1 / 49

Adrian Rusu

Adrian Rusu. CSE 712 Electronic Commerce. Electronic Cash. 1. Introduction - which are the goals for electronic cash ? 2. Research Issues and Techniques in Electronic Cash. 1. Introduction. 1.1. Traditional Cash Payments 1.2. Payments by Instruction 1.3. Electronic Cash Properties.

joella
Download Presentation

Adrian Rusu

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Adrian Rusu CSE 712Electronic Commerce

  2. Electronic Cash 1. Introduction - which are the goals for electronic cash ? 2. Research Issues and Techniques in Electronic Cash

  3. 1. Introduction 1.1. Traditional Cash Payments 1.2. Payments by Instruction 1.3. Electronic Cash Properties

  4. 1.1. Traditional Cash Payments Advantages : • can be used spontaneously and instantaneously, to make payments • from person to personwithout the involvement of a bank • it is the preferred method for low and medium-value purchases • offer privacy 1

  5. 1.1. Traditional Cash Payments Cont. Disadvantages : • transporting cash from one place to another • protecting cash transport and storage • replacing worn out coins and bank notes • cash comes in fixed denominations • cash is the preferred method of payment for money laundering, bribery, • and extortion • cash can be passed on many times without the need for settlement by a bank • the inherent requirement for physical proximity of payer and payee 2 3 4 5 6

  6. 1.2. Payments by Instruction 7 • instead of value itself, the payer transfers to the payee an instruction, • directing the payee's bank to transfer a specified amount • after reception of the transferred instruction from the payee's bank, • the payer's bank moves the value from source to destination account, • both of which are specified by the payment instruction

  7. 1.2. Payments by Instruction Cont. Advantages : • because the actual value resides at all times within the banks, • the risks of theft and loss are largely overcome • checks can be mailed by post, and credit cards can be used • over the phone or Internet

  8. 1.2. Payments by Instruction Cont. Disadvantages : I. The problem of ensuring authenticity : • handwritten signatures are easily forged and magnetic strips copied • PINs can be learned through fake point-of-sale terminals • specified amounts can sometimes be modified by the payee Solution : • upgrade to cryptographic authentication methods in combination • with chip cards 8

  9. 1.2. Payments by Instruction Cont. Disadvantages : II. The problem of on-line verification of debit and credit card payments : 9 • a system that requires on-line payment verification can suffer from • a network breakdown and overload • only guaranteed checks can be verified off-line and without special • equipment, but these do not allow instantaneous payment, and are • time-consuming to obtain, verify, process, and redeem

  10. 1.2. Payments by Instruction Cont. Disadvantages : III. The problem of tracing the payments : • all payments are effortlessly traceable by the bank that performs • the actual transfer of value, from source to destination account • this enables intrusive profiling of spending behavior - leads to • junk mail or worse, in wrong hands this data is a valuable tool • for victimizing people 10

  11. 1.3. Electronic Cash Properties 11 • should have high acceptability • should be cost-effective for low-value purchases • should be suitable for payment from person to person • it should be possible to verify payments off-line • should offer storage and transportation convenience, while • protect users against loss, theft, and accidental destruction • physical proximity of payer and payee should not be needed, so that • electronic cash payments can be made over the phone or the Internet 12 13

  12. 1.3. Electronic Cash Properties Cont. Three forms of privacy of payment : I. Confidentiality 14 • can be achieved by encrypting all sensitive data II. The ability to hide who is transacting with who, how many times, and so on • in case of Internet, this can be revealed by traffic analysis III. Untraceability 15 16

  13. 2. Electronic Cash Techniques 2.1. Modeling Electronic Cash 2.2. Authentication Techniques 2.2.1. Conventional Dynamic Authentication 2.2.2. Dynamic Authentication Based on Public-Key Cryptography 2.3. Representing Electronic Cash 2.4. Transferring Electronic Cash 2.4.1. Transferring Register-Based Cash 2.4.2. Transferring Electronic Coins 2.5. Compromised Tamper-Resistance 2.5.1. Fraud Detection 2.5.2. Fraud Tracing 2.5.3. Fraud Liability 2.5.4. Fraud Containment 2.6. Security for Account Holders 2.6.1. Preventing Loss 2.6.2. Preventing Payment Redirection 2.6.3. Nonrepudiation

  14. 2.1. Modeling Electronic Cash Withdrawal protocol : asks for electronic cash Computing device Computing device prepaid electronic cash bank - creates a special account “float account” participant 17

  15. 2.1. Modeling Electronic Cash Cont. Payment protocol : sends for electronic cash Computing device Computing device payee payer Note : Payer and payee must share the same bank.

