
1997 | Book

Security Protocols

International Workshop Cambridge, United Kingdom, April 10–12, 1996 Proceedings

edited by: Mark Lomas

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the refereed proceedings of the International Workshop on Security Protocols held in Cambridge, UK, in April 1996, in the context of the special program on computer security, cryptology, and coding theory at the Isaac Newton Institute.
The 17 revised full papers and one abstract included in the book were carefully selected. Among the topics addressed are several types of public key cryptosystems, digital cash, electronic commerce, digital signatures, and visual cryptography. Besides original theoretical results, the collection of papers shows a strong applications-oriented component.

Table of contents

Frontmatter
On cryptographic techniques for on-line bankcard payment transactions using open networks
Abstract
Recently, two major bankcard payment instrument operators VISA and MasterCard published specifications for securing bankcard payment transactions on open networks for open scrutiny. (VISA: Secure Transaction Technology, STT; MasterCard: Secure Electronic Payment Protocol, SEPP.) Based on their success in operating the existing on-line payment systems, both proposals use advanced cryptographic technologies to supply some security services that are well-understood to be inadequate in open networks, and otherwise specify systems similar to today's private-network versions. In this paper we reason that when an open network is used for underlying electronic commerce some subtle vulnerabilities will emerge and the two specifications are seen not in anticipation of them. A number of weaknesses are found as a result of missing and misuse of security services. Missing and misused services include: authentication, non-repudiation, integrity, and timeliness. We identify problems and devise solutions while trying to keep the current successful working style of financial institutions being respected.
Wenbo Mao
A certification scheme for electronic commerce
Abstract
This paper examines trust in distributed systems. The particular example that we choose is that of key certification, although the techniques have more general application. Existing systems do not provide sufficient evidence to help to resolve disputes. We address this problem.
Bruno Crispo, Mark Lomas
Practical escrow cash systems
Abstract
This paper proposes practical escrow cash schemes with the following properties:
  • The privacy of users is preserved, unless all (or a certain portion) of the trustees collaborate.
  • If all (or a certain portion) of the trustees collaborate (for law enforcement or crime prevention), the collaboration can trace the payment history from the payer's (i.e., criminal's) name, and they can also trace the payer's (i.e., criminal's) name from a payment history.
  • Extortion attacks can be partially technically prevented.
  • Each coin is divisible under an off-line payment condition.
Eiichiro Fujisaki, Tatsuaki Okamoto
NetCard — A practical electronic-cash system
Abstract
Our recursive hashing technique greatly reduces the computational complexity in applications where a series of low value payments are made to the same merchant. We have shown how it can be used in simple payment schemes based on both the smartcard and the online processing models of electronic commerce, and can also provide some novel and valuable features, such as a security recovery facility that does not depend on either the legacy systems or the SET protocols. It is an open problem whether hashing techniques can be combined with the more complex anonymous cash schemes.
In December 1995, we learned that three other groups had independently developed micropayment systems that are rather similar to our second protocol. These are the ‘Tick Payments’ of Torben Pedersen of the CAFE project, the ‘PayWords’ of Ron Rivest and Adi Shamir [RS], and a scheme from the iKP team at IBM Zürich [HSW].
From the scientific point of view, one of the more interesting lessons learned from implementing our first protocol and developing the others from it has been that local and global trust interact in interesting and often unexpected ways. The details of this will be the subject of a future paper; the high order bit appears to be that the global trust has to go somewhere. In a payment system, the global mechanism to prevent double spending can be a centralised system of online authorisation, authorisation using end-to-end authentication, tamper resistant objects or (more realistically) some combination of these. Moving the primary locus of trust, even slightly, can have profound effects; and very small design changes can greatly improve the system's resilience and robustness.
Ross Anderson, Charalampos Manifavas, Chris Sutherland
Electronic payments of small amounts
Abstract
