Analyzing an Anonymous Fair Exchange E-commerce Protocol CS 259 Adam Barth (joint work with Andrew Tappert)

Slides:



Advertisements
Similar presentations
Service Bus Service Bus Access Control.
Advertisements

Software Testing Technique. Introduction Software Testing is the process of executing a program or system with the intent of finding errors. It involves.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
A New Approach of Signing Documents with Symmetric Cryptosystems and an Arbitrator Nol Premasathian Faculty of Science King Mongkut’s.
Secure Multiparty Computations on Bitcoin
Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION DEBUGGING Autumn 2011 Bug-Date: Sept 9, 1947.
Justification-based TMSs (JTMS) JTMS utilizes 3 types of nodes, where each node is associated with an assertion: 1.Premises. Their justifications (provided.
Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.
CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.
Digital Signatures and Hash Functions. Digital Signatures.
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Probabilistic Contract Signing CS 259 Vitaly Shmatikov.
Probabilistic Model Checking CS 395T. Overview uCrowds redux uProbabilistic model checking PRISM model checker PCTL logic Analyzing Crowds with PRISM.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany ©
Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
Security Risks for Ad Hoc Networks and how they can be alleviated By: Jones Olaiya Ogunduyilemi Supervisor: Jens Christian Godskesen © Dec
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
An Anonymous Fair- Exchange E-Commerce Protocol Indrajit Ray Computer Science Department Colorado State University
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
©OnCourse Learning. All Rights Reserved.. The Principal–Broker Relationship: Agency ©OnCourse Learning. All Rights Reserved. Chapter 11.
Programming Satan’s Computer
Chris Olston, cs294-7, Spring Atomicity in Electronic Commerce J. D. Tygar -- UCB presented by Chris Olston.
CS 395T Contract Signing Protocols. Real-World Fair Exchange uBoth parties want to sign the deal uNeither wants to commit first Immunity deal.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University.
1 The CeNTIE project is supported by the Australian Government through the Advanced Networks Program of the Department of Communications, Information Technology.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Information Security Conference (ISC 2015) On the Efficiency of Multi-Party Contract Signing Protocols Gerard Draper-Gil, Josep-Lluis Ferrer Gomila, M.
Privacy Enhancing Technologies Spring What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies.
Business Rules and Constraints for CPP / CPA (very preliminary draft!) Tony Weida 10/19/2015 8:24:08 PM Copyright © 2001 Edifecs.
Game-Based Verification of Fair Exchange Protocols CS 259 Vitaly Shmatikov.
Four Attacks on an Anonymous Fair Exchange E-commerce Protocol Adam Barth Andrew Tappert CS259.
Probabilistic Model Checking for Security Protocols CS 259 Vitaly Shmatikov.
Customer Interface for wuw.com 1.Context. Customer Interface for wuw.com 2. Content Our web-site can be classified as an service-dominant website. 3.
Byzantine fault-tolerance COMP 413 Fall Overview Models –Synchronous vs. asynchronous systems –Byzantine failure model Secure storage with self-certifying.
The GOOD the BAD the UGLY WS-CDL: the GOOD the BAD the UGLY.
2/16/001 E-commerce Systems Electronic Payment Systems.
Matej Bel University Cascaded signatures Ladislav Huraj Department of Computer Science Faculty of Natural Sciences Matthias Bel University Banska Bystrica.
A Generalized Effectuate Strategy for Mash-up Mobile Circumstances A Generalized Effectuate Strategy for Mash-up Mobile Circumstances Project Guide M.J.Jeyasheela.
CS 395T Game-Based Verification of Contract Signing Protocols.
Network Security Lecture 27 Presented by: Dr. Munam Ali Shah.
Network Protocols Network Systems Security Mort Anvari.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Alternating Temporal Logic and Game-Based Properties CS 259 John Mitchell with slides from Vitaly Shmatikov.
ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.
Fall 2006CS 395: Computer Security1 Key Management.
Probabilistic Contract Signing CS 395T. Probabilistic Fair Exchange uTwo parties exchange items of value Signed commitments (contract signing) Signed.
Analyzing an Anonymous Fair Exchange E-commerce Protocol CS 259 Adam Barth (joint work with Andrew Tappert)
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.
Building Valid, Credible & Appropriately Detailed Simulation Models
ECS15 while.
‘Crowds’ through a PRISM
CSCE 715: Network Systems Security
Presentation transcript:

