Principles of Online Banking Payment

Uploaded by: san****019 | Document ID: 15868680 | Upload date: 2020-09-11 | Format: PPT | Pages: 36 | Size: 1,018.50 KB

Electronic Payment Systems and Security
Principles of Online Payment

Learning Objectives
- Describe typical electronic payment systems for EC
- Identify the security requirements for safe electronic payments
- Describe the typical security schemes used to meet the security requirements
- Identify the players and procedures of the electronic credit card system on the Internet
- Discuss the relationship between SSL and SET protocols

Learning Objectives (cont.)
- Discuss the relationship between electronic fund transfer and debit card
- Describe the characteristics of a stored value card
- Classify and describe the types of IC cards used for payments
- Discuss the characteristics of electronic check systems

SSL vs. SET: Who Will Win?
- A part of SSL (Secure Socket Layer) is available on customers' browsers
  - it is basically an encryption mechanism for order taking, queries and other applications
  - it does not protect against all security hazards
  - it is mature, simple, and widely used
- SET (Secure Electronic Transaction) is a very comprehensive security protocol
  - it provides for privacy, authenticity, integrity, and non-repudiation
  - it is used very infrequently due to its complexity and the need for a special card reader by the user
  - it may be abandoned if it is not simplified/improved

Payments, Protocols and Related Issues
- SET Protocol is for Credit Card Payments
- Electronic Cash and Micropayments
- Electronic Fund Transfer on the Internet
- Stored Value Cards and Electronic Cash
- Electronic Check Systems

Payments, Protocols and Related Issues (cont.): Security requirements
- Authentication: A way to verify the buyer's identity before payments are made
- Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
- Encryption: A process of making messages indecipherable except by those who have an authorized decryption key
- Non-repudiation: Merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchant's unjustifiable denial of past payment

Security Schemes
- Secret Key Cryptography (symmetric): symmetric encryption is like a lock with two identical keys held by two different people; one person locks it and the other opens it with the same key
- Public Key Cryptography

Security Schemes (cont.): Digital Signature
[Figure: Message, Digital Signature]
- A digital signature is attached by a sender to a message encrypted in the receiver's public key
- Sender encrypts a message with her private key
- Analogous to handwritten signature

Security Schemes (cont.): Certificate
- Identifying the holder of a public key (Key-Exchange)
- Issued by a trusted certificate authority (CA)

Security Schemes (cont.): Certificate Authority, e.g. VeriSign
- Public or private, comes in levels (hierarchy)
- A trusted third party service
- Issuer of digital certificates
- Verifying that a public key indeed belongs to a certain individual

Hierarchy of Certificate Authorities
- RCA: Root Certificate Authority
- BCA: Brand Certificate Authority
- GCA: Geo-political Certificate Authority
- CCA: Cardholder Certificate Authority
- MCA: Merchant Certificate Authority
- PCA: Payment Gateway Certificate Authority
- Certificate authority needs to be verified by a government or well trusted entity (e.g., post office)

Electronic Credit Card System on the Internet: The Players
- Cardholder
- Merchant (seller)
- Issuer (your bank)
- Acquirer (merchant's financial institution, acquires the sales slips and the amounts customers pay the merchant; it is the merchant's settlement bank)
- Brand (VISA, Master Card)

Electronic Credit Card System on the Internet (cont.)
- The process of using credit cards offline
[Figure: Credit Card Procedure (offline and online); label: Cardholder]

[Slide footer: E-Commerce and E-Government, Yan Huqin]

Secure Electronic Transaction (SET) Protocol: Sender's Computer
1. The message is hashed (usually by a hash function) to a message digest of fixed length.
2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
3. The composition of message, digital signature, and sender's certificate is encrypted with the symmetric key which is generated at the sender's computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
4. The symmetric key itself is encrypted with the receiver's public key which was sent to the sender in advance. The result is a digital envelope.
[Figure: Sender's Computer; label: Sender's Private Signature Key]

Secure Electronic Transaction (SET) Protocol (cont.): Receiver's Computer
5. The encrypted message and digital envelope are transmitted to the receiver's computer via the Internet.
6. The digital envelope is decrypted with the receiver's private exchange key.
7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender's certificate.
8. To confirm the integrity, the digital signature is decrypted by the sender's public key, obtaining the message digest.
9. The delivered message is hashed to generate a message digest.
10. The message digests obtained by steps 8 and 9 respectively are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
[Figure: Receiver's Computer. Prentice Hall, 2000]

[Figure: Entities of SET Protocol in Cyber Shopping]

SET vs. SSL
[Table: comparison of Secure Electronic Transaction (SET) and Secure Socket Layer (SSL)]

Electronic Fund Transfer (EFT) on the Internet
[Figure: An Architecture of Electronic Fund Transfer on the Internet; label: Payer]

Debit Cards
- A delivery vehicle of cash in an electronic form
- Mondex, VisaCash applied this approach
- Either anonymous or onymous
- CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet

Financial EDI
- It is an EDI used for financial transactions
- EDI is a standardized way of exchanging messages between businesses
- EFT can be implemented using a Financial EDI system
- Safe Financial EDI needs to adopt a security scheme used for the SSL protocol
- Extranet encrypts the packets exchanged between senders and receivers using public key cryptography

Electronic Cash and Micropayments: Smart Cards
- The concept of e-cash is used in the non-Internet environment
- Plastic cards with magnetic stripes (old technology)
- Includes IC chips with programmable functions on them which makes cards "smart"
- One e-cash card for one application
- Recharge the card only at designated locations, such as bank office or a kiosk. Future: recharge at your PC
- e.g. Mondex HK$3,000 in Hong Kong
- Multiple Currencies
- Can be used for cross border payments

Electronic Money (cont.): Contactless IC Cards
- Proximity Card
  - Used to access buildings and for paying in buses and other transportation systems
  - Bus, subway and toll card in many cities
- Amplified Remote Sensing Card
  - Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
  - Pay toll without stopping (e.g. Highway 91 in California)

Electronic Check Systems
[Figure: Procedure of Financial Service Technology Consortium Prototype]

Electronic Check Systems (cont.): Electronic Checkbook
- Counterpart of electronic wallet
- To be integrated with the accounting information system of business buyers and with the payment server of sellers
- To save the electronic invoice and receipt of payment in the buyer's and seller's computers for future retrieval
- Example: SafeCheck
- Used mainly in B2B

[Figure: The Architecture of SafeCheck]

Integrating Payment Methods
- Two potential consolidations:
  - The on-line electronic check is merging with EFT
  - The electronic check with a designated settlement date is merging with electronic credit cards
- Security First Network Bank (SFNB)
  - First cyberbank
  - Lower service charges to challenge the service fees of traditional banks
- Visa
  - VisaCash is a debit card
  - ePay is an EFT service

How Many Cards are Appropriate?
- An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
- The stored value in IC card can be delivered in an anonymous mode

Five Security Tips
1. Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
2. Don't walk away from your computer if you are in the middle of a session.
3. Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
4. If anyone else is likely to use your computer, clear your cache or turn off and re-initiate your browser in order to eliminate copies of Web pages that have been stored in your hard drive.
5. Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.

Managerial Issues
- Security solution providers can cultivate the opportunity of providing solutions for the secure electronic payment systems
- Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
- Electronic stores should select an appropriate set of electronic payment systems
- Banks need to develop cyberbank services to be compatible with the various electronic payment systems
- Credit card brand companies need to develop an EC standard like SET, and watch the acceptance by customers
- Smart card brands should develop a business model in cooperation with application sectors and banks
- Certificate authority needs to identify the types of certificate to provide
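
The SET message flow in steps 1 to 10 of the slides, as an added example that is not part of the original deck. Assumptions: textbook RSA on fixed Mersenne primes and a SHA-256 keystream stand in for the RSA and DES the slides name, the sender's certificate is omitted (the receiver is taken to hold the sender's public key already), and every name and key here is constructed for illustration and unsuitable for real use.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both demo key pairs

def keypair(p, q):
    """Textbook RSA (no padding) from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Constructed demo keys built from Mersenne primes: trivially factorable.
SENDER_PUB, SENDER_PRIV = keypair(2**127 - 1, 2**521 - 1)     # signature pair
RECEIVER_PUB, RECEIVER_PRIV = keypair(2**89 - 1, 2**607 - 1)  # key-exchange pair
SIG_LEN = (SENDER_PUB[0].bit_length() + 7) // 8
KEY_LEN = (RECEIVER_PUB[0].bit_length() + 7) // 8

def rsa(value, key):
    n, exponent = key
    return pow(value, exponent, n)

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def stream_xor(key_int, data):
    """Stand-in for DES: XOR data with a SHA-256 counter keystream."""
    key, out = key_int.to_bytes(KEY_LEN, "big"), bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(message):
    """Sender side: returns (encrypted message, digital envelope)."""
    signature = rsa(digest(message), SENDER_PRIV)      # steps 1-2: hash, sign
    sym_key = secrets.randbits(128)                    # fresh key per transaction
    body = signature.to_bytes(SIG_LEN, "big") + message
    encrypted = stream_xor(sym_key, body)              # step 3: symmetric encrypt
    envelope = rsa(sym_key, RECEIVER_PUB)              # step 4: wrap the key
    return encrypted, envelope

def unseal(encrypted, envelope):
    """Receiver side: returns (message, integrity_ok)."""
    sym_key = rsa(envelope, RECEIVER_PRIV)             # step 6: open envelope
    body = stream_xor(sym_key, encrypted)              # step 7: restore contents
    signature, message = int.from_bytes(body[:SIG_LEN], "big"), body[SIG_LEN:]
    recovered = rsa(signature, SENDER_PUB)             # step 8: digest from signature
    return message, recovered == digest(message)       # steps 9-10: rehash, compare
```
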
