Abstract: This article introduces the services provided by the SSL protocol and its disadvantages, the composition of the Secure Electronic Transaction (SET) protocol and the services and disadvantages of SET, a comparison of SSL and SET in four aspects, and some constructive comments by the author. Analyzing the e-commerce security protocols SSL and SET is of practical significance for promoting the research and development of e-commerce security mechanisms.
E-commerce integrates computer technology, communication technology, and network technology. It is an Internet-based platform characterized by interactivity, openness, and extensiveness. Because of its openness and extensiveness, it is bound to face various security risks, such as information leakage or tampering, deception, and credit risks. Security issues have therefore become the bottleneck for developing a trusted e-commerce environment. Currently, many security technologies are implemented through security protocols, so concise and effective security protocols are crucial to e-commerce security. The two major international security protocols today are Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET). Both are mature and practical security protocols; however, because they were designed for different purposes, they differ considerably in application.
Keywords: E-commerce; SSL protocol; SET protocol
1. SSL protocol
SSL is a secure communication protocol launched by Netscape that provides strong protection for credit card and personal information. SSL encrypts the entire session between two computers and uses both public keys and private keys.
It has become an industry standard that is independent of the application layer and can carry any higher-level application protocol, so it is suitable for providing secure transmission services to all kinds of client/server (C/S) products. It provides an encrypted handshake session in which the client and server authenticate each other, negotiate encryption and compression algorithms, and exchange key material. This handshake uses digital signatures and digital certificates to authenticate the identity of both the client and the server, and it uses DES, MD5, and other cryptographic technologies to achieve data confidentiality and integrity. Once digital certificates have authenticated both parties, they can use the negotiated key for a secure session.
1.1 The SSL security protocol provides three services:
(1) Legality authentication of users and servers: SSL authenticates the legality of users and servers so that each side can be sure that data is sent to the correct client or server. Both the client and the server have their own identifiers, which are bound to public keys. To verify whether a user is valid, SSL requires digital authentication of the handshake data exchange to ensure the user's legitimacy.
(2) Encryption of data to hide what is transmitted: SSL uses both symmetric-key and public-key technology. Before data is exchanged between the client and the server, the initial SSL handshake messages are exchanged. Various encryption technologies protect these handshake messages to ensure their confidentiality and integrity, and digital certificates are used for authentication. This prevents illegal users from deciphering the traffic.
(3) Data integrity protection: SSL uses hash functions and secret-sharing methods to provide an information integrity service and to establish a secure channel between the client and the server, so that all data handled by the Secure Sockets Layer protocol reaches its destination complete and unaltered.
1.2 Disadvantages of the SSL protocol
(1) The customer's information is first sent to the seller, who can read it. In this way, the security of the customer's information is not guaranteed.
(2) SSL can only ensure the security of data in transit; it offers no guarantee once the transfer process has been intercepted. Therefore, SSL does not implement the confidentiality and integrity required by electronic payment, and mutual authentication is also very difficult.
2. Secure Electronic Transaction SET protocol
The SET protocol was jointly launched by the two major credit card companies, VISA and MasterCard, in May 1997. SET is designed for transactions between users, sellers, and banks that are paid by credit card, and aims to ensure the confidentiality of payment information, the integrity of the payment process, the legal identity of the merchant and the cardholder, and interoperability. The core technologies in SET are public key encryption, digital signatures, digital envelopes, and electronic security certificates.
2.1 Composition of the SET payment system
The SET payment system consists of the cardholder, the merchant, the issuing bank, the acquiring bank, the payment gateway, and the certificate authority (CA). Correspondingly, a SET-based online shopping system should include at least the electronic wallet software, the merchant software, the payment gateway software, and the certificate issuing software.
2.2 The SET security protocol provides three services:
(1) Ensuring the confidentiality and integrity of customer transaction information: the SET protocol uses dual signature technology to sign the consumer's payment information and order information separately during a SET transaction, so that the seller cannot see the payment information and receives only the user's order information, while the financial institution receives only the user's payment and account information without seeing the content of the transaction. This fully protects the consumer's account and order information.
(2) Ensuring the non-repudiation of transactions between sellers and customers: the focus of the SET protocol is to guarantee identity authentication and non-repudiation of transactions between sellers and customers. The core technologies used are the X.509 certificate standard, digital signatures, message digests, and dual signatures.
(3) Ensuring the legality of sellers and customers: the SET protocol uses digital certificates to verify the legality of each party. By verifying digital certificates, both the seller and the customer in a transaction can be confirmed to be valid and reliable.
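The dual signature from service (1) above, as an added worked example that is not part of the original article: the cardholder hashes the order information (OI) and payment information (PI) separately, signs the hash of the two concatenated digests, and each recipient verifies with only the digest of the part it must not see. The signature uses a toy textbook RSA key with constructed, insecure parameters (p=61, q=53) purely so the block runs offline; a real SET wallet would use a full-size RSA key from the cardholder's certificate.

```python
import hashlib

# Toy textbook RSA parameters (constructed, insecure, illustration only):
# p=61, q=53 -> n=3233, phi=3120, e=17, d=2753
N, E, D = 3233, 17, 2753


def h(data: bytes) -> bytes:
    """Message digest; SET uses SHA-1, SHA-256 is used here for illustration."""
    return hashlib.sha256(data).digest()


def toy_sign(digest: bytes) -> int:
    # The digest is reduced modulo the toy modulus; a real key signs the full digest.
    return pow(int.from_bytes(digest, "big") % N, D, N)


def toy_verify(digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(digest, "big") % N


def dual_signature(order_info: bytes, payment_info: bytes) -> int:
    """Cardholder: DS = Sign( H( H(OI) || H(PI) ) )."""
    return toy_sign(h(h(order_info) + h(payment_info)))


def merchant_verify(order_info: bytes, pi_digest: bytes, ds: int) -> bool:
    """Merchant receives OI in clear and only the digest of PI."""
    return toy_verify(h(h(order_info) + pi_digest), ds)


def bank_verify(payment_info: bytes, oi_digest: bytes, ds: int) -> bool:
    """Bank receives PI in clear and only the digest of OI."""
    return toy_verify(h(oi_digest + h(payment_info)), ds)


def demo() -> dict:
    # Constructed sample messages; no real card data.
    oi = b"order=book-1234;qty=1;price=29.90"
    pi = b"card=4111-xxxx-xxxx-1111;exp=12/29;amt=29.90"
    ds = dual_signature(oi, pi)
    return {
        "merchant_ok": merchant_verify(oi, h(pi), ds),
        "bank_ok": bank_verify(pi, h(oi), ds),
        # A merchant altering the order after signing breaks the link to PI.
        "tampered_order_rejected": not merchant_verify(oi + b";discount=100%", h(pi), ds),
    }
```

Both verifiers accept the same DS, yet neither party ever holds the other part in clear, which is exactly the property SSL lacks in section 1.2 (1).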
2.3 Disadvantages of the SET protocol
(1) Only secure connections between two points can be established. Therefore, the customer can only send the payment information to the merchant first, and the merchant then forwards it to the bank; in addition, only the connection channel is secured, with no other guarantees.
(2) There is no guarantee that the seller will not retain or misuse the customer's payment information without authorization.
2.4 Comparison of the SSL and SET protocols
(1) In terms of authentication requirements, early SSL did not provide a merchant identity authentication mechanism and cannot implement multi-party authentication. SET has high security requirements: every member involved in a SET transaction must apply for a digital certificate for identity recognition.
(2) In terms of security, the SET protocol regulates the entire business activity process, thus maximizing business, service, coordination, and integration. SSL only encrypts and protects the information exchange between the cardholder and the store; it can be seen as a technical specification for transmission, and from the perspective of e-commerce it is not commercial, service-oriented, coordinated, or integrated. Therefore, SET is more secure than SSL.
(3) In terms of position in the network protocol stack, SSL is a general-purpose security protocol based on the transport layer, while SET sits at the application layer and also involves other layers of the network.
(4) In terms of application field, SSL mainly works with Web applications, while SET provides security for credit card transactions. When an e-commerce application is a process involving multiple parties, SET is safer and more general.
3. Conclusion
In general, because the SSL protocol is low in cost, fast, and easy to use, and does not require major changes to the existing network system, it is widely used; at present, many banks in China use the SSL protocol for online banking. The SET protocol is complex. It requires the corresponding software to be installed on the PCs of the bank network, the merchant server, and the client, and it requires digital certificates to be issued to all parties. All of this hinders the widespread adoption of SET. From the security perspective, the SSL protocol is not as secure as the SET protocol. For systems that use credit card payment, the SET protocol is the best choice.
Given the specific situation in China, we can predict that the development trend of e-commerce security measures in China will be the coexistence of SET and SSL with complementary advantages. That is, the SET protocol is used between sellers and banks, while the SSL protocol is still used when connecting with customers. This solution avoids installing software on the customer's machine while still obtaining many of the advantages provided by SET.
From Li Shouhong's advanced information technology class