A Secure Credit Card Transaction Method Based on Kerberos

  • Received: 2010.10.28
  • Reviewed: 2011.03.03
  • Published: 2011.03.31

Abstract

This paper introduces a new credit card payment scheme called No Number Credit Card that can significantly reduce the possibility of credit card fraud. The proposed payment system is loosely based on Kerberos, a cryptographic framework that has stood the test of time. In No Number Credit Card, instead of card numbers, only payment tokens are exchanged between customers and merchants. The tokens are generated from the payment amount, payment type, client information, and merchant information. A token, however, does not contain the credit card number, so neither the merchant nor a database hacker can acquire and illegally use any credit card numbers. The No Number Credit Card system is ideal for online e-commerce transactions and can be used with any credit card that users possess. It can be used with minor modifications to the current card payment system. We provide the principles of its operation through scenario analysis, a sample implementation, and a security analysis.
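The following is an added illustrative sketch, not the paper's own protocol or sample implementation, of the property the abstract describes: an issuer (playing the Kerberos KDC role) mints a MAC-protected token bound to amount, payment type, customer and merchant, and only the issuer can map the token back to a card number, so the merchant database never holds one. The field names, the HMAC-SHA256 construction, the 300-second lifetime and the sample card number are all assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets, time

TOKEN_TTL_SECONDS = 300  # assumed validity window, akin to a Kerberos ticket lifetime

class Issuer:
    """Plays the KDC-like role: the only party that maps tokens to card numbers."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # issuer-only MAC key, never shared with merchants
        self.cards = {}                      # customer_id -> card number (never leaves the issuer)
        self.used_nonces = set()             # replay detection for redeemed tokens

    def enroll(self, customer_id, card_number):
        self.cards[customer_id] = card_number

    def issue_token(self, customer_id, amount, pay_type, merchant_id, now=None):
        # The customer (already authenticated to the issuer; omitted here) requests a
        # token bound to this exact amount, payment type and merchant.
        payload = {"cust": customer_id, "amt": amount, "type": pay_type,
                   "mer": merchant_id, "ts": int(now or time.time()),
                   "nonce": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def redeem(self, token, merchant_id, amount, now=None):
        # The merchant forwards the token for settlement; it cannot read or alter it.
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return False, "bad MAC"
        p = json.loads(body)
        if p["mer"] != merchant_id or p["amt"] != amount:
            return False, "token bound to a different merchant or amount"
        if (now or time.time()) - p["ts"] > TOKEN_TTL_SECONDS:
            return False, "expired"
        if p["nonce"] in self.used_nonces:
            return False, "replay"
        self.used_nonces.add(p["nonce"])
        card = self.cards[p["cust"]]  # card number is resolved only inside the issuer
        return True, f"charged card ending {card[-4:]}"

def demo():
    issuer = Issuer()
    issuer.enroll("alice", "4111111111111111")  # constructed sample card number
    tok = issuer.issue_token("alice", 4999, "purchase", "shop-42")
    first = issuer.redeem(tok, "shop-42", 4999)          # legitimate settlement
    replay = issuer.redeem(tok, "shop-42", 4999)         # same token presented again
    other = issuer.redeem(tok, "shop-99", 4999)          # token leaked to another merchant
    return first[0], replay[1], other[1], "4111111111111111" in tok
```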
