Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.

Published byCameron Harrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS."— Presentation transcript:

1 Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS 788 The Ohio State University

2 Outline Motivation Contribution Digital Cash Protocols Specs of Millicent Proof of Correctness Specs of Micropayments Proof of Correctness Comments

3 Motivation Increasing need for protocols facilitating online transactions No existing formal verification of security of Digital Cash Protocols Choice of protocols Both prominent, largely supported Techniques used can be applied to other protocols

4 Contribution No formal verification available for any security protocol Presents a formal technique of proving correctness

5 Digital Cash Protocols Tailored to small purchases in micro- commerce applications Need to prove security before approval Protocols verified Compaq’s Millicent IBM’s Micropayments

6 Concepts & Proof Proof uses concepts of Closure Convergence Protection Proves protocol security against Forgery Modification Replay

7 Abstract Protocol Notation Each process defined by consts, variables, parameters, and actions Guard of action of Process P Boolean expression over constants and vars of p A receive guard: rcv from process q Timeout guard (Boolean exp over consts and vars of every process,contents of all channels in the protocol

8 Definitions State: Function of protocol- assigns each variable a value from its domain, to each channel a sequence of messages Transition: A pair(p,q) of states, Guard is true at p, execution of action when state=p -> state=q Computation: Infinite sequence of states (p.0,p.1,p.2,…) s.t. (p.i,p.i+1) is a transition

9 Definitions Contd… Safe state: occurs in any computation starting from an initial state of protocol Error State: State reached when adversary executes its action Unsafe state: an error state or occurs in a computation starting from an error state

10 Secure Protocol Satisfies: Closure: In every computation if first state is safe, every state is safe Convergence:Protocol computation whose first state is unsafe, has a safe state Protection: In each transition whose first state is unsafe, critical variables of protocol do not change their value

11 Technique of Proof Presentation of protocol in abstract notation Identification of Parties involved Identification of actions executed at each party State transformations with every action Adversary Actions Convergence from fault span, Protection

12 To Prove Convergence of protocol Protection of protocol

13 Specs of Millicent Parties: Customers, Vendors Customer specific, vendor specific scrip: Identity of customer Identity of vendor Value of scrip (dollars)

14 The Millicent Protocol Value of scrip  buy request,  scrip request Message flow:

15 Fields of Scrip Sequence number: detects scrip replay Vendor Stamp: detects scrip forgery Signature: Scrip modification MD(i|j|val[j]|seq[j]|stamp[j]|newval|sc[j])

16 Customer Actions C.0:Send Request, with new scrip value; Compute signature to be included in the message C.1: Receive and verify new scrip C.2:Time out and retransmit If message was sent and channels are empty

17 Vendor Actions  Receive request from customer  Compare seq no. to expected seq no.  s or s-1 is s is the last scrip  s => new request; check validity of stamp and signature  Reply with scrip message

18 Proof of Correctness Safe States: S.0: c[i] sends request message S.1: v[j] receives request and sends back a scrip, executing its only action S.2: c[i] receives the scrip and protocol returns to state S.0 Fault Span: Message Forgery (F) Message Modification (M) Message replay (R)

19 State Transition Diagrams

20 Adversary Actions Forgery: S.0->U.0: Adversary in collusion with customer forges a false scrip: cannot reproduce vendor stamp Vendor Returns to S.0 (This means a customer can send his scrip only) If valid c.0 is executed at U.0, vendor returns to S.1

21 Adversary Actions Contd… Modification C[i]’s request modified, S.1->U.2 V[j]’s scrip modified, S.2->U.4 Both fail due to signature (MD Hash) can be verified by either receiver Message discarded, U2 or U4->U6 C[i] times out, U6->S0

22 Adversary Actions Contd… Replay Current request message replaced with earlier request message, S.1->U.3 Current scrip message replaced with earlier scrip, S.2->U.5 Presence of sequence numbers causes message to be discarded, U.3 or U.5 -> U.6 C[i] times out U.6->S.0

23 Proof of Security Convergence: Any computation with first state = {U.0,U.1,U.2,U.3,U.4,U.5,U.6} has a safe state S.0 or S.1

24 Proof of Security Contd… Protection: No critical variable is updated when the protocol starts in an unsafe state Critical variables: Customer: Seq, val, stamp Action updating critical variable: C.1 Scrip is verified before updating

25 Protection Contd… Critical Variables for vendor: seq, val, stamp Updated by action v If protocol starts in unsafe state with rqst message channel modified/replayed V[j] invalidates message; leaves critical variables unchanged

26 Micropayment

27 State Diagrams Interaction b/w customer and broker: S.0: Initial State S.0->S.1: c[i] sends cert req to broker S.1->S.2: Broker action S.2->S.0: c[i] receives cert

28 Adversary Actions

29 Verification Forgery S.0->U.0: Adversary creates its own certificate Message discarded since broker’s private key cannot be accessed U.0->U.1: c[i] requests at U.0

30 Verification Message Modification All messages are integrated with public/private key encryption Message Replay Presence of time stamp

31 Comments Recognizes need for only single scrip for each vendor Protocol never deals with combining scrip Compares two widely used protocols; Micropayment more resource intensive and less efficient

32 Comments Does not mention key exchange in millicent; required for signature Fault Span can include Non- repudiation

33 Thank You!

Download ppt "Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS."

Similar presentations

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:

Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:
1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.

1 Formal Specification and Verification of a Micropayment Protocol Alex X. Liu The University of Texas at Austin, U.S.A. October 13, 2004 Co-author: Mohamed.
Electronic Check Payment Protocols and Systems

Electronic Check Payment Protocols and Systems
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS eCommerce Technology 20-763 Lecture 10 Micropayments II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS eCommerce Technology Lecture 10 Micropayments II.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
1. INDEX 2 A signature is a handwritten depiction of someone’s name or nickname that a person writes on documents as proof of identity and intent. Signature.

1. INDEX 2 A signature is a handwritten depiction of someone’s name or nickname that a person writes on documents as proof of identity and intent. Signature.
COEN 351 Non-Repudiation. A non-repudiation service provides assurance of the origin or delivery of data in order to protect the sender against false.

COEN 351 Non-Repudiation. A non-repudiation service provides assurance of the origin or delivery of data in order to protect the sender against false.
E-mail Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.

Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.

Similar presentations

Ads by Google