An Authenticated Payword Scheme without Public Key Cryptosystems Author: Chia-Chi Wu, Chin-Chen Chang, and Iuon-Chang Lin. Source: International Journal of Innovative Computing, Information and Control, 2009, Vol. 5, No. 9, pp. 2881–2891. Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2011/3/11

Outline Introduction Motivation Scheme Security Analysis Performance Evaluation Advantage vs. Drawback Comment

Introduction(1/6) Micro Payment Transfer Protocol (MPTP) stipulate some related security risks that need to be consider as follow: –Credit liability –Abused credit –Counterfeiting –Unauthorized withdrawal –Double spending

Introduction(2/6) PayWord Scheme Bank (ID B,PK B,SK B )Customer (ID C,SK C ) Vendor (ID V ) request C Verify C C If correct, select random value w n Generates hash chain (w n,w n-1,...w 0 ) w i = h(w i+1 ), i = n-1,...,0 M C C : Customer’s certification A C : Customer’s delivery address E: Expiration date PK C : Customer’s public key I C : Other information of the certificate. SK B : Bank’s private key M: Customer’s commitment D: Current date R. Rivest and A. Shamir, “PayWord and MicroMint: Two sample micropayment schemes,” Lecture Notes in Computer Science, Vol. 1189, pp.69-87, 1997.

Introduction(3/6) PayWord Scheme (cont.) Verify M and C C Bank (ID B,PK B,SK B )Customer (ID C,SK C ) Vendor (ID V ) M If correct, store M wi,iwi,i Verify (w i,i) If and Store (w i,i) When i = nw n,n,M Verify M and If correct, store(w n,n) and pay the money into Vendor’s account.

Introduction(4/6) The Advantage of PayWord –Using hash chain to lower computational cost –No need to settle with the bank for each transaction. The Drawback of PayWord –Customer’s consumption is no limited. –No trusted Certificate Authority (CA) –Bank falsification attack –Certificate abuse attack

Introduction(5/6) Adachi et al. Scheme N. Adachi, S. Aoki, Y. Komano, and K. Ohta, “Solutions to security problems of rivest and Shamir’s PayWord scheme,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol.E88-A, no.1, pp , Bank (ID B,PK B,SK B )Customer (ID C,SK C ) Vendor (ID V ) Generates hash chain (w n,w n-1,...w 0 ) w i = h(w i+1 ), i = n-1,...,0 w x : Hash value n: Length of hash chain. M: Customer’s commitment ID V : Vendor ID. E: Expiration date SK C : Customer’s private key C C : Customer’s certificate. I: Any additional information. SKB: Bank’s private key. ID C,M Select random none r v ID C,M,r v Validation M and customer’s credit. (Withdraws) C Verify C C and M If correct, store C C

Introduction(6/6) Bank (ID B,PK B,SK B )Customer (ID C,SK C ) Vendor (ID V ) Verify C C and M Valid message wi,iwi,i Verify (w i,i) If and Store (w i,i) When i = nw n,n,C C Verify C C and If correct, store(w n,n) and pay the money into Vendor’s account. Adachi et al. Scheme (cont.) If correct, store C C

Motivation Adachi et al.’s Drawback –It changes the PayWord scheme to a prepaid type. –It still need public key signatures –The overhead of build and maintain a CA –It may suffer from an unauthenticated settlement attack. Goal –Minimizing the transaction cost –Avoiding credit be abused –Can be applied to the low computational ability environment. –Reduce the bank settlement risk

Scheme(1/4) Customer (PW C,ID C,K C,B,n,h(PW C )) Vendor (PW V,ID V,K V,B,n,h(PW V )) PW: Password ID: Identify K: Shared key. N: nonce value r: random number g: A primitive element with order P−1 in GF(P) P: A large prime number. Generates hash chain (w n,w n-1,...w 0 ) w i = h(w i+1 ), i = n-1,...,0 (Using Smart Card) String1 Generate N C Bank (K C,B,K V,B )

Scheme(2/4) Bank (K C,B,K V,B ) Customer (PW C,ID C,K C,B,n,h(PW C )) Vendor (PW V,ID V,K V,B,n,h(PW V )) Generate N V (Using Smart Card) Verify String1 If correct, store M, transaction partner, root w 0 Verify String2 Check PW V, ID C

Scheme(3/4) Customer (PW C,ID C,K C,B,n,h(PW C )) Vendor (PW V,ID V,K V,B,n,h(PW V )) Decrypt Check N V +1 Store ID C,SK,M,I C Generate h(M,SK) Decrypt Check N C +1 Verify If correct, store ID V,SK Bank (K C,B,K V,B )

Scheme(4/4) Customer (PW C,ID C,K C,B,n,h(PW C )) Vendor (PW V,ID V,K V,B,n,h(PW V )) Check If, store(w i,i) When i = n Decrypt Check PW V and If correct, store(w n,n) and pay the money into Vendor’s account. Bank (K C,B,K V,B )

Security Analysis Credit Abuse Attack Counterfeiting PayWord Bank Falsification Attack Unauthorized Withdrawal Double Spending Replay Attack

Performance Evaluation Prepaid No

Advantage vs. Drawback Advantage –Low power consumption –It can resist several attack. –All w i are secret over the Internet, and each transmission message has to be authenticated. Drawback –Bank has to pre-share the secret keys to customer and the vender.

Comment It didn’t consider about the exponentiation cost of session key. It may not need the smart card to do this protocol. It didn’t have comparison of storage. It is not convenient to used on mobile phone or PDA. This scheme need additional hardware (ex. smart card, reader) and middleware to handle the transactions.

Comment (cont.) PayWord Scheme Adchi et al.’s Scheme Proposed Scheme Bankw i, i M, ID V, w 0, w i, i Customerw n, hash chain M, N C, r C, R C, ID V, SK, VendorM, w i, ir v,C C, w i, iN V, r V, R V, ID C, SK, M, I C, w i, i The comparison of storage of scheme

Introduction(2/5) PayWord –Postpaid scheme –Using one-way hash value as a payment R. Rivest and A. Shamir, “PayWord and MicroMint: Two sample micropayment schemes,” Lecture Notes in Computer Science, Vol. 1189, pp.69-87, Customer VendorBank 3. Sign commitment 4. P = (w i,i) 5. commitment, (w i,i) 2. Sign certificate (include customer’s public key and credit limit) 2.Generates hash chain (w n,w n-1,...w 0 ) w i = h(w i+1 ), i = n-1,...,0 1. request