An Authenticated Payword Scheme without Public Key Cryptosystems
Author: Chia-Chi Wu, Chin-Chen Chang, and Iuon-Chang Lin.
Source: International Journal of Innovative Computing, Information and Control, 2009, Vol. 5, No. 9, pp. 2881–2891.
Presenter: Tsuei-Hung Sun (孫翠鴻 )
Date: 2011/3/11
Outline
• Introduction
• Motivation
• Scheme
• Security Analysis
• Performance Evaluation
• Advantage vs. Drawback
• Comment
Introduction(1/6)
• Micro Payment Transfer Protocol (MPTP) stipulates some related security risks that need to be considered, as follows:
– Credit liability
– Abused credit
– Counterfeiting
– Unauthorized withdrawal
– Double spending
Introduction(2/6)
• PayWord Scheme
Parties: Bank ($ID_B$, $PK_B$, $SK_B$), Customer ($ID_C$, $SK_C$), Vendor ($ID_V$)
– Customer → Bank: request
– Bank → Customer: $C_C = (ID_B, ID_C, A_C, PK_C, E, I_C)_{SK_B}$
– Customer: verify $C_C$. If correct, select random value $w_n$.
– Customer: generate hash chain $(w_n, w_{n-1}, \ldots, w_0)$, $w_i = h(w_{i+1})$, $i = n-1, \ldots, 0$
– Customer → Vendor: $M = (ID_V, C_C, w_0, D, n)_{SK_C}$
Notation:
– $C_C$: Customer’s certification
– $A_C$: Customer’s delivery address
– $E$: Expiration date
– $PK_C$: Customer’s public key
– $I_C$: Other information of the certificate
– $SK_B$: Bank’s private key
– $M$: Customer’s commitment
– $D$: Current date
R. Rivest and A. Shamir, “PayWord and MicroMint: Two sample micropayment schemes,” Lecture Notes in Computer Science, Vol. 1189, pp.69-87, 1997.
Introduction(3/6)
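• PayWord Scheme (cont.)
Parties: Bank ($ID_B$, $PK_B$, $SK_B$), Customer ($ID_C$, $SK_C$), Vendor ($ID_V$)
– Vendor: verify $M$ and $C_C$. If correct, store $M$.
– Customer → Vendor: $(w_i, i)$
– Vendor: verify $(w_i, i)$. If $w_0 = h^i(w_i)$ and $i \le n$, store $(w_i, i)$.
– When $i = n$, Vendor → Bank: $w_n$, $n$, $M$
– Bank: verify $M$ and $w_0 \stackrel{?}{=} h^n(w_n)$. If correct, store $(w_n, n)$ and pay the money into Vendor’s account.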
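Added example (not from the paper or the slides): the hash chain and the two checks above, $w_0 = h^i(w_i)$ with $i \le n$ at the vendor and $w_0 = h^n(w_n)$ at the bank, in Python. SHA-256 as $h$, the names `make_chain`, `Vendor` and `redeem`, and the vendor keeping the last accepted payword (so a replayed or lower index is refused) are assumptions of this sketch; `redeem` generalizes the bank check to any last index $k \le n$.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def h(data: bytes) -> bytes:
    """One-way function h; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


def make_chain(n: int, w_n: Optional[bytes] = None) -> List[bytes]:
    """Return [w_0, ..., w_n] with w_i = h(w_{i+1}), starting from a random w_n."""
    chain = [w_n if w_n is not None else os.urandom(32)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()  # index i now holds w_i
    return chain


class Vendor:
    """Keeps the committed root w_0, the length n and the last accepted (w_i, i)."""

    def __init__(self, w0: bytes, n: int):
        self.n = n
        self.last_w, self.last_i = w0, 0

    def accept(self, w_i: bytes, i: int) -> bool:
        # The index must advance (no replay or double spending) and stay <= n.
        if not (self.last_i < i <= self.n):
            return False
        # Hash forward to the last accepted payword: i - last_i steps.
        # This is equivalent to checking w_0 == h^i(w_i).
        x = w_i
        for _ in range(i - self.last_i):
            x = h(x)
        if not hmac.compare_digest(x, self.last_w):
            return False
        self.last_w, self.last_i = w_i, i
        return True


def redeem(w0: bytes, n: int, w_k: bytes, k: int) -> bool:
    """Bank-side settlement check w_0 == h^k(w_k) for the last payword (w_k, k)."""
    if not 0 < k <= n:
        return False
    x = w_k
    for _ in range(k):
        x = h(x)
    return hmac.compare_digest(x, w0)
```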
Introduction(4/6)
• The Advantage of PayWord
– Using a hash chain to lower computational cost
– No need to settle with the bank for each transaction.
• The Drawback of PayWord
– Customer’s consumption is not limited.
– No trusted Certificate Authority (CA)
– Bank falsification attack
– Certificate abuse attack
Introduction(5/6)
• Adachi et al. Scheme
N. Adachi, S. Aoki, Y. Komano, and K. Ohta, “Solutions to security problems of rivest and Shamir’s PayWord scheme,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol.E88-A, no.1, pp.195-202, 2005.
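Parties: Bank ($ID_B$, $PK_B$, $SK_B$), Customer ($ID_C$, $SK_C$), Vendor ($ID_V$)
– Customer: generate hash chain $(w_n, w_{n-1}, \ldots, w_0)$, $w_i = h(w_{i+1})$, $i = n-1, \ldots, 0$
– Customer: $M = (ID_V, w_0, n, E)_{SK_C}$
– Customer → Vendor: $ID_C$, $M$
– Vendor: select random nonce $r_v$
– Vendor → Bank: $ID_C$, $M$, $r_v$
– Bank: validate $M$ and customer’s credit. (Withdraws)
– Bank: $C_C = (ID_C, M, YES, r_v, I)_{SK_B}$, sent as $C_C$
– Verify $C_C$ and $M$. If correct, store $C_C$.
Notation:
– $w_x$: Hash value
– $n$: Length of hash chain
– $M$: Customer’s commitment
– $ID_V$: Vendor ID
– $E$: Expiration date
– $SK_C$: Customer’s private key
– $C_C$: Customer’s certificate
– $I$: Any additional information
– $SK_B$: Bank’s private key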
Introduction(6/6)
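• Adachi et al. Scheme (cont.)
Parties: Bank ($ID_B$, $PK_B$, $SK_B$), Customer ($ID_C$, $SK_C$), Vendor ($ID_V$)
– Verify $C_C$ and $M$. If correct, store $C_C$.
– Valid message
– Customer → Vendor: $(w_i, i)$
– Vendor: verify $(w_i, i)$. If $w_0 = h^i(w_i)$ and $i \le n$, store $(w_i, i)$.
– When $i = n$, Vendor → Bank: $w_n$, $n$, $C_C$
– Bank: verify $C_C$ and $w_0 \stackrel{?}{=} h^n(w_n)$. If correct, store $(w_n, n)$ and pay the money into Vendor’s account.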
Motivation
• Adachi et al.’s Drawback
– It changes the PayWord scheme to a prepaid type.
– It still needs public key signatures.
– The overhead of building and maintaining a CA
– It may suffer from an unauthenticated settlement attack.
• Goal
– Minimizing the transaction cost
– Avoiding credit being abused
– Can be applied to environments with low computational ability
– Reducing the bank settlement risk
Scheme(1/4)
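Parties: Customer ($PW_C$, $ID_C$, $K_{C,B}$, $n$, $h(PW_C)$), Vendor ($PW_V$, $ID_V$, $K_{V,B}$, $n$, $h(PW_V)$), Bank ($K_{C,B}$, $K_{V,B}$)
Notation:
– $PW$: Password
– $ID$: Identity
– $K$: Shared key
– $N$: Nonce value
– $r$: Random number
– $g$: A primitive element with order $P-1$ in $GF(P)$
– $P$: A large prime number
Customer (using smart card):
– Generate hash chain $(w_n, w_{n-1}, \ldots, w_0)$, $w_i = h(w_{i+1})$, $i = n-1, \ldots, 0$
– $M = (ID_V, w_0, n, E)$
– Generate $N_C$
– $R_C = g^{r_C} \bmod P$
– String1: formed from $ID_C$, $PW_C$, $M$, $R_C$, $N_C$, $ID_V$ with key $K_{C,B}$
– Customer → Vendor: String1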
Scheme(2/4)
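Parties: Customer ($PW_C$, $ID_C$, $K_{C,B}$, $n$, $h(PW_C)$), Vendor ($PW_V$, $ID_V$, $K_{V,B}$, $n$, $h(PW_V)$), Bank ($K_{C,B}$, $K_{V,B}$)
Vendor (using smart card):
– Generate $N_V$
– $R_V = g^{r_V} \bmod P$
– String2: formed from $ID_V$, $PW_V$, $ID_C$, $R_V$, $N_V$ with key $K_{V,B}$
– Vendor → Bank: String1, String2
Bank:
– Verify String1. If correct, store $M$, transaction partner, root $w_0$.
– Verify String2. Check $PW_V$, $ID_C$.
– Reply, fields in order: $ID_V$, $ID_C$; then $M$, $R_C$, $I_C$, $N_V + 1$ with key $K_{V,B}$; then $ID_C$, $ID_V$, $R_V$, $N_C + 1$ with key $K_{C,B}$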
Scheme(3/4)
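Parties: Customer ($PW_C$, $ID_C$, $K_{C,B}$, $n$, $h(PW_C)$), Vendor ($PW_V$, $ID_V$, $K_{V,B}$, $n$, $h(PW_V)$), Bank ($K_{C,B}$, $K_{V,B}$)
Vendor:
– Receives the fields $ID_C$, $M$, $R_C$, $I_C$, $N_V + 1$ with key $K_{V,B}$
– Decrypt. Check $N_V + 1$.
– $SK = R_C^{r_V} \bmod P$
– Store $ID_C$, $SK$, $M$, $I_C$
– Generate $h(M, SK)$
– Vendor → Customer: the fields $ID_C$, $ID_V$, $R_V$, $N_C + 1$ with key $K_{C,B}$, and $h(M, SK)$
Customer:
– Decrypt the $K_{C,B}$ part ($ID_V$, $R_V$, $N_C + 1$)
– Check $N_C + 1$
– $KS = R_V^{r_C} \bmod P$
– Verify $h(M, KS) \stackrel{?}{=} h(M, SK)$. If correct, store $ID_V$, $SK$.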
Scheme(4/4)
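Parties: Customer ($PW_C$, $ID_C$, $K_{C,B}$, $n$, $h(PW_C)$), Vendor ($PW_V$, $ID_V$, $K_{V,B}$, $n$, $h(PW_V)$), Bank ($K_{C,B}$, $K_{V,B}$)
– Customer → Vendor: $ID_C$, $W$ ($W$ is computed from $w_i$, $i$ and $SK$)
– Vendor: recover $w_i$ from $W$ using $SK$
– Vendor: check $w_0 \stackrel{?}{=} h^i(w_i)$. If $i \le n$, store $(w_i, i)$.
– When $i = n$, Vendor → Bank: the fields $ID_V$, $PW_V$, $ID_C$, $w_n$, $n$ with key $K_{V,B}$
– Bank: decrypt the $K_{V,B}$ part ($PW_V$, $ID_C$, $w_n$, $n$)
– Bank: check $PW_V$ and $w_0 \stackrel{?}{=} h^n(w_n)$. If correct, store $(w_n, n)$ and pay the money into Vendor’s account.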
Security Analysis
• Credit Abuse Attack
• Counterfeiting PayWord
• Bank Falsification Attack
• Unauthorized Withdrawal
• Double Spending
• Replay Attack
Performance Evaluation
Prepaid
No
Advantage vs. Drawback
• Advantage
– Low power consumption
– It can resist several attacks.
– All $w_i$ are secret over the Internet, and each transmission message has to be authenticated.
• Drawback
– Bank has to pre-share the secret keys with the customer and the vendor.
Comment
• It did not consider the exponentiation cost of the session key.
• It may not need the smart card to do this protocol.
• It did not have a comparison of storage.
• It is not convenient to use on a mobile phone or PDA.
• This scheme needs additional hardware (e.g. smart card, reader) and middleware to handle the transactions.
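Comment (cont.)
• The comparison of storage of scheme
– PayWord Scheme
  Bank: $w_i$, $i$
  Customer: $w_n$, hash chain
  Vendor: $M$, $w_i$, $i$
– Adachi et al.’s Scheme
  Bank: $w_i$, $i$
  Customer: $w_n$, hash chain
  Vendor: $r_v$, $C_C$, $w_i$, $i$
– Proposed Scheme
  Bank: $M$, $ID_V$, $w_0$, $w_i$, $i$
  Customer: $w_n$, hash chain, $M$, $N_C$, $r_C$, $R_C$, $ID_V$, $SK$
  Vendor: $N_V$, $r_V$, $R_V$, $ID_C$, $SK$, $M$, $I_C$, $w_i$, $i$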