FREE ELECTRONIC LIBRARY - Abstract, dissertation, book

Pages:     | 1 | 2 || 4 | 5 |   ...   | 7 |

«Payment Systems (Ch. 17 of Course Material “Security”) Birgit Pfitzmann Dept. of Computer Science Saarland University pfitzmann ...»

-- [ Page 3 ] --

The danger with linkability is reidentification: After some time, there is usually enough information available about the person performing all these actions to identify her. E.g., if a phone card is bought in perfect anonymity, patterns of calls to one’s home might identify the owner.

Even more clearly, if one can make Geldkarte-like card payments under a number (pseudonym), but one is more or less forced to reload the card from one’s own account and the card number is shown to the bank in reloading, all the payments are no longer anonymous from the bank.

–  –  –

There is no social reason for having anonymity without unlinkability, but a number of proposals have it for technical simplicity.

So far we have identified goals. The next criteria are the trust model. (Compare Chapter 1; anonymity of payment systems is an example where some requirements engineering is really needed, while for small systems like encryption systems and signatures systems it was a bit of an overkill.)

• From whom is the anonymity?

• Real anonymity. This means that anonymity holds against all other parties (even if they cooperate), similar to real coins.

• One party only. The anonymity only holds against one of the canonical two partners. For a payer in a payment, this means that he is only anonymous from either the recipient or the banks, or at least only those two do not cooperate. (One typically just talks of “the banking systems” in such contexts, but distinguishing the payer’s and the recipient’s bank could also be useful.)

• k-out-of-n central parties (typically with k = n). There are several central parties. If k of them cooperate, they can identify someone. There can be two reasons for this, which have

different names:

• Anonymizers: The anonymity is achieved by passing money (or a representation of it) through several parties, who each can link the old form with the new form, but not beyond.

• Escrow: One starts with a fully anonymous system and, for reasons of law enforcement, now adds additional parties and shares some private information among them such that they can identify.

Then one can further distinguish in what granularity they identify: per payment, or all payments of one person together, also future payments etc.

A problem with these approaches is (apart from the natural question whether one trusts the parties as such), that one attacker might break into all their computer systems.

Finally, there are degrees of security with which anonymity can hold.5

• Among how many people is one hidden when anonymous? Obviously, the more the better. If an anonymity group, i.e., the set of people who could have performed an action, becomes too small, there is a risk both of reidentification and that any bad luck directed to the real actor happens to the whole group instead.

In particular, one must take care that different actions that are linkable by outside data are not performed in different anonymity groups, because then an attacker would know that the real actor is in the intersection of the two groups. E.g., this is a problem with many remailers, because a different anonymity group is given for each message. Now if several messages belong to the same business transaction …

• The optimum with a payment system is “among all clients of your bank”.

–  –  –

• Where communication anonymity plays a role, these groups are typically intersected by groups that communicate in the same local area or at the same time.

• Furthermore, there are natural links by outside data like time and amount. E.g., if only very few payers withdraw “electronic coins” of very high value, and some recipients deposit them, there is only a small set of possible payers who can have made that payment.

• Standard degree of security like information-theoretical versus computational.

Finally, note that integrity and anonymity are no contradiction. For the payment systems alone this will become clear by the constructions, even with fair receipts. Fair exchanges of goods and money can also be done anonymously, see [BüPf_90]. Where identification during a purchase is needed for other purposes (e.g., buying dangerous goods), it can be done by normal tools for this purpose, e.g., a digital signature. (A more general study of what legally relevant actions can be anonymous and how can be found in [PWP_87].) 17.2 Non-Anonymous Online Systems We now look at concrete systems. The criteria by which they are primarily sorted were chosen for technical similarity: The main technical difficulties are to achieve anonymity and to achieve offline payments. Hence non-anonymous online systems are the easiest class. This is the class where, to get a secure system, you (more or less) simply need to take one of the classical paper-based systems with handwritten signatures and use digital signatures instead. However, not all current systems are actually so secure.

In principle, all these system are state-of-the-art of around 1980, but they only come into real practice now because of Web applications.

17.2.1 Cryptoless Systems Some payment systems do not use any cryptography at all. The best-known examples are simple credit-card payments on the Internet, i.e., A — credit card number — B This is totally insecure from the cryptographic point of view, but actually secure for the payer in real life!6 The reason is that so-called MOTO transactions (mail order/telephone order), where the supposed recipient of a payment has no signature of the payer, are not binding by the credit card conditions in Europe, i.e., the client can cancel them when they appear on his statement of account.

