TM Systems Research Center MilliCent ™ Scrip, security and secrets Dr. Mark S. Manasse DIGITAL Systems Research Center, Palo Alto
TM Systems Research Center Microcommerce Microcommerce is commerce where each transaction may be inexpensive. For us, “inexpensive” is around 0.1¢/transaction. Others set the limit at $1/transaction. Microcommerce allows transactions for: –news articles, –stock quotes, –index queries.
TM Systems Research Center Why is microcommerce difficult? The vendor and the financial agent need adequate revenue, despite: –small (0.1¢, by my definition) transactions –on-line service no one wants to wait a long time for a page –reasonable commissions –liability issues
TM Systems Research Center Designing a financial system Customers sign up with a financial intermediary –software implements “wallet” functionality –wallet is loaded from credit card or bank account Value is transferred from wallet to vendor as needed Four basic approaches –centralized notational (e.g., CyberCoin, NetBill) –distributed notational (e.g., Mondex) –centralized token (e.g., Millicent, DigiCash) –distributed token (e.g., PayWord, MiniPay)
TM Systems Research Center Cryptography Public-key versus shared-key –RSA versus DES Authentication versus encryption –Signature and identity versus privacy Public key signatures are non-repudiable Shared-key authentication can be produced by anyone holding the shared key
TM Systems Research Center Public-key cryptography 1: RSA Do arithmetic in group of integers mod p q. Given public key e, private key d can be found from inverting e mod p-1 and q-1, and then using the Chinese remainder theorem. Encryption and decryption are done by exponentiating message to the e or d power. Fermat’s little theorem makes it work: –m^(1+k*(p-1)) = m (mod p)
TM Systems Research Center Public-key cryptography 2: El Gamal Instead of using difficulty of factoring, we can use difficulty of taking discrete logarithms. Pick a modulus and a generator of a large subgroup. Secret keys are random numbers; public keys are the generator to the secret key power. Encrypt a message by picking a blinding exponent, and multiplying the message by public key to the exponent. Also send generator to the exponent; recipient can raise to the secret key, and divide.
TM Systems Research Center Public-key cryptography 3: other cool tricks Key exchange (Diffie-Hellman) Different arithmetic groups –elliptic curves
TM Systems Research Center Shared-key cryptography DES, RC-4, etc. work by having permutation functions that take the key and data and mix the bits in a seemingly random (and hard to analyze) fashion. We can still hide information from people who don’t know the key, but not from each other.
TM Systems Research Center Hash functions A one-way hash function, like MD5 or HMAC-MD5, has the properties: –one-way: given hash(S), it is hard to find S –collision-free: given S and hash(S), it is hard to find T such that S T and hash(S) = hash(T)
TM Systems Research Center Applications of one-way hash functions Suppose that A and B share a secret S. When A wants to communicate M to B: –for integrity and authenticity A can send hash(M,S) together with M, B can check hash(M,S). –for secrecy A can generate and send a random number N, and hash(N,S) XOR M, instead of M, only A and B can recover M.
TM Systems Research Center Performance guidelines: cryptographic costs Very roughly, a commodity computer can do: –public-key cryptography (RSA 1024bits) 20 signatures or 100 verifications/second –shared-key cryptography (DES) 10,000s encryptions/second 1MByte/second –one-way hashing (MD5, SHA-1) 100,000s hashes/second 15MBytes/second, i.e. network speed
TM Systems Research Center Performance guidelines: disk and network costs Generously, a commodity computer can do: –100 seeks/disk/second In Millicent, needed data fits in memory. –1000 TCP connections/second Alta Vista front-end machines handle 100 connections/second each on average.
TM Systems Research Center Vendor: assumptions and calculations There are roughly 30M seconds/year. The cost of business is ¥15M/computer/year. –Average revenue must be at least ¥½/second. Because of burstiness, the vendor may have a 50:1 peak to average load. –So it must reach a 25¢/second peak. If the average transaction is for ¥0.1, the vendor must be able to handle 250 transactions/second. In addition, the vendor must pay for merchandise.
