Rajan
Definition
An electronic transaction is the sale or purchase of goods or services, whether between businesses,
households, individuals, governments and other public or private organizations, conducted over
computer-mediated networks. The goods and services are ordered over those networks, but the payment and the
ultimate delivery of the goods or services may be conducted on- or off-line.
i) Trustworthiness of the transaction – parties must have faith that records are authentic and
unaltered.
ii) Authentication of electronic signatures – the person signing is the same person who has identified
himself. Depending on the type of electronic signature used and the level of security inherent in
that signature, it is possible that electronic signatures may be subject to a greater risk of
repudiation than handwritten ink signatures.
iii) Data integrity – accuracy and completeness of information – ensuring that no alteration has been
made intentionally or accidentally.
iv) Integrity – must ensure non-repudiation and authenticity:
- The document must be the same as sent by the sender.
- The document must not be altered either in storage or in transmission.
v) Retention of records – for a minimum period and in a manner which would make them admissible in
a court of law as evidence in case of a dispute.
E-Commerce Model
[Figure: e-commerce model linking the Shopper/Cardholder, Issuer, Merchant, Certification Authority,
Payment Gateway and Acquirer through numbered steps.]
1) The customer obtains a credit card account with a bank that supports electronic payment
5) The merchant sends a copy of its certificate so that the customer can verify that it's a valid store
9) The merchant ships the goods or provides the service to the customer
SET Protocol
Secure Electronic Transactions (SET) is an open protocol which has the potential to emerge as a dominant
force in the securing of electronic transactions. Jointly developed by Visa and MasterCard, in conjunction
with leading computer vendors such as IBM, SET is an open standard for protecting the privacy, and
ensuring the authenticity, of electronic transactions. This is critical to the success of electronic commerce
over the Internet; without privacy, consumer protection cannot be guaranteed, and without authentication,
neither the merchant nor the consumer can be sure that valid transactions are being made.
The SET protocol relies on two different encryption mechanisms, as well as an authentication mechanism.
SET uses symmetric encryption, in the form of the aging Data Encryption Standard (DES), as well as
asymmetric, or public-key, encryption to transmit session keys for DES transactions (IBM, 1998). Rather
than offer the security and protection afforded by public-key cryptography, SET simply uses session keys
(56 bits) which are transmitted asymmetrically – the remainder of the transaction uses symmetric
encryption in the form of DES. This has disturbing connotations for a "secure" electronic transaction
protocol, because public-key cryptography is used only to encrypt DES keys and for authentication,
and not for the main body of the transaction. The computational cost of asymmetric encryption is cited as
the reason for using weak 56-bit DES (IBM, 1998); however, other reasons such as export/import restrictions
and the perceived need by law enforcement and government agencies to access the plain-text of encrypted
SET messages may also play a role.
In the SET protocol, two different encryption algorithms are used – DES and RSA. The DES algorithm has
been used since the 1970s. It is believed by some that the National Security Agency (NSA) of America
played "an invisible hand in the development of the algorithm" (Schneier, 1996), and that they were
responsible for reducing its key size from the original 128-bits to 56. DES quickly became a federal
standard in 1976, and has been used ever since.
In the SET protocol, a DES 56-bit key is used to encrypt transactions. This level of encryption, using DES,
can be easily cracked using modern hardware. In 1993, a brute-force DES cracking machine was designed
by Michael Wiener – one which was massively parallel. For less than a million dollars (well within the
budget of many large companies), a 56-bit DES key could be cracked in an average time of 3.5 hours. For a
billion dollars, which might be considered small change for a military or security organisation such as the
NSA or a foreign power, a parallel machine can be constructed that cracks 56-bit DES in a second
(Schneier, 1996). Clearly, this is of great concern, since DES encrypts the majority of a SET transaction.
As the power of computers grows, and the cost diminishes, such code-crackers may become more and more
common.
One may wonder why such crippled cryptography would be used in a "secure" transaction protocol. One
possible reason may be that the organizations involved recognise the desire by government organizations
(both foreign and domestic to the US) to observe and monitor financial transactions conducted over the
Internet. "Governments tend to look favorably upon SET based cryptography" (IBM, 1998), and the
prospect that any government with enough resources to build a code cracker could have access to people’s
financial transactions is disturbing. While many people believe that it is legitimate for a government to
observe the financial transactions of its citizens, it is unthinkable that a "secure" protocol would allow those
same transactions to be observed by foreign, and possibly hostile, governments.
Transaction Authenticity
Authentication is an important issue for users of electronic commerce. Consumers must have faith in the
authenticity of the merchant, and merchants must have faith in the authenticity of the consumer. Without
authentication, any individual could pose as a merchant, and besmirch a merchant’s good name by failing
to deliver goods and running up credit card bills. Without authentication, any individual could pose as a
consumer, ordering costly goods to an abandoned house or apartment, and defrauding the merchant.
Without authentication, an individual could pose as a willing buyer, accept the goods, and then repudiate
the transaction. Authentication is critical to achieving trust in electronic commerce.
Authentication is achieved through the use of digital signatures. Using a hashing algorithm, SET computes a
small message digest of a transaction and signs it using the sender’s private key, producing a series of values
that "sign" the message. By checking the transaction message against the signed digest, using the
sender’s public key, the authenticity of the transaction can be verified. Digital signatures are aimed at
achieving the same level of trust as a written signature has in real life. This helps achieve non-repudiation,
as the consumer cannot later establish that the message wasn't sent using his private key.
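The two mechanisms described above, the hash-then-sign signature and the hybrid scheme in which RSA carries only a 56-bit session key while a symmetric cipher protects the body, are sketched below as an added example; it is not code from these notes or from the SET specification. Assumptions: the toy RSA keys are built from public Mersenne primes, a SHA-256 keystream stands in for DES (which the Python standard library lacks), and all function names and the sample order are constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p: int, q: int):
    """Textbook RSA from two known primes; returns (n, d). Demo only, no padding."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed keys from public Mersenne primes: anyone can factor these moduli.
SENDER_N, SENDER_D = toy_keypair(2**521 - 1, 2**607 - 1)    # cardholder (signs)
RECIP_N, RECIP_D = toy_keypair(2**1279 - 1, 2**2203 - 1)    # merchant (decrypts)

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Hash the message, then apply the sender's private key to the digest."""
    return pow(digest(message), SENDER_D, SENDER_N)

def verify(message: bytes, signature: int) -> bool:
    """Recover the digest with the sender's public key; compare with a fresh hash."""
    return pow(signature, E, SENDER_N) == digest(message)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for DES (assumption): XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message: bytes):
    """Encrypt the body under a fresh 56-bit session key; RSA wraps only that key."""
    session_key = secrets.token_bytes(7)  # 7 bytes = 56 bits, the size the text criticises
    wrapped = pow(int.from_bytes(session_key, "big"), E, RECIP_N)
    return wrapped, stream_xor(session_key, message)

def unseal(wrapped: int, body: bytes) -> bytes:
    """Recipient unwraps the session key with its private key, then decrypts the body."""
    session_key = pow(wrapped, RECIP_D, RECIP_N).to_bytes(7, "big")
    return stream_xor(session_key, body)

# Constructed sample order, not taken from any real transaction.
ORDER = b"order=1001;amount=49.99;currency=USD"
```

However large the RSA modulus is, the body in `seal` is protected only by the 7-byte session key, which is the weakness the SET Protocol section describes.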
Secure electronic transactions will be an important part of electronic commerce in the future. Without such
security, the interests of the merchant, the consumer, and the credit or economic institution cannot be
served. Privacy of transactions, and authentication of all parties, is important for achieving the level of trust
that will allow such transactions to flourish. However, it is important that the encryption algorithms and
key sizes used will be robust enough to prevent observation by hostile entities (either criminal or foreign
powers). The ideal of the secure electronic transactions protocol (SET) is important for the success of
electronic commerce. However, it remains to be seen whether the protocol will be widely used because of
the weakness of the encryption that it uses.