1. No category

Mobile ecash showcase

Mobile ecash showcase
- Overview and review Credentica
December 16, 2004
© Copyright 2004, Credentica
Part I
M-cash showcase
© Copyright 2004, Credentica
2
Overview of joint showcase with Nokia (NRC)
$
$
$
$
Lottery
$
$
Astro4you
User spends Coins
at Merchant sites
(one Coin per
payment)
© Copyright 2004, Credentica
Bank
Merchants deposit
Coins in batch at
Bank (off-line)
$
$
$
$ $
$
$
$
$
$
User obtains
Coins in batch
from Bank
3
Details (1 of 4): Installation of Pocket software
Lottery
Bank
Astro4you
GPRS
GPRS
User
Userredirected
requests ato
User
browses
Bank
service
to
download
that to
a costs
Merchant
site
Pocket
application
a Coin
© Copyright 2004, Credentica
4
Details (2 of 4): Withdrawal
+12345678901
Lottery
Astro4you
Bank
Bank embeds
authenticates
User’s
phone
User through
numberSMS
and
Coinnetwork
denomination
(using into
challenge-response)
each Coin
$1
5
$
$
GPRS
$
$
$
$
$
$ $
$
© Copyright 2004, Credentica
SMS
User
Pocket
selects
now
number
contains
of Coins
5 to
download
Coins
5
Details (3 of 4): Payment
Colluding
Merchants cannot
cross-profile User
$
Lottery
Bank
$
Astro4you
Merchant validates
Merchant
cannot and
Coin (off-line)
identify
the content
then
provides
payer
to User
GPRS
Pocket
browses
discloses
to feeCoin
....User
and
User
Pocket
12Pocket
entry
visits
now
inanother
and
entries
now
in
based
denomination
Merchant
but
page,
hides
the
contains
pay-for-service
log
of
3spent
unspent
Web
the
contains
log
of
spent
4
unspent
and is
phone
asked
Coins
Coins
sitenumber
…to
…pay a
Coins
Coins
…
unconditionally
Coin
© Copyright 2004, Credentica
$
+12345678901
$$
$
$1
$
6
Details (4 of 4): Deposit (off-line)
$
$
$ $ $
$ $ Bank
Lottery
$ $
$
WWW
Astro4you
Merchant
deposits Coins
in batch to Bank
© Copyright 2004, Credentica
… nor profile
(through
Bank
cannot linkage)
identify
customer customers
behavior at
Merchant’s
Merchants
or peak
hours
Bank
validates
Coins
Bank stores
(footprint
of)
and
verifiesCoins
they were
deposited
to
detect andnot
trace fraud
double-spent nor
double-deposited
7
Double-spending protection
$
Lottery
Bank detects
.. and can
the fraud …
identify the
fraudulent User
WWW
$
Astro4you
$1
GPRS
© Copyright 2004, Credentica
Bank
+12345678901
When Merchants
deposit the doublespent Coin …
… and doublespends the same
Coin
$ $
$
Suppose User
manages to hack
phone …
8
Not yet implemented
•
E-coin extensions & improvements:
•
•
•
•
•
•
•
•
•
•
•
•
Multiple e-coin denominations, multiple currencies
Pay with multiple e-coins (with exact change capability)
Return protocol (for lost/crashed/stolen Customer device, network
crash, expiry of unspent e-coins, …)
E-coin encrypted back-up & restore
E-cheques (pay any amount using a single token)
(Limited) off-line transferability of e-coins
“Earmarked” e-coins (e.g., negotiable Customer data)
Dual-chip (tamper-proofness) enhancements (see next page)
Fault-tolerance against transaction interruptions
Policies (for on-line/off-line deposit, etc)
Multi-party clearing & settlement infrastructure
Receipts, fair exchange, dispute resolution, …
© Copyright 2004, Credentica
9
On dual-chip mobile devices
•
Client device contains two chips
•
•
•
GSM SIM card
Tamper-resistant chip (following WIM specifications)
In 2002 – 2003, Nokia and Nordea conducted a pilot for
a dual-chip WAP phone (“EMPS”)
•
•
Aimed at secure Internet banking and credit card payments
M-cash can exploit dual chip presence:
•
•
•
Tamper-resistant chip provides prior restraint against doublespending (2nd layer of defence)
Tamper-resistant chip can enable single-token payment of any
amount (e-cheque payments, tick payments)
Many applications can piggyback on the same tamper-resistant
chip when using Digital Credentials technology
–
© Copyright 2004, Credentica
Can use cheap 8-bit chip (no crypto coprocessor needed)
10
Part II
Benefits of m-cash
© Copyright 2004, Credentica
11
Strong privacy guarantees
•
Customer privacy towards Merchant & Bank
•
Payment data does not reveal Customer ID (untraceability)
–
•
Multiple payments by same Customer are unlinkable
–
•
Prevents Customer spamming, discrimination, ID theft, …
Prevents Customer profiling without Customer’s consent
Merchant privacy towards Bank
•
•
•
•
Bank cannot learn identities of Merchant’s customers
Bank cannot data-mine Customer purchase behavior across an
association of multiple Merchants
Bank cannot learn Merchant peak hours (off-line payments)
Merchant can “block out” disclosed Customer attribute data
before depositing e-coins [not implemented in m-cash showcase]
–
•
E.g., negotiable demographic information encoded into e-coin
Note: all privacy guarantees are unconditional
•
A Customer’s privacy depends only on the quality of the random
numbers generated by his own payment device (!)