TM Systems Research Center Financial agent: assumptions and calculations The agent gets a (roughly) 2% commission. –It must have a ¥25/second average revenue. Because of burstiness, an on-line agent may have a 10:1 peak-to-average load. –So it must reach a ¥250/second peak. For ¥0.1 average transaction, the agent must handle 2500 transactions/second. Something has to give: –transaction grain –commission –on-line
TM Systems Research Center Millicent: concepts Scrip [~ software pre-paid phone card, with PIN] –vendor-specific currency not quite cash, account, bearer certificate,... –generated by either brokers or vendors –based on secrets and cryptography Brokers –financial agents that handle real money –sellers of vendor scrip to customers Vendors Customers
TM Systems Research Center Broker (actually, a broker network) The big picture Vendor Using secure macrocommerce, exchange money for scrip sold by broker Using broker scrip, customer purchases vendor scrip. Customer Exchange the vendor ’ s scrip for service. $ (weekly) $$$ (monthly) Jurisdiction B Jurisdiction C Jurisdiction V Using secure macrocommerce, exchange money for broker scrip.
TM Systems Research Center A closer look at a piece of scrip A piece of scrip consists of a body, with the following fields: –Vendor: a name for the vendor, –Props: any data describing customer properties (possibly including a name), –Value: the value of the scrip, –Expiry: the expiration time for the scrip, –ID#, Cust ID#: some ID material and of a hash: – Stamp: a proof of validity for the piece of scrip.
TM Systems Research Center A closer look at the stamp of a piece of scrip Stamp = hash(Scrip body, Master scrip secret) Master scrip secret is used for certifying scrip. –It is not known to the customer. –It is used for many pieces of scrip for one vendor. ID# identifies Master scrip secret, and in addition includes a sequence number.
TM Systems Research Center Hash Master scrip secret 5 Stamp Vendor Value ID# Cust ID# Expiry Props Customer Master scrip secret 4 Master scrip secret 5 Master scrip secret 6 Scrip stamp generation (at vendor or broker)
TM Systems Research Center Hash Master scrip secret 5 Stamp Vendor Value ID# Cust ID# Expiry Props Customer Master scrip secret 4 Master scrip secret 5 Master scrip secret 6 Stamp Compare Scrip stamp validation (at vendor)
TM Systems Research Center Making a purchase The customer generates a request and attaches some scrip to it. –The customer provides an integrity check using a customer secret (CS) shared with the vendor. –The customer sends Scrip, Request, hash(Scrip, Request, CS) The vendor checks the integrity of the request and the validity of the scrip. Then the vendor sends a reply and any change: Scrip’, Reply, hash(Scrip’, Stamp, Reply, CS)
TM Systems Research Center RequestScripCustomer secret Hash Request stamp Request stamp computation (at customer and vendor)
TM Systems Research Center The customer secret Customer secret does not require extra negotiation. –Customer secret is derived from another secret, Master customer secret. Customer secret = hash(Cust ID#, Master customer secret) Master customer secret is not known to the customer. –It is used for many customers of one vendor. Cust ID# identifies Master customer secret, and in addition includes a sequence number.
TM Systems Research Center Master customer secret 2 Master customer secret 3 Master customer secret 4 Master customer secret 3 Customer secret Hash Vendor Value ID# Cust ID# Expiry Props Cust ID# Customer secret computation (at broker or vendor)
TM Systems Research Center The cost of processing a purchase The vendor verifies adequacy of payment, plus: –a scrip stamp using 1 hash (against tampering), –a request stamp using 2 hashes (against theft) for customer secret and request stamp, –serial number (against double-spending). The vendor provides service and returns change using 2 hashes for new scrip and reply stamps. For a scrip purchase the broker does 3 more hashes to create and transmit scrip and customer secret.
TM Systems Research Center Advantages of scrip Because scrip is vendor-specific currency, double-spending is easy to detect. –It requires only a local lookup (using a unique sequence number). –In contrast, other kinds of currency may require a round-trip to a central authority. Forgery is hard. –Scrip includes a stamp. Scrip cannot be stolen. –Payment is cryptographically tied to request.
TM Systems Research Center VendorServer WebServer Vendor Price File Document Tree Browser Wallet User Browser Cache Wallet Contents BrokerServer Broker HTTP PriceConfigurator MilliCent System Architecture
TM Digital Equipment Corporation ©