Credit card corporations, banks and Internet software companies are teaming up with IBM researchers to develop a single, secure way of making payments over the 'Net.
In Brief:
Working with credit card companies, researchers at IBM are developing a nonproprietary method - involving sophisticated cryptographic technology - for making credit card payments across the Internet. Based on Research's seminal work on the Internet Keyed Payments (iKP) system, a new, open multivendor standard - known as Secure Electronic Transaction (SET) - has been developed by IBM together with leading credit card companies and other technology providers.
The 1990s equivalent of the Gold Rush is occurring on the Internet, especially on its fastest-growing service, the World Wide Web. Corporations, Wall Street investors, independent software producers and merchants ranging from giant retailers to the tiniest start-up companies all believe that billions of extra dollars in business will result from increased use of the Internet for electronic commerce.
At the moment, hardly any of these hoped-for billions are being realized. One reason is the dangers that arise from the lack of a secure way of making credit card payments over the Internet (see "Risky Business"). However, that is about to change.
One of the first signs of change emerged in November 1994, when VISA and Microsoft jointly announced that they were developing a protocol - called Secure Transaction Technology (STT) - that would securely transfer money on the Internet. That move caused some alarm among both computer companies and financial concerns that a proprietary standard might emerge. "There was widespread agreement in the industry that no one company should control this market," says IBM researcher Amir Herzberg, now at the Haifa Research Laboratory.
One solution was to develop an open protocol. With that motivation, a team of IBM researchers (including Mihir Bellare, Juan Garay, Herzberg and Hugo Krawczyk at the Thomas J. Watson Research Center, and Ralf Hauser, Michael Steiner, Gene Tsudik, Els Van Herreweghen and Michael Waidner at the Zurich Research Laboratory) intensified their efforts in the area of electronic commerce and decided to go public with a new payment protocol. "We didn't want to develop a competing proprietary protocol," says Herzberg. "Rather, we wanted to create an open, standard protocol that everyone could use."
Like the VISA-Microsoft technology, it was based on the idea of protecting all the relevant credit card data using highly secure "public key" cryptographic technology. The Watson and Zurich researchers met in January 1995, and again in March, to pin down the protocol. The work went fast. "There was no need for a technological or scientific breakthrough," recalls Zurich team leader Phil Janson, "so initial development proceeded smoothly."
As soon as they had developed the new protocol, the teams started to publish descriptions. The open nature of the protocol meant it could not itself be a product for sale. However, developing the protocol put IBM, as an early player in the game, in a good position to supply the software implementations to run it, along with complete hardware-software systems for banks, credit card companies and merchants, once the protocol was accepted.
This protocol, called Internet Keyed Payments, or iKP, became the basis for joint work with MasterCard, Europay (the exclusive European licensee of the MasterCard brand name for credit cards) and other companies to try to establish an international standard protocol that any company could freely use. At the same time, IBM researchers were sending the protocol out widely among cryptographers and security experts for review and comment on possible flaws.
One provider or many?
After IBM entered into working relationships - first with Europay and then with MasterCard - IBM researchers convinced the Internet Engineering Task Force (IETF), the Internet's standards body, to conduct a session on payment protocols. The session, chaired by Herzberg, led to a collaboration with Netscape, a leading provider of Web browsers and servers, and CyberCash, a newly formed electronic payments company. Both had been working on their own secure-payment solutions before the IETF.
Working from the iKP framework, IBM, MasterCard and their partners, which also included Netscape and GTE, developed a modified protocol, called the Secure Electronic Payment Protocol (SEPP). Then, together with IBM, MasterCard began talking to banks and potential Internet vendors about the payment protocol.
By mid-1995, VISA and MasterCard had begun to discuss an approach for converging the two developing protocols. With active support from IBM, those talks, and other negotiations, bore fruit. In February 1996, MasterCard and VISA, with support from IBM and other technology partners, announced that they had agreed on a new standard for secure Internet protocols - a convergence of STT and SEPP - known as Secure Electronic Transactions (SET).
How iKP works
The Research team developed the iKP protocol with one major goal in mind: to avoid any change in the existing infrastructure of the financial network. Such a change would delay the deployment of the technology and significantly increase its cost. So the team designed iKP to impact only those players who are directly connected to the Internet, such as customers and merchants. "This is done by means of a gateway," explains Krawczyk. "Essentially, it translates the information on the iKP protocol into the existing financial protocols."
The protocol had to fulfill four other goals, according to Garay. First, it had to be more secure than existing over-the-phone mail-order systems. Second, like any payment system, it would provide a means of authenticating that the customer, merchant and bank had all authorized a given transaction. Third, it would maintain the privacy of the customer and guard against fraud: Not only would it keep secret the customer's credit card numbers, it would also keep details of the customer's financial information from the merchant selling the goods. In iKP, the merchant and the credit card company have access only to the information needed to complete the transaction. Finally, it had to be a system that could be smoothly implemented in stages, with each stage fully functional.
The Internet Keyed Payments system achieves a high level of security by encrypting and authenticating vital data using "public key" cryptography. RSA cryptography (named for Rivest, Shamir and Adleman, its inventors) - an example of public key cryptography - has become the standard for highly secure systems (see "The Key to the Public Key"). The iKP protocol is designed in such a way that, as it is upgraded, the number of participants that must possess public key-secret key pairs gradually expands.
Three levels of security
In 1KP, the simplest version, only the banks that clear the credit card accounts would have public key-secret key pairs. These banks, termed "acquirers," receive the information on the credit card transaction from the merchant, verify the transaction using unique information provided by the customer and credit the merchant's account with the money. They would then communicate over existing financial networks with the bank that issued the credit card (or the credit card company itself) to obtain the money from the customer's account. (The communication between the banks is not included in the iKP protocol, as it occurs over existing, secure banking networks.) Because relatively few acquirers would be involved, the number of public keys to be distributed to customers and merchants would be small.
In 1KP, when a customer wishes to order something from a merchant on the Internet and pay by credit card, the merchant would transmit to the customer the public key used by the acquirer. The customer would use this public key, in connection with software on his or her personal computer, to encrypt the credit card's number and expiration date. The program would then take the order information (i.e., the nature of the goods, the shipping information, etc.) and generate from it a "hash" - a number derived from the order information that cannot be decoded to give back that information.
Because the merchant cannot decrypt the credit card information, he or she cannot use the credit card fraudulently. That overcomes a present-day problem not only on the Internet but also in conventional credit card transactions. Moreover, the hash prevents the bank from learning the nature of the order, which protects the privacy of the customer. It also prevents the merchant, or a malicious intruder, from changing the order or the shipping address.
When the customer sends the encrypted data back to the merchant, the merchant adds its own hash, made up of its version of the order, and sends both sets of encrypted data to the bank (i.e., the acquirer). When the bank receives the encrypted message, it uses its secret key to read the data from the customer and also checks that the hashes provided by the customer and the merchant agree. The acquirer's decision - approving or denying the transaction - is sent back to the merchant, and, if it is approved, a message is sent to the credit-card issuing bank, which charges the customer's account.
The bank "signs" this approval or rejection with its "digital signature," a message encoded with the bank's secret key. Anyone who possesses the public key can decode the digital signature and confirm that only the possessor of the secret key could have sent this message. When the merchant decodes and checks this message, the deal is done and the goods can be shipped, electronically or otherwise.
Even at this simplest level, the system would provide a good deal of security. It would protect the customer from anyone intercepting the credit card information on the Internet or from the merchant's computer. Because only the merchant, and not the bank, would know the details of the order, no business could use the customer's buying habits for future solicitations or any other purposes. The merchant receives an undeniable proof of the bank's authorization, and all parties are assured that the customer and the merchant agree on the nature and price of the order.
At the second level of implementation, 2KP, all participating merchants, in addition to the banks, must possess public key-secret key pairs. The merchants can now give their customers "signed" receipts of payment, using the same method as the bank. The customer also receives an electronic certificate, which shows that the merchant is indeed a participant in the system, providing reassurance that the customer is dealing with a real vendor, rather than someone involved in a scam.
The full implementation, 3KP, requires that all participants, including the customers, have public key-secret key pairs. Thus, any cardholder will have to generate the key pairs. This system has the advantage of giving the customer a digital signature - an electronic version of the signature inscribed on a credit card slip. The merchant and banks then have undeniable proof that the cardholder did, in fact, make the purchase.
The customer's secret key has two security advantages over the PIN now used for ATM cards and for 1KP and 2KP: unlike a PIN, the secret key is impossible to forge by guessing, and, because the secret key isn't known to the credit card company, it can't be misused by someone breaking into the company's computer.
The technology presents some problems. "Going to 3KP will be both complex and expensive," comments Watson's Mark Linehan, who joined the team in April 1995. "Digital certificates associating public keys with credit cards will have to be distributed by the credit card companies to millions of customers, and that won't be easy."
Micropayments
Another potential challenge focuses on the micropayments expected on the Internet; these sums of much less than $1 per transaction, paid for online information and services, are too small to be charged on credit cards. "Cheaper payment systems will be needed for these micropayments," says Herzberg, "and for these cheap systems, the iKP cost may become a concern."
Micropayments have taken on particular significance in Europe, where the alliance with Europay may provide IBM's technology with an edge over others. Indeed, the alliance has the aim of integrating iKP technology with Europay's "Express electronic purse" technology, to create a product that offers the best of both worlds.
The Express purse is designed to allow customers to make small ($1-$10) electronic cash payments to vendors in face-to-face transactions, such as toll booths, phone booths, food machines and newsstands. The payments can be made in any one of up to 10 currencies, and do not require online contact with any bank, thereby saving the cost of the banking transaction.
Express purse was not designed to make payments across a network like the Internet; iKP was designed for that purpose, although, in its original incarnation, it cannot deal with small payments. However, Zurich has done some work on extensions to iKP, points out researcher Michael Steiner, that would allow payments of very small amounts, such as charges for viewing a Web page on a per-minute basis. The marriage of the two technologies will make a synergistic link, permitting small Express payments to be made across the Internet, using iKP as a vehicle for securely transporting the Express electronic cash.
Transcontinental differences
While iKP is gaining wide interest and acceptance among banks and credit card companies, there is still a long way to go before it, or any other Internet payment system, becomes an internationally recognized standard. "For one thing, there remain a number of differences between European companies, like Europay, and American ones, like MasterCard," says Janson, who is working with the European companies on iKP. One difference involves whether the standards will be set by United States standards bodies or by international ones.
Differences have also emerged over the protocols themselves. For example, in the VISA-MasterCard version of iKP, SET, there is a layer of cryptography that uses an older technique known as DES, which requires a single, secret key to decode. This key is encrypted, in turn, using RSA public key technology, and sent along with the message. European companies, in contrast, prefer to stick to the original idea of encrypting all information in RSA.
More important, U.S. companies envision that their customers will keep their secret keys as software in their own computers. The Europeans want the keys to be held on "smart card" credit cards, which can be inserted in a special reader attached to a personal computer. "The problem here is that the software in a computer is exposed to viruses," explains Janson, "and someone can use a virus to steal secret keys. Thus, it could become, in my view, immensely risky to store the keys in software. Your key can be stolen and you don't even know it's gone. With smart cards, the card itself has to be physically stolen. You generally know it's gone, and it's also protected by a card activation PIN." However, U.S. companies are far behind Europe in implementing smart card technology, and hence will be slower to adopt the new system.
Finally, there is the barrier erected by U.S. export restrictions on cryptographic technology. Many governments regulate the use and export of cryptographic products, and the United States still enforces such regulation. In January 1996, however, IBM obtained an exemption from the U.S. government, on the grounds that iKP implementations allow the encoding of only a very limited quantity of financial data.
Although all these hurdles will slow down the march toward a single standard, companies are going ahead on their own. Trials using iKP programs will start soon, and operational implementation may begin as early as the end of the year. It's possible that at least two incompatible payment systems, and perhaps more, may be in use for a few years. But most participants believe that, in fairly short order, payment on the Internet will become as routine as making a mail-order phone call, and a good deal more secure.
Eric J. Lerner is a freelance science and technology writer based in Lawrenceville, New Jersey. His latest book is entitled The Big Bang Never Happened.
Risky Business
If companies are to fully exploit the commercial potential of the Internet, consumers must be able to pay for transactions as simply as they do when shopping in a store or by telephone. Many companies are rushing to set up payment systems that are the electronic equivalent of checks or cash. But, given the widespread use of credit cards for purchase, it is likely that secure ways to use them over the World Wide Web will become the first well-accepted means of payment.
For example, purveyors of electronic catalogues that permit customers to browse online stand to benefit particularly from a system that permits the customers to complete ordering and payment online, without having to make a separate phone call. Even more significant, a reliable payment system for products that can be transmitted over the Web could prove revolutionary once it is universally recognized and supported.
Sending credit card information over the Internet in unencrypted form is definitely not a good idea. It is just too easy for information on the Internet, which passes through many computers, to be intercepted, copied or tampered with.
The obvious solution is some form of coding or encryption scheme. In fact, a number of these are coming into use. The Secure Socket Layer (SSL), devised by Netscape, for example, encrypts information between two parties, such as a customer and a merchant. However, it is still risky for credit card transactions, because the customer has very little assurance that the credit information cannot be lifted from the merchant's computer, or even misused by the merchant. Nor does the customer have any way to verify that the merchant is a real vendor, rather than a front for a credit card abuse scam.
The Key to the Public Key
The iKP protocol uses the highly secure public key encryption technology. One well-known example is called RSA (for its inventors, Rivest, Shamir and Adleman), and is used in iKP for both key encryption and digital signatures. In a public key system, anyone can encrypt a message with an individual's public key, but only that individual can decrypt it with his or her own secret key. The mathematical basis for the system is the fact that, while it is easy to multiply two large prime numbers together to get a third number, factoring the result to obtain the first two is extremely difficult if the number is large enough.
The core of the RSA technology, then, is the difficulty of finding the secret key given the public key. It is relatively easy to produce pairs of keys, but almost impossible to reverse-engineer them and work one's way back from one key to the other in the pair. The iKP protocol actually benefits from innovations introduced by Mihir Bellare (a member of the iKP team who is now at the University of California, San Diego), and Phillip Rogaway, University of California, Davis, that provide certain provable security properties that normal RSA doesn't have.
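The 1KP exchange described under "Three levels of security" and the key mechanics described in this sidebar, worked through in one added Python example. This is not IBM's iKP code and not the published protocol's message format; it is an illustration written for this article. It builds a toy textbook RSA from the standard library only (Miller-Rabin prime generation, e = 65537, no padding, so it deliberately omits the randomized padding that the Bellare and Rogaway work referred to above provides) and uses SHA-256 as the "hash" of the order, which is a choice made here rather than the hash iKP specified. The card number, expiry, order text and the acquirer's "known cards" lookup are constructed sample data. The flow is the one the article gives for 1KP: the customer encrypts the card data under the acquirer's public key and hashes the order; the merchant, unable to read the card, adds its own hash of the order it intends to fulfil; the acquirer decrypts, requires the two hashes to agree, and signs its verdict with its secret key; the merchant ships only if that signature verifies. Running the exchange a second time with the order altered between customer and merchant shows the hash check catching the change.

```python
"""1KP payment exchange over a toy RSA (added illustration, not IBM's iKP code)."""
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so p*q has at least 2*bits-1 bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 192):
    """Return (public, secret) as ((e, n), (d, n)); recovering d from e needs the factors of n."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this guarantees gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(pub, m: int) -> int:
    """Textbook RSA, no padding: teaching only, not what a real deployment should use."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message too large for modulus")
    return pow(m, e, n)

def rsa_decrypt(secret, c: int) -> int:
    d, n = secret
    return pow(c, d, n)

def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")  # < n, since n > 2**382

def rsa_sign(secret, msg: bytes) -> int:
    """Digital signature: the secret key applied to the message digest."""
    d, n = secret
    return pow(_digest_int(msg), d, n)

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest_int(msg)

# ---- the 1KP exchange: only the acquirer holds a key pair ----
def customer_payment(acquirer_pub, card_number: str, expiry: str, order: str) -> dict:
    """Customer: card data encrypted for the acquirer alone; the order travels only as a hash."""
    card_int = int.from_bytes(f"{card_number}|{expiry}".encode(), "big")
    return {"enc_card": rsa_encrypt(acquirer_pub, card_int),
            "customer_hash": hashlib.sha256(order.encode()).digest()}

def merchant_forward(payment: dict, order_as_merchant_sees_it: str) -> dict:
    """Merchant: cannot decrypt enc_card; adds its own hash of the order it will fulfil."""
    return {**payment, "merchant_hash": hashlib.sha256(order_as_merchant_sees_it.encode()).digest()}

def acquirer_decide(acquirer_secret, request: dict, card_is_good) -> tuple:
    """Acquirer: decrypts the card data, requires both hashes to match, signs the verdict."""
    m = rsa_decrypt(acquirer_secret, request["enc_card"])
    card_number, expiry = m.to_bytes((m.bit_length() + 7) // 8, "big").decode().split("|")
    approved = request["customer_hash"] == request["merchant_hash"] and card_is_good(card_number, expiry)
    # the verdict carries the order hash, so a signed approval is bound to this one order
    verdict = (b"APPROVED:" if approved else b"DENIED:") + request["customer_hash"]
    return verdict, rsa_sign(acquirer_secret, verdict)

def merchant_accepts(acquirer_pub, verdict: bytes, sig: int) -> bool:
    """Merchant: ships only on an approval that verifies under the acquirer's public key."""
    return rsa_verify(acquirer_pub, verdict, sig) and verdict.startswith(b"APPROVED:")

def run_1kp(customer_order: str, merchant_order: str) -> bool:
    """Whole exchange with constructed sample data; True if the merchant may ship."""
    acq_pub, acq_secret = generate_keypair()
    known_cards = {("4111111111111111", "12/99")}    # constructed; stands in for the issuer lookup
    payment = customer_payment(acq_pub, "4111111111111111", "12/99", customer_order)
    request = merchant_forward(payment, merchant_order)
    verdict, sig = acquirer_decide(acq_secret, request, lambda c, x: (c, x) in known_cards)
    return merchant_accepts(acq_pub, verdict, sig)
```

`run_1kp("1 book to 1 Main St", "1 book to 1 Main St")` returns True; changing the merchant's copy of the order to a different shipping address makes the two hashes disagree, the acquirer signs a denial, and the call returns False. The merchant's code path never sees the card number, which is the point of 1KP's privacy design; the article's 2KP and 3KP levels would add merchant and customer key pairs using the same `rsa_sign`/`rsa_verify` routines.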