SWIFT

Document Sample
SWIFT Powered By Docstoc
					                              EUROCON 2005



                          SWiFT
:: A New Secure Wireless Financial Transaction ::
                :: Architecture ::
       Paul Killoran, Fearghal Morgan & Michael Schukat

                National University of Ireland, Galway

                      paul_killoran@eircom.net


Paul Killoran             EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (1)
                                     Introduction



     Aim: to develop a more secure alternative to the credit
     card
     Credit card fraud totalled £500 million in 2004
     Credit card security
      – Signature
      – Chip and PIN                                    Bank

     Types of fraud
                                   Authorisation & Confirmation
     Architecture of current
     system                         Retailer
                                                  Credit Card &
                                                                Customer
                                                                 Reciept



Paul Killoran              EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (2)
                              Proposed Solution



     Model the credit card on a wireless mobile
     authentication device
      – J2ME (Java 2 micro edition) mobile phone
     Increase the security of the system by removing the
     trust required of the customer
      – Open a connection to                        Bank
         the bank (GPRS)
                                    Authorisation &      Payment Request
     Focus on the security           Confirmation          & Verification

     of the customer
                                   Retailer                   Customer
      – Provide anonymity

Paul Killoran              EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (3)
                                      SWiFT Architecture


                                                               Network
     Transaction Server                                     Basic
                                                                    HTTP  Security & Security &
                                                                          HTTP Security &
      –    Bank or Banking Agent
                                                           Retailer GPRS          Bluetooth
                                                                         Encryption Encryption
                                                                         (WAP) Encryption
                                                                  Interface
                                                           Terminal
     Customer Authorisation
                                                                Security
     Device                                                              J2ME Customer
                                                                  Retailer
                                                                                      GUI
                                                                  SupportMIDlet Support
      –    MIDP enabled mobile phone                             RSA       MD5     PIN
      –    E-Card

     Retailer Kiosk                                                          Bank
      –    Modelled on existing terminals


     Network & Security
      –    GPRS & Bluetooth
      –    RSA, MD5 & Customer PIN                       Retailer                         Customer



Paul Killoran                       EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (4)
                                   Security



     E-Card – Merchant communication
      – Never occurs
      – Eliminates need for a third secure channel.
     Customer authorises bank directly
      – Must only trust their bank
     Centralised control of security (Bank)
      – All parties communicate through the bank
      – Bank controls security in the network by supporting
        requests of authorised nodes only

Paul Killoran         EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (5)
                                      Protocol



     Transaction server established
     with many retailer nodes
     connected                                                                 Bank
     E-Card logs onto the network
     3 handshaked challenges
                                                                Bank
                                                                 Bank
     Use geographic information to
                                                            Bank
     inform bank of its location
                                                                         Local Retailers
                                                                        Current Location
                                                                     Request Connection
                                                             3 Handshake Challenges
     E-Card receives list of local                      MD5, RSA, PIN, Secret Known Values
     retailers
                                             Retailer
                                           Retailer                           Customer
                                            Retailer
                                           Retailer                            Customer
                                                                        Customer




Paul Killoran            EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (6)
                                       Protocol



     Customer approaches a
     retailer pay point with goods
     and produces their mobile
     phone (E-Card)
                                                                  Bank
                                                                  Bank
     Customer uses their E-Card to
     request the Transaction                 Inform Bob Of               Initiate Transaction
                                         Transaction From Alice            To Retailer Bob
     Server to initiate a payment to
     the retailer
     Cashier is informed of this            Retailer
                                            Retailer                             Customer
                                                                                 Customer
     request on their merchant
     terminal



Paul Killoran             EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (7)
                                       Protocol



     Cashier requests payment
     using the Merchant Terminal
     Customer is asked to confirm
     payment of this amount on                                    Bank
                                                                 Bank
                                                                 Bank
     their E-Card by entering their          Request Sale             Confirm Sale Amount
     PIN                                   Amount From Alice           Verify & Authorise
                                                                        To Pay To Bob
     The PIN number is first
     padded, then hashed using             Retailer
                                           Retailer
                                            Retailer                            Customer
                                                                               Customer
     MD5 and finally encrypted
     using RSA. The result is send
     to the Transaction Server for
     authorisation


Paul Killoran             EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (8)
                                       Protocol



     If the PIN authorisation is
     successful, a confirmation is
     then sent to the Merchant
     Terminal                                                       Bank
     The cashier confirms the sale                                  Bank
                                                                    Bank
     and the agreed amount is
     transferred between accounts                E-Receipt
                                               Confirm Sale
                                            Confirm Transaction                E-Receipt
     The E-Card and Merchant                                Printed Reciept
     Terminals receive a copy each            Retailer                            Customer
                                              Retailer
                                              Retailer                            Customer
                                                                                  Customer
     of an e-receipt
     The e-receipt is printed by the
     Merchant Terminal and issued
     to the customer


Paul Killoran             EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (9)
                             Points to Note



     Geographic location
     Customer username
     Customer initiated
     Marketing opportunity
     Card-present & card-not-present transactions support
     Security
      – RSA, MD5 & PIN number




Paul Killoran        EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (10)
                            Implementation



     Transaction Server
      – HTTP requests & responses
      – Session tracking
      – Web user interface (account management)
     E-Card Application
      – J2ME & Mobile Information Device Profile (MIDP)
      – HTTP over WAP
      – Downloaded MIDlet
      – Secret shared values

Paul Killoran        EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (11)
                              Implementation



     Retailer Kiosk
      – Easy integration with existing retail terminals
      – Requires MD5 & RSA encryption module
      – Requires online connection (GPRS)




Paul Killoran          EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (12)
                                      Prototype



     E-Card
      – Java PDA
      – Wi-Fi & sockets
      – Large touch screen
     Transaction Server
      – Java application
      – Sockets
     Retailer kiosk
      – ARM development kit
      – Keypad & small LCD
      – Modelled on current retail
        payment devices


Paul Killoran            EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (13)
                               Future Work



     Expand the application to include card-not-present
     transactions
     Refine the RSA implementation for faster operation
     Transfer the E-Card application from the PDA to a
     mobile phone
     Extensive testing of the security of the network




Paul Killoran        EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (14)
                                Conclusion



     New approach to secure personal financial solutions
     Considerable improvements over credit card security
     Easy integration
     Support for card-present & non-present transactions
     Reliance of trust between customer and 3rd parties
     removed
     Working prototype developed




Paul Killoran        EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (15)
                                       SWiFT
   :: A New Secure Wireless Financial Transaction Architecture ::

                                            Paul Killoran


            Progress is impossible without change, and those who cannot change their minds cannot change anything.
                                                                                       - Albert Einstein (1879-1955)




Paul Killoran                          EUROCON 2005 - “Computer as a Tool”, Belgrade, 24th November 2005 (16)

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:12
posted:9/29/2011
language:English
pages:16