南京财经大学电子商务双语版Chapter5electronicpaym

Chapter5electronicpaymentsystems5.1SecurityInElectronicPaymentsystems5.2ElectronicPaymentmethods5.3CaseofE-banking5.1SecurityInElectronicPaymentsystems5.1.1RequirementofSecurepaymentAuthenticity:thesender(eitherclientorserver)ofamessageiswhohe,sheoritclaimstobe.Privacy:thecontentsofamessagearesecretandonlyknowntothesenderandreceiver.Integrity:thecontentsofamessagearenotmodified(intentionallyoraccidentally)duringtransmission.Non-repudiation:thesenderofamessagecannotdenythathe,sheoritactuallysentthemessage.5.1.2PublicKeyInfrastructurePKIhasbecomethecornerstoneforsecuree-payments.AttheheartofPKIisencryption.Encryption:Theprocessofscrambling(encrypting)amessageinsuchawaythatitisdifficult,expensive,ortime-consumingforanunauthorizedpersontounscramble(decrypt)it.EncryptionhasfourbasicpartsPlaintextCiphertextEncryptionalgorithmkeyThetwomajorclassesofencryption:Symmetricsystems(withonesecretkey),Asymmetricsystems(withtwokeys)

密码学是关于应用加密算法对信息进行加密的科学。加密算法就是用基于数学计算方法与一串数字（密钥）对普通的文本（信息）进行编码，产生不可理解的密文的一系列步骤。发送方将消息在发送到公共网络或互联网之前进行加密，接收方收到消息后对其解码或称为解密，所用的程序称为解密程序，这是加密的逆过程。密码学原理字母ABC…Z空格，./:?明文010203…26272829303132密文181920…43444546474849加密与解密示例

例如：把英文26个字母表的顺序编号作为明文，将密钥定为17，将明文的编号加上17，就可以得到一个密码表：一个简单的密码表1.Symmetric(private)keysysteDES:standardsymmetricencryptionalgorithmPlaintextmessageCiphertextPlaintextmessageEncryptionprivatekeyDecryptionprivatekeysenderreceiver2.Asymmetric(public)keysystemRSA:themostcommonpublickeyencryptionalgorithmPlaintextmessageCiphertextPlaintextmessageEncryptionpublickeyDecryptionprivatekeysenderreceiver3.Digitalsignaturesinclude:Hash:

Amathematicalcomputationthatisappliedtoamessage,usingaprivatekey,toencryptthemessage.Messagedigest:

Asummaryofamessage,convertedintoastringofdigits,afterthehashhasbeenapplied.Digitalenvelope:

thecombinationoftheencryptedoriginalmessageandthedigitalsignature,usingtherecipient’spublickeyHash算法:不是加密算法，能产生信息的数字“指纹”(messagedigest)，主要用途是为了确保数据没有被篡改或发生变化，以维护数据的完整性。Hash算法的特性：能处理任意大小的信息，并能生成固定长度的信息摘要。信息摘要的大小与原信息的大小没有关系，原信息的一个微小变化都会对信息摘要产生和大的影响。具有不可逆性。（1）messageWithcontractMessagewithDigitalsignature（1）messageWithcontractMessagedigestDigitalsignatureDigitalenvelopeDigitalsignatureOriginalmessagedigestNewmessagedigest（2）senderapplieshashfunction(3)Senderencryptsusingsender’sprivatekey(4)Senderencryptsusingrecipient’spublickey(5)Sendere-mailstorecipient(6)Recipientdecryptsusingrecipient’sprivatekey(7)Recipientdecryptsusingsender’spublickey(8)Recipientapplieshashfunction(9)CompareformatchDigitalsignatures4.Certificateauthorities:Thirdpartiesthatissuedigitalcertificates.(电子商务认证中心)CA就是承担网上安全电子交易的认证服务的服务机构，它能签发数字证书，并能确认用户身份。CA的主要任务是受理数字证书的申请，签发及管理数字证书。Acertificatecontains:Theholder’snameValidityperiodPublickeyinformationAsignedhashofthecertificatedata5.SSLandSETSecuresocketlayer(SSL):protocolthatutilizesstandardcertificatesforauthenticationanddataencryptiontoensureprivacyorconfidentiality,inventedbyNetscape.Secureelectronictransaction(SET):AprotocoldesignedtoprovidesecureonlinecreditcardtransactionsforbothconsumersandjointlybyNetscape,Visa,MasterCard,andothers.SET协议与SSL协议的比较（1）SET是一个多方的报文协议，它定义了银行、商家、持卡人之间的必须的报文规范，而SSL只是简单地在两方之间建立了一条安全连接。（2）SET允许各方之间的报文交换不是实时的，而SSL则是面向连接的，必须实时的进行。（3）SET报文能够在银行内部网或者其他网络上传输，而SSL之上的卡支付系统只能与Web浏览器捆绑在一起。（4）SET的安全要求较高，因此所有参与SET交易的成员都必须申请数字证书，而SSL中只有商家端的服务器需要验证，客户段则是有选择的。5.2ElectronicPaymentMethods5.2.1E-paymenttoolsElectronicCardsElectroniccashElectroniccheckWhateverthee-paymentmethod,fivepartiesinvolvedine-payments:1.Customer/payer/buyer2.Merchant/payee/seller3.Issuer4.Regulator5.AutomatedClearingHouse(ACH)AutomatedClearingHouse(ACH):

