Development of an E-commerce Site with Smartcard Payment Mechanism
Christopher S. Lacey
MEng Electronic Systems Engineering
with Management Studies
Supervisor: Mr. P J Miller
Electronic Engineering
School of Engineering and Applied Science
Aston University
Submitted: May 2001
? Chris Lacey / Aston University, 2000 - 2001. To contact the author, see www.cslacey.co.uk/project
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
Acknowledgements
The author wishes to express his gratitude to the following:
Mr. P J Miller and Dr. J A R Williams of the School of Engineering and Applied Science, Aston University, for providing ongoing advice and assistance for the duration of the project.
Mr. J Ward and Mr. P Trevis also of the School of Engineering and Applied Science, Aston University, for providing technical support.
Hitachi Smart Commerce division for the donation of smartcard equipment and development software; specifically, Mr. J Griffiths for providing technical support and to Mr. R Evans for arranging sponsorship.
Mr. M Meyerstein of BT Cellnet for providing information and source code with respect to Mondex value transfer.
Page 1
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
Contents
Acknowledgements .......................................................................................................... 1 Contents ........................................................................................................................... 2
Table of Figures ............................................................................................................... 6
1 Synopsis........................................................................................................................ 7
2 Introduction ................................................................................................................. 8
2.1 Context ................................................................................................................... 8
2.1.1 Applicability of Smartcard Technology ............................................................ 9 2.2 Requirements ........................................................................................................ 10
2.2.1 Electronic Cash .............................................................................................. 10
2.2.2 Personal Profile .............................................................................................. 10
2.2.3 E-Commerce Web Site ................................................................................... 11 2.3 Overview of Report .............................................................................................. 11 3 Server-Side Design Issues .......................................................................................... 12 3.1 Choice of Web Server ........................................................................................... 12 3.2 Server-Side Processing ......................................................................................... 12 3.3 Maintaining State .................................................................................................. 13 3.4 Database ............................................................................................................... 15
3.4.1 Database Transactions .................................................................................... 15 3.5 Encrypted Communication.................................................................................... 16
3.5.1 Public and Private Keys (Asymmetric Cryptography)..................................... 16
3.5.2 Digital Certificates ......................................................................................... 17
3.5.3 SSL and Certificate Authentication ................................................................ 17 4 Server Implementation .............................................................................................. 18 4.1 ASP Syntax .......................................................................................................... 18
4.1.1 Code Convention ........................................................................................... 18 4.2 Separation of Code and Presentation ..................................................................... 18
4.2.1 The need for inline code embedding ............................................................... 18
4.2.2 Function Libraries .......................................................................................... 19
4.2.3 User Redirects ................................................................................................ 19
Page 2
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
4.3 Database Structure ................................................................................................ 21 4.3.1 Relationships ................................................................................................. 21 4.3.2 Tables ............................................................................................................ 21 4.3.3 Queries .......................................................................................................... 22 4.4 Server-Side Java Application ................................................................................ 23 4.5 SSL ...................................................................................................................... 24
5 Client-Side Design Issues ........................................................................................... 255.1 Hypertext Markup Language (HTML) .................................................................. 25 5.1.1 Frames ........................................................................................................... 26 5.1.2 Forms............................................................................................................. 27 5.1.3 Client-side Scripting ...................................................................................... 28 5.1.4 Dynamic HTML ............................................................................................ 29 5.2 Cascading Style Sheets (CSS) ............................................................................... 29 5.3 Client-Side Java Applet ........................................................................................ 30 6 Client Implementation............................................................................................... 31 6.1 Web User Interface ............................................................................................... 31 6.1.1 SmartCentre Site ............................................................................................ 32 6.1.2 Aston SmartMarket Site ................................................................................. 33 6.2 Client-Side Java Applet ........................................................................................ 35
6.2.1 Interface Methods .......................................................................................... 35 6.2.2 Netscape Navigator and Internet Explorer Security Models ............................ 36
6.2.3 Drivers for Smartcard Readers ....................................................................... 37 7 Smartcard Design Issues ........................................................................................... 38 7.1 Choice of Operating System ................................................................................. 38 7.2 Card-Client Communication ................................................................................. 38 7.2.1 Command APDU‟s ........................................................................................ 38 7.2.2 Response APDU‟s ......................................................................................... 39 7.2.3 APDU Cases .................................................................................................. 39 8 Smartcard Implementation ....................................................................................... 40 8.1 Feature Set ............................................................................................................ 40
