Slide 1. Formal Specification and Verification of a Micropayment Protocol
Alex X. Liu, The University of Texas at Austin, U.S.A.
October 13, 2004
Co-author: Mohamed G. Gouda
Slide 2. Microcommerce
What is microcommerce?
–Buying and selling goods/services for small amounts of money
–1¢ per web page access
Can we use credit cards for microcommerce?
–No, the per-transaction fee is too high (29¢ + 2%)
Microcommerce on the Internet
–Micropayment Protocols
Slide 3. Micropayment Protocols
Proposed micropayment protocols
–Compaq's Millicent
–Rivest and Shamir's PayWord
–Anderson's NetCard
–Jutla and Yung's PayTree
–Hauser et al.'s Micro iKP
–W3C's MPTP
–…
Are they secure? Need formal specification and verification
Slide 4. PayWord Protocol
Developed by Rivest and Shamir in 1996
Three parties: Bank, User, Vendor
–All parties know the same one-way hash function h (from h(x), one cannot derive x)
Outline of PayWord:
–User first creates an empty array c[0], c[1], …, c[n]
–Then this array becomes a hash chain: c[0] ← c[1] ← c[2] ← … ← c[n-1] ← c[n], where each arrow is an application of h (c[i-1] = h(c[i]))
–Sends c[0] to Vendor by public key cryptography
–User → Vendor: (c[2], 2) in plain text
–User → Vendor: (c[5], 3) in plain text
This protocol has two security problems!
Slide 5. 1. Message Modification Attack
Vulnerable to message modification attack
–An attacker can modify (c[i], m) to (h(c[i]), m-1). Both are valid payments.
–Neither U nor V can detect this attack.
Solution: use a securely salted one-way hash function
–c[0] ← c[1] ← c[2] ← … ← c[n-1] ← c[n], where each arrow is an application of h(ss, ·)
–c[i-1] = h(ss, c[i]) for each i
–ss is a session secret shared between U and V, unknown to the attacker.
Slide 6. 2. Message Loss Attacks
Vulnerable to message loss attack
–An attacker can discard a payment message from U to V
–Due to the lack of an ack mechanism, neither U nor V can detect this
Solution: add unforgeable ack messages
–U sends V a payment: (c[i], m)
–V sends U an ack: h(c[i], ss)
–The attacker knows h(ss, c[i]) (= c[i-1]), but not h(c[i], ss).
Slide 7. New PayWord Protocol
Assume U and V have a shared secret sk
–Can be achieved by public key cryptography
Each hash chain has a sequence number seq
There are two phases
–request-reply phase
–pay-ack phase
Slide 8. Request-reply phase
U picks three numbers
–n: max number of coins needed to pay V (by estimation)
–c[n]: a random number
–ss: a session secret
U computes the hash chain
–c[0] ← c[1] ← c[2] ← … ← c[n-1] ← c[n], where each arrow is an application of h(ss, ·)
U sends the request message (c[0] | seq | ss)_sk to V (the subscript sk denotes the shared secret sk)
V checks whether it is a valid message by seq
–If the request message is valid, it replies c[0] back to U
Slide 9. Pay-ack phase
U sends a payment (c[i], m) to V
V checks whether it is a valid one
–c[i-m] = h^m(ss, c[i])? (h(ss, ·) applied m times to c[i])
–If yes, sends acknowledgement h(c[i], ss) to U
Message sequence between U and V:
U → V: payment (c[i], m)
V → U: ack h(c[i], ss)
U → V: payment (c[i'], m')
V → U: ack h(c[i'], ss)
…
Slide 10. Formal Specification in AP-notation
Slide 11. Convergence Theory: Basic Concepts
State: an assignment of values to all variables and all channels
Transition: a pair of states (p, q) such that p transitions to q by a protocol action
Computation: an infinite sequence of states in which every pair of successive states is a protocol transition
Safe state: a state that occurs in a protocol computation whose first state is an initial state of the protocol
Error state: a state reached from a safe state by an adversary action
Unsafe state: a state of the protocol that is not safe is called unsafe if it is an error state of the protocol or if it occurs in any protocol computation (p.0, p.1, p.2, …) where p.0 is an error state of the protocol
Slide 12. Convergence Theory: Security
A protocol is secure if it satisfies the following three conditions:
–Closure: in each protocol computation whose first state is safe, every state is safe.
–Convergence: in each protocol computation whose first state is unsafe, there is a safe state.
–Protection: in each protocol transition whose first state is unsafe, the critical variables of the protocol do not change their values.
Slide 13. State Transition Diagram
[Diagram: safe states S.1 to S.6 joined by protocol transitions u.1 to u.4, v.1, v.2 and T; adversary actions R (replay), M (modification) and L (loss) lead from the safe states to the unsafe states R.1 to R.6, M.1 to M.4 and L.1 to L.6.]
Slide 14. STD: a closer look
S.2: (c[0] | seq | ss)_sk is in the channel from U to V
Adversary actions:
–R: message replay
–M: message modification
–L: message loss
Consider message modification attacks
–M.1: a modified request message is in the channel from U to V
–L.1: V discards the modified message because seq is not correct
No critical variables are updated in unsafe states
Slide 15. Conclusions
Present two security fixes to the PayWord protocol
Specify the new secure version of PayWord
Formally verify that this protocol is secure against message loss, modification and replay attacks