Analyzing an Anonymous Fair Exchange E-commerce Protocol CS 259 Adam Barth (joint work with Andrew Tappert)

Protocol Overview uProtocol proposed in Ray and Ray 2001 Protocol presented in pseudocode uFive roles Customer and customer’s bank Merchant and merchant’s bank Trusted third party uAnonymous fair exchange of money for a digital good Wanted to look at non-trace-based properties Employed MOCHA, an ATL model checker uCustomer assured of obtaining correct product by cross validation (not modeled) Had enough to look at without this

Protocol Overview (no TP) Preamble (on a private channel) M => TP: m K1 Mipub Preamble (on a private channel) TP => C: [m, K1] Mipub 1) C => M: PO [CC(PO), Ciprv] [Cipub, Mipub] 2) M => C: [CC(PO), Miprv] [m.r, K1xK2] [CC([m.r, K1xK2]), Miprv] [r, K1] [CC([r, K1]), Miprv] [Macct, MBpub] [CC([Macct, MBpub]), Miprv] 3) C => CB: [[MTI, Cprv], CBpub] 4) CB => C: [[P, Bcprv], Cpub] 5) C => M: [[P, Bcprv], Mipub] 6) M => MB: [[P, Bcprv], MBpub] 7) MB => M: [ack, MBprv] 8) M => C: [K2inv, Cipub] [CC(K2inv), Miprv] [rinv, Cipub] [CC(rinv), Miprv] CM CBMB

Formalizing Protocol Specification uProtocol has many messages Eight, not including the trusted party uMany terms in each message MOCHA bug limited total number of variables Too complex to keep track of every term directly uModeled messages as Boolean variables Set to true when sent uDishonest parties can forge messages Based on the messages in their possession

Design of Our MOCHA Model u Honest principals interact with network Dishonest principals folded into network u Network records messages seen by dishonest parties u Dishonest can forge messages with enough knowledge Each corrupt principal adds more initial knowledge hc n n hm hcb hmb

Honest Customer Module (1) module hc -- honest customer external o2, o2a, o4, o4a, o8, oB: bool interface i1, i3, i5, i5a, iA, cprod /* customer has received product */, dc: bool atom controls i1, i3, i5, i5a, iA, cprod, dc reads o2, o2a, o4, o4a, o8, oB, i1, i3, i5, i5a, iA, cprod, dc init [] true -> i1' := false; i3' := false; i5' := false; i5a' := false; iA' := false; cprod' := false; dc' := false Vars for messages Customer dishonesty flag Initially has no messages

Honest Customer Module (2) update [] ~i1 -> i1' := true [] i1 & o2 & ~o2a & ~i3 -> i3' := true [] i1 & o2 & ~o2a & i3 & o4 & ~o4a & ~i5 & ~i5a -> i5' := true [] i1 & o2 & ~o2a & i3 & ~o4 & o4a & ~i5 & ~i5a -> i5a' := true [] i1 & o2 & ~o2a & i3 & o4 & ~o4a & i5 & ~i5a & ~o8 & ~iA -> [] i1 & o2 & ~o2a & i3 & o4 & ~o4a & i5 & ~i5a & ~o8 & ~iA -> iA' := true [] (o8 | oB) & ~cprod -> cprod' := true endatom endmodule Rules for updating state Gets product from message 8 or B (part of TP resolution)

