強化信用卡電子交易安全之研究

a b c / (Electronic Data Interchange) (1) a b c 1

2 (2) ) 2001-03-09 (FBI) Windows NT 100 2001-03-10. Metromedia John Kluge (ID) Abraham 32 Abdallah 47 Michael Puglisi 2003-02-20 800 2003-03-07 2002 817 6.3% 8.11 2004 8.6% () (Message Encryption)(Message

3 Authentication Code) (Digital Signature) SET (Secure Electronic Transaction) SET 1. Message Encryption (Secret Key) (Public Key) (1) (Secret Key) DES (Data Encryption Standard) [1] / (2) (Public Key) ( )

4 RSA (Rivest, Shamir & Adleman) [2] 2. (Message Authentication Code) (Hash Function) ( ) SHA(Secure Hash Algorithm)[3]MD(Message Digest)[4]

5 (128 bits) 3. (Digital Signature) (1) (2) (3) ElGamalSchnorr DSA(Digital RSA Signature Algorithm) [5]RSA ElGamal Schnorr ElGamal ElGamal DSA [6] ElGamal Schnorr 4. SET (Secure Electronic Transaction) [7] SET VISA MasterCard 1996 RSA (Authentication) (Confidentiality) (Integrity) (1) Authentication (Certificate Authority, CA) (2) Confidentiality(DES Secret K

6 (3) Integrity (Message Digest)? ( ) ( ) 4 3 2 1 SET SET ( ) ( ) ( ) ( ) ( )

7 () 1. 2002-9-17 2. SET SET [8] 3. SET 4. 2003-02-20

8 (6 ) (2 ) (8 ) (6 ) (2 ) (8 ) [9] [10] ( ) () 1. ASCII 2.

9 [9] (8 ) (6 ) (2 ) (8 ) ( )

10 (1) Multiple Base B = [MSB,,LSB] = [b n, b n-1, b 1, b 0 ], b k > 1 (k = 0, 1,, n) n b k 1 = k 0 [0,, 0, 0] ~ [b n 1, b n-1 1,, b 1 1, b 0 1] 0 (b n b n-1 b 1 b 0 ) - 1 (2) H i (i = 1, 2, 3 m) b n b n-1 b n-2 b 0 a. H i k (i )i =1, 2,, m H i Si + < 1 k ( i) i 1 bn j, where S i 1 = k( p); k(0) = j= Si 1 + 1 p= 0 0 b. H i (A 1, A 2,, A k(i)-1, A k(i) ) H i k ( i) 1 = Aw i w= 1 k ( i) 1 bn x + Ak ( i), where Ak ( i) = H i mod bn k ( ) + 2 x= w 3. 4. (ID) A220370346 (PW) secret 1 ID ( ) H 1 = 220

11 H 2 =370H 3 = 346PW ( ) ASCII B [B 5, B 4, B 3, B 2, B 1, B 0 ] = [115, 101, 99, 114,101,116] 2 ) ( [11] H 1, H 2 H 3 B qsuvc207e qsuvc207 3 ) ( qsuvc207 () [10] [12] (1) (Proof of Origin) (2) (Message Integrity) (3) (Non-Repudiation) SET( ) SET ( )

12 [10] R = [r m r m-1 r 1 ]ID = [ d n d n-1 d 1 ] C = R ID = [c m, c m-1, c m-2,, c 2, c 1 ], c k rk d n ( m k ) d n ( m k + 1) L d k, n m = rk d n d n 1 L d n ( m k ), n < m, k > rk d1 d 2 L d k, n < m, k m n m n R C ID C R ID ( ID ) ID ID R 8 bits (175)C 153 ID ID ID R C ID ( R C ID ) ID ID (N) ID 0.3 2 N

13 ID ID (R=175,C=153 ) 1 2? 3 + R 4 R ID i ID i+1 F(ID 0R )=W ( ) X=F(ID 0R ) W=X? 5 ( ) ID i ID i+1

14 F / ID i i ( i = 1, 2, ) ID i+1 i R ID 0 ( ( ( ID i ) ( ) ( ) ID i ID i ( ) ID i+1 R ID 0, R ID i+1 F (

15 ) ID i+1 SSL(Secure Socket Layer) [13] SET SSL SET SSL SET SET SSL - (Challenge Response) SET (1) - (2) SET ( HASH RSA ) (3) SET ( DESHASHRSA) (4) SET

16 (5) SET - 3% MasterCard 75% 94% SET - (1) (ID0) ID0 ID0 (2) SET IDi F(IDi+1RID0) (3) ID R F

17 1. (2001) 2. Rivest, R., A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communication of the ACM, Feb. 1978, vol.21, no. 2, pp. 120-126. 3. http://www.rsasecurity.com/rsalabs 4. http://www.faqs.org/rfcs 5. (2001) 6. Harn, L., How to share (broadcast) multiple secrets efficiently, IEE Proceeding E, May 1995, vol. 142, no. 3, pp. 385-389. 7. SET 88 12 50~61 8. http://www.setco.org 9. Chao, H. M., C. M. Hsu and S. G. Miaou, A data-hiding technique with authentication, integration, and confidentiality for electronic patient records, IEEE Transactions on Information Technology in Biomedicine, Mar. 2002, vol. 6, no. 1, pp. 46-53. 10. design of a secure and non-repudiation authentication mechanism with data hiding and message encryption 91 6 11. Twu, S. H., H. M. Chao, and C. M. Hsu, An identity (ID) protection mechanism based on the multiple-number base algorithm for network access controls, Proceedings of 6th Multi-conference Systemic, Cybernetics and Inform. Systems Development, Orlando, Florida, USA, vol. XVIII, pp. 322-326 (July 14-18, 2002). 12. Ganley, M. J., Digital signatures and their uses, Computer & Security, 1994, vol. 13, pp. 385-391. 13. (2002)

18 A Security Mechanism for Improving Credit Card Electronic Transaction Chin Ming Hsu a Hui Mei Chao b Shih Hsiung Twu c Abstract A secure credit-card electronic transaction mechanism with an encryption/decryption scheme and a non-repudiation authentication protocol is proposed to preserve cardholders privacy and reduce banks profit losses. The encryption/decryption scheme based on a multiple number base algorithm and a random number generator can not only prevent cardholders personal information such as their credit card numbers and identification codes from being revealed but also support cardholders privacy. The non-repudiation authentication scheme based on a challenge-response protocol can prevent anyone from denying the transaction being made or accepted. The experimental results show that the proposed approach could be extended and be compatible with current systems because of its simplicity, confidentiality, and fast processing speed. KeywordsCredit cardprivacyrandom number generatorauthentication. a Associate Professor, Dept. of EE, Kao Yuan Institute of Technology b Ph. D Student, Dept. of EE, Chung Yuan Christian University c Associate Professor, Dept. of EE, Chung Yuan Christian University