1 / 32

A Study on Internet Service Security

A Study on Internet Service Security. Min-Shiang Hwang Department of Computer Science and Information Engineering Asia University. Outline. I ntroduction User Authentication - A Remote Password Authentication Scheme for Multi-Server Architecture Using Smart Card

mildreds
Download Presentation

A Study on Internet Service Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Study on Internet Service Security Min-Shiang Hwang Department of Computer Science and Information Engineering Asia University

  2. Outline Introduction User Authentication - A Remote Password Authentication Scheme for Multi-Server Architecture Using Smart Card  Electronic Payment - A Simple Micro-Payment Scheme  Electronic Auction - Adding Timestamps to The Secure Electronic Auction Protocol Conclusions

  3. Introduction User 1 Server/Computer (User Authentication) User 2 Internet User 3 . . . Resources Services Data Retrieve Auction Payment Election Shopping Memories Processes Data Devices User n

  4. User Authentication Motivation Multi-Server Architecture

  5. User Authentication Introduction Server Resources User Authentication Login • Password • Fingerprint • Handprint Signature Resources

  6. User Authentication Methods for Password Authentication 1. Using Password Table {ID, PW} Client Sever ID1 PW1 ID2 PW2 . . . . . . IDn PWn Password table

  7. User Authentication 2. Without Password Table or Verification Table Ks: server’s secret key User Sever Registration:{ID, PW} PW=Eks[ID] Login:{ID, PW} Verification: PW=? Eks[ID] • The user cannot choose his ID and password freely. • It is not suitable for multi-server architecture.

  8. User Authentication Requirements: • It agrees with multi-server network architecture without repetitive registration. • It needs no password files or verification table. • It allows user choose password freely. • It must manage the users efficiently, i.e., it can add or delete users easily.

  9. User Authentication Our Scheme 1. The Initialization Phase • CA selects a large prime p and a primitive number g of GF(p). • CA chooses each server's secret key d and calculates the public key esuch as : e = gd (mod p). 2. The Registration Phase Assume that a new user U1is granted to register only from the servers Ser1, Ser3. And the service period are SP1, SP3 respectively.

  10. User Authentication D1 = (mod p) W1 = (mod p). X1 = e1ID (mod p) Y1 = (mod p) CA stored the parameters {SP1, S[ID||SP1], K1}, {SP3, S[ID||SP3], K3], user ID and the line LS into the secret zone in the smart card.

  11. User Authentication 3. The Login Phase {ID, (K3, Q3), Z3, A3, T, SP3, S[ID||SP3]} (ID, PW) Ran A3=gRan (mod p) B3=e3Ran*T (mod p) D3 = (mod p) W3 = (mod p).

  12. User Authentication 4. The Authentication Phase • Checking the correctness of ID • Checking SP3 and his signature • Checking T • Checking the point (X3,Y3) is located on L3

  13. User Authentication 5. To Change Password

  14. User Authentication Conclusions Advantages: • It is suitable for the multi-server network system • Without any password or verification table • User can freely choose and change his password Disadvantage: • System administrator can not dynamic manage user’s privileges.

  15. Electronic Payments Motivation When to use micro-payment: • On-line articles • On-line newspaper • Digital image and video • Investment information The characteristics of micro-payment: • Small transaction value • High transaction frequency Why needs micro-payment system?

  16. Networks Electronic Payments Introduction Bank Deposit Withdrawal Consumer Merchant Payment

  17. Electronic Payments Threats • Networks are insecure Fabrication Modification Interruption Interception • Customers are not honest Double spending • Merchants are not honest Replay

  18. Electronic Payments 1.Pre-paid or Post-paid Bank Exchange digital money Pre-paid: (Prepaid card) • good for merchant but is not fair to the consumer. • preventing double spending. Post-paid: (Credit Card) • good for consumer but the merchant and bank take some risks. • preventing replay attack. Networks Consumer Merchant Payment Exchange digital money Bank Networks Merchant Consumer Payment

  19. Electronic Payments 2.On-line or Off-line Bank On-line: involving the bank • detecting double spending • checking the customer’s credit • more communications Networks Consumer Merchant Payment Bank Off-line: not involving the bank • verifying the payment by the merchant • less communications Networks Consumer Merchant Payment

  20. Electronic Payments Summaries • Pre-paid + On-line  Ecash (Untraceability ) • Post-paid + On-line  SET • Pre-paid + Off-line  Millicent (Untransferable) • Post-paid + Off-line  PayWord Large Payment, Safety  On-line Small Payment, low transaction cost  Off-line

  21. Bank Batch withdrawal Batch deposit Networks Consumer Merchant Payment Electronic Payments A Practical Micro-Payment System • Post-paid • Off-line

  22. Electronic Payments Our Scheme The scheme uses the following notations: MAC(k, M): Message Authentication Code function is a key-dependent one way hash function. IDC / IDM: Each customer / merchant's identity. KB / KC: The broker / customer's secret key, where KC =MAC(KB, IDC). AMOUNT: The amount of money of each payment. SUM: The sum of money of all payments in the merchant. PO: The purchase order information, e.g. e-mail address and the ordered information. SER: An automatically increasing time serial number, which is like a time-stamp. The combination can be as (year || month || date || times). PMES: The payment message that contains, at a minimum, {IDC, AMOUNT, PO, SER, H}. H expresses the MAC(KC, IDC || IDM || AMOUNT || PO || SER) where the symbol || denotes the concatenation.

  23. Electronic Payments Our Scheme 1. Initiation KC=MAC(KB,IDC) The broker’s secret key KB and the merchant’s identity IDM are store in a register of the CPU embedded in the card.

  24. Electronic Payments 2. Payment and Authentication PMES: {IDC, AMOUNT, PO, SER, H} H: MAC(KC , IDC || IDM || AMOUNT || PO || SER) checking SER and verifying MAC( MAC(KB ,IDC),IDC || IDM || AMOUNT || PO || SER) = MAC(KC, IDC || IDM || AMOUNT || PO || SER) = H.

  25. Electronic Payments 3. Settling for merchant and customer

  26. Electronic Payments Discussions

  27. Electronic Payments Conclusions Advantages 1. The tamper resistant device is held by the merchant, not held by the customer. This is economical for device cost. 2. To authenticate the validity of payment message without involving the bank. This method can reduce the cost of communication and traded time. 3. The scheme does not using any public key cryptosystem to generate and verify a certificate. 4. The scheme can prevent the database unlimited growth.

  28. Networks Electronic Auction Introduction • Sealed Bid Auction • Public Bid Auction Bank Payment Capture Reimbursement Auction House Bidders Bids

  29. Electronic Auction Subramanian’s Scheme Bank Withdrawal payment [[payment]K, [price]SKb]PKa Auctionner A Bidder B [[[payment]K]SKa, [price]SKb]PKb Bulletin the maximum price [[K]SKb]PKa

  30. Electronic Auction The Weaknesses of Subramanian’s Scheme • The sensitive information (e.g. credit card number) can be revealed. • The resolution of two or more bidders offered the same price was not considered.

  31. Electronic Auction Our Revised Scheme Adding Timestamp to the payment information [TS,[TS paymentK]PKbank] [TS, K, [TS paymentK]PKbank] Bank [TS[TS paymentK]PKbank, [price]SKb]PKa Bidder B Auctionner A [[TS paymentK]PKbank]SKa, [price]SKb]PKb Bulletin the maximum price and TS [[K]SKb]PKa

  32. Electronic Auction Conclusions Advantages: • It prevents the payment information leaking out. • Any malicious bidder cannot forge or replay the payment • It resolves the resolution of tie.

More Related