Chapter 11 Cash Receipt Schemes and Other Asset Misappropriations.
A Comparison Of Electronic Cash Schemes and...
Transcript of A Comparison Of Electronic Cash Schemes and...
1
A Comparison Of Electronic CashSchemes and Implementations
ECE 646 Presentation13 December 2001
Wook JungAndrew KirbyRajesh Kolluri
Kenneth ShannonYeo-won Yoon
Cold, Hard, Cash
• Advantages– Highly portable
– No apparent cost
– No audit trail
– $3.4 Trillion exchanged300 Billion transactionsavg of $11
– By far, the preferredpayment scheme for smallanonymous transactions
• Disadvantages– $1 bills have a finite
lifetime (18 months) at4c per bill
– Large quantities mustbe secured duringtransfer
– Can be counterfeited
– Cost is not negligible
2
User Merchant
Withdraw Tokens
MakeNew
Tokens
Deposit/Exchange
Tokens
Valid TokenIndication
Get Receipt
Spend TokensRequest Payment
-Makes Payments- Accepts Payments
-Sells Items-Accepts Payments-Makes Deposits
- Signs Tokens- Charges User Accounts- Keeps Serial # Database
BANK(issuer)
Digital Cash: Six Ideal Properties• Independence - no vault or geographic location required• Security - no counterfeiting or double spending• Privacy (untraceability) - a user’s purchases and identity
cannot be linked• Offline Payment - execution of transfer protocol needs
no real-time link to bank• Transferability - digital cash can flow to another user• Divisibility - amounts must be easily subdivided to
some smallest denomination
Finding: No existing electronic cash scheme meets all six ideals! Data requirements/performance prohibit all 6
3
Cheating…
• Digital money nothing but a string of bits!– Bits can be copied more easily than cash– Anonymity, untraceability, guarantee trouble
• Multiple ways to cheat– Fraud, Counterfeiting– Double spending– HW tampering
• Complex cryptographic protocols necessary– Blind signatures [Schnoor, Brand, et. al.]– 11 step protocol to prevent cheating by all parties!
10110110010010100100001110011
Representative Electronic CashSchemes
Online transaction Offline transaction
Traceable
Untraceable
MondexMondex
Millicent,MicroMint,
Payword
E-cash,Netcash,
SET CAFE
4
Individual SystemsCAFE
CAFÉ (1)
• Status: developmental 92-95, trial 95-today, no real user base
• Online vs. Offline: offline unless $ > limit
• Protocol: withdraw -> pay - > deposit
• Security: totally open using RSA Public Key,known hashes, blind signatures [Chaum, Schnoor]
• Cheating: not possible for user or merchant
• Anonymity: for user not double spending
5
CAFÉ (2)
• Restrictions: none on divisibility in the payslip mode
• Fault Tolerance: yes, even it wallet lost• Operating Systems: special HW wallet not
designed for general network use• Cost: probably under $200 to user• Performance: slow, cryptographically
complex, but not a real-time system
CAFÉ: Digital-Cash Ideals
• Independent? Not entirely – not designed for useover Internet or networks at user end
• Secure? YES, complex cryptographic tools• Private? YES, to responsible users (not merchants)• Offline? YES, if below threshold• Transferable? NO, payment only to merchant• Divisibility? 2 operational modes: pay slip
completely divisible, coins discreet.• SCORE = 4.5
6
Original Message
Signed Message
Envelope containingMessage and Carbon Paper
Blinding Process
Sent to Signer
Envelope Removed
Signature
Envelope is signed(by signer)
Signature
Message has now been signed
Blind Signature: Basic Concept
Untraceable Cash - Blinding• Blinded RSA signatures
– One way hash function f
– RSA key pair (PUK,PRK) chosen by bank foreach denomination
• Denomination– Amount (serial number), f (amount $) PRK
• Withdraw and Spend
f($) * R PUK
PUK PRK
f($) * R/R = f($) PRK PRKMerchant
Person
BANKf($) * R
7
Mondex
Mondex (1)• Status: Production. Wholly owned subsidiary of
MasterCard International. Licensed in more than 80territories worldwide.