8.1.1 PIN Requests ................................................................................................. 40 8.2 Developmental Process ......................................................................................... 41
Page 3
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
9 Cryptographic Challenge and Response Cycle ........................................................ 42 9.1 Requirements ........................................................................................................ 42 9.2 Implemented Solution ........................................................................................... 42 9.3 Debit Procedure .................................................................................................... 43 9.4 Credit Procedure ................................................................................................... 44 9.5 Tolerance to Network Failures .............................................................................. 44 9.6 Tolerance to System Interruptions ......................................................................... 45 9.7 Security ................................................................................................................ 45
10 Evaluation ................................................................................................................ 47
10.1 Project Costing ................................................................................................... 47 10.1 Possible Future Development .............................................................................. 48 11 Conclusion................................................................................................................ 49
References ...................................................................................................................... 50
Bibliography .................................................................................................................. 50
Appendix 1: System Overview ..................................................................................... 52 Appendix 2: Public Explanatory Material .................................................................. 53 Appendix 2.1: Introduction to SmartID and SmartWallet ............................................ 53 Appendix 2.2: Privacy Statement for SmartMarket ..................................................... 54 Appendix 3: Server Installation Instructions .............................................................. 55 Appendix 3.1: Implementing SSL ............................................................................... 55
Appendix 3.1.1 Generation of Server Certificate ..................................................... 55
Appendix 3.1.2: Enabling SSL ................................................................................ 56 Appendix 4: Client Installation Instructions ............................................................... 57 Appendix 4.1: Drivers for Smartcard Reader .............................................................. 57 Appendix 4.2: Internet Explorer.................................................................................. 57 Appendix 4.3: Netscape Navigator ............................................................................. 58
Page 4
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
Appendix 5: Server Code ............................................................................................. 59 Appendix 5.1: ASP Examples ..................................................................................... 59
Appendix 5.1.1: Library for calling cryptographic functions (sw_lib.asp) ............... 59
Appendix 5.1.2: Server-side validation for registering a user (adduser.asp) ............. 60
Appendix 5.1.3: Validating card‟s debit response (scauthorise.asp) ......................... 61
Appendix 5.2: Server-Side Java Application ............................................................... 62 Appendix 6: Client Code .............................................................................................. 63 Appendix 6.1: HTML and ECMAScript Examples ..................................................... 63
Appendix 6.1.1: Using client-side Java applet with forms (configsid.html) .............. 63
Appendix 6.1.2: Client-side validation of forms (setpin.html) ................................. 64 Appendix 6.2: CSS Example (aston.css) ..................................................................... 65 Appendix 6.3: Client-Side Java Applet ....................................................................... 66
Appendix 6.3.1: SmartID class................................................................................ 66
Appendix 6.3.2: MessageFrame class ..................................................................... 73
Appendix 6.3.3: PinRequest Class .......................................................................... 74 Appendix 7: Smartcard Code ...................................................................................... 75
Page 5
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
Table of Figures
Figure 4.1: Pseudocode indicating use of inline scripting ................................................. 18 Figure 4.2: ASP code showing use of function libraries and server-side includes ............. 19 Figure 4.3: Extract from db_lib database access library ................................................... 19 Figure 4.4: Extract from adduser.asp showing use of user redirects ................................. 20 Figure 4.5: Database structure ......................................................................................... 21 Figure 4.6: ASP code to call „preemptResponse‟ method in Java application ................... 23
Figure 5.1: Main frame structure ..................................................................................... 26 Figure 5.2: Browse/search products frame structure ........................................................ 26 Figure 6.1: Form used to configure personal profile ......................................................... 33 Figure 6.2: Aston SmartMarket front page ....................................................................... 34 Figure 6.3: Pages to search product database and view results ......................................... 35 Figure 7.1: ISO 7816-4 Command APDU structure ......................................................... 38 Figure 7.2: ISO 7816-4 Response APDU structure .......................................................... 39 Figure 8.1: Implemented smartcard feature set................................................................. 40 Figure 9.1: Debit communication sequence .................................................................... 43 Figure 9.2: Credit communication sequence ................................................................... 44 Figure 9.3: Debit test site ................................................................................................ 46
Figure 9.4: Credit test site ............................................................................................... 46
Page 6
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
1 Synopsis
In an attempt to provide a solution to the problem of using credit cards for payment over the Internet, the objective of this project was to implement a fully functioning E-commerce site which utilised a smartcard mechanism for payment..
