Periodical Payments Using X.509 Restricted Proxy ...
Transcript of Periodical Payments Using X.509 Restricted Proxy ...
![Page 1: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/1.jpg)
Periodical Payments Using X.509 Restricted Proxy Certificates
Lawrie Brown Grigori Goldman
January 2010
University of New South Wales @ Australian Defence Force Academy
![Page 2: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/2.jpg)
Who Am I?
senior lecturer at UNSW@ADFA professional interests include:
cryptography, communications and computer systems security, and safe mobile code execution
teaches courses in: computer security, cryptography, data
communications and java programming co-authored text on Computer Security
![Page 3: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/3.jpg)
Research Goal
“To develop a payment framework based on the direct debit payment model using currently available, standards compliant and industry supported technologies.”
![Page 4: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/4.jpg)
Electronic Payment Schemes (History)
1980s – David Chaum, blind digital signatures, anonymous electronic cash, etc
1990s – Secure Electronic Transaction (SET) And Now
Visa Three Domain (3-D) Secure MasterCard Secure Payment Application (SPA) Single European Payments Area (SEPA)
![Page 5: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/5.jpg)
What is missing?
Follows paper-based model Insecure when used over the Internet
Not using cryptographic authentication
No automated payment cancellation features Payment contracts are not enforceable during
payment processing
![Page 6: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/6.jpg)
X.509 Proxy Certificates
What Allow delegation of a user’s credential to an
intermediary service for execution of a task Where
Globus Open Grid Services Architecture, Grid Security Infrastructure (GSI)
How Private/Public key pair created by the recipient Certificate is signed by an end-entity not a CA
![Page 7: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/7.jpg)
Periodical Payment Framework Overview
1. Periodical Payment Policy Language (Policies are added to X.509 Proxy Certificates)
2. Client-side and Merchant libraries for: (Credential delegation and policy validation)
3. Payment Gateway Web Services interface (Abstracting the existing payment infrastructure)
![Page 8: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/8.jpg)
Periodical Payment Framework Architecture
![Page 9: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/9.jpg)
Certificate Delegation Process
![Page 10: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/10.jpg)
Payment Process
![Page 11: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/11.jpg)
Periodical Payment Certificate Policy Language
What is it? XML document representing contract between customer
and merchant
How is it used? Proxy certificate asserts that merchant is valid customer
delegate Policy is added to the proxy certificate Policy asserts that merchant can execute payment
transactions on behalf of its customers
![Page 12: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/12.jpg)
<payment-policy>
<pay currency=“aud” amount=“20” on=“* * * 1W * ? 2010” />
</payment-policy>
Periodical Payment Certificate Policy Language (cont)
<payment-policy>
<pay currency=“aud” limit=“20” on=“* * * 1W * ? 2010” />
</payment-policy>
<payment-policy>
<pay currency=“aud” on=“* * * 1W * ? 2010” />
</payment-policy>
![Page 13: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/13.jpg)
Periodical Payment Certificate Policy Language (cont)
Normal Case: Only one assertion of each type per policy
Special case: Declare an odd-assertion to handle a specific
scenario, eg. discounted first/last payment, etc.
![Page 14: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/14.jpg)
Periodical Payment Certificate Policy Language (cont)
Cancelling a periodical payment example: <payment-policy>
<pay currency=“aud” amount=“20” on=“* * * 1W * ? 2010” />
<cancellation-policy>
<pay currency=“aud” amount=“100” on=“* * * * 1-6 ? 2010” />
<pay currency=“aud” amount=“50” on=“* * * * 7-12 ? 2010” />
</cancellation-policy>
</payment-policy>
![Page 15: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/15.jpg)
Double Charging Problem
Question: How does the payment gateway detect a request replay
attack (i.e. merchant is double charging the customer)? Answer
A transaction revocation list (TRL) Based on X.509 Certificate Revocation List (CRL)
revoke = “* * * * MAR ? 2009”
![Page 16: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/16.jpg)
Performance Analysis (Total Request Processing Time)
No SSL
Server-side authentication
Mutual authentication
![Page 17: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/17.jpg)
Performance Analysis (SSL Handshake Processing Time)
Server-side authentication
Mutual authentication
![Page 18: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/18.jpg)
Performance Analysis (SSL Impact on Performance)
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Number of Requests (Segments of 1000)
SSL
as %
of T
otal
100 Threads 120 Threads 140 Threads 160 Threads
SSL handshake percentage of total time
Average SSL handshake processing time
![Page 19: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/19.jpg)
Future Work
Performance Improvements Replacing SOAP based Web Services with a light-weight
alternative, e.g. using Representational State Transfer (REST) architectural style
Integrating native SSL libraries instead of using the default Sun JSSE implementation
Client-side Enhancements Integrating USB token support into the existing Firefox
extension Investigating the use of Subscriber Identity Module
(SIM) cards as cryptographic tokens
![Page 20: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/20.jpg)
Conclusion
Periodical payments are different to traditional e-commerce payments: No customer involvement during each transaction Allow merchants access to customer accounts
No alternatives currently exist even though this payment method is popular
Restricted proxy certificates provide a strong cryptographic foundation for this framework making it a viable commercial alternative
![Page 21: Periodical Payments Using X.509 Restricted Proxy ...](https://reader030.fdocuments.us/reader030/viewer/2022020622/61ee66cd544ac505df65522b/html5/thumbnails/21.jpg)
Any Questions?
Reference:
Grigori Goldman and Lawrie Brown, “Analysis of the Periodical Payment Framework using Restricted Proxy
Certificates”, ACSC2010, Brisbane, Australia; Conferences in Research and Practice in Information
Technology (CRPIT), Vol. 102, Jan 2010, B. Mans and M. Reynolds, eds.