南京财经大学电子商务双语版Chapterelectronicpaym

Chapter5electronicpaymentsystems5.1SecurityInElectronicPaymentsystems5.2ElectronicPaymentmethods5.3CaseofE-banking,5.1SecurityInElectronicPaymentsystems,5.1.1RequirementofSecurepaymentAuthenticity:thesender(eitherclientorserver)ofamessageiswhohe,sheoritclaimstobe.Privacy:thecontentsofamessagearesecretandonlyknowntothesenderandreceiver.Integrity:thecontentsofamessagearenotmodified(intentionallyoraccidentally)duringtransmission.Non-repudiation:thesenderofamessagecannotdenythathe,sheoritactuallysentthemessage.,5.1.2PublicKeyInfrastructurePKIhasbecomethecornerstoneforsecuree-payments.AttheheartofPKIisencryption.Encryption:Theprocessofscrambling(encrypting)amessageinsuchawaythatitisdifficult,expensive,ortime-consumingforanunauthorizedpersontounscramble(decrypt)it.,EncryptionhasfourbasicpartsPlaintextCiphertextEncryptionalgorithmkeyThetwomajorclassesofencryption:Symmetricsystems(withonesecretkey),Asymmetricsystems(withtwokeys),密码学是关于应用加密算法对信息进行加密的科学。加密算法就是用基于数学计算方法与一串数字（密钥）对普通的文本（信息）进行编码，产生不可理解的密文的一系列步骤。发送方将消息在发送到公共网络或互联网之前进行加密，接收方收到消息后对其解码或称为解密，所用的程序称为解密程序，这是加密的逆过程。,密码学原理,加密与解密示例例如：把英文26个字母表的顺序编号作为明文，将密钥定为17，将明文的编号加上17，就可以得到一个密码表：,一个简单的密码表,1.Symmetric(private)keysysteDES:standardsymmetricencryptionalgorithm,Plaintextmessage,Ciphertext,Plaintextmessage,Encryptionprivatekey,Decryptionprivatekey,sender,receiver,2.Asymmetric(public)keysystemRSA:themostcommonpublickeyencryptionalgorithm,Plaintextmessage,Ciphertext,Plaintextmessage,Encryptionpublickey,Decryptionprivatekey,sender,receiver,3.Digitalsignaturesinclude:Hash:Amathematicalcomputationthatisappliedtoamessage,usingaprivatekey,toencryptthemessage.Messagedigest:Asummaryofamessage,convertedintoastringofdigits,afterthehashhasbeenapplied.Digitalenvelope:thecombinationoftheencryptedoriginalmessageandthedigitalsignature,usingtherecipientspublickey,Hash算法:不是加密算法，能产生信息的数字“指纹”(messagedigest)，主要用途是为了确保数据没有被篡改或发生变化，以维护数据的完整性。Hash算法的特性：能处理任意大小的信息，并能生成固定长度的信息摘要。信息摘要的大小与原信息的大小没有关系，原信息的一个微小变化都会对信息摘要产生和大的影响。具有不可逆性。,（1）messageWithcontract,MessagewithDigitalsignature,（1）messageWithcontract,Messagedigest,Digitalsignature,Digitalenvelope,Digitalsignature,Originalmessagedigest,Newmessagedigest,（2）senderapplieshashfunction,(3)Senderencryptsusingsendersprivatekey,(4)Senderencryptsusingrecipientspublickey(5)Sendere-mailstorecipient,(6)Recipientdecryptsusingrecipientsprivatekey,(7)Recipientdecryptsusingsenderspublickey,(8)Recipientapplieshashfunction,(9)Compareformatch,Digitalsignatures,4.Certificateauthorities:Thirdpartiesthatissuedigitalcertificates.