Enhancing the security of electronic commerce transactions
This thesis looks at the security of electronic commerce transaction processing. It begins with an introduction to security terminology used in the thesis. Security requirements for card payments via the Internet are then described, as are possible protocols for electronic transaction processing. It appears that currently the Secure Socket Layer (SSL) protocol together with its standardised version Transport Layer Security (TLS) are the most widely used means to secure electronic transactions made over the Internet. Therefore, the analysis and discussions presented in the remainder of the thesis are based on the assumption that this protocol provides a 'baseline' level of security, against which any novel means of security should be measured.
The SSL and TLS protocols are analysed with respect to how well they satisfy the outlined security requirements. As SSL and TLS provide transport layer security, and some of the security requirements are at the application level, it is not surprising that they do not address all the identified security requirements.
As a result, in this thesis, we propose four protocols that can be used to build upon the security features provided by SSL/TLS. The main goal is to design schemes that enhance the security of electronic transaction processing whilst imposing minimal overheads on the involved parties. In each case, a description of the new scheme is given, together with its advantages and limitations. In the first protocol, we propose a way to use an EMV card to improve the security of online transactions. The second protocol involves the use of the GSM subscriber authentication service to provide user authentication over the Internet. Thirdly, we propose the use of the GSM data confidentiality service to protect sensitive information as well as to ensure user authentication.
Regardless of the protection scheme employed for the transactions, there exist threats to all PCs used to conduct electronic commerce transactions. These residual threats are examined, and motivate the design of the fourth protocol, proposed specifically to address cookie threats.
Enhancing e-commerce security using GSM authentication
Today, e-commerce transactions are typically protected using SSL/TLS. However, there are risks in such use of SSL/TLS, notably threats arising from the fact that information is stored in clear at the end point of the communication link and the lack of user authentication. Although SSL/TLS does offer the latter, it is optional and usually omitted since users typically do not have the necessary asymmetric key pair. In this paper, we propose a payment protocol in which user authentication is provided using GSM 'subscriber identity authentication'. In the protocol, a consumer is required to possess a GSM mobile station registered under a subscriber name corresponding to that on his/her debit/credit card. The cardholder identity is combined with the GSM subscriber identity in such a way that without a mobile station, in particular the SIM, and the corresponding debit/credit card, an unscrupulous user will find it difficult to make a fraudulent payment at the expense of the legitimate cardholder. This is achieved in such a way that no management overhead is imposed on the user.