An Efficient, Secure & Delegable Micro-Payment System
Vishwas Patil
http://www.ecom.tifr.res.in/~vtp
School of Technology and Computer Science
Tata Institute of Fundamental Research, Mumbai.
Vishwas Patil, TIFR. 2/17
Outline of the Presentation
Micro-Payments
  Importance and Applications
  Trade-offs between efficiency, security, privacy
One-Way functions
PayWord and others
TESLA & SPKI / SDSI
Our Proposal
  Inducing delegation into the system
Protocol Analysis
  Security
  Risk
  Performance
Micro-Payments
Low intrinsic financial value
Aim:- keep the cost of each transaction to a minimum possible value over aggregates so that the over-cost of such transactions can be proportionally reduced
Current Approaches:-
  Advertisements
  Bulk subscriptions
  Identification of the user based on IP addresses and/or cookies etc.
Existing Protocols for micro-payments:-
  PayWord, MilliCent, NetCard, NetBill, iKP
On-line (costly) vs. Off-line (double-spending)
One-Way functions
Defn. A mathematical function that converts a variable-length input to a fixed-length output (called a hash value), such that it is hard to generate the original input string that hashes to a particular value (one-way)
So, a one-way hash function is a mapping h from some set of words into itself such that:
Given a word x, it is easy to compute h(x)
Given a word y, it is not feasible to compute a word x such that y = h(x)
A good one-way hash function is collision-free
PayWord
Credit-based off-line micro-payment scheme optimized for sequences of micro-payments
The thrust of this scheme lies in minimizing the number of public-key operations required per payment, to achieve exceptional efficiency.
It's a tripartite mechanism involving
  Bank B
  Vendor V
  User U
A payword is the smallest monetary unit
  it is vendor-specific and user-specific
  a chain of paywords w_1 … w_n is generated using a one-way hash function h, i.e. w_i = h(w_{i+1})
PayWord…
Relationship between B, V, and U
B and U
  U obtains C_U = {B, U, A_U, K_U, E, I_U}_{1/K_b}
U and V
  U generates payword chain w_1 … w_n with root w_0
  U registers with V by sending M = {V, C_U, w_0, D, I_M}_{1/K_u}
  P = (w_i, i) is the payment from U to V
V and B
  V sends redemption messages to B at regular intervals
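The chain construction and V's check of a payment P = (w_i, i) can be sketched as follows. This is an added example, not code from the presentation; SHA-256, the class and function names, and the sample seed are assumptions, and verification of the signed commitment M is left out.

```python
import hashlib

def h(x: bytes) -> bytes:
    # One-way function h; SHA-256 is an assumption, the slides name no hash.
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [w_0, ..., w_n] with w_i = h(w_{i+1}); w_n comes from U's secret seed."""
    chain = [h(seed)]                 # w_n
    for _ in range(n):
        chain.append(h(chain[-1]))    # w_{n-1} down to the root w_0
    return chain[::-1]

class Vendor:
    """V's state per user: last accepted payword and its index (starts at root w_0)."""
    def __init__(self, w0: bytes, n: int):
        # In PayWord w_0 arrives inside the signed message M; signature checking is omitted.
        self.last, self.idx, self.n = w0, 0, n

    def accept(self, w: bytes, i: int) -> int:
        """Check P = (w_i, i); return how many new paywords V can redeem (0 = rejected)."""
        if not (self.idx < i <= self.n):
            return 0                  # replayed, stale, or beyond the committed chain length
        x = w
        for _ in range(i - self.idx):
            x = h(x)                  # hash back to the last accepted payword
        if x != self.last:
            return 0                  # not on U's chain
        earned = i - self.idx
        self.last, self.idx = w, i
        return earned

def demo():
    chain = make_chain(b"constructed-secret-seed", 10)   # constructed sample input
    v = Vendor(chain[0], 10)
    results = [
        v.accept(chain[1], 1),        # normal payment
        v.accept(chain[2], 2),
        v.accept(chain[5], 5),        # payments 3 and 4 never arrived
        v.accept(chain[4], 4),        # stale payword replayed
        v.accept(b"\x00" * 32, 6),    # forged payword
    ]
    return results, v.idx

if __name__ == "__main__":
    print(demo())
```

V stores only the highest payword accepted so far, so a payment that skips indices is still verifiable and credits every payword in the gap.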
TESLA (Time Efficient Stream Loss-Tolerant Authentication)
TESLA provides source authentication
Sender and receiver of the data are loosely time-synchronized and use an optional data-buffer for temporary storage of packets
The TESLA sender uses one-way hash chain values as encryption keys or as keys for computing a MAC over the packets
The sender discloses the keys after a pre-determined time interval
Because of the delayed key disclosure, one can also achieve data confidentiality for a sufficient time period (this gives the temporary effect of asymmetric cryptography!)
But it cannot provide non-repudiation!
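The receiver side of delayed key disclosure, as an added example (not code from the presentation): a packet is buffered only while its key cannot yet be public, and is released once the disclosed key is shown to lie on the sender's hash chain and the MAC verifies. The interval length, disclosure delay, clock-offset bound, HMAC-SHA-256 and all names are assumptions; chain values are used directly as MAC keys, as the slide describes.

```python
import hashlib, hmac

INTERVAL, DELAY = 1.0, 2   # assumed: 1 s intervals, K_i disclosed in interval i + DELAY

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()          # SHA-256 is an assumption

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, k0: bytes, n: int, t0: float, max_skew: float):
        self.key, self.idx, self.n = k0, 0, n  # last authenticated chain value K_idx
        self.t0, self.skew = t0, max_skew      # start of interval 1, clock-offset bound
        self.buffer = {}                       # interval -> [(msg, tag)]

    def on_packet(self, i: int, msg: bytes, tag: bytes, now: float) -> bool:
        """Buffer a packet MACed with K_i only if K_i cannot be public yet."""
        latest = int((now + self.skew - self.t0) // INTERVAL) + 1
        if latest >= i + DELAY:
            return False                       # sender may have disclosed K_i: drop
        self.buffer.setdefault(i, []).append((msg, tag))
        return True

    def on_key(self, i: int, key: bytes) -> list[bytes]:
        """Check disclosed K_i against the chain, then release packets whose MAC verifies."""
        if not (self.idx < i <= self.n):
            return []
        x = key
        for _ in range(i - self.idx):
            x = h(x)
        if not hmac.compare_digest(x, self.key):
            return []                          # key is not on the sender's chain
        self.key, self.idx = key, i
        return [m for m, t in self.buffer.pop(i, [])
                if hmac.compare_digest(mac(key, m), t)]

def demo():
    keys = [h(b"constructed-seed")]            # K_5; constructed sample input
    for _ in range(5):
        keys.insert(0, h(keys[0]))             # keys[i] = K_i, K_i = h(K_{i+1})
    r = Receiver(keys[0], n=5, t0=0.0, max_skew=0.5)
    in_time = r.on_packet(1, b"pay 1", mac(keys[1], b"pay 1"), now=0.2)
    forged = r.on_packet(1, b"pay 9", b"\x00" * 32, now=0.3)   # buffered, MAC will fail
    late = r.on_packet(1, b"late", mac(keys[1], b"late"), now=1.6)
    return in_time, forged, late, r.on_key(1, keys[1])
```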
SPKI / SDSI (Simple PKI / Simple Distributed Security Infrastructure)
It is a distributed PKI in which every public key enjoys the freedom of naming and authorization delegation locally, forming a functional trusted island (it's a bottom-up design approach)
Functional islands of this infrastructure can refer to other functional islands in local name/authorization bindings and serve each other their local name/authorization definitions as and when requested
Features like grouping of principals and threshold certificates make the system expressive, manageable, and flexible
Separating name bindings from authorizations and allowing principals to further delegate the authorizations have distinct advantages over traditional PKIs (e.g. privacy, decentralization of authorizations etc.)
Design of our micro-payment system
Aim:- To design a micro-payment scheme which is off-line, vendor-specific, secure, efficient, and allows a user to delegate its spending capability
Design:-
  We chose PayWord, which is an efficient, off-line, vendor-specific and user-specific micro-payment scheme
  To allow a user to delegate the spending capability, we had to make the primitive monetary unit (payword) vendor-specific (not user-specific)
  This modification to PayWord invites double-spending and theft of the paywords
  We employed TESLA to provide source-authentication and confidentiality to the paywords in transit
  And, SPKI provides the PKI services and delegation capability
Protocol stages
Multi-seed payword chains
Additional Protocol stages (when delegation is involved)
User U, who owns 4 different payword chains, is delegating parts of the chain to Agent, Agent1, and Agent2; specifying their spending range
Special care has to be taken while delegating the payword chains in parts; they have to be spent in the reverse order of their generation
Analysis (Security)
Cryptographic support
  Asymmetric -> Symmetric: TESLA
  Non-repudiation etc.: SPKI
Use of readily available self-authenticating hash values for data confidentiality and integrity
Thus, we avoid separate encryption key generation and its distribution
Analysis (Risk)
Use of the same key for encryption and MAC computation might lead to cryptographic weaknesses in the protocol
  But we are interested in providing confidentiality to the paywords in transit
V loosely time-synchronizes itself with U in the TESLA framework; however, it does not know the propagation delay of the time-synchronization request packet
  To remain on the safer side, we take the full round-trip time of the packet
Even if V loses one of the valid incoming payword packets, it can still claim its value on successfully receiving the next payword packet, because of the payword chain's self-authenticating nature
  Therefore, V accepts such risk arising due to network errors
TESLA buffer constraints
  Let the sender buffer the packets
Analysis (Performance)
E – one unit encryption
D – one unit decryption
Fragmentation of payword chains
  Delegation of each payword sub-chain involves a pair of asymmetric key operations, and the number of such operations is linearly proportional to the depth of delegation
Conclusion
It's off-line, vendor-specific
Secure
Delegable
Efficient
Gives autonomy of spending
An enabler for various e-commerce (Internet) applications
References
PayWord and MicroMint: Two Simple Micropayment Schemes, Ronald Rivest and Adi Shamir. In Security Protocols Workshop, pp.69-87, 1996.
The TESLA Broadcast Authentication Protocol, Adrian Perrig, Ran Canetti, J.D. Tygar, Dawn Song, In RSA CryptoBytes, 5, 2002.
Certificate Chain Discovery in SPKI/SDSI, Dwaine Clarke, Jean-Emile Elien, Carl Ellison, Matt Fredette, Alexander Morcos, and Ronald Rivest, In Journal of Computer Security, 9(4), 2001.
Password Authentication in Insecure Communication, Leslie Lamport, In Communications of ACM, 24(11): 770-772, 1981.