Today, many users make payments electronically rather than in person. Hundreds of electronic payment systems have been developed to provide secure Internet transactions. Electronic payment systems are generally classified into four categories: credit and debit cards; electronic cash; micropayment systems; and session-level protocols for secure communications.
A secure electronic financial transaction has to meet the following four requirements: ensure that communications are private; verify that the communications have not been changed in transmission; ensure that the client and server are who each claims to be; and ensure that the data to be transferred was, in fact, generated by the signed author.
To meet these objectives, every electronic payment system developed depends on some type of encryption and/or utilization of digital certificates. Using an encryption algorithm, the plaintext (also known as the original text) is changed into ciphertext, which is decrypted by the receiver and transformed into clear-text. The encryption algorithm utilizes a key, a binary number often ranging in length from 40 to 128 bits. After being encrypted, the information is considered to be coded and therefore “locked.” The recipient uses another key to “unlock” the coded information, restoring it to its original binary form.
Two cryptographic methods are used in electronic payment systems: the secret key (which uses the same key to encrypt and decrypt and is the fastest method; however, the secret key is not secure during its initial transmission to the recipient) and the public key (which uses both a private and a public key).
In the latter, each receiver owns a secret private key and a publishable public key. In public-key cryptography, the sender finds the receiver’s public key and uses it to encrypt the message, whereas the receiver uses the private key to decrypt the message. The important point here is that because key holders do not need to send their private keys to anyone else to have their messages decrypted, the private keys are not in circulation and therefore are not vulnerable to crack attacks. In short, the security of a cryptographic system rests with the secrecy of the key rather than with the secrecy of the algorithm.
Theoretically, any cryptographic technique using a key can be broken, just as doors on a house can be broken into if someone finds a key compatible with the door’s key core. In virtual space, a cracker can break the cryptographic method by trying all possible keys in sequence (known as “brute-force”). As an aside, using brute-force to attempt all keys requires computing resources that grow exponentially with the key’s length. In short, cryptographic keys of 80 bits and 128 bits in length—those commonly used in electronic payment systems—will likely stay unbreakable by brute-force for quite some time.
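The exponential growth described above can be measured on a small scale. The following is an added example, not part of the original entry; the toy cipher (XOR with a SHA-256 keystream), the sample message and the rate of one billion keys per second are assumptions chosen for illustration.

```python
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_KEYS_PER_SECOND = 1e9  # assumption: illustrative search rate, not a measurement


def toy_encrypt(key: int, key_bits: int, data: bytes) -> bytes:
    """Toy secret-key cipher: XOR data with a SHA-256 keystream from an n-bit key.
    The same call decrypts. For demonstration only, not for real use."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def brute_force(ciphertext: bytes, key_bits: int, known_plaintext: bytes):
    """Try every key in sequence; return (key_found, keys_tried)."""
    for tried, candidate in enumerate(range(2 ** key_bits), start=1):
        if toy_encrypt(candidate, key_bits, ciphertext) == known_plaintext:
            return candidate, tried
    return None, 2 ** key_bits


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Time to try the whole key space at a fixed rate, in years."""
    return 2 ** key_bits / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    message = b"PAY 100.00 TO MERCHANT-42"  # constructed sample plaintext
    # Small keys: the search is actually carried out. The key is set to the
    # last value in the sequence, so the whole key space has to be tried.
    for bits in (8, 12, 16):
        ciphertext = toy_encrypt(2 ** bits - 1, bits, message)
        key, tried = brute_force(ciphertext, bits, message)
        print(f"{bits:3d}-bit key: found {key} after {tried} trials")
    # Key lengths named in the text: the search is only estimated.
    for bits in (40, 80, 128):
        years = years_to_exhaust(bits, ASSUMED_KEYS_PER_SECOND)
        print(f"{bits:3d}-bit key: about {years:.3g} years to try every key")
```

Each added bit doubles the number of trials, which is why the 40-bit search finishes in minutes at the assumed rate while the 80-bit and 128-bit searches do not finish in any practical time.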
Vanderbilt University. Overview of Secure Electronic Payment Systems. [Online, August 9, 2004.] Vanderbilt University Student Projects Website. http://elab.vanderbilt.edu/research/papers/html/student_projects/secure.payment.systems/overview.html.