Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of...
-
Upload
cameron-harrison -
Category
Documents
-
view
218 -
download
0
Transcript of Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of...
![Page 1: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/1.jpg)
Digital Cash Protocols:A Formal Presentation
Delwin F. Lee & Mohamed G.GoudaThe University of Texas at Austin
Presented bySavitha Krishnamoorthy
CIS 788
The Ohio State University
![Page 2: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/2.jpg)
Outline Motivation Contribution Digital Cash Protocols Specs of Millicent Proof of Correctness Specs of Micropayments Proof of Correctness Comments
![Page 3: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/3.jpg)
Motivation Increasing need for protocols
facilitating online transactions
No existing formal verification of security of Digital Cash Protocols
Choice of protocols• Both prominent, largely supported• Techniques used can be applied to
other protocols
![Page 4: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/4.jpg)
Contribution No formal verification available for
any security protocol
Presents a formal technique of proving correctness
![Page 5: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/5.jpg)
Digital Cash Protocols Tailored to small purchases in micro-
commerce applications Need to prove security before
approval Protocols verified
• Compaq’s Millicent• IBM’s Micropayments
![Page 6: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/6.jpg)
Concepts & Proof
Proof uses concepts of • Closure• Convergence• Protection
Proves protocol security against• Forgery• Modification • Replay
![Page 7: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/7.jpg)
Abstract Protocol Notation Each process defined by consts, variables,
parameters, and actions
Guard of action of Process P• Boolean expression over constants and
vars of p• A receive guard: rcv<message> from
process q• Timeout guard (Boolean exp over consts
and vars of every process,contents of all channels in the protocol
![Page 8: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/8.jpg)
Definitions State: Function of protocol- assigns
each variable a value from its domain, to each channel a sequence of messages
Transition: A pair(p,q) of states, Guard is true at p, execution of action when state=p -> state=q
Computation: Infinite sequence of states (p.0,p.1,p.2,…) s.t. (p.i,p.i+1) is a transition
![Page 9: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/9.jpg)
Definitions Contd…
Safe state: occurs in any computation starting from an initial state of protocol
Error State: State reached when adversary executes its action
Unsafe state: an error state or occurs in a computation starting from an error state
![Page 10: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/10.jpg)
Secure Protocol Satisfies:
• Closure: In every computation if first state is safe, every state is safe
• Convergence:Protocol computation whose first state is unsafe, has a safe state
• Protection: In each transition whose first state is unsafe, critical variables of protocol do not change their value
![Page 11: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/11.jpg)
Technique of Proof Presentation of protocol in abstract
notation
Identification of Parties involved
Identification of actions executed at each party
State transformations with every action
Adversary Actions
Convergence from fault span, Protection
![Page 12: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/12.jpg)
To Prove
Convergence of protocol
Protection of protocol
![Page 13: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/13.jpg)
Specs of Millicent
Parties: Customers, Vendors
Customer specific, vendor specific scrip:• Identity of customer• Identity of vendor• Value of scrip (dollars)
![Page 14: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/14.jpg)
The Millicent Protocol Value of scrip buy request, scrip
request Message flow:
![Page 15: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/15.jpg)
Fields of Scrip Sequence number: detects scrip
replay Vendor Stamp: detects scrip forgery Signature: Scrip modification
MD(i|j|val[j]|seq[j]|stamp[j]|newval|sc[j])
![Page 16: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/16.jpg)
Customer Actions
C.0:Send Request, with new scrip value; Compute signature to be included in the message
C.1: Receive and verify new scrip
C.2:Time out and retransmit• If message was sent and channels are
empty
![Page 17: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/17.jpg)
Vendor Actions Receive request from customer Compare seq no. to expected
seq no. s or s-1 is s is the last scrip s => new request; check validity
of stamp and signature Reply with scrip message
![Page 18: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/18.jpg)
Proof of Correctness Safe States:
• S.0: c[i] sends request message• S.1: v[j] receives request and sends back a
scrip, executing its only action• S.2: c[i] receives the scrip and protocol
returns to state S.0
Fault Span:• Message Forgery (F)• Message Modification (M)• Message replay (R)
![Page 19: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/19.jpg)
State Transition Diagrams
![Page 20: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/20.jpg)
Adversary Actions Forgery:
• S.0->U.0: Adversary in collusion with customer forges a false scrip: cannot reproduce vendor stamp
• Vendor Returns to S.0 (This means a customer can send his scrip only)
• If valid c.0 is executed at U.0, vendor returns to S.1
![Page 21: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/21.jpg)
Adversary Actions Contd…
Modification
• C[i]’s request modified, S.1->U.2• V[j]’s scrip modified, S.2->U.4• Both fail due to signature (MD Hash)
can be verified by either receiver• Message discarded, U2 or U4->U6• C[i] times out, U6->S0
![Page 22: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/22.jpg)
Adversary Actions Contd… Replay
• Current request message replaced with earlier request message, S.1->U.3
• Current scrip message replaced with earlier scrip, S.2->U.5
• Presence of sequence numbers causes message to be discarded, U.3 or U.5 -> U.6
• C[i] times out U.6->S.0
![Page 23: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/23.jpg)
Proof of Security Convergence:
• Any computation with first state = {U.0,U.1,U.2,U.3,U.4,U.5,U.6} has a safe state S.0 or S.1
![Page 24: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/24.jpg)
Proof of Security Contd… Protection: No critical variable is
updated when the protocol starts in an unsafe state
Critical variables:• Customer: Seq, val, stamp • Action updating critical variable: C.1
Scrip is verified before updating
![Page 25: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/25.jpg)
Protection Contd… Critical Variables for vendor: seq,
val, stamp Updated by action v If protocol starts in unsafe state with
rqst message channel modified/replayed
V[j] invalidates message; leaves critical variables unchanged
![Page 26: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/26.jpg)
Micropayment
![Page 27: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/27.jpg)
State Diagrams Interaction b/w
customer and broker: S.0: Initial State S.0->S.1: c[i] sends
cert req to broker S.1->S.2: Broker
action S.2->S.0: c[i] receives
cert
![Page 28: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/28.jpg)
Adversary Actions
![Page 29: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/29.jpg)
Verification Forgery
• S.0->U.0: Adversary creates its own certificate
• Message discarded since broker’s private key cannot be accessed
• U.0->U.1: c[i] requests at U.0
![Page 30: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/30.jpg)
Verification Message Modification
• All messages are integrated with public/private key encryption
Message Replay• Presence of time stamp
![Page 31: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/31.jpg)
Comments Recognizes need for only single scrip
for each vendor
Protocol never deals with combining scrip
Compares two widely used protocols; Micropayment more resource intensive and less efficient
![Page 32: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/32.jpg)
Comments Does not mention key exchange in
millicent; required for signature
Fault Span can include Non-repudiation
![Page 33: Digital Cash Protocols: A Formal Presentation Delwin F. Lee & Mohamed G.Gouda The University of Texas at Austin Presented by Savitha Krishnamoorthy CIS.](https://reader034.fdocuments.us/reader034/viewer/2022052401/5697bfed1a28abf838cb8dbe/html5/thumbnails/33.jpg)
Thank You!