This is reasonable because the recipient has nothing really in hand to prove that the payer wanted to pay.7 Of course, then someone else bears the risk of the technical insecurity, here the recipients. In some cases they may be quite willing to do so out of a certain risk analysis, e.g., companies that deliver books in small quantities to physical addresses. However, the fraud with this type of payment seems to be going up; I heard numbers about 25% wrong Internet payments in the US Christmas sale

–  –  –

1998, while credit card fraud usually “only” makes up 1-2% of the total sum. In the end, of course, consumers pay for this by higher prices.

17.2.2 Secure Symmetric Channels Only The typical example here is simple credit card payments, but via SSL-channels that the browser offers. Any other simple password scheme with any other secure channels would achieve the same effect.

Recall from Chapter 11.4 that SSL achieves confidential and authenticated channels, but is symmetric. In particular, the recipient still gets the credit card number or other password, and no signatures. If one still considers such transactions as MOTO (which one should, and currently does), it makes no difference for the payer compared with Section 17.2.1, but the overall risk for recipients is reduced because it is again about as hard for attackers to collect credit-card numbers as in the nondigital world.8 Home banking schemes relying on PINs or TANs (transaction numbers) and used together with SSL or other secure channels are somewhat similar, i.e., they are symmetric with the bank, but the risk that other recipients also see the “secret” is gone. Of course, symmetric authentication would then be the cryptographically better solution.

17.2.3 Real Symmetric Systems These systems are now somewhat out of date, but still sometimes proposed instead of the systems with signatures under the name of micropayments because they are faster but less secure. (Typically, however, “micropayments” is used for systems with more distinct features, see Section 17.2.5.) The basic principle is to put symmetric authentication where you would typically expect signatures. E.g., with a money transfer system this can be done with a simple 2-message flow as in Figure 17.1.C.

With a cheque-like message-flow it only makes sense with a pay-now model, because the recipient cannot even verify the authentication on the payment message (which must be for BankA), and thus he does not know whether he has anything in hand. The original NetBill system was of this type, but newer versions use signatures.

17.2.4 Simulating Paper System with Signatures As mentioned, here you can in principle just simulate cheques, credit cards, money transfers — technically all rather similar. These are the cryptographically secure alternatives to Sections 17.2.1 to 17.2.3.

Note, however, that as a payer you don’t have an advantage over Section 17.2.1. In fact, as long as you don’t have a really secure device, you have a big disadvantage if you now become liable for any payments made with your key, because you have no full control over this key. Hence the SET standard mentioned below actually intended not to make payers liable. In the other case, the investment (e.g., in certificates) should reasonably not be paid by the payers, and the need to limit liability (cf. Section 8.2.2) becomes strong.

–  –  –

• Home banking. An important example is the German standard HBCI (home banking computer interface), see [HBCI_98]. This standard closely reflects all paper payment models where payers and recipients only interact with their respective banks, e.g., money transfers and debit orders.

It is primarily a protocol standard (cf. Section 11.0). However, some requirements on the security of products implementing the client part are made. In particular, some not yet fully specified security of key storage is required (but they think maximally of smartcards) and some requirements on the user interface. Furthermore, registration is fixed: The client registers directly with the bank by sending a handwritten signature. (Usage of external certificates may be considered in the future.) The message formats follow paper forms quite closely and seem designed in a robust way at a first glance. (In particular, the freshness measure is sequence numbers, and there are no optimizations in the message format.) The communication is somewhat connection oriented, i.e., there is a dialogue start message and a corresponding end message, but mainly to exchange parameters, not for session key establishment — encryption, if used at all, is hybrid encryption on a per-message basis. Between the dialogue start and end messages, the client can send one or more orders, which are immediately answered by the bank.

Cryptography is rather fixed (RSA, key length 768). For backward compatibility with certain smartcard systems, symmetric authentication is also still allowed (unfortunately also called signatures).

• Secure credit cards. These are systems like CyberCash, IBM’s iKP (actually only 3KP from this series), newer versions of NetBill and, most importantly, the credit card companies’ standard SET. The latter was designed as a compromise between all the former and some more, and got quite complicated in the process.

