Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University.

Published byMaximilian Stafford Modified over 9 years ago

Similar presentations

Presentation on theme: "Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University."— Presentation transcript:

1 Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University

2 Agreement in Hostile Environment l Cannot trust the communication channel l Cannot trust the other party in the protocol l Trusted third party may exist n Last resort: use only if something goes wrong

3 Contract Signing l Both parties want to sign the contract l Neither wants to commit first Immunity deal

4 Fairness If A cannot obtain a contract, then B should not be able to obtain a contract, either (and vice versa) Example (Alice buys a house from Bob) If Alice cannot obtain a deed for the property, Bob should not be able to collect Alice’s money

5 Accountability If trusted party T misbehaves, then honest party should be able to prove T’s misbehavior Example (Alice buys a house from Bob) If escrow service gives Bob Alice’s money without giving Alice the deed, Alice should be able to prove to a judge that escrow service is cheating

6 Formal Protocol Analysis Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Gee whiz. Looks OK to me.

7 Mur  [Dill et al.] l Describe finite-state system n State variables with initial values n Transition rules n Communication by shared variables n Scalable: choose system size parameters l Specify correctness condition l Automatic exhaustive state enumeration n Hash table to avoid repeating states Success with research, industrial protocol verification

8 Optimistic Contract Signing A B m 1 = sig A (PK A, PK B, T, text, hash(R A )) m 2 = sig B (m 1, hash(R B )) m 3 = R A m 4 = R B [Asokan, Shoup, Waidner] m 1, R A, m 2, R B

9 l Contract from normal execution l Contract issued by third party l Abort token issued by third party Several Forms of Contract m 1, R A, m 2, R B sig T (m 1, m 2 ) sig T (abort, a 1 )

10 Role of Trusted Third Party l T can issue an abort token Promise not to resolve the protocol in the future l T can issue a replacement contract Proof that both parties are committed l T decides whether to abort or resolve on the first-come-first-serve basis l T only gets involved if requested by A or B

11 Abort Subprotocol A ??? B Network T a 1 =sig A (abort,m 1 ) a2a2 resolved? Yes: a 2 = sig T (m 1, m 2 ) No: aborted := true a 2 = sig T (abort, a 1 ) m 1 = sig A (… hash(R A )) sig T (m 1, m 2 ) sig T (abort, a 1 ) OR

12 Resolve Subprotocol B A Net T r 1 = m 1, m 2 aborted? Yes: r 2 = sig T (abort, a 1 ) No: resolved := true r 2 = sig T (m 1, m 2 ) r2r2 m 1 = sig A (… hash(R A )) m 3 = R A m 2 = sig B (… hash(R B )) sig T (m 1, m 2 ) sig T (abort, a 1 ) OR ???

13 Race Condition B A m 1 = sig A (PK A, PK B, T, text, hash(R B )) m 2 = sig B (m 1, hash(R B )) T a 1 = sig A (abort, m 1 ) r 1 = m 1, m 2

14 Attack A r 2 = sig T (m 1, m 2 ) m 1 = sig A (... hash(R A )) m 2 = sig B (m 1, hash(R B )) m 3 = R A T r 1 = m 1, m 2 secret Q B, m 2 sig T (m 1, m 2 ) m 1, R A, m 2, Q B contracts are inconsistent!

15 Later... sig A (PK A, PK A, T, text, hash(R A )) B Replay Attack Intruder causes B to commit to old contract with A sig B (m 1, hash(Q B )) RARA QBQB A B RARA sig A (… hash(R A )) RBRB sig B (... hash(R B ))

16 sig A (, hash(R B )) Repairing the Protocol A B m 1 = sig A (PK A, PK B, T, text, hash(R A )) m 2 = sig B (m 1, hash(R B )) m 3 = R A m 4 = R B m 1, R A, m 2, R B

17 Another Property: Abuse-Freeness No party should be able to prove that it can solely determine the outcome of the protocol Example (Alice buys a house from Bob) Bob should not be able to show Alice’s offer to Cynthia so that he can convince Cynthia to pay more

18 Conclusions l Fair exchange protocols are subtle n Correctness conditions are hard to formalize n Unusual constraints on communication channels l Several interdependent subprotocols n Many cases and interleavings l Finite-state tools are useful for case analysis

Download ppt "Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University."

Similar presentations

Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.

Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.
Contract-Signing Protocols John Mitchell Stanford TECS Week2005.

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
For e-Business F. Dignum Utrecht University Trust Reputation and.

For e-Business F. Dignum Utrecht University Trust Reputation and.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.

CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
Probabilistic Contract Signing CS 259 Vitaly Shmatikov.

Probabilistic Contract Signing CS 259 Vitaly Shmatikov.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.

1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

Similar presentations

Ads by Google