  16. 2.1. Modeling Electronic Cash Cont. Deposit protocol : sells electronic cash Computing device Computing device bank participant 18 Note : At least part of the paying device must be tamper-resistant in order to prevent double-spending of electronic cash. 19

  17. 2.2. Authentication Techniques • receiving devices must be able to distinguish paying devices from • attackers who try to pass for paying devices • to prove their authenticity, paying devices need to be equipped by • the bank with a secret key • receiving devices must be able to recognize whether they are • communicating with a device holding a secret key installed by • the bank 20

  18. 2.2. Authentication Techniques Cont. • static authentication 21 • dynamic authentication • instead of revealing the key, it suffices to prove knowledge • of the key, by performing certain computations, without • revealing it • different computations must be performed each time challenge-response protocols 22

  19. 2.2.1. Conventional Dynamic Authentication Knows the secret key of the paying device, therefore must be tamper-resistant MAC (message authentication code) : usually chosen randomly Sends a message Paying device (the challenge) Receiving device Applies secret key to the challenge and sends result Applies secret key to message and verifies for equality • it's called symmetric authentication • the particular manner in which the secret keys are installed is of • great importance to the system security

  20. 2.2.1. Conventional Dynamic Authentication Cont. Three approaches : I. The System-Wide Secret Key • paying and receiving devices all hold the same random secret key, • generated and installed by the bank • major drawback : an attacker needs to be able to extract the secret • key of any device in order to pass for any paying device

  21. 2.2.1. Conventional Dynamic Authentication Cont. II. Diversified keys • each paying device holds a unique secret key • each receiving device must be able to recognize the secret keys • of all paying devices • the secret key of a paying device is computed as a one-way function • of the master key and a unique ID number of the paying device, and is • called a diversified key • advantage : if a secret key of a paying device has been extracted by • an attacker, and used fraudulently, once the fraud is detected the • compromised device can be traced and subsequently blacklisted • weak point : the master key is present in any receiving device, and • extraction enables an attacker to pass for a paying device with an • arbitrary ID number 23

  22. 2.2.1. Conventional Dynamic Authentication Cont. III. Certification of Diversified Keys • the bank stores into each paying device not only an ID number, but • also its own digital signature on that ID number Payment protocol : transfers the combination Receiving device Paying device (ID, digital signature) of paying device, of bank for that particular ID Applies the public key of the bank to establish validity of ID# • advantage over the diversified key method : an attacker who knows • the master key cannot pass for an arbitrary paying device, since he • cannot forge signatures of the bank 24

  23. 2.2.2. Dynamic Authentication Based on Public-Key Cryptography • is called asymmetric authentication • the receiving device verifies the result by applying the • corresponding public key of the paying device • the vulnerability of master key is removed • paying devices should provide their public keys to receiving • devices during payment • receiving devices must be able to verify the validity of public keys

  24. 2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont. Two basic public-key cryptographic techniques : • zero-knowledge authentication 25 • digital signatures

  25. 2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont. Digital signatures : • it is infeasible for active attackers to forge a new (message,signature) pair • drawback : the resistance against cryptanalytic attacks is harder to prove • than for zero-knowledge authentication • advantage : constitutes an unforgeable transcript of a proof of knowledge • of the secret key => receiving devices need not be tamper-resistant at all • many digital signatures are based on number-theoretic primitives • one-way functions built from block-ciphers are of special interest to • electronic cash design because they allow implementation on paying • devices with low-cost microprocessors

  26. 2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont. Lamport signatures : • the public key of a paying device is a set of 2k numbers, for an • appropriate security parameter k, of the following form : • the secret key consists of the 2k preimages sij

  27. 2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont. Matrix-Based Signatures : • it's an improvement in signature storage • the secret key consists of a matrix of r rows by 2c columns • the public key is obtained by fedding the top rows into a one-way • hash function 26