(电子商务认证中心)CA就是承担网上安全电子交易的认证服务的服务机构，它能签发数字证书，并能确认用户身份。CA的主要任务是受理数字证书的申请，签发及管理数字证书。Acertificatecontains:TheholdersnameValidityperiodPublickeyinformationAsignedhashofthecertificatedata,5.SSLandSETSecuresocketlayer(SSL):protocolthatutilizesstandardcertificatesforauthenticationanddataencryptiontoensureprivacyorconfidentiality,inventedbyNetscape.Secureelectronictransaction(SET):AprotocoldesignedtoprovidesecureonlinecreditcardtransactionsforbothconsumersandjointlybyNetscape,Visa,MasterCard,andothers.,SET协议与SSL协议的比较,（1）SET是一个多方的报文协议，它定义了银行、商家、持卡人之间的必须的报文规范，而SSL只是简单地在两方之间建立了一条安全连接。（2）SET允许各方之间的报文交换不是实时的，而SSL则是面向连接的，必须实时的进行。（3）SET报文能够在银行内部网或者其他网络上传输，而SSL之上的卡支付系统只能与Web浏览器捆绑在一起。（4）SET的安全要求较高，因此所有参与SET交易的成员都必须申请数字证书，而SSL中只有商家端的服务器需要验证，客户段则是有选择的。,5.2ElectronicPaymentMethods,5.2.1E-paymenttoolsElectronicCardsElectroniccashElectroniccheck,Whateverthee-paymentmethod,fivepartiesinvolvedine-payments:1.Customer/payer/buyer2.Merchant/payee/seller3.Issuer4.Regulator5.AutomatedClearingHouse(ACH),AutomatedClearingHouse(ACH):Electronicnetworkthatconnectsallfinancialinstitutionsforthepurposeofmakingfundstransfers.,5.2.2Characteristicsofsuccessfule-paymentmethodsIndependenceInteroperabilityandportabilitySecurityAnonymityDivisibilityEaseofuseTransactionfeesCriticalmass,5.2.3ElectronicCardsandSmartCards,1.Paymentcard:ElectroniccardthatcontainsinformationthatcanbeusedforpaymentpurposesCreditcardsChargecardsDebitcards,Creditcard的付款过程,持卡人,商家,支付网关,开户银行,发卡行,认证中心,（1）订单及信用卡号,（2）审核,（5）确认,（6）确认,（3）审核,（4）批准,认证,认证,认证,支付网关：连接Internet与银行网络，完成支付协议和现存银行交易系统协议之间的信息格式转换，支付网关须由收单行授权，再由CA发放数字证书。支付网关的功能：确认商家身份、解密从持卡人处得到的支付指令，验证持卡人的证书与在购物中所使用的账号是否匹配，验证持卡人和商家申请信息的完整性等。,ElectronicCardsandSmartCards(cont.),2.Smartcard:Anelectroniccardcontaininganembeddedmicrochipthatenablespredefinedoperationsortheaddition,deletion,ormanipulationofinformationonthecard.,ElectronicCardsandSmartCards(cont.),Contactcard:Asmartcardcontainingasmallgoldplateonthefacethatwheninsertedinasmart-cardreadermakescontactandsopassesdatatoandfromtheembeddedmicrochip.Contactless(proximity)card:Asmartcardwithanembeddedantenna,bymeansofwhichdataandapplicationsarepassedtoandfromacardreaderunitorotherdevicewithoutcontactbetweenthecardandthecardreader,5.2.4E-cashandE-checkE-cash:Thedigitalequivalentofpapercurrencyandcoins,whichenablessecureandanonymouspurchaseoflow-priceditems.Micro-payments:smallpayments,usuallyunder$10.数字现金支付的特点匿名性可传递性可分性,E-cash的支付过程,（1）请求开设E-cash帐户（2）帐号（3）购买数字现金的请求（4）银行数字签名的数字现金,（5）订单及加密的数字现金,（6）加密的数字现金,（8）确认,（9）确认信息,买方,卖方,银行,数字现金库,（7）核对,E-Checking,E-check:T