Secure Electronic Transactions (SET) is an open protocol which has the potential to emerge as a dominant force in the securing of electronic transactions. Jointly developed by Visa and MasterCard, in conjunction with leading computer vendors such as IBM, SET is an open standard for protecting the privacy, and ensuring the authenticity, of electronic transactions. This is critical to the success of electronic commerce over the Internet; without privacy, consumer protection cannot be guaranteed, and without authentication, neither the merchant nor the consumer can be sure that valid transactions are being made. Technology
Secure Electronic Transactions (SET) relies on the science of cryptography – the art of encoding and decoding messages. Cryptography dates back many centuries – even in the time of Julius Caesar, encryption was used to preserve the secrecy of messages. Preserving the secrecy of transactions is no different, though stronger encryption algorithms are used, as well as significantly stronger encryption keys. Encryption advancements have come about through its application by the military, and by advances in computing power and mathematics. The SET protocol relies on two different encryption mechanisms, as well as an authentication mechanism. SET uses symmetric encryption, in the form of the aging Data Encryption Standard (DES), as well as asymmetric, or public-key, encryption to transmit session keys for DES transactions (IBM, 1998). Rather than offer the security and protection afforded by public-key cryptography, SET simply uses session keys (56 bits) which are transmitted asymmetrically – the remainder of the transaction uses symmetric encryption in the form of DES. This has disturbing connotations for a "secure" electronic transaction protocol – because public key cryptography is only used only to encrypt DES keys and for authentication, and not for the main body of the transaction. The computational cost of asymmetric encryption is cited as reason for using weak 56 bit DES (IBM, 1998), however other reasons such as export/import restrictions, and the perceived need by law enforcement and government agencies to access the plain-text of encrypted SET messages may also play a role. Overview of symmetric and asymmetric cryptography
Modern cryptography uses encryption keys, which can encode (lock) and decode (unlock) messages when an encryption algorithm is used. Symmetric encryption works by using a single key, which must be known by all parties wishing to unlock the message.
Figure 1.0 - Symmetric encryption with a single key
If we apply a specific key to a message, using a good encryption algorithm, then it will be unreadable by unauthorized parties. If we then apply the same key to the encrypted message, then the message will be restored to its original form. However, this presents a problem, because we must find a secure means of transmitting the key to all parties. Asymmetric encryption, also known as public-key encryption, frees us from this limitation. Asymmetric algorithms use two keys – a public and a private key. These keys are completely independent – a private key cannot be easily deduced from a public one. When we sign a message using someone’s public key, only the holder of the private key can read it. We can place our public key out in the open, and rest assured that only the private key holder can read messages encrypted for him or her.
Figure 2.0 - Asymmetric encryption with a public and a private key
Symmetric and Asymmetric encryption in SET
In the SET protocol, two different encryption algorithms are used – DES and RSA. The DES algorithm has been used since the 1970’s. It is believed by some that the National Security Agency (NSA) of America played "an invisible hand in the development of the algorithm" (Schneier, 1996), and that they were responsible for reducing its key size from the original 128-bits to 56. DES quickly became a...