Electronicnetworkthatconnectsallfinancialinstitutionsforthepurposeofmakingfundstransfers.5.2.2

Characteristicsofsuccessfule-paymentmethodsIndependenceInteroperabilityandportabilitySecurityAnonymityDivisibilityEaseofuseTransactionfeesCriticalmass5.2.3ElectronicCardsand

SmartCards1.Paymentcard:

ElectroniccardthatcontainsinformationthatcanbeusedforpaymentpurposesCreditcardsChargecardsDebitcardsCreditcard的付款过程持卡人商家支付网关开户银行发卡行认证中心（1）订单及信用卡号（2）审核（5）确认（6）确认（3）审核（4）批准认证认证认证

支付网关：连接Internet与银行网络，完成支付协议和现存银行交易系统协议之间的信息格式转换，支付网关须由收单行授权，再由CA发放数字证书。

支付网关的功能：确认商家身份、解密从持卡人处得到的支付指令，验证持卡人的证书与在购物中所使用的账号是否匹配，验证持卡人和商家申请信息的完整性等。ElectronicCardsand

SmartCards(cont.)2.Smartcard:Anelectroniccardcontaininganembeddedmicrochipthatenablespredefinedoperationsortheaddition,deletion,ormanipulationofinformationonthecard.ElectronicCardsand

SmartCards(cont.)Contactcard:Asmartcardcontainingasmallgoldplateonthefacethatwheninsertedinasmart-cardreadermakescontactandsopassesdatatoandfromtheembeddedmicrochip.Contactless(proximity)card:Asmartcardwithanembeddedantenna,bymeansofwhichdataandapplicationsarepassedtoandfromacardreaderunitorotherdevicewithoutcontactbetweenthecardandthecardreader5.2.4E-cashandE-checkE-cash:

Thedigitalequivalentofpapercurrencyandcoins,whichenablessecureandanonymouspurchaseoflow-priceditems.Micro-payments:smallpayments,usuallyunder$10.数字现金支付的特点匿名性可传递性可分性E-cash的支付过程（1）请求开设E-cash帐户（2）帐号（3）购买数字现金的请求（4）银行数字签名的数字现金（5）订单及加密的数字现金（6）加密的数字现金（8）确认（9）确认信息买方卖方银行数字现金库（7）核对E-CheckingE-check:TheelectronicversionorrepresentationofapapercheckEliminatetheneedforexpensiveprocessreengineeringandtakingadvantageofthebankingindustryCanbeusedbyallbankcustomerswhohavecheckingaccountsE-check的支付过程（1）注册申请（2）支票（3）订单和支票（6）确认（4）审核（5）确认（7）定期将电子支票存入银行帐户买方银行卖方9、春去春又回，新桃换旧符。在那桃花盛开的地方，在这醉人芬芳的季节，愿你生活像春天一样阳光，心情像桃花一样美丽，日子像桃子一样甜蜜。2月-252月-25Thursday,February13,202510、人的志向通常和他们的能力成正比例。14:31:3014:31:3014:312/13/20252:31:30PM11、夫学须志也，才须学也，非学无以广才，非志无以成学。2月-2