Secure e-commerce protocol

11663597 · 2023-05-30

Abstract

An E-commerce protocol is provided. The E-commerce protocol has been developed as a solution to malicious attacks, such as credit card fraud and theft of various financial data, that appear particularly in the cyber world. With the E-commerce protocol, only a manipulated version of the user information is kept in the E-commerce database, which removes the security risks that arise when E-commerce systems are compromised. The user does not have to share personal information with E-commerce companies, and the application also eliminates the necessity of entering the user information for each online transaction.

Claims

1. An E-commerce method for an E-commerce transaction, comprising the following steps:
combining, by a user device, non-encrypted data of the user device and an E-commerce company certificate into a value D;
receiving, by a bank, the value D from the user device and encrypting the value D using a symmetric key to generate, by the bank, an encrypted value Do and providing by the bank the encrypted value Do to the user device;
submitting, by the user device and electronically via the internet, the encrypted value Do to an E-commerce company and storing the encrypted value Do in a database of the E-commerce company;
generating, by the bank, a first value $T_n$ wherein the first value $T_n$ is obtained by: $T_n = F(\text{Time\_frame})$, wherein Time_frame is a time frame in which the E-commerce transaction is processed;
transmitting, by an application in the user device, a first value A to the bank, wherein the first value A is a total payment amount of the E-commerce transaction between the user device and the E-commerce company;
calculating, by the bank and according to the first value A, a value C with the first value $T_n$, and a secret key k in a formula and sending the value C to the user device, wherein the formula is expressed as: $C = (T_n \cdot k \cdot A)^{UID} \bmod p$, wherein UID is a user identification number, and p is a multi-digit prime number determined by the bank;
submitting, by the user device and electronically via the internet, the value C to the E-Commerce company;
submitting, by the E-commerce company, the encrypted value Do and the value C, simultaneously to the bank in order to complete the E-commerce transaction; and
receiving the value C and the encrypted value Do by the bank from the E-commerce company;
generating, by the bank, a second value $T_n$ and a second value A based on the value C received from the E-Commerce company;
confirming, by the bank to the E-Commerce company, the E-Commerce transaction by using the encrypted value Do and comparing and determining that the second value $T_n$ matches the first value $T_n$ and the second value A matches the first value A.

2. An E-commerce system for an E-commerce transaction, comprising: a user device, a bank, and an E-commerce company; wherein the E-commerce system completes and confirms the E-commerce transaction by:
combining, by a user device, non-encrypted data of the user device and an E-commerce company certificate into a value D;
receiving, by a bank, the value D from the user device and encrypting the value D using a symmetric key to generate, by the bank, an encrypted value Do and providing by the bank the encrypted value Do to the user device;
submitting, by the user device and electronically via the internet, the encrypted value Do to an E-commerce company and storing the encrypted value Do in a database of the E-commerce company;
generating, by the bank, a first value $T_n$ wherein the first value $T_n$ is obtained by: $T_n = F(\text{Time\_frame})$, wherein Time_frame is a time frame in which the E-commerce transaction is processed;
transmitting, by an application in the user device, a first value A to the bank, wherein the first value A is a total payment amount of the E-commerce transaction between the user device and the E-commerce company;
calculating, by the bank and according to the first value A, a value C with the first value $T_n$, and a secret key k in a formula and sending the value C to the user device, wherein the formula is expressed as: $C = (T_n \cdot k \cdot A)^{UID} \bmod p$, wherein UID is a user identification number, and p is a multi-digit prime number determined by the bank;
submitting, by the user device and electronically via the internet, the value C to the E-Commerce company;
submitting, by the E-commerce company, the encrypted value Do and the value C, simultaneously to the bank in order to complete the E-commerce transaction; and
receiving the value C and the encrypted value Do by the bank from the E-commerce company;
generating, by the bank, a second value $T_n$ and a second value A based on the value C received from the E-Commerce company;
confirming, by the bank to the E-Commerce company, the E-Commerce transaction by using the encrypted value Do and comparing and determining that the second value $T_n$ matches the first value $T_n$ and the second value A matches the first value A.

Description

(1) According to these figures;

(2) FIG. 1: The schematic view illustrates the initial registration and the first purchase of the user in the E-commerce system.

(3) FIG. 2: The schematic view of the processes regarding future purchases carried out on the E-commerce protocol subject to the invention.

(4) The parts in the figures have been numbered and their descriptions have been listed below.
100. E-commerce website
110. User
120. Bank
130. Credit card supplier EMV
A: Total payment amount in a single online transaction
C: Encrypted data
D: User information (Account number information, E-commerce company's certificate, birthdate, address etc.)
k: Symmetric encryption key which is used in a symmetric encryption algorithm
$D_0$: Encrypted D under the symmetric encryption algorithm with symmetric key k
$T_n$: An integer value randomly generated by the bank for each time frame
F: Function established according to time and payment amount information
uID: Unique number assigned to each user
Modulo p (mod p): Multi-digit prime numbers with respect to the modulo p
i: Inverse of uID with respect to mod (p−1)
$C^i$: Encrypted text C with calculated $i$-th power
AHI: Account holder's information

DETAILED DESCRIPTION OF THE EMBODIMENTS

(5) The invention is an E-commerce protocol, including the following steps:
Generating the value $T_n$ by the bank and submission of this value to the user in a determined time frame,
Combining the value $T_n$ with D which is the user's data (non-encrypted version) and E which is the E-commerce company's certificate values by the user,
Generating the value $D_0$ by the bank via the application,
Submitting the generated $D_0$ to the E-commerce company by the user and storing the value $D_0$ in the database of the E-commerce company,
Generating the value T by the bank, and obtaining the value $T_n = F(\text{Time\_frame}, A)$,
Transmitting the value A to the bank by the user-side application,
Using the value A by the bank and calculating C with values $T_n$ and k in Formula II and sending the result to the user as in Formula II as follows:
$C = (T_n \cdot k \cdot A)^{uID} \bmod p$  (Formula II)
Submitting the value C to the E-commerce company by the user,
Submitting the E which is the certificate of the E-commerce company and the values C and $D_0$ to the bank, in order to complete the purchasing process,
Receiving the value C by the bank and confirming the purchase by using $D_0$.

(6) The invention is an E-commerce protocol that aims to provide data security of users and to establish a secure commerce between the user and the E-commerce company. The protocol can be adapted to all kinds of E-commerce systems and the companies will not be burdened with extra responsibility, on the contrary, the protocol provides a bank and user-oriented security solution.

(7) In the operation principle of the protocol, there are two basic steps. These are as follows:
The initial registration of the user to the E-commerce system and the first purchase
The process of the future purchase

(8) The Initial Registration of the User to the E-Commerce System and the First Purchase

(9) In the first step of the protocol, the registration process of the user to the E-commerce system is performed, where registration is carried out just once. At this step, the required user information (credit card number, date of birth, address etc.) and the certificate information of the E-commerce company are combined by the bank and the value D is obtained. The AHI (Account holder's information) is shared between the bank and the card supplier EMV (Europay Mastercard Visa). This process already exists when the user obtains his/her credit card. The card supplier EMV acts as the credit card center for card types such as Visa and Mastercard, and it works together with the bank when the card verification process of the user is performed. The data D is encrypted using any of the symmetric key encryption methods (for example by a standard AES (Advanced Encryption Standard) algorithm) with a key k selected by the bank, and the resulting cipher, denoted by $D_0$, is sent back to the user.
$E_k(D) = D_0$  (Formula I)

(10) The value $D_0$ is sent securely, in order to be stored in the database of the E-commerce company, during the connection which is established between the user and the E-commerce system. As a result, the registration step is completed. After the registration step is performed, the user does not have to enter the required payment information such as credit card information for future purchases. At this step, the user information can be revealed from the value $D_0$, which holds the data of the user at the E-commerce company, only if the secret key k at the bank's system is known. As the certificate of the E-commerce company is embedded into the value $D_0$, the value $D_0$ will only be used by this company. (FIG. 1)

(11) The Sequence of the Process Steps Indicated in FIG. 1:

(12) It is assumed that the AHI is shared between the bank and the card supplier EMV at a time frame before the initiation of the registration step.
1. Sharing of the user data D between the user and the bank,
2. Extracting of the value $D_0$ from D by the bank, using the symmetric key k, and sending the encrypted data $D_0$ to the user,
3. Submission of the encrypted data $D_0$ to the E-commerce website by the user.

(13) Process of the Future Purchase

(14) As the second step of the protocol, the online shopping scenario of the user's $n$-th purchase is described. At this step, when the user reaches the related payment step on the E-commerce website, the user shares the payment amount value denoted by A with the bank and the credit card supplier EMV. The bank determines a value $T_n$ depending on the time of the transaction and this determined value T is valid through the specific time frame that is also determined by the bank. The value $T_n$ is an integer value randomly generated by the bank for each time frame and this value is the same for all users that are processing a transaction at that time frame. The values A and $T_n$ are subjected to a modulo operation by including the secret key k of the bank. The bank conceals the values A and $T_n$ by selecting a group where the discrete logarithm problem is hard. As an example, a multiplicative group according to the modulo p (mod p) where the prime integer p is determined by the bank can be used within the scope of the invention. This value p is a multi-digit prime number determined by the bank. The values $T_n$, k and A are concealed by applying the formula below and as a result, an encrypted data C is obtained from these values.
$C = (T_n \cdot k \cdot A)^{uID} \bmod p$  (Formula II)

(15) The value uID used here is the unique user identification number that belongs to the user (such as the user account number etc.).

(16) The encrypted data C is transmitted to the user at the end of the process. The user submits the value C to the E-commerce website and the E-commerce website simultaneously sends the value C together with the information $D_0$ to the bank and the credit card supplier EMV. In order to process the user verification and purchasing, the information C, $D_0$ and AHI must be checked between the bank and the credit card supplier EMV. (FIG. 2)

(17) To check if the transaction is valid and to confirm the money transfer, the bank must check the value $T_n$ that it has selected during the transaction. For this check:

(18) The value i is the inverse of uID and it is calculated according to the formula below.
$uID \cdot i \equiv 1 \pmod{p-1}$  (Formula III)
Then,
$C^i = ((T_n \cdot k \cdot A)^{uID})^i = (T_n \cdot k \cdot A)^{uID \cdot i} = T_n \cdot k \cdot A \bmod p$  (Formula IV)

(19) At the end of the process, the values $T_n$ and A are compared with the information in the bank. Thus, the money transfer process is confirmed.
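
The round trip of Formulas II to IV, as an added example that is not code from the patent: the bank builds C, later undoes the exponent with i and strips k and $T_n$ to get A back. The prime, key, $T_n$, amount and uID are constructed values, and the two guards are conditions the arithmetic needs rather than steps the text states.

```python
from math import gcd

P = 2**127 - 1      # constructed stand-in for the bank's multi-digit prime p
K = 982451653       # constructed stand-in for the bank's secret key k


def make_token(t_n, amount, uid):
    """Formula II: C = (T_n * k * A)^uID mod p, computed by the bank."""
    if gcd(uid, P - 1) != 1:
        # Assumption made explicit: Formula III has a solution i only
        # when uID is invertible modulo p-1 (so uID must at least be odd).
        raise ValueError("uID is not invertible mod p-1")
    m = t_n * K * amount
    if not 0 < m < P:
        # Assumption made explicit: Formula IV returns T_n*k*A reduced
        # mod p, so a product of p or more cannot be compared exactly.
        raise ValueError("T_n*k*A must be below p")
    return pow(m, uid, P)


def recover_amount(c, uid, t_n):
    """Formulas III and IV: undo the exponent, then strip k and T_n.

    Returns the amount A, or None when C does not fit this time frame.
    """
    i = pow(uid, -1, P - 1)        # Formula III: uID * i = 1 mod (p-1)
    product = pow(c, i, P)         # Formula IV: C^i = T_n * k * A mod p
    amount, remainder = divmod(product, K * t_n)
    return amount if remainder == 0 else None


if __name__ == "__main__":
    uid, t_n, amount = 1000003, 48611, 12999   # constructed sample values
    c = make_token(t_n, amount, uid)
    print("C =", c)
    print("recovered A =", recover_amount(c, uid, t_n))
    print("with another frame's T_n:", recover_amount(c, uid, 48619))
```

Because $T_n$ is the same for every user in a time frame, the comparison in the bank only separates two tokens of that frame by A and uID.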

(20) The Sequence of the Process Steps Indicated in FIG. 2:
1. Sharing the payment amount A between the user and the bank,
2. Transmitting the value A to the credit card supplier EMV,
3. Generating the encrypted data C by the bank and submitting it to the user,
4. Sending the value C to the E-commerce website by the user,
5. Submitting the values C and $D_0$ by the E-commerce website simultaneously, to the bank and credit card provider EMV,
6. Sharing the values C, $D_0$ and AHI to perform purchasing and verification processes between the bank and the credit card supplier EMV.