adrian rusu n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Adrian Rusu PowerPoint Presentation
Download Presentation
Adrian Rusu

Loading in 2 Seconds...

play fullscreen
1 / 49

Adrian Rusu - PowerPoint PPT Presentation


  • 133 Views
  • Uploaded on

Adrian Rusu. CSE 712 Electronic Commerce. Electronic Cash. 1. Introduction - which are the goals for electronic cash ? 2. Research Issues and Techniques in Electronic Cash. 1. Introduction. 1.1. Traditional Cash Payments 1.2. Payments by Instruction 1.3. Electronic Cash Properties.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Adrian Rusu' - joella


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
adrian rusu
Adrian Rusu

CSE 712Electronic Commerce

electronic cash
Electronic Cash

1. Introduction - which are the goals for electronic cash ?

2. Research Issues and Techniques in Electronic Cash

1 introduction
1. Introduction

1.1. Traditional Cash Payments

1.2. Payments by Instruction

1.3. Electronic Cash Properties

1 1 traditional cash payments
1.1. Traditional Cash Payments

Advantages :

  • can be used spontaneously and instantaneously, to make payments
  • from person to personwithout the involvement of a bank
  • it is the preferred method for low and medium-value purchases
  • offer privacy

1

slide5

1.1. Traditional Cash Payments Cont.

Disadvantages :

  • transporting cash from one place to another
  • protecting cash transport and storage
  • replacing worn out coins and bank notes
  • cash comes in fixed denominations
  • cash is the preferred method of payment for money laundering, bribery,
  • and extortion
  • cash can be passed on many times without the need for settlement by a bank
  • the inherent requirement for physical proximity of payer and payee

2

3

4

5

6

1 2 payments by instruction
1.2. Payments by Instruction

7

  • instead of value itself, the payer transfers to the payee an instruction,
  • directing the payee's bank to transfer a specified amount
  • after reception of the transferred instruction from the payee's bank,
  • the payer's bank moves the value from source to destination account,
  • both of which are specified by the payment instruction
slide7

1.2. Payments by Instruction Cont.

Advantages :

  • because the actual value resides at all times within the banks,
  • the risks of theft and loss are largely overcome
  • checks can be mailed by post, and credit cards can be used
  • over the phone or Internet
slide8

1.2. Payments by Instruction Cont.

Disadvantages :

I. The problem of ensuring authenticity :

  • handwritten signatures are easily forged and magnetic strips copied
  • PINs can be learned through fake point-of-sale terminals
  • specified amounts can sometimes be modified by the payee

Solution :

  • upgrade to cryptographic authentication methods in combination
  • with chip cards

8

slide9

1.2. Payments by Instruction Cont.

Disadvantages :

II. The problem of on-line verification of debit

and credit card payments :

9

  • a system that requires on-line payment verification can suffer from
  • a network breakdown and overload
  • only guaranteed checks can be verified off-line and without special
  • equipment, but these do not allow instantaneous payment, and are
  • time-consuming to obtain, verify, process, and redeem
slide10

1.2. Payments by Instruction Cont.

Disadvantages :

III. The problem of tracing the payments :

  • all payments are effortlessly traceable by the bank that performs
  • the actual transfer of value, from source to destination account
  • this enables intrusive profiling of spending behavior - leads to
  • junk mail or worse, in wrong hands this data is a valuable tool
  • for victimizing people

10

1 3 electronic cash properties
1.3. Electronic Cash Properties

11

  • should have high acceptability
  • should be cost-effective for low-value purchases
  • should be suitable for payment from person to person
  • it should be possible to verify payments off-line
  • should offer storage and transportation convenience, while
  • protect users against loss, theft, and accidental destruction
  • physical proximity of payer and payee should not be needed, so that
  • electronic cash payments can be made over the phone or the Internet

12

13

1 3 electronic cash properties cont
1.3. Electronic Cash Properties Cont.

