1. No category

ppt

The 2004 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE-04)
An Efficient, Secure & Delegable
Micro-payment System
Vishwas Patil
[email protected]
http://www.tcs.tifr.res.in/~vishwas
R. K. Shyamasundar
[email protected]
http://www.tcs.tifr.res.in/~shyam
School of Technology and Computer Science
Tata Institute of Fundamental Research, Mumbai.
e-coupons Micro-payment System
● Goal:- Design a micro-payment scheme which is




off-line,
vendor-specific,
secure, efficient, and
allows a user to delegate its spending capability (not available with other schemes)
● Achieved: Through an integration of



EEE-04
PayWord (generating vendor-specific paywords – micro-payment units)
+
TESLA
(for authentication and communication security)
+
SPKI/SDSI (provides delegation feature apart from PKI services)
Vishwas Patil and R. K. Shyamasundar. TIFR.
2 / 27
Outline
● Micro-payments
 Background & Current Approaches
● e-coupons system
 e-coupons without delegation
 e-coupons delegation
 Eliminate vendor-specific constraints from paywords
● Analysis of e-coupons system
● New dimensions
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
3 / 27
Micro-payment
● Payment of low intrinsic value
● Low on computation and communication demands
● Involves negligible/acceptable monetary risk
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
4 / 27
Micro-payment Applications
● Streaming multi-media (news, music, games etc.)
- IP-based / cookies-based bulk subscription
● Mobile commerce (GPS, location based services etc.)
- Closed system; one macro-payment for multiple micro-transactions
● Infrastructure accounting (bandwidth usage etc.)
- Log-based approach
● E-Library and all such digitized services
- IP-based bulk subscription
● If billing of such services is done using a micro-payments
system, user will pay for the services as and when required.
● And service-provider can dictate QoS based on the payments
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
5 / 27
Micro-payment Schemes [Common Objectives]
1. Minimize costly (public-key) operations
2. Keep payment off-line
3. Make inner loop (purchase/payment) efficient
● A trade-off among these objectives
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
6 / 27
Micro-payment Schemes [Classification]
Important factors involved in a micro-payment schemes:-
● On-line / Off-line
- On-line schemes are communication-wise costly but check double-spending
● Computation / Communication costs
- Asymmetric cryptography is computationally costly for small devices
● Interactive / Non-Interactive
● Level of Aggregation
 No Aggregation { Millicent, MicroMint }
 Session-level Aggregation { PayWord, e-coupons }
 Global Aggregation { lottery scheme, peppercorn }
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
7 / 27
Scheme Setup [Bank, User, Vendor]
Facilitating
Bank
6
1
Authorized
User 2
Step 1: Bank authorizes user
3, 4
Payments
Goods Delivery
5
Vendor
Step 4: User/agents pays to Vendor using payword-chain (repetitive)
Step 2: User generate payword-chain
Step 5: Vendor provides the service (repetitive)
Step 2a: User may delegate payword-chain to its agents
Step 6: Bank redeems the vendor
Step 3: User/agents registers payword-chain with Vendor
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
8 / 27
e-coupons Protocol
● e-coupons payment system is a mixture of macro and micropayments


User acquires PayWord certificate from a bank under MIES – [Multi
Instrument E-payment Service] payment framework
(it’s a macro-payment by User and done once)
User/its agents make micro-payments to Vendor for its services
(this is a more frequent operation)
● Delegation of spending capability by a User to its agents/others
is again a macro-payment

