SECURE SOCKET LAYER (SSL)
SSL is a protocol developed by Netscape Communications and is built into many browsers. It operates at
the TCP/IP layer of the OSI model, and uses a combination of symmetric and asymmetric cryptography. If
the word "https" appears in a URL (e.g., https://www.microsoft.com), it indicates that the web server
hosting the site is SSL enabled. So, if a client machine is also configured for SSL, any exchange of
information between that client and the web server is encrypted.
To configure a client machine for SSL, the following steps are required:
Internet Explorer:Tools menu->Internet options->Advanced tab-> Security (use SSL option can be
SSL supports a variety of encryption algorithms and authentication methods. A particular combination of
algorithms and methods is called a cipher suite. When a client connects to an SSL server, the SSL handshake
begins: the two sides negotiate a cipher suite, selecting the strongest suite they have in common.
Thus the handshake establishes the protocols that will be used during the communication, selects the
cryptographic algorithms and authenticates the parties using digital certificates.
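As an added illustration (not from the original text), the following toy model of the negotiation just described picks the strongest suite that both sides support; the suite catalogue, the key-bit strength scores and the minimum-strength floor are constructed for the example.

```python
# Added example (not part of the original text): toy model of SSL cipher-suite
# negotiation. Suite names follow the SSL/TLS naming convention; the catalogue,
# the key-bit "strength" scores and the minimum-strength floor are constructed.
from typing import Iterable, Optional

# name -> (key exchange, bulk cipher, effective key bits)
SUITES = {
    "TLS_RSA_WITH_NULL_MD5":          ("RSA", "NULL", 0),
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": ("RSA", "RC4", 40),
    "TLS_RSA_WITH_DES_CBC_SHA":       ("RSA", "DES", 56),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA":  ("RSA", "3DES", 112),
    "TLS_RSA_WITH_AES_128_CBC_SHA":   ("RSA", "AES", 128),
    "TLS_RSA_WITH_AES_256_CBC_SHA":   ("RSA", "AES", 256),
}


def strength(suite: str) -> int:
    """Effective symmetric key length of a suite (0 for unknown or NULL)."""
    return SUITES.get(suite, ("?", "?", 0))[2]


def negotiate(client_offer: Iterable[str], server_supported: Iterable[str],
              min_key_bits: int = 128) -> Optional[str]:
    """Return the strongest suite offered by the client that the server also
    supports, or None if no common suite meets the minimum key length.

    The floor is the defensive part: without it, a client that offers only
    weak suites drives the connection down to NULL or 40-bit encryption."""
    supported = set(server_supported)
    common = [s for s in client_offer if s in supported]
    acceptable = [s for s in common if strength(s) >= min_key_bits]
    if not acceptable:
        return None
    return max(acceptable, key=strength)


if __name__ == "__main__":
    client = ["TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_RSA_WITH_AES_256_CBC_SHA"]
    server = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_RSA_WITH_DES_CBC_SHA"]
    print(negotiate(client, server))                       # TLS_RSA_WITH_AES_128_CBC_SHA
    print(negotiate(["TLS_RSA_WITH_DES_CBC_SHA"], server))  # None (below the floor)
```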
To start the SSL handshake, the client sends a message to the server; the server responds by sending its
digital certificate, which authenticates its public key. The client (the customer's browser) generates a
secret symmetric key for the session, encrypts it using the public key it has just received and transmits
it to the server. The server decrypts the message using its private key and now also holds the secret
(symmetric) key. Further communication between the customer's browser and the merchant's server can now
be encrypted and decrypted using this secret session key.
SSL is commonly applied in online shopping, where the customer enters his/her credit/debit card information
on a web form for payment. If the web client and the server are both SSL enabled, the SSL handshake
begins when the client enters a URL starting with "https". This handshake is accomplished in seconds.
The web form then opens before the client. The client enters information in the text boxes of the form,
and on pressing "submit" all of that information is automatically encrypted with the agreed secret or
session key. The encrypted information travels across the internet and is received by the server side,
where it is automatically decrypted with the same secret or session key. Even if someone intercepts the
information in transit, they cannot make sense of it because of the encryption.
The greatest advantage of SSL is its simplicity. Since SSL is built into many browsers, no special encryption
software is required on either the client or the server side. However, a drawback of SSL is that the merchant
can store the credit/debit card information after decryption, and that stored information can then be accessed
by unauthorized parties from the merchant's database.
The process of SSL handshake is also explained in Fig. 1 below:
[Fig. 1: SSL handshake between the SSL client (browser) and the server. The client sends a "hello" message with its encryption algorithms and key length; the server sends its certificate containing the server's public key; the client sends its certificate and the encrypted session key; data is then sent between client and server using the shared session key.]
Secure Electronic Transaction (SET)
The drawback of SSL that the credit/debit card information remains with the merchant led to the
development of a more sophisticated protocol called SET. It was developed in 1997 jointly by Visa,
MasterCard, Netscape and Microsoft. Four entities are involved in a SET transaction: cardholder,
merchant, certification authority and payment gateway. The role of the payment gateway is to connect
entities on the internet with those which are not on the internet, such as the electronic network of banks (see
Fig. 2 below). The payment gateway provides security of data transmission to/from the acquirer bank.
Merchants must have special SET software to process transactions. Customers must have digital wallet
software that stores certificates and card information.
Dual Signature in SET
SET hides the customer's credit card information from the merchant and hides the order information from the
bank to protect privacy. This scheme is called the dual signature.
A dual signature is created by combining two message digests and hashing them into a new digest called the
Dual Signature Message Digest (DSMD). Fig. 3 below explains how the dual signature scheme is
implemented in SET.
[Fig. 3: Dual signature in SET between bidder, auction house and acquirer bank. Step 1b: the bidder sends the auction house an encrypted offer for the item (amount offered, but no account information) together with MD1 signed with the bidder's private key. Step 1a: the bidder sends the acquirer the encrypted account information together with MD2 and DSMD signed with the bidder's private key. Step 2: the auction house decrypts MD1 with the bidder's public key. Step 3: if the offer is accepted, the auction house sends the acquirer an encrypted message authorizing payment (no details about what item is bought) together with MD1 signed with its private key. Step 4: the acquirer decrypts the account information with the acquirer's private key, decrypts the offer-acceptance message, decrypts MD2 and DSMD with the bidder's public key, decrypts MD1 from step 3 with the auction house's public key, concatenates MD1 and MD2, recomputes the dual signature and verifies it against the DSMD sent.]
SET software on the customer side splits the order information from the account information. MD1 is the
message digest obtained by applying the hash function to the order information. MD2 is the message digest
obtained by applying the hash function to the account information. MD1 and MD2 are concatenated and
a third message digest, DSMD, is obtained by applying the hash function again to the concatenated
message digests. The order information (the offer for items) is forwarded to the merchant/auction house
in encrypted form along with its message digest (MD1) signed with the private key of the buyer/bidder
(step 1b). The merchant/auction house decrypts the order information/offer and verifies the signature of
the buyer/bidder through his/her digital certificate (step 2). If the order/offer is acceptable to the
merchant, the merchant signs the received MD1 with the merchant's private key and sends it to the
acquirer bank along with an encrypted letter of acceptance of the offer (step 3). In parallel, the
buyer sends the text-based account information (credit card details) to the acquirer in encrypted form.
The buyer also sends MD2 (the message digest of the account information) and DSMD to the acquirer bank,
signed with his/her private key (step 1a). The acquirer bank decrypts this information. In total, the acquirer
bank receives four pieces of information (step 4):
MD1 from merchant/auction house related to order information
Account information in encrypted form from the buyer
MD2 related to account information from the buyer
DSMD from the buyer
Acquirer bank concatenates MD1 and MD2 and applies the hash function to compute a message digest.
Note that if this message digest is the same as the DSMD received by the acquirer, it ensures that a
particular order information or offer is related to particular account information. At the same time, we have
achieved our purpose that the order information should not reach the bank and the account information
(credit card no. etc.) should not reach the merchant/auction house.
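The digest linkage described in this section, as an added example that is not part of the original text: SHA-256 stands in for the hash function, the order and account data are constructed, and the signing and encryption steps are omitted so that only how MD1, MD2 and DSMD tie the two halves together is shown.

```python
# Added example (not part of the original text): dual-signature linkage in SET,
# with SHA-256 standing in for the hash function. Sample data is constructed;
# signatures and encryption are left out to isolate the digest construction.
import hashlib

# Constructed sample data (the card number is a placeholder, not a real PAN).
ORDER_INFO = b"lot=42;offer=150.00;currency=USD"
ACCOUNT_INFO = b"card=0000-0000-0000-0000;exp=12/29"


def digest(data: bytes) -> bytes:
    """The hash function H used for MD1, MD2 and DSMD."""
    return hashlib.sha256(data).digest()


def make_dual_signature(order_info: bytes, account_info: bytes):
    """Customer side: MD1 = H(order), MD2 = H(account), DSMD = H(MD1 || MD2)."""
    md1 = digest(order_info)
    md2 = digest(account_info)
    dsmd = digest(md1 + md2)
    return md1, md2, dsmd


def merchant_check(order_info: bytes, md1: bytes) -> bool:
    """Merchant/auction house (step 2): sees the order and MD1 only, never the
    account information, and confirms MD1 really is the digest of this order."""
    return digest(order_info) == md1


def acquirer_check(md1: bytes, account_info: bytes, md2: bytes, dsmd: bytes) -> bool:
    """Acquirer bank (step 4): receives MD1 from the merchant, and the account
    information, MD2 and DSMD from the buyer. It never sees the order text, yet
    H(MD1 || MD2) == DSMD proves this account is tied to exactly that order."""
    if digest(account_info) != md2:
        return False
    return digest(md1 + md2) == dsmd


if __name__ == "__main__":
    md1, md2, dsmd = make_dual_signature(ORDER_INFO, ACCOUNT_INFO)
    print("merchant:", merchant_check(ORDER_INFO, md1))               # True
    print("acquirer:", acquirer_check(md1, ACCOUNT_INFO, md2, dsmd))  # True
    # MD1 of a different order cannot be paired with this buyer's DSMD.
    other_md1 = digest(b"lot=7;offer=1.00;currency=USD")
    print("swapped:", acquirer_check(other_md1, ACCOUNT_INFO, md2, dsmd))  # False
```

The final check is the one the text calls out: the acquirer cannot be made to settle these card details against any order other than the one the buyer actually hashed into DSMD.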
SETCo is a company formed to lead the implementation and promotion of the SET specifications. It ensures
that vendors of SET software comply with the requirements laid down by the specifications' originators. A merchant
holds a certificate from the card brand indicating that the merchant is authorized to accept credit card payments.
The customer holds a certificate from the card-issuing bank. SETCo acts as the root certification authority in
the certification hierarchy (see Fig. 4 below).
[Fig. 4: SET certification hierarchy; of the figure only the label "Card Issuer Bank" is recoverable.]
SSL vs. SET
SSL only handles secured transmission of credit card no. but SET is designed to handle the whole
transaction in a secured manner using dual signatures.
SSL is a general-purpose protocol built into the browser, whereas SET requires software on both
the client and the merchant side.
SET uses a hierarchy of certificates for authentication.
SET is complex and distribution of certificates is sometimes not stable.
SET increases transaction cost.
SET transactions are slower than SSL.
SET uses a payment gateway for secured transmission of information.
An e-business is defined as a company/entity that has an online presence. E-businesses that have the ability
to sell, trade, barter or transact over the web can be considered as e-commerce businesses. An e-business
model is defined by a company's policy, operations, technology and ideology.
Advantages of E-business
Some of the major advantages of an e-business as compared to a traditional business are as under:
High-quality customer service
No inventory cost
Worldwide reach of the business
Electronic catalogues (convenient and quick transaction)
Improved supply chain management