THE HIGH LEVEL ARCHITECTURE
(SET Cardholder Wallet With Java Card Support)
The Cardholder's SET Wallet consists of two parts (see figure 1):
- SET Network Part - Codename ``Body''.
The SET Network Part is the part of the SET Wallet that is downloaded from the SET
Software Web Server. This part is maintained by the issuer or
delegated to a software provider. We have implemented this part of the
architecture as a signed Java Applet - codename ``Body''.
The cardholder downloads the ``Body'' into his browser when visiting
the merchant shop in order to pay for the goods with the Java Card.
The link to the program is embedded into the merchant Web Shop.
The issuer/software provider is modeled by the http server too.
The authenticity of the Body is established by the signature of
the software provider.
- SET Cardlet
The SET Cardlet, codename ``Guard'',
is a Java Card 2.1 compliant application that
protects the Cardholder's sensitive data used in SET. These data are
the Primary Account Number, the Card Secret, the Cardholder Private Key,
and the Public Key of the Payment Gateway if the cardholder participates
in the local credit plan, to reduce the memory utilization on the card.
(This case is implemented in the project.) The other function of
the card is to generate, in a secure manner, the data structures that are
required to construct the payment message. These structures and operations
are, here and hereafter in terms of ASN.1: PIData and its hash,
PIDualSignedTBS and its DES encryption, the application of the
cardholder signature key, and OAEP on PANData followed by its encryption
with the payment gateway public key.
The SET Network Part is implemented as a signed Java 2 Applet.
This applet is integrated into the checkout page of the merchant
web shop. The classes of the SET Network Part are collected in a jar archive.
This Jar archive is signed with the Software Provider's signature.
We create this signature with the help of the Java ``keytool''.
The signature is checked every time the browser downloads the applet.
The program runs either on Java 2 compatible browsers or on browsers
that include the Java 2 Plug-In. The target platform of the SET Cardlet is
Java Card 2.1. The cardlet functions cover SET certificate management and
SET specific dual signature issues [1, page 23], [2, pages 271,317,323].
The SET Network Part will exchange the APDUs with the SET Cardlet on
the Java Card through the Open Card Framework API Version 1.2. Access to
the resources on the local host is managed by a Java 2 Policy File.
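
The dual signature named above (the hash of PIData signed together with the hash of the order data) can be illustrated as follows. This is an added example, not code from the project: it uses SHA-256 and 2048-bit RSA from the standard java.security API in place of SET's own algorithm choices and DER encoding, it runs on a desktop JVM rather than on the card, and the class name, method names and sample strings are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class DualSignatureDemo {
    static byte[] sha256(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Cardholder side (the Guard's job in this architecture): sign H(PIData) || H(OIData).
    static byte[] dualSign(PrivateKey key, byte[] hPI, byte[] hOI) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(hPI); s.update(hOI);
        return s.sign();
    }

    // Verifier side: both digests are required, but only one half in cleartext.
    static boolean dualVerify(PublicKey key, byte[] hPI, byte[] hOI, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(hPI); s.update(hOI);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair cardholder = kpg.generateKeyPair();

        // Constructed sample data; real SET messages are DER-encoded ASN.1 structures.
        byte[] piData = "PAN=<constructed>;amount=49.90;transId=demo-1".getBytes(StandardCharsets.UTF_8);
        byte[] oiData = "order=2 books;amount=49.90;transId=demo-1".getBytes(StandardCharsets.UTF_8);
        byte[] sig = dualSign(cardholder.getPrivate(), sha256(piData), sha256(oiData));

        // Merchant sees OIData, H(PIData) and the signature, never PIData itself.
        boolean merchantOk = dualVerify(cardholder.getPublic(), sha256(piData), sha256(oiData), sig);
        // Payment gateway sees PIData, H(OIData) and the signature, never the order details.
        boolean gatewayOk = dualVerify(cardholder.getPublic(), sha256(piData), sha256(oiData), sig);
        // An order altered after signing no longer matches the signed digest pair.
        byte[] altered = "order=20 books;amount=49.90;transId=demo-1".getBytes(StandardCharsets.UTF_8);
        boolean alteredOk = dualVerify(cardholder.getPublic(), sha256(piData), sha256(altered), sig);

        System.out.println(merchantOk + " " + gatewayOk + " " + alteredOk);
    }
}
```

In the two accepting checks each verifier would recompute only the digest of the half it holds and take the other digest as received; both are computed locally here to keep the example short.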
_________
|Java Card|
|SET |
|Cardlet |
|=============|
| Card |
| Terminal |
| |
|_____________|
(
)
/
_____________________________(__________________
| | Open Card | |
| wwwwwwwwwwwwwwwwwwwww|- - - - - - - - -w |
| w | Wake Up Message | Framework w |
| w | Extractor | w |
| w |_________________|_________________w |
| w | | PInitReq Generator | A w |
| w | J |---------------------------| S w |
| w | C | PInitRes Validator | N w |
| w | E |___________________________| . w |
| w | | PReq Generator | 1 w |
| w | |___________________________| w |
| w | | PRes Validator | w |
| w |___|___________________________|___w |
| w | Transport Interface w |
| w |___________________________________w |
| w w |
| w B R O W S E R w |
| wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww |
| PC or any Java 2 compatible device |
|________________________________________________|
Figure 1. The SET Cardholder Wallet with Java Card support.
- Wake Up Message Extractor is a group of Java classes that download
the Wake Up message and then parse it. The Wake Up Message (or Payment
Initiation Message) contains the order and other important SET related
information used to initiate a SET transaction [4, page 10].
- Open Card Framework (http://www.opencard.org) is a standardized application
platform that allows the SET Network Part to access a broad range of card
terminals and cards. The Jar archive will include only the SET service classes of OCF.
- PInitReq, PInitRes, PRes, PReq are the Java components
that implement the SET Protocol logic [2, page 306].
- Transport Interface is the set of Java classes that establish and control the
network connection to the merchant Point of Sale (POS).
- JCE stands for Java Cryptography Extension. We will use the JCE provided by
the IAIK-Java Group (http://jcewww.iaik.tu-graz.ac.at/). There are several
cases where we have to use cryptography to verify signatures
or to generate message digests outside of the Java Card. Therefore,
the SET Network Part jar archive contains these classes.
- ASN.1 stands for Abstract Syntax Notation One. ASN.1 is broadly used
to describe the SET data structures. The ASN.1 classes contained in the SET
Network Part jar archive encode and decode the protocol data according
to the SET ASN.1 specification [3]. We have used the OSS Nokalva asnpjav tool
to generate the Java code stubs for the SET ASN.1 specification.
- SET Cardlet consists of 7 classes. The first class is an interface that
ensures the uniform length of data which are common to the SET Cardlet and
the SET Network Part. The second class extends the javacard.framework.Applet
class and should be Open Platform Card Specification [6] compliant.
The other classes implement the SET protocol logic and protect the cardholder's
sensitive data.
REFERENCES
[1] Visa, MasterCard, SET Secure Electronic Transaction Specification, Book 1: Business Description, Version 1.0 http://www.setco.org/download/set_bk1.pdf
[2] Visa, MasterCard, SET Secure Electronic Transaction Specification, Book 2, Programmer's Guide, Version 1.0 http://www.setco.org/download/set_bk2.pdf
[3] Visa, MasterCard, SET Secure Electronic Transaction Specification, Book 3, Formal Protocol Definition, Version 1.0 http://www.setco.org/download/set_bk2.pdf
[4] Visa, MasterCard, External Interface Guide to SET Secure Electronic Transaction, http://www.setco.org/download/set_eig.pdf
[5] GlobalPlatform Inc, Open Platform, Card Specification, Version 2.0.1 http://www.globalplatform.org/