Computer Auditing, Hugh Yan
Electronic Payment Systems and Security
Principles of Online Payment

Learning Objectives
- Describe typical electronic payment systems for EC
- Identify the security requirements for safe electronic payments
- Describe the typical security schemes used to meet the security requirements
- Identify the players and procedures of the electronic credit card system on the Internet
- Discuss the relationship between the SSL and SET protocols
- Discuss the relationship between electronic fund transfer and debit cards
- Describe the characteristics of a stored value card
- Classify and describe the types of IC cards used for payments
- Discuss the characteristics of electronic check systems

SSL vs. SET: Who Will Win?
- A part of SSL (Secure Socket Layer) is available in customers' browsers
  - it is basically an encryption mechanism for order taking, queries and other applications
  - it does not protect against all security hazards
  - it is mature, simple, and widely used
- SET (Secure Electronic Transaction) is a very comprehensive security protocol
  - it provides for privacy, authenticity, integrity, and non-repudiation
  - it is used very infrequently due to its complexity and the need for a special card reader by the user
  - it may be abandoned if it is not simplified/improved

Payments, Protocols and Related Issues
- SET Protocol is for credit card payments
- Electronic cash and micropayments
- Electronic fund transfer on the Internet
- Stored value cards and electronic cash
- Electronic check systems

Payments, Protocols and Related Issues (cont.)
- Security requirements
  - Authentication: a way to verify the buyer's identity before payments are made
  - Integrity: ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
  - Encryption: a process of making messages indecipherable except by those who have an authorized decryption key
  - Non-repudiation: merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchant's unjustifiable denial of past payment

Security Schemes
- Secret Key Cryptography (symmetric)
  Figure: the sender encrypts the original message with Key_sender, the scrambled message crosses the Internet, and the receiver decrypts it with Key_receiver, where Key_sender = Key_receiver.
  Symmetric encryption is like a lock with two identical keys held by two different people: one person locks it, and the other opens it with the same key.

Security Schemes (cont.)
- Public Key Cryptography
  Figure: the sender encrypts the original message with the receiver's public key; the receiver decrypts the scrambled message with the receiver's private key.
- Digital Signature
  Figure: the sender encrypts the message with the sender's private key; the receiver recovers the original message with the sender's public key.
  - A digital signature is attached by a sender to a message encrypted in the receiver's public key
  - The receiver is the only one that can read the message, and at the same time is assured that the message was indeed sent by the sender
  - The sender encrypts a message with her private key
  - Any receiver with the sender's public key can read it
  - Analogous to a handwritten signature

Security Schemes (cont.)
- Certificate
  Sample certificate: Name: "Richard"; Key-Exchange Key: ; Signature Key: ; Serial #: 29483756; Other Data: 10236283025273; Expires: 6/18/2005; Signed: CA's Signature
  - Identifying the holder of a public key (key-exchange key)
  - Issued by a trusted certificate authority (CA)

Security Schemes (cont.)
- Certificate Authority (e.g. VeriSign)
  - A trusted third-party service
  - Issuer of digital certificates
  - Verifying that a public key indeed belongs to a certain individual
  - Public or private, comes in levels (hierarchy)
  Figure: Hierarchy of Certificate Authorities
    RCA: Root Certificate Authority
    BCA: Brand Certificate Authority
    GCA: Geo-political Certificate Authority
    CCA: Cardholder Certificate Authority
    MCA: Merchant Certificate Authority
    PCA: Payment Gateway Certificate Authority
  A certificate authority needs to be verified by a government or well-trusted entity (e.g., a post office).

Electronic Credit Card System on the Internet
- The Players
  - Cardholder
  - Merchant (seller)
  - Issuer (your bank)
  - Acquirer (the merchant's financial institution, which acquires the sales slips)
  - Brand (VISA, MasterCard)

Electronic Credit Card System on the Internet (cont.)
- The process of using credit cards offline
  - A cardholder requests the issuance of a card brand (like Visa and MasterCard) from an issuer bank in which the cardholder may have an account.
  - The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
  - A plastic card is physically delivered to the customer's address by mail.
  - The card comes into effect when the cardholder calls the bank for initiation and signs on the back of the card.
  - The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
  - Upon the approval, the merchant requests payment from the merchant's acquirer bank, and pays a fee for the service. This process is called a capturing process.
  - The acquirer bank requests the issuer bank to pay for the credit amount.
  Figure: Credit Card Procedure (offline and online), with Cardholder, Merchant, Card Brand Company, Issuer Bank (cardholder account) and Acquirer Bank (merchant account); labelled flows: credit card, payment authorization, payment data, account debit data, amount transfer.

E-Commerce and E-Government, Yan Huqin
Secure Electronic Transaction (SET) Protocol
- Sender's Computer
  1. The message is hashed to a fixed-length message digest.
  2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
  3. The composition of the message, the digital signature, and the sender's certificate is encrypted with a symmetric key which is generated at the sender's computer for every transaction. The result is an encrypted message. The SET protocol uses the DES algorithm instead of RSA for this encryption because DES can be executed much faster than RSA.
  4. The symmetric key itself is encrypted with the receiver's public key, which was sent to the sender in advance. The result is a digital envelope.
  Figure: Sender's Computer. Message -> Message Digest -> (Sender's Private Signature Key) Digital Signature; Message + Digital Signature + Sender's Certificate -> (Symmetric Key) Encrypted Message; Symmetric Key -> (Receiver's Public Key-Exchange Key, taken from the Receiver's Certificate) Digital Envelope.
- Receiver's Computer
  5. The encrypted message and the digital envelope are transmitted to the receiver's computer via the Internet.
  6. The digital envelope is decrypted with the receiver's private key-exchange key.
  7. Using the restored symmetric key, the encrypted message is restored to the message, the digital signature, and the sender's certificate.
  8. To confirm the integrity, the digital signature is decrypted with the sender's public signature key, obtaining the message digest.
  9. The delivered message is hashed to generate a message digest.
  10. The message digests obtained in steps 8 and 9 are compared by the receiver to confirm whether there was any change during transmission. This step confirms the integrity.
  Figure: Receiver's Computer. Digital Envelope -> (Receiver's Private Key-Exchange Key) Symmetric Key; Encrypted Message -> (Symmetric Key) Message + Digital Signature + Sender's Certificate; Digital Signature -> (Sender's Public Signature Key) Message Digest; Message -> Message Digest; Compare.
(Source: Prentice Hall, 2000)
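The ten SET steps above, carried through end to end as an added example (not part of the lecture). Textbook RSA over two constructed Mersenne primes stands in for the signature and key-exchange keys, a SHA-256 counter keystream stands in for DES, and the message, signature and certificate are packed as JSON; none of these choices is secure, they only make the sender and receiver steps visible in runnable form.

```python
import hashlib, json
from secrets import token_bytes

def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes p, q; returns ((e, n), (d, n)). Toy only."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def rsa_apply(key, value):
    """Modular exponentiation used for both signing and the digital envelope."""
    exp, n = key
    return pow(value, exp, n)

def digest64(message):
    """Steps 1 and 9: fixed-length digest (SHA-256 truncated to fit the toy modulus)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")

def stream_xor(key, data):
    """Symmetric stand-in for DES: XOR with a SHA-256 counter keystream (constructed)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def verify_signature(sender_sig_pub, message, signature):
    """Steps 8-10: recover the digest from the signature and compare with a fresh hash."""
    return rsa_apply(sender_sig_pub, signature) == digest64(message)

def set_send(message, sender_sig_priv, sender_cert, receiver_kx_pub):
    signature = rsa_apply(sender_sig_priv, digest64(message))                 # step 2
    sym_key = token_bytes(8)                                 # fresh key per transaction
    payload = json.dumps({"msg": message.hex(), "sig": signature, "cert": sender_cert})
    encrypted = stream_xor(sym_key, payload.encode())                          # step 3
    envelope = rsa_apply(receiver_kx_pub, int.from_bytes(sym_key, "big"))      # step 4
    return encrypted, envelope                                                 # step 5

def set_receive(encrypted, envelope, receiver_kx_priv, sender_sig_pub):
    sym_key = rsa_apply(receiver_kx_priv, envelope).to_bytes(8, "big")         # step 6
    fields = json.loads(stream_xor(sym_key, encrypted))                        # step 7
    message = bytes.fromhex(fields["msg"])
    return message, fields["cert"], verify_signature(sender_sig_pub, message, fields["sig"])

# Constructed key pairs from Mersenne primes (2^k - 1); 65537 divides neither phi(n).
SENDER_SIG_PUB, SENDER_SIG_PRIV = toy_rsa_keypair((1 << 31) - 1, (1 << 61) - 1)
RECEIVER_KX_PUB, RECEIVER_KX_PRIV = toy_rsa_keypair((1 << 89) - 1, (1 << 107) - 1)
```

The receiver never sees the symmetric key in the clear until the envelope is opened with its own private key-exchange key, and a single changed message byte makes the step-10 comparison fail.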
Entities of SET Protocol in Cyber Shopping
Figure: customers X and Y with digital wallets and an IC card reader; a Certificate Authority; an Electronic Shopping Mall with Merchant A and Merchant B; a Payment Gateway; and the Credit Card Brand, reached over an X.25 protocol link.

SET vs. SSL
- Complexity: SET is complex; SSL is simple.
- Scope: SET is tailored to credit card payment to merchants; SSL is a protocol for general-purpose secure message exchange (encryption).
- Privacy: the SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy; this scheme is called dual signature. The SSL protocol may use a certificate, but there is no payment gateway, so the merchants need to receive both the ordering information and the credit card information, because the capturing process has to be initiated by the merchants.

Electronic Fund Transfer (EFT) on the Internet
Figure: An Architecture of Electronic Fund Transfer on the Internet, with Payer and Payee on the Internet, two Cyber Banks each connected through a Payment Gateway to its Bank, and an Automated Clearinghouse reached over a VAN.

Debit Cards
- A delivery vehicle of cash in an electronic form
- Mondex and VisaCash applied this approach
- Either anonymous or onymous
- CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet

Financial EDI
- It is an EDI used for financial transactions
  - EDI is a standardized way of exchanging messages between businesses
  - EFT can be implemented using a Financial EDI system
- Safe Financial EDI needs to adopt a security scheme such as the one used for the SSL protocol
- An Extranet encrypts the packets exchanged between senders and receivers using public key cryptography

Electronic Cash and Micropayments / Electronic Money (cont.)
- Smart Cards
  - The concept of e-cash is used in the non-Internet environment
  - Plastic cards with magnetic stripes (old technology)
  - Include IC chips with programmable functions on them, which make the cards "smart"
  - One e-cash card for one application
  - Recharge the card only at designated locations, such as a bank office or a kiosk. Future: recharge at your PC
  - e.g. Mondex, HK$3,000 in Hong Kong
- Multiple Currencies
  - Can be used for cross-border payments

Contactless IC Cards
- Proximity Card
  - Used to access buildings and for paying on buses and in other transportation systems
  - Bus, subway and toll card in many cities
- Amplified Remote Sensing Card
  - Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
  - Pay tolls without stopping (e.g. Highway 91 in California)

Electronic Check Systems
Figure: Procedure of the Financial Service Technology Consortium Prototype. The Payer (workstation with a signature "card") composes a check, signature, remittance and invoice with certificates into a secure envelope, sent by e-mail or WWW; the Payee endorses and deposits the check (e-check line item, accounts receivable, mall statement); the Payer's Bank (debit account) and the Payee's Bank (credit account) clear the check through ACH/ECP.

Electronic Check Systems (cont.)
- Electronic Checkbook
  - Counterpart of the electronic wallet
  - To be integrated with the accounting information system of business buyers and with the payment server of sellers
  - To save the electronic invoice and receipt of payment in the buyer's and seller's computers for future retrieval
  - Example: SafeCheck
  - Used mainly in B2B
Figure: The Architecture of SafeCheck. The payer's checkbook agent issues a check over the Internet to the payee's check-receipt agent, which returns a receipt; the control agent of the payer's bank handles the request to screen check issuance (checkbook, screened result), the control agent of the payee's bank presents a report, and the two banks' A/C databases perform clearing.

Integrating Payment Methods
- Two potential consolidations:
  - The on-line electronic check is merging with EFT
  - The electronic check with a designated settlement date is merging with electronic credit cards
- Security First Network Bank (SFNB)
  - First cyberbank
  - Lower service charges to challenge the service fees of traditional banks
- Visa
  - VisaCash is a debit card
  - ePay is an EFT service

How Many Cards are Appropriate?
- An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
- The stored value in an IC card can be delivered in an anonymous mode
- Malaysia's Multimedia Super Corridor project pursues a One-Card system
- The Relationship Card by Visa is also attemp