Three forms of privacy of payment :

I. Confidentiality

14

  • can be achieved by encrypting all sensitive data

II. The ability to hide who is transacting with who,

how many times, and so on

  • in case of Internet, this can be revealed by traffic analysis

III. Untraceability

15

16

2 electronic cash techniques
2. Electronic Cash Techniques

2.1. Modeling Electronic Cash

2.2. Authentication Techniques

2.2.1. Conventional Dynamic Authentication

2.2.2. Dynamic Authentication Based on Public-Key Cryptography

2.3. Representing Electronic Cash

2.4. Transferring Electronic Cash

2.4.1. Transferring Register-Based Cash

2.4.2. Transferring Electronic Coins

2.5. Compromised Tamper-Resistance

2.5.1. Fraud Detection

2.5.2. Fraud Tracing

2.5.3. Fraud Liability

2.5.4. Fraud Containment

2.6. Security for Account Holders

2.6.1. Preventing Loss

2.6.2. Preventing Payment Redirection

2.6.3. Nonrepudiation

2 1 modeling electronic cash
2.1. Modeling Electronic Cash

Withdrawal protocol :

asks for electronic cash

Computing

device

Computing

device

prepaid electronic cash

bank - creates a special account

“float account”

participant

17

2 1 modeling electronic cash cont
2.1. Modeling Electronic Cash Cont.

Payment protocol :

sends for electronic cash

Computing

device

Computing

device

payee

payer

Note : Payer and payee must share the same bank.

2 1 modeling electronic cash cont1
2.1. Modeling Electronic Cash Cont.

Deposit protocol :

sells electronic cash

Computing

device

Computing

device

bank

participant

18

Note : At least part of the paying device must be tamper-resistant

in order to prevent double-spending of electronic cash.

19

2 2 authentication techniques
2.2. Authentication Techniques
  • receiving devices must be able to distinguish paying devices from
  • attackers who try to pass for paying devices
  • to prove their authenticity, paying devices need to be equipped by
  • the bank with a secret key
  • receiving devices must be able to recognize whether they are
  • communicating with a device holding a secret key installed by
  • the bank

20

2 2 authentication techniques cont
2.2. Authentication Techniques Cont.
  • static authentication

21

  • dynamic authentication
  • instead of revealing the key, it suffices to prove knowledge
  • of the key, by performing certain computations, without
  • revealing it
  • different computations must be performed each time

challenge-response protocols

22

2 2 1 conventional dynamic authentication
2.2.1. Conventional Dynamic Authentication

Knows the secret key of the

paying device, therefore must

be tamper-resistant

MAC (message authentication code) :

usually chosen randomly

Sends a message

Paying

device

(the challenge)

Receiving

device

Applies secret key to the

challenge and sends result

Applies secret key to message

and verifies for equality

  • it's called symmetric authentication
  • the particular manner in which the secret keys are installed is of
  • great importance to the system security
2 2 1 conventional dynamic authentication cont
2.2.1. Conventional Dynamic Authentication Cont.

Three approaches :

I. The System-Wide Secret Key

  • paying and receiving devices all hold the same random secret key,
  • generated and installed by the bank
  • major drawback : an attacker needs to be able to extract the secret
  • key of any device in order to pass for any paying device
2 2 1 conventional dynamic authentication cont1
2.2.1. Conventional Dynamic Authentication Cont.

II. Diversified keys

  • each paying device holds a unique secret key
  • each receiving device must be able to recognize the secret keys
  • of all paying devices
  • the secret key of a paying device is computed as a one-way function
  • of the master key and a unique ID number of the paying device, and is
  • called a diversified key
  • advantage : if a secret key of a paying device has been extracted by
  • an attacker, and used fraudulently, once the fraud is detected the
  • compromised device can be traced and subsequently blacklisted
  • weak point : the master key is present in any receiving device, and
  • extraction enables an attacker to pass for a paying device with an
  • arbitrary ID number

23

2 2 1 conventional dynamic authentication cont2
2.2.1. Conventional Dynamic Authentication Cont.

