Secure Credit Card Transactions on an Untrusted Channel

Source: Information Sciences in review

Presenter: Tsuei-Hung Sun (孫翠鴻)

Date: 2010/9/24


Outline

• Introduction

• Motivation

• Scheme

• Security analysis

• Performance evaluation

• Advantage vs. weakness

• Comment


Introduction

• Credit card-based payment system

• Entities: customer, merchant, credit card issuer and bank.

• Credit card: credit card number, Card Verification Value (CVV).

• Transaction: billing digest, information about the customer.


Introduction

• Secure Socket Layer (SSL)

– Establishes a trusted connection between two parties.

• HTTPS (Secure HTTP)

– Sends messages securely using SSL.

• Both need public keys and certificates, and their operation is complex.


Motivation

• SSL and HTTPS are complex because they involve key-management, user credentials and certificates.

• Smart cards require extra infrastructure such as a smart card reader and middleware.

• This paper aims to make transactions simpler and security easier to achieve.


Scheme

[Figure: overview of the scheme. Surviving labels: "(ex. customer credit card data)", "Credit card confidentially", "Common key K_BMi".]


Scheme

• UI1: customer-related non-critical data.

• UI2: data of importance to the merchant.

• UCI: customer critical information.

• CVV: Card Verifier Value.

• T: time stamp.

• TID: transaction ID.

• rc and rm: response values generated by the issuer.

• $h = H_{CVV}(UI_1, UCI, T, CVV)$

• $T_{ID} = H(h, UI_1, T)$

1. Request phase

2. Verification phase

3. Authentication phase

4. Response phase


Scheme

• Authentication phase

– The issuer has a database containing customer credit card data.

A1 Retrieve CVV and UCI from the database.

A2 Compute hash value h1.

A3 Compare h and h1 for consistency.

A4 Generate response values.

A5 Send acknowledgement to the bank.

Accept:

$r_m = E_{K_{BM_i}}(T_{ID}, \text{Yes})$

$r_c = H_{CVV}(T_{ID}, \text{Yes})$

Reject:

$r_m = E_{K_{BM_i}}(T_{ID}, \text{No})$

$r_c = H_{CVV}(T_{ID}, \text{No})$

$K_{BM_i}$: common key between the bank and the merchant i.
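The customer request and issuer steps A1 to A4 can be traced in code; the following is an added example, not taken from the slides or the paper. It assumes HMAC-SHA256 for the keyed hash H_CVV, SHA-256 for H, a 300-second freshness window for T, and UI1 as the database lookup key; r_m is omitted because it needs a symmetric cipher under K_BMi.

```python
import hashlib
import hmac

MAX_SKEW = 300  # assumed freshness window in seconds; the slides give no value

# Constructed sample record; using UI1 as the lookup key is an assumption.
SAMPLE_DB = {"cust-001": {"UCI": "0000-0000-0000-0000", "CVV": "123"}}

def _encode(*fields):
    # Length-prefix every field so that field boundaries are unambiguous.
    parts = [str(f).encode() for f in fields]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def h_cvv(cvv, *fields):
    # H_CVV(...): keyed hash under the CVV, instantiated here as HMAC-SHA256.
    return hmac.new(cvv.encode(), _encode(*fields), hashlib.sha256).hexdigest()

def make_request(ui1, uci, cvv, t):
    # Customer side: h = H_CVV(UI1, UCI, T, CVV) and TID = H(h, UI1, T).
    h = h_cvv(cvv, ui1, uci, t, cvv)
    tid = hashlib.sha256(_encode(h, ui1, t)).hexdigest()
    return {"UI1": ui1, "T": t, "h": h, "TID": tid}

def issuer_authenticate(req, db, now):
    # A1: retrieve CVV and UCI from the issuer database.
    rec = db.get(req["UI1"])
    if rec is None:
        return False, None
    # A2: recompute the hash from the stored values.
    h1 = h_cvv(rec["CVV"], req["UI1"], rec["UCI"], req["T"], rec["CVV"])
    # A3: compare h and h1 in constant time; stale time stamps are rejected.
    fresh = abs(now - req["T"]) <= MAX_SKEW
    ok = fresh and hmac.compare_digest(h1, req["h"])
    # A4: r_c = H_CVV(TID, Yes) on accept, H_CVV(TID, No) on reject.
    return ok, h_cvv(rec["CVV"], req["TID"], "Yes" if ok else "No")

def customer_check(r_c, cvv, tid):
    # Customer recomputes both possible responses and matches the one received.
    for answer in ("Yes", "No"):
        if hmac.compare_digest(r_c, h_cvv(cvv, tid, answer)):
            return answer
    return None
```

Because r_c is keyed with the CVV held in the issuer database, a party that does not know the CVV cannot turn a "No" response into a valid "Yes".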


Security analysis

• Replay Attack

• Forgery Attack

• Man-in-the-Middle Attack

• Guessing Attack


Performance evaluation

• Complexity Comparison

– Request phase: XOR operation, hash operation (bank).

– Verification phase: hash operation (merchant), intersection operation (issuer).

– Authentication phase: XOR operations (issuer).


Advantage vs. weakness

• Advantage

– Resists 4 important types of attack.

– Needs no complex computation.

– Needs no extra overhead such as a smart card, reader and middleware.

– Uses only a hash function and a common key.

– Uses only a one-round protocol.

• Weakness

– The common key may be weak.