南京财经大学电子商务双语版Chapter5electronicpaym

Chapter5electronicpaymentsystems5.1SecurityInElectronicPaymentsystems5.2ElectronicPaymentmethods5.3CaseofE-banking5.1SecurityInElectronicPaymentsystems5.1.1RequirementofSecurepayment•Authenticity:thesender(eitherclientorserver)ofamessageiswhohe,sheoritclaimstobe.•Privacy:thecontentsofamessagearesecretandonlyknowntothesenderandreceiver.•Integrity:thecontentsofamessagearenotmodified(intentionallyoraccidentally)duringtransmission.•Non-repudiation:thesenderofamessagecannotdenythathe,sheoritactuallysentthemessage.5.1.2PublicKeyInfrastructurePKIhasbecomethecornerstoneforsecuree-payments.AttheheartofPKIisencryption.Encryption:Theprocessofscrambling(encrypting)amessageinsuchawaythatitisdifficult,expensive,ortime-consumingforanunauthorizedpersontounscramble(decrypt)it.Encryptionhasfourbasicparts•Plaintext•Ciphertext•Encryptionalgorithm•keyThetwomajorclassesofencryption:•Symmetricsystems(withonesecretkey),•Asymmetricsystems(withtwokeys)密码学是关于应用加密算法对信息进行加密的科学。加密算法就是用基于数学计算方法与一串数字（密钥）对普通的文本（信息）进行编码，产生不可理解的密文的一系列步骤。发送方将消息在发送到公共网络或互联网之前进行加密，接收方收到消息后对其解码或称为解密，所用的程序称为解密程序，这是加密的逆过程。密码学原理字母ABC…Z空格，./:?明文010203…26272829303132密文181920…43444546474849加密与解密示例例如：把英文26个字母表的顺序编号作为明文，将密钥定为17，将明文的编号加上17，就可以得到一个密码表：一个简单的密码表1.Symmetric(private)keysysteDES:standardsymmetricencryptionalgorithmPlaintextmessageCiphertextPlaintextmessageEncryptionprivatekeyDecryptionprivatekeysenderreceiver2.Asymmetric(public)keysystemRSA:themostcommonpublickeyencryptionalgorithmPlaintextmessageCiphertextPlaintextmessageEncryptionpublickeyDecryptionprivatekeysenderreceiver3.Digitalsignaturesinclude:Hash:Amathematicalcomputationthatisappliedtoamessage,usingaprivatekey,toencryptthemessage.Messagedigest:Asummaryofamessage,convertedintoastringofdigits,afterthehashhasbeenapplied.Digitalenvelope:thecombinationoftheencryptedoriginalmessageandthedigitalsignature,usingtherecipient’spublickeyHash算法:不是加密算法，能产生信息的数字“指纹”(messagedigest)，主要用途是为了确保数据没有被篡改或发生变化，以维护数据的完整性。Hash算法的特性：•能处理任意大小的信息，并能生成固定长度的信息摘要。•信息摘要的大小与原信息的大小没有关系，原信息的一个微小变化都会对信息摘要产生和大的影响。•具有不可逆性。（1）messageWithcontractMessagewithDigitalsignature（1）messageWithcontractMessagedigestDigitalsignatureDigitalenvelopeDigitalsignatureOriginalmessagedigestNewmessagedigest（2）senderapplieshashfunction(3)Senderencryptsusingsender’sprivatekey(4)Senderencryptsusingrecipient’spublickey(5)Sendere-mailstorecipient(6)Recipientdecryptsusingrecipient’sprivatekey(7)Recipientdecryptsusingsender’spublickey(8)Recipientapplieshashfunction(9)CompareformatchDigitalsignatures4.Certificateauthorities:Thirdpartiesthatissuedigitalcertificates.(电子商务认证中心)CA就是承担网上安全电子交易的认证服务的服务机构，它能签发数字证书，并能确认用户身份。CA的主要任务是受理数字证书的申请，签发及管理数字证书。Acertificatecontains:•Theholder’sname•Validityperiod•Publickeyinformation•Asignedhashofthecertificatedata5.SSLandSETSecuresocketlayer(SSL):protocolthatutilizesstandardcertificatesforauthenticationanddataencryptiontoensureprivacyorconfidentiality,inventedbyNetscape.Secureelectronictransaction(SET):AprotocoldesignedtoprovidesecureonlinecreditcardtransactionsforbothconsumersandjointlybyNetscape,Visa,MasterCard,andothers.SET协议与SSL协议的比较（1）SET是一个多方的报文协议，它定义了银行、商家、持卡人之间的必须的报文规范，而SSL只是简单地在两方之间建立了一条安全连接。（2）SET允许各方之间的报文交换不是实时的，而SSL则是面向连接的，必须实时的进行。（3）SET报文能够在银行内部网或者其他网络上传输，而SSL之上的卡支付系统只能与Web浏览器捆绑在一起。（4）SET的安全要求较高，因此所有参与SET交易的成员都必须申请数字证书，而SSL中只有商家端的服务器需要验证，客户段则是有选择的。5.2ElectronicPaymentMethods5.2.1E-paymenttoolsElectronicCardsElectroniccashElectroniccheckWhateverthee-paymentmethod,fivepartiesinvolvedine-payments:1.Customer/payer/buyer2.Merchant/payee/seller3.Issuer4.Regulator5.AutomatedClearingHouse(ACH)AutomatedClearingHouse(ACH):Electronicnetworkthatconnectsallfinancialinstitutionsforthepurposeofmakingfundstransfers.5.2.2Characteristicsofsuccessfule-paymentmethods•Independence•Interoperabilityandportability•Security•Anonymity•Divisibility•Easeofuse•Transactionfees•Criticalmass5.2.3ElectronicCardsandSmartCards1.Paymentcard:Electroniccardthatcontainsinformationthatcanbeusedforpaymentpurposes•Creditcards•Chargecards•DebitcardsCreditcard的付款过程持卡人商家支付网关开户银行发卡行认证中心（1）订单及信用卡号（2）审核（5）确认（6）确认（3）审核（4）批准认证认证认证支付网关：连接Internet与银行网络，完成支付协议和现存银行交易系统协议之间的信息格式转换，支付网关须由收单行授权，再由CA发放数字证书。支付网关的功能：确认商家身份、解密从持卡人处得到的支付指令，验证持卡人的证书与在购物中所使用的账号是否匹配，验证持卡人和商家申请信息的完整性等。ElectronicCardsandSmartCards(cont.)2.Smartcard:Anelectroniccardcontaininganembeddedmicrochipthatenablespredefinedoperationsortheaddition,deletion,ormanipulationofinformationonthecard.ElectronicCardsandSmartCards(cont.)Contactcard:Asmartcardcontainingasmallgoldplateonthefacethatwheninsertedinasmart-cardreadermakescontactandsopassesdatatoandfromtheembeddedmicrochip.Contactless(proximity)card:Asmartcardwithanembeddedantenna,bymeansofwhichdataandapplicationsarepassedtoandfromacardreaderunitorotherdevicewithoutcontactbetweenthecardandthecardreader5.2.4E-cashandE-checkE-cash:Thedigitalequivalentofpapercurrencyandcoins,whichenablessecureandanonymouspurchaseoflow-priceditems.Micro-payments:smallpayments,usuallyunder$10.数字现金支付的特点•匿名性•可传递性•可分性E-cash的支付过程（1）请求开设E-cash帐户（2）帐号（3）购买数字现金的请求（4）银行数字签名的数字现金（5）订单及加密的数字现金