These systems essentially follow the message flow in Figure 17.1.B. The formats get a bit more complicated than for home banking, because the message to the merchant includes the authorization from the payer to her own bank. Often there are initial messages for setting up parameters or for agreeing on a price. (However, such agreements do not really belong inside the payment system because they might be integrated with a catalogue, or for more complicated purchases with negotiations of other features.) iKP is a rather short variant for reading, but not a simple robust design, but extremely optimized without a clear proof. See the exercises.

• Cheques. As mentioned before, there is no real difference between the payment models of credit cards and unguaranteed cheques. The main concrete proposal under the name of cheque is that of FSTC (Financial Services Technology Consortium) in the US. They also recognized that with more or less the same formats one can implement other payment models, too.

17.2.5 Micropayments with One-Way Chains Micropayments in the narrow sense are more efficient payments for the special case where a payer makes many successive payments to the same recipient. The underlying business model is paying for many individual web pages from the same server (although business analysts currently tend to say that other models will prevail). Another application is phone ticks, i.e., paying a network provider for Version 23. März 2000 17 Payment Systems 15 small units of communication; in this context (but for an anonymous system) the idea first came up [Pede_97].

The following system is cheque-like. The idea is to set up all important parameters in a first message, which is signed in a normal way. The following messages can be interpreted as fresh signatures on always the same message “I agree to pay one more unit”. This can be done with an identification system, see Section 9.4; specifically the system with one-way chains is used.

Setup message: Concretely, the first message might be sign(skA, (prot, “setup-msg”, seqno, B, price_per_unit, pkchain)

The fields have the following meanings:

• skA is A’s normal signing key.

• The next three fields are normal robust design, i.e., prot is the name of this payment protocol, “setup-msg” denotes that this is the first message (maybe there are others in the overall protocol), seqno is a sequence number to avoid replay of such messages.

• Then comes an identifier of the recipient, here B.

• Now comes the price per unit of the payments. Thus there must be a fixed price per web page on this server (or one has to pay several units per page) or per a certain number of seconds of communication. (However, the description of the goods need not be included here.)

• Finally comes a new session-public-key for the chain system. This has been generated by the payer as follows and is only used in this one payment: Let f be a one-way function (even better a one-way permutation, but typical practical one-way functions like f: k → DES(k, m0) for a fixed message m0 are not). f is fixed for prot. Let {0, 1}l be the message space for the current security parameter l. Then sk ∈ R {0, 1}l, pk := fx(sk), where x is the maximum number of units one expects to have to pay. (Fix it?)

Unit payments:

Pages:     | 1 | 2 || 4 | 5 |   ...   | 7 |

Similar works:

«Ballyvaughan Tidy Towns Survey of Wildlife and Natural Amenity 2014 Prepared by Phoebe O’Brien, BSc (Hons. Botany) For The Ballyvaughan Community Development Group and Burren and Cliffs of Moher Geopark LIFE project Acknowledgements I would like to thank Carol Gleeson of the Burren and Cliffs of Moher Geopark Life Project and Padraig Cleary and the Ballyvaughan Development Group for enabling this wildlife survey and for their support and direction. I would like to thank Dr Stephen Ward for...»

«University of Southampton Research Repository ePrints Soton Copyright © and Moral Rights for this thesis are retained by the author and/or other copyright owners. A copy can be downloaded for personal non-commercial research or study, without prior permission or charge. This thesis cannot be reproduced or quoted extensively from without first obtaining permission in writing from the copyright holder/s. The content must not be changed in any way or sold commercially in any format or medium...»

«Flash Fiction Competition 2013 Image 3 children’s entries Title Author Page Pork and Piggy Amelia Morawiak 3 The Angry God Bilal Sha Jihan 4-5 Defonia and The Magic Stick Eleanor Tuladhar-Douglas 6 The 4 Dragons Jamie Smith 7 Poor Jack Suzie Bator 8-9 The Chenka Herb Soumya Sree Tangirala 10 The Wicked Satyr Boluwatife Joseph Modupe11 Joseph THE BEAST AND THE VILLAGE Georgia McInnes 12 The Flasher and the Flashlight Ieva Valanciauskyte 13 The Return Off The Beast Izhar Salaam 14 The Girl who...»

«20-1 Generalized Anisotropic Material Generalized Anisotropic Material This tutorial describes how to simulate an anisotropic material in Slide. There are actually four different ways to do this, but the emphasis of this tutorial will be on using the Generalized Anisotropic option, which allows you to specify different material types in different directions. The tutorial will also explain how to perform a probabilistic analysis with this type of material. The finished product of this tutorial...»

