Dr. Dobb's Journal December 1998
Every electronic-commerce system must carefully examine and define the trust model in which it operates. A trust model defines the relationships among the participating parties: Who is trusted, with what, and how that trust is established. A well-defined trust model is critical for assessing the security of a system, and for assessing the damage to the system when any party is compromised.
In the BlueMoney commerce model, there are three parties: the Merchant Server, Wallet, and Gateway. Initially, none of these parties needs to trust any of the others; they do trust BlueMoney Software, which provides the basis for trust by signing the certificates of the three parties.
Merchant Servers are software packages, operated by merchants that collect and manage orders on their behalf. Wallets store credit cards and other payment data on behalf of buyers, and release that information to merchants when authorized by the buyer. Gateways provide the link from the Internet to bank networks: They perform operations on credit cards and merchant bank accounts on behalf of the merchant, such as authorizing a credit card during a purchase. Thus, Merchant Servers are clients of both Wallets and Gateways.
All parties possess certificates and private keys. Certificates establish the identity of the party, its expected role, the Internet IP address(es) it is approved to operate from, and its public key. Private keys are kept secret, known only to their respective owners. When a party wants to establish trust in itself, it presents its certificate to the parties with which it is communicating. It then signs some data provided by the other party, and that other party can verify the signature with the public key stored in the certificate. If the certificate has a valid signature from BlueMoney Software, the party can be trusted to perform the role specified in its certificate.
Merchant Servers are the weakest point for attack. Merchant Servers may reside on shared machines and are often operated by people without the necessary resources to understand and enforce strong security on their systems. Therefore, Merchant Servers must authenticate themselves when they connect to either Wallets or Gateways. Furthermore, Merchant Servers are not trusted with a buyer's payment data. A buyer's payment data, such as a credit- card number, is placed into a sealed electronic envelope and encrypted for the Merchant Server's chosen Gateway. Only that particular Gateway can decrypt the envelope and break the seal.
The Merchant Server never needs to see the contents of the envelope in order to process the payment, because the Gateway can open the envelope and process the payment on the merchant's behalf. Envelopes are protected against reuse, preventing a Merchant Server from using the envelope to steal the buyer's money. The use of sealed envelopes also reduces a merchant's liability, because attackers who break into merchant databases or online stores cannot retrieve customer credit-card numbers.
Merchant Servers are not the only untrusted parties, however. Wallets and Gateways must both prove to Merchant Servers that they are certified for those roles before a Merchant Server will attempt to communicate with them. Gateways also do not trust Wallets, and any sealed payment data envelope must be signed by the Wallet. The Wallet must also include its signed certificate. In this way, a Gateway can verify that the payment is coming from a valid Wallet, and not from an attacker masquerading as one.
Because Wallets and Gateways have access to a buyer's payment data and sensitive information, BlueMoney Software helps ensure security through our certification process: We verify that the operators of these hosts have invested in specific measures to prevent break-ins and to deactivate services if a break-in is detected. The operators must employ administrative and operational practices that ensure the security of the machines on which the Gateway and Wallet services run. Further, Wallet and Gateway operators must be able to demonstrate their own legitimacy as businesses, and a reasonable purpose for operating a Wallet or Gateway.
DDJ