information security group at oregon state university

http://www.security.ece.orst.edu/

has a number of papers

http://www.security.ece.orst.edu/publications.html

including "consepp" to be given in two weeks at IEEE Computer Security
Conference.

http://www.security.ece.orst.edu/papers/c24consp.html

CONSEPP: Convenient and secure electronic payment protocol based on X9.59

 A. Levi and C. K. Koc

Proceedings, The 17th Annual Computer Security Applications
Conference, to appear, New Orleans, Louisiana, IEEE Computer Society
Press, Los Alamitos, California, December 10-14, 2001.

Abstract

The security of electronic payment protocols is of interest to researchers
in academia and industry.  While the ultimate objective is the safest and
most secure protocol, convenience and usability should not be ignored, or
the protocol may not be suitable for large-scale deployment. Our aim in
this paper is to design a practical electronic payment protocol which is
both secure and convenient.

ANSI X9.59 standard describes secure payment objects to be used in
electronic payment in a convenient and secure way. It has many useful
convenience features for large-scale consumer market deployment, the best
being the elimination of consumer certificates. Consumer public keys are
stored in account records at financial institutions; the digital signatures
issued by consumers are verified by financial institutions. Encryption is
deliberately not provided by X9.59.

In this paper we propose a new Internet e-payment protocol, namely CONSEPP
(CONvenient and Secure E-Payment Protocol), based on the account authority
model of ANSI X9.59 standard.  CONSEPP is the specialized version of X9.59
for Internet transactions (X9.59 is multi-purpose). It has some extra
features on top of the X9.59 standard. X9.59 requires merchant
certificates; in CONSEPP we propose a lightweight method to avoid the need
for merchant certificates. Moreover, we propose a simple method for secure
shopping experience between merchant and consumer. Merchant authentication
is embedded in the payment cycle. CONSEPP aims to use current financial
transaction networks, like VisaNet, BankNet and ACH networks, for
communications among financial institutions.  No certificates (in the
classical sense) or certificate authorities exist in CONSEPP. Convenience
is not traded for security here; basic security requirements are fulfilled
in the payment authorization cycle without extra messaging and significant
overhead.

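The account authority model the abstract describes (consumer public key held in the account record, signature checked by the financial institution, no consumer certificate), as an added sketch that is not code from the post, the paper or the X9.59 standard. Ed25519, the PaymentOrder fields, the signed encoding and the account and merchant identifiers are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// PaymentOrder is a hypothetical payment object, not the X9.59 wire format.
type PaymentOrder struct {
	Account, Merchant string
	AmountCents       int64
}

// encode returns the bytes that get signed (constructed, unambiguous encoding).
func (p PaymentOrder) encode() []byte {
	return []byte(fmt.Sprintf("%q|%q|%d", p.Account, p.Merchant, p.AmountCents))
}

var ErrUnknownAccount = errors.New("no such account record")
var ErrBadSignature = errors.New("signature fails under the key on record")

// Institution is the account authority: the public key is a field of the account record.
type Institution struct{ keyOnRecord map[string]ed25519.PublicKey }

// Authorize verifies the consumer's signature with the key stored for the account.
// No certificate is presented or parsed; trust comes from the account relationship.
func (fi Institution) Authorize(p PaymentOrder, sig []byte) error {
	pub, ok := fi.keyOnRecord[p.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, p.encode(), sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo signs one order, then reuses the signature on an altered amount and an unregistered account.
func Demo() (genuine, altered, unknown error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	fi := Institution{map[string]ed25519.PublicKey{"acct-1001": pub}}
	order := PaymentOrder{"acct-1001", "merchant-42", 2599} // constructed sample
	sig := ed25519.Sign(priv, order.encode())
	genuine = fi.Authorize(order, sig)
	order.AmountCents = 259900 // altered after signing
	altered = fi.Authorize(order, sig)
	order.Account = "acct-9999" // no record at this institution
	return genuine, altered, fi.Authorize(order, sig)
}

func main() { fmt.Println(Demo()) }
```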