Network Module (1) uAble to record messages for dishonest roles [] i1 & (dm | dnet) & ~m1 -> m1' := true [] i2 & (dc | dnet) & ~m2 -> m2' := true [] i2a & (dc | dnet) & ~m2a -> m2a' := true [] i3 & (dcb | dnet) & ~m3 -> m3' := true [] i4 & (dc | dnet) & ~m4 -> m4' := true [] i4a & (dc | dnet) & ~m4a -> m4a' := true [] i5 & (dm | dnet) & ~m5 -> m5' := true [] i5a & (dm | dnet) & ~m5a -> m5a' := true [] i6 & (dmb | dnet) & ~m6 -> m6' := true [] i7 & (dm | dnet) & ~m7 -> m7' := true [] i8 & (dc | dnet) & ~m8 -> m8' := true Knowledge vars Dishonest client or network can record message 4

Network Module (2) u Forge messages [] (dc | ii | mm) & ~m1 -> m1' := true [] m1 & dm & ~m2 -> m2' := true [] dm & ~m2a -> m2a' := true [] dc & ~m3 -> m3' := true [] (dcb | (dc & dmb)) & ~m4 -> m4' := true [] (dcb | dc) & ~m4a -> m4a' := true [] ((m4 & dc) | dcb | dmb) & ~m5 -> m5' := true [] (dc | ii | mm) & ~m5a -> m5a' := true [] ((m5 & dm) | dmb | (dm & dcb)) & ~m6 -> m6' := true [] dmb & ~m7 -> m7' := true [] m1 & dm & ~m8 -> m8' := true [] m1 & m2 & m5 & ~oA -> oA' := true; iitp' := true Dishonest client can forge message 3 at will

What Did We Do With the Model? uMOCHA allowed us to “run” model by hand Useful to debug the model uTested some invariants (trace-based properties) Intruder can't get product unless he's acting as merchant or customer –inv "inv1" (~nprod | dm | dc) Customer only gets prod when merchant is paid –inv "inv2" (~cprod | mpay) –inv "inv3" (cprod | ~mpay)

More Complex ATL Properties uHonest customer eventually gets product atl "atl1" ( > F (cprod)) uWhen payment is sent, honest customer eventually gets the product atl "atl2" (~i5 | > F (cprod)); uExchange can be successfully completed by honest parties atl "atl3" ( > F (cprod & mpay)) cb needed to make payment token

Fairness uDishonest merchant can't get paid without honest customer having a strategy to get product (DM model) atl "cfair" (~( > F (npay & ~( > F (cprod))))) uDishonest customer can't get product without honest merchant having a strategy to get paid (DC model) atl "mfair" (~( > F (nprod & ~( > F (mpay))))) Dishonest parties folded into network Dishonest customer still needs help from honest bank

Balance uDishonest customer can’t get to a point where (1) Customer can force receiving product (2) Merchant can’t force getting paid atl "cbal" (~( > F uDishonest merchant can’t get to a point where (1) Merchant can force getting paid (2) Customer can’t force receiving product atl "mbal" (~( > F (( > F npay) & ~( > F cprod)))) (( > F nprod) & ~( > F mpay))))

Four Attacks on the Protocol uAnalysis reveals four attacks: Malicious banks can steal product –Banks share a signing key (should use group sigs) Man-in-the-middle can steal product –Ephemeral keys can be replaced (need another sig) Dishonest merchant can get paid without giving prod –Customer and TP stuck in a loop (need TP state) Unbalanced in favor of customer –Customer can force outcome with payment token

How the Attacks Were Found uAll found by hand while constructing model Did not see them before building the model uMOCHA found traced-based attacks 1 and 2 uMOCHA should have found attack 4 Ran for 150 hours with no answer

Conclusions uThink carefully about your models! Process of creating formal model uncovers bugs Large impact on model checker’s efficiency uMOCHA limitations frustrating Usually used for simpler models? uChecking invariants successful uChecking ATL properties time consuming MOCHA didn’t answer in a reasonable time

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.