NSPW '06 Proceedings of the 2006 workshop on New security paradigms
| Hi-index | 0.00 |
The security of electronic payment protocols is of interest toresearchers in academia and industry. While the ultimateobjective is the safest and most secure protocol, convenienceand usability should not be ignored, or the protocol may not besuitable for large-scale deployment. Our aim in this paper is todesign a practical electronic payment protocol which is bothsecure and convenient.ANSI X9.59 standard describes secure payment objects to beused in electronic payment in a convenient and secure way. Ithas many useful convenience features for large-scale consumermarket deployment, the best being the elimination of consumercertificates. Consumer public keys are stored in account recordsat financial institutions; the digital signatures issued byconsumers are verified by financial institutions. Encryption isdeliberately not provided by X9.59.In this paper we propose a new Internet e-payment protocol,namely CONSEPP (CONvenient and Secure E-PaymentProtocol), based on the account authority model of ANSI X9.59standard. CONSEPP is the specialized version of X9.59 forInternet transactions (X9.59 is multi-purpose). It has some extrafeatures on top of the X9.59 standard. X9.59 requires merchantcertificates; in CONSEPP we propose a lightweight method toavoid the need for merchant certificates. Moreover, we proposea simple method for secure shopping experience betweenmerchant and consumer. Merchant authentication is embeddedin the payment cycle. CONSEPP aims to use current financialtransaction networks, like VisaNet, BankNet and ACH networks,for communications among financial institutions. No certificates(in the classical sense) or certificate authorities exist inCONSEPP. Convenience is not traded for security here; basicsecurity requirements are fulfilled in the payment authorizationcycle without extra messaging and significant overhead.