SPP Secure Payment Protocol: Protocol Analysis, Implementation and Extensions

Kovan, Gerry

January 2005

Internet commerce continues to grow rapidly. Over 60% of US households use the internet to shop online. A secure payment protocol is required to support this rapid growth. A new payment protocol was recently invented at IBM. We refer to the protocol as SPP or Secure Payment Protocol. This thesis presents a protocol analysis of SPP. It is essential that a thorough security analysis be done on any new payment protocol so that we can better understand its security properties. We first develop a method for analyzing payment protocols. This method includes a list of desirable security features and a list of proofs that should be satisfied. We then present the results of the analysis. These results validate that the protocol does contain many security features and properties. They also help understand the security properties and identify areas where the protocol can be further secured. This led us to extend the design of the protocol to enhance its security. This thesis also presents a prototype implementation of SPP. Three software components were implemented. They are the Electronic Wallet component, the merchant software component and the Trusted Third Party component. The architecture and technologies that are required for implementation are discussed. The prototype is then used in performance measurement experiments. Results on system performance as a function of key size are presented. Finally, this thesis presents an extension of SPP to support a two buyer scenario. In this scenario one buyer makes an order while another buyer makes the payment. This scenario enables additional commerce services.

Computer Science

Secure Payment Protocol

Internet Commerce

Public Key Cryptography

SSL

Digital Signatures

SPP Secure Payment Protocol: Protocol Analysis, Implementation and Extensions

Kovan, Gerry

January 2005

Internet commerce continues to grow rapidly. Over 60% of US households use the internet to shop online. A secure payment protocol is required to support this rapid growth. A new payment protocol was recently invented at IBM. We refer to the protocol as SPP or Secure Payment Protocol. This thesis presents a protocol analysis of SPP. It is essential that a thorough security analysis be done on any new payment protocol so that we can better understand its security properties. We first develop a method for analyzing payment protocols. This method includes a list of desirable security features and a list of proofs that should be satisfied. We then present the results of the analysis. These results validate that the protocol does contain many security features and properties. They also help understand the security properties and identify areas where the protocol can be further secured. This led us to extend the design of the protocol to enhance its security. This thesis also presents a prototype implementation of SPP. Three software components were implemented. They are the Electronic Wallet component, the merchant software component and the Trusted Third Party component. The architecture and technologies that are required for implementation are discussed. The prototype is then used in performance measurement experiments. Results on system performance as a function of key size are presented. Finally, this thesis presents an extension of SPP to support a two buyer scenario. In this scenario one buyer makes an order while another buyer makes the payment. This scenario enables additional commerce services.

Computer Science

Secure Payment Protocol

Internet Commerce

Public Key Cryptography

SSL

Digital Signatures

Analýza vybraných platebních protokolů / Analysis of Selected Payment Protocols

Kučerová, Petra

January 2010

The aim of the master's thesis "Analysis of Selected Payment Protocols" is overview of used payment. The first part is concentrated on data security, the second is dedicated to payment protocols, their characteristics, used technology and security elements. The third part is dedicated to verification and simulation tools. Comparison of particular payment protocols and of particular verification tools is part of this work too. Experimental part of the thesis is focused on formalization and verification of the payment protocol Visa 3-D Secure, of the protocol NetBill and on formalization of two subprotocols of SET.

Mise en oeuvre d’une approche sociotechnique de la vie privée pour les systèmes de paiement et de recommandation en ligne