  28. 2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont. Tree Authentication : • it generates the same matrix as in Matrix-Based Signatures method • takes multiple matrix instances as leaves in a tree • each node value in the level just above the leaves is computed by • compressing the top rows of the child matrices • all the other values in the tree are computed by compressing the • child node values • the value of the root node serves as the public key of the paying device • to compute a digital signature on a message, the paying device • uses a matrix in a leaf of the tree that has not been used before 27

  29. 2.3. Representing Electronic Cash Two fundamental ways : I. Register-Based Cash • indicates an amount of electronic cash by means of the value of a • counter, maintained in a chip register • Ex : 100 electronic dollars spendable up to cent granularity would • be represented by a counter value of 10,000. • relies critically on tamper-resistance 28

  30. 2.3. Representing Electronic Cash Cont. II. Electronic Coins • cryptographic tokens that are digitally signed by the bank • to each token at least a fixed denomination and currency are • assigned, and possibly also attributes such as an expiration date • and how many times it may be passed on • must be unforgeable and verifiable solely by using the signature • public key of the bank • in its simplest form, each coin is a different (message,signature) • pair = two-part form for coins • the security relies crucially on the secrecy of the bank's secret • key for signing

  31. 2.3. Representing Electronic Cash Cont. Disadvantages of using electronic coins over register-based cash : • register-based cash has storage space minimal • coin verification requires the ability to verify digital signatures • the complexity of communication and computation for coins • increases with the number of coins needed to form an amount • when coins of appropriate denomination are not at hand, a • payment requires change from the receiving device or a new • withdrawal

  32. 2.4. Transferring Electronic Cash • secure authentication by the paying device is required • the internal cash balance of a paying device should be • decreased before transferring the electronic cash 29

  33. 2.4.1. Transferring Register-Based Cash • paying device and the amount that is transferred must be authenticated • paying device must decrease its register value to reflect the amount • that is transferred • the amount can be encoded into the challenge => the resulting challenge • becomes longer • the receiving device can store the transferred cash either as register-based • cash or in the form of an electronic coin • in case the receiver stores the received amount in the form of a coin, • either the coin may be passed on for a subsequent payment, or it can • only be deposited (electronic check) 30 31

  34. 2.4.2. Transferring Electronic Coins • to issue electronic coins to a paying device of an account holder, the • bank computes digital signatures on distinct messages, sends these • to the device and debits the account of its holder by the total value • of the coins • to make a payment, the paying device first determines whether coins • of appropriate denominations are present. If the amount cannot be • made up, either an excess amount must be formed and the receiving • device must supply change, or first another withdrawal must be performed • before sending out the coins, the paying device erases the coins • from memory • the receiving device decrypts, verifies the coins using the public • key of the bank, and stores them

  35. 2.5. Compromised Tamper-Resistance • stealing the secret key of the bank or discovering an algorithmic • breakthrough (such as how to invert functions that are believed to • be one-way) are two ways in which an attacker may be able to • forge electronic money • in reality, there is no such thing as tamper-proofness • when secrets can be extracted from paying or receiving devices, • nothing distinguishes counterfeit from cash issued by the bank

  36. 2.5.1. Fraud Detection • to keep track of the flow of electronic cash between devices, • transaction transcripts that reveal at least how much cash has • been transferred must regularly be made available to the bank • otherwise fraud cannot be detected in other way than through • the economic side-effect of hyper-inflation • electronic coins and checks have an important advantage over • other methods : the transaction record is tied in with the received • value, into digitally signed message of the paying device, and hence • received coins or checks cannot be deposited without automatically • also revealing the corresponding transaction logs • with electronic coins, the only way for an attacker to make a fraudulent • profit is by double-spending withdrawn coins, and so any forgery of • electronic cash can be detected by the bank by maintaining a list of all • deposited coins and checking at each deposit for double-spending

  37. 2.5.2. Fraud Tracing • with conventional authentication methods, the ability to extract the • master key enables an attacker to perform the authentication for any • paying device, so forgery cannot be traced to a single device • in order to be able to trace devices that have been compromised, the • bank should not deploy system-wide secret keys => we need cash • transfer based on public-key cryptographic authentication • when a coin in the two-part form has been double-spent, it is not • clear whether the attack has been on the paying device or on any of • the receiving devices in the chain of payments with that coin

