Four Attacks on an Anonymous Fair Exchange E-commerce Protocol Adam Barth Andrew Tappert CS259.

Slides:



Advertisements
Similar presentations
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Advertisements

Atomic Transactions CS523 - Spring Brian Schmidt.
Service Bus Service Bus Access Control.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.1: NetBill.
Secure Multiparty Computations on Bitcoin
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Frank Stajano Presented by Patrick Davis 1.  Ubiquitous Computing ◦ Exact concept inception date is unknown ◦ Basically background computing in life.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Electronic Transaction Security (E-Commerce)
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
Systems of Distributed Systems Module 2 -Distributed algorithms Teaching unit 3 – Advanced algorithms Ernesto Damiani University of Bozen Lesson 6 – Two.
1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Security Risks for Ad Hoc Networks and how they can be alleviated By: Jones Olaiya Ogunduyilemi Supervisor: Jens Christian Godskesen © Dec
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.
Electronic Payment Systems. Transaction reconciliation –Cash or check.
An Anonymous Fair- Exchange E-Commerce Protocol Indrajit Ray Computer Science Department Colorado State University
EPS (Electronic payment system) is an online business process used for fund transfer using electronic means, i.e  Personal computers  services  Mobile.
DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.
Programming Satan’s Computer
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Chris Olston, cs294-7, Spring Atomicity in Electronic Commerce J. D. Tygar -- UCB presented by Chris Olston.
Secure Electronic Transaction (SET)
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
Electronic Payments E-payment methods –Credit cards –Electronic funds transfer (EFT) –E-payments Smart cards Digital cash and script Digital checks E-billing.
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
Cryptography, Authentication and Digital Signatures
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University.
CSCD 218 : DATA COMMUNICATIONS AND NETWORKING 1
10. Key Management. Contents Key Management  Public-key distribution  Secret-key distribution via public-key cryptography.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Byzantine fault-tolerance COMP 413 Fall Overview Models –Synchronous vs. asynchronous systems –Byzantine failure model Secure storage with self-certifying.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.
Network Security Lecture 27 Presented by: Dr. Munam Ali Shah.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Analyzing an Anonymous Fair Exchange E-commerce Protocol CS 259 Adam Barth (joint work with Andrew Tappert)
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Fall 2006CS 395: Computer Security1 Key Management.
Probabilistic Contract Signing CS 395T. Probabilistic Fair Exchange uTwo parties exchange items of value Signed commitments (contract signing) Signed.
Analyzing an Anonymous Fair Exchange E-commerce Protocol CS 259 Adam Barth (joint work with Andrew Tappert)
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Course Business I am traveling April 25-May 3rd
Man in the Middle Attacks
Key Establishment Protocols ~
Digital Signatures Network Security.
Probabilistic Contract Signing
Presentation transcript:

Four Attacks on an Anonymous Fair Exchange E-commerce Protocol Adam Barth Andrew Tappert CS259

Protocol Overview  Protocol proposed in Ray and Ray 2001  Five roles –Customer and customer’s bank –Merchant and merchant’s bank –Trusted third party  Allows anonymous fair exchange of money for a digital good  Identities protected by single-transaction public/private key pairs  Customer assured of obtaining correct product by cross validation (not relevant for our analysis)

Protocol Overview (no TP) Preamble (on a private channel) M => TP: m K1 Mipub Preamble (on a private channel) TP => C: [m, K1] Mipub 1) C => M: PO [CC(PO), Ciprv] [Cipub, Mipub] 2) M => C: [CC(PO), Miprv] [m.r, K1xK2] [CC([m.r, K1xK2]), Miprv] [r, K1] [CC([r, K1]), Miprv] [Macct, MBpub] [CC([Macct, MBpub]), Miprv] 3) C => CB: [[MTI, Cprv], CBpub] 4) CB => C: [[P, Bcprv], Cpub] 5) C => M: [[P, Bcprv], Mipub] 6) M => MB: [[P, Bcprv], MBpub] 7) MB => M: [ack, MBprv] 8) M => C: [K2inv, Cipub] [CC(K2inv), Miprv] [rinv, Cipub] [CC(rinv), Miprv] CM CBMB

Attack #1: Malicious Bank  Neither M nor MB can learn creator of P as such knowledge compromises C’s anonymity  Bcprv is a shared private key among banks  Thus, any bank can create [[P, Bcprv], Mipub]  A malicious bank can play the role of customer and obtain the good, but not make good on P  Neither M nor MB can learn the identity of the malicious bank  Defense: validity of payment token is a larger issue, not clear how to fix simply

Attack #2: Man in the Middle  Customer’s public/private key pair fresh  Ciprv/Cipub only occur in messages 1 and 8 –C => M: po [CC(po), Ciprv] [Cipub, Mipub] –M => C: [k2inv, Cipub] [CC(k2inv), Miprv] [rinv, Cipub] [CC(rinv), Miprv]  Ciprv/Cipub never signed by any role  Intruder may replace Ciprv/Cipub  Intruder learns the digital good  Intruder cannot relay message 8 to C, but C can invoke TP to receive product  Defense: add [CC(Cipub), Miprv] to message 2

Extended Protocol with TP  We assume resilient private channels with TP  Only the customer may invoke the TP –C => TP: message 1, message 2, [P, Bcprv] –TP => M: “Please send product decryption key for PO” –Option 1 (if M already has [P, Bcprv]) M => TP: k2inv, rinv TP => C: k2inv, rinv –Option 2 (if M does not have [P, Bcprv]) M => TP: “I did not receive payment token” TP => M: [P, Bcprv] resume base protocol with message 6 –Option 3 (if timeout occurs) No response from merchant TP => C: K1inv

Attack #3: Dishonest Merchant  M can receive payment and not send good  C may invoke the trusted party  M can claim payment was not received  TP forwards P and base protocol resumes  M can still not send product  Defense: add state to TP and disallow option 2 after the first time TP invoked

Attack #4: Unbalance for C  Only C can invoke the trusted party  After receiving [P, Bcprv] from CB, C can either force the transaction to occur or abort  C can prove to another party that s/he can force transaction, but cannot prove s/he can force abort  Once M sends message 2 s/he is committed to the transaction and cannot abort  Maybe M does not care?

Methods  We modeled this protocol using MOCHA  We discovered these attack by hand while creating the formal models  MOCHA found trace based attacks 1 and 2  Unable to model TP due to MOCHA bug  We modeled simplified TP  Attack 4 should be detectable with ATL  MOCHA ran for 150 hours with no answer

Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.