertherewasanychangeduringthetransmission.Thisstepconfirmstheintegrity.在8、9步后得到信息，接收者通过比较来确信是否在传输中间发生了任何变化。这一步保证了信息的完整性。,ReceiversComputer接收者的计算机,SecureElectronicTransaction(SET)Protocol(cont.)加密电子交易协议（SET）（继续）,17,电子商务和电子政务阎虎勤,17,ReceiversComputer接收者的计算机,18,PrenticeHall,2000,18,EntitiesofSETProtocolinCyberShopping协议（SET）下的网上购物,19,电子商务和电子政务阎虎勤,19,SETVs.SSL两个协议之间的对比,SecureElectronicTransaction(SET)加密电子交易协议（SET）,SecureSocketLayer(SSL)加密字套接层协议（SSL）,20,ElectronicFundTransfer(EFT)ontheInternet互联网上的电子资金转帐（EFT）,AnArchitectureofElectronicFundTransferontheInternet,Payer付款人,21,DebitCards借记卡,Adeliveryvehicleofcashinanelectronicform一个电子货币的运钞车Mondex,VisaCashappliedthisapproach借记卡Mondex和VisaCash适合这种方式Eitheranonymousoronymous匿名或具名CyberCashhascommercializedadebitcardnamedCyberCoinasamediumofmicropaymentsontheInternet网络货币CyberCash已经商业化了一个借记卡名为网络硬币CyberCoin作为互联网上找零的一个中介。,22,FinancialEDI财务EDI,ItisanEDIusedforfinancialtransactions用于财务转帐EDIisastandardizedwayofexchangingmessagesbetweenbusinesses企业间信息交换的一个标准方式EFTcanbeimplementedusingaFinancialEDIsystem使用一个财务EDI系统EFT能够被应用SafeFinancialEDIneedstoadoptasecurityschemeusedfortheSSLprotocol接受一个加密技术用于SSLExtranetencryptsthepacketsexchangedbetweensendersandreceiversusingthepublickeycryptography企业间网络（Extranet）使用公钥加密技术加密发送者和接收者之间交换的邮包。,23,ElectronicCashandMicropayments电子货币和找零,SmartCards智能卡,Theconceptofe-cashisusedinthenon-Internetenvironment电子货币的概念被用在非互联网环境Plasticcardswithmagneticstripes(oldtechnology)具有磁条的塑料卡（旧技术）IncludesICchipswithprogrammablefunctionsonthemwhichmakescards“smart”包含具有程序功能的IC芯片，芯片使卡更“聪明”。Onee-cashcardforoneapplication一种卡一种应用Rechargethecardonlyatdesignatedlocations,suchasbankofficeorakiosk.Future:rechargeatyourPC重新写卡只能在指定地点进行，如银行办公室或一个工作间。将来可在PC上进行。e.g.MondexHK$3,000inHongKongMultipleCurrencies多种货币Canbeusedforcrossborderpayments交叉支付,ElectronicMoney(cont.)电子货币（继续）,28,ContactlessICCards无接触IC卡,ProximityCard功能接近的卡Usedtoaccessbuildingsandforpayinginbusesandothertransportationsystems用来进入大楼、支付公交车票、和其它运输系统Bus,subwayandtollcardinmanycities在许多城市使用的公交车、地铁和路桥卡AmplifiedRemoteSensingCard放大的远程感应卡Goodforarangeofupto100feet,andcanbeusedfortollingmovingvehiclesatgates能够被机动车辆在门口用来支付路桥费，最远可达到100英尺Paytollwithoutstopping(e.g.Highway91inCalifornia)支付路桥费而不用停车,29,ElectronicCheckSystems电子支票系统,ProcedureofFinancialServiceTechnologyConsortiumPrototype金融服务技术集团的处理模型,30,ElectronicCheckbook电子支票簿,ElectronicCheckSystems(cont.)电子支票系统（继续）,Counterpartofelectronicwallet对应电子钱包Tobeintegratedwiththeaccountinginformationsystemofbusinessbuyersandwiththepaymentserverofsellers被与商业购买者会计信息系统和销售商的支付服务系统一起综合起来Tosavetheelectronicinvoiceandreceiptofpaymentinthebuyersandsellerscomputersforfutureretrieval保存电子发票和支付收据在购买者和销售者的计算机内，以备今后使用Example:SafeCheckUsedmainlyinB2B主要用于B2B业务,31,TheArchitectureofSafeCheck,32,电子商务和电子政务阎虎勤,32,IntegratingPaymentMethods综合支付方法,Twopotentialconsolidations:Theon-lineelectroniccheckismergingwithEFTTheelectroniccheckwithadesignatedsettlementdateismergingwithelectroniccreditcardsSecurityFirstNetworkBank(SFNB)FirstcyberbankLowerservicechargestochallengetheservicefeesoftraditionalbanksVisaVisaCashisadebitcardePayisanEFTservice,33,HowManyCardsareAppropriate?,Anonymouscardisnecessarytokeepthecertificatesforcreditcards,EFT,andelectroniccheckbooks,ThestoredvalueinICcardcanbedeliveredinananonymousmode,34,FiveSecurityTips五个安全忠告,DontrevealyouronlinePasscodetoanyone.IfyouthinkyouronlinePasscodehasbeencompromised,changeitimmediately.不要给任何人出示你的在线密码。Dontwalkawayfromyourcomputerifyouareinthemiddleofasession.如果你在一个会话中间请不要离开你的计算机。OnceyouhavefinishedconductingyourbankingontheInternet,alwayssignoffbeforevisitingotherInternetsites.一旦你已经结束在网上操作你的银行帐户，在访问其它网址之前要退出。Ifanyoneelseislikelytous