• Online vs. Offline: Both Online (Internet, Mondex enabledphones) and Offline (Electronic Purse) capability.
• Cheating: Relatively impossible, the cost of the technologycapable of making counterfeit chip is too expensive to beviable.
• Anonymity: Not completely Anonymous, merchants canfind out the identity of the users.
8
Mondex (2)
• Security: Security mechanism used in Mondex is notpublic but it uses the combination of the following:
DES signature generation: CBC single/triple DES
Encryption/decryption: ECB single DES
RSA: Up to 1024 bit using both normal and CRT modes
SHA-1
Asymmetric HASH functions
• Protocol: Value Transfer Protocol
Mondex (3)• Restrictions: None. Upper limits being varies for different
countries.
• Fault Tolerance: Yes, even if wallet is lost
• Operating Systems: MULTOS, runs on a H8/3112 Hitachichip. On PC, the program runs on Windows 3.x orWindows 9x operating system, and are equipped withSmartMouse card readers.
• Cost: Varies on what the consumer buys
• Performance: 1024 bit RSA executed in 480ms
9
Mondex Hardware
Mondex: Digital-Cash Ideals
• Independent? Yes – designed for use over Internet ornetworks at user end
• Secure? YES, complex cryptographic tools
• Private? Partly Anonymous
• Offline? YES, using smart cards
• Transferable? Yes, using smart cards
• Divisibility? Yes, to the lowest
• SCORE = 5.5
10
Ecash, NetCash
Ecash
11
Untraceable Cash - Blinding• Blinded RSA signatures
– One way hash function f
– RSA key pair (PUK,PRK) chosen by bank foreach denomination
• Denomination– Amount (serial number), f (amount $) PRK
• Withdraw and Spend
f($) * R PUK
PUK PRK
f($) * R/R = f($) PRK PRKMerchant
Person
BANKf($) * R
NetCash
• 7KH EX\HU VHQGV WKH HOHFWURQLF FRLQV LQ SD\PHQW� LGHQWLILHU� VHFUHW NH\� SXEOLF VHVVLRQNH\� DOO HQFU\SWHG ZLWK PHUFKDQW’V SXEOLF NH\� WR WKH PHUFKDQW�
^&RLQV� 6.>%X\HU@� .>3XEOLF� %X\HU@� 6BLG` .>3XEOLF� 0HUFKDQW@
• 7KH PHUFKDQW FKHFN FRLQV YDOLGLW\ WR VHQG WKHP WR WKH FXUUHQF\ VHUYHU WR EH H[FKDQJHG IRU QHZ FRLQV RU IRU D FKHTXH�
^&RLQV� 6.>0HUFKDQW@� WUDQVDFWLRQBW\SH`.>3XEOLF� &6@
• 7KH FXUUHQF\ VHUYHU FKHFNV WKDW WKH FRLQV DUH YDOLG E\ FKHFNLQJ LWV GDWDEDVH� 7KHQ WKH VHUYHU UHWXUQV QHZ FRLQV RU FKHTXH� HQFU\SWHG ZLWK PHUFKDQW’V VHVVLRQ NH\�
^1HZBFRLQV`6.>0HUFKDQW@
• 7KH PHUFKDQW NQRZV WKDW KH KDV EHHQ SURSHUO\ SDLG E\ WKH EX\HU� +H QRZ UHWXUQV D UHFHLSW� HQFU\SWHG ZLWK KLV SULYDWH NH\ DQG EX\HU’V VHFUHW NH\�
^^$PRXQW� WUDQVDFWLRQBLG� GDWH`.>3ULYDWH� 0HUFKDQW@` 6.>%X\HU@
%X\HU�SD\RU�
0HUFKDQW�SD\HH�
&XUUHQF\�6HUYHU
� �
� �
12
Comparison of Ecash/NetCash
( F D V K 1 H W & D V K
O ve r vie w A no nym o us, untra c ea b le , o nline to k e n p a ym e nt sys te m b y D igiC a sh
R e a l- tim e p a ym e nt ac ro ss m ultip le a d m inis tra tive d o m a in o n a n unse c ure d ne tw o rk b y U S C
O n l i n e vs o f f l i n e
O nline o nly O nline b ut p a rtia lly sup p o rt o ffline w he n the p a rtie s a re o ffline d uring the fina l e xc ha nge
O S S up p o rt any k ind o f p la tfo rm U nk no w n
R e s t r ic t io n s S ize o f the d a ta b ase o f sp e nt c o ins F ra ud b y p a ye e is p o ssib le
U s e r - b as e N o rea l use r b a se - fre e tr ia l N o resp o nse fro m the S o ftw a re A gents Inc .
