
[Susou Q&A] What is the SET protocol?

Q&A, posted by admin, 3 years ago (2020-11-10)


The SET protocol, short for Secure Electronic Transaction protocol, is an electronic payment model. It was designed for credit-card payment in B2C commerce, and it secures online credit-card purchases made over open networks.

SET came into being to make instant electronic payment more complete. The SET protocol (Secure Electronic Transaction) is a new electronic payment model launched on June 1, 1997 by MasterCard and Visa together with Netscape, Microsoft and other companies. It was designed for credit-card payment in B2C commerce and secures online credit-card purchases over open networks. SET is intended mainly for credit-card transactions among users, merchants and banks. Because it offers advantages such as guaranteeing the integrity of transaction data and the non-repudiation of transactions, it has become the currently recognized international standard for online credit-card transactions.

Services provided by SET

The SET protocol provides a number of security measures for electronic transactions. It guarantees the confidentiality of the transaction, the integrity of its data, the non-repudiation of the parties' actions and the legitimacy of their identities.

(1) Ensure the confidentiality and integrity of customer transaction information

SET uses dual signature technology to sign the consumer's payment information and order information separately during a SET transaction. The merchant cannot see the payment information and receives only the user's order information; the financial institution cannot see the content of the order and receives only the user's payment and account information. This fully protects both the consumer's account and the order information.

(2) Ensure the non-repudiation of merchant and customer transactions

The focus of the SET protocol is authenticating the identity of merchants and customers and ensuring that neither can repudiate a transaction. Its theoretical basis is the non-repudiation mechanism, and its core technologies include the X.509 digital certificate standard, digital signatures, message digests and dual signatures.

(3) Ensure the legitimacy of merchants and customers

SET uses digital certificates to verify the legitimacy of every party to a transaction. Certificate verification ensures that the merchant and the customer in a transaction are both legitimate and trustworthy.

The SET transaction process

A SET transaction has to authenticate the merchant, the customer, the payment gateway and the other parties involved, so the process is relatively complex.

(1) The customer picks a product in the online store, negotiates with the merchant, and then sends a purchase request.

(2) The merchant asks the customer to pay with an electronic wallet.

(3) The electronic wallet prompts the customer for a password and then exchanges handshake messages with the merchant to confirm that both the merchant and the customer are legitimate.

(4) The customer's electronic wallet builds a message containing the order information and the payment instruction and sends it to the merchant.

(5) The merchant sends the information containing the customer's payment instruction to the payment gateway.

(6) After confirming the customer's credit-card information, the payment gateway sends an authorization response message to the merchant.

(7) The merchant sends a confirmation message to the customer's electronic wallet.

(8) The funds are transferred from the customer's account to the merchant's account, the goods are delivered to the customer, and the transaction ends.

As this flow shows, a SET transaction is very complex. Completing one SET transaction requires verifying digital certificates 9 times, verifying digital signatures 6 times, transferring certificates 7 times, signing 5 times, and performing symmetric and asymmetric encryption 4 times. A SET transaction usually takes about 1.5-2 minutes or even longer. Because the quality of network infrastructure varies from place to place, completing a SET transaction may take longer still.

Security analysis of SET

Combining public-key encryption and private-key encryption to ensure data confidentiality

In SET, the confidentiality of information in the payment environment is obtained by encrypting the payment information with a combination of public-key encryption and private-key (symmetric) encryption. The public-key algorithm is the RSA public-key cryptosystem, and the private-key algorithm is the DES data encryption standard. In SET the combination of these two techniques is described figuratively as a digital envelope, with the RSA encryption acting as the seal on the envelope: the message is first encrypted with a 56-bit DES key and then placed in a digital envelope encrypted with a 1024-bit RSA public key for transmission between the two parties. Combining the two kinds of key ensures the confidentiality of the data in the transaction.

Using message digests to ensure information integrity

SET guarantees message integrity and authenticates the message source through a digital signature scheme, which follows the same encryption principles as message encryption. The digital signature combines the RSA encryption algorithm with a message digest. The message digest is the value obtained by processing the message with a hash function, and it corresponds uniquely to that message: changing any single bit of the message changes about half of the bits of the digest. The probability that two different messages have the same digest is extremely small, and the one-way property of the hash function makes it computationally infeasible to derive the message from its digest. These properties of the message digest ensure the integrity of the information.

Using dual signatures to ensure the identity authentication of both parties

SET uses dual signature technology. In a secure e-commerce transaction, the cardholder's order information and payment instruction correspond to each other. The merchant can ship according to the order information only after confirming that it is the order information corresponding to the cardholder's payment instruction; the bank can pay as the merchant requests only after confirming that the order information corresponding to the cardholder's payment instruction is genuine and reliable. So that the merchant can legitimately verify the cardholder's payment instruction and the bank can legitimately verify the cardholder's order information without either of them intruding on the customer's privacy, SET adopts dual signatures to keep the customer's privacy from being violated.
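The dual signature described here and under service (1), as an added example that is not part of the original page: it spells out the standard construction, in which the cardholder signs the hash of the two concatenated digests H(PI) and H(OI), so each party can verify the link while holding only one of the two plaintexts. The toy unpadded RSA key, the sample OI/PI strings and all function names are assumptions made for the illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example).
# Unpadded textbook RSA stands in for SET's RSA signature and is NOT secure.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # cardholder's private exponent


def h(data: bytes) -> bytes:
    """SHA-1 message digest (160 bits, smaller than the toy modulus)."""
    return hashlib.sha1(data).digest()


def dual_sign(oi: bytes, pi: bytes) -> int:
    """Cardholder: sign H(H(PI) || H(OI)) with the private key."""
    pomd = h(h(pi) + h(oi))
    return pow(int.from_bytes(pomd, "big"), D, N)


def digest_matches(pimd: bytes, oimd: bytes, ds: int) -> bool:
    """Recompute H(PIMD || OIMD) and compare with the opened signature."""
    expected = int.from_bytes(h(pimd + oimd), "big")
    return pow(ds, E, N) == expected


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds the order (OI) and only the digest of the payment data."""
    return digest_matches(pimd, h(oi), ds)


def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds the payment data (PI) and only the order digest."""
    return digest_matches(h(pi), oimd, ds)


# Constructed sample data, not real order or card values.
OI = b"order=1 laptop; total=999.00 USD"
PI = b"card=<test-card-number>; amount=999.00 USD"
DS = dual_sign(OI, PI)
```

A merchant who substitutes a different order, or a gateway handed a digest of a different order, fails verification because the signed value binds both digests together.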

Improving SET

SET provides a way to pay online by credit card on B2C platforms, but it is very complex to implement, and merchants and banks both have to rework their systems to interoperate, so widespread adoption of SET will still take time. Whether SSL or SET is used for online payment, each has its shortcomings. Given its advantages in security and confidentiality, however, SET ought to become the mainstream way of paying online in future e-commerce. The author proposes improvements for two of its main problems, product quality and the handling of residual data: introduce a product quality inspection mechanism to guarantee the quality of goods, and establish a "transaction information archive center" to settle the ownership of data left over after a transaction, thereby protecting the interests of users.

Introducing a product quality inspection mechanism to guarantee product quality

Under this mechanism, the merchant ships the goods directly to the official product quality inspection body in the consumer's locality. That professional body checks the goods for quality problems and, once the inspection is complete, notifies the consumer to come and collect them. A consumer who wants this service must agree with the merchant on how to share the inspection fee; a consumer who does not want it trades according to the ordinary SET flow. Introducing the inspection mechanism therefore makes it possible to check product quality and resolves the question that arises in SET of who bears the cost if the goods have quality problems. This protects the interests of users and also keeps the interests of merchants from being harmed.

The SET transaction process after introducing the quality inspection mechanism

With the quality inspection mechanism in place, the SET-based transaction process becomes somewhat more complex than before, and the SET message also has to be modified so that the quality inspection information can be carried in it as an attachment. An attachment bit is therefore added to the SET message, with two possible values: 0 means there is no attachment and 1 means an attachment is present. The attachment carries information about the two parties to the transaction (for example, an identifying number assigned to each), the product name, the product's shelf life, the product's life cycle, and so on.

(1) The user looks up product information and decides which product to order.

(2) The user and the merchant discuss and agree on how the quality inspection fee will be shared.

(3) The order and the payment information are sent together to the merchant as electronic data.

(4) The merchant verifies them and requests payment authorization from the financial institution that issued the user's payment card.

(5) The financial institution verifies the digital signature and the legitimacy of the user's information. If they are valid, it sends the authorization.

(6) After verifying the authorization, the merchant sends the user an order confirmation. At the same time it looks up the product quality inspection department for the user's region and ships the goods to that department.

(7) The product quality inspection department in the user's locality receives the goods from the merchant. After accepting the product's quality, it changes the attachment bit from 0 to 1, attaches the detailed attachment information, sends a receipt notice to the merchant, and takes responsibility for delivering the goods to the consumer. The merchant requests payment from the financial institution that issued the user's payment card.

(8) Once the user has received satisfactory goods, the user signs the payment slip, tells the product quality inspection department that payment is approved, and sends the payment information to the bank that issued the payment card. The issuing bank pays only after it has received both the merchant's payment request and the user's approval of payment.

Conclusion

SET was initiated and jointly developed by American companies, so its support for credit-card payment fits usage in Europe and North America fairly well. In practice, however, SET requires the cardholder to install an electronic wallet on the client, which raises the customer's transaction cost, and the transaction process is relatively complex, so comparatively few customers accept this form of instant online payment.

In China, credit-card payment is not yet widespread, so SET is also used relatively little there. Whatever payment protocol electronic payment adopts, it should take three things into account: security, cost and ease of use. Because neither SET nor SSL delivers all three, the two protocols currently coexist. But even if the industry develops an electronic payment protocol that combines all three advantages, that alone may not fully guarantee the security of electronic payment and online banking.

The security of online banking touches many areas and is not a problem that a well-designed secure payment protocol, a secure firewall or an electronic signature can solve on its own. Banks must therefore strengthen their management, step up their outreach, help customers build security awareness, teach users how to use online banking correctly, and mobilize all parts of society in a coordinated, multi-party strategy to keep online banking secure. Only through the joint efforts of all sectors of society can the security of electronic payment be guaranteed; only through those joint efforts can the security of online banking be guaranteed; and only through those joint efforts can the security of e-commerce, and its rapid and orderly development, be guaranteed.

