An Authenticated Payword Scheme without Public Key Cryptosystems

Author: Chia-Chi Wu, Chin-Chen Chang, and Iuon-Chang Lin.

Source: International Journal of Innovative Computing, Information and Control, 2009, Vol. 5, No. 9, pp. 2881–2891.

Presenter: Tsuei-Hung Sun (孫翠鴻 )

Date: 2011/3/11

Outline

• Introduction

• Motivation

• Scheme

• Security Analysis

• Performance Evaluation

• Advantage vs. Drawback

• Comment

Introduction(1/6)

• The Micro Payment Transfer Protocol (MPTP) stipulates several related security risks that need to be considered:
– Credit liability
– Abused credit
– Counterfeiting
– Unauthorized withdrawal
– Double spending

Introduction(2/6)

• PayWord Scheme

Bank ($ID_B, PK_B, SK_B$) Customer ($ID_C, SK_C$) Vendor ($ID_V$)

request

$C_C = (ID_B, ID_C, A_C, PK_C, E, I_C)_{SK_B}$

$C_C$

Verify $C_C$

If correct, select random value $w_n$

Generates hash chain $(w_n, w_{n-1}, \ldots, w_0)$, $w_i = h(w_{i+1})$, $i = n-1, \ldots, 0$

$M = (ID_V, C_C, w_0, D, n)_{SK_C}$

$M$

– $C_C$: Customer's certificate
– $A_C$: Customer's delivery address
– $E$: Expiration date
– $PK_C$: Customer's public key
– $I_C$: Other information of the certificate
– $SK_B$: Bank's private key
– $M$: Customer's commitment
– $D$: Current date

R. Rivest and A. Shamir, “PayWord and MicroMint: Two sample micropayment schemes,” Lecture Notes in Computer Science, Vol. 1189, pp.69-87, 1997.

Introduction(3/6)

• PayWord Scheme (cont.)

Bank ($ID_B, PK_B, SK_B$) Customer ($ID_C, SK_C$) Vendor ($ID_V$)

$M$

Verify $M$ and $C_C$

If correct, store $M$

$w_i, i$

Verify $(w_i, i)$: if $w_0 = h^i(w_i)$ and $i \le n$, store $(w_i, i)$

When $i = n$: $w_n, n, M$

Verify $M$ and $w_0 \stackrel{?}{=} h^n(w_n)$

If correct, store $(w_n, n)$ and pay the money into Vendor's account.
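
The vendor-side payword check from the two PayWord slides above, written out as an added Python example (not code from the paper or the presentation). SHA-256 as $h$, the `Vendor` class and the constructed seed are assumptions; the example goes slightly beyond the slide by verifying each payword against the last accepted one and by rejecting indices that do not advance.

```python
import hashlib
import os

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()      # assumed instantiation of h

def make_chain(n: int, seed: bytes = b"") -> list:
    """Customer side: return [w_0, ..., w_n] with w_i = h(w_{i+1})."""
    chain = [seed or os.urandom(32)]       # w_n, the random secret
    for _ in range(n):
        chain.append(h(chain[-1]))         # w_{n-1}, ..., w_0
    chain.reverse()                        # index i now holds w_i
    return chain

class Vendor:
    """Holds the committed root w_0, length n and the last accepted payword."""
    def __init__(self, w0: bytes, n: int):
        self.n, self.last_w, self.last_i = n, w0, 0

    def accept(self, w_i: bytes, i: int) -> bool:
        # i must advance and stay within the committed length; this rejects
        # replayed or double-spent paywords and indices beyond n.
        if not (self.last_i < i <= self.n):
            return False
        # Hash forward i - last_i times to the last accepted value. Because
        # that value already chained to w_0, this equals w_0 = h^i(w_i).
        x = w_i
        for _ in range(i - self.last_i):
            x = h(x)
        if x != self.last_w:
            return False
        self.last_w, self.last_i = w_i, i
        return True

def demo() -> list:
    chain = make_chain(5, seed=b"constructed demo seed")
    v = Vendor(chain[0], 5)
    return [
        v.accept(chain[1], 1),        # first payword
        v.accept(chain[3], 3),        # skipping ahead spends two units
        v.accept(chain[2], 2),        # older payword replayed
        v.accept(os.urandom(32), 4),  # forged value
        v.accept(chain[5], 5),        # final payword w_n
        v.accept(h(chain[5]), 6),     # index beyond n
    ]
```
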

Introduction(4/6)

• The Advantage of PayWord
– Using a hash chain to lower computational cost
– No need to settle with the bank for each transaction.

• The Drawback of PayWord
– Customer's consumption is not limited.
– No trusted Certificate Authority (CA)
– Bank falsification attack
– Certificate abuse attack

Introduction(5/6)

• Adachi et al. Scheme

N. Adachi, S. Aoki, Y. Komano, and K. Ohta, “Solutions to security problems of Rivest and Shamir’s PayWord scheme,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E88-A, no. 1, pp. 195-202, 2005.

Bank ($ID_B, PK_B, SK_B$) Customer ($ID_C, SK_C$) Vendor ($ID_V$)

Generates hash chain $(w_n, w_{n-1}, \ldots, w_0)$, $w_i = h(w_{i+1})$, $i = n-1, \ldots, 0$

$M = (ID_V, w_0, n, E)_{SK_C}$

$ID_C, M$

Select random nonce $r_v$

$ID_C, M, r_v$

Validation of $M$ and customer's credit. (Withdraws)

$C_C = (ID_C, M, \text{YES}, r_v, I)_{SK_B}$

$C_C$

Verify $C_C$ and $M$. If correct, store $C_C$

– $w_x$: Hash value
– $n$: Length of hash chain
– $M$: Customer's commitment
– $ID_V$: Vendor ID
– $E$: Expiration date
– $SK_C$: Customer's private key
– $C_C$: Customer's certificate
– $I$: Any additional information
– $SK_B$: Bank's private key

Introduction(6/6)

• Adachi et al. Scheme (cont.)

Bank ($ID_B, PK_B, SK_B$) Customer ($ID_C, SK_C$) Vendor ($ID_V$)

Verify $C_C$ and $M$

If correct, store $C_C$

Valid message

$w_i, i$

Verify $(w_i, i)$: if $w_0 = h^i(w_i)$ and $i \le n$, store $(w_i, i)$

When $i = n$: $w_n, n, C_C$

Verify $C_C$ and $w_0 \stackrel{?}{=} h^n(w_n)$

If correct, store $(w_n, n)$ and pay the money into Vendor's account.

Motivation

• Adachi et al.'s Drawback
– It changes the PayWord scheme to a prepaid type.
– It still needs public key signatures
– The overhead of building and maintaining a CA
– It may suffer from an unauthenticated settlement attack.

• Goal
– Minimizing the transaction cost
– Avoiding credit being abused
– Can be applied to environments with low computational ability.
– Reduce the bank settlement risk

Scheme(1/4)

Customer ($PW_C, ID_C, K_{C,B}, n, h(PW_C)$)

Vendor ($PW_V, ID_V, K_{V,B}, n, h(PW_V)$)

Bank ($K_{C,B}, K_{V,B}$)

(Using Smart Card)

Generates hash chain $(w_n, w_{n-1}, \ldots, w_0)$, $w_i = h(w_{i+1})$, $i = n-1, \ldots, 0$

$M = (ID_V, w_0, n, E)$

Generate $N_C$

$R_C = g^{r_C} \bmod P$

$String1 = (ID_C, (PW_C, M, R_C, N_C, ID_V)_{K_{C,B}})$

$String1$

– $PW$: Password
– $ID$: Identity
– $K$: Shared key
– $N$: Nonce value
– $r$: Random number
– $g$: A primitive element with order $P-1$ in $GF(P)$
– $P$: A large prime number

Scheme(2/4)

Bank ($K_{C,B}, K_{V,B}$)

Customer ($PW_C, ID_C, K_{C,B}, n, h(PW_C)$)

Vendor ($PW_V, ID_V, K_{V,B}, n, h(PW_V)$)

(Using Smart Card)

Generate $N_V$

$R_V = g^{r_V} \bmod P$

$String2 = (ID_V, (PW_V, ID_C, R_V, N_V)_{K_{V,B}})$

$String1, String2$

Verify $String1$. If correct, store $M$, transaction partner, root $w_0$

Verify $String2$. Check $PW_V$, $ID_C$

$ID_V, (ID_C, M, R_C, I_C, (N_V+1))_{K_{V,B}},\ ID_C, (ID_V, R_V, (N_C+1))_{K_{C,B}}$

Scheme(3/4)

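Customer ($PW_C, ID_C, K_{C,B}, n, h(PW_C)$)

Vendor ($PW_V, ID_V, K_{V,B}, n, h(PW_V)$)

Bank ($K_{C,B}, K_{V,B}$)

Decrypt $(ID_C, M, R_C, I_C, (N_V+1))_{K_{V,B}}$

Check $N_V+1$

$SK = R_C^{r_V} \bmod P$

Store $ID_C, SK, M, I_C$

Generate $h(M, SK)$

$ID_C, (ID_V, R_V, (N_C+1))_{K_{C,B}},\ h(M, SK)$

Decrypt $(ID_V, R_V, (N_C+1))_{K_{C,B}}$

Check $N_C+1$

$KS = R_V^{r_C} \bmod P$

Verify $h(M, KS) \stackrel{?}{=} h(M, SK)$

If correct, store $ID_V, SK$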

Scheme(4/4)

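Customer ($PW_C, ID_C, K_{C,B}, n, h(PW_C)$)

Vendor ($PW_V, ID_V, K_{V,B}, n, h(PW_V)$)

Bank ($K_{C,B}, K_{V,B}$)

$W = (w_i, i)_{SK}$

$ID_C, W$

Recover $w_i$ from $W$ with $SK$

Check $w_0 \stackrel{?}{=} h^i(w_i)$

If $i \le n$, store $(w_i, i)$

When $i = n$: $ID_V, (PW_V, ID_C, w_n, n)_{K_{V,B}}$

Decrypt $(PW_V, ID_C, w_n, n)_{K_{V,B}}$

Check $PW_V$ and $w_0 \stackrel{?}{=} h^n(w_n)$

If correct, store $(w_n, n)$ and pay the money into Vendor's account.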
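
An added Python example (not the authors' code) that runs the session-key step of Scheme(3/4) and the payword transfer of Scheme(4/4) end to end: both sides derive the key, confirm it with $h(M, SK)$, and the vendor accepts $W$ only if it opens under that key and chains to $w_0$. Assumptions: the toy group $P = 1019$, $g = 2$, SHA-256 as $h$, the constructed commitment and payword values, and the SHAKE-256 keystream with HMAC tag standing in for the cipher $(\cdot)_{SK}$, which the slides do not name.

```python
import hashlib, hmac, secrets

P, G = 1019, 2   # toy group, constructed; the scheme assumes a large prime P

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def dh_public(r: int) -> int:
    return pow(G, r, P)                                # R = g^r mod P

def dh_shared(peer_R: int, own_r: int) -> bytes:
    return pow(peer_R, own_r, P).to_bytes(2, "big")    # SK = R_C^{r_V}, KS = R_V^{r_C}

def _stream(sk: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(h(sk, b"enc") + nonce).digest(n)

def seal(sk: bytes, w_i: bytes, i: int) -> bytes:
    """Stand-in for W = (w_i, i)_SK: keystream XOR, then HMAC over nonce+ciphertext."""
    nonce = secrets.token_bytes(16)
    body = i.to_bytes(4, "big") + w_i
    ct = nonce + bytes(a ^ b for a, b in zip(body, _stream(sk, nonce, len(body))))
    return ct + hmac.new(h(sk, b"mac"), ct, hashlib.sha256).digest()

def unseal(sk: bytes, W: bytes):
    """Return (w_i, i), or None when the tag does not verify under sk."""
    ct, tag = W[:-32], W[-32:]
    good = hmac.new(h(sk, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    nonce, enc = ct[:16], ct[16:]
    body = bytes(a ^ b for a, b in zip(enc, _stream(sk, nonce, len(enc))))
    return body[4:], int.from_bytes(body[:4], "big")

def demo() -> tuple:
    r_c, r_v = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    R_C, R_V = dh_public(r_c), dh_public(r_v)
    M = b"ID_V,w_0,n,E (constructed commitment)"
    SK = dh_shared(R_C, r_v)                           # vendor
    KS = dh_shared(R_V, r_c)                           # customer
    confirmed = hmac.compare_digest(h(M, SK), h(M, KS))
    w1 = h(b"constructed w_2")
    w0 = h(w1)
    W = seal(KS, w1, 1)                                # customer pays payword 1
    got = unseal(SK, W)                                # vendor opens it
    paid = got is not None and got[1] == 1 and h(got[0]) == w0
    flipped = unseal(SK, W[:-1] + bytes([W[-1] ^ 1]))  # tag bit flipped in transit
    other = unseal(dh_shared(R_C, r_v + 1), W)         # party without SK
    return confirmed, paid, flipped, other
```

Each side performs two modular exponentiations per session (one for $R$, one for the key), which is the cost the presenter's comment on the session key refers to.
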

Security Analysis

• Credit Abuse Attack

• Counterfeiting PayWord

• Bank Falsification Attack

• Unauthorized Withdrawal

• Double Spending

• Replay Attack

Performance Evaluation

Prepaid

No

Advantage vs. Drawback

• Advantage
– Low power consumption
– It can resist several attacks.
– All $w_i$ are secret over the Internet, and each transmission message has to be authenticated.

• Drawback
– Bank has to pre-share the secret keys with the customer and the vendor.

Comment

• It didn't consider the exponentiation cost of the session key.

• It may not need the smart card to do this protocol.

• It didn't have a comparison of storage.

• It is not convenient to use on a mobile phone or PDA.

• This scheme needs additional hardware (e.g. smart card, reader) and middleware to handle the transactions.

Comment (cont.)

• The comparison of storage of the schemes

| | PayWord Scheme | Adachi et al.'s Scheme | Proposed Scheme |
|---|---|---|---|
| Bank | $w_i, i$ | $w_i, i$ | $M, ID_V, w_0, w_i, i$ |
| Customer | $w_n$, hash chain | $w_n$, hash chain | $w_n$, hash chain, $M, N_C, r_C, R_C, ID_V, SK$ |
| Vendor | $M, w_i, i$ | $r_v, C_C, w_i, i$ | $N_V, r_V, R_V, ID_C, SK, M, I_C, w_i, i$ |