rfc1898.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 1,600 行 · 第 1/5 页
TXT
1,600 行
Network Working Group D. Eastlake 3rd
Request for Comments: 1898 CyberCash
Category: Informational B. Boesch
CyberCash
S. Crocker
CyberCash
M. Yesil
CyberCash
February 1996
CyberCash Credit Card Protocol Version 0.8
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Abstract
CyberCash is developing a general payments system for use over the
Internet. The structure and communications protocols of version 0.8
are described. This version includes credit card payments only.
Additional capabilities are planned for future versions.
This document covers only the current CyberCash system which is one
of the few operational systems in the rapidly evolving area of
Internet payments. CyberCash is committed to the further development
of its system and to cooperation with the Internet Engineering Task
Force and other standards organizations.
Acknowledgements
The significant contributions of the following persons (in alphabetic
order) to this protocol are gratefully acknowledged:
Bruce Binder, Judith Grass, Alden Hart, Steve Kiser, Steve
Klebe, Garry Knox, Tom Lee, Bob Lindenberg, Jim Lum, Bill
Melton, Denise Paredes, Prasad Chintamaneni, Fred Silverman,
Bruce Wilson, Garland Wong, Wei Wu, Mark Zalewski.
In addition, Jeff Stapleton and Peter Wagner made useful comments on
the first version of this memo.
Eastlake, et al Informational [Page 1]
RFC 1898 CyberCash Version 0.8 February 1996
History
For historic purposes, it should be noted that this document was
first posted as an Internet draft, and thus made publicly available,
on 8 July 1995.
Table of Contents
1. Overall System..........................................3
1.1 System Overview........................................3
1.2 Security Approach......................................5
1.2.1 Authentication and Persona Identity..................5
1.2.2 Privacy..............................................6
1.3 Credit Card Operation..................................6
2. General Message Wrapper Format..........................7
2.1 Message Format.........................................7
2.2 Details of Format......................................8
2.3 Body Parts.............................................8
2.4 Transparent Part.......................................9
2.5 Opaque Part...........................................10
2.6 Trailer...............................................10
2.7 Example Messages......................................11
3. Signatures and Hashes..................................12
3.1 Digital Signatures....................................12
3.2 Hash Codes............................................13
4. Specific Message Formats...............................13
4.1 Persona Registration and Application Retrieval........14
4.1.1 R1 - registration...................................14
4.1.2 R2 - registration-response..........................15
4.1.3 GA1 - get-application...............................16
4.1.4 GA2 - get-application-response......................17
4.2 Binding Credit Cards..................................18
4.2.1 BC1 - bind-credit-card..............................18
4.2.2 BC4 - bind-credit-card-response.....................20
4.3 Customer Credit Card Purchasing Messages..............21
4.3.1 PR1 - payment-request...............................21
4.3.2 CH1 - credit-card-payment...........................23
4.3.3 CH2 - charge-card-response..........................24
4.4 Merchant Credit Card Purchasing Messages..............25
4.4.1 CM1 - auth-only.....................................26
4.4.2 CM2 - auth-capture..................................28
3.4.3 CM3 - post-auth-capture.............................28
4.4.4 CM4 - void..........................................30
4.4.5 CM5 - return........................................32
4.4.6 CM6 - charge-action-response........................32
4.4.7 The MM* Message Series..............................34
4.4.8 CD1 - card-data-request.............................35
4.4.9 CD2 - card-data-response............................37
Eastlake, et al Informational [Page 2]
RFC 1898 CyberCash Version 0.8 February 1996
4.5 Utility and Error Messges.............................38
4.5.1 P1 - ping...........................................39
4.5.2 P2 - ping-response..................................39
4.5.3 TQ1 - transaction-query.............................40
4.5.4 TQ2 - transaction-cancel............................41
4.5.5 TQ3 - transaction-response..........................42
4.5.6 UNK1 - unknown-error................................44
4.5.7 DL1 - diagnostic-log................................46
4.5.8 DL2 - merchant-diagnostic-log.......................47
4.6 Table of Messages Described...........................48
5. Future Development.....................................49
5.1 The Credit Card Authorization/Clearance Process.......49
5.2 Lessons Learned.......................................50
6. Security Considerations................................51
References................................................51
Authors' Addresses........................................52
1. Overall System
CyberCash, Inc. of Reston, Virginia was founded in August of 1994 to
partner with financial institutions and providers of goods and
services to deliver a safe, convenient and inexpensive system for
making payments on the Internet. The CyberCash approach is based on
establishing a trusted link between the new world of cyberspace and
the traditional banking world. CyberCash serves as a conduit through
which payments can be transported quickly, easily and safely between
buyers, sellers and their banks. Significantly - much as it is the
real world of commerce - the buyer and seller need not have any prior
existing relationship.
As a neutral third party whose sole concern is ensuring the delivery
of payments from one party to another, CyberCash is the linchpin in
delivering spontaneous consumer electronic commerce on the Internet.
1.1 System Overview
The CyberCash system will provide several separate payment services
on the Internet including credit card and electronic cash. To gain
access to CyberCash services, consumers need only a personal computer
with a network connection. Similarly, merchants and banks need make
only minimal changes to their current operating procedures in order
to process CyberCash transactions, enabling them to more quickly
integrate safe on-line payments into their existing service
offerings. Communications with banks are over existing financial
communications networks.