A n o n y m i ty Y e s . C o m p le te ly gua ra ntee d b y b lind s igna ture
W e a k er tha n unc o nd itio na l ano nym ity o f E c a sh b ut m o re sc a la b le
C h e at in g N o . P o ss ib le
P r o to c o l Im p le m e n ta t io n
T rip le D E S , d igita l s igna ture , R S A , S H A S ym m e tr ic /a sym m e tr ic c ip her, d igita l s igna ture , c e rtific a te , ha sh
F au l t - t o le r an c e G o o d . E ve n if the ne tw o rk fa ils a nd c o in b e lo st, it c a n b e re c o ve red
?
C o s t L o w . H igh
Meeting Six criteria
E ca sh N e tC a shInde pe nde nce Pote ntia lly low G ood. Sca lable e le ctronic curre ncy that
is acce pte d acros s multiple adminis tra tive domains
Se curity Fully anonymous by blind s ignature . Paye e anonymity is guarante e d in Ecas h only
practica l le ve l o f anonymous le s s abs olute than Ecas h
Privacy Ye s . G uarante e d anonymity Ye sO ffline N o B as ica lly online bas e but partia lly
Trans fe rability D iv is ibility Ye s UnknownScore 4 3.5
N o. N one of the m a llow a note to pas s from us e r to us e r without the bank 's inte rve ntion.
13
SET
Benefits Drawbacks• Provides confidentiality thru
strong 1024-bit public keyencryption vs. 128-bit SSL
• Provides authentication ofevery party to onlinetransaction
• Provides integrity via hashingand digital signing
• Guaranteed payment tomerchant can expand Internetbusiness
• Certificates backed by CA andfinancial institution
• Customers reluctant to shop viaInternet
• Increased complexity degradesperformance – delays!!!
• Expensive to implement - $$$
• Global compliance issues
• Interoperability amongsoftware vendors
• Not portable
• Use of smartcards increasescustomer security
14
Greater cost due to certificateprocess
Less expensiveCOST
More complex. Needs certificationof all involved parties.
EasierEASE OFIMPLEMENTATION
Inherently stronger security design.Less secure. However,recent attempts for addingauthentication ofclient/customer bypasswords, certificates orsmart cards have added tothe security level.
OVERALL SECURITY
1024-bit encryption128-bit encryptionMESSAGE INTEGRITY
All parties including consumersneed digital certificates.
Usually only the shop isauthenticated. However,option for certificate basedauthentication ofclient/customer has beenadded later on.
AUTHENTICATION OFALL PARTIES
SETSSL
Cardholder(digital wallet)
Acquirer-Gateway(Payment auth.)
SET Participants
Certificate Authority
Merchant(Storefront)
Electronic Certification
Internet
Electronic Commerce
15
SET: Step by Step
SET: Digital-Cash Ideals• Independent? YES – designed for use over the Internet, across
multiple platforms• Secure? YES – provided by combination of strong encryption
with added integrity via hashing and digital signing• Private? YES – separate 1024-bit public keys: merchant sees
only order information; payment gateway sees only paymentinstruction
• On-line? YES - payment authorization provided duringtransaction session
• Transferable? NO - payment request made only from uniquecomputer containing digital wallet.
