Design, implementation, and deployment of the iKP secure electronic payment system

This paper discusses the design, implementation, and deployment of a secure and practical payment system for electronic commerce on the Internet. The system is based on the iKP family of protocols (i = 1, 2, 3) developed at IBM Research. The protocols implement credit card-based transactions between buyers and merchants while the existing financial network is used for payment clearing and authorization. The protocols are extensible and can be readily applied to other account-based payment models, such as debit cards. They are based on careful and minimal use of public-key cryptography, and can be implemented in either software or hardware. Individual protocols differ in both complexity and degree of security. In addition to being both a precursor and a direct ancestor of the well-known SET standard, iKP-based payment systems have been in continuous operation on the Internet since mid-1996. This longevity, as well as the security and relative simplicity of the underlying mechanisms, makes the iKP experience unique. For this reason, this paper also reports on, and addresses, a number of practical issues arising in the course of implementation and real-world deployment of a secure payment system.