This note considers the application of electronic cash to transactions in which many small amounts must be paid to the same payee and in which it is not possible to just pay the total amount afterwards. The most notable example of such a transaction is payment for phone calls. If currently published electronic cash systems are used and a full payment protocol is executed for each of the small amounts, the overall complexity of the system will be prohibitively large (time, storage and communication). This note describes how such payments can be handled in a wide class of payment systems. The solution is very easy to adapt as it only influences the payment and deposit transactions involving such payments. Furthermore, making and verifying each small payment requires very little computation and communication, and the total complexity of both transactions is comparable to that of a payment of a fixed amount.
Torben P. Pedersen
PayWord and MicroMint: Two simple micropayment schemes
Ronald L. Rivest, Adi Shamir
Transactions using bets
Abstract
Small cash transactions, electronic or otherwise, can have their overhead costs reduced by Transactions Using Bets (TUB), using probabilistic expectation (betting) as a component. Other types of protocols may also benefit from this idea.
David Wheeler
Protocol failures for RSA-like functions using Lucas sequences and elliptic curves
Abstract
We show that the cryptosystems based on Lucas sequences and on elliptic curves over a ring are insecure when a linear relation is known between two plaintexts that are encrypted with a “small” public exponent. This attack is already known for the classical RSA system, but the proofs and the results here are different.
Marc Joye, Jean-Jacques Quisquater
Efficient and provable security amplifications
Abstract
Even, Goldreich and Micali showed at Crypto'89 that the existence of signature schemes secure against known message attacks implies the existence of schemes secure against adaptively chosen message attacks. Unfortunately, this transformation leads to a rather impractical scheme. We exhibit a similar security amplification, which takes the given scheme to a new signature scheme that is not even existentially forgeable under adaptively chosen message attacks. Additionally, however, our transformation will be practical: The complexity of the resulting scheme is twice that of the original scheme.
The principles of both transformations carry over to block encryption systems. It is shown how they can be used to convert a block encryption system secure against known plaintext attacks to a system secure against chosen plaintext attacks. For both schemes it is shown that if the transformed scheme can be broken given a number, T, of encryptions of adaptively chosen plaintexts, then the original scheme can be broken given encryptions of T uniformly chosen plaintexts. In this case, however, the application of the technique of Even, Goldreich and Micali leads to the more efficient scheme. The transformed scheme has the same key length as the original, and ciphertexts are doubled in length. As an example, when applied to DES the transformed scheme is secure against differential cryptanalysis, which relies on the ability to get encryptions of plaintext pairs with proper differences.
Ronald Cramer, Ivan Damgård, Torben Pedersen
A comparison of RSA and the Naccache-Stern public-key cryptosystem
Abstract
In September 1995, David Naccache and Jacques Stern proposed a new public key cryptosystem. We give an analysis of this cryptosystem and we make a comparison with the well-known RSA system.
Thomas W. Cusick
IEEE P1363: A standard for RSA, Diffie-Hellman, and Elliptic-Curve cryptography (abstract)
Abstract
The IEEE P1363 working group is developing standards for public-key cryptography based on RSA and Diffie-Hellman algorithm families and on elliptic curve systems. This paper summarizes the current activities of that group.
Burton S. Kaliski Jr.
Efficient and secure conference-key distribution
Abstract
Key distribution is a major cryptographic component for secure communication. For privacy data must be encrypted with keys which are distributed securely. In this paper we focus on conference key distribution. Our approach is to use a two-party key distribution system as an underlying cryptographic primitive and extend it to a conference system.
We consider three different models: an unconditionally secure model, a provably secure model, and a model whose security is based on the difficulty of breaking the Diffie-Hellman problem. For each of these we present a conference key distribution system which is as secure as the primitive. These extend and generalize our conference scheme presented at Eurocrypt '94. In particular, (i) we are not restricted to any specific network or primitive, and (ii) our system based on the Diffie-Hellman key exchange is more efficient.
Mike Burmester, Yvo G. Desmedt
Directed signatures and application to threshold cryptosystems
Abstract