Eastlake, et al Informational [Page 3]
RFC 1898 CyberCash Version 0.8 February 1996
To get started, consumers download free software from CyberCash on
the Internet. This software establishes the electronic link between
consumers, merchants and their banks as well as between individuals.
To make gaining access to the CyberCash system even easier, CyberCash
"PAY" buttons may be incorporated into popular on-line service and
software graphical user interfaces so that consumers using these
products can easily enter the CyberCash system when they are ready to
make payments for goods and services. Consumers need not have any
prior relationship with CyberCash to use the CyberCash system. They
can easily set up their CyberCash persona on-line.
Transactions are automated in that once the consumer enters
appropriate information into his own computer, no manual steps are
required to process authorization or clearance transactions through
the entire system. The consumer need only initiate payment for each
transaction by exercising the pay option on an electronic form.
Transactions are safe in that they are cryptographicly protected from
tampering and modification by eavesdroppers. And they are private in
that information about the consumer not relevant to the transaction
is not visible to the merchant.
+------------+ +------------+
| | | |
| Internet | | Internet |
| customer +------------+ merchant +
| | | / |
+------------+ +------------+
/
/
+------------|-+
| CyberCash | |
| server | |
+-----+------|-+
| |
| |
+--------------+------|---------+
| +--------+ +--+-------+ |
| | card +-------+ / charge | |
| | issuer | | acquirer | |
| +--------+ +----------+ |
| |
| The Banking System |
+-------------------------------+
SYSTEM OVERVIEW
Eastlake, et al Informational [Page 4]
RFC 1898 CyberCash Version 0.8 February 1996
1.2 Security Approach
The CyberCash system pays special attention to security issues. It
uses encryption technology from the world's leading sources of
security technology and is committed over time to employing new
security technologies as they emerge.
1.2.1 Authentication and Persona Identity
Authentication of messages is based on Public Key encryption as
developed by RSA. The CyberCash Server maintains records of the
public key associated with every customer and merchant persona. It
is thus able to authenticate any information digitally signed by a
customer or merchant regardless of the path the data followed on its
way to the server. The corresponding private key, which is needed to
create such digital signatures, will be held by the customer or
merchant and never revealed to other parties. In customer software,
the private key is only stored in an encrypted form protected by a
passphrase.
While the true CyberCash identity of a customer or merchant is
recognized by their public/private key pair, such keys are too
cumbersome (over 100 hex digits) to be remembered or typed by people.
So, the user interface utilizes short alphanumeric ID's selected by
the user or merchant for purposes of specifying a persona. CyberCash
adds check digits to the requested ID to minimize the chance of
accidental wrong persona selection. Persona IDUs are essentially
public information. Possession of an persona ID without the
corresponding private key is of no benefit in the current system.
Individuals or organizations may establish one or more CyberCash
customer personas directly with CyberCash. Thus, an individual may
have several unrelated CyberCash personas or share a CyberCash
persona with other individuals. This approach provides a degree of
privacy consistent with Internet presence generally and with cash
transactions specifically. However, persona holders who wish to use
a credit card for purchases in conjunction with their CyberCash
persona must first meet such on-line identification criteria as the
card issuing organization requires.
Control over a CyberCash persona is normally available only to an
entity that possesses the private key for that persona. However, a
special provision is made to associate an emergency close out
passphrase with a CyberCash persona. On receipt of the emergency
close out passphrase, even if received over insecure channels such as
a telephone call or ordinary email, CyberCash will suspend activity
for the CyberCash persona. This emergency close-out passphrase can
be stored separately from and with somewhat less security than the
Eastlake, et al Informational [Page 5]
RFC 1898 CyberCash Version 0.8 February 1996
private key for the persona since the emergency passphrase can not be
used to divert funds to others. This provides some protection against
loss or misappropriation of the private key or the passphrase under
which the private key in kept encrypted. In the cash system, the
emergency close-out passpharase may also transfer the persona balance
to a designated bank account.
1.2.2 Privacy
Encryption of messages use the Digital Encryption Standard (DES),
commonly used in electronic payment systems today. It is planned to
superencrypt (i.e., encrypted more than one level) particularly
sensitive information, such as PIN numbers, and handle them so that
the plain text readable version never exists in the CyberCash system
except momentarily, within special purpose secure cryptographic
hardware that is part of the server, before being re-encrypted under
another key.
The processing of card charges through the CyberCash system is
organized so that the merchant never learns the customerUs credit
card number unless the merchantUs bank chooses to release this
information to the merchant or it is required for dispute resolution.
In addition, the server maintains no permanent storage of card
numbers. They are only present while a transaction involving that
card is in progress. These practices greatly reduce the chance of
card number misappropriation.
1.3 Credit Card Operation
Using the CyberCash system for credit card transactions, once price
has been negotiated and the consumer is ready to purchase, the
consumer simply clicks on the CyberCash "PAY" button displayed on the
merchant interface, which invokes the merchant CyberCash software.
The merchant sends the consumer an on-line invoice that includes
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?