Due to the fact that the creators of existing smartcard wallets appear reluctant to divulge their full specifications, a smartcard-based electronic cash system has been developed from scratch, providing means for instantaneous, anonymous transfer of value across an insecure network, such as the Internet. Analysis and test of the system have suggested the implementation to be secure.
Additionally, smartcard technology has been employed to solve another perceived problem with business-to-consumer E-commerce sites: that of the need for repetitive personal data entry. A profile system has been created which permits storage of personal data in one location (the smartcard), and rapid completion of HTML forms by automatic retrieval of this information.
An E-commerce site has been created with which these two systems have been successfully integrated, indicating that smartcard technology does provide a feasible means for addressing the problems identified. However, complications identified at the client side suggest that widespread adoption of the technology will not occur until suitable standards are developed and adhered to.
Page 7
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
2 Introduction
2.1 Context
The explosive growth of the Internet has caused a revolution in the manner in which businesses and consumers conduct commercial exchanges. E-Commerce is currently a
major growth industry, and the number of transactions carried out online is escalating exponentially.
The advantages provided by Internet commerce are self-evident, and explain the enthusiasm shared by companies and customers for trading in this manner. For the supplier, there is greater potential to compete on a global scale, and cost savings can be attained in terms of staff and real estate by removing the need for public-facing premises. For the consumer, a means is provided to browse and search for products, and compare the prices of different suppliers, more quickly and easily than was previously possible. However, some problems have arisen with respect to business-to-consumer (“B2C”)
systems, which to this day have prevented them from realising their full potential. Firstly, there is a general reluctance amongst the public to transfer their credit or debit card number across the Internet, for fear of it being intercepted and unlawfully misused. The
ause of encrypted communication (via SSL) has gone a long way to alleviate this fear, but
it does still remain an issue: a significant number of potential purchases are lost for this reason.
Secondly, credit and debit cards are not ideally suited to purchasing many of the products or services that are available, or could be made so. In many situations, a system more resembling cash would be preferential - avoiding delays inherent within credit card clearing systems, permitting micropayments (e.g. of a few pence) to be made for online
services, retaining customer anonymity and providing a means for the user to be aware of his current balance at all times.
Finally, the tedious activity of repetitively entering personal information, such as shipping address, for every transaction or site registration is disconcerting to many users. A research study conducted by Jupiter Communications (NY) in 1999 indicated that more
a Secure Socket Layer
Page 8
E-commerce Site with Smartcard Payment Mechanism 错误?使用“开始”选项卡将 Heading 1 应用于要在此处显示的文字。
than a quarter of users surveyed had abandoned a transaction solely due to the length or complexity of the form which had to be completed.
aVarious solutions to these problems have been proposed, such as SET and Web „Beanz‟
for payments; and „Autocomplete‟ and Microsoft Profile Assistant for completing forms. However, each of these systems solves only one of the problems mentioned: SET, for example, avoids the need for transmission of credit card information, but still uses such a card as the ultimate means for payment. In addition, most solutions tend to be tied to a user‟s own computer, preventing them from being used effectively in Internet cafés or on other machines.
2.1.1 Applicability of Smartcard Technology
Smartcards have two fundamental capabilities - that of data storage and processing power. In terms of the former, they provide advantages in terms of their portability and - more uniquely - the fact that the data stored upon them can be made tamper-proof. Physical security of the cards provides good protection against attempts to read or modify the contents of memory by external means. Data can therefore only be accessed via the interface defined by the program resident on the card, meaning that a system could be
bcreated whereby information is not released from the card unless a correct PIN is entered
beforehand, for example.
The processing power of the card is of particular use for cryptographic and other sensitive operations, where - for example - digital signatures can be generated and validated without a user‟s private key ever leaving the card.
Smartcards‟ tamper-proof data storage, and their capability to perform cryptographic operations, therefore appeared to provide a feasible means for addressing the problems previously described: firstly, by allowing user profile information to be stored and quickly transferred by insertion of the card into a smartcard reader; secondly, by providing a secure means for value to be stored and transferred by means of a trusted applet resident on the card.
a Secure Electronic Transactions standard b Personal Identification Number
Page 9