Title: Analyzing an Anonymous Fair Exchange E-commerce Protocol
1Analyzing an Anonymous Fair Exchange E-commerce
Protocol
CS 259
- Adam Barth
- (joint work with Andrew Tappert)
2Protocol Overview
- Protocol proposed in Ray and Ray 2001
- Protocol presented in pseudocode
- Five roles
- Customer and customers bank
- Merchant and merchants bank
- Trusted third party
- Anonymous fair exchange of money for a digital
good - Wanted to look at non-trace-based properties
- Employed MOCHA, an ATL model checker
- Customer assured of obtaining correct product by
cross validation (not modeled) - Had enough to look at without this
3Protocol Overview (no TP)
1
2
5
C
M
6
3
8
4
7
CB
MB
- Preamble (on a private channel) M gt TP m K1
Mipub - Preamble (on a private channel) TP gt C m, K1
Mipub - C gt M PO CC(PO), Ciprv Cipub, Mipub
- M gt C CC(PO), Miprv m.r, K1xK2 CC(m.r,
K1xK2), Miprv r, K1
CC(r, K1), Miprv Macct, MBpub CC(Macct,
MBpub), Miprv - C gt CB MTI, Cprv, CBpub 4)
CB gt C P, Bcprv, Cpub - C gt M P, Bcprv, Mipub
- M gt MB P, Bcprv, MBpub 7)
MB gt M ack, MBprv - M gt C K2inv, Cipub CC(K2inv), Miprv rinv,
Cipub CC(rinv), Miprv
4Formalizing Protocol Specification
- Protocol has many messages
- Eight, not including the trusted party
- Many terms in each message
- MOCHA bug limited total number of variables
- Too complex to keep track of every term directly
- Modeled messages as Boolean variables
- Set to true when sent
- Dishonest parties can forge messages
- Based on the messages in their possession
5Design of Our MOCHA Model
hc
n
hm
hmb
hcb
- Honest principals interact with network
- Dishonest principals folded into network
- Network records messages seen by dishonest
parties - Dishonest can forge messages with enough
knowledge - Each corrupt principal adds more initial knowledge
6Honest Customer Module (1)
- module hc -- honest customer
- external o2, o2a, o4, o4a, o8, oB bool
- interface i1, i3, i5, i5a, iA,
- cprod / customer has received
product /, - dc bool
-
- atom
- controls i1, i3, i5, i5a, iA, cprod, dc
- reads o2, o2a, o4, o4a, o8, oB,
- i1, i3, i5, i5a, iA, cprod, dc
- init
- true
- -gt i1' false
- i3' false
- i5' false
- i5a' false
- iA' false
- cprod' false
Vars for messages
Customer dishonesty flag
Initially has no messages
7Honest Customer Module (2)
Rules for updating state
- update
- i1
- -gt i1' true
- i1 o2 o2a i3
- -gt i3' true
- i1 o2 o2a i3 o4 o4a i5
i5a - -gt i5' true
- i1 o2 o2a i3 o4 o4a i5
i5a - -gt i5a' true
- i1 o2 o2a i3 o4 o4a i5
i5a o8 iA - -gt
- i1 o2 o2a i3 o4 o4a i5
i5a o8 iA - -gt iA' true
- (o8 oB) cprod
- -gt cprod' true
- endatom
- endmodule
Gets product from message 8 or B (part of TP
resolution)
8Network Module (1)
- Able to record messages for dishonest roles
- i1 (dm dnet) m1 -gt m1'
true - i2 (dc dnet) m2 -gt m2'
true - i2a (dc dnet) m2a -gt m2a'
true - i3 (dcb dnet) m3 -gt m3'
true - i4 (dc dnet) m4 -gt m4'
true - i4a (dc dnet) m4a -gt m4a'
true - i5 (dm dnet) m5 -gt m5'
true - i5a (dm dnet) m5a -gt m5a'
true - i6 (dmb dnet) m6 -gt m6'
true - i7 (dm dnet) m7 -gt m7'
true - i8 (dc dnet) m8 -gt m8' true
Dishonest client or network can record message 4
Knowledge vars
9Network Module (2)
- Forge messages
- (dc ii mm) m1 -gt
m1' true - m1 dm m2 -gt
m2' true - dm m2a -gt
m2a' true - dc m3 -gt
m3' true - (dcb (dc dmb)) m4 -gt
m4' true - (dcb dc) m4a -gt
m4a' true - ((m4 dc) dcb dmb) m5 -gt
m5' true - (dc ii mm) m5a -gt
m5a' true - ((m5 dm) dmb (dm dcb)) m6 -gt
m6' true - dmb m7 -gt
m7' true - m1 dm m8 -gt
m8' true - m1 m2 m5 oA -gt oA' true iitp'
true
Dishonest client can forge message 3 at will
10What Did We Do With the Model?
- MOCHA allowed us to run model by hand
- Useful to debug the model
- Tested some invariants (trace-based properties)
- Intruder can't get product unless he's acting as
merchant or customer - inv "inv1" (nprod dm dc)
- Customer only gets prod when merchant is paid
- inv "inv2" (cprod mpay)
- inv "inv3" (cprod mpay)
11More Complex ATL Properties
- Honest customer eventually gets product
- atl "atl1" (ltlt hc gtgt F (cprod))
- When payment is sent, honest customer eventually
gets the product - atl "atl2" (i5 ltlt hc gtgt F (cprod))
- Exchange can be successfully completed by honest
parties - atl "atl3" (ltlt hc, hm, hcb gtgt F (cprod mpay))
cb needed to make payment token
12Fairness
- Dishonest merchant can't get paid without honest
customer having a strategy to get product (DM
model) - atl "cfair" ((ltlt n gtgt F (npay (ltlt hc gtgt F
(cprod))))) - Dishonest customer can't get product without
honest merchant having a strategy to get paid (DC
model) - atl "mfair" ((ltlt n, hcb gtgt F (nprod
-
(ltlt hm gtgt F (mpay)))))
Dishonest parties folded into network
Dishonest customer still needs help from honest
bank
13Balance
- Dishonest customer cant get to a point where
- (1) Customer can force receiving product
- (2) Merchant cant force getting paid
- atl "cbal" ((ltlt n, hcb gtgt F
- Dishonest merchant cant get to a point where
- (1) Merchant can force getting paid
- (2) Customer cant force receiving product
- atl "mbal" ((ltlt n gtgt F ((ltlt n gtgt F npay)
- (ltlt hc,
hcb gtgt F cprod))))
((ltlt n gtgt F nprod)
(ltlt hm gtgt F mpay))))
14Four Attacks on the Protocol
- Analysis reveals four attacks
- Malicious banks can steal product
- Banks share a signing key (should use group sigs)
- Man-in-the-middle can steal product
- Ephemeral keys can be replaced (need another sig)
- Dishonest merchant can get paid without giving
prod - Customer and TP stuck in a loop (need TP state)
- Unbalanced in favor of customer
- Customer can force outcome with payment token
15How the Attacks Were Found
- All found by hand while constructing model
- Did not see them before building the model
- MOCHA found traced-based attacks 1 and 2
- MOCHA should have found attack 4
- Ran for 150 hours with no answer
16Conclusions
- Think carefully about your models!
- Process of creating formal model uncovers bugs
- Large impact on model checkers efficiency
- MOCHA limitations frustrating
- Usually used for simpler models?
- Checking invariants successful
- Checking ATL properties time consuming
- MOCHA didnt answer in a reasonable time