© Copyright 2004, Credentica
12
Extremely cost-effective
•
Few account accesses (vs. non-cash systems):
•
•
•
One withdrawal spans many payments
Many off-line payments can be deposited in one batch
Device independent
•
•
•
•
Payee does not need tamper-proof terminal; any PC will do
Payer may not need tamper-resistant chip in client device
Messages over-the-wire need not be encrypted for security
High computational & storage efficiency
•
•
•
•
One e-coin is only 250 bytes (and 140 bytes if EC-based)
All exponentiations on Customer side can be precomputed, and
spending an e-coin does not require exponentiations
Bank can batch-verify multiple e-coins overnight, and need merely
store 50 bytes per deposited e-coin
Dual-chip enhancement does not need crypto coprocessor
© Copyright 2004, Credentica
13
High systemic security
•
E-coins are counterfeit-proof
•
Each e-coin is protected with military-grade cryptography
–
•
Counterfeiting requires knowledge of private minting key
Multiple measures against double-spending:
•
Double-spending enables Bank to identify Customer
–
•
•
•
•
In m-cash implementation: Customer’s phone number is disclosed
Client code obfuscation measures [not implemented in m-cash showcase]
On-line payment clearing [not implemented in m-cash showcase]
Tamper-resistant (dual) client chip [not implemented in m-cash showcase]
Unsuitable for money laundering, bribery, …
•
No or limited off-line transferability; identified payer and payee
accounts; payer can trace payee (with Bank); high-value
payments can be on-line; earmarking to encode payer
“reputation”; tamper-resistant (dual-chip) protections
© Copyright 2004, Credentica
14
Flexibility & extensibility
•
Flexible dual-chip migration path for Customers
•
Customer can switch to smartcard enhancement anytime
–
•
•
Low-cost 8-bit smartcard implementations
Suitable for both micro & macro payments
•
•
From fractional cents to very large payments
Combine with any other Digital Credentials
•
•
•
Over-18 proofs, location proofs, etc.
Dual chip enhancement can serve many applications (!)
Platform & device independent
•
•
•
Enables off-line high-value payments, better virus protection, etc.
Payer and payee do not need special-purpose hardware
All-electronic processes: minting, issuing, spending, verifying,
depositing, fraud detection & tracing, etc.