  38. 2.5.3. Fraud Liability • when counterfeit can be traced to a specific device, it is not • necessarily the case that its holder is a criminal • the bank must require all its account holders to comply with • mechanisms for reporting loss, theft, or hardware defects • the bank should also issue personalized paying devices that • may not be swapped : PIN 32

  39. 2.5.4. Fraud Containment • when forgery of money can be traced to paying devices, the bank • can blacklist these devices • the ability to trace compromised paying devices may suffice to stop • the fraudsters from continuing their fraud • in case tracing of compromised devices is not possible, the bank • can stop further fraud only by revoking its own keys • by refreshing master keys and certification keys an a regular basis, • indicated by expiration dates, containment can be obtained even for • frauds that are difficult to detect 33 34

  40. 2.6. Security for Account Holders Objectives : • the electronic cash held by a device should not disappear in any other • way than by spending it at the approval of its legitimate holder • it should not be possible for an attacker to redirect a payment to a • party other than that intended by the legitimate holder of the device • whenever the behavior of an honest account holder is disputed, the • account holder should be able to substantiate his innocence

  41. 2.6.1. Preventing Loss Various ways for an account holder to loose electronic cash : • the contents of his device may be garbled because of a device crash • or a hardware fault, or his device may get lost or stolen => we need • loss-tolerance measures • a payment transaction can be interrupted with the effect that the • paying device has debited the payable amount while the other device • has not receive it => we need fault-tolerance measures • another party may be able to withdraw from his account at the bank • in case of a receiving device that is not tamper-resistant, an attacker • may have the device accept bogus money by modifying its software

  42. 2.6.1. Preventing Loss Cont. Loss-Tolerance • is of concern of both paying and receiving devices • requires that a destroyed, lost, or stolen amount of electronic cash can be • recovered • in the case of loss or theft the bank must distinguish between a victimized • account holder and one faking loss or theft • co-operation with the bank is needed whenever a paying device or a • receiving device that holds a secret key of the bank crashes • in case a device is reported to have been lost or stolen, the bank should • delay reimbursement, if necessary until the current version of electronic • cash has expired 35 36

  43. 2.6.1. Preventing Loss Cont. Fault-Tolerance • is mainly an implementation issue • to cope with transaction interruption, a device should at all times be • prepared to resend the last message it sent out (of course without • modifying its internal cash representation a second time)

  44. 2.6.1. Preventing Loss Cont. Account Access Control • in order to prevent withdrawal from account by an unauthorized party, • the bank should grant account access only to parties that are properly • authenticated • if a MAC is required, the secret key needed to gain access to an • account is known also to the bank, and fraudulent parties (such as • bank employees) may be able to gain access to the key • by digitally signing crucial parts of the withdrawal request, the • requested amount, and date and time of the request, an account • holder can always disavow an unauthorized withdrawal

  45. 2.6.1. Preventing Loss Cont. Software Integrity • in case the receiving device is not tamper-resistant, the attacker • may change a function pointer so that the software calls a verification • routine that always accepts • an attacker can attempt to substitute the key used by the receiving • device for verifying electronic payments • an attacker can even prevent the receiving device from being informed • about the error at deposit time, by substituting the error message of • the bank by another • protection can be achieved by using measures such as password • protection and secure operating system software

  46. 2.6.2. Preventing Payment Redirection Man-in-the-middle attack : • an attacker might steal electronic cash by redirecting to its own receiving • device a payment intended for another party, or by redirecting it to the • paying device of another party that the attacker intends to pay • one way to prevent the wrong party from being paid is to explicitly direct • an electronic cash payment to the intended payee, by making a digital • signature at payment time

  47. 2.6.2. Preventing Payment Redirection Cont. Distance bounding technique : • for payment platforms in which the paying device and the receiving • device need not be in physical proximity • the idea is for the receiving device and the paying device to mutually • agree on the challenge message that is to be responded to by the • paying device, by each sending a series of random bits to the other, • one by one and interleaved, and concatenating the bits to form the • challenge • by timing the delay, the receiving device can determine an upper • bound on its distance to the other device

  48. 2.6.3. Nonrepudiation • account holders should be able to disavow erroneous or false • incrimination of fraudulent behavior • requires the use of digital signatures, since there can only be • computed by the party associated with the public key needed • for verification (assuming proper protection of the secret key)

  49. THE END

More Related