It is similar to a User acquiring PayWord Certificate from a bank
● We will concentrate on the micro-payment aspects of ecoupons system
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
9 / 27
e-coupons Protocol Stages
1.
2.
3.
4.
5.
User receives authorization (PayWord) certificate from bank
User generates multiple payword chains
User may delegate payword chain (fully/partially) to others
Owner of the payword chain registers the chain with Vendor
Vendor time-synchronizes itself with the payword chain owner
and gets ready to accept the unit-wise payments
6. User/owner of the payword chain reveals the values from the
chain in sequence towards the payment of Vendor’s service
7. Vendor periodically sends the user’s registration info. along
with the accumulated paywords to the bank for redemption
8. Bank verifies the info. and redeems accordingly to the Vendor
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
10 / 27
e-coupons Protocol [User acquires payword auth. from Bank]
Macro-payment
for PayWord
Certificate
Registration
Where,
CC
– User’s Credit Card Information
KU
– User’s Public-Key
Time
IU
– Application specific information e.g. Shipping Address/IP Address,
Synchronization
Service & Vendor information, etc.
B
– Bank Attributes
Secure
U
– User Attributes
payments
E
– Certificate Validity period
KB-1
– Bank’s Private-Key
 This is a one time process and it is a macro-transaction
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
11 / 27
Bank Authorizes User
PayWord Certificate Issued by Broker
● CU = {B, U, KU , E, IU}KB-1
You are allowed to spend 1600
Cents, generate a chain & spend
Broker Attributes
Broker’s Public-Key
Issuing Authority
User Attributes
User’s Public-Key
Recipient of the Authorization
Shipping Information
Authorization Validity Period
User’s Spending Limits
e.g. IP Address
01-03-2004_00:00:00 to 31-03-2004_23:59:59
1600
● User uses this certificate as proof of authority with the Vendor
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
12 / 27
Generation of Self-authenticating payword chain
● Let h be collision-free hash function s.t.
 h(x) = y
 Given y and h it is hard to compute x (inverse is computationally
costly)
● User randomly chooses a number wn and repeatedly applies a
one-way hash function h i.e.
 h (h (h …n times ( w ))) = w
n
0
where n is 1600 in our example
● User keeps this payword-chain secret and reveals one value
(payword) for one unit-payment
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
13 / 27
payword chain Properties
● User must spend the paywords in reverse sequence
● i.e. w1 followed by w2
● w2 followed by w3 , followed by w4 and so on till wn
● Revealing w3 before w1 and w2 will be equivalent to making 3
unit payments
● Vendor can verify the unit payments by applying h 3 times to
obtain w0 which must be equal to the w0 provided by User
during payword-chain registration process
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
14 / 27
e-coupons Protocol [User registers payword chain with Vendor]
Macro-payment
for PayWord
Certificate
Registration
Where,
Time
Synchronization
V
– Vendor Attributes
CU
– Payword Certificate (User’s Authorization for making payments)
w0
– root/commitment value of payword chain
– User’s Private-Key
KU
-1
Secure
payments
 Registration is one time process
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
15 / 27
User Registers with Vendor
● M = {U, V, w0 , CU ,validity period }KU-1
I have generated a payword chain
whose root is w0 and I would
like to pay you using this chain.
I have included my credentials to
do so for your verification
User Attributes
User’s Public Key
Vendor Attributes
Vendor’s Public Key
User’s
Commitment w0
PayWord
Certificate
Validity period
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
16 / 27
Monolithic payword chain and its limitations
● Spending Condition: User must make sure before revealing a
payword that all the paywords up to w0 are spent
● Therefore, user cannot delegate parts of a monolithic
payword-chain to others for concurrent spending
● payword Security: If payword-chains are user-specific and
vendor-specific; no need to provide security while in transit
 Since Vendor and User for that monetary value are fixed
● If user want to delegate its spending capability payword-chains
cannot be user-specific; therefore security is required.
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
17 / 27
Monolithic payword chain and its limitations
● So, we need multiple payword chains
 So that parts of them can be delegated to others for concurrent
spending
● We require facility of authority delegation
● We need to provide security to the paywords while in transit
 Security can be provided by encryption
 Since User and Vendor know each others public-keys
 But it is costly
TESLA (for source authentication)
+
SPKI/SDSI (as a PKI with delegation facility)
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
18 / 27
e-coupons Protocol [User and Vendor: time synchronization]
Macro-payment
for PayWord
Certificate
Registration
Time
Synchronization
Where,
Nonce
KV-1
tU
Tint
d
EEE-04
Secure
payments
– Random number
– Vendor’s Private-Key
KU-1
– User’s Private-Key
– User’s local time
– Time interval for which one key will be used for encryption
– an integer value for which the key used for encryption will remain secret/un-disclosed
Vishwas Patil and R. K. Shyamasundar. TIFR.
19 / 27
TESLA [Time Efficient Stream Loss-tolerant Authentication]
● Sender and receiver of the data are loosely time-synchronized
● Same key is used for encryption and decryption
● But the key remains secret for some agreed time interval d
● This time difference creates a temporary asymmetry
● Thus achieving the effect of asymmetric key cryptography
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
20 / 27
TESLA [Time Synchronization]
[Perrig et. al]
Where,
tR
tS
ts
tr
EEE-04
– Receiver’s time while making the time-synchronization request
– Sender’s time when it receives the time-synchronization request
– Upper bound on the current sender’s time
– Receiver’s current time
Vishwas Patil and R. K. Shyamasundar. TIFR.
21 / 27
TESLA Authentication Mechanism
[Perrig et. al]
Key disclosure time d = 2
F is a standard one-way hash function
Authentication of P1: MAC(K3, P1)
Security Condition: on arrival of P, receiver is certain that sender
did not yet disclose K
 Drop P if security condition is not satisfied




EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
22 / 27
e-coupons Protocol [User making micro-payments to Vendor]
Macro-payment
for PayWord
Certificate
Registration
Time
Synchronization
Micro
Payments
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
23 / 27
e-coupons Protocol [User making micro-payments to Vendor]
Lets assume
d=2
i=1

And w0 is
already with V
● wi = w1 which is the first micro-payment by user to vendor
● Vendor will simply buffer it until user discloses w1after d i.e 2
time intervals
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
24 / 27
e-coupons Protocol [User making micro-payments to Vendor]
Where,
d=2
i=1


● This is second micro-payment by user to vendor
● Vendor will buffer it also until User discloses wi+1 i.e. w2 after d
time intervals
● Vendor has buffered two paywords w1 and w2 since it does not
have key to either decrypt them or to verify
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
25 / 27
e-coupons Protocol [User making micro-payments to Vendor]
Where,
d=2
i=1



User disclosed decryption key for first payword
● This is third micro-payment by user to vendor
● Vendor will buffer it also until User discloses wi+2 i.e. w3 after d
time intervals
● Now w2 and w3 remain in Vendor’s buffer until respective keys
are disclosed by user in subsequent communication
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
26 / 27
Generation of Self-authenticating multi-seed chains
● Instead of generating a single payword chain, user generates
multiple chains and marks some intermediate values (indices)
for future reference
● These indices are the boundaries of payword sub-chains that
user might delegate to others
● These chains are
independent from
each other
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
27 / 27
Delegation of Authority
Authorization Certificate Issued by User
● Cagent = {U, agent, Kagent , E, Iagent}KU-1
User Attributes
User’s Public-Key
Issuing Authority (User)
Agent Attributes
Agent’s Public-Key
Recipient of the Authorization (agent)
Shipping Information
Authorization Validity Period
Agent’s Spending Range
e.g. IP Address
01-03-2004_00:00:00 to 02-03-2004_23:59:59
200
● Agent uses this certificate in conjunction with User’s PayWord Certificate
as proof of authority with the Vendor
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
28 / 27
e-coupons [User delegating the spending capability]
0
t1
t
timeline
E = t1
- agent1 cannot start with any random number to generate its payword chain, as in case of the User
E = t2
- The ends of the payword chain for agent1 are specified by the User in the delegation certificate
E = t3
- agent1 Must use the spending capability forwarded by the User within the validity time period E
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
29 / 27
e-coupons [User delegating the spending capability]
0
t1
timeline
t
t2
E = t1
E = t2
E = t3
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
30 / 27
e-coupons [User delegating the spending capability]
Spent / expired
0
t1
timeline
t3
t
t2
E = t1
E = t2
E = t3
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
31 / 27
e-coupons [User’s agent3 making payments to Vendor]
agent3’s Registration
with Vendor
Where,
X
Iagent3
Kagent3-1
EEE-04
– agent3’s proof of authorization over payword chain with root value w201 v
– Information pertaining to agent3
– agent3’s private key
Vishwas Patil and R. K. Shyamasundar. TIFR.
32 / 27
e-coupons [User’s agent3 making payments to Vendor]
agent3’s Registration
with Vendor
agent3’s proof of
Spending
Capability
- The proof of authorization is generated and verified using SPKI/SDSI framework
- Delegation of spending capability is a macro-payment
- This is a one time process
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
33 / 27
e-coupons [User’s agent3 making payments to Vendor]
agent3’s Registration
with Vendor
agent3’s proof of
Spending
Capability
TESLA
Time Synchronization
Where,
Nonce
KV-1
tU
Tint
d
EEE-04
Micro
– Random number
Payments
– Vendor’s Private-Key
Kagent3-1 – agent3’s Private-Key
(e-coupons)
– agent3’s local time
– Time interval for which one key will be used for encryption
– an integer value for which the key used for encryption will remain secret/un-disclosed
Vishwas Patil and R. K. Shyamasundar. TIFR.
34 / 27
e-coupons [User’s agent3 making payments to Vendor]
agent3’s Registration
with Vendor
agent3’s proof of
Spending
Capability
TESLA
Time Synchronization
Micro
Payments
(e-coupons)
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
35 / 27
e-coupons [making the payword chains non-vendor-specific]
● Bank will not explicitly specify the “Vendor Attributes” while
issuing the PayWord certificate
● User generates multi-seed payword chains
● User/its agents are free to register the “root” of payment chain
with any Vendor
● Upon receiving the “commitment” from a user;
 Vendor will verify the user’s credentials
 Contacts the facilitating bank to check whether users has already
registered with any other Vendor with the same “commitment”
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
36 / 27
e-coupons [A typical Scenario]
Node B
Node A
Node D
agent1
Node E
agent3
Node X
agent2
Node C
Node X can make payments to its neighbors for packet
forwarding
- Requires a single PayWord Certificate
- Node X can concurrently open communication channels with its
neighbors
- Other schemes require separate payment authorizations for each such
communication channel and are not scalable
- Neighbors may not accept packet forwarding requests until authenticity
of “commitment” is verified (concept of cheque / reputation ??)
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
37 / 27
e-coupons [Security Analysis]
● Cryptographic support
 Asymmetric key cryptography like property via asymmetry of time

