An Efficient, Secure & Delegable Micro-Payment System

Vishwas Patil, vtp_at_tifr.res.in, http://www.ecom.tifr.res.in/~vtp, School of Technology and Computer Science

1
An Efficient, Secure & Delegable
Micro-Payment System
Vishwas Patil, vtp_at_tifr.res.in, http://www.ecom.tifr.res.in/~vtp
School of Technology and Computer Science, Tata
Institute of Fundamental Research, Mumbai.
2
Outline of the Presentation
  • Micro-Payments
  • Importance and Applications
  • Trade-offs between efficiency, security, privacy
  • One-Way functions
  • PayWord and others
  • TESLA, SPKI / SDSI
  • Our Proposal
  • Inducing delegation into the system
  • Protocol Analysis
  • Security
  • Risk
  • Performance

3
Micro-Payments
  • Low intrinsic financial value
  • Aim- keep the cost of each transaction to a
    minimum possible value over aggregates so that
    the over-cost of such transactions can be
    proportionally reduced
  • Current Approaches-
  • Advertisements
  • Bulk subscriptions
  • Identification of the user based on IP addresses
    and/or cookies etc.
  • Existing Protocols for micro-payments-
  • PayWord, MilliCent, NetCard, NetBill, iKP
  • On-line (costly) vs. Off-line (double-spending)

4
One-Way functions
  • Defn. A mathematical function that converts a
    variable-length i/p to fixed-length o/p (called a
    hash value), and it is hard to generate the
    original i/p string that hashes to a particular
    value
  • (⇒ one-way)
  • So, a one-way hash function is a mapping h from
    some set of words into itself such that
  • Given a word x, it is easy to compute h(x)
  • Given a word y, it is not feasible to compute a
    word x such that y = h(x)
  • A good one-way hash function is collision-free

5
PayWord
  • Credit-based off-line micro-payment scheme
    optimized for sequences of micro-payments
  • The thrust of this scheme lies in minimizing the
    number of public-key operations required per
    payment and to achieve exceptional efficiency.
  • It's a tripartite mechanism involving
  • Bank B
  • Vendor V
  • User U
  • A payword is the smallest monetary unit
  • It is vendor-specific and user-specific
  • A chain of paywords $w_1, \ldots, w_n$ is generated using a
    one-way hash function h, i.e. $w_i = h(w_{i+1})$

6
PayWord
  • Relationship between B, V, and U
  • B → U
  • U obtains $C_U = \{B, U, A_U, K_U, E, I_U\}_{K_B^{-1}}$
  • U → V
  • U generates payword chain $w_1, \ldots, w_n$ with root $w_0$
  • U registers with V by sending $M = \{V, C_U, w_0, D, I_M\}_{K_U^{-1}}$
  • $P = (w_i, i)$ is the payment from U to V
  • V → B
  • V sends redemption messages to B at regular
    intervals
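
The payword chain and the vendor-side check from the two PayWord slides, as an added example that is not code from the presentation. SHA-256 as h and the names `make_chain`, `Vendor` and `demo` are assumptions of this example, and the signed commitment M is represented only by its root w_0 and chain length n. It also shows a lost payment packet being recovered from the next one, and a replayed payword being refused.

```python
import hashlib
import os

def h(x: bytes) -> bytes:
    """One-way function h (SHA-256 is this example's choice)."""
    return hashlib.sha256(x).digest()

def make_chain(n: int, seed: bytes) -> list:
    """Return [w_0, ..., w_n] with w_n = seed and w_i = h(w_{i+1})."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()          # generated w_n first, spent w_1 first
    return chain

class Vendor:
    """State V keeps for one commitment: root w_0 and chain length n."""
    def __init__(self, root: bytes, n: int):
        self.last_w, self.last_i, self.n = root, 0, n

    def accept(self, w: bytes, i: int) -> int:
        """Check P = (w_i, i); return units newly earned, 0 if rejected."""
        if not (self.last_i < i <= self.n):
            return 0         # already-spent index (replay) or past the chain end
        x = w
        for _ in range(i - self.last_i):
            x = h(x)         # hash forward to the last accepted payword
        if x != self.last_w:
            return 0         # not on the committed chain
        earned = i - self.last_i
        self.last_w, self.last_i = w, i
        return earned

def demo() -> list:
    chain = make_chain(5, os.urandom(32))   # constructed sample chain
    v = Vendor(chain[0], 5)
    return [
        v.accept(chain[1], 1),        # normal payment: 1 unit
        v.accept(chain[3], 3),        # packet for w_2 was lost: 2 units
        v.accept(chain[2], 2),        # replay of a lower index: rejected
        v.accept(os.urandom(32), 4),  # forged payword: rejected
        v.accept(chain[5], 5),        # remaining 2 units
    ]

if __name__ == "__main__":
    print(demo())
```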

7
TESLA (Time Efficient Stream Loss-Tolerant
Authentication)
  • TESLA provides source authentication
  • Sender and receiver of the data are loosely
    time-synchronized and use an optional
    data buffer for temporary storage of packets
  • TESLA-sender makes use of one-way hash chain
    values as encryption keys or keys for computation
    of MAC over the packets
  • And the sender discloses the keys after a
    pre-determined time interval
  • Also, because of delayed key disclosure one can
    achieve data confidentiality for sufficient
    time-period (thus gives us the temporary effect
    of asymmetric cryptography!)
  • But cannot provide non-repudiation!

8
SPKI / SDSI (Simple PKI / Simple Distributed
Security Infrastructure)
  • It is a distributed PKI in which every public key
    enjoys the freedom of naming and authorization
    delegation locally, forming a functional trusted
    island (it's a bottom-up design approach)
  • Functional islands of this infrastructure can
    narrate other functional islands in local
    name/authorization bindings and serve each other
    their local name/authorization definitions as and
    when requested
  • Features like grouping of principals and
    threshold certificates make the system
    expressive, manageable, and flexible
  • Separation of name bindings from authorizations
    and allowing principals to further delegate the
    authorizations have distinct advantages over
    traditional PKIs (e.g. privacy, decentralization
    of authorizations etc.)

9
Design of our micro-payment system
  • Aim- To design a micro-payment scheme which is
    off-line, vendor-specific, secure, efficient, and
    allows a user to delegate its spending capability
  • Design-
  • We chose PayWord, which is an efficient,
    off-line, vendor-specific and user-specific
    micro-payment scheme
  • To allow a user to delegate the spending
    capability, we had to make the primitive monetary
    unit (payword) vendor-specific (not
    user-specific)
  • This modification to PayWord invites
    double-spending and theft of the paywords
  • We employed TESLA to provide source-authentication
    and confidentiality to the paywords in transit
  • And, SPKI provides the PKI services and
    delegation capability

10
Protocol stages
11
Multi-seed payword chains
12
Additional Protocol stages (when delegation is
involved)
  • User U, who owns 4 different payword chains, is
    delegating parts of the chain to Agent, Agent1,
    and Agent2 specifying their spending range
  • Special care has to be taken while delegating the
    payword chains in parts: they have to be spent in
    the reverse order of their generation

13
Analysis (Security)
  • Cryptographic support
  • Asymmetric -> Symmetric TESLA
  • Non-repudiation etc. SPKI
  • Use of readily available self-authenticating hash
    values for data confidentiality and integrity
  • Thus, we avoid separate encryption key generation
    and its distribution

14
Analysis (Risk)
  • Use of same key for encryption and MAC
    computation might lead to cryptographic
    weaknesses of the protocol
  • But we are interested in providing
    confidentiality to the paywords in transit
  • V loosely time-synchronizes itself with U in
    TESLA framework, however it does not know the
    propagation delay of the time-synchronization
    request packet
  • To remain on the safer side, we take the full
    round-trip time of the packet
  • Even if V loses one of the valid incoming payword
    packets, it can own its value on successfully
    receiving the next payword packet because of the
    payword chain's self-authenticating nature
  • Therefore, V accepts such risk arising due to
    network errors
  • TESLA buffer constraints
  • Let the sender buffer the packets

15
Analysis (Performance)
  • E = one unit encryption
  • D = one unit decryption
  • Fragmentation of payword chains
  • Delegation of each payword sub-chain involves a
    pair of asymmetric key operations, and the number
    of such operations is linearly proportional to the
    depth of delegation

16
Conclusion
  • It's off-line, vendor-specific
  • Secure
  • Delegable
  • Efficient
  • Gives autonomy of spending
  • An enabler for various e-commerce (Internet)
    applications

17
References
  • PayWord and MicroMint: Two Simple Micropayment
    Schemes, Ronald Rivest and Adi Shamir. In
    Security Protocols Workshop, pp. 69-87, 1996.
  • The TESLA Broadcast Authentication Protocol,
    Adrian Perrig, Ran Canetti, J.D. Tygar, Dawn Song.
    In RSA CryptoBytes, 5, 2002.
  • Certificate Chain Discovery in SPKI/SDSI, Dwaine
    Clarke, Jean-Emile Elien, Carl Ellison, Matt
    Fredette, Alexander Morcos, and Ronald Rivest. In
    Journal of Computer Security, 9(4), 2001.
  • Password Authentication in Insecure
    Communication, Leslie Lamport. In Communications
    of ACM, 24(11):770-772, 1981.