This paper presents a directed (or designated-receiver) signature scheme with the property that the signature can be verified only with the help of the signature receiver. Such signatures are intended to protect the privacy of the signature receiver in applications where the signed message contains information personally sensitive to the receiver. We also present its application to shared verification of signatures and threshold cryptosystems. The resulting group-oriented cryptosystems are fully dynamic and scalable.
Chae Hoon Lim, Pil Joong Lee
Key escrow in mutually mistrusting domains
Abstract
In this paper we present a key escrow system which meets possible requirements for international key escrow, where different domains may not trust each other. In this system multiple third parties, who are trusted collectively but not individually, perform the dual role of providing users with key management services and providing authorised agencies in the relevant domains with warranted access to the users' communications. We propose two escrowed key agreement mechanisms, both designed for the case where the pair of communicating users are in different domains, in which the pair of users and all the third parties jointly generate a cryptographic key for end-to-end encryption. The fact that all entities are involved in the key generation process helps make it more difficult for deviant users to subvert the escrowed key by using a hidden ‘shadow-key’. The first mechanism makes use of a single set of key escrow agencies moderately trusted by mutually mistrusting domains. The second mechanism uses a transferable and verifiable secret sharing scheme to transfer key shares between two groups of key escrow agencies, where one group is in each domain.
L. Chen, D. Gollmann, C. J. Mitchell
Automatic event-stream notarization using digital signatures
Abstract
Some digital signature algorithms (such as RSA) require messages to be padded before they are signed. Secure tokens can use these padding bits as a subliminal channel to embed auditing information in their signed messages. These auditing bits simplify protecting against lost and stolen tokens, breaks of specific protocols, hash functions, and ciphers, and attacks based on defeating a token's tamper-resistance.
Bruce Schneier, John Kelsey
Why isn't trust transitive?
Abstract
One of the great strengths of public-key cryptography is its potential to allow the localization of trust. This potential is greatest when cryptography is present to guarantee data integrity rather than secrecy, and where there is no natural hierarchy of trust. Both these conditions are typically fulfilled in the commercial world, where CSCW requires sharing of data and resources across organizational boundaries. One property which trust is frequently assumed or “proved” to have is transitivity (if A trusts B and B trusts C then A trusts C) or some generalization of transitivity such as *-closure. We use the loose term unintentional transitivity of trust to refer to a situation where B can effectively put things into A's set of trust assumptions without A's explicit consent (or sometimes even awareness). Any account of trust which allows such situations to arise clearly poses major obstacles to the effective confinement (localization) of trust. In this position paper, we argue against the need to accept unintentional transitivity of trust. We distinguish the notion of trust from a number of other (transitive) notions with which it is frequently confused, and argue that “proofs” of the unintentional transitivity of trust typically involve unpalatable logical assumptions as well as undesirable consequences.
Bruce Christianson, William S. Harbison
Securing the residential asynchronous transfer mode networks
Abstract
In this paper, we consider the security management of a residential ATM network, the ATM Warren. Threats within the ATM Warren are presented and counter-measures to some of these threats are suggested. Security issues in the ATM Warren such as protection domain, naming, firewalling and delegation are also discussed. We also propose a user authentication mechanism based on infra-red remote control. Finally, we demonstrate an efficient data path protection mechanism that is able to handle dumb ATM end devices.
Shaw-Cheng Chuang, David Greaves
Visual cryptography II: Improving the contrast via the cover base
Abstract
In Eurocrypt 1994 we proposed a new type of cryptographic scheme, which can decode concealed images without any cryptographic computations, by placing two transparencies on top of each other and using the decoder's (human) visual system. One of the drawbacks of that proposal was a loss in contrast: a black pixel is translated in the reconstruction into a black region, but a white pixel is translated into a grey region (half black and half white). In this paper we propose an alternative model for reconstruction with a different set of operations (which we call the “Cover” semi-group). In this model we are able to obtain a better contrast than is possible in the previous one.
Moni Naor, Adi Shamir
Backmatter
Metadata
Title
Security Protocols
edited by
Mark Lomas
Copyright year
1997
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-540-68047-5
Print ISBN
978-3-540-62494-3
DOI
https://doi.org/10.1007/3-540-62494-5