<Previous Lesson


Next Lesson>



SSL is a protocol developed by Netscape Communications. SSL is built into many browsers. It operates at the TCP/IP layer of the OSI model, and uses a combination of symmetric and asymmetric cryptography. If there appears the word “https” in a URL, (e.g, https://www.microsoft.com) it indicates that the web server hosting this web site is SSL enabled. So, if a client machine is configured for SSL then any exchange of information between such a client and the web server would be in the encrypted form. To configure a client machine for SSL following steps are required: Internet Explorer:Tools menu->Internet options->Advanced tab-> Security (use SSL option can be checked)

SSL Handshake

SSL supports a variety of encryption algorithm and authentication methods. The combination of algorithms and methods is called a cipher suite. When a client connects to an SSL server, the SSL handshake begins, which means that the two negotiate a cipher suite selecting the strongest suite the two have in common. Thus, the handshake establishes the protocols that will be used during the communication, selects cryptographic algorithms and authenticates the parties using digital certificates. To start the SSL handshake process, a client sends a message to the server, the server responds and sends its digital certificate that authenticates its public key. The client (customer’s browser) generates a secret symmetric key for the session. The client encrypts the secret key using the public key that it has just received and transmits it to the server. The server decrypts the message using its private key and now has the secret or symmetric key. Further communication between the customer’s browser and the merchant’s server can now be encrypted and decrypted using the secret session key. SSL is commonly applied in online shopping as the customer puts in his/her credit/debit card information on the web form for payment purposes. If the web client and the server are SSL enabled, the SSL handshake would begin when the client enters the URL starting with “https”. This handshake can be accomplished in seconds. The web form opens before the client. The client enters information in the text boxes of the form and on pressing ‘submit’ all such information is automatically encrypted with the agreed secret or session key. This secured/encrypted information travels across the internet and is retrieved by the server side where it is automatically decrypted with the help of same secret or session key. Even if someone intercepts the information, he cannot make any sense out of it because of encryption. The greatest advantage of SSL is its simplicity. Since SSL is built into many browsers, no special encryption software is required either on the client or the server side. However, a drawback of SSL is that the merchant can store credit/debit card information after decryption that can be accessed by unauthorized parties from the merchant’s database.


The process of SSL handshake is also explained in Fig. 1 below:

Fig. 1

Secure Electronic Transaction (SET)

The drawback in SSL that the credit card/debit card information remains with the merchant led to the development of a more sophisticated protocol called SET. It was developed in 1997 jointly by Visa, MasterCard, Netscape and Microsoft. There are four entities involved in a SET transaction – cardholder, merchant, and certification authority and payment gateway. The role of payment gateway is to connect entities on the internet with those which are not on the internet such as the electronic network of banks (see fig. 2 below). Payment gateway provides the security of data transmission to/from the acquirer bank. Merchants must have special SET software to process transactions. Customers must have digital wallet software that stores certificates and card information. Client sends “hello” message Client sends response Session SSL Client (browser) Server responds With “hello” message Session Send encryption algorithms and key length SSL Server Send server certificate containing server’s public key Send client certificate and encrypted private session key Send data between client and server using private shared key Server receives client response and initiates session

123 Debit Card Debit Card Automated Clearing House Payer’s Bank Acquirer Bank Payer Payee Internet Debit Card Debit Card Certification Authority Payment Gateway

Fig. 2 Dual Signature in SET

SET hides customer’s credit card information from merchants and hides order information from banks to protect privacy. This scheme is called Dual Signature. A dual signature is created by combining two message digests and creating a new digest called Dual Signature Message Digest (DSMD). Fig. 3 below explains how the scheme of dual signatures is implemented in SET. Buyer/Bidder Merchant or Auction house Acquirer Bank •Encrypted message authorizing payment to the auction house if offer is accepted, but no details about what item is bought •MD2 and DSMD encrypted with Bidder’s private key 1a Offer for Items 4 •Encrypted message includes amount offered on the item, but no account information •MD1 encrypted with Bidder’s private key 1b •Decrypt message with auction house private key •Decrypt MD1 with bidder’s public key •Determine whether to accept bid 2 •Decrypt account information with acquirer private key •Decrypt offer acceptance message with acquirer private key •Decrypt MD2 and DSMD with bidder’s public key •Decrypt MD1 from step no. 3 with auction house’s public key •Concatenate MD1 and MD2 •Recompute dual signature and verify against DSMD sent by bidder •Encrypted message that offer is accepted from bidder •MD1 encrypted with auction house’s private key 3 4 Fig. 3

124 SET software on the customer side splits the order information from the account information. MDI is the message digest obtained by applying hash function on the order information. MD2 is the message digest obtained by applying hash function on the account information. Both, MD1 and MD2 are concatenated and a third message digest, DSMD, is obtained by again applying the hash function on the concatenated message digests. The order information or the offer for items is forwarded to the merchant/auction house in an encrypted form along with its message digest (MD1) signed with the private key of the buyer/bidder

(step 1b

). The merchant/auction house decrypts the order information/offer and verifies the signatures of the buyer/bidder through his/her digital certificate

(step 2)

. If the order/offer is acceptable to the merchant then the merchant signs the received MD1 with merchant’s private key and sends it to the acquirer bank along with an encrypted letter of acceptance to the offer


. On the other hand, the buyer sends the text based account information (credit card details) to the acquirer in an encrypted form. The buyer also sends MD2 (message digest related to account information) and DSMD to the acquirer bank signed with his/her private key

(step 1a

). The acquirer bank decrypts this information. Mainly, the acquirer bank receives four pieces of information as follows

(step 4)

: MD1 from merchant/auction house related to order information Account information in encrypted form from the buyer MD2 related to account information from the buyer DSMD from the buyer Acquirer bank concatenates MD1 and MD2 and applies the hash function to compute a message digest. Note that if this message digest is the same as the DSMD received by the acquirer, it ensures that a particular order information or offer is related to particular account information. At the same time, we have achieved our purpose that the order information should not reach the bank and the account information (credit card no. etc.) should not reach the merchant/auction house.


SETCo. is a company formed to lead the implementation and promotion of SET specifications It ensures that the vendors of SET software comply with the requirements laid down by its originators. A merchant holds certificate from card brand indicating that the merchant is authorized to accept credit card payment. The customer holds certificate from the card issuing bank. SETCo acts as a root certification authority in the certification hierarchy (see Fig. 4 below) SETCo Card Issuer Bank Customer Card Brand Merchant Fig. 4



SSL only handles secured transmission of credit card no. but SET is designed to handle the whole transaction in a secured manner using dual signatures. SSL is a general purpose protocol built into the browser, whereas SET requires software on, both, the client and the merchant side. SET uses a hierarchy of certificates for authentication. SET is complex and distribution of certificates is sometimes not stable. SET increases transaction cost. SET transactions are slower than SSL. SET uses a payment gateway for secured transmission of information.


An e-business is defined as a company/entity that has an online presence. E-businesses that have the ability to sell, trade, barter or transact over the web can be considered as e-commerce businesses. An e-business model is defined by a company’s policy, operations, technology and ideology.

Advantages of E-business

Some of the major advantages of an e-business as compared to a traditional business are as under: Personalized service High-quality customer service No inventory cost Worldwide reach of the business Electronic catalogues (convenient and quick transaction) Bulk transactions Improved supply chain management

<Previous Lesson


Next Lesson>


Lesson Plan


Go to Top

Next Lesson
Previous Lesson
Lesson Plan
Go to Top