Multi-currency & automatic currency conversion
© Copyright 2004, Credentica
15
Well-established technology
•
Protocols in open literature since 1993
•
•
Scrutinized by dozens of the world’s top cryptographers
(Including Adi Shamir, Ron Rivest, and Claus Schnorr)
Wide reputation as the world’s best e-cash technology
–
•
E.g.: “Considered by many to be the best” – NSA, Office of Information
Security Research & Technology, June 1996
Eight multi-jurisdictional patents granted
•
•
US, Canada, Europe, Japan, Australia, Singapore
Third-party prototypes & pilots
•
1993 – 1996: CAFE project (e-cheques in smartcards)
–
•
1996 – 1999: OPERA (CAFE continuation by major banks)
–
•
Gemplus, Royal Dutch PTT, Siemens, and 10 other organizations
Pilot with ~10.000 real bank customers in Greece & Spain
2000 – 2001: Zeroknowledge Systems
–
© Copyright 2004, Credentica
RIM Blackberry implementation
16
Part III
Benefits per
participant
© Copyright 2004, Credentica
17
Benefits for Bank (1)
•
Extremely low transaction costs
•
•
No need to authorize each payment in real-time
Few account accesses (vs. non-cash systems):
–
–
•
•
One withdrawal spans many payments
Many off-line payments can be handled through one batch deposit
Fully electronic processing (minting, deposit handling, transaction
logging, fraud tracing, dispute handling, …)
Highly secure
•
Unsuitable for money laundering, bribery, …
–
•
•
Customers cannot spend money they do not have
Avoids ID theft opportunities
–
•
•
Due to ability of payer to trace payee (only “one-way” privacy)
Due to payer privacy towards Merchant
E-coins are counterfeit-proof
Multiple measures against double-spending
© Copyright 2004, Credentica
18
Benefits for Bank (2)
•
Can serve new markets (new revenue streams)
•
•
•
•
•
Micro-payments
Withdraw, spend, and deposit e-coins over any medium
Earmarked cash (e.g., location, age, …)
Customer goodwill for privacy
Merchant goodwill for autonomy towards bank
•
•
•
•
Bank cannot trace & cross-profile Merchant’s customers
Bank cannot learn peak hours of Merchant
Bank does not decide on payment validity; Merchant does
Flexible & extensible architecture
•
•
•
Flexible dual-chip migration path for Customers
Suitable for both micro & macro payments
Combine with any other Digital Credentials
© Copyright 2004, Credentica
19
Benefits for Merchant (1)
•
Anyone can be a Merchant
•
•
•
•
Do not need special-purpose hardware to receive e-coins
No need to establish business relation with Bank
No need for special status by Bank (no charge-back, etc.)
Lowest transaction costs of all payment systems
•
•
•
Can accept payments off-line
All-electronic receiving, depositing, and transaction logging
Can serve new markets (new revenue streams)
•
•
•
•
•
•
Customers who do not have bank accounts
Customers who cannot get credit cards
Micro-payments
Peer to peer off-line payments (Bluetooth, infrared, etc.)
Countries with poor on-line connection capability
Individuals need not be inhibited about spending behavior
© Copyright 2004, Credentica
20
Benefits for Merchant (2)
•
Payment finality
•
•
•
•
•
E-coin reception guarantees that Bank will credit Merchant
Payee not submitted to financial risk & payment uncertainty
Bogus money is automatically rejected with 100% accuracy
No reliance on on-line Bank presence at payment time
Customer goodwill for privacy
•
•
But e-coins unsuitable for money laundering, bribery, etc.
Merchant keeps its autonomy towards Bank
•
•
•
•
•
Bank cannot learn identities of Merchant’s customers
Bank cannot data-mine Customer purchase behavior across an
association of Merchants
Bank cannot learn Merchant peak hours (off-line payments)
Bank cannot falsely or erroneously deny payments
Merchant can “block out” disclosed Customer attribute data
before depositing e-coins
© Copyright 2004, Credentica
21
Benefits for Customer (1)
•
Anyone can make e-coin payments
•
No need for special-purpose hardware
–
•
No need for good credit status with Bank
–
•
•
Dual (tamper-resistant) chip is optional
Could obtain e-cash from resellers …
Payee does not need to verify payer’s credibility
Customer privacy towards Merchant & Bank
•
Payment data does not reveal Customer ID (untraceability)
–
•
Multiple payments by same Customer are unlinkable
–
•
Prevents Customer spamming and discrimination
Prevents Customer profiling without Customer’s consent
Highly secure
•
•
Little scope for ID theft (pre-paid, untraceable, un-linkable)
Unsuitable for money laundering, bribery, …
–
•
Payer can always identify the payee
Protection against loss of e-cash stored on client device
© Copyright 2004, Credentica
22
Benefits for Customer (2)
•
Low transaction costs
•
•
Off-line payments, little scope for repudiation, etc.
Convenient
•
•
•
•
•
•
•
“Click and pay” – computer represents Customer
Micro-payments are cost-effective
Automatically keep personal transaction logs
Automated backups for recovery from loss and crashes
Download & spend from anywhere (platform independent)
No physical proximity to Merchant or Bank required
Client software can serve multiple applications
•
•
Seamless scalability from micro to macro payments
Other “Digital Credentials” tokens / applications
–
© Copyright 2004, Credentica
no cross-application security or privacy “interference” possible!
