Network Security Netzwerksicherheit Lecture ID ET-IDA-082 2416082 Lecture-21

Network Security Netzwerksicherheit Lecture ID: ET-IDA-082 (2416082) Lecture-21 E-Payment Transactions SET, Pay-Pal, Digital Cash 15. 07. 2009 , v 4 Prof. W. Adi Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 1

Outlines - E- Online Payment - SET: Secured Electronic Transaction - Pay Pal - Digital Cash - Blind signature - Cut-and-Choose protocol - RIS (Random Identity String) Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 2

Overview of E-Paymen (1/2) • Various electronic devices for e-payment Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 3

Overview of E-Payment (2/2) • Participants – – Payer payee banks trusted third party (TTP) TTP • “Medium“ of Exchange – cash – cheque – bank card • Security – Based on Public-key Infrastructure, X. 509 Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering Payer (customer) W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 4

Secure Electronic Transactions (SET) Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 5 5

Secure Electronic Transaction SET • Outlines of SET – – – SET, An Open Standard, RFC 3538 Developed by Visa and Master. Card Designed to protect credit card transactions over Internet Confidentiality: all messages encrypted Trust: all parties must have digital certificates, nonrepudiation – Privacy: information made available only when and where necessary • SET Business Requirements – Provide confidentiality of payment and ordering information – Ensure the integrity of all transmitted data – Provide authentication that a cardholder is a legitimate user of a credit card account – Provide authentication that a merchant can accept credit card transactions through its relationship with a financial Technical University of Braunschweig institution Network Security IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Module number: ET-IDA 082 Page : 6

SET (Secure Electronic Transactions) • • • Provides a secure communications channel among all the parties involved in a transaction: Customer, Seller, Customer’s credit provider, Seller’s bank. Provides trust by the use of X. 509 v 3 certificates. Ensures privacy because information is only made available to the parties that need it. Cardholder account authentication to the Merchant (Cardholder must have a Certificate issued by the credit company). Merchant may issue a temporary Certificate to assure the session is not hijacked). Verifies Merchant's relationship with financial institution. Integrity of data customer sends to Merchant (order info tied to funds transfer). Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 7 7

SET - Steps in a Transaction 1. Customer opens account with credit company or bank. 2. Bank issues X. 509 cert. to the Customer with RSA Keys. 3. Merchant has two certificates, signing and key exchange. ---4. Customer places an order. 5. The Merchant sends the customer a copy of his certificate. 6. The Customer sends Order Information (OI) encrypted so the Merchant can read it, and Payment Information (PI) encrypted so the Merchant can not read it. --7. Merchant requests payment by sending PI to the “Payment Gateway” (who can decrypt it) and verifies Customer’s credit. 8. Merchant confirms the order to the Customer. 9. Merchant ships goods to Customer. 10. Merchant sends request for payment to the Payment Gateway which handles transfer of funds. Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 8 8

Secure Electronic Transaction 6. Electronic Funds Transfer Model 3. Ve rific 4. t yp cr En on C m o. nf t. I en ym Pa fir ed Internet 7. Statement 2. 8. Periodic Statement ation 1. Order & Payment Info. (OI & PI) 5. Confirm Cardholder (customer) Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 9

Construction of Customer’s Dual Signature Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 10 10

SET – Customer’s Dual Signature Dual-Sig = E cus-private [ H ( H(PI) || H(OI) ) ] The Dual signature allows proof that: that 1. Merchant has received Order Information (OI). 2. Bank has received Payment Information (PI) and verified the Customer signature. 3. Customer has linked OI and PI and can prove later that PI was not related to a different purchase. Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 11 11

SET Customer’s Purchase Request Innovative idea of SET dual signature: • Bank does not see OI • Merchant does not see bank information Passed on by merchant to payment gateway Received by Merchant Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 12 12

SET Merchant Verifies Customer Purchase Request Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 13 13

SET Transaction over SSL (1/2) • • Secure Socket Layer SSL , RFC 2246 A secure “tunnel“ through the Internet Runs above TCP/IP and below application layer Handshake to create connection 1. hello te 2. certifica Alice 3. KB+(MS) = EMS SSL session: Ks+(Data) Bob Ø MS = master secret (to derive symmetric session keys Ks) Ø EMS = encrypted master secret Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 14

SET Transaction over SSL (2/2) 6. Electronic Funds Transfer 3. Ve r 7. Statement 2. d m te fir on C 4. yp cr En SSL tunnel over Internet. fo In 1. Order & Payment Info. 5. Confirm t en ym Pa 8. Periodic Statement ifica tion Cardholder (customer) Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 15

Pay. Pal A P 2 P Account based E-Payment System Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 16

A P 2 P E-Payment System - Pay. Pal 2. e as h c 1. ur P 6. Statement g n si u Pa t/ es qu re ** or k ec e er h ic sf r c ot an e ln tr ap ai st p e ue iv Em eq ce 3. R Re l Pa y s nd Fu r sfe sit)** ran po T 5. (de 4. 7. Periodic Statement Payer (customer) Tr an (w sfe ith r F dr un aw d s ) ACH: Automatic Clearing House **: Optional Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 17

Digital Cash Fundamental Concepts Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 18

Basic Concepts of Digital Cash • An Important Role in E-Payment • Description of Digital Cash – – First proposed by Chaum in 1982, with blind signature Try to build a cash, electronically equivalent to paper currency Electronic money, monetary value stored on electronic device Exchanged electronically v A payment message bearing a digital signature which functions as a medium of exchange or store of value. v Need to be backed by a trusted third party TTP, usually the government and the banking industry. Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 19

