
CENTRAL UNIVERSITY OF BIHAR

PROJECT REPORT ON SECURE ELECTRONIC TRANSACTION

Submitted by
Subhash Prasad
3rd Sem MSc (CS)
Enrolment No-CUB1302312014
Dept of Computer Science
CUB Patna

Submitted to
Mr. Nemi Chandra Rathore
Dept of Computer Science
CUB Patna

INTRODUCTION
WHAT IS SECURE ELECTRONIC TRANSACTION:
SET is an open encryption and security specification designed to protect
credit card transactions on the Internet. It is the protocol used by every
credit card company to protect credit card transactions. When we use a
credit card to buy a product online and pay for it, Secure Electronic
Transaction helps ensure that third parties cannot access our credit card
for fraudulent purposes. We use the Internet to pay the merchant by credit
card, but the channel is not secure. Since we cannot be sure that the channel
is secure, the Secure Electronic Transaction protocol uses algorithms to
secure the payment process, so that no hacker or fraudulent party is able to
access our credit card.

REQUIREMENTS THAT SECURE ELECTRONIC TRANSACTION MUST PROVIDE:
Provide confidentiality of ordering and payment information.
Ensure the integrity of all transmitted data.
Provide authentication that a cardholder is a legitimate user of a credit
card account.
Provide authentication that a merchant can accept credit card transactions
through its relationship with a financial institution.

HISTORY OF SECURE ELECTRONIC TRANSACTION:
Secure Electronic Transaction was developed by the SET Consortium,
established in 1996 by VISA and MasterCard in cooperation. The consortium's
goal was to combine the card associations' similar but incompatible
protocols into a single standard. MasterCard and Visa realized that, for
e-commerce payment processing, software vendors were coming up with new and
conflicting standards, mainly Microsoft on one hand and IBM on the other.
After this there were many improvements in the area of secure electronic
transactions, because the major issue is to provide security for the credit
card holder.

Secure Electronic Transaction allowed parties to exchange information
securely and to identify each other, without that information becoming known
to a third party or unauthorized person who is not part of the system. The
consortium provides a certificate to every party, based on X.509, and all the
rules, regulations and criteria are mentioned in this certificate. The SET
consortium used cryptographic algorithms to encrypt the secure message into a
form that cannot be understood, so that unauthorized parties are not able to
decrypt the message or understand its content. The consortium provides a
certificate for each user's credit card number uniquely.

SET became a standard payment method on the Internet between merchants,
buyers and credit card companies. However, it did not gain much publicity
from the market or from buyers, and it did not achieve widespread use among
users, buyers or credit card companies. Some of the reasons are given below.

Network effect: the need to install client software.
Cost and complexity for merchants to offer support, contrasted with the
comparatively low cost and simplicity of the existing SSL-based alternative.
Client-side certificate distribution logistics.

KEY FEATURES:

Confidentiality of information.
A credit card holder's personal and payment information is secured as it
travels across the network. One of the most interesting features of Secure
Electronic Transaction is that the seller, as merchant, never sees the credit
card number of the card holder provided by the bank. To achieve
confidentiality of information, the Secure Electronic Transaction protocol
uses the Data Encryption Standard (DES), because DES provides
confidentiality.

Integrity of data.
Payment information sent from card holders to merchants includes order
information, personal information and payment instructions. Secure Electronic
Transaction guarantees that these message contents are not changed by a third
party or adversary. This is needed because all the message contents are sent
over an insecure channel. SET uses RSA for the digital signature, which means
checking the message contents and whether the message came from a valid
source or not.

Cardholder account authentication.
Secure Electronic Transaction enables merchants to verify that a card holder
has a valid card account number. The protocol uses X.509 certificates and
digital signatures to verify the card holder's account. Without proper
verification of the card holder's account, no processing is done.

Merchant authentication.
Secure Electronic Transaction enables cardholders to verify that a merchant
has a relationship with a financial institution allowing it to accept payment
cards. Here too an X.509 certificate is used to verify the merchant. Every
merchant also has a unique X.509 certificate. The protocol uses RSA for
verifying the merchant's authentication.

X.509 AUTHENTICATION SERVICE:
This is an authentication service which includes a public certificate
associated uniquely with each user. Certificates are created by a trusted
authority (Certificate Authority); generally this is the government
authority. The certificate is present in the public domain, which means
everyone is able to see it. The certificate authority signs two keys for a
single financial institution. The institution makes one key public and keeps
the other key secret; the secret key is not known to anyone else, not even
to the certifying authority.
X.509 CERTIFICATE FORMAT:-

SECURE ELECTRONIC TRANSACTION PARTICIPANTS:

Cardholder
This is an authorized holder of a payment card, such as MasterCard or VISA,
that has been issued by an authorized issuer. Credit card companies issue
the credit card to users who take the service from the issuing company. The
card is verified by the issuing company. Only a valid card holder can take
the service from the issuing credit card company.

Merchant
A merchant is a business person or business organization that trades in
products to earn a profit. The merchant or business organization sells its
product to the buyer and takes payment by credit card. A merchant that
accepts credit cards must have a relationship with an acquirer.

Issuer
Generally, banks provide the credit card service to users. Banks such as
SBI, ICICI and HDFC issue credit cards to their users so that they can buy
products by credit card.

Acquirer
An acquiring bank is a bank or financial institution that processes credit
or debit card payments on behalf of a merchant. This is a financial
institution that establishes an account with the merchant and processes
credit card authorizations and payments. The acquirer provides authorization
to the merchant that a given card account is active and that the proposed
purchase does not exceed the credit limit.

Payment gateway
The payment gateway is a function that provides the interface between Secure
Electronic Transaction and the back end or card holder. Ensuring that your
payment is carried out securely is the task of the payment gateway.

Certification authority
The certificate authority is the authority that provides the digital
signature. It provides the public key for the card holder, merchant and
payment gateway. The public key and digital signature are present in the
public domain for everyone.

EVENTS REQUIRED FOR A SUCCESSFUL SET TRANSACTION:

Customer opens an account:
The customer gets a credit account from a credit card issuing organization
that supports electronic payment and Secure Electronic Transaction.

Customer receives a certificate:
The customer receives an X.509 certificate signed by the particular
organization that provides the credit card account.

Merchant certificates:
The merchant also has certificates. The merchant must have two certificates
for the two public keys it owns: one is used for signing messages and one
for key exchange. The merchant also needs a copy of the payment gateway's
public-key certificate.

Customer places order:
His certificate
His order details, unencrypted
His bank account details, encrypted with the bank's public key

Merchant verification:
The merchant sends an order form to the customer, as well as a copy of the
merchant's certificate, so the customer can verify that he is dealing with a
valid store.

Order and payment sent:
The customer sends the order details and payment details, as well as the
customer certificate, to the merchant. The merchant can verify whether it is
dealing with a valid customer or not.

Merchant requests PI authorization:
The merchant forwards the PI to the payment gateway, to determine whether
the customer has sufficient funds/credit for the purchase.

Merchant confirms the order:
The merchant sends a confirmation message to the customer, stating whether
the order has been confirmed or not.

Merchant ships goods and services:
The merchant ships the goods according to the customer's details.

Merchant requests payment:
This request for payment is sent to the payment gateway, which handles
payment processing.

DUAL SIGNATURE:
The purpose of the dual signature is to link two messages that are intended
for two different recipients. In this case, the customer wants to send the
order information (OI) to the merchant and the payment information (PI) to
the bank. The merchant doesn't need to know the customer's credit card
number, and the bank doesn't need to know the details of the customer's
order. The customer is afforded extra protection in terms of privacy by
keeping these two items separate. However, the two items must be linked in
a way that can be used to resolve disputes if necessary. The link is needed
so that the customer can prove that this payment is intended for this order
and not for some other goods or services.

PAYMENT GATEWAY AUTHORIZATION:

verifies all certificates
decrypts digital envelope of authorization block to obtain symmetric key &
then decrypts authorization block
verifies merchant's signature on authorization block
decrypts digital envelope of payment block to obtain symmetric key & then
decrypts payment block
verifies dual signature on payment block
verifies that transaction ID received from merchant matches that in PI
received (indirectly) from customer
requests & receives an authorization from issuer
sends authorization response back to merchant
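
The dual signature described above, and the gateway's checks of it and of the transaction ID, can be sketched as follows. This is an added example, not part of the original report: it uses the standard SET construction, in which the cardholder signs H(H(PI) || H(OI)), which the report does not spell out. The toy RSA key, the "key=value" message format and all function names are assumptions made for illustration.

```python
import hashlib

# Toy cardholder RSA key (constructed for this example): textbook RSA, no
# padding, built from two small Mersenne primes. Not a usable key size.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def h(data: bytes) -> bytes:
    """Message digest; SET specified SHA-1, kept here for fidelity."""
    return hashlib.sha1(data).digest()


def pomd(pimd: bytes, oimd: bytes) -> int:
    """Payment-order digest H(PIMD || OIMD) as an integer smaller than N."""
    return int.from_bytes(h(pimd + oimd), "big")


def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: sign the hash of the two concatenated digests."""
    return pow(pomd(h(pi), h(oi)), D, N)


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI in the clear but only the digest of PI."""
    return pow(ds, E, N) == pomd(pimd, h(oi))


def txn_id(msg: bytes) -> str:
    """Pull the txn field out of a 'key=value;...' message (constructed format)."""
    return dict(f.split("=", 1) for f in msg.decode().split(";"))["txn"]


def gateway_verify(pi: bytes, oimd: bytes, ds: int, merchant_txn: str) -> bool:
    """Gateway holds PI but only the digest of OI; also matches the txn ID."""
    return pow(ds, E, N) == pomd(h(pi), oimd) and txn_id(pi) == merchant_txn


# Constructed sample messages (test card number, not a real account).
PI = b"txn=1001;card=4111111111111111;amount=49.99"
OI = b"txn=1001;item=book;qty=1"
DS = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, h(PI), DS))
    print("gateway accepts: ", gateway_verify(PI, h(OI), DS, txn_id(OI)))
    print("swapped order:   ", merchant_verify(b"txn=1001;item=tv;qty=1", h(PI), DS))
```

Neither verifier ever receives the other party's message in the clear, yet substituting a different order or payment on either side makes the check fail.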

THANK YOU.
REGARDS
SUBHASH PRASAD
