Description of the User Authorization core #6

@cyberphone

Sent back to the Merchant from the "Wallet":

{
    "@context": "http://webpki.org/saturn/v3",
    "@qualifier": "PayerAuthorization",
    "providerAuthorityUrl": "https://mobilepki.org/webpay-payerbank/authority",
    "paymentMethod": "https://bankdirect.net",
    "encryptedAuthorization": {
        "algorithm": "A128CBC-HS256",
        "keyEncryption": {
            "algorithm": "ECDH-ES",
            "publicKey": {
                "kty": "EC",
                "crv": "P-256",
                "x": "TfCrhFwZRU_ea7lUWwRi3HkuyT2yF9IxN5xKh2khjlk",
                "y": "nZFwxLP0TvFXD2xPKzRTIGevgLjpiMw2BP86hszj5x4"
            },
            "ephemeralKey": {
                "kty": "EC",
                "crv": "P-256",
                "x": "aULMwrQGXfabPsySp8scwSba5bLS_JTA-OFi-DEiP6A",
                "y": "8dvGM_q9ZbEuW0FbfQrMCwdBDzLPXCJtmr_lam8qMPM"
            }
        },
        "iv": "XhGBuprfq9w0SUvf-JnQVA",
        "tag": "A1-d1R-9y3IghfJus3Klcw",
        "cipherText": "qBzSqs3fLFI5uzsi  ....  R7Gpn9kXqTKu"
    }
}

Explanation:

  • The @context and @qualifier properties uniquely identify the object type (there are many different object types in Saturn)
  • The providerAuthorityUrl replaces IIN/BIN numbers by pointing directly to the issuing bank (actually to an Authority Object holding vital information for the rest of the process)
  • The publicKey used for the Diffie-Hellman operation comes from the payment credential stored on the client-side and is for privacy reasons shared by all the Issuer's clients
  • The ephemeralKey used for the Diffie-Hellman operation is created by the payment app ("Wallet") for each request
  • The cipherText property contains the encrypted User Authorization, which can only be deciphered by the Issuer

This End-2-End Secured scheme uses JOSE algorithms but in a somewhat "nicer" container coined JEF (JSON Encryption Format). The User Authorization (hidden inside of cipherText) is signed by a client-side payment key which is also known only by the issuer. That is, the issuer must first decrypt and then verify.

The User Authorization itself consists of:

  • Hash of the Merchant's (signed) Payment Request
  • Payment method
  • Account identifier (IBAN, Card number, etc.)
  • Time stamp
  • Miscellaneous data
  • User signature

To effectuate a transaction, the issuer needs both the User Authorization and the associated Payment Request. In Saturn these are put in a Merchant-signed "container document", together with other data required for Merchant verification and payment processing.

A "visual" description is also available at: https://cyberphone.github.io/doc/saturn/saturn-authorization.pdf
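
An added example, not part of the original issue or the Saturn code base: a receiver-side structural check of a PayerAuthorization object before any Diffie-Hellman operation is attempted. Because the issuer's publicKey is long-lived and shared by all clients while the ephemeralKey is supplied per request, the check confirms that both points lie on P-256, in addition to the type, algorithm, iv and tag fields. The function names are hypothetical, and the 16-byte iv and tag lengths are assumed from A128CBC-HS256.

```python
import base64

# NIST P-256 domain parameters (public constants); the curve uses a = -3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

def b64u(text):
    """Decode unpadded base64url, as used for x, y, iv and tag."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_p256_point(jwk):
    """Return None if jwk is a valid P-256 point, else a reason string."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        return "not an EC P-256 key"
    try:
        raw_x, raw_y = b64u(jwk["x"]), b64u(jwk["y"])
    except (KeyError, TypeError, ValueError):
        return "missing or malformed coordinate"
    if len(raw_x) != 32 or len(raw_y) != 32:
        return "coordinate is not 32 bytes"
    x, y = int.from_bytes(raw_x, "big"), int.from_bytes(raw_y, "big")
    if x >= P or y >= P:
        return "coordinate out of field range"
    # Curve equation y^2 = x^3 - 3x + b (mod p); rejects invalid-curve points.
    if (y * y - (x * x * x - 3 * x + B)) % P != 0:
        return "point is not on P-256"
    return None

def check_payer_authorization(msg):
    """Collect structural problems in a PayerAuthorization before any ECDH."""
    enc = msg.get("encryptedAuthorization", {})
    key_enc = enc.get("keyEncryption", {})
    expected = [(msg, "@context", "http://webpki.org/saturn/v3"),
                (msg, "@qualifier", "PayerAuthorization"),
                (enc, "algorithm", "A128CBC-HS256"),
                (key_enc, "algorithm", "ECDH-ES")]
    problems = [f"unexpected {k}: {o.get(k)!r}" for o, k, v in expected if o.get(k) != v]
    for name in ("publicKey", "ephemeralKey"):
        reason = check_p256_point(key_enc.get(name, {}))
        if reason:
            problems.append(f"{name}: {reason}")
    for name in ("iv", "tag"):  # assumed 16 bytes each for A128CBC-HS256
        try:
            if len(b64u(enc.get(name, ""))) != 16:
                problems.append(f"{name}: expected 16 bytes")
        except (TypeError, ValueError):
            problems.append(f"{name}: malformed base64url")
    return problems
```

An empty list means the object is structurally acceptable; decryption and the signature verification described above still have to succeed afterwards.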
