A FEW E-COMMERCE APPLICATIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 9 of Trappe and Washington
E-COMMERCE: SET SET = Secure Electronic Transaction Consider a credit card transaction over the net. We want: Authenticity No impersonations. No forgeries. Integrity Documents cannot be altered after the fact. Privacy The details of the transaction should be private. Security Credit card numbers & the like must be protected. SET - a collection of crypto protocols for credit card transactions ( 1997) 1
Characters Cardholder Merchant Bank SET EXAMPLE H - a public hash function PKC - say RSA These guys don t trust one another Encryption/Decryption Functions E C E M E B Public Private D C D M D B Cardholder GSO - goods and services order (cardholder s name, merchant s name, prices, etc.) PI - payment instructions (merchant s name, card number, total price, etc.) 2
SET EXAMPLE CONTINUED Q: Who knows what from the transactions? Cardholder Computes GSO md = H(E M (GSO)) PI md = H(E B (PI)) PO md = H(PI md GSO md ) DS = D C (PO md ) Sends E M (GSO), DS, PI md, E B (PI) to Merchant Merchant (on receiving E M (GSO), DS, PI md, E B (PI)) Computes Checks gso md gso md = H(E M (GSO)) b = H(PI md gso md )? = H(EM (gso)) & b? = c Sends GSO md, E B (PI), DS to the Bank gso = D M (E M (GSO)) c = E C (DS) 3
SET EXAMPLE, CONTINUED Bank (on receiving GSO md, E B (PI), DS) Computes Checks b? = c pi md = H(E B (PI)) c = E C (DS) pi = D B (E B (PI)) b = H(pi md GSO md ) Sends E M (a payment auth. + signature) to Merchant. Merchant Sends E C (receipt + signature) to Cardholder. 4
DIGITAL CASH Okamoto & Ohta s Criteria Cash can be sent securely through computer networks Cash cannot be copied or reused. The spender can remain anonymous neither the merchant nor the bank can id the spender The transactions can be done off-line the bank does not have to be involved. Cash can be transfered to others. Cash can be divided into smaller amounts. 5
Characters BRANDS S DIGITAL CASH SCHEME Bank Spender Merchant Central Authority Central Authority Chooses: Eve L. Dewar A prime p q = (p 1)/2 is also prime. α a primitive element of Z p. g = α 2 (mod p). (So: g e 1 g e 2 (mod p) e 1 e 2 (mod q)) e 1, e 2 Z p 1 secret exponents. g 1 = g e 1 and g 2 = g e 2. H: Z 5 Z q and H 0 : Z 4 Z q. Hash functions Public: p, q, g, g 1, g 2, H, and H 0. Private: e 1 and e 2 6
BRANDS S DIGITAL CASH: THE SETUP CONTINUED The Bank Chooses x ran Z q The bank s private ID Computes h = g x, h 1 = g1 x, and h 2 = g2 x. (All (mod p)) h, h 1, h 2 the bank s public ID The Spender Chooses u ran Z q The spender s private ID Computes I = g1 u (mod p) & sends I to the bank. The Bank Saves I + info on the spender Computes z = (Ig 2 ) x (mod p) and sends z to the spender. The Merchant Chooses an ID number M and sends it to the bank. 7
Coin (A, B, z, a, b, r) Z 6 CREATING A COIN Spender Asks bank for a coin and sends ID I. Bank Chooses: w ran Z q and computes: Sends g w and β to the spender. In number theory we trust. g w g w β (Ig 2 ) w Spender Chooses (s, x 1, x 2, α 1, α 2 ) ran Z 5 Computes: A (Ig 2 ) s B g x } 1 1 gx 2 2 z (z ) s a g α 1 w g α 2 b β sα 1A α 2 A=1 not allowed. } (mod p) (mod p) 8
CREATING A COIN, CONTINUED Spender continued Computes c α 1 1 H(A, B, z, a, b) (mod q). Sends c to the bank. Bank Computes c 1 (c x + w) (mod q). Sends c 1 to the spender. Spender Computes r (α 1 c 1 + α 2 ) (mod q). The coin (A, B, z, a, b, r) is complete. The amount of the coin is removed from the spender s bank account. 9
SPENDING THE COIN Spender Gives the coin (A, B, z, a, b, r) to the merchant. Merchant g r ah H(A,B,z,a,b) Checks: A r z H(A,B,z,a,b) (Check on board) b (mod q) Computes d = H 0 (A, B, M, t), where t = a time stamp. Sends d to spender. Spender Computes r 1 d u s + x 1 r 2 d s + x 2 Sends r 1 and r 2 to merchant. } (mod q) Merchant Checks: g r 1 1 gr 2 2 Ad B (mod p) (Check on board) Accepts the coint iff this holds. 10
DEPOSITING THE COIN IN THE BANK Merchant Sends (A, B, z, a, b, r) and (r 1, r 2, d) to the bank. Bank Checks that the coin has not yet be deposited. Fraud control (If it has, call the cops.) Checks that g r a h H(A,B,z,a,b) A r z H(A,B,z,a,b) b g r 1 1 gr 2 2 Ad B Accepts the coin iff these check out. (mod p) 11
FRAUD CONTROL: I The spender tries to spend the same coin with the merchant and the vendor. Merchant Sends the coin and (r 1, r 2, d) to the bank. Vendor Sends the coin and (r 1, r 2, d ) to the bank. Bank Since r 1 r 1 us(d d ) (mod q) r 2 r 2 s(d d ) (mod q) we have u (r 1 r 1 )(r 2 r 2 ) 1 (mod q) I g1 u (mod q) the ID of the spender 12
FRAUD CONTROL: II The merchant tries to deposit the same coin twice Once with (r 1, r 2, d) legit Once with (r 1, r 2, d ) forged This is hard to do. The merchant has to produce r 1, r 2, and d g r 1 1 gr 2 2 Ad B (mod p). 13
FRAUD CONTROL: III Someone tries to make an unauthorized coin This requires finding numbers } g r a h H(A,B,z,a,b) A r z H(A,B,z,a,b) b (mod p) } Discrete logs and worse! Eve L. Dewer dot com receives a coin from the spender and tries to spend the coin with the merchant Merchant Computes d for Eve, which is unlikely to equal d. Etc. see text 14
ANONYMITY The spender never needs to show the merchant an ID. The bank never sees the values of A, B, z, a, b, r until the coin is deposited. the bank and the merchant cannot figure out the ID of the spender unless there is double spending. See text for fuller details 15