• Divisibility? YES - divisible to smallest denomination• SCORE = 5.0
16
0LFURSD\PHQW
,Q�*HQHUDO
:KDW�LV�0LFURSD\PHQW"
• A business transaction type, which specialized inthe sub-dollar range
• On-line services providing newspaper, magazines,or digital information (documents, music, evenmovies) could be inexpensive if it sold separately
• For example, a monthly $20 150-hour InternetDial-up Service costs 13 cents per hour, a $4 100-page magazine costs 4 cents per page. If you areonly interested in a 5-page article, 20 cents willdo it
• Pay-per-view, pay-per-login, or pay-per-download…
17
0LFURSD\PHQW�6FKHPH
• Demands of the protocol make it practical forsmall payments amounts
• Computation(processing) time and storagerequirements must be suitable for low-value(fractions of a cent) and fast transaction
• To reduce processing and storage requirements,minimize the use of public key algorithm and on-line verification
• Apparently, the security of micropayment schemeis not as good as that of macropayment scheme
&RPPRQ�)HDWXUHV• Use token (coin) as a payment for purchasing• Use fast one-way, collision-resistant hash function
(such as MD5 or SHA1) for generating token orsignature
• Decentralized validation (off-line processing)• Provide decent level of security/privacy• Involve three parties:
the user(U): makes the purchasethe vendor(V): sells the goodsthe broker(B): keeps the accounts for U and V
• Token can be generated by all the parties
18
%DVLF�)ORZ�RI�0LFURSD\PHQW
Broker
VendorUser
1.request coin
2.return coin
3.purchase
4.goods
5.redemption
6L[�,GHDO�3URSHUWLHV
• Independence: YES, physical location anywhere• Security: YES, forgery is possible, but detectable• Privacy(Untraceability): NO, cannot protect user’s
information and payment records are traceable• Off-line Payment: YES, no need to connect for
validation with central authority (the broker)• Transferability: No, user_specific token is used• Divisibility: YES, token can represent any
denomination• SCORE = 3.8
19
Summary
Scheme Independent Secure Private Offline Transferable Divisibility SCORE
CAFÉ Partial YES YES YES NO YES 4.5
Mondex YES YES Partial YES YES YES 5.5
Ecash Partial YES YES NO NO YES 3.5
NetCash YES Partial YES Partial NO YES 4
Micropayment YES Partial Partial YES NO YES 3.8
IKP
SET
Qualitative vs. Quantitative Scoring…
20
General Conclusions• All security requirements can be implemented
with existing cryptographic tools!– Authentication, Confidentiality, Integrity– Privacy / anonymity / untraceability
• Most systems don’t implement all tools– Complexity, performance penalties– Not necessary, desirable for every application
• No scheme (Mondex?) with widespread base• Anonymity may not be essential or a driver
Electronic Cash: Outlook
• Digital cash won’t likely replace cold, hard cash– Not the vision, not a paperless society…
– Issues of trust for some
• Cheaper HW, SW – no cost barriers to users– Card readers interfaced to PCs– Smart-cards, electronic wallets, purses
• Increasing speed, bandwidth - more crypto w/o penalties– “Moore’s” law valid for another decade
– Complex protocols implemented more easily
21
Electronic Cash: Outlook
• Schemes should achieve all six ideals– Anonymity not a driver, nor a threat
– $ Losses comparable to credit cards (for all parties)
– Counterfeiting, fraud, double spending all manageable
• Major questions remain…– Will US banks / financial institutions wean themselves
off profitable credit cards?
– Will pay ahead systems ever compete in US with buynow pay later borrowing?
Time to Party!
22
Back Up Slides
Categories of Characteristics
U s e r-re la te d c a te g o ry
S y s te m c a te g o ry
A no ny m ity A utho riza tio n ty peA pplic a b ility D iv is ib ilityE a s e o f us e (U s a bility )
S c a la b ility
T ra c e b ility R e lia b ilityT rus t E ffic ie nc y C o nv e rtib ility
In te ro pe ra b ilityS e c urity o f tra ns a c tio ns a nd da ta ba s e