23
Benefits for governments/regulators
•
Not suitable for criminal activities (money laundering,
tax evasion, extortion, bribery)
•
•
•
•
•
•
Privacy is only one-way, payee can always identify payee
Extra safeguards: tamper-proof chip on Customer device
Auditability of Bank accounts complies with all existing bank
regulations & policies
Government can make significant profit from issuance of
e-cash (“seignorage”)
E-cash does not rely on message encryption over the
wire, so export control issues play no role
Facilitates cross-border payments through multiple
currencies
© Copyright 2004, Credentica
24
Part IV
Comparison to other
payment systems
© Copyright 2004, Credentica
25
General drawbacks of account-based systems
•
Account-based AKA book-entry systems:
•
•
•
Bank transfers funds from payer to payee account
Cheques, credit cards, debit cards, …
General drawbacks:
•
•
•
Unsuitable for low-value e-payments
No privacy for Customers nor for Merchants
Payments must be cleared on-line
–
–
–
–
–
•
Not an option in many situations / locations
Delays transactions, may result in unavailability
Adds cost (on-line connection costs money)
Bank must install hardware to cope with peak load
Denial of service attack on clearing/authorization process
Payment process requires delay to identify and correct
undesirable conditions (e.g., bounced cheques)
© Copyright 2004, Credentica
26
Drawbacks of (paper) cheques
•
•
•
Payee bears risk of insufficient funds
Payee must wait days to receive money
No non-repudiation
•
•
•
Payer denial is major fraud cause
Can write cheques against closed accounts
No privacy for Merchants and Customers
•
•
•
•
“In a sense a person is defined by the cheques he writes. By examining them the agents get to know his doctors,
lawyers, creditors, political allies, social connections, religious affiliations, educational interests, the papers and
magazines he reads and so on ad infinitum” – Judge William O. Douglas, U.S. Supreme Court, 1974, California
Bankers Association v. Shultz
Not usable in cyberspace
Processing and handling of cheques is expensive
Poor security
•
ABA: 5 billion US$ annual losses for financial industry
© Copyright 2004, Credentica
27
Drawbacks of (plastic & chip) credit cards
•
Not suitable for peer-to-peer payments
•
•
•
Need tamper-resistant point-of-sale terminal
Need merchant status
Payments must be on-line
•
•
Merchant liable for bogus charges & card-not-present
High costs of exception handling
•
•
Credit cards not economic for below $10
Even less privacy than cheques:
•
•
•
•
Data trail already in electronic format
Central parties learn transaction time / items
Cardholder profiling for fraud detection
Poor security
•
•
Especially of card-not-present transactions (e-payments…)
ID theft opportunities
© Copyright 2004, Credentica
28
E-payments with credit cards
•
Inherit all legacy system drawbacks
•
•
•
Make use of same back-end infrastructure
In particular: payments must still be cleared on-line
Privacy worsens
•
Combine electronic credit card data trails with:
–
•
IP address, click-stream data, location information, …
Security worsens
•
•
Virus attacks, spoofing, DOS attacks, replay, ID theft …
Card-not-present transactions very insecure
–
Fraudulent Merchant can automate attacks
•
•
•
Charge randomly generated credit card numbers
Bank strategy to withdraw Merchant status is ineffective
Serious credit card storage vulnerabilities
–
© Copyright 2004, Credentica
Merchant database is now on-line …
29
Other cash-like e-payment systems
•
Mondex, Proton, Citibank, etc.:
•
•
•
•
•
•
No privacy: payments systematically traceable & linkable
Payees need tamper-resistant terminals
Payers needs tamper-resistant chipcards (and “reader”)
No earmarking of money and other functionalities
Typically: poor security (not: military-grade per cash unit!)
Millicent and similar software-only systems:
•
•
No privacy: payments systematically traceable & linkable
Payments are effectively on-line …
–
•
•
•
must obtain vendor-specific “coins” from “broker” to pay
Poor security (no migration path, no PK security, etc.)
No earmarking of money and other functionalities
DigiCash:
•
•
Sequential on-line payment clearing that does not scale
No smartcard (dual-chip) solution, no negotiable attributes, no echeques, no double-spending tracing, etc. etc.
© Copyright 2004, Credentica
30

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz