Page 92 - Intelligent Communication Systems
CHAPTER 7/NEWLY DEVELOPED TELECOMMUNICATION SERVICES 75
7.9.1 Secure Sockets Layer
First, a customer accesses a server in which a Secure Sockets Layer is installed.
Next, the server sends the customer a certificate and a digital signature, issued by
a certificating authority, where the digital signature is added to the certificate by
using a hash function and the private key of the certificating authority. Then the
customer decrypts the digital signature into message digest 1 using the public key
of the certificating authority. At the same time, he or she creates message digest 2
from the certificate using a hash function. If message digest 1 and message digest 2
are the same, then the customer's browser can get the public key of the server that
is authenticated by the certificating authority. The public key of the certificating
authority is installed in the Web server. The Web browser that gets the public key
of the Web server generates a session key by using parameters such as time.
The session key is used by the customer and the merchant. The customer
encrypts the session key by means of the public key of the Web server and sends it
to the server. When the server receives the scrambled session key, it decrypts it by
means of its private key. After this interaction between client and server, both the
customer and the server share the session key. Using the key, they exchange
information securely. For example, the customer encrypts the purchase order by means
of the session key and sends it to the server. The server decrypts it by means of the
session key and gets the original purchase order. Then the server sends a response
to the customer, encrypting it by means of the session key. Then the customer
decrypts the scrambled response via the session key and gets the original response.
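The exchange described above, carried through as an added example that is not from the book: the certificate check (message digest 1 against message digest 2), the session key wrapped with the server's public key, and the purchase order sent under the session key. It uses textbook RSA with constructed toy keys, a toy XOR stream cipher and the hypothetical name `shop.example`, none of which is the real SSL wire format, and it draws the session key from a cryptographic random source rather than from parameters such as time.

```python
import hashlib, json, secrets

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy: no padding)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# Constructed keys built from Mersenne primes; far too structured for real use.
CA = make_key(2**89 - 1, 2**127 - 1)       # certificating authority
SERVER = make_key(2**61 - 1, 2**107 - 1)   # Web server

def digest(data, n):
    """Hash function output as an integer below the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(subject, server_pub):
    """CA side: hash the certificate, then sign the digest with the CA private key."""
    cert = json.dumps({"subject": subject, "n": server_pub["n"],
                       "e": server_pub["e"]}).encode()
    return cert, pow(digest(cert, CA["n"]), CA["d"], CA["n"])

def verify_certificate(cert, signature):
    """Customer side: digest 1 from the signature, digest 2 from the certificate."""
    digest1 = pow(signature, CA["e"], CA["n"])   # "decrypt" with the CA public key
    digest2 = digest(cert, CA["n"])
    if digest1 != digest2:
        return None                              # certificate altered or not CA-signed
    fields = json.loads(cert)
    return {"n": fields["n"], "e": fields["e"]}  # authenticated server public key

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(16, "big") + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def handshake_and_order(order):
    """Run the whole exchange; returns (keys match, order as read by the server)."""
    cert, sig = issue_certificate("shop.example", SERVER)
    pub = verify_certificate(cert, sig)
    session_key = secrets.randbits(128)                  # unpredictable, not time-based
    wrapped = pow(session_key, pub["e"], pub["n"])       # customer -> server
    server_key = pow(wrapped, SERVER["d"], SERVER["n"])  # server uses its private key
    ciphertext = keystream_xor(session_key, order)       # encrypted purchase order
    return server_key == session_key, keystream_xor(server_key, ciphertext)
```

Changing any byte of the certificate makes `verify_certificate` return `None`, which is the point at which the customer's browser should stop before generating a session key.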
7.9.2 Secure Electronic Transaction
The method by which a credit card company mediates between a customer and a
merchant is important, especially when the customer purchases goods from the
merchant over the Internet. It is very important to verify whether the customer and
the merchant are the authorized identities. The card company verifies the
customer's identity by checking the customer's name, occupation, card ID, and
expiration date. Occasionally, the information on a credit card is used illegally, for
example, when somebody steals a credit card or card ID, or when somebody opens
a business on the network and manages it illegally. These kinds of illegal actions
need to be detected and avoided.
In order to manage shopping by credit card securely over the Net, secure
electronic transaction (SET) was invented and developed. It specifies the rules about
credit card handling among the customer, merchant, and card company. Each of
them must get its certificate from a certificating authority before starting the online
purchase. When they start an online purchase, the purchase order, such as the name
and number of the goods, should be seen exclusively by the merchant. The card
information, such as card ID and expiration date, should be seen exclusively by
the card company. To achieve this in SET, digital signatures, certificates, and
encryption/decryption are introduced. How a customer uses SET is described next,
followed by a description of how a merchant and a card company use it.