Principles of Online Banking Payment

Uploader: 抢*** Document ID: 243037201 Uploaded: 2024-09-14 Format: PPT Pages: 36 Size: 1,018.50KB
Computer Auditing, Hugh Yan
Deck footer: E-Commerce and E-Government, Yan Huqin

Electronic Payment Systems and Security (Principles of Online Payment)

Learning Objectives
- Describe typical electronic payment systems for EC
- Identify the security requirements for safe electronic payments
- Describe the typical security schemes used to meet the security requirements
- Identify the players and procedures of the electronic credit card system on the Internet
- Discuss the relationship between the SSL and SET protocols
- Discuss the relationship between electronic fund transfer and debit cards
- Describe the characteristics of a stored value card
- Classify and describe the types of IC cards used for payments
- Discuss the characteristics of electronic check systems

SSL vs. SET: Who Will Win?
- A part of SSL (Secure Socket Layer) is available on customers' browsers
  - it is basically an encryption mechanism for order taking, queries and other applications
  - it does not protect against all security hazards
  - it is mature, simple, and widely used
- SET (Secure Electronic Transaction) is a very comprehensive security protocol
  - it provides for privacy, authenticity, integrity, and non-repudiation
  - it is used very infrequently due to its complexity and the need for a special card reader by the user
  - it may be abandoned if it is not simplified/improved

Payments, Protocols and Related Issues
- SET protocol is for credit card payments
- Electronic cash and micropayments
- Electronic fund transfer on the Internet
- Stored value cards and electronic cash
- Electronic check systems
- Security requirements

Payments, Protocols and Related Issues (cont.)
- Authentication: a way to verify the buyer's identity before payments are made
- Integrity: ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
- Encryption: a process of making messages indecipherable except by those who have an authorized decryption key
- Non-repudiation: merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchant's unjustifiable denial of past payment

Security Schemes
Secret Key Cryptography (symmetric)
[Figure: Sender encrypts the Original Message with Key_sender (= Key_receiver) into a Scrambled Message, which crosses the Internet; the Receiver decrypts it with Key_receiver back to the Original Message.]
- Symmetric encryption is like a lock with two identical keys held by two different people: one person locks it, and the other opens it with the same key.

Public Key Cryptography
[Figure: Sender encrypts the Original Message with the receiver's Public Key into a Scrambled Message, which crosses the Internet; the Receiver decrypts it with the receiver's Private Key.]

Security Schemes (cont.)
Digital Signature
[Figure: Sender encrypts the Original Message with the sender's Private Key into a Scrambled Message; the Receiver decrypts it with the sender's Public Key.]
- A digital signature is attached by a sender to a message encrypted in the receiver's public key
- The receiver is the only one that can read the message, and at the same time he is assured that the message was indeed sent by the sender
- Sender encrypts a message with her private key
- Any receiver with the sender's public key can read it
- Analogous to a handwritten signature

Certificate
[Figure: sample certificate. Name: "Richard"; Key-Exchange Key: ...; Signature Key: ...; Serial #: 29483756; Other Data: 10236283025273; Expires: 6/18/2005; Signed: CA's Signature]
- Identifies the holder of a public key (Key-Exchange)
- Issued by a trusted certificate authority (CA)

Certificate Authority, e.g. VeriSign
Hierarchy of Certificate Authorities
[Figure: RCA at the root, BCA below it, GCA below that, and CCA, MCA and PCA at the leaves.]
- RCA: Root Certificate Authority
- BCA: Brand Certificate Authority
- GCA: Geo-political Certificate Authority
- CCA: Cardholder Certificate Authority
- MCA: Merchant Certificate Authority
- PCA: Payment Gateway Certificate Authority
- A certificate authority needs to be verified by a government or well trusted entity (e.g., post office)
- Public or private, comes in levels (hierarchy)
- A trusted third-party service
- Issuer of digital certificates
- Verifies that a public key indeed belongs to a certain individual

Electronic Credit Card System on the Internet
The Players
- Cardholder
- Merchant (seller)
- Issuer (your bank)
- Acquirer (the merchant's financial institution; it acquires the sales slips and the amounts customers pay the merchant, i.e. it is the merchant's settlement bank)
- Brand (VISA, MasterCard)

The process of using credit cards offline
1. A cardholder requests the issuance of a card brand (like Visa and MasterCard) from an issuer bank in which the cardholder may have an account.
2. The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
3. A plastic card is physically delivered to the customer's address by mail.
4. The card takes effect once the cardholder calls the bank for initiation and signs on the back of the card.
5. The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
6. Upon the approval, the merchant requests payment from the merchant's acquirer bank, and pays a fee for the service. This process is called the capturing process.
7. The acquirer bank requests the issuer bank to pay the credit amount.

Credit Card Procedure (offline and online)
[Figure: the Cardholder presents the credit card to the Merchant; the Merchant exchanges payment authorization and payment data with the Card Brand Company; the Issuer Bank (cardholder account) sends account debit data and the amount transfer to the Acquirer Bank (merchant account), which receives the payment data.]

Secure Electronic Transaction (SET) Protocol
Sender's computer
1. The message is hashed (by a hash function) to a message digest of fixed length.
2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
3. The composition of message, digital signature, and sender's certificate is encrypted with the symmetric key which is generated at the sender's computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for this encryption because DES can be executed much faster than RSA.
4. The symmetric key itself is encrypted with the receiver's public key-exchange key, which was sent to the sender in advance (in the receiver's certificate). The result is a digital envelope.
[Figure, sender's computer: Message -> Message Digest -> (Sender's Private Signature Key) -> Digital Signature; Message + Digital Signature + Sender's Certificate -> Encrypt with Symmetric Key -> Encrypted Message; Symmetric Key -> Encrypt with Receiver's Key-Exchange Key (from Receiver's Certificate) -> Digital Envelope.]

Receiver's computer
5. The encrypted message and digital envelope are transmitted to the receiver's computer via the Internet.
6. The digital envelope is decrypted with the receiver's private key-exchange key.
7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender's certificate.
8. To confirm the integrity, the digital signature is decrypted with the sender's public signature key, obtaining the message digest.
9. The delivered message is hashed to generate a second message digest.
10. The message digests obtained by steps 8 and 9 respectively are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
[Figure, receiver's computer: Digital Envelope -> Decrypt with Receiver's Private Key-Exchange Key -> Symmetric Key; Encrypted Message -> Decrypt with Symmetric Key -> Message + Digital Signature + Sender's Certificate; Digital Signature -> Decrypt with Sender's Public Signature Key -> Message Digest; Message -> hash -> Message Digest; Compare.]

Entities of SET Protocol in Cyber Shopping (Prentice Hall, 2000)
[Figure: Customers x and y with digital wallets and IC card readers; a Certificate Authority; an Electronic Shopping Mall with Merchant A and Merchant B; a Payment Gateway; the Credit Card Brand, connected over the X.25 protocol.]

SET vs. SSL
- SET: Secure Electronic Transaction. SSL: Secure Socket Layer.
- SET: complex. SSL: simple.
- SET is tailored to credit card payment to merchants. SSL is a protocol for general-purpose secure message exchange (encryption).
- SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy. This scheme is called dual signature.
- SSL protocol may use a certificate, but there is no payment gateway. So the merchants need to receive both the ordering information and the credit card information, because the capturing process has to be initiated by the merchants.

Electronic Fund Transfer (EFT) on the Internet
An Architecture of Electronic Fund Transfer on the Internet
[Figure: Payer -> Cyber Bank (Payment Gateway) -> Bank, then Bank <-> VAN / Automated Clearinghouse <-> Bank, then Bank -> Cyber Bank (Payment Gateway) -> Payee, all over the Internet.]

Debit Cards
- A delivery vehicle of cash in an electronic form
- Mondex and VisaCash applied this approach
- Either anonymous or onymous
- CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet

Financial EDI
- It is an EDI used for financial transactions
- EDI is a standardized way of exchanging messages between businesses
- EFT can be implemented using a Financial EDI system
- Safe Financial EDI needs to adopt a security scheme such as the one used for the SSL protocol
- An Extranet encrypts the packets exchanged between senders and receivers using public key cryptography

Electronic Cash and Micropayments
Smart Cards
- The concept of e-cash is used in the non-Internet environment
- Plastic cards with magnetic stripes (old technology)
- Includes IC chips with programmable functions on them, which makes the cards "smart"
- One e-cash card for one application
- Recharge the card only at designated locations, such as a bank office or a kiosk. Future: recharge at your PC
- e.g. Mondex & VisaCash

VisaCash Makes Shopping Easy
- Shopping with VisaCash
- Adding money to the card
- Payments in a new era of electronic shopping
- Paying on the Internet

Electronic Money
DigiCash
- The analogy of paper money or coins
- Expensive, as each payment transaction must be reported to the bank and recorded
- Conflicts with the central bank's role in bill issuance
- Legally, DigiCash is not supposed to issue more than an electronic gift certificate, even though it may be accepted by a wide number of member stores

Electronic Money (cont.)
Stored Value Cards
- No issuance of money
- Debit card: a delivery vehicle of cash in an electronic form
- Either anonymous or onymous
- Advantage of an anonymous card: the card may be given from one person to another
- Also implemented on the Internet without employment of an IC card
Smart card-based e-cash
- Can be recharged at home through the Internet
- Can be used on the Internet as well as in a non-Internet environment
Ceiling of Stored Values
- To prevent the abuse of stored values
- S$500 in Singapore; HK$3,000 in Hong Kong
Multiple Currencies
- Can be used for cross-border payments

Electronic Money (cont.)
Contactless IC Cards
- Proximity Card
  - Used to access buildings and for paying in buses and other transportation systems
  - Bus, subway and toll card in many cities
- Amplified Remote Sensing Card
  - Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
  - Pay toll without stopping (e.g. Highway 91 in California)

Electronic Check Systems
Procedure of the Financial Service Technology Consortium Prototype
[Figure: the Payer, at a workstation with a signature "card", puts the Check, Signature, Certificate and Remittance/Invoice into a Secure Envelope and sends it by e-mail or WWW; the Payee adds an Endorsement and Certificate and deposits the check with the Payee's Bank (credit account); the check is cleared via ACH/ECP against the Payer's Bank (debit account); a mail statement and an e-check line item go to the Payer, and the Payee's Accounts Receivable is updated.]

Electronic Check Systems (cont.)
Electronic Checkbook
- Counterpart of the electronic wallet
- To be integrated with the accounting information system of business buyers and with the payment server of sellers
- To save the electronic invoice and receipt of payment in the buyers' and sellers' computers for future retrieval
- Example: SafeCheck, used mainly in B2B

The Architecture of SafeCheck
[Figure: the Payer's checkbook agent issues a check over the Internet to the Payee's check-receipt agent, which returns a receipt; the Payee's agent requests screening of the check issuance from the control agent of the payer's bank (A/C DB), which returns the screened result; the checkbook is presented and reported to the control agent of the payee's bank (A/C DB); the payer's bank and the payee's bank clear between themselves.]

Integrating Payment Methods
- Two potential consolidations:
  - The on-line electronic check is merging with EFT
  - The electronic check with a designated settlement date is merging with electronic credit cards
- Security First Network Bank (SFNB)
  - First cyberbank
  - Lower service charges to challenge the service fees of traditional banks
- Visa
  - VisaCash is a debit card
  - ePay is an EFT service

How Many Cards are Appropriate?
- An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
- The stored value in an IC card can be delivered in an anonymous mode
- Malaysia's Multimedia Super Corridor project pursues a One-Card system
- The Relationship Card by Visa is also attempting a one-card system

Five Security Tips
1. Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
2. Don't walk away from your computer if you are in the middle of a session.
3. Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
4. If anyone else is likely to use your computer, clear your cache or turn off and re-initiate your browser in order to eliminate copies of Web pages that have been stored on your hard drive.
5. Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.

Managerial Issues
- Security solution providers can cultivate the opportunity of providing solutions for secure electronic payment systems
- Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
- Electronic stores should select an appropriate set of electronic payment systems
- Banks need to develop cyberbank services that are compatible with the various electronic payment systems
- Credit card brand companies need to develop an EC standard like SET, and watch its acceptance by customers
- Smart card brands should develop a business model in cooperation with application sectors and banks
- Certificate authorities need to identify the types of certificate to provide
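The SET sequence above (sender steps 1-4, receiver steps 6-10) as an added, runnable example; this is not code from the slides. It substitutes AES-256-GCM for DES, SHA-256 for the hash and RSA-OAEP / RSA PKCS#1 v1.5 for the key-exchange and signature operations, omits the sender's certificate (the receiver is assumed to hold the sender's public signature key already), and all names (Envelope, NewKey, aead, Seal, Open) are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what crosses the Internet in step 5: encrypted signature+message plus the wrapped key.
type Envelope struct{ Ciphertext, Nonce, WrappedKey []byte }

// NewKey makes a 2048-bit RSA key; call it once per role (sender signature, receiver key exchange).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// aead is the per-transaction symmetric cipher (AES-256-GCM here; the slides use DES).
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// Seal is the sender's side, steps 1-4; the sender's certificate is omitted and the
// receiver is assumed to already hold the sender's public signature key.
func Seal(msg []byte, senderSig *rsa.PrivateKey, receiverKX *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)                                                   // 1: fixed-length digest
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderSig, crypto.SHA256, digest[:]) // 2: sign the digest
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 32+12) // fresh symmetric key and nonce generated for this transaction
	if _, err = rand.Read(kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	ct := aead(key).Seal(nil, nonce, append(sig, msg...), nil)                       // 3: encrypt signature+message
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverKX, key, nil) // 4: the digital envelope
	return &Envelope{ct, nonce, wrapped}, err
}

// Open is the receiver's side, steps 6-10; the message is returned only if both digests agree.
func Open(env *Envelope, receiverKX *rsa.PrivateKey, senderSig *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverKX, env.WrappedKey, nil) // 6: unwrap key
	if err != nil || len(key) != 32 { // a forged envelope may unwrap to garbage of the wrong length
		return nil, rsa.ErrDecryption
	}
	plain, err := aead(key).Open(nil, env.Nonce, env.Ciphertext, nil) // 7 (GCM also rejects tampering here)
	if err != nil || len(plain) < senderSig.Size() {
		return nil, rsa.ErrDecryption
	}
	sig, msg := plain[:senderSig.Size()], plain[senderSig.Size():]
	digest := sha256.Sum256(msg) // 9: hash the delivered message again
	if err := rsa.VerifyPKCS1v15(senderSig, crypto.SHA256, digest[:], sig); err != nil { // 8+10: compare digests
		return nil, err
	}
	return msg, nil
}
```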
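The dual signature named in the SET vs. SSL comparison above, as an added example (not code from the slides): the cardholder signs H(H(OI) || H(PI)), the merchant receives the order information OI in clear plus only H(PI), and the bank receives the payment instruction PI in clear plus only H(OI), so each side can verify the signature without seeing the other's half. SHA-256 and RSA PKCS#1 v1.5 are this example's choices, and NewKey, linkDigest, DualSign, MerchantVerify and BankVerify are its own names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// NewKey generates the cardholder's 2048-bit RSA signature key.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// linkDigest is the value the cardholder actually signs: H( H(OI) || H(PI) ).
func linkDigest(oiHash, piHash [32]byte) [32]byte {
	return sha256.Sum256(append(oiHash[:], piHash[:]...))
}

// DualSign signs the order information (OI) and payment instruction (PI) together and
// returns the signature plus the two hashes that are handed to the merchant and the bank.
func DualSign(oi, pi []byte, cardholder *rsa.PrivateKey) (sig []byte, oiHash, piHash [32]byte, err error) {
	oiHash, piHash = sha256.Sum256(oi), sha256.Sum256(pi)
	d := linkDigest(oiHash, piHash)
	sig, err = rsa.SignPKCS1v15(rand.Reader, cardholder, crypto.SHA256, d[:])
	return
}

// MerchantVerify: the merchant holds OI in clear plus only H(PI), so it can check the
// signature without ever seeing the card number.
func MerchantVerify(oi []byte, piHash [32]byte, sig []byte, pub *rsa.PublicKey) bool {
	d := linkDigest(sha256.Sum256(oi), piHash)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// BankVerify: the bank (via the payment gateway) holds PI in clear plus only H(OI),
// so it can authorize the payment without learning what was ordered.
func BankVerify(pi []byte, oiHash [32]byte, sig []byte, pub *rsa.PublicKey) bool {
	d := linkDigest(oiHash, sha256.Sum256(pi))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}
```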