Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed."— Presentation transcript:

1 1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed G. Gouda

2 2 Alex X. LiuThe University of Texas at Austin Microcommerce  What is microcommerce? –Buy and sell goods/services for small amount of money –1¢ per web page access  Can we use credit cards for microcommerce? –No, per transaction fee is too high (29 ¢ + 2%)  Microcommerce on Internet –Micropayment Protocols

3 3 Alex X. LiuThe University of Texas at Austin Micropayment Protocols  Proposed micropayment protocols –Compaq's Millicent –Rivest and Shamir’s PayWord –Anderson‘s NetCard –Jutla and Yung's PayTree –Hauser et al.'s Micro iKP –W3C’s MPTP –……  Are they secure?  Need formal specification and verification

4 4 Alex X. LiuThe University of Texas at Austin PayWord Protocol  Developed by Rivest and Shamir in 1996  Three parties: Bank, User, Vendor –All parties know the same one-way hash function h (From h(x), one cannot derive x)  Outline of PayWord: –User first creates an empty array c[0], c[1], …, c[n] –c[0] c[1] c[2]... c[n-1] c[n] –Then this array becomes a hash chain –Sends c[0] to Vendor by public key cryptography –User  Vendor: (c[2], 2) in plain text –User  Vendor: (c[5], 3) in plain text  This protocol has two security problems! hhhhh

5 5 Alex X. LiuThe University of Texas at Austin 1. Message Modification Attack  Vulnerable to message modification attack –An attacker can modify (c[i], m) to (h(c[i]), m-1). Both valid. –Neither U nor V can detect this attack.  Solution: use securely salted one-way hash function –c[0] c[1] c[2]... c[n-1] c[n] –c[i-1]=h(ss, c[i]) for each i –ss is session secret shared between U and V. Unknown to attacker. h(ss,.)

6 6 Alex X. LiuThe University of Texas at Austin 2. Message Loss Attacks  Vulnerable to message loss attack –An attacker can discard a payment message from U to V –Due to lack of ack mechanism, neither U nor V can detect  Solution: add unforgeable ack messages –U sends V a payment: (c[i], m) –V sends U an ack: h(c[i], ss) –Attacker knows h(ss, c[i]) (=c[i-1]), but not h(c[i], ss).

7 7 Alex X. LiuThe University of Texas at Austin New PayWord Protocol  Assume U and V have a shared secret sk –Can be achieved by public key cryptography  Each hash chain has a sequence number seq  There are two phases –request-reply phase –pay-ack phase

8 8 Alex X. LiuThe University of Texas at Austin Request-reply phase  U picks three numbers –n : max number of coins needed to pay V (by estimation) –c[n]: a random number –ss : a session secret  U computes hash chain –c[0] c[1] c[2]... c[n-1] c[n]  U send request message (c[0] | seq | ss) sk to V  V check whether it is a valid message by seq –If the request message is valid, it replies c[0] back to U h(ss,.)

9 9 Alex X. LiuThe University of Texas at Austin Pay-ack phase  U sends a payment (c[i], m) to V  V checks whether it is a valid one –c[i-m]= (ss, c[i]) ? –If yes, sends acknowledgement h(c[i], ss) to U U V payment ( c[i], m ) payment ( c[i’], m’ ) ack h( c[i], ss ) ack h( c[i’], ss ) …

10 10 Alex X. LiuThe University of Texas at Austin Formal Specification in AP-notation

11 11 Alex X. LiuThe University of Texas at Austin Convergence Theory: Basic Concepts State: an assignment of values to all variables and all channels Transition: two states (p, q) that p transitions to q by protocol action Computation: an infinite sequence of states where any pair of two successive states is a protocol transition. Safe state: occurs in a protocol computation where the first state is an initial state of the protocol Error state: transits from a safe state by an adversary action Unsafe state: A state of a protocol that is not safe is called an unsafe state if it is an error state of the protocol or if it occurs in any protocol computation (p.0, p.1, p.2, …) where p.0 is an error state of the protocol.

12 12 Alex X. LiuThe University of Texas at Austin Convergence Theory : Security  A protocol is secure if it satisfies the following three conditions: –Closure: In each protocol computation whose first state is safe, every state is safe. –Convergence: In each protocol computation whose first state is unsafe, there is a safe state. –Protection: In each protocol transition, whose first state is unsafe, the critical variables of the protocol do not change their values.

13 13 Alex X. LiuThe University of Texas at Austin State Transaction Diagram S.1 S.2 S.3 R.1 R.2 R M L R M L M.1 L.1 R.3 M.2 L.2 L.3 v.1 u.2 T T v.1 S.4 u.1 v.1 u.2 u.3 u.2 v.1 S.4 S.5 S.6 u.3 v.2 u.4 R.4 M.3 R.5 L.4 R.6 M.4 L.5 L.6 v.2 u.4 v.2 T R M L R M L u.4 v.2 T u.4

14 14 Alex X. LiuThe University of Texas at Austin STD: a closer look  S.2: (c[0] | seq | ss) sk in channel from U to V  Adversary actions: –R: message replay –M: message modification –L: message loss  Consider message modification attacks –M.1: a modified request message is in channel from U to V –L.1: V discards modified message because seq is not correct  No critical variables are updated in unsafe states S.2 R.1 R.2 R M L M.1 L.1 v.1 u.2 T v.1

15 15 Alex X. LiuThe University of Texas at Austin Conclusions  Present two security fixes to PayWord protocol  Specify the new secure version of PayWord  Formally verify that this protocol is secure against message loss, modification and replay attacks

Download ppt "1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed."

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.
1 Secure Credit Card Transactions on an Untrusted Channel Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/9/24.

1 Secure Credit Card Transactions on an Untrusted Channel Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/9/24.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)

Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:

Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 10 Micropayments II.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 10 Micropayments II.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Electronic Check Payment Protocols and Systems

Electronic Check Payment Protocols and Systems
Wireless Network Security Issues By Advait Kothare SJSU CS265 Fall 2004.

Wireless Network Security Issues By Advait Kothare SJSU CS265 Fall 2004.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
Department of Computer Sciences The University of Texas at Austin A Secure Cookie Protocol Alex X. Liu Department of Computer Sciences The University of.

Department of Computer Sciences The University of Texas at Austin A Secure Cookie Protocol Alex X. Liu Department of Computer Sciences The University of.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 9: Micropayments II.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 9: Micropayments II.

Similar presentations

Ads by Google