EL Haddad, Ghada

12 1900

Depuis ses fondements, le domaine de l’Interaction Homme-Machine (IHM) est marqué par le souci constant de concevoir et de produire des systèmes numériques utiles et utilisables, c’est-à-dire adaptés aux utilisateurs dans leur contexte. Vu le développement exponentiel des recherches dans les IHM, deux états des lieux s’imposent dans les environnements en ligne : le concept de confiance et le comportement de l’usager. Ces deux états ne cessent de proliférer dans la plupart des solutions conçues et sont à la croisée des travaux dans les interfaces de paiements en ligne et dans les systèmes de recommandation. Devant les progrès des solutions conçues, l’objectif de cette recherche réside dans le fait de mieux comprendre les différents enjeux dans ces deux domaines, apporter des améliorations et proposer de nouvelles solutions adéquates aux usagers en matière de perception et de comportement en ligne. Outre l’état de l’art et les problématiques, ce travail est divisé en cinq parties principales, chacune contribue à mieux enrichir l’expérience de l’usager en ligne en matière de paiement et recommandations en ligne : • Analyse des multi-craintes en ligne : nous analysons les différents facteurs des sites de commerce électronique qui influent directement sur le comportement des consommateurs en matière de prise de décision et de craintes en ligne. Nous élaborons une méthodologie pour mesurer avec précision le moment où surviennent la question de la confidentialité, les perceptions en ligne et les craintes de divulgation et de pertes financières. • Intégration de personnalisation, contrôle et paiement conditionnel : nous proposons une nouvelle plateforme de paiement en ligne qui supporte à la fois la personnalisation et les paiements multiples et conditionnels, tout en préservant la vie privée du détenteur de carte. • Exploration de l’interaction des usagers en ligne versus la sensibilisation à la cybersécurité : nous relatons une expérience de magasinage en ligne qui met en relief la perception du risque de cybercriminalité dans les activités en ligne et le comportement des utilisateurs lié à leur préoccupation en matière de confidentialité. • Équilibre entre utilité des données et vie privée : nous proposons un modèle de préservation de vie privée basé sur l’algorithme « k-means » et sur le modèle « k-coRating » afin de soutenir l’utilité des données dans les recommandations en ligne tout en préservant la vie privée des usagers. • Métrique de stabilité des préférences des utilisateurs : nous ciblons une meilleure méthode de recommandation qui respecte le changement des préférences des usagers par l’intermédiaire d’un réseau neural. Ce qui constitue une amélioration à la fois efficace et performante pour les systèmes de recommandation. Cette thèse porte essentiellement sur quatre aspects majeurs liés : 1) aux plateformes des paiements en ligne, 2) au comportement de l’usager dans les transactions de paiement en ligne (prise de décision, multi-craintes, cybersécurité, perception du risque), 3) à la stabilité de ses préférences dans les recommandations en ligne, 4) à l’équilibre entre vie privée et utilité des données en ligne pour les systèmes de recommandation. / Technologies in Human-Machine Interaction (HMI) are playing a vital role across the entire production process to design and deliver advanced digital systems. Given the exponential development of research in this field, two concepts are largely addressed to increase performance and efficiency of online environments: trust and user behavior. These two extents continue to proliferate in most designed solutions and are increasingly enriched by continuous investments in online payments and recommender systems. Along with the trend of digitalization, the objective of this research is to gain a better understanding of the various challenges in these two areas, make improvements and propose solutions more convenient to the users in terms of online perception and user behavior. In addition to the state of the art and challenges, this work is divided into five main parts, each one contributes to better enrich the online user experience in both online payments and system recommendations: • Online customer fears: We analyze different components of the website that may affect customer behavior in decision-making and online fears. We focus on customer perceptions regarding privacy violations and financial loss. We examine the influence on trust and payment security perception as well as their joint effect on three fundamentally important customers’ aspects: confidentiality, privacy concerns and financial fear perception. • Personalization, control and conditional payment: we propose a new online payment platform that supports both personalization and conditional multi-payments, while preserving the privacy of the cardholder. • Exploring user behavior and cybersecurity knowledge: we design a new website to conduct an experimental study in online shopping. The results highlight the impact of user’s perception in cybersecurity and privacy concerns on his online behavior when dealing with shopping activities. • Balance between data utility and user privacy: we propose a privacy-preserving method based on the “k-means” algorithm and the “k-coRating” model to support the utility of data in online recommendations while preserving user’s privacy. • User interest constancy metric: we propose a neural network to predict the user’s interests in recommender systems. Our aim is to provide an efficient method that respects the constancy and variations in user preferences. In this thesis, we focus on four major contributions related to: 1) online payment platforms, 2) user behavior in online payments regarding decision making, multi-fears and cyber security 3) user interest constancy in online recommendations, 4) balance between privacy and utility of online data in recommender systems.

Vie privée

Paiements en ligne

Protocole

Protection des données

Contrôle

Système de recommandation

Cyber sécurité

Filtrage collaboratif

Privacy

Online payment

Payment protocol

Data protection

Data control

Recommender system

Cybersecurity

Collaborative filtering