III. Certification of Diversified Keys

  • the bank stores into each paying device not only an ID number, but
  • also its own digital signature on that ID number

Payment protocol :

transfers the combination

Receiving

device

Paying

device

(ID, digital signature)

of paying device, of bank for that

particular ID

Applies the public key of the bank

to establish validity of ID#

  • advantage over the diversified key method : an attacker who knows
  • the master key cannot pass for an arbitrary paying device, since he
  • cannot forge signatures of the bank

24

2 2 2 dynamic authentication based on public key cryptography
2.2.2. Dynamic Authentication Based on Public-Key Cryptography
  • is called asymmetric authentication
  • the receiving device verifies the result by applying the
  • corresponding public key of the paying device
  • the vulnerability of master key is removed
  • paying devices should provide their public keys to receiving
  • devices during payment
  • receiving devices must be able to verify the validity of public keys
2 2 2 dynamic authentication based on public key cryptography cont
2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont.

Two basic public-key cryptographic techniques :

  • zero-knowledge authentication

25

  • digital signatures
2 2 2 dynamic authentication based on public key cryptography cont1
2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont.

Digital signatures :

  • it is infeasible for active attackers to forge a new (message,signature) pair
  • drawback : the resistance against cryptanalytic attacks is harder to prove
  • than for zero-knowledge authentication
  • advantage : constitutes an unforgeable transcript of a proof of knowledge
  • of the secret key => receiving devices need not be tamper-resistant at all
  • many digital signatures are based on number-theoretic primitives
  • one-way functions built from block-ciphers are of special interest to
  • electronic cash design because they allow implementation on paying
  • devices with low-cost microprocessors
2 2 2 dynamic authentication based on public key cryptography cont2
2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont.

Lamport signatures :

  • the public key of a paying device is a set of 2k numbers, for an
  • appropriate security parameter k, of the following form :
  • the secret key consists of the 2k preimages sij
2 2 2 dynamic authentication based on public key cryptography cont3
2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont.

Matrix-Based Signatures :

  • it's an improvement in signature storage
  • the secret key consists of a matrix of r rows by 2c columns
  • the public key is obtained by fedding the top rows into a one-way
  • hash function

26

2 2 2 dynamic authentication based on public key cryptography cont4
2.2.2. Dynamic Authentication Based on Public-Key Cryptography Cont.

Tree Authentication :

  • it generates the same matrix as in Matrix-Based Signatures method
  • takes multiple matrix instances as leaves in a tree
  • each node value in the level just above the leaves is computed by
  • compressing the top rows of the child matrices
  • all the other values in the tree are computed by compressing the
  • child node values
  • the value of the root node serves as the public key of the paying device
  • to compute a digital signature on a message, the paying device
  • uses a matrix in a leaf of the tree that has not been used before

27

2 3 representing electronic cash
2.3. Representing Electronic Cash

Two fundamental ways :

I. Register-Based Cash

  • indicates an amount of electronic cash by means of the value of a
  • counter, maintained in a chip register
  • Ex : 100 electronic dollars spendable up to cent granularity would
  • be represented by a counter value of 10,000.
  • relies critically on tamper-resistance

28

2 3 representing electronic cash cont
2.3. Representing Electronic Cash Cont.

II. Electronic Coins

  • cryptographic tokens that are digitally signed by the bank
  • to each token at least a fixed denomination and currency are
  • assigned, and possibly also attributes such as an expiration date
  • and how many times it may be passed on
  • must be unforgeable and verifiable solely by using the signature
  • public key of the bank
  • in its simplest form, each coin is a different (message,signature)
  • pair = two-part form for coins
  • the security relies crucially on the secrecy of the bank's secret
  • key for signing
2 3 representing electronic cash cont1
2.3. Representing Electronic Cash Cont.