Properties of Digital Cash* • Independence not depend on any physical condition • Security Not possible to reused/double-spent or forged • Privacy protect the privacy/anonymity of the user, untraceable • Off-line Payment payee does not need to link to the bank • Transferability be transferred directly from one user to another and re-spent) • Divisibility be subdivided into many pieces, but the sum must be equivalent to the original *reference: Tatsuaki Okamoto and Kazuo Ohta, Universal Electronic Cash, CRYPTO’ 91 Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 20

Digital Cash vs Credit Card Anonymous Identified Online or Offline Online Store money in digital wallet Money is in the Bank Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 21

W t ith osi dra p De wa l Basic e-Cash Protocol (1/3) Payment Payer (customer) Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 22

Basic e-Cash Protocol (2/3) ith W sit po 1. Customer asks his Bank to withdraw $10. Payment 2. Bank returns a $10 coin which looks like this : {I am a $10 coin, #4527}SKB and withdraw $10 from Customer account. 3. Customer accepts the coin if bank’s signature is valid. De dra wa l • Withdrawal Protocol Payer (customer) • Payment Protocol 1. Customer pays the merchant with the coin. 2. Merchant accepts the coin if bank’s signature is valid. • Deposit Protocol 1. Merchant gives the coin to the Bank. 2. Bank checks own signature. If valid, pays $10 to merchant. Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 23

Basic e-Cash Protocol (3/3) Possible Implementation Scenario Merchant Customer Bank m send message m m= amount, serial no (m)d spen d send (m)d d is secret key of the Bank Verify / claim Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 24

Problems and Solutions • Problems – Anonymity Problem Bank can link user to serial number, therefore bank knows where the user spent the coin. – Double Spending Problem Copy the original coin and spend it again • Solutions – – – Blind signature (to create anonymous coins) Cut-and-Choose protocol (enhance anonymity) RIS (Random Identity String) Secret splitting Group signature … Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 25

Blind Signature: mechanical Simulation • The content of the message is disguised (blind) before it is signed. User A User B M B Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 26

Blind Signature Cryptographic scheme Blinding Factor ( re r r ) Open directory e Private key d Bank’s Public key e d. e = 1 mod φ(m) All arithmetic modulo m m = p q (RSA Modulus) User B User A M Private key d x = ( r M-1 B Md r ) d Signed Message: bank does not know the signed contests! Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 27

Blind Signature on Message m User adds a blinding factor b to m • r = ( m )b e • Bank signs r rd = (mbe)d • rd =(mbe)d = (m)dbed = (m)d b Bank could keep a record of r User can remove blinding factor to get m signed • User multiplies rd by b-1 to get md Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 28

Cut-and-Choose Protocol (1/3) • Create k different blinding factors: b 1 e, …, bke • Blind k equal units m 1 b 1 e, …, mk bke m 1 b 1 e mkbke , …, • Send to bank for signing Bank Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 29

Cut-and-Choose Protocol (2/3) • Bank chooses k – 1 to check • Customer gives all blinding factors except for unit I • Bank checks they are correct i Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 30

Cut-and-Choose Protocol (3/3) • Bank signs the remaining one and sends it back – (mibie)d = midbi Customer Se ri al no • The customer removes the blind using bi-1 mi d Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 31

Random Identity String RIS • During the payment, the User is forced to write RIS on the coin. • RIS must have the following properties: – must be different for every payment of the coin – only the user can create a valid RIS – two different RIS on the same coin should allow the bank to retrieve the user ID • Example The User prepares 100 bills of $20 which look like this : Mi = (I’m a $20 coin, #4527 i, yi 1’, yi 2’, … yik, yik’) where i = 1. . 100, yij = H(xij), yij’= H(xij’), where of Braunschweig for all i, j Network Security Technical Universityxij ⊕ xij’ = User ID IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Module number: ET-IDA 082 Page : 32

Secret Splitting (1/2) • A method that splits the user ID in to n parts • Each part on its own is useless but when combined will reveal the user ID • Each user ID is XOR with a one time Pad, R – E. g. User ID = 2510, R = 1500: – 2510 XOR 1500 = 3090 – The user ID can now be split into 2 parts, i. e. 1500 and 3090 – On their own they are useless but when XOR will reveal the user ID – I. e 1500 XOR 3090 = 2510 Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 33

Secret Splitting (2/2) • A typical digital coin – Header Information – Serial number – Transaction Item – pairs of user ID’s • User ID: 1500 XOR 3090 = 2510 1500 4545 XOR 6159 = 2510 4545 5878 XOR 7992 = 2510 5878 Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 User ID Network Security Module number: ET-IDA 082 Page : 34

Smart Card for Digital Cash • Smart Card – made of plastic – chip, integrated circuit – memory, microprocessor • Why Smart Card? – Portability of Digital Cash – Transferable – Double Spending protection Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 35

Digital Cash Products • Digi. Cash http: //www. digicash. com/ – founded and created by David Chaum in 1990 – ecash, a prototype for digital cash, 1995 – Chaum’s digital cash system, but on-line • Cyber. Cash/Cyber. Coin http: //www. cybercash. com/ – founded in 1994 by William Melton and Daniel Lynch – Wallet, access to credit card and cyber coin • Mondex http: //www. mondex. org/ – smart card based – originally developed by National Westminster Bank in the United Kingdom Digital Cash Products still not acceptable for wide spread use !! Technical University of Braunschweig IDA: Institute of Computer and Communication Network Engineering W. Adi 2005 Network Security Module number: ET-IDA 082 Page : 36