«25.08.2010 Hintergrundpapier zum Entwurf eines Gesetzes zur Regelung des Beschäftigtendatenschutzes Kabinettbeschluss vom 25.08.2010 Ausgangslage und Regelungsbedarf • Seit Jahrzehnten wird über die Notwendigkeit gesetzlicher Regelungen für den Beschäftigtendatenschutz diskutiert. Verschiedene von der Öffentlichkeit stark diskutierte Vorfälle in den vergangenen Jahren zeigen, dass eine generelle Regelung des Beschäftigtendatenschutzes notwendig ist.• Es gibt bereits heute zu vielen...»

«Wernher Der Gartner Helmbrecht Free ideas are your many time pdf calculators, jobs or people per all company. Your concept interest has especially to run your choice. Behind drafting them had your debt with the deposit, and had compared of it was to start here of 23 shoppers to hammer a reliability if all difference article and help back a download oriented if end. Searching its vacation started if going state years that are clean in your check-up's energy forces. The air only expenses are a...»

«[17 December, 2009] Anarchist Book Project Essay THE ROLE OF ANARCHISM IN MORGAN RODGERS GIBSON CONTEMPORARY ANTISYSTEMIC SOCIAL MOVEMENTS [5003 Words] | Morgan Rodgers Gibson s2586201 ENOUGH IS ENOUGH! THE FAILURE OF THE STATE AND THE RISE OF ANARCHISM IN THE PURSUIT OF TRANSFORMATIVE SOCIAL CHANGE Radical, or what will here be referred to as ‘antisystemic’ social movements – since their emergence in both ‘national’ and ‘social’ forms during the nineteenth century – have gone...»

«Optimierung und Etablierung von Testmethoden und funktionelle Untersuchung verschiedener Aquaporine & Aquaglyceroporine Dissertation zur Erlangung des Doktorgrades der Mathematisch-Naturwissenschaftlichen Fakultät der Christian-Albrechts-Universität zu Kiel vorgelegt von Abdulnasser Almasalmeh Kiel 2013 Referent: Prof. Dr. E. Beitz Korreferent: Prof. Dr. T. Kunze Tag der mündlichen Prüfung: 25.03.2013 Zum Druck genehmigt: 26.03.2013 Prof. Dr. Wolfgang J. Duschl (Dekan) ً‫ُلْ َب...»

«CHAPTER 3 AMUSEMENTS ARTICLE I. IN GENERAL Section 3-1. Circuses, carnivals and merry-go-rounds. No person shall exhibit any circus, carnival, merry-go-round or any other show of any kind, at any place within the town, unless it be situated so as not to disturb or annoy any of the Citizens and unless in addition, it shall first have been approved by the town council. ARTICLE II. OPEN AIR CONCERTS AND SIMILAR ENTERTAINMENTS Section 3-2. Required; exception. (a) No person shall sponsor, organize...»

«Revista Alicantina de Estudios Ingleses 12 (1999): 19-36 Postmodernist Narrative: In Search of an Altemative. Brian Crews Universidad de Sevilla ABSTRACT The development of the novel form is an exploration of the possibilities for realistic representation which is increasingly informed by an understanding that distortion and fabrication are inevitable consequences of the mediating process of narrative. The search for alternatives to conventional modes of representation as a way of...»

«FLOWERING TREES & SHRUBS IN INDIA by D.V. Cowen FOREWORD TO SIXTH EDITION I am flattered at being invited by the publishers to write a foreword for the sixth edition of this beautiful and popular book which has been out of print for several years and much missed and sought after by tree lovers. Not that a fresh foreword is at all necessary or called for after the book has established popularity and usefulness so unmistakably and especially a Foreword by one who is neither a botanist nor an...»

«Introduction Thank you for your interest in graduate degree programs in the Department of Earth and Atmospheric Sciences at the University of Alberta. We hope that this brochure and our web site www.ualberta.ca/eas will provide you with information to help you to make a decision about submitting an application. Specific questions can be sent by mail, telephone, fax, or electronic mail to: Graduate Program Administrator Department of Earth and Atmospheric Sciences 1-26 Earth Sciences Building,...»

<<  HOME   |    CONTACTS
2016 www.abstract.xlibx.info - Free e-library - Abstract, dissertation, book

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.