between sender and receiver (TESLA)
Certification services, authority delegation and verification, Nonrepudiation of agreements etc. through SPKI/SDSI framework
● Use of readily available self-authenticating hash values
(payword chain) for data confidentiality and integrity (TESLA)
● Thus, we avoid separate encryption key generation and its
distribution; a requirement of TESLA
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
38 / 27
e-coupons [Risk Analysis]
● Use of same key for encryption and MAC computation might
lead to cryptographic weaknesses of the protocol
 But we are interested in providing confidentiality to the paywords while
in transit
● Vendor does not know the uneven propagation delay of the
time-synchronization request packet
 To remain of safer side, we take the full round-trip time of the packet
 Even if Vendor loses one of the valid incoming payword packet, it can

own its value on successfully receiving the next payword packet
Therefore, Vendor accepts such a risk arising due to network errors
● TESLA buffer constraints
 Let the sender buffer the packets
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
39 / 27
e-coupons [Performance Analysis]
E – one unit encryption
D – one unit decryption
 Delegation of each payword sub-chain involves a pair of

EEE-04
asymmetric key operation
Number of operations are linearly proportional to the depth of
delegation
Vishwas Patil and R. K. Shyamasundar. TIFR.
40 / 27
New Dimensions
● Facility of delegation over User’s (Service Subscriber) spending
capability has enabled features like concurrent access e.g.
 User subscribes an on-line news service, it can access the service



EEE-04
from its PDA, laptop, cell phone etc. without registering all these
devices with the facilitating bank
A multi-threaded application which accesses some on-line service for
computational purpose can delegate the authority to access the
service among the threads for their parallel execution without waiting
for other threads to free the payment instrument, as in case of single
monolithic payword chain
A service provider can gift the service to potential customers as
introductory offer to potential users by issuing e-coupons
A node in ad-hoc wireless network can concurrently make payments
to its neighbors for packet forwarding by obtaining a single
authorization certificate from the Bank
Vishwas Patil and R. K. Shyamasundar. TIFR.
41 / 27
Conclusion
●
●
●
●
●
Its off-line, vendor-specific
Efficient, Secure, Delegable
Gives autonomy of spending
A level of authorization indirection provides some anonymity
An enabler for various e-commerce (Internet) applications
● Verifying the commitments on-line with facilitating bank will lead
to a scheme that is free from vendor-specific-ness requirement!
EEE-04
Vishwas Patil and R. K. Shyamasundar. TIFR.
42 / 27

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz