
Information Security (Fall 2011)

Electronic Payment Schemes

Prof.dr. Ferucio Laurenţiu Ţiplea

“Al. I. Cuza” University of Iaşi

Department of Computer Science

Iasi 740083, Romania

E-mail: [email protected]

URL: http://www.infoiasi.ro/~fltiplea

F.L. Ţiplea / Information Security / Fall 2011 / Lecture Notes: Electronic Payment Schemes


Contents

1. Introduction

2. Requirements for e-payment schemes

3. Schemes based on hash chains

4. Schemes based on tamper-resistant devices

See http://ntrg.cs.tcd.ie/mepeirce/Project/oninternet.html for a collection of links and pointers to existing payment schemes that were designed for, or are in use on, the Internet.


1. Introduction

Electronic payment (e-payment) schemes are necessary ingredients of electronic transactions over the Internet.

Parties involved in e-payment schemes:

Users (customers);

Vendors;

Brokers. A broker authorizes users to make payments to vendors, and redeems the payments collected by the vendors.

[Figure: the parties User U, Vendor V, U’s Bank and V’s Bank.]

The user-vendor relationship is transient, while the user-broker and vendor-broker relationships are long-term.


Classification criteria for payment schemes:

electronic purse/cash/money-transfer;

on-line/off-line;

credit-based/debit-based;

software-based/tamper-resistant hardware;

anonymous/non-anonymous;

coin-based;

macro-payment/micro-payment.


Electronic purse:

Example of electronic purse: card that can be loaded for later use. With such a purse, the user pays the vendor directly.

Electronic cash / money-transfer:

[Figure: Electronic Cash. Parties: User U, Vendor V, U’s Bank, V’s Bank. Labelled steps: 1. withdrawal; 2. payment; receipt or goods; 3. deposit; 4. clearing.]

[Figure: Money-transfer. Parties: User U, Vendor V, U’s Bank, V’s Bank. Labelled steps: 1. transfer order; 2. transfer; 3. notification; receipt or goods.]


On-line versus off-line:

in on-line systems, the vendor needs a guarantee from the user’s bank (about the payment);

on-line payment is not always possible: e.g., in buses;

off-line systems have some advantages such as lower communication costs and less time-critical transaction handling at the banks;

main problem with off-line systems: double-spending.


Credit-based versus debit-based:

[Figure: Credit-based. Parties: User U, Vendor V, U’s Bank, V’s Bank. Labelled steps: 1. payment; receipt or goods; 2. deposit; 3. clearing; 4. notification.]

[Figure: Debit-based. Parties: User U, Vendor V, U’s Bank, V’s Bank. Labelled steps: 1. debit order; 2. transfer; 3. notification; 4. protest; receipt or goods.]


Macro-payment versus micro-payment:

macro-payment schemes

are appropriate for medium to large transactions;

make use of public-key cryptography;

are expensive and time consuming when applied to inexpensive transactions;

Example: SET (Secure Electronic Transaction) produced by Visa and MasterCard to be their standard;

micro-payment schemes

are appropriate for small transactions;

try to avoid public-key cryptography partially or entirely;

Example: Millicent, NetBill, NetCard, Pedersen’s scheme, PayWord, MicroMint, iKP etc.


General e-payment scenario:

[Figure: general e-payment scenario among Browser (Customer), Shopping Mall Web Site, Merchant System Web Site and Banking System. Labelled steps: 1. Select a store; 2. Link to merchant server; 3. Show home page; 4. Select good and make payment; 5. Obtain payment authorization; 6. Confirm payment; 7. Update customer’s account.]


2. Requirements for e-payment schemes

In general, e-payment schemes should assure:

security against fraud, e.g.

integrity (nobody wants to lose money);

availability;

privacy (confidentiality):

confidentiality of payment data against outsiders;

anonymity.


3. Schemes based on hash chains

Many micro-payment schemes are based on hash chains, e.g., NetCard, Pedersen’s scheme, iKP, PayWord. The mechanism was originally proposed in an authentication scheme by Lamport:

L. Lamport. Password Authentication with Insecure Communication, Communications of the ACM, 24(11), 1981, 770–771.

A hash chain is a sequence

$$c_0 = h(c_1),\ c_1 = h(c_2),\ \ldots,\ c_{n-1} = h(c_n),\ c_n,$$

where $n \geq 1$, $c_n$ is an arbitrary value chosen at random, and $h$ is a hash function.

$c_0$ is called the root of the chain, and each $c_i$ is called a payword.


Why hash chains and not digital signatures? It is because, as a rough guide,

hash functions are about 100 times faster than RSA signature verification;

hash functions are about 10,000 times faster than RSA signature generation.

To support micro-payment, exceptional efficiency is required, otherwise the cost of the mechanism will exceed the value of the payments.


A hash chain scheme has two main steps. We will exemplify them by considering the PayWord scheme (Rivest and Shamir, 1996):

Issuing user certificate

the user $U$ requests from $B$ an account and a certificate. To get these, $U$ provides personal data to $B$ (over a secure authenticated channel) such as credit card number, public-key, delivery address etc.;

$B$ issues to $U$ a certificate $C(U)$, which is a signed statement

$$C(U) = (B, U, IP_U, K_U^e, Exp, Info, \mathrm{sig}_B(B, U, IP_U, K_U^e, Exp, Info)),$$

where $IP_U$ is $U$’s delivery address, $Exp$ is the expiration date, and $Info$ is a collection of other data (postal address etc.).

The user’s certificate has to be renewed by the broker regularly;


Protocol description

If $U$ wants to make a micro-payment to a vendor $V$ during some day, then:

$U$ chooses at random a number $c_n$ and computes the hash chain

$$c_0, c_1, \ldots, c_n,$$

by a public hash function $h$;

$$U \to V: \quad Commit(U) = (V, C(U), c_0, D, Info, \mathrm{sig}_U(V, C(U), c_0, D, Info)),$$

where $D$ is the current date and $Info$ is any additional information. This commitment authorizes $B$ to pay $V$ any of the paywords $c_i$ that $V$ redeems with $B$ before date $D$;

$V$ verifies $U$’s information (signature, certificate etc.);


If $U$ makes the $i$th payment to $V$ during the same day, then:

$U$ sends to $V$ the pair $(c_i, i)$;

$V$ checks the payment by computing $h(c_i)$. If it is $c_{i-1}$, then $V$ accepts the payment, otherwise $V$ rejects it;

At the end of the day (or other suitable period), $V$ reports to the broker (bank) the last payment $(c_l, l)$ received from the user that day (time period), together with the corresponding commitment.

The payment is not signed by $U$ because it is self-authenticated by the commitment.
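The chain construction and the vendor's check described above, as an added example that is not part of the lecture notes. It goes slightly beyond the text: the vendor also accepts a payword that skips ahead several positions (hashing it back to the last accepted one), and the broker's redemption check is shown. SHA-256 as $h$, the class and function names, and the assumption that $V$ knows the chain length $n$ are choices made for this example; signature and certificate checks are omitted.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

def h(x: bytes) -> bytes:
    # SHA-256 stands in for the public hash function h (assumption).
    return hashlib.sha256(x).digest()

def make_chain(n: int, c_n: Optional[bytes] = None) -> List[bytes]:
    """User side: return [c_0, ..., c_n] with c_{i-1} = h(c_i)."""
    if n < 1:
        raise ValueError("n must be at least 1")
    c = c_n if c_n is not None else secrets.token_bytes(32)  # random c_n
    chain = [c]
    for _ in range(n):
        c = h(c)
        chain.append(c)
    chain.reverse()  # chain[i] is c_i; chain[0] is the root c_0
    return chain

def hash_back(word: bytes, steps: int) -> bytes:
    """Apply h `steps` times, walking from c_i towards the root."""
    for _ in range(steps):
        word = h(word)
    return word

class Vendor:
    """Vendor state for one commitment whose signatures were already verified."""

    def __init__(self, c_0: bytes, n: int):
        # n (chain length) is assumed known to V; it bounds the hashing work.
        self.word, self.index, self.n = c_0, 0, n

    def accept(self, c_i: bytes, i: int) -> bool:
        # i must move forward (no replay of a spent payword) and stay in range.
        if not self.index < i <= self.n:
            return False
        # For i = index + 1 this is exactly the check h(c_i) == c_{i-1}.
        if not hmac.compare_digest(hash_back(c_i, i - self.index), self.word):
            return False
        self.word, self.index = c_i, i
        return True

    def report(self) -> Tuple[bytes, int]:
        return self.word, self.index  # (c_l, l) sent to the broker

def broker_redeem(c_0: bytes, c_l: bytes, l: int, n: int) -> int:
    """Broker side: number of paywords to pay V for, 0 if the claim is invalid."""
    if not 0 < l <= n:
        return 0
    return l if hmac.compare_digest(hash_back(c_l, l), c_0) else 0
```

The vendor keeps only the last accepted pair, which is also all it has to report to the broker.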


PayWord embraces the following features:

it is a credit-based scheme;

it is off-line;

it is based on hash chains;

it is not intended to provide user anonymity (the inclusion of the delivery address in the certificate destroys $U$’s anonymity).

Efficiency:

just two signature computations (one of them is off-line and the other is on-line);

it is very efficient when a user makes repeated requests from the same vendor (e.g., pay-per-view movies, where the user can pay a small amount of money for each minute of viewing time).


PayWord Variations and Extensions:

$h(\cdot)$ can be replaced by $h_s(\cdot)$, where $s$ is a salt (random value) specified in the commitment. Salting may enable the use of hash functions with a shorter output length;

the value of each payword might be fixed at a certain value, or might be specified in $C(U)$ or in the commitment;

the commitment might authenticate several chains whose paywords have different values;

paywords could be sold on a debit basis (rather than a credit basis), but only if the user interacts with the broker to produce each commitment;

the broker may specify in user certificates other terms and conditions to limit his risk (may limit the amount that $U$ can spend per day etc.).


4. Schemes based on tamper-resistant devices

A package or container is tamper-resistant if it is made so that you can see if someone has opened it before it is sold in stores.

Examples of tamper-resistant devices:

screws with special heads (we do not need them in cryptography);

smart cards;

most stores in the world have such a device for bank card payment or cashier machines.

Tamper-resistant devices are distributed by the broker (or a bank consortium) to vendors and they are trusted by the broker.


We will discuss the Small Value Payment (SVP) scheme based on tamper-resistant devices:

J. Stern, S. Vaudenay. SVP: A Flexible Micropayment Scheme, Financial Cryptography 1997, 161–171.

It is assumed that communication both between the broker and the vendor’s device and between the broker and the customer is secure (this can be achieved with strong cryptographic schemes such as digital signatures and encryption algorithms).


Distributing tamper-resistant devices: assume that the vendor has been given a tamper-resistant device for validating micro-payments. The device has the following characteristics:

it has a (small) internal permanent memory and a (larger) external memory (which does not need to be physically secure);

the internal memory has two registers, $\sigma_B^c$ and $\sigma_B^d$, which hold the global credit and debit sums of all transactions to be cleared by the broker $B$. The internal memory also contains some information about previously aborted or failed transactions;

the external memory contains (many) blocks of information, called tokens, each token being associated with exactly one customer.

A customer may have more than one token associated; think of a token as being identified by a credit card issued by some bank.


Token generation: tokens are generated by brokers and distributed to customers in order to allow them to pay:

each token $T$ has two registers $m_T^c$ and $m_T^d$. Each $m_T^i$ has the form

$$m_T^i = (date, Id_T, \sigma_T^i, MAC_{K_B}(date, Id_T, \sigma_T^i)),$$

where $date$ is the date when the register has been updated, $K_B$ is the broker $B$’s key, $\sigma_T^i$ is the credit/debit sum for $T$, and $Id_T$ is a bitstring of the form:

$$Id_T = token\_number \,\|\, expiration\_date \,\|\, B$$

(“$\|$” means concatenation).

$K_B$ is communicated securely to the device of each vendor.


the broker computes a spending key $K_T$ for each token $T$ by

$$K_T = MAC_{K_B}(t, Id_T),$$

where $t$ is a fixed bitstring (used to avoid bad interactions between several MAC computations with different types).

By doing this, the broker authorizes the customer with token $T$ to spend a given amount of money with the key $K_T$.

The broker-customer relation is trust-based, so the control of the amount spent is left to the customer. The broker periodically monitors the customers and keeps a list of dishonest customers.


SVP protocol – payment: customer $C$ wants to spend an amount $a$ at a vendor $V$:

$C \to V: \quad Id_T, t, r_C$, where $r_C$ is generated at random;

$V \to C: \quad Id_D, r_V$, where $r_V$ is generated at random;

$C \to V: \quad p = MAC'_{K_T}(purchase, Id_T, Id_D, a, r_C, r_V)$;

$V$ checks if $p = MAC'_{MAC_{K_B}(t, Id_T)}(purchase, Id_T, Id_D, a, r_C, r_V)$.

$V$ accepts if the test succeeds (in fact, these operations are performed by the vendor’s device);

if the test above succeeds, then $\sigma_B^c$ is increased by $a$ and $m_T^c$ is updated (date is updated, $\sigma_T^c$ is increased by $a$, and the MAC-code is recomputed).
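The payment exchange above from the device's side, as an added example that is not part of the lecture notes or of the SVP paper. HMAC-SHA256 stands in for both $MAC$ and $MAC'$, the `Device` class, the length-prefixed field encoding, the value of $t$ and the single-use handling of $r_V$ are assumptions of this example. It shows the device rederiving $K_T$ from $K_B$, binding $Id_D$ and both random values into $p$, and checking the MAC on the token register before trusting the external memory.

```python
import hashlib
import hmac
import secrets

T = b"spend"  # the fixed bitstring t (constructed value)

def mac(key: bytes, *fields: bytes) -> bytes:
    # HMAC-SHA256 stands in for MAC and MAC' (assumption). Fields are
    # length-prefixed so two different tuples never encode to the same bytes.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def spending_key(k_b: bytes, id_t: bytes) -> bytes:
    return mac(k_b, T, id_t)                      # K_T = MAC_{K_B}(t, Id_T)

def payment_code(k_t, id_t, id_d, a, r_c, r_v) -> bytes:
    # p = MAC'_{K_T}(purchase, Id_T, Id_D, a, r_C, r_V), computed by the customer
    return mac(k_t, b"purchase", id_t, id_d, str(a).encode(), r_c, r_v)

class Device:
    """Vendor's tamper-resistant device (hypothetical class for illustration)."""

    def __init__(self, id_d: bytes, k_b: bytes):
        self.id_d, self._k_b = id_d, k_b
        self.sigma_c_B = 0      # internal register: global credit sum
        self.external = {}      # untrusted memory: Id_T -> (date, sigma_c_T, tag)
        self._r_v = None

    def challenge(self):
        self._r_v = secrets.token_bytes(16)       # fresh r_V per transaction
        return self.id_d, self._r_v

    def _load(self, id_t: bytes) -> int:
        if id_t not in self.external:
            return 0
        date, sigma, tag = self.external[id_t]
        good = mac(self._k_b, date, id_t, str(sigma).encode())
        if not hmac.compare_digest(tag, good):
            raise ValueError("token register modified in external memory")
        return sigma

    def pay(self, id_t, a, r_c, p, date: bytes) -> bool:
        r_v, self._r_v = self._r_v, None          # r_V is single-use
        if r_v is None or a <= 0:
            return False
        k_t = spending_key(self._k_b, id_t)       # device rederives K_T
        expected = payment_code(k_t, id_t, self.id_d, a, r_c, r_v)
        if not hmac.compare_digest(p, expected):
            return False
        sigma = self._load(id_t) + a              # sigma_T^c increased by a
        tag = mac(self._k_b, date, id_t, str(sigma).encode())
        self.external[id_t] = (date, sigma, tag)  # m_T^c with recomputed MAC
        self.sigma_c_B += a                       # sigma_B^c increased by a
        return True
```

Because $Id_D$ is inside the MAC, a code $p$ produced for one device fails verification on any other device, even if the random values were the same.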


SVP protocol – cancellation: vendor $V$ cancels a transaction performed by the customer:

$V$ may cancel a transaction performed by the customer by using a cancellation key;

in such a case, $\sigma_B^d$ and $\sigma_T^d$ are increased by $a$.


SVP protocol – payment clearing:

the vendor, through his device, regularly sends the broker the amount spent by his customers;

the broker checks the consistency of the registers;

the broker pays the vendor $\sigma_B^c - \sigma_B^d$;

the broker also keeps a register $\sigma_T$ for each token and increases it by $\sigma_T^c - \sigma_T^d$. $\sigma_T$ is the money spent by the token $T$;

if the token $T$ overspent, the corresponding customer will be contacted for explanations.


Possible attacks:

1. Attack: get $K_B$ from $K_T = MAC_{K_B}(t, Id_T)$.

Defend: choose a “safe” $MAC$ function;

2. Attack: try to spend money on another customer’s account $T$ without any knowledge of $K_T$.

Defend: choose a “safe” $MAC'$ function and make sure that $K_T$ is long enough;

3. Attack: try to overspend the key (dishonest customer).

Defend: this will be detected by the clearing protocol;


4. Attack: try to get paid for a fake transaction (dishonest vendor).

Defend: detected by the tamper-resistant device (if it has permanent memory);

5. Attack: re-route the communication between $C$ and $V$ to another vendor $V'$ so that you can benefit from the service of $V'$ by making $C$ pay for it.

Defend: avoided by the use of the device identifier $Id_D$ in the answer $p$.
