320 likes | 329 Vues
This study delves into internet service security, focusing on user authentication, electronic payment schemes, and enhancing secure electronic auctions. It explores innovative approaches for multi-server architecture, ensuring efficient user management without the need for password files. The research presents protocols for user registration, login, and authentication, providing advantages such as password flexibility and enhanced security. Additionally, it discusses micro-payment systems, outlining the motivation, characteristics, threats, and practical implementation of electronic payments. Through a detailed exploration of various scenarios and system architectures, the study aims to contribute to the advancements in securing internet services.
E N D
A Study on Internet Service Security Min-Shiang Hwang Department of Computer Science and Information Engineering Asia University
Outline Introduction User Authentication - A Remote Password Authentication Scheme for Multi-Server Architecture Using Smart Card Electronic Payment - A Simple Micro-Payment Scheme Electronic Auction - Adding Timestamps to The Secure Electronic Auction Protocol Conclusions
Introduction User 1 Server/Computer (User Authentication) User 2 Internet User 3 . . . Resources Services Data Retrieve Auction Payment Election Shopping Memories Processes Data Devices User n
User Authentication Motivation Multi-Server Architecture
User Authentication Introduction Server Resources User Authentication Login • Password • Fingerprint • Handprint Signature Resources
User Authentication Methods for Password Authentication 1. Using Password Table {ID, PW} Client Sever ID1 PW1 ID2 PW2 . . . . . . IDn PWn Password table
User Authentication 2. Without Password Table or Verification Table Ks: server’s secret key User Sever Registration:{ID, PW} PW=Eks[ID] Login:{ID, PW} Verification: PW=? Eks[ID] • The user cannot choose his ID and password freely. • It is not suitable for multi-server architecture.
User Authentication Requirements: • It agrees with multi-server network architecture without repetitive registration. • It needs no password files or verification table. • It allows user choose password freely. • It must manage the users efficiently, i.e., it can add or delete users easily.
User Authentication Our Scheme 1. The Initialization Phase • CA selects a large prime p and a primitive number g of GF(p). • CA chooses each server's secret key d and calculates the public key esuch as : e = gd (mod p). 2. The Registration Phase Assume that a new user U1is granted to register only from the servers Ser1, Ser3. And the service period are SP1, SP3 respectively.
User Authentication D1 = (mod p) W1 = (mod p). X1 = e1ID (mod p) Y1 = (mod p) CA stored the parameters {SP1, S[ID||SP1], K1}, {SP3, S[ID||SP3], K3], user ID and the line LS into the secret zone in the smart card.
User Authentication 3. The Login Phase {ID, (K3, Q3), Z3, A3, T, SP3, S[ID||SP3]} (ID, PW) Ran A3=gRan (mod p) B3=e3Ran*T (mod p) D3 = (mod p) W3 = (mod p).
User Authentication 4. The Authentication Phase • Checking the correctness of ID • Checking SP3 and his signature • Checking T • Checking the point (X3,Y3) is located on L3
User Authentication 5. To Change Password
User Authentication Conclusions Advantages: • It is suitable for the multi-server network system • Without any password or verification table • User can freely choose and change his password Disadvantage: • System administrator can not dynamic manage user’s privileges.
Electronic Payments Motivation When to use micro-payment: • On-line articles • On-line newspaper • Digital image and video • Investment information The characteristics of micro-payment: • Small transaction value • High transaction frequency Why needs micro-payment system?
Networks Electronic Payments Introduction Bank Deposit Withdrawal Consumer Merchant Payment
Electronic Payments Threats • Networks are insecure Fabrication Modification Interruption Interception • Customers are not honest Double spending • Merchants are not honest Replay
Electronic Payments 1.Pre-paid or Post-paid Bank Exchange digital money Pre-paid: (Prepaid card) • good for merchant but is not fair to the consumer. • preventing double spending. Post-paid: (Credit Card) • good for consumer but the merchant and bank take some risks. • preventing replay attack. Networks Consumer Merchant Payment Exchange digital money Bank Networks Merchant Consumer Payment
Electronic Payments 2.On-line or Off-line Bank On-line: involving the bank • detecting double spending • checking the customer’s credit • more communications Networks Consumer Merchant Payment Bank Off-line: not involving the bank • verifying the payment by the merchant • less communications Networks Consumer Merchant Payment
Electronic Payments Summaries • Pre-paid + On-line Ecash (Untraceability ) • Post-paid + On-line SET • Pre-paid + Off-line Millicent (Untransferable) • Post-paid + Off-line PayWord Large Payment, Safety On-line Small Payment, low transaction cost Off-line
Bank Batch withdrawal Batch deposit Networks Consumer Merchant Payment Electronic Payments A Practical Micro-Payment System • Post-paid • Off-line
Electronic Payments Our Scheme The scheme uses the following notations: MAC(k, M): Message Authentication Code function is a key-dependent one way hash function. IDC / IDM: Each customer / merchant's identity. KB / KC: The broker / customer's secret key, where KC =MAC(KB, IDC). AMOUNT: The amount of money of each payment. SUM: The sum of money of all payments in the merchant. PO: The purchase order information, e.g. e-mail address and the ordered information. SER: An automatically increasing time serial number, which is like a time-stamp. The combination can be as (year || month || date || times). PMES: The payment message that contains, at a minimum, {IDC, AMOUNT, PO, SER, H}. H expresses the MAC(KC, IDC || IDM || AMOUNT || PO || SER) where the symbol || denotes the concatenation.
Electronic Payments Our Scheme 1. Initiation KC=MAC(KB,IDC) The broker’s secret key KB and the merchant’s identity IDM are store in a register of the CPU embedded in the card.
Electronic Payments 2. Payment and Authentication PMES: {IDC, AMOUNT, PO, SER, H} H: MAC(KC , IDC || IDM || AMOUNT || PO || SER) checking SER and verifying MAC( MAC(KB ,IDC),IDC || IDM || AMOUNT || PO || SER) = MAC(KC, IDC || IDM || AMOUNT || PO || SER) = H.
Electronic Payments 3. Settling for merchant and customer
Electronic Payments Discussions
Electronic Payments Conclusions Advantages 1. The tamper resistant device is held by the merchant, not held by the customer. This is economical for device cost. 2. To authenticate the validity of payment message without involving the bank. This method can reduce the cost of communication and traded time. 3. The scheme does not using any public key cryptosystem to generate and verify a certificate. 4. The scheme can prevent the database unlimited growth.
Networks Electronic Auction Introduction • Sealed Bid Auction • Public Bid Auction Bank Payment Capture Reimbursement Auction House Bidders Bids
Electronic Auction Subramanian’s Scheme Bank Withdrawal payment [[payment]K, [price]SKb]PKa Auctionner A Bidder B [[[payment]K]SKa, [price]SKb]PKb Bulletin the maximum price [[K]SKb]PKa
Electronic Auction The Weaknesses of Subramanian’s Scheme • The sensitive information (e.g. credit card number) can be revealed. • The resolution of two or more bidders offered the same price was not considered.
Electronic Auction Our Revised Scheme Adding Timestamp to the payment information [TS,[TS paymentK]PKbank] [TS, K, [TS paymentK]PKbank] Bank [TS[TS paymentK]PKbank, [price]SKb]PKa Bidder B Auctionner A [[TS paymentK]PKbank]SKa, [price]SKb]PKb Bulletin the maximum price and TS [[K]SKb]PKa
Electronic Auction Conclusions Advantages: • It prevents the payment information leaking out. • Any malicious bidder cannot forge or replay the payment • It resolves the resolution of tie.