Disadvantages of using electronic coins

over register-based cash :

  • register-based cash has storage space minimal
  • coin verification requires the ability to verify digital signatures
  • the complexity of communication and computation for coins
  • increases with the number of coins needed to form an amount
  • when coins of appropriate denomination are not at hand, a
  • payment requires change from the receiving device or a new
  • withdrawal
2 4 transferring electronic cash
2.4. Transferring Electronic Cash
  • secure authentication by the paying device is required
  • the internal cash balance of a paying device should be
  • decreased before transferring the electronic cash

29

2 4 1 transferring register based cash
2.4.1. Transferring Register-Based Cash
  • paying device and the amount that is transferred must be authenticated
  • paying device must decrease its register value to reflect the amount
  • that is transferred
  • the amount can be encoded into the challenge => the resulting challenge
  • becomes longer
  • the receiving device can store the transferred cash either as register-based
  • cash or in the form of an electronic coin
  • in case the receiver stores the received amount in the form of a coin,
  • either the coin may be passed on for a subsequent payment, or it can
  • only be deposited (electronic check)

30

31

2 4 2 transferring electronic coins
2.4.2. Transferring Electronic Coins
  • to issue electronic coins to a paying device of an account holder, the
  • bank computes digital signatures on distinct messages, sends these
  • to the device and debits the account of its holder by the total value
  • of the coins
  • to make a payment, the paying device first determines whether coins
  • of appropriate denominations are present. If the amount cannot be
  • made up, either an excess amount must be formed and the receiving
  • device must supply change, or first another withdrawal must be performed
  • before sending out the coins, the paying device erases the coins
  • from memory
  • the receiving device decrypts, verifies the coins using the public
  • key of the bank, and stores them
2 5 compromised tamper resistance
2.5. Compromised Tamper-Resistance
  • stealing the secret key of the bank or discovering an algorithmic
  • breakthrough (such as how to invert functions that are believed to
  • be one-way) are two ways in which an attacker may be able to
  • forge electronic money
  • in reality, there is no such thing as tamper-proofness
  • when secrets can be extracted from paying or receiving devices,
  • nothing distinguishes counterfeit from cash issued by the bank
2 5 1 fraud detection
2.5.1. Fraud Detection
  • to keep track of the flow of electronic cash between devices,
  • transaction transcripts that reveal at least how much cash has
  • been transferred must regularly be made available to the bank
  • otherwise fraud cannot be detected in other way than through
  • the economic side-effect of hyper-inflation
  • electronic coins and checks have an important advantage over
  • other methods : the transaction record is tied in with the received
  • value, into digitally signed message of the paying device, and hence
  • received coins or checks cannot be deposited without automatically
  • also revealing the corresponding transaction logs
  • with electronic coins, the only way for an attacker to make a fraudulent
  • profit is by double-spending withdrawn coins, and so any forgery of
  • electronic cash can be detected by the bank by maintaining a list of all
  • deposited coins and checking at each deposit for double-spending
2 5 2 fraud tracing
2.5.2. Fraud Tracing
  • with conventional authentication methods, the ability to extract the
  • master key enables an attacker to perform the authentication for any
  • paying device, so forgery cannot be traced to a single device
  • in order to be able to trace devices that have been compromised, the
  • bank should not deploy system-wide secret keys => we need cash
  • transfer based on public-key cryptographic authentication
  • when a coin in the two-part form has been double-spent, it is not
  • clear whether the attack has been on the paying device or on any of
  • the receiving devices in the chain of payments with that coin
2 5 3 fraud liability
2.5.3. Fraud Liability
  • when counterfeit can be traced to a specific device, it is not
  • necessarily the case that its holder is a criminal
  • the bank must require all its account holders to comply with
  • mechanisms for reporting loss, theft, or hardware defects
  • the bank should also issue personalized paying devices that
  • may not be swapped : PIN

32

2 5 4 fraud containment
2.5.4. Fraud Containment
  • when forgery of money can be traced to paying devices, the bank
  • can blacklist these devices
  • the ability to trace compromised paying devices may suffice to stop
  • the fraudsters from continuing their fraud
  • in case tracing of compromised devices is not possible, the bank
  • can stop further fraud only by revoking its own keys
  • by refreshing master keys and certification keys an a regular basis,
  • indicated by expiration dates, containment can be obtained even for
  • frauds that are difficult to detect

33

34

2 6 security for account holders
2.6. Security for Account Holders

Objectives :

