An Efficient, Secure - PowerPoint PPT Presentation

About This Presentation
Title:

An Efficient, Secure

Description:

An Efficient, Secure & Delegable Micro-Payment System Vishwas Patil vtp_at_tifr.res.in http://www.ecom.tifr.res.in/~vtp School of Technology and Computer Science – PowerPoint PPT presentation

Number of Views:59
Avg rating:3.0/5.0
Slides: 18
Provided by: Vish66
Category:

less

Transcript and Presenter's Notes

Title: An Efficient, Secure


1
An Efficient, Secure Delegable
Micro-Payment System
Vishwas Patil vtp_at_tifr.res.in http//www.ecom.tifr
.res.in/vtp
School of Technology and Computer Science Tata
Institute of Fundamental Research, Mumbai.
2
Outline of the Presentation
  • Micro-Payments
  • Importance and Applications
  • Trade-offs between efficiency, security, privacy
  • One-Way functions
  • PayWord and others
  • TESLA SPKI / SDSI
  • Our Proposal
  • Inducing delegation into the system
  • Protocol Analysis
  • Security
  • Risk
  • Performance

3
Micro-Payments
  • Low intrinsic financial value
  • Aim- keep the cost of each transaction to a
    minimum possible value over aggregates so that
    the over-cost of such transactions can be
    proportionally reduced
  • Current Approaches-
  • Advertisements
  • Bulk subscriptions
  • Identification of the user based on IP addresses
    and/or cookies etc.
  • Existing Protocols for micro-payments-
  • PayWord, MilliCent, NetCard, NetBill, iKP
  • On-line (costly) vs. Off-line (double-spending)

4
One-Way functions
  • Defn. A mathematical function that converts a
    variable-length i/p to fixed-length o/p (called a
    hash value), and it is hard to generate the
    original i/p string that hashes to a particular
    value
  • (?one-way)
  • So, a one-way hash function is a mapping h from
    some set of words into itself such that
  • Given a word x, it is easy to compute h(x)
  • Given a word y, it is not feasible to compute a
    word x such that y h(x)
  • A good one-way hash function is collision-free

5
PayWord
  • Credit-based off-line micro-payment scheme
    optimized for sequences of micro-payments
  • The thrust of this scheme lies in minimizing the
    number of public-key operations required per
    payment and to achieve exceptional efficiency.
  • Its a tripartite mechanism involving
  • Bank B
  • Vendor V
  • User U
  • payword is the smallest monetary unit
  • it is vendor-specific and user-specific
  • a chain of paywords w1 wn is generated using a
    one-way hash function h i.e. wi h(wi1)

6
PayWord
  • Relationship between B, V, and U
  • B ? U
  • U obtains CU B, U, AU, KU, E, IU1/Kb
  • U ? V
  • U generates payword chain w1 wn with root w0
  • U registers with V by sending M V, CU,
    w0, D, IM1/Ku
  • P (wi, i) is the payment from U to V
  • V ? B
  • V sends redemption messages to B at regular
    intervals

7
TESLA (Time Efficient Stream Loss-Tolerant
Authentication)
  • TESLA provides source authentication
  • Sender and receiver of the data are loosely
    time-synchronized and uses an optional
    data-buffer for storage of packets temporarily
  • TESLA-sender makes use of one-way hash chain
    values as encryption keys or keys for computation
    of MAC over the packets
  • And the sender discloses the keys after a
    pre-determined time interval
  • Also, because of delayed key disclosure one can
    achieve data confidentiality for sufficient
    time-period (thus gives us the temporary effect
    of asymmetric cryptography!)
  • But cannot provide non-repudiation!

8
SPKI / SDSI (Simple PKI / Simple Distributed
Security Infrastructure)
  • It a distributed PKI in which every public-key
    enjoys the freedom of naming and authorization
    delegation locally, forming a functional trusted
    island (its a bottom-up design approach)
  • Functional islands of this infrastructure can
    narrate other functional islands in local
    name/authorization bindings and serve each other
    their local name/authorization definitions as and
    when requested
  • Features like grouping of principals and
    threshold certificates make the system
    expressive, manageable, and flexible
  • Separation of name bindings from authorizations
    and allowing principals to further delegate the
    authorizations have distinct advantages over
    traditional PKIs (e.g. privacy, decentralization
    of authorizations etc.)

9
Design of our micro-payment system
  • Aim- To design a micro-payment scheme which is
    off-line, vendor-specific, secure, efficient, and
    allows a user to delegate its spending capability
  • Design-
  • We chose PayWord, which is an efficient,
    off-line, vendor-specific and user-specific
    micro-payment scheme
  • To allow a user to delegate the spending
    capability, we had to make the primitive monetary
    unit (payword) vendor-specific (not
    user-specific)
  • This modification to PayWord invites
    double-spending and theft of the paywords
  • We employed TESLA to provide source-authentication
    and confidentiality to the paywords in transit
  • And, SPKI provides the PKI services and
    delegation capability

10
Protocol stages
11
Multi-seed payword chains
12
Additional Protocol stages (when delegation is
involved)
  • User U, who owns 4 different payword chains, is
    delegating parts of the chain to Agent, Agent1,
    and Agent2 specifying their spending range
  • Special care has to be taken while delegating the
    payword chains in parts they have to be spent in
    the reverse order of their generation

13
Analysis (Security)
  • Cryptographic support
  • Asymmetric -gt Symmetric TESLA
  • Non-repudiation etc. SPKI
  • Use of readily available self-authenticating hash
    values for data confidentiality and integrity
  • Thus, we avoid separate encryption key generation
    and its distribution

14
Analysis (Risk)
  • Use of same key for encryption and MAC
    computation might lead to cryptographic
    weaknesses of the protocol
  • But we are interested in providing
    confidentiality to the paywords in transit
  • V loosely time-synchronizes itself with U in
    TESLA framework, however it does not know the
    propagation delay of the time-synchronization
    request packet
  • To remain of safer side, we take the full
    round-trip time of the packet
  • Even if V loses one of the valid incoming payword
    packet, it can own its value on successfully
    receiving the next payword packet because of
    payword chains self-authenticating nature
  • Therefore, V accepts such risk arising due to
    network errors
  • TESLA buffer constraints
  • Let the sender buffer the packets

15
Analysis (Performance)
  • E one unit encryption
  • D one unit decryption
  • Fragmentation of payword chains
  • Delegation of each payword sub-chain involves a
    pair of asymmetric key operation and such number
    of operations are linearly proportional to the
    depth of delegation

16
Conclusion
  • Its off-line, vendor-specific
  • Secure
  • Delegable
  • Efficient
  • Gives autonomy of spending
  • An enabler for various e-commerce (Internet)
    applications

17
References
  • PayWord and MicroMint Two Simple Micropayment
    Schemes, Ronald Rivest and Adi Shamir. In
    Security Protocols Workshop, pp.69-87, 1996.
  • The TESLA Broadcast Authentication Protocol,
    Adrian Perig, Ran Canetti, J.D. Tygar, Dawn Song,
    In RSA CryptoBytes, 5, 2002.
  • Certificate Chain Discovery in SPKI/SDSI, Dwaine
    Clarke, Jean-Emile Elien, Carl Ellison, Matt
    Fredette, Alexander Morcos, and Ronald Rivest, In
    Journal of Computer Security, 9(4), 2001.
  • Password Authentication in Insecure
    Communication, Leslie Lamport, In Communications
    of ACM, 24(11) 770-772, 1981.
Write a Comment
User Comments (0)
About PowerShow.com