  • the electronic cash held by a device should not disappear in any other
  • way than by spending it at the approval of its legitimate holder
  • it should not be possible for an attacker to redirect a payment to a
  • party other than that intended by the legitimate holder of the device
  • whenever the behavior of an honest account holder is disputed, the
  • account holder should be able to substantiate his innocence
2 6 1 preventing loss
2.6.1. Preventing Loss

Various ways for an account holder to loose electronic cash :

  • the contents of his device may be garbled because of a device crash
  • or a hardware fault, or his device may get lost or stolen => we need
  • loss-tolerance measures
  • a payment transaction can be interrupted with the effect that the
  • paying device has debited the payable amount while the other device
  • has not receive it => we need fault-tolerance measures
  • another party may be able to withdraw from his account at the bank
  • in case of a receiving device that is not tamper-resistant, an attacker
  • may have the device accept bogus money by modifying its software
2 6 1 preventing loss cont
2.6.1. Preventing Loss Cont.

Loss-Tolerance

  • is of concern of both paying and receiving devices
  • requires that a destroyed, lost, or stolen amount of electronic cash can be
  • recovered
  • in the case of loss or theft the bank must distinguish between a victimized
  • account holder and one faking loss or theft
  • co-operation with the bank is needed whenever a paying device or a
  • receiving device that holds a secret key of the bank crashes
  • in case a device is reported to have been lost or stolen, the bank should
  • delay reimbursement, if necessary until the current version of electronic
  • cash has expired

35

36

2 6 1 preventing loss cont1
2.6.1. Preventing Loss Cont.

Fault-Tolerance

  • is mainly an implementation issue
  • to cope with transaction interruption, a device should at all times be
  • prepared to resend the last message it sent out (of course without
  • modifying its internal cash representation a second time)
2 6 1 preventing loss cont2
2.6.1. Preventing Loss Cont.

Account Access Control

  • in order to prevent withdrawal from account by an unauthorized party,
  • the bank should grant account access only to parties that are properly
  • authenticated
  • if a MAC is required, the secret key needed to gain access to an
  • account is known also to the bank, and fraudulent parties (such as
  • bank employees) may be able to gain access to the key
  • by digitally signing crucial parts of the withdrawal request, the
  • requested amount, and date and time of the request, an account
  • holder can always disavow an unauthorized withdrawal
2 6 1 preventing loss cont3
2.6.1. Preventing Loss Cont.

Software Integrity

  • in case the receiving device is not tamper-resistant, the attacker
  • may change a function pointer so that the software calls a verification
  • routine that always accepts
  • an attacker can attempt to substitute the key used by the receiving
  • device for verifying electronic payments
  • an attacker can even prevent the receiving device from being informed
  • about the error at deposit time, by substituting the error message of
  • the bank by another
  • protection can be achieved by using measures such as password
  • protection and secure operating system software
2 6 2 preventing payment redirection
2.6.2. Preventing Payment Redirection

Man-in-the-middle attack :

  • an attacker might steal electronic cash by redirecting to its own receiving
  • device a payment intended for another party, or by redirecting it to the
  • paying device of another party that the attacker intends to pay
  • one way to prevent the wrong party from being paid is to explicitly direct
  • an electronic cash payment to the intended payee, by making a digital
  • signature at payment time
2 6 2 preventing payment redirection cont
2.6.2. Preventing Payment Redirection Cont.

Distance bounding technique :

  • for payment platforms in which the paying device and the receiving
  • device need not be in physical proximity
  • the idea is for the receiving device and the paying device to mutually
  • agree on the challenge message that is to be responded to by the
  • paying device, by each sending a series of random bits to the other,
  • one by one and interleaved, and concatenating the bits to form the
  • challenge
  • by timing the delay, the receiving device can determine an upper
  • bound on its distance to the other device
2 6 3 nonrepudiation
2.6.3. Nonrepudiation
  • account holders should be able to disavow erroneous or false
  • incrimination of fraudulent behavior
  • requires the use of digital signatures, since there can only be
  • computed by the party associated with the public key needed
  • for verification (assuming proper protection of the secret key)